OCI – Configure Delegated Authentication [Part 3]


Azure Attribute Configuration

The Linux PAM module installed on Linux systems within OCI leverages SSSD to determine access for users and groups. The goal is to reference only groups in the configuration and to rely solely on AD group membership to grant access. We don't want to revisit the configuration every time a user needs to be added, so groups are the ideal targets.

For this to work, both user and group objects need POSIX IDs (uidNumber and gidNumber) that the PAM module can reference. If we use custom attributes within Entra ID and sync them to OCI, we can ensure the POSIX attributes are standardized across all customers and systems.

The following steps assume a custom attribute has been created, assigned to all on-prem users/groups, and added to the Azure Connector application so that it is synced from on-prem to Entra ID for both user and group objects. (Tutorial TBD)

This solution is not officially supported by Azure or OCI; proceed with caution. I am not responsible for any issues or errors that arise from this configuration.


1. Enable advanced schema object editing by visiting the following URL:
https://portal.azure.com/?Microsoft_AAD_Connect_Provisioning_forceSchemaEditorEnabled=true

2. Open the Azure Enterprise App and select Provisioning from the menu


3. Click Edit Attribute Mappings


4. Under mappings, select Microsoft Entra ID Groups


5. Scroll to the bottom, check Show advanced options, and select Edit attribute list for Oracle IDCS


6. Scroll to the bottom, add the gidNumber attribute as an Integer value and click Save

urn:ietf:params:scim:schemas:oracle:idcs:extension:posix:Group:gidNumber


7. Return to the provisioning page and select Provision Microsoft Entra ID Users


8. Scroll to the bottom, check Show advanced options, and select Edit attribute list for Oracle IDCS


9. Scroll to the bottom, add the uidNumber attribute as an Integer value and click Save

urn:ietf:params:scim:schemas:oracle:idcs:extension:posix:User:uidNumber


10. Return to the provisioning page and select Provision Microsoft Entra ID Groups once again


11. Select Add New Mapping from the bottom of the group attribute page


12. Select linuxGID as the Source attribute, the new Group:gidNumber as Target attribute, and click OK

  • If gidNumber is not available, refresh the web browser to refresh the schema that was edited previously


13. Click Save at the top left if all attributes look correct


14. Head back to the provisioning page and select Microsoft Entra ID Users


15. Click Add New Mapping from the bottom of the page


16. Select linuxUID as the Source attribute, the new User:uidNumber as Target attribute, and click OK

  • If uidNumber is not available, refresh the web browser to refresh the schema that was edited previously


17. Click Save at the top left if all attributes look correct
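Before the mappings above push values into Oracle IDCS, it is worth checking that the linuxUID / linuxGID values themselves are sane: once SSSD on the OCI hosts consumes them, two principals sharing a POSIX ID are indistinguishable to the kernel, and IDs below 1000 can collide with local system accounts. The script below is an added example, not part of the original post or any Microsoft/Oracle tooling. It works on a constructed export of users and groups (in practice you would feed it whatever you export from Entra ID), and the SCIM extension URNs are the ones from steps 6 and 9; the exact payload shape the Entra provisioning service emits is an assumption, shown only so the target attribute is recognisable.

```python
"""Pre-sync sanity check for the linuxUID / linuxGID custom attributes.

Added example (not from the original post). Flags POSIX IDs that would cause
trouble once SSSD starts consuming them: missing or non-integer values, IDs that
overlap the local system range, IDs outside the 32-bit range, and duplicates.
"""
from collections import defaultdict

# Local accounts on most distributions use 0-999; keep directory IDs above that.
MIN_POSIX_ID = 1000
# SCIM 'integer' values are treated here as signed 32-bit (assumption).
MAX_POSIX_ID = 2**31 - 1

# SCIM extension schema URNs from the page (steps 6 and 9).
USER_POSIX_SCHEMA = "urn:ietf:params:scim:schemas:oracle:idcs:extension:posix:User"
GROUP_POSIX_SCHEMA = "urn:ietf:params:scim:schemas:oracle:idcs:extension:posix:Group"

# Constructed sample data standing in for an Entra ID export.
USERS = [
    {"userPrincipalName": "alice@example.com", "linuxUID": "10001"},
    {"userPrincipalName": "bob@example.com", "linuxUID": "10002"},
    {"userPrincipalName": "carol@example.com", "linuxUID": "10002"},  # duplicate of bob
    {"userPrincipalName": "dave@example.com", "linuxUID": "500"},     # local system range
    {"userPrincipalName": "erin@example.com", "linuxUID": "abc"},     # not an integer
    {"userPrincipalName": "frank@example.com"},                       # attribute never assigned
]
GROUPS = [
    {"displayName": "oci-linux-admins", "linuxGID": "20001"},
    {"displayName": "oci-linux-users", "linuxGID": "20002"},
    {"displayName": "oci-db-operators", "linuxGID": "20001"},         # duplicate of admins
]


def parse_posix_id(raw):
    """Return the ID as an int, or None when it is missing or non-numeric."""
    if raw is None:
        return None
    try:
        return int(str(raw).strip())
    except ValueError:
        return None


def check_posix_ids(objects, id_attr, name_attr):
    """Return a list of (object name, problem) tuples for one object class."""
    findings = []
    owners = defaultdict(list)  # posix id -> names that carry it
    for obj in objects:
        name = obj.get(name_attr, "<unnamed>")
        value = parse_posix_id(obj.get(id_attr))
        if value is None:
            findings.append((name, f"{id_attr} missing or not an integer: {obj.get(id_attr)!r}"))
            continue
        if value < MIN_POSIX_ID:
            findings.append((name, f"{id_attr}={value} overlaps the local system range (<{MIN_POSIX_ID})"))
        elif value > MAX_POSIX_ID:
            findings.append((name, f"{id_attr}={value} exceeds the 32-bit integer range"))
        owners[value].append(name)
    # Duplicates are reported against every object involved so each owner is visible.
    for value, names in owners.items():
        if len(names) > 1:
            for name in names:
                others = ", ".join(n for n in names if n != name)
                findings.append((name, f"{id_attr}={value} is shared with {others}"))
    return findings


def scim_user_posix_extension(user):
    """Build the POSIX extension fragment for one user (payload shape is an assumption)."""
    uid = parse_posix_id(user.get("linuxUID"))
    if uid is None:
        raise ValueError(f"{user.get('userPrincipalName')}: linuxUID is not a valid integer")
    return {"schemas": [USER_POSIX_SCHEMA], USER_POSIX_SCHEMA: {"uidNumber": uid}}


def run_checks(users=USERS, groups=GROUPS):
    """Run both checks and return the findings keyed by object class."""
    return {
        "users": check_posix_ids(users, "linuxUID", "userPrincipalName"),
        "groups": check_posix_ids(groups, "linuxGID", "displayName"),
    }


if __name__ == "__main__":
    report = run_checks()
    for kind, findings in report.items():
        print(f"{kind}: {len(findings)} finding(s)")
        for name, problem in findings:
            print(f"  {name}: {problem}")
```

Run it against a real export before enabling provisioning; a clean run (no findings) is the state you want before step 17's Save takes effect, since fixing a duplicate after SSSD has cached it means clearing the cache on every affected host.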

