
Saturday, 31 January 2026

SAML in OCI

First, set the roles clearly (very important)

  • Nizam → Apple employee

  • Azure AD (or on-prem AD + ADFS/Okta) → Identity Provider (IdP)

  • OCI Identity Domain → Service Provider (SP)

  • OCI Console → What Nizam wants to access

👉 OCI does NOT authenticate users directly in this setup.
👉 OCI trusts Apple’s Identity system via SAML.


Why SAML is needed (big picture)

Enterprises never want separate passwords for each cloud.

So:

  • User identity = Enterprise control (AD / Azure AD / Okta)

  • Cloud access = Federated using SAML

  • Result = Single Sign-On (SSO)

That’s why you wrote correctly:

99% of customers map cloud authentication to on-prem AD / Okta.


Now the STEP-BY-STEP FLOW (mapped to your numbers)


🔹 STEP 1: Nizam tries to access OCI Console

📌 (Your arrow #1)

👉 At this point:

  • OCI sees: This domain uses SAML

  • OCI knows: I am NOT responsible for password validation


🔹 STEP 2: OCI redirects Nizam to Apple Identity Provider

📌 (Your arrow #2)

OCI sends a SAML Authentication Request to Azure AD.

This request says:

“Hey Azure AD, someone named nizam@apple.com wants to log in. Please authenticate him and tell me who he is.”

🔁 Browser is redirected to:

  • Azure AD login page (or ADFS / Okta)

👉 OCI console is now waiting


🔹 STEP 3: Azure AD validates Nizam (real authentication)

📌 (Inside Apple on-prem / Azure AD box)

Now real security checks happen:

  • Password verification

  • MFA (OTP / Authenticator / SMS)

  • Conditional access

  • Device trust

  • Location rules

If ❌ fails → OCI never sees Nizam
If ✅ success → Azure AD proceeds


🔹 STEP 4: Azure AD sends SAML Response back to OCI

📌 (Your arrow #3)

Azure AD creates a SAML Assertion (signed XML).

It contains:

  • ✔ User identity: nizam@apple.com

  • ✔ Group membership (e.g. OCI-Admins)

  • ✔ Tenant / domain info

  • ✔ Timestamp & signature

This message says:

“OCI, I confirm Nizam is authenticated. Here are his attributes and groups. You can trust this.”

👉 Browser auto-posts this back to OCI.


🔹 STEP 5: OCI validates trust (critical step)

OCI does NOT blindly accept the response.

OCI checks:

  • Signature is valid?

  • Certificate matches Azure AD?

  • Assertion not expired?

  • User exists in OCI Identity Domain?

  • Group mapping exists?

If ❌ → Access denied
If ✅ → Login allowed


🔹 STEP 6: OCI maps Nizam to OCI Groups & Policies

Example mapping:

Azure AD Group   →  OCI Group
----------------------------------
OCI-Admins       →  OCI_Admins
OCI-ReadOnly     →  OCI_ReadOnly

OCI Policies:

Allow group OCI_Admins to manage all-resources in tenancy

👉 This defines what Nizam can do, not Azure AD.
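Added example (not from the original post or from Oracle): a Python sketch of the SP-side checks from STEP 5 and the group mapping from STEP 6, run over a constructed assertion. The issuer URL, SP entity ID, group names and function names are assumptions, and XML signature verification is assumed to have been done beforehand by an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample assertion: invented issuer, SP entity ID and group names.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Version="2.0" ID="_example" IssueInstant="2026-01-31T10:00:00Z">
  <saml:Issuer>https://sts.windows.net/example-tenant/</saml:Issuer>
  <saml:Subject><saml:NameID>nizam@apple.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2026-01-31T09:59:00Z" NotOnOrAfter="2026-01-31T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://idcs-example.identity.oraclecloud.com/fed</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="groups">
    <saml:AttributeValue>OCI-Admins</saml:AttributeValue>
    <saml:AttributeValue>Finance-Users</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""
# Step 6 mapping (IdP group -> OCI group); unmapped IdP groups grant nothing.
GROUP_MAP = {"OCI-Admins": "OCI_Admins", "OCI-ReadOnly": "OCI_ReadOnly"}
def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, expected_issuer, sp_entity_id, known_users, now, skew_s=120):
    """Step 5 checks, run only AFTER the XML-DSig signature was verified with a
    proper library (e.g. signxml). Returns (accepted, reason, oci_groups)."""
    root = ET.fromstring(xml_text)
    skew, now_ts = timedelta(seconds=skew_s), _ts(now)
    # Assertion must come from the IdP this identity domain is federated with.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        return False, f"unexpected issuer {issuer!r}", []
    # Assertion must be inside its validity window (small clock skew allowed).
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions", []
    if now_ts < _ts(cond.get("NotBefore")) - skew or now_ts >= _ts(cond.get("NotOnOrAfter")) + skew:
        return False, "assertion outside validity window", []
    # Assertion must be addressed to this SP, not one issued for another SP.
    if sp_entity_id not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        return False, "assertion not addressed to this SP", []
    # Federated user must already exist in the OCI identity domain.
    user = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if user not in known_users:
        return False, f"user {user!r} not in identity domain", []
    # At least one IdP group must map to an OCI group (authorization stays in OCI).
    path = "saml:AttributeStatement/saml:Attribute[@Name='groups']/saml:AttributeValue"
    oci_groups = [GROUP_MAP[v.text] for v in root.findall(path, NS) if v.text in GROUP_MAP]
    if not oci_groups:
        return False, "no IdP group maps to an OCI group", []
    return True, "ok", oci_groups
```

Unmapped groups such as Finance-Users are simply dropped, which is the point of STEP 6: Azure AD says who Nizam is, but only the OCI group mapping and IAM policies decide what he can do.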


🔹 STEP 7: Nizam gets OCI Console access 🎉

  • OCI session is created

  • Token/cookie issued

  • OCI Console loads

Now Nizam can, according to OCI IAM policies:

  • View compartments

  • Manage compute, DB, network


Important clarification (common confusion)

❌ Nizam does NOT log in to OCI directly
❌ OCI does NOT store his password

✔ OCI outsources authentication
✔ OCI keeps authorization


One-line summary (interview perfect answer)

OCI acts as a Service Provider, Azure AD acts as an Identity Provider, and SAML is used to federate authentication so that enterprise users can securely access OCI using their corporate credentials without managing passwords in OCI.

