Companies usually have an Identity and Access Management (IAM) solution deployed on premises to manage users and roles and to secure access to their corporate applications. As businesses move to the cloud, they will most likely want to leverage the investment already made in such IAM solutions and integrate them with the new SaaS or PaaS applications being added to their portfolio.
Oracle Public Cloud and its Shared Identity Management (SIM) services provide integration with third-party Identity Providers (IdPs) through a well-known industry standard, SAML WebSSO federation. This way, existing investments in IAM systems are preserved: users log in to their corporate IdP and then single sign-on to the Oracle Public Cloud applications that use the Shared Identity Management services.
In this post, we will show how to configure Oracle Public Cloud’s SIM (the Service Provider) to federate with Microsoft Azure Active Directory (the IdP).
This post assumes the Azure edition in use is “Azure Active Directory Premium”.
Before starting this procedure, make sure you have administrator access to both Azure Portal and Oracle Public Cloud Portal.
To expedite your work, open each service in a separate browser window, as we will make changes in and copy values from one service to the other.
Configure Azure AD as IdP for SAML Federation
Create and configure an application in Azure
Sign in to the Azure Portal, browse to “Active Directory”, “Applications”, and click “Add”.
Select “Add an application from the gallery”.
Select “Custom”, then “Add an unlisted application my organization is using”, provide a name, and save.
Select “Microsoft Azure AD Single Sign-On” and click Next.
On the “Configure App Settings” screen, enter the values for Oracle Public Cloud.
Don’t worry about getting them right now: we will enter temporary values, and later on we will obtain the correct ones from OPC and update them. In SAML terms, “Issuer” is the Service Provider identifier that OPC expects as the assertion Audience, and “Reply URL” is the endpoint Azure posts the assertion to, so the final values must match what OPC reports exactly.
In “Issuer”, enter the OPC value for Provider ID, for example: https://myservices.us.oraclecloud.com/oam/fed/cloud/ateamiddomain
In “Reply URL”, enter OPC value for Assertion Consumer Service URL, for example: https://myservices.us.oraclecloud.com/oam/server/fed/sp/sso?tenant=ateamiddomain
In the “Configure single sign-on at Oracle Public Cloud” screen, download Azure Metadata (XML) and save the file as “IdP-Metadata.xml”.
We will use this file later to configure Oracle Public Cloud.
Check “Confirm that you have configured single sign-on as described above.”
In the next screen, confirm the notification email and save.
Configure Oracle Public Cloud as Service Provider for SAML Federation
Log in to Oracle Public Cloud, go to “Users”, “SSO Configuration”, and click the “Configure SSO” button.
In the pop-up window, select “Import identity provider metadata” and load the Azure Metadata file, IdP-Metadata.xml, we saved from the previous step.
From the select drop-downs, choose:
SSO Protocol: HTTP POST
User Identifier: User ID
Contained in: NameID
Save it, and from the resulting screen note the following OPC values: “Provider Id” and “Assertion Consumer Service URL”.
Update Azure Active Directory with OPC Information
Go back to the Azure Portal, select your directory, click “Applications”, and open the application we created in the previous step, “Oracle Public Cloud”.
Click on “Configure single sign-on”.
Select “Microsoft Azure AD Single Sign-On” again, and click Next.
In the “Issuer” field, enter the value you copied from OPC, “Provider Id”.
In the “Reply URL” field, enter the value you copied from OPC, “Assertion Consumer Service URL”.
For the remaining screens, keep the defaults, click Next, and save.
Assign Azure Users to access Oracle Public Cloud
In Azure, you have to specify which users and/or groups will have access to the “Oracle Public Cloud” application; otherwise Azure AD will not issue a SAML assertion for them after they sign in, and the SSO attempt fails.
In Azure portal, navigate to your directory, click on “Applications” and choose the application we created, “Oracle Public Cloud”.
Go to “Users and Groups” tab, and search for the groups you would like to grant access to the application and assign them by clicking on the assign button at the bottom of the page.
Importing Azure Users into Oracle Public Cloud
Before users can sign in to Azure and single sign-on to Oracle Cloud, their usernames must already exist in OPC: OPC maps the NameID in the incoming assertion to an existing OPC account, so until the users are imported there is nothing to map to.
To export the users from Azure, use the method appropriate to where they are sourced: if your users are synchronized from an on-premises Active Directory, export them with the standard AD tools; if they are sourced from Azure directly, use the Azure AD Module for Windows PowerShell.
To upload users into Oracle Public Cloud, export them into a CSV file with the following columns: First Name, Last Name, Email, User Login.
The User Login must be exactly the username the user signs in to Azure with (the user principal name), because that is the value Azure AD sends as the NameID and OPC matches it against the User Login.
Consult the following document on how to manage users in OPC: Importing a Batch of User Accounts
Testing and Enabling SSO for Oracle Public Cloud
After the necessary configurations are done on both sides, we can test if the SSO is working.
Log in to Oracle Public Cloud Portal and go to Users, SSO Configuration.
Click on the “Test” button.
A new browser window opens; click “Start SSO”.
You will be redirected to the Azure AD sign-in page.
Sign in with a user that has been assigned to the Oracle Public Cloud application in Azure.
If authentication succeeds, you are redirected to an Oracle Public Cloud page showing the contents of the SAML assertion and the result of the authentication.
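When the test fails, the quickest way to find out which side is misconfigured is to capture the SAML Response that Azure posts to the Assertion Consumer Service URL (with a browser SAML-tracing extension or the developer tools network tab) and compare its fields with the values configured above: the assertion Issuer must equal the Azure entityID from the imported metadata, the Audience must equal OPC’s “Provider Id” (the value entered in Azure as “Issuer”), the Recipient and Destination must equal OPC’s “Assertion Consumer Service URL” (entered in Azure as “Reply URL”), and the NameID must equal a “User Login” in the batch of users imported into OPC. The Python script below does that comparison; it is an added example, not code from the original post or from Oracle or Microsoft. The SAML Response, the user CSV and the user names in it are constructed samples (the Azure tenant id is an all-zero placeholder; the OPC values are the post’s “ateamiddomain” examples), the response carries no signature, and the function names are the example’s own. It deliberately does not verify the signature or the validity window; OPC does that, and this check only tells you whether the identifiers line up.

```python
"""Cross-check a captured SAML Response against the OPC federation settings
and the list of User Logins imported into OPC. Configuration-consistency
check only: signature and validity-window verification are left to OPC."""
import csv
import io
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# OPC values from the post (identity domain "ateamiddomain") and the Azure
# entityID with a placeholder tenant id.
EXPECTED = {
    "idp_entity_id": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "provider_id": "https://myservices.us.oraclecloud.com/oam/fed/cloud/ateamiddomain",
    "acs_url": "https://myservices.us.oraclecloud.com/oam/server/fed/sp/sso?tenant=ateamiddomain",
}

# Constructed OPC import file in the "First Name, Last Name, Email, User Login"
# layout; the users are fictitious.
OPC_USERS_CSV = """First Name,Last Name,Email,User Login
Alice,Example,alice@contoso.example,alice@contoso.example
Bob,Example,bob@contoso.example,bob@contoso.example
"""

# Constructed, unsigned SAML Response shaped like what Azure AD posts to the ACS.
# A real response also carries a ds:Signature and NotBefore/NotOnOrAfter conditions.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2015-06-01T12:00:00Z"
    Destination="https://myservices.us.oraclecloud.com/oam/server/fed/sp/sso?tenant=ateamiddomain">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-06-01T12:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@contoso.example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
            Recipient="https://myservices.us.oraclecloud.com/oam/server/fed/sp/sso?tenant=ateamiddomain"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://myservices.us.oraclecloud.com/oam/fed/cloud/ateamiddomain</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""


def _text(el, path):
    node = el.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def load_opc_logins(csv_text: str) -> set:
    """User Login values from an OPC batch-import CSV, lower-cased for comparison."""
    return {row["User Login"].strip().lower() for row in csv.DictReader(io.StringIO(csv_text))}


def extract_assertion_fields(response_xml: str) -> dict:
    """Pull Status, Destination, Issuer, NameID, Recipient and Audience out of the response."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion; an EncryptedAssertion cannot be inspected this way")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    return {
        "status": status.get("Value") if status is not None else None,
        "destination": root.get("Destination"),
        "issuer": _text(assertion, "saml:Issuer"),
        "name_id": _text(assertion, "saml:Subject/saml:NameID"),
        "recipient": scd.get("Recipient") if scd is not None else None,
        "audience": _text(assertion, "saml:Conditions/saml:AudienceRestriction/saml:Audience"),
    }


def check_against_opc(fields: dict, expected: dict, logins: set) -> list:
    """Mismatches between the assertion and the OPC/Azure configuration; empty means consistent."""
    problems = []
    if fields["status"] != SUCCESS:
        problems.append("Azure returned status %r, not Success" % fields["status"])
    if fields["issuer"] != expected["idp_entity_id"]:
        problems.append("Issuer %r != IdP entityID from the imported metadata" % fields["issuer"])
    if fields["audience"] != expected["provider_id"]:
        problems.append("Audience %r != OPC Provider Id (Azure 'Issuer' field)" % fields["audience"])
    if expected["acs_url"] not in (fields["recipient"], fields["destination"]) or \
            fields["recipient"] != fields["destination"]:
        problems.append("Recipient/Destination != OPC Assertion Consumer Service URL (Azure 'Reply URL')")
    if (fields["name_id"] or "").lower() not in logins:
        problems.append("NameID %r matches no User Login imported into OPC" % fields["name_id"])
    return problems


if __name__ == "__main__":
    fields = extract_assertion_fields(SAMPLE_RESPONSE)
    for problem in check_against_opc(fields, EXPECTED, load_opc_logins(OPC_USERS_CSV)) or ["OK"]:
        print(problem)
```

The most common failure this catches in practice is the last one: a NameID that is the user’s UPN while the CSV was exported with the mail address, or vice versa, which OPC reports only as a failed login. Fix the CSV (or the Azure NameID claim) rather than editing accounts by hand, so the mapping stays deterministic for the whole batch.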
Now, you can enable SSO for this identity domain. Go to Users, SSO Configuration and click on “Enable SSO”.
Once the SSO is enabled for this identity domain, users can log in with their corporate account from Azure, by choosing “Sign in using your company ID” button at the login screen.
Oracle Public Cloud allows customers with a functioning IAM solution, be it on premises or in the cloud, to preserve their investment while integrating with new applications on Oracle Cloud that use the Shared Identity Management services.
Customers can easily maintain users in a centralized IdP, and grant or revoke access for external applications without the need to update any account or permissions on the external systems.
A company can revoke a departing employee’s access to Oracle Public Cloud simply by removing them from the Azure AD group assigned to the application, or grant access to an entire organization with a few clicks. Note that removing the assignment blocks new SSO logins; the imported OPC account remains, and any session already established lasts until it expires.
All site content is the property of Oracle Corp. Redistribution not allowed without written permission