Securing Oracle SaaS and PaaS solutions using IP whitelisting and Multi-Factor Authentication (MFA)

Published on: Category: Oracle

With more and more business applications moving to the cloud, the need for tighter access control increases. Enabling Multi-Factor Authentication (MFA) is one way to achieve this. In this article we show how to set up IP whitelisting and MFA for Oracle Cloud applications using Oracle Identity Cloud Service (IDCS).

User laptops get hacked and malware gets installed by accident, so sooner or later passwords will be compromised. In the pre-cloud era, business applications were far less exposed to the outside world. Now anyone in the world can in principle reach the login page of your business application, and the only security measure in between is a username/password combination.

IP whitelisting

Using IP whitelisting, we can make sure that only sign-in requests coming from specific IP address ranges (for example the public egress addresses of the corporate network, or the ranges allocated to a particular country) can access your cloud applications. More elaborate schemes restrict specific roles (administrators and the like) to logging in from a short list of IP addresses only.

For the Oracle cloud, you can configure this using the Oracle Identity Cloud Service (IDCS).

Defining sign-on policies

In Oracle IDCS, we can define multiple sign-on policies. Each policy defines a set of rules and a list of applications to which these rules apply. The default sign-on policy allows any authenticated user to sign in (see fig 1).

Figure 1: The default sign-on policy allows all access

Each rule within a sign-on policy determines whether a user may or may not sign on: a rule has a condition (for instance the network perimeter the request comes from) and an effect that either grants or denies access. Rules are evaluated in order of their priority, and the first rule whose condition matches decides the outcome, so the priority of each rule is what makes a policy work or fail.

Adding a second sign-on policy for a specific application allows us to configure access for that single application (see figures 2 and 3). In our example, we define a specific sign-on policy for Oracle Integration Cloud (PaaS). If a specific sign-on policy exists for an application, IDCS uses that policy instead of the 'Default' one.

Figure 2: Adding a sign-on policy for a specific application
Figure 3: Adding a specific application to sign-on policy. If desired, multiple applications can be added

Now, we need to allow access to this application based on a particular (corporate) IP range. In figures 4, 5 and 6 you can see how to:

- Define a network perimeter: a named list of IP addresses or CIDR ranges.
- Add a rule to the policy that allows access for all users whose request comes from that perimeter.

Keep in mind that IDCS matches the public source address of the sign-in request, so the perimeter must list the corporate network's public (egress) addresses. An internal range such as the one shown in figure 5 would never match real traffic and is used there for illustration only.

Figure 4: Adding network perimeter
Figure 5: Adding network perimeter listing all corporate IP addresses. Please mind this is an internal IP range used for illustration purposes only
Figure 6: Sign-on rule whitelisting the corporate IP range

We add a second rule, with a lower priority than the whitelist rule, to deny all other access to Oracle Integration Cloud (fig 7 and 8).

Figure 7: Rule to deny all access
Figure 8: Sign-on policy rules to allow only corporate, whitelisted addresses

Suppose we also want people outside the corporate address range to be able to log in, but only with an additional authentication factor.

Setting up MFA in Oracle Cloud

Enabling Multi-Factor Authentication (MFA) in Oracle Cloud is straightforward. In the IDCS console, navigate to Security -> MFA and enable the factors you want users to be able to enrol (see figures 9 and 10).

Figure 9: MFA menu
Figure 10: Enable MFA by checking boxes

Next, we add a new rule to our Integration sign-on policy. This rule allows access from all IP addresses outside the corporate range, but requires the user to present an additional factor (see figures 11 and 12). Its priority must sit between the corporate whitelist rule and the deny-all rule; a catch-all deny rule evaluated first would lock everybody out.

Figure 11: Adding second rule for all IP addresses outside of corporate range, to make use of MFA
Figure 12: Three sign-on rules. The first rule allows access whenever someone logs in from the corporate IP range. The second rule requires everyone outside that range to present a second authentication factor. The last rule denies all remaining access

Log in using MFA

With the new sign-on policy in place, we try to log in to our Oracle Integration Cloud instance from outside the corporate range.

Figure 13: First, we sign on using our username/password credentials

Oracle now requests a second authentication factor (figure 14). To provide it, we install the Oracle Mobile Authenticator app on a phone. The app then has to be enrolled for this particular cloud account, which is easy: on the first login attempt IDCS detects that no authenticator app is enrolled yet and shows a QR code, which the app scans to link the account.

Figure 14: MFA: 2-Step Verification
About the author: Richard Velden

Oracle Fusion Middleware Developer at Qualogy. Specializes in integration and cloud development using Oracle technologies such as SOA Suite, Service Bus, Integration Cloud and Process Cloud.
Comments (1)
  1. at 22:10

    How do you apply these concepts to Oracle SaaS, particularly Fusion Cloud ERP/HCM, when IDCS Foundation is in place?