Configure Microsoft Azure EntraID for Oracle GoldenGate

When you create the Authorization Profile, Oracle GoldenGate maps Entra ID security groups to four authorization roles: Security, Administrator, Operator, User. An Entra ID user who belongs to a mapped group receives the corresponding role in Oracle GoldenGate.

In the Microsoft Azure Entra ID portal, perform the following tasks to configure the user groups that map to Oracle GoldenGate roles:

  1. Create the appropriate users and security groups in Entra ID. You need four security groups, one for each Oracle GoldenGate user role (Security, Administrator, Operator, User). The group names can be any names you choose.
    Creating Entra ID groups that map to Oracle GoldenGate user roles.

  2. On the Overview page, select Add, then Enterprise application.


    Add a new enterprise application from the EntraID console.

  3. Click Create your own application.


    Select Create your own application from the Entra ID Overview menu in the left navigation pane.

  4. Name your application, select Register an application to integrate with Microsoft Entra ID and click Create.


    Registering an enterprise application with Microsoft Entra ID for the Oracle GoldenGate authorization profile.

  5. To register the application, select Accounts in this organizational directory only (... - Single tenant).



  6. Go back to the Entra ID Overview page. Under Manage, select Enterprise applications and search for the application name you created previously.

  7. Under Manage, select Users and groups. Click Add user/group.


    Adding users based on groups.

  8. Search for and select the groups to assign to this application and ensure that the selected groups appear in the right-hand pane.


    Select groups to be added for authorization.

  9. Select all groups, then click Select, and click Assign.

    Note:

    Make sure you assign all the Entra ID security groups created in previous steps to this application.


    Assign groups to the Oracle GoldenGate application.

  10. (Optional) Assign application owners by following these steps:
    1. Under Manage select Owners.

    2. Click Add.

    3. Search for and select owners.

    4. Make sure that selected owners appear on the right-hand pane.

  11. Register the application by creating a client secret:
    1. Go back to the Microsoft Entra ID Overview page.

    2. Select App registrations and then select All Applications.


      Access the registered application to determine its details.

    3. Search for and select the application name created in step 2.

    4. The application details are displayed. Note down the Application (client) ID and the Directory (tenant) ID.


      Note down the details of the registered application displayed in the Application Details section.

      Note the Client ID, Tenant ID, and Client Secret values. These values will be used while configuring the authorization profile in Oracle GoldenGate.

      The Tenant ID is used to construct the Tenant Discovery URI, as shown in the following example:

      https://login.microsoftonline.com/{tenantID}/v2.0/.well-known/openid-configuration

    5. Under Manage, select Certificates & secrets.

    6. Select Client secrets and then click New client secret.


      Add a client secret.

    7. Add a description and select an expiration period.

    8. Click Add. Note down the client secret Value.


      Note down the client secret value that is displayed after adding the client secret.

  12. Create the token configuration for the OGG Application:
    1. Under Manage in the navigation pane, choose Token configuration.

    2. Click Add groups claim, select Groups assigned to the application (...), and click Add.


      Create a token configuration.

  13. Create GoldenGate Service App roles:


    Create app roles for Oracle GoldenGate service

    1. Under Manage in the navigation pane, choose App Roles.

    2. Click Create app role and specify a display name.

    3. Under Allowed member types select Applications.

    4. Set Value to urn:ogg:serviceToService and fill the description.

    5. Select Do you want to enable this app role? and click Apply.

  14. Add API Permission to the GoldenGate Service App Roles and grant admin consent:


    Request API permissions for the application

    1. Under Manage, select API permissions.

    2. Click Add a permission.

    3. Click APIs my organization uses.

    4. Search for the application created in Step 2.

    5. Click Application permissions.

    6. Select urn:ogg:serviceToService and click Add permissions.


      Add the API permission for the application.

    7. The permission should appear under Configured permissions.


      The API permission is added and shows under Configured permissions.

    8. Click on urn:ogg:serviceToService.

    9. In the pop-up, notice that Admin consent required is set to Yes.


      Admin consent required is set to Yes for urn:ogg:serviceToService.

  15. Add Microsoft Graph Application.ReadWrite.All API permissions to the Application and grant Admin consent.

    1. Click Add a permission and then select Microsoft Graph from the pop-up window.


      Click Add a permission and then select Microsoft Graph to begin adding application permissions.

    2. Select Application permissions.


      Adding the Application.ReadWrite.All permissions.

    3. Search for and select Application.ReadWrite.All.

    4. Click Add permissions.

    5. Grant admin consent for Application.ReadWrite.All, following the same steps used for urn:ogg:serviceToService.

  16. Manually update the token request properties in the Manifest:

    The following options are not available under other menus, so they must be set manually, as shown in the following image:


    Manually updating the token request in the Manifest.

    Under Manage, click Manifest.
    1. Under the JSON /optionalClaims/accessToken/additionalProperties, add the value cloud_displayname.

    2. Under the JSON /optionalClaims/idToken/additionalProperties, add the value cloud_displayname.

    3. Under the JSON /optionalClaims/saml2Token/additionalProperties add the value cloud_displayname.

    4. Under the JSON /api/requestedAccessTokenVersion, set the value to 2.


      Set the token request version value to 2

    5. Save the Manifest.


      Save the Manifest after updating JSON properties manually.

  17. (Optional) Create the redirect URL for Application Authentication.

    1. Under Microsoft Entra ID, Enterprise applications, choose the application you created in Step 2.

    2. Under Manage, click Properties and then click the application registration link.



    3. Under Manage, click Authentication and then click Add a platform.

    4. Click Web.


      Configure the redirect URI.

  18. In the Configure Web dialog box, enter the Redirect URIs.

    For the Service Manager deployment, add a redirect URI for the Service Manager with the path /services/v2/authorization.

    For each Microservices deployment, add a redirect URI for the Administration Service with the path /services/v2/authorization.


    Enter the Redirect URIs for Service Manager and Microservices.

  19. Click Configure.

The next step is to download the Root CA certificate for Microsoft Azure Entra ID and add it under the Service Manager shared Root CA certificates.

After you set up the Root Certificate Authority, you can configure the Oracle GoldenGate Authorization Profile using the values created in this topic. See Create an Authorization Profile.
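As an added example that is not part of the original page or of Oracle GoldenGate, the following Python shows what the configuration above produces in a v2.0 access token and how the groups claim maps to the four roles named at the start of this topic. The tenant ID, client ID and group display names are constructed placeholders, and GROUP_TO_ROLE stands in for the authorization profile created in the next topic.

```python
import base64
import json
import time

# Constructed IDs standing in for the values noted down in step 11; not real tenants or apps.
TENANT_ID = "00000000-0000-0000-0000-000000000001"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"

# Group display name -> Oracle GoldenGate role, as configured in the authorization profile.
# The group names are constructed; the four roles are the ones the page lists.
GROUP_TO_ROLE = {
    "ogg-security": "Security",
    "ogg-admin": "Administrator",
    "ogg-operator": "Operator",
    "ogg-user": "User",
}

def discovery_uri(tenant_id):
    """Tenant Discovery URI built from the Directory (tenant) ID, as in step 11."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration"

def expected_issuer(tenant_id):
    """Issuer published by the v2.0 discovery document; a v1 token carries a different issuer."""
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0"

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def roles_from_token(token, tenant_id, client_id, now=None):
    """Check the v2 claims this setup depends on and map the groups claim to roles.
    Claim checks only: also verify the JWT signature against the discovery document's jwks_uri."""
    now = time.time() if now is None else now
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    if payload.get("ver") != "2.0":  # requires requestedAccessTokenVersion = 2 (step 16)
        raise ValueError("not a v2.0 token: ver=%r" % payload.get("ver"))
    if payload.get("iss") != expected_issuer(tenant_id):
        raise ValueError("unexpected issuer %r" % payload.get("iss"))
    if payload.get("aud") != client_id:  # Application (client) ID from step 11
        raise ValueError("token was not issued for this application")
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    # With cloud_displayname set (step 16) the groups claim carries display names;
    # unmapped groups grant nothing, and a user may hold more than one role.
    return sorted({GROUP_TO_ROLE[g] for g in payload.get("groups", []) if g in GROUP_TO_ROLE})

def make_unsigned_test_token(claims):
    """Constructed, unsigned JWT (empty signature segment) for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
```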

Add Root CA Certificate for Microsoft EntraID Azure

Before you start creating an authorization profile in Oracle GoldenGate, you need to add the Root Certificate Authority certificate for Azure. Add the Root CA certificate as a trusted certificate to the Oracle GoldenGate deployment:

  1. Download the Azure Root CA Certificates from the following location:
  2. Convert the downloaded certificates from .crt to .pem format by using the openssl command on any Linux or macOS system.

    openssl x509 -in <crt_file> -out <pem_file_name> -outform pem

    For example:

    openssl x509 -in DigicertRootGlobalCA.crt -out DigicertRootGlobalCA.pem -outform pem

    Assuming you are using Oracle GoldenGate on-premises or OCI Marketplace GoldenGate images, you must upload those Root CA certificates as trusted certificates through the Service Manager web interface.

  3. In the Service Manager, under the Certificate Management menu, click + next to CA Certificates.
  4. Click the file upload button to upload the converted .pem file.

    Uploading the Microsoft Azure Root CA certificate .pem file.

  5. Specify a unique name and make sure the certificate is Shared, and click Submit.
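The openssl command in step 2 reads PEM input unless it is given -inform der, and root CA downloads named .crt are often DER-encoded. As an added example that is not part of the original page, this Python helper accepts either encoding and writes the PEM form that Service Manager expects; the function and file names are hypothetical.

```python
import base64
import re
from pathlib import Path

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def to_pem(data: bytes) -> bytes:
    """Return certificate bytes as PEM, accepting either PEM or DER input.

    openssl x509 reads PEM unless told -inform der, so a DER-encoded .crt fails to
    load with the command shown in step 2; this helper makes the encoding irrelevant.
    """
    if PEM_CERT.search(data):
        return data  # already PEM, hand it back unchanged
    if not data or data[0] != 0x30:  # a DER certificate is an ASN.1 SEQUENCE (tag 0x30)
        raise ValueError("input is neither a PEM nor a DER certificate")
    b64 = base64.b64encode(data)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))  # 64-column PEM lines
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"

def convert_file(src: str, dst: str) -> None:
    """Write the PEM form of `src` (for example a downloaded root CA .crt) to `dst` for upload."""
    Path(dst).write_bytes(to_pem(Path(src).read_bytes()))
```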