Identity Lifecycle Management Between OCI and Okta

In this tutorial, you configure user life cycle management between Okta and OCI IAM, where Okta acts as the authoritative identity store.

This 30-minute tutorial shows you how to provision users and groups from Okta to OCI IAM.

  1. Create a confidential application in OCI IAM.
  2. Get the identity domain URL and generate a secret token.
  3. Create an app in Okta.
  4. Update Okta's settings.
  5. Test that provisioning works between OCI IAM and Okta.
  6. Optionally, apply two additional configurations to the provisioned users:
    • Set users' federated status so that they're authenticated by the external identity provider.
    • Stop users from receiving notification emails when their account is created or updated.
Note

This tutorial is specific to IAM with Identity Domains.
Before You Begin

To perform this set of tutorials, you must have the following:

You gather the additional information you need from the steps of the tutorial:

  • The OCI IAM domain URL.
  • The OCI IAM client ID and client secret.
1. Create a Confidential Application in OCI

Create a confidential application in OCI IAM and activate it.

  1. Open a supported browser and enter the Console URL:

    https://cloud.oracle.com

  2. Enter your Cloud Account Name, also referred to as your tenancy name, and click Next.
  3. Sign in with your username and password.
  4. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  5. Select the identity domain in which you want to configure Okta provisioning and click Applications.
  6. Click Add application, choose Confidential Application, and click Launch workflow.

    Confidential application

  7. Enter a name for the confidential application, for example OktaClient. Click Next.
  8. Under Client configuration, select Configure this application as a client now.
  9. Under Authorization, select Client Credentials. No other grant type is needed for provisioning.

    Configure application as a client

  10. Scroll to the bottom, and click Add app roles.
  11. Under App roles click Add roles, and in the Add app roles page select User Administrator and click Add. This role lets the client create, update and delete users and groups in the domain, so treat the client secret you generate in the next section as an administrator credential.

    Add app roles

  12. Click Next, then click Finish.
  13. In the application details page click Activate and confirm that you want to activate the new application.
2. Find the OCI IAM GUID and Generate a Secret Token

You need two pieces of information to use as part of the connection settings for the Okta app you create later.

  1. Return to the identity domain overview by clicking the identity domain name in the breadcrumbs. Click Copy next to the Domain URL in Domain information and save the URL somewhere you can edit it.

    The domain information showing where the Domain URL information is.

    The OCI IAM GUID is the first label of the host name in the domain URL:

    https://<IdentityDomainID>.identity.oraclecloud.com:443/fed/v1/idp/sso

    For example: idcs-9ca4f92e3fba2a4f95a4c9772ff3278

  2. In the confidential app in OCI IAM, click OAuth configuration under Resources.
  3. Scroll down to General Information, where the Client ID and Client secret are shown.
  4. Copy the client ID and store it.
  5. Click Show secret, copy the secret, and store it.

    Client ID and client secret

    The secret token is the base64 encoding of <clientID>:<clientsecret>, or
    base64(<clientID>:<clientsecret>)

    These examples show how to generate the secret token on Windows and macOS. In both cases the input must be the plain UTF-8 (ASCII) bytes of the string with nothing appended: a UTF-16 encoding or a trailing newline produces a token that OCI IAM rejects.

    In Windows, open PowerShell and run:
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('<clientID>:<clientsecret>'))
    Do not use [System.Text.Encoding]::Unicode here; it encodes UTF-16 bytes and yields an invalid token.

    In macOS or Linux, use
    echo -n <clientID>:<clientsecret> | base64
    The -n is required; without it the newline that echo adds is encoded too. (GNU base64 on Linux wraps output longer than 76 characters, so add -w 0 there.) The secret token is returned. For example
    echo -n 392357752347523923457437:3454-9853-7843-3554 | base64
    MzkyMzU3NzUyMzQ3NTIzOTIzNDU3NDM3OjM0NTQtOTg1My03ODQzLTM1NTQ=

    Make a note of the secret token value, and protect it as you would the client secret itself: base64 is an encoding, not encryption, and anyone holding the token can act as the User Administrator client.
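The following script is an added example, not code from Oracle or Okta. It builds the secret token the way the commands above do, reports the two mistakes that most often make Okta's Test API Credentials step fail (UTF-16 bytes from PowerShell's Unicode encoding, or an encoded trailing newline), extracts the GUID from a domain URL, and prepares the client-credentials exchange at the OCI IAM token endpoint (/oauth2/v1/token with scope urn:opc:idm:__myscopes__, as OCI IAM documents for confidential apps), which is what Okta has to complete before any SCIM call works. The client ID, client secret and domain URL are the placeholder values from this tutorial; the network call is only made if you uncomment it.

```python
"""Build and sanity-check the Okta API token for OCI IAM, and prepare the
credential test that Okta performs. Added example, not Oracle's or Okta's code.
The credentials and domain URL below are the tutorial's placeholders."""
import base64
import binascii
import json
import urllib.error
import urllib.parse
import urllib.request


def domain_guid(domain_url: str) -> str:
    """Return the OCI IAM GUID (the idcs-... host label) from a domain URL,
    ignoring the port and any path such as /fed/v1/idp/sso."""
    host = urllib.parse.urlsplit(domain_url).hostname or ""
    return host.split(".")[0]


def make_secret_token(client_id: str, client_secret: str) -> str:
    """base64(<clientID>:<clientsecret>) over UTF-8 bytes, with no newline.
    This is the value that goes into Okta's API Token field."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def inspect_secret_token(token: str) -> list[str]:
    """Return the problems found in a pasted token; an empty list means it
    has the shape OCI IAM expects in the Basic authorization header."""
    problems = []
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError) as exc:
        return [f"not valid base64: {exc}"]
    if b"\x00" in raw:
        # PowerShell's [Encoding]::Unicode is UTF-16LE: every ASCII char gains a NUL byte
        problems.append("UTF-16 bytes encoded (PowerShell Unicode); use the UTF8 encoding")
    if raw.endswith((b"\n", b"\r\n")):
        # `echo` without -n, or a file with a final line break, adds a newline
        problems.append("trailing newline encoded; use echo -n or printf '%s'")
    if b":" not in raw:
        problems.append("no ':' between client ID and client secret")
    return problems


def build_credential_test(domain_url: str, secret_token: str) -> urllib.request.Request:
    """The client-credentials exchange at <domain>/oauth2/v1/token, the OCI IAM
    OAuth token endpoint. Okta's Test API Credentials cannot pass unless this
    request succeeds, so it is the quickest command-line check of a token.
    Only the scheme and host of the domain URL are used."""
    parts = urllib.parse.urlsplit(domain_url)
    base = f"{parts.scheme}://{parts.netloc}"
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": "urn:opc:idm:__myscopes__"}
    ).encode("ascii")
    return urllib.request.Request(
        base + "/oauth2/v1/token",
        data=body,
        headers={
            "Authorization": "Basic " + secret_token,
            "Content-Type": "application/x-www-form-urlencoded",
        },
        method="POST",
    )


def run_credential_test(domain_url: str, secret_token: str) -> bool:
    """Send the exchange (needs network access) and report whether OCI IAM
    issued an access token. HTTP 401 means a wrong token or an inactive app."""
    req = build_credential_test(domain_url, secret_token)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return "access_token" in json.load(resp)
    except urllib.error.HTTPError as exc:
        print(f"token endpoint returned HTTP {exc.code}")
        return False


if __name__ == "__main__":
    # Tutorial placeholders; substitute your own values before running the exchange.
    domain = "https://idcs-9ca4f92e3fba2a4f95a4c9772ff3278.identity.oraclecloud.com:443"
    token = make_secret_token("392357752347523923457437", "3454-9853-7843-3554")
    print("GUID:", domain_guid(domain))
    print("API token:", token)
    print("problems:", inspect_secret_token(token) or "none")
    # print("credentials accepted:", run_credential_test(domain, token))
```

If inspect_secret_token reports a problem, regenerate the token rather than editing it: the decoded form must be exactly the client ID, a colon and the client secret.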

3. Create an app in Okta

Create an application in Okta.

  1. In the browser, sign in to Okta using the URL:

    https://<Okta-org>-admin.okta.com

    Where <Okta-org> is your organization's Okta subdomain.

  2. In the menu on the left, click Applications.

    If you already have an application which you created when you went through SSO With OCI and Okta, you can use it. Click to open it, and go to 4. Change Okta Settings.

  3. Click Browse App Catalog and search for Oracle Cloud. Select Oracle Cloud Infrastructure IAM from the options available.
  4. Click Add Integration.
  5. Under General settings, enter a name for the application, for example OCI IAM, and click Done.
4. Change Okta Settings

Connect the Okta app to the OCI IAM confidential app using the domain URL and secret token from an earlier step.

  1. In the newly created application page, click the Sign On tab.
  2. In Settings, click Edit.
  3. Scroll down to Advanced Sign-on Settings.
  4. Enter the domain URL you saved earlier in Oracle Cloud Infrastructure IAM GUID.
  5. Click Save.
  6. Near the top of the page, click the Provisioning tab.
  7. Click Configure API Integration.
  8. Select Enable API Integration.

    Enable API integration

  9. Enter the secret token value you copied earlier in API Token.
  10. Click Test API Credentials.

    If you get an error message, check the values that you have entered and try again.

    When you get a message Oracle Cloud Infrastructure IAM was verified successfully!, Okta has successfully connected to the OCI IAM SCIM endpoint.

  11. Click Save.

The Provisioning to App page opens, where you enable creating users and updating user attributes, and map attributes between Okta and OCI IAM.

5. Test User and Group Provisioning

To test user and group provisioning for Okta:

  1. In the newly created application, choose the Assignments tab.
  2. Click Assign and select Assign to People.
  3. Search for the user to provision from Okta to OCI IAM.

    Click Assign next to the user.

  4. Click Save, and then Go Back.
  5. Now provision Okta groups into OCI IAM. In the Assignments tab, click Assign and select Assign to Groups.
  6. Search for the groups to be provisioned to OCI IAM. Next to the group name, click Assign.
  7. Click Done.
  8. Now sign in to OCI:
    1. Open a supported browser and enter the OCI Console URL:

      https://cloud.oracle.com

    2. Enter your Cloud Account Name, also referred to as your tenancy name, and click Next.
    3. Open the navigation menu and click Identity & Security. Under Identity, click Domains, and select the identity domain in which Okta has been configured.
  9. Click Users.
  10. The user that was assigned to the OCI IAM application in Okta is now listed in OCI IAM.
  11. Click Groups.
  12. The group that was assigned to the OCI IAM application in Okta is now listed in OCI IAM.
6. Additional Configurations for Federated Users
  • You can set users' federated status so that they're authenticated by the external identity provider.
  • You can disable notification emails being sent to the user when their account is created or updated.
a. Setting Users' Federated Status

Federated users don't have credentials to sign in directly to OCI. Instead they're authenticated by the external identity provider. If you want users to use their federated accounts to sign in to OCI, set the federated attribute to true for those users.

To set the user's federated status:

  1. In the browser, sign in to Okta using the URL:

    https://<Okta-org>-admin.okta.com

    Where <Okta-org> is your organization's Okta subdomain.

  2. In the menu on the left, click Applications.
  3. Click the application you created earlier, OCI IAM.
  4. Scroll down to the Attribute Mappings section.
  5. Click Go to Profile Editor.
  6. Under Attributes, click Add Attributes.
  7. In the Add Attribute page:
    • For Data Type, choose Boolean.
    • For Display Name enter isFederatedUser.
    • For Variable Name enter isFederatedUser.
      Note

      The external name is automatically populated with the value of the variable name.
    • For External namespace, enter urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User.
    • Under Scope, check User personal.

    Add attribute page

  8. Navigate back to Okta's Application page and select the OCI IAM application.
  9. Click Provisioning.
  10. Scroll down to Attributes Mapping and click Show Unmapped Attributes.
  11. Locate isFederatedUser attribute and click the edit button next to it.
  12. In the attribute page:
    • For Attribute value choose Expression.
    • In the box below, enter true.
    • For Apply on, choose Create and update.

    Attribute page

  13. Click Save.

    Attribute values showing federation

Now, when the users are provisioned from Okta to OCI, their federated status is set to true. You can see this in the user's profile page in OCI.

  • In the OCI Console, navigate to the identity domain you are using, click Users, and click the user to show the user information.
  • Federated is shown as Yes.

    User information showing that the user is federated

b. Disable Notifications for Account Creation or Updates

The bypass notification flag controls whether an email notification is sent after creating or updating a user account in OCI. If you don't want users to be notified that an account has been created for them, set the bypass notification flag to true.

To set the bypass notification flag:

  1. In the browser, sign in to Okta using the URL:

    https://<Okta-org>-admin.okta.com

    Where <Okta-org> is your organization's Okta subdomain.

  2. In the menu on the left, click Applications.
  3. Click the application you created earlier, OCI IAM.
  4. Scroll down to the Attribute Mappings section and click Go to Profile Editor.
  5. Under Attributes, click Add Attributes.
  6. In the Add Attribute page:
    • For Data Type, choose Boolean.
    • For Display Name enter bypassNotification.
    • For Variable Name enter bypassNotification.
      Note

      The external name is automatically populated with the value of the variable name.
    • For External namespace, enter urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User.
    • Under Scope, check User personal.

    Add Attribute page

  7. Navigate back to Okta's Application page and select the OCI IAM application.
  8. Click Provisioning.
  9. Scroll down to Attributes Mapping and click Show Unmapped Attributes.
  10. Locate bypassNotification attribute and click the edit button next to it.
  11. In the attribute page:
    • For Attribute value choose Expression.
    • In the box below, enter true.
    • For Apply on, choose Create and update.

    Attribute page

  12. Click Save.

    Attribute values showing bypass notification
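The following script is an added example, not code from Oracle or Okta, covering both configurations above (a and b) and the verification in the provisioning test. It shows the SCIM user resource that the two mappings produce on the wire, with isFederatedUser and bypassNotification carried under the urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User namespace entered in the Profile Editor, and it audits a SCIM ListResponse from OCI IAM's /admin/v1/Users endpoint to list every user whose federated flag is not set, which is faster than opening each user's profile page. The ListResponse below is constructed for the example; the attributes query string follows the SCIM 2.0 convention for extension attributes and should be checked against your domain before relying on it.

```python
"""Build the SCIM user that Okta's mappings produce and audit what OCI IAM holds.
Added example, not Oracle's or Okta's code. The schema URNs are the ones used on
this page; SAMPLE_LIST_RESPONSE is constructed, not captured from a real domain."""
import json
import urllib.parse
import urllib.request

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ORACLE_USER_EXT = "urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User"


def scim_user(user_name, given_name, family_name, federated=True, bypass_notification=True):
    """A SCIM 2.0 user resource with the two Oracle extension flags set the way the
    isFederatedUser and bypassNotification mappings (Expression: true, applied on
    Create and update) set them. The extension lives under its own namespace key
    and must also be listed in "schemas"."""
    return {
        "schemas": [CORE_USER, ORACLE_USER_EXT],
        "userName": user_name,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [{"value": user_name, "type": "work", "primary": True}],
        "active": True,
        ORACLE_USER_EXT: {
            "isFederatedUser": federated,
            "bypassNotification": bypass_notification,
        },
    }


def audit_users(list_response):
    """Given a SCIM ListResponse from GET /admin/v1/Users, return the userNames
    whose federated flag is missing or false. Such users can still be given OCI
    credentials and sign in directly instead of through Okta; typically they were
    provisioned before the isFederatedUser mapping was added."""
    not_federated = []
    for res in list_response.get("Resources", []):
        ext = res.get(ORACLE_USER_EXT, {})
        if ext.get("isFederatedUser") is not True:
            not_federated.append(res["userName"])
    return not_federated


def build_users_query(domain_url, access_token):
    """GET /admin/v1/Users, the OCI IAM SCIM endpoint Okta provisions into, asking
    only for the attributes the audit needs. access_token comes from a
    client-credentials exchange with the same confidential app (assumption: the
    fully qualified extension attribute name is accepted in "attributes")."""
    parts = urllib.parse.urlsplit(domain_url)
    query = urllib.parse.urlencode({
        "attributes": f"userName,{ORACLE_USER_EXT}:isFederatedUser",
        "count": "200",
    })
    return urllib.request.Request(
        f"{parts.scheme}://{parts.netloc}/admin/v1/Users?{query}",
        headers={"Authorization": f"Bearer {access_token}", "Accept": "application/scim+json"},
    )


# Constructed sample: alice was provisioned after the mapping was added, bob before it.
SAMPLE_LIST_RESPONSE = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 2,
    "Resources": [
        {"userName": "alice@example.com", ORACLE_USER_EXT: {"isFederatedUser": True}},
        {"userName": "bob@example.com"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(scim_user("alice@example.com", "Alice", "Example"), indent=2))
    print("not federated:", audit_users(SAMPLE_LIST_RESPONSE))
```

To run the audit against a real domain, obtain an access token with the confidential app's client credentials, send the request that build_users_query returns, page through the results with startIndex if totalResults exceeds count, and feed each page to audit_users.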

What's Next

Congratulations! You have successfully set up user lifecycle management between Okta and OCI.

To explore more information about development with Oracle products, check out these sites: