Oracle Cloud SAML Integration Guide

Prerequisites

  • Administrator access to an Oracle Cloud account (Identity Domain Administrator or Security Administrator role)
  • A SplitSecure Identity Provider created and approved
  • An Oracle Cloud tenancy with access to Identity Domains
  • A separate browser or browser profile with SplitSecure configured (for testing)

Oracle Cloud Configuration

1 Navigate to Identity Providers

  1. Log in to the Oracle Cloud console at https://cloud.oracle.com/
  2. Open the navigation menu and select Identity & Security
  3. Under Identity, select Domains
  4. Select the identity domain you want to configure (e.g., Default)
  5. Click Federation

2 Add a SAML Identity Provider

  1. Under Identity providers, click Actions
  2. Select Add SAML IdP

Add Details

  1. Enter a name (e.g., SplitSecure SAML IdP), a description (optional), and a logo
  2. Click Next

Exchange Metadata

  1. Select Import IdP metadata
  2. Upload your IdP metadata file (found in SplitSecure at Secure Accounts → SAML2 Identity Providers → [Your IdP] → Details → Download Metadata)
  3. Click Next

Map User Identity

  1. For Requested Name ID format select Unspecified
  2. For Map user attribute:
    • Identity provider user attribute: SAML assertion Name ID
    • Identity domain user attribute: Username
  3. Click Next

Review and Create

  1. Click Create IdP

SplitSecure Configuration

1 Get Oracle Cloud Details

  1. Click on your newly created IdP
  2. At the top right, click Action and select Export SAML metadata
  3. Click Metadata File → Download XML

2 Configure SplitSecure with Oracle Cloud Details

  1. In SplitSecure, navigate to Secure Accounts → Create Account
  2. Select Oracle Cloud
  3. Enter a name for the account (e.g., Oracle Cloud Secure Account)
  4. Select your Identity Provider
  5. Upload the Oracle Cloud metadata XML file downloaded in the previous step
  6. Click Create Account

3 Test the Connection

  1. In the OCI console, click on your IdP
  2. At the top right, click Action and select Test Login

Complete Oracle Cloud Configuration

1 Activate the Identity Provider

  1. Go to Federation → Identity Providers
  2. Click on your SplitSecure IdP
  3. At the top right, click Action and select Activate IdP

2 Assign IdP to Policy (Required)

  1. Go to Federation → IdP policies
  2. Select Default Identity Provider Policy (or create a new one)
  3. Click Edit IdP rule
  4. Under Assign identity providers, add your SplitSecure IdP
  5. Click Save changes

Configure MFA Bypass for Federated Users (Optional)

Only do this if SplitSecure enforces a second factor itself: with this rule at Priority 1, OCI stops prompting for an additional factor for any session authenticated through the SplitSecure IdP, so the strength of the login then rests entirely on the IdP. Without the rule, users who have already authenticated with SplitSecure are prompted a second time by OCI MFA.

1 Create Sign-On Rule

  1. Go to Domain policies → Sign-On policies
  2. Select Security Policy for OCI Console
  3. Click Sign-on rules
  4. Click Add Sign-on rule
  5. Configure the rule:
    • Rule name: SplitSecure IdP no MFA
    • Authenticating identity provider: Select your SplitSecure IdP
    • Actions: Leave “Prompt for additional factor” unchecked
  6. Click Add
  7. Click Edit priority and move this rule to Priority 1

User Access Configuration

Option A: Just-In-Time (JIT) Provisioning (Recommended)

Users are automatically created in Oracle Cloud on first login.

  1. Go to Federation → Identity Providers
  2. Click on your SplitSecure IdP
  3. At the top right, click Action and select Configure JIT
  4. Select Enable Just-In-Time (JIT) provisioning
  5. Select Create a new identity domain user
  6. Optionally select Update the existing identity domain user, so that attribute changes made in SplitSecure are applied to existing OCI users on their next login

Map user attributes:

IdP user attribute type | IdP user attribute value | Maps to identity domain user attribute
NameID                  | NameID value             | User Name
Attribute               | LastName                 | Last name
Attribute               | Email                    | Primary Work Email
Attribute               | FirstName                | First Name

  1. To associate a user with a group from the IdP’s side, configure group mappings as needed
  2. Click Update
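When JIT provisioning fails, the usual cause is that the assertion SplitSecure sends does not carry what the mapping above expects. The following script is an added example, not code from SplitSecure's or Oracle's documentation: it parses a SAML Response with the Python standard library and checks that the NameID is present and in the Unspecified format chosen in Map User Identity, and that the FirstName, LastName and Email attributes from the JIT table are present, returning the values as OCI would map them. The embedded response is a constructed, unsigned sample with placeholder values (idp.example.test, user alice); a real response must have its signature verified before anything in it is trusted, and an encrypted assertion must be decrypted before this check can see it. Pass a captured response file as the first argument to check a real one.

```python
"""Check a SAML Response against the OCI JIT attribute mapping above.

Added example; not code from SplitSecure or Oracle.  Standard library only.
The embedded response is a constructed, unsigned sample: verify the
signature of a real response before trusting any value in it.
Usage: python check_jit_assertion.py [response.xml]
"""
import sys
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# IdP attribute name -> OCI identity-domain attribute, as in the JIT table above.
# NameID is handled separately: OCI maps it to User Name.
JIT_MAPPING = {
    "FirstName": "First Name",
    "LastName": "Last name",
    "Email": "Primary Work Email",
}

# Constructed sample; hostnames, IDs and user values are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_response1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/saml2/metadata</saml:Issuer>
  <saml:Assertion ID="_assertion1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/saml2/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def check_assertion(response_xml: str) -> dict:
    """Return {'mapped': {OCI attribute: value}, 'problems': [...]}; no problems means OK."""
    root = ET.fromstring(response_xml)
    problems = []
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion in Response (an EncryptedAssertion must be decrypted first)")
        return {"mapped": {}, "problems": problems}

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    username = (name_id.text or "").strip() if name_id is not None else ""
    if not username:
        problems.append("NameID missing or empty: OCI maps it to User Name")
    else:
        # An absent Format attribute means 'unspecified' per the SAML core spec.
        fmt = name_id.get("Format", UNSPECIFIED)
        if fmt != UNSPECIFIED:
            problems.append(f"NameID Format is {fmt}, but OCI was configured for Unspecified")

    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = next((v for v in values if v), None)

    mapped = {"User Name": username or None}
    for idp_name, oci_name in JIT_MAPPING.items():
        value = attrs.get(idp_name)
        if value is None:
            problems.append(f"attribute {idp_name!r} missing: JIT expects it for {oci_name!r}")
        mapped[oci_name] = value
    return {"mapped": mapped, "problems": problems}


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_RESPONSE
    result = check_assertion(text)
    for oci_attr, value in result["mapped"].items():
        print(f"{oci_attr}: {value}")
    for problem in result["problems"]:
        print(f"PROBLEM: {problem}")
    sys.exit(1 if result["problems"] else 0)
```

Attribute names are compared exactly, so an IdP sending "mail" or "givenName" where OCI expects "Email" or "FirstName" is reported as missing; fix the name on the SplitSecure side or adjust the mapping in Configure JIT rather than relying on OCI to guess.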

Option B: Pre-Provisioned Users

Users must exist in Oracle Cloud before they can log in.

  1. Go to Users management in your identity domain
  2. Click Create user
  3. Enter user details matching their SplitSecure identity:
    • User name must match the SAML NameID (OCI maps NameID to Username in the Map User Identity step above)
    • Email should match the Email attribute sent by SplitSecure
  4. Assign users to appropriate groups

Test Authentication

1 SP-Initiated SSO (User starts at Oracle Cloud)

  1. Navigate to: https://cloud.oracle.com/
  2. Enter your tenancy name and click Next
  3. Select your identity domain
  4. Click on SplitSecure (your IdP name) on the login page
  5. Authenticate with SplitSecure
  6. You should be redirected back to Oracle Cloud, logged in

2 IdP-Initiated SSO (User starts at SplitSecure)

  1. Navigate to Secure Accounts
  2. On your Oracle Cloud secure account click authenticate
  3. Fill out the form
  4. Click Request Access

3 CLI Authentication (Token-Based SSO)

  1. In a terminal, run:
     oci session authenticate
  2. Select your region
  3. A browser window opens automatically
  4. Select your identity domain and click SplitSecure to authenticate
  5. Complete authentication in SplitSecure
  6. Return to the terminal; you'll see a confirmation message. Later CLI commands use this session by passing --auth security_token together with the profile name chosen during authentication

Troubleshooting

Issue                       | Possible cause                          | Solution
“User not authorized”       | User doesn't exist and JIT is disabled  | Enable JIT provisioning or pre-create the user
SAML assertion error        | Attribute mapping mismatch              | Verify the NameID format and attribute mappings match between SplitSecure and OCI
Certificate error           | Expired or incorrect certificate        | Re-download the metadata from SplitSecure and re-import it in OCI
IdP not shown on login      | IdP not assigned to policy              | Add the IdP to the Default Identity Provider Policy
Still prompted for OCI MFA  | Sign-on policy not configured           | Create a sign-on rule for federated users with MFA disabled (Priority 1)
Redirect loop               | Multiple IdP policies conflicting       | Review and simplify the IdP policy rules

External Resources