JIT Provisioning from Azure AD to OCI IAM

In this tutorial, you configure Just-In-Time (JIT) provisioning between the OCI Console and Azure AD, using Azure AD as the IdP.

You can set up JIT provisioning so that identities can be created in the target system during run time, as and when they make a request to access the target system.

This tutorial covers the following steps:

  1. Configure the Azure AD IdP in OCI IAM for JIT.
  2. Update the OCI IAM app configuration in Azure AD.
  3. Test that you can provision from Azure AD to OCI IAM.
Note

This tutorial is specific to IAM with Identity Domains.

Before You Begin

To perform this tutorial, you must have the following:

  • A paid Oracle Cloud Infrastructure (OCI) account, or an OCI trial account. See Oracle Cloud Infrastructure Free Tier.

  • Identity domain administrator role for the OCI IAM identity domain. See Understanding Administrator Roles.
  • An Azure AD account with one of the following Azure AD roles:
    • Global Administrator
    • Cloud Application Administrator
    • Application Administrator

In addition, you must have completed the tutorial SSO Between OCI and Microsoft Azure, and collected the object IDs of the groups that you are going to use for JIT provisioning.

1. Configure SAML Attributes Sent by Azure AD

For JIT provisioning to work, the required SAML attributes must be configured in Azure AD so that they are sent to OCI IAM in the SAML assertion.

  1. In the browser, sign in to Microsoft Azure using the URL:
    https://portal.azure.com
  2. Navigate to Azure Active Directory and click Enterprise Applications.
  3. Click the Oracle Cloud Infrastructure Console application.
    Note

    This is the app you created as part of SSO Between OCI and Microsoft Azure.
  4. In the left menu, click Single sign-on.
  5. In the Attributes and Claims section, click Edit.
  6. Verify that the attributes are properly configured:
    • NameID
    • Email Address
    • First Name
    • Last Name

    If you require new claims, add them.

  7. Make a note of all the configured claim names. For example,

    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

    is the claim name for First Name.

    [Figure: Attributes and claims]

  8. Under Azure Active Directory, navigate to Groups. You'll see all the groups available in Azure AD.
  9. Make a note of the Object IDs of the groups that you want to include in the SAML assertion sent to OCI IAM.

    [Figure: Group details in Azure AD]

Additional Azure AD Configurations

In Azure AD, you can filter groups based on the group name (sAMAccountName) attribute.

For example, suppose only the Administrators group needs to be sent over using SAML:

  1. Click the group claim.
  2. In Group Claims, expand Advanced options.
  3. Select Filter Groups.
    • For Attribute to match, select Display Name.
    • For Match with, select contains.
    • For String, provide the name of the group, for example, Administrators.

    [Figure: Filter for groups]

Using this option, even if a user in the Administrators group is also a member of other groups, Azure AD sends only the Administrators group in the SAML assertion.

Note

This helps organizations send only the required groups from Azure AD to OCI IAM.

2. Configure JIT Attributes in OCI IAM

In OCI IAM, update the Azure AD IdP for JIT.

  1. Open a supported browser and enter the Console URL:

    https://cloud.oracle.com

  2. Enter your Cloud Account Name, also referred to as your tenancy name, and click Next.
  3. Select the identity domain which will be used to configure SSO.
  4. Sign in with your username and password.
  5. Open the navigation menu and click Identity & Security.
  6. Under Identity, click Domains.
  7. Select the identity domain in which you have already configured Azure AD as IdP.
  8. Click Security from the menu on the left, and then Identity providers.
  9. Click the Azure AD IdP.
    Note

    This is the Azure AD IdP you created as part of SSO Between OCI and Microsoft Azure.
  10. On the Azure AD IdP page, click Configure JIT.

    [Figure: Configuration page for the Azure AD identity provider in IAM]

  11. On the Configure Just-in-time (JIT) provisioning page:
    • Select Just-In-Time (JIT) provisioning.
    • Select Create a new identity domain user.
    • Select Update the existing identity domain user.

    [Figure: Enable Just-In-Time provisioning]

  12. Under Map User attributes:
    1. Leave the first row for NameID unchanged.
    2. For other attributes, under IdP user attribute select Attribute.
    3. Provide the IdP user attribute name as follows:
      • familyName: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
      • primaryEmailAddress: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    4. Click Add Row and enter: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname.

      For the identity domain user attribute, choose First name.

      Note

      The fully qualified claim name is the one you noted in 1. Configure SAML Attributes Sent by Azure AD.

    This diagram shows what the user attributes in OCI IAM should look like (on the right), and the mapping of user attributes between Azure AD and OCI IAM.

    [Figure: Mapping of user attributes between Azure AD and OCI IAM]

  13. Select Assign group mapping.
  14. Enter the Group membership attribute name: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups.
  15. Select Define explicit group membership mappings.
  16. In IdP Group name, provide the Object ID of the Azure AD group that you noted in 1. Configure SAML Attributes Sent by Azure AD.
  17. In Identity domain group name, select the group in OCI IAM to map the Azure AD group to.

    [Figure: Assign group mappings]

    This diagram shows what the group attributes in OCI IAM should look like (on the right), and the mapping of group attributes between Azure AD and OCI IAM.

    [Figure: Mapping of group attributes between Azure AD and OCI IAM]

  18. Under Assignment rules, select the following:
    1. When assigning group memberships: Merge with existing group memberships
    2. When a group is not found: Ignore the missing group

    [Figure: Setting assignment rules]

    Note

    Select options based on your organization's requirements.
  19. Click Save changes.
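To make the mappings from steps 12 to 18 concrete, the following added example (not Oracle's or Microsoft's code) simulates what the configured JIT rules do to an incoming SAML assertion: it parses a constructed assertion carrying the claim names from this tutorial, maps the claims to identity domain user attributes, applies an explicit group mapping keyed by Azure AD object ID, merges with existing group memberships and ignores unmapped groups. The user, email address, group object IDs and the function names parse_assertion and jit_provision are all constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Step 12: IdP claim name -> identity domain user attribute.
USER_ATTR_MAP = {
    CLAIMS + "surname": "familyName",
    CLAIMS + "emailaddress": "primaryEmailAddress",
    CLAIMS + "givenname": "givenName",
}
# Steps 15-17: Azure AD group object ID -> identity domain group (constructed placeholder ID).
GROUP_MAP = {"11111111-1111-1111-1111-111111111111": "Administrators"}

# Constructed assertion fragment; the second object ID has no mapping on purpose.
ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}emailaddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{GROUPS_CLAIM}">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (NameID, {claim name: [values]}) from the assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS).text
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, attrs


def jit_provision(name_id, attrs, existing_user=None):
    """Create the user (step 11) or update an existing one, applying the step 18 rules."""
    user = dict(existing_user) if existing_user else {"userName": name_id, "groups": []}
    for claim, target in USER_ATTR_MAP.items():
        if claim in attrs:
            user[target] = attrs[claim][0]
    # Step 18.2: object IDs without an explicit mapping are ignored.
    mapped = {GROUP_MAP[g] for g in attrs.get(GROUPS_CLAIM, []) if g in GROUP_MAP}
    # Step 18.1: merge with existing memberships instead of replacing them.
    user["groups"] = sorted(set(user["groups"]) | mapped)
    return user
```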
3. Test JIT Provisioning Between Azure AD and OCI

In this section, you test that JIT provisioning works between Azure AD and OCI IAM.

  1. In the Azure AD console, create a new user with an email ID that is not present in OCI IAM.
  2. Assign the user to the required groups.

    [Figure: Assign user to groups]

  3. In the browser, open the OCI Console.
  4. Select the identity domain in which JIT configuration has been enabled.
  5. Click Next.
  6. From the sign on options, click Azure AD.
  7. On the Azure login page, enter the newly created user ID.

    [Figure: Azure login page]

  8. On successful authentication from Azure:
    • The user account is created in OCI IAM.
    • The user is logged into the OCI Console.

    [Figure: My Profile in OCI IAM for the user]

  9. Select the Profile menu, which is on the upper-right side of the navigation bar at the top of the page, and then click My profile. Check the user properties such as email ID, first name, last name, and associated groups.

    [Figure: Check user properties in OCI IAM]

What's Next

Congratulations! You have successfully set up JIT provisioning between Azure AD and OCI IAM.

To explore more information about development with Oracle products, check out these sites: