Note:
- This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Configure Sign-on Policies for Oracle Analytics Cloud and APEX Apps on OCI
Introduction
Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) Identity Domain Sign-on Policies are a key element for managing access to applications deployed on Oracle Cloud Infrastructure (OCI).
This tutorial is inspired by a customer use case and outlines how an ISV or an Application Services Provider can implement sign-on policies that allow end users to authenticate to the applications delivered to them while preventing those same users from accessing the OCI Console.
For this tutorial, two applications are used: an Oracle Analytics Cloud application and an APEX application running on Autonomous Transaction Processing (ATP) service.
Objectives
- Create and configure a compartment and Identity Domain for the applications.
- Deploy one Oracle Analytics Cloud application and one APEX application using ATP.
- Integrate these two applications with OCI IAM Identity Domains.
- Configure Sign-On Policies to allow application access, while preventing application users from signing on to the OCI Console.
Architecture
This tutorial uses the following architecture:
- Compartment: the compartment in which the Applications Domain and the Oracle Analytics Cloud and ATP instances are created for this tutorial.
- Domains:
  - Default Domain
  - Applications Domain
- Groups:
  - Applications Domain:
    - Group of application users; can only access applications in the domain.
    - Group of Oracle Analytics Cloud and ATP provisioning users; can only provision and manage Oracle Analytics Cloud and ATP instances in the domain.
  - Default Domain:
    - Group of users with permissions to manage all resources in the compartment used in this tutorial; these users perform all the administrative activities for the Applications Domain.
- Sign-On Policies (Applications Domain):
  - Default Sign-On Policy:
    - Rule 1: Allows access to the group of Oracle Analytics Cloud and ATP provisioning users.
    - Rule 2: Denies access.
  - Apps Sign-on Policy:
    - Apps: Oracle Analytics Cloud and APEX applications.
    - Rule: Allows access to the group of application users.
Prerequisites
- Access to an OCI tenancy with Identity Domains.
- An understanding of the OCI IAM model, namely compartments, identity domains, groups and policies.
- A user in the Default Domain who can manage all resources in the compartment you will use for the tutorial.
Task 1: Configure a compartment
1. Sign in to the OCI Console in the Default domain with a user that has permissions to manage resources in the tenancy, or in the parent compartment under which you will create the tutorial compartment as a child compartment.
2. Create a compartment for the tutorial.
3. Make sure the Default domain user you are logged on with is in a group that has manage permissions on this compartment. If not, create (or ask your tenancy administrators to create) a policy using the following template:
   Allow group <group to which your user belongs> to manage all-resources in compartment <compartment name>
Task 2: Configure the Applications Domain
1. In this newly created compartment, create an Identity Domain for the application users. For the purpose of this tutorial, you can use a free domain. Using a separate domain is best practice, as it separates application users from administrator users.
2. In the newly created domain, create a group for the application users. For now, don’t add any users to this group. You’ll do it later in the tutorial, when you perform testing.
3. Create a group for the users who can provision Oracle Analytics Cloud and ATP instances, and assign a user to this group. You might need to create a user for this purpose.
4. Create policies to enable users of this group to create Oracle Analytics Cloud and ATP instances in the compartment you created for this tutorial:
   Allow group <apps_domain>/<oac_provisioning_group> to manage analytics_instances in compartment <compartment name>
   Allow group <apps_domain>/<oac_provisioning_group> to manage autonomous_databases in compartment <compartment name>
Task 3: Configure the Oracle Analytics Cloud application
1. Sign in to the Applications Domain you created in Task 2 with the user you added to the group that manages Oracle Analytics Cloud and ATP instances.
2. Create the Oracle Analytics Cloud instance. When provisioning through the OCI Console, you must do so with a user that belongs to the domain in which your application users will be created and managed, because the Oracle Analytics Cloud provisioning process automatically creates an Oracle Analytics Cloud application in the domain the provisioning user is signed in to.
   Note: If you used the OCI API to provision the Oracle Analytics Cloud instance, you could do so with a user from another domain, but this is outside the scope of the present tutorial.
3. Verify that the Oracle Analytics Cloud instance is bound to the Identity Domain you are signed in to. To do this, go to the Identity Domain you created in Task 2 and open Oracle Cloud Services. You should see an application automatically created by the Oracle Analytics Cloud provisioning process in OCI.
4. Assign an Oracle Analytics Cloud Application role to the application users group.
Task 4: Configure the APEX application
1. Create an ATP instance.
2. Create an APEX workspace and install a sample APEX application in it. Go to the Application Gallery and select one of the sample applications (for instance the Sample Calendar app).
3. Sign out of the domain with this Oracle Analytics Cloud and ATP provisioning user. You will now need to sign in with the user you used at the beginning of the tutorial, which has permissions to manage all resources in the tutorial compartment.
4. Integrate the sample application with the OCI Identity Domain, following this guide:
   - Create a Confidential Application in the Applications Domain for the APEX application you installed in the previous step.
   - Create a new Web Credential in your APEX workspace.
   - Create a new authentication scheme for the APEX application.
Task 5: Configure Sign-On Policies
1. Sign in to the Default domain and change the Default Sign-On Policy of the Applications Domain. Start by changing the Default Sign-on Rule to only allow access to members of the Oracle Analytics Cloud and ATP provisioning group.
   Note: For the purpose of this tutorial, we keep the rule as simple as shown below, but you should require MFA for a production use case.
2. Add another Sign-on Rule to the Default Sign-on Policy. This rule is evaluated after the first rule and denies access to the domain to every user.
   You should now have two rules in the Default Sign-on Policy, as shown below.
3. Create a new Sign-on Policy to allow application users to sign on only to their applications.
4. Associate with this new policy both the APEX application created in Task 4 and the Oracle Analytics Cloud application automatically provisioned in Task 3.
5. Create a Sign-on Rule for this policy to allow users from the application group to sign on to these two applications.
Note: Domain Toggling
If, instead of Oracle Analytics Cloud or Oracle Integration based applications, you need to deploy custom web applications, you should skip steps 1 and 2 of this task and instead just toggle the domain so that it cannot be selected on the OCI Console sign-on page.
On the Domain main page, edit the domain and prevent it from being selected on the OCI Console sign-on page. This blocks OCI web console access to the domain for everyone, including both the application users and the Domain administrator.
Task 6: Test
1. Create a new user in the Applications Domain and add it to the application users group created in the previous tasks.
2. Sign on to the OCI Console with the newly created user, selecting the Applications Domain, and confirm that access is denied.
3. Sign on to the APEX application with the newly created user and confirm you can successfully sign on.
4. Sign on to the Oracle Analytics Cloud application with the newly created user and confirm you can successfully sign on.
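The following is an added example, not code from Oracle or this tutorial: a small model of how the two sign-on policies from Task 5 are evaluated, checked against the outcomes expected in Task 6. It assumes (as the tutorial's rule ordering implies) that rules in a policy are evaluated in order with the first match deciding, that an app-specific policy is consulted for sign-ins to the apps assigned to it and the Default policy otherwise, and that no matching rule means deny; the group names are constructed placeholders.

```python
# Added example (not Oracle's code): model of ordered sign-on rule evaluation.
from dataclasses import dataclass

# Sign-in targets used in the tutorial.
CONSOLE = "OCI Console"
OAC_APP = "Oracle Analytics Cloud"
APEX_APP = "APEX app"


@dataclass(frozen=True)
class Rule:
    name: str
    allow: bool
    groups: frozenset = frozenset()  # empty = rule applies to every user

    def matches(self, user_groups: frozenset) -> bool:
        return not self.groups or bool(self.groups & user_groups)


@dataclass(frozen=True)
class SignOnPolicy:
    name: str
    rules: tuple
    apps: frozenset = frozenset()  # empty = Default policy (any target)


def evaluate(policy: SignOnPolicy, user_groups: frozenset):
    """Rules are evaluated in order; first match wins."""
    for rule in policy.rules:
        if rule.matches(user_groups):
            return rule.allow, rule.name
    return False, "no matching rule"  # assumption: no match means deny


def decide(policies, target: str, user_groups: frozenset):
    """Use the policy assigned to the target app, else the Default policy."""
    for policy in policies:
        if target in policy.apps:
            return evaluate(policy, user_groups)
    default = next(p for p in policies if not p.apps)
    return evaluate(default, user_groups)


# Constructed to mirror Task 5: Default policy allows the provisioning group
# (Rule 1) then denies everyone (Rule 2); Apps policy allows app users.
DEFAULT_POLICY = SignOnPolicy("Default Sign-On Policy", (
    Rule("Rule 1: allow provisioning group", True, frozenset({"oac_provisioning_group"})),
    Rule("Rule 2: deny everyone", False),
))
APPS_POLICY = SignOnPolicy("Apps Sign-on Policy", (
    Rule("Rule: allow application users", True, frozenset({"apps_users_group"})),
), apps=frozenset({OAC_APP, APEX_APP}))
POLICIES = (DEFAULT_POLICY, APPS_POLICY)
```

Swapping the order of the two Default rules in the model shows why the ordering in Task 5 matters: the deny rule would then match everyone, locking out the provisioning group as well.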
Next Steps
Sign-on Policies are not just a key element of application authentication in OCI; they are also easy to use. This tutorial illustrates how simple it is to keep complete control over the authentication of application users, enforcing the policies that make sense for your organization. Sign-on Policies provide functionality beyond what is used in this tutorial (such as enforcing MFA for specific groups of users). Check the additional resources to build a wider understanding of what Sign-on Policies can be used for.
Acknowledgments
- Authors - Ricardo Malhado (Principal Cloud Solution Architect), Arno Schots (Director EMEA Cloud Architects)
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
F82267-01
June 2023
Copyright © 2023, Oracle and/or its affiliates.