About Configure SAML and SCIM
You can set up federated sign-in between an identity domain and an external identity provider, so that users sign in to and access OCI resources with the user names and passwords the identity provider already manages.
Set Up SAML in Okta
Set up Okta as the identity provider (IdP), with OCI Identity and Access Management acting as the service provider (SP), so that users can access services and applications in OCI Identity and Access Management with credentials authenticated by Okta.
- In Okta, click Admin.
- In the left pane, click Applications, then Applications.
- Under Applications, click Browse App Catalog.
- In the search field, enter `saml`, then select SAML Service Provider.
- Click Add Integration.
- In the Application label field, enter `Okta SAML Provider`.
- Click Next.
- In the Default Relay State field, enter `https://oc2.cloud.oracle.com/?tenant=yourtenancyname&domain=yourdomainname`.
- In OCI, click the main menu, then Identity & Security, then Identity, then Domains.
- Note the tenancy name and domain name.
- In the relay state URL, replace `yourtenancyname` and `yourdomainname` with the values you noted.
Set Up SAML in OCI
Configure the SAML IdP in OCI, using the SAML options you configured in Okta.
- In the OCI console, click the main menu, then Identity & Security, and open the Add SAML identity provider page; select Enter identity provider metadata manually.
- In Okta, on the Add SAML Service Provider page, under Metadata details, click More details, then beside Sign on URL, click Copy.
- In OCI, in the Identity provider issuer URI field, enter the copied text.
- In Okta, under Sign on methods, click View Setup Instructions, then under Sign in to your service provider, copy the text of the Identity Provider Issuer URI.
- In OCI, enter the sign-on URL you copied from Okta in each of the SSO service URL, Identity provider logout request URL, and Identity provider logout response URL fields.
- Under Logout binding, select POST.
- Enable Send signing certificate with SAML message.
- Click Next.
- In the Requested NameID format dropdown, select Email address.
- Click Create IdP.
- On the Export page, beside Assertion consumer service URL, click Copy.
- In Okta, in the Assertion Consumer Service URL field, enter the copied text.
- In OCI, on the Export page, beside Provider ID, click Copy.
- In Okta, in the Service Provider Entity Id field, enter the copied text.
- Click Done.
- On the Okta SAML Provider page, click Assign, then Assign to People.
- Click Assign beside each assignee's name, provide a user name, then click Save and Go Back.
- Click Done.
- In OCI, click Next.
- (Optional) Click Test login.
- Click Next.
- Click Activate.
- Click Finish.
- Under Security, click IdP policies.
- Click Default Identity Provider Policy.
- On the Default IDP Rule row, click the three dots, then click Edit IdP rule.
- Under Assign identity provider, click and select Okta-SAML-Setup.
- Click Save changes.
- Return to the IdP policies page, then click Sign-on policies.
- Click Default Sign-On Policy.
- On the Default Sign-On Rule row, click the three dots, then click Edit sign-on rule, then click Continue.
- Under Assign identity provider, click and select Okta-SAML-Setup.
- Click Save changes.
- Sign in to your Oracle Cloud tenancy using the Okta-SAML-Setup option.
- Sign in to Okta.
- On the verification screen, select Get a push notification.
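The steps above copy several values by hand between the two consoles (issuer URI, sign-on URL, ACS URL, Provider ID) and select settings (POST logout binding, signed messages, email-address NameID) that the IdP must actually support. The following script is an added example, not code from the Oracle documentation or from Okta: it parses standard SAML 2.0 metadata for the IdP and the SP, extracts exactly those values, and reports any mismatch against what an administrator typed into each console. The metadata documents, hostnames, certificate value and the `ENTERED` record are constructed placeholders; substitute the metadata exported by your own IdP and the OCI Export page.

```python
"""Cross-check the values exchanged between Okta and OCI before activating the IdP.
parse_idp() reads IdP metadata, parse_sp() reads SP metadata, and check_federation()
compares both with the values pasted into the consoles and the settings chosen above."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample IdP metadata: placeholder hostnames and a dummy certificate value.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exk-placeholder">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://placeholder.okta.com/app/placeholder/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://placeholder.okta.com/app/placeholder/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample SP metadata, in the shape of what an SP export provides.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idcs-placeholder.example.com/fed">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idcs-placeholder.example.com/fed/sp/sso" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed record of what the administrator typed into each console.
ENTERED = {
    "issuer_uri": "http://www.okta.com/exk-placeholder",                         # OCI field
    "sso_service_url": "https://placeholder.okta.com/app/placeholder/sso/saml",  # OCI field
    "logout_request_url": "https://placeholder.okta.com/app/placeholder/sso/saml",
    "logout_response_url": "https://placeholder.okta.com/app/placeholder/sso/saml",
    "okta_acs_url": "https://idcs-placeholder.example.com/fed/sp/sso",           # Okta field
    "okta_sp_entity_id": "https://idcs-placeholder.example.com/fed",             # Okta field
}


def _endpoints(descriptor, tag):
    """Map binding URN -> Location for every endpoint element with the given tag."""
    return {e.get("Binding"): e.get("Location") for e in descriptor.findall(tag, NS)}


def parse_idp(xml_text):
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") == "signing":
            certs += [c.text.strip() for c in kd.iter(f"{{{NS['ds']}}}X509Certificate") if c.text]
    return {
        "issuer": root.get("entityID"),
        "sso_url": _endpoints(idp, "md:SingleSignOnService").get(POST),
        "slo_url": _endpoints(idp, "md:SingleLogoutService").get(POST),
        "nameid_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text],
        "signing_certs": certs,
    }


def parse_sp(xml_text):
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    return {"entity_id": root.get("entityID"),
            "acs_url": _endpoints(sp, "md:AssertionConsumerService").get(POST)}


def check_federation(idp, sp, entered):
    """Return a list of findings; an empty list means the configuration is consistent."""
    findings = []
    if entered["issuer_uri"] != idp["issuer"]:
        findings.append("issuer URI entered in OCI does not match the IdP entityID")
    for field in ("sso_service_url", "logout_request_url", "logout_response_url"):
        if entered[field] != idp["sso_url"]:
            findings.append(f"{field} entered in OCI differs from the IdP sign-on URL")
    if idp["slo_url"] is None:
        findings.append("IdP publishes no HTTP-POST SingleLogoutService; Logout binding POST cannot work")
    if not idp["signing_certs"]:
        findings.append("IdP metadata carries no signing certificate; assertion signatures cannot be verified")
    if EMAIL_NAMEID not in idp["nameid_formats"]:
        findings.append("IdP does not advertise the emailAddress NameID format selected in OCI")
    if entered["okta_acs_url"] != sp["acs_url"]:
        findings.append("ACS URL entered in Okta differs from the OCI assertion consumer service URL")
    if entered["okta_sp_entity_id"] != sp["entity_id"]:
        findings.append("Service Provider Entity Id entered in Okta differs from the OCI Provider ID")
    for name, url in (("SSO", idp["sso_url"]), ("SLO", idp["slo_url"]), ("ACS", sp["acs_url"])):
        if url and not url.startswith("https://"):
            findings.append(f"{name} endpoint is not HTTPS: {url}")
    return findings


if __name__ == "__main__":
    for line in check_federation(parse_idp(IDP_METADATA), parse_sp(SP_METADATA), ENTERED) or ["OK"]:
        print(line)
```

Run it before the Activate step: an empty findings list means every value pasted between the consoles matches the metadata and the IdP supports the bindings and NameID format the procedure selects. A single-character typo in the ACS URL or Provider ID is the most common reason the optional Test login fails, and the script surfaces that mismatch without a round trip through the browser.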
Provision SCIM
Use SCIM provisioning to manage the user identities behind the SSO setup. OCI Identity and Access Management supports user life cycle management between Okta and OCI Identity and Access Management.
Set Up OCI SAML IdP
Use the Okta setup options to update the SAML IdP setup.
- In the OCI console, under IdP SAML identity providers, select the previously created SAML IdP (for example, Okta).
- Click the action menu (three dots), then click Edit IdP.
- Copy and paste the Issuer to update the identity provider issuer URI.
- Copy and paste the sign-on URL to update the identity provider logout request URL, the identity provider logout response URL, and the SSO service URL.
- Under Signing Certificate, upload the previously downloaded signing certificate.
- Click Save.
- Click the action menu (three dots), then click Activate.