Oracle Cloud Simplifies Identity Management with Enhanced Okta Support

We are enhancing our federation support by enabling users who are federated with Okta to directly access the Oracle Cloud Infrastructure SDK and CLI.

Federation enables you to use identity management software - often an existing identity management solution that is integrated with your corporate directory - to manage users and groups while giving them access to the Oracle Cloud Infrastructure Console, CLI, and SDK. If you're an Okta user, that means you can use the same set of credentials in the Oracle Cloud Infrastructure web console as well as in long-running, unattended CLI or SDK scripts. Users who are members of the Okta groups that you select are synchronized from Okta to Oracle Cloud Infrastructure. You control which Okta users have access to Oracle Cloud Infrastructure, and you can consolidate all user management in Okta. To use this new feature, follow the setup process described in the documentation.

Following is an example cost-management scenario that is greatly simplified by this feature. Suppose that you want to use the SDK to run a Python script that finds and terminates compute instances that don't have the CostCenter cost tracking tag. Instead of creating a local Oracle Cloud Infrastructure user, you can set up a user in Okta to run this script. You would follow these steps to enable this scenario:

Step 1: Set up or upgrade your Okta federation to provision users

If you do not have an existing federation with Okta, follow the instructions in the white paper, Oracle Cloud Infrastructure Okta Configuration for Federation and Provisioning. This paper includes instructions for both setting up your federation and provisioning with SCIM.

If you have an existing federation with Okta with group mappings that you want to maintain, you can add SCIM provisioning via the instructions in our documentation.

Step 2: Set up the user in Okta and associate that user with the correct groups

Managing all your users from your identity provider is a more scalable, manageable, and secure way to handle user identities. Be sure to follow the principle of least privilege by creating an Okta user and associating that user with only the Okta groups that they need to do their job.

Step 3: Set up the Oracle Cloud Infrastructure group

Create a local Oracle Cloud Infrastructure group that will be used for the task and ensure that it has a policy that enables just the access control needed for the task. Consider setting up a group specifically for the type of administrator that you want (for example, compute instances administrator). For a detailed explanation of best practices in setting up granular groups and access policies, see the Oracle Cloud Infrastructure Security white paper. You can also create the group when you map it (next step).

Step 4: Map the Okta group to the Oracle Cloud Infrastructure group

Follow the instructions on adding groups and users for tenancies federated with Okta, and ensure that you map the correct group from Okta to the equivalent group in Oracle Cloud Infrastructure. You will know that you succeeded if you see users created in your tenancy from Okta (there is a filter that allows you to see only federated users).  

Step 5: Set up the user with an API key

Now that the Okta user exists as a provisioned user in Oracle Cloud Infrastructure, you must create an API key pair and upload it to the user. Each user should have their own key pair. For details, see the SDK setup instructions.

Step 6: Check the user's capabilities 

As a final check, ensure that the user has the capability to use API keys. You can also restrict the user's capabilities so that they can use only API keys (for the SDK and CLI) and not the web console.

Now you've set up the Okta user to use the SDK and run scripts with the access granted to the Oracle Cloud Infrastructure user.
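The cost-management script from the scenario above, written as an added example (not code from the original post or from Oracle). It assumes the CostCenter cost-tracking tag is a defined tag in an unknown namespace (so any namespace is accepted), that the Okta-provisioned user's API key is in ~/.oci/config, and that the mapped group's policy and the compartment name are placeholders; the selection logic is separated from the SDK calls so it can be checked without OCI access, and it defaults to a dry run.

```python
"""Find (and optionally terminate) compute instances lacking the CostCenter tag.

Assumptions not stated on the page: the CostCenter tag may live in any defined-tag
namespace; the mapped OCI group has a policy along the lines of
    Allow group ComputeInstanceAdmins to manage instance-family in compartment Dev
(group and compartment names are placeholders).
"""
from dataclasses import dataclass, field

REQUIRED_TAG = "CostCenter"                     # tag key from the page's scenario
SKIP_STATES = {"TERMINATING", "TERMINATED"}     # already gone; never act on these again


@dataclass
class Instance:
    """Minimal stand-in for the oci.core.models.Instance fields the logic needs."""
    id: str
    display_name: str
    lifecycle_state: str
    defined_tags: dict = field(default_factory=dict)   # {namespace: {key: value}}


def has_cost_center(inst):
    """True if any defined-tag namespace carries a non-empty CostCenter value."""
    return any(tags.get(REQUIRED_TAG) for tags in inst.defined_tags.values())


def select_untagged(instances):
    """IDs of instances that lack the tag, skipping ones already terminating/terminated."""
    return [i.id for i in instances
            if i.lifecycle_state not in SKIP_STATES and not has_cost_center(i)]


def terminate_untagged(compartment_id, dry_run=True):
    """SDK path: list instances in the compartment and terminate the untagged ones.
    oci is imported lazily so the selection logic above runs without the package."""
    import oci                                  # pip install oci
    config = oci.config.from_file()             # API key of the okta/<username> user
    compute = oci.core.ComputeClient(config)
    instances = oci.pagination.list_call_get_all_results(
        compute.list_instances, compartment_id).data
    targets = select_untagged(instances)
    for instance_id in targets:
        if dry_run:
            print(f"would terminate {instance_id}")
        else:
            compute.terminate_instance(instance_id, preserve_boot_volume=True)
    return targets
```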

Tips

  • You know that the user is federated if the user name is prefixed with the name that you gave the identity provider. For example, if you called the Okta federation okta, your user would be okta/username. There is also a feature that lets you filter the list of local users by which federation provider they came from.
  • Only users assigned to mapped groups are replicated. If you see some users but not the Okta user that you want, then that user doesn't belong to a group that has been mapped from Okta to Oracle Cloud Infrastructure.
  • If no users are being replicated, verify that you've followed the setup procedure and mapping between the groups. If that doesn’t work, visit My Oracle Support to open a support ticket.
  • To use the SDK or CLI, the client that runs the CLI or SDK must have the matching private key material stored on the client machine. Secure the client machine appropriately to prevent inappropriate access.

Conclusion

This feature streamlines how Okta users can be used with Oracle Cloud Infrastructure and especially the CLI and SDK. Stay tuned for future feature announcements regarding federation.  
