SSO Between OCI and Microsoft Azure
In this tutorial, configure SSO between the OCI IAM and Microsoft Azure AD, using Azure AD as the identity provider (IdP).
This 30 minute tutorial shows you how to integrate OCI IAM, acting as a service provider (SP), with Azure AD, acting as an IdP. By setting up federation between Azure AD and OCI IAM, you enable users' access to services and applications in OCI using user credentials that Azure AD authenticates.
This tutorial covers setting up Azure AD as an IdP for OCI IAM.
- First, download the SP metadata from the OCI IAM identity domain.
- In Azure, create and configure an enterprise app.
- In Azure, set up SSO with OCI IAM using that metadata.
- In Azure, edit the Attributes and Claims so that the user's email address is used as the identifier for users.
- In Azure, add a user to the app.
- In OCI IAM, add Azure AD as an IdP and update the default IdP policy to include it.
- Test that federated authentication works between OCI IAM and Azure AD.
This tutorial is specific to IAM with Identity Domains.
To perform this tutorial, you must have the following:
- A paid Oracle Cloud Infrastructure (OCI) account, or an OCI trial account. See Oracle Cloud Infrastructure Free Tier.
- Identity domain administrator role for the OCI IAM identity domain. See Understanding Administrator Roles.
- An Azure AD account with one of the following Azure AD roles:
- Global Administrator
- Cloud Application Administrator
- Application Administrator
The user used for Single Sign On (SSO) must exist in both OCI IAM and Azure AD for SSO to work. After you complete this SSO tutorial, there is another tutorial, Identity Lifecycle Management Between OCI IAM and Azure AD, which shows how to provision user accounts from Azure AD to OCI IAM or from OCI IAM to Azure AD.
You need the SP metadata from your OCI IAM identity domain to import into the SAML Azure AD application you create. OCI IAM provides a direct URL to download the metadata of the identity domain you are using. To download the metadata, follow these steps.
- Open a supported browser and enter the OCI Console URL.
- Enter your Cloud Account Name, also referred to as the tenancy name, and click Next.
- Select the identity domain to sign in to. This is the identity domain that is used to configure SSO, for example Default.
- Sign in with your username and password.
- Open the navigation menu and click Identity & Security. Under Identity, click Domains.
- Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, click Settings and then Domain settings.
- Under Access signing certificate, select Configure client access. This lets a client retrieve the signing certificate (and the metadata that carries it) for the identity domain without signing in to the domain, which is what the metadata URL you open in the next steps relies on.
- Click Save changes.
- Return to the identity domain overview by clicking the identity domain name in the breadcrumb navigation trail. Click Copy next to the Domain URL in Domain information and save the URL somewhere you can edit it.
- In a new browser tab, paste the URL you copied and add /fed/v1/metadata to the end. For example: https://idcs-<unique_ID>.identity.oraclecloud.com:443/fed/v1/metadata
- The metadata for the identity domain is displayed in the browser. Save it as an XML file with the name OCIMetadata.xml.
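The document served at /fed/v1/metadata is exactly what Azure imports in the next section, so it is worth inspecting it before uploading. The following Python is an added example, not part of this tutorial and not OCI code: it builds the metadata URL from a Domain URL, optionally fetches it, and extracts the entityID, signing certificate, NameID formats and HTTP-POST Assertion Consumer Service endpoint from the SAML 2.0 metadata, then lists anything a reviewer would want fixed before continuing. The embedded metadata document and the idcs-example host are constructed samples; only the /fed/v1/metadata suffix and the SAML element names come from the tutorial and the SAML metadata schema.

```python
"""Inspect OCI IAM identity-domain SP metadata before uploading it to Azure AD.

Added example for this tutorial; not Oracle's code. SAMPLE_METADATA and the
idcs-example host are constructed; real metadata is longer (XML signature,
encryption key, SingleLogoutService endpoints).
"""
import sys
import urllib.request
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of the shape of the document the identity domain serves.
SAMPLE_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idcs-example.identity.oraclecloud.com:443/fed">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-constructed-placeholder</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idcs-example.identity.oraclecloud.com:443/fed/v1/sp/sso"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def metadata_url(domain_url: str) -> str:
    """Append /fed/v1/metadata to the Domain URL copied from the Console."""
    if not domain_url.startswith("https://"):
        raise ValueError("the identity domain URL must use https")
    return domain_url.rstrip("/") + "/fed/v1/metadata"


def fetch_metadata(domain_url: str, timeout: float = 10.0) -> bytes:
    """Download the metadata anonymously; needs Configure client access enabled."""
    with urllib.request.urlopen(metadata_url(domain_url), timeout=timeout) as resp:
        return resp.read()


def parse_sp_metadata(xml_bytes: bytes) -> dict:
    """Pull the fields Azure AD will consume out of the SP metadata."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    signing = [
        k for k in sp.findall(f"{{{MD}}}KeyDescriptor")
        if k.get("use", "signing") == "signing"  # a KeyDescriptor without 'use' covers signing too
        and k.find(f".//{{{DS}}}X509Certificate") is not None
    ]
    acs = [(a.get("Binding"), a.get("Location"))
           for a in sp.findall(f"{{{MD}}}AssertionConsumerService")]
    return {
        "entity_id": root.get("entityID"),
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "signing_certs": len(signing),
        "nameid_formats": [n.text.strip() for n in sp.findall(f"{{{MD}}}NameIDFormat") if n.text],
        "acs_post": [loc for binding, loc in acs if binding == POST_BINDING],
    }


def check_sp_metadata(info: dict) -> list:
    """Return the problems to fix before uploading this file to Azure AD."""
    problems = []
    if not info["entity_id"]:
        problems.append("missing entityID")
    if info["signing_certs"] == 0:
        problems.append("no signing certificate in SPSSODescriptor")
    if not info["want_assertions_signed"]:
        problems.append("WantAssertionsSigned is not true")
    if not info["acs_post"]:
        problems.append("no HTTP-POST AssertionConsumerService")
    problems += [f"ACS endpoint is not https: {loc}"
                 for loc in info["acs_post"] if not loc.startswith("https://")]
    return problems


if __name__ == "__main__":
    # Usage: python sp_metadata.py https://idcs-<unique_ID>.identity.oraclecloud.com:443
    raw = fetch_metadata(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_METADATA
    parsed = parse_sp_metadata(raw)
    print(parsed)
    print("problems:", check_sp_metadata(parsed) or "none")
```

Run it with no argument to see it work on the constructed sample, or pass your Domain URL to check the real document. The entityID and ACS Location it prints are the values Azure fills into Identifier (Entity ID) and Reply URL when you upload the file, so keep them for the test at the end of the tutorial.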
For the next few steps, you are working in Azure AD.
Create a SAML enterprise application in Azure AD.
- In the browser, sign in to Microsoft Azure using the URL https://portal.azure.com
- Click Azure Active Directory to open the Azure Active Directory overview page.
- In the left menu, click Enterprise applications.
- On the Enterprise applications page, click New application.
- In Search applications, type Oracle Cloud Infrastructure Console.
- Click Oracle Cloud Infrastructure Console by Oracle Corporation.
- Enter a name for the app, for example, Oracle IAM, and click Create. The enterprise app is created in Azure AD.
Set up SSO for the Azure AD SAML application, and download the Azure AD SAML metadata. In this section, you use the OCI IAM SP metadata file you saved in 1. Get the Service Provider Metadata from OCI IAM.
- On the Getting Started page, click Get started under Set up single sign on.
- Click SAML, then click Upload metadata file (the button at the top of the page). Browse to the XML file containing the OCI identity domain metadata, OCIMetadata.xml.
- Provide the Sign on URL. For example: https://idcs-<domain_ID>.identity.oraclecloud.com/ui/v1/myconsole
- Click Save.
- Close the Upload metadata file page with the X in the upper right. If you are asked whether you want to test the application now, choose not to, because you test the application later in this tutorial.
- In the Set up Single Sign-On with SAML page, scroll down and, in SAML Signing Certificate, click Download next to Federation Metadata XML.
- When prompted, choose Save File. The metadata is saved with the default filename <your_enterprise_app_name>.xml, for example, Oracle IAM.xml.
Edit the Attributes and Claims in your new Azure AD SAML app so that the user email address is used as the user name.
- In the enterprise application, from the menu on the left, click Single sign-on.
- In Attributes and Claims, click Edit.
- Click the required claim, Unique User Identifier (Name ID). When you have finished this procedure it reads: Unique User Identifier (Name ID) = user.mail [nameid-format:emailAddress]
- In the Manage claim page, change the Source attribute from user.userprincipalname to user.mail.
- Click Save.
Additional Azure AD Configurations
In Azure AD, you can filter the groups sent in the SAML group claim by the group name (Display Name) or by the sAMAccountName attribute.
For example, suppose only the Administrators group needs to be sent over using SAML:
- Click the group claim.
- In Group Claims, expand Advanced options.
- Select Filter groups.
- For Attribute to match, select Display Name.
- For Match with, select contains.
- For String, provide the name of the group, for example, Administrators.
This lets organizations send only the required groups to OCI IAM from Azure AD. Note that contains is a substring match: any group whose display name merely contains the string is also sent, so choose a string that matches only the groups you intend.
Create a user for your Azure AD application. Later, this user can use their Azure AD credentials to sign in to the OCI Console.
- In the Azure Active Directory Admin Center, My Dashboard, click Users.
- Click New user, create a user, and enter their email ID. Note: use the details of a user that is present in OCI IAM with the same email ID.
- Return to the enterprise application menu. Under Getting Started, click Assign users and groups. Alternatively, click Users under Manage in the menu on the left.
- Select Add user/group, and on the next page under Users click None Selected.
- In the Users page, click the test user you created. As you select it, the user appears under Selected items. Click Select.
- Back on the Add Assignment page, click Assign.
For these steps, you are working in OCI IAM.
Add Azure AD as an IdP for OCI IAM. In this section, you use the Azure AD metadata file you saved in 3. Set Up Single Sign-On for the Azure AD Enterprise App, for example, Oracle IAM.xml.
- In the OCI Console, in the identity domain you are working in, click Security and then Identity providers.
- Click Add IdP, then click Add SAML IdP.
- Enter a name for the SAML IdP, for example Azure AD. Click Next.
- Ensure that Import identity provider metadata is selected, then browse and select, or drag and drop, the Azure AD metadata XML file, Oracle IAM.xml, into Identity provider metadata. This is the metadata file you saved when you worked through 3. Set Up Single Sign-On for the Azure AD Enterprise App. Click Next.
- In Map user identity, set the following:
  - Under Requested NameID format, select Email address.
  - Under Identity provider user attribute, select SAML assertion Name ID.
  - Under Identity domain user attribute, select Primary email address.
- Click Next.
- Under Review and Create, verify the configuration and click Create IdP.
- Click Activate.
- Click Add to IdP Policy Rule.
- Click Default Identity Provider Policy to open it, then open the menu for the rule and click Edit IdP rule.
- Click Assign identity providers and then click Azure AD to add it to the list.
- Click Save Changes.
For this to work, the user used for SSO must be present in both OCI IAM and Azure AD, and the user must be assigned to the OCI IAM enterprise application you created in Azure AD.
There are two ways to do this:
- Manually create a test user in both OCI IAM and Azure AD.
- If you want to test with real users, set up provisioning between Azure AD and OCI IAM by following the steps in the tutorial Identity Lifecycle Management Between OCI IAM and Azure AD.
If the user is not assigned to the enterprise application, Azure AD refuses the sign-in with an error similar to the following:
Sorry, but we're having trouble signing you in.
AADSTS50105: Your administrator has configured
the application application-name ('<unique_ID>')
to block users unless they are specifically granted
('assigned') access to the application.
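To see how the two settings above fit together (the Azure claim Unique User Identifier (Name ID) = user.mail with nameid-format:emailAddress, and the OCI rule SAML assertion Name ID mapped to Primary email address) and why the user must already exist in OCI IAM, here is an added Python example that is not part of this tutorial and not OCI or Microsoft code. It applies that mapping rule to a constructed assertion, shows the two failures the claim edit prevents (a UPN value that matches no OCI user, and a NameID that is not in email format), and applies the Display Name contains group filter from Additional Azure AD Configurations to constructed group names. The user table, assertion contents, tenant ID and group names are constructed; the prefix match rule is included only for comparison and is an assumption, not taken from the page. Signature, audience and validity-window checks are out of scope here and must happen before any of this in a real service provider.

```python
"""Apply the OCI IAM 'Map user identity' rule to a SAML assertion from Azure AD.

Added example for this tutorial; not Oracle's or Microsoft's code. The user
table, assertion, tenant ID and group names are constructed. The assertion's
XML signature is not checked here; a real SP must verify it first.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed identity-domain user table: primary email -> OCI user name.
OCI_USERS = {"alice@example.com": "alice.example"}

# Constructed assertion as Azure AD would issue after the Attributes and Claims
# edit (NameID = user.mail, emailAddress format). Signature element omitted.
ASSERTION_OK = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>Administrators</saml:AttributeValue>
      <saml:AttributeValue>Non-Administrators</saml:AttributeValue>
      <saml:AttributeValue>Developers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same user, but the claim still carries the UPN: the value no longer matches
# the primary email held in OCI IAM, which is why the tutorial switches to user.mail.
ASSERTION_UPN = ASSERTION_OK.replace(">alice@example.com<", ">alice@contoso.onmicrosoft.com<")

# Right value, wrong NameID format: the OCI IdP was told to request Email address.
ASSERTION_BAD_FORMAT = ASSERTION_OK.replace(EMAIL_FORMAT, UNSPECIFIED_FORMAT)


def map_identity(assertion_xml: str, users=OCI_USERS) -> dict:
    """Return {'user': ..., 'email': ...} on success or {'error': reason}."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None or not (name_id.text or "").strip():
        return {"error": "assertion carries no NameID"}
    fmt = name_id.get("Format")
    if fmt != EMAIL_FORMAT:
        return {"error": f"NameID format is {fmt}, not emailAddress; check the Azure claim"}
    email = name_id.text.strip().lower()  # case folding is this example's choice
    user = users.get(email)
    if user is None:
        return {"error": f"no identity-domain user with primary email {email}; create or provision it"}
    return {"user": user, "email": email}


def groups_from_assertion(assertion_xml: str) -> list:
    """Collect the values of the Azure AD groups claim, in assertion order."""
    root = ET.fromstring(assertion_xml)
    names = []
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") == GROUPS_CLAIM:
            names.extend(v.text.strip() for v in attr.findall(f"{{{SAML}}}AttributeValue") if v.text)
    return names


def filter_groups(display_names, match_with: str, string: str) -> list:
    """Model Azure's Filter groups rule on Display Name.

    'contains' is the rule the tutorial selects; 'prefix' is assumed here as
    the tighter alternative for comparison.
    """
    if match_with == "contains":
        keep = lambda name: string in name
    elif match_with == "prefix":
        keep = lambda name: name.startswith(string)
    else:
        raise ValueError(f"unsupported match rule: {match_with}")
    return [name for name in display_names if keep(name)]


if __name__ == "__main__":
    for label, doc in [("ok", ASSERTION_OK), ("upn", ASSERTION_UPN), ("format", ASSERTION_BAD_FORMAT)]:
        print(label, map_identity(doc))
    groups = groups_from_assertion(ASSERTION_OK)
    print("contains:", filter_groups(groups, "contains", "Administrators"))
    print("prefix:  ", filter_groups(groups, "prefix", "Administrators"))
```

The UPN case is the one that bites most often: the assertion is perfectly valid, the format is emailAddress, but alice@contoso.onmicrosoft.com is not anyone's primary email in the identity domain, so OCI cannot map the subject. The filter output also shows that a contains rule on Administrators passes Non-Administrators as well; pick a more specific string, or use a prefix style rule if your tenant offers it, before relying on the claim for authorization in OCI.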
Test the SP initiated SSO.
- Open a supported browser and enter the OCI Console URL.
- Enter your Cloud Account Name, also referred to as your tenancy name, and click Next.
- Select the identity domain in which Azure AD federation has been configured.
- On the sign-in page, you can see an option to sign in with Azure AD.
- Select Azure AD. You are redirected to the Microsoft sign-in page.
- Provide your Azure AD credentials.
- On successful authentication, you are signed in to the OCI Console.
Congratulations! You have successfully set up SSO between Azure AD and OCI IAM.
If you already had a user in Azure AD that was assigned to the application and provisioned to OCI IAM, you have now verified that federated authentication works between OCI IAM and Azure AD. If you didn't have such a user, create one by following one of the Identity Lifecycle Management Between OCI IAM and Azure AD tutorials.