Identity Proxy and Oracle Cloud Infrastructure

Steps to configure Zscaler Identity Proxy and Oracle Cloud Infrastructure (OCI).

  1. Open the OCI Identity/Federation configuration and download the OCI metadata XML.
  2. Open the XML and copy the entityID (only the highlighted text in the red box is needed).
  3. Add a new Identity Proxy configuration in Zscaler Internet Access:

    a. Insert a meaningful name;
    b. Select Other Cloud Apps;
    c. Insert the entityID you just got in the fields ACS URL and Entity ID;
    d. Select the available Response Signing SAML Certificate;
    e. Disable Pass-on Group Details;
    f. Set Unmanaged Action to Block;
    g. Save and activate the configuration.

  4. Download the Zscaler certificate. We will need it to craft the Zscaler metadata.xml.
  5. Copy the Identity Proxy URL.
  6. Open the attached metadata.xml and replace the following fields:
metadata.xml

```xml
<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor ID="_95e49938-4ead-48b9-a923-65ae8ab83d61" entityID="HxnBcP11TmLwf827tTW1XkexT767jq0dBMLpFfMtxTqnksaSqWppntKJOaEI00QIvSx5Q/bbUqZIopJ86A0xAA==" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>MIIHBzCCBe+gAwIBAgIQB9mGWpERnPN/TkCq4rbZhDANBgkqhkiG9w0BAQsFADBw...</X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.zscalertwo.net/samlsso/HxnBcP11TmLwf827tTW1XkexT767jq0dBMLpFfMtxTqnksaSqWppntKJOaEI00QIvSx5Q/bbUqZIopJ86A0xAA==" />
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.zscalertwo.net/samlsso/HxnBcP11TmLwf827tTW1XkexT767jq0dBMLpFfMtxTqnksaSqWppntKJOaEI00QIvSx5Q/bbUqZIopJ86A0xAA==" />
  </IDPSSODescriptor>
</EntityDescriptor>
```

a. entityID – the last part of the Identity Proxy URL, i.e. everything after /samlsso/ (the value itself contains "/" and "=" characters). So, if the URL is “http://idp.zscalertwo.net/samlsso/HxnBcP11TmLwf827tTW1W0i3Rr28iK4dB87pF6d3wGyqxdqT4Wo8gtSTPaQR2FADuzJ/V/HaVVRFLppR47AA=”, your entityID is HxnBcP11TmLwf827tTW1W0i3Rr28iK4dB87pF6d3wGyqxdqT4Wo8gtSTPaQR2FADuzJ/V/HaVVRFLppR47AA=;
b. X509Certificate – the base64 body only; no need to paste the BEGIN/END CERTIFICATE lines;
c. Locations – paste the Identity Proxy URL into the TWO Location attributes at the end of the file. (Note: you probably do not really need to enter this twice, but I did it this way and it worked, so… I’m happy with it. If you have some time to stress what the best configuration should be, please let me know and I’ll update this document.)

  7. Save that file for later.
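The two XML steps above (copying the entityID out of the OCI metadata, and filling entityID, certificate body and the two SingleSignOnService Locations into the Zscaler metadata.xml) scripted as an added example. This is not code from the original post, nor a Zscaler or Oracle tool. The OCI metadata snippet, the certificate body and the `ID` attribute value are constructed placeholders; the Identity Proxy URL is the one from the file above. `check_idp_metadata` is a sanity check to run on the generated file before uploading it to OCI.

```python
"""Generate and check the Zscaler IdP metadata.xml for OCI federation.
Example code, not Zscaler/Oracle tooling; sample inputs are constructed."""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML_PROTO = "urn:oasis:names:tc:SAML:2.0:protocol"
PROXY_PATH_MARKER = "/samlsso/"

ET.register_namespace("", MD_NS)    # serialize metadata elements without a prefix
ET.register_namespace("ds", DS_NS)


def extract_entity_id(sp_metadata_xml: str) -> str:
    """entityID of the OCI EntityDescriptor; this value goes into both the
    ACS URL and Entity ID fields of the Identity Proxy configuration."""
    root = ET.fromstring(sp_metadata_xml)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"expected a SAML EntityDescriptor, got {root.tag}")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID attribute")
    return entity_id


def entity_id_from_proxy_url(identity_proxy_url: str) -> str:
    """Everything after /samlsso/ in the Identity Proxy URL. The value contains
    '/' and '=' characters, so splitting on the last '/' would truncate it."""
    path = unquote(urlsplit(identity_proxy_url).path)
    idx = path.find(PROXY_PATH_MARKER)
    if idx < 0:
        raise ValueError("Identity Proxy URL does not contain /samlsso/")
    entity_id = path[idx + len(PROXY_PATH_MARKER):]
    if not entity_id:
        raise ValueError("Identity Proxy URL has nothing after /samlsso/")
    return entity_id


def pem_to_base64_body(cert_pem: str) -> str:
    """Drop the BEGIN/END lines and whitespace; the remainder must be valid
    base64 (a DER certificate) or the SP will reject the metadata."""
    body = "".join(
        line.strip() for line in cert_pem.splitlines()
        if line.strip() and not line.strip().startswith("-----")
    )
    base64.b64decode(body, validate=True)   # raises binascii.Error on bad input
    return body


def build_idp_metadata(identity_proxy_url: str, cert_pem: str,
                       descriptor_id: str = "_zscaler-idp") -> str:
    """IdP metadata with entityID, signing certificate and both bindings'
    Location set to the Identity Proxy URL. descriptor_id is a placeholder."""
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor",
                      {"ID": descriptor_id,
                       "entityID": entity_id_from_proxy_url(identity_proxy_url)})
    idp = ET.SubElement(root, f"{{{MD_NS}}}IDPSSODescriptor",
                        {"protocolSupportEnumeration": SAML_PROTO})
    key = ET.SubElement(idp, f"{{{MD_NS}}}KeyDescriptor", {"use": "signing"})
    x509 = ET.SubElement(ET.SubElement(key, f"{{{DS_NS}}}KeyInfo"),
                         f"{{{DS_NS}}}X509Data")
    ET.SubElement(x509, f"{{{DS_NS}}}X509Certificate").text = pem_to_base64_body(cert_pem)
    for binding in ("HTTP-Redirect", "HTTP-POST"):   # same URL in both Locations
        ET.SubElement(idp, f"{{{MD_NS}}}SingleSignOnService",
                      {"Binding": f"urn:oasis:names:tc:SAML:2.0:bindings:{binding}",
                       "Location": identity_proxy_url})
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


def check_idp_metadata(xml_text: str, identity_proxy_url: str) -> list:
    """Consistency check before upload; returns a list of problems (empty = OK)."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("entityID") != entity_id_from_proxy_url(identity_proxy_url):
        problems.append("entityID does not match the Identity Proxy URL")
    locations = [e.get("Location") for e in root.iter(f"{{{MD_NS}}}SingleSignOnService")]
    if len(locations) != 2 or any(loc != identity_proxy_url for loc in locations):
        problems.append("expected two SingleSignOnService Locations equal to the proxy URL")
    cert = root.find(f".//{{{DS_NS}}}X509Certificate")
    if cert is None or not cert.text or "-----" in cert.text:
        problems.append("X509Certificate missing or still contains PEM header lines")
    return problems


# Constructed sample inputs: placeholder OCI metadata and a base64 body that is
# NOT a real certificate. The proxy URL is the one shown in the metadata.xml above.
SAMPLE_OCI_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idcs-EXAMPLE.identity.oraclecloud.com/fed">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""
SAMPLE_PROXY_URL = ("https://idp.zscalertwo.net/samlsso/"
                    "HxnBcP11TmLwf827tTW1XkexT767jq0dBMLpFfMtxTqnksaSqWppntKJOaEI00QIvSx5Q/bbUqZIopJ86A0xAA==")
SAMPLE_CERT_PEM = """-----BEGIN CERTIFICATE-----
QUJDREVGR0hJSktMTU5P
UFFSU1RVVldYWVo=
-----END CERTIFICATE-----"""

if __name__ == "__main__":
    print("OCI entityID for the Identity Proxy form:", extract_entity_id(SAMPLE_OCI_METADATA))
    generated = build_idp_metadata(SAMPLE_PROXY_URL, SAMPLE_CERT_PEM)
    print(generated)
    print("problems:", check_idp_metadata(generated, SAMPLE_PROXY_URL))
```

Run the file directly to print the generated metadata; `check_idp_metadata` returns an empty list when the entityID, both Locations and the certificate element are consistent with the URL you pasted, which is the quickest way to catch a truncated entityID or a leftover BEGIN/END CERTIFICATE line before the upload fails in the OCI console.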

  8. Go back to the OCI console and add a new Identity Provider:

    a. Insert a meaningful name and description;
    b. Select SAML 2.0 Compliant Identity Provider;
    c. Upload the crafted metadata.xml;

  9. Configure the mappings for the new Identity Provider.
  10. Now, when you log on to your OCI tenant, a new option will appear.

Useful links:

About Identity Proxy Settings | Zscaler

Federating with Identity Providers (oracle.com)
