6 Bridge for Microsoft Active Directory

Overview

The bridge for Microsoft Active Directory synchronizes user account information between Oracle Applications Cloud and Microsoft Active Directory. Using the bridge, you can copy user or role details from Oracle Applications Cloud (as the source) to Active Directory (as the target), or the other way around. Whichever direction you plan to synchronize in, one application is the source and the other is the target.

The current configuration of the bridge supports a single Active Directory forest with a single domain controller topology. The bridge uses a REST API (Representational State Transfer) over HTTPS to communicate with Oracle Applications Cloud, and LDAP (Lightweight Directory Access Protocol) to communicate with the Active Directory server. The Active Directory server need not be reachable from outside the corporate firewall, but it must be reachable from the computer hosting the bridge.

Prerequisites

Before setting up the bridge between Active Directory and Oracle Applications Cloud, you must:

  • Install the Java Runtime Environment (JRE). The bridge is compatible with JRE versions 6, 7, and 8.

  • Install the bridge on a computer that can connect to your Active Directory server.

  • Enable Single Sign-On (SSO) between Oracle Applications Cloud and your Active Directory instance.

System Requirements for the Bridge:

  • Windows Server Version: 2008 and 2012

  • RAM and CPU: As per the OS requirements

  • Disk Space: Minimum 10 GB of free space

Setting Up the Bridge for Microsoft Active Directory

To use the bridge for Active Directory and synchronize information between Oracle Applications Cloud and Active Directory, perform the following steps:

  1. Set the relevant options on the Administration tab in the Security Console to complete the configuration.

  2. Download and install the bridge for Active Directory.

  3. Map attributes between source and target applications for synchronization.

  4. Perform initial synchronization of users.

  5. Perform manual or automatic synchronization regularly to maintain consistency of data on the source and target applications.

Active Directory Synchronization

The bridge for Active Directory synchronizes user account information between Oracle Applications Cloud and Microsoft Active Directory.

After you provide the bridge configuration details, install and run the bridge for Active Directory. Save the credentials for accessing Active Directory and Oracle Fusion Applications, then return to the Bridge for Active Directory setup in the Security Console to complete the user account mapping configuration. When mapping is complete, return to the bridge application and initiate the initial synchronization of users between the source and target applications.

During synchronization, the bridge extracts data from the source and target applications, compares the two sets, and identifies the tasks that must be performed on the target application to make it consistent with the source.

When the comparison completes, the bridge performs those tasks on the target application. Any errors encountered during synchronization are recorded in the log files for review and correction.

After the initial synchronization is complete, you can configure the bridge to synchronize any changes between the source and target at regular intervals or on-demand.

The bridge for Active Directory can perform:

  • Full synchronization

  • Incremental synchronization

Full Synchronization

The bridge starts full synchronization or full reconciliation when any of the following conditions are true:

  • The source and target applications are synchronized for the first time.

  • The bridge configuration for Active Directory has changed.

  • The Run Full Synchronization button is clicked.

To manually perform a full synchronization:

  1. Click the Bridge for Active Directory tab on the Administration page in the Security Console.

  2. Click User Attribute Mappings.

  3. Expand the On Demand Synchronization section and click Run Full Synchronization.

    Note: To disable Forced Full synchronization, click Cancel Full Synchronization.

Incremental Synchronization

The bridge starts incremental synchronization when all of the following conditions are true:

  • The source and target were previously synchronized.

  • The bridge configuration for the active directory hasn't changed.

  • The Run Full Synchronization button isn't clicked.

Incremental synchronization can be either on-demand (manually) or at regular intervals (automatically).

User Account Attribute Mapping

After you install and configure the bridge, map the user account attributes between Oracle Applications Cloud and Microsoft Active Directory. Only after the mapping is complete can you initiate the initial synchronization of users between the source and target applications.

Caution: Don't use the Active Directory bridge with SSO Chooser enabled, as it causes synchronization issues. If you sign in to Oracle Applications Cloud locally and create new users, they won't be reflected in Active Directory after synchronization.

Map the following user attributes:

  • User account attributes

  • Advanced user account attributes

  • Group attributes

Mapping User Attributes

The following attributes of an Oracle Fusion Applications user account are mapped to the corresponding attributes of an Active Directory user account:

  • displayName: Display name of the user account

  • emails.value: Primary email associated with the user account

  • name.familyName: Last name of the user

  • name.givenName: First name of the user

  • userName: User name associated with the user account

During synchronization, the attribute values from the source are copied to the mapped target attributes. Some Active Directory attributes have size restrictions: sAMAccountName is limited to 20 characters for user objects and 64 characters for groups. Synchronization of a user fails if the source value is longer than the mapped Active Directory attribute allows, so check user name lengths before mapping userName to sAMAccountName.
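The comparison described under Active Directory Synchronization (extract both sides, diff, derive tasks, log errors) and the way an oversized user name makes a user's sync fail, as an added Python example. This is not the bridge's own code: the mapping table is the typical Oracle-as-source mapping below, the user records and the existing Active Directory entry are constructed, and the constraint checks, the error threshold and the paging size are assumptions modelled on the defaults the Base Configuration section describes (50 errors, 100 records).

```python
"""Reconcile Oracle Applications Cloud user records against Active Directory.

Added example, not code from Oracle's bridge: records, mapping table and
constraint checks are assumptions for illustration.
"""
from dataclasses import dataclass, field

SAM_MAX_LEN = 20                          # sAMAccountName limit for user objects
CN_MAX_LEN = 64                           # cn limit
SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')   # characters AD rejects in sAMAccountName

# Typical mapping with Oracle Applications Cloud as the source (from the page).
MAPPING = [
    ("emails.value", "mail"), ("userName", "cn"), ("displayName", "displayName"),
    ("name.familyName", "sn"), ("name.givenName", "givenName"),
    ("userName", "userPrincipalName"), ("userName", "sAMAccountName"),
]


def scim_get(record, path):
    """Resolve a dotted SCIM-style path; a list on the way is multi-valued, primary wins."""
    cur = record
    for part in path.split("."):
        if isinstance(cur, list):
            cur = next((e for e in cur if e.get("primary")), cur[0] if cur else None)
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def validate_ad_value(attr, value):
    """Return an error string if the value breaks an AD constraint, else None."""
    if value in (None, ""):
        return f"{attr}: source value missing"
    if attr == "sAMAccountName":
        if len(value) > SAM_MAX_LEN:
            return f"sAMAccountName '{value}' is {len(value)} chars, limit is {SAM_MAX_LEN}"
        if SAM_FORBIDDEN & set(value):
            return f"sAMAccountName '{value}' contains characters AD rejects"
    if attr == "cn" and len(value) > CN_MAX_LEN:
        return f"cn '{value}' is {len(value)} chars, limit is {CN_MAX_LEN}"
    return None


@dataclass
class SyncResult:
    tasks: list = field(default_factory=list)    # ("create"|"update", sAMAccountName, attrs)
    errors: list = field(default_factory=list)   # one line per rejected user, as the log would
    aborted: bool = False                        # the error threshold stopped the run


def reconcile(source_users, ad_entries, mapping=MAPPING, error_threshold=50, page_size=100):
    """Full synchronization with Oracle as source: the tasks the target needs.

    Users whose mapped values break an AD constraint are skipped and logged;
    once error_threshold errors have accumulated the run stops (the page's
    Synchronization Error Threshold). Records are handled in pages of
    page_size (Synchronization Paging Size). The mapping must fill sAMAccountName.
    """
    result = SyncResult()
    ad_by_sam = {e["sAMAccountName"].lower(): e for e in ad_entries}  # AD matches case-insensitively
    for start in range(0, len(source_users), page_size):
        for user in source_users[start:start + page_size]:
            desired, errors = {}, []
            for src, tgt in mapping:
                value = scim_get(user, src)
                problem = validate_ad_value(tgt, value)
                if problem:
                    errors.append(f"{user.get('userName')}: {problem}")
                desired[tgt] = value
            if errors:
                result.errors.extend(errors)
                if len(result.errors) >= error_threshold:
                    result.aborted = True
                    return result
                continue                               # skip this user, carry on
            existing = ad_by_sam.get(desired["sAMAccountName"].lower())
            if existing is None:
                result.tasks.append(("create", desired["sAMAccountName"], desired))
            else:
                changed = {a: v for a, v in desired.items() if existing.get(a) != v}
                if changed:
                    result.tasks.append(("update", desired["sAMAccountName"], changed))
    return result


# Constructed sample input: three Oracle records, one existing AD entry.
SAMPLE_SOURCE = [
    {"userName": "asmith", "displayName": "Ann Smith",
     "name": {"givenName": "Ann", "familyName": "Smith"},
     "emails": [{"value": "ann.smith@example.com", "primary": True}]},
    {"userName": "bjones", "displayName": "Bob Jones",
     "name": {"givenName": "Bob", "familyName": "Jones"},
     "emails": [{"value": "bob.jones@example.com", "primary": True}]},
    {"userName": "christopher.longname-contractor",   # 31 characters: over the sAMAccountName limit
     "displayName": "Chris Long", "name": {"givenName": "Chris", "familyName": "Long"},
     "emails": [{"value": "chris.long@example.com", "primary": True}]},
]
SAMPLE_AD = [
    {"sAMAccountName": "asmith", "cn": "asmith", "userPrincipalName": "asmith",
     "mail": "ann.smith@example.com", "displayName": "Ann Smyth",  # stale display name
     "sn": "Smith", "givenName": "Ann"},
]
```

Running reconcile(SAMPLE_SOURCE, SAMPLE_AD) yields one update (Ann's display name), one create (bjones) and one logged error for the 31-character user name; the other two users still synchronize, because a single bad record stops the run only once the error threshold is reached.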

The following table lists a typical mapping of attributes when Oracle Fusion Applications is the source.

Oracle Applications Cloud (source)    Microsoft Active Directory (target)
emails.value                          mail
userName                              cn
displayName                           displayName
name.familyName                       sn
name.givenName                        givenName
userName                              userPrincipalName
userName                              sAMAccountName

The following table lists a typical mapping of attributes when Microsoft Active Directory is the source.

Microsoft Active Directory (source)   Oracle Applications Cloud (target)
mail                                  emails.value
sAMAccountName                        userName
displayName                           displayName
givenName                             name.givenName
sn                                    name.familyName

On the Security Console, click Administration > Bridge for Active Directory tab > User Attribute Mappings. Click Add to add or update the mapping between attributes of the source and target applications.

Mapping Advanced Attributes

Use this option when Active Directory is the source. Select Synchronize User Status to enable the account status, such as Disabled, to propagate to Oracle Applications Cloud.

Microsoft Active Directory Bridge Setup

Prepare Oracle Applications Cloud to Connect With Microsoft Active Directory

Follow this procedure to configure the Bridge for Microsoft Active Directory. Sign in to Oracle Applications Cloud environment as an administrator with the IT Security Manager (ORA_FND_IT_SECURITY_MANAGER_JOB) role.

  1. Click Navigator > Security Console.

  2. On the Administration page, click the Bridge for Active Directory tab.

  3. Click Configuration.

  4. Expand the Base Configuration section and provide the following details:

    Field Description

    Source of Truth

    Select the source, such as Oracle Fusion Applications or Active Directory.

    Synchronization Interval (Hours)

    Enter the time interval (in hours) that the bridge uses to begin synchronization automatically. The default value is one hour.

    Synchronization Paging Size

    Enter the number of accounts that are synchronized in a single operation. The default value is 100 records.

    Synchronization Error Threshold

    Enter the maximum number of errors that can occur during synchronization. When the limit is reached, synchronization fails and stops. By default, synchronization stops after 50 errors have occurred.

    Scheduler

    Specify whether you want to automatically schedule synchronizations. If enabled, the synchronizations will run automatically as per the specified schedule and interval.

    Role Integration

    Specify whether you want to use role integration. It is applicable when Active Directory is the source. When enabled, the synchronization will read groups the users are directly or indirectly assigned to in Active Directory. If a user has been assigned to or removed from a group of the group mapping, the corresponding user in Oracle Applications Cloud will be added to or removed from the corresponding mapped role in Oracle Applications Cloud.

    Reset APPID Password

    Enter a new password. During synchronization, this password is used by the bridge to connect to Oracle Applications Cloud.

  5. Expand the Logging Configuration section and provide the following details:

    Field Description

    File Name

    Enter the name of the log file. This file is created in the bridge's log folder (%APPDATA%\Oracle\AD Bridge\log) on the computer where the bridge is installed. The default value is ad_fa_synch.log.

    Log Level

    Specify the level at which messages must be logged during synchronization. The default level is set to Information.

    Maximum Log Size

    Specify the maximum size of the log file. The default value is 4 GB. When the maximum size is reached, a new log file is created.

  6. Expand the Active Directory Configuration section and provide the following details. The bridge uses this information to connect to the Active Directory server.

    Field Description

    Host

    Enter the host address of the Active Directory server.

    Port

    Enter the port of the Active Directory server. The default non-SSL port is 389.

    Enable SSL

    Select this option for secure communication with the Active Directory server. When you select this option, the default port changes to 636. With this option cleared, the bridge's LDAP traffic to the domain controller, including any simple-bind credentials, crosses the network unencrypted, so leave it selected unless the bridge host and the domain controller share an isolated network segment.

    Synchronization Strategy

    Select the algorithm that must be used for synchronization. You can select Directory Synchronization or Update Sequence Number. The default value is Directory Synchronization.

    Note: If you change the synchronization strategy after the initial configuration, the synchronization state resets and the next run is a full synchronization.

    User Base DN

    Enter the distinguished name of the location in your Active Directory where the user accounts are created or retrieved by the bridge.

    Search Base

    Enter the same value as the User Base DN.

    User Search Filter

    Enter the LDAP query that the bridge uses to retrieve user account objects from Active Directory. For example, (&(objectClass=user)(!(objectClass=computer))). The second clause matters: computer objects in Active Directory also carry objectClass=user, so without it machine accounts would be synchronized as users.

    Group Base DN

    Enter the distinguished name of the location in your Active Directory from where the bridge fetches the groups.

    Note: This field is applicable only when Active Directory is the source.

    Group Search Filter

    Enter the LDAP query that's used to fetch the groups that map to roles from your Active Directory server. For example, (objectClass=group).

    Note: This field is applicable only when Active Directory is the source.

  7. Expand the Network Proxy Configuration section and provide the details.

    Note: Provide these details only when Active Directory is the source, and the bridge uses a proxy to connect to the Active Directory server.

    Field Description

    Enable Proxy Settings

    Select this option to enable communication through a proxy between Oracle Applications Cloud and your Active Directory bridge. Use this option when you need to connect from an isolated network host.

    Host

    Enter a host name and address for the proxy.

    Port

    Enter a port for the proxy.

    Enable SSL

    Select this option for secure communication with the proxy.

  8. Expand the Heartbeat section and update the following details.

    Field Description

    Heartbeat Interval

    Enter the time interval, in seconds, at which heartbeat notifications are sent from the bridge to Oracle Applications Cloud to signal that the bridge is active. It is set to 60 seconds by default.

  9. Click Save and click OK.
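The two search filters in step 6 decide which objects the bridge reads. The following Python is an added example, not the bridge's code: it parses the RFC 4515 filter subset those examples use (AND, OR, NOT, equality, presence) and evaluates it over constructed directory entries, which shows why the user filter excludes objectClass=computer. Substring filters and Active Directory extensible-match filters (such as the userAccountControl bit test used to exclude disabled accounts) are rejected by this parser; the entries, DNs and attribute values are assumptions.

```python
"""Evaluate an LDAP search filter against sample Active Directory entries.

Added example, not code from the bridge. Supports the RFC 4515 subset the
page's filters use (AND, OR, NOT, equality, presence); substring and
extensible-match filters raise ValueError. Directory entries are constructed.
"""
import re

_ITEM = re.compile(r"([A-Za-z][\w.;-]*)=([^()]*)")


def parse_filter(text):
    """Parse a filter string into a tuple tree, e.g. ('&', [('eq', 'objectClass', 'user'), ...])."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected '{ch}' at offset {pos} in {text!r}")
        pos += 1

    def parse():
        nonlocal pos
        expect("(")
        op = text[pos] if pos < len(text) else ""
        if op in ("&", "|", "!"):
            pos += 1
            kids = []
            while pos < len(text) and text[pos] == "(":
                kids.append(parse())
            if not kids or (op == "!" and len(kids) != 1):
                raise ValueError(f"'{op}' has the wrong number of operands")
            node = (op, kids)
        else:
            m = _ITEM.match(text, pos)
            if not m:   # covers extensible match, e.g. attr:1.2.840.113556.1.4.803:=2
                raise ValueError(f"unsupported or malformed filter item at offset {pos}")
            attr, value = m.group(1), m.group(2)
            pos = m.end()
            if value == "*":
                node = ("present", attr)
            elif "*" in value:
                raise ValueError("substring filters are not supported here")
            else:
                node = ("eq", attr, value)
        expect(")")
        return node

    node = parse()
    if pos != len(text):
        raise ValueError("unexpected text after the filter")
    return node


def normalise(entry):
    """Lower-case names and values: AD matches objectClass and most strings case-insensitively."""
    out = {}
    for attr, values in entry.items():
        values = values if isinstance(values, list) else [values]
        out[attr.lower()] = [str(v).lower() for v in values]
    return out


def matches(node, norm):
    kind = node[0]
    if kind == "&":
        return all(matches(child, norm) for child in node[1])
    if kind == "|":
        return any(matches(child, norm) for child in node[1])
    if kind == "!":
        return not matches(node[1][0], norm)
    if kind == "present":
        return node[1].lower() in norm
    _, attr, value = node
    return value.lower() in norm.get(attr.lower(), [])


def search(directory, filter_text):
    """Return the DNs of the entries the filter selects, in directory order."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in directory if matches(node, normalise(e))]


USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
DIRECTORY = [   # constructed; the objectClass sets are the ones AD really assigns
    {"dn": "CN=Ann Smith,OU=Users,DC=example,DC=com", "objectClass": USER_CLASSES,
     "sAMAccountName": "asmith", "mail": "ann.smith@example.com"},
    {"dn": "CN=WS-0042,OU=Workstations,DC=example,DC=com",
     "objectClass": USER_CLASSES + ["computer"], "sAMAccountName": "WS-0042$"},
    {"dn": "CN=svc-backup,OU=Service Accounts,DC=example,DC=com",
     "objectClass": USER_CLASSES, "sAMAccountName": "svc-backup"},
    {"dn": "CN=Finance,OU=Groups,DC=example,DC=com", "objectClass": ["top", "group"],
     "sAMAccountName": "Finance"},
]
```

With these entries, (objectClass=user) alone returns the workstation account as well as the two people, while the page's full user filter drops it. Note that the service account still passes: if you don't want service or disabled accounts in Oracle Applications Cloud, narrow the filter (or the User Base DN) accordingly before the first full synchronization.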

Download and Install the Bridge for Active Directory

Once you have set the configuration details for the bridge, download the bridge for Active Directory on a computer connected to your network. This computer must connect to both Oracle Applications Cloud and your Microsoft Active Directory server instance. Before you configure and install the bridge, ensure that you have the IT Security Manager role (ORA_FND_IT_SECURITY_MANAGER_JOB) access.

  1. Click Navigator > Tools > Security Console.

  2. On the Administration page, click the Bridge for Active Directory tab.

  3. Click Launch.

  4. Review the message that appears and click OK.

  5. Accept the notification to download the bridge file (adbridge.jnlp).

  6. Open the bridge file (adbridge.jnlp) from your Web browser.

  7. Enter User name and Password to sign in. You can use your Oracle Applications Cloud credentials to sign in.

  8. Click OK.

    The bridge for Active Directory is installed. Once the bridge is installed, you can open it.

  9. Click Run to start the bridge.

  10. Enter User name and Password. You can use your Oracle Applications Cloud credentials to sign in.

  11. Click OK.

  12. Open the Bridge for Active Directory. The bridge automatically displays the necessary information configured through the Security Console.

  13. Click the Configuration tab

  14. In the Active Directory section, enter the User name and Password for the Active Directory server. Use a dedicated account with no more rights than the chosen direction needs: read access to the user and group base DNs when Active Directory is the source, and create and modify rights within the User Base DN when it's the target.

  15. In the Oracle Applications Cloud section, enter the Password for the Oracle Applications Cloud host. Use the Reset APPID Password that you provided while configuring the bridge.

  16. You can change the Oracle Applications Cloud network settings. Click Network Settings to update the details.

  17. Click Save and click Close.

    The bridge updates the setup information from Active Directory (attributes, groups) to Oracle Applications Cloud. Use this setup information to perform mapping in the Security Console.

Map Attributes and Groups for Synchronization

Once the bridge has uploaded the Active Directory setup information (attributes and groups) to Oracle Applications Cloud, map the attributes and groups in the Security Console.

  1. Click Navigator > Security Console.

  2. On the Administration page, click the Bridge for Active Directory tab.

  3. Click User Attribute Mappings.

  4. Two attributes appear by default. Select source and target user attributes from the lists. Click Add to map more attributes between the source and target.

  5. Select the source attribute from the Source User Attribute list.

  6. Select the target attribute from the Target User Attribute list.

  7. Click OK.

  8. Repeat steps 4 to 7 to map more attributes.

  9. Click Save.

  10. Expand the Advanced Attribute Mappings section.

  11. Set the Synchronize User Account Status to either enable or disable, to determine whether to synchronize the account or not.

  12. Click Save.

  13. Click Group Mappings to map Active Directory groups to Oracle Applications Cloud roles.

  14. Click Add to add new group to role mapping or select an existing mapping and click the Actions drop-down list.

  15. On the Add Role Mapping dialog box, select the Group and the Roles. When a user account is added to or removed from the group in Active Directory, the corresponding Oracle Applications Cloud user account is added to or removed from the mapped roles.

  16. Click OK.

  17. Click Save.

Perform Initial Synchronization

Follow these steps to perform the initial synchronization of users:

  1. Start the Bridge for Active Directory.

  2. Sign in to bridge using your Oracle Fusion Applications login credentials.

  3. Click the Synchronization tab.

  4. Click Run Now.

  5. Click See Log Files to view the log files for any errors.

  6. Click Close.

Run Synchronization

In the initial synchronization, data is copied from the source application to the target application. After the initial synchronization is complete, you can configure the bridge to synchronize any changes between the source and target applications, either on-demand (manually) or at regular intervals (automatically).

Manual Synchronization

Perform manual synchronization whenever you want to synchronize the source and target applications after the initial synchronization. The Run Now control is in the bridge application, not in the Security Console:

  1. Start the bridge and sign in with your Oracle Applications Cloud credentials.

  2. Click the Synchronization tab and click Run Now.

Automatic Synchronization

You can configure the bridge to perform synchronization periodically as a Microsoft Windows service. Perform the following steps to configure automatic synchronization:

Note: For setting up the Windows service, use the same domain and user credentials that you used for installing the Active Directory Bridge.

  1. Start the bridge.

  2. Click Service Installation.

  3. Enter the user name and password of the account that's used to run the service. The account must have administrative and Log on as a service privileges.

  4. Click Install Windows Service.

On successful installation, the bridge is registered as a service with the name Bridge for Active Directory.

Specifying the Synchronization Interval

Once the bridge is set up to run as a Windows Service, it periodically performs synchronization. The synchronization interval is specified in the Security Console and must be specified before the bridge is downloaded.

  1. Select Navigator > Security Console.

  2. Click the Administration tab.

  3. Click the Bridge for Active Directory link.

  4. Go to the Configuration tab and specify the Synchronization Interval (in hours).

Uninstall the Bridge for Active Directory

You can uninstall the bridge for Active Directory when you don't need it. If you had earlier installed the Windows Service associated with Active Directory Bridge, you must uninstall that service before uninstalling the Bridge for Active Directory.

Uninstall Windows Service

  1. Open the bridge application and click Uninstall Windows Service on the Service Uninstall tab.

  2. Review the confirmation message that appears and click OK.

  3. Close the bridge application.

Uninstall the Bridge for Active Directory

  1. Go to Control Panel > Programs and Features.

  2. Select Bridge for Active Directory and click Uninstall.

  3. Review the message that appears and click OK.

  4. Enter User name and Password. Use the same credentials that you used to sign in to Oracle Applications Cloud.

  5. Click OK to finish the uninstallation process.

  6. Delete the folder %APPDATA%\Oracle\AD Bridge to remove all traces of the Active Directory bridge.

FAQs on Working with the Bridge for Microsoft Active Directory

Can the bridge support other LDAP directories?

No, the bridge can only be used for synchronization between Oracle Cloud Applications and Microsoft Active Directory.

How often can I synchronize information?

Using the Microsoft Windows service, you can configure the bridge to perform synchronization periodically. The minimum interval between two synchronizations must be one hour.

What Active Directory objects can I synchronize?

You can synchronize Active Directory users and groups.

Use the following synchronization options:

  • Synchronize users with Oracle Applications Cloud user accounts.

  • Synchronize groups with Oracle Applications Cloud roles.

You can synchronize users when the source is either Oracle Applications Cloud or Active Directory. You can synchronize groups only when the source is Active Directory.

What attributes can I synchronize?

You can synchronize the following predefined attributes in Oracle Applications Cloud with any Active Directory attributes:

Attribute          Description
displayName        Display name of the user account.
emails.value       Primary email address associated with the user account.
name.familyName    Last name of the user.
name.givenName     First name of the user.
userName           User name (name for signing in) associated with the user.

You can't change or format an attribute during synchronization.

Note: You can synchronize only the predefined attributes, not any user-defined attribute.

How can I view the log files?

To view the log files, click the Synchronization tab on the bridge application and click the See Log Files link.

Information about each synchronization is recorded in the log files. The path to the log file on a Windows operating system is: %APPDATA%\Oracle\AD Bridge\log.