Oracle Cloud
Configure Oracle Cloud Infrastructure SAML
Prerequisites
- Administrator access to an Oracle Cloud account (Identity Domain Administrator or Security Administrator role)
- A SplitSecure Identity Provider created and approved
- An Oracle Cloud tenancy with access to Identity Domains
- A separate browser or browser profile with SplitSecure configured (for testing)
Oracle Cloud Configuration
Navigate to Identity Providers
- Log in to the Oracle Cloud console at https://cloud.oracle.com/
- Open the navigation menu and select Identity & Security
- Under Identity, select Domains
- Select the identity domain you want to configure (e.g., Default)
- Click Federation
Add a SAML Identity Provider
- Under Identity providers find and click on Actions
- Select Add SAML IdP
Add Details
- Add a name (e.g., SplitSecure SAML IdP), a description (optional) and a logo
- Click Next
Exchange Metadata
- Select Import IdP metadata
- Upload your IdP metadata file (found in SplitSecure at Secure Accounts → SAML2 Identity Providers → [Your IdP] → Details → Download Metadata)
- Click Next
Map User Identity
For Requested Name ID format select Unspecified
For Map user attribute:
- Identity provider user attribute: SAML assertion Name ID
- Identity domain user attribute: Username
Click Next
Review and Create
- Click Create IdP
SplitSecure Configuration
Get Oracle Cloud Details
- Click on your newly created IdP
- At the top right, click Action and select Export SAML metadata
- Click Metadata File → Download XML
Configure SplitSecure with Oracle Cloud Details
- In SplitSecure, navigate to Secure Accounts → Create Account
- Select Oracle Cloud
- Enter a name for the account (e.g.,
Oracle Cloud Secure Account) - Select your Identity Provider
- Upload the Oracle Cloud metadata XML file downloaded in the previous step
- Click Create Account
Test the Connection
- On OCI click on your IdP
- At the top right, click Action and select Test Login
Complete Oracle Cloud Configuration
Activate the Identity Provider
- Go to Federation → Identity Providers
- Click on your SplitSecure IdP
- At the top right, click Action and select Activate IdP
Assign IdP to Policy (Required)
- Go to Federation → IdP policies
- Select Default Identity Provider Policy (or create a new one)
- Click Edit IdP rule
- Under Assign identity providers, add your SplitSecure IdP
- Click Save changes
Configure MFA Bypass for Federated Users (Optional)
Create Sign-On Rule
Go to Domain policies → Sign-On policies
Select Security Policy for OCI Console
Click Sign-on rules
Click Add Sign-on rule
Configure the rule:
- Rule name: SplitSecure IdP no MFA
- Authenticating identity provider: Select your SplitSecure IdP
- Actions: Leave “Prompt for additional factor” unchecked
Click Add
Click Edit priority and move this rule to Priority 1
User Access Configuration
Option A: Just-In-Time (JIT) Provisioning (Recommended)
Users are automatically created in Oracle Cloud on first login.
Go to Federation → Identity Providers
Click on your SplitSecure IdP
At the top right, click Action and select Configure JIT
Click Enable Just-In-Time (JIT) provisioning
Click Create a new identity domain user
Click Update the existing identity domain user (optional)
Map user attributes:
IdP user attribute type IdP user attribute value Maps to Identity domain user attribute NameID NameID value User Name Attribute LastName Last name Attribute Email Primary Work Email Attribute FirstName First Name To associate a user with a group from the IdP’s side, configure group mappings as needed
Click Update
Option B: Pre-Provisioned Users
Users must exist in Oracle Cloud before they can log in.
Go to Users management in your identity domain
Click Create user
Enter user details matching their SplitSecure identity:
- Email must match the SAML NameID or mapped attribute
Assign users to appropriate groups
Test Authentication
Use a separate browser or browser profile with SplitSecure configured to test without affecting your current session.
SP-Initiated SSO (User starts at Oracle Cloud)
- Navigate to:
https://cloud.oracle.com/ - Enter your tenancy name and click Next
- Select your identity domain
- Click on SplitSecure (your IdP name) on the login page
- Authenticate with SplitSecure
- You should be redirected back to Oracle Cloud, logged in
IdP-Initiated SSO (User starts at SplitSecure)
- Navigate to Secure Accounts
- On your Oracle Cloud secure account click authenticate
- Fill out the form
- Click Request Access
CLI Authentication (Token-Based SSO)
In a terminal:
oci session authenticateSelect your region
A browser window will open automatically
Select your identity domain and click SplitSecure to authenticate
Complete authentication in SplitSecure
Return to the terminal - you’ll see a confirmation message
Troubleshooting
| Issue | Possible Cause | Solution |
|---|---|---|
| “User not authorized” | User doesn’t exist and JIT is disabled | Enable JIT provisioning or pre-create the user |
| SAML assertion error | Attribute mapping mismatch | Verify NameID format and attribute mappings match between SplitSecure and OCI |
| Certificate error | Expired or incorrect certificate | Re-download metadata from SplitSecure |
| IdP not shown on login | IdP not assigned to policy | Add IdP to the Default Identity Provider Policy |
| Still prompted for OCI MFA | Sign-on policy not configured | Create a sign-on rule for federated users with MFA disabled (Priority 1) |
| Redirect loop | Multiple IdP policies conflicting | Review and simplify IdP policy rules |
External Resources
- Identity Domains Documentation Identity domains overview
- Managing SAML Identity Providers SAML IdP configuration
- IAM MFA Best Practices MFA security recommendations
- Configuring Sign-On Policies Sign-on policy management
Last updated: