Oracle Cloud Infrastructure SAML Single Sign-On (SSO) integration
This topic contains procedures to configure Oracle Cloud Infrastructure for Single Sign-On (SSO) in CyberArk Identity using SAML.
With CyberArk Identity, you can provide single sign-on (SSO) access to the Oracle Cloud Infrastructure web application using SP-initiated SAML SSO (the user starts the sign-in from the Oracle Cloud Infrastructure web application).
Oracle Cloud Infrastructure SSO supported features
This application template supports the following features:
Prerequisites for Oracle Cloud Infrastructure SSO
Before you configure the Oracle Cloud Infrastructure web interface for SSO, you need the following:
An account in Oracle Cloud Infrastructure with admin access
Configurations on the admin portal
Configure the Oracle Cloud Infrastructure app template in the Identity Administration portal
The following procedure describes the steps in the Identity Administration portal needed to configure the Oracle Cloud Infrastructure app template for SSO.
Step 1: Add the Oracle Cloud Infrastructure web app template.
In the Identity Administration portal, select Apps & Widgets > Web Apps, then click Add Web Apps.
On the Search page, enter the application name in the Search field and click the search button.
Next to the application name, click Add.
On the Add Web App page, click Yes to confirm.
Click Close to exit the Application Catalog.
The application opens to the Settings page.
Step 2: Configure the Settings page.
Set an app name, description, category, and logo if you want to change them.
Step 3: Configure the Trust page.
In the Identity Provider Configuration section, select Metadata, then click Download Metadata File to download the IdP metadata.
This file is used later when you configure the SAML integration in Oracle Cloud Infrastructure.
Step 4: Configure the SAML Response page.
Add the email attribute as shown in the image below.
Step 5: Configure the Permission page.
Select users and groups to assign the application.
Step 6: Review and save.
Review your settings to confirm your configuration. For example, you might want to verify that you selected the appropriate users, groups, or roles on the Permissions page. Click Save when you are satisfied.
Configure Oracle Cloud Infrastructure for SAML single sign-on
The following procedure describes the steps in the Oracle Cloud Infrastructure Admin Portal needed to configure Oracle Cloud Infrastructure for SAML SSO with CyberArk Identity.
Go to the Oracle Cloud Infrastructure website and click Sign in to Oracle Cloud.
Enter your Cloud Account Name and click Next.
Enter your user name and password and click Sign In.
Click the profile icon and select Identity Domain: Default.
Go to Identity Cloud Service > Security > Identity Providers, then click Add IdP. The Add SAML Identity Provider window appears.
Fill in the required details in the Add details tab and click Next.
Enter the name of the IdP.
Enter information about the IdP.
Click Upload to add an icon that represents the IdP. The icon should be 48 x 48 pixels in size and have a transparent background. Supported file formats are png, gif, jpg, jpeg.
Fill in the following details in the Configure IdP tab and click Next.
Import Identity Provider metadata
Select this option to configure SSO for the IdP by importing its metadata.
Click Upload. Select the XML file containing the IdP metadata that you want to import.
Signature Hashing Algorithm
Select the SHA-1 or SHA-256 hash algorithm to use when signing SAML messages sent to the Identity Provider. SHA-256 is the stronger choice; select SHA-1 only if the IdP cannot verify SHA-256 signatures.
Include Signing Certificate
Select this check box to include the Oracle Identity Cloud Service signing certificate with signed SAML messages sent to the IdP.
If you don't want to include a signing certificate with your signed SAML messages, then leave the check box deselected.
Fill in the following details in the Map attributes tab and click Next.
Identity Provider User Attribute
Select the element in the SAML assertion received from the IdP where the unique user identifier can be found.
If you select Name ID, then Oracle Identity Cloud Service matches the user based on the value of the Subject NameID element in the assertion.
If you select SAML Attribute, you must enter the name of an Attribute element in the SAML assertion. The user is matched based on the value of that attribute.
Oracle Identity Cloud Service User Attribute
Select the user identity attribute in Oracle Identity Cloud Service that will match the user identity attribute received in the SAML assertion from the IdP.
Requested NameID Format
Select the NameID format that the Oracle Identity Cloud Service will specify in SAML authentication requests sent to the Identity Provider.
If you don't want to provide a format, then select <None Requested>.
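To make the Map attributes choices concrete, here is an added Python example (not from the CyberArk or Oracle documentation) that shows which value of a SAML assertion Oracle Identity Cloud Service would take as the user identifier under each Identity Provider User Attribute setting, reports the NameID format the IdP actually used (to compare with the Requested NameID Format), and simulates the match against the selected Oracle Identity Cloud Service User Attribute. The assertion, the user store and the exact-match lookup are constructed stand-ins.

```python
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (user, issuer and ID are placeholders, not from
# any real tenant). Signature and Conditions elements are omitted for brevity.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_placeholder-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="username"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed stand-in for the Oracle Identity Cloud Service user store.
SAMPLE_IDCS_USERS = [{"username": "jdoe", "email": "jane.doe@example.com"}, {"username": "bob", "email": "bob@example.com"}]

def idp_user_identifier(assertion_xml, idp_user_attribute, attribute_name=None):
    """Return the value the SP would take as the user identifier for the given
    'Identity Provider User Attribute' selection, or None if it is not present."""
    root = ET.fromstring(assertion_xml)
    if idp_user_attribute == "Name ID":
        node = root.find("saml:Subject/saml:NameID", SAML)
        return node.text.strip() if node is not None and node.text else None
    if idp_user_attribute == "SAML Attribute":
        if not attribute_name:
            raise ValueError("an Attribute element name is required for 'SAML Attribute'")
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML):
            if attr.get("Name") == attribute_name:
                val = attr.find("saml:AttributeValue", SAML)
                return val.text.strip() if val is not None and val.text else None
        return None  # the configured attribute is missing from the assertion
    raise ValueError("idp_user_attribute must be 'Name ID' or 'SAML Attribute'")

def name_id_format(assertion_xml):
    """Format the IdP actually used; compare it with the Requested NameID Format setting."""
    node = ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", SAML)
    return node.get("Format") if node is not None else None

def match_user(identifier, idcs_users, idcs_user_attribute):
    """Simulated lookup on the selected Oracle Identity Cloud Service User Attribute
    (assumed exact comparison here); returns the user only when exactly one matches."""
    hits = [u for u in idcs_users if u.get(idcs_user_attribute) == identifier]
    return hits[0] if len(hits) == 1 else None
```

A typical misconfiguration this makes visible is mapping an email-valued NameID onto the username attribute: the identifier is extracted correctly but the lookup returns no user.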
Fill in the following details in the Export tab to export the Oracle Identity Cloud Service SAML configuration details and click Next.
Service Provider Metadata
Click Download to export metadata for Oracle Identity Cloud Service. Use this XML metadata to configure the Identity Provider service.
Provider ID
URL that uniquely identifies the Oracle Identity Cloud Service identity domain as a SAML provider. (The Provider ID is also known as the Issuer ID or Entity ID.)
Assertion Consumer Service URL
URL of the Oracle Identity Cloud Service SAML service to which the IdP will send SAML assertions.
Logout Service Endpoint URL
The Oracle Identity Cloud Service SAML service URL to which the IdP will send SAML logout requests.
Logout Service Return URL
The Oracle Identity Cloud Service SAML service URL to which the IdP will send SAML logout responses after the Oracle SAML provider has sent it a SAML logout request.
Service Provider Signing Certificate
Click Download to retrieve the signing certificate of the Oracle Identity Cloud Service SAML provider. The IdP uses this certificate to verify SAML requests and responses signed by Oracle Identity Cloud Service.
Service Provider Encryption Certificate
Click Download to retrieve the encryption certificate of the Oracle Identity Cloud Service SAML provider. The IdP can use this certificate to encrypt SAML assertions sent to Oracle Identity Cloud Service.
To get the Oracle Identity Cloud Service root certificate, refer to Obtain the Root CA Certificate from Oracle Identity Cloud Service.
In the Test IdP tab, click Test Login to test the configuration settings for the IdP.
In the Activate pane, click Activate IdP to activate the IdP.
After activating the IdP, go to IdP Policies and select Default Identity Provider Policy.
Click Edit IdP rule and add the Identity Provider you activated in the earlier steps to the Assign Identity providers list.
Click Save changes.
SP Initiated SSO
For SP-initiated SSO, use the tenant-specific console URL, for example: https://console.[region].oraclecloud.com/?tenant=[tenantid]
Select your IdP from the Identity provider drop-down list. You are redirected to the CyberArk Identity IdP.
After you successfully authenticate to the IdP, it redirects you back to the Oracle Cloud Infrastructure web interface.
For additional resources, refer to the following Oracle Cloud Infrastructure integration support documents: