Configure Oracle Identity Cloud Service with Microsoft Active Directory

Configure the connectivity between Oracle Identity Cloud Service and Microsoft Active Directory. This is an optional step.

Register Microsoft Active Directory Federation Service as an Identity Provider

Register Microsoft Active Directory Federation Service as the identity provider for Oracle Identity Cloud Service.

  1. Modify the following URL to use your service domain and open it in a browser to access the Microsoft Active Directory Federation Service metadata file: https://your_service_domain/FederationMetadata/2007-06/FederationMetadata.xml
  2. Save the FederationMetadata.xml file.
    You will use this file to register Microsoft Active Directory Federation Service with Oracle Identity Cloud Service.
  3. In the Oracle Identity Cloud Service console, expand the Navigation menu, click Security, and then click Identity Providers.
  4. Click Add or Add SAML IDP.
  5. Enter a name and a description for the identity provider, and click Next.
    Use a name and description that the users that authenticate with the identity provider can recognize easily.
  6. Select Import Identity Provider metadata, and click Upload.
  7. Locate and select the FederationMetadata.xml file, click Open, and then click Next.
  8. From the Oracle Identity Cloud Service User Attribute list, select Primary Email Address.
  9. From the Requested NameID Format list, select Email Address.
  10. Click Next, and then click Finish.
  11. Verify that the identity provider you created appears in the Identity Providers page.
  12. Modify the following URL to use your tenant value, and open it in a browser to call the Oracle Identity Cloud Service federation metadata endpoint: https://your_tenant.identity.oraclecloud.com/fed/v1/metadata?adfsmode=true

    You can obtain your tenant value from the URL of your Oracle Identity Cloud Service console. For example, if the URL is https://idcs-1234567890.identity.oraclecloud.com/ui/v1/adminconsole, then your tenant value is idcs-1234567890.

    To access the Oracle Identity Cloud Service console, click the Users link on the Oracle Cloud My Services dashboard, and then click Identity Console.

  13. Use your web browser's save function to save the response to your computer as a file named Metadata.xml.
    Don't copy the content rendered in your web browser into a new file. The rendered view is not guaranteed to be byte-for-byte identical to the response (encoding, whitespace and the XML declaration can change), and the later import into Microsoft Active Directory Federation Service can fail as a result. Save the file instead.
  14. Transfer the Metadata.xml file to the Windows Server where the Microsoft Active Directory Federation Service is managed.
Microsoft Active Directory Federation Service is now registered as an identity provider in Oracle Identity Cloud Service.
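Both metadata files are worth inspecting before they are imported anywhere, because an expired or unexpected signing certificate, or an entityID that does not match the service you meant to trust, is what most commonly breaks the federation later. The following PowerShell script is an added example, not code from the Oracle page or from Oracle: it downloads the two files from the URLs in the steps above with the file names the procedure uses, confirms each one is SAML metadata, and prints the entityID, the signing certificates with their expiry dates, and the single sign-on and assertion consumer endpoints. The service domain adfs.example.com, the tenant value idcs-1234567890 and the folder C:\Federation are assumed placeholders; replace them with your own values.

```powershell
# Added example (not from the Oracle page): fetch and sanity-check the two
# metadata files used in the procedure above.
# Assumptions (replace with your values): AD FS service domain, IDCS tenant, output folder.
$AdfsHost = 'adfs.example.com'
$Tenant   = 'idcs-1234567890'
$OutDir   = 'C:\Federation'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$adfsUrl = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
$idcsUrl = "https://$Tenant.identity.oraclecloud.com/fed/v1/metadata?adfsmode=true"

# Save the raw response bytes; do not go through a browser's rendered view.
Invoke-WebRequest -Uri $adfsUrl -OutFile "$OutDir\FederationMetadata.xml" -UseBasicParsing
Invoke-WebRequest -Uri $idcsUrl -OutFile "$OutDir\Metadata.xml" -UseBasicParsing

function Show-SamlMetadata {
    param([Parameter(Mandatory)][string]$Path)

    [xml]$doc = Get-Content -Path $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    # Both files must have a SAML EntityDescriptor as the document root.
    $entity = $doc.SelectSingleNode('/md:EntityDescriptor', $ns)
    if (-not $entity) { throw "$Path is not SAML metadata (no EntityDescriptor root element)." }
    "{0}: entityID = {1}" -f $Path, $entity.entityID

    # Signing certificates: federation stops working when one of these expires,
    # so warn early. KeyDescriptor without a 'use' attribute covers both uses.
    foreach ($kd in $doc.SelectNodes('//md:KeyDescriptor[@use="signing" or not(@use)]', $ns)) {
        $b64   = ($kd.SelectSingleNode('.//ds:X509Certificate', $ns).InnerText) -replace '\s', ''
        $bytes = [Convert]::FromBase64String($b64)
        $cert  = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
        $days  = ($cert.NotAfter - (Get-Date)).Days
        "  signing cert {0} (subject {1}) expires {2:yyyy-MM-dd}, in {3} days" -f $cert.Thumbprint, $cert.Subject, $cert.NotAfter, $days
        if ($days -lt 30) { Write-Warning "Signing certificate $($cert.Thumbprint) in $Path expires in $days days" }
    }

    # Endpoints the two sides will exchange SAML messages on:
    # SingleSignOnService on the AD FS (IdP) side, AssertionConsumerService on the IDCS (SP) side.
    foreach ($ep in $doc.SelectNodes('//md:SingleSignOnService | //md:AssertionConsumerService', $ns)) {
        "  {0}: {1} {2}" -f $ep.LocalName, $ep.Binding.Split(':')[-1], $ep.Location
    }
}

Show-SamlMetadata -Path "$OutDir\FederationMetadata.xml"
Show-SamlMetadata -Path "$OutDir\Metadata.xml"
```

Run it on the machine that will hold the files (or on the Windows Server where AD FS is managed, which saves the transfer in step 14). The entityID printed for FederationMetadata.xml is what Oracle Identity Cloud Service will accept as the SAML Issuer, and the one printed for Metadata.xml is the identifier AD FS will assign to the relying party trust; confirm both are the hosts you expect before importing.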

Register Oracle Identity Cloud Service as a Trusted Relying Party

Configure Microsoft Active Directory Federation Service to authenticate users when they log in and to send the users' information to Oracle Identity Cloud Service.

  1. Open the Microsoft Active Directory Federation Service Management console and add a relying party trust. Select the option to import the data from a file, and use the Metadata.xml file that you downloaded from Oracle Identity Cloud Service.
  2. Enter a display name and description, and leave the default values for the rest of the fields.
    A window to edit the claim rules appears. Claim rules define the information to send to Oracle Identity Cloud Service when a user authenticates successfully.
  3. Add a claim rule to define that when a user logs in their email address is sent to Oracle Identity Cloud Service:
    1. Select Send LDAP Attributes as Claims as the rule template.
    2. Name the claim rule Email.
    3. Use Active Directory as the attribute store.
    4. Map the LDAP attribute E-Mail-Addresses to the outgoing claim type E-Mail Address.
  4. Add a claim rule to use the email as the Name ID when sending the information to Oracle Identity Cloud Service after a user authenticates successfully:
    1. Select Transform an Incoming Claim as the rule template.
    2. Name the claim rule Name ID.
    3. Select E-Mail Address as the incoming claim type.
    4. Select Name ID as the outgoing claim type.
    5. Select E-Mail as the outgoing name ID format.
  5. Click Finish.
    The Edit Claim Rules window for the relying party trust now lists the Email and Name ID rules you created.
After completing this task, the Microsoft Active Directory Federation Service and Oracle Identity Cloud Service have enough information to authenticate using single sign-on.
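The same relying party trust and claim rules can be created from PowerShell on the AD FS server, which is easier to review, repeat and version than the wizard. The following script is an added example, not code from the Oracle page or from Oracle. It assumes Metadata.xml was copied to C:\Federation and names the trust "Oracle Identity Cloud Service"; both are placeholders. The two rules are the claim-rule-language form of the Email and Name ID rules above: the first queries the user's mail attribute in Active Directory and issues it as an E-Mail Address claim, the second copies that claim into the Name ID with the SAML email address format, which is the format Oracle Identity Cloud Service was configured to request in step 9 of the previous task.

```powershell
# Added example (not from the Oracle page): create the relying party trust and
# the two claim rules from PowerShell on the AD FS server.
# Assumptions (replace with your values): metadata file location and trust name.
$MetadataFile = 'C:\Federation\Metadata.xml'
$TrustName    = 'Oracle Identity Cloud Service'

# Rule "Email"   = "Send LDAP Attributes as Claims", attribute store Active Directory,
#                  LDAP attribute E-Mail-Addresses (mail) -> outgoing claim E-Mail Address.
# Rule "Name ID" = "Transform an Incoming Claim", E-Mail Address -> Name ID,
#                  outgoing name ID format E-Mail.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# The wizard's default issuance authorization rule ("Permit all users"), spelled out.
# Replace it with a group-based rule if only some users should be able to sign in to IDCS.
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Import-Module ADFS

Add-AdfsRelyingPartyTrust -Name $TrustName `
    -MetadataFile $MetadataFile `
    -IssuanceTransformRules $issuanceRules `
    -IssuanceAuthorizationRules $authorizationRules

# Check what was imported from Metadata.xml: the Identifier must be the IDCS entityID,
# and the SAML endpoints must be the IDCS AssertionConsumerService URLs.
$rp = Get-AdfsRelyingPartyTrust -Name $TrustName
$rp | Select-Object Name, Identifier, Enabled, SignatureAlgorithm
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location
```

If users in the domain have no value in the mail attribute, the Email rule issues no claim, the Name ID rule then has nothing to transform, and the assertion sent to Oracle Identity Cloud Service carries no NameID; check that attribute for the accounts you expect to federate before testing single sign-on.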