Best Practices from Oracle Development's A‑Team

Federation with Oracle Cloud Infrastructure and Oracle Access Manager


Oracle Cloud Infrastructure (OCI) supports Federation (SAML 2.0) with third party Identity Providers (IdP). This post specifically describes how to federate with Oracle Access Manager (OAM) as the IdP and describes how OCI federation works with OAM.  First, I highly recommended that you read my colleague's post 'Streamline Enterprise Access Management and Oracle Cloud Infrastructure Access Management with Federated Group Mapping'.  Olaf gives a great overview on how to setup federation on OCI.
This post will guide you with setting up federation with OAM.  I have recently gone through this integration and came across some issues.  But don't fret, all of the issues I encountered have workarounds and at the time of this writing all issues have been submitted with Oracle.  My hope is that this will help our customers implementing this use case until all the fixes have been implemented.

Configuration Setup

To setup OAM as an IdP you should read the whitepaper here.  The whitepaper describes in detail the steps needed to complete the setup.  However, you may run across some issues which are described below.
In Step 1-3; within the saved OCI metadata you will see the following:
<md:RequestedAttribute FriendlyName="GroupName"
This is the name OCI expects to receive from OAM with a list of groups as it’s value. However there is an issue how OAM parses this attribute value and no SAML response is sent.  In order to get a valid SAML response you will need to change the’Name’ value to something other than "https://auth.oraclecloud.com/saml/claims/groupName”.  Let’s change it to: "https://auth.oraclecloud.com/saml/claimss/groupName” (notice the extra ’s’ in claims).  
Now that we have made a change to the metadata the signature is now invalid. The signature is used to validate and make sure that the metadata has not been tampered with. In order for OAM to process/accept the metadata we must also remove the signature.

<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">



Now save the file and import into OAM as documented.
In Step 1-11 the ‘Message Attribute Name is incorrect.  It should be https://auth.oraclecloud.com/saml/claims/groupName.  Here we are directing OAM to send the group information for a particular user using this attribute name.
In Step 3, the whitepaper describes how to import the OAM IdP metadata; however, you may encounter the following error:
{:code "InvalidSAMLMetadata", :message "Invalid metadata xml string. cvc-elt.4.2: Cannot resolve 'query:AttributeQueryDescriptorType' to a type definition for element 'md:RoleDescriptor'."}
You can avoid this error by removing the 'md:RoleDescriptor' section near the end of this file.

That's it!  Test and validate!



Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.Captcha