Dome9

Before You Begin

Introduction

This document describes how to configure Oracle Identity Cloud Service to provide Single Sign-On (SSO) for Dome9 using SAML.

About Dome9

Dome9 is a software as a service (SaaS) platform that delivers comprehensive security and compliance to all businesses at all times across public cloud infrastructure environments.

After integrating Dome9 with Oracle Identity Cloud Service:

Users can access Dome9 using their Oracle Identity Cloud Service login credentials.
Users can start Dome9 using the Oracle Identity Cloud Service My Apps console.
Admins can assign and revoke user access to the Dome9 app using the Oracle Identity Cloud Service administration console.

What Do You Need?

An Oracle Identity Cloud Service account with authorization rights to manage apps and users (Identity Domain Administrator or Application Administrator).
A Dome9 account with authorization rights to configure federated authentication.
Make sure that the email ID of each user in Dome9 matches the primary email ID of the Oracle Identity Cloud Service account.
Identity Provider metadata. You can use the following URL to access the metadata: https://<IDCS-Service-Instance>.identity.oraclecloud.com/fed/v1/metadata.

Obtaining the Certificate

Use this section to convert the X509 Certificate value into a format that is suitable for Oracle Identity Cloud Service.

Tip: You use this content later during the Dome9 configuration in the "Configuring SSO for Dome9" section.

Use the following URL to access the metadata: https://<IDCS-Service-Instance>.identity.oraclecloud.com/fed/v1/metadata.
In the metadata file, locate the md:IDPSSODescriptor tag.
Copy the content between the dsig:X509Certificate tags into a text file. This content is the Oracle Identity Cloud Service Certificate.

Configuring SSO for Dome9

Access Dome9 as an administrator using the URL: https://secure.dome9.com/v2/login. The Dome9 home page appears.
In the upper-right corner, click the user ID drop-down list, and then select Account Settings.
On the Account Settings page, select the SSO tab.
Click Enable. The SSO Configuration window appears.

Use the table to update the federated authentication attributes, and then click SAVE.

This table lists the mandatory federated authentication attributes that you must set to complete the SSO configuration.
Attribute	Value
Account ID	Enter the Account ID value.
Issuer	Enter the Entity ID/Issuer URL. Use the metadata file that you downloaded earlier to obtain the Entity ID/Issuer URL. The Entity ID/Issuer URL information is located in the first line of the metadata. See the "What Do You Need" section.
Idp endpoint Url	Enter the Sign-in URL/SSO Endpoint: `https://<IDCS-Service-Instance>.identity.oraclecloud.com/fed/v1/idp/sso`.
X.509 certificate	Paste the certificate that you previously obtained. See the "Obtaining the Certificate" section.

Click Users & Roles on the header, and then select Users from the drop-down list. The User Management page appears.
Click Actions next to the user that you want to provide SSO access, and then select Connect to SSO from the drop-down list. The Connect user to SSO dialog box appears.
Click CONNECT to provide SSO access to the user.

Note: To provide SSO access to a user, click Users & Roles on the header, and then select Users from the drop-down list. On the User Management page, click Actions next to the user that you want to provide SSO access, and then select Connect to SSO from the drop-down list. On the Connect user to SSO dialog box, click CONNECT to provide SSO access to the user. Enabling SSO for this user deactivates the ability to log in using the user name and password.

Configuring the Dome9 App in Oracle Identity Cloud Service

Use this section to obtain the Account ID from Dome9, register and activate the Dome9 app, and then assign users to the app.

Obtaining the Account ID from Dome9

An account ID is required before you can register and activate the Dome9 app. You obtain that account ID from Dome9.

In the upper-right corner of the Dome9 home page, click the user ID drop-down list, and then select Account Settings. The Account Settings page appears.
Select SSO, and then click EDIT.
In the SSO Configuration window, copy the value specified in the Account ID field.

Registering and Activating the Dome9 App

Access the Oracle Identity Cloud Service administration console, select Applications, and then click Add.
Click App Catalog.
Search for Dome9, and then click Add.
In the App Details section, enter your Dome9 Account ID, and then click Next.

Note: This is the account ID value that you obtained while performing the steps in the "Obtaining the Account ID from Dome9" section.
Click Finish. Oracle Identity Cloud Service displays a confirmation message.
Click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Assigning Users to the Dome9 App

On the Dome9 app page in Oracle Identity Cloud Service, select Users, and then click Assign. The Assign Users window appears.
Select users that you want to assign to Dome9, and then click OK. Oracle Identity Cloud Service displays a confirmation message stating that the Dome9 app is assigned to the users that you selected.

Verifying the Integration

Use this section to verify that SSO works when initiated from Oracle Identity Cloud Service (IdP initiated SSO) and Dome9 (SP initiated SSO).

Verifying Identity Provider Initiated SSO from Oracle Identity Cloud Service

Access the Oracle Identity Cloud Service My Profile console using the URL: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole.
Log in using credentials for a federated user that is assigned to the Dome9 app. Oracle Identity Cloud Service displays a shortcut to Dome9 under My Apps.
Click Dome9. The Dome9 home page appears.
In the upper-right corner of the Dome9 home page, confirm that the user logged in is the same for both Dome9 and Oracle Identity Cloud Service.

This confirms that SSO that is initiated from Oracle Identity Cloud Service works.

Verifying Service Provider Initiated SSO from Dome9

Access Dome9 using the URL: https://secure.dome9.com/sso/<Account_ID>. You are redirected to the Oracle Identity Cloud Service login page.
Log in using credentials for a federated user that is assigned to the Dome9 app. The Dome9 home page appears.
In the upper-right corner of the Dome9 home page, confirm that the user that is logged in is the same for both Dome9 and Oracle Identity Cloud Service.

This confirms that SSO that is initiated from Dome9 works.

Troubleshooting

Use this section to locate solutions to common integration issues.

Known Issues

Oracle Identity Cloud Service displays the message, "You are not authorized to access the app. Contact your system administrator."

Cause 1: The SAML 2.0 integration between the Oracle Identity Cloud Service Dome9 app and Dome9 is deactivated.

Solution 1:

Access the Oracle Identity Cloud Service administration console, select Applications, and then select Dome9.
In the App Details section, click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Cause 2: The administrator revokes access for the user at the same time that the user tries to access the Dome9 app using Oracle Identity Cloud Service.

Solution 2:

Access the Oracle Identity Cloud Service administration console, select Applications, and then select Dome9.
In the App Details section, select Users, and then click Assign to re-assign the user.

Unknown Issues

For unknown issues, contact Oracle Support:

Go to https://support.oracle.com.
Select Cloud Support, and then sign in with your support credentials.
In the Cloud Dashboard, confirm that there are no planned outages in Oracle Identity Cloud Service, and then click Create Service Request.
Select Oracle Identity Cloud Service as the service type.
Complete your service request.