Configuring Identity Federation

To set up an identity provider in Private Cloud Appliance, ensure that you have its metadata file and that CA certificate requirements have been verified. Add the required group mappings to enable federated user authentication.

Follow the step-by-step instructions in this section to manage identity providers and their group mappings.

Managing Identity Providers

Adding Active Directory as an Identity Provider

  1. Sign in to the Service Web UI.

  2. Open the navigation menu and click Identity Provider.

  3. On the Identity Providers page, click Create Identity Provider.

  4. On the Create an Identity Provider page, provide the following information:

    • Display Name

      The name that the federated users see when choosing which identity provider to use for signing in to the Service Web UI. This name must be unique across all identity providers and cannot be changed.

    • Description

      A friendly description of the identity provider.

    • Authentication Contexts

      Click Add Class Reference and select an authentication context from the list.

      When one or more values are specified, Private Cloud Appliance (the relying party) expects the identity provider to use one of the specified authentication mechanisms when authenticating the user. The SAML response returned by the identity provider must contain an authentication statement with that authentication context class reference. If the authentication context in the SAML response does not match what is specified here, the Private Cloud Appliance authentication service rejects the SAML response with a 400 (Bad Request) status.

    • Encrypt Assertion (Optional)

      When enabled, the authorization service expects encrypted assertions from the identity provider. Only the authorization service can decrypt the assertion. When not enabled, the authorization service expects SAML tokens to be unencrypted but protected in transit by SSL/TLS.

    • Force Authentication (Optional)

      When enabled, users are always asked to authenticate at their identity provider when redirected by the authorization service. When not enabled, users are not asked to re-authenticate if they already have an active login session with the identity provider.

    • Metadata URL

      Enter the URL for the FederationMetadata.xml document from the identity provider.

      By default, the metadata file for ADFS is located at https://<id-provider-name>/FederationMetadata/2007-06/FederationMetadata.xml.

  5. Click Create Identity Provider.

    Your new identity provider is assigned an OCID and is displayed on the Identity Providers page.
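The Authentication Contexts rule above can be illustrated with a small relying-party check. This is an added example, not Private Cloud Appliance code: it parses a constructed, minimal SAML response and returns 200 or 400 depending on whether one of the configured authentication context class references appears in an authentication statement. Signature verification of the response is assumed to have happened beforehand.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 responses and assertions
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: a minimal unsigned, unencrypted SAML response. A real
# response also carries Signature, Subject, Conditions and AttributeStatement
# elements; they are omitted here because only the AuthnStatement matters.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def authn_context_class_refs(response_xml: str) -> list[str]:
    """Return every AuthnContextClassRef found in the response's AuthnStatements."""
    # For XML received from the network, parse with defusedxml instead of the
    # standard library to rule out entity-expansion attacks.
    root = ET.fromstring(response_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [(el.text or "").strip() for el in root.findall(path, NS)]


def check_authn_context(response_xml: str, allowed: set[str]) -> int:
    """Mimic the relying party's decision described above: 200 when the
    response satisfies the configured authentication contexts, 400 otherwise.

    An empty 'allowed' set means no contexts were configured, so any (or no)
    authentication context is accepted.
    """
    if not allowed:
        return 200
    refs = authn_context_class_refs(response_xml)
    # At least one AuthnStatement must carry one of the configured class refs;
    # a response with no AuthnStatement at all therefore also fails.
    return 200 if any(ref in allowed for ref in refs) else 400
```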

After the identity provider is added, you must set up the group mappings between Private Cloud Appliance and Active Directory. See Managing Group Mappings for an Identity Provider.

Updating an Identity Provider

  1. Open the navigation menu and click Identity Providers.

    A list of the identity providers is displayed.

  2. For the identity provider you want to update, click the Actions icon (three dots) and then click Edit.

  3. Change any of the following information. However, be aware that changing this information can affect the federation.

    • Description

    • Authentication Contexts

      Add or delete a class reference.

    • Encrypt Assertion

      Enable or disable encrypted assertions from the identity provider.

    • Force Authentication

      Enable or disable forcing users to re-authenticate at the identity provider when redirected there.

    • Metadata URL

      Enter the URL for a new FederationMetadata.xml document from the identity provider.

  4. Click Update Identity Provider.

Viewing Identity Providers and Configuration Details

The identity provider details page displays general information such as authentication contexts. It also provides the identity provider's settings, which include the redirect URL. From this page, you can also edit the identity provider and manage the group mappings.

  1. Open the navigation menu and click Identity Providers.

    A list of the identity providers is displayed.

  2. For the identity provider whose details you want to view, click the Actions icon (three dots) and then click View Details.

    The identity provider details page is displayed.

Deleting an Identity Provider

If you want to remove the option for federated users to log in to Private Cloud Appliance, you must delete the identity provider, which also deletes all of the associated group mappings.

  1. Open the navigation menu, click Identity and then click Federation.

    A list of the identity providers is displayed.

  2. For the identity provider you want to delete, click the Actions icon (three dots) and then click Delete.

  3. At the Delete Identity Provider prompt, click Confirm.

Managing Group Mappings for an Identity Provider

When working with group mappings, remember the following:

  • A given Active Directory group is mapped to a single Private Cloud Appliance group.

  • Private Cloud Appliance group names must not contain spaces and cannot be changed later. Allowed characters are letters, numerals, hyphens, periods, underscores, and plus signs (+).

  • You cannot update a group mapping, but you can delete the mapping and add a new one.

Important

Before federated users can sign in to the Service Web UI, you must provide them with the Service Web UI URL. Ensure that you have configured all required group mappings; otherwise, a federated user cannot perform any operations in Private Cloud Appliance.

Creating a Group Mapping

Perform the following steps for each identity provider group you want to map:

  1. Open the navigation menu and click IDP Group Mappings.

    A list of the identity provider group mappings is displayed.

  2. Click Create Group Mapping.

    The IDP Group Mapping Form is displayed.

  3. In the Name field, enter a name for the IDP group mapping.

  4. In the IDP Group Name field, enter the exact name of the identity provider group.

  5. From the Admin Group Name list, select the Private Cloud Appliance group you want to map to the identity provider group.

  6. Optionally, enter a Description of the group.

  7. Click Create IDP Group Mapping.

    The new group mapping is displayed in the list.

Updating a Group Mapping

  1. Open the navigation menu and click IDP Group Mappings.

    A list of the identity provider group mappings is displayed.

  2. For the group mapping you want to update, click the Actions icon (three dots) and then click Edit.

    The IDP Group Mapping Form is displayed.

  3. Modify any of the following fields. However, be aware that changing this information can affect the federation.

    • Name

    • IDP Group Name

    • Admin Group Name

    • Description

  4. Click Modify IDP Group Mapping.

    The updated group mapping is displayed in the list.

Deleting a Group Mapping

  1. Open the navigation menu and click IDP Group Mappings.

    A list of the identity provider group mappings is displayed.

  2. For the group mapping you want to delete, click the Actions icon (three dots) and then click Delete.

  3. At the Deleting IDP Group Mapping prompt, click Confirm.