Enabling SSO (CLI)

This section describes how to configure SAML 2.0–based Single Sign-On (SSO) on the appliance using the command line interface (CLI).

SSO configuration is performed as part of the HTTPS service. Before configuring SSO, ensure that the requirements described in SSO Configuration are met.

Configuring SSO requires the following authorization scopes on the appliance:

  • Minimal required authorizations: administer, configure, and restart services.

  • If the user is authorized to configure the HTTPS service, no additional authorization is needed to configure SSO.

  1. Access the CLI as an administrator.
  2. Navigate to the HTTPS service and verify its configuration.
    hostname:> configuration services https
    hostname:configuration services https> show
    Properties:
                          <status> = online
                       tls_version = TLSv1.2,TLSv1.3

    Ensure that HTTPS status is "online".

  3. Download the identity provider (IdP) metadata.
    1. Specify the URL of the IdP metadata file and enter commit to start the download.
      hostname:configuration services https> download
      hostname:configuration services download (uncommitted)> set url=https://idcs-unique-id.identity.oraclecloud.com/fed/v1/metadata
                                 url = https://idcs-unique-id.identity.oraclecloud.com/fed/v1/metadata
      hostname:configuration services download (uncommitted)> commit
    2. Accept the certificate when prompted.
      Warning: The certificate of idcs-unique-id.identity.oraclecloud.com is untrusted.
      Do you want to accept the certificate? y
  4. Enable SSO.
    hostname:configuration services https> set sso_enabled=true
  5. Set the fully qualified domain name (FQDN) for the appliance.

    The identity provider (IdP) must be able to ping the appliance nodes using their FQDNs. The entity IDs required for SAML registration with the IdP are derived from the FQDNs.

    1. Set the appliance node FQDN.
      hostname:configuration services https> set sso_node_fqdn=host-fqdn.example.com
    2. (Cluster only) Set the peer node FQDN.
      hostname:configuration services https> set sso_peer_fqdn=peer-fqdn.example.com
  6. Configure required SSO properties.
    • Specify the SAML attribute that returns the LDAP username of the authenticated user.

      hostname:configuration services https> set sso_attr_ldapuser=<attribute>

      Oracle Identity Cloud Service (IDCS) stores the LDAP username in the "guid" SAML attribute. A different attribute might be used by other identity providers.

    • Select the service provider certificate for securing the communication between the ZFS Storage Appliance and the IdP.

      Note:

      If you prefer to use a new TLS certificate, import it first, then configure SSO.

      Display all available certificates. If necessary, display the certificate data.

      hostname:configuration services https> list
      CERT      TYPE  SUBJECT COMMON NAME      ISSUER COMMON NAME   NOT AFTER
      cert-001  cert  hostname-1.w2k16-ldx...  Oracle Corporation   2026-5-15
      cert-002  cert  hostname-2.us.oracle...  Oracle Corporation   2038-1-19

      hostname:configuration services https> select cer<tab>
      cert-001  cert-002  cert-003  cert-004  cert-005
      hostname:configuration services https> select cert-002
      hostname:configuration services https cert-002> show

      Set the certificate to be used.

      hostname:configuration services https> set cert-002
  7. Commit the configuration.
    hostname:configuration services https> commit
  8. Retrieve the service provider registration information.
    hostname:configuration services https> registration show
    Properties:
                    node_entity_id = https://host-fqdn.us.oracle.com:215
                      node_acs_url = https://host-fqdn.us.oracle.com:215/sso/saml/postResponse
                    peer_entity_id = https://peer-fqdn.us.oracle.com:215
                      peer_acs_url = https://peer-fqdn.us.oracle.com:215/sso/saml/postResponse
                       certificate = -----BEGIN CERTIFICATE-----

    The output includes values required to configure the appliance as a service provider in the IdP.

    • Service provider entity ID

    • Assertion Consumer Service (ACS) URL

    • Service provider certificate

  9. Provide this information to the IdP as required.
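The following Python is an added example, not the appliance's or Oracle's own code: it derives the per-node entity ID and ACS URL from the FQDNs set in step 5 (following the pattern of the registration show output, with port 215 and the ACS path assumed fixed) and checks that downloaded IdP metadata carries the entityID, HTTP-POST SSO endpoint and signing certificate the registration depends on. The sample metadata and its certificate bytes are constructed.

```python
"""Added example (not appliance code): derive the SP values the IdP needs from
the FQDNs set above and sanity-check downloaded IdP metadata."""
import base64, hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def sp_registration(node_fqdn, peer_fqdn=None, port=215):
    """Entity ID / ACS URL per node, following the 'registration show' output
    above (port 215 and the /sso/saml/postResponse path are assumed fixed)."""
    nodes = [node_fqdn] + ([peer_fqdn] if peer_fqdn else [])
    return {f: {"entity_id": f"https://{f}:{port}",
                "acs_url": f"https://{f}:{port}/sso/saml/postResponse"}
            for f in nodes}

def check_idp_metadata(xml_text):
    """Return the IdP entityID, its HTTP-POST SSO URL and SHA-256 fingerprints
    of its signing certificates; compare the fingerprints with values obtained
    out of band, since the download step above accepts an untrusted TLS cert."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not SAML 2.0 IdP metadata")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == POST]
    if not sso:
        raise ValueError("IdP offers no HTTP-POST SingleSignOnService")
    fps = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing+encryption
            b64 = kd.findtext(".//ds:X509Certificate", "", NS)
            if not b64.strip():
                continue
            der = base64.b64decode("".join(b64.split()))
            fps.append(hashlib.sha256(der).hexdigest())
    if not fps:
        raise ValueError("no signing certificate in IdP metadata")
    return {"entity_id": root.get("entityID"), "sso_post_url": sso[0],
            "signing_cert_sha256": fps}

# Constructed sample metadata (not real IDCS output); "YWJj" stands in for a
# base64 DER certificate, so its fingerprint is sha256(b"abc").
SAMPLE_IDP_METADATA = """<md:EntityDescriptor entityID="https://idp.example.com/saml"
 xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Certificate>YWJj</ds:X509Certificate></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/saml/sso"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
```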

To disable SSO:

hostname:> configuration services https
hostname:configuration services https> set sso_enabled=false
hostname:configuration services https> commit