Oracle Identity Cloud Service: Integrating with Microsoft Active Directory Federation Services (AD FS)

 

Before You Begin

Purpose

In this tutorial you learn to integrate Oracle Identity Cloud Service with Microsoft Active Directory Federation Services as an identity provider (IdP).

Time to Complete

120 minutes.

Background

Oracle Identity Cloud Service provides integration with SAML 2.0 identity providers (IdPs). This integration:

  • Works with federated Single Sign-On (SSO) solutions that are compatible with SAML 2.0 as an IdP. This includes Microsoft Active Directory Federation Services (AD FS), Shibboleth Identity Provider, and Oracle Access Management (OAM).
  • Allows users to log into Oracle Identity Cloud Service using the credentials from their own identity provider.
  • Can force the IdP authentication for all users or offer the IdP authentication as an option (Login Chooser option).

The identity provider integration provides the following benefits:

  • Single Sign-On across cloud and on-premises solutions: Oracle Identity Cloud Service provides Single Sign-On for cloud applications while the IdP provides Single Sign-On for on-premises applications. Users log in only once, using their IdP credentials.
  • Support multiple Single Sign-On scenarios in parallel: By combining the Login Chooser with an IdP, you offer different Single Sign-On scenarios per user. This option can be used for the following scenarios :
    • Employees authenticate using their enterprise IdP credentials.
    • Contractors authenticate directly in Oracle Identity Cloud Service
  • Enable defense In depth strategies in the Cloud: The IdP integration - when wisely planned and coupled with other security controls - can enable a hybrid cloud defense in depth (apply your on-premises security controls on cloud solutions). For example, if you implement IdP authentication as the only option for your employees and your IdP is accessible only through the Intranet or VPN, you ensure that Oracle Identity Cloud Service is accessed only when your employees are in your network-safe environment.

In this tutorial, you learn to integrate Oracle Identity Cloud Service with Microsoft Active Directory Federation Services (AD FS) as an identity provider (IdP).

What Do You Need?

  • Access to Oracle Identity Cloud Service with authorization to manage identity providers (Identity Domain Administrator or Security Administrator)
  • An on-premises Microsoft Active Directory Federation Server installation.
    Tip: In this tutorial, we are using the Microsoft Active Directory Federation Server software provided with Microsoft Windows Server 2012 R2.
  • Users synchronized between the Federation Service's Microsoft Active Directory domain and Oracle Identity Cloud Service
    Tip: You can synchronize users between Microsoft Active Directory and Oracle Identity Cloud Service manually, using REST APIs, Oracle Identity Manager connectors or bridges.
    The tutorial Integrating with Microsoft Active Directory Using Directory Integrations explains how you can do that.
  • As a recommendation, you should be familiar with Microsoft Active Directory Domain Services, Microsoft Active Directory Federation Services, and SAML 2.0 concepts, such as Identity Providers, Relying Parties, and Claims.
 

Validate Prerequisites

In this task, you validate the prerequisites before integrating the identity provider.

 

Confirm that a User with the Same Email Address Exists in both systems.

The identity provider integration requires that the user entry with the same email exists on both Federation Service's MIcrosoft Active Directory Domain and Oracle Identity Cloud Service. In this task, you find a user that exists on both systems. If required, you manually create a user to fulfill this requirement.

Tips:
  1. Launch the Microsoft Active Directory Users and Computers utility (in Windows 2012 Server, click Server Manager, click Tools, and then click Active Directory Users and Computers).
  2. The Employees folder, double-click the user you want to use for tests and record the user's email address (in the example, csaladna@example.com).
    Active Directory Users and Computer Utility after opening a user (in the screenshot, Clarence Saladna). The user E-mail field is highlighted in the screenshot.
    Description of this image
    Notes:
    • The user email address is used to link the user logged in to Microsoft Active Directory Federation Services with the user entry in Oracle Identity Cloud Service.
    • In case you don't have a user for tests, you can create one in Microsoft Active Directory.
  3. Access the Oracle Identity Cloud Service console and click Users.
  4. In the Search Users field, enter the user e-mail address you recorded from Microsoft Active Directory (in the example: csaladna@example.com).
  5. Under the search results, confirm that a user with the Microsoft Active Directory's email address exists.
    Users page. Search results display a user with the e-mail recorded from Active Directory on previous steps.
    Description of this image
    Tip: If the user doesn't exist in Oracle Identity Cloud Service, click Add and create the user using the same email address you recorded from Microsoft Active Directory.
 

Verify that Microsoft Active Directory Federation Service is Working

  1. Access the Microsoft Active Directory Federation Service Sign In page: https://adfs.example.com/adfs/ls/IdpInitiatedSignOnPage (replace adfs.example.com with your Microsoft Active Directory Federation Service hostname)
  2. If required, select Sign in to this site and click Sign In.
  3. Enter the Microsoft Active Directory credentials for a user that exists on both Microsoft Active Directory Federation Service and Oracle Identity Cloud Service (in this example, csaladna@example.com) and click Sign In.
    AD FS Sign-In form fulfilled. Mouse clicking the Sign-In button
    Description of this image
  4. Confirm that the message You are signed in is displayed.
    AD FS page after authentication with You are signed in message highlighted.
    Description of this image

You are ready to integrate Microsoft Active Directory Federation Service and Oracle Identity Cloud Service.

 

Register Microsoft Active Directory Federation Service as Identity Provider

  1. Access the Microsoft Active Directory Federation Service metadata file: https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml (replace adfs.example.com with your Microsoft Active Directory Federation Service hostname)
  2. Save the FederationMetadata.xml file.
    Tip: You will use this file to register Microsoft Active Directory Federation Service with Oracle Identity Cloud Service.
  3. In the Identity Cloud Service console, expand the Navigation Drawer , click Security, and then click Identity Providers.
  4. Click Add or Add SAML IDP.
  5. Enter a Name and Description for the identity provider and click Next
    Tip: Use a Name and Description that can be easily identified by the users that will be using the identity provider authentication. This helps identifying the identity provider in the login page.
  6. Select Import Identity Provider metadata, and then click Upload. Select the FederationMetadata.xml file, click Open, and then click Next.
    Identity Provider creation page with the Import Provider metadata field highlighted.
    Description of this image
  7. Select Primary Email Address as Oracle Identity Cloud Service User Attribute and Email Address as Requested NameID Format, and then click Next.
    Identity Provider creation page with the Oracle Identity Cloud Service User Attribute and the Requested NameID Format fields highlighted.
    Description of this image
  8. Click Finish.
  9. In the Identity Providers page, confirm the creation of the new identity provider.
    Identity Providers page with the new Identity Provider highlighted.
    Description of this image
  10. In the Identity Cloud Service console, expand the Navigation Drawer, click Settings, and then click Default Settings.
  11. Turn on the Access Signing Certificate option to allow clients to access the tenant signing certificate and the SAML metadata without logging in to Oracle Identity Cloud Service.
  12. Obtain the SAML metadata.To learn about the options to access metadata, see Access SAML Metadata.
  13. Save the file in your local desktop as Metadata.xml

    14. Note: Don't copy the content that appear in the web browser. Save the file instead.

  14. Transfer the Metadata.xml file to the Windows Server where Microsoft Active Directory Federation Service is managed.

At this point, Microsoft Active Directory Federation Service is registered as identity provider in Oracle Identity Cloud Service.
In the next steps, you register Oracle Identity Cloud Service as a trusted relying party in Microsoft Active Directory Federation Service.

 

Register Oracle Identity Cloud Service as a Trusted Relying Party

 

Register the Relying Party

  1. Launch the Microsoft Active Directory Federation Service Management utility (in Windows 2012 Server Manager utility, click Tools, and then click AD FS Management).
  2. Click Action, and then click Add Relying Party Trust....
  3. In the Add Relying Party Trust Wizard window, click Start.
  4. Select Import data about the relying party from a file, and then click Browse.
  5. Select the Metadata.xml (previously downloaded from Oracle Identity Cloud Service), and then click Next.
    Add Relying Party Trust wizard window with the Import data about the relying party from a file section highlighted and mouse over the Next button.
    Description of this image
  6. Enter a display name, provide a description under Notes, and then click Next.
    Add Relying Party Trust wizard window with the display name and notes fields fulfilled.
    Description of this image
  7. Proceed with the default options until you reach the Finish step, and then click Close. The Edit Claim Rules window opens.
    Edit Claim Rule window displayed.
    Description of this image
    Tip: The claim rules define what information from a logged user will be sent from Microsoft Active Directory Federation Service to Oracle Identity Cloud Service after a successful authentication.
 

Configure Claim Rules

In this step, you configure two claim rules for Oracle Identity Cloud Service as a relying party:

  • Email: This rule defines that the email address from users logged in are sent to Oracle Identity Cloud Service.
  • Name ID: This rule defines that the email address are presented as Name ID to Oracle Identity Cloud Service.
  1. In the Edit Claim Rules window, click Add Rule.
  2. Select Send LDAP Attributes as Claims as claim rule template, and then click Next.
  3. Provide the information as follows, and then click Finish.
    4. Email Claim Rule - attributes
    Attribute Value
    Claim rule name Email
    Attribute store Active Directory
    Mapping of LDAP attributes to outgoing claim types
    • LDAP Attribute: E-Mail-Addresses
    • Outgoing Claim Type: E-Mail Address
    Add Transform Claim Rule window displayed with attributes fulfilled plus the finish button highlighted.
    Description of this image
    The Email rule shows in the Edit Claim Rules window.
  4. Click Add Rule....
  5. Select Transform an Incoming Claim as claim rule template, and then click Next.
  6. Provide the information as follows, and then click Finish.
    7. Email Claim Rule - attributes
    Attribute Value
    Claim rule name Name ID
    Incoming claim type E-Mail Address
    Outgoing claim type Name ID
    Outgoing name ID format Email
    Add Transform Claim Rule window displayed with attributes fulfilled plus the finish button highlighted.
    Description of this image
  7. In the Edit Claim Rules for Oracle Cloud window, confirm that both the Email and the Name ID rules are created.
    Claim Rules window with the Email and the Name ID rules displayed.
    Description of this image
  8. Click OK.

At this moment, both Microsoft Active Directory Federation Service and Oracle Identity Cloud Service have enough information to establish Single Sign-On.
In the next steps, you test the Single Sign-On integration.

 

Test and Enable the Identity Provider Connection

In this task, you test the authentication between Oracle Identity Cloud Service and Microsoft Active Directory Federation Service.
If the authentication is successful, you enable the identity provider for end-users.

 

Test the Connection

  1. Restart your browser and access the Identity Cloud Service console.
  2. After logging in, expand the Navigation Drawer , click Security, and then click Identity Providers.
  3. Under the identity provider entry you previously created, click the right side drop down menu, and then click Test. The Microsoft Active Directory Federation Service Login form appears in a new window or tab.
    Identity Provider Page with Test Login link highlighted in the background. AD FS Login page in a foreground with mouse over the Sign-In button.
    Description of this image
  4. Sign in with a user that exists on Microsoft Active Directory Federation Service and Oracle Identity Cloud Service.
  5. Confirm that the message Your connection is successful is displayed.
    Successful connection message in the screen.
    Description of this image
 

Optional: Troubleshoot a Connection

In case you don't have a successful connection, try the following:

  1. If the "Connection Failed" error message is displayed, click Show Assertion Details, and check the SAML error message (xml format).
    Connection Failed page with the Assertion Details section.
    Description of this image
    Look for the messages under the <samlp:Status> and </samlp:Status> tags.
  2. Check the Microsoft Active Directory Federation Service logs in Windows 2012 R2 Server, click Server Manager, and then click AD FS and check the Events table.
    Connection Failed page with the Assertion Details section.
    Description of this image
  3. Check your configuration.
  4. Repeat the test, using a network tracing tool such as the Google developer's tool, the SAML Tracer for Firefox, or Wireshark.
 

Enable the Connection

  1. Return to Identity Cloud Service console's Identity Providers page.
  2. Click on the right side drop down menu of your Identity provider, click Activate and then click Activate in the popup window.
    Identity Providers Page. Activating the IdP.
    Description of this image

The Microsoft Active Directory Federation Service identity provider integration is enabled.

 

Show the Identity Provider on the Login Page

  1. In the Oracle Identity Cloud Service's Identity Providers page, click on the right side drop down menu of your Identity provider, select Show on Login Page, and then click Show in the popup window.
    2. Identity Providers Page. Activating the Federated SSO and the Login Chooser.
    Description of this image

A confirmation message will appear confirming that the identity provider will be shown in the login age, and an eye icon appear to the Identity Provider in the list.

Show On Login Page icon.
Description of this image
 

Add the Identity Provider to the Default Identity Provider Policy

  1. In the Identity Cloud Service console, expand Navigation Drawer , click Security, and then click IDP Policies.
  2. Click the Default Identity Provider Policy.
    Description of this image
  3. Select Identity Providers tab and then click Assign to add the Identity Provider to this policy.
  4. In the Assign Identity Providers dialog, select the Identity Provider that you want to assign, and then click OK.
    Description of this image

    Note: Only Identity Providers that was selected to show on login page appear in this list.

The Identity Provider is displayed in the Default Identity Provider Policy page.
 

Log In to Oracle Identity Cloud Service with Microsoft Active Directory Federation Service Credentials

  1. Restart your browser and access the Oracle Identity Cloud Service console.
  2. Verify that the Login page displays a new login option for login with the external identity provider.
    Oracle Identity Cloud Service login page with a new login option for the external Identity Provider highlighted.
    Description of this image
  3. Click the link to Sign-in with your Identity Provider. The Microsoft Active Directory Federation Service login page is displayed.
  4. Sign in with an user that exists both on Microsoft Active Directory Federation Service and Oracle Identity Cloud Service.
  5. Oracle Identity Cloud Service displays My Apps page for the user.
    6. My apps home page in Identity Cloud Service
    Description of this image
  6. On the top-right corner, click the circle that contains the user initials, and then click My Profile to see more information about the user.

The Microsoft Active Directory Federation Service Identity Provider integration is enabled and fully functional.

 

What's Next? Enforce Federated Access for Specific Users

After enabling the Microsoft Active Directory Federation Server authentication as identity provider, the user logged using Microsoft Active Directory Federation Service credentials can still:
  • Log in to Oracle Identity Cloud Service using the login form within the page instead of using only the Microsoft Active Directory Federation Service authentication.
  • Access Oracle Identity Cloud Service using the Can't sign in? link provided within the login page.
  • Change the user password in Oracle Identity Cloud Service by accessing the Change My Password page.
  • Break the link between Microsoft Active Directory Federation Service and Oracle Identity Cloud Service emails by accessing the Set Email Options page.
To prevent users from performing these actions, you must mark the user as a federated entity.

Important: Ignore this section in case you have an bridge already configured that uses the option Users can login to cloud applications using AD Password option.

 

Manually Mark a User as Federated

  1. Access the Identity Cloud Service console.
  2. Search and open the user entry.
  3. Click the Federated switch, and then click Update User.
    Users page with the Federated switch and the update button highlighted.
    Description of this image
  4. Sign out of Oracle Identity Cloud Service.
 

Mark a User as Federated in the Bridge

In case you have Microsoft Active Directory as identity provider in Oracle Access Manager plus an bridge, you can perform the following steps to mark your Active Directory users as federated.

  1. In the Identity Cloud Service console, click Settings, and then click Directory Integrations.
  2. Click your the Microsoft Active Directory Integration.
    Identity Bridge settings.
    Description of this image
  3. Click Enable federated authentication, save your changes and then sign out the Oracle Identity Cloud Service console.
    Identity Bridge settings with the Federation option highlighted.
    Description of this image
 

Verify the User Access

  1. Restart your browser and access the Identity Cloud Service console.
  2. Sign in with the federated user. Oracle Identity Cloud Service returns the message Invalid user.
    This happens because a federated user cannot log in directly in Oracle Identity Cloud Service.
  3. Return to the login page, sign in with your identity provider credentials.
  4. After logging in, visit your profile and observe that the options Change My Password and Set Email Options are not available.
    User page after login. Change my Password and Set Email Options no longer available.
    Description of this image

This confirms that the federated user cannot circumvent the Microsoft Active Directory Federation Service authentication.

 

What's Next? Multiple Identity Providers

You can configure and activate multiple identity providers by following the same procedure described in this tutorial for the Microsoft Active Directory Federation Services.
You also can mark all the activated identity providers to shows up on the login page as a login option for the users.
 

Want to Learn More?

To learn about the options to access metadata, see Access SAML Metadata.
To learn more about how to configure the Active Directory Identity Bridge (for user synchronization) and how to manage the bridge integrated to the Microsoft Active Directory Federation Service integration, visit: To learn more about how to use other methods for managing Oracle Identity Cloud Service users and groups externally, visit:
 

Credits

  • Developer(s): Frederico Hakamine.
  • Update(s): Felippe Oliveira.