Create a Microsoft Active Directory (AD) Bridge

To create a Microsoft Active Directory (AD) Bridge that provides a link between your AD enterprise directory structure and Oracle Identity Cloud Service, you must be assigned to either the identity domain administrator role or the security administrator role. You must also have administrative rights to access the AD domain that you want to monitor by using the bridge.

Part of creating the AD Bridge is providing administrative credentials for both AD and Oracle Identity Cloud Service. The bridge requires these credentials to communicate with AD and Oracle Identity Cloud Service as an administrator.

See Add or Remove a User Account from an Administrator Role for more information about assigning administrator roles to users.

Important:

The AD account used to install the AD Bridge should have the following permissions:
  • Generic Read for the users and groups in the AD domain that you want to import into Oracle Identity Cloud Service

  • Generic Read for all organizational units (OUs) in the domain

  • Generic Read for the cn=Configuration container in the domain

  • The List Children and Read properties for the cn=Deleted Objects container with inheritance

If this account is also used to configure delegated authentication for the AD Bridge, then the account should have the following permissions:

  • Change Password

  • Reset Password

  • Read pwdLastSet

  • Write pwdLastSet

  • Read lockoutTime

  • Write lockoutTime

See Set Permissions for Your Microsoft Active Directory (AD) Account.
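The permissions above are easy to get subtly wrong (a Reset Password grant without the matching pwdLastSet write, or a read that was scoped to one property instead of the object). The script below is an added example, not Oracle's code, that audits whether a chosen account actually holds each listed right on the OUs you intend to import, on cn=Configuration, and on the Deleted Objects container. It assumes the RSAT ActiveDirectory module on a domain-joined host; the account name and OU distinguished names are placeholders, and the GUIDs for the attributes and extended rights are resolved from the schema and configuration partitions rather than hardcoded.

```powershell
# Added example (not Oracle's code): audit the rights the bridge account holds.
# Placeholders - replace with your own values:
$BridgeAccount      = 'CONTOSO\svc-adbridge'                 # hypothetical account
$TargetOUs          = @('OU=People,DC=contoso,DC=com',
                        'OU=Groups,DC=contoso,DC=com')       # OUs to be imported
$CheckDelegatedAuth = $true   # $false if delegated authentication is not used

Import-Module ActiveDirectory
$rootDse  = Get-ADRootDSE
$domainDN = $rootDse.defaultNamingContext

# Resolve GUIDs from the directory so nothing is hardcoded.
function Get-AttributeGuid([string]$ldapName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties schemaIDGUID
    return [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$displayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    return [guid]$o.rightsGuid
}

# Each requirement: where it must be granted, which ACE bits, and (for property
# or extended rights) the ObjectType GUID the ACE must carry.
$required = @(
    @{ Name='Generic Read on import OUs';            Paths=$TargetOUs;
       Rights='GenericRead';                          Guid=[guid]::Empty }
    @{ Name='Generic Read on cn=Configuration';      Paths=@($rootDse.configurationNamingContext);
       Rights='GenericRead';                          Guid=[guid]::Empty }
    @{ Name='List Children + Read on Deleted Objects'; Paths=@("CN=Deleted Objects,$domainDN");
       Rights='ListChildren,ReadProperty';            Guid=[guid]::Empty }
)
if ($CheckDelegatedAuth) {
    $required += @{ Name='Change Password';      Paths=$TargetOUs; Rights='ExtendedRight';
                    Guid=(Get-ExtendedRightGuid 'Change Password') }
    $required += @{ Name='Reset Password';       Paths=$TargetOUs; Rights='ExtendedRight';
                    Guid=(Get-ExtendedRightGuid 'Reset Password') }
    $required += @{ Name='Read/Write pwdLastSet'; Paths=$TargetOUs; Rights='ReadProperty,WriteProperty';
                    Guid=(Get-AttributeGuid 'pwdLastSet') }
    $required += @{ Name='Read/Write lockoutTime'; Paths=$TargetOUs; Rights='ReadProperty,WriteProperty';
                    Guid=(Get-AttributeGuid 'lockoutTime') }
}

function Test-BridgeRight($entry) {
    $wanted = [int][System.DirectoryServices.ActiveDirectoryRights]$entry.Rights
    foreach ($dn in $entry.Paths) {
        $acl = Get-Acl -Path "AD:\$dn"
        $granted = 0
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -ne $BridgeAccount) { continue }
            # An empty ObjectType means the ACE covers every property / extended right;
            # otherwise it must name exactly the GUID we are checking for.
            if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $entry.Guid) { continue }
            $granted = $granted -bor [int]$ace.ActiveDirectoryRights
        }
        [pscustomobject]@{
            Requirement = $entry.Name
            Object      = $dn
            Granted     = (($granted -band $wanted) -eq $wanted)
        }
    }
}

$required | ForEach-Object { Test-BridgeRight $_ } | Format-Table -AutoSize
```

Rights are accumulated across all Allow ACEs for the identity before the required bits are compared, so a ReadProperty grant on all properties plus a separate WriteProperty grant on pwdLastSet is recognised. The script does not expand group membership or evaluate Deny ACEs: if the rights were delegated to a group, pass that group's name as `$BridgeAccount`, and treat any row that reports `False` as something to fix before running the installer's AD connection test.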

You can access the Managing Security Settings infographic to see how to create an AD Bridge.

  1. In the Identity Cloud Service console, expand the Navigation Drawer, click Settings, and then click Directory Integrations.
  2. If this is the first AD Bridge you’re creating, then click Add a Microsoft Active Directory Bridge. Otherwise, click Add.
  3. In the Install Bridge page, make a note of the Identity Cloud Service URL, Client ID, and Client Secret.
    The Identity Cloud Service URL contains the name and port number for your Oracle Identity Cloud Service identity domain. The Client ID and Client Secret are used by the AD Bridge to access Oracle Identity Cloud Service as an administrator.

    Note:

    The Client Secret is encrypted (for security purposes). To see the Secret in clear text, click Show Secret. To regenerate the Secret for the AD Bridge, click Regenerate.
  4. Click Download.
    Oracle Identity Cloud Service downloads the client for the AD Bridge.

    Note:

    Don’t close the Install Bridge page. You'll need to reference the Identity Cloud Service URL, Client ID, and Client Secret when creating the AD Bridge.
  5. To install the client for the AD Bridge, double-click the ad-id-bridge.exe file.
    The Welcome to AD Bridge Installer window appears.
  6. In the Language Selection area, select the language that you want to use to install the client for the AD Bridge, and then click OK.
    The Identity Cloud Service Microsoft Active Directory Bridge Installer appears.

    Tip:

    While you’re installing the client for the AD Bridge, Oracle Identity Cloud Service generates log files for the bridge automatically, and stores them in the %Temp% directory.
  7. If the Open File — Security Warning dialog box appears, then click Run. Otherwise, go to step 8.
  8. In the Welcome dialog box, click Next.
  9. In the Destination Folder dialog box, choose one of the following install choices:
    • To install the client in the default directory, click Next.
    • To select another directory to install the client:
      1. Click Browse.

      2. In the Browse For Folder dialog box, select the directory where Oracle Identity Cloud Service will install the client.

      3. Click OK.

      4. Click Next.

  10. In the Specify Proxy Server dialog box:
    1. If your organization has a firewall in place and requires communication to be handled using an HTTP Proxy Server, then select Use Proxy Server. If you select this check box, then provide the full path (or address) of the proxy server and the administrator credentials for connecting to the proxy server.
    2. If your organization doesn’t require communication to be handled using an HTTP Proxy Server, then don't select Use Proxy Server.
    3. Click Next.
  11. In the Specify Identity Cloud Service Credentials dialog box:
    1. Provide the Cloud Service URL, Client ID, and Client Secret.

      Tip:

      These credentials appear on the Install Bridge page of the Identity Cloud Service console.
    2. Click Test.

      The AD Bridge attempts to connect to the Oracle Identity Cloud Service server.

      If a connection can be established, then a Connection Successful! confirmation message appears.

      Otherwise, you’ll receive an error message, indicating that you entered an incorrect Cloud Service URL, Client ID, or Client Secret. Modify the incorrect values, and click Test again.

    3. Click Next.
  12. In the Specify Microsoft Active Directory Credentials dialog box, provide the following connection details to the AD server:
    1. Username: The AD account that the AD Bridge uses to access the AD server.
    2. Password: The password for the AD account.
    3. Use SSL: If you're connecting to the server via an SSL connection, then leave this check box selected. Otherwise, deselect it.

      Note:

      Oracle recommends that you keep the Use SSL check box selected because this results in a faster and more secure connection. After you select or deselect this check box and install the client for the AD Bridge, you can't modify this setting.
    4. Click Test.

      The AD Bridge attempts to connect to the AD server.

      If a connection can be established, then a Connection Successful! confirmation message appears.

      Otherwise, you’ll receive an error message, indicating that:
      • You entered an incorrect username or password. Modify the incorrect values, and click Test again.

      • You're attempting to connect to the AD server via an SSL connection, but the certificate for the server isn't trusted. Make sure that this certificate is valid, and is present in the trust store of your machine. Then, click Test again.

    5. Click Next.
  13. In the Summary dialog box, click Close.
  14. In the Identity Cloud Service console, access the Directory Integrations page.
    The AD Bridge that you created for the AD domain appears with a status of Partially Configured. The bridge is created, but not configured. See Configure a Microsoft Active Directory (AD) Bridge for more information about configuring this bridge.

    Note:

    If you don't see the AD Bridge in the Directory Integrations page, then refresh your web browser. Also, you can create only one bridge per AD domain.
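Because the Use SSL choice in step 12 can't be changed after installation, it is worth confirming before you run the installer that the domain controller's LDAPS certificate is one this machine will trust. The script below is an added example, not Oracle's code, that performs the same kind of check the installer's Test button does for an SSL connection and explains why it fails: it fetches the certificate presented on TCP 636, builds its chain against the local trust store, and checks that the host name you will type matches the certificate. The domain controller name is a placeholder.

```powershell
# Added example (not Oracle's code): pre-check a DC's LDAPS certificate against
# this machine's trust store before choosing "Use SSL" in the installer.
function Test-LdapsCertificate {
    param([string]$Server, [int]$Port = 636)

    # 1) Permissive handshake only to retrieve the certificate the DC presents.
    #    The callback accepts anything here; validation is done explicitly below
    #    so that the reason for a failure is reported instead of a bare exception.
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($Server)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose(); $tcp.Dispose()

    # 2) Build the chain with the local machine's trust store (the store the
    #    installer's Use SSL test relies on) and collect every problem found.
    #    Revocation is skipped so that a trust failure is not masked by an
    #    unreachable CRL; set 'Online' once trust itself is confirmed.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk  = $chain.Build($cert)
    $problems = @($chain.ChainStatus | ForEach-Object {
        "$($_.Status): $($_.StatusInformation.Trim())" })

    # 3) Name check: the host name given to the installer must appear in the
    #    Subject Alternative Name (or the CN), otherwise a strict client rejects it.
    $names = @($cert.GetNameInfo('DnsName', $false))
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        # Windows formats the SAN as "DNS Name=host1, DNS Name=host2"
        $names += ($sanExt.Format($false) -split ', ' | ForEach-Object { ($_ -split '=')[-1] })
    }
    $nameOk  = [bool]($names | Where-Object { $Server -like $_ })   # -like handles *.domain
    $expired = $cert.NotAfter -lt (Get-Date)

    [pscustomobject]@{
        Server         = $Server
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        NotAfter       = $cert.NotAfter
        Expired        = $expired
        NameMatch      = $nameOk
        ChainTrusted   = $chainOk
        Problems       = $problems
        ReadyForUseSSL = ($chainOk -and $nameOk -and -not $expired)
    }
}

# Placeholder host name - replace with the DC the bridge will connect to.
Test-LdapsCertificate -Server 'dc01.contoso.com' | Format-List
```

Run it on the machine where the bridge client will be installed, because that machine's trust store is the one that matters. A `ChainTrusted` of `False` with a `PartialChain` or `UntrustedRoot` entry in `Problems` means the issuing CA certificate must be imported into that machine's Trusted Root (or intermediate) store; a `NameMatch` of `False` means you should connect using a name the certificate actually carries rather than, for example, a short host name or IP address.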