Enhance User Experience with Custom Sign-In Application on OKE
You can display your organization's own URL during employee sign in instead of using the default OCI IAM sign-in page and URL by hosting your custom sign-in application in your own domain.
Consider an example of an insurance company, Unified Insurance, which hosts their service on Oracle Cloud. Unified Insurance provides health insurance for employees of Vision Corporation. The employees of Vision Corporation are the consumers of the health insurance policy and will access the Unified Insurance portal to manage their benefits. Oracle is the identity provider and hence the URL displayed on their browser will be a standard Oracle identity URL as follows:
https://<oracle-customer-identity-domain instance>.identity.oraclecloud.com/ui/<version>/signin
Unified Insurance can replace this URL with a URL specific to Vision Corporation by hosting the service in their own domain using a custom sign-in application. The following is an example of the organization-specific URL:
https://visioncorporation.com/employee-signin
In this solution playbook, you learn how to replace the default OCI IAM sign-in page and URL with your organization-specific vanity URL and sign-in page by hosting the custom sign-in application on Oracle Cloud Infrastructure Kubernetes Engine (OKE).
Before You Begin
Identify your organization's requirement and select the appropriate solution.
Hosted Sign-In for Enterprise Organization Employee
Customize the Identity Domain's hosted sign-in page and the branding of the Identity Domain sign-in UI.
Vanity URL for End User or Consumer
Use this solution to support an organization-specific vanity URL for your end users or consumers.
Architecture
The following architecture design shows how you can deploy and run the custom sign-in application on OCI Kubernetes Engine (OKE).
Figure custom-sign-app-arch.png: architecture of the custom sign-in application deployed on OKE (image and its downloadable source are not reproduced here).
The following is an example user workflow for Vision Corporation employees after implementing this solution:
- Employees can sign in using their own self-service portal application to view their health insurance benefits.
- They are taken to their organization's health insurance and benefits website.
- The URL displayed in the address bar is specific to the organization they work for and not an Oracle-provided URL.
Unified Insurance can provide this experience to Vision Corporation by hosting their custom sign-in application on OKE.
Note:
You will require a working sample application secured with the Identity Domain's out-of-the-box sign-in UI for testing purposes. The tester is taken to this application after signing in using the custom application. This application can be hosted anywhere and must be a SAML 2.0, OAuth, or App Gateway-protected application.
This architecture supports the following components:
- Identity and Access Management (IAM)
Oracle Cloud Infrastructure Identity and Access Management (IAM) is the access control plane for Oracle Cloud Infrastructure (OCI) and Oracle Cloud Applications. The IAM API and the user interface enable you to manage identity domains and the resources within the identity domain. Each OCI IAM identity domain represents a standalone identity and access management solution or a different user population.
- Kubernetes Engine
Oracle Cloud Infrastructure Kubernetes Engine (OCI Kubernetes Engine or OKE) is a fully managed, scalable, and highly available service that you can use to deploy your containerized applications to the cloud. You specify the compute resources that your applications require, and Kubernetes Engine provisions them on Oracle Cloud Infrastructure in an existing tenancy. OKE uses Kubernetes to automate the deployment, scaling, and management of containerized applications across clusters of hosts.
- Load balancer
The Oracle Cloud Infrastructure Load Balancing service provides automated traffic distribution from a single entry point to multiple servers in the back end.
- Registry
Oracle Cloud Infrastructure Registry is an Oracle-managed registry that enables you to simplify your development-to-production workflow. Registry makes it easy for you to store, share, and manage development artifacts, like Docker images. The highly available and scalable architecture of Oracle Cloud Infrastructure ensures that you can deploy and manage your applications reliably.
- Service gateway
The service gateway provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and does not traverse the internet.
- Internet gateway
The internet gateway allows traffic between the public subnets in a VCN and the public internet.
- Virtual cloud network (VCN) and subnet
A VCN is a customizable, software-defined network that you set up in an Oracle Cloud Infrastructure region. Like traditional data center networks, VCNs give you control over your network environment. A VCN can have multiple non-overlapping CIDR blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.
- Docker
A software platform that allows you to build, test, and deploy applications quickly. Docker provides the ability to package and run an application in a loosely isolated environment called a container. The isolation and security allows you to run many containers simultaneously on a given host.
About Required Services and Roles
This solution requires the following services and roles:
| Service Name: Role | Required to... |
|---|---|
| GitHub: Developer | Fork the repository and download the custom sign-in application. |
| Docker: Developer | Create the Docker image. |
| Identity Domain: Application Administrator | |
| Oracle Cloud Infrastructure: Create OCIR repository | Create an OCIR repository and an OKE cluster. |
| Kubernetes: Command Line Tool | Access a Kubernetes command line tool. |
| Sign-in application: IDCS_CLIENT_ID and IDCS_CLIENT_CREDENTIALS | Invoke Identity Domain APIs. |
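As an added illustration that is not part of this playbook or of Oracle's sample sign-in application, the following Kubernetes manifest shows how the components described above fit together on OKE: the image is pulled from OCIR, the IDCS_CLIENT_ID and IDCS_CLIENT_CREDENTIALS values used to invoke Identity Domain APIs are supplied from a Kubernetes Secret rather than baked into the image, and an OCI load balancer terminates TLS for the vanity host name. The container port 8080, the readiness path, the image path and all secret names are assumptions; values in angle brackets are placeholders you replace with your own.

```yaml
# Added example, not from the playbook. Assumes the sign-in container listens on
# port 8080 and reads IDCS_CLIENT_ID / IDCS_CLIENT_CREDENTIALS from its environment.
apiVersion: v1
kind: Secret
metadata:
  name: signin-app-idcs            # hypothetical Secret holding the Identity Domain client credentials
type: Opaque
stringData:
  IDCS_CLIENT_ID: "<client-id-from-identity-domain>"
  IDCS_CLIENT_CREDENTIALS: "<client-secret-from-identity-domain>"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: signin-app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: signin-app
  template:
    metadata:
      labels:
        app: signin-app
    spec:
      imagePullSecrets:
        - name: ocir-pull-secret     # hypothetical docker-registry Secret for pulling from OCIR
      containers:
        - name: signin-app
          # Placeholder OCIR path: <region-key>.ocir.io/<tenancy-namespace>/<repo>:<tag>
          image: <region-key>.ocir.io/<tenancy-namespace>/signin-app:1.0
          ports:
            - containerPort: 8080
          envFrom:
            - secretRef:
                name: signin-app-idcs   # credentials injected as env vars, never in the image
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
          readinessProbe:
            httpGet:
              path: /employee-signin   # assumed sign-in path, matching the vanity URL example
              port: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: signin-app
  annotations:
    # OCI cloud controller manager annotations: terminate TLS at the load balancer using a
    # kubernetes.io/tls Secret (assumed name) that holds the certificate for the vanity host.
    service.beta.kubernetes.io/oci-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/oci-load-balancer-tls-secret: signin-app-tls
spec:
  type: LoadBalancer
  selector:
    app: signin-app
  ports:
    - port: 443
      targetPort: 8080
```

Point the organization's DNS record (for example the host in https://visioncorporation.com/employee-signin) at the load balancer's public IP once it is provisioned. Keeping the client credentials in a Secret means they can be rotated in the Identity Domain and re-applied to the cluster without rebuilding or republishing the image.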