Saturday, September 12, 2020

Using the Service Integration Account with No Password Expiration in OIC

Oracle Integration provides an option to create a service integration account whose password does not expire. The service integration account consists of a generic application role created with specific predefined rules. We can use this account when we need to invoke integrations or start/install the on-premises connectivity agent and require that the account password does not expire.

The following steps are needed to create a service integration account:

  • Step 1: Register a Confidential Application in IDCS (this will be used to get the token needed to create the service integration account)
  • Step 2: Get the Client ID, Client Secret, Access Token URL, Scope and Grant Type
  • Step 3: Obtain an Access Token in POSTMAN
  • Step 4: Create and Configure the Service Integration Application

To make REST API calls to the Oracle Identity Cloud Service (IDCS) environment, we need an OAuth2 access token for authorization; these APIs cannot be called with basic authentication.


Note:

We will not have OIC console access with the service account (the console returns an invalid user/password error), but we can access the OIC host through Postman, SoapUI, etc. using basic authentication.

Use the Service Developer role if you want to use the service integration account to install/start the agent.

Below we take the Service User role as the example.

We can assign the Service Developer role to this application manually as well as through curl or Postman.

Manual steps: Identity Console -> Applications or Oracle Cloud Services (whichever is applicable) -> OIC instance -> Application Roles tab -> Service Developer role -> Assign Application -> add the service integration account application.



Now we will see each step in detail:

  • Step 1: Register a Confidential Application in IDCS
To create and register a confidential application, follow the steps and screenshots below.

Log in to the Oracle Identity Cloud Service instance (for example: https://tenant-base-url/ui/v1/adminconsole) with Identity Domain Administrator credentials.






Click on the icon shown in the screenshot below and then click on Applications.





Now click on the Add icon.



Select Confidential Application as the type of application.




Enter an application name and a description, and then click Next.





On the Authorization page, define the following items:
  • Select the Configure this application as a client now option.
  • Select Client Credentials from the Allowed Grant Type section.


  • At the bottom of the page, click the plus icon under Grant the client access to Identity Cloud Service Admin APIs.

  • Select Identity Domain Administrator. Everything the Identity Domain Administrator can do will then be accessible with this client's credentials.




  • Click Next, choose Skip for later on the Resources page, and then click Finish.





  • Make a note of the Client ID and the Client Secret that appear in the confirmation window, and then click Close.





Click Activate in the upper-right section of the page to activate the application.


At this point our client application is ready and activated.

------------------------------------------------------------------------------------------------------------------------

Step 2: Get Client ID, Client Secret, Access Token URL and Scope


We noted down the client ID and client secret in the previous step.
We also need the access token URL, scope and grant type to generate an access token in Postman.
The access token URL has the following form:

https://tenant-base-url/oauth2/v1/token
Example:

Scope will be: urn:opc:idm:__myscopes__
Grant type will be: Client Credentials


--------------------------------------------------------------------------------------------------------------------------------

Step 3: Obtain an Access Token in POSTMAN

  • Launch the Postman app
  • Create a new request
  • Go to the Authorization tab and select the type "OAuth 2.0"
  • Now we need to generate an access token for IDCS using the client application we created above.
We have the required details:

Client ID:        xxxxxxxxxxxxxd4ea28xxxxxx6303113605
Client Secret:    xxxx-5ffa-466d-xxxx-8fa07f682104
Access Token URL: https://tenant-base-url/oauth2/v1/token
Scope:            urn:opc:idm:__myscopes__
Grant type:       Client Credentials


  • Click on "Get New Access Token"


  • Provide the required details listed above and click on "Request Token"


  • An access token will be generated under the name given as "Token Name"



  • Click on the token name and you will see the base64 token on the right side. Click on "Use Token"





---------------------------------------------------------------------------------------------------------------------------

  • Step 4: Create and Configure the Service Integration Application


Create the service integration application.

  1.     Use the access token obtained above
  2.     Create an application with the _BASICAUTH suffix using that access token

Endpoint: https://(IDCS Domain)/admin/v1/Apps
Example:  https://idcs-xxxxxxxxxxxxb98ab36d56bb9076778v.identity.oraclecloud.com/admin/v1/Apps

Method: POST



Sample request JSON payload. Adjust the values that were highlighted in yellow in the original post, such as the displayName and name (keeping the _BASICAUTH suffix):

{
  "active": true,
  "allUrlSchemesAllowed": false,
  "allowAccessControl": false,
  "allowedGrants": [
    "client_credentials",
    "urn:ietf:params:oauth:grant-type:jwt-bearer"
  ],
  "attrRenderingMetadata": [
    { "name": "aliasApps", "visible": false }
  ],
  "basedOnTemplate": {
    "value": "CustomWebAppTemplateId"
  },
  "clientType": "confidential",
  "displayName": "XXOICTESTClient_BASICAUTH",
  "editableAttributes": [
    { "name": "allowedGrants" },
    { "name": "protectableSecondaryAudiences" },
    { "name": "asOPCService" },
    { "name": "accessTokenExpiry" },
    { "name": "linkingCallbackUrl" },
    { "name": "isOAuthResource" },
    { "name": "appIcon" },
    { "name": "clientType" },
    { "name": "refreshTokenExpiry" },
    { "name": "trustScope" },
    { "name": "landingPageUrl" },
    { "name": "audience" },
    { "name": "samlServiceProvider" },
    { "name": "isLoginTarget" },
    { "name": "redirectUris" },
    { "name": "allowedScopes" },
    { "name": "tags" },
    { "name": "logoutUri" },
    { "name": "allowedOperations" },
    { "name": "termsOfUse" },
    { "name": "serviceParams" },
    { "name": "certificates" },
    { "name": "aliasApps" },
    { "name": "schemas" },
    { "name": "isWebTierPolicy" },
    { "name": "trustPolicies" },
    { "name": "logoutPageUrl" },
    { "name": "secondaryAudiences" },
    { "name": "displayName" },
    { "name": "serviceTypeURN" },
    { "name": "icon" },
    { "name": "description" },
    { "name": "isOAuthClient" },
    { "name": "allowedTags" },
    { "name": "showInMyApps" },
    { "name": "isObligationCapable" },
    { "name": "isMobileTarget" },
    { "name": "allowOffline" },
    { "name": "idpPolicy" },
    { "name": "appSignonPolicy" },
    { "name": "postLogoutRedirectUris" },
    { "name": "isFormFill" },
    { "name": "loginMechanism" },
    { "name": "serviceTypeVersion" },
    { "name": "errorPageUrl" },
    { "name": "signonPolicy" },
    { "name": "identityProviders" },
    { "name": "isSamlServiceProvider" },
    { "name": "appThumbnail" },
    { "name": "loginPageUrl" },
    { "name": "scopes" },
    { "name": "allowAccessControl" },
    { "name": "isKerberosRealm" },
    { "name": "allUrlSchemesAllowed" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:encryptionAlgorithm" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:groupAssertionAttributes" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:includeSigningCertInSignature" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:signResponseOrAssertion" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:assertionConsumerUrl" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:nameIdUserstoreAttribute" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:logoutResponseUrl" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:succinctId" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:logoutRequestUrl" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:partnerProviderId" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:nameIdFormat" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:logoutBinding" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:userAssertionAttributes" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:signatureHashAlgorithm" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:metadata" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:encryptAssertion" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:logoutEnabled" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:encryptionCertificate" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:signingCertificate" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:federationProtocol" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:webTierPolicy:App:webTierPolicyJson" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:bundleConfigurationProperties" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:isAuthoritative" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:enableSync" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:adminConsentGranted" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:connected" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:flatFileBundleConfigurationProperties" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:threeLeggedOAuthCredential" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:bundlePoolConfiguration" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:flatFileConnectorBundle" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:revealPasswordOnForm" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:userNameFormTemplate" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:userNameFormExpression" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:formCredentialSharingGroupID" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:formCredMethod" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:syncFromTemplate" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:configuration" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:formFillUrlMatch" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:formType" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:masterKey" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:maxRenewableAge" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:maxTicketLife" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:supportedEncryptionSaltTypes" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:realmName" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:ticketFlags" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:defaultEncryptionSaltType" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:requestable:App:requestable" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:revealPasswordOnForm" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:userNameFormExpression" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:formType" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:formCredMethod" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:configuration" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:formFillUrlMatch" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:formCredentialSharingGroupID" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:userNameFormTemplate" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:dbcs:App:domainApp" },
    { "name": "active" },
    { "name": "grantedAppRoles" },
    { "name": "userRoles" },
    { "name": "adminRoles" },
    { "name": "clientSecret" }
  ],
  "infrastructure": false,
  "isAliasApp": false,
  "isManagedApp": false,
  "isMobileTarget": false,
  "isOAuthClient": true,
  "isOAuthResource": false,
  "isOPCService": false,
  "isSamlServiceProvider": false,
  "isUnmanagedApp": false,
  "isWebTierPolicy": false,
  "loginMechanism": "OIDC",
  "migrated": false,
  "name": "XXOICTEST_BASICAUTH",
  "showInMyApps": false,
  "trustScope": "Explicit",
  "urn:ietf:params:scim:schemas:oracle:idcs:extension:requestable:App": {
    "requestable": false
  },
  "schemas": [
    "urn:ietf:params:scim:schemas:oracle:idcs:App",
    "urn:ietf:params:scim:schemas:oracle:idcs:extension:requestable:App"
  ]
}



---------------------------------------------------------------------------------------------------------------

Once we run the request, we get a response like the one below. Note the ID of this app.



We can check the created application in IDCS as well.





Note the application ID, client ID, and client secret of this application.




Now we will fetch the app role ID of "Service User" for the OIC instance to which we need to add the service integration account.


Method: GET

URL: https://{IDCS_HOST}/admin/v1/AppRoles?attributes=groups,urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User:appRoles&filter=displayName+co+%22ServiceUser%22+and+app.value+eq+%22${OIC_APP_ID}%22

Example:

https://{IDCS_HOST}/admin/v1/AppRoles?attributes=groups,urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User:appRoles&filter=displayName+co+%22ServiceUser%22+and+app.value+eq+%224e7ad097fe434be2a4bd81414d934681%22




The response will be as below:




Now we will use the app role ID of "Service User" and grant it to the service integration account.

Method: POST

Endpoint: https://${IDCS_HOST}/admin/v1/Grants

Sample payload:

{
  "app": {
    "value": "${OIC_APP_ID}"
  },
  "entitlement": {
    "attributeName": "appRoles",
    "attributeValue": "${OIC_APP_ROLE_ID}"
  },
  "grantMechanism": "ADMINISTRATOR_TO_APP",
  "grantee": {
    "value": "${SI_APP_ID}",
    "type": "App"
  },
  "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:Grant"]
}



Note:

OIC_APP_ID -> the OIC integration instance to which we need to assign the service integration account and grant the Service User role.
OIC_APP_ROLE_ID -> the app role ID of "Service User" fetched in the previous step.
SI_APP_ID -> the service integration account app ID.


Example:

{
  "app": {
    "value": "4e7ad097fe434be2a4bd81414d934681"
  },
  "entitlement": {
    "attributeName": "appRoles",
    "attributeValue": "5c6e8e23c5db4930a8f3513d5aa82d6b"
  },
  "grantMechanism": "ADMINISTRATOR_TO_APP",
  "grantee": {
    "value": "6dba35049b9f40828d2791f1089edf85",
    "type": "App"
  },
  "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:Grant"]
}



After we run this request, we can see that the service integration account application has been assigned the Service User role on the specified OIC integration instance.





Now, if we want to use this service integration account to install/start an on-premises agent, we also need to assign the "Service Developer" role to this service integration account application on this OIC integration instance.

To do this we can grant the "Service Developer" role the same way we granted "Service User" above.

Or we can do it manually. The steps are:

Identity Console -> Applications or Oracle Cloud Services (whichever is applicable) -> select OIC instance -> Application Roles tab -> Service Developer role -> Assign Application -> add the service integration account application
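The role lookup and grant from this step, scripted as an added example (not code from the original post). It builds the same AppRoles filter and Grants payload shown above and, because the SCIM filter uses a substring match, requires exactly one exact displayName hit before granting; the role_name parameter lets the same call be reused for the Service Developer role. IDCS_HOST, the bearer token from Step 3 and the app IDs are placeholders supplied by the caller.

```python
# Added example (not from the original post); host, token and app IDs are placeholders.
import json
import urllib.parse
import urllib.request
from typing import Optional

# SCIM attributes requested on the AppRoles call, as in the post's URL.
APPROLE_ATTRIBUTES = ("groups,urn:ietf:params:scim:schemas:oracle:idcs:"
                      "extension:user:User:appRoles")

def role_filter(oic_app_id: str, role_name: str = "ServiceUser") -> str:
    """URL-encode the SCIM filter that finds an app role on one OIC instance."""
    return urllib.parse.quote_plus(
        f'displayName co "{role_name}" and app.value eq "{oic_app_id}"')

def approles_url(idcs_host: str, oic_app_id: str, role_name: str = "ServiceUser") -> str:
    return (f"https://{idcs_host}/admin/v1/AppRoles?attributes={APPROLE_ATTRIBUTES}"
            f"&filter={role_filter(oic_app_id, role_name)}")

def extract_role_id(list_response: dict, role_name: str = "ServiceUser") -> str:
    """Pick the role id from the SCIM ListResponse. The filter's 'co' is a substring
    match, so e.g. "ServiceUserTest" would match too: require an exact displayName
    and exactly one hit before granting anything."""
    hits = [r for r in list_response.get("Resources", [])
            if r.get("displayName") == role_name]
    if len(hits) != 1:
        raise LookupError(f"expected exactly one {role_name} role, found {len(hits)}")
    return hits[0]["id"]

def grant_payload(oic_app_id: str, role_id: str, si_app_id: str) -> dict:
    """Body for POST /admin/v1/Grants, same shape as the post's sample payload."""
    return {
        "app": {"value": oic_app_id},
        "entitlement": {"attributeName": "appRoles", "attributeValue": role_id},
        "grantMechanism": "ADMINISTRATOR_TO_APP",
        "grantee": {"value": si_app_id, "type": "App"},
        "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:Grant"],
    }

def call_idcs(url: str, token: str, payload: Optional[dict] = None) -> dict:
    """GET (no payload) or POST (JSON payload) with the Step 3 bearer token."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())

def grant_app_role(idcs_host, token, oic_app_id, si_app_id, role_name="ServiceUser"):
    """Look up role_name on the OIC instance, then grant it to the SI application."""
    roles = call_idcs(approles_url(idcs_host, oic_app_id, role_name), token)
    return call_idcs(f"https://{idcs_host}/admin/v1/Grants", token,
                     grant_payload(oic_app_id, extract_role_id(roles, role_name), si_app_id))
```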










Now that we have granted the roles, we will run some requests against the OIC integration instance to which we assigned the service integration account application, to check that it is working.

Go to Postman -> Create a new request -> use the endpoint that lists all integrations -> set the Authorization type to Basic and provide the Client ID and Client Secret of the service integration account app as username and password -> Send the request




The response will look like the one below, listing the integrations:



Since we have also granted the "Service Developer" role, we can use this account (client ID and secret as username and password) to install/start agents.



