Set Up Federation Trust Between Azure AD and Identity Cloud Service
For setting up federation trust, you need to add Oracle Identity Cloud Service as a gallery application in Azure AD tenant. After an application is added to the tenant, add Azure AD as an identity provider (IDP) in Oracle Identity Cloud Service, and then configure single sign-on in Azure AD.
Before You Begin
Before you set up federation trust between Azure AD and Oracle Identity Cloud Service, prepare the following:
- You should have an Azure subscription with a Contributor or higher-privileged account. You must also have hands-on experience working with the Azure platform. This solution does not cover Azure IaaS and security best practices for creating and running VMs and applications.
- Get Azure AD subscription and create a user with the Application Administrator or Global Administrator role in the Azure AD portal.
- You should know how to create a security group in Azure and also add users to it.
- User synchronization between Azure AD and E-Business Suite applications is a prerequisite for SSO to work. You can also use the Oracle Identity Cloud Service feature that keeps users synchronized between Azure AD and Oracle Identity Cloud Service. At least one attribute must match across all three systems. For example, the user principal name (UPN) or another unique attribute in Azure AD must match the username or another attribute in Oracle Identity Cloud Service, and that attribute must also match the E-Business Suite application username.
Add Oracle Identity Cloud Service as a Gallery Application in Azure AD
You need admin credentials for your Oracle Identity Cloud Service tenancy to add it as a gallery application in Azure AD.
https://<your_tenancy>.identity.oraclecloud.com/fed/v1/metadata
Add Azure AD as an Identity Provider in Oracle Identity Cloud Service
When you add an identity provider, you'll import the metadata content of the identity provider, which you downloaded while adding the gallery application. Make sure that you have the metadata XML file or the URL readily available.
- Log in to the Oracle Identity Cloud Service admin console.
- Navigate to Security, select Identity Provider, and then add an identity provider.
- In the Add Identity Provider wizard, enter a name and click Next.
- Import the Azure AD Federation Metadata XML file, which you downloaded while adding your application to the gallery.
- In the Configure pane of the wizard, use the default value for Requested NameID Format. The value for Identity Provider User Attribute should be Name ID.
- Set the value for Oracle Identity Cloud Service User Attribute to Primary Email Address or to any other attribute in Identity Cloud Service that might hold the user principal name in Azure AD.
- Set up an IDP policy and add the Webgate-App created earlier, so that it uses Azure AD for authentication.
- In the navigation pane, click Security, and then click IDP Policies to add a policy.
- In the wizard, enter the name for the policy, and then click Next.
- Click Assign, select Azure AD IDP from the list, and then exit the wizard. You can assign more than one application that might use this IDP.
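Before importing the identity provider metadata in the wizard above, it helps to confirm what the XML actually carries. The following is an added example, not code from the Oracle playbook: a standard-library Python check that parses SAML 2.0 IdP metadata, reports the entityID, SSO endpoints, NameID formats and the SHA-256 fingerprint of each signing certificate, and flags gaps that would break the federation. The embedded metadata is a constructed sample with a placeholder tenant id, endpoints and certificate body.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed stand-in for Azure AD Federation Metadata XML: GUID, endpoints and cert are placeholders.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:X509Data><ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate></ds:X509Data>
  </ds:KeyInfo></KeyDescriptor>
  <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/saml2"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/saml2"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""


def inspect_idp_metadata(xml_text: str) -> dict:
    """Extract what IDCS relies on: entityID, signing certs, SSO endpoints, NameID formats."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("not SAML IdP metadata (no EntityDescriptor/IDPSSODescriptor)")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.find(".//ds:X509Certificate", NS)
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") == "signing" and cert is not None and cert.text:
            der = base64.b64decode("".join(cert.text.split()))  # drop PEM line breaks
            certs.append(hashlib.sha256(der).hexdigest())  # fingerprint to compare by eye
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]
    return {"entity_id": root.get("entityID"), "signing_cert_sha256": certs,
            "sso": sso, "name_id_formats": formats}


def find_issues(info: dict) -> list:
    """Findings to clear before assigning this IdP in an IDP policy."""
    issues = []
    if not info["signing_cert_sha256"]:
        issues.append("no signing certificate: IDCS cannot verify assertions")
    if not {"HTTP-POST", "HTTP-Redirect"} & set(info["sso"]):
        issues.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    urls = [info["entity_id"], *info["sso"].values()]
    if any(not (u or "").startswith("https://") for u in urls):
        issues.append("entityID or SSO endpoint is not an https URL")
    return issues
```

Run it against the real Federation Metadata XML downloaded from Azure AD and compare the reported fingerprint with the certificate shown in the Azure portal before importing the file into Oracle Identity Cloud Service.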