Understand Federated SSO for Oracle Cloud Infrastructure

The architecture for federated single sign-on (SSO) for Oracle Cloud Infrastructure depends on whether the identity provider is Oracle Identity Cloud Service or an identity provider outside Oracle Cloud.

About Managing User Identities in Oracle Cloud Infrastructure

Users in Oracle Cloud Infrastructure are managed in the Identity and Access Management (IAM) module.

When an Oracle Cloud Infrastructure tenant is created, Oracle sets up a tenant administrator user in IAM and adds the tenant administrator to the Administrators group. The tenancy automatically applies a policy that gives the Administrators group access to all of the Oracle Cloud Infrastructure API operations and all of the resources in the tenancy. The tenant administrator can create users and groups, and can define access policies.

This diagram shows how tenant administrators manage users, groups, and policies in Oracle Cloud Infrastructure.
(Illustration: oci-users-groups-overview.png)

For an Oracle Cloud Infrastructure tenancy that’s federated with an external identity provider, the groups and users must be managed in that identity provider. Each group must be mapped to a group in Oracle Cloud Infrastructure. The necessary policies must be created in Oracle Cloud Infrastructure to enable the users in each group to use and manage the appropriate resources.

About Federated SSO Options for Oracle Cloud Infrastructure

Oracle Cloud Infrastructure supports federation with Oracle Identity Cloud Service, Microsoft Active Directory, and Microsoft Azure Active Directory using the Security Assertion Markup Language (SAML) 2.0 protocol.

On the Oracle Cloud Infrastructure sign-in page, federated users can either sign in directly to the Oracle Cloud Infrastructure web console or sign in using the federated identity provider's authentication workflow.
(Illustration: oci-fed-vs-direct-signin.png)

Federated users can manage and use resources in Oracle Cloud Infrastructure according to the access policies defined for the groups that the users are in.

When a user signs in through a federated identity provider, the user name is prefixed with the identity provider’s name.

About Federating Oracle Cloud Infrastructure with Oracle Identity Cloud Service

Federation with Oracle Identity Cloud Service enables users to access Oracle Cloud Infrastructure and other Oracle Cloud services using a single set of credentials. User accounts don't need to be created separately for each identity domain.

Since December 2017, new tenancies created in Oracle Cloud Infrastructure are federated, by default, with Oracle Identity Cloud Service. The tenant administrator user is federated automatically. For Oracle Cloud Infrastructure tenancies that aren't federated with Oracle Identity Cloud Service, the tenant administrator can configure federation with one or more Oracle Identity Cloud Service accounts.

Here's an overview of the process for setting up federation between Oracle Cloud Infrastructure and an Oracle Identity Cloud Service account.

First, you must create a trusted application in Oracle Identity Cloud Service and make a note of the following details of the trusted application:
  • The client ID and client secret.

    These credentials are required when registering Oracle Identity Cloud Service as the identity provider in Oracle Cloud Infrastructure.

  • The base URL of the Oracle Identity Cloud Service account: IdentityCloudServiceAccountName.identity.oraclecloud.com

    When using the Oracle Cloud Infrastructure API to register Oracle Identity Cloud Service as an identity provider, the format of the base URL is: IdentityCloudServiceAccountName.identity.oraclecloud.com/fed/v1/metadata

Then, in Oracle Cloud Infrastructure, register the Oracle Identity Cloud Service account as an identity provider, and map the Oracle Identity Cloud Service groups to the appropriate IAM groups.

About Federating Oracle Cloud Infrastructure with Microsoft Active Directory

You can federate multiple Microsoft Active Directory accounts with Oracle Cloud Infrastructure. Trust must be configured separately for each of your Active Directory accounts.

Here's an overview of the process for configuring federation between Oracle Cloud Infrastructure and a Microsoft Active Directory account.

First, download the SAML metadata document for your Active Directory Federation Services (AD-FS) server, and note the names of the Active Directory groups that you want to map to Oracle Cloud Infrastructure groups.

Then, in Oracle Cloud Infrastructure, register Active Directory (using the AD-FS SAML metadata document) as an identity provider, and map the Active Directory groups to the appropriate IAM groups.

Finally, in AD-FS, add Oracle Cloud Infrastructure as a trusted relying party, and add claim rules so that the user ID and groups are included in the SAML authentication response that AD-FS provides to Oracle Cloud Infrastructure.
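The group-mapping step described above for both Oracle Identity Cloud Service and AD-FS, and the claim rules that put the user ID and groups into the SAML response, work together as shown in this added example (not Oracle's code). It assumes the IdP emits the user ID as the SAML NameID and the groups in an attribute named "groups"; the attribute name, the IdP name "adfs", the mapping table and the sample response are all constructed.

```python
"""Resolve a federated user's IAM groups from a SAML 2.0 response.

Added example, not Oracle's code. Assumes the IdP claim rules emit the
user ID as the NameID and the user's groups in an attribute named
"groups"; the mapping table and the sample response are constructed.
Signature, audience and validity-window checks are the relying party's
job and are deliberately out of scope here; this shows only the mapping.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed IdP-group -> IAM-group mapping ("each group must be mapped
# to a group in Oracle Cloud Infrastructure"). Unmapped groups grant nothing.
GROUP_MAPPING = {
    "OCI-NetworkAdmins": "NetworkAdmins",
    "OCI-Readers": "ReadOnly",
}

def parse_assertion(xml_text, attr_name="groups"):
    """Return (name_id, [idp group names]) from a SAML 2.0 Response."""
    root = ET.fromstring(xml_text)
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID: check the IdP claim rules")
    groups = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            groups += [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return name_id.text.strip(), groups

def resolve_federated_user(xml_text, idp_name, mapping=GROUP_MAPPING):
    """Map the assertion to the IdP-prefixed user name and its IAM groups."""
    user, idp_groups = parse_assertion(xml_text)
    iam_groups = sorted({mapping[g] for g in idp_groups if g in mapping})
    return f"{idp_name}/{user}", iam_groups  # federated names carry the IdP prefix

# Constructed sample: one mapped group and one group with no OCI mapping.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>OCI-NetworkAdmins</saml:AttributeValue>
        <saml:AttributeValue>Domain Users</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(resolve_federated_user(SAMPLE_RESPONSE, "adfs"))
```

A response whose claim rules omit the NameID is rejected outright, which is the symptom to look for when a federated sign-in fails after the trust is configured.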