Oracle Cloud Infrastructure Documentation

Federating with Oracle Identity Cloud Service

This topic points to the appropriate topics for federating Oracle Cloud Infrastructure with Oracle Identity Cloud Service depending on when you activated your tenancy.

Tenancies created December 21, 2018 and after

These tenancies are automatically federated with Oracle Identity Cloud Service and configured to provision federated users in Oracle Cloud Infrastructure.

To manage your federated users and groups, see Adding Groups and Users for Tenancies Federated with Oracle Identity Cloud Service.

For information about the federation, see Frequently Asked Questions for Oracle Identity Cloud Service Federated Users.

Tenancies created between December 18, 2017 and December 20, 2018

These tenancies are automatically federated with Oracle Identity Cloud Service but are not configured to provision federated users in Oracle Cloud Infrastructure to allow these users to have additional credentials (API keys, auth tokens, etc.).

To enable this feature for users, you need to perform a one-time upgrade, see: User Provisioning with Oracle Identity Cloud Service.

After you have performed this upgrade, see Adding Groups and Users for Tenancies Federated with Oracle Identity Cloud Service to manage your federated users and groups.

Tenancies created before December 18, 2017

These tenancies must be manually federated with Oracle Identity Cloud Service. See Federating with Oracle Identity Cloud Service described below.

Manually Federating with Oracle Identity Cloud Service

Your organization can have multiple Oracle Identity Cloud Service accounts (e.g., one for each division of the organization). You can federate multiple Identity Cloud Service accounts with Oracle Cloud Infrastructure, but each federation trust that you set up must be for a single Identity Cloud Service account.

Note

Before following the steps in this topic, see Federating with Identity Providers to ensure that you understand general federation concepts.

Web Application and Client Credentials

For each trust, you must set up a web application in Oracle Identity Cloud Service (also called a trusted application); instructions are in Instructions for Federating with Oracle Identity Cloud Service. The resulting application has a set of client credentials (a client ID and client secret). When you federate your Identity Cloud Service account with Oracle Cloud Infrastructure, you must provide these credentials.

COMPUTEBAREMETAL application

A trusted application in Oracle Identity Cloud Service that contains the set of client credentials (a client ID and client secret) you'll need to provide when you federate your Identity Cloud Service account with Oracle Cloud Infrastructure.

Required URLs

The easiest way to federate with Oracle Identity Cloud Service is through the Oracle Cloud Infrastructure Console, although you could do it programmatically with the API. If you're using the Console, you're asked to provide a base URL instead of the metadata URL. The base URL is the left-most part of the URL in the browser window when you're signed in to the Identity Cloud Service console:

  • Base URL: <Identity Cloud Service account name>.identity.oraclecloud.com

If you're using the API to federate, you need to provide the metadata URL, which is the base URL with /fed/v1/metadata appended, like so:

  • Metadata URL: <Identity Cloud Service account name>.identity.oraclecloud.com/fed/v1/metadata

The metadata URL links directly to the IdP-provided XML required to federate. If you're using the API, you need to provide both the metadata URL and the metadata itself when federating. For more information, see Managing Identity Providers in the API.

OCI-V2-<tenancy_name> app

When you manually federate an Oracle Identity Cloud Service account with Oracle Cloud Infrastructure, a new SAML application called OCI-V2-<tenancy_name> is automatically created in that Oracle Identity Cloud Service account. If you later need to delete the Oracle Identity Cloud Service identity provider from your Oracle Cloud Infrastructure tenancy, make sure to also delete the OCI-V2-<tenancy_name> from Oracle Identity Cloud Service. If you don't, and you later try to federate the same Oracle Identity Cloud Service account again, you'll get a 409 error saying that an application with the same name already exists (that is, OCI-V2-<tenancy_name>).

Provisioned User
A provisioned user is provisioned by Oracle Identity Cloud Service in Oracle Cloud Infrastructure and is synched to a federated user that is managed in Oracle Identity Cloud Service. The provisioned user can have the special Oracle Cloud Infrastructure credentials like API keys and auth tokens to enable programmatic access. Provisioned users cannot have Console passwords.

Instructions for Federating with Oracle Identity Cloud Service

Following is the general process an administrator goes through to set up the identity provider, and below are instructions for each step. It's assumed that the administrator is an Oracle Cloud Infrastructure user with the required credentials and access.

  1. In Oracle Identity Cloud Service, get the required information you'll need to perform the set up steps in Oracle Cloud Infrastructure.
  2. In Oracle Cloud Infrastructure, set up the federation:

    1. Set up Oracle Identity Cloud Service as an identity provider.
    2. Map Oracle Identity Cloud Service groups to IAM groups.
  3. In Oracle Cloud Infrastructure, set up the IAM policies for the IAM groups to define the access you want the members of the mapped groups to have.
  4. Inform your users of the name of your Oracle Cloud Infrastructure tenant and the URL for the Console (for example, https://console.us-ashburn-1.oraclecloud.com).
Step 1: Get required information from Oracle Identity Cloud Service
Step 2: Add Oracle Identity Cloud Service as an identity provider in Oracle Cloud Infrastructure
Step 3: Set up IAM policies for the groups
Step 4: Give your federated users the name of the tenant and URL to sign in

Managing Identity Providers in the Console

To delete the identity provider
To add group mappings for Oracle Identity Cloud Service
To update or delete a group mapping

Managing Identity Providers in the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Use these API operations:

Identity providers:

Group mappings: