Oracle Identity Cloud Service Integration with Salesforce
As promised in an earlier blog post, we are continuing our exploration of Oracle Identity Cloud Service (IDCS) this week. In this post, we’ll provide some insight on IDCS integration with Salesforce to achieve Single Sign-On (SSO). The steps involved are described below.
Note: We did not have a Salesforce instance available for this demo, so we used the developer version of Salesforce. The Salesforce developer edition is fairly easy to obtain – just sign up at https://developer.salesforce.com/signup. After signing up, we received an email with the credentials and were set to go.
High-Level Integration Steps
IDCS–Salesforce integration can be achieved using the following steps:
- Create test users in Oracle IDCS.
- Create the same test users in Salesforce as were created in IDCS in Step 1.
- Register the Salesforce Domain.
- Extract Identity Provider Metadata from IDCS and import to Salesforce.
- Extract Service Provider Metadata from Salesforce and import to IDCS.
- Test the login.
Detailed Steps
The details of each step are provided below.
Step 1: Upload users in Oracle IDCS via CSV import. This step is the same as illustrated in the previous blog post on IDCS.
Step 2: Create users in Salesforce.
a. Log in to Salesforce.
b. Click on Manage Users link.
c. Click on Users.
d. Click New User button.
e. Fill in the user details in the form, shown below, making sure that the username is the same as the username in IDCS.
f. Click the Save button and make sure that the newly created user is visible in the list.
Step 3: Register the Salesforce Domain.
a. Log in to Salesforce.
b. Click on Domain Management.
c. Click on My Domain.
d. The My Domain page is shown below.
e. Enter the domain name and click the Check Availability button.
f. Click the Register Domain button.
g. You will receive a confirmation email. Please note that this can sometimes take a day to arrive.
h. To complete the domain registration, follow the instructions in the email.
Step 4: Extract Identity Provider Metadata from IDCS and import to Salesforce.
Follow the steps below to extract the Identity Provider metadata from IDCS.
a. In a browser, open the IDCS metadata endpoint: https://xxxxx.identity.oraclecloud.com/fed/v1/Metadata (xxxxx is your tenant name).
b. Enter your username and password to log in. The metadata XML is displayed.
c. In the browser, click on the File menu and select Save As.
d. Enter the name of the file and click the Save button.
Follow the steps below to Import Metadata to Salesforce.
a. Log in to Salesforce at: https://serene-dev-ed.my.salesforce.com
b. Click on Security Controls, then Single Sign-On Settings.
c. The Single Sign-On settings page is shown below.
d. Click the New from Metadata File button.
e. Enter a name for the identity provider and select the extracted IDCS metadata file.
f. Click the Create Button.
g. Click Save.
h. Click the Edit button.
i. Check the SAML Enabled box. Click Save.
j. The page will look like that shown below.
k. Click on Domain Management > My Domain.
l. Click the Edit button under Authentication Configuration.
m. Click on Deploy to Users button to deploy the domain to the users.
Step 5: Extract Service Provider Metadata from Salesforce and import to IDCS.
Follow the steps below to extract the Service Provider metadata from Salesforce.
a. Log in to Salesforce at: https://serene-dev-ed.my.salesforce.com
b. Click on Security Controls, then Single Sign-On Settings.
c. Click on SAML Single Sign-On Settings.
d. Click the Download Metadata button and save the file.
e. Click on the IDCS MetaData link and note the following values. Also, download the signing certificate.
- logoutRequestUrl
- partnerProviderId
- assertionConsumerUrl
f. Click on Certificate and Key Management.
g. Click the SelfSignedCert_29Dec2016_073349 link from the Certificates panel and click the Download Certificate button to save the file.
Follow the steps below to import the Salesforce SP metadata into IDCS.
a. Obtain an access token from Oracle IDCS as an admin user.
- URL: IDCS token service endpoint
- Headers: Authorization
- Operation: POST
- Data: admin user, password, scope
Example:
b. Use the above access token to invoke the REST API.
- URL: IDCS token service endpoint
- Headers: Authorization
- Operation: POST
- Data: details populated with the service provider SCIM schema
Step 6: Test the login.
a. Log in to Salesforce at: https://serene-dev-ed.my.salesforce.com. You should be redirected to the IDCS login page.
b. Enter username and password.
c. You are now logged in to Salesforce successfully!
Optionally, follow these steps to verify the underlying SAML Exchange.
a. Behind the scenes, the Salesforce service provider sends a signed authentication request to IDCS (which can be seen with the SAML tracer extension in Chrome).
b. IDCS Identity Provider sends a signed assertion response confirming the user’s identity.
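As an added example (not code from the original post), the following Python parses the SP metadata downloaded in Step 5 for the three values noted there plus the signing certificate, and then runs the addressing checks an SP applies to the IdP's signed Response described in the verification step above. The metadata, Response, certificate and the IdP entityID are constructed samples; the real files come from your own Salesforce and IDCS tenants.

```python
"""Parse the Salesforce SP metadata for the values Step 5 asks you to note,
then run the addressing checks an SP makes on the IdP's Response (Step 6).
Added example; metadata, response and certificate are constructed samples."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP = "https://serene-dev-ed.my.salesforce.com"          # SP entityID: the post's My Domain
IDP = "https://xxxxx.identity.oraclecloud.com/fed"        # assumed placeholder IdP entityID
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{SP}">
 <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC...CONSTRUCTED-PLACEHOLDER...</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="{POST}" Location="{SP}/saml/logout"/>
  <md:AssertionConsumerService isDefault="true" index="0" Binding="{POST}" Location="{SP}/acs"/>
 </md:SPSSODescriptor></md:EntityDescriptor>"""

RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" Destination="{SP}/acs">
 <saml:Assertion><saml:Issuer>{IDP}</saml:Issuer>
  <saml:Subject><saml:SubjectConfirmation>
   <saml:SubjectConfirmationData Recipient="{SP}/acs"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{SP}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""

def sp_values(metadata_xml):
    """Return partnerProviderId, assertionConsumerUrl, logoutRequestUrl and the SP signing cert."""
    root = ET.fromstring(metadata_xml)
    sso = root.find("md:SPSSODescriptor", NS)
    cert = sso.find("md:KeyDescriptor[@use='signing']", NS).find(".//ds:X509Certificate", NS)
    return {"partnerProviderId": root.get("entityID"),
            "assertionConsumerUrl": sso.find("md:AssertionConsumerService[@isDefault='true']", NS).get("Location"),
            "logoutRequestUrl": sso.find("md:SingleLogoutService", NS).get("Location"),
            "signingCertificate": cert.text.strip()}

def addressing_problems(response_xml, sp, idp_entity_id):
    """Names of the addressing fields that do not match the SP configuration.
    Signature verification is the SAML library's job and is not shown here."""
    root = ET.fromstring(response_xml)
    a = root.find("saml:Assertion", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    checks = {
        "Destination": root.get("Destination") == sp["assertionConsumerUrl"],
        "Issuer": a.findtext("saml:Issuer", None, NS) == idp_entity_id,
        "Audience": a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", None, NS) == sp["partnerProviderId"],
        "Recipient": scd is not None and scd.get("Recipient") == sp["assertionConsumerUrl"],
    }
    return sorted(name for name, ok in checks.items() if not ok)
```

Run it against the metadata file you downloaded in Step 5 and a Response captured with the SAML tracer to confirm the values IDCS was configured with match what Salesforce actually expects.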
As always, if you have any questions about these steps to Integrate IDCS with Salesforce, please do not hesitate to leave us a comment below!
Hi,
I am looking for the sequence of steps to follow for my solution.
My Env:
3 Oracle Cloud Fusion Applications need to be protected under an SSO solution using IDCS.
Azure AD is active directory and will be used for authentication of AD users.
Non-AD users will be authenticated via IDCS.
So, my scenario is like a Federated Proxy. Can you please help me in identifying the sequence of steps which I need to follow to get this working.
Thanks.
Nikhil Mundra
+91-7201861750
Nikhil,
The setup you have described is a common integration scenario. You should be looking at using AD Bridge for internal users or setting up ADFS with Azure AD and IDCS for self-managed users. Both can be integrated with these Fusion Apps via standard SAML 2.0 integration patterns. For more information, please reach out to our Technology Services division at info@astcorporation.com.