
Tips and HowTos for Single Sign-On & Federation Oracle Identity Management Integrations

  • August 7, 2018

Integrating ADFS 2.0/3.0 SP with IDCS IdP

It has been a long time since my last article! Today I will describe how to integrate IDCS acting as an IdP with ADFS acting as an SP.

The SAML 2.0 integration will be based on:

  • Email address will be used as the NameID Format
  • The NameID value will contain the IDCS user’s email address
  • The HTTP POST binding will be used to send the SAML Assertion to the SP
  • Users will exist in both systems, with each user having the same email address so that it can be used as the common user attribute.

ADFS 2.0 is available in Windows 2008 R2, while ADFS 3.0 is available in Windows 2012 R2. This article shows screenshots for ADFS 3.0; the documented steps apply to both versions.

Collecting the IDCS SAML 2.0 Metadata

The IDCS SAML 2.0 Metadata for your tenancy will be used to create an IdP partner in the ADFS environment.

IDCS provides a certificate for each account, issued by the Oracle Public Cloud Certificate Authority. That certificate is used in SAML operations to sign the SAML messages exchanged between IDCS and the remote SAML partner. Because ADFS will attempt to validate the signing certificate, you will need to use the IDCS SAML 2.0 Metadata variant designed specifically for ADFS workflows (see https://docs.oracle.com/en/cloud/paas/identity-cloud/uaids/creating-saml-partner-and-crl-list-validation.html for more information).

To download the IDCS SAML 2.0 Metadata for ADFS:

  • Go to the IDCS Admin Console https://idcs-….identity.oraclecloud.com/ui/v1/adminconsole
  • Authenticate
  • Then in the address bar, replace /ui/v1/adminconsole by /fed/v1/metadata?adfsmode=true: https://idcs-….identity.oraclecloud.com/fed/v1/metadata?adfsmode=true
  • From the browser menu, go to File -> Save As
  • Save the file locally on your computer.

ADFS Setup

To add IDCS as an IdP in the ADFS SP, execute the following steps:

  • Go to the machine where ADFS 2.0/3.0 is deployed
  • If ADFS 2.0 is used
    • Click Start Menu -> Programs -> Administrative Tools -> AD FS 2.0 Management
    • Expand ADFS 2.0 -> Trust Relationships
  • If ADFS 3.0 is used
    • In Server Manager, click Tools -> AD FS Management
    • Expand AD FS -> Trust Relationships
  • Right click on Claims Provider Trusts and select Add Claims Provider Trust
  • The Add Claims Provider Trust window will appear

Execute the following steps:

  • Click Start
  • Select Import data about the claims provider from a file
  • Click browse and select the local IDCS SAML 2.0 Metadata saved in the previous section

Execute the following steps:

  • Click Next
  • Enter a name for the new SAML 2.0 Identity Provider

Execute the following steps:

  • Click Next
  • A summary window will be displayed

Execute the following steps:

  • Click Next
  • Leave Open the Edit Claims box checked

Execute the following steps:

  • Click Close
  • The Edit Rule window will appear

Execute the following steps:

  • Click Add Rule
  • Select Pass Through or Filter an Incoming Claim

Execute the following steps:

  • Click Next
  • Enter a name for the Claim Rule
  • Select NameID as the Incoming Claim Type
  • Select Email as the Incoming name ID format
  • Select
    • Pass through all claim values if you want to accept any email addresses
    • Pass through only claim values that match a specific email suffix value if you want to only accept a specific set of email addresses (in our example, I will select this choice as all users will have an @acme.com email address)

Execute the following steps:

  • Click Finish
  • The list of claim rules will be displayed
  • Click OK
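The claim rule created above decides whether the NameID that IDCS sends will be accepted. The following Python script is an added example, not ADFS or IDCS code: it decodes a SAMLResponse as the HTTP POST binding delivers it, extracts the NameID format and value, and applies the same two checks the rule applies (emailAddress format and the accepted email suffix). The response it builds is constructed and unsigned; the IDCS issuer value and the @acme.com suffix are placeholders taken from this article, and in a real flow ADFS validates the IDCS signature before any claim rule runs.

```python
"""Reproduce what ADFS's "pass through only claim values that match a specific
email suffix" rule enforces on the incoming NameID.

Added example, not ADFS code. The response is constructed and unsigned.
"""
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Placeholder issuer; a real tenancy uses its own https://idcs-....identity.oraclecloud.com value.
IDCS_ISSUER = "https://idcs-tenant.identity.oraclecloud.com:443/fed"


def build_sample_response(name_id, name_id_format=EMAIL_FORMAT):
    """Constructed, minimal SAML Response, base64-encoded the way the HTTP-POST
    binding carries it in the SAMLResponse form field."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2018-08-07T00:00:00Z">
  <saml:Issuer>{IDCS_ISSUER}</saml:Issuer>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2018-08-07T00:00:00Z">
    <saml:Issuer>{IDCS_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{name_id_format}">{escape(name_id)}</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def extract_name_id(saml_response_b64):
    """Return (Format, value) of the NameID carried in the posted SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    node = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None:
        raise ValueError("assertion carries no NameID")
    return node.get("Format", ""), (node.text or "").strip()


def accept_name_id(name_id_format, value, suffix="@acme.com"):
    """Mirror the claim rule: emailAddress format and the accepted suffix."""
    if name_id_format != EMAIL_FORMAT:
        return False
    # Anchor the whole value: an unanchored suffix regex would also accept
    # a value such as 'alice@acme.com.attacker.example'.
    pattern = r"[^@\s]+" + re.escape(suffix)
    return re.fullmatch(pattern, value) is not None


if __name__ == "__main__":
    for candidate in ("alice@acme.com", "bob@other.com", "eve@acme.com.attacker.example"):
        fmt, value = extract_name_id(build_sample_response(candidate))
        print(candidate, "->", "accepted" if accept_name_id(fmt, value) else "refused")
```

Run it as-is to see the three sample values; only the first is accepted. The same two checks are what the "Pass through all claim values" choice skips, so that option should only be used when every email address IDCS may assert is acceptable to ADFS.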


Collecting ADFS Federation Information

The ADFS Service Identifier, URLs and Signing/Encryption certificates need to be retrieved so that an SP Partner can be created in IDCS.

  • Go to the machine where ADFS 2.0/3.0 is deployed
  • If ADFS 2.0 is used
    • Click Start Menu -> Programs -> Administrative Tools -> AD FS 2.0 Management
    • Click on ADFS 2.0 -> Service
  • If ADFS 3.0 is used
    • In Server Manager, click Tools -> AD FS Management
    • Click on AD FS -> Service
  • Click on Edit Federation Service Properties on the right column
  • Copy the Federation Service Identifier

Execute the following steps:

  • If ADFS 2.0 is used, expand ADFS 2.0 -> Service; If ADFS 3.0 is used, expand AD FS -> Service
  • Click on Certificates
  • Save the Signing Certificate in a local file:
    • Double click on the Certificate entry under the Token-signing section
    • Click on Details
    • Click on Copy to File
    • Click Next
    • Select Base64-encoded X.509 (.CER)
    • Click Next
    • Enter a filename
    • Click Next
    • Click Finish
    • Click OK to close the window
  • Save the Encryption Certificate in a local file, if SAML Encryption is a requirement:
    • Follow the same steps as above, with the Token-decrypting section

Execute the following steps:

  • Open a browser
  • Go to the ADFS 2.0/3.0 Metadata publishing service:
    https://adfs-host:adfs-port/FederationMetadata/2007-06/FederationMetadata.xml
  • Navigate in the XML document to find the ADFS SAML Service URL
    • Locate the EntityDescriptor -> SPSSODescriptor -> AssertionConsumerService XML Element
    • Copy the value of the Location Attribute: it is the ADFS SAML Service URL (it should be something like https://adfs-host:adfs-port/adfs/ls/)
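Both metadata documents used in this article (the IDCS /fed/v1/metadata document from the "Collecting the IDCS SAML 2.0 Metadata" section and ADFS's FederationMetadata.xml above) are SAML 2.0 EntityDescriptor files, so the values the console steps have you copy by hand can also be pulled out programmatically. The following Python script is an added example, not Oracle's or Microsoft's code: it reads either document, selects the HTTP-POST endpoint (the binding this integration uses, rather than whichever AssertionConsumerService is marked default), collects the signing and encryption certificates, and wraps a certificate as the Base64-encoded .CER file IDCS expects. The two embedded metadata samples are constructed and trimmed; the hosts, entity IDs and certificate bodies are placeholders.

```python
"""Extract entityID, HTTP-POST endpoint and certificates from SAML 2.0 metadata.

Added example, not Oracle's or Microsoft's code. Handles both an SP document
(ADFS FederationMetadata.xml) and an IdP document (IDCS /fed/v1/metadata).
Samples are constructed; hosts and certificate bodies are placeholders.
"""
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# role -> (role descriptor element, endpoint element whose Location is needed)
ROLE = {"sp": ("md:SPSSODescriptor", "md:AssertionConsumerService"),
        "idp": ("md:IDPSSODescriptor", "md:SingleSignOnService")}

# Constructed stand-in for ADFS FederationMetadata.xml, trimmed to the SP role.
ADFS_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs-host.example.com/adfs/services/trust">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>RU5DUllQVElPTi1DRVJULVBMQUNFSE9MREVS</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>U0lHTklORy1DRVJULVBMQUNFSE9MREVS</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs-host.example.com/adfs/ls/"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://adfs-host.example.com/adfs/ls/" index="0" isDefault="true"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs-host.example.com/adfs/ls/" index="1"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed stand-in for the IDCS IdP metadata, trimmed to the IdP role.
IDCS_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idcs-tenant.identity.oraclecloud.com:443/fed">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>SURDUy1TSUdOSU5HLVBMQUNFSE9MREVS</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idcs-tenant.identity.oraclecloud.com/fed/v1/idp/sso"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idcs-tenant.identity.oraclecloud.com/fed/v1/idp/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def parse_metadata(xml_text, role):
    """Return entityID, HTTP-POST endpoint, NameID formats and certificates."""
    descriptor_name, endpoint_name = ROLE[role]
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    desc = root.find(descriptor_name, NS)
    if desc is None:
        raise ValueError("metadata does not describe a %s role" % role.upper())
    # Several endpoints can share one Location; choose by binding, not by
    # index 0 / isDefault, because this integration uses HTTP-POST.
    endpoints = [e.get("Location") for e in desc.findall(endpoint_name, NS)
                 if e.get("Binding") == HTTP_POST]
    if not endpoints:
        raise ValueError("no HTTP-POST endpoint in %s" % descriptor_name)
    certs = {"signing": [], "encryption": []}
    for kd in desc.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        der_b64 = "".join(cert.text.split())  # strip the line wrapping metadata often has
        # A KeyDescriptor without a 'use' attribute may serve both purposes.
        for use in ([kd.get("use")] if kd.get("use") else list(certs)):
            if use in certs:
                certs[use].append(der_b64)
    return {"entity_id": root.get("entityID"),
            "post_endpoint": endpoints[0],
            "name_id_formats": [n.text.strip() for n in desc.findall("md:NameIDFormat", NS)],
            "signing_certs": certs["signing"],
            "encryption_certs": certs["encryption"]}


def to_pem(der_b64):
    """Wrap a metadata X509Certificate value as a Base64-encoded .CER (PEM) file body."""
    body = "\n".join(textwrap.wrap(der_b64, 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


if __name__ == "__main__":
    sp = parse_metadata(ADFS_METADATA, "sp")
    print("ADFS Entity ID (Federation Service Identifier):", sp["entity_id"])
    print("ADFS Assertion Consumer URL:", sp["post_endpoint"])
    print(to_pem(sp["signing_certs"][0]))
    idp = parse_metadata(IDCS_METADATA, "idp")
    print("IDCS entityID:", idp["entity_id"], "SSO URL:", idp["post_endpoint"])
```

Point the script at a downloaded FederationMetadata.xml to obtain the Entity ID, Assertion Consumer URL and certificates entered into the IDCS application in the next section; note that the published ADFS metadata is itself signed, so the certificate taken from it should still be compared against the one exported from the AD FS Management console before it is uploaded to IDCS.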

IDCS Setup

To add ADFS as an SP partner in IDCS, execute the following steps:

  • Go to the IDCS Administration Console: https://idcs-….identity.oraclecloud.com/ui/v1/adminconsole
  • Navigate to Applications
  • Click on Add
  • Click on SAML Application
  • Enter a Name for the SP
  • Enter an Application URL / Relay State that should be sent by IDCS/IdP to ADFS when performing IdP Initiated SSO operations
  • Check the Display in My Apps box if needed

Execute the following steps:

  • Click Next
  • Enter the ADFS Federation Service Identifier copied earlier as the Entity ID
  • Enter the ADFS SAML Service URL copied earlier as the Assertion Consumer URL
  • Select Email Address as the NameID Format
  • Select Primary Email as the NameID Value
  • Click Upload and select the ADFS Signing Certificate saved earlier

Execute the following steps:

  • Expand the Advanced section
  • Enter the ADFS SAML Service URL copied earlier as the Single Logout URL
  • Enter the ADFS SAML Service URL copied earlier as the Logout Response URL
  • If Encryption is required, enable it and upload the ADFS Encryption Certificate saved earlier

Execute the following steps:

  • Click Finish
  • Click Activate
  • Click on the User/Groups tab and assign the App to the User and/or Groups that will be granted access to the App. Users who are not granted access to the App will not be able to perform the SSO operation with ADFS

Test

To test, access the IDCS My Apps page:

  • URL:
    https://idcs-….identity.oraclecloud.com/ui/v1/myconsole
  • IDCS will challenge for authentication if needed
  • Click on the App you just created
    • If you are not able to see the App, that’s because you have not been granted the App or you did not check the Display in My Apps box
  • You will be redirected to ADFS SP with a SAML Assertion


Cheers,
Damien Carru
