Disable the OCI Local Password Capability of Users Provisioned from Okta using Okta Attribute Mapping

Introduction

Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) provides identity and access management features such as authentication, single sign-on (SSO), and identity lifecycle management for OCI as well as Oracle and non-Oracle applications, whether SaaS, cloud-hosted, or on-premises. Provisioning your identities from a trusted source such as Okta or Microsoft Entra ID using System for Cross-domain Identity Management (SCIM) is the recommended approach. With SCIM you can define HTTP endpoints to create, read, update, and delete resources for entities such as users and groups. This tutorial assumes that SCIM provisioning is already set up between Okta and OCI IAM and that users and groups are being provisioned to OCI IAM from Okta; if it is not set up yet, you can configure it. For more information, see Identity Lifecycle Management Between OCI and Okta.

In this tutorial, we will disable the local password capability for users in OCI IAM that are pushed from Okta. The goal is that users provisioned from Okta always authenticate through Okta and cannot use a local OCI IAM password to log in.

Objectives

Prerequisites

Task 1: Create a Custom Attribute on Okta Provisioning Application

  1. Log in to the Okta instance, go to Applications, and click the application that you use for provisioning. Click Provisioning.

    Image 1

  2. Click Go to Profile Editor.

    Image 2

  3. In the Attributes section, click Add Attribute.

    Image 3

  4. Enter the following information and click Save.

    • External namespace: urn:ietf:params:scim:schemas:oracle:idcs:extension:capabilities:User

    Image 4

    The attribute is now created and the next task is to map it.

Task 2: Map the Attribute to be synced from Okta to OCI IAM

  1. Go to the application used for provisioning. Under Provisioning, click Show Unmapped Attributes.

    Image 5

  2. You will see the attribute that you created in Task 1, currently showing as unmapped. To map it, click the Edit icon.

    Image 6

  3. In Attribute value, select Same value for all users and set the value to false.

    Image 7

  4. In Apply on, select Create and Update and click Save.

    Image 8

  5. After the attribute is mapped successfully, click Force Sync to force this change to be updated in OCI IAM.

    Image 9

    After a few minutes, you can verify that the local password capability of all users pushed from Okta is turned Off and that those users can no longer use their local passwords to log in.
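    As an added check after the Force Sync (example code written for this tutorial, not part of Oracle's documentation or the OCI SDK), the following Python audits a SCIM user listing from the identity domain and reports users whose local password capability is not switched off. It assumes the capability attribute under the namespace mapped in Task 1 is named canUseConsolePassword, accepts the flag as either a boolean or the string "false", and uses a constructed sample response instead of calling the OCI IAM API.

```python
import json
from typing import Iterable, List, Optional

# SCIM extension namespace the Okta custom attribute is mapped to (from the tutorial).
CAPABILITIES_EXT = "urn:ietf:params:scim:schemas:oracle:idcs:extension:capabilities:User"
# Assumption: the attribute under that namespace that controls the local
# (console) password capability is named canUseConsolePassword.
LOCAL_PASSWORD_ATTR = "canUseConsolePassword"

# Constructed sample of an OCI IAM SCIM ListResponse for /Users after the sync;
# not captured from a real tenancy.
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 3,
    "Resources": [
        {"userName": "alice@example.com", "active": True,
         CAPABILITIES_EXT: {LOCAL_PASSWORD_ATTR: False}},   # mapping applied
        {"userName": "bob@example.com", "active": True,
         CAPABILITIES_EXT: {LOCAL_PASSWORD_ATTR: True}},    # mapping not applied yet
        {"userName": "carol@example.com", "active": True},  # extension missing entirely
    ],
})


def _is_false(value) -> bool:
    # Accept a real boolean or its string form, in case the Okta attribute
    # was created with a string data type rather than boolean.
    return value is False or (isinstance(value, str) and value.lower() == "false")


def local_password_enabled(user: dict) -> bool:
    """True unless the capability is explicitly set to false.

    A missing extension or attribute is treated as still enabled: the sync has
    not pushed the flag, so the user must not be assumed to be blocked from local login.
    """
    caps = user.get(CAPABILITIES_EXT) or {}
    return not _is_false(caps.get(LOCAL_PASSWORD_ATTR))


def audit_local_password(list_response: str, only: Optional[Iterable[str]] = None) -> List[str]:
    """Return userNames that can still use a local password.

    `only` restricts the audit to the userNames provisioned from Okta, so that
    local administrators who legitimately keep a console password are not flagged.
    """
    scope = set(only) if only is not None else None
    users = json.loads(list_response).get("Resources", [])
    return sorted(u["userName"] for u in users
                  if (scope is None or u["userName"] in scope) and local_password_enabled(u))


if __name__ == "__main__":
    for name in audit_local_password(SAMPLE_LIST_RESPONSE):
        print(f"local password still enabled: {name}")
```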

Acknowledgments

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.