Pages

7/06/2020

SSO using OKTA credentials in IDCS

In this blog post, I would like to detail out the configurations that are needed for enabling SSO from OKTA to Oracle IDCS. The steps to be followed are

1. Federation Data download from IDCS.
2. Configure IDCS as an app in OKTA.
3. Add OKTA as a SAML IDP in IDCS.
4. Single sign-on logout configuration in OKTA.

Here is an explanation of each step.

1. Federation Data download

      Download federation metadata of IDCS using below url. Update the Identity Cloud service name in the highlighted part.
                     https://idcs-tenent.identity.oraclecloud.com/fed/v1/metadata
            Note the entityID field and  AssertionConsumerService Binding location in the downloaded federation metadata file.
2. Configure IDCS as app in OKTA

1.       Login to OKTA.
a.       Click on Admin à Click add application
b.      Click on Create new application


c.       Select SAML 2.0


d.      Enter App Name and other fields – leave as default


e.      Enter below information:
                                                               i.      SSO login  - Enter AssertionConsumerService Binding location from IDCS federation metadata
                                                             ii.      Audience URI – Enter Entity ID
                                                            iii.      Delay – Blank
                                                           iv.      Name ID - Unspecified
                                                             v.      Application Username – Okta Username

             

f.        In Group Attribute Statement enter
                                                               i.      Name = https://auth.oraclecloud.com/saml/claims/groupName
                                                             ii.      Name format = Basic

             

g.       Save the configurations
h.      Sign-in page of the application appears
.        

i. Download the Identity Provider metadata



j.  Create Groups and or users, who would need access in IDCS

3.Changes in Oracle IDCS
  1.   Open Settings à Identity Provider à Add SAML IDP. Enter name and press next.
     

2.Upload the metadata file downloaded during OKTA application configuration 

     
    3. User Attribute Mapping:
     a.       Choose Identity Provider User attribute as Name ID.
     b.      Choose Oracle Identity Cloud service user attribute as Primary Email Address and Requested Name Id Format as Email address. 


4.       In the next page, note the urls and download the certificates.


5.       Test the application, you will be directed to Okta to enter login credentials to verify the connectivity and  Activate the application.
6.       Click on the menu and select Show on Login page option.

          

7.       Open IDP Policies. Click on Default Identity Provider Policy.



8.       Click on  Identity Providers à Assign and select the Identity provider created and Click Ok.


9.       Launch CECS or any application url in oracle Pass cloud. An option to sign in with OKTA credentials will appear. 


10.   If redirection to OKTA sign-in page for login is needed, then go to IDP policies and Open default IDP policies -> Select Local IDP and click remove.



11.   When the cloud applications url is launched, it will redirect to Okta login page.

4.Logout configuration in OKTA

1. In Okta application administration page, make the following advanced settings for enabling logout.  
        a) Click on the application in Okta, Edit SAML settings 

     

b) Click Show Advanced settings


                   Fill in the below details taken from IDCS application configuration step 4.
a.       Single sign-out URL.
b.      Enter SP Issuer as IDCS
c.       Signature certificate – upload SigningCertificate.pem file downloaded.

 


Reference:

Regards,
Vijay

No comments :

Post a Comment