The IDCS Connector is an OIM REST-based connector for Oracle's Identity Cloud Service (IDCS). In this blog post we will look at use case scenarios for hybrid cloud solutions that span both the Oracle Public Cloud and an on-premise Oracle identity management deployment. This post aims to cover the most common scenarios from an identity governance perspective. Porting identities from an on-premise system to IDCS is one such scenario and can be addressed by the two options discussed below.
We will be looking at option 2, which is a push from OIM to IDCS, and the steps to set up the OIM connector and define access policies for provisioning to IDCS.
Setting up OIM Connector:
1. Download the IDCS connector bundle. The IDCS connector and its documentation are part of the latest connector pack.
2. Install the connector in OIM (or in a connector server). In this case, the connector is deployed in OIM.
3. Using curl (or Postman), make sure the IDCS tenant is accessible and that you are able to acquire an OAuth 2.0 token.
4. Define an application in the IDCS tenant with Allowed Grant Types: Resource Owner and Authorization Code (optional).
5. Get the Client ID and Client Secret for the application.
6. Update the IT Resource (auto-created when the connector is deployed) and set the following configuration parameters (the values shown are an example from my environment).
7. Create a sandbox --> Create a form for the IDCS User resource object --> Tag the form to the IDCS Application Instance (auto-created when the connector is deployed) --> Publish the sandbox.
8. Run the IDCS Group Lookup* and IDCS Manager Lookup* scheduled jobs. If these jobs run successfully, the IT Resource is validated and we have harvested the groups from the tenant.
9. At this point, an IDCS account can be provisioned.
10. You should see a welcome email from the tenant on successful user creation.
Note on SSL: The latest IDCS build enables SSL by default. In that case, a few pointers are below.
1. Check the IDCS environment (for SSL/non-SSL). The response should show the various endpoints and the allowed ports (8990/8943):
curl -X GET -H "Cache-Control: no-cache" "https://tenant1.idcs.internal.oracle.com:8943/.well-known/idcs-configuration"
2. If only SSL is allowed, download the root certificate, for example IDCSDevelopmentRootCA.crt.
3. Import it into the DemoTrust store (the default for OIM):
keytool -import -noprompt -trustcacerts -alias idcs -file /app/home/oracle/IDCSDevelopmentRootCA.crt -keystore /app/Middleware/wlserver_10.3/server/lib/DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase
4. Update the IT Resource connector configuration to SSL as shown below, and do a quick check by running the IDCS lookup reconciliations successfully (any one job is fine).
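As an added example (not code from the original post), the following script bundles the pre-flight checks behind steps 3 to 5 and the SSL note: it inspects the well-known configuration for which ports the tenant exposes, confirms the root CA alias landed in the trust store, and acquires a token with the Resource Owner grant the application was defined with. The tenant host, client credentials and trust store values are placeholders; the /oauth2/v1/token endpoint, the urn:opc:idm:__myscopes__ scope and the assumption that the ports appear inside the endpoint URLs are my assumptions about the IDCS REST API, not something the post states.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the IDCS connector IT Resource (added example, not from the post).
# Placeholders: tenant host, client id/secret, trust store path and password.
set -euo pipefail

# The Resource Owner grant authenticates the OIM client with HTTP Basic: base64(clientId:secret).
basic_auth_header() {  # $1=client id  $2=client secret
  printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Given the body of /.well-known/idcs-configuration, report which ports the
# endpoint URLs use: "mixed" if 8990 (non-SSL) appears, "ssl-only" if only 8943 does.
# Assumes the ports are embedded in the endpoint URLs (assumption, not from the post).
endpoint_mode() {  # $1=JSON body
  if printf '%s' "$1" | grep -q ':8990/'; then
    printf 'mixed'
  elif printf '%s' "$1" | grep -q ':8943/'; then
    printf 'ssl-only'
  else
    printf 'unknown'
  fi
}

# Verify the IDCS root CA was imported under the alias used in the keytool step.
truststore_has_alias() {  # $1=keystore  $2=storepass  $3=alias
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Acquire an access token via the Resource Owner Password grant; prints only the token.
acquire_token() {  # $1=base url  $2=client id  $3=client secret  $4=user  $5=password
  curl -sS -X POST "$1/oauth2/v1/token" \
    -H "Authorization: $(basic_auth_header "$2" "$3")" \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --data-urlencode 'grant_type=password' \
    --data-urlencode "username=$4" --data-urlencode "password=$5" \
    --data-urlencode 'scope=urn:opc:idm:__myscopes__' \
  | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p'
}

main() {  # placeholder values; set RUN_IDCS_CHECK=1 to execute against a real tenant
  local base='https://tenant1.idcs.example.com:8943'
  local cfg
  cfg=$(curl -sS -H 'Cache-Control: no-cache' "$base/.well-known/idcs-configuration")
  echo "endpoint mode: $(endpoint_mode "$cfg")"
  truststore_has_alias /app/Middleware/wlserver_10.3/server/lib/DemoTrust.jks \
    DemoTrustKeyStorePassPhrase idcs && echo 'trust store: idcs alias present'
  [ -n "$(acquire_token "$base" "$CLIENT_ID" "$CLIENT_SECRET" "$IDCS_USER" "$IDCS_PASS")" ] \
    && echo 'token: acquired'
}
if [ "${RUN_IDCS_CHECK:-0}" = 1 ]; then main; fi
```

If endpoint_mode reports "mixed", the tenant still accepts port 8990, so the IT Resource can be validated before the SSL switch; "ssl-only" means the trust store import must succeed before any lookup job will.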
Configure Access Policy for Auto-Provisioning:
Create a role (more like a birthright role) for the identities that fit a criterion and attach an access policy for auto-provisioning.
1. My access policy, as seen in the images below, is very basic: it provisions users with an 'IDCS Account' and a default password.
2. A 'Cloud-User' role is created with its membership access policy set to the policy created in the previous step.
At this point, we are ready to validate whether a user (who is an employee) gets the 'cloud-user' role and is auto-provisioned to 'IDCS'. Let's see this in steps.
1. Create a user of type employee.
2. On a successful create operation, the user's Roles should show 'cloud-user'.
3. As per the access policy tagged to the role, this identity gets provisioned with an 'IDCS' account on the next successful execution of the scheduled job 'Evaluate User Policies'.
4. On successful creation of the user account in IDCS, the user gets an email notification with a link to activate the account and reset the password. In this scenario, if the initial password is known (for example from the OIM notification), we can also log in to IDCS directly and are prompted to reset the password, as shown here.
5. On a successful login.
6. The tenant administrator can also view the latest user accounts created.
Note: Tenant Admin access is needed to create the resource server (client application) in IDCS. Similarly, creating and managing access policies is a system administrator's function in OIG.
Overall, the scenario discussed here is one approach to hybrid governance. A few further scenarios to consider are hybrid Segregation of Duties (SoD), hybrid certification and hybrid reporting. I suggest going through the following links on these topics. Happy hybrid governance!