About the Microsoft Active Directory (AD) Bridge
The Microsoft Active Directory (AD) Bridge provides a link between your AD enterprise directory structure and Oracle Identity Cloud Service.
Prerequisite
Enable AD Bridge. This is a Standard License feature. To learn about these features, see Standard License Tier Features for Oracle Identity Cloud Service.
Understand the Microsoft Active Directory (AD) Bridge
The Microsoft Active Directory (AD) Bridge provides a link between your AD enterprise directory structure and Oracle Identity Cloud Service. Oracle Identity Cloud Service can synchronize with this directory structure so that any new, updated, or deleted user or group records are transferred into Oracle Identity Cloud Service. Each minute, the AD Bridge polls AD for any changes to these records and brings these changes into Oracle Identity Cloud Service. So, if a user is deleted in AD, then this change will be propagated into Oracle Identity Cloud Service. Because of this synchronization, the state of each record is synchronized between AD and Oracle Identity Cloud Service.
After users are synchronized from AD to Oracle Identity Cloud Service, if you activate or deactivate a user, modify the user's attribute values, or change the group memberships for the user in Oracle Identity Cloud Service, then these changes are propagated to AD through the AD Bridge.
Note:
The AD organizational units (OUs) contain the users and groups that are imported into Oracle Identity Cloud Service. You can configure Oracle Identity Cloud Service to synchronize with one or multiple AD domains by installing an AD Bridge for each domain.
Note:
You must install the AD Bridge on the machine that’s attached to the Microsoft Active Directory domain for auto discovery. You don’t have to install the bridge on the domain controller.
Figure 17-1 Inbound Directory Synchronization

Figure 17-2 Outbound Directory Synchronization

In the diagram above, Clarence Saladna (CSALADNA) is a user who's been synchronized from AD to Oracle Identity Cloud Service through the AD Bridge. In Oracle Identity Cloud Service, an administrator deactivates Clarence's account because he's on vacation. Also, because Clarence received a promotion, he has a new job title of Director and belongs to different groups that are associated with his new role, including the Executive and Management groups. The AD Bridge can be used to propagate these changes to AD.
Both the AD Bridges and your AD enterprise directory structure are in your Microsoft Windows environment (for example, Microsoft Windows 2003). Because Oracle Identity Cloud Service is an Oracle Cloud service, it's in an Oracle environment.
Figure 17-3 Bridge Security

Note:
If an AD user attribute is multi-valued, then the AD Bridge will transfer only the first value of the attribute into Oracle Identity Cloud Service. You can access the Integrating with Active Directory Using Identity Bridge tutorial to see how to integrate AD and Oracle Identity Cloud Service.
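As an added illustration (not Oracle's code and not how the bridge is implemented), the following toy Python model walks through the two directions described in this section: the per-poll inbound reconciliation (create, update, delete), the first-value rule for multi-valued AD attributes, and the outbound push of the Clarence Saladna changes. The attribute mapping and the sample directory contents are constructed assumptions.

```python
from copy import deepcopy

SYNCED_ATTRS = ("displayName", "title", "mail")  # assumed inbound attribute mapping

def first_value(value):
    """A multi-valued AD attribute is transferred as its first value only."""
    if isinstance(value, (list, tuple)):
        return value[0] if value else None
    return value

def inbound_poll(ad, idcs):
    """One polling cycle: make IDCS match AD (create, update, delete users)."""
    state, log = deepcopy(idcs), []
    for name, rec in ad.items():
        mapped = {a: first_value(rec.get(a)) for a in SYNCED_ATTRS}
        mapped["groups"] = sorted(rec.get("memberOf", []))
        if name not in state:
            state[name] = {**mapped, "active": not rec.get("disabled", False)}
            log.append(("create", name))
        elif any(state[name].get(k) != v for k, v in mapped.items()):
            state[name].update(mapped)
            log.append(("update", name))
    for name in [n for n in state if n not in ad]:  # deleted in AD -> deleted here
        del state[name]
        log.append(("delete", name))
    return state, log

def outbound_push(idcs, ad):
    """Propagate IDCS-side status, title and group changes back to AD."""
    state = deepcopy(ad)
    for name, rec in idcs.items():
        if name in state:
            state[name].update(disabled=not rec["active"], title=rec["title"],
                               memberOf=list(rec["groups"]))
    return state

# Constructed sample AD content; "mail" for CSALADNA is deliberately multi-valued.
AD = {"CSALADNA": {"displayName": "Clarence Saladna", "title": "Manager",
                   "mail": ["csaladna@example.com", "clarence@example.com"],
                   "memberOf": ["Staff"]},
      "JDOE": {"displayName": "Jane Doe", "title": "Analyst",
               "mail": "jdoe@example.com", "memberOf": ["Staff"]}}

def demo():
    idcs, log1 = inbound_poll(AD, {})                       # initial import
    ad_later = {k: v for k, v in AD.items() if k != "JDOE"}  # JDOE deleted in AD
    idcs, log2 = inbound_poll(ad_later, idcs)
    idcs["CSALADNA"].update(active=False, title="Director",  # admin changes in IDCS
                            groups=["Executive", "Management"])
    return log1, log2, idcs, outbound_push(idcs, ad_later)
```

Running `demo()` shows the second mail value silently dropped on import, which is the kind of attribute you would want to check for before enabling synchronization.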
Certified Components
With the Microsoft Active Directory (AD) Bridge, Oracle Identity Cloud Service can connect to your AD enterprise directory structure.
The following table lists the certified versions for Oracle Identity Cloud Service, AD, your operating system, and the Microsoft .NET software framework (which is required for the AD Bridge to run).
| Oracle Identity Cloud Service | AD | 64-Bit | Operating System | .NET Framework |
|---|---|---|---|---|
| 20.1.3 | Microsoft Windows Server 2008, Microsoft Windows Server 2008 R2, Microsoft Windows Server 2012, Microsoft Windows Server 2012 R2, Microsoft Windows Server 2016, Microsoft Windows Server 2019 | Yes | Windows 10 v1607 or later, Windows Server 2016 or later | Version 4.6+ |
Statuses
Learn about the various statuses for Microsoft Active Directory (AD) and the AD Bridge.
- Partially Configured: The AD Bridge is installed, but it's not configured to communicate with either the AD domain or Oracle Identity Cloud Service.
- Configured: The AD Bridge is installed and configured, and available to synchronize with the AD domain.
- Active: The AD Bridge is installed and configured, and available to synchronize with AD to retrieve user accounts and groups.
- Inactive: The AD Bridge is installed and configured, but it's not available to synchronize with AD. This is done for performance reasons.
- Unreachable: The AD Bridge is installed and configured. However, one of the following conditions has occurred:
  - The back-end service used to establish communication between Oracle Identity Cloud Service and AD is stopped.
  - The Oracle Identity Cloud Service administrator uninstalled the client associated with the AD Bridge, but the bridge couldn't be removed from the Directory Integrations page of the Identity Cloud Service console because the client can't connect to the Oracle Identity Cloud Service server. Oracle Identity Cloud Service can't use the bridge to communicate with AD. See Remove a Microsoft Active Directory (AD) Bridge.
  - The administrator regenerated the Client Secret for the AD Bridge, and then uninstalled the client for the bridge.