Interruption of Federated Authentication for Oracle Cloud: Updating the Service Provider

Recently, Oracle sent out a notification about the shared identity management service provider certificate expiring during February, 2020. In one of our previous blog posts, found here, we discussed this recent notification, where certain identity management Service Provider (SP) certificates that are used in SAML-based authentication will expire soon. The notification is shown below:

Figure 1 – Email from Oracle that explains the shared identity management service provider certificate issue

In this notification, Oracle also provided steps that needed to be taken to avoid a service interruption. We looked at the majority of those steps in our blog post found here. Of the seven steps that were outlined, one through six were steps that were to be performed on the Oracle Cloud Identity & Access Management (IAM) console, a.k.a. “My Services” in Oracle EPM Cloud. The final step in this process is to make an update to the deployment in the Identity Provider (IdP), which is the other end of the Federated Authentication flow in Single Sign-On (SSO) authentication for Oracle Cloud. Since these steps vary based on the IdP technology being used, such as Shibboleth, Active-Directory Federation Services (ADFS), Okta, G Suite, etc., it is not possible to cover them all here. To serve as an example, we will look at how these steps are performed when the IdP is in the Oracle Identity and Access Management (IAM), which is part of Oracle Cloud Infrastructure (OCI) Platform-as-a-Service (PaaS).

To start, follow the steps outlined in the previous blog post, but extract the “Signing Certificate” instead of the entire “Provider Metadata (SAML 2.0)”.

Figure 2 – Illustrates extracting  the “Signing Certificate” rather than “Provide Metadata (SAML 2.0)”

Next, login to the Identity and Access Management (IAM) portal for the Identity Provider (IdP). For the Oracle OCI, one way to get to it by navigating to “Users” -> “identity (Primary)”.

Figure 3 – Where to find the “identity (Primary)” button to get to the IAM portal

Once you click on “identity (Primary)”, click on “Identity Console”.

Figure 4 – Where the “Identity Console” button is located

Click on “Applications” from the Navigation menu on the left. Select the “Application” that serves as the IdP to edit it.

Figure 5 – Illustrates selecting the “Application” that serves as the IdP to edit

Click to “Upload” the “Signing Certificate” that was downloaded from the Oracle Cloud, and “Save”.

Figure 6 – Illustrates uploading the Singing Certificate from the Oracle Cloud

Once the certificate is saved, the IdP application is all set. In the case of some IdP technologies, it may be necessary to restart the IdP application.

Figure 7 – Illustrates the uploaded and saved Signing Certificate

We hope this serves as a helpful guide in performing the steps needed to ensure that your environment continues to function in the manner it is expected to. If you have any questions or concerns regarding this update or the steps here, please feel free to send us an email here. We would love to hear about your experience with this change, or any other part of the Oracle Cloud.

#Metadata #oracle #Interruption #Shibboleth #Okta #OracleCloud #ServiceProviderSPCertificates #ADFS #SAML20 #SSOConfiguration #GSuite #SAMLsigningandfederation #InhouseIdentityProviderIDP #FederatedAuthentication