SSO Between OCI and Microsoft Entra ID

In this tutorial, configure SSO between the OCI IAM and Microsoft Entra ID, using Entra ID as the identity provider (IdP).

This 30 minute tutorial shows you how to integrate OCI IAM, acting as a service provider (SP), with Entra ID, acting as an IdP. By setting up federation between Entra ID and OCI IAM, you enable users' access to services and applications in OCI using user credentials that Entra ID authenticates.

This tutorial covers setting up Entra ID as an IdP for OCI IAM.

  1. First, download the metadata from the OCI IAM identity domain.
  2. In the next few steps you create and configure an app in Entra ID.
  3. In Entra ID, set up SSO with OCI IAM using the metadata.
  4. In Entra ID, edit the Attributes and Claims so that the email name is used as the identifier for users.
  5. In Entra ID, add a user to the app.
  6. For the next steps, you return to your identity domain to finish the setup and configuration.In OCI IAM, update the default IdP policy to add Entra ID.
  7. Test that federated authentication works between OCI IAM and Entra ID.
Note

This tutorial is specific to IAM with Identity Domains.
Before You Begin

To perform this tutorial, you must have the following:

  • A paid Oracle Cloud Infrastructure (OCI) account, or an OCI trial account. See Oracle Cloud Infrastructure Free Tier.

  • Identity domain administrator role for the OCI IAM identity domain. See Understanding Administrator Roles.
  • An Entra ID account with one of the following Entra ID roles:
    • Global Administrator
    • Cloud Application Administrator
    • Application Administrator
Note

The user used for Single Sign On (SSO), must exist in both OCI IAM and Entra ID for SSO to work. After you complete this SSO tutorial, there is another tutorial, Identity Lifecycle Management Between OCI IAM and Entra ID. This other tutorial guides you through how to provision user accounts from Entra ID to OCI IAM or from OCI IAM to Entra ID.
1. Get the Service Provider Metadata from OCI IAM

You need the SP metadata from your OCI IAM identity domain to import into the SAML Entra ID application you create. OCI IAM provides a direct URL to download the metadata of the identity domain you are using. To download the metadata, follow these steps.

  1. Open a supported browser and enter the Console URL:

    https://cloud.oracle.com.

  2. Enter your Cloud Account Name, also referred to as the tenancy name, and click Next.
  3. Select the identity domain to sign in to. This is the identity domain that is used to configure SSO, for example Default.
  4. Sign in with your username and password.
  5. Open the navigation menu and click Identity & Security. Under Identity, click Domains.
  6. Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want. Then, click Settings and then Domain settings.
  7. Under Access signing certificate, check Configure client access.

    This lets a client to access the signing certification for the identity domain without signing in to the domain.

  8. Click Save changes.

    Configure client access on the Domain Settings page

  9. Return to the identity domain overview by clicking the identity domain name in the breadcrumb navigation trail. Click Copy next to the Domain URL in Domain information and save the URL to an app where you can edit it.

    The domain information showing where the Domain URL information is.

  10. In a new browser tab, paste the URL you copied and add /fed/v1/metadata to the end.

    For example,

    https://idcs-<unique_ID>.identity.oraclecloud.com:443/fed/v1/metadata
  11. The metadata for the identity domain is displayed in the browser. Save it as an XML file with the name OCIMetadata.xml.
2. Create an Entra ID Enterprise Application

For the next few steps, you are working in Entra ID.

Create a SAML enterprise application in Entra ID.

  1. In the browser, sign in to Microsoft Entra using the URL:
    https://entra.microsoft.com
  2. Click Identity then Applications.
  3. Click Enterprise applications then New application.
  4. In Search applications, type Oracle Cloud Infrastructure Console.
  5. Click the Oracle Cloud Infrastructure Console by Oracle Corporation tile.
  6. Enter a name for the app, for example, Oracle IAM, and click Create.

    The enterprise app is created in Entra ID.

3. Set Up Single Sign-On for the Entra ID Enterprise App

Set up SSO for the Entra ID SAML application, and download the Entra ID SAML metadata. In this section, you use the OCI IAM SP metadata file you saved in 1. Get the Service Provider Metadata from OCI IAM.

  1. In the Getting Started page, click Get started under Set up single sign on.
  2. Click SAML, then click Upload metadata file (button at the top of the page). Browse to the XML file containing the OCI identity domain metadata, OCIMetadata.xml.
  3. Provide the Sign on URL. For example
    https://idcs-<domain_ID>.identity.oraclecloud.com/ui/v1/myconsole
  4. Click Save.
  5. Close the Upload metadata file page from the X in the upper right. If you are asked whether you want to test the application now, choose not to because you will test the application later in this tutorial.
  6. In the Set up Single Sign-On with SAML page, scroll down and in SAML Signing Certificate, click Download next to Federation Metadata XML.
  7. When prompted, choose Save File. The metadata is automatically saved with the default filename <your_enterprise_app_name>.xml. For example, OracleIAM.xml.

    The Entra ID SAML-based SSO page

4. Edit Attributes and Claims

Edit the Attributes and Claims in your new Entra ID SAML app so that the user email address is used as the user name.

  1. In the enterprise application, from the menu on the left, click Single sign-on.
  2. In Attributes and Claims, click Edit.
  3. Click the required claim:
    Unique User Identifier (Name ID) = user.mail [nameid-format:emailAddress]
  4. In the Manage claim page, change the Source attribute from user.userprinciplename to user.mail.

    Entra ID attributes and claims

  5. Click Save.

Additional Entra ID Configurations

In Entra ID, you can filter groups based on the group name, or sAMAccountName, attribute.

For example, suppose only the Administrators group needs to be sent over using SAML:

  1. Click the group claim.
  2. In Group Claims, expand Advanced options.
  3. Select Filter Groups.
    • For Attribute to match, select Display Name.
    • For Match with, select contains.
    • For String, provide the name of the group, for example, Administrators.

    Filter for groups

Using this option, even if the user in the administrator group is part of other groups, Entra ID only sends the Administrators group in SAML.
Note

This helps organisations to send only the required groups to OCI IAM from Entra ID.
5. Add a Test User to the Entra ID Application

Create a test user for your Entra ID application. Later, this user can use their Entra ID credentials to sign in to the OCI Console.

  1. In the Microsoft Entra admin center, click Identity then Users, then All users.
  2. Click New user then Create new user, and create a user and enter their email ID.
    Note

    Ensure that you use the details of a user present in OCI IAM with the same email id.
  3. Return to the enterprise application menu. Under Getting Started, click Assign users and groups. Alternatively, click Users from under Manage on the menu on the left.
  4. Select Add user/group, and on the next page under Users click None Selected.
  5. In the Users page, click the test user you created. As you select it, the user appears under Selected items. Click Select.
  6. Back on the Add Assignment page, click Assign.
6. Enable Entra ID as IdP for OCI IAM

For these steps, you are working in OCI IAM.

Add Entra ID as an IdP for OCI IAM. In this section, you use the Entra ID metadata file you saved in 3. Set Up Single Sign-On for the Entra ID Enterprise App, for example, Oracle IAM.xml.

  1. In the OCI Console in the domain you are working in, click Security and then Identity providers.
  2. Click Add IdP, then click Add SAML IdP.
  3. Enter a name for the SAML IdP, for example Entra ID. Click Next.
  4. Ensure that Import identity provider metadata is selected, and browse and select, or drag and drop the Entra ID metadata XML file, Oracle IAM.xml into Identity provider metadata. This is the metadata file you saved when you worked through 3. Set Up Single Sign-On for the Entra ID Enterprise App. Click Next.
  5. In Map user identity, set the following
    • Under Requested NameID format, select Email address.
    • Under Identity provider user attribute, select SAML assertion Name ID.
    • Under Identity domain user attribute, select Primary email address.

    SAML identity provider attributes

  6. Click Next.
  7. Under Review and Create, verify the configurations and click Create IdP.
  8. Click Activate.
  9. Click Add to IdP Policy Rule.
  10. Click Default Identity Provider Policy to open it, click the Actions menu (Actions Menu) and click Edit IdP rule.

    The context menu showing "Edit IdP Rule"

  11. Click Assign identity providers and then click Entra ID to add it to the list.

    adding Entra ID as an identity provider in the default IdP rule

  12. Click Save Changes.
7. Test SSO Between Entra ID and OCI
In this section, you can test that federated authentication works between OCI IAM and Entra ID.
Note

For this to work, the user used for SSO must be present in both OCI IAM and Entra ID. Also, the user must be assigned to the OCI IAM application created in Entra ID.

There are two ways to do this:

If you haven't set up users to test this tutorial, you see the following error
Sorry, but we're having trouble signing you in.
AADSTS50105: Your administrator has configured 
the application application-name ('<unique_ID>')
to block users unless they are specifically granted
('assigned') access to the application.

Test the SP initiated SSO.

  1. Open a supported browser and enter the OCI Console URL:

    https://cloud.oracle.com.

  2. Enter your Cloud Account Name, also referred to as your tenancy name, and click Next.
  3. Select the identity domain in which Entra ID federation has been configured.
  4. On the sign-in page, you can see an option to sign in with Entra ID.

    OCI IAM sign-in page

  5. Select Entra ID. You are redirected to the Microsoft login page.
  6. Provide your Entra ID credentials.
  7. On successful authentication, you are logged in to the OCI Console.
What's Next

Congratulations! You have successfully set up SSO between Entra ID and OCI IAM.

If you already had a user created in Entra ID and assigned to the application, that had been provisioned to OCI IAM, you were able to test that federation authentication works between OCI IAM and Entra ID. If you didn't have such a user, you can create one by following one of the Identity Lifecycle Management Between OCI IAM and Entra ID tutorials.

To explore more information about development with Oracle products, check out these sites: