X

Cloud Security Perspectives and Insights

Synchronising subsets of AD users and groups into IDCS

Paul Toal
Distinguished Solution Engineer - Cyber Security

Oracle Identity Cloud Service (IDCS) is a cloud native Identity-as-a-Service (IDaaS) platform, which also underpins Oracle Cloud. It serves as a single point of entry into Oracle Cloud, irrespective of whether you are using IaaS, PaaS, or SaaS. There are many ways to manage users within IDCS. However, the most common method I talk to customers about is the ability to synchronise users and groups from Active Directory (AD), either from an on-premise AD or from Azure AD. The user interface within IDCS makes it extremely simple to setup the required AD Bridge, as shown in the screenshot below. For administrators who need a hand, there is also a step-by-step tutorial within the documentation here.

As you can see, it’s a simple process of defining where in the AD tree you want to sync users and groups from, how often, which attributes, and whether you plan to use federation or have users authenticate locally to IDCS.

However, one of the areas I get asked about regularly is how you get more control over which users and groups synchronise, rather than the fairly coarse-grained OU structure represented by the two trees in the previous screenshots. The most common requirement I come across is to only synchronise certain groups as well as the users of those groups.

Here’s a scenario…..

Let’s say that I have a customer using Oracle Analytics Cloud Service (OACS). This will be accessed by a subset of the organisation, i.e. those responsible for MI dashboards, reporting etc. These users will usually be spread across various OUs within the AD tree and not all within a single container (or OU). Whilst a customer can sync all AD users to IDCS and then manage their access to OACS through group/role memberships, this approach unnecessarily syncs more users than needed.

Fortunately, the IDCS AD Bridge has the capability to apply additional filtering over users and groups, and it’s extremely easy to configure. Let’s look at how I would address this scenario.

I have created a group called Federated Users. In that group I have added 3 users from different parts of the AD tree. FedUser1 and FedUser2 are both in the cn=Users container, whilst FedUser3 is in the cn=IDCS Users container. The layout can be seen below. The first two screenshots show the users and groups and their positions in the AD tree.

Here we see that the Federated Users group contains all 3 federated users.

In order to tell the IDCS AD Bridge to only sync this group and the users who are in the group, we use the filter boxes below each tree in the IDCS AD Bridge configuration. This filter box is a standard LDAP search filter and therefore can be as complex or as simple as you need. To meet my scenario, my filters are straightforward. For the users, I select the top container in the tree (emeacloudpursuit.com), and ensure that the Include Hierarchies box is checked to process all containers. Within the filter, I add:

(memberOf=cn=federatedusers,cn=Users,dc=emeacloudpursuit,dc=com)

A similar approach is taken for groups. I select the top container again, check the Include Hierarchies box and enter the filter:

(&(objectclass=group)(cn=federatedusers))

This final configuration is shown in the screenshot below.

That’s it! Now when the sync runs, it will only sync my three federated users (by nature of them being in the federatedusers group), and will also only sync that same group, irrespective of how many users and groups I have in the rest of my AD.

If you haven't had chance to look at IDCS yet, you can take advantage of a free Oracle Cloud trial by signing up here.

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.Captcha