Multi-Cloud Federation — Microsoft Azure and Oracle Cloud Single Sign-On Authentication
I was responsible for designing and implementing a Multi-Cloud federation solution for users and groups using Microsoft Entra ID and OCI IAM.
There were multiple users needing to be authenticated through both Microsoft Azure and Oracle Cloud using the same login and password (single sign-on) to access resources.
Once the integration was created in the Oracle Cloud platform, the mapping of users and groups was directly related to those in Microsoft Azure through the federation service. Check out the solution below:
Prerequisites:
Oracle Cloud Account
Microsoft Azure Account
In the Microsoft Azure console, go to the Microsoft Entra ID service. Azure Active Directory was recently changed to Entra ID, but the attributes and tabs are still the same for the most part. On the left pane, click on the Usage & Insights tab:
Click Start a free Premium Trial. We only have a free account at the moment, and the premium trial gives us the minimum licensing needed for federation:
Click Activate under the first option titled “Enterprise Mobility + Security E5”. This gives you access to the Entra ID P2 license as well as Enterprise Mobility for other cloud solutions of your choice:
Heading back to the Overview section of the Default Directory, you’ll see that we now have the Microsoft Entra ID P2 license available:
Now on your Oracle Cloud console, click on the Navigation menu in the top-left, Identity & Security, then click Federation under the Identity section:
You’ll come across a screen that allows you to download a metadata document. This is the data that lets you set up federated logins between identity domains and external identity providers. Right-click the “Download this document” button and choose “Save link as”. Save it in a folder where it can be accessed later:
Going back to the Default Domain in the Oracle Cloud console, you’ll see a section called Groups. In that tab, you’ll see a group called Administrators. We’ll be setting up a group with the same name in Azure so naming conventions are kept consistent:
Head back to the Azure console, and under the Default Directory click Groups, then New group:
The only thing you’ll be adding is the Group name and description, as well as your own account to the members section at the bottom. Click Create when you’re finished:
Refresh the page after a couple of minutes, and you’ll see your newly created group:
After that, click Enterprise applications in the pane under the Default Directory:
Choose New application:
Search for the Oracle Cloud Infrastructure Console in the enterprise applications, then click Create:
After the application is created, click Let’s get started under the Set up single sign-on option:
Select the SAML sign-on method:
For this, upload the XML metadata file you downloaded earlier from the Oracle Cloud console:
Once selected, you’ll need to enter a sign-on URL for the application. Let’s head back over to our Oracle Cloud console:
Make sure you’re logged in and the correct region is selected. Copy the URL of the homepage of your Oracle Cloud console:
Paste this URL into the sign-on field in the configuration, then click Save:
Afterwards, click Edit in the Attributes & Claims section:
Click in the “Name identifier format” field and change it to Persistent, then click Save. A persistent NameID is a stable, opaque identifier for the user, so OCI sees the same subject on every login rather than a value that can change between sessions:
A group claim is a piece of information about a user or entity that is carried in the security token and is used to define security permissions and roles within the application. Click “Add a group claim”:
For groups associated with the user, select Security groups, click Advanced options, check the “Customize the name of the group claim” checkbox, name your group claim and fill in the Namespace. Click Save:
Come back to your Oracle enterprise application you created, and in the Single sign-on tab download the Metadata from Azure:
Click on the Users and groups tab and click the “Add user/group” button:
Add the Administrators group you created earlier in Azure and click Assign:
In the Oracle console, while still in the Federation tab, click Add Identity Provider:
Fill out the form as shown below with the name of your choice, and upload the metadata of the Oracle enterprise application you created in Azure earlier. Click Continue:
Now we want to map the Azure Administrators group to the OCI Administrators group. The group claim carries the Azure group’s Object ID, so that is the value OCI matches against. Go into the Azure console, open the Administrators group, copy the Object ID and paste it into the Identity Provider Group field in Oracle. After that, select the Oracle Administrators group for the OCI group field, then click Add Provider:
The Identity Provider has now been added to the Federation:
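To see what the Name identifier and group-claim settings above actually produce, here is an added example (not part of the original walkthrough or of either vendor’s tooling) that parses a constructed, unsigned SAML assertion, checks that the NameID format is persistent, and resolves the group claim’s Object IDs against an Entra-to-OCI group mapping. The claim name, Object IDs and mapping are placeholder values chosen for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Hypothetical claim name: the namespace plus the name chosen in the "Add a group claim" step.
CLAIM_NAME = "http://example.invalid/claims/groups"

# Constructed mapping of Entra group Object IDs (placeholders) to OCI group names.
GROUP_MAP = {"11111111-1111-1111-1111-111111111111": "Administrators"}

# Constructed, unsigned, trimmed assertion for illustration only; one mapped and one unmapped group.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS['saml']}">
  <saml:Subject>
    <saml:NameID Format="{PERSISTENT}">user-persistent-id</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIM_NAME}">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def nameid_is_persistent(assertion_xml):
    """True when the Subject NameID uses the persistent format set in the claims editor."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    return name_id is not None and name_id.get("Format") == PERSISTENT


def resolve_groups(assertion_xml, claim_name, group_map):
    """Split the group claim's Object IDs into OCI groups that have a mapping and IDs that do not."""
    root = ET.fromstring(assertion_xml)
    mapped, unmapped = [], []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") != claim_name:
            continue  # other claims (name, email, ...) are not group claims
        for value in attr.findall("saml:AttributeValue", SAML_NS):
            object_id = (value.text or "").strip()
            if object_id in group_map:
                mapped.append(group_map[object_id])
            else:
                unmapped.append(object_id)  # no OCI group: grants nothing, worth logging
    return {"mapped": mapped, "unmapped": unmapped}


if __name__ == "__main__":
    print("persistent NameID:", nameid_is_persistent(SAMPLE_ASSERTION))
    print(resolve_groups(SAMPLE_ASSERTION, CLAIM_NAME, GROUP_MAP))
```

An Object ID that shows up as unmapped is the usual cause of a user who can log in through SSO but lands in OCI with no group permissions.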
Now let’s open an incognito window and sign in with our newly federated account. After following the sign-in URL from earlier, I entered my tenancy name and the Single sign-on screen came up. Select the name of your Identity Provider and hit Continue:
The Microsoft sign-in screen comes up, confirming that SSO is in place. Enter the email address associated with your Azure account, then your password:
And finally, we’re logged in! You can make sure it works by clicking on your profile button at the top-right. You’ll see your SSO link and tenancy name, indicating you’re now signed in with your Azure credentials: