Best Practices from Oracle Development's A‑Team

Configure Remote Access VPN on ASA using OCI IDCS for login

Catalin Andrei
Cloud Networking Solutions Architect

This blog was not possible without the support from my colleague Chris Johnson.


This blog is a follow-up to previous posts on CISCO ASAv in OCI. If you did not read them, you can find the first blog that focuses on the provisioning of the Marketplace VM and can be found here, and the second blog that focuses on the configuration needed to have a working VPN RA can be found here. The architecture used for this implementation can be found here.

Below you can see the network diagram.


This blog has the following prerequisites:

  • Have a working ASAv instance on OCI.
  • Have a working VPN RA on the ASAv.
  • Have IDCS Administrator rights on the OCI tenancy.


1. Create the SAML application under OCI IDCS

Login to your OCI tenancy and navigate to "Identity & Security > Federation > OracleIdentityCloudService" and fetch the "Oracle Identity Cloud Service Console" and login to the IDCS service console.

In the dashboard, under "Applications and Services" click the plus sign,

and select SAML Application.

Configure the application name.

In the following screen fill in the following:

Download the "Signing Certificate" and "Identity Provider Metadata"


Activate the SAML application.

Under the SAML application navigate to the Groups tab and assign the dev group.



Note that the group dev has a user assigned.

Create another SAML application for the prod user. The Metadata will be the same for both applications.


2. Extract the Metadata from the IDCS

In a text editor open the IDCS metadata and look for the following atributes: "entityID", "SingleSignOnService" and "SingleLogoutService".