Using Azure AD with your Oracle Cloud apps
Published Jun 12 2019 09:00 AM

Howdy folks,


Microsoft and Oracle recently announced a partnership that enables interoperability between Microsoft Azure and Oracle Cloud. We formed this partnership based on your feedback that you have business critical infrastructure running on each of our clouds, and that you need easy interoperability for apps that span both clouds. You also told us that you need to ensure that your users have secure and high-quality experiences to access these apps.

One of the coolest things about this partnership is how you can leverage your existing investments in Azure AD. For example, your business users can now get a single sign-on (SSO) experience for Oracle E-Business Suite and JD Edwards using the same accounts they already use to sign in to Microsoft Azure and Office 365. They even get an SSO experience for apps that are hosted in Microsoft Azure and access data hosted on Oracle Cloud Infrastructure. So your business can run an app on either cloud, or an app that spans both clouds. Your users can have a single set of credentials, a consistent SSO experience, and common user provisioning, regardless of the infrastructure on which the application runs.

This also simplifies identity administration. You avoid the cost of managing password resets for a second set of user credentials. You can use the same dynamic groups, the same Multi-Factor Authentication (MFA) experiences, and the same risk-based conditional access policies to manage access to your apps, regardless of which cloud they run on. You get a single view of sign-in activity that spans apps in both clouds, along with a rich set of access analytics capabilities using Azure Log Analytics. Of course, you and your administrators also have an SSO experience for managing application infrastructure in both Microsoft Azure and Oracle Cloud.

The diagram below shows how federated identity with Azure AD provides a complete multi-cloud solution for identity and access across Oracle Cloud and Microsoft Azure.

Azure AD federated identity securely integrates the Microsoft and Oracle multi-cloud solution.

Multi-cloud solution integration is only the first part of the value. This integration sets a foundation that enables you to digitally transform your business by increasing end user productivity. It also helps you achieve a better security and compliance posture, with lower administration costs.

Get started

You can begin using Azure AD to access your Oracle applications and OCI today, using the same Azure AD administration center experience that you already use to manage access to other applications. To begin, go to the Add an application page and enter Oracle in the search box. Select an application from the list of Oracle applications and add it to your Azure AD tenant.

Oracle applications in the Azure AD ‘Add an application’ page.

The next step is to configure federated SSO between Azure AD and the Oracle application and then assign access to the users and groups who need to use the application.

You’ll want to ensure that access to a business-critical resource such as an Oracle application is secure. So the last step is to add the Oracle application to an existing conditional access policy, or create a new policy, to configure the access controls users must satisfy to sign in to the Oracle application.

Setting up a conditional access policy for Oracle Cloud Infrastructure Console.

Once you’ve completed these steps, your users can sign in to the Oracle application with the same credentials and the same SSO experience they already use to access Office 365 and Microsoft Azure. You get the peace of mind knowing that you can rely on Azure AD’s risk-based authentication, conditional access policies, and sign-in analytics to help you meet your security and governance requirements for access to the Oracle application.
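The conditional access step above, as an added example that is not code from the post, from Microsoft, or from Oracle: it builds the request body for a risk-based Conditional Access policy in the Microsoft Graph conditionalAccessPolicy schema (the object you POST to /identity/conditionalAccess/policies, or create through the portal blade shown in the screenshot), and models how Azure AD scopes that policy to a sign-in. The application and group object IDs are constructed placeholders; the policy deliberately starts in report-only mode and keeps a break-glass group excluded.

```python
"""Added example (not code from the post, Microsoft, or Oracle): the request
body for a risk-based Conditional Access policy that requires MFA on sign-ins
to an Oracle gallery app, in the Microsoft Graph conditionalAccessPolicy
schema, plus a local model of how the policy scopes to one sign-in.
All object IDs below are constructed placeholders."""
import json

# Constructed placeholders: the gallery app's object ID and two security groups.
ORACLE_APP_ID = "11111111-1111-1111-1111-111111111111"
ORACLE_USERS_GROUP = "22222222-2222-2222-2222-222222222222"
BREAK_GLASS_GROUP = "33333333-3333-3333-3333-333333333333"

VALID_STATES = ("enabled", "disabled", "enabledForReportingButNotEnforced")


def build_ca_policy(app_ids, include_groups, exclude_groups,
                    sign_in_risk_levels=None,
                    state="enabledForReportingButNotEnforced"):
    """Require MFA for the given apps and groups.  With sign_in_risk_levels
    set, the policy only fires on sign-ins Identity Protection rates at those
    levels (risk-based); with None it fires on every sign-in to the apps.
    Defaults to report-only so the effect can be read from sign-in logs first."""
    if state not in VALID_STATES:
        raise ValueError(f"state must be one of {VALID_STATES}")
    conditions = {
        "applications": {"includeApplications": list(app_ids)},
        "users": {
            "includeGroups": list(include_groups),
            # Exclusions win over inclusions in Azure AD; keep a break-glass
            # group out so a bad policy cannot lock every admin out.
            "excludeGroups": list(exclude_groups),
        },
        "clientAppTypes": ["all"],
    }
    if sign_in_risk_levels is not None:
        conditions["signInRiskLevels"] = list(sign_in_risk_levels)
    return {
        "displayName": "Oracle apps: require MFA",
        "state": state,
        "conditions": conditions,
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def evaluate(policy, app_id, user_groups, sign_in_risk="none"):
    """Local approximation of policy scoping for one sign-in.  Returns
    ("enforce", controls), ("report", controls) or ("none", []).  Only the
    conditions build_ca_policy emits are modelled."""
    c = policy["conditions"]
    groups = set(user_groups)
    in_scope = (
        app_id in c["applications"]["includeApplications"]
        and bool(groups & set(c["users"]["includeGroups"]))
        and not groups & set(c["users"]["excludeGroups"])
        # A policy without signInRiskLevels applies to every sign-in.
        and sign_in_risk in c.get("signInRiskLevels", [sign_in_risk])
    )
    if not in_scope or policy["state"] == "disabled":
        return ("none", [])
    controls = list(policy["grantControls"]["builtInControls"])
    if policy["state"] == "enabledForReportingButNotEnforced":
        return ("report", controls)      # written to sign-in logs, not enforced
    return ("enforce", controls)


if __name__ == "__main__":
    policy = build_ca_policy([ORACLE_APP_ID], [ORACLE_USERS_GROUP],
                             [BREAK_GLASS_GROUP], ("medium", "high"), "enabled")
    print(json.dumps(policy, indent=2))          # body to POST via Graph
    print(evaluate(policy, ORACLE_APP_ID, [ORACLE_USERS_GROUP], "high"))
```

Run the policy in report-only mode first and read the "Report-only" result column in the sign-in logs for the Oracle app; only move it to "enabled" once the users and risk levels it catches match what you expect, and keep the break-glass exclusion in place.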

As always, we’d love to hear any feedback or suggestions you have.

Best regards,

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

10 Comments
Copper Contributor

Is there any way this can be implemented with on-premises Oracle apps like PeopleSoft? We are struggling to get Azure SSO on our on-prem PeopleSoft apps without developing a custom WebLogic (with CORS Java) server that will impersonate users on the endpoint, or deploying a Shibboleth SP internally just for that app, because Oracle basically provides no simple solution except to use their OIM platform that costs 6 figures to acquire!! Oracle is a relic of the 90's, and the way they do business (for example, making people wait months for responses and years for application mods) makes me wonder how they are still in demand with so many better companies around now. If I were calling the shots for application acquisition at my company, I would make the second requirement be that it NOT be an Oracle application (the first one being SAML SSO or app proxy compatibility, of course 😊).

Copper Contributor

Hi Alex / experts,

On similar lines, requesting your help on below issue.

We are configuring SSO with Oracle Fusion ERP (as SP) from the Azure Applications Gallery (as IdP). After updating the Fusion details in the Azure application gallery, we downloaded the metadata file from here.

While uploading this metadata file into Oracle Fusion ERP, we are getting the following error -

"You must enter valid identity provider metadata. Ensure the metadata conforms to the SAML version 2.0 or higher standard.: schema_reference.4: Failed to read schema document 'http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd', because 1) could not find the document;  2) the document could not be read; 3) the root element of the document is not xsd:schema."


Any pointers on this error, and how can we resolve it.

Microsoft

Hello Marc,

We have many customers who are using the Oracle Fusion ERP gallery app and have successfully configured it. Can you please use the Federation Metadata URL instead, download that, and try again? Our metadata file is compliant with the SAML specifications. In case you still face the issue, please raise a support ticket with Oracle and also with Microsoft. Do let us know the ticket number, and then we can add the right people from the Oracle side so that they can help you get this set up.

Thanks,

Jeevan Desarda
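The error quoted above shows the Fusion-side validator trying to read the SAML metadata XSD from docs.oasis-open.org while checking the uploaded file. As an added example that is not code from the post, from Microsoft, or from Oracle, this is what an SP-side check of the Azure AD federation metadata looks like when it does not depend on fetching a remote schema: it extracts the fields a SAML SP actually relies on (entityID, signing certificate, SSO endpoints) and rejects anything that would leave assertions unverifiable or send users to a non-HTTPS endpoint. The document, tenant ID and certificate bytes in the block are constructed.

```python
"""Added example (not code from the post, Microsoft, or Oracle): an offline
check of Azure AD federation metadata that extracts what a SAML service
provider needs from it.  The document, tenant ID and certificate are constructed."""
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

FAKE_TENANT = "00000000-0000-0000-0000-000000000000"       # constructed
FAKE_CERT_DER = b"constructed placeholder, not a real certificate"

# Constructed sample in the shape of the document served at the gallery app's
# "App Federation Metadata Url"; elements this code does not need are omitted.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{tenant}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{cert}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{tenant}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{tenant}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
""".format(tenant=FAKE_TENANT, cert=base64.b64encode(FAKE_CERT_DER).decode())


class MetadataError(ValueError):
    """The document is not usable IdP metadata for a SAML 2.0 SP."""


def parse_idp_metadata(doc):
    """Return {'entity_id', 'sso': {binding: url}, 'signing_certs': [DER bytes]}.
    ElementTree does no schema validation, so the OASIS schema URL that the
    Fusion validator tried to fetch is never dereferenced here; every field
    the SP relies on is checked explicitly instead."""
    if isinstance(doc, str):
        doc = doc.encode("utf-8")
    root = ET.fromstring(doc)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise MetadataError(f"unexpected root element {root.tag}")
    entity_id = root.get("entityID")
    if not entity_id:
        raise MetadataError("EntityDescriptor has no entityID")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise MetadataError("no IDPSSODescriptor: this is not IdP metadata")
    if SAML2 not in idp.get("protocolSupportEnumeration", "").split():
        raise MetadataError("IdP does not advertise SAML 2.0")
    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":   # no 'use' means signing and encryption
            continue
        for c in kd.iter(f"{{{DS}}}X509Certificate"):
            certs.append(base64.b64decode("".join((c.text or "").split())))
    if not certs:
        raise MetadataError("no signing certificate: assertions could not be verified")
    sso = {}
    for s in idp.findall(f"{{{MD}}}SingleSignOnService"):
        location = s.get("Location", "")
        if not location.startswith("https://"):
            raise MetadataError(f"refusing non-HTTPS SSO endpoint {location!r}")
        sso[s.get("Binding")] = location
    if REDIRECT not in sso and POST not in sso:
        raise MetadataError("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    return {"entity_id": entity_id, "sso": sso, "signing_certs": certs}


def is_valid_metadata(doc):
    """True if parse_idp_metadata accepts the document."""
    try:
        parse_idp_metadata(doc)
        return True
    except (MetadataError, ET.ParseError):
        return False


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print(meta["entity_id"], meta["sso"][REDIRECT], len(meta["signing_certs"]))
```

The certificate pulled out here becomes the SP's trust anchor for every assertion from the tenant, so fetch the document from the Federation Metadata URL over HTTPS, pin the expected entityID (it embeds your tenant ID) before accepting it, and re-run the check whenever Azure AD rotates the signing certificate. Python's stdlib parser is adequate for metadata you obtain from your own IdP; for XML from untrusted parties use a hardened parser such as defusedxml.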

Copper Contributor

Thank you for the response @Jeevan Desarda

The SSO was configured successfully.

We raised a support ticket with Oracle, and they manually uploaded the metadata XML into the Oracle Fusion Cloud SaaS backend, and that resolved the issue!

Microsoft

Thanks for the confirmation and happy to help you here.

Copper Contributor
Hi, we have Azure Cloud and are exploring how we can connect Oracle Siebel CRM 8.1 (which is not in the cloud) to our Azure SSO instead of the existing custom portal (that uses the Siebel Adapter to connect). Do you know how we can add Oracle Siebel CRM 8.1 to the Azure SSO solution? Thanks
Microsoft

Hello,

Today Oracle Siebel CRM is not directly supported for Azure AD SSO, but we are evaluating this path right now. Once we have some concrete information on this, we will let you know. Can you please file this as a UserVoice item on Azure AD from here: https://feedback.azure.com/forums/169401-azure-active-directory?category_id=160599? Then we can see other customer votes on it and decide the priority.

Thanks.

Copper Contributor
Thanks. We log in to Azure with an email ID; however, Siebel CRM authenticates with a user ID. Trying to see how these user IDs can be mapped to Azure email IDs. Thanks.
Microsoft

@BrightStar Although you log in to Azure AD with your email address, you can use SAML claims mapping in Azure AD to send the user ID from Azure AD so that you can map it back to Oracle Siebel. You can see this claims customization experience here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-saml-claims-customi...
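The claim-to-user-ID mapping described in the reply above, seen from the Siebel side, as an added example that is not code from the post, from Microsoft, or from Oracle. It assumes the Azure AD app has been configured, through the claims customization linked above, to emit a claim named userid carrying the Siebel login (that claim name, the SP entity ID, the account table and the timestamps are all assumptions constructed for the block), and that the SAML library in front of this code has already verified the response signature; an unsigned or unverified assertion must never reach it. The SP keys its lookup on the custom claim rather than the e-mail NameID, and refuses assertions that are expired, for another audience, from another issuer, or for an ID it does not already know.

```python
"""Added example (not code from the post, Microsoft, or Oracle): the
service-provider side of the claims-mapping advice above.  Assumes Azure AD
has been configured to emit a claim named "userid" holding the Siebel login,
and that the response signature was verified before this code runs."""
import xml.etree.ElementTree as ET
from datetime import datetime

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

USERID_CLAIM = "userid"                          # assumed custom claim name
SP_ENTITY_ID = "https://siebel.example.com/sp"   # constructed SP identifier
AZURE_AD_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"

# Constructed: the SP's own account table, keyed by Siebel user id.
SAMPLE_USERS = {"JDOE": {"display": "Jane Doe", "role": "sales"}}
SAMPLE_NOW = datetime(2019, 6, 12, 9, 30)        # inside the validity window below

# Constructed response: e-mail in the NameID (the Azure AD default) and the
# custom claim alongside it.  Signature elements are omitted.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_r1" Version="2.0" IssueInstant="2019-06-12T09:29:00Z">
  <saml:Issuer>{AZURE_AD_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-06-12T09:29:00Z">
    <saml:Issuer>{AZURE_AD_ISSUER}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@contoso.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2019-06-12T09:24:00Z" NotOnOrAfter="2019-06-12T10:29:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{USERID_CLAIM}"><saml:AttributeValue>JDOE</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jane.doe@contoso.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


class SamlRejected(Exception):
    """Raised for any assertion the SP must not log in."""


def _ts(value):
    # SAML timestamps are UTC; Azure AD emits optional fractional seconds.
    return datetime.strptime(value.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S")


def resolve_local_user(response_xml, now, expected_issuer, local_users):
    """Return the local account for an in-window, audience-matched assertion
    from the expected issuer, chosen by the custom user-id claim."""
    root = ET.fromstring(response_xml)
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        raise SamlRejected("response status is not Success")
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if len(assertions) != 1:
        raise SamlRejected("expected exactly one assertion")
    a = assertions[0]
    if a.findtext(f"{{{SAML}}}Issuer") != expected_issuer:
        raise SamlRejected("assertion issuer is not our Azure AD tenant")
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None:
        raise SamlRejected("assertion carries no Conditions")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if noa is None or now >= _ts(noa) or (nb and now < _ts(nb)):
        raise SamlRejected("assertion outside its validity window")
    if SP_ENTITY_ID not in [e.text for e in cond.iter(f"{{{SAML}}}Audience")]:
        raise SamlRejected("assertion was issued for a different audience")
    values = [v.text for attr in a.iter(f"{{{SAML}}}Attribute")
              if attr.get("Name") == USERID_CLAIM
              for v in attr.findall(f"{{{SAML}}}AttributeValue")]
    if len(values) != 1 or not values[0]:
        raise SamlRejected(f"claim {USERID_CLAIM!r} missing or multi-valued")
    account = local_users.get(values[0].strip())
    if account is None:
        # Deliberately no just-in-time account creation: an unknown id from
        # the IdP must not become a valid Siebel user.
        raise SamlRejected(f"no local account for user id {values[0]!r}")
    return account


def accepts(response_xml, now=SAMPLE_NOW, issuer=AZURE_AD_ISSUER, users=SAMPLE_USERS):
    """True if resolve_local_user would log this response in."""
    try:
        resolve_local_user(response_xml, now, issuer, users)
        return True
    except SamlRejected:
        return False


if __name__ == "__main__":
    print(resolve_local_user(SAMPLE_RESPONSE, SAMPLE_NOW, AZURE_AD_ISSUER, SAMPLE_USERS))
```

Keying on a dedicated claim rather than the e-mail address also survives the case the thread raises, where the Azure AD sign-in name and the Siebel login differ: the mapping lives in the Azure AD claim configuration, and the SP never has to guess it.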

Copper Contributor

Hi Alex / Jeevan / team,

We are configuring user provisioning from Azure to Oracle Fusion ERP SaaS and following the official documentation at https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/oracle-fusion-erp-provisioning-tut...

However, we are unable to successfully provision a user and are getting a "failure" message in the audit logs.

The log message / status message is:

"Failed to create User 'trial1@marc3669gmailcom.onmicrosoft.com' in OracleFusionERP; Error: The SCIM endpoint is not fully compatible with the Azure Active Directory SCIM client. Please refer to the Azure Active Directory SCIM provisioning documentation and adapt the SCIM endpoint to be able to process provisioning requests from Azure Active Directory. StatusCode: BadRequest Message: Processing of the HTTP request resulted in an exception. Please see the HTTP response returned by the 'Response' property of this exception for details. Web Response: { "Errors" : [ { "description" : "Invalid, syntactically incorrect or unparseable input provided: addresses", "code" : "400", "uri" : "urn:oracle:apps:scim:errors:1.0:input:invalid" } ] }. This operation was retried 3 times. It will be retried again after this date: 2020-01-15T04:04:51.8833073Z UTC"

ErrorCode - "SystemForCrossDomainIdentityManagementBadRequest"

Error in step 4 - Provision urn:scim:schemas:core:2.0:User in OracleFusionERP 

This seems weird, as we have followed the steps as per the official documentation, and this is now hindering our progress on the final connectivity and user provisioning.

Request your help in resolving the issue, or in redirecting us to the correct person who would be able to help us with this.

Regards,

Mark

Version history: last updated Aug 19 2021 04:21 PM