IDCS Integrations Series Part II:Integrating Fusion Application with IDCS

Overview

Last year at OOW, I conducted Hands On Lab on Fusion integration with IDCS. We had a full room of audience with loads of questions. That inspired me to write this blog.

One of the most common requirements as Fusion is deployed in OPC is, how to centrally manage users and implement Single Sign-On between Fusion and rest of the OPC services. IDCS (IDentity Cloud Service) is security backbone for all the OPC services. It is Oracle's Identity service in the cloud. It can implement Single Sign-On between OPC services and Fusion. User management can be done either in Fusion or in IDCS. If IDCS is source of truth then IDCS can provision and de-provision users to Fusion or if Fusion is source of truth then Fusion can provision and de-provision users to IDCS.

In this blog, we will focus on a scenario where IDCS is source of truth. We will implement Single Sign-On and user synchronization between the two.

As shown in the above diagram, Fusion federates with IDCS to provide Single Sign-On between Fusion and every other OPC service that is integrated with IDCS. For user provisioning to Fusion, IDCS uses Fusion SCIM APIs.

To integrate Fusion with IDCS, follow steps mentioned below.

Pre-Requisites

1. 1. Create a support request to get Fusion instance metadata and signing certificate. That is required to configure federation between Fusion and IDCS.
2. 2. Create a support request to configure federation between IDCS and Fusion. Fusion access management console is not exposed to customers. When you create a support request, devops team configures federation for the Fusion instance.

IDCS configuration

1. 1. Login to IDCS admin console using identity administrator user.
2. 2. After you login, click on 'Applications' tab. Then click on 'Add' button to add a new application.

1. 3. Select 'App Catalog' to find Fusion application from the catalog.

1. 4. Select Fusion application and click on 'Add' button.

1. 5. Select Fusion applications deployed in your environment.
2. 6. Enter Fusion environment details like Fusion tenant name and domain name and click 'Next'. You can derive that information from Fusion environment URL. Fusion environment URL is of the form, https://$TENANT_NAME.{hcm/fin/erp/fs}.$DC.$DOMAIN/$URI. So if the URL is https://ucf6-fap0670.hcm.dc1.oraclecloud.com/hcmCore/faces/FuseWelcome, then tenant name is ucf6-fap0670, and domain name is, $DC.$DOMAIN which for the above mentioned URL is, dc1.oraclecloud.com.

1. 7. Now enter provider ID for the Fusion environment. You can find provider ID from Fusion metadata that you received from support team in pre-requisite step. Also upload signing certificate that you received from support team in pre-requisite step.

1. 8. In the next step, you configure provisioning. To provision/de-provision users, IDCS uses Fusion's user management SCIM APIs. You can also test connectivity between the two as shown in the screen shot below. Host name is SCIM endpoint for the Fusion environment.It should be of the form $TENANT_NAME.hcm.$DC.$DOMAIN

User provisioning

Once Fusion application is added in IDCS, Assign a user to the application or revoke user's access from IDCS and that will provision or de-provision the user from Fusion respectively.

IDCS also supports group based provisioning to Fusion or any other application. If you assign a group to the application, all the users from the group can access the application and will also be provisioned to the application. Also if you add more users to the group, they will be provisioned to the application (Fusion in this case). However group based provisioning and de-provisioning is done through scheduled job and is not real time.