# Configure Oracle Cloud for Omni

> Set up Oracle Cloud Identity Domains to authenticate users into Omni via SAML.

This guide walks through configuring Oracle Cloud Identity Domains as a SAML provider for Omni, then enabling SAML authentication on the Omni container.

## Configure Oracle Cloud Identity Domains

This section walks through creating a SAML application in Oracle Cloud and collecting the IdP metadata file needed to complete the Omni configuration.

### Step 1: Navigate to your domain

To get started, log in to Oracle Cloud and navigate to your identity domain.

1. Log in to Oracle Cloud.
2. On the left menu, select **Identity & Security** > **Domains**.
3. Click your desired domain, then select **Integrated Applications**.

### Step 2: Create a SAML application

Create a new SAML application to represent your Omni instance.

1. Click **Add Application** > **SAML Application** > **Launch Workflow**.
2. Give the application a name, for example "Omni".
3. Leave all other fields blank, then click **Submit**.

### Step 3: Configure SSO settings

Open the SSO configuration for the application you just created and update the fields below. Leave all other fields at their defaults.

1. Select the application, then click **SAML SSO Configuration** > **Edit SSO Configuration**.
2. Update only the fields listed in the table below.

| Option                 | Value                               | Description                                                                                                              |
| ---------------------- | ----------------------------------- | ------------------------------------------------------------------------------------------------------------------------ |
| Entity ID              | `https://<omni-fqdn>/saml/metadata` | Omni's SAML service-provider identifier; Omni also publishes its SP metadata at this URL                                |
| Assertion Consumer URL | `https://<omni-fqdn>/saml/acs`      | The Omni endpoint that receives the signed SAML assertion after the user logs in                                        |
| Name ID Format         | Email address                       | Identifies the user by email address; this must match the `--auth-saml-name-id-format` flag passed to Omni later        |
| Name ID Value          | Primary email                       | The attribute sent as the Name ID in the assertion                                                                       |
| Enable single logout   | Disabled                            | Leave single logout disabled                                                                                             |

`<omni-fqdn>` must be exactly the hostname (and port, if not 443) under which users reach Omni. SAML entity IDs and ACS URLs are compared as opaque strings, so a differing scheme, port, or trailing slash makes Oracle Cloud reject the request.

### Step 4: Map attributes

At the bottom of the **SAML SSO Configuration** page, configure the attribute mappings that allow Omni to identify users by name and email.

1. Locate the **Attribute Configuration** block.
2. Use the **Add Attribute** button to create the following mappings.

| Name      | Name Format | Value         | Description              |
| --------- | ----------- | ------------- | ------------------------ |
| email     | Unspecified | Primary email | The user's email address |
| firstName | Unspecified | First name    | The user's first name    |
| lastName  | Unspecified | Last name     | The user's last name     |

*Screenshot: Oracle Cloud attribute configuration, showing the Attribute Configuration block with the three mappings above.*

### Step 5: Assign users

Add the users who should have access to Omni. You can add more users at any time by returning to this section.

1. Navigate to the **Users** section of the application.
2. Add any users that should have access to Omni.

### Step 6: Download the IdP metadata file

Download the IdP metadata file and place it on the host that will run the Omni container. The remaining steps in this guide assume the file is saved at `~/oraclemetadata.xml`.

1. Head back to the **SAML SSO Configuration** tab.
2. Click **Download** next to the **Identity Provider Metadata** field.
3. Copy or upload the file to `~/oraclemetadata.xml` on your container host, the path the mount in the next section expects.

This completes the configuration required in Oracle Cloud.
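Before moving on, it is worth checking that the file you downloaded is actually the IdP metadata and contains what Omni will need: an `entityID`, a single-sign-on endpoint, and a signing certificate to verify assertions against. The script below is an added example, not Omni or Oracle Cloud code; it relies only on the SAML 2.0 metadata schema. `SAMPLE_IDP_METADATA` is a constructed stand-in with placeholder hostnames and a placeholder certificate, not real Oracle output.

```python
"""Sanity-check an IdP metadata file before handing it to Omni (added example)."""
import base64
import sys
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SSO_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
}

# Constructed sample with the shape Omni needs; hostnames and the cert are placeholders.
SAMPLE_IDP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/fed">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBCg==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(xml_text: str) -> dict:
    """Inspect IdP metadata; a non-empty 'errors' list means Omni cannot use it."""
    result = {"entity_id": None, "sso_urls": [], "signing_certs": 0,
              "name_id_formats": [], "errors": [], "warnings": []}
    root = ET.fromstring(xml_text)

    # The descriptor may be the root element or wrapped in an md:EntitiesDescriptor.
    md_entity = f"{{{NS['md']}}}EntityDescriptor"
    entity = root if root.tag == md_entity else root.find("md:EntityDescriptor", NS)
    if entity is None:
        result["errors"].append("no md:EntityDescriptor found")
        return result
    result["entity_id"] = entity.get("entityID")
    if not result["entity_id"]:
        result["errors"].append("EntityDescriptor has no entityID")

    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # Common mistake: the SP metadata was downloaded instead of the IdP's.
        result["errors"].append("no md:IDPSSODescriptor: this is not IdP metadata")
        return result

    # Omni sends the browser to one of these endpoints to start the login.
    result["sso_urls"] = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
                          if s.get("Binding") in SSO_BINDINGS]
    if not result["sso_urls"]:
        result["errors"].append("no SingleSignOnService with an HTTP-POST or HTTP-Redirect binding")

    # Assertion signatures are verified against these certificates; 'encryption' keys do not count.
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            try:
                base64.b64decode("".join((cert.text or "").split()), validate=True)
                result["signing_certs"] += 1
            except (ValueError, TypeError):
                result["errors"].append("X509Certificate is not valid base64")
    if result["signing_certs"] == 0:
        result["errors"].append("no signing certificate in IdP metadata")

    # Step 3 selected 'Email address'; warn if the IdP advertises only other formats.
    result["name_id_formats"] = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]
    if result["name_id_formats"] and EMAIL_FORMAT not in result["name_id_formats"]:
        result["warnings"].append("IdP does not advertise the emailAddress NameID format")
    return result


if __name__ == "__main__":
    # Usage: python check_idp_metadata.py ~/oraclemetadata.xml (falls back to the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_IDP_METADATA
    report = check_idp_metadata(text)
    for key, value in report.items():
        print(f"{key}: {value}")
    sys.exit(1 if report["errors"] else 0)
```

Run it against `~/oraclemetadata.xml` on the container host; a non-zero exit means Omni would not be able to complete a login with that file. The check does not validate the certificate itself (expiry, chain), only that a signing certificate is present and decodes.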

***

## Configure Omni to use Oracle Cloud

To enable SAML authentication, pass the required flags to the Omni container at startup. Alternatively, you can set these values using the [Omni configuration file](../../reference/omni-configuration#saml) instead of CLI flags.

### Step 1: Review the required flags

Before starting the container, familiarize yourself with the flags needed for both Docker and Omni. The Docker flag bind-mounts the IdP metadata file from Step 6 into the container (read-only, since Omni only needs to read it), and the Omni flags enable and configure SAML authentication.

| Scope  | Flag                                                                                | Description                                                                                      |
| ------ | ----------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------ |
| Docker | `-v $HOME/oraclemetadata.xml:/oraclemetadata.xml:ro`                                | Mounts the IdP metadata file (saved at `~/oraclemetadata.xml` in Step 6) read-only into the container |
| Omni   | `--auth-saml-enabled=true`                                                          | Enables SAML authentication                                                                      |
| Omni   | `--auth-saml-metadata=/oraclemetadata.xml`                                          | Path to the IdP metadata file inside the container                                               |
| Omni   | `--auth-saml-name-id-format=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress` | Tells Omni to expect an email-address Name ID, matching the Name ID Format chosen in Step 3     |

### Step 2: Start the container

Run the Omni container with the flags from Step 1. The example below shows a minimal `docker run` command with the required flags in place.

```bash
docker run \
  ...
  -v $HOME/oraclemetadata.xml:/oraclemetadata.xml:ro \
  ...
  ghcr.io/siderolabs/omni:latest \
  --auth-saml-enabled=true \
  --auth-saml-metadata=/oraclemetadata.xml \
  --auth-saml-name-id-format=urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
```
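Once the container is up, confirm that the values you typed into Oracle Cloud in Step 3 match what Omni actually advertises, since a mismatch in host, port or scheme is the usual reason a login bounces with an error. The script below is an added example, not Omni code; it assumes only that Omni serves standard SAML 2.0 service-provider metadata at `https://<omni-fqdn>/saml/metadata`. `SAMPLE_SP_METADATA` is a constructed stand-in with a placeholder hostname, not captured Omni output.

```python
"""Cross-check Oracle's SSO settings against the SP metadata Omni serves (added example)."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of SP metadata; the hostname is a placeholder.
SAMPLE_SP_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://omni.example.com/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://omni.example.com/saml/acs" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def expected_sp_values(omni_fqdn: str) -> dict:
    """The exact strings Step 3 has you enter in Oracle Cloud for a given Omni FQDN."""
    return {
        "entity_id": f"https://{omni_fqdn}/saml/metadata",
        "acs_url": f"https://{omni_fqdn}/saml/acs",
    }


def check_sp_metadata(xml_text: str, omni_fqdn: str) -> list:
    """Return mismatches between Omni's SP metadata and the Step 3 values; [] means consistent."""
    want = expected_sp_values(omni_fqdn)
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return [f"unexpected root element {root.tag}"]

    # Entity IDs are compared as opaque strings: scheme, port and trailing slash all matter.
    got_entity = root.get("entityID")
    if got_entity != want["entity_id"]:
        problems.append(f"entityID {got_entity!r} != Oracle Entity ID {want['entity_id']!r}")

    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["no md:SPSSODescriptor: this is not SP metadata"]

    # Oracle will POST the assertion to the ACS URL from Step 3; Omni must list it.
    acs_urls = [a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)
                if a.get("Binding") == HTTP_POST]
    if want["acs_url"] not in acs_urls:
        problems.append(f"ACS {want['acs_url']!r} not advertised (Omni lists {acs_urls})")

    # Name ID format must agree with both Step 3 and --auth-saml-name-id-format.
    formats = [f.text.strip() for f in sp.findall("md:NameIDFormat", NS) if f.text]
    if formats and EMAIL_FORMAT not in formats:
        problems.append(f"Omni does not advertise the emailAddress NameID format: {formats}")
    return problems
```

To use it against a live instance, fetch the metadata from the container host (for example `curl -s https://<omni-fqdn>/saml/metadata`) and pass the body to `check_sp_metadata` together with the exact hostname you entered in Oracle Cloud. Passing a different host or port, as the test below does, reproduces the mismatch you would otherwise only see as a failed login.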
