Organizations continue to move databases and applications to the cloud, and almost every organization utilizes multiple cloud providers. Your Oracle databases must evolve to work within this multicloud world. That brings us to today’s topic—Oracle Database’s continuing progress in supporting the use of cloud identities.
Recently, I described how Oracle Autonomous Database works with Microsoft Azure Active Directory (AD) and Oracle Cloud Infrastructure (OCI) Identity and Access Management (IAM) to improve manageability, security, and user experience. We’re happy to announce that we have extended this capability to more Oracle databases, both in the cloud and on premises. Now, you can use OCI IAM user credentials to access databases in Base Database service (BaseDB), Exadata Database service, and Oracle Exadata Cloud@Customer. Along with expanding the supported platforms, we have enhanced the Oracle Database client so that it can request a database token directly from OCI IAM using the OCI IAM username and the user's IAM database password.
Oracle Database continues to bring innovations to improve user experience in the multicloud environment, adding to long-available database capabilities for centralized user management, such as enterprise user security, which enables database users to be managed in Oracle Directory Services, and centrally managed users, which enables database users to be managed in Azure AD.
Organizations using Azure AD can now use standard Azure AD OAuth2 tokens to authenticate users accessing Oracle Base Database service, Oracle Exadata Database service, and any Oracle Database 19c (19.16 or higher) or Database 23c, including the recently released Oracle Database 23c Free – developer edition—even Oracle Database on-premises! This availability expands earlier support for Azure AD in Autonomous Database and is a key capability for multicloud identity and IT resources in different clouds.
Now, Azure AD integration enables you and your applications to use Azure tokens for passwordless authentication to any Oracle databases, even if the database is running in another cloud or on-premises.
In OCI, the IAM service is the source of truth for authentication and authorization. Instead of using local accounts in each database, OCI Database service users can now use credentials managed by OCI IAM to access their database accounts, just as they do with Autonomous Database. This functionality allows them to authenticate and authorize sessions in all database services, including Autonomous Database (both dedicated and shared), Exadata Database service, Exadata Cloud@Customer, and Base Database service.
This integration supports both password-based and token-based authentication to the database. Passwords have the advantage of working with almost any database client. Tokens provide single sign-on access to the database for those applications and clients capable of consuming a token. OCI IAM groups map to database roles to provide centralized management of user privileges. This integration improves the database administrator and user experience in the following ways:
Every OCI Database (19.18 or higher) can now authenticate and authorize its users with OCI IAM.
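As an added illustration that is not part of the original post and not Oracle's own documentation, the SQL below shows how the group-to-role and group-to-schema mapping described above is expressed on a 19c database that uses OCI IAM as its identity provider. The group, schema, table and principal names are assumptions; the IDENTIFIED GLOBALLY AS syntax, the IDENTITY_PROVIDER_TYPE parameter and the USERENV attributes are the documented Oracle ones.

```sql
-- Point this (non-Autonomous) database at OCI IAM as its identity provider.
-- The database must be able to reach the OCI IAM endpoint, so on Exadata
-- Cloud@Customer or on-premises the network egress has to exist first.
ALTER SYSTEM SET IDENTITY_PROVIDER_TYPE=OCI_IAM SCOPE=BOTH;

-- 1. Global role: privileges follow IAM group membership.
--    A global role cannot be GRANTed to a user directly; it is acquired only
--    through the mapping, so removing the user from the IAM group removes the
--    role on the next session without any change in the database.
--    (Assumed names: WidgetSalesGroup, widget_app.orders)
CREATE ROLE widget_sales_role IDENTIFIED GLOBALLY AS 'IAM_GROUP_NAME=WidgetSalesGroup';
GRANT SELECT, INSERT, UPDATE ON widget_app.orders TO widget_sales_role;

-- 2. Shared schema: every member of the IAM group connects into this one
--    schema. It holds no database password, so there is none to leak or guess.
CREATE USER widget_sales_shared IDENTIFIED GLOBALLY AS 'IAM_GROUP_NAME=WidgetSalesGroup';
GRANT CREATE SESSION TO widget_sales_shared;

-- 3. Exclusive schema for one named IAM principal (assumed name), for the
--    few accounts that need individually owned objects.
CREATE USER ada_dba IDENTIFIED GLOBALLY AS 'IAM_PRINCIPAL_NAME=ada.lovelace@example.com';
GRANT CREATE SESSION TO ada_dba;

-- Checks to run after the mapping is in place.
-- (a) IAM-mapped schemas show AUTHENTICATION_TYPE = 'GLOBAL'; any remaining
--     'PASSWORD' accounts are the local credentials still to be retired.
SELECT username, authentication_type
FROM   dba_users
WHERE  authentication_type IN ('GLOBAL', 'PASSWORD')
ORDER  BY authentication_type, username;

-- (b) From a session opened with an IAM token or IAM database password:
--     the schema in use, the individual IAM identity behind it (still
--     attributable even through the shared schema), and the roles granted.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')           AS schema_used,
       SYS_CONTEXT('USERENV', 'AUTHENTICATED_IDENTITY') AS iam_principal,
       SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD')  AS auth_method
FROM   dual;
SELECT role FROM session_roles ORDER BY role;
```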
Read more about the new Azure AD multicloud capabilities in the Database Security Guide for 19c and the recently released Oracle Database 23c Free, Base Database Service, and Exadata Database Service documentation. The database platform documentation describes the IAM integrations for Base Database Service, Exadata Database Service, and Exadata Cloud@Customer.
This expansion of platforms is another step in our multicloud capabilities to remove barriers between clouds. Continue to keep an eye on the Oracle Cloud Security blog for more announcements.
For more information, see the following resources:
Alan Williams is the Product Manager responsible for authentication and authorization technologies in the Oracle Database group. Prior to joining the Oracle Database Security team, he was involved in government and military projects involving high-security architecture, design and processes along with ITIL implementation. Alan is a 30-year veteran of the IT industry and has certifications in ITIL v3 Foundation and DOD Architecture Foundation and is a United States Air Force veteran. He earned his Bachelor’s degree from the Massachusetts Institute of Technology and his Master of Business Administration from the Rensselaer Polytechnic Institute.