About Configure SAML and SCIM

You can set up a federated log-in between an identity domain and external identity provider to sign in and access OCI resources by using existing log-ins and passwords managed by the identity provider.

Set Up SAML in Okta

Set up Okta as an IdP, with OCI Identity and Access Management acting as a service provider, enabling user access to services and applications in OCI Identity and Access Management using Okta-authenticated user credentials.

1. In Okta, click Admin.
2. In the left pane, click Applications, then Applications.
3. Under Applications, click Browse App Catalog.
4. In the search field, enter saml, then select SAML Service Provider.
5. Click Add Integration.
6. In the Application label field, enter Okta SAML Provider.
7. Click Next.
8. In the Default Relay State field, enter https://oc2.cloud.oracle.com/?tenant=yourtenancyname&domain=yourdomainname.
   1. In OCI, click the main menu, then Identity & Security, then Identity, then Domains.
   2. Note the tenancy name and domain name.
   3. Replace yourtenancyname and yourdomainname as appropriate.

Set Up SAML in OCI

Configure a SAML IdP setup in OCI, using the configured SAML options in Okta.

You will be switching between OCI and Okta frequently during this setup.

1. In the OCI console, click the main menu, then Identity & Security, then Add SAML identity provider page, then select Enter identity provider metadata manually.
2. In Okta, on the Add SAML Service Provider page, under Metadata details, click More details, then beside Sign on URL, click Copy.
3. In OCI, in the Identity provider issuer URI field, enter the copied text.
4. In Okta, under Sign on methods, click View Setup Instructions, then under Sign in to your service provider, copy the text of the Identity Provider Issuer URI.
5. In OCI, in each of the SSO service URL field, Identity provider logout request URL field, and Identity provider logout response URL field, enter the sign on URL you retained from Okta.
6. Under Logout binding, select POST.
7. Enable Send signing certificate with SAML message.
8. Click Next.
9. In the Requested NameID format dropdown, select Email address.
10. Click Create IdP.
11. On the Export page, beside Assertion consumer service URL, click Copy.
12. In Okta, in the Assertion Consumer Service URL field, enter the copied text.
13. In OCI, on the Export page, beside Provider ID, click Copy.
14. In Okta, in the Service Provider Entity Id field, enter the copied text.
15. Click Done.
16. On the Okta SAML Provider page, click Assign, then Assign to People.
17. Click Assign beside each assignees' name, provide a user name, then click Save and Go Back.
18. Click Done.
19. In OCI, click Next.
20. (Optional) Click Test login.
21. Click Next.
22. Click Activate.
23. Click Finish.
24. Under Security, click IdP policies.
25. Click Default Identity Provider Policy.
26. On the Default IDP Rule row, click the three dots, then click Edit IdP rule.
27. Under Assign identity provider, click and select Okta-SAML-Setup.
28. Click Save changes.
29. Return to the IdP policies page, then click Sign-on policies.
30. Click Default Sign-On Policy.
31. On the Default Sign-On Rule row, click the three dots, then click Edit sign-on rule, then click Continue.
32. Under Assign idenity provider, click and select Okta-SAML-Setup.
33. Click Save changes.
34. Sign in to your Oracle Cloud tenancy using the Okta-SAML-Setup option.
35. Sign in to Okta.
36. On the verification screen, select Get a push notification.

Provision SCIM

Use the SCIM provisioning process to set up SSO to manage user identities in the cloud. OCI Identity and Access Management supports user life cycle management between Okta and OCI Identity and Access Management.

1. In Okta, click Admin.
2. In the left pane, click Applications, then Applications.
3. Click Create App Integration.
4. Select SAML 2.0, then click Next.
5. In the App name field, enter OCI OKTA SCIM Integration, then click Next.
6. In OCI, click the menu, then Identity & Security, then Domains.
7. On the Domains page, click Default.
8. In the left pane, click Security, then Identity providers.
9. On the Okta-SAML-Setup row, click the three dots, then Edit IdP.
10. Under Export details, on the Assertion consume service URL row, click Copy.
11. In Okta, in the Sinle sign-on URL field, enter the copied text.
12. In OCI, under Export details, on the Provider ID row, click Copy.
13. In Okta, in the Audience URI (SP Entity ID) field, enter the copied text.
14. In the Default RelayState field, enter https://oc2.cloud.oracle.com/?tenant=yourtenancyname&domain=domainname
15. Click Next.
16. Beside Are you a customer or partner?, select I'm a software vendor..., then click Finish.
17. Click the General tab.
18. Beside App Settings, click Edit.
19. Beside Provisioning, select SCIM, then click Save.
20. Click the Provisioning tab.
21. Beside SCIM Connection, click Edit.
22. Enter the domain URL:
    1. In OCI, navigate to Domains, then click Default.
    2. Beside Domain URL, click Show, then copy the URL.
    3. In Okta, in the SCIM connector base URL field, enter the copied URL.
    4. Replace the training :433 with /admin/v1.
23. In the Unique identifier field for users, enter your user name.
24. Beside Supported provisioning actions, select:
    • Import New Users and Profile Updates
    • Push New Users
    • Push Profile Updates
    • Push Groups
25. In the Authentication Mode dropdown, select HTTP Header.
26. Enter the authorization token:
    1. In OCI, navigate to Domains, then click Default.
    2. Click Integrated applications, then Add application.
    3. Select Confidential Application, then click Launch workflow.
    4. In the Name field, enter Okta-SCIM-OCI.
    5. Under Authentication and authorization, enable Enforce grants as authorization, then click Next.
    6. Under Client configuration, select Configure this application as a client now.
    7. Under Authorization, enable Client credentials.
    8. Near the bottom, enable Add app roles, then click Add roles.
    9. Enable User Administrator, then click Add, then Next, then Finish.
    10. Click Activate, then Activate application.
    11. Under General Information, copy the Cliet ID.
    12. Open a Base64 encoder, then enter the client ID, and append a colon at the end.
    13. Under General Information, under Client secret, click Show secret, then click Copy.
    14. In the Base64 encoder, append the client secret to the end.
    15. Run the encoder, then copy the encoded text.
    16. In Okta, under HTTP Header, in the Authentication field, enter the encoded text.
    17. (Optional) Click Test Connector Configuration.
    18. Click Save.
27. Beside Provisioning to App, click Edit.
28. Enable:
    • Create Users
    • Update User Attributes
    • Deactivate User
29. Click Save.
30. Click the Assignments tab, then expand the Assign dropdown, then click Assign to People, set up the assignation, then click Done.
    The new user should appear in the Default domain's Users list in OCI.

Set Up OCI SAML IdP

Use the Okta setup options to update the SAML IdP setup.

1. In OCI console, under IdP SAML identity providers, select the previously created SAML IdP (for example, Okta).
2. Click the action menu (three dots), then click Edit IdP.
3. Copy and paste the Issuer to update the identity provider issuer URI.
4. Copy and paste the sign on URL to update the identity provider log-out request URL and identity provider log-out response URL and SSO service URL.
5. Under Signing Certificate, upload the previously-downloaded signing certificate.
6. Click Save.
7. Click the action menu (three dots), then click Activate.

This should configure your SCIM provisioning. From here on, user provisioning and federation via Okta should be possible.

Resolve SCIM Push Group Error

Resolve the SCIM push group error, if you encounter it.

You will have to deactivate and delete the previous SCIM configuration as part of this fix.

1. In Okta, click Applications > Applications > Browse App Catalog.
2. Search for and select Oracle Identity Cloud Service.
3. Click Add Integration.
4. In the Subdomain field, enter anything (for example, idcs-a1b2c3d4).
5. Click Done.
6. Click the Provisioning tab, then click Configure API Integration.
7. Click Enable API integration.
8. In the Base URL field, enter the saved domain URL:
   1. In OCI, go to Identity > Domains.
   2. Click Default.
   3. Expand the Domain URL field, and click Copy.
   4. In Okta, paste it into the Base URL field, then append: /admin/v1
9. Delete the existing application.
   1. In OCI, go to Identity > Domains > Default domain > Integrated applications.
   2. Click the menu (three dots) for the application > Deactivate > Deactivate application.
   3. Click the menu again > Delete > Delete application.
10. Create a new application.
    1. Click Add application > Confidential Application > Launch workflow.
    2. In the Name field, enter Okta_IDCS, then click Next.
    3. Click Client configuration.
    4. Enable Client credentials.
    5. Enable Add app roles.
    6. Click Add roles.
    7. Enable User Administrator, then click Add.
    8. Click Next, then Finish.
    9. On the application page, click Activate > Activate application.
11. Generate a token.
    1. On the application page, under General Information, copy the Client ID.
    2. Paste the client ID into a base64 token generator's input field.
    3. On the application page, under General Information, click Show secret, then click Copy.
    4. Append the secret to the client ID, then encode and copy the API token.
    5. In Okta, in the API Token field, paste the API token.
    6. Click Test API Credentials, then (if successful) click Save.
12. Complete the provisioning.
    1. In Okta, on the Provisioning tab, beside Provisioning to App, click Edit.
    2. Enable Create Users, Update User Attributes, and Deactivate Users, then click Save.
13. Create a test group.
    1. In Okta, click the Push Groups tab.
    2. Click Push Groups > Find groups by name.
    3. In the By name field, enter test_group, then click Save.
14. Assign the test group.
    1. In Okta, click the Assignments tab.
    2. Click Assign > Assign to People.
    3. Beside Test_user_SCIM_Prov, click Assign.
    4. Click Done > Save and Go Back > Done.
    5. Click the Push Groups tab.
    6. Under Push Status, set the dropdown to Push now.
    7. In OCI, refresh and the test group should appear.