Set up Single Sign-On Between Oracle Cloud Infrastructure Identity and Access Management and PingOne

Introduction

By setting up Single Sign-On (SSO) between PingOne and Oracle Cloud Infrastructure Identity and Access Management (OCI IAM), OCI administrators can seamlessly log in to the OCI Console using their PingOne credentials.

PingOne acts as the Identity Provider (IdP), authenticating users and passing secure authentication tokens to OCI IAM, which functions as the Service Provider (SP). This integration eliminates the need for administrators to manage separate OCI credentials, enhancing security and simplifying access management.

OCI IAM Federation with PingOne (Architecture).

This tutorial shows you how to integrate OCI IAM, acting as a service provider (SP), with PingOne, acting as an IdP. By setting up federation between PingOne and OCI IAM, you enable user access to services and applications in OCI through SSO.

Note: This tutorial is specific to OCI IAM with identity domains.

Objectives

Prerequisites

Task 1: Get the Service Provider Metadata from OCI IAM

You need the SP metadata from your OCI IAM identity domain to import into the Security Assertion Markup Language (SAML) PingOne application you create. OCI IAM provides a direct URL to download the metadata of the identity domain you are using.

To download the metadata, follow these steps.

  1. Open a browser tab and enter the URL: https://cloud.oracle.com.

  2. Enter your Cloud Account Name, also referred to as the tenancy name, and select Next.

  3. Select the identity domain to sign in to. This is the identity domain that is used to configure SSO. For example, Default.

  4. Sign in with your username and password.

  5. Open the navigation menu and select Identity & Security. Under Identity, select Domains.

    Navigating to Domains.

  6. Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Click Settings and then Domain settings.

    Selecting the Domain.

  7. Under Access signing certificate, check Configure client access. Select Save changes. This lets a client access the signing certificate for the identity domain without signing in to the domain.

    Configure client access on the Domain Settings page.

  8. Return to the identity domain overview by selecting the identity domain name in the breadcrumb navigation trail. Then, click Security and then Identity providers. Click Export SAML metadata.

    Navigating to SP metadata.

  9. Ensure that Metadata file is selected. Under Metadata with self-signed certificates, click Download XML. Save this file locally on your machine; this is the SP metadata.

    Downloading SP metadata.

Task 2: Create a PingOne SAML Application

In this task, we will work in the PingOne Admin Console to create a SAML application in PingOne.

  1. In the browser, sign in to PingOne using the URL: https://console.pingone.com/index.html?env=<your_environment_ID>

  2. Under Applications, click Applications and + to add a new application.

    The PingOne admin console applications.

  3. Enter Application name (for example, OCI Admin Console), select Application Type as SAML Application and click Configure.

  4. Select Import Metadata and click Select a file. Select the SP metadata file saved in Task 1.9. If you see ACS URLs and Entity ID auto-populated, the XML was parsed correctly. Click Save.

    Add Application & upload metadata.

Task 3: Configure the SAML Application

Set up SSO for the PingOne SAML application, and download the IdP metadata.

In this task, we will use the SP metadata file you saved earlier and also set up the attribute mappings.

  1. Click the application, Configuration and then click the edit symbol at the top-right.

    Edit Application configuration.

  2. In Subject NameID Format, change the selection to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress and click Save.

    NameID format selection.

  3. Click Attribute Mappings and then click the edit symbol at the top-right.

  4. In Attributes, enter saml_subject, change the PingOne Mappings to Email Address and click Save.

    Attribute mapping.

  5. Click Overview, scroll to the bottom and click Download metadata. Save this file locally on your machine; this is the IdP metadata.

    Download IDP metadata.

  6. Turn on or activate the app.

Note: By default, the value of NameID maps to the username in OCI IAM.

Task 4: Set up Authentication Policies and User Access

When federating, we recommend having MFA set up along with group- or role-based access control.

  1. Click Policies and then click the edit symbol at the top-right.

  2. Click + Add Policies, assign the policies relevant to your architecture and click Save.

    Authentication policies

  3. Click Access and the edit symbol at the top-right.

  4. Select the groups that are authorized to access the app. Skip this step if you do not want to enforce this restriction.

    Group assignment

Task 5: Enable PingOne as IdP for OCI IAM

For these steps, you are working in OCI IAM. In this section, you use the IdP metadata file you saved earlier and also set up the attribute mappings.

  1. In the OCI Console, for the domain you are working in, select Security and then Identity providers.

  2. Select Add IdP, then select Add SAML IdP.

  3. Enter a name for the SAML IdP, for example PingOne. Select Next.

  4. Ensure that Import identity provider metadata is selected. Under Identity provider metadata, select the PingOnemetadata.xml file saved earlier. Select Next.

    Importing IdP metadata.

  5. In Map user identity, set the following:

    • Under Requested NameID format, select Email address.
    • Under Identity provider user attribute, select SAML assertion Name ID.
    • Under Identity domain user attribute, select Username.

    SAML identity provider attributes

  6. Select Next.

  7. Under Review and Create, verify the configuration and select Create IdP.

  8. Under Activate IdP, click Activate, then at the bottom click Close.

  9. Under Security, go to IdP policies and click Create IdP policy.

    Creating IdP policy

  10. Provide a name, for example PingOne IdP, and click Add policy.

  11. Click Add IdP rule and enter a name. For example, Default.

  12. In Assign identity providers, select PingOne. Additionally, you may target specific groups or exclude users for this IdP. Click Add IdP rule and Next.

    Adding IdP rule.

  13. (Optional) If you need to restrict this policy to apply to certain apps only, then add them under Add apps.

  14. Select Close.
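Before importing the two metadata files (the SP metadata from Task 1 into PingOne in Task 2.4, and the IdP metadata from Task 3 into OCI IAM in Task 5.4), it is worth checking offline that each file is the kind the import expects and that the IdP advertises the emailAddress NameID format that the Task 5.5 mapping relies on. The script below is an added example, not code from the tutorial or from Oracle or Ping; the two XML documents are constructed samples in the SAML 2.0 metadata schema, and every host name, environment ID and certificate value in them is a placeholder.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed SP metadata in the shape of the OCI IAM export; values are placeholders.
SP_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="https://idcs-EXAMPLE.identity.oraclecloud.com:443/fed">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...placeholder-cert...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://idcs-EXAMPLE.identity.oraclecloud.com:443/fed/v1/sp/sso" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata in the shape of the PingOne download; values are placeholders.
IDP_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://auth.pingone.com/EXAMPLE-ENV-ID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://auth.pingone.com/EXAMPLE-ENV-ID/saml20/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def check_sp_metadata(xml_text):
    """Return (entityID, ACS URLs, has_signing_cert); Task 2.4 expects the first two to populate."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:  # wrong file handed to the PingOne import
        raise ValueError("not SP metadata: no SPSSODescriptor")
    acs = [e.get("Location") for e in sp.findall("md:AssertionConsumerService", NS)]
    cert = sp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return root.get("entityID"), acs, cert is not None and bool(cert.text.strip())

def check_idp_metadata(xml_text):
    """Return (entityID, SSO URLs, email_nameid_ok); the Task 5.5 Email address mapping needs the last one."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:  # wrong file handed to the OCI IAM import
        raise ValueError("not IdP metadata: no IDPSSODescriptor")
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS)]
    sso = [e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)]
    return root.get("entityID"), sso, EMAIL_FMT in formats
```

Run the checks against the files you actually downloaded by reading them into `check_sp_metadata` and `check_idp_metadata`; a ValueError means the SP and IdP files have been swapped, and a False last value from the IdP check means PingOne is not advertising the emailAddress NameID format chosen in Task 3.2.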

Task 6: Test SSO Between PingOne and OCI

Note: For this to work, the SSO user must be present in both OCI IAM and PingOne with a valid email address.

In this task, you can test that federated authentication works between OCI IAM and PingOne.

  1. Open a browser tab and enter the OCI Console URL: https://cloud.oracle.com.

  2. Enter your Cloud Account Name, also referred to as your tenancy name, and click Next.

  3. Select the identity domain in which PingOne federation has been configured.

  4. On the sign-in page, you can see an option to sign in with PingOne. Click PingOne and you are redirected to the PingOne login page.

    OCI IAM sign-in page

  5. Provide your PingOne credentials.

On successful authentication, you are logged in to the OCI Console.

Acknowledgments
