4. Additional Configurations for Federated Users
- In the browser, log in to Microsoft Azure using the URL.
- Click Azure Active Directory to open the Azure Active Directory overview page.
- In the left menu, click Enterprise applications.
- Click the application you created earlier, Oracle Cloud Infrastructure Console.
- In the left menu under Manage, click Provisioning and then click Edit Provisioning.
- In the Provisioning page, click Mappings.
- Under Mappings, click Provision Azure Active Directory Users.
- Under Attribute Mappings, scroll down and click Add New Mapping.
Note:
- In the Azure user mapping, keep only the mappings shown in the table below and remove all other mappings.
- If a target attribute is not listed in the Azure user mapping, see the 'Custom Attribute Mapping' section to add it first.
Table 2-1 User Mappings
Azure AD User Attribute Name | OCI IAM Domain User Attribute Name | IAM Domain Attribute Type | Mapping Type | Value | Description | Mandatory |
---|---|---|---|---|---|---|
userPrincipalName | userName | String | Direct | N/A | User name | Yes |
surname | name.familyName | String | Direct | N/A | Last name | Yes |
mail | emails[type eq "work"].value | String | Direct | N/A | Email address | Yes |
N/A (constant) | urn:ietf:params:scim:schemas:idcs:extension:custom:User:OC_PrimaryWorkLocation | String | Constant | <ENTERPRISE_ID>:E or <CHAINCODE>:C | Mandatory single-valued user attribute that indicates the user's primary work location. Multi-chain customers use <ENTERPRISE_ID>:E, derived from the user profile. Customers with a single chain can set the constant <CHAINCODE>:C for all users. | Yes |
CBool(true) | urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User:isFederatedUser | Boolean | Expression | CBool("true") | Enables the Federated User flag in the Identity Domain. | Yes |
CBool(true) | urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User:bypassNotification | Boolean | Expression | CBool("true") | Controls whether an email notification is sent after a user account is created or updated in the Identity Domain. bypassNotification must be "true" for federated users; this suppresses the account activation notification in the IAM Identity Domain. | Yes |
active | active | String | Expression | Not([IsSoftDeleted]) | User status. IsSoftDeleted is part of the default mappings for an application in Azure AD, and this expression is what deactivates the Identity Domain account when the Azure AD user is soft-deleted, so do not remove IsSoftDeleted from your attribute mappings. | Yes |
givenName | name.givenName | String | Direct | N/A | First name | No |
preferredLanguage | preferredLanguage | String | Direct | N/A | User's preferred written or spoken language, used for localized user interfaces. | No |
displayName | displayName | String | Direct | N/A | Display name | No |
jobTitle | title | String | Direct | N/A | Title | No |
mobile | phoneNumbers[type eq "mobile"].value | String | Direct | N/A | User's mobile phone number | No |
extensionAttributeUserOwnerCode | urn:ietf:params:scim:schemas:idcs:extension:custom:User:OC_UserOwnerCode | String | Direct | N/A | Unique code for the owner, typically the sales manager's initials. For example, oc_ownercode=First_Last_Initial. | No |
employeeId | urn:ietf:params:scim:schemas:idcs:extension:custom:User:OC_UserEmployeeNo | String | Direct | N/A | Numeric or alphanumeric identifier assigned to a person, typically based on order of hire or association with an organization. | No |
employeeType | urn:ietf:params:scim:schemas:idcs:extension:custom:User:OC_UserType | String | Direct | Possible values: FULL-TIME EMPLOYEE, PART-TIME EMPLOYEE, TRAINEE, CONTRACTOR, CONSULTANT, OTHER | Identifies the organization-to-user relationship. | No |
department | urn:ietf:params:scim:schemas:idcs:extension:custom:User:OC_Department | String | Direct | N/A | User's department | No |
telephoneNumber | phoneNumbers[type eq "work"].value | String | Direct | N/A | User's work phone number | No |
extensionAttributeHonorificPrefix | name.honorificPrefix | String | Direct | N/A | User's initials | No |
extensionAttributeMiddleName | name.middleName | String | Direct | N/A | User's middle name | No |
extensionAttributeHonorificSuffix | name.honorificSuffix | String | Direct | N/A | Suffix | No |
extensionAttributeTimezone | timezone | String | Direct | N/A | User's timezone | No |
extensionAttributeLocale | locale | String | Direct | N/A | User's default locale, used for localizing items such as currency, date and time format, and numerical representations. | No |
extensionAttributeActAs | urn:ietf:params:scim:schemas:idcs:extension:custom:User:OC_ActAs | String | Direct | Possible values: Reservation Sales Person, Conference Sales Person, External System | OPERA Cloud attribute. Determines the Originating Application value in Blocks and Manage Block (see Managing Blocks), referenced by the Origin list field in Group Rooms Control search (see Using Group Rooms Control) and in reports. | No |
extensionAttributeActAt | urn:ietf:params:scim:schemas:idcs:extension:custom:User:OC_ActAt | String | Direct | Possible values: Property, Central | OPERA Cloud attribute. Determines the Originating Application value in Blocks and Manage Block (see Managing Blocks), referenced by the Origin list field in Group Rooms Control search (see Using Group Rooms Control) and in reports. | No |
extensionAttributeHubs | urn:ietf:params:scim:schemas:idcs:extension:custom:User:OC_Hubs | String array | Direct | N/A | Assigns one or more hubs to a user to determine their property location access in multi-property operations. OC_Hubs is a string array in the IAM Domain, so the identity provider must map a multi-valued attribute to it. Values must be sent in all uppercase. | No |
extensionAttributeHubsString | urn:ietf:params:scim:schemas:idcs:extension:custom:User:OC_Hubs_String | String | Direct | N/A | Assigns one or more hubs to a user to determine their property location access in multi-property operations. OC_Hubs_String must be sent as comma-separated values in all uppercase. | No |
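Table 2-1 describes what the Azure AD provisioning service computes for each attribute, but it is easier to review a mapping set when you can see the SCIM body it produces. The Python below is an added example, not code from this guide or from Oracle or Microsoft: it models the mandatory rows of the table plus the two hub attributes, applies the Direct, Constant and Expression mapping types to a constructed Azure AD user record, builds the SCIM 2.0 user body the Identity Domain would receive, and checks the constraints the table states (mandatory values present, OC_PrimaryWorkLocation in <ENTERPRISE_ID>:E or <CHAINCODE>:C form, isFederatedUser and bypassNotification true, hubs in uppercase). The function names, the DEMO chain code and the sample user are assumptions, and the exact wire format Azure emits may differ in detail.

```python
import re

CORE_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ORACLE_EXT = "urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User"
CUSTOM_EXT = "urn:ietf:params:scim:schemas:idcs:extension:custom:User"

# Constant for OC_PrimaryWorkLocation: a single-chain tenant sends <CHAINCODE>:C
# for every user, a multi-chain tenant <ENTERPRISE_ID>:E. "DEMO" is a placeholder.
PRIMARY_WORK_LOCATION = "DEMO:C"

# (Azure AD attribute, IAM Domain attribute, mapping type, value) rows from
# Table 2-1: every mandatory row plus the two hub attributes.
MAPPINGS = [
    ("userPrincipalName", "userName", "Direct", None),
    ("surname", "name.familyName", "Direct", None),
    ("mail", 'emails[type eq "work"].value', "Direct", None),
    (None, CUSTOM_EXT + ":OC_PrimaryWorkLocation", "Constant", PRIMARY_WORK_LOCATION),
    (None, ORACLE_EXT + ":isFederatedUser", "Expression", 'CBool("true")'),
    (None, ORACLE_EXT + ":bypassNotification", "Expression", 'CBool("true")'),
    (None, "active", "Expression", "Not([IsSoftDeleted])"),
    ("extensionAttributeHubs", CUSTOM_EXT + ":OC_Hubs", "Direct", None),
    ("extensionAttributeHubsString", CUSTOM_EXT + ":OC_Hubs_String", "Direct", None),
]
TYPED_MULTI = re.compile(r'^(\w+)\[type eq "(\w+)"\]\.(\w+)$')

def evaluate(expression, azure_user):
    """Evaluate the two Azure AD expressions used in Table 2-1."""
    if expression == 'CBool("true")':
        return True
    if expression == "Not([IsSoftDeleted])":
        # A soft-deleted Azure AD user becomes active=false in the Identity Domain.
        return not bool(azure_user.get("IsSoftDeleted", False))
    raise ValueError("unsupported expression: " + expression)

def set_path(doc, path, value):
    """Write value at an extension-URN, typed multi-valued or dotted SCIM path."""
    if path.startswith("urn:"):
        urn, attr = path.rsplit(":", 1)
        doc.setdefault(urn, {})[attr] = value
        if urn not in doc["schemas"]:
            doc["schemas"].append(urn)
        return
    match = TYPED_MULTI.match(path)
    if match:  # e.g. emails[type eq "work"].value
        name, typ, sub = match.groups()
        entries = doc.setdefault(name, [])
        entry = next((e for e in entries if e.get("type") == typ), None)
        if entry is None:
            entry = {"type": typ}
            entries.append(entry)
        entry[sub] = value
        return
    *parents, leaf = path.split(".")  # e.g. name.familyName
    target = doc
    for part in parents:
        target = target.setdefault(part, {})
    target[leaf] = value

def build_scim_user(azure_user):
    """Apply MAPPINGS to one Azure AD user and return the SCIM user body."""
    doc = {"schemas": [CORE_SCHEMA]}
    for source, target, kind, value in MAPPINGS:
        if kind == "Direct" and azure_user.get(source) not in (None, ""):
            set_path(doc, target, azure_user[source])
        elif kind == "Constant":
            set_path(doc, target, value)
        elif kind == "Expression":
            set_path(doc, target, evaluate(value, azure_user))
    return doc

def validate(doc):
    """Return the problems a provisioning cycle would hit against Table 2-1."""
    custom, oracle, problems = doc.get(CUSTOM_EXT, {}), doc.get(ORACLE_EXT, {}), []
    if not doc.get("userName"):
        problems.append("userName missing")
    if not doc.get("name", {}).get("familyName"):
        problems.append("name.familyName missing")
    if not any(e.get("type") == "work" and e.get("value") for e in doc.get("emails", [])):
        problems.append("work email missing")
    if not re.fullmatch(r"[A-Za-z0-9_-]+:[EC]", custom.get("OC_PrimaryWorkLocation", "")):
        problems.append("OC_PrimaryWorkLocation must be <ENTERPRISE_ID>:E or <CHAINCODE>:C")
    for flag in ("isFederatedUser", "bypassNotification"):
        if oracle.get(flag) is not True:
            problems.append(flag + " must be true for federated users")
    if "active" not in doc:
        problems.append("active missing")
    if any(h != h.upper() for h in custom.get("OC_Hubs", [])):
        problems.append("OC_Hubs values must be uppercase")
    if custom.get("OC_Hubs_String", "") != custom.get("OC_Hubs_String", "").upper():
        problems.append("OC_Hubs_String must be uppercase")
    return problems

# Constructed Azure AD user record, not real data.
SAMPLE_USER = {
    "userPrincipalName": "jane.doe@example.com", "surname": "Doe",
    "mail": "jane.doe@example.com", "IsSoftDeleted": False,
    "extensionAttributeHubs": ["HUB1", "HUB2"], "extensionAttributeHubsString": "HUB1,HUB2",
}

if __name__ == "__main__":
    import json
    body = build_scim_user(SAMPLE_USER)
    print(json.dumps(body, indent=2), "\nproblems:", validate(body))
```

Running it prints the body with both extension URNs listed under schemas and an empty problem list. Setting IsSoftDeleted to true in the sample record flips active to false, which is the behaviour the table relies on when it tells you not to remove IsSoftDeleted from the mappings; clearing mail or sending a lowercase hub produces a problem entry instead of a silent, half-provisioned account.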
- Custom Attribute Mapping
To add mappings for target attributes such as custom attributes and attributes not defined by default in the provisioning connector schema, edit the JSON representation of the schema to add these attribute mappings.
Note:
Editing the list of supported attributes is only recommended for administrators who have customized the schema of their applications and systems and have first-hand knowledge of how their custom attributes are defined, or when a source attribute is not automatically displayed in the Microsoft Entra admin center UI. This sometimes requires familiarity with the APIs and developer tools provided by an application or system. The ability to edit the list of supported attributes is locked down by default, but you can enable it by navigating to the following URL: https://portal.azure.com/?Microsoft_AAD_Connect_Provisioning_forceSchemaEditorEnabled=true.
You can then navigate to your application to view the attribute list. For more information, see the "Editing the list of supported attributes" section of the Microsoft article Tutorial - Customize user provisioning attribute-mappings for SaaS applications in Microsoft Entra ID.
- Under Provisioning, select Mappings, and then select Provision Azure Active Directory Users.
- Select the Show advanced options check box at the bottom of the Attribute Mapping screen, and then select Edit attribute list for OracleIDCS.
- Save the mapping.
Group Attribute Mapping
- On the Provisioning page, click Mappings.
- Under Mappings, click Provision Azure Active Directory Groups. Use the table below to update and add the mappings for group attributes.
Table 2-2 Group Attribute Mappings
Azure AD Attribute | IAM Domain Group Attribute Name | IAM Domain Attribute Type | Mapping Type | Value | Description | Mandatory Attribute |
---|---|---|---|---|---|---|
displayName | displayName | String | Direct | N/A | Group display name | Yes |
members | members | String | Direct | N/A | Members of the group | No |
objectId | externalId | String | Direct | N/A | External group ID | No |
description | urn:ietf:params:scim:schemas:oracle:idcs:extension:group:Group:description | String | Direct | N/A | Group description | No |
Group Attribute Mapping in Azure AD
- Under Provisioning, select Mappings and then select Provision Azure Active Directory Groups.
- Select the Show advanced options check box at the bottom of the Attribute Mapping screen and then select Edit attribute list for OracleIDCS.
Note:
For this operation, you must open the Azure Portal with forceSchemaEditorEnabled=true as described in the Note under the 'Custom Attribute Mapping' section.
- Add the attribute (the group description attribute from Table 2-2).
- Save the mapping.
- Navigate to Provision Azure Active Directory Groups, add the mapping for the group description, and save the changes.
- Select Provisioning from the left menu and set the Provisioning Status to "On". Confirm the user and group mappings match Table 2-1 and Table 2-2 before doing so, because the first provisioning cycle creates Identity Domain accounts from the mappings as saved.
- Save the changes.