Entra ID is one of the new cloud-native authentication, authorization and user life cycle management architectures for the Oracle database, introduced in 2022. Beyond authentication, authorization and user life cycle management, it also brings multi-factor authentication and a single password complexity policy shared with on-premises Active Directory (AD), because most customers sync their users and groups with their Entra ID tenancy. The architecture supports the following authentication flows:
- Interactive authentication flow for humans connecting from devices that support a pop-up browser
- Device code authentication flow for humans connecting through jump hosts that do not support a pop-up browser
- Client credential authentication flow for service accounts
This blog post focuses on the client credential authentication flow to provide a simplified recipe for setting up Oracle database client service accounts with Entra ID integration.
Configuration is required in each of the following three areas:
- Entra ID
  - New app role in the target database's app registration
  - Service account app registration
  - Service account pre-shared credential
  - Add the service account to the target database's allowed-app ingress rules
- Database Server
  - Add the service account
  - Apply grants to the service account
- Database Client
  - Create a wallet holding the pre-shared credential
  - Add a TNS entry for the service account with AZURE_CREDENTIALS
In this example, let's assume that we are adding a service account for the Human Resources (HR) application. The Entra ID app role will be named app_hr.role, the HR service account's app registration in Entra ID will be named dbclient_service_hr, and the Oracle database server representation of this service account will be named app_hr.
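The client credential flow that the service account relies on, as an added Python example (not code from the original post or from Oracle): it builds the OAuth2 token request the client sends to Entra ID and then performs the claim checks a resource server such as the database applies to the returned access token, requiring the app_hr.role app role from this example. The tenant ID, client ID, database app ID URI and the sample token are constructed placeholders; the client secret is passed in as a parameter because in the real setup it lives in the wallet rather than in source code, and signature verification against the tenant's published signing keys, which needs network access, is noted in a comment rather than performed.

```python
"""Client credential flow for an Oracle database service account with Entra ID:
build the token request, then validate the access token's claims the way the
resource server (the database) must before trusting it. Offline demonstration
with a constructed, unsigned sample token."""
import base64
import json
import time
from urllib.parse import urlencode

# Constructed placeholder identifiers for this example (hypothetical values)
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # dbclient_service_hr registration
DATABASE_APP_ID_URI = "api://oracle-db-hr-example"   # database app registration identifier
EXPECTED_ROLE = "app_hr.role"                        # app role defined in Entra ID


def build_token_request(tenant_id, client_id, client_secret, db_app_id_uri):
    """Return (url, form_body) for the OAuth2 client credentials grant.
    client_secret is the pre-shared credential; in the real setup the client
    reads it from the wallet rather than embedding it in code or TNS files."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{db_app_id_uri}/.default",   # requests a token for the database app
    })
    return url, body


def _b64url_decode(s):
    # JWT segments omit base64 padding; restore it before decoding
    s += "=" * (-len(s) % 4)
    return base64.urlsafe_b64decode(s)


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_claims(token):
    """Parse the payload segment of a JWT into a dict (no signature check here)."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_token(token, db_app_id_uri, required_role, now=None):
    """Claim checks the resource server performs. A production check first
    verifies the JWT signature against the tenant's signing keys (JWKS from the
    OIDC discovery document), which is omitted here because it needs network.
    Returns (ok, reason)."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    # Token must be issued for this database, not for some other API
    if claims.get("aud") != db_app_id_uri:
        return False, "audience mismatch"
    # Reject expired tokens
    if claims.get("exp", 0) <= now:
        return False, "expired"
    # App role assignment is what maps the service account to app_hr
    if required_role not in claims.get("roles", []):
        return False, "missing app role"
    return True, "ok"


def make_sample_token(claims):
    """Constructed, unsigned JWT for offline demonstration only."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()),
                     ""])


if __name__ == "__main__":
    url, body = build_token_request(TENANT_ID, CLIENT_ID, "secret-from-wallet",
                                    DATABASE_APP_ID_URI)
    print("POST", url)
    print(body)
    sample = make_sample_token({"aud": DATABASE_APP_ID_URI, "exp": 2000000000,
                                "roles": [EXPECTED_ROLE], "appid": CLIENT_ID})
    print(check_token(sample, DATABASE_APP_ID_URI, EXPECTED_ROLE))
```

The `scope` ends in `/.default` because the client credential grant has no user consent step: the token carries whatever app roles the service account's registration has been assigned, and the `roles` claim is what the database maps to the app_hr account. The three checks in `check_token` are the minimum a resource server applies after signature verification, and the audience check is what stops a token minted for a different API from being replayed against the database.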