Oracle IDCS (Identity Cloud Service) can be used for role-based provisioning from Oracle Fusion Applications to Oracle Identity Cloud Service(IDCS) when users are born in Oracle Fusion Applications or when Oracle Fusion is acting trusted source for user data.
The Fusion application template(in authoritative sync) within Oracle Identity Cloud Service(IDCS) by default will synchronize all the users and groups from Oracle Fusion Application to Oracle IDCS.
In some of the certain situations mentioned below, there is a need to sync a subset of users based on a Fusion Application role in certain situations mentioned below. This blog talks about configuring and syncing all the users or a specific set of users based on a particular Fusion role within the Oracle Fusion Application.
Use Case #1: If you want to Sync Supplier or External users to IDCS for the Fusion ERP Supplier portal.
Use Case #2: If you have built analytics for Fusion using the Analytics cloud, you can sync a subset of users from fusion who require access to the Analytics cloud.
The following steps can be used to provisioning users based on the particular roles from Oracle Fusion Application.
1. Log into IDCS as Identity domain administrator role or the Application administrator role and go to "Application" and click "App" and click on "App Catalog"
Note: You can only add Oracle Applications or Custom Applications in Oracle Identity Cloud Service if you are assigned to either the Identity domain administrator role or the Application administrator role.
2. Search for "Oracle Fusion Applications Release 13" and click "Add" and enter "Name", "Description" and Application URL / Relay State (Optional). Click "Next"
Note: Application URL / Relay State is the URL that users will be directed to after a successful authentication through SAML.
3. Enter "Entity ID" and "Assertion Consumer URL" from Oracle Fusion Metadata. Upload "Signing certificate" from Oracle Fusion. Download "Identity Provider Metadata" and "Signing Certificate". Expand Advanced Settings and enter Single Logout URL and Logout Response URL. Click "Next"
Note: An entity ID is a globally unique name for a SAML entity. "Entity ID", "Assertion Consumer URL" and "Signing certificate" need to obtain from the Oracle SaaS environment, and how to get these details can be found here.
4. Enable "Provisioning" and Enter "Configure Connectivity" details
Use this section to enable provisioning and synchronization between your Oracle Fusion Applications Cloud Service environment and Oracle Identity Cloud Service. For each account in the source system(Oracle Fusion Application), the respective user will be created in the target system(Oracle IDCS).
|Administrator Username||Enter the service account user name of Oracle Fusion Applications Cloud Service.|
|Administrator Password||Enter the service account password of Oracle Fusion Applications Cloud Service.|
Enter the external hostname of your Oracle Fusion Applications Cloud Service environment. For example example.fa.mydomain.com
|Port Number||Enter the external server port of your Oracle Fusion Applications Cloud Service environment.|
|SSL Enabled||Select the checkbox for SSL communication between Oracle Identity Cloud Service and Oracle Fusion Applications Cloud Service.|
Click Test Connectivity to verify the connection with your Oracle Fusion Applications Cloud Service environment. Oracle Identity Cloud Service displays a confirmation message.
5. Select "Override Custom Sync" if you want to sync all users and groups.
Note: If this option is selected, it ignores values provided under "Fusion Admin Roles" and brings all users and groups from the Fusion Application. By default, IDCS is going to provision all the users and groups from Oracle Fusion Application.
6. If you want to provision only a specific set of users and groups then provide the value of Fusion role code as shown in the below snippet.
Note: If the values are provided, it will bring only provided roles and members of those roles.
Note: if no values are provided, then the application template will bring all users and groups into IDCS.
For Example: If you are looking to sync only the Supplier Accounts Receivable Specialist and the related roles then, specify ORA_POS_SUPPLIER_ACCOUNTS_RECEIVABLE_SPECIALIST_JOB and this will sync only the Supplier Account Receivable Specialist user and the related roles.
Note: If there are multiple roles then specify the new roles on the new line as shown in the above snippet.
Note: This option can be used for both authoritative or non-authoritative sync. But mostly used for authoritative source to bring only certain users who are part of configured admin roles.
Following table summaries the two options
Override custom sync
Specify whether to Sync all users and groups
If this option is selected, it ignores values provided under "Fusion Admin Roles" and brings all users and groups from Fusion App
Fusion Admin Roles
Specify set of admin roles to be Synchronized
If the values are provided, it will bring only provided roles and members of those roles. if no values are provided, it brings all users and groups.
7. Select "Authoritative Sync" under "Select Provisioning Operation" when you want to provision the user in IDCS automatically from Oracle Fusion Application.
Note: Authoritative Sync is used to synchronize users, roles, and role assignments from Oracle Fusion Applications Cloud Service to Oracle Identity Cloud Service. i.e. all users, roles, and role assignments in Oracle Fusion Applications Cloud Service will be pulled into Oracle Identity Cloud Service.
8. Enable "Synchronization" If you want to automatically synchronize users, roles, and role assignments from Oracle Fusion Applications to IDCS. Under "Configure Synchronization" select "User Identifier" and "Application Identifier" as shown in the below snippet.
Note: Use the Link and Confirm option for when an exact match is found(from Oracle Fusion Application to IDCS).
Note: You can select the Synchronization schedule to determine how often synchronization will occur.
9. Click Test Connectivity to verify the connection with Oracle Fusion Applications. A Connection Successful confirmation message appears next to the Test Connectivity button if the connection information is correct. Click Finish.
10. To being the provision the users from Oracle Fusion Application to IDCS, Go to the "Import" tab and click on "Import" as shown below. The Import job should start and you should see the message "Your job for importing accounts is running."
After some time the status of "Last Import" should change to "Succeeded" with the time showing "Start Date" and "End Date" as shown in the snippet.
The user and the respective members of the groups as per the Fusion code mentioned in #6 should get provisioning into IDCS as shown below.
11. At this point, the user is synchronized from Oracle Fusion Applications to IDCS and a user account gets created in IDCS. You can confirm this by going to IDCS Dashboard. Click "Users" and search the user that got provisioned from Oracle Fusion Application as seen in Step #9. Please refer to the below picture for details. You can also verify the membership by clicking on "Groups" and confirming the Role member assigned to this user.
12. You’re now able to synchronize users based on the role member from Oracle Fusion Applications to IDCS.
The Fusion application template within IDCS can be used to sync a specific set of users and groups or it can also be used to sync all the users and groups with IDCS when Oracle Fusion Application is acting as the single source of truth. This blog talks about the two options of synchronization of the users from Oracle Fusion to Oracle IDCS.
After integrating Oracle Fusion Applications Cloud Service with Oracle Identity Cloud Service for both SSO and provisioning: