Administering Oracle Cloud Identity Management


Oracle Cloud
Administering Oracle Cloud Identity Management
Release 17.2
E59052-15
May 2017

Documentation for Oracle Cloud account administrators, security administrators, and identity domain administrators that explains how to configure Federation SSO, how to provision OAuth resources and clients using the self-service user interface (UI), and how to protect Oracle Cloud services using two-legged OAuth, service-to-service authorization.

Oracle Cloud Administering Oracle Cloud Identity Management, Release 17.2, E59052-15

Copyright 2015, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Contents

Preface
  Audience
  Scope of the Guide
  Related Resources
  Conventions

1 Managing Oracle Single Sign-On
  Overview of SSO Configuration Tasks
  Exploring the SSO Configuration Page in My Services
  Configuring Oracle Cloud as the Service Provider
  Configuring an Identity Provider
  Testing SSO
  Problems Identified by Testing SSO
  Enabling SSO
  Enabling Sign In With Identity Domain Credentials
  Removing Users
  Updating SSO Metadata
  Troubleshooting SSO

2 Managing OAuth Resources and Clients
  Exploring the OAuth Administration Page in My Services
  How Do I Set Up OAuth in Oracle Cloud?
  How Do I Administer OAuth in Oracle Cloud?
  Registering New Resources in Oracle Cloud
  Overview of Managing OAuth Resources
  Viewing OAuth Resources
  Updating OAuth Resources
  Deleting OAuth Resources
  Overview of OAuth Client Configuration Tasks
  Overview of Registering OAuth Clients
  Registering Client Information in OAuth
  Registering an Untrusted OAuth Client
  Registering a Trusted OAuth Client
  Importing an OAuth Certificate from a Key Pair
  Extracting a Certificate by Using openssl
  Extracting a Certificate by Using the Certificate Import and Certificate Export Wizards
  Associating a Certificate with an OAuth Client
  Overview of Managing OAuth Clients
  Viewing OAuth Clients
  Updating OAuth Clients
  Managing Client Certificates
  Deleting OAuth Clients
  Troubleshooting OAuth

3 Securing Authorizations in Oracle Cloud
  How Do I Use Authorization Grants?
  Resource Owner Password Credentials Workflow
  Step-by-Step Workflow of the Resource Owner Password Credentials Grant
  Using REST API Calls for the Resource Owner Password Credentials Grant
  Obtaining an Access Token by Using the User Credentials Without a Client Assertion
  Obtaining an Access Token by Using the User Credentials and a JWT Client Assertion
  Client Credentials Grant Workflow
  Step-by-Step Workflow of the Client Credentials Grant
  Using REST API Calls for the Client Credentials Grant
  Obtaining an Access Token by Using a Client Authorization Header
  Obtaining an Access Token by Using a Self-Signed Client Assertion
  User Assertion Workflow
  Using REST API Calls for the User Assertion Grant
  Obtaining an Access Token by Using a Self-Signed User Assertion and the Client Credentials
  Obtaining an Access Token by Using a Self-Signed User Assertion and a Client Assertion
  Successful Authorization
  Authorization Error

Preface

Oracle Cloud Administering Oracle Cloud Identity Management explains how to provision Oracle Single Sign-On (SSO) and configure various OAuth resources and clients using the self-service user interface.

Topics:
• Audience
• Scope of the Guide
• Related Resources
• Conventions

Audience

This guide is intended for Oracle Cloud account administrators and customers buying Oracle Cloud services, who want to configure SSO and Identity Federation using Security Assertion Markup Language (SAML), and manage various OAuth resources and clients.

Scope of the Guide

The tasks explained in the guide include:
• Single Sign-On (SSO)
• OAuth resource management
• OAuth client management

Shared Identity Management (SIM) uses SAML to function as a SAML service provider to the Oracle Fusion Applications SAML identity provider. This is done through Oracle Public Cloud support. In addition, SIM operates as a SAML service provider to federate with a SAML identity provider, such as Oracle Fusion Applications, Oracle Access Management, Microsoft Active Directory Federation Services (ADFS), and Shibboleth.

Related Resources

For additional documentation related to your Oracle Cloud service, visit the Oracle Cloud website at:
http://cloud.oracle.com

Open the Support menu at the top of the page and select Documentation to access the Oracle Cloud Documentation home page. Search or browse the library for documentation specific to your application, infrastructure, or platform cloud service.

Conventions

The following text conventions are used in this guide:

| Convention | Meaning |
|---|---|
| boldface | Boldface type indicates graphical user interface elements associated with an action, or terms defined in text or the glossary. |
| italic | Italic type indicates book titles, emphasis, or placeholder variables for which you supply particular values. |
| monospace | Monospace type indicates commands within a paragraph, URLs, code in examples, text that appears on the screen, or text that you enter. |

1 Managing Oracle Single Sign-On

By implementing Oracle Single Sign-On, your users can access multiple Oracle Cloud services using one set of credentials. Also, logging out of one service logs a user out of all other services.

As administrator, you configure SSO because you want to use identity federation between Oracle Cloud as service provider and an external identity provider. This task requires you to configure Oracle Cloud as service provider, prepare your identity provider, test your SSO configuration, and finally, enable SSO.

Topics:
• Overview of SSO Configuration Tasks
• Exploring the SSO Configuration Page in My Services
• Configuring Oracle Cloud as the Service Provider
• Configuring an Identity Provider
• Testing SSO
• Problems Identified by Testing SSO
• Enabling SSO
• Enabling Sign In With Identity Domain Credentials
• Removing Users
• Updating SSO Metadata
• Troubleshooting SSO

Note: To learn more about the concepts of Oracle Single Sign-On, see About SSO in Understanding Identity Concepts.

Overview of SSO Configuration Tasks

As administrator, you enable SSO so your users can use their company credentials to log in to all applications, including Oracle Cloud applications. This requires you to configure SAML 2.0 between Oracle Cloud and the identity provider.

The following table shows you the steps that you must follow when configuring SSO on the SSO Configuration page from My Services in Oracle Cloud:

| Task | Description | Additional Information |
|---|---|---|
| Configure Oracle Cloud as a service provider. | Go to the Users page and then click the SSO Configuration tab to configure Oracle Cloud as the service provider. | Configuring Oracle Cloud as the Service Provider |
| Configure an identity provider. | After you configure Oracle Cloud as a service provider, you configure your identity provider. | Configuring an Identity Provider |
| Test Single Sign-On. | Test your SSO configuration before enabling SSO. | Testing Single Sign-On |
| Identify problems by testing SSO. | Testing SSO can identify a number of problems that you must fix before you can enable SSO. | Problems Identified by Testing SSO |
| Enable SSO. | You must enable SSO before you can use it. | Enabling SSO |
| Enable sign in with identity domain credentials. | If you want users (such as identity domain administrators) to log in using their identity domain credentials, you must enable this option. | Enabling Sign In With Identity Domain Credentials |
| Remove users. | After you enable SSO, ensure that users do not have credentials in Oracle Cloud. | Removing Users |
| Update SSO metadata. | At some point, after you've enabled SSO in production, you might need to update the SSO metadata. | Updating SSO Metadata |
| Troubleshoot SSO. | If you can't resolve a configuration problem by testing SSO, then you must troubleshoot the configuration. | Troubleshooting SSO |

Exploring the SSO Configuration Page in My Services

The SSO Configuration page in My Services helps Oracle Cloud account administrators and customers buying Oracle Cloud services to configure SSO between your identity provider and Oracle Cloud as the service provider.

What You Can Do from the SSO Configuration Page

The following table describes what you can do from the SSO Configuration page:

| Tool | Description |
|---|---|
| Remove Users | Click Remove Users to remove users that you added in Oracle Cloud before enabling SSO. To learn more about why you should remove these users, see Removing Users. |
| Configure SSO | Click Configure SSO to start a set of tasks to configure an identity provider, service provider, and SSO. To learn more about the configuration steps and the tasks that you must perform, see Managing Oracle Single Sign-On. The Configure an Identity Provider with Oracle Cloud Tutorial Series guides you through the configuration steps for different identity providers. |

What You Can See from the SSO Configuration Page

The SSO Configuration page displays the following information:

| Field | Description |
|---|---|
| SSO status | You can see the status of the SSO configuration when you access the SSO Configuration page. Before configuring SSO, it shows that SSO is Not Configured. You can start configuring SSO between Oracle Cloud and your identity provider. |

Configuring Oracle Cloud as the Service Provider

To configure SSO, start with configuring Oracle Cloud as service provider.

To configure SAML 2.0 SSO between Oracle Cloud as service provider and the identity provider:

1. Go to the My Services dashboard page and click Users. Then click the SSO Configuration tab.
2. Click Configure SSO. The Configure SSO page is displayed.
3. Select whether to import identity provider metadata or enter the provider metadata manually. Your choice depends on whether your identity provider can export metadata.
4. The next step depends on the selection that you made in Step 3.
   a. If your identity provider can export metadata, then you can import the metadata into Oracle Cloud. Select Import Identity Provider metadata. Click Choose File and upload the identity provider metadata file (such as idp_metadata.xml).

   b. For the SSO Protocol field, HTTP POST is recommended and is the default. The SSO Protocol field value refers to the SAML binding that's used. SAML bindings define how the SAML protocols map to the type of transport used. Oracle Cloud supports HTTP POST and HTTP Artifact. The HTTP POST binding defines how SAML protocol messages can be transported as the base64-encoded content of a form control within an HTML form. The HTTP Artifact binding defines how a reference (or artifact) to a SAML request or response is transported over HTTP; the artifact (a small representation of a complete SAML assertion) can be embedded in a URL as a query string parameter, or it can be placed in a hidden form control.
   c. Select the User Identifier field. The user identifier is the Oracle LDAP directory attribute that's used to map the user information contained in the incoming SSO SAML assertion to an Oracle Cloud user. It's either the user's email address or the user ID. Select User's Email Address.
   d. Select the contained in field. If the User Identifier is the user's email address, then the contained in field must be NameID.

   Note: If the User Identifier value is the user ID, then the contained in field must be the SAML attribute, and you must specify the name of the SAML attribute for the contained in field, such as SamAccountName in the case of Microsoft Active Directory Federation Services.

   e. Click Save.
   f. If your identity provider can't export metadata, then you must enter the metadata information manually, which means you must also provide the Issuer ID and SSO Service URL (this is the SAML assertion consumer URL), and indicate whether Global logout should be enabled. You must also load your identity provider's signing certificate and encryption certificate.
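The mapping chosen in steps c and d decides which value of an incoming assertion is looked up against the identity domain, and the federation server additionally requires the assertion itself to carry a digital signature element (the Problems Identified by Testing SSO section lists both failure modes). The following added example, which is not Oracle documentation or product code, applies the two mappings the page allows (email address contained in NameID, or user ID contained in a named SAML attribute such as SamAccountName) to a constructed assertion and reports a Test SSO style result. The assertion, its issuer URL, the directory contents and the signature placeholder are all constructed; a real consumer validates the XML signature cryptographically, whereas this example only checks that the element is present.

```python
# Added example (not Oracle's code): apply the User Identifier / contained in
# mapping from the SSO Configuration page to an incoming SAML assertion, and
# check the assertion carries the digital signature element the federation
# server requires. The assertion and directory below are constructed samples.
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the identity domain's directory: the two Oracle
# LDAP attributes the page lets you map on, keyed by attribute value.
DIRECTORY = {
    "mail": {"alice@example.com": "alice"},
    "uid": {"alice": "alice"},
}

# Placeholder signature element; a real assertion carries a full XML-DSig block.
SIGNATURE_ELEMENT = "<ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>"

SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed-1" Version="2.0">
  <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
  {SIGNATURE_ELEMENT}
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="SamAccountName">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The same assertion with the signature element removed, to show the failure case.
UNSIGNED_ASSERTION = SAMPLE_ASSERTION.replace(SIGNATURE_ELEMENT, "")


def extract_identifier(assertion_xml, user_identifier, contained_in):
    """Return the value the configured mapping selects from the assertion.

    user_identifier is "email" (User's Email Address) or "userid" (user ID);
    contained_in is "NameID" or the name of a SAML attribute.
    """
    root = ET.fromstring(assertion_xml)
    # The federation server rejects assertions without a signature element,
    # even when the enclosing SSO response is signed.
    if root.find("ds:Signature", NS) is None:
        raise ValueError("assertion is not signed: no ds:Signature element")
    if user_identifier == "email":
        if contained_in != "NameID":
            raise ValueError("an email identifier must be contained in NameID")
        node = root.find("saml:Subject/saml:NameID", NS)
        if node is None or not node.text:
            raise ValueError("assertion carries no NameID")
        return node.text.strip()
    if user_identifier == "userid":
        if contained_in == "NameID":
            raise ValueError("a user ID identifier must name a SAML attribute")
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == contained_in:
                value = attr.find("saml:AttributeValue", NS)
                if value is not None and value.text:
                    return value.text.strip()
        raise ValueError(f"assertion carries no attribute named {contained_in}")
    raise ValueError(f"unknown user identifier kind: {user_identifier}")


def map_to_user(assertion_xml, user_identifier, contained_in, directory=DIRECTORY):
    """Resolve the assertion to an Oracle Cloud user name, or raise LookupError."""
    ident = extract_identifier(assertion_xml, user_identifier, contained_in)
    table = directory["mail"] if user_identifier == "email" else directory["uid"]
    user = table.get(ident)
    if user is None:
        raise LookupError(f"no Oracle Cloud user matches identifier {ident!r}")
    return user


def diagnose(assertion_xml, user_identifier, contained_in, directory=DIRECTORY):
    """Test SSO style result: ("ok", user) or ("error", reason)."""
    try:
        return "ok", map_to_user(assertion_xml, user_identifier, contained_in, directory)
    except (ValueError, LookupError, ET.ParseError) as exc:
        return "error", str(exc)


if __name__ == "__main__":
    print(diagnose(SAMPLE_ASSERTION, "email", "NameID"))
    print(diagnose(SAMPLE_ASSERTION, "userid", "SamAccountName"))
    print(diagnose(UNSIGNED_ASSERTION, "email", "NameID"))
    print(diagnose(SAMPLE_ASSERTION, "email", "NameID", {"mail": {}, "uid": {}}))
```

The last two calls reproduce the two outcomes an administrator sees in Test SSO: an assertion without a signature element is refused before any lookup, and a signed assertion whose identifier has no matching SIM user fails with the "couldn't be mapped" condition.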

Configuring an Identity Provider

After you configure Oracle Cloud as a service provider, configure your identity provider in the Configure your Identity Provider Information section of the SSO Configuration page.

1. Go to the Users page and click the SSO Configuration tab. Then scroll down to the Configure your Identity Provider Information section.
2. What you need to configure the identity provider depends on one of the following:
   • If your identity provider can import metadata, export the metadata from the service provider to import into the identity provider by doing the following:
     a. In the Configure your Identity Provider Information section click Export Metadata, then select Provider Metadata.
     b. Save the metadata to a local file as SP_metadata.xml.
   • If your identity provider can't import metadata, then copy and paste the provider ID and URLs into a SAML 2.0 file to be used by the identity provider. Download the certificates from the service provider.
3. Configure your identity provider, using its configuration interface. The configuration steps are specific to each identity provider.
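When the identity provider cannot import metadata (the second alternative in step 2), the provider ID, the endpoint URLs and the certificates have to be transcribed by hand, and a transcription error surfaces only later as a failed test. The following added example, which is not Oracle's code and does not use Oracle's real metadata, parses a constructed SP metadata file with placeholder endpoints under sp.example.com and placeholder certificate bytes, and returns exactly the values to be entered on the identity provider side, together with a SHA-256 fingerprint of each certificate so that what was typed into the identity provider can be checked against the exported file.

```python
# Added example (not Oracle's code): extract the values an identity provider
# needs when it cannot import the exported SP metadata. The metadata document,
# the endpoint URLs and the certificate payloads are constructed placeholders.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Placeholder bytes standing in for DER-encoded X.509 certificates.
SIGNING_B64 = base64.b64encode(b"constructed-signing-cert").decode()
ENCRYPTION_B64 = base64.b64encode(b"constructed-encryption-cert").decode()

SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.com/fed">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SIGNING_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{ENCRYPTION_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/fed/sp/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/fed/sp/acs" index="1" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.com/fed/sp/acs" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _binding_name(uri):
    """Shorten a SAML binding URI to its last segment (HTTP-POST, HTTP-Artifact)."""
    return uri[len(BINDING_PREFIX):] if uri.startswith(BINDING_PREFIX) else uri


def describe_certificate(b64_text):
    """Return the PEM form, SHA-256 fingerprint and DER length of a metadata certificate."""
    der = base64.b64decode("".join(b64_text.split()))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return {
        "pem": "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n",
        "sha256": hashlib.sha256(der).hexdigest(),
        "der_length": len(der),
    }


def summarize_sp_metadata(xml_text):
    """Collect provider ID, endpoints, NameID formats and certificates from SP metadata."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service provider metadata")
    summary = {
        "provider_id": root.get("entityID"),
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "name_id_formats": [n.text.strip() for n in sp.findall("md:NameIDFormat", NS) if n.text],
        "assertion_consumer_services": [
            {"binding": _binding_name(a.get("Binding")), "url": a.get("Location"),
             "default": a.get("isDefault") == "true"}
            for a in sp.findall("md:AssertionConsumerService", NS)],
        "single_logout_services": [
            {"binding": _binding_name(s.get("Binding")), "url": s.get("Location")}
            for s in sp.findall("md:SingleLogoutService", NS)],
        "certificates": {},
    }
    for kd in sp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            # A KeyDescriptor without a use attribute serves both purposes; label it "both".
            summary["certificates"][kd.get("use", "both")] = describe_certificate(cert.text)
    return summary


if __name__ == "__main__":
    info = summarize_sp_metadata(SAMPLE_SP_METADATA)
    print("Provider ID:", info["provider_id"])
    for acs in info["assertion_consumer_services"]:
        print("ACS", acs["binding"], acs["url"], "(default)" if acs["default"] else "")
    for use, cert in info["certificates"].items():
        print(use, "certificate SHA-256:", cert["sha256"])
```

The fingerprint is the practical check for the caveat the page raises elsewhere about copying metadata through the browser: compute it over the exported file, then compare it with the fingerprint the identity provider shows for the certificate it stored.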

Testing SSO

Test SSO to identify any SSO configuration problems.

Go to the Users page and then click the SSO Configuration tab.

1. On the SSO Configuration page in the Test your SSO section, click Test. The Initiate Federation SSO page appears.
2. Click Start SSO. Clicking Start SSO triggers a Federation SSO workflow. You're redirected to the identity provider's login page and challenged for authentication.
3. Log in as an administrator. After the Federation SSO is performed, the result is displayed in the Test SSO page.
4. The next step depends on whether the test is successful:
   • If the test is successful, then proceed to Enabling SSO.
   • If the test is unsuccessful, then view the test results to determine the cause. See Problems Identified by Testing SSO.

Problems Identified by Testing SSO

The Test SSO feature can identify various problems.

The Assertion Couldn't be Mapped to an Oracle Cloud User

This may occur for the following reasons:
• The SIM user corresponding to the identity provider user doesn't exist.
• Oracle Cloud was incorrectly configured to map the incoming SSO assertion.

An Error Occurs When Oracle Cloud Consumes the SAML Assertion

To resolve this problem:
• Ensure that the Oracle Cloud federation server has the latest identity provider metadata and signing certificate.
• If the identity provider encrypts the assertion, ensure that the identity provider has the correct Oracle Cloud encryption certificate.

After Logging Out, the User is Automatically Logged in Again

This typically occurs when Oracle Cloud is wired with the identity provider using HTTP basic authentication, or with a Microsoft Active Directory Federation Services identity provider using Windows Integrated Authentication as the challenge mechanism. Upon logging out and performing the SAML 2.0 logout protocol, the user is automatically logged in again. The identity provider can't log the user out because:
• The browser caches the HTTP basic authentication credentials, and thus the identity provider can't log the browser out.

• The Windows desktop machine where the user is signed in automatically signs in the browser with the Microsoft Active Directory Federation Services identity provider, so the identity provider can't log the browser out.

To resolve this problem, change the authentication mechanism at the identity provider.

The Identity Metadata Fails to Be Uploaded from the Console

To resolve this problem:
• Ensure that the metadata wasn't modified.
• When downloading the metadata from the identity provider, save it using the File > Save As command. That is, don't copy and paste the contents of the browser, because this action modifies the contents of the metadata.

SSO Fails Because the Assertion Isn't Signed

The Oracle Cloud federation server requires the SAML assertion to be signed. Ensure that the assertion is signed and contains a digital signature element, even if the SSO response is signed.

Problems that Can't Be Resolved

If you can't resolve the problem using the Test feature, proceed to Troubleshooting SSO.

Enabling SSO

Until you specifically enable SSO, you can't use it. After SSO is enabled, you should be able to authenticate through the identity provider, after selecting Sign in using your company ID on the Sign In to Oracle Cloud page.

Go to the Users page and then click the SSO Configuration tab. If the status in the Enable SSO section is SSO is Not Enabled, and you tested SSO successfully, and you want to enable SSO, then click Enable SSO to enable SSO for all Oracle Cloud services. Until you do this, SSO isn't enabled.

After you enable SSO, you can disable it from the Enable SSO section of the SSO Configuration page.

Enabling Sign In With Identity Domain Credentials

After SSO is enabled, users typically sign in using their identity provider credentials. If you want your users to be able to sign in with their identity domain (Oracle Cloud) credentials, you need to enable this option.

After you enable SSO, you have the option to allow users to sign in with their identity domain credentials as well. This option is disabled by default because typically, as administrator, you want to force users to log in using their identity provider credentials.

To enable the option for users to sign in with their identity domain credentials:

1. Go to the Users page and then click the SSO Configuration tab.
2. Go to the Enable Sign In to Oracle Cloud Services with Identity Domain credentials section. Click Enable.

3. A confirmation window appears informing you that after enabling, users that do have credentials in their identity domains (for example, identity domain administrators) will be able to sign in to Oracle Cloud services using either their identity provider or identity domain credentials.

Note: You can't enable signing in with identity domain credentials if SSO was auto-configured for your system. The Enable Sign In to Oracle Cloud Services with Identity Domain credentials button is disabled in this case.

After you enable sign in to Oracle Cloud with identity domain credentials, you can disable it from the Enable Sign In to Oracle Cloud Services with Identity Domain credentials section of the page. This is necessary if you want to force users to sign in only with their identity provider credentials.

Removing Users

Remove all users without the identity domain administrator role after you enable SSO.

After you enable SSO, only users that have the identity domain administrator role or were created before SSO was enabled have credentials in Oracle Cloud. To avoid maintaining credentials in two places after enabling SSO, you typically delete the existing users and then reimport them. This step ensures that the users don't have credentials in Oracle Cloud and can access Oracle Cloud applications only with their company credentials.

To delete all users that don't have the identity domain administrator role assigned:

1. Go to the Users page and then click the SSO Configuration tab.
2. Click Remove Users.
3. A window appears confirming that all users without the identity domain administrator role will be removed, and that this operation can't be undone.
4. Click Remove Users to remove all users who don't have the identity domain administrator role assigned.
5. A window displays the progress of the removal process, and then the number of users removed.

Updating SSO Metadata

After you've enabled SSO in production, you might want to update the SSO metadata. Reasons for updating the metadata include:
• The identity provider or service provider certificate has expired.
• The identity provider or service provider key has been compromised.
• The identity provider URL endpoints need to be updated.

If any of these reasons applies, then:

1. Schedule an update of the SSO metadata in advance, because it requires an outage.
2. Disable SSO using Disable SSO.

3. Update the identity provider or service provider metadata as needed.
4. Test the configuration, as described in Testing SSO.
5. After testing shows that SSO is working correctly, reenable SSO by clicking Enable SSO as described in Enabling SSO.

Troubleshooting SSO

If you can't resolve a configuration problem by using the Test feature, then troubleshoot the configuration by following these steps.

1. Review the Known Issues guide for any similar problem.
2. Review any changes made on the identity provider and Oracle Cloud service provider before the problem appeared in the SSO workflow.
3. Capture an HTTP trace of the SSO workflow, using a tool such as the Fiddler Web Debugging Tool.
4. Review the workflow to determine the point where the SSO workflow terminated and which identity-related components are involved: identity provider, service provider, web tier, gateways, proxies, and firewalls.
5. Review the protocol messages and component logs to identify exceptions.
6. Go to My Oracle Support to review known issues and find out if your problem exists there.
7. If you've performed all troubleshooting steps and you're confident that the problem is due to Oracle Cloud, then contact Oracle Support Services. Be ready top
