Federation with Oracle Cloud Infrastructure and Oracle Access Manager

August 26, 2019 | 2 minute read
Text Size 100%:

Introduction

Oracle Cloud Infrastructure (OCI) supports Federation (SAML 2.0) with third party Identity Providers (IdP). This post specifically describes how to federate with Oracle Access Manager (OAM) as the IdP and describes how OCI federation works with OAM.  First, I highly recommended that you read my colleague's post 'Streamline Enterprise Access Management and Oracle Cloud Infrastructure Access Management with Federated Group Mapping'.  Olaf gives a great overview on how to setup federation on OCI.
 
This post will guide you with setting up federation with OAM.  I have recently gone through this integration and came across some issues.  But don't fret, all of the issues I encountered have workarounds and at the time of this writing all issues have been submitted with Oracle.  My hope is that this will help our customers implementing this use case until all the fixes have been implemented.
 
 

Configuration Setup

To setup OAM as an IdP you should read the whitepaper here.  The whitepaper describes in detail the steps needed to complete the setup.  However, you may run across some issues which are described below.
In Step 1-3; within the saved OCI metadata you will see the following:
 
<md:RequestedAttribute FriendlyName="GroupName"
 
This is the name OCI expects to receive from OAM with a list of groups as it’s value. However there is an issue how OAM parses this attribute value and no SAML response is sent.  In order to get a valid SAML response you will need to change the’Name’ value to something other than "https://auth.oraclecloud.com/saml/claims/groupName”.  Let’s change it to: "https://auth.oraclecloud.com/saml/claimss/groupName” (notice the extra ’s’ in claims).  
 
Now that we have made a change to the metadata the signature is now invalid. The signature is used to validate and make sure that the metadata has not been tampered with. In order for OAM to process/accept the metadata we must also remove the signature.
 

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

...

  </ds:Signature>

 
Now save the file and import into OAM as documented.
 
In Step 1-11 the ‘Message Attribute Name is incorrect.  It should be https://auth.oraclecloud.com/saml/claims/groupName. Here we are directing OAM to send the group information for a particular user using this attribute name.
 
In Step 2-11 there is a document bug that describes setting the 'expression' to return a subset of groups.  Specifically setting $user.groups = "OCI_*".  This expression is not supported (an enhancement request has been logged with Oracle).  Please use the value option as user/groups.
 
One last thing; OCI requires that multiple groups sent in the SAML Assertion must be within individual 'AttributeValue' tags.  By default OAM will send multiple groups in a single delimited line( i.e. comma).  You must change this behavior in OAM with the WLST call as described here.  

That's it!  Test and validate!

 

 

Vinay Kalra


Previous Post

VPN Connect - Simple Implementation - Part 2/2

Javier Ramirez | 16 min read

Next Post


Migration and upgrade of 11g database on-premise to 18c on Oracle Cloud Infrastructure with near zero downtime

Rishi Mahajan | 12 min read