Enable Azure AD Authentication on Autonomous Database

An Azure AD administrator and an Autonomous Database administrator perform steps to configure Azure AD authentication on Autonomous Database.

Enabling Microsoft Azure AD v2 Access Tokens

To use Microsoft Azure AD v2 access tokens, you must configure the application in the Azure portal to include the upn optional claim.

The Azure AD v2 access token, which is only supported on Autonomous Database Serverless, supports a wider range of access scenarios than the v1 token, including authentication for both organizational accounts (Azure AD) and personal Microsoft accounts (MSA). You can use this token with applications that are registered in the Azure portal using the App registrations (Preview) experience.
  1. Check the version of the Azure AD access token that you are using.
  2. Log in to the Microsoft Azure portal.
  3. Search for and select Azure Active Directory.
  4. Under Manage, select App registrations.
  5. Choose the application for which you want to configure optional claims based on your scenario and desired outcome.
  6. Under Manage, select Token configuration.
  7. Click Add optional claim and select upn.

Checking the Azure AD Access Token Version

You can check the version of the Microsoft Azure AD access token that your site uses by using the JSON Web Tokens web site.

By default, Azure AD issues Microsoft Azure AD v1 access tokens, but your site may have chosen to use v2. Oracle Database supports v1 tokens, and Autonomous Database Serverless supports v2 tokens as well. If you want to use v2 access tokens, you can enable their use for the Oracle database. To find the version of the Azure AD access token that you are using, either check with your Azure AD administrator or confirm the version on the JSON Web Tokens website, as follows.
  1. Go to the JSON Web Tokens website.
    https://jwt.io/
  2. Copy and paste the token string into the Encoded field.
  3. Check the Decoded field, which displays information about the token string.
    Near or at the bottom of the field, you will see a claim named ver, which indicates one of the following versions:
    • "ver": "1.0"
    • "ver": "2.0"
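As an added example that is not part of the Oracle documentation, the following Python script performs the same ver check offline and also reports whether the upn claim required for v2 tokens is present. The sample tokens, tenant id and audience are constructed placeholders, and the script decodes only the payload; it does not verify the signature.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def inspect_azure_token(token: str) -> dict:
    """Return the claims Autonomous Database cares about: 'ver' (1.0 or 2.0)
    and whether the optional 'upn' claim is present. Only the payload is
    decoded; the signature is NOT verified, so this is an inspection aid,
    not an authentication step."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    claims = json.loads(_b64url_decode(parts[1]))
    ver = claims.get("ver")
    return {
        "ver": ver,
        "is_v2": ver == "2.0",
        "has_upn": "upn" in claims,
        "tenant_id": claims.get("tid"),
        "audience": claims.get("aud"),
    }

def needs_upn_claim(token: str) -> bool:
    """True when the token is v2 but lacks the upn claim the database needs."""
    info = inspect_azure_token(token)
    return info["is_v2"] and not info["has_upn"]

def make_sample_token(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned sample token for offline demonstration;
    the third segment is a placeholder, not a real signature."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"

# Constructed sample claims; the tenant id and audience are placeholders.
TENANT = "00000000-0000-0000-0000-000000000000"
AUD = "https://example.com/111aa1aa"
V1_TOKEN = make_sample_token({"ver": "1.0", "tid": TENANT, "aud": AUD, "upn": "user@example.com"})
V2_TOKEN = make_sample_token({"ver": "2.0", "tid": TENANT, "aud": AUD, "preferred_username": "user@example.com"})
if __name__ == "__main__":
    for name, tok in (("v1", V1_TOKEN), ("v2", V2_TOKEN)):
        print(name, inspect_azure_token(tok), "add upn claim" if needs_upn_claim(tok) else "ok")
```

Paste a real token in place of the constructed ones to see which version your application receives and whether the upn optional claim from the previous procedure has taken effect.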

Configuring Azure AD as an External Identity Provider for Autonomous Database

An Autonomous Database administrator can enable Azure AD as an external identity provider on an Autonomous Database instance.

To enable Azure AD as an external identity provider:

  1. Log in to the Autonomous Database instance as a user who has the EXECUTE privilege on the DBMS_CLOUD_ADMIN PL/SQL package. The ADMIN user has this privilege.
  2. Run the DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION procedure with the Azure AD required parameters.
    BEGIN
      DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION(
          type   => 'AZURE_AD',
          params => JSON_OBJECT('tenant_id' VALUE 'tenant_id',
                                'application_id' VALUE 'application_id',
                                'application_id_uri' VALUE 'application_id_uri'),
          force  => TRUE
      );
    END;
    /

    In this procedure the Azure AD parameters are:

    • type: Specifies the external authentication provider. For Azure AD, as shown, use 'AZURE_AD'.
    • params: Values for the required Azure AD parameters are available from the Azure portal on the app registration Overview pane for Azure Active Directory. The required params for Azure AD are:
      • tenant_id: Tenant ID of the Azure account. The tenant ID identifies the Azure AD tenant that holds the Autonomous Database instance's application registration.
      • application_id: Azure Application ID created in Azure AD to assign roles/schema mappings for external authentication in the Autonomous Database instance.
      • application_id_uri: Unique URI assigned to the Azure Application.

        This is the identifier for the Autonomous Database instance. The name must be domain qualified (this supports cross-tenancy resource access).

        The maximum length for this parameter is 256 characters.

    • force: Set this parameter to TRUE if another external authentication method is already configured for the Autonomous Database instance and you want to disable it.

    For example:

    BEGIN
      DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION(
          type   => 'AZURE_AD',
          params => JSON_OBJECT('tenant_id' VALUE '29981886-6fb3-44e3-82',
                                'application_id' VALUE '11aa1a11-aaa',
                                'application_id_uri' VALUE 'https://example.com/111aa1aa'),
          force  => TRUE
      );
    END;
    /

    This sets the IDENTITY_PROVIDER_TYPE system parameter.

    For example, you can use the following to verify IDENTITY_PROVIDER_TYPE:

    SELECT NAME, VALUE FROM V$PARAMETER WHERE NAME='identity_provider_type';
     
    NAME                   VALUE   
    ---------------------- -------- 
    identity_provider_type AZURE_AD

    See ENABLE_EXTERNAL_AUTHENTICATION Procedure for more information.