Configuring Oracle Public Cloud to Federate with Microsoft Azure Active Directory

Introduction

Companies usually have some Identity and Access Management (IAM) solution deployed on premises to manage users and roles and to secure access to their corporate applications. As businesses move to the cloud, companies will most likely want to leverage the investment already made in such IAM solutions and integrate them with the new SaaS or PaaS applications being added to their portfolio.

Oracle Public Cloud and its Shared Identity Management services (SIM) provide integration with third-party Identity Providers (IdP) by using a well-known industry standard, SAML WebSSO Federation. This way, existing investments in IAM systems can be leveraged to let users log in to their corporate IdP and then single sign-on to Oracle Public Cloud applications that use the Shared Identity Management services.

In this post, we will show how to configure Oracle Public Cloud’s SIM (Service Provider) to federate with Microsoft Azure Active Directory (IdP).

This post assumes the Azure edition in use is “Azure Active Directory Premium”.

Before starting this procedure, make sure you have administrator access to both Azure Portal and Oracle Public Cloud Portal.

To expedite your work, open each of the services in a different browser, as we will make changes in one service and copy data from one to the other.

Configure Azure AD as IdP for SAML Federation

Create and configure an application in Azure

Sign in to the Azure Portal, browse to “Active Directory”, “Applications”, and click “Add”.

Select “Add an application from the gallery”.


Select “Custom”, then “Add an unlisted application my organization is using”, provide a name, and save.

On the Application page, click on “Configure single sign-on”.

Select “Microsoft Azure AD Single Sign-On” and click Next.

On the “Configure App Settings” screen, add the values for Oracle Public Cloud.

Don’t worry about these values now: we will enter temporary ones, and later on we will obtain the correct values from OPC.

In “Issuer”, enter the OPC value for Provider ID, for example: https://myservices.us.oraclecloud.com/oam/fed/cloud/ateamiddomain

In “Reply URL”, enter OPC value for Assertion Consumer Service URL, for example: https://myservices.us.oraclecloud.com/oam/server/fed/sp/sso?tenant=ateamiddomain

Click Next.

In the “Configure single sign-on at Oracle Public Cloud” screen, download Azure Metadata (XML) and save the file as “IdP-Metadata.xml”.

We will use this file later to configure Oracle Public Cloud.

Check “Confirm that you have configured single sign-on as described above.”

Click Next.

In the next screen, confirm the notification email and save.

Configure Oracle Public Cloud as Service Provider for SAML Federation

Log in to Oracle Public Cloud, go to “Users”, “SSO Configuration” and click on the “Configure SSO” button.

In the pop-up window, select “Import identity provider metadata” and load the Azure metadata file, IdP-Metadata.xml, that we saved in the previous step.

From the select drop-downs, choose:

SSO Protocol: HTTP POST

User Identifier: User ID

Contained in: NameID

Save it, and from the resulting screen take note of the following information from OPC: “Provider Id” and “Assertion Consumer Service URL”.

Update Azure Active Directory with OPC Information

Go back to the Azure Portal, select your directory, click on “Applications” and then on the application we created in the previous step, “Oracle Public Cloud”.

Click on “Configure single sign-on”.

Select “Microsoft Active Directory” again, and click Next.

In the “Issuer” field, enter the value you copied from OPC, “Provider Id”.

In the “Reply URL” field, enter the value you copied from OPC, “Assertion Consumer Service URL”.

For the remaining steps, keep the defaults, click Next, and save.

Assign Azure Users to access Oracle Public Cloud

In Azure, you have to specify which users and/or groups will have access to the “Oracle Public Cloud” application; otherwise users won’t be able to access the application after logging in.

In the Azure portal, navigate to your directory, click on “Applications” and choose the application we created, “Oracle Public Cloud”.

Go to the “Users and Groups” tab, search for the groups you would like to grant access to the application, and assign them by clicking the Assign button at the bottom of the page.

Importing Azure Users into Oracle Public Cloud

Before users can log in to Azure and single sign-on to Oracle Cloud, their usernames must be imported into OPC.

To export the users from Azure, use the recommended method for where your users are sourced: if they are sourced from an on-premises Active Directory, use the standard AD tools to export them; if they are sourced from Azure directly, use Azure AD Windows Power Tools.

To upload users into Oracle Public Cloud, export them into a CSV file with the following structure: First Name, Last Name, Email, User Login.

The User Login must match the username used to log in to Azure.

Consult the following document on how to manage users in OPC: Importing a Batch of User Accounts

Testing and Enabling SSO for Oracle Public Cloud

After the necessary configuration is done on both sides, we can test whether SSO is working.

Log in to the Oracle Public Cloud Portal and go to Users, SSO Configuration.

Click on the “Test” button.

A new browser window will open; click on “Start SSO”.

You will be redirected to the Azure Portal login page.

Provide the credentials of a user that has access to the Oracle Public Cloud application.

If authentication is successful, you will be redirected to an Oracle Public Cloud page showing the results of the SAML assertion and authentication.

Now, you can enable SSO for this identity domain. Go to Users, SSO Configuration and click on “Enable SSO”.

Once SSO is enabled for this identity domain, users can log in with their corporate Azure account by choosing the “Sign in using your company ID” button at the login screen.

Conclusion

Oracle Public Cloud allows customers with a working IAM solution, be it on-premises or in the cloud, to preserve their investment while integrating with new applications on Oracle Cloud that use the Shared Identity Management services.

Customers can maintain users in a centralized IdP, and grant or revoke access to external applications without having to update any accounts or permissions on the external systems.

A company can revoke a departing employee’s access to Oracle Public Cloud simply by removing them from the Azure AD group that has access to the application, or grant access to an entire organization with a few clicks of the mouse.