11. Federation using Azure AD - CloudDarsh/OracleCloud GitHub Wiki
Federation using Azure AD
Goal: sign in to the OCI Console with the same user account we used to sign in to Azure AD. In the OCI Console, go to Identity & Security --> Domains --> Default --> Security --> Identity Providers.
Click Export SAML Metadata; this produces the service-provider details of our OCI identity domain (entity ID, assertion consumer URL, signing certificate) that Azure AD needs.
Download the file.
Now go to Azure AD --> Enterprise Applications --> New Application.
The gallery lists many applications; search for Oracle.
Under Oracle, select Oracle Cloud Infrastructure Console and click Create.
The Oracle Cloud Infrastructure Console application page opens. Go to Single sign-on and select SAML as the method.
On the SAML page, upload the metadata file downloaded from OCI above.
After the upload, the Identifier (Entity ID) and Reply URL are filled in from the metadata, but the Sign on URL is still empty.
Copy the Identifier URL up to and including the :443 port, paste it into Sign on URL, append /ui/v1/myconsole to the end, and click Save. (For an Identifier of the form https://<domain-host>:443/fed the Sign on URL is https://<domain-host>:443/ui/v1/myconsole.)
Azure AD now has the details of OCI and the single sign-on configuration is created.
Next, assign the user who is allowed to use this single sign-on configuration; only assigned users can sign in through it.
(We want the same user we signed in to Azure AD with to sign in to OCI.)
In the same Oracle Cloud Infrastructure Console application in the Azure portal, go to Users and groups --> Add user/group, select the user, and assign; the user is added.
Now open the assigned user --> Edit properties.
Here we see that the unique e-mail address we will sign in with is listed under Other emails, not as the user principal name.
Go back to Single sign-on --> Attributes & Claims.
The Unique User Identifier (Name ID) claim is currently sourced from user.userprincipalname.
Click it, change the source attribute to user.othermail, and save.
Checking Attributes & Claims again, the Unique User Identifier now shows user.othermail. This value becomes the NameID in the SAML assertion, and OCI looks up a user by it, so it must match the user name of the OCI user exactly.
The SAML configuration in Azure AD is now ready.
Now pass the Azure AD SAML details to OCI: on the same Single sign-on page, download the Federation Metadata XML.
Go back to OCI --> Identity Providers and click Add IdP.
Enter a name for the SAML IdP (AzureAD, the name the IdP policy refers to later) --> Next.
Import the metadata XML file downloaded from Azure AD --> Next.
Keep the default values in the next step --> Next.
Click Review and Create.
After creating the IdP, test the connection: click Test Login.
The test fails with a connection failed error, and the dialog shows the SAML assertion that was received.
To read the assertion more easily, copy it into Notepad++ and set the language to XML.
The error occurs because OCI matched the NameID in the assertion (the user.othermail address) against its own users and found none: we have not yet created the same user in OCI.
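The following script is an added example, not code from the original wiki page. It reads the two XML documents the walkthrough handles by hand: the Federation Metadata XML downloaded from Azure AD (entity ID and SSO endpoints, which the OCI Add IdP import consumes) and the SAML response shown in the Test Login dialog (status, issuer, audience and NameID). It then reports why OCI would reject the login, reproducing the "user not created yet" failure above, and also derives the Sign on URL from the Identifier as in the Azure step. The tenant ID, the identity-domain host, the user names and both XML documents are constructed placeholders; the response is unsigned and trimmed, and the script does not verify XML signatures (OCI does that itself), so it is only for reading an assertion, never for validating one.

```python
"""Read Azure AD federation metadata and a SAML response, then explain why an
OCI Test Login would fail. Added example, not from the wiki page; no signature
verification is performed, so use it only to inspect an assertion."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed placeholders: the Azure tenant ID and the OCI domain's Identifier (Entity ID).
TENANT = "00000000-0000-0000-0000-000000000000"
OCI_IDENTIFIER = "https://idcs-example.identity.oraclecloud.com:443/fed"

# Constructed, trimmed copy of the Federation Metadata XML Azure AD publishes for the app.
AZURE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed, unsigned SAML response shaped like the one in the Test Login dialog.
# The NameID is the value the user.othermail claim produced in Azure AD.
SAML_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" Destination="{OCI_IDENTIFIER}/v1/sp/sso">
  <saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/{TENANT}/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{OCI_IDENTIFIER}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def sign_on_url(identifier: str) -> str:
    """Azure step: keep scheme://host:port of the Identifier and append /ui/v1/myconsole."""
    parts = urlsplit(identifier)
    return f"{parts.scheme}://{parts.netloc}/ui/v1/myconsole"


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the IdP entity ID and SSO endpoints OCI's Add IdP import reads."""
    root = ET.fromstring(xml_text)
    sso = {svc.get("Binding"): svc.get("Location")
           for svc in root.findall("md:IDPSSODescriptor/md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "sso": sso}


def _text(el) -> str:
    return (el.text or "").strip() if el is not None else ""


def parse_response(xml_text: str) -> dict:
    """Pull status, issuer, audience and NameID out of a SAML response (no signature check)."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS) if assertion is not None else None
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) \
        if assertion is not None else None
    return {
        "status": root.find("samlp:Status/samlp:StatusCode", NS).get("Value"),
        "issuer": _text(root.find("saml:Issuer", NS)),
        "audience": _text(audience),
        "name_id": _text(name_id),
        "name_id_format": name_id.get("Format", "") if name_id is not None else "",
    }


def diagnose(response: dict, idp_entity_id: str, sp_entity_id: str, oci_usernames) -> list:
    """Return the reasons OCI would reject this login; an empty list means all checks passed."""
    problems = []
    if response["status"] != SUCCESS:
        problems.append(f"IdP returned status {response['status']}")
    if response["issuer"] != idp_entity_id:
        problems.append(f"issuer {response['issuer']!r} does not match the IdP metadata entityID")
    if response["audience"] != sp_entity_id:
        problems.append(f"audience {response['audience']!r} is not this OCI domain ({sp_entity_id})")
    known = {u.lower() for u in oci_usernames}          # OCI user names, compared case-insensitively
    if response["name_id"].lower() not in known:
        problems.append(f"no OCI user named {response['name_id']!r}: create one with that user name")
    return problems


if __name__ == "__main__":
    meta = parse_idp_metadata(AZURE_METADATA)
    resp = parse_response(SAML_RESPONSE)
    print("Sign on URL:", sign_on_url(OCI_IDENTIFIER))
    print("IdP entityID:", meta["entity_id"], "SSO:", meta["sso"])
    print("NameID:", resp["name_id"], resp["name_id_format"])
    # Before the user exists in the OCI domain (the failing Test Login above).
    for p in diagnose(resp, meta["entity_id"], OCI_IDENTIFIER, {"admin@example.com"}):
        print("FAIL:", p)
    # After creating alice@example.com in the domain.
    print("after fix:", diagnose(resp, meta["entity_id"], OCI_IDENTIFIER,
                                 {"admin@example.com", "alice@example.com"}) or "OK")
```

Run it as-is to see the failing and the fixed case; to inspect a real assertion, paste the XML from the Test Login dialog into SAML_RESPONSE and the domain's user names into the set passed to diagnose(). Audience and issuer mismatches are the other two causes of a connection failed result that look identical from the login page.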
Create the user in OCI with a user name equal to that e-mail address, then run Test Login again.
Now the connection works.
After the test succeeds, activate the identity provider.
Once it is activated, add this IdP to an IdP policy.
Go to IdP Policies --> Default IdP Policy --> click the three dots --> Edit IdP rule.
Add AzureAD in the Assign identity providers section and make sure AzureAD comes first in the sequence, because the sign-in page offers the providers in that order; putting it first avoids starting every sign-in with a failed attempt. Keep the Username/Password provider in the rule as well, otherwise a mistake in the federation setup locks everyone, administrators included, out of the domain. Save changes.
Now try to sign in to the OCI account.
The sign-in page shows an AzureAD option --> click it --> select the account.
Enter the password of the account, or choose to receive an e-mail code: enter the e-mail address and click Send Code.
Microsoft sends an e-mail containing the code to sign in with.
We also have to enable Secure Verification --> Mobile App --> Done.
We are now signed in to OCI as the federated user.