Configure a Microsoft Active Directory (AD) Bridge

After creating a Microsoft Active Directory (AD) Bridge, you configure it by:

  • Selecting the AD organizational units (OUs) and groups with which you want Oracle Identity Cloud Service to synchronize using the AD Bridge. The OUs contain the users that you want to import into Oracle Identity Cloud Service. By synchronizing with AD, the bridge can transfer new, updated, or deleted user or group records into Oracle Identity Cloud Service.

  • Specifying whether, after a user or group is synchronized from AD to Oracle Identity Cloud Service, if you activate or deactivate a user, modify the user's attribute values, or change the group memberships for the user in Oracle Identity Cloud Service, these changes will be propagated to AD.
  • Scheduling how often you want Oracle Identity Cloud Service to use the AD Bridge to import users and groups from AD.

  • Defining custom attribute mappings between AD and Oracle Identity Cloud Service.

  • Specifying whether users can use their Oracle Identity Cloud Service or AD passwords, or their federated accounts, to authenticate into Oracle Identity Cloud Service to access resources that are protected by Oracle Identity Cloud Service, such as the My Profile console, the Identity Cloud Service console, or any apps assigned to the users.

You can access the Managing Security Settings infographic to see how to configure an AD Bridge.

  1. In the Identity Cloud Service console, expand the Navigation Drawer, click Settings, and then click Directory Integrations.
  2. Click the AD Bridge that you want to configure.

    Note:

    The bridge has a status of Partially Configured.
  3. In the Configure the Microsoft Active Directory Domain page, configure the AD domain to listen for changes to users or groups in AD and import those changes into Oracle Identity Cloud Service.
    1. In the Select organizational units (OUs) for users and Select organizational units (OUs) for groups panes:
      1. Select the Include Hierarchy check box. If you select a parent OU, then all children OUs will be selected. The OUs contain the users and groups that you want to import into Oracle Identity Cloud Service.

        OR

        Deselect the check box. If you select a parent OU, then children OUs won’t be selected.

      2. Select the check box for each OU that contains users or groups with which you want Oracle Identity Cloud Service to synchronize using the AD Bridge.

        Note:

        If you don’t see any OUs for users or groups in the Select organizational units (OUs) for users and Select organizational units (OUs) for groups panes, then refresh your web browser.

        To force a full synchronization between AD and Oracle Identity Cloud Service, deselect all check boxes for selected user or group OUs, click Save, and then in the Save Configuration Changes? dialog box, click OK. Then, click Import to import the users and groups from AD.

      3. Optional. In the Filter text box, enter a custom filter to search for user or group OUs. For example, entering (sn=Smith) will return all users with the last name of Smith. Or, enter (department=IT) to return the IT group.

      Tip:

      • To select all users or groups, select the Include Hierarchy check box, and then select the top-most check box in each pane.

      • In the Filter text box, you can’t enter more than 4,000 characters.

      • The wildcard character * is allowed, except when the AD Attribute is a DN attribute. For more information about AD filters, click here.

      • You can use the Filter text box to synchronize users from AD to Oracle Identity Cloud Service based on their group memberships rather than their OUs. To do this, don't delect the check boxes for the OUs. Instead, in the Filter text box, provide the custom group membership filters.
      • If there's a mismatch between the number of users or groups you're expecting to be transferred into Oracle Identity Cloud Service and how many users or groups are actually imported, then use Active Directory Users and Computers to test the custom filter in AD to verify that the users and groups brought into Oracle Identity Cloud Service are correct.

      • The names of the users that you want to import into Oracle Identity Cloud Service must contain at least three characters. The names of the groups that you want to import into Oracle Identity Cloud Service must contain at least five characters.

      • The telephone numbers of the users that you want to import must meet the requirements of the RFC 3966 specification.

    2. In the Supported Operations area, choose which operations for Oracle Identity Cloud Service users or groups will be propagated to AD:
      • If you activate or deactivate Oracle Identity Cloud Service users, and you want these user activation status changes to be reflected in AD, then select the Activate/Deactivate Users check box. Otherwise, leave this check box deselected.
      • If you edit attribute values for Oracle Identity Cloud Service users, and you want these modifications to be passed to AD, then select the Update Users Attributes check box. Otherwise, leave this check box deselected.
      • If you change the groups to which Oracle Identity Cloud Service users belong, and you want these group membership changes to be propagated to AD, then select the Update Groups check box. Otherwise, leave this check box deselected.
    3. In the Set import frequency area, schedule how often, in hours and minutes, you want Oracle Identity Cloud Service to use the AD Bridge to import users and groups from AD.

      Important:

      During an incremental synchronization cycle, if there are more than 100,000 group membership changes in Microsoft Active Directory, then the synchronization cycle might take more than one hour. Microsoft Active Directory needs this time to process the change logs.
    4. In the Configure Attribute Mappings area, click Edit Attribute Mappings to define custom attribute mappings between AD and Oracle Identity Cloud Service. See Define Attribute Mappings for a Microsoft Active Directory (AD) Bridge. Otherwise, go to step e.
    5. In the Authentication Settings area, select Enable local authentication if you want users to use their Oracle Identity Cloud Service or their AD passwords to authenticate into Oracle Identity Cloud Service to access Oracle Identity Cloud Service-protected resources.

      If you select this option, then configure delegated authentication for this AD Bridge. By activating delegated authentication, users transferred into Oracle Identity Cloud Service through the bridge will use their AD passwords to sign in to Oracle Identity Cloud Service. By deactivating delegated authentication, users must use their Oracle Identity Cloud Service passwords to authenticate into Oracle Identity Cloud Service. See Configure Delegated Authentication in Oracle Identity Cloud Service for more information about configuring delegated authentication for an AD Bridge.

      Also, if you select Enable local authentication, then keep Don't send Welcome Notifications deselected to have Oracle Identity Cloud Service notify users by email that they must activate the Oracle Identity Cloud Service accounts that are created for them.

      Otherwise, if you don't want users to be notified that Oracle Identity Cloud Service created accounts for them, then select the Don't send Welcome Notifications check box.

      If you want users to use their federated accounts to authenticate into Oracle Identity Cloud Service, then select Enable federated authentication.

      Note:

      If you select this option, then configure SSO through the Identity Providers page. See Activate and Deactivate an Identity Provider.

      Important:

      By selecting Enable federated authentication, any user accounts that are transferred into Oracle Identity Cloud Service through the AD Bridge are classified as federated accounts. For referential integrity purposes, you can't deactivate, remove, or change the status of these user accounts to nonfederated.
    6. Click Save.
  4. In the Confirmation window, click OK.
    The status of the AD Bridge changes from Partially Configured to Configured. The bridge is created and configured.

    Important:

    Before you use the AD Bridge to import any AD user accounts into Oracle Identity Cloud Service, enable the Password Never Expires option for the accounts in AD. Otherwise, the passwords for the accounts will expire. If this occurs, then you can change the passwords. See Microsoft Active Directory (AD) Bridge Limitations in Known Issues for Oracle Identity Cloud Service.

    Note:

    If you use the AD Bridge to import a group into Oracle Identity Cloud Service, and then delete the group in Oracle Identity Cloud Service, you can re-establish a link between the group in AD and the group in Oracle Identity Cloud Service. To do so:
    1. In the Select organizational units (OUs) for groups pane, clear the check box for the designated group, and click Save.

    2. Select the check box for the group, and click Save again.

    3. Run the AD Bridge to synchronize the group between Oracle Identity Cloud Service and AD immediately. See Run a Microsoft Active Directory (AD) Bridge.