Azure AD Federation Configuration and Setup Guide

Azure AD federation allows you to extend your on-premises Active Directory to the cloud, enabling users to access cloud-based applications with their existing on-premises credentials. This is done by configuring a trust between your on-premises AD and Azure AD.

To set up federation, you'll need to enable the federation feature in your Azure AD tenant, which involves creating a new directory role and assigning it to a user or group. This role is responsible for managing the federation configuration.

Azure AD supports multiple federation protocols, including SAML 2.0, WS-Federation, and OAuth 2.0. You can choose the protocol that best suits your organization's needs, depending on the applications you want to federate.

The Federation Service is a key component in Azure AD federation, responsible for handling authentication requests and responses between your on-premises AD and Azure AD.

To begin with Azure AD federation, you'll need to gather some essential information. You'll need an Organisation reference for the Advanced SSO you want users to access.

You'll also need to access the Azure AD console, which is a Microsoft cloud service. To do this, you'll need to be a Customer admin to access the Organisations page within MyWorkplace.

To set up a federation with Azure AD, you'll need to create a new application in Azure AD Enterprise application, specifically configuring Single sign-on.

First, select Single sign-on from the menu on the left. After a short loading screen, you'll be taken to the SAML configuration page, where you'll need to edit a few things in the Basic SAML Configuration box.

You'll need to replace the values for Identifier and Reply URL with the following pieces of information: https://identity.oneadvanced.com/auth/realms/[Organisation Reference] and https://identity.oneadvanced.com/auth/realms/[organisation Reference]/broker/[Federation Alias]/endpoint, respectively.

To do this, scroll down to the section labelled "Set up [Application name]", and copy the value next to Login URL, which you'll need later when you come back to MyWorkplace.

To federate with Azure AD, you'll need to perform several steps in both the Oracle Cloud Infrastructure Console and Azure AD. Here's a simplified overview of the process:

To set up an enterprise application in Azure AD, you'll need to add it from the gallery. This involves searching for the application, such as Oracle Cloud Infrastructure Console, and selecting it from the results.

In Azure AD, you can find the Enterprise applications section under the Azure Active Directory pane. From here, you can click New application to add a new enterprise application.

To configure the enterprise application, you'll need to select Single sign-on and then SAML to configure single sign-on. You'll then need to upload the federation metadata file, which will automatically populate the Basic SAML Configuration fields.

Here's a summary of the steps:

The alias is an identifying name given to Azure AD, used to connect to Advanced SSO for your organisation. It needs to be unique within an Organisation, but not between different Organisations.

You can use any combination of letters as long as it doesn't contain more than 30 characters. Federation aliases are always in lower case and can contain hyphens.

Here are some important facts about the alias:

It's a good idea to name it something simple, like "azuread", to avoid confusion. But ultimately, the choice is up to you.

To add an enterprise application in Azure AD, you need to go to the Azure portal and select Enterprise applications. From there, click New application and search for the application you want to add. In this case, we're using Oracle Cloud Infrastructure Console as an example.

You'll then need to fill in the application-specific form, which includes editing the name of the application. Once you're finished, click Create, and you'll be taken to the getting started page with options for configuring the application.

To configure Oracle Cloud Infrastructure as an enterprise application, you'll need to select Single sign-on under the Manage section. Then, select SAML to configure single sign-on, and click Upload metadata file to upload the federation metadata file you downloaded from Oracle Cloud Infrastructure.

In the Basic SAML Configuration section, you'll need to edit the Identifier and Reply URL fields, replacing the values with the following information:

Make sure to save the value next to Login URL on the SAML configuration page, as you'll need it later when setting up MyWorkplace.

When configuring the application, you may also need to provide metadata information for the IDP, which can be done by clicking Get Service Provider to download the portal's metadata file. This file will be used to register the portal as the trusted service provider with Azure AD.

In the future, you can come back to the Federation page to edit the group mappings or delete the identity provider from your tenancy.

Group mappings are a crucial step in setting up an enterprise application. You can map Azure AD groups to Oracle Cloud Infrastructure (OCI) groups, and each mapping is a separate entity with its own OCID.

To set up group mappings, you'll need to have your Azure AD groups page open and the Object ID of the group you want to map. This ID looks like aa0e7d64-5b2c-623g-at32-65058526179c, and you must enter it exactly, including the correct case.

You can map a single Azure AD group to zero, one, or multiple OCI groups, and vice versa. However, each individual mapping is between only a single Azure AD group and a single OCI group.

Here's a step-by-step guide to setting up group mappings:

Changes to group mappings take effect typically within seconds in your home region, but may take several minutes to propagate to all regions.

Identity federation refers to a situation where a service provider (SP) trusts identities provided by an identity provider (IdP). The IdP provides a security token (ST) containing user information, signed by the IdP's private key.

There are two authentication flows: SP-initiated and IdP-initiated. In SP-initiated flow, the user tries to access the SP, which sends a redirect to the user's browser. The browser then connects to the IdP, which performs an authentication. After successful authentication, the SP creates a ST and redirects the browser back to the SP.

In SP-initiated flow, the required query parameters are RelayState, SAMLResponse, wa, wctx, and wresult. These parameters must be resent to the SP unmodified, except for wctx, which can be left empty in IdP-initiated authentication.

Azure AD supports two authentication protocols: SAMLP (SAML 2.0) and WSFED (WS-Federation). The first step of the authentication flow is to check the syntax of the authentication request, which is sent to https://login.microsoftonline.com/login.srf using HTTP POST protocol.

To grant access to users, you'll need to configure what users can use Advanced SSO to sign in. This involves selecting users and groups from your registered users.

Select the "Users and groups" option from the left-hand navigation bar. From there, you can add users or groups by clicking the "Add user/group" button on the toolbar at the top.

You can search through your registered users and/or groups and add them to a list of users who would like to use the federation. Once you've selected your users, click the "Assign" button in the bottom left-hand corner of the page.

Here's a step-by-step guide to adding users:

Identity is a complex concept, but at its core, it's about verifying who you are so you can access the things you need. This is where identity federation comes in, which is a situation where a service provider trusts the identities provided by an identity provider.

The identity provider gives the service provider a security token that contains information about the user. This token is signed by the identity provider using a private key from an agreed-upon certificate.

The service provider then verifies this token using the public key from the same certificate. If the signature is valid, the authentication flow proceeds to the next step. If the signature is not valid, an error is shown.

Some common error codes for invalid signatures include AADSTS50008 and AADSTS50006. These errors indicate that the signature verification failed or that the SAML assertion is missing or misconfigured in the token.

After successful authentication, post-authentication steps like Multi-Factor Authentication (MFA) and Conditional Access Policies are applied.

Authentication flows are the processes by which users access a service provider (SP) while leveraging the identity provided by an identity provider (IdP). There are two main types of authentication flows: SP-initiated and IdP-initiated.

In SP-initiated authentication, the user tries to access the SP using a browser, and the SP sends a redirect to the user's browser. The browser then connects to the IdP, which performs an authentication. After successful authentication, the SP creates a security token (ST) and redirects the browser back to the SP. The browser then accesses the SP.

The IdP-initiated authentication flow is similar, but the user connects to the IdP with their browser first, which performs an authentication. After successful authentication, the SP creates an ST and redirects the browser back to the SP. The browser then accesses the SP.

Here are the key parameters required for the authentication request in Azure AD identity federation: