SSO Between OCI and Microsoft Azure

In this tutorial, configure SSO between the OCI IAM and Microsoft Azure AD, using Azure AD as the identity provider (IdP).

This 30 minute tutorial shows you how to integrate OCI IAM, acting as a service provider (SP), with Azure AD, acting as an IdP. By setting up federation between Azure AD and OCI IAM, you enable users' access to services and applications in OCI using user credentials that Azure AD authenticates.

This tutorial covers setting up Azure AD as an IdP for OCI IAM.

  1. First, download the metadata from the OCI IAM identity domain.
  2. In the next few steps you create and configure an app in Azure.
  3. In Azure, set up SSO with OCI IAM using the metadata.
  4. In Azure, edit the Attributes and Claims so that the email name is used as the identifier for users.
  5. In Azure, add a user to the app.
  6. For the next steps, you return to your identity domain to finish the setup and configuration. In OCI IAM, update the default IdP policy to add Azure AD.
  7. Test that federated authentication works between OCI IAM and Azure AD.
Note

This tutorial is specific to IAM with Identity Domains.
Before You Begin

To perform this tutorial, you must have the following:

  • A paid Oracle Cloud Infrastructure (OCI) account, or an OCI trial account. See Oracle Cloud Infrastructure Free Tier.

  • Identity domain administrator role for the OCI IAM identity domain. See Understanding Administrator Roles.
  • An Azure AD account with one of the following Azure AD roles:
    • Global Administrator
    • Cloud Application Administrator
    • Application Administrator
Note

The user used for Single Sign-On (SSO) must exist in both OCI IAM and Azure AD for SSO to work. After you complete this SSO tutorial, there is another tutorial, Identity Lifecycle Management Between OCI IAM and Azure AD. This other tutorial guides you through how to provision user accounts from Azure AD to OCI IAM or from OCI IAM to Azure AD.
1. Get the Service Provider Metadata from OCI IAM

You need the SP metadata from your OCI IAM identity domain to import into the SAML Azure AD application you create. OCI IAM provides a direct URL to download the metadata of the identity domain you are using. To download the metadata, follow these steps.

  1. Open a supported browser and enter the Console URL:

    https://cloud.oracle.com.

  2. Enter your Cloud Account Name, also referred to as the tenancy name, and click Next.
  3. Select the identity domain to sign in to. This is the identity domain that is used to configure SSO, for example Default.
  4. Sign in with your username and password.
  5. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  6. Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, click Settings and then Domain settings.
  7. Under Access signing certificate, check Configure client access.

    This lets a client access the signing certificate for the identity domain without signing in to the domain.

  8. Click Save changes.

    Configure client access on the Domain Settings page

  9. Return to the identity domain overview by clicking the identity domain name in the breadcrumb navigation trail. Click Copy next to the Domain URL in Domain information and save the URL to an app where you can edit it.

    The domain information showing where the Domain URL information is.

  10. In a new browser tab, paste the URL you copied and add /fed/v1/metadata to the end.

    For example,

    https://idcs-<unique_ID>.identity.oraclecloud.com:443/fed/v1/metadata
  11. The metadata for the identity domain is displayed in the browser. Save it as an XML file with the name OCIMetadata.xml.
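Before uploading OCIMetadata.xml in the next section, it is worth confirming that the file actually is SP metadata and carries what the IdP needs: an entityID, an HTTPS AssertionConsumerService endpoint, the emailAddress NameID format and a signing certificate. The following Python script is an added example, not part of the tutorial or Oracle's tooling; the embedded metadata is a constructed sample in the shape of standard SAML 2.0 SP metadata, and its entityID, endpoint and certificate are placeholders rather than values from a real identity domain.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML Signature namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# NameID format that the later sections of the tutorial rely on.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample in the shape of standard SAML SP metadata; the entityID,
# endpoint and certificate are placeholders, not values from a real domain.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idcs-EXAMPLE.identity.oraclecloud.com:443/fed">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER-CERT...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idcs-EXAMPLE.identity.oraclecloud.com:443/fed/v1/sp/sso"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def metadata_url(domain_url: str) -> str:
    """Build the metadata URL from the Domain URL copied from the console (step 10)."""
    return domain_url.rstrip("/") + "/fed/v1/metadata"


def parse_sp_metadata(xml_text: str) -> dict:
    """Pull out the fields an IdP consumes from the SPSSODescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service provider metadata")
    acs = [
        {"binding": e.get("Binding"), "location": e.get("Location"),
         "default": e.get("isDefault") == "true"}
        for e in sp.findall("md:AssertionConsumerService", NS)
    ]
    formats = [(e.text or "").strip() for e in sp.findall("md:NameIDFormat", NS)]
    certs = [
        k.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", "", NS).strip()
        for k in sp.findall("md:KeyDescriptor", NS)
        if k.get("use") in (None, "signing")  # an unqualified KeyDescriptor covers both uses
    ]
    return {
        "entity_id": root.get("entityID"),
        "acs": acs,
        "name_id_formats": formats,
        "signing_certs": [c for c in certs if c],
        "wants_signed_assertions": sp.get("WantAssertionsSigned") == "true",
    }


def check_sp_metadata(info: dict) -> list:
    """Return the problems found; an empty list means the file is ready to upload."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if not info["acs"]:
        problems.append("no AssertionConsumerService endpoint")
    for endpoint in info["acs"]:
        if not (endpoint["location"] or "").startswith("https://"):
            problems.append("ACS endpoint is not HTTPS: %s" % endpoint["location"])
    if EMAIL_FORMAT not in info["name_id_formats"]:
        problems.append("SP does not advertise the emailAddress NameID format")
    if not info["signing_certs"]:
        problems.append("no signing certificate in metadata")
    if not info["wants_signed_assertions"]:
        problems.append("WantAssertionsSigned is not true")
    return problems


if __name__ == "__main__":
    info = parse_sp_metadata(SAMPLE_METADATA)
    print("entityID:", info["entity_id"])
    for endpoint in info["acs"]:
        print("ACS:", endpoint["binding"].rsplit(":", 1)[-1], endpoint["location"])
    print("problems:", check_sp_metadata(info) or "none")
```

To run it against the real file, read OCIMetadata.xml into a string and pass it to parse_sp_metadata; the checks are deliberately strict (HTTPS endpoints, signed assertions required) because the IdP trusts whatever this file says about where to post assertions.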
2. Create an Azure AD Enterprise Application

For the next few steps, you are working in Azure AD.

Create a SAML enterprise application in Azure AD.

  1. In the browser, sign in to Microsoft Azure using the URL:
    https://portal.azure.com
  2. Click Azure Active Directory to open the Azure Active Directory overview page.
  3. In the left menu, click Enterprise applications.
  4. On the Enterprise applications page, click New application.
  5. In Search applications, type Oracle Cloud Infrastructure Console.
  6. Click Oracle Cloud Infrastructure Console by Oracle Corporation.
  7. Enter a name for the app, for example, Oracle IAM, and click Create.

    Azure AD showing the name of the app

    The enterprise app is created in Azure AD.

3. Set Up Single Sign-On for the Azure AD Enterprise App

Set up SSO for the Azure AD SAML application, and download the Azure AD SAML metadata. In this section, you use the OCI IAM SP metadata file you saved in 1. Get the Service Provider Metadata from OCI IAM.

  1. In the Getting Started page, click Get started under Set up single sign on.
  2. Click SAML, then click Upload metadata file (button at the top of the page). Browse to the XML file containing the OCI identity domain metadata, OCIMetadata.xml.
  3. Provide the Sign on URL. For example:
    https://idcs-<domain_ID>.identity.oraclecloud.com/ui/v1/myconsole
  4. Click Save.
  5. Close the Upload metadata file page from the X in the upper right. If you are asked whether you want to test the application now, choose not to because you will test the application later in this tutorial.
  6. In the Set up Single Sign-On with SAML page, scroll down and in SAML Signing Certificate, click Download next to Federation Metadata XML.
  7. When prompted, choose Save File. The metadata is automatically saved with the default filename <your_enterprise_app_name>.xml. For example, OracleIAM.xml.

    The Azure AD SAML-based SSO page

4. Edit Attributes and Claims

Edit the Attributes and Claims in your new Azure AD SAML app so that the user email address is used as the user name.

  1. In the enterprise application, from the menu on the left, click Single sign-on.
  2. In Attributes and Claims, click Edit.
  3. Click the required claim:
    Unique User Identifier (Name ID) = user.mail [nameid-format:emailAddress]
  4. In the Manage claim page, change the Source attribute from user.userprincipalname to user.mail.

    Azure AD attributes and claims

  5. Click Save.

Additional Azure AD Configurations

In Azure AD, you can filter groups based on the group name or sAMAccountName attribute.

For example, suppose only the Administrators group needs to be sent over using SAML:

  1. Click the group claim.
  2. In Group Claims, expand Advanced options.
  3. Select Filter Groups.
    • For Attribute to match, select Display Name.
    • For Match with, select contains.
    • For String, provide the name of the group, for example, Administrators.

    Filter for groups

Using this option, even if the user in the Administrators group is also a member of other groups, Azure AD sends only the Administrators group in the SAML assertion.
Note

This helps organisations to send only the required groups to OCI IAM from Azure AD.
5. Add a User to the Azure AD Application

Create a user for your Azure AD application. Later, this user can use their Azure AD credentials to sign in to the OCI Console.

  1. In the Azure Active Directory Admin Center, My Dashboard, click Users.
  2. Click New user, create a user, and enter their email ID.
    Note

    Ensure that you use the details of a user present in OCI IAM with the same email ID.
  3. Return to the enterprise application menu. Under Getting Started, click Assign users and groups. Alternatively, click Users from under Manage on the menu on the left.
  4. Select Add user/group, and on the next page under Users click None Selected.
  5. In the Users page, click the test user you created. As you select it, the user appears under Selected items. Click Select.
  6. Back on the Add Assignment page, click Assign.
6. Enable Azure AD as IdP for OCI IAM

For these steps, you are working in OCI IAM.

Add Azure AD as an IdP for OCI IAM. In this section, you use the Azure AD metadata file you saved in 3. Set Up Single Sign-On for the Azure AD Enterprise App, for example, Oracle IAM.xml.

  1. In the OCI Console in the domain you are working in, click Security and then Identity providers.
  2. Click Add IdP, then click Add SAML IdP.
  3. Enter a name for the SAML IdP, for example Azure AD. Click Next.
  4. Ensure that Import identity provider metadata is selected, and browse and select, or drag and drop the Azure AD metadata XML file, Oracle IAM.xml into Identity provider metadata. This is the metadata file you saved when you worked through 3. Set Up Single Sign-On for the Azure AD Enterprise App. Click Next.
  5. In Map user identity, set the following
    • Under Requested NameID format, select Email address.
    • Under Identity provider user attribute, select SAML assertion Name ID.
    • Under Identity domain user attribute, select Primary email address.

    SAML identity provider attributes

  6. Click Next.
  7. Under Review and Create, verify the configurations and click Create IdP.
  8. Click Activate.
  9. Click Add to IdP Policy Rule.
  10. Click Default Identity Provider Policy to open it, click the Actions menu, and then click Edit IdP rule.

    The context menu showing "Edit IdP Rule"

  11. Click Assign identity providers and then click Azure AD to add it to the list.

    Adding Azure AD as an identity provider in the default IdP rule

  12. Click Save Changes.
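Sections 4 and 6 together define how a federated login is matched to an account: Azure AD puts the user's mail attribute into the NameID with the emailAddress format, and OCI IAM maps that NameID to the primary email address of an existing user. The group filter in the Additional Azure AD Configurations section decides which group values reach OCI IAM. When a login fails, the quickest way to see which side is misconfigured is to read the assertion Azure AD actually sent (browser SAML tracer tools show it base64-decoded). The following Python script is an added example, not part of the tutorial or Oracle's tooling: it inspects a decoded assertion for exactly those three things. The assertion and the user directory are constructed samples with placeholder tenant and entityID values, and the script does not verify the XML signature, which OCI IAM does as the SP; it is a reading aid, not a validator.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# NameID format chosen in sections 4 and 6 of the tutorial.
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Default claim name Azure AD uses for group claims in SAML tokens.
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed stand-in for an OCI IAM user lookup, keyed by primary email.
OCI_USERS = {
    "alice@example.com": {"username": "alice", "active": True},
    "bob@example.com": {"username": "bob", "active": False},
}

# Constructed, unsigned assertion; tenant ID and entityID are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Alice@Example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://idcs-EXAMPLE.identity.oraclecloud.com:443/fed</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>Administrators</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def inspect_assertion(xml_text, sp_entity_id, users, allowed_groups):
    """Report how a decoded assertion would map onto OCI IAM.

    Signature verification is deliberately out of scope: the SP performs it,
    and this helper only reads what the IdP sent."""
    root = ET.fromstring(xml_text)
    findings = []

    name_id = root.find("saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    value = (name_id.text or "").strip() if name_id is not None else ""
    if fmt != EMAIL_FORMAT:
        findings.append("NameID format is %s, expected emailAddress" % fmt)

    # The sample directory is keyed by lower-cased email; a real check should
    # follow the identity domain's own matching rule.
    user = users.get(value.lower())
    if user is None:
        findings.append("no OCI IAM user with primary email %s" % value)
    elif not user["active"]:
        findings.append("OCI IAM user %s is inactive" % user["username"])

    audiences = [(a.text or "").strip() for a in
                 root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        findings.append("audience %s does not include the SP entityID" % audiences)

    groups = [(v.text or "").strip()
              for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)
              if a.get("Name") == GROUPS_CLAIM
              for v in a.findall("saml:AttributeValue", NS)]
    unexpected = sorted(set(groups) - set(allowed_groups))
    if unexpected:
        findings.append("groups outside the configured filter: %s" % unexpected)

    return {
        "name_id": value,
        "format": fmt,
        "user": user["username"] if user else None,
        "groups": groups,
        "findings": findings,
    }


if __name__ == "__main__":
    result = inspect_assertion(SAMPLE_ASSERTION,
                               "https://idcs-EXAMPLE.identity.oraclecloud.com:443/fed",
                               OCI_USERS, ["Administrators"])
    for key, val in result.items():
        print("%-9s %s" % (key + ":", val))
```

An empty findings list means the NameID is an email address, it belongs to an active user in the domain, the assertion is addressed to this SP, and only the filtered groups were sent; each non-empty finding points at the section of the tutorial to revisit (claim source attribute, user provisioning, metadata upload, or group filter).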
7. Test SSO Between Azure AD and OCI

In this section, you can test that federated authentication works between OCI IAM and Azure AD.
Note

For this to work, the user used for SSO must be present in both OCI IAM and Azure AD. Also, the user must be assigned to the OCI IAM application created in Azure AD.

There are two ways to do this:

If you haven't set up users to test this tutorial, you see the following error:

    Sorry, but we're having trouble signing you in.
    AADSTS50105: Your administrator has configured
    the application application-name ('<unique_ID>')
    to block users unless they are specifically granted
    ('assigned') access to the application.

Test the SP initiated SSO.

  1. Open a supported browser and enter the OCI Console URL:

    https://cloud.oracle.com.

  2. Enter your Cloud Account Name, also referred to as your tenancy name, and click Next.
  3. Select the identity domain in which Azure AD federation has been configured.
  4. On the sign-in page, you can see an option to sign in with Azure AD.

    OCI IAM sign-in page

  5. Select Azure AD. You are redirected to the Microsoft login page.
  6. Provide your Azure AD credentials.
  7. On successful authentication, you are logged in to the OCI Console.
What's Next

Congratulations! You have successfully set up SSO between Azure AD and OCI IAM.

If you already had a user who was created in Azure AD, assigned to the application, and provisioned to OCI IAM, you were able to test that federated authentication works between OCI IAM and Azure AD. If you didn't have such a user, you can create one by following one of the Identity Lifecycle Management Between OCI IAM and Azure AD tutorials.

To explore more information about development with Oracle products, check out these sites: