# Oracle

<figure><img src="/files/2vV6ZWr9FyEmNx0XU53E" alt=""><figcaption><p>Identity Domains</p></figcaption></figure>

Go to your Oracle Admin Console and navigate to the Identity Domains Overview page, then select **Applications** as depicted above.

<figure><img src="/files/unFQCTPz515eMSHQ3N0a" alt=""><figcaption><p>Add Application</p></figcaption></figure>

Click on **Add Application**.

<figure><img src="/files/T4xut5U97ee2jzt0IlS6" alt=""><figcaption><p>SAML Application</p></figcaption></figure>

Select **SAML** as the application type.

<figure><img src="/files/x8YojImqWLKx4i76Spzs" alt=""><figcaption><p>SSO Configuration</p></figcaption></figure>

Apply the appropriate settings to the Application Information as needed for your security posture. Click on **Edit SSO Configuration**. Download the **Metadata** and rename the file to **metadata.xml**. Set the **Entity ID** to the URL of your Connection Manager server. For example: **<https://kcm.somedomain.com>**. For the **Assertion Consumer URL**, add **/api/ext/saml/callback** to the end of the domain URL. For example: **<https://kcm.somedomain.com/api/ext/saml/callback>**. Next, set the **Name ID Format** to **Email Address** and the **Name ID Value** to **Primary Email**. Leave the **Signed SSO** setting as **Assertion**. **Uncheck the box** to **Include Signing Certificate in Signature**, and leave the **Signature Hashing Algorithm** as **SHA-256**.

<figure><img src="/files/U2duEXDYtvd6zNoXMhyS" alt=""><figcaption><p>SAML Attributes</p></figcaption></figure>

Assign attributes for **email** as listed above mapped to the value **User Name**. Add another attribute for **groups** with the settings of **Type Value Group Membership** and a **Condition** of **All groups**.

<figure><img src="/files/eIdAHWrjpDUX2nlHi9FP" alt=""><figcaption><p>Assign Users</p></figcaption></figure>

<figure><img src="/files/6o5EUQlSOk9dvjtFq5Nm" alt=""><figcaption><p>Assign Groups</p></figcaption></figure>

Assign **users** and **groups** as appropriate to your SAML application. You'll need to assign at least one user for testing purposes.

**Connection Manager Server Configuration**

Upload the **metadata.xml** file to your KCM server and move it into the directory **/etc/kcm-setup**.

<figure><img src="/files/73TtoByIm85YoElvNKCA" alt=""><figcaption><p>Reconfigure</p></figcaption></figure>

Run the reconfigure command after production hours on your Connection Manager server.

<figure><img src="/files/oqabKkFMWFQhZb4nSAlC" alt=""><figcaption><p>Confirm SAML</p></figcaption></figure>

Answer **Y** when presented with the option to **setup SAML support**.

<figure><img src="/files/p3GFVuPfGaiwAEBl6OL8" alt=""><figcaption><p>Metadata</p></figcaption></figure>

Select **1** for **Local Metadata file**. Then input the path of your **metadata file** as **/etc/kcm-setup/metadata.xml** and press enter. Answer **N** to **Does your SAML IDP require signed requests?** Input your **SAML entity ID** as the URL of your Connection Manager instance. For example: **<https://kcm.somedomain.com>**. Then enter **groups** as the **SAML group attribute**.

<figure><img src="/files/zJcc4mf3oY0CALotMbFQ" alt=""><figcaption><p>Default</p></figcaption></figure>

Choose which setting best applies to your security posture with regard to the **default authentication method**. If you want Just-In-Time provisioning of users, then answer **Y** to **Would you like user accounts to be automatically created for each successful login?**

<figure><img src="/files/784ZE1BiyH23dl7ntFqM" alt=""><figcaption><p>SAML Login</p></figcaption></figure>

Click the **SAML** link to authenticate to the main sign on page.

<figure><img src="/files/1vd0YDgMhKiaiS2N0g4D" alt=""><figcaption><p>User Created</p></figcaption></figure>

Your **user email address** should display in the top right corner after authenticating.

