Identity Federation
Learn how to create identity federation for OracleDB for Azure using Azure Active Directory.
This final onboarding step is optional. If Azure administrators believe one or more OracleDB for Azure users will need to use the OCI Console to perform tasks, then they should enable identity federation between Azure and OCI to enable users to use a single set of credentials to login to both cloud environments.
For the guided onboarding path, there is no automated process for configuring identity federation. Instead, the OracleDB for Azure portal provides a link to instructions for the steps an authorized Azure user must perform to configure identity federation between the two cloud environments.
User records in Azure Active Directory must contain a last name and valid email address to work with OracleDB for Azure identity federation.
More information
See Oracle Cloud Infrastructure IAM Policy Statements for Oracle Database Service for Azure for details on the OCI IAM policies needed when you configure identity federation for OracleDB for Azure.
Instructions
- Navigate to the OCI Console at https://cloud.oracle.com.
- Enter your Cloud Account Name, also referred to as your tenancy name, and click Next.
- Select the identity domain to sign in to. For OracleDB for Azure, you will use the Default domain.
- Sign in with your admin user name and password.
- Open the navigation menu and click Identity & Security. Under Identity, click Domains.
- In the list of domains, click the name of the domain you want to view. For OracleDB for Azure, you will use the Default domain.
- On the domain's Overview page, click Applications in list of links under Identity domain.
- Click Add application and select Confidential Application .
- Click Launch workflow.
- In the Add Confidential Application workflow, enter a Name for your application. For example, "AzureSCIMProvisioningApplication".
- Click Next at the bottom of the page.
- On the Configure OAuth page, in the Client Configuration section, select Configure this application as a client now.
- Under Authorization, select Client Credentials.
- Under Client type, select Confidential.
- In the Token issuance policy section, select Add App Roles.
- In the App roles table, click the Add roles button.
- In Add app roles panel, in the list of app roles, select User Administrator, then click Add.
- Click Next.
- On the Configure policy page, under Web Tier Policy, select Skip and do later.
- Click Finish to create the application.
-
On the details page for the application you just created, in the General Information section, locate the Client ID and Client secret fields. Copy these values into a text editor and format them as follows, using a colon (":") character as a delimiter between them:
<client_id>:<client_secret>
- Create a base64 encoded value using this string and store it in a safe place. You will need the base64 encoded value during your federation setup.
OCI allows you to use a special URL to download the SAML service provider metadata. The download URL is formatted as follows:
https://idcs-<Service-Instance-Number>.identity.oraclecloud.com/fed/v1/metadata
To Get the Service Provider Metadata from OCI IAM
- Navigate to the OCI Console at https://cloud.oracle.com.
- Enter your Cloud Account Name, also referred to as your tenancy name, and click Next.
- Select the identity domain to sign in to. For OracleDB for Azure, you will use the Default domain.
- Sign in with your user name and password.
- Open the navigation menu and click Identity & Security. Under Identity, click Domains.
- In the list of domains, click the name of the domain you want to view. For OracleDB for Azure, you will use the Default domain.
- On the domain's Overview page, click Settings in list of links under Identity domain.
-
On the Domain Settings page, under Access signing certificate, check Configure client access.
This allows a client to access the signing certification for the identity domain without being signed into the domain.
- Click Save changes.
- Return to the identity domain overview by clicking the identity domain name ("Default domain") in the breadcrumb navigation trail. Click Copy next to the Domain URL in Domain information and save the URL to an app where you can edit it.
- In a new browser tab, paste the URL you copied and add
/fed/v1/metadata
to the end.For example:
https://idcs-<unique_id>.identity.oraclecloud.com:443/fed/v1/metadata
- The metadata for the identity domain is displayed in the browser. Save it as an
XML file with the name
IDCSMetadata.xml
.
What's Next?
Create a SAML service principal in the Azure portal. See To create a SAML service principal in your Azure account for instructions.
Before starting this task, you will need to download your OCI identity domain's SAML service provider metadata. See To download your OCI IAM domain's SAML service provider metadata for instructions.
- Sign in to the Azure portal.
- Under Azure services, click Azure Active Directory.
- In the left pane, click Enterprise applications.
- Click + New Application.
- Click + Create your own application.
- Provide a name for your application in the name field. For example, "OCI IAM Domain SAML Service Provider".
- Select the Integrate any other application you don't find in the galley (Non-gallery) radio button.
- Click Create. It will take few moments for Azure to create the application.
- On your application's Overview page, click Single sign-on in the left pane under Manage.
- Select SAML for the single sign-on method.
- Click Upload metadata file.
- In the Upload metadata file dialog, click the folder icon,
then navigate to the locally-saved OCI ID metadata file
(
IDCSMetadata.xml
) - Select the metadata file, and then click Add. The pre-configured metadata from the file is used to create the application.
- In the Basic SAML Configuration panel, click Save. Close the panel after the save operation completes.
- Locate the Federation Metadata XML field in the SAML Signing Certificate section and click the Download link. You will use this file to create an Identity Provider resource in OCI. This resource will allow OCI's Identity service to federate with Azure Active Directory.
- In the left pane, click Users and groups.
- Click + Add user/group.
-
On the Add Assignment pane, select None Selected under Users and groups or Users.
-
Search for and select the user or group that you want to assign to the application. For example, you can search on a user name such as
odsauser1@liilca.com
. Search and add additional users or groups, as needed. -
Review the list of Selected items, then click Select.
-
On the Add Assignment pane, select Assign at the bottom of the pane.
What's Next?
Create an identity provider resource for Azure Active Directory in the in the OCI Console. See To create an identity provider resource in OCI IAM for Azure Active Directory for instructions.
To complete this task, you will need the Federation Metadata XML file downloaded from the Azure portal. This download is described in To create a SAML service principal in your Azure account.
- Sign into your OCI account at https://cloud.oracle.com.
- Provide the tenancy name.
- Select the "Default" domain.
- Provide the user credentials. Make sure your OCI user has the necessary administrative privileges required to configure identity federation in your OCI account.
- Open the navigation menu and click Identity & Security.
- Click Domains under the Identity heading.
- Select your compartment.
- In the list of domains, locate the Default domain and click the domain's name.
- Click Identity providers under Security.
- Click the Add IdP button and select the Add SAML IdP option.
- Under Add details, provide a name for the identity provider. Optionally, you can add a description of the identity provider. Then click Next.
- On the Configure IdP screen, select Import identity provider metadata.
- Drag and drop the Federation Metadata XML file into the Identity provider metadata box, or click the select one link and navigate to and select the file in your local file system. Then click Next.
- On the Map attributes screen, select the Name ID as the identity provider user attribute. Select Username as the identity domain user attribute, and Email address as the Requested NameID format.
- Click Create IdP.
- Optional. On the Export screen, click the Download button in the Service provider metadata field to download the metadata for your SAML identity provider.
- Optional. Test the configuration settings for the IdP to confirm that the IdP is working properly. You can use the credentials of the IdP to sign in to the identity domain through an external website.
- Under Activate IdP, click Activate, then click Finish.
What's Next?
Enable users and groups synchronization in the Azure SAML service principal. See To enable users and groups synchronization in the Azure SAML service principal for instructions.
You will need to create policies in OCI IAM to enable authorization for OracleDB for Azure user groups by Azure Active Directory. See Managing Access to Resources for an overview of policies in OCI IAM.
See Oracle Cloud Infrastructure IAM Policy Statements for Oracle Database Service for Azure for example policy statements.
- Navigate to the OCI Console at https://cloud.oracle.com.
- Enter your Cloud Account Name, also referred to as your tenancy name, and click Next.
- Select the identity domain to sign in to. For OracleDB for Azure, you will use the Default domain.
- Sign in with your admin user name and password.
- Open the navigation menu and click Identity & Security. Under Identity, click Domains.
- In the list of domains, click the name of the domain you want to view. For OracleDB for Azure, you will use the Default domain.
- On the domain's Overview page, click Groups in list of links under Identity domain.
- Click Create group and enter the group name. For example,
odsa-db-family-administrators
. - Enter a description for the group.
- Click Create to create the group.
- Open the navigation menu and click Identity & Security. Under Identity, click Policies.
- Click Create Policy.
- Enter a name for the policy. For example:
my_odsa_compartment_odsa-db-family-administrators
. - Enter a description for the policy.
- For Compartment, select the OracleDB for Azure compartment.
- In the Policy Builder section, enable Show manual editor, then copy and paste your policy into Policy Builder field.
- Select Create Another Policy if you want to create another policy after you create the policy you are currently configuring.
- Click Create.
- Repeat steps 12 to 18 to create the additional policies you need for your users.
The OCI IAM user groups you created in To create OCI IAM User Groups and Policies for OracleDB for Azure need a corresponding set of user groups in Azure Active Directory to enable OracleDB for Azure user authorization. Create the following groups in Azure and assign your Azure users to them as needed:
-
oci-direct-readers
-
network-oci-direct-users
-
exadb-oci-direct-users
-
ocimcs-administrator
- Sign in to the Azure portal.
- On the Home page, select Azure Active Directory.
- On the Active Directory page, select Groups.
- Click New group.
- On the New Group page, for Group type, choose Security.
- Enter a Group name and Group description.
- Click No owners selected under Owners and select a group owner, then click Select.
- Click No members selected under Members and select group members, then click Select.
- Click Create.
- Repeat steps 4 to 9 to create all the groups discussed in this topic.
- In your Azure account, navigate to the SAML service principal that your created
using the instructions in To create a SAML service principal in your Azure account:
- Under Azure services, click Azure Active Directory.
- In the left pane, click Enterprise applications.
- In the list of Enterprise Applications, click the name of your application. The application's Overview page is displayed.
- Click Provisioning in the left pane.
- Click Get Started.
- On the Provisioning page, select "Automatic" as the Provisioning Mode.
-
In the Admin Credentials section, provide the tenant URL and the base64 secret token discussed in the last two steps of To create a confidential application for OracleDB for Azure in your OCI account.
- Click Test Connection.
- If the connection setup is successful, click Save.
What's Next?
You can assign additional Azure users to the OracleDB for Azure user groups. See Adding OracleDB for Azure Users in Azure After Completing Your Sign Up for more information.