1. OCI Identity Federation for AI Platform User Authentication


    To set up OCI Identity Federation for AI Platform User Authentication, you need to configure the necessary resources within your OCI environment. Pulumi allows you to define your cloud infrastructure using familiar programming languages, such as Python.

    We'll first set up an identity provider (IdP) that allows external users to authenticate using federated credentials. Once the IdP is created, you'll define an authentication policy, followed by the provisioning of a user entity that will represent the federated user within the OCI environment. We will also create an auth token for programmatic access to the OCI services.

    Here's a detailed Pulumi program in Python to accomplish this:

```python
import pulumi
import pulumi_oci as oci

# Replace "MY_COMPARTMENT_ID" with your OCI compartment ID
compartment_id = "MY_COMPARTMENT_ID"

# Define an OCI Identity Provider for federated single sign-on.
# The metadata argument takes the SAML 2.0 metadata XML published by
# the external Identity Provider.
identity_provider = oci.identity.IdentityProvider(
    "myIdentityProvider",
    compartment_id=compartment_id,
    name="my-identity-provider",
    description="My Identity Provider for federated SSO",
    product_type="IDCS",  # Assuming the external IdP is Oracle Identity Cloud Service
    protocol="SAML2",     # The protocol used for federation, e.g., SAML2
    metadata="""PASTE_IDP_METADATA_XML_CONTENT_HERE""",
    freeform_tags={"Environment": "Production"},
)

# Define an authentication policy that fits the needs of your AI Platform
authentication_policy = oci.identity.AuthenticationPolicy(
    "myAuthenticationPolicy",
    compartment_id=compartment_id,
    network_policy=oci.identity.AuthenticationPolicyNetworkPolicyArgs(
        network_source_ids=["network-source-id"],  # Placeholder: specify appropriate network source IDs if needed
    ),
    password_policy=oci.identity.AuthenticationPolicyPasswordPolicyArgs(
        minimum_password_length=12,
        is_numeric_characters_required=True,
        is_special_characters_required=True,
        is_username_containment_allowed=False,
        is_lowercase_characters_required=True,
        is_uppercase_characters_required=True,
    ),
)

# Provision a user that represents a federated user within OCI
user = oci.identity.User(
    "myUser",
    compartment_id=compartment_id,
    name="my-federated-user",
    description="User representing a federated identity",
    freeform_tags={"Federation": "True"},
)

# Create an Auth Token for the User, allowing programmatic access to OCI Services
auth_token = oci.identity.AuthToken(
    "myAuthToken",
    user_id=user.id,
    description="Auth token for federated user",
)

# Export important identifiers that you would need in your application.
# The token value is a credential: mark it as a secret so Pulumi encrypts it
# in state and masks it in console output instead of printing it in plaintext.
pulumi.export("identity_provider_id", identity_provider.id)
pulumi.export("user_id", user.id)
pulumi.export("auth_token", pulumi.Output.secret(auth_token.token))
```

    In the program above, we first create an IdentityProvider to set up federation with an external identity source. The metadata is the XML content that describes your IdP's SAML2 configuration. This could be a federation with a service such as Okta or Azure AD. Be sure to replace PASTE_IDP_METADATA_XML_CONTENT_HERE with the actual XML content.

    Next, we define an AuthenticationPolicy that establishes the criteria for password complexity and network policies to follow within your AI Platform.

    We also create a User resource to represent federated identities. Such a user will not have password-based credentials within OCI since the authentication takes place through your external IdP.

    Finally, we generate an AuthToken for the user, which is used to authenticate against OCI services programmatically.

    Make sure to replace MY_COMPARTMENT_ID with the OCID of the compartment in which you wish to configure the federation services, and follow your enterprise's identity and access guidelines for federating user access. The freeform_tags are used to label resources for sorting or categorization according to your needs.

    Exporting the identifiers at the end of the program allows you to easily reference them in your application or in the Pulumi console.

    Please note that this script assumes you have your OCI provider set up and authenticated. To apply this configuration, save the script as __main__.py and run pulumi up in the same directory. This will prompt Pulumi to provision the resources as defined in the script within your OCI environment.