
Best Practices from Oracle Development's A‑Team

Managing Users Between Multiple IDCS Using SAML and SCIM

KC Flynn
Staff Cloud Engineer

Overview

Identity Cloud Service (IDCS) is a great service for managing your user and group information to be consumed by various applications and services. Often people like it enough to maintain multiple instances for use cases like separating production and development environments. The ability to replicate a subset of your production users to development or vice versa to simplify user management is the next step in this process.

In this post we'll look at how to set up an app from the IDCS App Catalog to make the dream of single location user management a reality.


Configuration

Pre-requisites

Sync Select Users

Destination IDCS Instance

We will configure a confidential application whose API calls are authenticated with a shared secret (the client secret) and which is authorized to perform CRUD operations on user objects.

  1. On the Applications dashboard, select + Add and Confidential Application
  2. Enter a display name in Name and optionally Description then click Next >
  3. Select the Configure this application as a client now radial button to configure our provisioning endpoint
  4. For Allowed Grant Types mark the checkbox next to Client Credentials
  5. Under Grant the client access to Identity Cloud Service Admin APIs click on + Add
  6. Check the box next to Identity Domain Administrator and then Add
  7. Click the Next > button at the top of the page several times and then the green Finish button to complete configuration of the confidential application
  8. Make a note of the Client ID and Client Secret displayed for later and close the modal window
  9. Click Activate at the top right corner of the application details page to complete setup of the application

Origin IDCS Instance

We will now configure an application from the App Catalog to perform identity management on the destination instance.

  1. On the Applications dashboard, select + Add to add a new application
  2. Select App Catalog to create an application from an Oracle provided template
  3. In the Search box, enter GenericScim and click the Add button next to GenericScim - Client Credentials
  4. Enter a display name and description for the application or accept the defaults and click Next >
  5. Click on the Enable Provisioning slider and close the notification that is displayed
  6. Enter the following values under Configure Connectivity:
    • Host Name: idcs-<xxxx>.identity.oraclecloud.com, replacing <xxxx> with the value from the destination IDCS URL
    • Base URI: /admin/v1
    • Client ID and Client Secret: enter the values we recorded earlier from the confidential application
    • Scope: urn:opc:idm:__myscopes__ (note the double underscores)
    • Authentication Server Url: https://idcs-<xxxx>.identity.oraclecloud.com/oauth2/v1/token
  7. Click Test Connectivity; you should receive a success message
  8. For provisioning only a subset of users, leave the Select Provisioning Operations at their default values
  9. Click the Enable Synchronization slider to show the synchronization configurations
    • If needed, groups from the target instance can be synced by going to the GenericScim application, Provisioning tab, and pressing the Refresh Application Data button. From there, simply map the users and groups by editing the sync in the GenericScim Users tab.
  10. Set Synchronization schedule to the desired value
  11. Save and activate the application in the top right corner
  12. Add users and groups through the Users and Groups tabs for new accounts to be provisioned
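As an added example (my code, not part of the original post and not Oracle's tooling), the following Python script does from the command line what the Test Connectivity button does against the destination instance configured above: it requests a token with the client-credentials grant, sending the confidential application's Client ID and Client Secret and the scope urn:opc:idm:__myscopes__ to the token endpoint, and then reads one user through the SCIM Users endpoint under /admin/v1. The host, base URI, scope and token URL are the values from the steps above; the environment variable names and the count=1 query are my assumptions.

```python
"""Command-line equivalent of the Test Connectivity step (added example)."""
import base64
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Values taken from the provisioning configuration described in the steps above.
SCOPE = "urn:opc:idm:__myscopes__"   # note the double underscores
TOKEN_PATH = "/oauth2/v1/token"
BASE_URI = "/admin/v1"


def build_token_request(host, client_id, client_secret):
    """Assemble the client-credentials token call: HTTP Basic auth carries the
    client ID and secret, the form body carries the grant type and scope.
    Returns (url, headers, body) without sending anything."""
    url = f"https://{host}{TOKEN_PATH}"
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": SCOPE})
    return url, headers, body


def parse_token_response(raw):
    """Pull the bearer token out of the JSON reply; reject anything else."""
    data = json.loads(raw)
    if data.get("token_type", "").lower() != "bearer" or "access_token" not in data:
        raise ValueError("unexpected token response, keys: %s" % sorted(data))
    return data["access_token"], int(data.get("expires_in", 0))


def build_users_request(host, token, count=1):
    """A minimal SCIM read: GET /admin/v1/Users?count=1 with the bearer token."""
    query = urllib.parse.urlencode({"count": count})
    url = f"https://{host}{BASE_URI}/Users?{query}"
    return url, {"Authorization": f"Bearer {token}"}


def send(url, headers, body=None):
    """Send a prepared request (POST when a body is given, GET otherwise)."""
    req = urllib.request.Request(url, data=body.encode() if body else None, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def main():
    # Assumed environment variable names; the secret stays off the command line.
    host = os.environ["IDCS_HOST"]            # e.g. idcs-<xxxx>.identity.oraclecloud.com
    client_id = os.environ["IDCS_CLIENT_ID"]
    client_secret = os.environ["IDCS_CLIENT_SECRET"]
    try:
        token, ttl = parse_token_response(send(*build_token_request(host, client_id, client_secret)))
        print(f"token obtained, expires in {ttl}s")
        users = json.loads(send(*build_users_request(host, token)))
        print(f"SCIM Users endpoint reachable, totalResults={users.get('totalResults')}")
    except urllib.error.HTTPError as err:
        sys.exit(f"connectivity test failed: HTTP {err.code} from {err.url}")


if __name__ == "__main__":
    main()
```

Keeping the secret in the environment rather than in the command line keeps it out of shell history, which matters here: the confidential application carries the Identity Domain Administrator role, so its client secret deserves the same handling as an administrator password. A 401 from the token endpoint points at the Client ID, secret or scope; a 401 or 403 from /admin/v1/Users with a valid token points at the Admin API grant on the application.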

Sync All Users

To replicate all changes from one instance to another, simply activate the Authoritative Sync checkbox under Select Provisioning Operations. This will sync all data from the target instance to the source, reversing the flow of information. Keep in mind that this replicates all data: there is no control or filter on what is synced.


SAML Single Sign-On

  1. Create a SAML Application by going to Applications and clicking + Add and selecting SAML Application on the stripe acting as the Identity Provider
  2. Enter a display name for the SAML application and click Next >
  3. Click on Download Identity Provider Metadata and download the metadata to upload in the Service Provider stripe
  4. In the Service Provider stripe, expand the Security tab, select Identity Providers and click + Add SAML IDP
  5. Enter a display name for the IDP and click next, keeping in mind your users will be able to see the name you enter when logging in
  6. Click Upload and import the IDP metadata downloaded earlier and then Next > twice to the Export section
  7. Transfer the fields in the Export window to the corresponding fields in the SAML application according to the following table:
    SP Export                          IDP SAML App
    Provider ID                        Entity ID
    Assertion Consumer Service URL     Assertion Consumer URL
    Logout Service Endpoint URL        Single Logout URL
    Logout Service Return URL          Logout Response URL
  8. Download the Service Provider Signing Certificate and upload to the Identity Provider using the button next to Signing Certificate and click Finish and Activate
    • Note: If you have Enforce Grants as Authorization selected in the SAML application created on the IDP, you will need to add users and groups to the application to allow those users to log in
  9. Click Next on the Identity Providers screen until setup is finished and activate the new Identity Provider
  10. To add the Identity Provider to the login screen, go to the Security and IDP Policies tab, and edit the default policy to add the Identity Provider to the assigned IDPs

To Conclude

I'll take an automated process over a manual one any day. Set up a single IDCS instance to act as a source of truth for all your environments. This will save you from updating the same information in multiple places and reduce the chance of introducing human error. Finally, kick your feet up and feel like the security expert you always knew that you could be.
