Oracle IDCS is the core identity management system for many Oracle PaaS services and can also be used with Fusion Applications. As such it is often useful to be able to manipulate identity information from within OIC. In this post I will show how to connect to IDCS from within OIC. One use case for this was the training that Oracle Integration PMs deliver. We create unique user IDs for each training, and also need to unlock user accounts during training. By creating integrations to do this we were able to automate the provisioning of users, and a simple VBCS app could be used to unlock user accounts.
There are basically three steps involved in interfacing to IDCS from OIC: create a confidential application in IDCS that is allowed to call the IDCS REST API, create a REST connection in OIC that authenticates with that application, and build an integration that uses the connection.
Skip to the bottom of this blog for a summary of the settings required for each of the above activities, or read through for details of how to configure it step by step.
To create an IDCS application we follow the documentation instructions.
Log in to IDCS and go to the IDCS dashboard. From there we can click on the plus icon in the top right corner of the applications panel.
There are a number of different types of application. We need to create a "Confidential Application" from the IDCS dashboard.
We give our application a name and then move on to the next screen.
We can then choose to "Configure this application as a client now", select the grant type "Client Credentials" and add a role that allows the application to administer IDCS. Note when choosing a role be sure to follow the principle of least privilege. The "IDCS Domain Administrator" role shown in the screenshot is usually far too powerful for what you want to do, so choose a role with lower privilege levels. The AppRole Permissions page in the IDCS documentation will help you choose the least-privileged role for your required operations.
We have no resources of our own to protect, so we can skip the "Expose APIs to Other Applications" screen. We also don't need to enforce grants as authorization, so we can "Finish" adding our IDCS application. We will be rewarded with a popup screen showing the client ID and client secret (the client credentials) required to request an OAuth access token. The secret is only shown at this point, so copy it into a secure store rather than into a document or chat.
After activating the application we are ready to start using it. We can use Postman to verify that we correctly configured the IDCS application by requesting a token with the client credentials grant and calling the Users API with it.
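The same check can be scripted instead of using Postman. The block below is an added example and is not code from the original post or from Oracle: it builds the client-credentials token request the way IDCS expects it (client ID and secret as HTTP Basic credentials, grant type and scope in a form-encoded body), validates the token response, and decodes the token payload so you can confirm which client and scope IDCS actually granted before wiring the credentials into OIC. The tenant URL, client ID and client secret are constructed placeholders, and the `/oauth2/v1/token` endpoint and the `urn:opc:idm:__myscopes__` scope are assumptions to verify against the IDCS REST API documentation for your tenant.

```python
import base64
import json
import urllib.parse
import urllib.request

# Constructed placeholders: substitute your own tenant URL and the client ID /
# secret shown when the confidential application was created (assumed values).
IDCS_BASE_URL = "https://idcs-abc123.identity.oraclecloud.com"
CLIENT_ID = "c7e4c9d6example"
CLIENT_SECRET = "s3cr3t-example"

# Scope IDCS expects for its admin REST APIs (assumed; check the IDCS REST API
# documentation for your tenant).
ADMIN_SCOPE = "urn:opc:idm:__myscopes__"


def build_token_request(base_url, client_id, client_secret):
    """Build the OAuth 2.0 client-credentials request IDCS expects.

    The client ID and secret travel as HTTP Basic credentials and the grant
    type and scope go in a form-encoded body. Nothing is sent from here; the
    caller decides how to deliver the request.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "url": base_url.rstrip("/") + "/oauth2/v1/token",
        "headers": {
            "Authorization": "Basic " + basic,
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urllib.parse.urlencode(
            {"grant_type": "client_credentials", "scope": ADMIN_SCOPE}
        ),
    }


def parse_token_response(body):
    """Validate the token response and return the access token.

    Raises ValueError on an OAuth error or a non-Bearer token so that a
    mis-configured application fails here instead of as 401s inside OIC.
    """
    data = json.loads(body)
    if "error" in data:
        raise ValueError(f"token request failed: {data['error']}: "
                         f"{data.get('error_description', '')}")
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token_type {data.get('token_type')!r}")
    return data["access_token"]


def jwt_claims(token):
    """Decode a JWT payload without verifying the signature.

    Only for inspecting what IDCS granted (client_id, scope, exp); never use
    an unverified payload to make an authorization decision.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def fetch_token(base_url=IDCS_BASE_URL, client_id=CLIENT_ID,
                client_secret=CLIENT_SECRET):
    """Perform the token request over HTTPS (network access required)."""
    req = build_token_request(base_url, client_id, client_secret)
    http_req = urllib.request.Request(
        req["url"], data=req["body"].encode(), headers=req["headers"],
        method="POST")
    with urllib.request.urlopen(http_req, timeout=30) as resp:
        return parse_token_response(resp.read().decode())


if __name__ == "__main__":
    token = fetch_token()
    claims = jwt_claims(token)
    print("token issued to client", claims.get("client_id"),
          "with scope", claims.get("scope"))
```

If the granted scope or role is broader than the operations the integration needs, go back to the application's client configuration and tighten it before continuing; the token payload is the quickest place to see what the application was actually given.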
We will be using the IDCS REST API so we need to create a REST connection in OIC.
We will call it "IDCS REST" and give it the Invoke role only, as we will not be implementing the IDCS API ourselves, just calling it.
We now provide the endpoint configuration. We set the following fields:
We can now test our connection to verify that it works.
We will create an integration to return all the users in an IDCS instance. We will begin by creating an Application Driven Orchestration.
We will call it "List IDCS Users" and put it in a package called "idcs.sample".
I used the "Sample REST Trigger" that ships with OIC as the trigger to my integration.
I called the trigger "GetUsers" and left the multiple resource/verbs blank as I am only going to implement a single resource/verb in this sample.
I set the relative resource URI to "/users". I don't need any headers or parameters, but I do want a response.
I will return the following fields in my response:
This translates to the following JSON (an array of user objects):

[
  {
    "Username" : "TheUser1",
    "DisplayName" : "Friendly User 1",
    "Active" : true,
    "Locked" : false
  },
  {
    "Username" : "TheUser2",
    "DisplayName" : "Friendly User 2",
    "Active" : true,
    "Locked" : false
  }
]
The response type is automatically marked as json.
After verifying the configuration of the trigger I am ready to add an invoke.
We will create an invoke using the connection we created earlier.
We will call it "GetUsers" and configure it to issue a GET on "/admin/v1/Users" and receive a response.
We can get a response sample from the IDCS REST API documentation.
Other settings for the response are automatically completed for us.
We can then review the summary to ensure everything is as we expect.
With the trigger and invoke configured we can delete the request map to the invoke, since we are not passing any parameters to the query.
We can now perform the response mapping from the IDCS user resources to the four fields of our trigger response.
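The mapping above is done graphically in OIC; the block below is an added example, not code from the original post or from Oracle, showing the same mapping in Python together with a point the integration as described does not cover: `/admin/v1/Users` returns a SCIM ListResponse one page at a time, so "all users" means walking `startIndex`/`count` until `totalResults` is reached. The sample directory and the page-fetching stand-in are constructed for the example. The `userName`, `displayName` and `active` attributes are standard SCIM; the `urn:ietf:params:scim:schemas:oracle:idcs:extension:userState:User` extension with `locked.on` is my reading of the IDCS User resource and should be checked against the response sample in the IDCS REST API documentation.

```python
import json

# SCIM extension that carries the lock state of an IDCS user (assumed; check
# the response sample in the IDCS REST API documentation for your tenant).
USER_STATE_EXT = "urn:ietf:params:scim:schemas:oracle:idcs:extension:userState:User"


def map_user(resource):
    """Map one SCIM User resource onto the trigger's four response fields."""
    locked = resource.get(USER_STATE_EXT, {}).get("locked", {})
    return {
        "Username": resource.get("userName"),
        "DisplayName": resource.get("displayName"),
        "Active": bool(resource.get("active", False)),
        "Locked": bool(locked.get("on", False)),
    }


def list_all_users(fetch_page, page_size=50):
    """Collect every user by walking the SCIM ListResponse pages.

    fetch_page(start_index, count) must return the parsed JSON of
    GET /admin/v1/Users?startIndex=<start_index>&count=<count>. A single
    call returns at most one page, so it never returns "all users" on its own.
    """
    users = []
    start = 1  # SCIM startIndex is 1-based
    while True:
        page = fetch_page(start, page_size)
        resources = page.get("Resources", [])
        users.extend(map_user(r) for r in resources)
        total = page.get("totalResults", 0)
        # Stop on an empty page or once the last resource seen is the final one.
        if not resources or start + len(resources) > total:
            break
        start += len(resources)
    return users


# Constructed sample directory standing in for the IDCS tenant (not real data).
SAMPLE_USERS = [
    {"userName": "TheUser1", "displayName": "Friendly User 1", "active": True},
    {"userName": "TheUser2", "displayName": "Friendly User 2", "active": True,
     USER_STATE_EXT: {"locked": {"on": False}}},
    {"userName": "TheUser3", "displayName": "Friendly User 3", "active": False,
     USER_STATE_EXT: {"locked": {"on": True, "reason": 1}}},
]


def sample_fetch_page(start_index, count):
    """Stand-in for GET /admin/v1/Users that pages over SAMPLE_USERS."""
    chunk = SAMPLE_USERS[start_index - 1:start_index - 1 + count]
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
        "totalResults": len(SAMPLE_USERS),
        "startIndex": start_index,
        "itemsPerPage": len(chunk),
        "Resources": chunk,
    }


def trigger_response(page_size=2):
    """Payload the GetUsers trigger returns, as a JSON string."""
    return json.dumps(list_all_users(sample_fetch_page, page_size), indent=2)


if __name__ == "__main__":
    # A page size of 2 forces two round trips over the three sample users.
    print(trigger_response(page_size=2))
```

In OIC the equivalent is either a loop around the invoke that passes `startIndex` and `count` as query parameters, or an explicit decision that the integration only returns the first page. Returning only the attributes the trigger needs (SCIM's `attributes` query parameter, assumed to be supported by IDCS as by other SCIM servers) also keeps the invoke response, and the amount of identity data passing through the integration, to a minimum.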
We set up tracking using the "execute" input as a tracking value as there is no input to this integration.
We can now activate and test our integration.
The output from the test is shown below:
In this blog post we saw how to create an integration to interact with IDCS. Key points are:
We showed listing users, but we could have created users or modified settings in IDCS as well, depending on the permissions granted to the IDCS application.