Federating OCI Identity Domains with Google Workspace

June 3, 2024 | 5 minute read
Ramesh Balajepalli
Master Cloud Architect

Many organizations have central identity management solutions and prefer to use them for authenticating users for all applications. Oracle Cloud Infrastructure (OCI) supports open federation standards, including Security Assertion Markup Language (SAML) 2.0 to make it easier for systems and service providers to interact. 

In this blog post, I will guide you through the process of federating Google Workspace with OCI.

Setting Up a Custom SAML App in Google Admin Console

To begin, follow these steps to add a custom SAML app in the Google Admin Console:

  1. In the Google Admin Console, go to Menu -> Apps -> SAML Apps and click "Add custom SAML app".

    Add custom SAML app

  2. In the Basic information for your custom app, enter a name for your app (e.g., "OCI Identity Domain"), optionally upload an icon, and click Continue.
  3. On the Google Identity Provider details page, download the setup information needed by the service provider (OCI Identity Domain) using one of these options:
    1. Download the IDP metadata.
    2. Copy the SSO URL and Entity ID and download the Certificate. 

      Google Identity Provider details


  4. Before proceeding with the next steps, complete the configuration of the SAML Identity Provider in OCI (see the Configuring SAML Identity Provider in OCI section below); that configuration provides the values you need in the next step.
  5. In the Service Provider Details window, enter the ACS (Assertion Consumer Service) URL and Entity ID provided by OCI and click Continue.

    Service Provider Details



  6. Click Add mapping to map user attributes according to the service provider's (OCI) requirements, then click Finish.

    Add mapping


Configuring SAML Identity Provider in OCI

  1. In the OCI Console, navigate to Identity -> Domains -> [Your Domain] -> Security -> Identity Providers and click "Create Identity Provider".

    Create Identity Provider

  2. Under "Add Details", provide a Name for the Identity Provider and optionally add a Description and Logo. Click "Next".
  3. Select the option to import IdP metadata and upload the XML file downloaded in Step 3.a from the Google Admin Console. Click "Next".

    Import IdP metadata

  4. In the "Map user identity" section, map a user attribute value received from the Identity Provider to the corresponding attribute value of the user in the Oracle Identity Domain.

    Map user identity


Now that you've configured the SAML Identity Provider in OCI, you can proceed with configuring the custom SAML app in the Google Admin Console as described earlier.
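Before the Entity ID, SSO URL and certificate from the Google metadata go into the OCI identity-provider form (or get compared against what OCI shows after the import), it is worth pulling them out of the downloaded XML and sanity-checking them: that the metadata carries a signing certificate, that the SSO endpoints use HTTPS, and that the document's validUntil has not passed, since an expired metadata file usually means a rotated IdP certificate is about to break logins. The script below is an added example for this post, not Oracle's or Google's own code. The metadata document inside it is constructed to mirror the shape of Google Workspace IdP metadata; the idpid, URLs and certificate body are placeholders, and the function names `parse_idp_metadata` and `cert_fingerprint` are my own choices. It uses only the Python standard library.

```python
"""Extract what an SP (here, an OCI identity domain) needs from SAML 2.0 IdP
metadata and run a few sanity checks before the values go into the console.

Added example for this post, not Oracle's or Google's own code. The metadata
below is CONSTRUCTED to mirror the shape of Google Workspace IdP metadata; the
idpid, URLs and certificate blob are placeholders, not real values.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Placeholder certificate body: base64 of the bytes "abc". A real download
# carries a base64 DER X.509 certificate here; the fingerprint logic is the same.
FAKE_CERT_B64 = "YWJj"

SAMPLE_METADATA = f"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="{NS['md']}"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLE-IDPID"
    validUntil="2029-01-01T00:00:00.000Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}">
        <ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{BINDING_REDIRECT}"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE-IDPID"/>
    <md:SingleSignOnService Binding="{BINDING_POST}"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE-IDPID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Same constructed document with a validUntil in the past, to exercise the expiry check.
EXPIRED_METADATA = SAMPLE_METADATA.replace("2029-01-01", "2020-01-01")


def cert_fingerprint(b64_cert: str) -> str:
    """SHA-256 over the DER bytes: the form most consoles show for comparison."""
    der = base64.b64decode("".join(b64_cert.split()))  # metadata often wraps the base64
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text: str, now: Optional[datetime] = None) -> dict:
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    # Signing certificates: the SP pins these to validate assertion signatures.
    # A KeyDescriptor without 'use' covers both signing and encryption.
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            fingerprints.append(cert_fingerprint(cert.text or ""))
    if not fingerprints:
        raise ValueError("no signing certificate in metadata")

    # SSO endpoints keyed by binding; the SP needs at least Redirect or POST.
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    warnings = []
    if not (BINDING_REDIRECT in sso or BINDING_POST in sso):
        warnings.append("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    for binding, location in sso.items():
        if not (location or "").startswith("https://"):
            warnings.append(f"SSO endpoint for {binding} is not https")

    # Expired metadata usually means the IdP certificate has been rotated.
    valid_until = root.get("validUntil")
    if valid_until:
        expires = datetime.fromisoformat(valid_until.replace("Z", "+00:00"))
        if expires <= (now or datetime.now(timezone.utc)):
            warnings.append(f"metadata validUntil {valid_until} has passed")

    return {
        "entity_id": root.get("entityID"),
        "sso": sso,
        "name_id_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)],
        "signing_cert_sha256": fingerprints,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_METADATA), ("expired", EXPIRED_METADATA)):
        info = parse_idp_metadata(doc)
        print(name, info["entity_id"], info["sso"].get(BINDING_POST))
        print("  signing cert sha256:", info["signing_cert_sha256"])
        print("  warnings:", info["warnings"])
```

To use it on a real download, read the file into a string and pass it to `parse_idp_metadata`; the entity ID and SSO URL are what the "Copy the SSO URL and Entity ID" option would have given you, and the SHA-256 fingerprint lets you confirm that the certificate OCI shows after the import is the one Google published.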

User Synchronization

User synchronization after SAML federation is essential to ensure that user identities and attributes are consistent across all systems, enhancing security and maintaining up-to-date access controls. It helps prevent discrepancies between identity providers and service providers, ensuring seamless and secure access to resources.

To synchronize users from the Google IdP into OCI, you have two options:

Option 1 – Authoritative Sync (Recommended)

Option 2 – Using JIT (Just-in-Time) Provisioning


Enabling and Testing the Custom SAML App

After configuring the custom SAML app, you will need to enable it and test the configuration.

  1. In the Google Admin Console, navigate to Menu -> Apps -> SAML Apps and click on the custom app you just added.
  2. Click "User access" -> "On for everyone" or "Off for everyone", then click "Save".
  3. To verify that SSO is working, click "Test SAML login"; your app should open in a separate tab.

Note: If Just-In-Time (JIT) provisioning or Authoritative sync has not been configured, you will need to manually create a user in OCI IAM to test the SAML login. You can follow the steps outlined in this document to create the user.

Test SAML Login


Conclusion

Federating Google Workspace with OCI Identity Domains using SAML 2.0 provides a secure and seamless way to authenticate users against third-party applications. By following the steps outlined in this blog post, you can easily set up and configure the integration between Google Workspace and OCI, enabling your organization to leverage its existing identity management solution for authentication.

Ramesh Balajepalli

Master Cloud Architect

Ramesh Balajepalli is a Cloud Architect at OCI. He works with customers to design secured, scalable, and well-architected solutions on Oracle Cloud Infrastructure. He is passionate about solving complex business problems with the ever-growing capabilities of technology.

