
OCI – Configure Delegated Authentication [Part 3]


AD Bridge Azure Sync VM

The OCI Linux PAM module relies on delegated authentication to service authentication requests between the Linux host and IDCS. IDCS in turn relies on the OCI AD Bridge application to sync user objects between IDCS and the local AD domain. SAML SSO / federated authentication cannot be used here because IDCS itself must hold the user object's password in order to answer the PAM request.

The OCI AD bridge application can be installed anywhere on the source domain; however, a dedicated system is being created in this example to keep a segmented MSP support model.


1. Create a Windows VM – Azure is being used in this example

  • Server Core is not currently supported with the OCI AD Bridge software
  • For Azure sizing, I recommend a D2s SKU up front with Standard SSD. We will scale this down to a B2s SKU later to save on cost once we’re done with all the configurations.

2. Join the new VM to the local domain that will handle authentication requests.

3. On this new VM, sign into the OCI tenant and select Domains from the top left menu


4. Select your organization domain from the list in the root compartment


5. Select Settings from the menu on the left


6. Select Directory Integrations from the menu on the left and then Add


7. Click Download and then copy the URL, ID, and Client Secret into notepad for future reference


8. Launch the AD Bridge executable file downloaded from the portal. Select your language and click OK


9. Click Next


10. Click Next with the default install path


11. Click Next to skip the proxy settings unless required by your organization


12. Enter the URL, ID, and Client Secret which were copied to notepad previously and click Next


13. Enter the credentials for a local AD service account and click Next

  • This service account needs no permissions beyond read access; it is used only to enumerate the AD structure over LDAP.
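As an added example (not part of the original post), the following PowerShell creates the read-only service account from step 13 as a plain domain user and then confirms it holds no privileged group memberships before it is handed to the installer. It assumes a domain-joined host with the RSAT ActiveDirectory module; the account name, OU path and UPN suffix are placeholders.

```powershell
# Added example, not from the original post: create a least-privilege,
# read-only AD service account for the OCI AD Bridge and verify it carries
# no privileged group memberships. Names, OU path and domain are assumptions.
Import-Module ActiveDirectory

$SamAccountName = 'svc-ocibridge'                          # assumed account name
$OuPath         = 'OU=Service Accounts,DC=corp,DC=example' # assumed OU
$Upn            = "$SamAccountName@corp.example"           # assumed UPN suffix

# Prompt for the password so it never lands in a script or shell history
$Password = Read-Host -Prompt "Password for $SamAccountName" -AsSecureString

# A plain domain user already has read access to the directory structure;
# no extra rights or group memberships are needed for the bridge.
New-ADUser -Name $SamAccountName `
    -SamAccountName $SamAccountName `
    -UserPrincipalName $Upn `
    -Path $OuPath `
    -AccountPassword $Password `
    -Enabled $true `
    -PasswordNeverExpires $true `
    -CannotChangePassword $true `
    -Description 'OCI AD Bridge read-only sync account'

# Confirm the account is not a member of any privileged group before handing
# it to the installer (Domain Users is the only expected membership).
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')
$Memberships = Get-ADPrincipalGroupMembership -Identity $SamAccountName |
               Select-Object -ExpandProperty Name
$Overlap = $Memberships | Where-Object { $PrivilegedGroups -contains $_ }

if ($Overlap) {
    Write-Warning "$SamAccountName is in privileged group(s): $($Overlap -join ', ')"
} else {
    Write-Host "$SamAccountName holds only: $($Memberships -join ', ')"
}
```

Run it once from an account that can create users in the chosen OU; the final check is worth repeating periodically, since group membership drift is the usual way a "read-only" sync account quietly becomes a privileged one.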


14. Click Close once installation is complete and log off of the AD Sync VM.

