Integrate with Microsoft Active Directory

The Active Directory connector integrates Oracle Access Governance with Microsoft Active Directory. You can establish a connection between Microsoft Active Directory and Oracle Access Governance by entering connection details and configuring the connector. To achieve this, use the Orchestrated Systems functionality available in the Oracle Access Governance Console.

Prerequisites

Before you setup and configure a Microsoft Active Directory orchestrated system, you should consider the following pre-requisites and tasks.

Certified Components

The Microsoft Active Directory system can be any of the following:

  • Microsoft Active Directory
    • Installed on Microsoft Windows Server 2019, 64-bit platform.
    • Installed on Microsoft Windows Server 2016, 64-bit platform.
    • Installed on Microsoft Windows Server 2012, 64-bit platform.
    • Installed on Microsoft Windows Server 2012 R2, 64-bit platform.
    • Installed on Microsoft Windows Server 2008, both 32-bit and 64-bit platforms.
    • Installed on Microsoft Windows Server 2008 R2, both 32-bit and 64-bit platforms.

Supported Operations

The Microsoft Active Directory orchestrated system supports the following operations:

  • Create user
  • Delete user
  • Reset password
  • Add group
  • Remove group

Create a User Account for Microsoft Active Directory Orchestrated System Operations

Oracle Access Governance requires a user account to access the Microsoft Active Directory system during service operations. Depending on the system you are using, you can create the user in your target system and assign specific permissions and roles to the user.

For Microsoft Active Directory:

You can use a Microsoft Windows 2008 Server (Domain Controller) administrator account for operations. Alternatively, you can create a user account and assign the minimum required rights to the user account.

To create the Microsoft Active Directory user account for operations:

See Also: Microsoft Active Directory documentation for detailed information about performing this procedure.

  1. Create a group (for example, AGGroup) on the system. While creating the group, select Security Group as the group type and Global or Universal as the group scope.

    Note:

    In a parent-child domain setup, create the group in the parent domain.
  2. Make this group a member of the Account Operators group.
  3. Assign all read permissions to this group. If there are multiple child domains in the forest, then log in to each child domain and add the above group to the Account Operators group of each child domain.

    Note:

    You assign read permissions on the Security tab of the Properties dialog box for the user account. This tab is displayed only in Advanced Features view. To switch to this view, select Advanced Features from the View menu on the Microsoft Active Directory console.
  4. Create a user (for example, AGUser) on the target system. In a parent-child domain setup, create the user in the parent domain.
  5. Make the user a member of the group (for example, OIMGroup) created in Step 1.

Configure

You can establish a connection between Microsoft Active Directory and Oracle Access Governance by entering connection details and configuring your Microsoft Active Directory environment. To achieve this, use the orchestrated systems functionality available in the Oracle Access Governance Console.

Navigate to the Orchestrated Systems Page

Navigate to the Microsoft Active Directory page of the Oracle Access Governance Console, by following these steps:
  1. From the Oracle Access Governance navigation menu icon Navigation menu, select Service Administration → Microsoft Active Directory.
  2. Click the Add an orchestrated system button to start the workflow.

Select system

On the Select system step of the workflow, specify which type of database you would like to onboard.

  1. Select Microsoft Active Directory and click Next.

Enter details

On the Enter Details step of the workflow, enter the details for the orchestrated system:

  1. Enter a name for the database you want to connect to in the What do you want to call this system? field.
  2. Enter a description for the database in the How do you want to describe this system? field.
  3. Determine if this orchestrated system is an authoritative source, and if Oracle Access Governance can manage permissions for existing users by setting the following checkboxes.

    Table - Authoritative Source/Permission Management/Identity Collection Management

    Checkbox Default Description

    This is the authoritative source for my identities.

    Selected

    If selected, this checkbox means that this orchestrated system is a trusted source for user or identity information.

    I want to manage permissions for this system.

    Selected

    If selected, this checkbox means that Oracle Access Governance can provision accounts on the orchestrated system, and manage permissions for existing accounts residing in the orchestrated system.

    I want to manage identity collections for this orchestrated system.

    		Unselected If selected, this checkbox allows you to manage Microsoft Active Directory groups from within Oracle Access Governance. Any changes made to Microsoft Active Directory groups will be reconciled between Oracle Access Governance and the orchestrated system. Similarly, any changes made in Microsoft Active Directory, will be reflected in Oracle Access Governance.
  4. Click Next.

Configure

On the Configure step of the workflow, enter the configuration details required to allow Oracle Access Governance to connect to the target Microsoft Active Directory.

  1. In the Host field, enter the hostname or IP address for the directory you want to integrate with Oracle Access Governance.
  2. In the Domain Name field, enter the domain, for example example.com.
  3. In the Port field, enter the value of the TCP/IP port number used to communicate with the LDAP server. The default is 636.
  4. Enter the distinguished name which you will use to authenticate to the directory, in the Principal field. This is the user you created in Create a User Account for Microsoft Active Directory Orchestrated System Operations.
  5. Enter the password of the target distinguished name in the Password field. Confirm the password in the Confirm password field.
  6. Enter a base context from which to begin searches for users and groups into the Base Contexts field.
  7. In the Failover field, enter a list of failover servers in the format <servername>:<port>, <servername>:<port>, ..., for example ADExample1:636, ADExample1:636, ...
  8. In the SSL field, ensure that the value true is selected.

    Following are the steps to configure SSL on agent:

    1. Use JDK to install and run an agent.
    2. As part of agent installation process, copy cacerts of JDK used for agent under agent Installation directory.
    3. Import AD cert to above cacerts file using the command
      <%JAVA_HOME%>/bin/keytool -import -alias OIGAD-cert -file <AD-cert-file> -keystore <agent-install-dir>/cacerts
      Use port - 636
    4. Config.properties should include the following:
      JAVA_OPTS=-Djavax.net.ssl.trustStore=/app/cacerts-Djavax.net.ssl.trustStorePassword=changeit
  9. Check the right hand pane to view What I've selected. If you are happy with the details entered, select Add to create the orchestrated system.

Finish up

On the Finish Up step of the workflow, you are asked to download the agent you will use to interface between Oracle Access Governance and Microsoft Active Directory. Select the Download link to download the agent zip file to the environment in which the agent will run.

After downloading the agent, follow the instructions explained in the Agent Administration article.

Finally, you are given a choice whether to further configure your orchestrated system before running a data load, or accept the default configuration and initiate a data load. Select one from:
  • Customize before enabling the system for data loads
  • Activate and prepare the data load with the provided defaults

Post Configuration

There are no post configuration steps associated with a Microsoft Active Directory system.