When I went to implement federated single sign-on (SSO) between Oracle Access Manager (OAM) and Google Suite (G Suite), where OAM was going to act as my identity provider (IdP) and G Suite as my service provider (SP), I figured that it was going to be a fairly painless process, given the standard configuration options that most federated enterprise single sign-on applications require (i.e. exporting and exchanging metadata, attribute mapping, etc.).
However, I found it a little different if you want to use G Suite as an IdP, as opposed to configuring G Suite as an SP. This is mainly because there is more detail available on how to implement G Suite as an IdP than as an SP. If you are not very familiar with SSO with G Suite, the options provided for setting up a third-party IdP (although they may seem straightforward) can leave you puzzled, especially since there is no explicit option to export G Suite SP metadata or to import IdP metadata from a third party.
Despite the limited options available for setting up a third-party IdP in G Suite, I was able to successfully configure SSO using OAM as an IdP and G Suite as an SP through some trial and error. The following describes my base configuration and setup. You may find this to be a useful reference.
Access Manager (OAM) as the Identity Provider (IdP)
Log in as your Google Admin user (http://admin.google.com) and select the "Security" option.
Under Security, select the "Set up single sign-on (SSO)" option.
Select the "Setup SSO with third party provider" checkbox.
Provide the following:
Sign-in page URL: URL to initiate Federation sign-in to Google Suite with OAM (e.g. http://[HOSTNAME]:[PORT]/oamfed/idp/initiatesso?providerid=google.com&returnurl=https://accounts.google.com)
Sign-out page URL: Logout page for Federation sign-out from OAM (e.g. http://[HOSTNAME]:[PORT]/fed/user/logout)
Change password URL: Leave Blank
Verification Certificate: Upload the certificate exported from the OAM keystore. (Note: The certificate file must be an X.509-formatted certificate with an embedded public key. The certificate is contained in the .oamkeystore. The keystore in use can be confirmed by logging into the OAM admin console under Configuration -> Settings -> View Federation -> Federation Settings.)
To export this certificate from the OAM keystore, do the following from the OAM server:
Extract certificate from OAM keystore
Before you connect to the keystore, you need to know the OAM keystore password. Recover the OAM keystore password by following the steps in this blog post.
Upon retrieving the OAM keystore password, export the certificate using the following Java keytool command:
./keytool -exportcert -alias "stsprivatekeyalias" -storetype JCEKS -keystore /app/oracle/admin/domain/aserver/OAMDomain/config/fmwconfig/.oamkeystore > oam.cert
(Note: The alias used for the Signing and Encryption Key is called "stsprivatekeyalias". This alias is the keystore reference to the certificate, and we need it in order to export the certificate file.)
Upload the oam.cert file (verification certificate) into Google Suite.
Google Suite as the Service Provider (SP)
Under Set up single sign-on (SSO) in the Google Admin console, click on DOWNLOAD CERTIFICATE under Certificate 1. (Note: Save this certificate; it will be uploaded to OAM as part of the Google Suite SP configuration.)
Log into the OAM Admin console. Click on the Federation option, then click on Identity Provider Management.
Create a new Service Provider Partner and fill out the following:
Name: The name of the Service Provider (e.g. Google Suite). Make sure "Enable Partner" is checked.
Service Details: Select Enter Manually radio button
Provider ID: google.com
Assertion Consumer URL: https://www.google.com/a/[your G Suite Domain]/acs
Logout Request URL: http://[OAMHOST:PORT]/oamfed/idp/initiatesso?providerid=google.com&returnurl=https://accounts.google.com
Load Signing Certificate: Upload the certificate downloaded from Google Suite
NameID Format: Email Address
NameID Value: User ID Store Attribute: uid
Single Sign-On with Google Suite
Federate to Google Suite (http) using the following URL: