About Configuring SAML and SCIM
You can set up federated sign-in between an identity domain and an external identity provider so that users sign in to and access OCI resources with the existing credentials managed by that identity provider.
Set Up SAML in Okta
Set up Okta as the IdP, with OCI Identity and Access Management acting as the service provider, so that users can access services and applications in OCI Identity and Access Management with Okta-authenticated credentials.
- In Okta, click Admin.
- In the left pane, click Applications, then Applications.
- Under Applications, click Browse App Catalog.
- In the search field, enter saml, then select SAML Service Provider.
- Click Add Integration.
- In the Application label field, enter Okta SAML Provider.
- Click Next.
- In the Default Relay State field, enter https://oc2.cloud.oracle.com/?tenant=yourtenancyname&domain=yourdomainname.
- In OCI, click the main menu, then Identity & Security, then Identity, then Domains.
- Note the tenancy name and domain name.
- Replace yourtenancyname and yourdomainname as appropriate.
Set Up SAML in OCI
Configure a SAML IdP setup in OCI, using the configured SAML options in Okta.
- In the OCI console, open the main menu, then Identity & Security, go to the Add SAML identity provider page, and select Enter identity provider metadata manually.
- In Okta, on the Add SAML Service Provider page, under Metadata details, click More details, then beside Sign on URL, click Copy.
- In OCI, in the Identity provider issuer URI field, enter the copied text.
- In Okta, under Sign on methods, click View Setup Instructions, then under Sign in to your service provider, copy the text of the Identity Provider Issuer URI.
- In OCI, enter the sign-on URL you copied from Okta in each of the SSO service URL, Identity provider logout request URL, and Identity provider logout response URL fields.
- Under Logout binding, select POST.
- Enable Send signing certificate with SAML message.
- Click Next.
- In the Requested NameID format dropdown, select Email address.
- Click Create IdP.
- On the Export page, beside Assertion consumer service URL, click Copy.
- In Okta, in the Assertion Consumer Service URL field, enter the copied text.
- In OCI, on the Export page, beside Provider ID, click Copy.
- In Okta, in the Service Provider Entity Id field, enter the copied text.
- Click Done.
- On the Okta SAML Provider page, click Assign, then Assign to People.
- Click Assign beside each assignee's name, provide a user name, then click Save and Go Back.
- Click Done.
- In OCI, click Next.
- (Optional) Click Test login.
- Click Next.
- Click Activate.
- Click Finish.
- Under Security, click IdP policies.
- Click Default Identity Provider Policy.
- On the Default IDP Rule row, click the three dots, then click Edit IdP rule.
- Under Assign identity provider, click and select Okta-SAML-Setup.
- Click Save changes.
- Return to the IdP policies page, then click Sign-on policies.
- Click Default Sign-On Policy.
- On the Default Sign-On Rule row, click the three dots, then click Edit sign-on rule, then click Continue.
- Under Assign identity provider, click and select Okta-SAML-Setup.
- Click Save changes.
- Sign in to your Oracle Cloud tenancy using the Okta-SAML-Setup option.
- Sign in to Okta.
- On the verification screen, select Get a push notification.
Provision SCIM
Use the SCIM provisioning process together with SSO to manage user identities in the cloud. OCI Identity and Access Management supports user life cycle management between Okta and OCI Identity and Access Management.
Set Up OCI SAML IdP
Use the Okta setup options to update the SAML IdP setup.
- In OCI console, under IdP SAML identity providers, select the previously created SAML IdP (for example, Okta).
- Click the action menu (three dots), then click Edit IdP.
- Copy and paste the Issuer to update the identity provider issuer URI.
- Copy and paste the sign on URL to update the identity provider log-out request URL and identity provider log-out response URL and SSO service URL.
- Under Signing Certificate, upload the previously downloaded signing certificate.
- Click Save.
- Click the action menu (three dots), then click Activate.
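Before uploading the signing certificate in the step above, it is worth confirming that the file is the IdP's current certificate and is not close to expiry, since an expired or mismatched signing certificate causes every SAML assertion to fail validation in OCI. The following shell script is an added example, not part of the Oracle or Okta documentation; it assumes the certificate is in PEM form (if the download is DER, convert it first with `openssl x509 -inform der -in okta.cert -out okta.pem`) and generates a throwaway self-signed certificate purely so the script runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the Oracle/Okta docs): sanity-check an IdP signing
# certificate before uploading it to the OCI SAML IdP configuration.
# Assumption: the certificate file is PEM encoded.

# SHA-256 fingerprint, to compare against the value shown in the Okta admin console.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Subject of the certificate, to confirm it belongs to the IdP and not to some other service.
cert_subject() {
    openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'
}

# Returns 0 if the certificate stays valid for at least $2 seconds (default 30 days),
# non-zero if it expires sooner, which is the cue to plan a rotation in OCI.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null
}

# Demo input: a constructed self-signed certificate standing in for the Okta download.
DEMO_DIR=$(mktemp -d)
DEMO_CERT="$DEMO_DIR/demo-idp.pem"
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$DEMO_DIR/demo-idp.key" \
    -out "$DEMO_CERT" -days 400 -subj "/CN=demo-idp" >/dev/null 2>&1

echo "subject:     $(cert_subject "$DEMO_CERT")"
echo "fingerprint: $(cert_fingerprint "$DEMO_CERT")"
if cert_valid_for "$DEMO_CERT"; then
    echo "certificate is valid for at least 30 more days"
else
    echo "certificate expires within 30 days: rotate it in the OCI IdP configuration"
fi
```

Run it against the real download with `cert_subject okta.pem`, `cert_fingerprint okta.pem` and `cert_valid_for okta.pem`; the fingerprint should match what Okta displays for the application's signing certificate, and a non-zero result from `cert_valid_for` means the OCI IdP entry will need a fresh certificate before that date.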
Resolve SCIM Push Group Error
You will have to deactivate and delete the previous SCIM configuration as part of this fix.
- In Okta, click Applications > Applications > Browse App Catalog.
- Search for and select Oracle Identity Cloud Service.
- Click Add Integration.
- In the Subdomain field, enter anything (for example, idcs-a1b2c3d4).
- Click Done.
- Click the Provisioning tab, then click Configure API Integration.
- Click Enable API integration.
- In the Base URL field, enter the saved domain URL:
- In OCI, go to Identity > Domains.
- Click Default.
- Expand the Domain URL field, and click Copy.
- In Okta, paste it into the Base URL field, then append: /admin/v1
- Delete the existing application.
- In OCI, go to Identity > Domains > Default domain > Integrated applications.
- Click the menu (three dots) for the application > Deactivate > Deactivate application.
- Click the menu again > Delete > Delete application.
- Create a new application.
- Click Add application > Confidential Application > Launch workflow.
- In the Name field, enter Okta_IDCS, then click Next.
- Click Client configuration.
- Enable Client credentials.
- Enable Add app roles.
- Click Add roles.
- Enable User Administrator, then click Add.
- Click Next, then Finish.
- On the application page, click Activate > Activate application.
- Generate a token.
- On the application page, under General Information, copy the Client ID.
- Paste the client ID into a base64 token generator's input field.
- On the application page, under General Information, click Show secret, then click Copy.
- Append the secret to the client ID, then encode and copy the API token.
- In Okta, in the API Token field, paste the API token.
- Click Test API Credentials, then (if successful) click Save.
- Complete the provisioning.
- In Okta, on the Provisioning tab, beside Provisioning to App, click Edit.
- Enable Create Users, Update User Attributes, and Deactivate Users, then click Save.
- Create a test group.
- In Okta, click the Push Groups tab.
- Click Push Groups > Find groups by name.
- In the By name field, enter test_group, then click Save.
- Assign the test group.
- In Okta, click the Assignments tab.
- Click Assign > Assign to People.
- Beside Test_user_SCIM_Prov, click Assign.
- Click Done > Save and Go Back > Done.
- Click the Push Groups tab.
- Under Push Status, set the dropdown to Push now.
- In OCI, refresh the page; the test group should appear.
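The "Generate a token" steps above build the API token by base64-encoding the confidential application's client ID and client secret. The shell script below is an added example, not code from the Oracle or Okta documentation; it assumes the HTTP Basic layout `client_id:client_secret` (colon separator) for the encoded value, and its optional live check assumes the identity domain's OAuth token endpoint at `/oauth2/v1/token` with the client-credentials grant and the SCIM `Users` resource under the `/admin/v1` path noted in the Base URL step. The client ID and secret used in the demo call are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Oracle/Okta docs): build and verify the API token
# that Okta's "API Token" field expects for the Oracle Identity Cloud Service app.
# Assumption: the token is base64("<client_id>:<client_secret>"), the HTTP Basic form.

# Encode "<client_id>:<client_secret>" as a single base64 line.
# printf is used on purpose: `echo` appends a newline, so the token would decode to
# "id:secret\n" and Test API Credentials in Okta would fail with a confusing 401.
make_scim_token() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Decode a token and confirm it round-trips to the expected pair, catching a stray
# newline or a missing separator before the value is pasted into Okta.
# (Older macOS base64 uses -D instead of -d.)
verify_scim_token() {
    token=$1
    decoded=$(printf '%s' "$token" | base64 -d 2>/dev/null) || return 1
    [ "$decoded" = "$2:$3" ]
}

# Optional live check (not run here: needs network and real credentials).
# 1. Exchange the Basic credential for an access token at the domain's token endpoint.
# 2. Call the SCIM Users resource under /admin/v1 with that access token.
# Prints the HTTP status of the SCIM call; 200 means the application is authorised.
check_scim_endpoint() {
    base_url=${1%/}
    token=$2
    access_token=$(curl -s -X POST "$base_url/oauth2/v1/token" \
        -H "Authorization: Basic $token" \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -d "grant_type=client_credentials&scope=urn:opc:idm:__myscopes__" \
        | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p')
    [ -n "$access_token" ] || { echo "token request failed"; return 1; }
    curl -s -o /dev/null -w '%{http_code}\n' \
        -H "Authorization: Bearer $access_token" \
        "$base_url/admin/v1/Users?count=1"
}

# Demo with constructed placeholder values (not a real client ID or secret).
DEMO_TOKEN=$(make_scim_token "abc" "def")
printf 'API token: %s\n' "$DEMO_TOKEN"
verify_scim_token "$DEMO_TOKEN" "abc" "def" && echo "token round-trips correctly"
```

For a real domain, call `make_scim_token "$CLIENT_ID" "$CLIENT_SECRET"` with the values shown under General Information, run `verify_scim_token` on the result, and only then paste it into Okta; `check_scim_endpoint "https://idcs-<your-domain-url>" "$TOKEN"` (placeholder URL) reproduces what Test API Credentials does, which makes a failure easier to attribute to the token, the app roles (User Administrator), or the application not yet being activated.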