
Antony Reynolds' Blog

Connecting to IDCS from Oracle Integration

Antony Reynolds
Senior Director Integration Strategy

Oracle IDCS is the core identity management system for many of Oracle PaaS services and can also be used with Fusion Applications. As such it is often useful to be able to manipulate identity information from within OIC. In this post I will show how to connect to IDCS from within OIC. One use case for this was the training that Oracle Integration PMs deliver. We create unique user ids for each training, and also have a need to unlock user accounts during training. By creating integrations to do this we were able to automate the provisioning of users and a simple VBCS app could be used to unlock user accounts.

Overview

There are basically three steps involved in interfacing to IDCS from OIC.

  1. Create an IDCS Application that will be used to provide OAuth client credentials to the integration.
  2. Create an OIC Connection to IDCS using these credentials.
  3. Create the integration using the Connection to do what you want with IDCS.

Skip to the bottom of this blog for a summary of the settings required for each of the above activities or read through for details of how to configure it step by step.

Creating an IDCS Application

To create an IDCS application we follow the documentation instructions.

Login to IDCS and go to the IDCS dashboard. From there we can click on the plus icon in the top right corner of the applications panel.

There are a number of different types of application. We need to create a "Confidential Application" from the IDCS dashboard.

We give our application a name and then move on to the next screen.

We can then choose to "Configure this application as a client now", select grant type "Client Credentials" and add a role to allow administering of the IDCS. Note when choosing a role be sure to follow the principle of least privilege. The "IDCS Domain Administrator" shown in the screenshot is usually too powerful for what you want to do, so choose a role with lower privilege levels. The AppRole Permissions page in the IDCS documentation will help you choose a role with least privilege for your required operations.

There are no resources needed to be protected so we can skip the "Expose APIs to Other Applications" screen. We also don't need to enforce grants as authorization so we can "Finish" adding our IDCS application. We will be rewarded with a popup screen showing the client ID and client credentials required to request an OAuth access token.

After activating the application we are now ready to start using it. We can use Postman to verify that we correctly configured the IDCS application.

Create an OIC Connection

We will be using the IDCS REST API so we need to create a REST connection in OIC.

We will call it "IDCS REST" and mark it as an invoke role only as we will not be implementing the IDCS API ourselves, just calling it.

We now provide the endpoint configuration. We set the following fields:

  • Connection Type to be "REST API Base URL"
  • Connection URL to be our IDCS URL (https://idcs-?????????.identity.oraclecloud.com)
  • Security Policy to be "OAuth Client Credentials"
  • Access Token URI should be based on our IDCS URL with a path of "oauth2/v1/token" (https://idcs-?????????.identity.oraclecloud.com/oauth2/v1/token)
  • Client Id as obtained from our IDCS application.
  • Client Secret as obtained from our IDCS application.
  • Scope should be "urn:opc:idm:__myscopes__"

We can now test our connection to verify that it works.

Creating an Integration to Query IDCS

We will create an integration to return all the users in an IDCS instance. We will begin by creating an Application Driven Orchestration.

We will call it "List IDCS Users" and put it in a package called "idcs.sample".

I used the "Sample REST Trigger" that ships with OIC as the trigger to my integration.

I called the trigger "GetUsers" and left the multiple resource/verbs blank as I am only going to implement a single resource/verb in this sample.

I set the URL to be "/users" but I don't need any headers or parameters. I do however want a response.

I will return the following fields in my response:

  • DisplayName
  • Username
  • Lock Status
  • Active Status

This translates to the following json:

[
  {
    "Username" : "TheUser1",
    "DisplayName" : "Friendly User 1",
    "Active" : true,
    "Locked" : false
  },
  {
    "Username" : "TheUser2",
    "DisplayName" : "Friendly User 2",
    "Active" : true,
    "Locked" : false
  }
]

The response type is automatically marked as json.

After verifying the configuration of the trigger I am ready to add an invoke.

We will create an invoke using the connection we created earlier.

We will call it "GetUsers" and configure it to call "/admin/v1/Users" and get a response.

We can get a response sample from the IDCS REST API documentation.

Other settings for the response are automatically completed for us.

We can then review the summary to ensure everything is as we expect.

With the trigger and invoke configured we can delete the map to the invoke as we are not parameterizing the query.

We can now perform the response mapping.
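To show what the OIC REST adapter does on our behalf when it uses the "IDCS REST" connection and the "GetUsers" invoke, here is an added example in plain Python; it is not code from the original post or from Oracle. It performs the same three steps: obtain an access token with the client-credentials grant from the IDCS token endpoint using the scope above, call "/admin/v1/Users" (walking the SCIM pages), and reduce each user resource to the four response fields of the integration. The IDCS URL, client id and client secret are placeholders to replace with your own values. The lock status is read from the IDCS userState SCIM extension ("urn:ietf:params:scim:schemas:oracle:idcs:extension:userState:User", attribute "locked.on"); that attribute name is an assumption from the IDCS user schema and is not shown on this page, as is the sample list response, which is constructed rather than captured.

```python
import base64
import json
import urllib.parse
import urllib.request

# Placeholders: replace with the values from your own IDCS confidential application.
IDCS_URL = "https://idcs-PLACEHOLDER.identity.oraclecloud.com"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER"
SCOPE = "urn:opc:idm:__myscopes__"
# Assumed SCIM extension carrying the lock status (not shown on the page).
USERSTATE_EXT = "urn:ietf:params:scim:schemas:oracle:idcs:extension:userState:User"


def build_token_request(idcs_url, client_id, client_secret, scope=SCOPE):
    """Return (url, headers, body) for the client-credentials token call.

    Client id and secret travel in an HTTP Basic Authorization header; grant
    type and scope in a form-encoded body. Kept separate from the network call
    so the request can be inspected without an IDCS instance.
    """
    url = idcs_url.rstrip("/") + "/oauth2/v1/token"
    credentials = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": "Basic " + credentials,
        "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    return url, headers, body


def get_access_token(idcs_url=IDCS_URL, client_id=CLIENT_ID, client_secret=CLIENT_SECRET):
    """POST to the token endpoint and return the bearer token (network call)."""
    url, headers, body = build_token_request(idcs_url, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def fetch_users_page(idcs_url, token, start_index=1, count=50):
    """GET one SCIM page of /admin/v1/Users (network call)."""
    query = urllib.parse.urlencode({"startIndex": start_index, "count": count})
    req = urllib.request.Request(
        f"{idcs_url.rstrip('/')}/admin/v1/Users?{query}",
        headers={"Authorization": "Bearer " + token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def map_user(resource):
    """Reduce one SCIM user resource to the integration's response shape."""
    locked = resource.get(USERSTATE_EXT, {}).get("locked", {})
    return {
        "Username": resource.get("userName"),
        "DisplayName": resource.get("displayName"),
        "Active": bool(resource.get("active", False)),
        "Locked": bool(locked.get("on", False)),
    }


def map_users(scim_list_response):
    """Map a SCIM ListResponse body to the array returned by the integration."""
    return [map_user(r) for r in scim_list_response.get("Resources", [])]


def list_all_users(idcs_url=IDCS_URL, client_id=CLIENT_ID, client_secret=CLIENT_SECRET):
    """Walk every page of /admin/v1/Users and return the mapped user list."""
    token = get_access_token(idcs_url, client_id, client_secret)
    users, start = [], 1
    while True:
        page = fetch_users_page(idcs_url, token, start_index=start)
        users.extend(map_users(page))
        per_page = page.get("itemsPerPage", 0)
        start += per_page
        if not per_page or start > page.get("totalResults", 0):
            return users


# Constructed sample ListResponse (not a real capture): one active unlocked
# user and one deactivated, locked user.
SAMPLE_LIST_RESPONSE = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 2, "startIndex": 1, "itemsPerPage": 2,
    "Resources": [
        {"userName": "TheUser1", "displayName": "Friendly User 1", "active": True,
         USERSTATE_EXT: {"locked": {"on": False}}},
        {"userName": "TheUser2", "displayName": "Friendly User 2", "active": False,
         USERSTATE_EXT: {"locked": {"on": True, "reason": 1}}},
    ],
}

if __name__ == "__main__":
    # Offline demonstration of the response mapping on the constructed sample.
    print(json.dumps(map_users(SAMPLE_LIST_RESPONSE), indent=2))
```

Running the module as a script maps the constructed sample without touching the network; `list_all_users()` performs the real token request and user listing once the placeholders are filled in. The token is requested with exactly the scope configured on the OIC connection, so an application granted only a low-privilege AppRole, as recommended above, will receive a token that can read users but not administer the whole identity domain.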

We set up tracking using the "execute" input as a tracking value as there is no input to this integration.

We can now activate and test our integration.

The output from the test is shown below:

Summary

In this blog post we saw how to create an integration to interact with IDCS. Key points are:

  • Create IDCS Application
    • "Confidential Application" Type
    • Grant Type "Client Credentials"
    • Remember Client ID and Client Secret
  • Create IDCS Connection in OIC
    • REST Adapter
    • Connection Type "REST API Base URL"
    • Connection URL "https://idcs-?????????.identity.oraclecloud.com"
    • Security Policy "OAuth Client Credentials"
    • Access Token URI "https://idcs-?????????.identity.oraclecloud.com/oauth2/v1/token"
    • Client Id from IDCS application.
    • Client Secret from IDCS application.
    • Scope "urn:opc:idm:__myscopes__"
  • Create OIC integration
    • Invoke Path "/admin/v1/Users" for listing users

We showed listing users, but we could have created or modified settings in IDCS as well, depending on the permissions granted in the IDCS application.
