IDM FA Integration flows


One of the key aspects of Fusion Applications operations is user and role management. By default, Fusion Applications uses Oracle Identity Management for its identity store and policy store. This article explains how the user and role flows work from different points of view, using the ‘key’ IDM products for each flow in detail. With a clear understanding of how Fusion Applications works with Identity Management for user provisioning and role management, you can improve your FA IDM environments by integrating them with the rest of the enterprise assets and processes. For example, if you need to integrate your current enterprise IDM with this solution, which flows do you need to be aware of?

Main Article

FA relies on roles and privileges implemented in IDM to authenticate users and authorize operations. FA uses jobs in the ESS system to reconcile the users and roles in OIM. OIM, in turn, gets the corresponding data from the user store and the policy store using LdapSynch (the provisioning and reconciliation process). This flow is shown below.

Fig1: FA IDM integration flow


A brief explanation of each part of the main flow above:

FA OID flow: OID holds policy information from FA. Duty roles and privileges are created from FA in OID (the policy or security store).

Fig2: FusionApps and OID.


FA OIM flow: FA provisions users or roles to OIM, and OIM to FA, through SPML.

For example, enterprise business logic may qualify the requester and initiate a role provisioning request by invoking the Service Provisioning Markup Language (SPML) client module, as may occur during onboarding of internal users with Human Capital Management (HCM), in which case the SPML client submits an asynchronous SPML call to OIM.

Or OIM handles the role request by presenting roles for selection based on associated policies.

Or the products communicate with each other to provide challenge question responses, the password reset procedure and more.


Fig3: picture above helps to explain the flow information that we explained above.
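
An added example, not from the original article or from Oracle: a minimal sketch of the asynchronous SPML call described above, using the SPML v2 core request and response attributes. The payload namespace, attribute names and target ID are placeholders, not OIM's actual schema.

```python
import uuid
import xml.etree.ElementTree as ET

SPML_NS = "urn:oasis:names:tc:SPML:2:0"  # SPML v2 core namespace (OASIS)
DATA_NS = "urn:example:identity"         # hypothetical payload schema, not OIM's

def build_add_request(attrs, target_id):
    """Build an asynchronous SPML v2 addRequest carrying one user's attributes."""
    req = ET.Element(f"{{{SPML_NS}}}addRequest", {
        "requestID": f"req-{uuid.uuid4()}",
        "executionMode": "asynchronous",
        "targetID": target_id,
    })
    data = ET.SubElement(req, f"{{{SPML_NS}}}data")
    for name, value in attrs.items():
        ET.SubElement(data, f"{{{DATA_NS}}}{name}").text = value
    return req

def sample_response(request_id, status, error=None):
    """Constructed addResponse for offline use; not captured from a real OIM."""
    err = f' error="{error}"' if error else ""
    return (f'<addResponse xmlns="{SPML_NS}" requestID="{request_id}" '
            f'status="{status}"{err}/>')

def interpret_response(xml_text, expected_request_id):
    """Classify an addResponse; 'pending' means queued, not yet provisioned."""
    resp = ET.fromstring(xml_text)
    if resp.tag != f"{{{SPML_NS}}}addResponse":
        raise ValueError("unexpected response element")
    if resp.get("requestID") != expected_request_id:
        raise ValueError("requestID mismatch: response belongs to another request")
    status = resp.get("status")
    if status == "pending":
        return "poll-status"  # caller must follow up with a statusRequest
    if status == "success":
        return "provisioned"
    if status == "failure":
        return "failed:" + (resp.get("error") or "unspecified")
    raise ValueError(f"unknown status {status!r}")

if __name__ == "__main__":
    req = build_add_request({"username": "jdoe"}, "target-placeholder")
    rid = req.get("requestID")
    print(ET.tostring(req, encoding="unicode"))
    print(interpret_response(sample_response(rid, "pending"), rid))
```

Because the call is asynchronous, a `pending` response only confirms that the request was accepted; downstream access decisions should wait until a later status check reports success.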

OID OIM flow: OIM connects to OVD through the LDAP ITResource feature, which provides the connection and is also responsible for LDAP Synch reconciliations from OID to OIM, as well as for the event handlers that OIM triggers if there is any update from there.

Fig4: Provides the visual explanation of the OID OIM flow.


FA OIM flow: Here, ESS jobs from FA create the user in OID or update it from OID. 4.1) “Retrieve Latest LDAP Changes” reads from OID and updates FA if anything is missing (users, role assignments, etc.); 4.2) “Send Pending LDAP Changes” sends to OIM any requests that have not yet been processed. (If you use the FA UIs, such as Manage Users, to create a user, this should happen almost immediately, but if you have bulk loaded employees and assignments, you need to run Send Pending LDAP Requests to get the requests processed.)

Fig5: OAM -FA integrated.



Implementing an FA+IDM solution for an organization should be done with all the other flows in consideration, such as the ‘New Hire’ and ‘Authentication and Authorization’ flows. Proper planning and an understanding of the various dimensions of this solution and its concepts allow an organization to discern why, or even whether, it needs Oracle IDM and FA wired into its enterprise IDM solution. It also highlights which user details the enterprise wants to protect, and how best to offer Oracle protection in an integrated and effective manner.

Other useful links:

Oracle® Fusion Applications Security Guide, 11g Release 1 ( :


  1. Mark Van Tiggel says:

    Any more practical pointers as to how to integrate.
    We run OIM 11gR2 as enterprise IdM. Don’t want our on premise Fusion ( V8 ) to autocreate users for persons and parties.
    We’ll pull in the persons/parties in to our IdM, where their username and such are generated. From here they are provisioned to the target systems,

    Through OIM APIs ( for Fusion OIM ), can create the user, propagates to LDAP but the Person / Party link still needs to be established through e.g. Manage Users form in HCM…. How to automate E2E ? Is using the OIM APIs correct approach?

    • Hi Mark,

      If you have Enterprise OIM and FA-Rel8 solution you should follow 3 steps to accomplish what you are looking for:

      Suppress, integration and linking.

      1-Suppress user creation in FA to not synchronize FA users with OIM. On FA environment : go to FA environment and in setup Enterprise screen there is an option called ‘User and Role Provisioning Information–>User Account Creation–> set to None’.
      2-Integrate your OIM Enterprise with your OIM-FA (You can do through SPML or OIM API). And once the user is created there it will synchronize with OID(FA). Note: Best option here is SPML.
      3-Linking FA with IDM: This can be done through manage users form through LdapRequest service or Retrieve Ldap. Or using the worker service to get the Person # and then update the user with that via SPML. We’ll get a callback from OIM and if they run Retrieve Latest LDAP Changes nightly, which they should, it will come in that way as well.

  2. uday sambhara says:

    Nice Article!
