ENABLE_EXTERNAL_AUTHENTICATION Procedure

Syntax

DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION(
   type         IN VARCHAR2,
   force        IN BOOLEAN DEFAULT FALSE,
   params       IN CLOB DEFAULT NULL
);

Parameter

Parameter Description

Parameter	Description
`type`	Specifies the external authentication type. Valid values: or . `'OCI_IAM'` `'AZURE_AD'` `'CMU'` `'KERBEROS'`
`force`	(Optional) Override a currently enabled external authentication scheme. Valid values are `TRUE` or `FALSE`. The default value is `FALSE`.
`params`	A JSON string that provides additional parameters for the external authentication. `CMU` parameters: `location_uri`: specifies the cloud storage URI for the bucket where files required for CMU are stored. If you specify `location_uri` there is a fixed name directory object `CMU_WALLET_DIR` created in the database at the path `'cmu_wallet'` to save the CMU configuration files. In this case, you do not need to supply the `directory_name` parameter. `credential_name`: specifies the credentials that are used to download the CMU configuration files from the Object Store to the directory object. Default value is `NULL` which allows you to provide a Public, Preauthenticated, or pre-signed URL for Object Store bucket or subfolder. `directory_name`: specifies the directory name where configuration files required for CMU are stored. If `directory_name` is supplied, you are expected to copy the CMU configuration files `dsi.ora` and `cwallet.sso` to this directory object. `KERBEROS` parameters: `location_uri`: specifies the cloud storage URI for the bucket where the files required for Kerberos are stored. If you specify `location_uri` there is a fixed name directory object `KERBEROS_DIR` created in the database to save the Kerberos configuration files. In this case, you do not need to supply the `directory_name` parameter. `credential_name`: specifies the credential that are used to download Kerberos configuration files from the Object Store location to the directory object. Default value is `NULL` which allows you to provide a Public, Preauthenticated, or pre-signed URL for Object Store bucket or subfolder. `directory_name`: specifies the directory name where files required for Kerberos are stored. If `directory_name` is supplied, you are expected to copy the Kerberos configuration files to this directory object. `AZURE_AD` parameters: `tenant_id`: Tenant ID of the Azure Account. Tenant Id specifies the Autonomous Database instance's Azure AD application registration. `application_id`: Azure Application ID created in Azure AD to assign roles/schema mappings for external authentication in the Autonomous Database instance. `application_id_uri`: Unique URI assigned to the Azure Application. This it the identifier for the Autonomous Database instance. The name must be domain qualified (this supports cross tenancy resource access). The maximum length for this parameter is 256 characters.

type

Specifies the external authentication type. Valid values: or .

'OCI_IAM'
'AZURE_AD'
'CMU'
'KERBEROS'

force

(Optional) Override a currently enabled external authentication scheme. Valid values are TRUE or FALSE.

The default value is FALSE.

params

A JSON string that provides additional parameters for the external authentication.

CMU parameters:

location_uri: specifies the cloud storage URI for the bucket where files required for CMU are stored.
If you specify location_uri there is a fixed name directory object CMU_WALLET_DIR created in the database at the path 'cmu_wallet' to save the CMU configuration files. In this case, you do not need to supply the directory_name parameter.
credential_name: specifies the credentials that are used to download the CMU configuration files from the Object Store to the directory object.
Default value is NULL which allows you to provide a Public, Preauthenticated, or pre-signed URL for Object Store bucket or subfolder.
directory_name: specifies the directory name where configuration files required for CMU are stored. If directory_name is supplied, you are expected to copy the CMU configuration files dsi.ora and cwallet.sso to this directory object.

KERBEROS parameters:

location_uri: specifies the cloud storage URI for the bucket where the files required for Kerberos are stored.
If you specify location_uri there is a fixed name directory object KERBEROS_DIR created in the database to save the Kerberos configuration files. In this case, you do not need to supply the directory_name parameter.
credential_name: specifies the credential that are used to download Kerberos configuration files from the Object Store location to the directory object.
Default value is NULL which allows you to provide a Public, Preauthenticated, or pre-signed URL for Object Store bucket or subfolder.
directory_name: specifies the directory name where files required for Kerberos are stored. If directory_name is supplied, you are expected to copy the Kerberos configuration files to this directory object.

AZURE_AD parameters:

tenant_id: Tenant ID of the Azure Account. Tenant Id specifies the Autonomous Database instance's Azure AD application registration.
application_id: Azure Application ID created in Azure AD to assign roles/schema mappings for external authentication in the Autonomous Database instance.
application_id_uri: Unique URI assigned to the Azure Application.
This it the identifier for the Autonomous Database instance. The name must be domain qualified (this supports cross tenancy resource access).

The maximum length for this parameter is 256 characters.

Exceptions

Exception	Error	Description
`invalid_ext_auth`	`ORA-20004`	See the accompanying message for a detailed explanation.

Usage Notes

With type OCI_IAM, if the resource principal is not enabled on the Autonomous Database instance, this routine enables resource principal with DBMS_CLOUD_ADMIN.ENABLE_RESOURCE_PRINCIPAL.
This procedure sets the system parameters IDENTITY_PROVIDER_TYPE and IDENTITY_PROVIDER_CONFIG to required users to access the instance with Oracle Cloud Infrastructure Identity and Access Management authentication and authorization.

Examples

Enable OCI_IAM Authentication

BEGIN DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION(
     type => 'OCI_IAM',
     force=> TRUE );
END;
/

PL/SQL procedure successfully completed.

Enable CMU Authentication for Microsoft Active Directory

You pass in a directory name that contains the CMU configuration files through params JSON argument.

BEGIN DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION(
     type => 'CMU',
     force => TRUE,
     params => JSON_OBJECT('directory_name' value 'CMU_DIR'); // CMU_DIR directory object already exists
END;
/

PL/SQL procedure successfully completed.

You pass in a location URI pointing to an Object Storage location that contains CMU configuration files through params JSON argument.

BEGIN
   DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION(
       type     => 'CMU',
       params   => JSON_OBJECT('location_uri' value 'https://objectstorage.us-phoenix-1.oraclecloud.com/n/namespace-string/b/bucketname/o',
                               'credential_name' value 'my_credential_name')
   );
END;
/

PL/SQL procedure successfully completed.

Enable Azure AD Authentication

BEGIN DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION(
     type => 'AZURE_AD',
     force => TRUE,
     params   => JSON_OBJECT( 'tenant_id' VALUE '....',
                              'application_id' VALUE '...',
                              'application_id_uri' VALUE '.....' ));
END;
/

PL/SQL procedure successfully completed.

Enable Kerberos Authentication

You pass in a directory name that contains Kerberos configuration files through params JSON argument.

BEGIN DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION(
     type => 'KERBEROS',
     force => TRUE,
     params => JSON_OBJECT('directory_name' value 'KERBEROS_DIR'); // KERBEROS_DIR directory object already exists
END;
/

PL/SQL procedure successfully completed.

You pass in a location URI pointing to an Object Storage location that contains Kerberos configuration files through params JSON argument.

BEGIN DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION(
     type => 'KERBEROS',
     force => TRUE,
     params => JSON_OBJECT('location_uri' value 'https://objectstorage.us-phoenix-1.oraclecloud.com/n/namespace-string/b/bucketname/o',
                           'credential_name' value 'my_credential_name');
END;
/

PL/SQL procedure successfully completed.

Oracle Cloud Infrastructure Documentation