Your organization can have multiple Active Directory accounts (for example, one for each division of the organization). You can federate multiple Active Directory accounts with Oracle Cloud Infrastructure, but each federation trust that you set up must be for a single Active Directory account.
To federate with Active Directory, you set up a trust between Active Directory Federation Services (AD FS) and Oracle Cloud Infrastructure. To set up this trust, you perform some steps in the Oracle Cloud Infrastructure Console and some steps in AD FS.
Following is the general process an administrator goes through to set up federation with Active Directory. Details for each step are given in the sections below.
Get required information from Active Directory Federation Services.
Federate Active Directory with Oracle Cloud Infrastructure:
Add the identity provider (AD FS) to your tenancy and provide the required information.
Map Active Directory groups to IAM groups.
In Active Directory Federation Services, add Oracle Cloud Infrastructure as a trusted, relying party.
In Active Directory Federation Services, add the claim rules required in the authentication response by Oracle Cloud Infrastructure.
Test your configuration by logging in to Oracle Cloud Infrastructure with your Active Directory credentials.
Federating with Active Directory
Before you begin, make sure that you have installed and configured Microsoft Active Directory Federation Services for your organization.
Make sure that you have set up the Active Directory groups that you want to map to IAM groups in Oracle Cloud Infrastructure.
Consider naming the Active Directory groups that you intend to map to Oracle Cloud Infrastructure groups with a common prefix, so that the filter claim rule in Step 5 can match them with a single pattern. For example: OCI_Administrators, OCI_NetworkAdmins, OCI_InstanceLaunchers.
Step 1: Get required information from Active Directory Federation Services
Summary: Get the SAML metadata document and the names of the Active Directory groups that you want to map to Oracle Cloud Infrastructure Identity and Access Management groups.
Locate the SAML metadata document for your AD FS federation server. By default, it is at this URL:
Download this document and make a note of where you save it. You will upload this document to the Console in the next step.
Note all the Active Directory groups that you want to map to Oracle Cloud Infrastructure IAM groups. You will need to enter these in the Console in the next step.
Step 2: Add Active Directory as an identity provider in Oracle Cloud Infrastructure
Summary: Add the identity provider to your tenancy. You can set up the group mappings at the same time, or set them up later.
Go to the Console and sign in with your Oracle Cloud Infrastructure login and password.
Open the navigation menu. Under Governance and Administration, go to Identity and click Federation.
Click Add identity provider.
Enter the following:
Display Name: A unique name for this federation trust. This is the name federated users see when choosing which identity provider to use when signing in to the Console. The name must be unique across all identity providers you add to the tenancy. You cannot change this later.
Description: A friendly description.
Type: Select Microsoft Active Directory Federation Services (ADFS) or SAML 2.0 compliant identity provider.
XML: Upload the FederationMetadata.xml file that you downloaded from your AD FS federation server in Step 1.
Click Show Advanced Options.
Encrypt Assertion: Selecting the check box tells the IAM service to expect an encrypted assertion from the IdP. Do not select this check box unless you have enabled assertion encryption for the Oracle Cloud Infrastructure relying party trust in AD FS; if the setting and the AD FS configuration disagree, sign-in fails.
To enable assertion encryption in AD FS, the relying party trust needs an encryption certificate. AD FS takes it from the Oracle Cloud Infrastructure Federation Metadata document that you import in Step 4, or you can set it on the Encryption tab of the relying party trust properties. For more information, see the AD FS documentation.
Force Authentication: Selected by default. When selected, Oracle Cloud Infrastructure sets ForceAuthn in its SAML authentication request, so users are required to provide their credentials to the IdP (re-authenticate) even when they already have a signed-in session with AD FS.
Authentication Context Class References: This field is required for Government Cloud customers. When one or more values are specified, Oracle Cloud Infrastructure (the relying party) expects the identity provider to use one of the specified authentication mechanisms when authenticating the user. The SAML response returned by the IdP must contain an authentication statement whose authentication context class reference is one of those values. If the authentication context in the SAML response does not match what is specified here, the Oracle Cloud Infrastructure auth service rejects the SAML response with an HTTP 400 error.
Several common authentication context class references are listed in the menu. To use a different context class, select Custom, then manually enter the class reference.
Optionally, you can apply tags. If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, skip this option (you can apply tags later) or ask your administrator.
Set up the mappings between Active Directory groups and IAM groups in Oracle Cloud Infrastructure.
A given Active Directory group can be mapped to zero, one, or multiple IAM groups, and vice versa. However, each individual mapping is between only a single Active Directory group and a single IAM group. Changes to group mappings take effect typically within seconds in your home region, but may take several minutes to propagate to all regions.
If you don't want to set up the group mappings now, you can simply click Create and come back to add the mappings later.
To create a group mapping:
Under Identity Provider Group, enter the Active Directory group name. You must enter the name exactly as AD FS will send it in the group claim, including the correct case.
Choose the IAM group you want to map this group to from the list under OCI Group.
Requirements for IAM group name: No spaces. Allowed characters: letters, numerals, hyphens, periods, underscores, and plus signs (+). The name cannot be changed later.
Repeat the above sub-steps for each mapping you want to create, and then click Create.
The identity provider is now added to your tenancy and appears in the list on the Federation page. Click the identity provider to view its details and the group mappings you just set up.
Oracle assigns the identity provider and each group mapping a unique ID called an Oracle Cloud ID (OCID). For more information, see Resource Identifiers.
In the future, come to the Federation page if you want to edit the group mappings or delete the identity provider from your tenancy.
Step 3: Copy the URL for the Oracle Cloud Infrastructure Federation Metadata document
Summary: The Federation page displays a link to the Oracle Cloud Infrastructure Federation Metadata document. Before you move on to configuring Active Directory Federation Services, you need to copy the URL.
On the Federation page, click Download this document.
In a web browser, paste the Oracle Cloud Infrastructure Federation Metadata URL in the address bar.
Save the XML document to a location that is accessible by your AD FS Management Console.
Step 4: Add Oracle Cloud Infrastructure as a relying party in Active Directory Federation Services
Summary: In AD FS Management, use the Add Relying Party Trust Wizard to import the Oracle Cloud Infrastructure Federation Metadata document that you saved in Step 3.
In the Select Data Source step of the Add Relying Party Trust Wizard, select Import data about the relying party from a file.
Click Browse and select the metadata.xml file that you saved.
Set the display name for the relying party (for example, Oracle Cloud Infrastructure) and then click Next.
Select I do not want to configure multi-factor authentication settings for this relying party trust at this time.
Choose the appropriate Issuance Authorization Rules to either permit or deny all users access to the relying party. Note that if you choose "Deny", then you must later add the authorization rules to enable access for the appropriate users.
Review the settings and click Next.
Check Open the Edit Claim Rules dialog for this relying party trust when the wizard closes and then click Close.
Step 5: Add the claim rules for the Oracle Cloud Infrastructure relying party
Summary: Add the claim rules so that the elements that Oracle Cloud Infrastructure requires (Name ID and groups) are added to the SAML authentication response.
Add the Name ID rule:
In the Edit Claim Rules dialog, click Add Rule. Under Claim rule template, select Transform an Incoming Claim, and click Next.
Enter the following:
Claim rule name: Enter a name for this rule, for example, nameid.
Incoming claim type: Select Windows account name.
Outgoing claim type: Select Name ID.
Outgoing name ID format: Select Persistent Identifier.
Select Pass through all claim values.
Click Finish. The rule is displayed in the rules list.
Add the groups rule:
A user whose SAML response lists more than 100 IdP groups cannot be authenticated to the Oracle Cloud Infrastructure Console. To keep such users under the limit, apply a filter to the groups rule so that only the groups intended for Oracle Cloud Infrastructure are sent, as described below.
To limit the groups sent to Oracle Cloud Infrastructure, create two custom claim rules. The first one retrieves all groups the user belongs to directly and indirectly. The second rule applies a filter to limit the groups passed to the service provider to only those that match the filter criteria.
Add the first rule:
In the Edit Claim Rules dialog, click Add Rule.
Under Claim rule template, select Send Claims Using a Custom Rule. Click Next.
In the Add Transform Claim Rule Wizard, enter the following:
Claim rule name: Enter a name, for example, groups.
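The following added example is the scripted equivalent of Steps 3 through 5, written for the AD FS PowerShell module; it is not code from the Oracle or Microsoft documentation. It assumes that you copied the Oracle Cloud Infrastructure Federation Metadata URL from the Federation page into the OciMetadataUrl parameter, that the relying party trust is named "Oracle Cloud Infrastructure", and that every Active Directory group mapped to Oracle Cloud Infrastructure carries the OCI_ prefix recommended above. The Name ID rule is the rule text that the Transform an Incoming Claim template generates for Windows account name to a persistent Name ID; the two group rules are the custom rules described in this step. The group claim type is the one Oracle documents for AD FS group claims; confirm it against the current Oracle Cloud Infrastructure documentation before use.

```powershell
# Added example (not from the OCI or Microsoft documentation): create the OCI relying
# party trust and its claim rules with the AD FS PowerShell module.
# Assumptions: $OciMetadataUrl is copied from the OCI Federation page; the trust is named
# "Oracle Cloud Infrastructure"; mapped AD groups share the prefix OCI_.
param(
    [Parameter(Mandatory = $true)][string]$OciMetadataUrl,
    [string]$RpName       = 'Oracle Cloud Infrastructure',
    [string]$GroupPrefix  = 'OCI_',
    [string]$MetadataFile = "$env:TEMP\oci-federation-metadata.xml"
)

Import-Module ADFS

# Step 3: save the OCI federation metadata where the AD FS server can read it.
Invoke-WebRequest -Uri $OciMetadataUrl -OutFile $MetadataFile -UseBasicParsing

# Issuance authorization: the wizard's "Permit all users" choice.
# On AD FS 2016 or later you can instead assign -AccessControlPolicyName 'Permit everyone'.
$authzRules = @'
@RuleName = "Permit all users"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 5: the claims OCI requires. Rule 1 maps the Windows account name to a persistent
# Name ID. Rule 2 collects direct and nested group membership (tokenGroups) into a
# temporary claim. Rule 3 issues only the groups that start with $GroupPrefix, so a user
# in hundreds of AD groups stays under OCI's 100-group limit and unrelated groups never
# leave the IdP. The issued value is the group's account name, so the Identity Provider
# Group entered in the OCI Console must match it exactly, including case.
$transformRules = @"
@RuleName = "nameid"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");

@RuleName = "groups (direct and nested)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://temp/variable"), query = ";tokenGroups;{0}", param = c.Value);

@RuleName = "groups (filtered to prefix $GroupPrefix)"
c:[Type == "http://temp/variable", Value =~ "^$GroupPrefix"]
 => issue(Type = "https://auth.oraclecloud.com/saml/claims/groupName", Value = c.Value);
"@

# Step 4: import the relying party from the metadata, or refresh the rules on an existing trust.
if (Get-AdfsRelyingPartyTrust -Name $RpName) {
    Set-AdfsRelyingPartyTrust -TargetName $RpName `
        -IssuanceAuthorizationRules $authzRules `
        -IssuanceTransformRules $transformRules
} else {
    Add-AdfsRelyingPartyTrust -Name $RpName -MetadataFile $MetadataFile `
        -IssuanceAuthorizationRules $authzRules `
        -IssuanceTransformRules $transformRules
}

# Review the result. Identifier should be the OCI entityID from the metadata; EncryptClaims
# must agree with the Encrypt Assertion check box you set in the OCI Console.
Get-AdfsRelyingPartyTrust -Name $RpName |
    Select-Object Name, Identifier, Enabled, EncryptClaims, IssuanceTransformRules |
    Format-List
```

Run the script on the AD FS server as an AD FS administrator, then sign in to the Console with a test account that is in one OCI_ group and one unrelated group, and confirm that only the OCI_ group appears in the assertion and that the user lands in the mapped IAM group.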
Step 6: Set up IAM policies for the federated users
If you haven't already, set up IAM policies to control the access that the federated users have to your organization's Oracle Cloud Infrastructure resources. Without a policy that grants access to the mapped IAM groups, federated users can sign in but cannot do anything. For more information, see Getting Started with Policies and Common Policies.
Step 7: Give your federated users the name of the tenant and URL to sign in
The federated users need the URL for the Oracle Cloud Infrastructure Console (for example, https://console.us-ashburn-1.oraclecloud.com) and the name of your tenant. They'll be prompted to provide the tenant name when they sign in to the Console.
Managing Identity Providers in the Console
Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.