Set up single sign-on between multiple Oracle Cloud Infrastructure tenancies
Date: 21/10/2021 Categories: OracleCloud

Oracle Identity Cloud service (IDCS) provides an innovative, fully integrated service that delivers all the core Identity and Access Management (IAM) capabilities through a multitenant cloud platform. Identity Cloud service manages user access and entitlements across a wide range of cloud and on-premises applications and services using a cloud native identity-as-a-service (IDaaS) platform. Organizations can enable a zero-trust strategy and establish user identity as a new security perimeter.

Configuring single sign-on between multiple tenancies using Oracle Identity Cloud service

In my example, we have one parent tenancy that holds all user accounts, and those users can log in to any child Oracle Cloud Infrastructure (OCI) tenancy.

1. Create user accounts in the parent tenancy. In the Console under Identity & Security, click Users.

A screenshot of the Create IDCS User screen in the Console.

2. Open Oracle IDCS and create a confidential application. The confidential application provides the link between the parent and child tenancies.

A screenshot of the Add Confidential Application screen in IDCS.

Click Confidential Application and select “Configure this application as a client now.” Click the check box for client credentials.

A screenshot of the Client bubble showing Authorization for adding a confidential application.

Click Next and then Next and Finish.

A screenshot of the Authorization bubble in the flow of creating a confidential application.

Copy the client ID and client secret and close the window. To activate this application, click Activate at the top of the screen.

  • Client ID: <xxxxxxxxxxxxxxxxxxxxxxxxx>
  • Client Secret: <xxxxxxxxxxxxxxxxxxxxxx>

3. Create the group that will have access to the child tenancy.

A screenshot of the Add Group window showing the Group Details.

Add the users to this group and click Finish.

A screenshot of the group details page with a banner showing successful addition of the user.

Select the application created earlier (SSO_ODPCloudCETeam). Under the Groups tab, click Assign, add the idcs-sso-grp group, and click OK.

A screenshot of the Applications screen with the Assign button highlighted.

4. Log in to the OCI child tenancy Console with an admin account. To add the new identity provider, select Identity & Security, click the Add Identity Provider button, and select the correct group. Map the OCI groups to the groups in the IDCS environment.

A screenshot of the Add Identity Provider window with the details filled in.

5. Test time! Log in to the child tenancy (in our example, wordprocomputerconsultan) and select the new identity provider. Log in with the credentials from the parent tenancy.

A screenshot of the single sign-on (SSO) screen with the credentials from the parent tenancy filled in.

Finally, we can log in to the child tenancy (wordprocomputerconsultan) using the parent tenancy IDCS users.

A screenshot of the OCI Console with the Profile menu open and the tenancy outlined in red.
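As an added check that is not part of the original post, the following Python verifies in the child tenancy what step 4 set up: an active IDCS identity provider exists, the idcs-sso-grp group from the parent tenancy is mapped to an OCI group, and no IDCS group is mapped onto the child's default Administrators group. The check itself runs on plain records; the live fetch assumes the OCI Python SDK and a ~/.oci/config profile for the child tenancy, and the OCIDs and the group name sso-users are placeholders.

```python
# Added example, not from the original post: verify the federation that step 4
# configures in the child tenancy. check_federation() runs on plain dict records;
# fetch_live() pulls the same records with the OCI Python SDK (assumes the SDK
# is installed and ~/.oci/config points at the child tenancy). OCIDs are placeholders.

# Constructed sample records, shaped like the SDK's IdentityProvider,
# IdpGroupMapping and Group models; the IDCS group name comes from the post.
SAMPLE_IDPS = [{"id": "ocid1.saml2idp.oc1..IDP_PLACEHOLDER", "name": "parent-idcs",
                "protocol": "SAML2", "product_type": "IDCS", "lifecycle_state": "ACTIVE"}]
SAMPLE_MAPPINGS = [{"idp_group_name": "idcs-sso-grp", "lifecycle_state": "ACTIVE",
                    "group_id": "ocid1.group.oc1..GRP_PLACEHOLDER"}]
SAMPLE_GROUPS = {"ocid1.group.oc1..GRP_PLACEHOLDER": "sso-users",
                 "ocid1.group.oc1..ADMIN_PLACEHOLDER": "Administrators"}


def check_federation(idps, mappings, groups, idp_group="idcs-sso-grp",
                     admin_group="Administrators"):
    """Return a list of findings; empty means the expected setup is in place.

    groups maps OCI group OCID -> name. A mapping onto the child's Administrators
    group is flagged: every member of that parent-tenancy IDCS group would then
    hold full admin rights in the child tenancy.
    """
    findings = []
    active = [p for p in idps if p["protocol"] == "SAML2"
              and p["product_type"] == "IDCS" and p["lifecycle_state"] == "ACTIVE"]
    if not active:
        return ["no ACTIVE SAML2 identity provider of type IDCS in the child tenancy"]
    live = [m for m in mappings if m["lifecycle_state"] == "ACTIVE"]
    if not any(m["idp_group_name"] == idp_group for m in live):
        findings.append(f"IDCS group {idp_group!r} has no active mapping to an OCI group")
    for m in live:
        if groups.get(m["group_id"]) == admin_group:
            findings.append(f"IDCS group {m['idp_group_name']!r} maps to {admin_group!r}")
    return findings


def fetch_live(profile="DEFAULT"):
    """Load the records from the child tenancy (first page only) with the OCI SDK."""
    import oci  # only needed for the live run, not for check_federation()
    cfg = oci.config.from_file(profile_name=profile)
    iam, tenancy = oci.identity.IdentityClient(cfg), cfg["tenancy"]
    idps = [{"id": p.id, "name": p.name, "protocol": p.protocol,
             "product_type": p.product_type, "lifecycle_state": p.lifecycle_state}
            for p in iam.list_identity_providers("SAML2", tenancy).data]
    mappings = [{"idp_group_name": m.idp_group_name, "group_id": m.group_id,
                 "lifecycle_state": m.lifecycle_state}
                for p in idps for m in iam.list_idp_group_mappings(p["id"]).data]
    groups = {g.id: g.name for g in iam.list_groups(tenancy).data}
    return idps, mappings, groups
```

Run `check_federation(*fetch_live())` against the child tenancy after step 4; an empty list means the mapping from step 4 is in place and not over-privileged.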