Configure Identity Cloud Service (IDCS) for Single Sign-On

Follow these steps to configure IDCS as part of the SSO setup for your organization.

Identity Domain or IDCS?

There are two ways to complete this setup. It depends on what your screen looks like when you start the process. Most of you will be using an Identity Domain in Oracle Cloud, while others will use IDCS (this article).

How to use this guide

  1. You should have read the steps to enable Single Sign-On (SSO) for either the paying or non-paying organization.
  2. Follow the steps below to set up IDCS.
  3. Provide Oracle with the ID for the IDCS account. You can find instructions to do this below.
  4. Once Oracle confirms the Lobby is configured to use your IDCS account, you can then create an Identity Provider Policy in IDCS.
  5. Follow the remaining steps for enabling Single Sign-On (SSO) for either the paying or non-paying organization.

Introduction

Configuring SSO requires knowledge of SAML concepts and access to your company’s Identity Provider (IdP) to add configurations. This will normally be a member of the IT or Identity Management team within your company.

Your IdP will typically be a system such as Microsoft Azure Active Directory. You will need an Oracle Identity Cloud Service (IDCS) company account.

A Foundation license for IDCS is provided with our Cloud SaaS products such as Aconex. If your company already has an IDCS company account (often because they use other Oracle products), it’s usually best to use the same account for access to Aconex. If no account is currently available you can create one.

Step 1: Create a new configuration for a SAML-based integration in your IdP

Details of this step are specific to your IdP application and provider (Microsoft Azure Active Directory, Microsoft ADFS, Okta), but for all SAML-based IdP integrations, the process is similar.

Follow your application’s instructions to create a new SAML-based integration. This will involve downloading a Federation Metadata XML file that you will later import into IDCS. Once IDCS setup is complete you can return to your IdP SAML setup screen (it’s good to have it open in another window) and complete the process.

Once you have the Federation Metadata XML file, the first stage of your IdP setup is now complete – you will return to complete this later. You can now continue to set up your IDCS configuration.

Note: some IdPs require you to populate the Entity ID and the Reply URL of the SAML counterpart (IDCS in this case). Both can be formed from your IDCS URL as follows:

Entity ID: https://idcs-.identity.oraclecloud.com:443/fed

Reply URL: https://idcs-.identity.oraclecloud.com/fed/v1/sp/sso

Step 2: IDCS Configuration

Once you have the Federated Metadata XML file from your IdP, switch to IDCS.

  1. Sign in to the IDCS Admin Console: idcs-[ID].identity.oraclecloud.com/ui/v1/adminconsole (replace [ID] with the ID of your IDCS account). You'll see your dashboard.

Note

If your dashboard screen looks different, you may have been upgraded to an Identity Domain on Oracle Cloud Infrastructure.

Continue the setup in your Identity Domain.

  2. On the menu select Security, then select Identity Providers.
  3. Click + Add SAML IDP to create a new SAML-based link to an identity provider.
  4. Upload the Federated Metadata XML file that you downloaded from your SAML IdP in Step 1.
  5. On the Map screen use the default values and click Next.
  6. Download the IDCS Metadata file.
  7. Switch back to your SAML IdP to complete the setup.

Step 3: Finish configuration in your IdP

You can now return to the configuration of your IdP service.

  1. Follow your IdP application’s process to upload a metadata file, and upload the IDCS Metadata file you downloaded from IDCS in Step 2.
  2. After the upload you should see a screen indicating URLs and other info, taken from the metadata file.
  3. Confirm that the user identity is based on the user’s email address.
  4. Typically IdPs have policies or groups that indicate if a user is eligible to use a configured SAML provider. Confirm that users are added to those groups or policies in your IdP if required.
  5. At this point both your IdP and IDCS are fully configured and ready for testing. Switch back to the IDCS window and use its test capabilities.

Step 4: Test and finish configuration in IDCS

  1. Click Test Login.
  2. You will be presented with your IdP’s sign-in screen. Enter valid credentials for a user that exists in your IdP and is configured to use the SAML Federation App. A user account with the same email must also exist in IDCS.
  3. If the test sign-in was successful you will see the following message:
Your connection is successful.

You may close this window and go back to the admin console.


If the test login failed you will see a screen similar to the one below. Please read the error description to amend the setup or create missing data:

Connection failed. Configuration may need to be modified.

No user was returned during the SAML assertion to user mapping via the NameID attribute for partner Azure AD: NamedID poleary@majestic.com, user attribute name userNamed, message: ***See below***.
Show Assertion Details
You may close this window and go back to the admin console.
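The failure shown above is a NameID-to-user mapping problem: IDCS takes the NameID from the assertion and looks for a user whose email matches it. The following added example (not code from this guide or from IDCS) reproduces that mapping as a pre-flight check on an assertion, so the three usual causes can be told apart before running Test Login: no NameID emitted, a non-email NameID format, or no matching IDCS user. The assertion, the issuer and the IDCS user list are constructed; case-insensitive email comparison is an assumption made here.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed IDCS user directory for the example (not real accounts).
IDCS_USERS = {"user.one@example.com", "user.two@example.com"}


def make_assertion(name_id, fmt=EMAIL_FORMAT):
    """Build a constructed, unsigned assertion fragment. A real response is
    signed and carries Conditions; only Subject/NameID matters for this check."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_constructed" Version="2.0">
  <saml:Issuer>https://sts.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID Format="{fmt}">{name_id}</saml:NameID></saml:Subject>
</saml:Assertion>"""


def check_name_id_mapping(assertion_xml, users=IDCS_USERS):
    """Mirror the NameID -> IDCS user lookup. Returns (ok, reason)."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        return False, "assertion has no NameID; configure the IdP to emit one"
    value = name_id.text.strip()
    fmt = name_id.get("Format", "")
    if fmt != EMAIL_FORMAT:
        # e.g. a persistent or transient identifier cannot match an email.
        return False, f"NameID format is {fmt or 'unspecified'}, expected emailAddress"
    # Assumption: the email match is case-insensitive.
    if value.lower() not in {u.lower() for u in users}:
        return False, f"no IDCS user with email {value}; create the user or fix the IdP claim"
    return True, f"NameID {value} maps to an IDCS user"
```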


Step 5: Activate and finish configuration in IDCS

  1. Click Next.
  2. Click Activate.
  3. Click Finish.

Step 6: Provide Oracle with the ID for your IDCS account

After configuring IDCS you need to provide Oracle with the ID for your IDCS account.

The easiest way to do this is to paste your IDCS console URL into the ticket. The URL will look something like this: https://idcs-.identity.oraclecloud.com/ui/v1/myconsole

You will not be able to create an Identity Provider Policy in IDCS until Oracle confirms the Lobby is configured to use your IDCS account.

You've successfully configured IDCS.

Next, you need to create an Identity Provider Policy in IDCS. Note: Oracle needs to have confirmed the Lobby is configured to use your IDCS account before you complete these next steps.