Using OCI Identity provider policy to automatically set an identity provider based on username attribute

October 25, 2023 | 10 minute read
Mimi Mukherjee
Master Principal Solution Engineer
Text Size 100%:


An organization may have many different identity providers for authenticating users. Some identity providers are internal such as username-password, while others are external federated identity providers. Here, I will explain how to use IdP policy on OCI identity domain to automatically set an identity provider for user authentication based on username attribute. This is an example scenario for this IdP policy: 

  • If username ending with domain1.com, use identity provider IDP1 to authenticate the user.
  • If username ending with domain2.com, use identity provider IDP2 to authenticate the user. 
  • (Optionally) Anyone else not in domain1.com and domain2.com, use IDP3 to authenticate.

In this example, IDP1, IDP2 and IDP3 can be any identity provider such as username_password, SAML or OpenID Connect.  Here’s the steps to implement this on OCI:

  1. Enable username first flow
    1. In the OCI Console, under Identity & Security -> Domains
    2. Click on the Domain.  In this example, TestDomain
    3. On the left navigation link, click on Settings
    4. Then click on Session settings on the left
    5. Click on the Enable username first flow check box and click Save changes at the bottomFigure-1e: Enable username first flow
  2. For this example, the 3 Identity providers IDP1, IDP2 and IDP3 are already created and configured.
  3. Create a new IdP policy with 4 IdP rules
    1. Under Identity > Domains > TestDomain > Security > IdP polies, click Create IdP policy
      Figure-3a: Identity provider policies
    2. Enter the name of the new policy and click Add policy
      Figure-3b: Create IDP policy
    3. Click Add IdP rule
      Figure-3c: Create IDP Policy
    4. Create the 1st rule with username-password as the identity provider and empty username as the condition.  However, empty username is not a condition that is available in the OCI console UI and this condition can only be set using API call.  Leave the condition as empty for now and click Add IdP rule.
      Figure-3d: Create IDP policy
    5. Create the 2nd rule and set the identity provider to IDP1 and set the condition to end with @domain1.com
      Figure-3e: Create IDP policy
    6. Create the 3rd rule and set the identity provider to IDP2 and set the condition to end with @domain2.com
      Figure-3f: Create IDP policy
    7. (Optionally) Create 4th rule and set the identity provider to IDP3 and leave the condition as empty. 
      Figure-3g: Create IDP policy
    8. The IdP policy with all 4 IdP rules is now created. 
      Figure-3h: Create IDP policy
  4. Go back to the 1st rule and find the condition OCID of this rule.  Use the identity domain API call to patch this condition and set the attribute to username is empty.
    1. Open network trace in the browser and edit the 1st rule.
      Figure-4a: Patch condition
    2. Get the condition OCID attached to the rule by click on the network trace that start with “Conditions?filter”.  The OCID can be seen in the payload.  Copy and save the OCID.
      Figure-4b: Patch Condition
    3. Use the identity domain API call to patch this condition.  This can be done using oci raw-request from cloud shell or Postman or curl.  Using oci raw-request from cloud shell is simplest.
      1. To use oci raw-request, open cloud shell from OCI console. 
        Figure-4c-i: Patch Condition
      2. In Cloud Shell, use an editor of your choice to create a file request.json with the following condition payload:
        {
          "schemas": [
            "urn:ietf:params:scim:api:messages:2.0:PatchOp"
          ],
          "Operations": [
            {
              "op": "replace",
              "path": "operator",
              "value": "eq"
            },
            {
              "op": "replace",
              "path": "attributeName",
              "value": "empty"
            },
            {
              "op": "replace",
              "path": "attributeValue",
              "value": "#concat($(actorName),\"empty\")"
            }
          ]
        }
        
      3. The request.json should look like this:  
        Figure-4c-iii: Patch Condition
      4. Run the oci raw-request command using your identity domain url and the condition ocid saved from network trace in step above.
        oci raw-request --http-method PATCH --target-uri <identity domain url>/admin/v1/Conditions/<Condition OCID> --request-body file://request.json
        

        Figure-4c-iv: Patch condition
      5. Make sure the status returned is 200 indicating the request is successful  
        Figure-4c-v1: Patch condition
        Figure-4c-v2: Patch condition
      6. This completes the patch operation of the EmptyUsernameRule condition.
  5. Once the IdP rules are configured, click Next to Add apps to add all the applications that would use this IdP policy for authentication.

Now with this IdP policy, a user attempting to authenticate to this identity domain will be presented with login page with username field only.  Once the username is entered, then the user will be directed to the corresponding identity provider based on the username to authenticate into applications assigned to IdP policy.

 

 

Postman can also be used for patching the IdP policy rule condition with the identity domain Rest API.  If you want to do this in Postman, here’re the steps for Postman

  1. Configure a Confidential Application in the identity domain if one does not exist.
    • Under Identity > Domains > TestDomain, click Integrated applications on the left. Then click Add application and select Confidential Application and Launch workflow.
      Postman Patch Condition: Configure Confidential Application 1
    • Enter a Name and click Next. 
    • In Configure OAuth screen, Client configuration section, select Configure this application as a client now. Select client credentials
      Postman Patch Condition: Configure Confidential Application 2
    • Scroll to the bottom and select Add app role
      Postman Patch Condition: Configure Confidential Application 3
    • Click Add roles and select Identity Domain Administrator and click Add
      Postman Patch Condition: Configure Confidential Application 4
      Postman Patch Condition: Configure Confidential Application 5
    • Click Next and Finish
    • Then Activate the application  
      Postman Patch Condition: Configure Confidential Application 6
    • Copy and save both the Client ID and Client Secret 
      Postman Patch Condition: Configure Confidential Application 7
  2. Get an oauth token for the identity domain.  In this example, postman is used for the identity domain api call.  
    • In the collections, expand REST_API_for_Oracle_Identity_Cloud_Service > OAuth >Tokens and click on Obtain access_token (client_credentials)
      Postman Patch Condition: Get OAuth Token 1
    • Edit Environment variable and set the current values of variables for HOST, Client ID and Client Secret of the identity domain
      Postman Patch Condition: Get OAuth Token 2
    • Click Send to get the access token 
      Postman Patch Condition: Get OAuth Token 3
    • Copy the access token and edit the environment and paste in the access token in current value 
      Postman Patch Condition: Get OAuth Token 4
  3. PATCH the condition with payload below 
    {
      "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
      ],
      "Operations": [
        {
          "op": "replace",
          "path": "operator",
          "value": "eq"
        },
        {
          "op": "replace",
          "path": "attributeName",
          "value": "empty"
        },
        {
          "op": "replace",
          "path": "attributeValue",
          "value": "#concat($(actorName),\"empty\")"
        }
      ]
    }
    • In postman, navigate to Policy > Conditions > Modify > Patch Update a condition.
    • In the URL, paste the saved condition OCID after /admin/v1/Conditions/.
    • In the Body, copy the payload and run it.  Make sure the Status code is 200  
      Postman Patch Condition
  4. After completing the patch operation, delete the confidential application created in step 1.

Mimi Mukherjee

Master Principal Solution Engineer


Previous Post

Install and configure OAS 6.4 and Grafana 9.2 for use with OEM 13.5 - Step by Step Guide

Amine Tarhini | 19 min read

Next Post


Creating LLM powered applications using OCI Generative AI

Rekha Mathew | 7 min read