OCI — Console Auth via Azure SAML SSO [Part 2]

This guide walks through configuring SAML SSO between Azure Entra ID and OCI, so users can sign into the OCI Console using their Azure identities.

Organizations using Active Directory on-premises can extend that identity management to OCI through Azure Entra ID integration. Users authenticate to the OCI Cloud Console while keeping Entra ID as their primary authentication provider via federated authentication.

Critical Requirements:

  • User and group objects must exist in both Azure Entra ID and OCI IDCS (Identity Cloud Service)
  • User provisioning from Entra to IDCS is necessary for synchronization

OCI Architecture Note: OCI moved to a Domain model in which IDCS is built into the tenancy itself, replacing the earlier model where IDCS ran as a separate service (a split between infrastructure and identity similar to Azure's).

Best Practice: Create separate Domains for different identity sources (production/development environments, specific providers, or applications).


Azure — Enterprise Application

Step 1. Launch Entra ID from the Azure portal.

Launch Entra ID

Step 2. Select Enterprise applications from the left navigation menu.

Select Enterprise Applications

Step 3. Select the New Application option.

New Application

Step 4. Search for "Oracle" and select Oracle Cloud Infrastructure Console.

Search Oracle Cloud Infrastructure Console

Step 5. Enter your preferred name and click Create.

Configure Application Name

Step 6. Select Users and groups from the menu, then Add user/group. Find and select your tenant or functional AD group and click Assign.

Assign Users and Groups

Step 7. Go to Properties in the left menu, disable application visibility for users, and Save.

Adjust Application Visibility


OCI — Tenant Metadata

Step 1. Navigate to https://cloud.oracle.com and input your tenant name.

OCI Sign-in Screen

Step 2. Authenticate using a local tenant administrator account (for newly created tenants this is typically in the Default domain).

OCI Login Page

Step 3. Access the Domains section from the top-left navigation menu.

Domains Menu

Step 4. Expand the root compartment dropdown on the left sidebar.

Compartment Selection

Step 5. Select the Create Domain option.

Create Domain Button

Step 6. Enter domain details and create the domain.

Domain Details Form

Step 7. Access the domain once provisioning completes.

Provisioned Domain

Step 8. For DR-configured tenants, enable domain replication. Select More actions and choose Manage Regions. Verify replication is enabled to your secondary DR region.

Region Management Options

Replication Status

Step 9. Record the Domain URL for future reference.

Domain URL Display

Step 10. Access Settings from the left navigation menu.

Settings Navigation

Step 11. Enable Configure client access and save. (This temporarily exposes the metadata endpoint — we'll disable it right after.)

Client Access Configuration

Step 12. Open a new browser tab and navigate to your Domain URL with /fed/v1/metadata appended. Right-click the page and save it locally as metadata.xml.

Metadata File

Step 13. Return to Settings, disable Configure client access, and save changes.

Disable Client Access

Step 14. Navigate back to the domain page using breadcrumb navigation.

Breadcrumb Navigation

Step 15. Access Notifications and toggle off notification settings for all users.

Notification Settings


Azure — Configure SSO

Step 1. Return to the Azure portal with the new Enterprise Application.

Step 2. Select Single sign-on from the left navigation and then SAML from the middle section.

Azure SSO Configuration

Step 3. Click Upload Metadata file at the top and select the metadata.xml file downloaded previously.

Upload Metadata

Step 4. Fill in the Sign on URL with the Domain (IDCS) URL recorded earlier, appending /ui/v1/myoracle to the end. Click Save at the top.

Sign On URL Configuration

Step 5. Once updated, click Edit on the Attributes & Claims box.

Attributes and Claims

Step 6. Click the default claim at the top.

Default Claim Selection

Step 7. Select user.mail for the Source attribute and then Save.

Source Attribute Configuration

Step 8. Return to the main Single Sign-On configuration page, click Download next to Federation Metadata XML, and save the file to the desktop as CUST.xml.

Download Federation Metadata
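As an added example (not from the original guide), the following Python check parses a saved SAML metadata file, either the Azure CUST.xml downloaded here or the IDCS metadata.xml from the previous section, and reports the entityID, endpoints, NameID formats and signing-certificate fingerprint, plus anything worth fixing before import. The embedded sample metadata, its tenant ID, endpoints and certificate are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample shaped like Azure's federation metadata (CUST.xml); tenant ID, endpoints and
# the 5-byte "certificate" are placeholders, and the second endpoint is deliberately plain HTTP.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>MAMCAQE=</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="http://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def fingerprint(b64_cert: str) -> str:
    """SHA-256 fingerprint of a base64 DER certificate, colon-separated for easy comparison."""
    der = base64.b64decode("".join(b64_cert.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def check_saml_metadata(xml_text: str) -> dict:
    """Summarize an IdP or SP metadata file and list findings to resolve before importing it."""
    root = ET.fromstring(xml_text)
    role, endpoint_tag = root.find("md:IDPSSODescriptor", NS), "md:SingleSignOnService"
    if role is None:  # SP metadata (e.g. IDCS /fed/v1/metadata) advertises ACS endpoints instead
        role, endpoint_tag = root.find("md:SPSSODescriptor", NS), "md:AssertionConsumerService"
    endpoints = [(e.get("Binding").rsplit(":", 1)[-1], e.get("Location"))
                 for e in role.findall(endpoint_tag, NS)]
    certs = [fingerprint(c.text)
             for kd in role.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"  # no 'use' attribute means both uses
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    nameid = [n.text.rsplit(":", 1)[-1] for n in role.findall("md:NameIDFormat", NS)]
    findings = []
    if not certs:
        findings.append("no signing certificate: assertions from this peer cannot be verified")
    findings += [f"{b} endpoint is not HTTPS: {loc}" for b, loc in endpoints
                 if not loc.startswith("https://")]
    if nameid and "emailAddress" not in nameid:
        findings.append("emailAddress NameID format not advertised (OCI IdP uses Email Address)")
    return {"entityID": root.get("entityID"), "endpoints": endpoints,
            "nameid_formats": nameid, "signing_certs": certs, "findings": findings}
```

Run it against the real files with check_saml_metadata(open("CUST.xml").read()) and compare the reported fingerprint with the certificate shown in the Azure SAML Signing Certificate section and, after import, in the OCI IdP details.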


OCI — Configure SSO

Step 1. Navigate to the OCI Overview page and select Security from the menu.

Security Menu

Step 2. Select Identity Providers from the left menu and choose Add SAML IdP from the dropdown.

Add SAML IdP

Step 3. Complete the necessary fields and click Next.

IdP Details

Step 4. Search and select the previously downloaded CUST.xml file from Azure. Click Next.

Import Azure Metadata

Step 5. Select Email Address for the Requested Name ID format. Click Next.

Name ID Format

Step 6. Review all configuration details and click Create IdP.

Review and Create

Step 7. Click Activate, then select Add to IdP policy.

Activate IdP

Step 8. Click Default Identity Provider Policy.

Select Default Policy

Step 9. Select Edit IdP rule.

Edit IdP Rule

Step 10. Remove the Username-Password option, add the new IdP (Azure Ad — Contoso in this example), and Save Changes.

Update Authentication Methods

Step 11. Select the domain from the top menu and choose Security from the left navigation.

Domain Security

Step 12. Select Sign-on policies and open Security Policy for OCI Console.

Sign-On Policies

Step 13. Click Add sign-on rule.

Add Sign-On Rule

Step 14. Complete all required fields and click Add sign-on rule.

OCI should not force MFA here — MFA should be enforced on the Azure side via Conditional Access policies.

Configure Sign-On Rule

Step 15. Select Edit priority, move the new MFA policy to Priority 1, and save changes.

Set Policy Priority

Step 16. Select Domains from the top menu, choose Policies from the left menu, and click Create Policy.

Create Policy

Step 17. Create the admin policy with the following details:

  • Name: Contoso-Tenant-Admin-Policy
  • Description: Contoso Tenant Admin
  • Policy Builder rule:
      ALLOW GROUP 'Contoso'/'Domain Administrators' to manage all-resources IN TENANCY

Click Create.

Grant Admin Permissions


OCI — Configure Confidential Application

Step 1. Browse to the domain overview page and select Integrated Applications from the menu on the left.

Integrated Applications

Step 2. Select Add Application.

Add Application

Step 3. Select Confidential Application and then Launch Workflow.

Confidential Application Selection

Step 4. Add a Name, Description, and click Next.

Application Details Form

Step 5. Select and configure the following items and click Next:

  • Client Configuration > Configure this application as a client now
  • Authorization > Client credentials
  • Authorized Resources > Specific
  • Add App Roles > User Administrator

Configuration Options 1

Configuration Options 2

Step 6. Leave the default selections and click Finish.

Finish Configuration

Step 7. Click Activate at the top to finalize the application.

Activate Application

Step 8. Scroll down to general information and copy the Client ID and Client Secret.

Client Credentials

Step 9. Base64-encode the values in the format ClientID:ClientSecret. You can do this locally with PowerShell or bash — avoid pasting credentials into third-party websites.

[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("ClientID:ClientSecret"))
echo -n 'ClientID:ClientSecret' | base64

Save the encoded string for the next section.

Base64 Encoding


Azure — Configure User Provisioning

Step 1. Return to the Azure portal enterprise app, select Provisioning from the left menu, and click Get Started.

Provisioning Get Started

Step 2. Choose Automatic from the dropdown menu.

Automatic Provisioning

Step 3. Enter the following details, click Test Connection, and click Save once confirmed:

  • Tenant URL: IDCS URL (copied previously) with /admin/v1 appended
  • Secret Token: Base64-encoded string (from previous step)

Provisioning Credentials

Step 4. Under Mappings, click Provision Microsoft Entra ID Users.

User Mappings

Step 5. Delete all attributes except the following (refer to the screenshot for the exact list to keep):

  • userPrincipalName
  • Switch([IsSoftDeleted]...)
  • displayName
  • mail
  • active

Attribute Cleanup

Step 6. Edit the Mail attribute.

Edit Mail Attribute

Step 7. Choose UserPrincipalName for the source attribute and click OK.

UserPrincipalName Source

Step 8. Click Save and return to the Provisioning Overview blade.

Save Mappings

Step 9. Click Start Provisioning to kick off the sync from Azure to OCI.

Start Provisioning

Step 10. After a few moments, click Refresh and confirm the initial sync cycle completed successfully.

Sync Completed

Step 11. Return to the OCI portal and confirm that the user accounts have been provisioned. Add these users to the Domain Administrator group, or create policies for the synced group objects as needed, to permit access to the Cloud Console.
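As an added example, not part of the original guide, the Python below models the attribute mapping kept in Steps 5 to 7 and flags accounts whose Azure mail (the SAML NameID source chosen in the SSO configuration) differs from their userPrincipalName (the provisioned IDCS username and email), which is what makes sign-in fail for an otherwise synced user. The Entra user records are constructed; the SCIM target attribute names follow the SCIM 2.0 core schema, and the elided Switch expression is assumed to yield active = not soft-deleted.

```python
# Constructed sample of Entra user objects as the provisioning engine would read them.
ENTRA_USERS = [
    {"userPrincipalName": "alice@contoso.com", "mail": "alice@contoso.com",
     "displayName": "Alice Example", "IsSoftDeleted": False},
    {"userPrincipalName": "bob@contoso.com", "mail": "robert.b@contoso.com",
     "displayName": "Bob Example", "IsSoftDeleted": False},
    {"userPrincipalName": "carol@contoso.com", "mail": None,
     "displayName": "Carol Example", "IsSoftDeleted": True},
]

def to_scim_user(u: dict) -> dict:
    """Build the SCIM core-schema user implied by the mappings kept in Steps 5-7.
    Assumption: the Switch([IsSoftDeleted] ...) expression yields active = not soft-deleted."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "userName": u["userPrincipalName"],
        "displayName": u["displayName"],
        "active": not u["IsSoftDeleted"],
        # Step 7 sources the mail attribute from userPrincipalName, not from mail
        "emails": [{"value": u["userPrincipalName"], "type": "work", "primary": True}],
    }

def nameid_mismatches(users: list) -> list:
    """Return (UPN, reason) for active users whose SAML NameID (Azure claim = user.mail)
    will not equal the provisioned IDCS username/email (= userPrincipalName)."""
    problems = []
    for u in users:
        if u["IsSoftDeleted"]:
            continue  # provisioned as inactive; no sign-in expected
        if not u["mail"]:
            problems.append((u["userPrincipalName"], "no mail attribute: NameID would be empty"))
        elif u["mail"].lower() != u["userPrincipalName"].lower():  # addresses compare case-insensitively
            problems.append((u["userPrincipalName"], f"mail {u['mail']} differs from UPN"))
    return problems

if __name__ == "__main__":
    for upn, reason in nameid_mismatches(ENTRA_USERS):
        print(f"{upn}: {reason}")
```

Export the assigned users' mail and userPrincipalName from Entra before starting provisioning and run them through nameid_mismatches to catch accounts that will sync but never sign in.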