AST Team Successfully Completes Oracle Chatbot Training

Oracle Mobile Cloud Enterprise is a unique industry offering in that it combines both cross-platform mobile development and chatbots into a single comprehensive offering.  Developers can create a chatbot in as little as a few hours and integrate it with various messaging platforms or mobile apps.

Our team recently attended and successfully completed Oracle’s Online Training on Chatbots, learning the ropes of how to build a chatbot and how to best model use cases for maximum customer engagement.  It was exciting to explore the use cases and we hope to showcase some of these in the near future.  In the meantime, you can view this excellent video series on how to model and build your own chatbots!

AST’s Integration team members who attended the Oracle Chatbot training earned completion badges after successfully finishing the training exam.  Congratulations to Sanjay B., Ankit C., Ankesh A., Jignesh P., and Shirish K.!


If you’re lost on where to start with chatbots or wondering how they can help you better engage with customers, let us know!  We can help you!


Managing a SOAP Version Mismatch Issue Using Oracle Service Bus

Recently, we discovered a version mismatch issue in which two SOAP services on different versions (Service-A on SOAP 1.2 and Service-B on SOAP 1.1) were failing to communicate with each other. Here, we explain how to resolve this issue.

Difference between SOAP 1.1 and SOAP 1.2

Before diving into the solution, let’s look at the improvements SOAP Version 1.2 provides over SOAP 1.1.

  1. Offers a clear processing model;
  2. Provides improved interoperability with testing and implementation requirements;
  3. Based on XML Information Set (i.e. It is specified as an Infoset, which is carried from one SOAP node to another, whereas SOAP 1.1 was based on XML 1.0 serialization.);
  4. Offers protocol independence for developers by providing a binding framework;
  5. Includes HTTP binding for improved integration to the World Wide Web;
  6. Delivers a well-defined extensibility model; and
  7. Provides improved support for Web standards.

WSDL changes observed in SOAP 1.2

  1. Namespace Changes: SOAP 1.2 supports the following namespace definition:
  2. SOAP 1.2 uses “application/soap+xml” as the Content Type, whereas SOAP 1.1 uses “text/xml”.
  3. SOAP:Operation and SOAP Binding must be specified in the SOAP 1.2 WSDL.


Now, to overcome the versioning mismatch issue mentioned above, we must follow these steps:

  1. Generate the OSB Proxy as a Message Based Proxy service. This will be based on the XSD with only the “body” part with the required parameters to call Service-A (SOAP 1.2) and Service-B (SOAP 1.1).
  2. Create a Pipeline Service based on the same methodology explained in number 1, above.
  3. In the Pipeline Service, navigate to Message Flow and add a Pipeline Pair – rename it per the process standards.
  4. In the Request Pipeline node, add a Stage and rename it per process standards.
  5. Inside the Stage, add a Service Callout, then browse for the Proxy Service for the wrapper of Service-A or the business service of Service-A. The Service Callout configuration is shown below with the required message to Service-A parameters assigned.
  6. After the above Pipeline Pair is complete, add a Route Node.
  7. Inside the Route Node, add a Routing Operation and configure the same for the Business Service of Service-B.
  8. Inside the Request Actions, assign or replace the Body and Header to make a successful call for the Business Service. The following snapshot illustrates this.
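The envelope rewrite that the pipeline above performs in the Route Node (taking a SOAP 1.2 message built for Service-A and forwarding the body to Service-B over SOAP 1.1) can be shown in a few lines of code. This is an added example, not code from the original post or from Oracle Service Bus; it assumes the two envelope namespaces and Content-Type values defined by the SOAP 1.1 and 1.2 specifications (listed as constants), uses `soap` as an arbitrary prefix for the output, and works on a constructed sample message.

```python
"""Added example (not from the original post or from OSB): rewrite a SOAP 1.2
envelope as SOAP 1.1 (or the reverse) so a callee on the other version accepts
it. Only the envelope-namespace elements (Envelope, Header, Body, ...) move
namespace; the application payload inside Body is left alone."""
import xml.etree.ElementTree as ET

SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace (spec value)
SOAP12_NS = "http://www.w3.org/2003/05/soap-envelope"    # SOAP 1.2 envelope namespace (spec value)
CONTENT_TYPE = {SOAP11_NS: "text/xml", SOAP12_NS: "application/soap+xml"}
VERSION_OF = {SOAP11_NS: "1.1", SOAP12_NS: "1.2"}
NS_OF = {"1.1": SOAP11_NS, "1.2": SOAP12_NS}


def _split_tag(tag):
    """'{uri}local' -> ('uri', 'local'); un-namespaced tags give ('', tag)."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return "", tag


def detect_soap_version(xml_text):
    """Return '1.1' or '1.2' based on the namespace of the Envelope element."""
    tag = ET.fromstring(xml_text).tag
    uri, local = _split_tag(tag)
    if local != "Envelope" or uri not in VERSION_OF:
        raise ValueError("not a SOAP 1.1/1.2 envelope: %s" % tag)
    return VERSION_OF[uri]


def convert_envelope(xml_text, target_version):
    """Re-home every element in the source envelope namespace into the target
    version's namespace. Returns (xml_string, content_type) to send onwards."""
    src_ns = NS_OF[detect_soap_version(xml_text)]
    dst_ns = NS_OF[target_version]
    root = ET.fromstring(xml_text)
    if src_ns != dst_ns:
        for el in root.iter():
            uri, local = _split_tag(el.tag)
            if uri == src_ns:
                el.tag = "{%s}%s" % (dst_ns, local)
    ET.register_namespace("soap", dst_ns)  # 'soap' is just the prefix chosen for output
    return ET.tostring(root, encoding="unicode"), CONTENT_TYPE[dst_ns]


# constructed SOAP 1.2 request of the kind Service-A would accept
SAMPLE_SOAP12 = """<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
  <env:Header/>
  <env:Body>
    <m:getStatus xmlns:m="urn:example:service-a"><m:id>42</m:id></m:getStatus>
  </env:Body>
</env:Envelope>"""

if __name__ == "__main__":
    body, ctype = convert_envelope(SAMPLE_SOAP12, "1.1")
    print("Content-Type:", ctype)
    print(body)
```

Swapping the namespace and Content-Type is enough for a plain request/response body, which is what the Route Node's Body/Header replace does. Faults are the case it does not cover: a SOAP 1.2 fault carries `env:Code`/`env:Reason` while SOAP 1.1 uses `faultcode`/`faultstring`, so error responses coming back from Service-B need their own mapping in the response pipeline.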

As always, if you have any questions regarding this issue or solution, leave us a comment below or contact us at and our team will get back to you.


Configure Password Digest OWSM Security Policy

A familiar constraint we encounter when using Oracle Service Bus (OSB) Business Services is that they are required to be configured with the Username Token policy, where the password should not be text-based; rather, it should be in binary format with Nonce and Creation Time. The password should also use the same Password Digest – SHA Base-64 encoded format – for enhanced security implementation.

This type of security policy is not provided out of the box by Oracle Web Services Manager (OWSM).

This post will explain how to create the correct policy in a few quick steps.

To overcome the above security configuration issue, you will need to:

  1. Configure the WebLogic Server Security Realm providers to use Active types as the Password Digest.
  2. Configure a custom OWSM Security Policy to accept the password type as Password Digest.

Below are the detailed steps for the two high-level processes outlined above.

  1. Configure the WebLogic Server Security Realm providers to use Active types as Password Digest.
    a. Log in to the WebLogic Console, and go to Summary of Security Realms > myrealm > Providers.
    b. Create a new Provider (e.g. Custom GESB Provider) and select Type: DefaultAuthenticator.
    c. Open the newly created provider, go to the Configuration > Provider Specific tab, select the Enable Password Digest checkbox, and save changes.
    d. Go to DefaultIdentityAsserter and select wsse:PasswordDigest in Active Types.
    e. Restart the WebLogic Server.
  2. Configure the out-of-the-box WSM Security Policy for Password Digest.
    a. Log in to the EM Console and go to WebLogic Domain > Web Services > WSM Policies.
    b. Click on “oracle/wss_username_token_client_policy”, then click the Create Like button.
    c. In the General tab, provide the name of the policy, leaving the other settings as is.
    d. In the Assertions tab, select Digest as the Password Type, then select the Nonce Required and Creation Time Required check boxes, and click Save.
    e. The policy you configured should now be ready.
    f. Restart the server.

The newly created OWSM policy can now be attached to your chosen process to provide CSF Key credentials. The policy will automatically create binary passwords and other required parameters.
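To make concrete what the policy above actually puts on the wire, and what the server side has to do with it, here is an added example (not code from the original post or from Oracle Web Services Manager) that builds a WS-Security UsernameToken in PasswordDigest form and verifies one. It assumes the digest rule from the WSS UsernameToken Profile, Base64(SHA-1(nonce + created + password)) over the raw nonce bytes, and the standard wsse/wsu namespace URIs; the nonce, timestamp and credentials are constructed demo values.

```python
"""Added example (not from the original post or from OWSM): client-side
construction and server-side verification of a PasswordDigest UsernameToken,
i.e. the token shape the custom OWSM policy above produces (Digest password,
Nonce Required, Creation Time Required)."""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# standard WS-Security namespace/type URIs (spec values)
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
NONCE_ENC = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
WSU_TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# constructed demo values so the functions can be exercised deterministically
DEMO_NONCE = bytes(range(16))
DEMO_CREATED = "2017-01-01T00:00:00Z"
DEMO_NOW = datetime(2017, 1, 1, 0, 0, 30, tzinfo=timezone.utc)


def password_digest(nonce, created, password):
    """Base64(SHA-1(nonce + created + password)) per the WSS UsernameToken Profile."""
    raw = nonce + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def build_username_token(username, password, nonce=None, created=None):
    """Client side: the fields the OWSM client policy places in the Security header."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(WSU_TIME_FMT)
    return {
        "Username": username,
        "PasswordDigest": password_digest(nonce, created, password),
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
    }


def to_security_header(token):
    """Render the token as the wsse:UsernameToken fragment carried in the SOAP header."""
    return (
        '<wsse:UsernameToken xmlns:wsse="%s" xmlns:wsu="%s">'
        "<wsse:Username>%s</wsse:Username>"
        '<wsse:Password Type="%s">%s</wsse:Password>'
        '<wsse:Nonce EncodingType="%s">%s</wsse:Nonce>'
        "<wsu:Created>%s</wsu:Created>"
        "</wsse:UsernameToken>"
    ) % (WSSE, WSU, token["Username"], DIGEST_TYPE, token["PasswordDigest"],
         NONCE_ENC, token["Nonce"], token["Created"])


def verify_username_token(token, lookup_password, seen_nonces, now=None,
                          max_skew=timedelta(minutes=5)):
    """Server side: recompute the digest from the stored password, reject stale
    Created timestamps and replayed nonces. Returns (ok, reason)."""
    now = now or datetime.now(timezone.utc)
    created = datetime.strptime(token["Created"], WSU_TIME_FMT).replace(tzinfo=timezone.utc)
    if abs(now - created) > max_skew:
        return False, "created timestamp outside allowed window"
    if token["Nonce"] in seen_nonces:
        return False, "nonce replayed"
    password = lookup_password(token["Username"])
    if password is None:
        return False, "unknown user"
    expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], password)
    if not hmac.compare_digest(expected, token["PasswordDigest"]):
        return False, "digest mismatch"
    seen_nonces.add(token["Nonce"])  # remember the nonce for the replay window
    return True, "ok"


if __name__ == "__main__":
    tok = build_username_token("alice", "s3cret", nonce=DEMO_NONCE, created=DEMO_CREATED)
    print(to_security_header(tok))
    print(verify_username_token(tok, {"alice": "s3cret"}.get, set(), now=DEMO_NOW))
```

The verifier explains step 1 of the procedure above: to check a digest the server must recompute it from the user's password, which is why the DefaultAuthenticator has to have Enable Password Digest turned on (it keeps passwords in a form that can be recomputed) before the wsse:PasswordDigest active type will work. The nonce set and the Created window are what make the digest resistant to replay; a digest alone, without both, can be re-sent as-is.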


A Security Exception When Deploying Composites

As part of best practices, a deployer responsible for deploying composites should not need to have the roles and privileges of an administrator; instead, they should be limited to deploying composites.

Selecting the proper roles and privileges to grant deployment rights to this user is slightly confusing and involves changes to the user’s Oracle WebLogic Server enterprise role, as well as their Oracle SOA Suite application role. The following security exception will occur if and when the account used for deployments through JDeveloper lacks the appropriate roles and privileges to complete a deployment:

“Error finding SOA configured servers to deploy archive.
Deployment cannot continue.
Java.lang.SecurityException: MBean attribute access denied.
     MBean: EMDomain:Name=soa-infra,
     Getter for attribute Server
     Detail: Access denied. Required roles: Admin, Operator, Monitor, Deployer, executing subject:   principals[testuser]”


This error occurs because there is no default mapping of roles between Oracle WebLogic Server groups or users and Oracle Enterprise Manager Fusion Middleware Control.

Both the Oracle WebLogic Server enterprise role (for example, Oracle WebLogic Server Monitor) and the Oracle SOA Suite application role (for example, SOAMonitor) are required to use Oracle Enterprise Manager Fusion Middleware Control. If you have only one of these roles, Oracle Enterprise Manager Fusion Middleware Control does not work properly.


The fix is simple and requires assigning the required role in WebLogic Security Realm:

  1. Log in to the WebLogic console as weblogic or as any user with administrative privileges.
  2. Click on “Security Realm” and select “myrealm”.
  3. Select the “Users and Groups” tab.
  4. Select the user which requires access and navigate to the “Groups” tab.
  5. Assign the user to the “Operators” group.

Assigning the required role in Enterprise Manager:

  1. Log in to the WebLogic console as weblogic or as any user with administrative privileges.
  2. Right click on soa-infra and select “Security” -> “Application Roles”.
  3. Add the same user to the “SOAOperator” role.
  4. Navigate to Application Policies (right click on soa-infra -> “Security” -> “Application Policies”) and assign “oracle.fabric.permission.CompositePermission” to the “SOAOperator” role.

The user will now have the necessary privileges for deploying composites through JDeveloper.


Automating CSF Key Credentials Configurations

What are CSF Key Credentials?

A credential store is a repository of security data (credentials). A credential can hold username and password combinations, tickets, or public key certificates.

Credential Store Framework (CSF) is a framework which provides a set of in-built APIs that can be used by applications to create, read, update, and manage the credentials securely.

CSF Uses: 

The credential store is mainly used to store the credentials (username and password) to access the service and the applications.

Use Case Scenario: 

We had a requirement to configure the SOA CSF Key Credentials programmatically using an automated process.


The credential store configuration can be accomplished using a WLST command. In addition, ANT scripts are used for automation.

Step 1: Open a Windows Command Prompt or Linux/Unix Shell Terminal to start the WebLogic Server Administration Scripting Shell utility. Enter the following, depending on the system.

(Windows Command Prompt)

C:\Users\<<username>>> cd <<ORACLE_HOME>>\wlserver\common\bin

C:\<<ORACLE HOME>>\wlserver\common\bin> wlst

(Unix/Linux Shell Terminal)

[oracle@myhost ]$ cd <<ORACLE_HOME>>/wlserver/common/bin

[oracle@myhost bin]$ ./wlst

Step 2: At the WLST utility prompt, connect to the Admin Server.

wlst:/offline> connect('weblogic','welcome1','t3://localhost:7001')

Step 3: Once the user is successfully connected to the Admin Server, the following commands can be executed (see the image below).

(For CSF Key Creation)


(For CSF Key Update)


(For CSF Key Deletion)


Automating CSF Key Credentials

Automation of CSF Key Credential Configuration at deployment time

ANT Scripts can be used to automate CSF Key Credential Configuration at deployment time.

<target name="createCSFKeyCred">
<wlst debug="false" arguments="${admin.username} ${admin.password} ${admin.server} ${map} ${keyCredentialsName} ${user} ${password} ${desc}">
import sys  # the wlst ant task exposes the arguments attribute to the script as sys.argv (index 0 is the script)
adminUser, adminPassword, adminUrl = sys.argv[1], sys.argv[2], sys.argv[3]
print('Connecting to WLST Server')
connect(adminUser, adminPassword, adminUrl)
print('Creating Security Credentials')
createCred(map=sys.argv[4], key=sys.argv[5], user=sys.argv[6], password=sys.argv[7], desc=sys.argv[8])  # OPSS WLST command that adds a key to a credential map
</wlst>
</target>



Creating Your Own IoT Showcase Using Oracle SOA Suite

Oracle Fusion Middleware 12c introduces a wealth of new features and capabilities, and continues to surpass expectations in the realm of performance and scalability as the leading strategic Event Stream Processing Platform from Oracle.

Recently, we worked on showcasing the capabilities of Oracle Fusion Middleware to process and analyze a large volume of high velocity data generated by Internet of Things (IoT) devices in real time.  This use case involved measuring the temperature of shipping containers during transit, and reporting on the status in real time.  Since the container contents were temperature sensitive, the temperature had to be maintained within given upper and lower values.  The ideal solution provides real-time alerts and intelligence allowing the user to flag the shipping carrier and make business decisions (such as either recalling or taking corrective action on the shipment) during transit.

As part of the demo, we built an IoT device using off-the-shelf components.  This device contained temperature, humidity, and location sensors, and was set up in a custom-printed 3D enclosure.  In a typical case, there would be multiple sensors deployed across several locations monitoring and measuring various factors as needed, and relaying this information in real time to the backend system for processing and analysis.  To receive and process data from the IoT device, we built a solution using Oracle Complex Event Processing (Stream Analytics) and Business Activity Monitoring to receive and process this data in real time, and present it as a dashboard.

The following videos provide a high level overview of the use case followed by the actual demo.  In the coming weeks, we will guide you on how to build your very own IoT showcase using the Oracle SOA Suite platform.  Stay tuned!

IoT Introduction and Business Use Case

IoT Demo




Resolving GTC Issues in Oracle Identity Manager

The GTC (Generic Technology Connector) is used to build connectors for target systems like flat-file imports via FTP or SPML-based provisioning over Web Services. It can be used to integrate target systems that do not need complicated provisioning process flows with OIM.

The GTC can be created in OIM using the web-based point-and-click graphical wizard, which clearly shows the user the data flows that are being defined within the connector. This will reduce the deployment timelines.

In this post, we’ll demonstrate how to resolve a GTC issue while configuring a CSV file for use in reconciliation in OIM11gR2 PS3.

Issue: The following issue may occur when saving a newly created Flat File Trusted Generic Technology Connector (GTC), even though the standard steps to create a GTC in OIM are followed.


The corresponding error appears in the OIM diagnostic log:

<Nov 3, 2016 3:09:20 PM IST> <Error> <XELLERATE.WEBAPP> <BEA-000000> <Class/Method: CreateGenConnectorAction/createGenericConnectorSuccess encounter some problems: java.lang.NullPointerException
oracle.iam.platform.utils.ServiceInitializationException: java.lang.NullPointerException at oracle.iam.platform.Platform.getService(
<Nov 3, 2016 3:09:20 PM IST> <Error> <XELLERATE.DATABASE> <BEA-000000> <Class/Method: DirectDB/getConnection encounter some problems: Error while retrieving database connection.Please check for the following

 Database server is running.

 Datasource configuration settings are correct.

java.sql.SQLException: java.sql.SQLException: Exception occurred while getting connection: oracle.ucp.UniversalConnectionPoolException: Cannot get Connection from Datasource: java.sql.SQLRecoverableException: IO Error: Invalid connection string format, a valid format is: “host:port:sid” at com.thortech.xl.util.DirectDB$DBPoolManager.getConnection(

Solution: Correct the maxConnections and url parameter values in the OIM MDS file /db/oim-config.xml, as shown below:

Existing Value:

MaxConnections = 5
Url = jdbc:oracle:thin:@[Host DB IP]:1521/orcl

Sample Expected Value:

MaxConnections = 25
Url = jdbc:oracle:thin:@<OIM_DB_HOST_IP>:<OIM_DB_PORT>/<OIM_DB_SID>

Note: URL value above should contain the correct value of the host, port, and SID of OIM database.
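Because the pool error above is a parse failure on the JDBC string, it is worth checking the two DirectDB values before pushing them through the MBean browser or the import utility. The following is an added example, not code from the original post or from Oracle Identity Manager: it recognises the two host forms the Oracle thin driver accepts, `host:port:SID` and `host:port/service_name` (optionally with a leading `//`), flags placeholders such as `<OIM_DB_HOST_IP>` that were never replaced, and checks MaxConnections against the value the post raises it to. The URLs below are constructed.

```python
"""Added example (not from the original post or from OIM): sanity-check the
DirectDB Url and MaxConnections values before they are applied."""
import re

# host:port:SID form
THIN_SID = re.compile(r"^jdbc:oracle:thin:@(?P<host>[^:/@]+):(?P<port>\d{1,5}):(?P<sid>[^:/]+)$")
# host:port/service_name form, with or without the leading //
THIN_SERVICE = re.compile(
    r"^jdbc:oracle:thin:@(?://)?(?P<host>[^:/@]+):(?P<port>\d{1,5})/(?P<service_name>[^:/]+)$")
PLACEHOLDER = re.compile(r"[<>\[\]]")  # e.g. <OIM_DB_HOST_IP> or [Host DB IP] left unreplaced
MIN_MAX_CONNECTIONS = 25               # the value the post sets MaxConnections to


def parse_thin_url(url):
    """Return the components of an Oracle thin JDBC URL and which form it uses."""
    for form, pattern in (("sid", THIN_SID), ("service_name", THIN_SERVICE)):
        m = pattern.match(url)
        if m:
            return {"form": form, **m.groupdict()}
    raise ValueError("unrecognised Oracle thin JDBC URL: %r" % url)


def check_direct_db(url, max_connections):
    """Return a list of problems; an empty list means the values look sane."""
    problems = []
    if PLACEHOLDER.search(url):
        problems.append("url still contains an unreplaced placeholder")
    else:
        try:
            parsed = parse_thin_url(url)
            if not 1 <= int(parsed["port"]) <= 65535:
                problems.append("port out of range")
        except ValueError as exc:
            problems.append(str(exc))
    if int(max_connections) < MIN_MAX_CONNECTIONS:
        problems.append("maxConnections %s is below %d" % (max_connections, MIN_MAX_CONNECTIONS))
    return problems


if __name__ == "__main__":
    for url, maxc in (("jdbc:oracle:thin:@dbhost:1521:orcl", 25),
                      ("jdbc:oracle:thin:@<OIM_DB_HOST_IP>:<OIM_DB_PORT>/<OIM_DB_SID>", 5)):
        print(url, "->", check_direct_db(url, maxc) or "ok")
```

Run this over the values you are about to save; a URL that the check rejects is one the DirectDB pool will reject at runtime with the same "Invalid connection string format" error quoted above.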

We have two approaches to performing the above changes:

Approach 1: Use the standard EM console.

Approach 2: Use & standard OOB OIM utility.

We’ll go into more detail below.

APPROACH 1 – Using the standard EM console

Using the EM console should be the preferred approach, since it reduces the possibility of making errors in the configuration files. The existing values should be verified and saved as a backup before being changed, using the steps below:

Step 1: Log in to the OIM EM console at http://<EM_HostIP>:<EM_HostPort>/em

Step 2: Click on Identity and Access > OIM > oim(


Step 3: Click on drop down Oracle Identity Manager > System MBean Browser


Step 4: Click on Application Defined MBeans > oracle.iam


Step 5: Click on XMLConfig > Config


Step 6: Click on XMLConfig.DirectDBConfig > DirectDB

Make below changes and click on Apply.

MaxConnections = 25
Url = jdbc:oracle:thin:@<OIM_DB_HOST_IP>:<OIM_DB_PORT>/<OIM_DB_SID>



Step 7: Verify the changes.

APPROACH 2 –  Using & standard OOB OIM utility

If you wish to get your hands dirty and perform the changes manually using the command line, here are the steps. It is recommended that the EM console be used for such changes in order to avoid unnecessary edits. Always make a backup copy of the files you’ll be editing before making any changes.  Use the & standard OOB OIM utility available under $MW_HOME/Oracle_IDM/server/bin.

Please note that the oim-config.xml file will be exported under the standard /db folder (under the sample /tmp/export_04112016 directory). In the steps below, MW_HOME refers to the Middleware installation folder and OIM_ORACLE_HOME refers to the OIM installation folder.

Step 1: Check parameters values in the file under /app/oracle/middleware/Oracle_IDM/server/bin/

Step 2: Go to $MW_HOME/Oracle_IDM/server/bin  & run ./

Below is the folder structure once the export is done successfully:


Step 3: Modify the oim-config.xml file as suggested under the Solution section above, and place it under /tmp/import_04112016/db

Step 4: Go to /app/oracle/middleware/Oracle_IDM/server/bin & run ./

Step 5: Verify the changes using Step 2.

Now, create the GTC again using the standard steps. If the issue persists, restart Admin and OIM-managed server after clearing the temp cache directory.

As always, if you have any questions regarding this process or our provided solution, please do not hesitate to post a comment below, and our team will get back to you.


Tech Shorts – WebLogic Server – EM and Console Slow Response

We recently implemented a complete Oracle Fusion Middleware 12c ( Stack for a client based on Oracle SOA Enterprise Deployment Guide (EDG). The design focus was to implement a highly available and scalable clustered environment which contained OSB, SOA, MFT, OWSM, ESS, BAM managed servers, and a highly available Admin Server. Each of the managed servers had their own dedicated VM with an active-passive Admin Server cluster. We performed extensive tuning and load testing to make sure the system can function under demand.

However, as we migrated to higher environments, the deployments screen would take a long time to render, even though all the deployed applications functioned as expected without any issue. It sometimes resulted in timeouts and would cause application deployments to fail. The overall performance of both the WebLogic Console and Enterprise Manager was sluggish, particularly affecting the deployment screen, with wait times of over 30 mins to render a single click action! If some of the servers were shutdown, the load time would improve slightly, but it was not a viable option to keep the server shut down. From the log files, everything appeared to be normal and there were no error messages.

Working together with Oracle Support, we noticed that in some of the thread dumps and Java Flight Recordings a few of the managed beans took too long to respond, and this was later identified as a known defect. To confirm that this was the issue, we disabled the new thread self-tuning functionality added in this release of WebLogic Server by adding the following JVM start-up parameter to all the WebLogic Servers and restarting them:

-Dweblogic.UseEnhancedIncrementAdvisor=false
After the restart, the WebLogic Console was significantly improved and the deployment screen would load in a few seconds, a great improvement from the 30 minutes before the thread tuning setting was applied.

This verified that the performance issue was due to the newly added functionality, and the temporary workaround was to disable it. At the time of writing this post, Oracle has released a patch that fixes this issue. The high-level steps are as follows:

  1. Remove the -Dweblogic.UseEnhancedIncrementAdvisor=false parameter from the startup parameters of all WebLogic Servers
  2. Apply Patch 23762529 for WLS to all the servers in the domain
  3. Restart all the servers and test by logging in to console and clicking on the Deployments tab
  4. If it works, then apply Patch 24901211 for WLS 12.2.1 to all servers in the domain
  5. Restart all the servers and test

This should resolve the performance issues caused by the new thread self-tuning functionality.


Changing the XELSYSADM Password in OIM 11gR2

It is sometimes necessary to change the password of the Oracle Identity Management (OIM) System Administrator, known as XELSYSADM.  As this user has many dependencies in OIM, the XELSYSADM password needs to be changed using the WLS utility.  Previously (in version 10g), this was a small task, but with the introduction of OIM 11g, new approval workflows, and other special security features, this task can now be somewhat involved and needs to be executed with care.

Some instructions suggest changing the XELSYSADM password from the OIM Identity Console, with a couple of CSF keys from the EM console – that’s it!  This may be true in some cases, but not in all.  If you have LDAP sync enabled or OIM integrated with OAM, following those steps is not enough.  In this case, the best way to change the system admin user password is through the utility.

The utility is available in the <ORACLE_HOME>/server/bin directory.  Running this utility is quite simple, as you just need to provide the values of certain parameters in the file, then run the shell (.sh) file in your Linux environment.  Keep in mind, however, that this is not applicable if your OIM is on a Windows environment.  There is no batch file for a Windows environment.

If we open the script and check a command that this utility is running, we can change the password by simply running a java class file.  This java class file can be directly run, even if your OIM environment is on a Windows box.

The following are common steps to be executed, regardless of environment (e.g., Linux or Windows):

  1. Log in to the EM console with the WebLogic user credentials.
  2. Expand the WebLogic Domain, right click OIAM_domain, and navigate to Security > Credentials.
  3. On the Credentials page, expand ‘oim’ and select ‘sysadmin’, then click on the Edit icon to change the XELSYSADM credentials from the pop-up window.
  4. Repeat step 3, above, for the oim.sysadminmap (CSF key: sysadmin) and (CSF key: OIMAdmin) CSF maps.

Follow the steps below to change the password for the XELSYSADM user (System Administrator or any other user) in a Linux environment:

  1. Open the command prompt.
  2. Go to the <OIM_ORACLE_HOME>/server/bin directory.
  3. Open the file from the <OIM_ORACLE_HOME>/server/bin directory.
  4. Update the following content in the file. (Example values are provided for each attribute present in the file.  These are sample values only; you must change all values as appropriate for your environment.)
  5. Execute the ./ command on the command line. It will ask a couple of questions, as shown below.  Provide the correct input for each question.
  6. A confirmation message should be received after successful execution of the utility.

Follow the steps below to change the password for the XELSYSADM user (System Administrator or any other user) in a Windows environment:

  1. Open the command prompt and run the following command, as appropriate:

    a. Run the command below if you have OIM-OAM integration enabled or LDAP sync enabled:

<JAVA_HOME>/bin/java -Doracle.security.jps.config=<DOMAIN_HOME>\config\fmwconfig\jps-config-jse.xml -DDOMAIN_HOME=<DOMAIN_HOME> oracle.iam.platform.utils.OIMAdminPasswordReset_WLS jdbc:oracle:thin:@<DB_HOST>:<DB_PORT>:<SID> <OIM_SCHEMA_OWNER> xelsysadm ldap://<LDAP_HOST>:<LDAP_PORT> <LDAP_ADMIN_USER> cn=xelsysadm,cn=Users,dc=example,dc=com

    b. If you do not have LDAP sync or OIM-OAM integration enabled, run the command below:

<JAVA_HOME>/bin/java -Doracle.security.jps.config=<DOMAIN_HOME>\config\fmwconfig\jps-config-jse.xml -DDOMAIN_HOME=<DOMAIN_HOME> oracle.iam.platform.utils.OIMAdminPasswordReset_WLS jdbc:oracle:thin:@<DB_HOST>:<DB_PORT>:<SID> <OIM_SCHEMA_OWNER> xelsysadm

(-Doracle.security.jps.config is the standard OPSS property that points the JVM at the domain's jps-config-jse.xml; the OIM jars must also be on the CLASSPATH, as the Linux shell script sets up, or the class will not be found.)

<JAVA_HOME> is e.g. C:\Java\jdk1.7.0_51
<DOMAIN_HOME> is e.g.
<LDAP_HOST> is the server hostname where OID or AD is deployed for LDAP sync
<DB_HOST> is the server hostname of the database server
<DB_PORT> is e.g.
<SID> is e.g.
<LDAP_PORT> is e.g. 3060 for OID

2. After running the command, enter the password for the DB Schema user and LDAP admin user.  Also, enter the new password for XELSYSADM you wish to set.

Enter the following after running the script to complete the password change for XELSYSADM:

  • OIM DB Schema Password
  • LDAP Administrator Password
  • OIM Administrator XELSYSADM new password
  • Re-enter OIM Administrator XELSYSADM new password

As always, if you have any questions about the processes or ideas presented here, please leave us a comment below.


Oracle Identity Cloud Service Integration with Salesforce

As promised in an earlier blog post, we are continuing our exploration of Oracle Identity Cloud Service (IDCS) this week.  In this post, we’ll provide some insight on IDCS Integration with Salesforce to achieve Single Sign-On (SSO).  Herein are the various steps involved in achieving this.

Note:  We did not have a Salesforce instance available for this demo, so we used the developer version of Salesforce.  The Salesforce developer edition is fairly easy to obtain: just sign up on the Salesforce developer site.  After signing up, we received an email with the credentials and were set to go.

High-Level Integration Steps

IDCS–Salesforce integration can be achieved using the following steps:

  1. Create test users in Oracle IDCS.
  2. Create the same test users in Salesforce as were created in IDCS in Step 1.
  3. Register the Salesforce Domain.
  4. Extract Identity Provider Metadata from IDCS and import to Salesforce.
  5. Extract Service Provider Metadata from Salesforce and import to IDCS.
  6. Test the login.

Detailed Steps

The details of each step are provided below.

Step 1:  Upload users in Oracle IDCS via CSV import. This step is the same as illustrated in the previous blog post on IDCS.

Step 2:  Create users in Salesforce.

a.  Log in to Salesforce.

b.  Click on Manage Users link.


c.  Click on Users.


d.  Click New User button.


e.  Fill in the user details in the form, shown below, making sure that the username is the same as the username in IDCS.


f.  Click the Save button and make sure that the newly created user is visible in the list.


Step 3:  Register the Salesforce Domain.

a.  Log in to Salesforce.

b.  Click on Domain Management.


c.  Click on My Domain.


d.  The My Domain page is shown below.


e.  Enter the domain name and click the Check Availability button.


f.  Click the Register Domain button.


g.  You will receive an email confirmation. Please note that this can sometimes take a day to arrive.

h.  To complete the domain registration, follow the instructions in the email.

Step 4:  Extract Identity Provider Metadata from IDCS and import to Salesforce.

Follow the steps below to extract the Metadata from IDCS.

a.  Log in to IDCS at:

b.  Enter username and password to log in.


c.  Click on the File menu and select Save As.


d.  Enter the name of the file and click the Save button.


Follow the steps below to Import Metadata to Salesforce.

a.  Log in to Salesforce at:

b.  Click on Security Controls, then Single Sign-On Settings.


c.  The Single Sign-On settings page is shown below.


d.  Click the New from Metadata File button.


e.  Enter Name of Identity provider and select the extracted IDCS file.


f.  Click the Create Button.


g.  Click Save.


h.  Click the Edit button.


i.  Check the SAML Enabled box. Click Save.


j.  The page will look like that shown below.


k.  Click on Domain Management > My Domain.


l.  Click the Edit button under Authentication Configuration.


m.  Click on Deploy to Users button to deploy the domain to the users.


Step 5:  Extract Service Provider Metadata from Salesforce and import to IDCS.

Follow the steps below to extract the Service Provider Metadata from Salesforce.

a.  Log in to Salesforce at:

b.  Click on Security Controls, then Single Sign-On Settings.


c.  Click on SAML Single Sign-On Settings.


d.  Click the Download Metadata button and save the file.


e.  Click on the IDCS MetaData link and note the following values. Also, download the signing certificate.

  • logoutRequestUrl
  • partnerProviderId
  • assertionConsumerUrl

f.  Click on Certificate and Key Management.


g.  Click the SelfSignedCert_29Dec2016_073349 link from the Certificates panel and click the Download Certificate button to save the file.
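Step 5e asks you to read three values out of the downloaded SP metadata and to fetch the signing certificate separately. The following added example (not code from the original post, from Salesforce or from Oracle IDCS) parses a SAML 2.0 SP metadata document, extracts the values under the names IDCS uses for them (partnerProviderId, assertionConsumerUrl, logoutRequestUrl), and checks that the certificate embedded in the metadata is the same one downloaded from Certificate and Key Management. The metadata document, URLs and certificate bytes are constructed placeholders, not real Salesforce artefacts; only the SAML metadata and XML-DSig namespace URIs are the standard values.

```python
"""Added example (not from the original post, Salesforce or IDCS): extract the
IDCS-side settings from SAML 2.0 SP metadata and cross-check its signing cert
against a separately downloaded copy."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",   # SAML 2.0 metadata namespace (spec value)
    "ds": "http://www.w3.org/2000/09/xmldsig#",     # XML-DSig namespace (spec value)
}


def cert_fingerprint(b64_der):
    """SHA-256 over the DER bytes of a Base64-encoded certificate (PEM body)."""
    der = base64.b64decode("".join(b64_der.split()))
    return hashlib.sha256(der).hexdigest()


def parse_sp_metadata(xml_text):
    """Return the settings IDCS needs, keyed by the names used in step 5e."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    acs_list = sp.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        raise ValueError("no AssertionConsumerService in metadata")
    # prefer the ACS the SP marks as default, otherwise the first one listed
    acs = next((a for a in acs_list if a.get("isDefault") == "true"), acs_list[0])
    slo = sp.find("md:SingleLogoutService", NS)
    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # an absent 'use' means signing and encryption
            certs += [c.text for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {
        "partnerProviderId": root.get("entityID"),
        "assertionConsumerUrl": acs.get("Location"),
        "assertionConsumerBinding": acs.get("Binding"),
        "logoutRequestUrl": slo.get("Location") if slo is not None else None,
        "authnRequestsSigned": sp.get("AuthnRequestsSigned") == "true",
        "signingCertFingerprints": [cert_fingerprint(c) for c in certs],
    }


def metadata_cert_matches(xml_text, downloaded_cert_b64):
    """True when the separately downloaded certificate is one of the signing
    certificates declared in the metadata (catches a swapped or stale file)."""
    return cert_fingerprint(downloaded_cert_b64) in parse_sp_metadata(xml_text)["signingCertFingerprints"]


# constructed placeholders: not real certificates, just bytes with a valid Base64 form
SAMPLE_DOWNLOADED_CERT = base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode()
SAMPLE_OTHER_CERT = base64.b64encode(b"a different constructed placeholder").decode()

# constructed SP metadata in the shape Salesforce's download has; sp.example.com is a placeholder
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/logout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs-legacy" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs" index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>""" % SAMPLE_DOWNLOADED_CERT

if __name__ == "__main__":
    for k, v in parse_sp_metadata(SAMPLE_SP_METADATA).items():
        print(k, "=", v)
    print("cert matches download:", metadata_cert_matches(SAMPLE_SP_METADATA, SAMPLE_DOWNLOADED_CERT))
```

The fingerprint comparison is the check worth keeping in any script that feeds these values into the IDCS REST API: the IdP will only accept signed AuthnRequests from the key named in the metadata, so a metadata file and certificate that do not belong together produce SSO failures that are hard to diagnose after the fact.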


Follow the steps below to import the Salesforce SP Metadata into IDCS.

a.  Obtain an access token from IDCS as the admin user.

URL: IDCS token service end point

Headers: Authorization

Operation: POST

Data: admin user, password, scope



b.  Use the above access token to invoke the REST API.

URL: IDCS token service end point

Headers: Authorization

Operation: POST

Data: Details populated with service provider SCIM schema


Step 6:  Test the login.

a.  Log in to Salesforce at:  You should be redirected to the IDCS login page.


b.  Enter username and password.

c.  User is now logged in to Salesforce successfully!


Optionally, follow these steps to verify the underlying SAML exchange.

a.  Behind the scenes, the Salesforce service provider sends a signed authentication request to IDCS (which can be seen in the SAML tracer plugin in Chrome).

b.  IDCS Identity Provider sends a signed assertion response confirming the user’s identity.


As always, if you have any questions about these steps to Integrate IDCS with Salesforce, please do not hesitate to leave us a comment below!
