Federation (Optional)

Learn how to set up identity federation for Oracle Database@Google Cloud.

Setting up identity federation for Oracle Database@Google Cloud is optional. Federation lets users sign in to the OCI tenancy associated with the service using Google Cloud IAM & Admin credentials. While most day-to-day database operations are performed in the Google Cloud environment and don't require the use of the Oracle Cloud Console, some database management tasks do require signing in to OCI.

Use the following instructions to make Google Cloud IAM & Admin the identity provider for the OCI tenancy.

  1. In the Oracle Cloud Console, navigate to Identity & Security, then select Domains.

    An image showing the OCI Console Identity and Security page.
  2. In the Domains list view, select the name of the "Default" domain to open the domain details page. Optionally, you can select another domain to configure single sign-on (SSO) for that domain.

    An image of the Oracle Cloud Console list view for Identity domains.
  3. Select Security in the Identity domain Overview page's left navigation menu.

    An image showing the Identity domain Security page on the Oracle Cloud Console.
  4. On the Security page for the domain, select Identity providers in the left navigation menu.

    An image of the Domain security page on the Oracle Cloud Console.
  5. On the Identity providers page, select Add IdP, then select Add SAML IdP.

    An image of the Oracle Cloud Console showing the Identity providers page and the selection of the Add SAML IdP operation.
  6. Enter the Name that you want to display on the OCI login page when using Single sign-on (SSO) to access the Oracle Cloud Console. Optionally, you can add a Description. Select Next to continue.

    Leave this window or tab open while you perform the next steps that require the Google Cloud admin Console.

    An image of the Oracle Cloud Console showing the Add SAML identity provider screen.
  7. From the web browser, open another tab or window and navigate to the Google Cloud admin Console at https://admin.google.com/ac/apps/unified.

    An image of the Google Cloud admin Console.
  8. Select Add custom SAML app from the Add app menu.

    An image of the Add custom SAML app menu selection.
  9. Enter the following details and select Continue:
    • App name: OracleCloudFederation
    • Description: Configures identity federation between Google Cloud and Oracle Cloud for Oracle Database@Google Cloud use.

    An image of the App details form for the SAML app.
  10. Under Option1: Download IdP metadata, select DOWNLOAD METADATA.

    An image of the IdP metadata download option in the Google Cloud admin Console.

    Select CONTINUE. Leave this window or tab open while you perform the next steps in the Oracle Cloud Console.

    An image of the IdP metadata download screen in the Google Cloud admin Console.
  11. Return to the window or tab that displays the Oracle Cloud Console. Select Import IdP metadata, then select Upload metadata XML file. In the Upload identity provider metadata section, select "select one...", then navigate to the XML file downloaded from the Google Cloud admin console in the previous step and upload the file.

    An image of the Oracle Cloud Console showing the Add SAML identity provider page.
  12. Select Export SAML metadata.

    An image of the Oracle Cloud Console Add SAML identity provider page.
  13. On the Export SAML metadata dialog, select Manual export. Copy the Provider ID and Assertion consumer service URL values into a notepad file on the local machine. Leave this window or tab open while you perform the next steps that require the Google Cloud admin console.

    An image of the Export SAML metadata dialog in the Oracle Cloud Console.
  14. Return to the tab or window displaying the Google Cloud admin console. On the Service provider details page, enter the following:

    • ACS URL: Enter the "Assertion consumer service URL" value copied from the Oracle Cloud Console in the previous step.
    • Entity ID: Enter the "Provider ID" value copied from the Oracle Cloud Console in the previous step.

    Select CONTINUE.

    An image of the Google Cloud admin Console Service provider details page.
  15. On the Attribute mapping page, select ADD MAPPING.

    An image of the Google Cloud admin Console Attributes page.
  16. Add the following attribute mappings:

    • First name → FirstName
    • Last name → LastName
    • Primary email → PrimaryEmail

    For example, for the Basic Information attribute "First Name", enter the App attribute FirstName.

    An image of the Google Cloud admin Console Attributes mapping.
  17. On the Attribute mapping page, in the Group membership section, add the following groups created for role-based access control (RBAC). The App attribute for the groups is MemberOf. Select FINISH to continue.

    • odbg-exa-infra-administrators
    • odbg-vm-cluster-administrator
    • odbg-exa-cdb-administrators
    • odbg-exa-pdb-administrators
    • odbg-dbmgmt-administrators
    • odbg-adbs-db-administrators
    • odbg-db-family-administrators
    • odbg-network-administrators
    • odbg-costmgmt-administrators
    • odbg-db-family-readers
    • odbg-network-readers
    • odbg-metrics-readers

    An image of the Google Cloud admin Console Group membership RBAC roles.

    The Google Cloud admin console automatically redirects to the details page for the SAML application that you created.

  18. Expand the User access section.

    An image of the Google Cloud admin Console SAML application details page.
  19. In the Service status section, select ON for everyone, then select SAVE.

    An image of the Google Cloud admin Console SAML application Service status page.
  20. Return to the window or tab that displays the Oracle Cloud Console. On the Add SAML identity provider page select Map user identity. Enter the following values:

    • Requested Name ID format: Select "Email address".
    • Identity provider user attribute: Select "SAML assertion Name ID".
    • Identity domain user attribute: Select "Username".

    An image of the Oracle Cloud Console showing the Add SAML identity provider work flow's Map user identity page.
  21. On the Add SAML identity provider page select Review and Create.

    Review the SAML identity provider details, then select Create IdP.

    An image of the Oracle Cloud Console showing the Add SAML identity provider work flow's Review and Create page.
  22. Select Activate to activate the identity provider (IdP).

    An image of the Oracle Cloud Console showing the Add SAML identity provider work flow's What's Next? page.

    A confirmation message appears once the identity provider has been activated.

  23. Select Add to IdP policy.

    An image of the Oracle Cloud Console showing the Add SAML identity provider work flow's What's Next? page.
  24. On the Identity provider (IdP) policies page, select Default Identity Provider Policy in the Name column of the list of policies.

    An image of the Oracle Cloud Console showing the IdP policy details page.
  25. On the Default Identity Provider Policy details page, in the Identity provider rules section, select Edit IdP rule.

    An image of the Oracle Cloud Console showing the Default Identity Provider policy details page.
  26. On the Edit Identity provider rule page, find the Assign identity providers field. The field displays "Username-Password". Add "Google Cloud Federation", then select Save changes.

    An image of the Oracle Cloud Console showing the Edit identity provider rule page.

    After adding "Google Cloud Federation":

    An image of the Oracle Cloud Console showing the Edit identity provider rule page.
  27. On the details page for the Google Cloud Federation identity provider, select Configure JIT.

    An image of the details page for the Google Cloud Federation identity provider in the Oracle Cloud Console.
  28. On the Configure Just-in-time (JIT) provisioning page, enable Enable Just-In-Time (JIT) provisioning using the toggle switch. Remain on this page for the next few steps.

    The Configure Just-in-time (JIT) provisioning page in the Oracle Cloud Console.
  29. On the Configure Just-in-time (JIT) provisioning page, select Create a new identity domain user and Update the existing identity domain user.

    The Configure Just-in-time (JIT) provisioning page in the Oracle Cloud Console.
  30. On the Configure Just-in-time (JIT) provisioning page, map the user attributes as follows (IdP user attribute type and name → identity domain user attribute):

    • NameID, NameID value → userName
    • Attribute, LastName → familyName
    • Attribute, PrimaryEmail → primaryEmailAddress
    • Attribute, FirstName → firstName

    The Configure Just-in-time (JIT) provisioning page in the Oracle Cloud Console.
  31. On the Configure Just-in-time (JIT) provisioning page, toggle the Assign group mapping switch to enable the group mapping you configured. The Assign group mapping section expands to display group mapping configuration options (see next step).

    The Configure Just-in-time (JIT) provisioning page in the Oracle Cloud Console.
  32. On the Configure Just-in-time (JIT) provisioning page, select or enter the following values:

    • Group membership attribute name: MemberOf
    • Assign implicit group membership: Select the radio button to enable this option
    • When assigning group membership...: Merge with existing group memberships
    • When a group is not found...: Ignore the missing group

    Select Save changes after you select and enter the values.

    The Configure Just-in-time (JIT) provisioning page in the Oracle Cloud Console.

    You have now completed the required steps to configure the identity federation between OCI and Google Cloud.

  33. To test the SSO:

    1. Sign out of the Oracle Cloud Console.
    2. In the Or sign in with section of the login screen, select Google Cloud Federation.

    An image of the Oracle Cloud Console sign in page offering the option to sign in with Google Cloud Federation.

What's Next

If you want to allow additional users to open My Oracle Support (MOS) service requests, see the instructions in Support Registration. Federation doesn't automatically grant users access to My Oracle Support.