
Best Practices from Oracle Development's A‑Team

A comparison of options to synchronize users and roles between Oracle Applications Cloud and identity providers.

Mani Krishnan

Introduction

Oracle Applications Cloud includes HCM, ERP, Supply Chain and Sales applications. A common architectural requirement across most Oracle applications customers is to federate logins with a customer-specific identity and access provider. A key part of such federation is regularly synchronizing users and group memberships from the Identity Provider to Oracle Applications Cloud. In this blog, let's look at the federation configurations at a high level and then compare some alternatives for user and role synchronization.

Oracle Application Cloud Federation

Often, customers want to delegate user authentication to their primary identity and access management service, also known as an Identity Provider (IDP). Oracle IDCS, Microsoft Active Directory Federation and Okta are common examples of Identity Providers. Federation between Identity Providers and services such as Oracle HCM Cloud lets customers leverage existing security infrastructure for newly provisioned services and centralize control of identity and access management. SAML-based identity federation is commonly used. A simple SAML-based federation of Oracle Applications Cloud looks like this:


High-level view of federation

The graphic above shows a simple, straightforward configuration. The customer's identity provider is configured as a SAML IDP in Oracle applications. This can be accomplished in the Security Console by the customer's Oracle applications administrator; see the References section for detailed steps. In turn, Oracle Applications Cloud is registered as a service provider in the identity provider. A more complex scenario might have multiple service providers in different configurations, as shown in the graphic below.

Example configurations for multiple service providers

Both example configurations above have two Service Providers configured with an Identity Provider. The scenario on the right is the most typical: each Service Provider requires that the user has an active session with the Identity Provider or logs in afresh.

The scenario on the left has the service providers configured in an IDP-SP relationship. This is useful when a customer requires users to log in to the IDP and into Oracle Applications Cloud before being allowed access to a web application extension on PaaS.

The common requirement between these configurations is that the same set of users must be recognized by all providers in the topology. This is accomplished by user and role synchronization, discussed in the next section.

User and role synchronization

As users are hired, terminated or assigned new responsibilities, their access to applications changes. This is achieved by creating a user, deleting a user, or adding users to and removing users from groups. Oracle HCM Cloud generates an ATOM feed for such events that can be used to trigger user lifecycle actions, which deserves a separate discussion. The IDP in the topology (where users are 'born') usually receives these updates first and makes the changes: adding or removing users, or assigning or removing groups for users. The IDP then synchronizes these changes with one or more service providers.

There are several ways to implement user and role synchronization to Oracle Applications Cloud. To synchronize with Active Directory, the AD Bridge for Fusion applications has been widely used. Note that the AD Bridge is very limited in its support for Windows Server and Java runtimes (currently Windows 2012 and Java 1.8, with no plans to support later versions), so other alternatives must be considered in its place. The graphic below shows the alternatives for user and role synchronization, which are addressed in the following sections.

Tools for user and role synchronization

HCM data loader (HDL) and HCM Spreadsheet loader 

HDL and HSDL are integral parts of Oracle HCM Cloud. HDL is a file-based integration tool used for both historic and ongoing imports, and it can be invoked through web services or from the HCM UI. HDL has a specific file format for loading users and assigning them roles, in a file named User.dat.
HCM Spreadsheet Loader permits loading objects from a spreadsheet, which is suitable for one-off updates.
Refer to the documentation in the References section for more information on these tools.

SCIM API

SCIM, or System for Cross-domain Identity Management, is an IETF specification meant to simplify integration between identity management systems. Oracle Cloud Applications and Oracle Identity Cloud both provide a REST API that conforms to the SCIM specification.
Customers can write integration applications that use the SCIM API to create users and groups and to assign users to groups. These integration applications should be triggered by events in the IDP or run periodically from an integration platform.
Refer to the documentation for the SCIM API in the References section.
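As an added example (not code from the original post or from Oracle), the following Python sketches the core of such an integration application: a pure diff between the users and group memberships the IDP says should exist and what the service provider's SCIM endpoints currently report, emitted as standard SCIM 2.0 requests. It assumes generic RFC 7644 /Users and /Groups endpoints and PatchOp bodies rather than any Oracle-specific URL or role schema, and all sample data is constructed.

```python
"""Plan the SCIM 2.0 requests that reconcile a service provider with an IdP snapshot."""
import json

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample data (not from any real tenant).
# Desired state from the IdP: userName -> set of group (role) names.
IDP_USERS = {"alice": {"HR_ANALYST"}, "carol": {"AP_CLERK"}}
# Current state as read from the SP's GET /Users and GET /Groups:
# userName -> SCIM id, and group name -> (SCIM id, set of member user ids).
SP_USERS = {"alice": "u-1", "bob": "u-2"}
SP_GROUPS = {"HR_ANALYST": ("g-10", {"u-2"}), "AP_CLERK": ("g-11", set())}


def patch(operations):
    """Wrap operations in a SCIM PatchOp body (RFC 7644 section 3.5.2)."""
    return {"schemas": [PATCH_SCHEMA], "Operations": operations}


def plan_sync(idp_users, sp_users, sp_groups):
    """Return (requests, deferred). requests is a list of (method, path, body) to send
    to the SP; deferred lists (userName, group) memberships that need the SCIM id the SP
    assigns on POST /Users, so they are applied after creation (or on the next run).
    The plan is a pure diff, so re-running it against an up-to-date SP is a no-op."""
    requests, deferred = [], []
    # Users in the IdP but unknown to the SP: create them, remember their roles.
    for name in sorted(set(idp_users) - set(sp_users)):
        requests.append(("POST", "/Users", {"schemas": [USER_SCHEMA], "userName": name, "active": True}))
        deferred.extend((name, group) for group in sorted(idp_users[name]))
    # Users gone from the IdP: deactivate rather than DELETE, so audit history and
    # record ownership survive; their group membership is still revoked below.
    for name in sorted(set(sp_users) - set(idp_users)):
        body = patch([{"op": "replace", "path": "active", "value": False}])
        requests.append(("PATCH", f"/Users/{sp_users[name]}", body))
    # Group (role) membership: add what the IdP grants, remove everything else.
    for group, (gid, current) in sorted(sp_groups.items()):
        desired = {sp_users[n] for n, groups in idp_users.items() if group in groups and n in sp_users}
        operations = []
        if desired - current:
            operations.append({"op": "add", "path": "members",
                               "value": [{"value": uid} for uid in sorted(desired - current)]})
        for uid in sorted(current - desired):
            operations.append({"op": "remove", "path": f'members[value eq "{uid}"]'})
        if operations:
            requests.append(("PATCH", f"/Groups/{gid}", patch(operations)))
    return requests, deferred


if __name__ == "__main__":
    for method, path, body in plan_sync(IDP_USERS, SP_USERS, SP_GROUPS)[0]:
        print(method, path, json.dumps(body))
```

Groups that exist in the IDP but not in the SP are not created by this planner; in practice they are usually pre-provisioned roles, so an unknown group name is best surfaced as a configuration error rather than created on the fly.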

Other Oracle tools

Oracle Identity Cloud provides pre-built application templates that can be used to synchronize users and roles with Oracle Applications Cloud; check the References section for blogs and documentation. These application templates use the SCIM API for synchronization. Oracle Identity Cloud also provides an Active Directory bridge tool that can synchronize users and roles from Active Directory to Identity Cloud.

3rd party tools

There are also SCIM-based connectors provided by vendors such as Microsoft that allow synchronizing users and groups from Azure AD to Oracle ERP Cloud. These tools are not supported by Oracle; please check with the respective vendors for support.

Comparison

Finally, here is a comparison of the alternatives.

Tool | Support | Use | Coding required? | Note
--- | --- | --- | --- | ---
Oracle applications (Fusion) AD bridge | Supports only Windows 2012 and Java 1.8 | Scheduled synchronization | No | Not recommended
HDL and HSDL | Supported | Scheduled synchronization, one-off updates | Depends on type of use | For one-off loads, coding not required
SCIM API | Supported | Scheduled or event-based synchronization | Yes | Integration code must be written and hosted to use the API
Other Oracle tools | Supported | Scheduled synchronization | No | Identity Cloud-based tools: IDCS AD bridge and SCIM connector
3rd party tools | Not supported by Oracle | Depends on tool | Depends on tool | None

References

How to enable single sign-on using Security console on Oracle applications cloud?

How to bring Azure AD users and groups into IDCS

Documentation for Oracle applications cloud AD bridge

Link to SCIM API on Oracle Identity Cloud Service

Using HCM Cloud ATOM feeds

In My Oracle Support (MOS):

Using SCIM REST API for Oracle applications cloud (Doc ID 2346455.1)

HCM Data Loader: Loading User Update Requests (Doc ID 2089377.1)

How To Upload Multiple Roles To The Same Employee (Doc ID 2364273.1)