Microsoft Active Directory Delegated Authentication with Oracle IDCS as IDP and Citrix as SP

Anoop Srivastava
4 min read · Mar 11, 2020

AD Delegated Authentication is a way to synchronise user passwords between an on-premises Microsoft Active Directory enterprise directory structure and Oracle Identity Cloud Service (IDCS). Users can use their AD passwords to sign in to IDCS to access resources and applications protected by Oracle IDCS.

With delegated authentication, identity domain administrators and security administrators don’t have to synchronize user passwords between an on-premises Microsoft Active Directory (AD) enterprise directory structure and Oracle Identity Cloud Service. Users can use their AD passwords to sign in to Oracle Identity Cloud Service to access resources and applications protected by Oracle Identity Cloud Service.

Suppose you have an AD domain that contains user accounts that you want to import into Oracle Identity Cloud Service. To transfer these accounts, you have to install and configure an AD Bridge for this domain. The AD Bridge provides a link between the domain and Oracle Identity Cloud Service. Oracle Identity Cloud Service can synchronize with this domain so that any new, updated, or deleted user records are transferred into Oracle Identity Cloud Service. Because of this, the state of each record is synchronized between AD and Oracle Identity Cloud Service.

After using an AD Bridge to transfer user accounts from the AD domain into Oracle Identity Cloud Service, you will have to configure Oracle Identity Cloud Service so that users from this domain must use their AD passwords to sign in to Oracle Identity Cloud Service. To do this, you can activate delegated authentication for the AD Bridge.

In this blog, Oracle IDCS works as the Identity Provider (IDP), with authentication delegated to Microsoft Active Directory (MS AD), and Citrix works as the Service Provider (SP) protecting the server-side applications running within OCI. Citrix renders these applications to end customers using its virtual application streaming capability.

To Configure delegated authentication of Oracle IDCS and MS AD

We will use Office365 as one of the target applications. Oracle IDCS can provision users into Office365 and keep them synchronised. Setting this up and configuring it is detailed in this document here.

Steps to Configure SAML in Oracle IDCS

Create an application that supports SAML for SSO

Name : MyCustomApp (can be any name)

Application URL/Relay State: https://<publicly_accessible_hostname/IP>:<port>/MyCustomApp (this can be your deployed application URL)

Check the “Display in My Apps” and “User can request access” checkboxes so that, after creation, the app shows up under “your app” in IDCS.

Click Next and update the following info

+General

Entity ID: IDCS_IDP_SSO

Assertion Consumer URL: https://<publicly_accessible_hostname/IP>:<port>/saml2/

NameID Format: Unspecified

NameID Value: Expression. I am using an expression so that the NameID is built from the uid of the user, not from the first name, last name, or email ID.

For this scenario the expression is: ${user.userName}@mycompany.com

+Attribute Configuration

Name: Groups

Format: Basic

Type: User Attribute

Value: Group Membership

Condition: All Groups
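To show what the Citrix SP actually receives from the SAML configuration above, here is an added example (not code from the original post, Oracle, or Citrix). It evaluates the NameID expression ${user.userName}@mycompany.com on a constructed user record, then applies the field checks an SP should make on a constructed assertion before trusting it: issuer, audience against the Entity ID, bearer Recipient against the Assertion Consumer URL, validity window, NameID format and shape, and the multi-valued Groups attribute. The issuer URL, ACS host, user record and timestamps are all constructed placeholders, and XML signature verification with the IDCS signing certificate is assumed to have happened before these checks run.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NAMEID_DOMAIN = "mycompany.com"

# Values from the app configuration above; the ACS host is a placeholder
SP_ENTITY_ID = "IDCS_IDP_SSO"
ACS_URL = "https://sp.example.invalid:443/saml2/"
# Placeholder IDCS issuer (constructed, not a real tenant)
IDCS_ISSUER = "https://idcs-PLACEHOLDER.identity.oraclecloud.com:443/fed"


def nameid_expression(user):
    """Assumed evaluation of the IDCS expression ${user.userName}@mycompany.com:
    the NameID is built from the uid, not from first/last name or email."""
    return f"{user['userName']}@{NAMEID_DOMAIN}"


# Constructed user record, as the AD Bridge would have synced it (not real data)
USER = {"userName": "jdoe", "givenName": "Jane", "familyName": "Doe",
        "email": "jane.doe@mycompany.com", "groups": ["Citrix-Users", "Finance"]}

# Constructed assertion matching the configuration above (signature omitted)
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2020-03-11T10:00:00Z">
  <saml:Issuer>{IDCS_ISSUER}</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{NAMEID_UNSPECIFIED}">{nameid_expression(USER)}</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2020-03-11T10:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2020-03-11T09:59:00Z" NotOnOrAfter="2020-03-11T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml:AttributeValue>Citrix-Users</saml:AttributeValue>
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, expected_issuer=IDCS_ISSUER,
                       sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL):
    """Field checks an SP applies AFTER verifying the XML signature with the
    IDCS signing certificate (signature verification is not shown here)."""
    root = ET.fromstring(xml_text)
    errors = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=SAML_NS).strip()
    if issuer != expected_issuer:
        errors.append(f"unexpected issuer {issuer!r}")
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        errors.append("missing Conditions")
    else:
        if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
            errors.append("assertion outside its validity window")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
        if sp_entity_id not in audiences:
            errors.append(f"audience {audiences} does not include SP entity ID {sp_entity_id}")
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    name_id_value = name_id.text.strip() if name_id is not None and name_id.text else ""
    if name_id is None or name_id.get("Format", NAMEID_UNSPECIFIED) != NAMEID_UNSPECIFIED:
        errors.append("NameID missing or not in unspecified format")
    elif not re.fullmatch(r"[A-Za-z0-9._-]+@" + re.escape(NAMEID_DOMAIN), name_id_value):
        errors.append(f"NameID {name_id_value!r} is not <uid>@{NAMEID_DOMAIN}")
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", SAML_NS)
    if scd is None or scd.get("Recipient") != acs_url:
        errors.append("bearer confirmation Recipient does not match the ACS URL")
    elif scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
        errors.append("bearer confirmation has expired")
    # Groups is multi-valued: one AttributeValue per group membership
    groups = [v.text for v in root.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='Groups']/saml:AttributeValue", SAML_NS)]
    return {"ok": not errors, "errors": errors, "name_id": name_id_value, "groups": groups}


NOW = datetime(2020, 3, 11, 10, 1, tzinfo=timezone.utc)  # constructed "current time"


def validate_sample(offset_seconds=0, xml_text=SAMPLE_ASSERTION):
    """Run the checks against the constructed assertion at NOW + offset."""
    return validate_assertion(xml_text, NOW + timedelta(seconds=offset_seconds))


if __name__ == "__main__":
    result = validate_sample()
    print("NameID:", result["name_id"], "groups:", result["groups"], "ok:", result["ok"])
    print("10 minutes later:", validate_sample(600)["errors"])
```

The point of the NameID check is the one the configuration above makes: the value the SP keys on is the uid plus a fixed domain, so it stays stable when a user's display name or email changes, and the SP can reject assertions whose NameID does not have that shape.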

Also upload the Signing certificate that will be used for the SP SSO configuration. This can be any trusted partner certificate.

Download the IDP metadata -> Click on “Download Identity Provider Metadata” button on the right top of the screen.

You can use this IDCS certificate in Citrix; it is what wires IDCS to Citrix as an IDP.

Then click Finish.

Copy the IDP metadata downloaded from IDCS console to Citrix and upload the certificate of IDCS in Citrix.
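Before copying the downloaded IDP metadata and certificate into Citrix, it is worth checking that the two agree with each other and with the app configuration above. The following is an added example (not the post's, Oracle's or Citrix's code) that parses a constructed SAML 2.0 IdP metadata document, extracts the entity ID, SSO endpoints, advertised NameID formats and the signing certificate, and compares the certificate's SHA-256 fingerprint against the one pinned on the SP side. The tenant hostname, endpoint paths and certificate bytes are constructed placeholders, not real IDCS values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the DER bytes of the IDCS signing certificate
PLACEHOLDER_CERT_DER = b"CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE"

# Constructed metadata in the shape of a SAML 2.0 IdP descriptor; the tenant
# host and endpoint paths are placeholders, not real IDCS values
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idcs-PLACEHOLDER.identity.oraclecloud.com:443/fed">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(PLACEHOLDER_CERT_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idcs-PLACEHOLDER.identity.oraclecloud.com/fed/v1/idp/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idcs-PLACEHOLDER.identity.oraclecloud.com/fed/v1/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def sha256_fingerprint(der_bytes):
    """Colon-separated SHA-256 fingerprint, the form most admin consoles display."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def inspect_idp_metadata(xml_text):
    """Pull out what the SP side needs from an IdP metadata document."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", MD_NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", MD_NS):
        # A KeyDescriptor without "use" covers both signing and encryption
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD_NS):
            der = base64.b64decode("".join(c.text.split()))
            certs.append(sha256_fingerprint(der))
    sso = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", MD_NS)}
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", MD_NS)]
    return {"entity_id": root.get("entityID"), "signing_cert_sha256": certs,
            "sso": sso, "nameid_formats": formats}


def check_against_sp(metadata_xml, pinned_fingerprint, required_nameid_format):
    """Mismatches between the IdP metadata and what the SP was configured with."""
    info = inspect_idp_metadata(metadata_xml)
    problems = []
    if pinned_fingerprint not in info["signing_cert_sha256"]:
        problems.append("signing certificate in metadata differs from the one uploaded to the SP")
    if required_nameid_format not in info["nameid_formats"]:
        problems.append(f"IdP does not advertise NameID format {required_nameid_format}")
    if not info["sso"]:
        problems.append("no SSO endpoint found")
    if not all(loc.startswith("https://") for loc in info["sso"].values()):
        problems.append("SSO endpoint is not HTTPS")
    return problems


if __name__ == "__main__":
    info = inspect_idp_metadata(SAMPLE_IDP_METADATA)
    print("entityID:", info["entity_id"])
    print("SSO endpoints:", info["sso"])
    print("signing cert SHA-256:", info["signing_cert_sha256"])
    print("problems:", check_against_sp(SAMPLE_IDP_METADATA,
                                        sha256_fingerprint(PLACEHOLDER_CERT_DER),
                                        NAMEID_UNSPECIFIED))
```

Run it against the real metadata file you downloaded from the IDCS console (replace the constructed string) and compare the printed fingerprint with the certificate you upload in Citrix; a mismatch here usually means the wrong certificate was uploaded, which is the most common reason the SSO redirect fails after the SP is configured.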

Once the Citrix SP is configured, you can create users in IDCS and access the applications protected by Citrix. The SSO redirect should be enabled, and the IDCS URL should come up for authentication.
