OIM Connector for Identity Cloud Service

The IDCS Connector is an OIM REST-based connector for Oracle's Identity Cloud Service (IDCS). In this blog post we will look at use case scenarios for hybrid cloud solutions that span both the Oracle Public Cloud and an on-premise Oracle identity management deployment. The post aims to cover the most common scenarios from an identity governance perspective. Porting identities from an on-premise system to IDCS is one such scenario, and it can be addressed by the two options discussed below.


  1. Identity Bridge: IDCS Identity Bridge is a Windows-based synchronization service that bridges a tenant's enterprise identity store (Active Directory) with the IDCS identity store.
  2. OIM connector: the IDCS connector can be configured to provision identities, and their group memberships, to IDCS. Combining this with a birthright policy that provisions everybody who qualifies (or role-based access) will effectively sync or provision all identities, and their group memberships, to IDCS. The end result is the same as with identity sync; the gain is that only certified/confirmed identities are pushed out of on-premise OIM to the cloud.

We will be looking at option 2, which is a push from OIM to IDCS, and the steps to set up the OIM Connector and define access policies for provisioning to IDCS.

Setting up OIM Connector:

1. Download the IDCS connector bundle. The IDCS connector and its documentation are part of the latest connector pack.

2. Install the connector in OIM (or in a connector server). In this case, the connector is deployed in OIM.

3. Using curl (or Postman), make sure the IDCS tenant is accessible and that an OAuth 2.0 token can be acquired.

4. Define an application in the IDCS tenant with Allowed Grant Types: Resource Owner and Authorization Code (optional).

5. Get the Client ID and Secret for the application.

6. Update the IT Resource (auto-created when the connector is deployed) and set the following config parameters (an example from my environment).


7. Create a sandbox -> Create a form for the IDCS User resource object -> Tag the form to the IDCS Application Instance (auto-created when the connector is deployed) -> Publish the sandbox.

8. Run the IDCS Group Lookup* and IDCS Manager Lookup* scheduled jobs. If these jobs run successfully, the IT Resource is validated and we have harvested the groups from the tenant.

9. At this point, an IDCS account can be provisioned.

10. You should see a welcome email from the tenant on successful user creation.

Note on SSL: The latest IDCS build enables SSL by default. In that case, a few pointers follow.

1. Check the IDCS environment (for SSL/non-SSL). The response should list the various endpoints and the allowed ports (8990/8943).

    curl -X GET -H "Cache-Control: no-cache" "https://tenant1.idcs.internal.oracle.com:8943/.well-known/idcs-configuration"

2. If only SSL is allowed, download the root certificate, for example IDCSDevelopmentRootCA.crt.

3. Import it into the DemoTrust store (the default for OIM):

    keytool -import -noprompt -trustcacerts -alias idcs \
        -file /app/home/oracle/IDCSDevelopmentRootCA.crt \
        -keystore /app/Middleware/wlserver_10.3/server/lib/DemoTrust.jks \
        -storepass DemoTrustKeyStorePassPhrase

4. Update the IT Resource connector config to SSL as below, then do a quick check by running the IDCS lookup reconciliations successfully (any one job is fine).
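As an added example (not the connector's or Oracle's code), the following Python script performs the connectivity and token check from step 3 of the setup over SSL, trusting only the root certificate downloaded above, using the Resource Owner grant configured in step 4 and the Client ID and Secret from step 5. The tenant URL and certificate path are the ones from this post; the client ID, secret and user name are placeholders, and the token endpoint path and scope are the standard IDCS values, assumed here (confirm them in your tenant's /.well-known/idcs-configuration response).

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request
from getpass import getpass

IDCS_BASE = "https://tenant1.idcs.internal.oracle.com:8943"  # tenant URL from this post
ROOT_CA = "/app/home/oracle/IDCSDevelopmentRootCA.crt"      # root cert from the SSL note
TOKEN_PATH = "/oauth2/v1/token"      # assumed: the standard IDCS token endpoint
SCOPE = "urn:opc:idm:__myscopes__"   # assumed: the standard IDCS scope


def build_token_request(base_url, client_id, client_secret, username, password):
    """Resource Owner (password) grant request; client credentials go in an
    HTTP Basic header, never in the form body or the URL."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"grant_type": "password", "username": username,
                                   "password": password, "scope": SCOPE})
    return base_url.rstrip("/") + TOKEN_PATH, headers, body


def check_token_response(payload):
    """Return the access token if the JSON body is a usable bearer token, else None
    (an OAuth error body such as {"error": "invalid_grant"} has no access_token)."""
    if str(payload.get("token_type", "")).lower() != "bearer":
        return None
    token = payload.get("access_token")
    if not token or payload.get("expires_in", 0) <= 0:
        return None
    return token


def fetch_token(base_url, client_id, client_secret, username, password, cafile=ROOT_CA):
    """POST the request, trusting only the tenant root CA (what the DemoTrust import gives OIM)."""
    ctx = ssl.create_default_context(cafile=cafile)
    url, headers, body = build_token_request(base_url, client_id, client_secret,
                                             username, password)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return check_token_response(json.load(resp))


if __name__ == "__main__":
    # CLIENT_ID and the user name are placeholders; secrets are typed in, not hard-coded.
    token = fetch_token(IDCS_BASE, "CLIENT_ID", getpass("client secret: "),
                        "user@example.com", getpass("user password: "))
    print("token acquired" if token else "no usable token in response")
```

If the TLS handshake fails here, the IT Resource will fail the same way, so fix the trust store before moving on to the lookup jobs.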




Configure Access Policy for Auto-Provisioning:

Create a role (more like a birthright role) for the identities that fit a criterion and attach an access policy for auto-provisioning.

1. My access policy, as seen in the images below, is very basic: provision users with an 'IDCS Account' and a default password.


2. A 'Cloud-User' role is created with its membership access policy set to the policy created in the previous step.



Validate Provisioning:

At this point, we are ready to validate whether a user (who is an employee) gets the 'cloud-user' role and is auto-provisioned to IDCS. Let's see this in steps.

1. Create a user of type: employee.


2. On a successful create operation, the user's roles should show 'cloud-user'.


3. As per the access policy tagged to the role, this identity gets provisioned with an 'IDCS' account on the next successful execution of the scheduled job 'Evaluate User Policies'.


4. On successful creation of the user account in IDCS, the user gets an email notification with a link to activate the account and reset the password. In this scenario, if the initial password that was set is known (for example, from the OIM notification), we should also be able to go to the IDCS login page directly and will be prompted to reset the password. Here it is:

5. On a successful login:


6. The tenant administrator can also view the latest user accounts created.


Note: Tenant Admin access is needed to create the Resource Server (Client Application) in IDCS. Similarly, creating and managing access policies is a system administrator's function in OIG.


Overall, the scenario discussed here is one approach to hybrid governance. A few further scenarios to consider are hybrid Segregation of Duties (SoD), hybrid certification and hybrid reporting. I suggest going through the following links on these topics. Happy hybrid governance!

Hybrid SOD : http://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/idcs_oim_hybrid2_obe/oim_hybrid2.html

Hybrid Certification : http://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/idcs_oim_hybrid1_obe/oim_hybrid1.html

Hybrid Reporting : http://www.oracle.com/webfolder/technetwork/tutorials/obe/cloud/idcs/idcs_oim_hybrid3_obe/oim_hybrid3.html
