
Faris Durrani


How to set up Identity Federation between Google Cloud and Oracle Cloud

How to set up Identity SAML Federation between Google Cloud Platform (GCP) and Oracle Cloud Infrastructure (OCI)

Setting up identity federation lets users sign in to OCI with their existing Google credentials (the Google Workspace or Cloud Identity accounts behind your GCP organization) instead of a separate OCI username and password. Authentication, MFA and account lifecycle are then enforced in one place: suspend a user in Google and that user can no longer reach OCI through the federated sign-in.

We replicate the steps in Oracle Docs: Task 6: Set Up Identity Federation (Optional), updated for the current console UI. This is an optional follow-on to the How to create an Oracle Autonomous Database@Google Cloud article we wrote.

Prerequisites

  1. An OCI account with permission to administer the identity domain you will federate
  2. A GCP account whose organization is backed by a Google Workspace or Cloud Identity tenant, and admin access to the Google Admin console at https://admin.google.com. Google requires a DNS domain you own (e.g. example.com) to be verified for that tenant before you can manage users and apps there

1. Create groups in GCP Admin Console

While not strictly necessary, this helps confirm that JIT (just-in-time) provisioning works as intended. You can create any groups, but for a proof of concept we recommend at least one group whose name already exists in both OCI and Google ("odbg-db-family-administrators") and one that exists only in Google ("example-group415"), so the difference in how JIT treats them is visible in step 9.

We create the groups in the Google Admin console at https://admin.google.com/u/1/ac/groups. If you came from the Oracle Database@Google Cloud article, these are the groups created for Autonomous Database access in Oracle Docs: Task 5: Set Up Role Based Access Control:

GCP groups

2. Create a new custom SAML app in GCP

Go to https://admin.google.com/u/1/ac/apps/unified and click on Add app > Add custom SAML app.

Add custom SAML app

We added the following app details:

  • App name: OracleCloudFederation
  • Description: Configures identity federation between Google Cloud and Oracle Cloud for Oracle Database@Google Cloud use.

App name

Click CONTINUE.

On the next page, click Download Metadata and leave the page open for now. This file carries Google's entity ID, single sign-on URL and signing certificate, and is imported into OCI in step 3.

Download metadata

3. Add SAML IdP in OCI

Log into your OCI account. Go to ☰ Menu > Identity & Security > Domains > Default (or another domain) > Federation > Actions > Add SAML IdP.

Add SAML IdP

Give the SAML identity provider a name of your choice:

SAML name

Import the downloaded IdP metadata from GCP:

Import IdP metadata

Leave this page open.

4a. Add the OCI service-provider details in GCP

Click Export SAML metadata to get the OCI service-provider (SP) details that Google needs.

OCI SAML metadata

Switch view from Metadata file to Manual export.

Manual export

Go back to the GCP Admin page. Click CONTINUE.

Continue GCP Admin

Copy the OCI values into the matching GCP fields:

  • GCP "ACS URL" ← OCI "Assertion consumer service URL"
  • GCP "Entity ID" ← OCI "Provider ID"

SAML Metadata direction

Leave the Name ID settings at their defaults (Name ID format UNSPECIFIED, Name ID = Basic Information > Primary email). Google then sends the user's primary email address as the NameID, which is the value OCI maps to the user name in step 8.

Click CONTINUE.
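Steps 2 to 4a are a metadata exchange in two directions, and the classic mistake is to feed the wrong file to the wrong side or to paste the ACS URL and entity ID into each other's fields. The script below is an added example, not code from the article, Google or Oracle: it reads the IdP metadata Google Admin produces and the SP metadata OCI exports, pulls out the values each side needs from the other, and flags problems worth catching before the import. Both sample documents are constructed placeholders shaped like the real files; the idpid, the identity domain host and the certificate bytes are invented.

```python
"""Inspect the SAML metadata exchanged between Google (IdP) and OCI (SP)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder "certificate": a real file carries a base64 DER X.509 certificate here.
FAKE_DER = b"constructed-placeholder-not-a-real-certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_DER).decode()

# Constructed, shaped like Google Admin's "Download Metadata" file; the idpid is invented.
SAMPLE_IDP_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=C0EXAMPLE">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=C0EXAMPLE"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=C0EXAMPLE"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed, shaped like OCI's "Export SAML metadata" file; the domain host is invented.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idcs-0123456789abcdef.identity.oraclecloud.com:443/fed">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idcs-0123456789abcdef.identity.oraclecloud.com:443/fed/v1/sp/sso"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _descriptor(xml_text, kind):
    """Return (entityID, role descriptor); refuse metadata that plays the wrong role."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    role = root.find(f"md:{kind}", NS)
    if role is None:
        raise ValueError(f"no {kind}: wrong metadata file for this side of the exchange")
    return root.attrib["entityID"], role


def inspect_idp_metadata(xml_text):
    """Values OCI takes from Google's file, plus checks worth doing before the import."""
    entity_id, idp = _descriptor(xml_text, "IDPSSODescriptor")
    sso = {s.attrib["Binding"].rsplit(":", 1)[-1]: s.attrib["Location"]
           for s in idp.findall("md:SingleSignOnService", NS)}
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.attrib.get("use", "signing") != "signing":  # no 'use' attribute means both roles
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())  # record it: rotation breaks federation
    problems = []
    if not fingerprints:
        problems.append("no signing certificate: OCI could not verify Google's assertions")
    if "HTTP-POST" not in sso and "HTTP-Redirect" not in sso:
        problems.append("no usable SingleSignOnService binding")
    problems += [f"non-HTTPS endpoint: {u}" for u in sso.values() if not u.startswith("https://")]
    return {"entity_id": entity_id, "sso": sso, "signing_sha256": fingerprints, "problems": problems}


def inspect_sp_metadata(xml_text):
    """The two values pasted into Google in step 4a: ACS URL and Entity ID."""
    entity_id, sp = _descriptor(xml_text, "SPSSODescriptor")
    acs = [a for a in sp.findall("md:AssertionConsumerService", NS)
           if a.attrib["Binding"].endswith("HTTP-POST")]
    default = next((a for a in acs if a.attrib.get("isDefault") == "true"), acs[0] if acs else None)
    if default is None:
        raise ValueError("no HTTP-POST AssertionConsumerService in SP metadata")
    return {"acs_url": default.attrib["Location"], "entity_id": entity_id}


if __name__ == "__main__":
    print(inspect_idp_metadata(SAMPLE_IDP_METADATA))
    print(inspect_sp_metadata(SAMPLE_SP_METADATA))
```

Feeding the OCI export to inspect_idp_metadata (or Google's file to inspect_sp_metadata) raises, which is the swap mistake the check is for. The certificate fingerprint is worth keeping with your runbook: OCI pins the signing certificate from this file, so when Google rotates it the IdP metadata has to be re-imported.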

4b. Add attribute mapping in GCP

On the next page, add the following attributes (Google directory field → app attribute name):

  • First name → FirstName
  • Last name → LastName
  • Primary email → PrimaryEmail

Under the Group membership section, add the Google groups whose membership should be passed to OCI, and enter MemberOf as the App attribute. Click FINISH.

Attribute mapping

5. Turn on User access in GCP

In the next page showing the SAML app details, click on User access

Click User access

For this walkthrough, switch the app to ON for everyone and click SAVE. In a production tenant, turn it on only for the organizational units or groups that should reach OCI: once JIT is enabled in step 8, any Google user who can launch this app gets an identity domain user created on first sign-in.

Switch on

6. Finish SAML app creation in OCI

Go back to the OCI page, where GCP's IdP metadata file is already imported. Click Next.

Next

Change Requested Name ID format to Email address. Click Next and Create IdP.

Email ID format

7. Activate and add to IdP policy

Now we want to activate our newly-created IdP app and add it as an option to the login policy. Click the app.

Click app

Click on the Activate IdP button (under Actions or in the banner).

Activate IdP

Next, we need to add the IdP app to the IdP policy. Go back to the Federation page and click on the Default Identity Provider Policy.

Click Default Identity Provider Policy

Under the Identity provider rules, edit the first IdP rule.

Edit rule

Add the newly-created IdP app to the list of Assign identity providers. Click Save changes.

Add app

A federated login now works, but only for a user that already exists in the identity domain, and it carries no group memberships across. Both are what JIT provisioning adds in the next step.

8. Set up JIT

To have a user's Google groups appear in OCI, and to keep that membership in sync on each login, enable Just-in-time (JIT) provisioning so the group membership sent in the SAML assertion is applied in OCI.

Go back to the Federation page and click on the IdP app.

Click app

Click Actions > Configure JIT.

Configure JIT

Enable these settings:

  • Enable Just-In-Time (JIT) provisioning
  • Create a new identity domain user
  • Update the existing identity domain user

Enable settings

Add these Map user attributes info:

IdP user attribute type | IdP user attribute name | Maps to identity domain user attribute
NameID                  | NameID value            | User Name
Attribute               | LastName                | Last name
Attribute               | PrimaryEmail            | Primary Work Email
Attribute               | FirstName               | First name

Map user attributes info

Now, we assign group mappings. Enter the following values:

  • Group membership attribute name: MemberOf
  • Assign implicit group membership: enable
  • When assigning group membership...: Merge with existing group memberships
  • When a group is not found...: Ignore the missing group

Group mappings

Click Update.

9. Verify Federated login

We are done! Now, we need to test the OCI login using GCP credentials.

Log out of OCI as necessary. Log in to your OCI account at https://cloud.oracle.com. You should see your GCP login option here.

GCP Login option

Log in with that button; it should redirect you to your Google sign-in and then back into a signed-in OCI session.

OCI login

ℹ Troubleshoot: if the login fails, go back to the OCI JIT settings. The attribute names there (FirstName, LastName, PrimaryEmail, MemberOf) must match the app attribute names entered in Google exactly, and NameID must be mapped to User Name.

We'll log out and log back in as the OCI admin so we can see all the groups and users added.

Here, we can see my GCP user added to the OCI list of users.

New user

And I can see that the new user is a member of the "odbg-db-family-administrators" group, which that user is in GCP. Note that while the user is also in the GCP group "example-group415", this group did not carry over, because it was never created in OCI. JIT assigns membership only in groups that already exist in the identity domain; with "Ignore the missing group" selected, names that have no OCI counterpart are silently dropped rather than failing the login.

Groups
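To make the step 8 rules and the step 9 result concrete, here is an added example, not OCI or Google code, that parses a constructed SAML assertion shaped like the one Google issues after the step 4b mapping, checks the fields the JIT configuration depends on (the troubleshooting items above), and applies the group-mapping choices from step 8. The user, the idpid and the existing OCI groups are placeholders; the attribute and group names are the ones used in this article. The "merge" and "ignore missing" switches model the two JIT options chosen above, with their opposites included so the difference is visible.

```python
"""Dry-run of OCI JIT provisioning against a Google SAML assertion."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("FirstName", "LastName", "PrimaryEmail")  # mapped to OCI user fields in step 8

# Constructed assertion (Signature, Conditions and AuthnStatement omitted). The user and
# idpid are placeholders; the attribute and group names are the ones used in the article.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://accounts.google.com/o/saml2?idpid=C0EXAMPLE</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="PrimaryEmail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="MemberOf">
      <saml:AttributeValue>odbg-db-family-administrators</saml:AttributeValue>
      <saml:AttributeValue>example-group415</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Extract the NameID (value and Format) and the attribute statement as {name: [values]}."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.attrib["Name"]] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {
        "name_id": (name_id.text or "") if name_id is not None else "",
        "name_id_format": name_id.attrib.get("Format", "") if name_id is not None else "",
        "attributes": attrs,
    }


def check_jit_inputs(parsed, group_attr="MemberOf"):
    """Reasons a JIT login would fail or silently lose data; an empty list means OK."""
    problems = []
    if not parsed["name_id"]:
        problems.append("empty NameID: nothing to map to User Name")
    if parsed["name_id_format"] != EMAIL_FORMAT:
        problems.append(f"NameID format {parsed['name_id_format']!r} is not the Email address "
                        "format requested in step 6")
    for name in REQUIRED_ATTRS:  # attribute names are matched exactly, so a typo shows up here
        if not (parsed["attributes"].get(name) or [""])[0]:
            problems.append(f"attribute {name} missing or empty")
    if group_attr not in parsed["attributes"]:
        problems.append(f"no {group_attr} attribute: the user will get no group memberships")
    return problems


def resolve_groups(idp_groups, oci_groups, current_groups, merge=True, ignore_missing=True):
    """Apply the step 8 group-mapping choices; returns (final memberships, dropped names)."""
    matched = [g for g in idp_groups if g in oci_groups]
    missing = [g for g in idp_groups if g not in oci_groups]
    if missing and not ignore_missing:  # the alternative to "Ignore the missing group"
        raise LookupError(f"groups not present in the identity domain: {missing}")
    final = set(matched) | set(current_groups) if merge else set(matched)
    return sorted(final), missing


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print("problems:", check_jit_inputs(parsed))
    # Only the first group exists in OCI, as in the step 9 result above.
    print(resolve_groups(parsed["attributes"]["MemberOf"],
                         {"odbg-db-family-administrators", "Administrators"}, []))
```

Run as-is, the dry run reports no problems and returns the membership seen in step 9: "odbg-db-family-administrators" assigned, "example-group415" dropped. Renaming an attribute in the constructed assertion (say, PrimaryEmail to Email) reproduces the mismatch the troubleshooting note describes.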

You now have successfully created an identity federation from GCP to OCI.

References

  1. Oracle Docs: Task 6: Set Up Identity Federation (Optional)

Safe harbor statement

The information provided on this channel/article/story is solely intended for informational purposes and cannot be used as a part of any contractual agreement. The content does not guarantee the delivery of any material, code, or functionality, and should not be the sole basis for making purchasing decisions. The postings on this site are my own and do not necessarily reflect the views or work of Oracle or Mythics, LLC.

This work is licensed under a Creative Commons Attribution 4.0 International License.
