SSO With OCI and Okta

In this tutorial, you set up Single Sign-On between OCI and Okta, where Okta acts as the identity provider (IdP) and OCI IAM is service provider (SP).

This 15 minute tutorial shows you how to set up Okta as an IdP, with OCI IAM acting as SP. By setting up federation between Okta and OCI IAM, you enable users' access to services and applications in OCI IAM using user credentials that Okta authenticates.

  1. First, gather the information needed from OCI IAM.
  2. Configure Okta as an IdP for OCI IAM.
  3. Configure OCI IAM so Okta acts as IdP.
  4. Create IdP policies in OCI IAM.
  5. Test that federated authentication works between OCI IAM and Okta.
Before You Begin

To perform either of these tutorials, you must have the following:

You gather the additional information you need from the steps of each tutorial:

  • Get the OCI IdP metadata and the signing certificate for the identity domain.
  • Get the identity domain's signing certificate.
1. Get the OCI Identity Provider Metadata and the Domain URL

You need the IdP SAML metadata from your OCI IAM identity domain to import into the Okta application you create. OCI IAM provides a direct URL to download the metadata of the identity domain you are using. Okta uses the OCI domain URL to connect to OCI IAM.

  1. Open a supported browser and enter the Console URL:

  2. Enter your Cloud Account Name, also referred to as your tenancy name, and click Next.
  3. Select the identity domain to sign in to. This is the identity domain that is used to configure SSO, for example Default.
  4. Sign in with your username and password.
  5. Open the navigation menu and click Identity Security. Under Identity, click Domains.
  6. Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, click Security and then Identity providers.
  7. Click Export SAML metadata.

    Download SAML metadata

  8. Select the Metadata file option, and click Download XML.

    Download the XML file

  9. Rename the downloaded XML file to OCIMetadata.xml.
  10. Return to the identity domain overview by clicking the identity domain name in the breadcrumb navigation trail. Click Copy next to the Domain URL in Domain information and save the URL. This is the OCI IAM domain URL which you will use later.

    The domain information showing where the Domain URL information is.

2. Create an App in Okta

Create an app in Okta, and make a note of values you'll need later.

  1. In the browser, sign in to Okta using the URL:

    where <OktaOrg> is the prefix for your organization with Okta.

  2. In the left menu, click Security and choose Applications and then click Browse App Catalog.
  3. Search for Oracle Cloud and select Oracle Cloud Infrastructure IAM from the options available.
  4. Click Add Integration.
  5. Under General settings, enter a name for the application, for example OCI IAM, and click Done.
  6. In the application details page for your new application, click the Sign On tab, and under SAML Signing Certificates click View SAML setup instructions.
  7. On the View SAML setup instructions page, make a note of the following:
    • Entity ID
    • SingleLogoutService URL
    • SingleSignOnService URL
  8. Download and save the certificate, with a file extension of.pem.
3. Create Okta as an IdP in OCI IAM

Create an IdP for Okta on the OCI Console.

  1. In the OCI Console in the domain you are working in, click Security and then Identity providers.
  2. Click Add IdP, then click Add SAML IdP.
  3. Enter a name for the SAML IdP, for example Okta. Click Next.
  4. On the Exchange metadata page, ensure that Enter IdP metadata is selected.
  5. Enter the following from step 8 in 2. Create an App in Okta:
    • For Identity provider issuer URI: Enter the Enter ID.
    • For SSO service URL: Enter the SingleSignOnService URL.
    • For SSO service binding: Select POST.
    • For Upload identity provider signing certificate: Use the .pem file of the Okta certification.

      Exchange metadata page of create SAML identity provider

    Further down the page, ensure that Enable Global logout is selected, and enter the following.

    • For IDP Logout Request URL: Enter the SingleLogoutService URL.
    • For IDP Logout Response URL: eEnter tbhe SingleLogoutService URL.
    • Ensure that the Logout binding is set to POST.

      additional configuration

  6. Click Next.
  7. On the Map attributes page:
    • For Requested NameId format, choose Email address.
    • For Identity provider user attribute: Choose SAML assertion Name ID.
    • For Identity Domain user attribute: Choose Primary email address.
  8. Click Next.
  9. Review, and click Create IDP.
  10. On the What's Next page, click Activate, then click Add to IdP policy.
  11. Click Default Identity Provider Policy to open it, then click the Actions menu (Actions Menu) for the rule and click Edit IdP rule.
  12. Click in Assign identity providers and then click Okta to add it to the list.
  13. Click Save changes.
  14. Download the SP Certificate:
    • In the OCI Console in the domain you are working in, click Security and then Identity providers.
    • Click Okta.
    • On the Okta IdP page, click Service Provider metadata.
    • Click Download next to Service Provider signing certificate to download the SP signing certificate and save it.
4. Configure Okta
  1. In the Okta console, click Application then click the new application OCI IAM.
  2. Go to the Sign On tab and click Edit.
  3. Select Enable Single Logout.
  4. Browse to the certificate you downloaded from the OCI IAM Console in the previous step, and click Upload.
  5. Scroll down to Advance Sign-on Settings.
  6. Enter the following:
  7. Click Save.
  8. Go to the Assignments tab and assign users who you want to have access to this application.
  9. Click Next.
5. Test Single Sign On
  1. Enter the Console URL:

  2. Enter your Cloud Account Name, also referred to as your tenancy name, and click Next.
  3. Sign in with your username and password.
  4. Select the domain that you configured Okta IdP for.
  5. On the sign-in page, click the Okta icon.
  6. Enter your Okta credentials. You are signed in to the OCI Console.
What's Next

Congratulations! You have successfully set up an SSO between Okta and OCI IAM in two different ways.

To explore more information about development with Oracle products, check out these sites: