Interruption of Federated Authentication Flow for Oracle Cloud
Recently, Oracle sent out an advisory that the certificate of its shared identity management service provider expires in February 2020. This certificate is the one used for SAML signing in the federation, so once it expires, the federated authentication flow initiated by the service provider fails with a signature mismatch. In simpler terms: do you have Single Sign-On configured in your Oracle Cloud instance to authenticate against your in-house Identity Provider (IDP), such as Shibboleth or ADFS? If so, the setup will stop working unless you update the Service Provider (SP) certificate in your IDP before February 20th, 2020.
While the recent notification seems to apply only to the US2 or US Central (Chicago) Data Center, it is inevitable that other Data Centers will be affected in the not-so-distant future. If you are affected, the Administrators for your subscription will be notified by Oracle. The image below shows the content of the email explaining the issue.
Figure 1 – Email from Oracle that explains the shared identity management service provider certificate issue
Do not worry, for Oracle also included the steps to fix the issue in the notification email. Let's take a look at them:
1. Log in to the Oracle Cloud Console (My Services dashboard) using the following URL: https://www.oracle.com/cloud/sign-in.html. Enter your Identity Domain ID and then your login credentials to sign in.
2. Under the "Navigation" menu at the upper left side of the screen, click on "Users" under Account Management.
Figure 2 – Where “Users” is located in Oracle Cloud
3. Click on “SSO Configuration”.
Figure 3 – Where to find “SSO Configuration” once you are on the “Users” page
4. On this page, you will see a section called “Configure your Identity Provider Information”. In this section, you will see the “Export Metadata” button.
Figure 4 – Where you can find the “Export Metadata” button in the “Configure your Identity Provider Information” section
5. Click the "Export Metadata" button and choose the option "Provider Metadata (SAML 2.0)".
Figure 5 – Illustrates the “Provider Metadata (SAML 2.0)” option
6. The Oracle Cloud Console metadata will be downloaded automatically. Save it on your local machine.
Figure 6 – Illustrates the download of the Oracle Cloud Console metadata file
7. Import this file into your Identity Provider (IDP) service. The details of this step depend on the technology you are using, such as Shibboleth or ADFS. The exported metadata carries the SP's new signing certificate, so after importing it, confirm that the IDP has actually reloaded its SP metadata and test an SP-initiated login before the old certificate expires. In a follow-up blog, we will show the steps to take if the IDP is Oracle Identity Cloud Service (IDCS).
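Before handing the exported file to the IDP, it is worth checking that it really contains a different, unexpired signing certificate and that nothing else you rely on (entityID, AssertionConsumerService endpoints) has changed. The script below is an added example written for this post, not Oracle tooling or code from the notification. It compares an old and a new SP metadata file using only the Python standard library, reading each certificate's notAfter with a minimal DER walk so no third-party X.509 library is needed. The two metadata documents and the certificate-shaped DER blobs it feeds itself are constructed inline for the demonstration (they are not real Oracle certificates, and the entity ID and URLs are placeholders); point `compare_metadata` at the old and new files you downloaded to use it for real.

```python
"""Compare old and new SAML 2.0 SP metadata before importing the new file into the IDP.

Added example: the metadata documents and the DER blobs below are constructed
sample data, not Oracle's real metadata or certificates.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _der_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length (real certs are > 127 bytes)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _der_children(buf, start, end):
    """Yield the (tag, value_start, value_end) of each element inside a constructed type."""
    pos = start
    while pos < end:
        tag, vstart, vend = _der_tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def cert_not_after(der):
    """Return notAfter of a DER X.509 certificate as an aware UTC datetime.

    Layout: Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
    serialNumber, signature, issuer, validity SEQUENCE { notBefore, notAfter }, ... }, ... }
    """
    _, tbs_pos, _ = _der_tlv(der, 0)                  # outer Certificate SEQUENCE
    _, tbs_start, tbs_end = _der_tlv(der, tbs_pos)    # tbsCertificate SEQUENCE
    fields = list(_der_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                          # skip explicit [0] version if present
        fields = fields[1:]
    _, v_start, v_end = fields[3]                     # validity
    tag, s, e = list(_der_children(der, v_start, v_end))[1]   # notAfter
    text = der[s:e].decode("ascii")
    # 0x17 = UTCTime (YYMMDDHHMMSSZ, %y maps 00-68 to 20xx), 0x18 = GeneralizedTime (YYYY...)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def signing_certs(metadata_xml):
    """Return {sha256_fingerprint: notAfter} for every signing cert of the SP in the metadata."""
    root = ET.fromstring(metadata_xml)
    certs = {}
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":     # a KeyDescriptor without 'use' covers signing too
            continue
        for x in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode(re.sub(r"\s+", "", x.text or ""))
            certs[hashlib.sha256(der).hexdigest()] = cert_not_after(der)
    return certs


def compare_metadata(old_xml, new_xml, now=None):
    """Report what changed between the old and the new SP metadata and whether the certs are live."""
    now = now or datetime.now(timezone.utc)
    old_root, new_root = ET.fromstring(old_xml), ET.fromstring(new_xml)
    old_certs, new_certs = signing_certs(old_xml), signing_certs(new_xml)

    def acs(root):
        return sorted(e.get("Location") for e in root.iterfind(".//md:AssertionConsumerService", NS))

    return {
        "entity_id_same": old_root.get("entityID") == new_root.get("entityID"),
        "acs_same": acs(old_root) == acs(new_root),
        "new_cert_fingerprints": sorted(set(new_certs) - set(old_certs)),
        "all_new_certs_valid": bool(new_certs) and all(exp > now for exp in new_certs.values()),
        "old_cert_expired": any(exp <= now for exp in old_certs.values()),
    }


# ---- constructed sample data (hypothetical entity ID and URLs) ---------------------------
def _tlv(tag, body):
    """Minimal DER encoder used only to build the synthetic sample below."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def synthetic_cert(not_after_utctime):
    """Certificate-shaped DER (unsigned, NOT a real certificate) with the given notAfter."""
    validity = _tlv(0x30, _tlv(0x17, b"200101000000Z") + _tlv(0x17, not_after_utctime.encode()))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")   # version v3, serialNumber
           + _tlv(0x30, b"") + _tlv(0x30, b"") + validity)          # signature, issuer placeholders
    return _tlv(0x30, _tlv(0x30, tbs))


def sample_metadata(entity_id, cert_der):
    """Constructed SP metadata in the shape of the exported 'Provider Metadata (SAML 2.0)'."""
    b64 = base64.b64encode(cert_der).decode()
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{entity_id}">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


OLD_METADATA = sample_metadata("https://sp.example.invalid/saml", synthetic_cert("200220000000Z"))
NEW_METADATA = sample_metadata("https://sp.example.invalid/saml", synthetic_cert("350220000000Z"))

if __name__ == "__main__":
    for key, value in compare_metadata(OLD_METADATA, NEW_METADATA).items():
        print(f"{key}: {value}")
```

A report where `entity_id_same` and `acs_same` are true, `new_cert_fingerprints` lists exactly one entry and `all_new_certs_valid` is true is what you want to see before the import; anything else means the exported file is not a plain certificate rotation and deserves a closer look before it goes into the IDP.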
In the meantime, if you have any questions or concerns regarding this update, please feel free to send us an email here. We would love to hear about your experience with this change, or any other part of the Oracle Cloud.
Update as of January 28, 2020: Click here to view the follow-up blog post on the steps to take if your IDP is Oracle Identity Cloud Service (IDCS).