JIT Provisioning from Azure AD to OCI IAM
In this tutorial, you configure Just-In-Time (JIT) provisioning between the OCI Console and Azure AD, using Azure AD as the IdP.
You can set up JIT provisioning so that identities can be created in the target system during run time, as and when they make a request to access the target system.
This tutorial covers the following steps:
- Configure the Azure AD IdP in OCI IAM for JIT.
- Update the OCI IAM app configuration in Azure AD.
- Test that you can provision from Azure AD to OCI IAM.
This tutorial is specific to IAM with Identity Domains.
To perform this tutorial, you must have the following:
- A paid Oracle Cloud Infrastructure (OCI) account, or an OCI trial account. See Oracle Cloud Infrastructure Free Tier.
- Identity domain administrator role for the OCI IAM identity domain. See Understanding Administrator Roles.
- An Azure AD account with one of the following Azure AD roles:
  - Global Administrator
  - Cloud Application Administrator
  - Application Administrator
In addition, you must have completed the tutorial SSO Between OCI and Microsoft Azure, and collected the object IDs of the groups that you are going to use for JIT provisioning.
For JIT provisioning to work, the required SAML attributes must be configured in Azure AD; Azure AD sends them to OCI IAM in the SAML assertion.
- In the browser, sign in to Microsoft Azure using the URL: https://portal.azure.com
- Navigate to Azure Active Directory and click Enterprise Applications.
- Click the Oracle Cloud Infrastructure Console application.
- In the left menu, click Single sign-on.
- In the Attributes and Claims section, click Edit.
- Verify that the following attributes are properly configured: NameID, Email Address, First Name, Last Name. If you require new claims, add them.
- Make a note of all the configured claim names. For example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname is the claim name for First Name.
- Under Azure Active Directory, navigate to Groups. You'll see all the groups available in Azure AD.
- Make a note of the Object IDs of the groups that you want to include in the SAML assertion sent to OCI IAM.
Additional Azure AD Configurations
In Azure AD, you can filter groups based on the group name or the sAMAccountName attribute.
For example, suppose only the Administrators group needs to be sent over using SAML:
- Click the group claim.
- In Group Claims, expand Advanced options.
- Select Filter Groups.
- For Attribute to match, select Display Name.
- For Match with, select contains.
- For String, provide the name of the group, for example, Administrators.
This helps organizations send only the required groups to OCI IAM from Azure AD.
In OCI IAM, update the Azure AD IdP for JIT.
- Open a supported browser and enter the Console URL.
- Enter your Cloud Account Name, also referred to as your tenancy name, and click Next.
- Select the identity domain which will be used to configure SSO.
- Sign in with your username and password.
- Open the navigation menu and click Identity & Security.
- Under Identity, click Domains.
- Select the identity domain in which you have already configured Azure AD as IdP.
- Click Security from the menu on the left, and then click Identity providers.
- Click the Azure AD IdP.
- On the Azure AD IdP page, click Configure JIT.
- On the Configure Just-in-time (JIT) provisioning page:
  - Select Just-In-Time (JIT) provisioning.
  - Select Create a new identity domain user.
  - Select Update the existing identity domain user.
- Under Map User attributes:
  - Leave the first row, for NameID, unchanged.
  - For the other attributes, under IdP user attribute, select Attribute.
  - Provide the IdP user attribute names as follows:
    - familyName: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    - primaryEmailAddress: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  - Click Add Row and enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname. For the identity domain user attribute, choose First name.
This diagram shows what the user attributes in OCI IAM should look like (on the right), and the mapping of user attributes between Azure AD and OCI IAM.
- Select Assign group mapping.
- Enter the Group membership attribute name: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups
- Select Define explicit group membership mappings.
- In IdP Group name, provide the Object ID of the Azure AD group from the previous step.
- In Identity domain group name, select the group in OCI IAM to map the Azure AD group to.
This diagram shows what the group attributes in OCI IAM should look like (on the right), and the mapping of group attributes between Azure AD and OCI IAM.
- Under Assignment rules, select the following:
  - When assigning group memberships: Merge with existing group memberships
  - When a group is not found: Ignore the missing group
  Note: Select options based on your organization's requirements.
- Click Save changes.
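To see what the attribute and group mapping configured above does with an incoming assertion, here is an added example (not part of the tutorial and not OCI's own JIT code) that applies the same claim mapping, explicit group mapping and assignment rules to a constructed SAML assertion. The group Object IDs, user values and the GROUP_MAP table are constructed placeholders; the claim URIs are the ones the tutorial maps.

```python
import xml.etree.ElementTree as ET

# Claim URIs as mapped in the tutorial -> identity domain user attributes.
CLAIM_TO_OCI_ATTR = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "givenName",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "familyName",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "primaryEmailAddress",
}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Explicit group mapping (Azure AD Object ID -> identity domain group); constructed values.
GROUP_MAP = {"11111111-1111-1111-1111-111111111111": "Administrators"}

# Constructed sample assertion body; a real one is signed and carries more elements.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
   <saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
   <saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
   <saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
   <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
   <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def parse_assertion(xml_text):
    # Return (NameID, {claim name: [values]}) from the assertion's attribute statement.
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, attrs

def jit_provision(xml_text, existing_user=None, existing_groups=()):
    """Build the user record and group list the tutorial's JIT settings would produce."""
    name_id, attrs = parse_assertion(xml_text)
    # "Create a new user" or "update the existing user": start from what is already stored.
    user = dict(existing_user or {}, userName=name_id)
    for claim, oci_attr in CLAIM_TO_OCI_ATTR.items():
        if attrs.get(claim):
            user[oci_attr] = attrs[claim][0]
    # Explicit mapping; an Object ID with no mapping is dropped ("Ignore the missing group").
    mapped = {GROUP_MAP[oid] for oid in attrs.get(GROUPS_CLAIM, []) if oid in GROUP_MAP}
    # "Merge with existing group memberships" keeps groups assigned directly in OCI IAM.
    return user, sorted(set(existing_groups) | mapped)
```

The second Object ID in the sample has no explicit mapping, so it is silently ignored, which is why the tutorial advises choosing the assignment rules according to your organization's requirements.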
- In the Azure AD console, create a new user with an email ID which is not present in OCI IAM.
- Assign the user to the required groups.
- In the browser, open the OCI Console.
- Select the identity domain in which JIT configuration has been enabled.
- Click Next.
- From the sign-on options, click Azure AD.
- On the Azure login page, enter the newly created user ID.
- On successful authentication from Azure:
  - The user account is created in OCI IAM.
  - The user is logged into the OCI Console.
- Select the Profile menu, which is on the upper-right side of the navigation bar at the top of the page, and then click My profile. Check the user properties such as email ID, first name, last name, and associated groups.
Congratulations! You have successfully set up JIT provisioning between Azure AD and OCI IAM.