JIT Provisioning from Entra ID to OCI IAM

In this tutorial, you configure Just-In-Time (JIT) provisioning between the OCI Console and Microsoft Entra ID, using Entra ID as the identity provider (IdP).

With JIT provisioning, an identity that does not yet exist in the target system is created at run time, when the user first requests access to the target system. The user's attributes and group memberships come from the SAML assertion that the IdP sends at sign-in.

This tutorial covers the following steps:

  1. Configure the Entra ID IdP in OCI IAM for JIT.
  2. Update the OCI IAM app configuration in Entra ID.
  3. Test that you can provision from Entra ID to OCI IAM.
Note

This tutorial is specific to IAM with Identity Domains.
Before You Begin

To perform this tutorial, you must have the following:

  • A paid Oracle Cloud Infrastructure (OCI) account, or an OCI trial account. See Oracle Cloud Infrastructure Free Tier.

  • Identity domain administrator role for the OCI IAM identity domain. See Understanding Administrator Roles.
  • An Entra ID account with one of the following Entra ID roles:
    • Global Administrator
    • Cloud Application Administrator
    • Application Administrator

In addition, you must have completed the tutorial SSO Between OCI and Microsoft Entra ID, and collected the object IDs of the Entra ID groups that you are going to use for JIT provisioning.

1. Configure SAML Attributes Sent by Entra ID

For JIT provisioning to work, the required SAML attributes must be configured in Entra ID so that they are sent to OCI IAM in the SAML assertion.

  1. In the browser, sign in to Microsoft Entra ID using the URL:
    https://entra.microsoft.com
  2. Navigate to Enterprise Applications.
  3. Click the Oracle Cloud Infrastructure Console application.
    Note

    This is the app you created as part of SSO Between OCI and Microsoft Entra ID.
  4. In the left menu, click Single sign-on.
  5. In the Attributes and Claims section, click Edit.
  6. Verify that the attributes are properly configured:
    • NameID
    • Email Address
    • First Name
    • Last Name

    If you require new claims, add them.

  7. Make a note of all the configured claim names. For example

    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

    is the claim name for First Name.

    Attributes and claims

  8. Navigate to Groups. You'll see all the groups available in Entra ID.
  9. Make a note of the object IDs of the groups that you want to include in the SAML assertion sent to OCI IAM.

    Group details in Entra ID

Additional Entra ID Configurations

In Entra ID, you can filter the groups included in the group claim by the group display name or by the sAMAccountName attribute.

For example, suppose only the Administrators group needs to be sent over using SAML:

  1. Click the group claim.
  2. In Group Claims, expand Advanced options.
  3. Select Filter Groups.
    • For Attribute to match, select Display Name.
    • For Match with, select contains.
    • For String, provide the name of the group, for example, Administrators.

    Filter for groups

With this filter in place, Entra ID sends only the Administrators group in the SAML assertion, even if the user is also a member of other groups.
Note

This helps organizations send only the required groups to OCI IAM from Entra ID. It also keeps the assertion small: Entra ID does not emit the groups claim at all in a SAML token for a user with more than 150 group memberships, so an unfiltered claim for a heavily grouped user would leave OCI IAM with no groups to map.
2. Configure JIT Attributes in OCI IAM

In OCI IAM, update the Entra ID IdP for JIT.

  1. Open a supported browser and enter the Console URL:

    https://cloud.oracle.com

  2. Enter your Cloud Account Name, also referred to as your tenancy name, and click Next.
  3. Select the identity domain in which SSO with Entra ID is configured.
  4. Sign in with your username and password.
  5. Open the navigation menu and click Identity & Security.
  6. Under Identity, click Domains.
  7. Select the identity domain in which you have already configured Entra ID as IdP.
  8. Click Security from the menu on the left, and then click Identity providers.
  9. Click the Entra ID IdP.
    Note

    This is the Entra ID IdP you created as part of SSO Between OCI and Microsoft Entra ID.
  10. On the Entra ID IdP page, click Configure JIT.

    Configuration page for the Entra ID identity provider in IAM

  11. On the Configure Just-in-time (JIT) provisioning page:
    • Select Just-In-Time (JIT) provisioning.
    • Select Create a new identity domain user.
    • Select Update the existing identity domain user.

    enable just in time provisioning

  12. Under Map User attributes:
    1. Leave the first row for NameID unchanged.
    2. For other attributes, under IdP user attribute select Attribute.
    3. Provide the IdP user attribute name as follows:
      • familyName: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
      • primaryEmailAddress: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    4. Click Add Row and enter: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname.

      For the identity domain user attribute, choose First name.

      Note

      The claim names are the ones you noted in 1. Configure SAML Attributes Sent by Entra ID. Each IdP user attribute must match the claim name in the assertion exactly; a claim name that does not match is not mapped.

    This diagram shows what the user attributes in OCI IAM should look like (on the right), and the mapping of user attributes between Entra ID and OCI IAM.

    Mapping of user attributes between Entra ID and OCI IAM

  13. Select Assign group mapping.
  14. Enter the Group membership attribute name: http://schemas.microsoft.com/ws/2008/06/identity/claims/groups.
  15. Select Define explicit group membership mappings.
  16. In IdP Group name, enter the object ID of the Entra ID group that you noted in step 9 of 1. Configure SAML Attributes Sent by Entra ID.
  17. In Identity domain group name, select the group in OCI IAM to map the Entra ID group to.

    Assign group mappings

    This diagram shows what the group attributes in OCI IAM should look like (on the right), and the mapping of group attributes between Entra ID and OCI IAM.

    Mapping of group attributes between Entra ID and OCI IAM

  18. Under Assignment rules, select the following:
    1. When assigning group memberships: Merge with existing group memberships
    2. When a group is not found: Ignore the missing group

    setting assignment rules

    Note

    Select options based on your organization's requirements. Merge keeps group memberships that were granted directly in OCI IAM; the alternative, overwriting existing group memberships, makes the Entra ID assertion the sole source of the user's group memberships at every sign-in. Ignoring a missing group lets the sign-in succeed when an object ID in the assertion has no mapping; the alternative, failing the request, is stricter but turns a mapping mistake into a lockout.
  19. Click Save changes.
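The following Python model shows what the configuration from sections 1 and 2 does at sign-in: it reads the claims from a SAML assertion shaped like the one Entra ID sends, applies the user attribute mapping from step 12, the explicit group mapping from steps 16 and 17, and both assignment rules from step 18. It is an added example, not Oracle code or any part of OCI IAM; the assertion, the group object IDs and the OCI IAM group names are constructed placeholders. It parses the assertion only to show the mapping; signature and audience validation, which OCI IAM performs before any of this happens, are out of scope.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim names noted in section 1 (these are the real Entra ID claim URIs).
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Section 2, step 12: IdP user attribute (claim name) -> identity domain user attribute.
USER_ATTRIBUTE_MAP = {
    CLAIMS + "givenname": "givenName",  # shown as "First name" in the Console
    CLAIMS + "surname": "familyName",
    CLAIMS + "emailaddress": "primaryEmailAddress",
}

# Section 2, steps 16-17: Entra ID group object ID -> identity domain group name.
# Both object IDs are constructed placeholders, not real Entra ID groups.
GROUP_MAP = {
    "11111111-1111-1111-1111-111111111111": "Administrators",
    "22222222-2222-2222-2222-222222222222": "Developers",
}

# Constructed assertion in the shape Entra ID produces (signature omitted).
# The second group value has no mapping, which exercises the "group not found" rule.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_constructed">
  <saml:Subject>
    <saml:NameID>jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>33333333-3333-3333-3333-333333333333</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_assertion(xml_text):
    """Return (NameID, {claim name: [values]}) from an already-verified assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        claims[attr.get("Name")] = [
            v.text for v in attr.findall("saml:AttributeValue", SAML_NS)
        ]
    return name_id, claims


def map_user_attributes(name_id, claims):
    """Apply the user attribute mapping; NameID stays the user name (step 12.1)."""
    user = {"userName": name_id}
    for claim_name, domain_attr in USER_ATTRIBUTE_MAP.items():
        values = claims.get(claim_name)
        if not values:
            # A configured claim name that does not match the assertion lands here.
            raise ValueError("assertion is missing claim " + claim_name)
        user[domain_attr] = values[0]
    return user


def map_groups(claims, existing_groups, merge=True, ignore_missing=True):
    """Apply explicit group mapping plus the two assignment rules of step 18."""
    mapped = set()
    for object_id in claims.get(GROUPS_CLAIM, []):
        if object_id in GROUP_MAP:
            mapped.add(GROUP_MAP[object_id])
        elif not ignore_missing:
            raise ValueError("no mapping for Entra ID group " + object_id)
    if merge:  # "Merge with existing group memberships"; False means overwrite
        mapped |= set(existing_groups)
    return sorted(mapped)


def provision(xml_text, existing_user=None, merge=True, ignore_missing=True):
    """Create (existing_user is None) or update an identity domain user from an assertion."""
    name_id, claims = parse_assertion(xml_text)
    user = map_user_attributes(name_id, claims)
    existing_groups = existing_user["groups"] if existing_user else []
    user["groups"] = map_groups(claims, existing_groups, merge, ignore_missing)
    return user


def missing_group_rejected(xml_text):
    """True when the stricter 'fail the request' rule rejects an unmapped group."""
    try:
        provision(xml_text, ignore_missing=False)
    except ValueError:
        return True
    return False
```

Running `provision(SAMPLE_ASSERTION)` yields a new user whose only group is Administrators, because the second object ID in the groups claim has no mapping and the default rule ignores it. Passing an existing user with `merge=False` shows the overwrite behaviour: any OCI IAM group the assertion does not carry is dropped.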
3. Test JIT Provisioning Between Entra ID and OCI

In this section, you test that JIT provisioning works between Entra ID and OCI IAM.

  1. In the Entra ID console, create a new user with an email address that does not exist in OCI IAM.
  2. Assign the user to the required groups.

    assign user to groups

  3. In the browser, open the OCI Console.
  4. Select the identity domain in which JIT configuration has been enabled.
  5. Click Next.
  6. From the sign on options, click Entra ID.
  7. On the Microsoft login page, sign in as the newly created user.

    Microsoft login page

  8. On successful authentication from Microsoft:
    • The user account is created in OCI IAM.
    • The user is logged into the OCI Console.

    My Profile in OCI IAM for user

  9. Select the Profile menu, which is on the upper-right side of the navigation bar at the top of the page, and then click My profile. Check the user properties such as email address, first name, last name, and associated groups.

    Check user properties in OCI IAM
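The My profile page is a manual check. The following Python script, an added example rather than Oracle code, performs the same check against the identity domain's Users endpoint of the Identity Domains REST API (a SCIM 2.0 interface at /admin/v1/Users) so it can be repeated after every change to the JIT mapping. DOMAIN_URL is a placeholder for your identity domain URL, and fetch_user assumes you already hold a bearer token for that domain with rights to read users (for example, from an OAuth client granted the Identity Domain Administrator role); the SCIM response embedded below is constructed to match the test user from this section.

```python
import json
import urllib.parse
import urllib.request

# Placeholder; use the Domain URL shown on your identity domain's Overview page.
DOMAIN_URL = "https://idcs-0123456789abcdef.identity.oraclecloud.com"


def user_query_url(domain_url, user_name):
    """SCIM search for one user on the Identity Domains Users endpoint."""
    params = {
        "filter": f'userName eq "{user_name}"',
        "attributes": "userName,name,emails,groups",
    }
    return f"{domain_url}/admin/v1/Users?" + urllib.parse.urlencode(
        params, quote_via=urllib.parse.quote
    )


def fetch_user(domain_url, token, user_name):
    """Run the query with a bearer token for the domain (network call; not run here)."""
    request = urllib.request.Request(
        user_query_url(domain_url, user_name),
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(request) as response:
        return json.load(response)


def summarize_user(scim_response):
    """Reduce a SCIM ListResponse to the attributes JIT is expected to have written."""
    resources = scim_response.get("Resources", [])
    if len(resources) != 1:
        return None  # not provisioned, or the filter matched more than one user
    user = resources[0]
    name = user.get("name", {})
    primary = [e["value"] for e in user.get("emails", []) if e.get("primary")]
    return {
        "userName": user.get("userName"),
        "givenName": name.get("givenName"),
        "familyName": name.get("familyName"),
        "primaryEmailAddress": primary[0] if primary else None,
        "groups": sorted(g.get("display", "") for g in user.get("groups", [])),
    }


def check_provisioned(scim_response, expected):
    """Return a list of mismatches; an empty list means JIT produced what was expected."""
    actual = summarize_user(scim_response)
    if actual is None:
        return ["user not found (or not unique)"]
    return [
        f"{key}: expected {value!r}, got {actual.get(key)!r}"
        for key, value in expected.items()
        if actual.get(key) != value
    ]


# Constructed response in the shape the Users endpoint returns for the test user.
SAMPLE_RESPONSE = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 1,
    "Resources": [
        {
            "userName": "jane.doe@example.com",
            "name": {"givenName": "Jane", "familyName": "Doe"},
            "emails": [{"value": "jane.doe@example.com", "type": "work", "primary": True}],
            "groups": [{"value": "group-id-placeholder", "display": "Administrators"}],
        }
    ],
}

# What the JIT mapping from section 2 should have produced for this user.
EXPECTED = {
    "givenName": "Jane",
    "familyName": "Doe",
    "primaryEmailAddress": "jane.doe@example.com",
    "groups": ["Administrators"],
}

if __name__ == "__main__":
    # Against a live domain: problems = check_provisioned(fetch_user(DOMAIN_URL, token, "jane.doe@example.com"), EXPECTED)
    print(check_provisioned(SAMPLE_RESPONSE, EXPECTED) or "provisioned as expected")
```

Checking group membership through the API rather than the profile page also catches the case the assignment rules make easy to miss: with "Ignore the missing group" selected, a typo in an object ID fails silently, and the only symptom is a user who signs in successfully but is missing a group.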

What's Next

Congratulations! You have successfully set up JIT provisioning between Entra ID and OCI IAM.

To explore more information about development with Oracle products, check out these sites: