Any customer using Oracle IDCS with Azure AD as the IDP would want to automate the user and group provisioning process. When Azure AD acts as the IDP, the users are born in Azure AD or are brought into Azure AD from an on-premise repository like AD. Users of the Oracle SaaS or PaaS applications protected with IDCS can be authenticated by Azure AD by setting up the federation trust and user synchronization is a pre-requisite for SSO to work.
For user synchronization, one option is to use IDCS out of the box feature to pull all the Azure AD users/groups/memberships in. More details are available here.
Another option is to push the users/groups/memberships from Azure AD to IDCS. This option provides some flexibility in terms of which users/groups need to be provisioned/synchronized.
IDCS REST APIs comply with the System for Cross-domain Identity Management (SCIM), an open API standard for managing identities across vendors. Azure AD SCIM client can be configured to use this API to create/update/delete users and groups in IDCS.
This blog provides steps to configure this option.
You will need -
1) Azure AD admin access to create/update the IDCS gallery application.
2) IDCS 19.2.1+ standard with administrator access to create a new client application.
The following steps show how to create a client application in IDCS which is used by Azure AD to manage users in IDCS.
1) Login to your IDCS instance admin console and create a new confidential application.
Provide a name and click next.
Select Configure this application as a client now
Securely save the Client ID and Client Secret. This will be used later.
In Allowed Grant Types, select Client Credentials.
Add User Administrators role in Grant the client access to Identity Cloud Service Admin APIs
Save and Activate the application.
Microsoft now has a gallery application to integrate with IDCS and the latest configuration steps are available here.
Note: Previously this section of the blog had instructions on setting up a non-gallery application but with an addition of a gallery application, the old instructions are no longer valid.
Automated user provisioning/synchronization between multi-cloud IAM services like Azure and Oracle is critical for delivering better security and user experience and I am hoping that anyone trying to implement this solution will benefit from this post.