Oracle Identity Cloud Service: Integrating with Oracle Identity Manager (OIM)

 

Before You Begin

Purpose

In this tutorial you learn to integrate Oracle Identity Manager (OIM) with Oracle Identity Cloud Service using a connector.

Time to Complete

60 minutes.

Background

Oracle Identity Cloud Service provides four different methods for managing entities (users, groups, and applications) and configurations in bulk. The OIM connector covered in this tutorial is the fourth.

Methods supported for managing users, groups, and applications in Identity Cloud Service

CSV files
  Description: Identity Domain Administrators or User Administrators manually download, edit, and upload a CSV file containing users or groups for bulk-loading in Oracle Identity Cloud Service.
  Characteristics:
  • Is the best way to manually bulk-load users and groups.
  • Is quick and convenient.
  • Does not require coding and integration skills.
  • Supports only user and group creation and modification (does not support deletion).
  • Requires human interaction (cannot be automated).

Identity Bridge
  Description: An Oracle Identity Cloud Service agent installed in your environment automatically and continuously synchronizes users and groups from your Microsoft Active Directory to Oracle Identity Cloud Service.
  Characteristics:
  • Is the best way to automatically and continuously synchronize your company users and groups from your Microsoft Active Directory to Oracle Identity Cloud Service when you don't have an identity management solution.
  • Leverages a Windows installer for setup and configuration.
  • Does not require coding skills.
  • Supports only unidirectional integration (from Active Directory to Oracle Identity Cloud Service).

REST API
  Description: The Oracle Identity Cloud Service REST APIs are used by your custom application for managing users and groups.
  Characteristics:
  • Is the best way to integrate a custom application with Oracle Identity Cloud Service.
  • Can be integrated with any programming language that supports cloud standards (REST, JSON, OAuth, and SCIM).
  • Requires coding skills.

OIM Connector (this tutorial)
  Description: An Oracle Identity Manager (OIM) connector is used to automatically and continuously provision and reconcile users and groups from OIM to Oracle Identity Cloud Service.
  Characteristics:
  • Is the best way to automatically and continuously synchronize your on-premises OIM with Oracle Identity Cloud Service in a hybrid cloud solution.
  • Leverages an out-of-the-box connector for integration.
  • Does not require coding skills.
  • Can leverage OIM enterprise governance features, such as Certification and Segregation of Duties with closed-loop remediation, for complete identity governance.

In this tutorial, you learn to integrate Oracle Identity Cloud Service with Oracle Identity Manager 11gR2 PS3.

What Do You Need?

  • Access to Oracle Identity Cloud Service as administrator (Identity Domain Administrator)
  • Familiarity with OIM 11gR2 PS3 administration
  • Administrative access to the OIM 11gR2 PS3 host, domain, and administrative consoles
 

Download and Install the Connector

  1. Access the Oracle Identity Management Connector Downloads page.
  2. Select Accept License Agreement and download the Oracle Identity Cloud Service connector ZIP file. If prompted, enter your Oracle single sign-on password.
  3. Copy the connector ZIP file to the OIM server in a separate folder (for example, /home/oracle/IDCS) and extract its contents.
  4. Access the OIM System Administration console (https://oim.example.com:14000/sysadmin) as administrator (xelsysadm).
  5. Click Manage Connector.
  6. Click Install.
  7. Enter /home/oracle/IDCS as Alternative Directory and click Refresh.
  8. Select Oracle Identity Cloud Service 11.1.1.5.0 from the Connector List and click Load.
  9. Click Continue.
    The connector installation page is displayed.
  10. Wait a few minutes until the connector installation is completed and click Exit.
  11. On the OIM server machine, open a terminal, and then purge the OIM cache:

    cd $OIM_ORACLE_HOME/server/bin
    ./PurgeCache.sh ALL
    

    Tip: If you are not familiar with the PurgeCache.sh utility, you can clean the OIM cache by restarting the OIM server.

 

Register the OIM Application in Oracle Identity Cloud Service

In this task, you create and activate the OIM Application entry in Oracle Identity Cloud Service.
This step is required for connecting OIM to Oracle Identity Cloud Service.

  1. In the Identity Cloud Service console, expand the Navigation Drawer , click Applications, and then click Add.
  2. Select Trusted Application or Confidential Application.
  3. Enter OIM Application as Name, Application entry for integration between OIM and IDCS as Description, and then click Next.
  4. Select Configure this application as a client now.
  5. Select Client Credentials as Allowed Grant Types.
  6. In the Client pane, scroll down, click the Add button below Grant the client access to Identity Cloud Service Admin APIs.
  7. In the Add App Role dialog window, select User Administrator in the list, and then click Add.
  8. Click Next in the Client pane and in the following panes until you reach the last pane. Then click Finish.
  9. Copy the Client ID and the Client Secret to a text file, return to the UI, and then click Close.
    Tip: The Client ID and Client Secret are the service credentials (ID and password) that the OIM connector uses to authenticate to Oracle Identity Cloud Service. Because this client holds the User Administrator role, treat the Client Secret like a privileged service account password: keep it in a protected location rather than a shared document, and delete the scratch text file once the IT Resource is configured.
  10. Click Activate, and then click Activate Application. A confirmation message appears.

At this point, you have an application entry with a Client ID and Client Secret for integrating OIM with Oracle Identity Cloud Service.

 

Configure the Identity Cloud Service IT Resource

  1. In a text editor, concatenate the Client ID and Client Secret into the following format:

    client_id:client_secret
  2. Copy the client_id:client_secret string to the clipboard.
  3. Launch a terminal on the OIM server, and then base64-encode the string. The -n flag keeps echo from appending a newline, which would otherwise be encoded into the value and break authentication:

    echo -n "clientid:clientsecret" | base64
  4. Paste the command output into a text editor. If the output is broken into more than one line, join the results into a single line with no text wrapping. (On GNU/Linux, echo -n "clientid:clientsecret" | base64 -w 0 produces a single line directly.)
  5. Prefix the output with Authorization=Basic and a space, so the final value has this form:

    "Authorization=Basic command_output"
    Tip: You will use this value later during the IT Resource configuration.
  6. Return to the OIM System Administration console and click IT Resource.
  7. Select Identity Cloud Services as IT Resource Type and click Search.
  8. Click Edit next to Identity Cloud Services.
  9. Modify the Identity Cloud Services IT Resource according to the table, and click Update.
    Identity Cloud Services - IT Resource Values

    Attribute               Value
    acceptType              application/json
    authenticationServerUrl https://example.oraclecloud.com/oauth2/v1/token
                            Note: Replace example.oraclecloud.com with your Oracle Identity Cloud Service host name.
    baseURI                 /admin/v1
    contentType             application/json
    customAuthHeaders       The value obtained in step 5, for example:
                            "Authorization=Basic MjYTl2ItYTQ1NC00ZTZlLWJmMGYtYzk2ZjIwZTljMjg0"
    grantType               client_credentials
    host                    example.oraclecloud.com
                            Note: Replace example.oraclecloud.com with your Oracle Identity Cloud Service host name.
    port                    443
    scope                   urn:opc:idm:__myscopes__
    sslEnabled              true
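The following shell script is an added example, not part of the Oracle connector or of this tutorial. It builds the customAuthHeaders value from a Client ID and Client Secret without the line-wrapping problem described in step 4, decodes the value back so you can confirm nothing was lost between terminal and editor, and, if you export IDCS_HOST, IDCS_CLIENT_ID and IDCS_CLIENT_SECRET (assumed variable names, not an Oracle convention), performs the same client_credentials token request the connector performs, using the authenticationServerUrl path, grantType and scope from the table above. The values clientid and clientsecret are constructed placeholders, not real credentials.

```shell
#!/bin/sh
# Added example (not Oracle's code): build and check the customAuthHeaders
# value for the Identity Cloud Services IT Resource, and optionally prove
# the client credentials work against the token endpoint before OIM uses them.

# build_custom_auth_header CLIENT_ID CLIENT_SECRET
# Emits exactly the string the IT Resource expects. `tr -d '\n'` strips the
# wrapping some base64 implementations insert every 76 characters, so the
# result is always one line regardless of platform.
build_custom_auth_header() {
    printf 'Authorization=Basic %s\n' \
        "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# decode_custom_auth_header VALUE
# Reverses the encoding so you can verify that no stray whitespace or
# newline crept into the id:secret pair while copying it around.
decode_custom_auth_header() {
    printf '%s' "${1#"Authorization=Basic "}" | base64 -d
}

# request_token HOST CLIENT_ID CLIENT_SECRET
# Same client_credentials grant the connector performs: HTTP Basic with the
# client id and secret, grant_type and the __myscopes__ scope from the table.
# Prints the raw JSON response; a working client returns an "access_token".
request_token() {
    curl -sS --fail \
        -X POST "https://$1/oauth2/v1/token" \
        -H 'Content-Type: application/x-www-form-urlencoded' \
        -u "$2:$3" \
        --data-urlencode 'grant_type=client_credentials' \
        --data-urlencode 'scope=urn:opc:idm:__myscopes__'
}

# Offline demo with constructed placeholder credentials.
header=$(build_custom_auth_header clientid clientsecret)
echo "customAuthHeaders = $header"
echo "decodes back to   = $(decode_custom_auth_header "$header")"

# Live check, only when the assumed environment variables are set.
if [ -n "${IDCS_HOST:-}" ] && [ -n "${IDCS_CLIENT_ID:-}" ] && [ -n "${IDCS_CLIENT_SECRET:-}" ]; then
    if request_token "$IDCS_HOST" "$IDCS_CLIENT_ID" "$IDCS_CLIENT_SECRET" | grep -q '"access_token"'; then
        echo "token endpoint accepted the client credentials"
    else
        echo "token request failed: check Client ID/Secret, application activation and the app role" >&2
        exit 1
    fi
fi
```

If the live check fails with an HTTP 401, the most common causes are a secret copied with a trailing newline (which the decode step exposes), an application that was never activated, or a client without the User Administrator app role granted in the previous task.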
 

Import the Identity Cloud Service SSL Certificate into the OIM Trust Store

Important: The OIM and Oracle Identity Cloud Service integration communicates only over HTTPS. For the TLS handshake to succeed, the OIM server's trust store must contain a certificate that validates the Oracle Identity Cloud Service server certificate.
In this section, you export the Oracle Identity Cloud Service HTTPS certificate from your browser and import it into the OIM trust stores.
Tip: Exporting the server (leaf) certificate pins trust to that single certificate, so the integration stops working when Oracle rotates it. For a longer-lived configuration, export and import the issuing CA certificate from the chain instead; the keytool commands below are the same.

  1. Access the Oracle Identity Cloud Service UI.
  2. To export the HTTPS certificate in Firefox:
    1. In the address bar, click the lock icon, click >, and then click More Information.
    2. Click View Certificate.
    3. Click Details and then click Export.
    4. Select X.509 Certificate (PEM) as type and save the certificate file on the OIM server (for example: /tmp/idcs.cer).
  3. Launch the OIM server terminal and enter the following command to import the certificate into the OIM JDK trust store:

    keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file /tmp/idcs.cer -storepass changeit -alias idcs
  4. When prompted, enter yes.
    The keytool utility should display the message Certificate was added to keystore.
  5. Enter the following command to import the certificate into the WebLogic demo trust store used by the OIM server:

    keytool -import -keystore $WL_HOME/server/lib/DemoTrust.jks -file /tmp/idcs.cer -storepass DemoTrustKeyStorePassPhrase -alias idcs
  6. When prompted, enter yes.
    The keytool utility should display the message Certificate was added to keystore.
    Note: DemoTrust.jks with DemoTrustKeyStorePassPhrase and cacerts with changeit are WebLogic and JDK defaults for development environments. If your OIM domain is configured with a custom trust store, import the certificate into that store instead.
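The following script is an added example (not Oracle's code) that does the same job from the OIM host's terminal instead of a browser: it fetches the full certificate chain Identity Cloud Service presents with openssl s_client, splits it into one PEM file per certificate, shows each certificate's subject, issuer and expiry, and imports the highest issuer the server sent (normally the intermediate CA) rather than the leaf, so a routine certificate rotation does not break the connector. SAMPLE_CHAIN is a constructed stand-in for s_client output with placeholder bodies so the split logic can be exercised offline; the live part runs only when IDCS_HOST is set (an assumed variable name) and uses the alias idcs-ca, which the tutorial does not.

```shell
#!/bin/sh
# Added example (not Oracle's code): fetch the IDCS certificate chain from
# the OIM host, split it, inspect it, and import the issuing CA.

# Constructed sample of `openssl s_client -showcerts` output for a
# two-certificate chain. The bodies are placeholders, NOT real certificates.
SAMPLE_CHAIN='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=example.oraclecloud.com
   i:/C=US/O=Example Issuing CA
-----BEGIN CERTIFICATE-----
LEAF-CERT-PLACEHOLDER
-----END CERTIFICATE-----
 1 s:/C=US/O=Example Issuing CA
   i:/C=US/O=Example Root CA
-----BEGIN CERTIFICATE-----
ISSUING-CA-PLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=example.oraclecloud.com'

# fetch_chain HOST PORT: print every certificate the TLS server sends.
# -servername sends SNI so a shared front end returns the certificate for
# this host name; </dev/null makes s_client exit after the handshake.
fetch_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# split_chain OUTDIR: read s_client output on stdin, write OUTDIR/cert-1.pem
# (the leaf), cert-2.pem (its issuer), ..., and print how many were written.
split_chain() {
    mkdir -p "$1"
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem"; inblock = 1 }
        inblock { print > f }
        /-----END CERTIFICATE-----/ { inblock = 0; close(f) }
        END { print n + 0 }
    '
}

# describe_cert FILE: subject, issuer and expiry, so you import what you intend.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# import_cert KEYSTORE STOREPASS ALIAS FILE: the tutorial's keytool step;
# -noprompt replaces the interactive "yes".
import_cert() {
    keytool -importcert -noprompt -keystore "$1" -storepass "$2" -alias "$3" -file "$4"
}

# Offline demo on the constructed sample.
demo_dir=$(mktemp -d)
count=$(printf '%s\n' "$SAMPLE_CHAIN" | split_chain "$demo_dir")
echo "constructed sample holds $count certificates; highest issuer is $demo_dir/cert-$count.pem"

# Live run only when IDCS_HOST is set (assumed variable name). Imports the
# highest certificate the server sent into the JDK cacerts the tutorial uses;
# repeat import_cert for DemoTrust.jks if OIM still relies on it.
if [ -n "${IDCS_HOST:-}" ]; then
    live_dir=$(mktemp -d)
    n=$(fetch_chain "$IDCS_HOST" 443 | split_chain "$live_dir")
    [ "$n" -ge 1 ] || { echo "no certificates received from $IDCS_HOST" >&2; exit 1; }
    for c in "$live_dir"/cert-*.pem; do describe_cert "$c"; done
    import_cert "$JAVA_HOME/jre/lib/security/cacerts" changeit idcs-ca "$live_dir/cert-$n.pem"
fi
```

Servers rarely send their root CA, so the last file is usually an intermediate; check its issuer and expiry in the describe_cert output, and if you need the root itself, obtain it from the CA's published bundle rather than from the TLS handshake.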
 

Reconcile Identity Cloud Service Groups and Managers

  1. In the Oracle Identity Cloud Service UI, access the Groups page and confirm that you have groups for reconciliation.
  2. Optionally, create the following two groups in Oracle Identity Cloud Service. These groups are referenced in the remainder of this tutorial.

    Identity Cloud Services - Groups for creation
    Group Name             Group Description
    JCS Administrators     Manages JCS instances
    Marketing Cloud Users  Users that will use Marketing Systems in the Cloud
  3. Access the OIM System Administration console and click Scheduler.
  4. Search for and open the IDCS Group Lookup Reconciliation scheduled job, and click Run Now.
  5. After a few seconds, click Refresh. Under Job History, confirm that the Job Status displayed is Success.
  6. To confirm that the Oracle Identity Cloud Service groups are reconciled, return to the System Administration console and click Lookups.
  7. Search for the lookup code Lookup.IDCS.Groups. From the search results, confirm that the lookup contains the groups from Oracle Identity Cloud Service.
    This indicates that the group reconciliation was successful.
  8. Repeat the previous steps to run the IDCS Manager Lookup Reconciliation scheduled job and validate that the lookup Lookup.IDCS.Managers contains administrators from Oracle Identity Cloud Service.
    This indicates that the manager reconciliation was successful.
 

Expose Identity Cloud Service in the Catalog

  1. In the OIM System Administration console, click Sandboxes.
  2. Click Create Sandbox and create a sandbox using the following attributes:

    Attributes for the IDCS sandbox
    Attribute            Value
    Sandbox Name         IDCS
    Sandbox Description  Expose IDCS in the catalog
    Activate Sandbox     selected
  3. Click OK and confirm that the IDCS sandbox status is Active.
  4. Click Form Designer.
  5. Click Create.
  6. Create the IDCSUser01 form as follows:

    Attributes for the IDCSUser01 Form
    Attribute      Value
    Resource Type  IDCS User
    Form Name      IDCSUser01
    Form Type      Parent Form + Child Tables (Master/Detail)

    A confirmation message is displayed.
  7. Click Application Instances.
  8. Click Search.
  9. From the search results, click Identity Cloud Service Application Instance.
  10. Select IDCSUser01 as Form and click Apply.
    A confirmation message is displayed.
  11. Click Sandboxes (IDCS). Select and publish the IDCS sandbox.
  12. Click Published Sandboxes and confirm that the IDCS sandbox is published.
  13. To expose the Identity Cloud Service Application Instance in the catalog, click Scheduler, then open and run the Catalog Synchronization Job scheduled job.
 

Test the Integration

 

Request Identity Cloud Service in OIM

  1. Access the OIM Identity Self Service console as xelsysadm.
  2. Click Request Access > Request for Others.
  3. Select a user (for example, Kenny Vesterdal), click Add, and then click Next.
  4. Add the JCS Administrators, the Marketing Cloud Users, and the Identity Cloud Service Application Instance items to the cart and click Next.
  5. Click Update. Provide a justification and click Submit.

    OIM displays a confirmation that a request is submitted for approval. Record the request number.

  6. Click Pending Approvals.
  7. Select the pending approval with the ID corresponding to your request and click Actions > Approve.
    OIM displays a confirmation message.
 

Verify the Provisioning to Oracle Identity Cloud Service

  1. Click Manage and then click Users.
  2. Click the user provisioned to Identity Cloud Service (for example, Kenny Vesterdal).
  3. Click Accounts and confirm that the Identity Cloud Service Application Instance status is Provisioned.
  4. Click Entitlements and check the provisioning status for the Oracle Identity Cloud Service groups.
    This confirms that Kenny Vesterdal's provisioning is marked as successful in OIM.
  5. Access the Oracle Identity Cloud Service console, expand the Navigation Drawer, and then click Users.
  6. Click a user provisioned to Identity Cloud Service (for example, Kenny Vesterdal) and then click the Groups tab.
  7. Oracle Identity Cloud Service displays Kenny Vesterdal as a member of the JCS Administrators and Marketing Cloud Users groups.
    This confirms that Kenny Vesterdal is correctly provisioned in Oracle Identity Cloud Service.
  8. Sign out of Identity Cloud Service and close your browser.
 

Access Identity Cloud Service as a Provisioned User

  1. Access the user's email, open the welcome notification from Identity Cloud Service, and click Activate Account.
  2. Follow the instructions to activate the user account.
  3. Select Click here to continue and confirm that the My Apps page is displayed for the provisioned user.
    Tip: The My Apps page displays the cloud applications available to the provisioned user in Identity Cloud Service.
 

What's Next? Explore Hybrid Identity Governance Scenarios

At this point, you have OIM integrated with Oracle Identity Cloud Service using the Identity Cloud Service connector. This integration allows you to manage Oracle Identity Cloud Service users directly from OIM, which provides the following benefits:

OIM and Identity Cloud Service integration benefits

User management from a single dashboard
  You use the OIM Identity Self Service console alone to manage accounts for systems on premises and in the cloud, which simplifies identity management work and removes redundant UIs.

Reuse of OIM features already implemented in your company, such as email approvals and workflows, for the cloud
  These features apply consistently to requests raised from OIM for target systems on premises and in the cloud, without creating configuration redundancy or silos.

Ability to use Identity Cloud Service as an identity hub for cloud systems, while reducing the integration burden on OIM
  Oracle Identity Cloud Service offers quick ways to integrate with cloud systems using standards such as OAuth 2.0 and OpenID Connect. You can leverage these capabilities for fast integration, reducing the work on OIM and OAM. The list of integrated cloud systems can grow rapidly without point-to-point integrations in your on-premises systems.

As a next step, you can explore the integration and implement cross-cloud Identity Governance capabilities such as:

OIM and Identity Cloud Service integration capabilities

Full identity automation
  Configure OIM Access Policies that automatically grant and revoke access for both on-premises systems and Oracle Identity Cloud Service. This integration can manage not only user onboarding and termination, but also events such as vacation or temporary leave. Using Identity Cloud Service as a hub extends the user status to the systems integrated in the cloud.

Hybrid audit and governance
  Configure OIM governance and reporting features over on-premises systems plus the Oracle Identity Cloud Service accounts and groups. Governance and audit teams can then access consolidated reports (for cloud and on-premises systems) from the same place (BI Publisher embedded with OIM).

Hybrid certification
  Configure OIM certification definitions across on-premises systems and Oracle Identity Cloud Service. Implemented well, this lets OIM managers certify access for both on-premises and cloud systems in a single review, reducing review time.
  Tip: To learn more, try the Implementing Hybrid Certification tutorial.

Hybrid Segregation of Duties
  Configure OIM Identity Audit policies for on-premises systems and Oracle Identity Cloud Service together. OIM then captures toxic combinations of access both reactively and proactively, including SoD violations that span on-premises and cloud systems (for example, a user must not be a system administrator on an on-premises system and also have access to SaaS systems in the cloud).
  Tip: To learn more, try the Implementing Hybrid Segregation of Duties (SoD) tutorial.

Hybrid reporting
  Run OIM's out-of-the-box reports from BI Publisher. These reports provide consolidated information about users and the identity system both on premises and in the cloud.
  Tip: To learn more, try the Implementing Hybrid Reporting tutorial.
 

Want to Learn More?

 

Credits

  • Developer(s): Frederico Hakamine.