Sunday, June 20, 2021

How to setup AD bridge on IDCS

What is AD bridge

The Microsoft Active Directory (AD) Bridge provides a link between your AD enterprise directory structure and Oracle Identity Cloud Service. Oracle Identity Cloud Service can synchronize with this directory structure so that any new, updated, or deleted user or group records are transferred into Oracle Identity Cloud Service.

Synchronization Flow & Allowed Operations:

AD to IDCS synchronization (Mandatory) - Create/Update/Delete users from AD to IDCS

IDCS to AD synchronization (optional) - Update/Deactivate ( No create/Delete operations allowed)


Prerequisites :

Set Permissions for Your Microsoft Active Directory (AD) Account

1. Create the service account in AD

2. In order to setup AD to IDCS synchronization, Please grant Generic Read permissions for the users, groups, and organizational units (OU) in the AD domain that you want to import into Oracle Identity Cloud Service:

dsacls "DC=jay,DC=local" /I:T /g "jay.local\sanjeev:GR"

3. If you want to setup IDCS to AD sync (optional) , then please grant Generic Write permission for the users, groups, and organizational units (OU) in the AD domain,

dsacls "DC=jay,DC=local" /I:T /g "jay.local\sanjeev:GW"

Certified Components

  • With the Microsoft Active Directory (AD) Bridge, Oracle Identity Cloud Service can connect to your AD enterprise directory structure.  The  following table lists the certified versions for Oracle Identity Cloud Service,AD, your operating system, and the Microsoft .NET software framework (which is required for the AD Bridge to run).

  • Please create the machine (for deploying AD bridge) that’s attached to the Microsoft Active Directory domain for auto discovery & Make sure firewall is opened to reach IDCS.

Create a Microsoft Active Directory (AD) Bridge

To create a Microsoft Active Directory (AD) Bridge that provides a link between your AD enterprise directory structure and Oracle Identity Cloud Service, you must be assigned to either the identity domain administrator role or the security administrator role
  • In the Identity Cloud Service console, expand the Navigation Drawer, click Settings, and then click Directory Integrations and click Add a Microsoft Active Directory Bridge.


  • Make a note of the Identity Cloud Service URL, Client ID, and Client Secret.
  • Click Download. Oracle Identity Cloud Service downloads the client for the AD Bridge.
  • FTP the ad-id-bridge.exe file to window server which was created in earlier step.

Install AD bridge

  • To install the client for the AD Bridge, double-click the ad-id-bridge.exe file.The Welcome to AD Bridge Installer window appears.In the Language Selection area,
  • select the language that you want to use to install the client for the AD Bridge, and then click OK. The Identity Cloud Service Microsoft Active Directory Bridge Installer appears.


  • In the Welcome dialog box, click Next.

  • In the Destination Folder dialog box, choose one of the following install choices:





  • In the Specify Proxy Server dialog box:

    1. If your organization has a firewall in place and requires communication to be handled using an HTTP Proxy Server, then select Use Proxy Server. If you select this check box, then provide the full path (or address) of the proxy server and the administrator credentials for connecting to the proxy server.

    2. If your organization doesn’t require communication to be handled using an HTTP Proxy Server, then don't select Use Proxy Server.

    3. Click Next.


  • In the Specify Identity Cloud Service Credentials dialog box:

    1. Provide the Cloud Service URL, Client ID, and Client Secret.

    2. Click Test.

      The AD Bridge attempts to connect to the Oracle Identity Cloud Service server.

      If a connection can be established, then a Connection Successful! confirmation message appears.

      Otherwise, you’ll receive an error message, indicating that you entered an incorrect Cloud Service URL, Client ID, or Client Secret. Modify the incorrect values, and click Test again.

    3. Click Next.





  • In the Specify Microsoft Active Directory Credentials dialog box, provide the following connection details to the AD server:

    1. Username: The AD account that the AD Bridge uses to access the AD server.

    2. Password: The password for the AD account.

    3. Use SSL: If you're connecting to the server via an SSL connection, then leave this check box selected. Otherwise, deselect it.




  • Click Next -->Click Close


  • In the Identity Cloud Service console, access the Directory Integrations page. The AD Bridge that you created for the AD domain appears with a status of Partially Configured. The bridge is created, but not configured. See Configure a Microsoft Active Directory (AD) Bridge for more information about configuring this bridge.

    Note:

    If you don't see the AD Bridge in the Directory Integrations page, then refresh your web browser. Also, you can create only one bridge per AD domain.




Configure a Microsoft Active Directory (AD) Bridge


You can access the Managing Security Settings infographic to see how to configure an AD Bridge.

  1. In the Identity Cloud Service console, expand the Navigation Drawer, click Settings, and then click Directory Integrations -->Click the AD Bridge that you want to configure.

    Note : The bridge has a status of Partially Configured.

  2. In the Configure the Microsoft Active Directory Domain page, configure the AD domain to poll for changes to users or groups in AD and import those changes into Oracle Identity Cloud Service. In the Select organizational units (OUs) for users and Select organizational units (OUs) for groups panes:


3. In the Supported Operations area, choose which operations for Oracle Identity Cloud Service users or groups will be propagated to AD: (didn't choose anything as we don't to propogate changes from IDCS to AD)


4. In the Set import frequency area, schedule how often, in hours and minutes, you want Oracle Identity Cloud Service to use the AD Bridge to import users and groups from AD.

5. In the Configure Attribute Mappings area, click Edit Attribute Mappings to define custom attribute mappings between AD and Oracle Identity Cloud Service. (We didn't change anything)



6. In the Authentication Settings area, select Enable local authentication if you want users to use their Oracle Identity Cloud Service or their AD passwords (requires delegated auth setup which has not been setup as of now) to authenticate into Oracle Identity Cloud Service to access Oracle Identity Cloud Service-protected resources.




7.Click Save

8. In the Confirmation window, click OK.The status of the AD Bridge changes from Partially Configured to Configured. The bridge is created and configured.

9. Click on Bridge we have created in IDCS and go to import tab



10 . We can do the full import during first time & subsequently scheduled job will sync the changes from AD to IDCS.










at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

How to Compile Forms , Reports & Custom.pll in R12.2

How to Compile Custom.pll   cd $AU_TOP/resource  cp CUSTOM.plx CUSTOM.plx_bkup  cp CUSTOM.pll CUSTOM.pll_bkup  frmcmp_batch module=CUSTOM.pl...

  • Terraform - count vs for_each
      Count: Before Terraform 0.12.6, the only way to create multiple instances of the same resource was to use a  count  parameter. One o...
  • How to check If a patch is applied in R12.2
    In eBusiness Suite (EBS) 12.2.x you cannot query the AD_BUGS table to check if patches have been applied.The AD_BUGS table may have entries...
  • How to Export DB_LINKS
    We used to refresh our DEV database from production.so we need to preserve the DEV dblinks before we start refresh . we need to restore aft...