Using OCI Identity provider policy to automatically set an identity provider based on username attribute

An organization may have many different identity providers for authenticating users. Some identity providers are internal such as username-password, while others are external federated identity providers. Here, I will explain how to use IdP policy on OCI identity domain to automatically set an identity provider for user authentication based on username attribute. This is an example scenario for this IdP policy: 

• If username ending with domain1.com, use identity provider IDP1 to authenticate the user.
• If username ending with domain2.com, use identity provider IDP2 to authenticate the user. 
• (Optionally) Anyone else not in domain1.com and domain2.com, use IDP3 to authenticate.

In this example, IDP1, IDP2 and IDP3 can be any identity provider such as username_password, SAML or OpenID Connect.  Here’s the steps to implement this on OCI:

1. Enable username first flow
   1. In the OCI Console, under Identity & Security -> Domains
   2. Click on the Domain.  In this example, TestDomain
   3. On the left navigation link, click on Settings
   4. Then click on Session settings on the left
   5. Click on the Enable username first flow check box and click Save changes at the bottom
2. For this example, the 3 Identity providers IDP1, IDP2 and IDP3 are already created and configured.
3. Create a new IdP policy with 4 IdP rules
   1. Under Identity > Domains > TestDomain > Security > IdP polies, click Create IdP policy
      
   2. Enter the name of the new policy and click Add policy
      
   3. Click Add IdP rule
      
   4. Create the 1st rule with username-password as the identity provider and empty username as the condition.  However, empty username is not a condition that is available in the OCI console UI and this condition can only be set using API call.  Leave the condition as empty for now and click Add IdP rule.
      
   5. Create the 2nd rule and set the identity provider to IDP1 and set the condition to end with @domain1.com
      
   6. Create the 3rd rule and set the identity provider to IDP2 and set the condition to end with @domain2.com
      
   7. (Optionally) Create 4th rule and set the identity provider to IDP3 and leave the condition as empty. 
      
   8. The IdP policy with all 4 IdP rules is now created. 
      
4. Go back to the 1st rule and find the condition OCID of this rule.  Use the identity domain API call to patch this condition and set the attribute to username is empty.
   1. Open network trace in the browser and edit the 1st rule.
      
   2. Get the condition OCID attached to the rule by click on the network trace that start with “Conditions?filter”.  The OCID can be seen in the payload.  Copy and save the OCID.
      
   3. Use the identity domain API call to patch this condition.  This can be done using oci raw-request from cloud shell or Postman or curl.  Using oci raw-request from cloud shell is simplest.
      1. To use oci raw-request, open cloud shell from OCI console. 
         
      2. In Cloud Shell, use an editor of your choice to create a file request.json with the following condition payload:

         {
           "schemas": [
             "urn:ietf:params:scim:api:messages:2.0:PatchOp"
           ],
           "Operations": [
             {
               "op": "replace",
               "path": "operator",
               "value": "eq"
             },
             {
               "op": "replace",
               "path": "attributeName",
               "value": "empty"
             },
             {
               "op": "replace",
               "path": "attributeValue",
               "value": "#concat($(actorName),\"empty\")"
             }
           ]
         }
         

      3. The request.json should look like this:  
         
      4. Run the oci raw-request command using your identity domain url and the condition ocid saved from network trace in step above.

         oci raw-request --http-method PATCH --target-uri <identity domain url>/admin/v1/Conditions/<Condition OCID> --request-body file://request.json
         

         
         
      5. Make sure the status returned is 200 indicating the request is successful  
         
         
      6. This completes the patch operation of the EmptyUsernameRule condition.
5. Once the IdP rules are configured, click Next to Add apps to add all the applications that would use this IdP policy for authentication.

Now with this IdP policy, a user attempting to authenticate to this identity domain will be presented with login page with username field only.  Once the username is entered, then the user will be directed to the corresponding identity provider based on the username to authenticate into applications assigned to IdP policy.

Postman can also be used for patching the IdP policy rule condition with the identity domain Rest API.  If you want to do this in Postman, here’re the steps for Postman

1. Configure a Confidential Application in the identity domain if one does not exist.
   • Under Identity > Domains > TestDomain, click Integrated applications on the left. Then click Add application and select Confidential Application and Launch workflow.
     
   • Enter a Name and click Next. 
   • In Configure OAuth screen, Client configuration section, select Configure this application as a client now. Select client credentials
     
   • Scroll to the bottom and select Add app role
     
   • Click Add roles and select Identity Domain Administrator and click Add
     
     
   • Click Next and Finish
   • Then Activate the application  
     
   • Copy and save both the Client ID and Client Secret 
     
2. Get an oauth token for the identity domain.  In this example, postman is used for the identity domain api call.  
   • In the collections, expand REST_API_for_Oracle_Identity_Cloud_Service > OAuth >Tokens and click on Obtain access_token (client_credentials)
     
   • Edit Environment variable and set the current values of variables for HOST, Client ID and Client Secret of the identity domain
     
   • Click Send to get the access token 
     
   • Copy the access token and edit the environment and paste in the access token in current value 
     
3. PATCH the condition with payload below 

   {
     "schemas": [
       "urn:ietf:params:scim:api:messages:2.0:PatchOp"
     ],
     "Operations": [
       {
         "op": "replace",
         "path": "operator",
         "value": "eq"
       },
       {
         "op": "replace",
         "path": "attributeName",
         "value": "empty"
       },
       {
         "op": "replace",
         "path": "attributeValue",
         "value": "#concat($(actorName),\"empty\")"
       }
     ]
   }

   • In postman, navigate to Policy > Conditions > Modify > Patch Update a condition.
   • In the URL, paste the saved condition OCID after /admin/v1/Conditions/.
   • In the Body, copy the payload and run it.  Make sure the Status code is 200  
     
4. After completing the patch operation, delete the confidential application created in step 1.