Task 8: Set Up Identity Federation (Optional)

Learn how to set up identity federation for Oracle Database@Azure.

Setting up identity federation for Oracle Database@Azure is optional. Federation lets users sign in to the OCI tenancy associated with the service using their Microsoft Entra ID credentials. While most day-to-day database operations are performed in the Azure environment and don't require the OCI Console, some database management tasks do require signing in to OCI.

Use the following instructions to make Microsoft Entra ID the identity provider for your OCI tenancy. The task has two halves: steps 1 to 34 configure SAML single sign-on between Entra ID and an OCI identity domain, and steps 35 to 62 configure SCIM provisioning so that the Entra ID users and groups you assign are created in that domain automatically.

  1. Sign in to the Azure portal at https://portal.azure.com/.

  2. Search for "Microsoft Entra ID" and click Microsoft Entra ID in the search results to navigate to the Entra ID Overview page.

  3. Under Manage, click Enterprise applications.

    An image of the Azure portal showing the Entra ID Enterprise applications page.
  4. On the All applications page, click New application.

    An image of the Azure portal showing the All applications page of the Entra ID service.
  5. Search for "Oracle Cloud Infrastructure Console" and click the search result to navigate to the page for the application.

    An image of the Azure portal displaying Entra ID Enterprise application search results.
  6. On the Oracle Cloud Infrastructure Console panel, enter a Name for the display name of the application in your Azure environment. For example: "Oracle Cloud Infrastructure Console", "OCI Console", or "OCI Console Contoso Sales". Then click Create to continue.

    An image of the Azure portal showing the naming of a new Enterprise application in Entra ID
  7. On the Overview page for the new application, click Set up single sign on.

    An image of the Azure portal showing a user selecting "Set up single sign on" in the OCI Console enterprise application.
  8. On the Single sign-on page, click SAML to select the Security Assertion Markup Language (SAML) protocol.

    An image of the Azure portal showing the selection of the SAML protocol for single sign-on.

    The portal redirects to the SAML-based Sign-on page. Leave this browser window open on your computer while you do the next series of steps in the OCI Console. In the OCI Console, you export a SAML metadata XML file; you then return to Azure to upload the XML file and continue with the single sign-on configuration.

    An image of the Azure portal showing the SAML sign-on configuration page.
  9. In the OCI Console, navigate to Identity & Security, then click Domains.

    An image showing the OCI Console Identity and Security page.
  10. In the Domains list view, click the name of the "Default" domain to open the domain details page. Optionally, you can select another domain to configure single sign-on (SSO) for that domain.

    An image of the OCI Console list view for Identity domains.
  11. Click Security in the Identity domain Overview page's navigation menu.

    An image showing the OCI Console's Identity domain overview page with a user hovering over the Security link.
  12. On the Security page for the domain, click Identity providers in the navigation menu.

    An image of the OCI Console's Domain security page with a user hovering over the Identity providers link.
  13. On the Identity providers page, click Add IdP, then select Add SAML IdP.

    An image of the OCI Console showing the Identity providers page and the selection of the Add SAML IdP operation.
  14. On the Add details page, enter the Name that you want to display on your OCI login page during single sign-on (SSO). Optionally, add a description. For example:

    Name: EntraID

    Description: Woodgrove Bank Azure Microsoft EntraID

    Click Next to continue.

    An image of the OCI Console showing the name and description fields for the IdP.
  15. On the Exchange metadata page, click Export SAML metadata.

    An image of the OCI Console showing the Exchange metadata page and the Export SAML metadata button.
  16. On the Export SAML metadata panel, find the Metadata file section and click Download XML. Leave the browser window displaying the OCI Console open on your computer while you complete the next series of steps.

    An image of the OCI Console showing the Export SAML metadata panel.
  17. Return to the browser window displaying the Azure portal SAML-based Sign-on page and click Upload metadata file.

    An image of the Azure portal showing the upload metadata file button on the SAML-based Sign-on page.
  18. In the Upload metadata file pop-up window, click the folder logo to select the SAML XML metadata file you exported from the OCI Console. Click Add to continue.

    An image of the Azure portal showing the uploading of the SAML XML metadata file.
  19. In the Basic SAML Configuration panel, find the Reply URL (Assertion Consumer Service URL) field. Copy the value in this field to your computer's clipboard. Don't edit any of the other populated fields.

    An image of the Azure portal showing the Basic SAML Configuration panel.
  20. Edit the copied Reply URL (Assertion Consumer Service URL) value by replacing /fed/v1/ with /ui/v1/myconsole. Then paste the edited URL into the Sign on URL field and click Save to continue.

    For example, if the Reply URL (Assertion Consumer Service URL) field has the following value:

    https://idcs-123a4b56example1de45fgh6i789j012.identity.oraclecloud.com/fed/v1/

    Then paste the edited version of the URL as the following example shows:

    https://idcs-123a4b56example1de45fgh6i789j012.identity.oraclecloud.com/ui/v1/myconsole
    An image of the Azure portal showing the Basic SAML Configuration panel with a value pasted into the Sign on URL field.
  21. In the Test single sign-on with Oracle Cloud Infrastructure Console pop-up window, click No, I'll test later.

    An image of the Azure portal showing the Basic SAML Configuration pop-up window offering a test of the sign-on.
  22. In the Attributes and Claims section, click Edit.

    An image of the Azure portal showing the Attributes and Claims section of the SAML-based Sign-on setup page.
  23. In the Required claim section, click the Unique User Identifier (Name ID) claim.

    An image of the Azure portal showing the Attributes & Claims page of the SAML-based Sign-on setup work flow.
  24. In the Source attribute field, select user.mail, then click Save. Click X to close the Manage claim dialog and go back to the SAML-based Sign-on page. The Name ID is what OCI matches against each user's primary email address (step 28), so a user whose mail attribute is empty, or differs from the email provisioned in OCI, can't sign in through federation.

    An image of the Azure portal showing the Manage claim dialog of the SAML-based Sign-on setup work flow.
  25. On the SAML-based Sign-on page, in the SAML Certificates section, find the Federation Metadata XML field and click Download. Leave this browser window open on your computer while you do the next series of steps in the OCI Console.

    An image of the Azure portal showing the Federation Metadata XML download link in the SAML-based sign-on work flow in Entra ID.
  26. Return to the Add SAML identity provider page in the OCI Console. Click Import IdP metadata (Upload metadata XML file). In the Upload identity provider metadata section, click the select one... link to select the IdP metadata XML file downloaded from the Federation Metadata XML download link in the previous step.

    An image of the OCI Console showing the Add SAML identity provider page.
  27. After you upload the XML file, the file name is displayed below the Upload identity provider metadata section. Click Next to continue.

    An image of the OCI Console showing the Add SAML identity provider page with an uploaded file displayed on the page.
  28. On the Map user identity page, select the following, then click Next to continue:

    • Requested Name ID format: Email address
    • Identity provider user attribute: SAML assertion Name ID
    • Identity domain user attribute: Primary email address
    An image of the OCI Console showing the Map User Identity page of the Add SAML identity provider work flow.
  29. On the Review and Create page of the Add SAML identity provider workflow, review the displayed information, then click Create IdP.

    An image of the OCI Console showing the Review and Create page of the Add SAML identity provider work flow.
  30. On the What's Next? page of the Add SAML identity provider work flow, click Activate to activate the IdP. Wait for the "EntraID identity provider has been activated" message to appear on the page before continuing.

    An image of the OCI Console showing the What's Next? page of the Add SAML identity provider work flow.
  31. On the What's Next? page of the Add SAML identity provider work flow, click Add to IdP policy.
  32. On the Identity provider (IdP) policies page, click Default Identity Provider Policy.

    An image of the OCI Console showing the Identity provider (IdP) policies page.
  33. On the Default Identity Provider Policy details page, in the Identity provider rules section, click Edit IdP rule.

    An image of the OCI Console showing the Default Identity Provider policy details page.
  34. In the Edit Identity provider rule panel, add "EntraID" to the Assign identity providers field. The field contains "Username-Password" by default; leave that entry in place so that local OCI users, including the administrator performing this setup, can still sign in if the federation is misconfigured.

    Click Save changes to continue.

    An image of the OCI Console showing the Edit identity provider panel.
  35. Important

    In the steps that follow, you configure the OCI confidential application that provisions Entra ID users in OCI. Every user that you assign must have values for the following fields, or the provisioning of the user in OCI fails:

    • First name
    • Last name
    • Display name
    • Email address

    Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  36. Click Default Domain. Then, click Integrated applications.
  37. Click Add application.
  38. In the Add application window, click Confidential Application, and then click Launch workflow.

    An image of the OCI Console showing the Add application workflow.
  39. On the Add application details page of the Add Confidential Application workflow, enter the following:

    • Name: Enter a name for the confidential application. You can enter up to 125 characters.
    • Description: Enter a description for the confidential application. You can enter up to 250 characters.

    Review the optional settings, then click Next.

    An image of the OCI Console showing the Add application details page of the Add Confidential Application workflow.
  40. On the Configure OAuth page, in the Client configuration section, select Configure this application as a client now.

    An image of the OCI Console showing the Configure OAuth page of the Add Confidential Application workflow.
  41. On the Configure OAuth page, in the Client configuration section, under Allowed grant types, select Client credentials. This is the grant that the Entra ID provisioning service uses to obtain an access token for the domain's SCIM endpoint.

    An image of the OCI Console showing the Configure OAuth page of the Add Confidential Application workflow with the Client configuration section options displayed.
  42. On the Configure OAuth page, scroll down and find the Token issuance policy section. Under Authorized resources, select Specific, then check Add app roles to open the App roles section of the workflow.

    An image of the OCI Console showing the Configure OAuth page of the Add Confidential Application workflow with the Add roles section displayed.
  43. In the App roles section, click Add roles, and search for "User Administrator". In the list of search results, select User Administrator, then click Add.

    An image of the OCI Console showing the Configure OAuth page of the Add Confidential Application workflow with the Add app roles panel displayed.
  44. With the User Administrator role displaying in the App roles list, click Next. This role is what allows the provisioning client to create and update users in the domain; anyone holding this application's client secret gets the same capability, so protect the secret as a privileged credential.

    An image of the OCI Console showing the Configure OAuth page of the Add Confidential Application workflow with the App roles "User Administrator" displayed.
  45. On the Configure policy page, review the default selection and click Finish.

    An image of the OCI Console showing the Configure policy page of the Add Confidential Application workflow.
  46. On the Integrated applications tab of the "Default" domain details page, click the name of the confidential application you created to open its details page.

    An image of the OCI Console showing the list view of integrated applications in an OCI Identity domain.
  47. Click Activate on the details page.

    An image of the OCI Console showing the application details page that includes an "Activate" button.

    Confirm that the application status is "Active".

    An image of the OCI Console showing an application in the "Active" state.
  48. Find the General Information section of the details page for your confidential application. In this section, do the following:

    • Copy the Client ID value to a notepad or other location on your computer for use in the command in the next step.
    • Click Show secret, and copy the client secret to the file with your Client ID.
    An image of the OCI Console showing the General Information section of the application details page.

    Close the Client secret dialog after copying the secret to continue.

    An image of the OCI Console showing the Client secret dialog.
  49. Use the Client ID and Client secret values to build the following command, which base64-encodes the pair in the form clientID:clientsecret. Its output is the Secret Token that you enter in the Azure provisioning settings later in this task. Because base64 is an encoding, not encryption, treat the output exactly as you treat the client secret.

    echo -n <clientID>:<clientsecret> | base64 --wrap=0

    For example:

    echo -n 7a5715example8b7429cdexample74a:63n8765example49asbcs56abc235784 | base64 --wrap=0
  50. Run the command in the OCI Cloud Shell. Click the Cloud Shell icon in the OCI Console header, then click Cloud Shell to open the shell in your browser window. Paste the command into the shell, run it, and copy the output to the location where you saved the Client ID.

    An image of the OCI console header with the Cloud Shell icon selected.
  51. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  52. Click Default Domain to open the details page for the "Default" domain.
  53. On the domain Overview page, copy the Domain URL to a notepad or other location on your computer.

    For example:

    https://idcs-638a9b18aexampleb77becf0f123d691.identity.oraclecloud.com:443

    An image of the OCI Console showing the details page for the "Default" domain.
  54. Return to the Azure portal page for the enterprise application (the SAML-based Sign-on page from step 25) and click Provisioning in the Manage section.

    An image of the Azure portal showing the SAML-based Sign-on details page.
  55. On the Provisioning page, enter the following:

    • Provisioning Mode: Automatic
    • Tenant URL: Edit the copied URL from step 53 as follows:

      • Remove ":443" at the end of the URL
      • Add "/admin/v1" to the end of the URL

      For example:

      https://idcs-638a9b18aexampleb77becf0f123d691.identity.oraclecloud.com/admin/v1

      After editing the URL, paste it into the Tenant URL field.

    • Secret Token: Paste the base64-encoded value produced by the command you ran in step 50.

    Click Test Connection, then click Save to continue.

    An image of the Azure portal showing the SAML-based Sign-on Provisioning page.
    Important

    Wait for the message that confirms that the connection was successful. The message displays in the upper right corner of the page.
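The three values that this task derives by hand (the Sign on URL in step 20, the Secret Token in steps 49 to 50, and the Tenant URL in step 55) are easy to get subtly wrong, and a wrong Tenant URL or token surfaces only as a failed Test Connection. The following bash script is an added example, not part of Oracle's documentation, that derives all three from the raw values. It reads the client ID and secret from the environment variables OCI_CLIENT_ID and OCI_CLIENT_SECRET (names chosen for this example) so that the secret does not land in shell history or in the argument list of a running process, and it uses `base64 | tr -d '\n'` rather than `--wrap=0` so it also works where base64 is not the GNU version.

```shell
# Added example (not from the Oracle page): derives the values that the
# federation procedure otherwise edits by hand in a text editor.
set -eu

# Step 20: Reply URL (Assertion Consumer Service URL) -> Sign on URL.
# Replaces the trailing /fed/v1/ with /ui/v1/myconsole; refuses anything
# that does not end in /fed/v1/ rather than guessing.
sign_on_url() {
  reply_url="$1"
  case "$reply_url" in
    */fed/v1/) printf '%s/ui/v1/myconsole\n' "${reply_url%/fed/v1/}" ;;
    *) echo "unexpected Reply URL (no /fed/v1/ suffix): $reply_url" >&2; return 1 ;;
  esac
}

# Step 55: identity domain URL -> Tenant URL.
# Drops a trailing slash and a trailing :443, then appends /admin/v1.
tenant_url() {
  domain_url="$1"
  domain_url="${domain_url%/}"
  domain_url="${domain_url%:443}"
  printf '%s/admin/v1\n' "$domain_url"
}

# Steps 49 to 50: client ID and client secret -> Secret Token.
# Reads both from the environment (OCI_CLIENT_ID / OCI_CLIENT_SECRET are
# names chosen for this example) so neither value appears on a command line.
secret_token() {
  : "${OCI_CLIENT_ID:?set OCI_CLIENT_ID first}"
  : "${OCI_CLIENT_SECRET:?set OCI_CLIENT_SECRET first}"
  printf '%s:%s' "$OCI_CLIENT_ID" "$OCI_CLIENT_SECRET" | base64 | tr -d '\n'
  echo
}
```

In Cloud Shell, source the file, set the two variables (for the secret, `read -rs OCI_CLIENT_SECRET` avoids echoing it), export them, and call `secret_token`, `tenant_url` and `sign_on_url` with the values copied from the consoles.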
  56. On the Provisioning page, click Provision Microsoft Entra ID Users in the Mappings section.

    An image of the Azure portal showing the SAML-based Sign-on Provisioning page.
  57. On the Attribute Mapping page, find the Mappings section and click Add New Mapping.

    An image of the Azure portal showing the SAML-based Sign-on Attribute Mappings page.
  58. On the Edit Attribute page, enter the following:

    • Mapping type: Expression
    • Expression: CBool("true")
    • Target attribute: Select the string ending in ":isFederatedUser". For example:

      urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User:isFederatedUser

    Click OK to continue.

    An image of the Azure portal showing the SAML-based Sign-on Edit Attribute page.
  59. On the Attribute Mapping page, click Add New Mapping again to add a second mapping.

  60. On the Edit Attribute page, enter the following:

    • Mapping type: Expression
    • Expression: CBool("true")
    • Target attribute: Select the string ending in ":bypassNotification". For example:

      urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User:bypassNotification

    Click OK to continue.

    An image of the Azure portal showing the SAML-based Sign-on Edit Attribute page.
  61. Navigate to the Azure Enterprise Applications Overview page for the application you created in steps 3 to 6 of this task, then click Assign users and groups.

    An image of the Azure portal showing the Enterprise Application Overview page for the application created in steps 3 to 6.
    Important

    All users must include the following field values, or provisioning of the user in OCI fails:

    • First name
    • Last name
    • Display name
    • email address
  62. Click Add user/group and add the users and groups you want to include in the identity federation. After you assign them, they're synced to your OCI account by the provisioning job.

    An image of the Azure portal showing the Add user/group page for the application created in steps 3 to 6.

What's Next?

You have completed Oracle Database@Azure onboarding. See What's Next After Onboarding? for suggestions on using the service and configuring your cloud accounts.