Configuring Oracle Cloud Identity Management and Single Sign-On with Workspace One Access
In my last post, I talked about why Identity Management technologies are important in a multi-cloud world. I also showed how Workspace One Access can help organizations reduce identity sprawl, improve their compliance, and provide a consistent user experience. Now we’re going to start looking at how we can use Workspace One Access to configure identity federation and single sign-on to the hyperscaler clouds, starting with Oracle Cloud.
An Overview of Oracle Cloud Identity Management
Every hyperscaler cloud has different constructs and terminology that we should be aware of. Before we dive into configuring identity federation for Oracle Cloud, I want to cover some of the key concepts that we will run into and provide some additional resources that you can reference.
Oracle Cloud uses “Identity Domains” for managing identity federation. An identity domain is a container used for managing users, groups, policies, federation, and user provisioning. It can be used for managing access to Oracle Cloud resources via Identity and Access Management (IAM) roles or for federating with other identity providers, including Workspace One. I recommend reviewing Oracle’s documentation on IAM with Identity Domains here.
Every Oracle Cloud tenant gets a free-tier Identity Domain, and this is where the default Administrator account and group are created. You can configure identity federation with this default identity domain, or you can provision additional identity domains to meet your specific needs. You can find more details about the different types of identity domains in Oracle’s documentation.
Identity Federation between Workspace One and Oracle Cloud is SAML-based. You can also set up Just-in-Time (JIT) provisioning for users and groups, and you can map Workspace One Access groups to Oracle groups and IAM Policies. I won’t cover how to configure Oracle IAM Policies, as that is beyond the scope of this post.
By the end of this walkthrough, you should have basic SAML-based Identity Federation between your Workspace One Access tenant and your Oracle Cloud tenant’s default Identity Domain.
Configuring Oracle Cloud to Support Identity Federation
Before we begin, we need to have a few prerequisites in place.
First, we will need to have an Oracle Cloud account, and you need to have permission to configure an IdP. Identity management is included in the Oracle Free Tier. We will also need to have a Workspace ONE Access environment that has at least one user account. This Workspace ONE user account should have the same email address as the Oracle Cloud account that is configuring identity federation; otherwise, you will receive a cryptic error when testing the integration. Finally, we will need to retrieve our SAML IdP metadata from Workspace ONE Access. Save the Workspace ONE SAML metadata file to your computer so we can import it into Oracle later.
Once we have these prerequisites and we’re signed into our account, we can start configuring identity federation. The steps for this are:
- Sign into your Oracle Cloud management plane.
- Click on Identity and Security.
Figure 1: Oracle Sidebar Menu for Identity and Security
- Click on Domains. Oracle Cloud allows customers to create multiple identity domains to meet various use cases, but for this walkthrough, we will edit the default domain.
Figure 2: Domains Menu
- Select Default.
Figure 3: Default Domain
- Select Security.
Figure 4: Default Domain Security Menu
- Select Identity Providers.
Figure 5: Identity Providers Menu
- Click Add IDP (1) and select Add SAML IDP (2).
Figure 6: Adding a SAML IdP
- Provide a Name and Description. Optionally, if you have a custom icon, you can provide it here too.
Figure 7: SAML IdP Details
- Click Next.
- Click the Export SAML Metadata button.
Figure 8: Exporting SAML IdP metadata
- Click the Metadata URL box (Figure 9-1). This will create a URL to the metadata XML file that we can import directly into Workspace ONE Access.
- Click the Access Metadata or signing certificate slider switch (Figure 9-2).
Figure 9: Metadata URL Details
- Copy the Metadata URL and save it in a safe location. We will need this in a future step.
- Click Close.
- Click Import SAML Metadata.
- Upload the Workspace ONE Access SAML metadata file that you downloaded as a prerequisite.
Figure 10: Importing SAML IdP Metadata from Workspace ONE Access
- Click Next twice.
- Click Create IDP.
Configuring Workspace ONE Access to Federate with Oracle Cloud
We are halfway done! We now need to switch back to Workspace ONE Access. We will need to use the Metadata URL that we copied in Step 13 of the previous section (the Copy the Metadata URL step) to finish the setup.
- Log into the Workspace ONE Access Console
- Click on Resources -> Web Apps -> New
- Provide a name and description for this new web application.
Figure 11: Creating a new SaaS Application in Workspace ONE Access
- Click Next.
- Paste the Metadata URL that you copied in Step 13 of the previous section into the URL/XML box.
Figure 12: Providing the Oracle Cloud SAML Metadata URL to Workspace ONE Access
- Enter the following into the Relay State URL box:
https://cloud.oracle.com/?region=<your region>&tenant=<your cloud account name>
- <your region> is the Oracle Cloud region where your control panel is hosted.
- <your cloud account name> is the cloud account name you provided at the first Oracle Cloud sign-in window.
- Scroll down and click Advanced Properties.
- Scroll down to Custom Attribute Mapping.
- Create the following entries:
- Name: FirstName
Value: ${user.firstname}
- Name: LastName
Value: ${user.lastname}
- Name: GroupNames
Value: Administrators
Note: We are using Administrators here for ease of setup and demonstration. You would not do this in a production environment, because every federated user would be sent the Administrators group name. You can send the names of all groups that a user belongs to by using ${user.groups} in the value field. Oracle Cloud Infrastructure (OCI) can parse the GroupNames field and map roles based on group membership when using JIT user provisioning. This post will not cover setting up JIT.
- Click Next.
- Select the Access Policy that you want to use for Oracle Cloud from the drop-down.
Figure 13: Assigning an Access Policy to the Oracle Cloud SAML configuration
- Click Next.
- Click Save and Assign.
- Select the users or groups that will access Oracle Cloud.
Figure 14: Assigning Users and Groups to our Oracle Cloud app
- Click Save.
Testing and Activating Identity Federation in Oracle Cloud
Now that both sides of our identity federation are configured, we need to test it and enable users to sign in. I recommend that you test the configuration in a private tab in your web browser, and that your Workspace One user has an account set up in your Oracle Cloud account, as we have not configured JIT user provisioning.
- Sign back into your Oracle Cloud control plane.
- Go to Identity and Security -> Domains -> Default -> Security -> Identity Providers
- Click on Configuration Status.
- Click Test Login.
- If everything is configured correctly and you’re testing with a Workspace One User that has a user account in Oracle Cloud, you should see the following message:
Figure 15: Successfully Testing SAML between Workspace ONE Access and Oracle Cloud
Note: If you see an error message stating that “No username was received”, please validate that you created an Oracle Cloud account for your Workspace One test user, and that its email address matches the Workspace One user.
- Close the window.
- Click Activate IDP.
Once you click Activate IDP, basic single sign-on between Workspace One Access and Oracle Cloud is configured. If an account has been manually created and a role has been assigned, users will be able to launch the Oracle Cloud console from within the Workspace One app catalog. Oracle Cloud supports JIT user provisioning, but this requires some advanced setup that will be covered in a future post.
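When the test login fails, the quickest way to see what Oracle actually received is to look at the assertion Workspace ONE Access sent (a SAML tracer browser extension will capture it). The script below is an added example, not code from the original post, VMware or Oracle: it pulls the NameID and the FirstName, LastName and GroupNames attributes out of an assertion and reports the conditions this walkthrough depends on, namely that a NameID is present (otherwise Oracle reports that no username was received), that it matches the email of the Oracle Cloud account, and that GroupNames is not the static Administrators value from the demo mapping. The assertion it parses is a constructed sample with placeholder tenant and user names, and the signature element is omitted.

```python
"""Review the claims in a SAML assertion sent to Oracle Cloud.

Added example; the assertion is a constructed sample shaped like what the
custom attribute mapping in the post produces, with the signature omitted.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: hypothetical tenant, hypothetical user, no signature.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-sample" Version="2.0">
  <saml:Issuer>https://example-tenant.vmwareidentity.com/SAAS/API/1.0/GET/metadata/idp.xml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="GroupNames">
      <saml:AttributeValue>Administrators</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_claims(assertion_xml: str) -> dict:
    """Return the issuer, NameID and attribute values of a SAML assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attributes[attr.get("Name")] = values
    return {
        "issuer": (root.findtext("saml:Issuer", default="", namespaces=SAML_NS) or "").strip(),
        "name_id": name_id.text.strip() if name_id is not None and name_id.text else None,
        "attributes": attributes,
    }


def review_claims(claims: dict, oracle_account_email: str) -> list:
    """List the problems a practitioner would check for before activating
    the IdP. oracle_account_email is the email of the manually created
    Oracle Cloud user the test login is expected to map to."""
    findings = []
    if not claims["name_id"]:
        findings.append("no NameID: Oracle will report that no username was received")
    elif claims["name_id"].lower() != oracle_account_email.lower():
        findings.append(
            f"NameID {claims['name_id']} does not match the Oracle Cloud account "
            f"{oracle_account_email}"
        )
    for required in ("FirstName", "LastName"):
        if required not in claims["attributes"]:
            findings.append(f"missing {required} attribute")
    groups = claims["attributes"].get("GroupNames", [])
    if not groups:
        findings.append("no GroupNames: no group-to-policy mapping is possible")
    elif "Administrators" in groups:
        findings.append("GroupNames grants Administrators: acceptable for a demo only")
    return findings


if __name__ == "__main__":
    claims = extract_claims(SAMPLE_ASSERTION)
    print("NameID:", claims["name_id"])
    for finding in review_claims(claims, "jane.doe@example.com"):
        print("finding:", finding)
```

The review is deliberately limited to the claims this walkthrough configures; it does not validate the signature, audience or timestamps, which Oracle performs on its side. Switching the GroupNames value to ${user.groups}, as the note in the mapping step suggests, makes the last finding disappear for users who are not members of an Administrators group.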
You can learn more about Oracle Cloud VMware Solution, our VMware-based software defined datacenter service, on the VMware Cloud Techzone page or on the Oracle Cloud website. You can also learn more about Workspace ONE Access on our Anywhere Workspace Techzone page.