Thursday, April 20, 2023

How to Sync Users and Groups between two Different IDCS

While implementing Oracle Cloud, we may have a situation where we have two different IDCS instances (for example, a PaaS IDCS and an EPM IDCS). We would want to integrate all our Oracle applications through SSO and synchronize users and groups between them.

When we have two different IDCS instances and want SSO and synchronization between them, with one acting as the IdP, we can follow either of the two approaches below at the source IDCS:

  1. Use Generic SCIM Client Credentials app
  2. Use Oracle Identity Domain App

We will see both in this post. First we will look at the Generic SCIM app and its limitation, and then at the benefit of using the Oracle Identity Domain app in this use case.

The Generic SCIM app is explained first, even though the Oracle Identity Domain app is the better choice here, because we should understand how it works and where it falls short. Most of the steps are common to both approaches, and the SCIM app can be reused in other use cases, so working knowledge of it will help us.

Using the Generic SCIM Client Credentials App

  • Add a confidential application to the destination/target IDCS. This app is used for authentication by the SCIM app (or by the Oracle Identity Domain app in the second approach); in this section we use it with SCIM, and the Oracle Identity Domain app is covered later.
  • Since this app lives in the target IDCS and only provides authentication, the same app serves both of our examples.

We can grant the app the user administrator or IDCS administrator role. Here I have given both.


Save and activate the app.

In the Source IDCS

  • Add the Generic SCIM Client Credentials application to the source IDCS from the app catalog.


Under the Provisioning tab, fill in the details as shown below and test connectivity (the details come from the target IDCS confidential app we created in the previous step).



A sample configuration looks like this:

Host Name: idcs-1122222abcd.identity.oraclecloud.com
Base URI: /admin/v1
Client Id: aef600ef540a64753bb4fdfd4507c56de
Client Secret: 9f66093f-7a0c-4bb3-ae89-967aa4c7f1hf
Scope: urn:opc:idm:__myscopes__
Authentication Server Url: https://idcs-1122222abcd.identity.oraclecloud.com/oauth2/v1/token
To pull the groups from the target IDCS into provisioning, enable synchronization and click Refresh Application Data.
Save and activate the app.

  • Create an "anchor group" on both systems and assign that group to the application. Preferably, the groups we want to assign to users and synchronize should be present in both the source and the target IDCS.


  • Assign access to the application for the source-system group to be synced. While assigning the application to the group (or the group to the application) a popup appears in which we must select the matching group; these groups come from the target IDCS. Only if we select and add a group here will the user be synced to the target along with the group assignment or revocation. Otherwise only the user details are synced and the group is not assigned to that user in the target IDCS.

Now click on the Groups tab and assign the group.

Add the anchor group to the SCIM application and add the source group as a filter within that group.

The group below is from the source IDCS. When we click Assign, a popup window appears in which we need to select the specific group from the target IDCS to which it will be synced.


Scroll down to Groups and click Add.

The groups in this popup are from the target IDCS. It takes some time for them to sync after we click Refresh Application Data; if they do not appear, save the app after clicking Refresh Application Data and wait a while.

Now we search for our group: xxtestEPMGroup
Select it and click OK.

Now, if we create a user in the source IDCS and add it to this group, the user is automatically created in the target IDCS with the group assigned.
We can now disable synchronization: it was only needed to refresh the application data and fetch the target IDCS groups that we selected above. Provisioning alone takes care of pushing user updates to the target IDCS instantaneously.
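As an added example (not part of the original post), the Python script below rebuilds offline what the app does when we click Test Connectivity and Refresh Application Data, and adds the check that the anchor/synced groups exist on both sides before we assign them. It forms the OAuth2 client-credentials token request against the target confidential app, builds the SCIM search for a target group by display name, and compares the group names returned by the source and target IDCS. The host, client id, secret and scope are the post's own sample values; the SCIM ListResponse bodies are constructed sample data and the group names are assumed; nothing is sent over the network.

```python
"""Offline check of an IDCS provisioning configuration (added example, not from the post)."""
import base64
import json
from urllib.parse import urlencode

# Provisioning-tab settings, using the post's sample values. Base URI is only
# needed by the Generic SCIM app; the post notes the Oracle Identity Domain app
# has no Base URI field.
TARGET_CFG = {
    "host_name": "idcs-1122222abcd.identity.oraclecloud.com",
    "base_uri": "/admin/v1",
    "client_id": "aef600ef540a64753bb4fdfd4507c56de",
    "client_secret": "9f66093f-7a0c-4bb3-ae89-967aa4c7f1hf",
    "scope": "urn:opc:idm:__myscopes__",
    "auth_server_url": "https://idcs-1122222abcd.identity.oraclecloud.com/oauth2/v1/token",
}

# Constructed SCIM ListResponse bodies, as /admin/v1/Groups would return them.
SOURCE_GROUPS_JSON = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 2,
    "Resources": [{"displayName": "xxtestEPMGroup"}, {"displayName": "xxPaaSOnlyGroup"}],
})
TARGET_GROUPS_JSON = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 2,
    "Resources": [{"displayName": "xxtestEPMGroup"}, {"displayName": "xxEPMOnlyGroup"}],
})


def build_token_request(cfg):
    """Client-credentials token request the app sends to the target's OAuth endpoint.

    Returns (url, headers, form_body); the secret travels only in the Basic header.
    """
    creds = f"{cfg['client_id']}:{cfg['client_secret']}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": cfg["scope"]})
    return cfg["auth_server_url"], headers, body


def build_group_search_url(cfg, display_name):
    """SCIM search for one group by displayName, i.e. what the assignment popup looks up."""
    # Backslashes and double quotes inside a SCIM filter value are backslash-escaped.
    safe_name = display_name.replace("\\", "\\\\").replace('"', '\\"')
    query = urlencode({"filter": f'displayName eq "{safe_name}"', "attributes": "displayName"})
    return f"https://{cfg['host_name']}{cfg['base_uri']}/Groups?{query}"


def group_names(list_response):
    """Extract the displayName values from a SCIM ListResponse (JSON text or dict)."""
    if isinstance(list_response, str):
        list_response = json.loads(list_response)
    if "urn:ietf:params:scim:api:messages:2.0:ListResponse" not in list_response.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    return {r["displayName"] for r in list_response.get("Resources", [])}


def missing_at_target(source_groups, target_groups):
    """Source group names with no counterpart at the target, sorted for stable output."""
    return sorted(set(source_groups) - set(target_groups))


def check_anchor_groups(source_list_response, target_list_response):
    """Names of source groups that would sync users without a group assignment at target."""
    return missing_at_target(group_names(source_list_response), group_names(target_list_response))


if __name__ == "__main__":
    url, headers, body = build_token_request(TARGET_CFG)
    print("POST", url)
    print("  ", body)
    print("GET ", build_group_search_url(TARGET_CFG, "xxtestEPMGroup"))
    print("missing at target:", check_anchor_groups(SOURCE_GROUPS_JSON, TARGET_GROUPS_JSON))
```

Any group listed as missing has to be created in the target IDCS (or dropped from the source assignment) before users in it are provisioned; otherwise, as described above, the user is created at the target without the group.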


Important note:
This works perfectly except for one case:

The Generic SCIM app template, when used to connect to IDCS stripes, does not support forceDelete at the target. Instead of the "Generic SCIM" app template we should use the "Oracle Identity Domain" app template, which is specially designed to connect IDCS stripes.

Using the Oracle Identity Domain App

For IDCS-to-IDCS sync Oracle provides the "Oracle Identity Domain" app template, which is specially designed to connect IDCS stripes.

Most of the steps we saw above for the SCIM app apply to this app as well.

We reuse the confidential app from the target IDCS, but in the source IDCS we use the Oracle Identity Domain app instead of the Generic SCIM app.

The provisioning steps, group assignment, etc. all remain similar for this app as well. There is a minor difference in the way connectivity is configured.

Let us see it in the screenshots.

Search for the Oracle Identity Domain app in the app catalog.


Details from the target IDCS and its confidential app:

Host Name: idcs-1122222abcd.identity.oraclecloud.com
Client Id: aef600ef540a64753bb4fdfd4507c56de
Client Secret: 9f66093f-7a0c-4bb3-ae89-967aa4c7f1hf
Scope: urn:opc:idm:__myscopes__
Authentication Server Url: https://idcs-1122222abcd.identity.oraclecloud.com/oauth2/v1/token

We can see a small difference in the connectivity configuration compared to the Generic SCIM app: there is no Base URI here.

Apart from this there is no difference. All steps (provisioning, attribute mapping, refreshing application data to get the groups from the target IDCS, the way groups are assigned to the app, etc.) remain the same as for the Generic SCIM app.

In conclusion, if we have two different IDCS instances to keep in sync, we should go with the Oracle Identity Domain app instead of Generic SCIM, so that cleanup/forceDelete happens smoothly.

One other thing to note about sync: if we want to synchronize user lifecycle events (deactivation, activation, and changes to mapped attributes), we need to raise an SR with Oracle, and they will deploy a CM/CR to enable the lifecycle management feature.

The Generic SCIM app can be used with systems other than IDCS.

In the next post we will see how to create a SAML app to enable SSO between these two IDCS instances.