OCI Identity Federation for AI Platform User Authentication

Question

Pulumi · Accepted Answer

To set up OCI Identity Federation for AI Platform User Authentication, you need to configure the necessary resources within your OCI environment. Pulumi allows you to define your cloud infrastructure using familiar programming languages, such as Python.

We'll first set up an identity provider (IdP) that allows external users to authenticate using federated credentials. Once the IdP is created, you'll define an authentication policy, followed by the provisioning of a user entity that will represent the federated user within the OCI environment. We will also create an auth token for programmatic access to the OCI services.

Here's a detailed Pulumi program in Python to accomplish this:

```python
import pulumi
import pulumi_oci as oci

# Replace "MY_COMPARTMENT_ID" with your OCI compartment ID
compartment_id = "MY_COMPARTMENT_ID"

# Define an OCI Identity Provider for federated single sign-on
# In the metadata argument, provide the XML file containing metadata 
# about the external Identity Provider
identity_provider = oci.identity.IdentityProvider("myIdentityProvider",
    compartment_id=compartment_id,
    name="my-identity-provider",
    description="My Identity Provider for federated SSO",
    product_type="IDCS",  # Assuming the external IdP is Oracle Identity Cloud Service
    protocol="SAML2",  # The protocol used for federation, e.g., SAML2
    metadata="""PASTE_IDP_METADATA_XML_CONTENT_HERE""",
    freeform_tags={"Environment": "Production"}
)

# Define an authentication policy that fits the needs of your AI Platform
authentication_policy = oci.identity.AuthenticationPolicy("myAuthenticationPolicy",
    compartment_id=compartment_id,
    network_policy=oci.identity.AuthenticationPolicyNetworkPolicyArgs(
        network_source_ids=["network-source-id"]  # Specify appropriate network source IDs if needed
    ),
    password_policy=oci.identity.AuthenticationPolicyPasswordPolicyArgs(
        minimum_password_length=12,
        is_numeric_characters_required=True,
        is_special_characters_required=True,
        is_username_containment_allowed=False,
        is_lowercase_characters_required=True,
        is_uppercase_characters_required=True
    )
)

# Provision a user that represents a federated user within OCI
user = oci.identity.User("myUser",
    compartment_id=compartment_id,
    name="my-federated-user",
    description="User representing a federated identity",
    freeform_tags={"Federation": "True"}
)

# Create an Auth Token for the User, allowing programmatic access to OCI Services
auth_token = oci.identity.AuthToken("myAuthToken",
    user_id=user.id,
    description="Auth token for federated user"
)

# Export important identifiers that you would need in your application
pulumi.export("identity_provider_id", identity_provider.id)
pulumi.export("user_id", user.id)
pulumi.export("auth_token", auth_token.token)
```

In the program above, we first create an `IdentityProvider` to set up federation with an external identity source. The `metadata` would be the XML content that describes your IdP's SAML2 configurations. This could be a federation with a service such as Okta or Azure AD. Ensure to replace `PASTE_IDP_METADATA_XML_CONTENT_HERE` with the actual XML content.

Next, we define an `AuthenticationPolicy` that establishes the criteria for password complexity and network policies to follow within your AI Platform.

We also create a `User` resource to represent federated identities. Such a user will not have password-based credentials within OCI since the authentication takes place through your external IdP.

Finally, we generate an `AuthToken` for the user, which is used when you want to authenticate against OCI services programmatically.
 
Make sure to replace `MY_COMPARTMENT_ID` with your actual OCI compartment ID where you wish to configure the federation services and adhere to your enterprise's identity and access guidelines for federating user access. The `freeform_tags` are used to label resources for sorting or categorization according to your needs.

Exporting the identifiers at the end of the program allows you to easily reference them in your application or in the Pulumi console.

Please note that this script assumes you have your OCI provider set up and authenticated. To apply this configuration, save the script as `__main__.py` and run `pulumi up` in the same directory. This will prompt Pulumi to provision the resources as defined in the script within your OCI environment.