Cloud Security Perspectives and Insights

Oracle Identity Cloud Service Integration with Kapstone Provisioning Gateway

Contributed by: Atul Goyal, Senior Principal Product Manager, Oracle, Harish Jangada, Managing Partner, Kapstone LLC, and Saurabh Sharma, Managing Partner, Kapstone LLC

Oracle Identity Cloud Service lets customers securely govern their applications and perform single sign-on, multi-factor authentication, user lifecycle management and API access management for a wide variety of cloud and on-premises applications.

Working closely with our strategic partner, Kapstone Technologies LLC (KP), Oracle Identity Cloud Service now gives its customers greater flexibility and control over user lifecycle management through out-of-the-box integration with 100+ cloud, on-premises and legacy applications and platforms.

Kapstone Provisioning Gateway (an Oracle Identity Cloud Service certified integration) extends your ability to connect with 100+ cloud, on-premises and legacy applications and platforms. The KP Provisioning Gateway comes with out-of-the-box (OOTB) connectors that perform user lifecycle management (LCM) operations: create, update, disable and delete user.

Simplifying User Management in Oracle Fusion Applications and EPM with Identity Cloud Service

The KP Provisioning Gateway provides an OOTB connector for Oracle Fusion HCM Cloud that automates otherwise manual user lifecycle management processes. Based on the HR event (hire, transfer, termination), Kapstone Gateway can provision users and assign roles in target applications such as Oracle Fusion Applications, Oracle EPM, Oracle Analytics Cloud, Oracle Cloud Infrastructure and various on-premises and cloud applications. It can also detect segregation of duties (SoD) policy violations in Oracle Fusion Applications.

The Oracle Fusion HCM Cloud and Oracle Identity Cloud Service integration, leveraging the Kapstone Integration Service, automatically onboards employees and workers and helps ensure that their access to apps and roles follows business policy and is compliant from their first day.

Improve IT productivity:

  • Streamline assignments of apps and privileges using role-based access control
  • Keep HR attributes such as manager, department, location and job title in sync with IT systems

Compliance / Enhanced Security:

  • Instantly de-provision users and disable or delete access to all apps based on triggers from the HR system

Streamline User Experience:

  • Provide birthright access for new employees
  • When users move from one role to another, help ensure employees have the right level of access
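The joiner/mover/leaver flow described above, reduced to the SCIM 2.0 calls a provisioning gateway would issue to each target application, with the SoD check applied before any access is granted. This is an added example written for this post, not Kapstone or Oracle code; the role-to-group table, the SoD rule set, the application names and the HR event shape are constructed for the demo, and the user's `userName` stands in for the target's SCIM id, which a real dispatcher would resolve first.

```python
"""HR-event-driven provisioning as SCIM 2.0 operations (joiner / mover / leaver).

Added example for this post, not Kapstone or Oracle code. ROLE_GROUPS,
SOD_RULES, the application names and HrEvent are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Optional

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Assumed RBAC table: HR job role -> groups per target application (birthright access).
ROLE_GROUPS = {
    "AP Clerk":      {"fusion": {"AP_INVOICE_ENTRY"},   "epm": {"PLANNING_VIEWER"}},
    "AP Manager":    {"fusion": {"AP_INVOICE_APPROVE"}, "epm": {"PLANNING_VIEWER", "PLANNING_ADMIN"}},
    "AP Supervisor": {"fusion": {"AP_INVOICE_ENTRY", "AP_INVOICE_APPROVE"}},  # violates SOD_RULES
}
# Assumed segregation-of-duties rules: group pairs one account must never hold together.
SOD_RULES = {("AP_INVOICE_ENTRY", "AP_INVOICE_APPROVE")}


@dataclass
class HrEvent:
    kind: str                        # "hire" | "transfer" | "terminate"
    worker_id: str                   # HR person number, carried as SCIM externalId
    email: str                       # used as SCIM userName
    given: str
    family: str
    role: str
    prev_role: Optional[str] = None  # set for "transfer"


class SodViolation(Exception):
    pass


def groups_for(role, app):
    return set(ROLE_GROUPS.get(role, {}).get(app, set()))


def sod_violations(groups):
    """SoD rule pairs that `groups` contains in full, i.e. toxic combinations."""
    return sorted(r for r in SOD_RULES if set(r) <= set(groups))


def _op(app, method, path, body):
    return {"app": app, "method": method, "path": path, "body": body}


def _patch(operations):
    return {"schemas": [SCIM_PATCH], "Operations": operations}


def _members(action, user_ref):
    # RFC 7644 PATCH forms for group membership. `user_ref` is the userName;
    # a real dispatcher resolves it to the target's SCIM id before sending.
    if action == "add":
        return _patch([{"op": "add", "path": "members", "value": [{"value": user_ref}]}])
    return _patch([{"op": "remove", "path": f'members[value eq "{user_ref}"]'}])


def plan(e):
    """Translate one HR event into the ordered SCIM calls, per application.

    Raises SodViolation before any call is emitted if the target role's
    entitlements conflict, so a toxic combination is never provisioned.
    """
    apps = sorted({a for per_app in ROLE_GROUPS.values() for a in per_app})
    ops = []
    for app in apps:
        new = groups_for(e.role, app)
        if e.kind in ("hire", "transfer"):
            conflicts = sod_violations(new)
            if conflicts:
                raise SodViolation(f"{e.role} on {app}: {conflicts}")
        if e.kind == "hire":
            if not new:              # role grants nothing in this app: no account at all
                continue
            user = {"schemas": [SCIM_USER], "externalId": e.worker_id,
                    "userName": e.email, "title": e.role, "active": True,
                    "name": {"givenName": e.given, "familyName": e.family},
                    "emails": [{"value": e.email, "primary": True}]}
            ops.append(_op(app, "POST", "/Users", user))
            ops += [_op(app, "PATCH", f"/Groups/{g}", _members("add", e.email)) for g in sorted(new)]
        elif e.kind == "transfer":
            old = groups_for(e.prev_role, app)
            if not old and not new:
                continue
            # Remove before add: the account never holds old and new access at once.
            ops += [_op(app, "PATCH", f"/Groups/{g}", _members("remove", e.email)) for g in sorted(old - new)]
            ops += [_op(app, "PATCH", f"/Groups/{g}", _members("add", e.email)) for g in sorted(new - old)]
            ops.append(_op(app, "PATCH", f"/Users/{e.email}",
                           _patch([{"op": "replace", "value": {"title": e.role}}])))
        elif e.kind == "terminate":
            # Leaver: disable in every app (a 404 where no account exists is harmless)
            # rather than delete, keeping the audit trail and rehire correlation.
            ops.append(_op(app, "PATCH", f"/Users/{e.email}",
                           _patch([{"op": "replace", "value": {"active": False}}])))
        else:
            raise ValueError(f"unknown HR event kind {e.kind!r}")
    return ops


if __name__ == "__main__":
    hire = HrEvent("hire", "E1001", "ana.lopez@example.com", "Ana", "Lopez", "AP Clerk")
    for op in plan(hire):
        print(op["app"], op["method"], op["path"])
```

The mover case is where most real-world trouble sits: removing the old role's groups before adding the new ones keeps the account from holding both sets between two calls, and the SoD check runs against the role the user is moving into, not only at hire.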

Made available natively as a cloud service, the KP Provisioning Gateway is deployed on Oracle Cloud Infrastructure on a highly resilient, fault-tolerant architecture. Its key design principles are outlined below:

  • Cloud-native deployment, available as Software as a Service
  • Highly secure integration with on-premises applications, driven through a secure on-premises agent
  • OAuth 2.0 support
  • SCIM compliant
  • Group management
  • Custom attribute extension
  • Support for pre-process adapters

The unique capabilities of KP Provisioning Gateway that extend across all connected systems are outlined below:

1. Integration Service
Predefined connectors are designed for enterprise applications, and their architecture is based on the APIs the target system supports. There are scenarios in which a custom integration is needed to link the target system with the IGA or IDaaS platform. Kapstone's gateway provides a simple way to integrate with such target applications through generic REST, SQL and script connectors.

2. Extensibility
Kapstone Provisioning Gateway lets customers add custom logic before a create, update or delete account-provisioning operation runs on the target application. The hook can modify and validate target-application account data before the operation completes. Common customizations include deriving attribute values, validating data against another database, checking that prerequisites are met, handling service account password operations, and moving a user to a different organizational unit based on various criteria.

3. Not Linked/Orphan account detection and reporting: Once the KP Provisioning Gateway is connected to target applications or platforms, it pulls the account information from the target system and verifies it against the identity information in Oracle Identity Cloud Service. Accounts in the target system that do not correlate to a user identity in the governance platform (Oracle Identity Cloud Service) are marked as Not Linked/Orphan accounts. Because no HR-driven lifecycle event will ever reach such an account, each one needs an assigned owner or should be removed. Customer admins can view a detailed report of all orphan accounts, segregated by target application.

4. Inbuilt (automated) error handling / auto-retry option for failed user operations: The KP Provisioning Gateway lets customer administrators configure the system to retry user CRUD operations that fail on the original attempt. Admins can set the number of automated attempts and the interval between them separately for each application. Retries are only safe for operations the target treats idempotently; a retried create must not produce a second account for the same user. This feature alone helps resolve nearly 60% of the failed CRUD operations typically encountered in governance solutions.

5. Intuitive graphical interface for application attribute mapping: On deployment, the KP Provisioning Gateway connectors auto-discover the connected application's attributes and provide an easy, intuitive UI for customer admins to map them. Even custom attributes can be pulled and mapped through the user interface.

6. Application Maintenance Mode: During periods when a connected application is unavailable because of a system failure, planned downtime, an upgrade, etc., the KP Provisioning Gateway offers a "Maintenance Mode" for each application. Once the customer admin turns on Maintenance Mode for a particular application, all user operations (CRUD) for that application are stored in a queue and executed once the application is back up and available. Note that a queued disable or delete for a departing user is not effective until the application returns, so the queue should be drained promptly once it does, with de-provisioning operations first.

7. Single-click connector cloning: Once a connector is deployed in a lower environment (Dev/Test/Staging), it can be cloned to a new environment with a single click. KP Provisioning Gateway provides a connector cloning option in the user interface, greatly reducing time to deployment. Endpoints and credentials differ per environment and must be supplied for the new environment rather than carried over from the lower one.
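Item 3 above, worked as code: pull an application's accounts, correlate each against the identities the governance platform holds, and report the ones that do not link, segregated by application. This is an added example written for this post, not Kapstone or Oracle code; the identities, the account exports and the per-application correlation rules are constructed for the demo. It goes one step beyond the text by also reporting ambiguous matches (an account that correlates to more than one identity) and accounts still linked to an inactive identity, since both fall out of the same reconciliation pass and both are findings a reviewer wants to see.

```python
"""Reconciliation of target-application accounts against governance identities.

Added example for this post, not Kapstone or Oracle code. IDENTITIES,
ACCOUNTS and RULES are constructed for the demo.
"""
from collections import defaultdict

# Constructed identities, shaped like SCIM Users returned by the governance platform.
IDENTITIES = [
    {"id": "u-1001", "userName": "ana.lopez@example.com",  "externalId": "E1001", "active": True},
    {"id": "u-1002", "userName": "ben.okafor@example.com", "externalId": "E1002", "active": True},
    {"id": "u-1003", "userName": "cy.tan@example.com",     "externalId": "E1003", "active": False},
    {"id": "u-1004", "userName": "dup@example.com",        "externalId": "E1004", "active": True},
    {"id": "u-1005", "userName": "DUP@example.com",        "externalId": "E1005", "active": True},
]

# Constructed account exports pulled from two connected applications.
ACCOUNTS = {
    "fusion": [
        {"login": "ANA.LOPEZ@EXAMPLE.COM", "person_number": "E1001"},
        {"login": "ben.okafor@example.com", "person_number": None},  # HR key never populated
        {"login": "svc_batch_load", "person_number": None},          # service account, no owner
        {"login": "j.doe@example.com", "person_number": "E1999"},    # worker unknown to governance
    ],
    "epm": [
        {"login": "cy.tan@example.com"},
        {"login": "dup@example.com"},
    ],
}

# Per-application correlation rules, tried in order: (account field, identity field).
RULES = {
    "fusion": [("person_number", "externalId"), ("login", "userName")],
    "epm":    [("login", "userName")],
}


def _norm(value):
    return value.strip().lower() if isinstance(value, str) else None


def build_index(identities, fields):
    """field -> normalized value -> [identity ids]; a list longer than one means duplicates."""
    index = {f: defaultdict(list) for f in fields}
    for ident in identities:
        for f in fields:
            key = _norm(ident.get(f))
            if key:
                index[f][key].append(ident["id"])
    return index


def correlate(account, rules, index):
    """Return ("linked", id), ("ambiguous", [ids]) or ("orphan", None)."""
    for acct_field, id_field in rules:
        key = _norm(account.get(acct_field))
        if not key:
            continue
        hits = index[id_field].get(key, [])
        if len(hits) == 1:
            return "linked", hits[0]
        if hits:
            return "ambiguous", sorted(hits)
    return "orphan", None


def reconcile(accounts, identities, rules=RULES):
    """Per-application report: linked count, orphan and ambiguous logins,
    plus accounts linked to an identity that is no longer active."""
    active = {i["id"]: i["active"] for i in identities}
    fields = sorted({f for r in rules.values() for _, f in r})
    index = build_index(identities, fields)
    report = {}
    for app, accts in accounts.items():
        r = {"linked": 0, "orphan": [], "ambiguous": [], "linked_inactive": []}
        for acct in accts:
            status, ref = correlate(acct, rules[app], index)
            if status == "linked":
                r["linked"] += 1
                if not active[ref]:
                    r["linked_inactive"].append(acct["login"])
            else:
                r[status].append(acct["login"])
        report[app] = r
    return report


if __name__ == "__main__":
    for app, r in reconcile(ACCOUNTS, IDENTITIES).items():
        print(app, r)
```

Two details matter in practice: correlation keys are normalized (trimmed, case-folded) before matching, because target systems rarely agree with HR on case, and an account that matches more than one identity is reported separately rather than silently linked to the first hit, since linking it to the wrong person would hide a real orphan.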


Kapstone Provisioning Gateway is certified with Oracle Identity Cloud Service and is available through the Oracle Cloud Infrastructure Marketplace.

If you are interested in learning more, please visit our Oracle Marketplace listing and Kapstone Provisioning Gateway product overview page.

About Kapstone:
Kapstone is a leading Cloud Identity Security Solution Provider that focuses on providing intelligent, simple and cost-effective Identity Governance and Administration solutions and services.


