MULTICLOUD FEDERATION — AZURE AND OCI SINGLE SIGN-ON AUTHENTICATION (AZURE PROJECT-2)
Solution Architecture:
Project:
PRAfect Systems Inc. is an IT services company providing software development solutions. It is currently moving to a multi-cloud architecture in which several applications each require their own authentication, so staff have to maintain and manage a separate set of credentials for every application, and this has become hard to manage.
Because many applications are generating their own login prompts, the infrastructure team has been asked to implement a mechanism through which a user can log in to multiple applications with the same credentials.
The proposed solution is to implement SAML-based Single Sign-On between the Oracle Cloud Infrastructure (OCI) IAM service and Azure Active Directory, with Azure AD acting as the identity provider and OCI as the service provider. Once the federation is configured in OCI, Azure AD users and groups are mapped to OCI groups through the OCI Federation service.
Solution:
What is Single Sign-On?
Single sign-on (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials.
Single Sign-On benefits:
- One strong password instead of many weak ones
- No password reuse across applications
- Password policy enforced in one place rather than per application
- Multi-factor authentication enforced once, at the identity provider
- A single point at which to require password re-entry or step-up authentication
Federated SSO makes the integration seamless: users authenticate once with the identity provider and can then access multiple applications without signing in separately to each one.
Identity federation also reduces cost, because user accounts do not need to be created and managed separately in each identity management system. Provisioning or group mapping from the identity provider ensures that identities and their entitlements are propagated consistently to all the federated systems, and disabling a user at the identity provider revokes access everywhere.
What is SAML?
SAML (Security Assertion Markup Language) is an open XML-based standard for exchanging authentication and authorization data between two parties, typically an identity provider (IdP) and a service provider (SP) such as a web application. Its primary role in online security is to let you access multiple web applications with one set of login credentials: the IdP authenticates the user and passes a digitally signed assertion about that user to the web application in a defined format.
What is SAML SSO?
SAML Single Sign-On is a mechanism that uses SAML to let users access multiple web applications after logging in to the identity provider once. Because the user only has to log in once, SAML SSO provides a faster, seamless user experience.
SAML SSO is easier and safer from a user perspective because users only need to remember one set of credentials, and the applications never see a password at all. Each application they access does not prompt them for a username and password; instead, the user logs in to the identity provider and then reaches the relevant web application by clicking its icon or navigating to its URL.
Ref: https://www.onelogin.com/learn/saml
Single Sign-On SAML Protocol
This section covers the SAML 2.0 authentication requests and responses that Azure Active Directory (Azure AD) supports for single sign-on (SSO).
The single sign-on sequence is as follows. The cloud service (the service provider, here OCI) uses the HTTP Redirect binding to send an AuthnRequest (authentication request) element to Azure AD (the identity provider). After the user authenticates, Azure AD uses the HTTP POST binding to post a Response element, carrying the signed assertion, back to the service provider's assertion consumer service. Before trusting anything in that assertion, the service provider must verify its signature against the identity provider's signing certificate from the federation metadata and check that the response is addressed to it (Destination and Audience), answers a request it actually sent (InResponseTo), and is still within its validity window.
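To make the exchange concrete, here is an added Python example (not code from the original post, and not Oracle's or Microsoft's implementation) that builds an AuthnRequest and encodes it for the HTTP-Redirect binding, then decodes a constructed, unsigned Response as an SP would receive it over HTTP-POST and performs the checks described above. It also shows what the walkthrough later configures in Azure AD: a persistent NameID and a group claim. The tenant ID, OCI entity ID and ACS URL are hypothetical placeholders, and signature verification is deliberately left to a real library.

```python
"""SP-initiated SAML 2.0 exchange: AuthnRequest over HTTP-Redirect, Response
over HTTP-POST, plus the SP-side checks. Identifiers are hypothetical."""
import base64
import zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Default Azure AD group claim name (it can be customised in the portal).
GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# Hypothetical tenant ID and OCI service-provider endpoints standing in for real ones.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
IDP_ENTITY_ID = f"https://sts.windows.net/{TENANT_ID}/"
IDP_SSO_URL = f"https://login.microsoftonline.com/{TENANT_ID}/saml2"
SP_ENTITY_ID = "https://idcs-example.identity.oraclecloud.com:443/fed"
SP_ACS_URL = "https://idcs-example.identity.oraclecloud.com/fed/v1/sp/sso"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
NOW = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)   # fixed clock for the demo
LATER = NOW + timedelta(hours=1)                              # well past the assertion window


def build_authn_request(request_id, issue_instant):
    """AuthnRequest asking the IdP for a persistent NameID, as the OCI setup requires."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
            f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
            'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
            f'<samlp:NameIDPolicy Format="{PERSISTENT}" AllowCreate="true"/>'
            '</samlp:AuthnRequest>')


def redirect_binding_url(authn_request_xml, relay_state="/"):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"


def decode_redirect_request(url):
    """What the IdP does with the redirect: reverse the encoding above."""
    saml_request = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(saml_request), -15).decode()


def sample_response(request_id, now, groups):
    """Constructed, unsigned Response in the shape an IdP posts back (demo data only)."""
    stamp = now.strftime(TIME_FMT)
    not_before = (now - timedelta(minutes=1)).strftime(TIME_FMT)
    not_after = (now + timedelta(minutes=5)).strftime(TIME_FMT)
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="_resp1" Version="2.0" IssueInstant="{stamp}" '
           f'Destination="{SP_ACS_URL}" InResponseTo="{request_id}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{stamp}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<saml:Subject><saml:NameID Format="{PERSISTENT}">opaque-user-id</saml:NameID></saml:Subject>'
           f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}">'
           f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>'
           '</saml:Conditions>'
           f'<saml:AttributeStatement><saml:Attribute Name="{GROUP_CLAIM}">{values}</saml:Attribute>'
           '</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


def validate_response(response_b64, expected_request_id, now):
    """SP-side checks on a POST-bound Response. NOT done here: XML signature
    verification against the IdP metadata certificate (use xmlsec / python3-saml)."""
    root = ET.fromstring(base64.b64decode(response_b64))
    problems = []
    if root.get("Destination") != SP_ACS_URL:
        problems.append("Destination does not match our ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match an outstanding request")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "problems": problems + ["no assertion"], "name_id": None, "groups": []}
    issuer = assertion.find("saml:Issuer", NS)
    if issuer is None or issuer.text != IDP_ENTITY_ID:
        problems.append("assertion issuer is not our IdP")
    cond = assertion.find("saml:Conditions", NS)
    not_before = datetime.strptime(cond.get("NotBefore"), TIME_FMT).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(cond.get("NotOnOrAfter"), TIME_FMT).replace(tzinfo=timezone.utc)
    if not (not_before <= now < not_after):
        problems.append("assertion outside its validity window")
    audience = cond.find("saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != SP_ENTITY_ID:
        problems.append("Audience is not our entityID")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID format is not persistent")
    groups = [v.text for v in assertion.findall(
        f'saml:AttributeStatement/saml:Attribute[@Name="{GROUP_CLAIM}"]/saml:AttributeValue', NS)]
    return {"ok": not problems, "problems": problems,
            "name_id": None if name_id is None else name_id.text, "groups": groups}
```

The persistent NameID is an opaque, stable per-user identifier, which is why OCI wants it rather than an email address that can change or be reassigned. The group claim carries Azure AD group object IDs; OCI's group mapping keys on exactly those values, so a response whose InResponseTo or Audience does not match must be rejected before any group mapping is applied.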
Description:
This was a challenge project to deploy SAML-based Single Sign-On authentication across a multi-cloud environment spanning Oracle Cloud and Azure Cloud.
Project Cost Estimation:
(Note: this is not an actual cost, only an estimate based on high-level requirements. Prices may vary as services are added or removed according to requirements.)
Ref: https://docs.oracle.com/en-us/iaas/Content/Identity/federating/federating_section.htm
Tools & Technologies covered:
Oracle Cloud — IAM
Azure Cloud — Azure Active Directory Service
SAML based Single Sign-On
Solution Architecture:
This project is completed in the following implementation phases.
Project implementation phases:
Phase 1: From the Azure portal, activate the Azure AD Premium trial
Phase 2: From the OCI console, download the OCI federation metadata XML file
Phase 3: In Azure AD, create the Oracle Cloud Infrastructure enterprise application
Task 1: Set up single sign-on with SAML
Task 2: Upload the OCI metadata file
Task 3: Configure the SAML claims (persistent NameID and group claim)
Task 4: Download the Azure AD federation metadata file
Phase 4: In Oracle Cloud Identity > Federation, configure the identity provider
Task 1: Add Azure Active Directory as a new identity provider and map its groups
Task 2: Verify that single sign-on into the OCI console works with Azure AD user credentials
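Phase 2 and Phase 3 Task 4 exchange metadata files, and Phase 4 Task 1 uploads Azure AD's file into OCI. Whatever is in that file becomes OCI's trust anchor for who may log in, so it is worth checking before upload. The following is an added Python example (not from the original post or from either vendor) that parses a constructed IdP metadata file in the shape Azure AD publishes, confirms the entityID and SSO endpoint belong to the expected tenant, and prints the signing certificate fingerprint so it can be compared with what the portal shows. The tenant ID and certificate bytes are placeholders.

```python
"""Checks on an IdP federation metadata file before uploading it to OCI:
entityID, HTTP-Redirect SSO endpoint and signing-certificate fingerprint."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Hypothetical tenant ID; the real one is shown in the Azure portal.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
# Placeholder bytes standing in for the DER certificate (constructed, not a real X.509 cert).
SAMPLE_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
# Constructed metadata in the shape Azure AD publishes for an enterprise application.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="https://sts.windows.net/{TENANT_ID}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{NS['ds']}">
        <X509Data><X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT}"
        Location="https://login.microsoftonline.com/{TENANT_ID}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def fingerprint(der_bytes):
    """SHA-256 fingerprint as colon-separated hex, the form most consoles display."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_idp_metadata(metadata_xml, expected_tenant_id):
    """Return the trust-relevant fields and any reasons not to upload this file."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    sso = root.find(f'md:IDPSSODescriptor/md:SingleSignOnService[@Binding="{REDIRECT}"]', NS)
    cert = root.find('md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]'
                     '/ds:KeyInfo/ds:X509Data/ds:X509Certificate', NS)
    problems = []
    # Azure AD entityIDs are https://sts.windows.net/<tenant-id>/; anything else is another tenant.
    if entity_id != f"https://sts.windows.net/{expected_tenant_id}/":
        problems.append("entityID does not belong to the expected tenant")
    sso_url = sso.get("Location") if sso is not None else None
    if sso_url is None:
        problems.append("no HTTP-Redirect SingleSignOnService endpoint")
    else:
        parsed = urlparse(sso_url)
        if (parsed.scheme != "https" or parsed.hostname != "login.microsoftonline.com"
                or not parsed.path.startswith(f"/{expected_tenant_id}/")):
            problems.append("SSO endpoint is not this tenant's login.microsoftonline.com endpoint")
    fp = None
    if cert is None:
        problems.append("no signing certificate in metadata")
    else:
        fp = fingerprint(base64.b64decode(cert.text.strip()))
    return {"ok": not problems, "problems": problems, "entity_id": entity_id,
            "sso_url": sso_url, "signing_cert_sha256": fp}


if __name__ == "__main__":
    report = check_idp_metadata(SAMPLE_METADATA, TENANT_ID)
    print(report)
```

Run it against the real file downloaded in Phase 3 Task 4 (`check_idp_metadata(open("metadata.xml").read(), "<your tenant id>")`) and compare the fingerprint with the certificate shown under SAML Signing Certificate in the Azure portal before uploading the file in Phase 4. Note the signing certificate has an expiry; when Azure AD rotates it, the metadata must be re-downloaded and re-uploaded to OCI or logins will start failing signature verification.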
Pre-requisites:
1) Oracle Cloud Free Tier account
2) Access to the Azure portal
3) Azure Active Directory Premium P2 trial activated
Implementation in Action:
Phase 1: Azure AD Premium trial
1) In the Azure portal, start the free Azure AD Premium trial.
2) Confirm that Azure AD Premium P2 is activated.
Phase 2: OCI federation metadata
3) In the OCI console, go to Identity > Federation.
4) Click "Download this document" to save the OCI federation metadata XML file.
Phase 3: Azure AD enterprise application
5) In the Azure portal, go to Groups and create a new group. Search for the members to add and add them. Repeat for each group that should get access to OCI.
6) Go to Enterprise Applications, click Add new application, browse the Azure AD Gallery and add the Oracle Cloud Infrastructure Console application.
7) Open Set up single sign-on and click SAML.
8) Click Upload metadata file and upload the metadata.xml downloaded from OCI.
9) In the OCI console, copy the home-region federation URL, for example:
https://cloud.oracle.com/identity/federations?region=us-ashburn-1
10) Back in the Azure portal, paste the home-region URL into Sign on URL and click Save.
11) Go to Attributes & Claims and click Edit. Open the Unique User Identifier (Name ID) claim, set the name identifier format to Persistent, and save. A persistent NameID gives OCI a stable, opaque identifier for each user that does not change if the user's email address or display name changes.
12) Click Add a group claim so that the user's group memberships are sent in the assertion; OCI uses this claim to map Azure AD groups to OCI groups.
13) Download the Federation Metadata XML for the application.
14) Go to Users and groups, select the group that should be granted access (the Administrator group in this walkthrough) and click Assign. Only users in assigned groups are allowed to sign in to the application.
Phase 4: Configure the identity provider in OCI
15) In the OCI console, go to Identity > Federation and click Add Identity Provider.
16) Upload the metadata.xml downloaded from the Azure portal. OCI takes the Azure AD entityID, SSO endpoint and signing certificate from this file, so make sure it is the file you just downloaded from your own tenant.
17) In the Azure portal, copy the group's object ID. In OCI, map that Azure AD group to the OCI group whose permissions its members should receive. If the mapped OCI group is Administrators, every member Azure AD ever puts in that group becomes a tenancy administrator, so keep such a mapping tightly scoped, and keep at least one local (non-federated) OCI administrator with MFA so that the tenancy remains reachable if the federation breaks or the signing certificate rotates.
18) Verify that single sign-on works: open the OCI console sign-in page, choose the Azure AD identity provider, and sign in with an Azure AD user's credentials.
Single Sign-On (SSO) verified: using Azure AD credentials, the user can access the Oracle Cloud console, and the OCI groups they land in are the ones mapped from their Azure AD groups.
Congratulations!!!! 🔥🚀