Tagged Oracle Identity Cloud Service

Oracle Kubernetes (OKE): Deploying a Custom Node.js Web Application Integrated with Identity Cloud Service for Unique Single Sign On (SSO) User Experience


In this post we are deploying a custom Node.js web application in Oracle Kubernetes Engine (OKE).

What we want to show is how to configure the custom web application in order to have a unique Single Sing On experience.

First part

Follow this tutorial here explaining how to enable SSO to the web app running locally

Second part

Now we are making small changes to deploy on kubernetes

Create a Dockerfile in the nodejs folder of the cloned project with the following:
FROM oraclelinux:7-slim
WORKDIR /app
ADD . /app
RUN curl --silent --location https://rpm.nodesource.com/setup_11.x | bash -
RUN yum -y install nodejs npm --skip-broken
EXPOSE 3000
CMD ["npm","start"]
Create K8s deployment file as follows:
apiVersion: v1
kind: Service
metadata:
name: idcsnodeapp
spec:
type: LoadBalancer
selector:
app: idcsnodeapp
ports:
- name: client
protocol: TCP
port: 3000
Deploy to k8s:
kubectl apply -f service.yaml
Grab the url of the new external load-balancer service created in k8s and modify the file auth.js with the appropriate values in your cloud environment
var ids = {
oracle: {
"ClientId": "client id of the IdCS app",
"ClientSecret": "client secret of the IdCS app",
"ClientTenant": "tenant id (idcs-xxxxxxxxxxxx)",
"IDCSHost": "https://tenantid.identity.oraclecloud.com",
"AudienceServiceUrl" : "https://tenantid.identity.oraclecloud.com",
"TokenIssuer": "https://identity.oraclecloud.com/",
"scope": "urn:opc:idm:t.user.me openid",
"logoutSufix": "/oauth2/v1/userlogout",
"redirectURL": "http://k8sloadbalancerip:3000/callback",
"LogLevel":"warn",
"ConsoleLog":"True"
}
};
Build the container and push to a repo you have write access to, such as:
docker build -t javiermugueta/idcsnodeapp .
docker push javiermugueta/idcsnodeapp
Modify the IdCS application with the public IP of the k8s load-balancer service
a
Create k8s deployment file as follows:
apiVersion: apps/v1
kind: Deployment
metadata:
name: idcsnodeapp
labels:
app: idcsnodeapp
spec:
replicas: 1
selector:
matchLabels:
app: idcsnodeapp
strategy:
type: Recreate
template:
metadata:
labels:
app: idcsnodeapp
spec:
containers:
- image: javiermugueta/idcsnodeapp
name: idcsnodeapp
ports:
- containerPort: 3000
name: idcsnodeapp


Deploy to k8s
kubectl apply -f  deployment.yaml
Test the app and verify SSO is working:

This slideshow requires JavaScript.

Hope it helps! 🙂

 

How to Secure User Access to Internet-Faced Cloud Solutions


internet screen security protection
Photo by Pixabay on Pexels.com

Suppose you are in charge for the security of a bank (CISO, CSO,…) that wants to control the access of users to the new ERP in the cloud that you are implementing.

There is a very simple and safe way to control which users access the environment.
Simply configure the Single Sign On of the cloud solution side so that the Service Provider is the ERP, and the Identity Provider is your on-premises identity management infrastructure.

How does it work?

When a user requests the url of the ERP, a login form hosted on the corporate servers appears, requesting the credentials. Since this form is deployed on-premises, only users connected to the corporate network (directly or via VPN) can access it.

fedsso
Oracle Identity Cloud is always provisioned when you buy clod services and allows you to configure, among other things, the following:

  • federate users between the cloud and LDAP on premises without the need to store the password in the cloud
  • configure the SSO provided by the on-premises access system
  • configure several authentication factors (MFA) for administrators
  • define network perimeters (ranges of IP’s that can access the cloud)
  • define Risk Providers and Adaptative Security, which are mechanisms to evaluate the risk in user access actions
  • define Sign On policies, which are rules that apply in different way depending on the user roles (the more powered user the more strong rules to apply)
  • out of the box reports with login attempts and application access

In addition to the out of the box features that IDCS (Identity Cloud Service) mentioned above, Oracle provides CASB (Cloud Access Security Broker)

Enjoy 😉

Oracle IdCS Tips Part I: Create Users Programatically in Node.js for Oracle Cloud Services with the REST API in less than a Basketball Quarter Length


Oracle Cloud provides Identity Cloud Services (IdCS) as the identity provider (and more) for all the cloud services offered in the stack.

STEP ONE

Ask your identity administrator to create a trusted application in IdCS with the settings as shown in the following screenshots:

This slideshow requires JavaScript.

STEP TWO

Ask your IdCS administrator for the ClientID and secret values for the previously created application.

idcs4

STEP THREE

Test the following code changing the values in bold with your specific values:

// jmu, april 2018

var express = require('express');
var app = express();
var https = require('https');
var fs = require('fs');
// this data comes from your IdCS administrator
const client_id = "43tgh656uhdh67ur67ruth"
const secret = "4erte-b04e-49b3-be06-534gdfg"
const idcsHost = 'idcs-45a9gsdg7876eac2935dcbd62.identity.oraclecloud.com'
// the user you want to create
var userName = "alextorrijo";
var userMail = "alextorrijo@acme.com";;
var familyName = "torrijo";
var givenName = "alex"
//
var userJSONData = {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"userName": userName,
"name": {
"familyName": familyName,
"givenName": givenName
},
"emails": [{
"value": userMail,
"type": "work",
"primary": true
}]
};
var userData = JSON.stringify(userJSONData);
const tokenData = "grant_type=client_credentials&scope=urn:opc:idm:__myscopes__";
var token = ""
var credentials = Buffer.from(client_id + ":" + secret).toString('base64');
var token_options = {
host: idcsHost,
port: 443,
path: '/oauth2/v1/token',
method: 'POST',
headers: {
"Content-Type": "application/x-www-form-urlencoded",
"Authorization": "Basic "+ credentials,
"Accept": "application/json, text/plain, */*"
}
};
app.get('/', function (req, res) {
res.send('Hi!<br>/createUser is your choice!');
});
app.get('/createUser', function (req, res) {
var x = https.request(token_options,function(res){
res.on('data',function(data){
token = JSON.parse(data).access_token;
fs.appendFile('logfile.log', token + '\r\n', function(err){;});
var create_user_options = {
host: idcsHost,
port: 443,
path: '/admin/v1/Users',
method: 'POST',
headers: {
"Content-Type": "application/scim+json",
"Authorization": "Bearer "+ token,
"Accept": "application/json, text/plain, */*"
}
};
var y = https.request(create_user_options,function(res){
res.on('data',function(data){
fs.appendFile('logfile.log', data + '\r\n', function(err){;});
});
});
y.write(userData);
y.end();
});
});
x.write(tokenData);
x.end();
res.send('Usuario creado, mira <a href="https://idcs-sdfgwrgsfsdfgsdfg.identity.oraclecloud.com/ui/v1/adminconsole?root=users" target="_blank"> aqui </a>');
});
app.listen(3456, function () {
console.log('Example app listening on port 3456!');
});
Run the file:
node idcscreateuser.js

Open a browser:

http://localhost:3456

Execute the createUser method:

http://localhost:3456/createUser

FINALY

Verify the user was created successfully.
idcs5

MORE INFO

Enjoy -)

Oracle Identity Cloud Service: “You cannot bookmark and access the /signin URL directly”


This message happens because you are requesting the sigin page directly while it is supposed that this page comes up as a challenge when you request s resource protected by IdCS in wich you are not logged in yet.

Solution: Request a resource protected by IdCS such as an application or this url <youridentitydomainurl>/ui/v1/myconsole. If you don’t have an application already registered and have administrative privileges try with <youridentitydomainurl>/ui/v1/ adminconsole

Enjoy 😉