You're viewing OCI IAM documentation for new tenancies in regions that have been updated to use identity domains.

Managing a SAML Identity Provider

Use the Console to add a SAML 2.0 identity provider (IdP) to an identity domain so that users authenticated by the IdP can access Oracle Cloud Infrastructure resources and cloud applications.

Common terms

Identity Provider (IdP)

An IdP is a service that provides identifying credentials and authentication for users.

Service Provider (SP)

A service (such as an application, website, and so on) that calls upon an IdP to authenticate users.

Use the steps in the following sections to create a SAML 2.0 IdP.

Configuring SAML JIT Provisioning

SAML JIT Provisioning can be configured using the Console or /admin/v1/IdentityProviders REST API endpoint. See the following references to configure SAML JIT Provisioning:

Adding a SAML Identity Provider

Entering the SAML details for an identity provider.

  1. Navigate to the identity domain: Open the navigation menu  and select Identity & Security. Under Identity, select Domains.
  2. Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, click Security and then Identity providers.
  3. Select Add IdP, and then select Add SAML IdP.
  4. Enter the following information:
    • Name: Enter the name of the IdP.
    • (Optional) Description: Enter a description of the IdP.
    • (Optional) Identity provider icon: Drag and drop a supported image, or select select one to browse for the image.
  5. Select Next.
  6. On the Exchange metadata screen, select the Export SAML metadata button to send the SAML metadata to the identity provider. Then do one of the following:
    • Import IdP metadata: Select this option if you have an XML file exported from your IdP. Drag and drop the XML file to upload the metadata, or select select one to browse for the metadata file.
    • Enter IdP metadata: Select this option if you want to manually enter the IdP metadata. Provide the following details:
      • Identity provider issuer URI
      • SSO service URI
      • SSO service binding
      • Upload identity provider signing certificate
      • Enable global logout
    • Import IdP URL: Enter the URL of your IdP metadata.
  7. Select Show advanced options if you want to select the following:
    • Signature hashing algorithm: Select SHA-256 or SHA-1.
    • Require encrypted assertion: Indicates that the identity domain expects an encrypted assertion from the IdP.
    • Force authentication: Select this option to require users to authenticate with the IdP, even if the session is still valid.
    • Requested authentication context: Select authentication context class references.
    • Holder-of-Key subject confirmation required: Available after you upload a Holder-of-Key (HOK) supported valid metadata file.
    • Send signing certificate with SAML message: Select this to include the identity domain's signing certificate with SAML messages sent by your identity domain. Some SAML providers require the signing certificate to look up the SAML partner configuration.
  8. Select Next.
  9. On the Add SAML identity provider screen, do the following:
    1. Select a Requested Name ID format.
  10. Map user's identity attributes received from the IdP to an Oracle Cloud Infrastructure identity domain.
    Mapping options vary based on the identity provider. You might directly assign an IdP value to an Oracle Cloud Infrastructure identity domain value. For example, NameID might map to UserName. If you select SAML assertion attribute as the source, select the Assertion attribute name and then enter the corresponding Oracle Cloud Infrastructure identity domain user attribute.
  11. Select Submit.
  12. On the Review and create screen, review your SAML identity provider settings. If the settings are correct, select Create. Select Edit next to the set of settings, if you need to change them.
  13. The Console displays a message when the SAML identity provider is created. You can do the following from the overview page:
    • Select Test to verify that the SAML SSO connection is working correctly.
    • Select Activate to activate the IdP so the identity domain can use it.
    • Select Assign to IdP policy rule to assign this SAML identity provider to an existing policy rule you have created.
  14. Select Close.

Exporting SAML Metadata

Exporting the SAML metadata for an identity domain in IAM.

  1. Open the navigation menu  and select Identity & Security. Under Identity, select Domains.
  2. Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, click Security and then Identity providers.
  3. Open an identity provider.
  4. Select Export SAML metadata.
  5. Select one of the following:
    • Metadata File: Select this option to download the SAML XML metadata file, or to download the SAML XML metadata with self-signed certificates.
    • Manual Export: Manually exporting the metadata allows you to choose from multiple SAML options, for example the Entity ID or Logout response URL. After you copy the export file, you can download the Service provider signing certificate or the Service provider encryption certificate.
    • Metadata URL: Select this option if your IdP supports downloading SAML metadata directly. Select Access signing certificate to allow clients to access the signing certificate without having to log in to an IdP.

Configuring IdP metadata

Enter IdP metadata details manually, or import a metadata file.

  1. Select one of the following:
    • Import IdP metadata: Select this option if you have an XML file exported from your IdP. Drag and drop the XML file to upload the metadata, or select select one to browse for the metadata file.
    • Enter IdP metadata: Select this option if you want to manually enter the IdP metadata. Provide the following details:
      • Identity provider issuer URI
      • SSO service URI
      • SSO service binding
      • Upload identity provider signing certificate
      • Upload identity provider encryption certificate
      • Enable global logout
      • Identity provider logout request URL
      • Identity provider logout response URL
      • Logout binding
  2. Select the Signature hashing algorithm method.
  3. Select whether you want to use Send signing certificate with SAML message.
  4. Select Next.

Mapping user attributes

Map the relationship between the IdP user attributes and identity domain user attributes.

  1. In the field Requested Name ID format, select a mapping option.

    Mapping options vary based on the identity provider. You might be able to directly assign an IdP value to an Oracle Cloud Infrastructure identity domain value. For example, NameID might map to UserName. If you select SAML assertion attribute as the source, select the Assertion attribute name and then enter the corresponding Oracle Cloud Infrastructure identity domain user attribute.

    If you select Custom, enter the details in the field Custom Name ID format.

  2. Select fields in Identity provider user attribute and select a corresponding field in Identity domain user attribute.
  3. Select Next.
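An attribute mapping only works if the assertion the IdP actually sends carries a NameID in the requested format and attributes with exactly the names entered in Identity provider user attribute (names are case-sensitive). The following added example (not Oracle's code; the assertion, attribute names and mapping are constructed) checks a proposed mapping against a captured assertion before it is entered in the Console.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"  # default when Format is absent

# Constructed sample assertion (signature and conditions omitted); all values are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mapping as it would be entered in the Console: IdP source -> identity domain attribute.
# "NameID" stands for the subject identifier; every other key is a SAML assertion attribute name.
PROPOSED_MAPPING = {"NameID": "userName", "mail": "emails.primary",
                    "givenName": "name.givenName", "sn": "name.familyName"}

def check_mapping(assertion_xml, mapping, requested_name_id_format):
    """Return a list of problems; an empty list means every mapped source is present."""
    root = ET.fromstring(assertion_xml)
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("assertion has no NameID")
    else:
        fmt = name_id.get("Format", UNSPECIFIED)
        if fmt != requested_name_id_format:
            problems.append("NameID format %s differs from requested %s" % (fmt, requested_name_id_format))
    sent = {a.get("Name") for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for source in mapping:
        if source != "NameID" and source not in sent:  # exact, case-sensitive comparison
            problems.append("attribute %r not in assertion; IdP sent %s" % (source, sorted(sent)))
    return problems
```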

Reviewing and creating the IdP

Verify the IdP options are accurate and then create the IdP.

  1. Select Test login to open the IdP sign-in screen.
  2. Select Create IdP.
    Note: To edit an IdP after creating it, go to the Identity Providers list, select the IdP, and then edit the IdP.