Set sAMAccountName from Microsoft Active Directory as Username in Oracle Cloud Infrastructure

Introduction

Organizations that have lived through several generations of identity and security tooling often run a mix of on-premises and cloud resources. In many of these environments Active Directory is the source of truth, and the logon name (sAMAccountName) is the user identifier people know and type. To keep identities consistent, the same value is pushed as the standard username to downstream applications and services.

In this tutorial, you will learn how to propagate that standard username to OCI IAM, so that Oracle and non-Oracle applications federated through OCI IAM all see the same identifier.

Objectives

Solution Architecture.

Prerequisites

Note: To set up SCIM provisioning in OCI through Microsoft Entra ID, see Identity Lifecycle Management Between OCI IAM and Entra ID.

Task 1: Enable Directory Extensions and Sync sAMAccountName using Microsoft Entra Connect

Task 1.1: Configure the Microsoft Entra Connect Tool

  1. Log in to the local server where Microsoft Entra Connect is set up.

  2. Open the Microsoft Entra Connect Sync tool.

  3. Click Configure.

    Configure Entra Connect.

  4. Select Customize synchronization options and click Next.

    Customize synchronization options.

  5. Authenticate when prompted with a Microsoft Entra ID account that holds the Hybrid Identity Administrator role (the least-privileged role that can reconfigure Microsoft Entra Connect) or Global Administrator.

    Login.

  6. Select the Directory Type and Forest information where your users are present.

    Domain selection

  7. Click Next until you reach the Optional Features page. Select Directory extension attribute sync and click Next.

    Optional Features

  8. In the Directory Extensions page, a list of Available Attributes from your on-premises Active Directory will be displayed. Locate the sAMAccountName attribute in the list and select sAMAccountName to mark it for synchronization.

    Directory extension attribute sync

  9. Review the configuration summary to ensure that the Directory extension attribute sync option is enabled and sAMAccountName is selected. Click Configure to apply the changes.

    Review

  10. Once the configuration completes, click Exit.

Task 1.2: Perform a Synchronization Cycle

  1. Open Windows PowerShell with administrative privileges on the server where Microsoft Entra Connect is installed.

  2. Run the following command to trigger a delta synchronization cycle.

    Start-ADSyncSyncCycle -PolicyType Delta
    

    A delta cycle only processes objects that changed since the previous run, so users whose AD object has not changed may not pick up the newly selected extension attribute. If the value does not appear in Entra ID after the delta cycle, run the same command with the Initial policy type, which performs a full import and full synchronization.

    Powershell

  3. Wait for the synchronization to complete. You can review the progress in the Synchronization Service Manager tool which is part of Microsoft Entra Connect.

    Synchronization Service Manager
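The following script is an added example and not part of the Oracle tutorial. It wraps the command above so the cycle is started only when the scheduler is idle and the script blocks until the cycle finishes, which is what you want before moving on to verification. It assumes it runs in an elevated session on the Entra Connect server, where the ADSync module is installed by default.

```powershell
# Added example: start an Entra Connect sync cycle and wait for it to finish.
# Assumes an elevated PowerShell session on the Entra Connect server (the ADSync
# module ships with Entra Connect) and that the scheduler is enabled.
Import-Module ADSync

function Start-SyncAndWait {
    param(
        # Delta = objects changed since the last cycle; Initial = full import + full sync.
        [ValidateSet('Delta', 'Initial')]
        [string]$PolicyType = 'Delta',
        [int]$TimeoutMinutes = 30
    )

    # Start-ADSyncSyncCycle fails if a cycle is already running, so check first.
    if ((Get-ADSyncScheduler).SyncCycleInProgress) {
        throw 'A synchronization cycle is already in progress; try again later.'
    }

    Start-ADSyncSyncCycle -PolicyType $PolicyType | Out-Null
    Write-Host "Started $PolicyType sync cycle at $(Get-Date -Format u)"

    # The cmdlet returns immediately; poll the scheduler until the cycle completes.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 15
        if ((Get-Date) -gt $deadline) {
            throw "Sync cycle did not finish within $TimeoutMinutes minutes."
        }
        $busy = (Get-ADSyncScheduler).SyncCycleInProgress
    } while ($busy)

    Write-Host "Sync cycle finished at $(Get-Date -Format u)"
}

# A delta cycle only exports objects changed since the last run. If the new
# extension attribute is still missing in Entra ID for existing users, run the
# Initial policy once instead (full import and full sync).
Start-SyncAndWait -PolicyType Delta
# Start-SyncAndWait -PolicyType Initial
```

Run it once with Delta; only fall back to Initial if verification in Task 1.3 shows the attribute missing, since a full cycle on a large directory can take much longer than the default timeout used here.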

Task 1.3: Verify the Synchronization in Microsoft Entra ID

  1. Sign in to the Microsoft Entra Admin Center: https://entra.microsoft.com.

  2. Navigate to Users and select a user account. Open the user's properties and scroll down to the extension attributes.

    Review

    Validate that the sAMAccountName value is present as a directory extension. The attribute is named extension_XXX_sAMAccountName, where XXX is the application ID (without hyphens) of the application under which Microsoft Entra Connect registered the extension. Directory extension values are not always visible in the portal; if you cannot find the attribute there, query the user through Microsoft Graph and select the extension attribute explicitly, because Graph omits extension attributes unless they are requested.
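The following script is an added example and not part of the Oracle tutorial. It verifies the result of Task 1 from the Entra ID side with the Microsoft Graph PowerShell SDK: it discovers the exact extension attribute name instead of hard-coding the application ID, reads the value for one user, and compares it with the built-in onPremisesSamAccountName property that Entra Connect also synchronizes. It assumes the Microsoft.Graph modules are installed, the signed-in account can read applications and users, and the extension was registered under Entra Connect's default "Tenant Schema Extension App"; the user principal name at the bottom is a placeholder.

```powershell
# Added example: confirm that sAMAccountName arrived in Entra ID as a directory
# extension. Assumes Microsoft.Graph modules (Install-Module Microsoft.Graph),
# read access to applications and users, and the default Entra Connect
# "Tenant Schema Extension App" as the owner of the extension.
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes 'Application.Read.All', 'User.Read.All' -NoWelcome

function Get-SamExtensionName {
    # Directory extensions are named extension_<appId without hyphens>_<attribute>;
    # look the name up rather than guessing the application ID.
    $app = Get-MgApplication -Filter "displayName eq 'Tenant Schema Extension App'" |
        Select-Object -First 1
    if (-not $app) {
        throw 'Tenant Schema Extension App not found; directory extension sync may not be enabled.'
    }
    $ext = Get-MgApplicationExtensionProperty -ApplicationId $app.Id |
        Where-Object { $_.Name -like 'extension_*_sAMAccountName' }
    if (-not $ext) {
        throw 'No sAMAccountName directory extension is registered; re-check Task 1.1.'
    }
    return $ext.Name
}

function Get-UserSam {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $attr = Get-SamExtensionName
    # Extension attributes are only returned when named in $select.
    $uri = "https://graph.microsoft.com/v1.0/users/$UserPrincipalName" +
           "?`$select=id,userPrincipalName,onPremisesSamAccountName,$attr"
    $u = Invoke-MgGraphRequest -Method GET -Uri $uri   # returns a hashtable
    [pscustomobject]@{
        UserPrincipalName = $u.userPrincipalName
        ExtensionName     = $attr
        ExtensionValue    = $u[$attr]
        # Built-in copy synced by Entra Connect; the two values should agree.
        BuiltInSam        = $u.onPremisesSamAccountName
        Consistent        = ($u[$attr] -eq $u.onPremisesSamAccountName)
    }
}

# Placeholder UPN; replace with a user in the Entra Connect sync scope.
Get-UserSam -UserPrincipalName 'jdoe@contoso.com' | Format-List
```

If ExtensionValue is empty while BuiltInSam is populated, the extension attribute was selected in the wizard but the user has not been re-imported yet; that is the case for running a full (Initial) sync cycle described in Task 1.2.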

Task 2: Reconfigure the SCIM Provisioning Setup to Use the Extension Attribute as Username

Task 2.1: Navigate to the Enterprise Application

  1. Go to Enterprise Applications and select the app for Oracle Cloud Infrastructure Console.

  2. Select Provisioning.

    Provisioning

Task 2.2: Update the Attribute Mappings

  1. Under the Overview section, click Edit Attribute Mappings.

    Provisioning

  2. In Mappings, click Provision Microsoft Entra ID Users.

    Users

  3. In the Attribute Mappings list, find the mapping for the target attribute userName. By default, this might be mapped to the Microsoft Entra ID userPrincipalName. Click Edit on the userName mapping.

    Attribute Mappings

  4. In the Source Attribute drop-down menu, select extension_XXX_sAMAccountName, where XXX is the application ID of the application that owns the directory extension, and click Ok.

    Source attribute

  5. Click Save. Saving the mapping does not update existing OCI users immediately: they are updated in the next incremental provisioning cycle, which can take a while. You may wait for it, or use Restart provisioning, which discards the incremental watermark and re-evaluates every assigned user in an initial cycle.
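Before saving the mapping change above, it is worth checking that the new username cannot collide. sAMAccountName is only guaranteed unique within a single AD domain, while the SCIM userName must be unique within the OCI identity domain; in a multi-domain forest two users can legitimately share a sAMAccountName, and after the change one of them would fail to provision or be matched to the other's account. The following script is an added example and not part of the Oracle tutorial. It enumerates enabled users in every domain of the forest and reports duplicate logon names. It assumes the ActiveDirectory RSAT module and read access to each domain; narrowing it to the OUs actually in the Entra Connect sync scope is left to you.

```powershell
# Added example: find sAMAccountName values that are duplicated across domains in
# the forest before switching the SCIM userName mapping to sAMAccountName.
# Assumes the ActiveDirectory module (RSAT) and read access to every domain.
Import-Module ActiveDirectory

function Find-DuplicateSam {
    # Collect enabled users from each domain, tagging each with its domain.
    $users = foreach ($domain in (Get-ADForest).Domains) {
        Get-ADUser -Server $domain -Filter 'Enabled -eq $true' `
                   -Properties sAMAccountName, userPrincipalName |
            Select-Object @{ n = 'Domain'; e = { $domain } }, sAMAccountName, userPrincipalName
    }

    # sAMAccountName comparison is case-insensitive in AD; Group-Object is too,
    # so "JDoe" in one domain and "jdoe" in another are reported as a collision.
    $users | Group-Object -Property sAMAccountName |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                sAMAccountName = $_.Name
                Count          = $_.Count
                Accounts       = ($_.Group |
                    ForEach-Object { "$($_.Domain)\$($_.userPrincipalName)" }) -join '; '
            }
        }
}

$dupes = @(Find-DuplicateSam)
if ($dupes.Count -gt 0) {
    Write-Warning "Found $($dupes.Count) colliding sAMAccountName value(s); resolve them before saving the mapping."
    $dupes | Format-Table -AutoSize
} else {
    Write-Host 'No sAMAccountName collisions across the forest.'
}
```

Resolve every reported collision (rename one account, or exclude one of the domains from the provisioning scope) before Task 2.2 step 5; otherwise the provisioning log in Entra ID will show a conflict for the second user with that name.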

Task 3: Validate and Configure Username for SSO in Oracle Cloud Applications

  1. Sign in to the OCI Console: https://cloud.oracle.com.

  2. Navigate to Identity & Security. Under Identity, select Domains.

  3. Select the identity domain that receives the SCIM provisioning, click Users, and verify that the provisioned users now show the sAMAccountName value as their username.

    Users in OCI

Scenario 1: For SAML Based SSO Authentications

  1. Find the SAML application under Integrated applications or Oracle Cloud Services.

  2. Click Edit SSO configuration and change the Name ID value to Username. Click Save changes.

    SAML App

    Note: The service provider links incoming assertions to its own accounts by the Name ID value. Accounts it previously matched on the old value (for example the UPN or email address) will stop matching once the assertion carries the username, so coordinate the change with the SAML application owners. It is also good practice to redo the metadata exchange: click Download identity provider metadata and share it with them.

Scenario 2: For HTTP-Header Based Authentication

  1. Find the enterprise application under Integrated applications.

  2. Click Edit SSO configuration and navigate to Managed resources. Edit the resource that is passing the header.

    Enterprise App

  3. Change the value of the header to the Username attribute and click Save changes. The application behind the header must match users on this new value, so confirm with its owners before making the switch.

Scenario 3: For OAuth 2.0/OpenIDConnect Based Authentications

No configuration changes are required in OCI IAM. ID tokens issued after the change carry the new username, as shown in the following image of a decoded JWT. Tokens issued before the change still contain the previous value and remain valid until they expire, so relying parties may briefly see both values.

OIDC App
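The following script is an added example and not part of the Oracle tutorial. It does locally what the image above shows: it base64url-decodes the payload of an ID token so you can confirm which username a relying party now receives, and prints the issue and expiry times so you can tell whether a given token predates the mapping change. The sample token is constructed inside the script with made-up values and a dummy signature. It assumes that OCI IAM places the username in the sub claim; it deliberately does not verify the signature, so use it as an administrator's inspection aid only and never as a substitute for signature validation in an application.

```powershell
# Added example: decode the payload of a JWT ID token to inspect the username claim.
# No signature verification is performed; this is an inspection aid, not validation.
# Assumption: OCI IAM ID tokens carry the username in the "sub" claim.

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS (expected header.payload.signature).' }
    # base64url -> base64: restore the standard alphabet and the stripped padding.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

function Show-TokenIdentity {
    param([Parameter(Mandatory)][string]$Token)
    $claims = ConvertFrom-JwtPayload -Token $Token
    [pscustomobject]@{
        Subject   = $claims.sub          # username under the assumption above
        Issuer    = $claims.iss
        Audience  = $claims.aud
        IssuedAt  = [DateTimeOffset]::FromUnixTimeSeconds($claims.iat).UtcDateTime
        ExpiresAt = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime
    }
}

function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

# Constructed sample token: made-up issuer, audience and times, dummy signature.
$header  = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes('{"alg":"RS256","typ":"JWT"}'))
$payload = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes(
    '{"sub":"jdoe","iss":"https://idcs-example.identity.oraclecloud.com",' +
    '"aud":"example-client","iat":1700000000,"exp":1700003600}'))
$sampleToken = "$header.$payload.c2lnbmF0dXJl"

Show-TokenIdentity -Token $sampleToken | Format-List
```

To check a real token, paste the ID token returned to your test client in place of $sampleToken; if IssuedAt is earlier than the moment you saved the mapping in Task 2.2, Subject will still show the old identifier until the token expires.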

Conclusion

Ensuring a consistent user identifier across an organization's infrastructure is essential for predictable authentication and access management. Using sAMAccountName as the username in OCI IAM simplifies user management, makes access reviews and log correlation easier, and gives a smoother integration between on-premises and cloud environments.

Acknowledgments

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.