DBMS_CLOUD_FUNCTION_ADMIN Package
The DBMS_CLOUD_FUNCTION_ADMIN package supports invoking generic scripts from an Autonomous AI Database instance and registering identity providers for external authentication with Database Tools.
Summary of DBMS_CLOUD_FUNCTION_ADMIN Subprograms
This table summarizes the subprograms included in the DBMS_CLOUD_FUNCTION_ADMIN package.
| Subprogram | Description |
|---|---|
| DEREGISTER_REMOTE_EXECUTION_ENV Procedure | This procedure removes an endpoint that was previously registered. |
| GRANT_REMOTE_EXECUTION_ENV Procedure | This procedure enables the ADMIN user to grant privileges on a registered endpoint to a user other than the ADMIN. |
| REGISTER_REMOTE_EXECUTION_ENV Procedure | This procedure registers a remote endpoint environment. |
| REVOKE_REMOTE_EXECUTION_ENV Procedure | This procedure enables the ADMIN user to revoke privileges on a registered endpoint from a user other than the ADMIN. |
| CREATE_IDP Procedure | This procedure enables the ADMIN user to create a new identity provider for external authentication. This procedure is not used for OCI IAM identity provider registration. |
| UPDATE_IDP Procedure | This procedure enables the ADMIN user to update an existing identity provider entry identified by idp_id. |
| DELETE_IDP Procedure | This procedure enables the ADMIN user to remove an identity provider registration from the database. |
DEREGISTER_REMOTE_EXECUTION_ENV Procedure
This procedure removes an endpoint that was previously registered.
Syntax
DBMS_CLOUD_FUNCTION_ADMIN.DEREGISTER_REMOTE_EXECUTION_ENV(
remote_endpoint_name IN VARCHAR2
);Parameters
| Parameter | Description |
|---|---|
remote_endpoint_name |
Specifies the remote endpoint to remove. This parameter is mandatory. |
Example
BEGIN
DBMS_CLOUD_FUNCTION_ADMIN.DEREGISTER_REMOTE_EXECUTION_ENV(
remote_endpoint_name => 'REM_EXECUTABLE');
END;
/Usage Notes
- To run this procedure you must be logged in as the
ADMINuser.
GRANT_REMOTE_EXECUTION_ENV Procedure
This procedure enables the ADMIN user to grant privileges on a registered endpoint to a user other than the ADMIN.
Syntax
DBMS_CLOUD_FUNCTION_ADMIN.GRANT_REMOTE_EXECUTION_ENV(
remote_endpoint_name IN VARCHAR2,
user_name IN VARCHAR2
);Parameters
| Parameter | Description |
|---|---|
remote_endpoint_name |
Specifies the registered remote endpoint name. This parameter is mandatory. |
user_name |
Specifies the username. This parameter is mandatory. |
Example
BEGIN
DBMS_CLOUD_FUNCTION_ADMIN.GRANT_REMOTE_EXECUTION_ENV(
remote_endpoint_name => 'REM_EXECUTABLE',
user_name => '<username>');
END;
/Usage Notes
- To run this procedure you must be logged in as the
ADMINuser.
REGISTER_REMOTE_EXECUTION_ENV Procedure
This procedure registers a remote endpoint.
Syntax
DBMS_CLOUD_FUNCTION_ADMIN.REGISTER_REMOTE_EXECUTION_ENV(
remote_endpoint_name IN VARCHAR2,
remote_endpoint_url IN CLOB,
wallet_dir IN VARCHAR2,
remote_cert_dn IN CLOB
);Parameters
| Parameter | Description |
|---|---|
remote_endpoint_name |
Specifies the remote endpoint to register. This parameter is mandatory. |
remote_endpoint_url |
Specifies the remote location of the library. The parameter accepts a string value in For example: This parameter is mandatory. |
wallet_dir |
Specifies the directory where the self-signed wallet is stored. This parameter is mandatory. |
remote_cert_dn |
Specifies the server certificate Distinguished Name (DN). This parameter is mandatory. |
Example
BEGIN
DBMS_CLOUD_FUNCTION_ADMIN.REGISTER_REMOTE_EXECUTION_ENV(
remote_endpoint_name => 'REM_EXECUTABLE',
remote_endpoint_url => 'remote_hostname:16000',
wallet_dir => 'WALLET_DIR',
remote_cert_dn => 'CN=VM Hostname');
END;
/Usage Notes
- To run this procedure you must be logged in as the
ADMINuser.
REVOKE_REMOTE_EXECUTION_ENV Procedure
This procedure enables the ADMIN user to revoke privileges on a registered endpoint from a user other than the ADMIN.
Syntax
DBMS_CLOUD_FUNCTION_ADMIN.REVOKE_REMOTE_EXECUTION_ENV(
remote_endpoint_name IN VARCHAR2,
user_name IN VARCHAR2
);Parameters
| Parameter | Description |
|---|---|
remote_endpoint_name |
Specifies the registered remote endpoint name. This parameter is mandatory. |
user_name |
Specifies the username. This parameter is mandatory. |
Example
BEGIN
DBMS_CLOUD_FUNCTION_ADMIN.REVOKE_REMOTE_EXECUTION_ENV(
remote_endpoint_name => 'REM_EXECUTABLE',
user_name => '<username>');
END;
/Usage Notes
- To run this procedure you must be logged in as the
ADMINuser.
CREATE_IDP Procedure
This procedure registers an external identity provider (IDP) with your Autonomous AI Database. This procedure is not used to register OCI IAM identity provider information.
Syntax
DBMS_CLOUD_FUNCTION_ADMIN.CREATE_IDP(
idp_name IN VARCHAR2,
client_id IN VARCHAR2,
client_secret IN VARCHAR2,
params IN JSON
);Parameters
| Parameter | Description |
|---|---|
idp_name |
Specifies a unique name for the identity provider registration. This parameter is mandatory. |
client_id |
Specifies the client identifier from the application registered with the identity provider. This parameter is mandatory. |
client_secret |
Specifies the client secret for the registered application. This parameter is mandatory. |
params |
Specifies a JSON object that contains identity provider configuration values. This parameter is mandatory. |
Supported JSON Parameters
| Parameter | Description |
|---|---|
discovery_url |
OpenID Connect discovery endpoint used to retrieve authentication metadata. For Microsoft Entra ID: https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configurationOCI IAM does not require CREATE_IDP registration or a discovery_url value in this procedure. |
Example: Register Microsoft Entra ID
This example shows how to register Microsoft Entra ID as an external identity provider by using the tenant-specific OpenID Connect discovery URL.
BEGIN
DBMS_CLOUD_FUNCTION_ADMIN.CREATE_IDP(
idp_name => 'AZURE_AD',
client_id => '<client-id>',
client_secret => '<client-secret>',
params => JSON_OBJECT(
'discovery_url' VALUE
'https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration'));
END;
/Example: Register AWS Cognito
This example shows how to register AWS Cognito as an external identity provider by using an Amazon Cognito OpenID Connect discovery URL.
BEGIN
DBMS_CLOUD_FUNCTION_ADMIN.CREATE_IDP(
idp_name => 'AWS',
client_id => '<client-id>',
client_secret => '<client-secret>',
params => JSON_OBJECT(
'discovery_url' VALUE
'https://cognito-idp.<region>.amazonaws.com/<user-pool-id>/.well-known/openid-configuration'
));
END;
/Example: Register Google Cloud Platform (GCP)
This example shows how to register Google Cloud as an external identity provider by using the Google OpenID Connect discovery URL.
BEGIN
DBMS_CLOUD_FUNCTION_ADMIN.CREATE_IDP(
idp_name => 'GCP',
client_id => '<client-id>',
client_secret => '<client-secret>',
params => JSON_OBJECT(
'discovery_url' VALUE
'https://accounts.google.com/.well-known/openid-configuration'
));
END;
/Example: Register Okta
This example shows how to register Okta as an external identity provider by using the Okta authorization server OpenID Connect discovery URL.
BEGIN
DBMS_CLOUD_FUNCTION_ADMIN.CREATE_IDP(
idp_name => 'OKTA',
client_id => '<client-id>',
client_secret => '<client-secret>',
params => JSON_OBJECT(
'discovery_url' VALUE
'https://<okta-domain>/oauth2/default/.well-known/openid-configuration'
));
END;
/You must register an identity provider once for a database unless you need to update or replace the registration.
| Provider | CREATE_IDP required? |
Discovery URL pattern |
|---|---|---|
| OCI IAM | No | Not applicable. OCI IAM is enabled with DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION and does not use CREATE_IDP. |
| Microsoft Entra ID (Azure) | Yes | https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration |
| AWS Cognito | Yes | https://cognito-idp.<region>.amazonaws.com/<user-pool-id>/.well-known/openid-configuration |
| Google Cloud Platform (GCP) | Yes | https://accounts.google.com/.well-known/openid-configuration |
| Okta | Yes | Org server: https://<okta-domain>/.well-known/openid-configurationDefault/custom server: https://<okta-domain>/oauth2/<authorization-server-id>/.well-known/openid-configuration |
UPDATE_IDP Procedure
This procedure modifies an existing identity provider registration. You can update the client credentials, identity provider metadata, or both.
Syntax
DBMS_CLOUD_FUNCTION_ADMIN.UPDATE_IDP(
idp_id IN VARCHAR2,
client_id IN VARCHAR2 DEFAULT NULL,
client_secret IN VARCHAR2 DEFAULT NULL,
params IN JSON DEFAULT NULL
);Parameters
| Parameter | Description |
|---|---|
idp_id |
Specifies the unique identifier of the identity provider registration to update. |
client_id |
Specifies the updated client identifier. This parameter is optional. |
client_secret |
Specifies the updated client secret. This parameter is optional. |
params |
Specifies the updated JSON configuration parameters. This parameter is optional. |
Example
This example shows how to update the client credentials and OpenID Connect discovery URL for an existing identity provider registration.
BEGIN
DBMS_CLOUD_FUNCTION_ADMIN.UPDATE_IDP(
idp_id => '<idp-id>',
client_id => '<client-id>',
client_secret => '<client-secret>',
params => JSON_OBJECT(
'discovery_url' VALUE
'https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration'));
END;
/Usage Notes
- If you provide
client_id, you must also provideclient_secret. If you provideclient_secret, you must also provideclient_id. - The
idp_idvalue is returned when the identity provider is created. - Any parameter that is omitted retains its current value.
- Updating an identity provider does not affect existing database users configured for external authentication.
DELETE_IDP Procedure
This procedure removes a registered identity provider from the database.
Syntax
DBMS_CLOUD_FUNCTION_ADMIN.DELETE_IDP(
idp_id IN VARCHAR2
);Parameters
| Parameter | Description |
|---|---|
idp_id |
Specifies the unique identifier of the identity provider registration to remove. This parameter is mandatory. |
Example
This example shows how to remove an existing identity provider registration by using its idp_id.
BEGIN
DBMS_CLOUD_FUNCTION_ADMIN.DELETE_IDP(
idp_id => 'AZURE-ID');
END;
/Usage Notes
- Deleting an identity provider removes the registration information used by Database Tools for external authentication.
- Before deleting an identity provider, ensure that no applications or users depend on that registration for authentication.
- Users configured for traditional database authentication can continue to authenticate with their database username and password after an identity provider registration is deleted.
DBA_LIST_IDP View
The DBA_LIST_IDP view shows the identity providers registered for external authentication in Autonomous AI Database. Use this view to review the identity provider name, client identifier, and OpenID Connect discovery metadata used by database tools and external authentication flows.
Columns
| Column | Description |
|---|---|
idp_id |
Unique identifier for the registered identity provider. The value is generated when the identity provider is registered. |
idp_name |
Name of the identity provider. For example, AZURE_AD identifies Microsoft Entra ID as the identity provider. |
client_id |
Client identifier for the application registered with the identity provider. Database tools use this value when they redirect users for external authentication. |
params |
JSON object that stores identity provider configuration parameters. The discovery_url parameter identifies the OpenID Connect discovery endpoint for the identity provider. |
PARAMS JSON Attributes
| Attribute | Description |
|---|---|
discovery_url |
OpenID Connect discovery URL for the identity provider. The discovery URL returns metadata such as the authorization endpoint, token endpoint, issuer, and signing keys. For Microsoft Entra ID, this URL uses the tenant-specific .well-known/openid-configuration endpoint. |
Example
This example lists selected columns for registered identity providers:
SELECT idp_id,
idp_name,
client_id,
params
FROM dba_list_idp;Sample output:
IDP_ID IDP_NAME CLIENT_ID PARAMS
---------- ---------- ---------------------- ------------------------------------------------------------
AZURE-ID AZURE_AD 5691bae2-XXX-YYY-ZZZ {"discovery_url":"https://login.microsoftonline.com/XXXX-YYYY-ZZZ-KKK-/v2.0/.well-known/openid-configuration"}In this example:
-
AZURE-IDis the generated identity provider identifier. -
AZURE_ADis the registered identity provider name. -
CLIENT_IDis the application client ID from Microsoft Entra ID. -
The
PARAMSvalue contains thediscovery_urlused to locate the OpenID Connect configuration for the Entra ID tenant.