
Set up Single Sign-On and User Provisioning between OCI IAM and JumpCloud

Introduction

By setting up Single Sign-On (SSO) between Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) and JumpCloud, OCI administrators can log in to the OCI Console with their JumpCloud credentials. Adding user provisioning over the SCIM REST API keeps the users and groups in OCI IAM synchronized with JumpCloud in near real time.

This tutorial shows how to integrate OCI IAM with JumpCloud by setting up a Security Assertion Markup Language (SAML) federation and a System for Cross-domain Identity Management (SCIM) 2.0 connection.

OCI IAM Federation with JumpCloud (Architecture).

Furthermore, once SSO is established and identities are synced, OCI IAM policies can be defined to set up access controls for OCI resources. For more information, see Getting Started with Policies and Deep Dive into Tag based Oracle Cloud Infrastructure Identity and Access Management Policies.

Note: This tutorial is specific to OCI IAM with identity domains.

Objectives

Prerequisites

Note: We have noticed inconsistencies in user creation and update actions when using the OCI application offered in the JumpCloud application catalog. For the purpose of this tutorial, a custom application is used instead.

Section 1: Set up SAML based SSO for Access Management

JumpCloud acts as the Identity Provider (IdP): it authenticates users and sends signed SAML assertions to OCI IAM, which acts as the Service Provider (SP). To set up the federation, each side imports the other's SAML metadata (entity ID, endpoints and signing certificate).

Task 1.1: Get the Service Provider Metadata from OCI IAM

The SP metadata for the OCI IAM identity domain is exported first.

  1. Open a browser tab and enter the URL: https://cloud.oracle.com.

  2. Enter Cloud Account Name, also referred to as the tenancy name, and click Next.

  3. Select the identity domain to sign in to. This is the identity domain that is used to configure SSO, for example Default.

  4. Enter the administrator credentials to log in to the OCI Console.

  5. Navigate to Identity & Security, then go to Identity and click Domains.

    Navigating to Domains.

  6. Click the name of the identity domain. If the domain is not visible, change the compartment to find the right domain.

    Selecting the Domain.

  7. Click Security, Identity providers and Export SAML metadata.

    Navigating to SP metadata.

  8. Select Metadata file. Under Metadata with self-signed certificates, click Download XML and save this XML file locally in the computer, this is the SP metadata.

    Downloading SP metadata.

Task 1.2: Create a SSO Application

An SSO application is created in the JumpCloud portal to represent the OCI Console.

  1. In the browser, sign in to the JumpCloud portal using the URL: https://console.jumpcloud.com/login

  2. Under USER AUTHENTICATION, select SSO Applications and click Get Started.

    The JumpCloud admin console applications.

  3. Under Custom Application, click Select and then Next.

    Searching custom app.

  4. Select Manage Single Sign-On (SSO) and then Configure SSO with SAML. Select Export users to this app (Identity Management) and click Next.

    Selecting SSO & Identity Management.

  5. Enter a name under Display Label (for example, OCI Console) and click Save Application. Then, click Configure Application.

    Update application details.

Task 1.3: Configure the SSO Application

SSO configuration is needed on the newly created custom application.

  1. In the SSO tab, under Service Provider Metadata, click Upload Metadata and select the SP metadata file saved in Task 1.1.8.

    Uploading SP metadata.

  2. If the SP Entity ID and ACS URL fields are auto-populated, the XML file was parsed correctly. If they stay empty, check that the uploaded file is the SP metadata from Task 1.1 and not the IdP metadata.

    Under JumpCloud Metadata, click Export Metadata and save this XML file locally on the computer; this is the IdP metadata. Once done, click Save.

    Exporting IdP metadata.
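The SP metadata uploaded in step 1 is what JumpCloud parses to fill in the SP Entity ID and ACS URL. The following Python script, added here as an example and not part of the Oracle tutorial, pulls those same values out of a metadata file before upload, reports the signing settings OCI IAM advertises, and rejects an IdP metadata file picked by mistake. The XML it parses is a constructed sample: the host idcs-example.identity.oraclecloud.com, the /fed paths and the certificate are placeholders, not values from a real domain.

```python
"""Pre-upload check for the OCI IAM SP metadata downloaded in Task 1.1.

Added example, not part of the Oracle tutorial. The XML below is a
constructed stand-in with placeholder host, paths and certificate.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample in the shape of the "Metadata with self-signed
# certificates" download; entityID, ACS path and certificate are placeholders.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idcs-example.identity.oraclecloud.com:443/fed">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idcs-example.identity.oraclecloud.com:443/fed/v1/sp/sso"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def summarize_sp_metadata(xml_text: str) -> dict:
    """Return the fields JumpCloud reads, or raise if this is not SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        # An md:IDPSSODescriptor here means the IdP metadata was picked by mistake.
        raise ValueError("no SPSSODescriptor: wrong file (IdP metadata?)")
    acs = [
        {"binding": e.get("Binding"), "location": e.get("Location"),
         "default": e.get("isDefault") == "true"}
        for e in sp.findall("md:AssertionConsumerService", NS)
    ]
    if not acs:
        raise ValueError("no AssertionConsumerService: JumpCloud cannot post assertions")
    certs = [
        c.text.strip()
        for c in sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if c.text
    ]
    return {
        "entity_id": root.get("entityID"),
        "acs": acs,
        # OCI IAM advertises these flags; the IdP must sign assertions and
        # expect signed AuthnRequests for the federation to work.
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "signing_certs": len(certs),
    }


def default_acs_url(summary: dict) -> str:
    """The ACS URL JumpCloud should show after Upload Metadata."""
    for entry in summary["acs"]:
        if entry["default"]:
            return entry["location"]
    return summary["acs"][0]["location"]


def is_sp_metadata(xml_text: str) -> bool:
    """True if the file carries an SPSSODescriptor, which is what JumpCloud expects."""
    try:
        summarize_sp_metadata(xml_text)
        return True
    except (ValueError, ET.ParseError):
        return False


if __name__ == "__main__":
    s = summarize_sp_metadata(SAMPLE_SP_METADATA)
    print("SP Entity ID :", s["entity_id"])
    print("ACS URL      :", default_acs_url(s))
    print("Signing certs:", s["signing_certs"],
          "| WantAssertionsSigned:", s["want_assertions_signed"])
```

To check a real download, call summarize_sp_metadata(open(path).read()); the entity ID and ACS URL it prints should match what JumpCloud shows after Upload Metadata, and want_assertions_signed being true means JumpCloud must be signing the assertion for OCI IAM to accept it.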

Task 1.4: Enable JumpCloud as IdP for OCI IAM

A new IdP is created that represents JumpCloud. Once done, an IdP policy is set up to enable SSO authentication.

  1. In OCI Console, navigate to the domain, select Security and click Identity providers.

  2. Select Add IdP and click Add SAML IdP.

    Adding SAML IdP.

  3. Enter a Name (for example, JumpCloud) for the SAML IdP and click Next.

    Entering IdP name.

  4. Make sure Import IdP metadata is selected. Under Upload identity provider metadata, upload the IdP metadata file saved in Task 1.3.2 and click Next.

    Importing IdP metadata.

  5. In Map user identity, enter the following information and click Next.

    • Requested NameID format: Select None.
    • Identity provider user attribute: Select SAML assertion Name ID.
    • Identity domain user attribute: Select Username.

    This maps the NameID that JumpCloud sends onto the OCI IAM username, so the value JumpCloud places in the NameID must be the user's OCI IAM username (see Section 2).

    SAML identity provider attributes.

  6. In Review and Create, verify the configuration and click Create IdP.

    Reviewing setup.

  7. Click Activate and then Add to IdP policy.

    Activating IdP.

    Note: Out of the box, a domain has a single default IdP policy with no apps assigned to it, which means every app, including the OCI Console, falls within its scope. If the domain has custom IdP policies that target specific apps, add rules as necessary so that the OCI Console is covered. Exercise caution: a misconfigured IdP policy can lock all administrators out of the console.

  8. Click Create IdP policy.

    Creating IdP policy.

  9. In Add policy, enter Name (for example, OCI Console) and click Add Policy.

    Entering name.

  10. In Add identity provider rules, click Add IdP rule and enter Rule name. For example, OCI Console access rule.

    Under Assign identity providers, select Username-Password and JumpCloud. Once done, click Add IdP rule and then Next.

    Defining rule.

    Note: The Username-Password option is added to preserve local authentication. This avoids a lockout in case there are problems in the federation settings.

  11. Click Add app, search and select OCI Console from the list. Click Add app and then Close.

    Selecting the OCI Console app.

Section 2: Setup SCIM 2.0 based User Provisioning

The user lifecycle management is configured between JumpCloud and OCI IAM, where JumpCloud acts as the identity store. Ensure that all users intended for provisioning downstream have appropriate values populated for the following attributes:

Note: Mapping Company Email to username keeps the SAML Subject/NameID sent by JumpCloud equal to the OCI IAM username, which is what the mapping in Task 1.4.5 relies on and is required for SSO to work. For example, the Subject of an assertion sent by JumpCloud:

    <saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified">XXX+test4@oracle.com</saml2:NameID></saml2:Subject>
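When a test login fails with the user not found, the quickest diagnosis is to look at what JumpCloud actually put in the NameID. The following Python script, added here as an example and not part of the Oracle tutorial, decodes the base64 SAMLResponse form field (as captured from the browser's developer tools or a SAML tracer during a login) and compares the NameID with the expected OCI IAM username, as the Task 1.4.5 mapping requires. The response it decodes is constructed and unsigned, with placeholder issuer, destination and user values; the script checks only the mapping and does not validate the signature, which OCI IAM does on its side.

```python
"""Inspect the NameID that the IdP sends, against the OCI IAM username mapping.

Added example, not part of the Oracle tutorial. The SAML response below is
constructed, unsigned and uses placeholder issuer, destination and user values.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response (placeholders throughout, no Signature element).
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://idcs-example.identity.oraclecloud.com:443/fed/v1/sp/sso">
  <saml2:Issuer>https://sso.jumpcloud.com/saml2/example</saml2:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml2:Issuer>https://sso.jumpcloud.com/saml2/example</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe@example.com</saml2:NameID>
    </saml2:Subject>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="email"><saml2:AttributeValue>jane.doe@example.com</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</samlp:Response>
"""
# What the browser POSTs to the ACS URL: the XML, base64 encoded.
SAMPLE_SAMLRESPONSE_FIELD = base64.b64encode(SAMPLE_RESPONSE_XML.encode("utf-8")).decode("ascii")


def inspect_subject(saml_response_b64: str) -> dict:
    """Decode a SAMLResponse POST value and pull out status, issuer, NameID and attributes."""
    xml_text = base64.b64decode(saml_response_b64).decode("utf-8")
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    name_id = root.find("saml2:Assertion/saml2:Subject/saml2:NameID", NS)
    if name_id is None:
        # An EncryptedAssertion also lands here; the mapping needs a readable NameID.
        raise ValueError("no Assertion/Subject/NameID in response (encrypted or malformed?)")
    attrs = {
        a.get("Name"): [v.text for v in a.findall("saml2:AttributeValue", NS)]
        for a in root.findall("saml2:Assertion/saml2:AttributeStatement/saml2:Attribute", NS)
    }
    return {
        "status": status.get("Value") if status is not None else None,
        "issuer": root.findtext("saml2:Issuer", default=None, namespaces=NS),
        "name_id_format": name_id.get("Format"),
        "name_id": name_id.text or "",
        "attributes": attrs,
    }


def name_id_matches(subject: dict, oci_username: str) -> tuple:
    """Compare the asserted NameID with the OCI IAM username; explain a mismatch."""
    sent = subject["name_id"]
    if sent == oci_username:
        return True, "NameID equals the OCI IAM username"
    if sent.strip().lower() == oci_username.strip().lower():
        # Treated as a mismatch here on purpose: align the JumpCloud Company Email
        # with the OCI username rather than rely on case-insensitive matching.
        return False, (f"NameID {sent!r} differs from {oci_username!r} only in case or "
                       "whitespace; align the JumpCloud Company Email with the OCI username")
    return False, (f"NameID {sent!r} is not the OCI IAM username {oci_username!r}; "
                   "check the NameID mapping on the JumpCloud SSO application")


if __name__ == "__main__":
    subject = inspect_subject(SAMPLE_SAMLRESPONSE_FIELD)
    print("status :", subject["status"])
    print("issuer :", subject["issuer"])
    print("NameID :", subject["name_id"], "(", subject["name_id_format"], ")")
    print(name_id_matches(subject, "jane.doe@example.com"))
```

On a real capture, paste the SAMLResponse value into inspect_subject; the issuer should be the JumpCloud entity ID from the IdP metadata and the NameID should be exactly the username shown on the user in the OCI Console.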

Task 2.1: Create a Confidential Application in OCI IAM and Generate Secret Token

An OAuth 2.0 client is registered in OCI IAM, the client credentials grant is enabled and the client is granted the User Administrator app role. The credentials for this client are then collected. This client can create, modify and delete any user in the domain, so its secret must be handled like an administrator password.

  1. Go to the OCI Console, navigate to Domains and select the domain that was used in Section 1.

  2. Go to Integrated applications, select Add application, Confidential Application and click Launch workflow.

    Confidential app workflow.

  3. Enter Name (for example, SCIMclient) for the confidential application and click Next.

  4. In the Client configuration section, select Configure this application as a client now and under Authorization, select Client Credentials.

    OAuth 2.0 client setup.

  5. Select Add app roles and click Add roles. In the Add app roles page, select User Administrator and click Add.

    App role selection.

  6. Click Next and then Finish.

  7. Click Activate to activate the new application.

    Activate client.

  8. In the General Information section, note the Client ID and Client secret and select Show secret to reveal the plain text.

    Credentials.

  9. The secret token is the base64 encoding of the string clientID:clientsecret, that is, the two values joined by a colon, encoded as plain UTF-8 bytes with no trailing newline. A wrongly encoded token is a common reason the connection test in Task 2.3 fails.

    • For Windows, open PowerShell and run the following command to generate the base64 encoding. Use the UTF8 encoder: [System.Text.Encoding]::Unicode produces UTF-16 bytes with a NUL after every character, so the token would not decode to clientID:clientsecret and is rejected.

      [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('<clientID>:<clientsecret>'))
    • For MacOS, use Terminal to run the following command. The -n flag matters: without it, the trailing newline is encoded into the token. On Linux, add -w0 to base64 so the output is not wrapped across lines.

      echo -n '<clientID>:<clientsecret>' | base64

      The secret token is returned. For example:

      echo -n 392357752xxxx7523923457437:3454-9853-7843-3554 | base64
      Nk0NzUyMzxxxxxxxxxxxxxxxMzMtNTQzNC05ODc4LTUzNQ==

      Both commands leave the client secret in the shell history; clear it afterwards, or read the secret into a variable without echoing it.

    Terminal.

  10. Make a note of the secret token.

Task 2.2: Find the OCI IAM GUID

The SCIM endpoint URL is required by the client to make API calls.

  1. Go to the OCI Console, navigate to Domains and select the domain that was used in Section 1.

  2. Select Copy next to the Domain URL in Domain information and make a note of this. It should look like this:

    https://<IdentityDomainID>.identity.oraclecloud.com:443 
  3. Add /admin/v1 to the end of the URL. The final URL should look like this:

    https://<IdentityDomainID>.identity.oraclecloud.com:443/admin/v1 
  4. Make a note of the URL.
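Before pasting the values from Task 2.1 and Task 2.2 into JumpCloud, it is worth checking them offline. The following Python script, added here as an example and not part of the Oracle tutorial, builds the secret token the way the tutorial describes, detects the two common ways a hand-made token goes wrong (UTF-16 encoding from PowerShell's ::Unicode, and a newline appended by echo), derives the SCIM base URL from the Domain URL, and builds the Users lookup URL with the SCIM filter for a test user. The client ID, secret and domain URL are constructed placeholders; the script never sends anything over the network.

```python
"""Build and sanity-check the SCIM secret token (Task 2.1) and base URL (Task 2.2).

Added example, not part of the Oracle tutorial. Client ID, secret and domain
URL below are constructed placeholders.
"""
import base64
import binascii
from urllib.parse import quote, urlparse

PLACEHOLDER_CLIENT_ID = "392357752aaaa7523923457437"
PLACEHOLDER_SECRET = "3454-9853-7843-3554"  # placeholder; real secrets are longer
PLACEHOLDER_DOMAIN_URL = "https://idcs-example.identity.oraclecloud.com:443"

# Constructed bad tokens for the self-check: one encoded as UTF-16 (what
# PowerShell's ::Unicode produces) and one with the newline echo appends.
BAD_TOKEN_UTF16 = base64.b64encode("id:secret".encode("utf-16-le")).decode("ascii")
BAD_TOKEN_NEWLINE = base64.b64encode(b"id:secret\n").decode("ascii")


def scim_token(client_id: str, client_secret: str) -> str:
    """base64 of 'clientID:clientsecret' as UTF-8 bytes, no trailing newline."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_token(token: str) -> str:
    """Inverse of scim_token, for checking what a pasted token really contains."""
    return base64.b64decode(token, validate=True).decode("utf-8")


def token_problems(token: str) -> list:
    """Return human-readable reasons a pasted token will fail, [] if it looks right."""
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error:
        return ["not strict base64: embedded newline, line wrapping (use base64 -w0) or stray characters"]
    problems = []
    if b"\x00" in raw:
        problems.append("NUL bytes present: string was encoded as UTF-16 (PowerShell ::Unicode); use ::UTF8")
    if raw != raw.strip():
        problems.append("leading/trailing whitespace or newline was encoded: use echo -n or printf '%s'")
    if b":" not in raw:
        problems.append("no ':' separator between client ID and client secret")
    return problems


def scim_base_url(domain_url: str) -> str:
    """Domain URL from Task 2.2 plus /admin/v1, with a shape check."""
    u = urlparse(domain_url)
    if u.scheme != "https" or not u.hostname:
        raise ValueError(f"expected an https domain URL, got {domain_url!r}")
    if u.path not in ("", "/"):
        raise ValueError("paste the bare Domain URL; /admin/v1 is appended here")
    return f"{u.scheme}://{u.netloc}/admin/v1"


def lookup_user_url(base_url: str, email: str) -> str:
    """Users endpoint with a SCIM filter for the Test User Email from Task 2.3."""
    filt = 'userName eq "' + email.replace('"', '\\"') + '"'
    return f"{base_url}/Users?filter={quote(filt, safe='')}"


if __name__ == "__main__":
    tok = scim_token(PLACEHOLDER_CLIENT_ID, PLACEHOLDER_SECRET)
    print("token   :", tok, "| problems:", token_problems(tok))
    for bad in (BAD_TOKEN_UTF16, BAD_TOKEN_NEWLINE):
        print("bad token problems:", token_problems(bad))
    base = scim_base_url(PLACEHOLDER_DOMAIN_URL)
    print("base URL:", base)
    print("lookup  :", lookup_user_url(base, "jane.doe@example.com"))
```

Run token_problems on the value you are about to paste into the Token Key field; an empty list means it is strict base64 of clientID:clientsecret with nothing extra. The lookup URL is the same query JumpCloud's Test Connection effectively performs for the Test User Email, and is handy for reproducing a failure with a plain HTTP client.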

Task 2.3: Configure Identity Management in the JumpCloud Application

Back in JumpCloud, the SCIM endpoint and the OAuth 2.0 client credentials are entered in the application's Identity Management settings.

  1. Open the SSO app created in Task 1.2 and go to Identity Management.

  2. Enter the following information and click Test Connection.

    • API type: Select SCIM API.
    • SCIM Version: Select SCIM 2.0.
    • Base URL: Enter base URL from Task 2.2.4.
    • Token Key: Enter the secret token generated from Task 2.1.10.
    • Test User Email: Enter an email for a user in the JumpCloud directory.

    Testing connection.

    Note: If the connection is successful, SCIM user-attribute customization becomes available. Groups are synced to OCI by default; turn off Group Management if groups should not be provisioned.

  3. In SCIM Attribute Name, click + Add attribute to create the attribute mappings based on the following image. Once done, click Activate.

    Activating connection.

  4. A notification confirms that the connection has been verified. Click Save.

    Saving connection.

Task 2.4: Assign groups to the JumpCloud application

Note: As a pre-requisite, create the groups for OCI admins in JumpCloud before proceeding.

Now, the groups that require access to Oracle resources are selected for provisioning.

  1. Open the SSO app and go to the User Groups tab.

  2. Select the groups that need to be provisioned into OCI and click Save.

    Group selection.

Section 3: Test and Validate

Note: For SSO to work, the SSO user account must be present in both OCI IAM and JumpCloud.

Finally, the synchronized identities are validated and federated authentication is tested.

  1. Open one of the users in both JumpCloud and OCI Console to validate that the details match.

    JumpCloud Console.

    OCI Console.

  2. Repeat the same process to validate that the groups are synced.

    JumpCloud Console.

    OCI Console.

Note: Now that the identities are synchronized, we will validate the SSO login.

  1. In a new browser window, open the OCI Console. Enter Cloud Account Name, also referred to as the tenancy name, and click Next.

  2. Select the identity domain in which JumpCloud federation has been configured.

  3. In the Oracle Cloud Account Sign In page, select JumpCloud. There should be a redirection to the JumpCloud log in page.

    OCI IAM sign-in page

  4. Enter the JumpCloud credentials for the federated user. Upon successful authentication, there should be a redirection back to OCI Console.

Conclusion

With this integration, administrators no longer need separate OCI credentials: authentication is delegated to JumpCloud, and the user and group lifecycle in OCI IAM is driven from the JumpCloud directory. This reduces administrative overhead and removes duplicated identity data.

Acknowledgments

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.