What I'd like to do
I want to log in to Oracle Cloud with my Google Workspace account. Since curiosource uses Google Workspace as its unified ID infrastructure, we wanted to be able to log in to the console of OCI, which we use as our infrastructure, with that same account.
Setup
Register a SAML application in Google Workspace and upload its metadata to the OCI side. First, obtain the metadata for the SAML integration from the Google Workspace admin console.
Once the metadata has been downloaded, move to the OCI Console. Open Federation and upload the metadata you just downloaded.
Once the federation is registered, download the Oracle metadata. At first glance it looks like a generic document, but the parameters differ for each tenant.
The important parts of the metadata are the entityID and the urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST part.
These are set from the Google Workspace console.
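Rather than picking the entityID and the HTTP-POST endpoint out of the downloaded Oracle metadata by eye, the two values can be extracted mechanically and checked before they are typed into the Google Workspace SAML app. The following Python is an added example, not code from the original post or from Oracle or Google; the metadata document, entityID and URLs in it are constructed placeholders, not a real tenant's values.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample SP (service provider) metadata, shaped like the document a
# cloud console exports after a federation is registered. All values are placeholders.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.com/saml/artifact"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_sp_settings(xml_text: str) -> dict:
    """Return the entityID and HTTP-POST ACS URL the IdP side (Google) needs."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata has no entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        # An IdP export has IDPSSODescriptor instead; refuse it early so the
        # wrong file is not pasted into the SAML app.
        raise ValueError("no SPSSODescriptor: this looks like IdP metadata, not SP metadata")
    post_acs = [acs for acs in sp.findall("md:AssertionConsumerService", NS)
                if acs.get("Binding") == POST_BINDING]
    if not post_acs:
        raise ValueError("no AssertionConsumerService with the HTTP-POST binding")
    # Prefer the endpoint flagged isDefault, otherwise the first POST endpoint listed.
    chosen = next((a for a in post_acs if a.get("isDefault") == "true"), post_acs[0])
    acs_url = chosen.get("Location", "")
    if not acs_url.startswith("https://"):
        raise ValueError(f"ACS URL is not https: {acs_url!r}")
    return {
        "entity_id": entity_id,
        "acs_url": acs_url,
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
    }


if __name__ == "__main__":
    print(extract_sp_settings(SAMPLE_SP_METADATA))
```

Run it against the real downloaded file by passing its contents instead of SAMPLE_SP_METADATA; the two returned values are the Entity ID and ACS URL fields of the Google SAML app.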
Once this is set up, users can log in to the console, but they have no privileges yet, so next we configure things so that privileges can be granted.
In this case, we set up the users of the management organization to have Admin authority in the organizational hierarchy of Google Workspace.
Setup in the Oracle Console. The group linkage from the Google side arrives in the form of a path, so enter the following information. This time, we granted the authority to users in the Admin organization.
Next, set the following on the Google side.
Google Directory attribute: OrganizationUnitPath
Application attribute (common): https://auth.oraclecloud.com/saml/claims/groupName
With the setup up to this point, a user who belongs to the Admin organization on the Google side can also operate as an Administrator user on the Oracle side.