OCI Identity Federation for AI Platform User Authentication
To set up OCI Identity Federation for AI Platform user authentication, you configure the required identity resources in your OCI tenancy. Pulumi lets you define that infrastructure in a familiar programming language; this example uses Python.
We first set up an identity provider (IdP) so that external users can authenticate with federated credentials. We then define an authentication policy, provision an IAM user, and create an auth token on that user for programmatic access to OCI services.
Here's a detailed Pulumi program in Python to accomplish this:
```python
import pulumi
import pulumi_oci as oci

# Replace "MY_COMPARTMENT_ID" with your tenancy OCID. IAM resources (identity
# providers, the authentication policy, users) are created in the tenancy's
# root compartment, so this must be the tenancy OCID, not a sub-compartment.
compartment_id = "MY_COMPARTMENT_ID"

# Define an OCI Identity Provider for federated single sign-on.
# The metadata argument takes the SAML 2.0 metadata XML published by the
# external IdP (entity ID, SSO endpoint, signing certificate).
identity_provider = oci.identity.IdentityProvider(
    "myIdentityProvider",
    compartment_id=compartment_id,
    name="my-identity-provider",
    description="My Identity Provider for federated SSO",
    product_type="IDCS",  # external IdP is Oracle Identity Cloud Service; the other supported value is ADFS
    protocol="SAML2",     # federation protocol
    metadata="""PASTE_IDP_METADATA_XML_CONTENT_HERE""",
    freeform_tags={"Environment": "Production"},
)

# Tenancy-wide authentication policy: password complexity for local IAM users
# and, optionally, the network sources from which sign-in is allowed.
authentication_policy = oci.identity.AuthenticationPolicy(
    "myAuthenticationPolicy",
    compartment_id=compartment_id,
    network_policy=oci.identity.AuthenticationPolicyNetworkPolicyArgs(
        # Replace with the OCIDs of existing oci.identity.NetworkSource
        # resources, or drop network_policy if you do not restrict by network.
        network_source_ids=["network-source-id"],
    ),
    password_policy=oci.identity.AuthenticationPolicyPasswordPolicyArgs(
        minimum_password_length=12,
        is_numeric_characters_required=True,
        is_special_characters_required=True,
        is_username_containment_allowed=False,
        is_lowercase_characters_required=True,
        is_uppercase_characters_required=True,
    ),
)

# Provision a local IAM user. Federated users are not created as
# oci.identity.User resources; they are mapped from IdP groups to OCI groups
# (oci.identity.IdpGroupMapping). This local user exists to hold the auth token.
user = oci.identity.User(
    "myUser",
    compartment_id=compartment_id,
    name="my-federated-user",
    description="User representing a federated identity",
    freeform_tags={"Federation": "True"},
)

# Create an auth token (a long-lived bearer credential) for the user.
auth_token = oci.identity.AuthToken(
    "myAuthToken",
    user_id=user.id,
    description="Auth token for federated user",
)

# Export identifiers that the application needs.
pulumi.export("identity_provider_id", identity_provider.id)
pulumi.export("user_id", user.id)
# The token is a credential: mark it secret so Pulumi encrypts it in the
# state file and masks it in `pulumi up` and `pulumi stack output`.
pulumi.export("auth_token", pulumi.Output.secret(auth_token.token))
```
In the program above, we first create an IdentityProvider to set up federation with an external identity source. The metadata argument is the SAML 2.0 metadata XML published by your IdP: its entity ID, its single sign-on endpoint, and the certificate OCI uses to verify signed assertions. Replace PASTE_IDP_METADATA_XML_CONTENT_HERE with that XML content. The API's product_type accepts IDCS or ADFS; if you federate with another SAML 2.0 provider such as Okta or Azure AD, check the OCI federation documentation for the product type to use rather than assuming any SAML IdP is accepted as-is.

Next, the AuthenticationPolicy sets the password-complexity rules and network restrictions for your tenancy. Two caveats: the password rules apply only to local IAM users (federated users authenticate at your IdP, whose password policy governs them), and network_source_ids must be OCIDs of network sources that already exist, so the "network-source-id" placeholder must be replaced or the network_policy block removed before you apply the stack.

We then create a User resource. This is a local IAM user, not a federated one: OCI does not represent federated identities as User resources but maps groups in the IdP to OCI groups (oci.identity.IdpGroupMapping), and those federated users hold no OCI passwords or API keys. The local user created here is what the AuthToken is attached to. Finally, we generate an AuthToken for that user, which is used to authenticate against OCI services programmatically. An auth token is a long-lived bearer credential: grant its user's groups only the policies they need, rotate the token on a schedule, and keep it out of logs and plaintext state (export it wrapped in pulumi.Output.secret so Pulumi encrypts it).

Make sure to replace MY_COMPARTMENT_ID with your tenancy OCID, since identity providers, users and the authentication policy are tenancy-level resources, and follow your enterprise's identity and access guidelines for federating user access. The freeform_tags label resources for sorting or categorization according to your needs. Exporting the identifiers at the end of the program lets you reference them from your application or in the Pulumi console.
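Because the IdentityProvider accepts whatever string is pasted into metadata, a malformed or incomplete metadata file is only discovered at apply time, and a file without a signing certificate would leave OCI unable to verify assertions. The following added example (not part of the original program) checks the metadata offline with the standard library before it is passed to Pulumi. The SAMPLE_METADATA document is constructed for the example, with a placeholder certificate body; check_idp_metadata and load_idp_metadata are hypothetical helper names.

```python
"""Offline structural checks for SAML 2.0 IdP metadata before it is passed to
oci.identity.IdentityProvider(metadata=...). Added example using only the
Python standard library; the names here are not part of the OCI provider."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata (not from any real IdP). The certificate body is a
# placeholder string, which is enough to exercise the structural checks below.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(xml_text: str) -> list[str]:
    """Return the problems found; an empty list means the metadata passed.

    Checks: well-formed XML, md:EntityDescriptor root with an entityID, exactly
    one IDPSSODescriptor advertising SAML 2.0, at least one non-empty signing
    X509Certificate, and https on every SingleSignOnService endpoint."""
    problems: list[str] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"metadata is not well-formed XML: {exc}"]

    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return [f"root element is {root.tag}, expected md:EntityDescriptor"]
    if not root.get("entityID"):
        problems.append("entityID is missing")

    idps = root.findall("md:IDPSSODescriptor", NS)
    if len(idps) != 1:
        problems.append(f"expected exactly one IDPSSODescriptor, found {len(idps)}")
        return problems
    idp = idps[0]

    if "urn:oasis:names:tc:SAML:2.0:protocol" not in idp.get("protocolSupportEnumeration", ""):
        problems.append("IDPSSODescriptor does not advertise SAML 2.0")

    # A KeyDescriptor without a 'use' attribute is valid for signing and encryption.
    signing = [k for k in idp.findall("md:KeyDescriptor", NS) if k.get("use", "signing") == "signing"]
    certs = [
        c
        for k in signing
        for c in k.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if (c.text or "").strip()
    ]
    if not certs:
        problems.append("no signing X509Certificate: assertions from this IdP could not be verified")

    sso = idp.findall("md:SingleSignOnService", NS)
    if not sso:
        problems.append("no SingleSignOnService endpoint")
    for endpoint in sso:
        location = endpoint.get("Location", "")
        if not location.startswith("https://"):
            problems.append(f"SSO endpoint is not https: {location!r}")
    return problems


def load_idp_metadata(path: str) -> str:
    """Read a metadata file and refuse it if the checks fail, so a bad file
    never reaches `pulumi up`. Use the returned string as the metadata argument."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    problems = check_idp_metadata(text)
    if problems:
        raise ValueError("IdP metadata rejected:\n  " + "\n  ".join(problems))
    return text
```

In the Pulumi program, `metadata=load_idp_metadata("idp-metadata.xml")` replaces the pasted placeholder, so the check runs on every preview. These are structural checks only: they do not validate the certificate itself or verify a signature on the metadata document, which you should still do against the value your IdP administrator gives you out of band.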
This script assumes your OCI provider is already configured and authenticated (for example through a profile in ~/.oci/config). To apply the configuration, save the script as __main__.py in a Pulumi project and run pulumi up in that directory. Pulumi shows a preview of the planned changes and, once you confirm, provisions the resources as defined in the script within your OCI tenancy.