It is a common requirement to create extension pages in VBCS where the PaaS IDCS is different from the Fusion Application IDCS.
In this case we embed, or provide a link to, our VBCS app in Oracle Fusion Application (FA).
By default, clicking this application link in FA hits the PaaS IDCS and prompts for login credentials, since VBCS takes its identity from the PaaS IDCS and identity propagation is not enabled.
So we need SAML SSO authentication to enable a smooth flow from FA to VBCS.
In addition, we may need to sync FA users and roles to the PaaS IDCS to organize and restrict access based on IDCS groups (which are created with the FA role names as part of the sync).
The SSO setup between PaaS IDCS (as IdP) and Fusion Application (as SP) is explained in THIS post.
There are different ways of enabling synchronization of roles and users between IDCS and FA; one of them is via the IDCS FA app, which we will look at in detail here.
After the SSO setup is done and tested, go to the Provisioning tab of the FA app which we created in IDCS as part of the SSO setup:
Provisioning can be done for all FA roles or for selected roles.
For selected FA roles we need to specify the ROLE CODE in provisioning.
To test this, let us create a custom role in FA and assign it to the users we want to create/sync in IDCS.
Log in to FA and go to the Security Console (with the IT Security Manager role).
Create the custom role and assign it to a user.
Click Next, and in the Users section search for and add the user.
Now the FA side of the provisioning setup is done.
Log in to IDCS as an administrator.
Go to menu -> Applications.
Search for the application we created for SSO.
Click the application to open its configuration.
Go to the Provisioning tab -> Enable Provisioning
- Provide the details:
- Provide FA's administrator username and password
- Provide the hostname of FA's Identity Integration Platform REST Services
- Port Number: "443"
- Check the "SSL Enabled" checkbox
- Provide the FA role codes you want to sync under Fusion Admin roles (for multiple roles, separate them with a new line)
After this, test the connectivity.
Now click the "Attribute Mapping" button to review and configure the attribute mapping between FA and IDCS.
In the screenshot above, Application to Identity Cloud is disabled; this option allows sync from FA to IDCS.
To enable it we need to check Authoritative Sync; if we then click Attribute Mapping again, it is enabled.
It is enabled now:
One thing to note here: by default federation is set to false. If you want to create users as federated users, set it to true as we have done in the screenshot above; if you want non-federated users, keep it false.
Select the create and update account option.
Note: a few scenarios and their results for the above options are:
- When a user has only a single role which is defined in provisioning, and this user is not assigned to any other group in IDCS -> if we revoke this role from the user in SaaS, the user gets deleted from IDCS during the next sync.
- When a user has only a single role which is defined in provisioning, and this user is assigned to another group in IDCS -> if we revoke this role from the user in SaaS, the user still gets deleted from IDCS during the next sync.
- When a user has multiple roles which are defined in provisioning, the user is assigned to that many role groups in IDCS -> if we revoke one role from the user in SaaS, during the sync the user is removed from that role group in IDCS and remains in the other role groups not yet revoked in SaaS; the user does not get deleted from IDCS.
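The three scenarios above, as an added model to reason about before revoking a role (this is not IDCS or Fusion code; the role codes, group names and users are constructed, and IDCS groups are assumed to be named after FA role codes as described in this post):

```python
"""Model of the three sync scenarios in the Note above (constructed data,
not IDCS or Fusion code). IDCS groups are named after FA role codes."""
from dataclasses import dataclass, field

# Role codes entered in the Provisioning tab (constructed values)
PROVISIONED_ROLES = {"XX_CUSTOM_ROLE", "XX_REPORT_VIEWER"}


@dataclass
class IdcsUser:
    groups: set = field(default_factory=set)  # IDCS group names


def sync(fa_roles_by_user, idcs_users, provisioned_roles=PROVISIONED_ROLES):
    """Return the IDCS state after one sync run.

    fa_roles_by_user: {username: set of FA role codes currently granted in FA}
    idcs_users:       {username: IdcsUser} current IDCS state (left unmodified)
    """
    result = {name: IdcsUser(set(u.groups)) for name, u in idcs_users.items()}
    for name in set(fa_roles_by_user) | set(idcs_users):
        wanted = fa_roles_by_user.get(name, set()) & provisioned_roles
        current = result.get(name)
        managed = current is not None and bool(current.groups & provisioned_roles)
        if not wanted and not managed:
            continue  # local IDCS user never synced from FA: untouched
        if not wanted:
            # Scenarios 1 and 2: no provisioned role left in FA -> the account
            # is deleted from IDCS, even if it belongs to other, non-FA groups
            del result[name]
            continue
        user = result.setdefault(name, IdcsUser())
        # Scenario 3: drop only the role groups revoked in FA, keep the rest,
        # and add groups for roles newly granted in FA
        user.groups -= provisioned_roles - wanted
        user.groups |= wanted
    return result


def deleted_on_next_sync(fa_roles_by_user, idcs_users):
    """Names the next sync would delete: review this before revoking a role."""
    after = sync(fa_roles_by_user, idcs_users)
    return sorted(set(idcs_users) - set(after))


if __name__ == "__main__":
    idcs = {"alice": IdcsUser({"XX_CUSTOM_ROLE"}),
            "bob": IdcsUser({"XX_CUSTOM_ROLE", "VBCS_Admins"}),
            "carol": IdcsUser({"XX_CUSTOM_ROLE", "XX_REPORT_VIEWER"})}
    fa = {"carol": {"XX_REPORT_VIEWER"}}  # XX_CUSTOM_ROLE revoked from everyone
    print(deleted_on_next_sync(fa, idcs))  # ['alice', 'bob']
```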
We can enable synchronization as below, selecting the desired options:
It will auto-sync based on the frequency we selected. We can go to the Import tab and see the status:
As part of the sync, this creates an IDCS group named after the FA role and assigns to it the users who have this role in FA (Fusion Application):
The user that got assigned to this group as part of provisioning and sync:
Since we set federation to true, it created a federated user:
We need to be careful while selecting the options for provisioning and synchronization; go through the scenarios mentioned in the Note above to get an idea of the effects.
We can use these SaaS role groups created in IDCS to grant access in our VBCS app.