Integration with Oracle IDCS (Identity Cloud Service)

Overview

This document describes the procedure to configure the BlockID Admin Console as a passwordless authentication solution for your organization's Oracle IDCS users. This integration will allow your users to log in to the Oracle IDCS application account leveraging their biometrics. The biometric options include Touch ID / Face ID and LiveID.

Before you Begin

You will need the following resources and privileges to complete this integration:

1. Admin access to the following:
   • BlockID Tenant: If your organization is not registered for the BlockID tenant, visit the Sign Up page to set up a free BlockID tenant for your organization. The 1Kosmos representative will create a tenant URL, community, tenant tag, and a license key for your respective organization within the BlockID platform.
   • Oracle IDCS application that supports SAML integration
2. Install on your mobile device:
   • BlockID mobile application (Compatible with iOS and Android devices). Visit BlockID for Android or BlockID for iOS to download the application.

Assumptions

1. With the above prerequisites, you should now successfully be registered and be able to login to:
   • BlockID Admin Console application. Ensure the email address used to log in to this application is the same as the one used to log in to the Oracle IDCS account.
2. Installed and registered the BlockID mobile application.
   • Launch the BlockID mobile application and follow the on-screen instructions to register your app with the BlockID platform to enroll your biometrics. Visit the Enroll Biometrics (Touch ID / Face ID and LiveID) section of the BlockID Mobile Application User Guide for step by step understanding of the biometrics enrollment process within the BlockID mobile application.

There are two sets of configurations that need to be performed to enable this integration:

1. Configure your BlockID Tenant as an Identity Provider (IDP) within the Oracle IDCS application.
2. Configure the Oracle IDCS application as a Service Provider (SP) within your BlockID Tenant.

List of Topics:

1. Configure your BlockID Tenant as an Identity Provider (IDP) within the Oracle IDCS application
2. Configure the Oracle IDCS application as a Service Provider (SP) within your BlockID Tenant
   • Configure the BlockID tenant metadata
   • Set IDP Assertion Claim details
   • Add Oracle IDCS application as a Service Provider
3. Test the SAML Single Sign-On Connection

Configure your BlockID Tenant as an Identity Provider (IDP) within Oracle IDCS

Note:

The following steps will be performed by your Oracle IDCS administrator. Get your tenant's XML metadata file and SSL certificate from your 1Kosmos representative to configure 1Kosmos as an IDP within your company's Oracle IDCS application account.

1. Log in to the ORACLE Cloud instance.
2. From the upper left menu, navigate to Identity & Security > Identity > Federation as shown in the following Figure.

3. Click on the Download this document link of the Oracle metadata XML file at the center bottom of the page.

4. In the Federation section, click Add Identity Provider to begin the federation setup. The Add Identity Provider window is displayed.

5. In the Add Identity Provider window, enter details for the following fields:

   • Name: Enter the appropriate name for the BlockID as an IDP.
   • Description: Enter the appropriate description for the IDP.
   • Select the check box for the SAML 2.0 Compliant Identity Provider option.

6. Upload the BlockID metadata XML file that was received from your 1Kosmos BlockID representative. OR get it from the Configure the BlockID tenant metadata topic.

7. From the Authentication Context Class References list, select urn:oasis:names:tc:SAML:2.0:ac:classes:Password option.

8. Click Continue.
9. In the Identity Provider Group text box, enter admin.
10. From the OCI Group drop-down list, select Administrators.

11. Click Add Provider.

Configure Oracle IDCS application as a Service Provider (SP) within your BlockID Tenant

Configure the BlockID tenant metadata

1. Open the web browser and enter your organization’s BlockID tenant’s metadata URL in the following format: https://<customer_name>.1kosmos.net/default/metadata The XML metadata information file is displayed.

2. From the XML metadata information file, copy and save the values of the following keys to use while performing the Oracle IDCS application SAML integration configuration:

   • entityID: The example of its value is: https:// <customer_name>.1kosmos.net/default/idp1

   • SingleSignOnService URL: https://<customer_name>.1kosmos.net/default/SingleSignOnService

   • SingleLogoutService URL: https://<customer_name>.1kosmos.net/default/SingleSignOnService

   • X509Certificate:

     • Copy the certificate details and save them in the following format:

       -----BEGIN CERTIFICATE-----
       Certificate details
       -----END CERTIFICATE-----

     • Save the certificate with .cert extension.

Set IDP Assertion Claim details

Perform the below-mentioned steps:

1. Login to BlockID Admin Console, navigate to Administration Console > Federation > SAMLv2. The SAMLv2 screen is displayed.
2. In the IDP Assertion Claims Mapping tab, link the appropriate LDAP and Session attribute values to the Claims for each Label.
   • Map the nameIdentifier to email.
   • Click Save.

Note:

These mapped fields will be available in the SAMLv2 > Service Providers > SP Assertion Claims Mapping tab for the imported service provider.

Add Oracle IDCS application as a Service Provider

1. In the SAMLv2 screen, click Service Providers.

2. In the Service Providers List screen, from the One-Click Rapid Service Provider Onboarding section, click on the Oracle IDCS option.

3. In the Onboard Oracle IDCS as a SAMLv2 Service Provider window, enter details for the following fields:

   Note:

   In case, if your client does not share their Oracle IDCS's XML metadata file to 1Kosmos, get the Entity ID and Login URL (SAML Assertion Consumer Service URL) details of their Oracle IDCS application.

   • Application Label: Enter the appropriate name for your organization’s Oracle IDCS application as a service provider.
   • Entity ID: Enter the unique entityId URL specified in your single-sign on settings in the Oracle IDCS application.
   • Login URL: Enter the login URL specified in your single-sign on settings in the Oracle IDCS application.
   • Click Onboard Oracle IDCS.

4. Click on the newly added Oracle IDCS as a service provider link.

5. In the Edit screen:

   • In the SP Core Configuration tab: Check the following details are selected:
     • Select the checkbox for each request/response that should be signed: ensure that the Assertion and Authentication Request options are selected.
     • NameID Value: nameidentifier.
   • In the SP Assertion Claims Mapping tab: Select the checkbox for the following options:
     • nameIdentifier
   • In the SP Service URL End Points tab:
     • Select POST.
     • Ensure Oracle IDCS login URL is added.
   • Click Confirm and Save.

Test the SAML Single Sign-On Connection

1. In your browser, enter your organization’s Oracle IDCS URL. You will be redirected to the BlockID Admin console’s login screen is displayed with the barcode to be scanned from your BlockID mobile app.
2. On the BlockID mobile application’s Home screen, click ‘Scan QR’.
3. Scan the QR code. The confirmation pop-up window is displayed asking to Allow BlockID to access this device’s location?.
4. In the confirmation pop-up window, select Allow only while using the app. The Authentication screen is displayed with the Please authenticate using <Biometric_option> from 1kosmos message.
5. Click Authenticate and perform the appropriate authentication method. The pop-up window is displayed with Thank you! You have successfully authenticated to Log In message upon successful authentication.
6. You will be logged in to your Oracle IDCS account.