Tutorial 1: Entra ID as Authoritative Source to Manage Identities Using Entra ID Gallery Application

Configure Entra ID as the authoritative identity store to manage identities in OCI IAM using an application template from Entra ID Gallery.

  1. Configure OCI IAM so that Entra ID is the identity store to manage identities in OCI IAM. In OCI IAM, create a confidential application.
  2. Generate a secret token from the OCI IAM identity domain's client ID and client secret. Use this, along with the domain URL, in Entra ID.
  3. Create an app in Entra ID and use the secret token and identity domain URL to specify the OCI IAM identity domain, and prove that it works by pushing users from Entra ID to OCI IAM.
  4. Assign the users and groups that you want to provision to OCI IAM to the Entra ID application.

In addition, this tutorial includes instructions on how to:
    • Set users' federated status so that they're authenticated by the external identity provider.
    • Stop users getting notification emails when their account is created or updated.
1. Create a Confidential Application

In this section, you configure Entra ID to act as the identity manager so that user accounts are synchronized from Entra ID to OCI IAM.

  1. In the identity domain you are working in, click Applications.
  2. Click Add Application, choose Confidential Application, and click Launch workflow.

    Confidential application

  3. Enter a name for the application, for example Entra ID, and click Next.
  4. Under Client configuration, select Configure this application as a client now.

    Configure application as a client

  5. Under Authorization, check Client credentials.

    Configure application for client credentials

  6. Under Client type, select Confidential.
  7. Scroll down, and in the Token issuance policy section, set Authorized resources to Specific.

    Token issuance policy

  8. Select Add app roles.
  9. In the App Roles section, click Add roles, and in the Add app roles page select User Administrator then click Add.

    Add app roles

  10. Click Next, then Finish.
  11. On the application overview page, click Activate and confirm that you want to activate the application.

    The confidential application is activated.

2. Find the Domain URL and Generate a Secret Token

You need two pieces of information to use as part of the connection settings for the enterprise app you create in Entra ID:

  • The domain URL.
  • A secret token generated from the client ID and client secret.
  1. Return to the identity domain overview by clicking the identity domain name in the breadcrumbs. Click Copy next to the Domain URL in Domain information and save the URL to an app where you can edit it.

    The domain information showing where the Domain URL information is.

  2. In the confidential app in OCI IAM, click OAuth configuration under Resources.
  3. Scroll down, and find the Client ID and Client secret under General Information.
  4. Copy the client ID and store it.
  5. Click Show secret and copy the secret and store it.

    Client ID and client secret

    The secret token is the base64 encoding of <clientID>:<clientsecret>, or
    base64(<clientID>:<clientsecret>)

    These examples show how to generate the secret token on Windows, Linux, or macOS.

    In a Windows environment, open CMD and use this PowerShell command to generate the base64 encoding:
    powershell -Command "[Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('<clientID>:<clientsecret>'))"
    The bytes must be UTF-8 so that the result matches the Linux and macOS commands. The .NET Unicode encoding is UTF-16 and produces a different token.

    In Linux, use:
    echo -n '<clientID>:<clientsecret>' | base64 --wrap=0
    In macOS, use:
    echo -n '<clientID>:<clientsecret>' | base64
    The secret token is returned. For example:
    echo -n 392357752347523923457437:3454-9853-7843-3554 | base64
    Nk0NzUyMzcyMzQ1NzMTc0NzUyMzMtNTQzNC05ODc4LTUzNQ==

    Make a note of the secret token value.
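
The following Python sketch is an added example, not part of the original tutorial. It builds the secret token as defined above and checks a token for the mistakes the commands above can introduce (line wrapping, UTF-16 input, a trailing newline). The function names are hypothetical, and the client ID and secret are the sample values from the example above.

```python
import base64
import binascii

def build_secret_token(client_id, client_secret):
    """base64(<clientID>:<clientsecret>) over UTF-8 bytes, on one line."""
    pair = f"{client_id}:{client_secret}".encode("utf-8")
    return base64.b64encode(pair).decode("ascii")

def diagnose_token(token):
    """Return the reasons a token differs from the expected form ([] if none)."""
    problems = []
    if any(ch.isspace() for ch in token):
        problems.append("whitespace or line wrap in token")
    try:
        raw = base64.b64decode("".join(token.split()), validate=True)
    except (binascii.Error, ValueError):
        return problems + ["not valid base64"]
    if b"\x00" in raw:
        # 'id:secret' encoded as UTF-16 has a NUL after every ASCII byte.
        problems.append("input was encoded as UTF-16, not UTF-8")
        raw = raw.replace(b"\x00", b"")
    if raw.endswith((b"\n", b"\r")):
        problems.append("trailing newline in input (echo without -n)")
    if b":" not in raw:
        problems.append("no ':' between client ID and client secret")
    return problems

# Sample values from the example above; not real credentials.
CLIENT_ID = "392357752347523923457437"
CLIENT_SECRET = "3454-9853-7843-3554"

if __name__ == "__main__":
    good = build_secret_token(CLIENT_ID, CLIENT_SECRET)
    utf16 = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode("utf-16-le")).decode()
    wrapped = good[:20] + "\n" + good[20:]
    for label, tok in (("utf-8", good), ("utf-16", utf16), ("wrapped", wrapped)):
        print(label, diagnose_token(tok) or "ok")
```

The demo prints only the diagnosis for each case, never the token itself, because the token is equivalent to the client secret.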

3. Create OCI application on Entra ID

Configure Entra ID to be the authoritative identity store to manage identities in IAM.

  1. In the browser, sign in to Microsoft Entra ID using the URL:
    https://portal.azure.com
  2. Click Identity then Applications.
  3. Click Enterprise applications.

    Add an enterprise app

  4. On the Enterprise applications page, click New application then Oracle.
  5. Select Oracle Cloud Infrastructure Console.

    Choose Oracle Cloud Infrastructure Console

  6. Enter a name, or accept the default of Oracle Cloud Infrastructure Console.
  7. Click Create.

    Create OCI IAM console app

  8. Choose Provisioning from the left menu under Manage.

    Provisioning page for the enterprise application in Entra ID

  9. Click Get started, and change Provisioning Mode to Automatic.
  10. In Tenant URL, enter the OCI IAM domain URL from section 2, Find the Domain URL and Generate a Secret Token, followed by /admin/v1. That is, the tenant URL is:
    https://<domainURL>/admin/v1
  11. Enter the secret token you generated in section 2, Find the Domain URL and Generate a Secret Token.

    Enter admin credentials

  12. Click Test Connection. When this message appears, the connection is successful:
    Testing connection to Oracle Cloud Infrastructure Console
    The supplied credentials are authorized to enable provisioning
  13. Choose Provisioning from the left menu under Manage and click Start provisioning. The provisioning cycle starts, and the status of provisioning is displayed.
4. Assign Users and Groups to the Entra ID Application

Assign the users that you want to provision to OCI IAM to the Entra ID application.

  1. In Entra ID, in the left menu click Enterprise applications.
  2. Click the application you created earlier, Oracle Cloud Infrastructure Console.
  3. In the left menu under Manage, click Users and groups.
  4. In the Users and groups page, click Add user/group.
  5. In the Add Assignment page, on the left under Users and groups, click None Selected.

    The Users and groups page opens.

  6. Select one or more users or groups from the list by clicking on them. The ones you select are listed under Selected items.

    Users and Groups

  7. Click Select. The number of users and groups selected is shown on the Add Assignment page.

  8. On the Add Assignment page, click Assign.

    The Users and groups page now shows the users and groups you have chosen.

  9. Click Provisioning in the left menu to provision the groups and users. The provisioning log shows the status.

    The provisioning log showing a status of successful.

  10. When provisioning has been successful, the Current cycle status shows that the incremental cycle has completed and the number of users provisioned to OCI IAM is shown.

    The status of provisioning is shown, along with the number of users provisioned to OCI IAM

    In OCI IAM, you can now see the users and groups provisioned from Entra ID.

    The Entra ID users now provisioned in IAM
    Note

    When you remove users from the Oracle Cloud Infrastructure console app on Entra ID, the user will only be deactivated on OCI IAM.

    The Entra ID groups now provisioned in IAM

5. Additional Configurations for Federated Users
  • You can set users' federated status so that they're authenticated by the external identity provider.
  • You can disable notification emails being sent to the user when their account is created or updated.
a. Setting Users' Federated Status

Federated users don't have credentials to sign in directly to OCI. Instead they're authenticated by the external identity provider. If you want users to use their federated accounts to sign in to OCI, set the federated attribute to true for those users.

To set the user's federated status:

  1. In the browser, sign in to Microsoft Entra ID using the URL:
    https://portal.azure.com
  2. Click Identity then Applications.
  3. Click Enterprise applications.
  4. Click the application you created earlier, Oracle Cloud Infrastructure Console.
  5. In the left menu under Manage, click Provisioning then click Edit Provisioning.
  6. In the Provisioning page, click Mappings.
  7. Under Mappings, click Provision Entra ID Users.

  8. Under Attribute Mappings, scroll down and click Add New Mapping.

    Add New Mapping field under Attribute Mappings

  9. In the Edit Attribute page:
    • For Mapping type, choose Expression.
    • For Expression, enter CBool("true").
    • For Target Attribute, choose urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User:isFederatedUser.

      Edit Attribute page

  10. Click Ok.
  11. In the Attribute Mapping page, click Save.

Now, when the users are provisioned from Entra ID to OCI, their federated status is set to true. You can see this in the user's profile page.

  • In the OCI Console, navigate to the identity domain you are using, click Users, and click the user to show the user information.
  • Federated is shown as Yes.

    User information showing that the user is federated

b. Disable Notifications for Account Creation or Updates

The bypass notification flag controls whether an email notification is sent after creating or updating a user account in OCI. If you don't want users to be notified that accounts have been created for them, then set the bypass notification flag to true.

To set the bypass notification flag:

  1. In the browser, sign in to Microsoft Entra ID using the URL:
    https://portal.azure.com
  2. Click Identity then Applications.
  3. Click Enterprise applications.
  4. Click the application you created earlier, Oracle Cloud Infrastructure Console.
  5. In the left menu under Manage, click Provisioning then click Edit Provisioning.
  6. In the Provisioning page, click Mappings.
  7. Under Mappings, click Provision Entra ID Users.

    Provision Entra ID Users under Mappings, in the Provisioning Mode page

  8. Under Attribute Mappings, scroll down and click Add New Mapping.

    Add New Mapping field under Attribute Mappings

  9. In the Edit Attribute page:
    • For Mapping type, choose Expression.
    • For Expression, enter CBool("true").
    • For Target Attribute, choose urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User:bypassNotification.

      Edit Attribute page

  10. Click Ok.
  11. In the Attribute Mapping page, click Save.
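
The following Python sketch is an added example, not part of the original tutorial, covering the two mappings in sections 5a and 5b. It splits each target attribute into its extension schema URN and attribute name, then reports which users in a set of SCIM user payloads do not carry the flag as a JSON boolean true. The payloads are constructed, their shape (extension attributes nested under the schema URN) is an assumption, and the function names are hypothetical.

```python
# Target attributes entered in the two mappings of section 5.
TARGETS = (
    "urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User:isFederatedUser",
    "urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User:bypassNotification",
)

def split_target(path):
    """Split '<extension schema URN>:<attribute name>' at the last colon."""
    schema, _, attr = path.rpartition(":")
    return schema, attr

def unset_flags(user, targets=TARGETS):
    """Names of target attributes that are not a JSON boolean true on this user."""
    unset = []
    for schema, attr in map(split_target, targets):
        ext = user.get(schema)
        value = ext.get(attr) if isinstance(ext, dict) else None
        if value is not True:  # the string "true" does not count
            unset.append(attr)
    return unset

def audit(users):
    """Map userName -> unset flags, listing only users that have any."""
    return {u.get("userName", "?"): f for u in users if (f := unset_flags(u))}

EXT = split_target(TARGETS[0])[0]
# Constructed SCIM user payloads (assumed shape), not captured from a tenant.
SAMPLE_USERS = [
    {"userName": "alice@example.com",
     EXT: {"isFederatedUser": True, "bypassNotification": True}},
    {"userName": "bob@example.com",
     EXT: {"isFederatedUser": "true", "bypassNotification": True}},
    {"userName": "carol@example.com"},
]

if __name__ == "__main__":
    for name, flags in audit(SAMPLE_USERS).items():
        print(f"{name}: not set to true -> {', '.join(flags)}")
```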