Introduction
Many of our customers use Microsoft to store their identities. At its core is Active Directory (AD), a directory service accessed over the Lightweight Directory Access Protocol (LDAP), which stores user identities including password hashes. Though Active Directory is the core component, many customers are moving to Entra ID (formerly Azure AD) as their identity layer.
To authenticate and provision users from Microsoft to OCI Identity and Access Management (IAM) you have a few options: the OCI Active Directory Bridge, Active Directory Federation Services (ADFS), or Entra ID. The latter two use the standard SAML 2.0 protocol for authentication.
In this post I will discuss the pros and cons of each option. There is no 'one size fits all' approach; the right choice depends on the customer's current state. From our experience, however, one option works best for most customers, and it is the one we recommend at the end.
Details
OCI Active Directory Bridge
This is software created by Oracle to provision users from an Active Directory domain to an OCI IAM identity domain. It uses the SCIM interface for user management (create, read, update and delete operations). There is also a 'Delegated Authentication' feature that lets users sign in to the OCI IAM domain with their existing Active Directory password: the bridge validates the password against AD, so the password is never copied to OCI.
Pros:
- Easy to install.
- Supports user provisioning via SCIM.
- Supports 'Delegated Authentication', so there is no need to store passwords in OCI IAM.
- Free to use.
Cons:
- Software needs to be installed and maintained on a Windows server.
- HA is supported and recommended for production, since a single instance has two points of failure: the Windows server and the AD Bridge software.
- To enable HA you must file a support request (SR).
- Firewall rules need to be in place for outbound connectivity: the bridge host must be able to reach the OCI IAM domain endpoint over the internet (HTTPS).
- Does not support SAML.
- 'Delegated Authentication' may have higher than normal latency, because every login is round-tripped to AD through the bridge; the impact depends on server specification and load on the system.
A concern for some customers is that the AD Bridge needs access to the OCI IAM domain endpoint, which means opening outbound firewall rules to the internet. Also, if you are using the 'Delegated Authentication' feature, consider load testing to confirm that the bridge and the domain controllers can handle the added latency at peak login volume.
This option is good for customers that do not have, or are not planning for, ADFS or Entra ID and require a stop-gap solution.
To get started, check out the Oracle documentation.
Active Directory Federation Service (ADFS)
ADFS is a Windows Server role that sits in front of Active Directory and issues SAML 2.0 tokens (it also supports WS-Federation and OAuth 2.0), so that AD users can authenticate to external service providers such as an OCI IAM domain.
Pros:
- Easy to install.
- Part of the Microsoft ecosystem and familiar to IT administrators in a Microsoft shop.
- Minimal cost (the role is included with Windows Server licensing).
Cons:
- Software needs to be installed and maintained.
- Initial setup is required for SAML 2.0 (metadata and signing certificate exchange between ADFS and the OCI IAM domain).
- HA is supported and recommended for production, since a single instance has two points of failure: the Windows server and the ADFS software.
- Firewall rules need to be in place for outside connectivity. Because the SAML flow runs through the user's browser, ADFS must be reachable by users signing in from the internet (typically published through a Web Application Proxy), and those browsers must also be able to reach the OCI IAM domain.
- Does not support provisioning/user management: ADFS has no SCIM connector, so the account must already exist in the OCI IAM domain before a user can sign in.
The cons are similar to AD Bridge, with the addition that ADFS does not support provisioning. Some of our customers use ADFS together with AD Bridge to get user management/provisioning support.
This option is good for customers that already have ADFS and require single sign-on (SSO). Some customers do not want to pay a premium for Entra ID, so they opt for ADFS for SSO and AD Bridge for provisioning of users.
Here is an overview for ADFS.
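Whichever of the two SAML options you choose, the OCI IAM domain acts as the service provider (SP) and must validate each SAML response before trusting it. The script below is an example added to this post, not Oracle's OCI IAM code or Microsoft's: it runs the SP-side checks (status, single assertion, issuer, validity window with clock skew, audience, bearer recipient, NameID, group claims) against a constructed, unsigned sample response. The issuer, URLs, timestamps and group names are assumptions. The XML signature check is deliberately not shown; it is the first thing a real SP must do, OCI IAM does it with the IdP signing certificate you upload during setup, and the Python standard library has no XML-DSig support, so a real implementation would use a library such as python3-saml for that step.

```python
"""SP-side checks on a SAML 2.0 Response (added example; not OCI IAM's code)."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"  # ADFS group claim type
# Assumed identifiers: the IdP entity ID and the SP assertion consumer URL.
EXPECTED_ISSUER = "http://adfs.example.com/adfs/services/trust"
EXPECTED_SP_URL = "https://idcs-example.identity.oraclecloud.com/fed/v1/sp/sso"

# Constructed, UNSIGNED sample response; every value in it is made up.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
 <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z"
     Recipient="https://idcs-example.identity.oraclecloud.com/fed/v1/sp/sso"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
   <saml:AudienceRestriction>
    <saml:Audience>https://idcs-example.identity.oraclecloud.com/fed/v1/sp/sso</saml:Audience>
   </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
    <saml:AttributeValue>OCI-Administrators</saml:AttributeValue>
    <saml:AttributeValue>OCI-Developers</saml:AttributeValue>
   </saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""


def _ts(s):
    """Parse the UTC timestamp format SAML uses."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _text(el):
    return (el.text or "").strip() if el is not None else ""


def check_saml_response(xml_text, issuer, audience, recipient, now, skew=timedelta(minutes=3)):
    """Validate the trust conditions of a SAML Response; signature is assumed verified already.
    Returns {"ok": bool, "reason": str, "name_id": str|None, "groups": [str]}."""
    res = {"ok": False, "reason": "", "name_id": None, "groups": []}

    def fail(reason):
        res["reason"] = reason
        return res

    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return fail("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # zero or several assertions: reject, never pick one
        return fail("expected exactly one Assertion")
    a = assertions[0]
    # Both Response and Assertion must name the IdP we configured (ADFS or Entra ID).
    if _text(root.find("saml:Issuer", NS)) != issuer or _text(a.find("saml:Issuer", NS)) != issuer:
        return fail("unexpected Issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        return fail("missing Conditions")
    # Validity window, tolerating a little clock skew between IdP and SP.
    if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
        return fail("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
        return fail("assertion expired")
    # The assertion must be addressed to THIS service provider, not another app.
    if audience not in [_text(e) for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        return fail("audience mismatch")
    # Bearer confirmation: delivered to our ACS URL and not itself expired.
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != recipient:
        return fail("bad SubjectConfirmation recipient")
    if scd.get("NotOnOrAfter") and now - skew >= _ts(scd.get("NotOnOrAfter")):
        return fail("subject confirmation expired")
    name_id = _text(a.find("saml:Subject/saml:NameID", NS))
    if not name_id:
        return fail("missing NameID")
    res["name_id"] = name_id
    # Group claims are what the SP can map onto its own groups and application roles.
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUP_CLAIM:
            res["groups"] = [_text(v) for v in attr.findall("saml:AttributeValue", NS)]
    res["ok"], res["reason"] = True, "ok"
    return res


def check_sample(now_iso, audience=EXPECTED_SP_URL):
    """Run the checks on SAMPLE_RESPONSE as of a given UTC time (e.g. "2024-05-01T12:01:00Z")."""
    return check_saml_response(SAMPLE_RESPONSE, EXPECTED_ISSUER, audience, EXPECTED_SP_URL, _ts(now_iso))
```

Running `check_sample("2024-05-01T12:01:00Z")` accepts the assertion and returns the NameID and both groups; the same response at 12:10 is rejected as expired, and the same response presented with a different audience is rejected even though every timestamp is fine, which is exactly why a SAML app registered for one SP must never be reused for another.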
Entra ID
Entra ID is a cloud-based Identity Provider (IdP) that supports the standard SAML 2.0 protocol. Its provisioning service uses SCIM for user management (create, read, update and delete operations) to push users to OCI IAM domains.
Pros:
- Cloud-based Identity Provider (IdP); no software to install.
- Supports SAML 2.0, OAuth and OIDC.
- Supports user provisioning via SCIM.
- Easier interface for user provisioning.
- The interface allows for more control and security when assigning users and/or groups to specific applications.
Cons:
- Initial setup is required for SAML 2.0 and for provisioning.
- More costly per user identity.
Though Entra ID is more costly, the support for SAML/SCIM/OAuth and the ease of maintaining users and groups is why we recommend Entra ID to integrate with OCI IAM.
Many larger enterprises already use Entra ID. In this case, an Entra ID administrator will need to create a new OCI IAM gallery application in Entra ID and configure its SAML single sign-on and provisioning settings, while the OCI side adds Entra ID as a SAML identity provider in the IAM domain.
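Both the AD Bridge and the Entra ID provisioning service keep accounts in the OCI IAM domain in sync through SCIM 2.0, so it is worth seeing what that traffic looks like from the receiving side. The snippet below is an example added to this post, not Oracle's OCI IAM SCIM service or Microsoft's connector: an in-memory `/Users` collection that handles the requests a provisioning connector issues in order, namely lookup by `userName` filter (to decide between create and update), create, PATCH (including the `active=false` step used to deprovision leavers before any hard delete) and delete. The resource values, the `externalId` and the handling of booleans that arrive as the strings "True"/"False" (a precaution for connectors that serialize them that way) are illustrative assumptions.

```python
"""Minimal in-memory SCIM 2.0 /Users endpoint (added example; not OCI IAM's service)."""
import re
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
EQ_FILTER = re.compile(r'^(\w+)\s+eq\s+"([^"]*)"$')  # the only filter shape accepted here


def _as_bool(value):
    """Accept real booleans and the "True"/"False" strings some connectors send."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError("not a boolean: %r" % (value,))


def _error(status, detail):
    return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}


class ScimUsers:
    """User resource collection; handle() takes one request and returns (status, body)."""

    def __init__(self):
        self.users = {}  # SCIM id -> resource dict

    def handle(self, method, path, query=None, body=None):
        m = re.match(r"^/Users(?:/([^/]+))?$", path)
        if not m:
            return _error(404, "unknown resource")
        uid = m.group(1)
        if uid is None:
            if method == "GET":
                return self.search(query or {})
            if method == "POST":
                return self.create(body or {})
            return _error(405, "method not allowed")
        if uid not in self.users:
            return _error(404, "user not found")
        if method == "GET":
            return 200, self.users[uid]
        if method == "PATCH":
            return self.patch(uid, body or {})
        if method == "DELETE":  # hard delete; connectors normally deactivate first (see patch)
            del self.users[uid]
            return 204, None
        return _error(405, "method not allowed")

    def search(self, query):
        """GET /Users?filter=userName eq "x": how a connector finds an existing account."""
        matches = list(self.users.values())
        if "filter" in query:
            m = EQ_FILTER.match(query["filter"])
            if not m or m.group(1) != "userName":
                return _error(400, "unsupported filter")
            # userName is caseExact=false in the SCIM core schema, so compare case-insensitively
            matches = [u for u in matches if u["userName"].lower() == m.group(2).lower()]
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(matches), "Resources": matches}

    def create(self, body):
        """POST /Users: reject duplicates so a retried create cannot produce two accounts."""
        if USER_SCHEMA not in body.get("schemas", []) or not body.get("userName"):
            return _error(400, "schemas and userName are required")
        if any(u["userName"].lower() == body["userName"].lower() for u in self.users.values()):
            return _error(409, "uniqueness")
        uid = str(uuid.uuid4())
        user = {"schemas": [USER_SCHEMA], "id": uid, "userName": body["userName"],
                "externalId": body.get("externalId"),  # the IdP's own object id, used for later matching
                "name": body.get("name", {}), "emails": body.get("emails", []),
                "active": _as_bool(body.get("active", True)),
                "meta": {"resourceType": "User", "location": "/Users/" + uid}}
        self.users[uid] = user
        return 201, user

    def patch(self, uid, body):
        """PATCH /Users/{id} with PatchOp; 'replace active=false' is the deprovisioning step."""
        if PATCH_SCHEMA not in body.get("schemas", []):
            return _error(400, "PatchOp schema required")
        user = self.users[uid]
        for op in body.get("Operations", []):
            kind = op.get("op", "").lower()
            if kind not in ("add", "replace"):  # keep the toy small: no remove, no filters in paths
                return _error(400, "unsupported op: %s" % kind)
            if op.get("path"):
                changes = {op["path"]: op.get("value")}
            elif isinstance(op.get("value"), dict):  # no path: value is a partial resource
                changes = op["value"]
            else:
                return _error(400, "path or object value required")
            for attr, value in changes.items():
                if attr in ("id", "schemas", "meta"):
                    return _error(400, "read-only attribute: " + attr)
                try:
                    user[attr] = _as_bool(value) if attr == "active" else value
                except ValueError as exc:
                    return _error(400, str(exc))
        return 200, user
```

The sequence a connector runs is: filter by `userName`, POST when nothing matches, PATCH thereafter, and on removal from the assigned group a PATCH that sets `active` to false; whether a DELETE ever follows depends on the connector's configuration, which is why a deactivated user stays in the store here rather than being dropped.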
For more information on the integration steps take a look at these links:
Summary
For an existing Microsoft customer using their identity stack there are a few options to integrate with OCI IAM:
- OCI Active Directory Bridge
- Microsoft ADFS (+ AD Bridge for provisioning)
- Entra ID
The options above support authentication and user management/provisioning, each with their pros and cons. Our recommendation is to use SAML 2.0 via Entra ID. I find that this is the easiest way for customers to set up and control which users have access to specific applications.
For customers that do not have an enterprise identity provider, consider using OCI Identity and Access Management (IAM) on its own. It is more cost effective than Entra ID and integrates seamlessly with OCI IaaS/PaaS/SaaS. There are different licensing tiers that you can read about here.
Thanks for reading!
