Until now, Oracle Cloud Infrastructure (OCI) users could authenticate with their credentials to Identity and Access Management (IAM) and then transparently access many OCI services, including the control plane for Oracle Database instances. However, they had to use a separate database-native authentication mechanism such as username/password or certificates to log in to the database itself. As one can imagine, this was inconvenient to users and administrators who had to manage each database user account separately within each database.
We are excited to announce the integration of Oracle Autonomous Database – Shared (ADB-S) with OCI IAM. This integration will improve the ADB-S user experience in three ways. First, administrators can now manage all their ADB-S users centrally, without making changes to each database individually when users join, change roles, or leave an organization. Second, database users can log in using their single IAM database credential instead of remembering and using a different password for each database. Finally, tools or applications that accept OCI IAM tokens can now use single sign-on (SSO) to connect the end-user to the database. We’ll now describe each of these cases and show how the IAM to ADB-S integration brings greater operational efficiencies, streamlines the user experience, and improves security.
In many organizations, multiple users have similar roles and responsibilities across many databases, and ensuring that they all receive the same authorization in every database is cumbersome and error-prone. A few years back, we introduced centrally managed users (CMU) with Active Directory to address this. We are now introducing the same capability for database users on OCI through integration with IAM: the mapping of IAM identities to database schemas, and the authorization those identities receive, are managed centrally in IAM. A database schema can be mapped either to a single IAM user (an exclusive schema) or to all members of an IAM group (a shared schema). Database users in the same IAM group receive the same access rights, which greatly simplifies the DBA's job when many users have identical responsibilities. Beyond authorization, IAM also centrally manages user lockout and termination: disabling or removing the IAM user ends that user's access to every mapped database at once, with no per-database cleanup.
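The following SQL is an added example (it is not code from the original post or from Oracle) showing what the central mapping described above looks like from the database side: enabling IAM as the identity provider, a shared schema mapped to an IAM group, an exclusive schema mapped to one IAM user, and global roles that are granted by IAM group membership rather than per database user. The `DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION` call and the `IDENTIFIED GLOBALLY AS 'IAM_GROUP_NAME=...'` / `'IAM_PRINCIPAL_NAME=...'` syntax are taken from the ADB-S and 19c documentation; verify them against the current docs before use. The schema names `sales_app` and `alice_w`, the IAM group names, the IAM user `alice@example.com`, and the table `sales.orders` are hypothetical.

```sql
-- Added example, not from the original post. Schema, role, group and
-- table names are hypothetical placeholders.

-- 1. As ADMIN, switch the database's external authentication to OCI IAM.
--    (DBMS_CLOUD_ADMIN.DISABLE_EXTERNAL_AUTHENTICATION reverts this.)
BEGIN
  DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION(type => 'OCI_IAM');
END;
/

-- Confirm the switch took effect before creating any mappings.
SELECT property_value
  FROM database_properties
 WHERE property_name = 'IDENTITY_PROVIDER_TYPE';   -- expect OCI_IAM

-- 2. Shared schema: every member of the IAM group logs in as SALES_APP.
--    Grant the schema itself nothing beyond CREATE SESSION; the actual
--    authorization comes from the global roles in step 4, so that the
--    schema carries no privileges a group member was not meant to have.
CREATE USER sales_app IDENTIFIED GLOBALLY AS 'IAM_GROUP_NAME=SalesApp-DB-Users';
GRANT CREATE SESSION TO sales_app;

-- 3. Exclusive schema: exactly one IAM user owns ALICE_W.
CREATE USER alice_w IDENTIFIED GLOBALLY AS 'IAM_PRINCIPAL_NAME=alice@example.com';
GRANT CREATE SESSION TO alice_w;

-- 4. Global roles: membership in the IAM group is what grants the role.
--    Moving a user between IAM groups changes what they can do in every
--    database that carries these mappings, with no per-database GRANT or
--    REVOKE. Global roles cannot be granted directly to a database user.
CREATE ROLE sales_reader IDENTIFIED GLOBALLY AS 'IAM_GROUP_NAME=Sales-Readers';
GRANT SELECT ON sales.orders TO sales_reader;

CREATE ROLE sales_writer IDENTIFIED GLOBALLY AS 'IAM_GROUP_NAME=Sales-Writers';
GRANT INSERT, UPDATE ON sales.orders TO sales_writer;

-- 5. After an IAM user connects, check that the session mapped as intended.
--    SESSION_USER is the schema; AUTHENTICATED_IDENTITY carries the IAM
--    principal, so audit records still name the real person even when the
--    schema is shared. AUTHENTICATION_METHOD distinguishes the IAM
--    password login from the IAM token login.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')           AS schema_name,
       SYS_CONTEXT('USERENV', 'AUTHENTICATED_IDENTITY') AS iam_principal,
       SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD')  AS auth_method
  FROM dual;
```

The check in step 5 is worth running once per mapping: a shared schema that was accidentally granted object privileges directly (rather than through a global role) gives every group member those privileges regardless of their IAM group, which is exactly the per-database drift the central mapping is meant to remove.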
Users can now authenticate to all of their ADB-S databases with a single, centrally managed username and password. Once an ADB-S database is configured for IAM integration, users log in with their IAM username and the new IAM database password attribute, a password set on the IAM user specifically for database logins. No special configuration or patches are required on the database client, and any client that currently works with the database continues to function normally.
We now also support IAM-native token-based authentication for the database. Once a user has authenticated to a participating application with an IAM token, the application can request an IAM database token on the user's behalf and pass it to the database, giving the user a single sign-on (SSO) experience. This is especially useful when the application must securely propagate the end-user identity to the database for compliance or security reasons, so that audit records and access decisions in the database refer to the actual person rather than a shared application account. Participating applications and tools need the updated 19c JDBC driver or Oracle Instant Client and pass the database token through the database client API.
Tools and legacy applications that cannot request a token themselves can use the OCI Command Line Interface (OCI CLI) to obtain the database token for the user. For example, an IAM user can request a database token with the OCI CLI and then connect to ADB-S with SQL*Plus, which passes the token to the database through the database client.
Read more about IAM integration in the Database Security Guide for 19c. To learn about this feature, a dedicated video playlist is now available on YouTube. Anything else you might need can be found in the ADB-S documentation.
This integration is the first step towards fully integrating database users with OCI Identity and Access Management. Continue to keep an eye on the Oracle Cloud Security blog for more announcements.
Alan Williams is the Product Manager responsible for authentication and authorization technologies in the Oracle Database group. Prior to joining the Oracle Database Security team, he was involved in government and military projects involving high-security architecture, design and processes along with ITIL implementation. Alan is a 30-year veteran of the IT industry, holds certifications in ITIL v3 Foundation and DOD Architecture Foundation, and is a United States Air Force veteran. He earned his Bachelor's degree from the Massachusetts Institute of Technology and a Master of Business Administration from Rensselaer Polytechnic Institute.