Cloud Security Perspectives and Insights

Automating User Lifecycle Management in On-Premises Applications

Co-Authored by: Atul Goyal, Senior Principal Product Manager and Ritesh Kumari, Principal Product Manager 

Oracle Identity Cloud Service (IDCS) provides single signon, user lifecycle management and API access management for a wide variety of SaaS and on-premises applications. When we set out to build user provisioning and lifecycle management in Identity Cloud Service (IDCS), we wanted to make sure that:

  1. Oracle customers would not have to re-platform or redeploy their applications
  2. Customers would not be forced to re-write application connectors
  3. Customers would not be forced to make compromises in network security
  4. Customers would always have control over which solution managed applications were managed by Enterprise IDM versus IDCS and could still get the single pane of glass

Burgeoning demand for automation and governance drives innovation
Until recently, the Identity Cloud Service Application Catalog provided Application Templates with support for user provisioning for a variety of popular SaaS applications. Customers could configure end to end user account automation for applications like Office 365, GSuite, Box and several others within minutes. Customers could work with SCIM (System for Cross-Domain Identity Management) Gateways from partners like Kapstone LLC and Aquera to automate provisioning with several hundred applications. Our customers wanted us to extend user lifecycle management support to on-premises applications as well as bespoke apps. Customers of Oracle Identity Governance (OIG) wanted IDCS to support a seamless transition to Cloud without rewrites or re-platforming. With the introduction of the Oracle Identity Cloud Provisioning Bridge, IDCS customers can now integrate with practically any application, regardless of where the application is running. The Provisioning Bridge enables customers to use the extensive set of Oracle and Partner-developed connectors. The use of the Identity Connector Framework(ICF) as the backbone for application connectors enables customers and partners to rapidly integrate their applications with IDCS.

Key Design Principles

    • Secure and Scalable Deployment
      • The Bridge can be installed in on-premises or in the cloud
      • The Bridge will be installed behind the firewall or in the DMZ.
    • No Firewall Rules – Communication between the Bridge and IDCS is always uni-directional and over HTTPS and it’s from bridge to IDCS.
    • Secure Communication – Bridge and  communicates with IDCS over SSL and uses Embedded Sign-in certificate.
    • IP Whitelisting – You can whitelist IDCS IPs to ensure that Provisioning bridge communicates to only selected IDCS Datacenters.
    • Support for all ICF Based Connectors
      • Designed to support all Oracle Identity Governance Connectors
      • Designed to support all custom connectors built by customers and partners in OIG
    • Support Cloud-native Deployment
      • Supports containerized deployments
      • Works on Windows, Linux and Mac OS platforms

Downloading the Bridge binaries
The Provisioning bridge can be downloaded from the Downloads page in the IDCS Admin Console.

Installing and configuring the Bridge
The Bridge, can be installed on Windows, Linux or a Mac, which must have connectivity to the Internet as well as network connectivity to the applications that will be managed by IDCS.

After installing the Bridge, add a Provisioning Bridge instance using the IDCS UI. You will be provided the OAuth credentials for the Bridge, which you will use as part of configuring the Bridge to securely communicate with IDCS.

You need to add provisioning bridge from the IDCS UI i.e. IDCS console->Setting-> Provisioning Bridge-> Add.

Now, install the provisioning bridge by using install script and provide client ID and secret which has been generated for the bridge. Once installation is completed after that need to run start script.

Once Provisioning bridge is up you would be able to see its status in IDCS console.

After that you can associated provisioning bridge with the on-premise applications which are available in IDCS application catalog.

In IDCS Application Catalog you will see various pre-integrated Application Templates for the Provisioning Bridge i.e.

  • Oracle Internet Directory (OID)
  • Oracle Unified Directory (OUD)
  • Oracle Virtual Directory (OVD)
  • Oracle Sun Directory (ODSEE)
  • Generic LDAP
  • Oracle E-Businesswise User Management
  • Oracle Peoplesoft User management
  • Oracle Database User Management
  • Generic Unix
  • Generic Scripting
  • Oracle Database Application Table
  • Custom ICF User and group management


All the LDAP templates have the authoritative sync (all the LDAP users would be considered as IDCS users) and provisioning (creating account in target application and synching account from target application) capabilities.  If you are interested in learning more, please watch our video, Synchronize Users from Oracle Internet Directory to Oracle Identity Cloud Service.

Be the first to comment

Comments ( 0 )
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.