Currently, Oracle IDCS has no capability to send a password expiry notification when a user's password is about to expire or has already expired.
We use service accounts in our integrations, and if a service account's password has expired, any integration that uses it will start failing, for example when it invokes another integration through the REST adapter.
So instead of taking a reactive approach, we can proactively send a password expiry alert and take the necessary action before the integration starts failing.
This can be done by building a simple OIC integration that uses the IDCS REST API.
Below are the steps to achieve this:
1). Create an OAuth app in IDCS to access the IDCS REST API
2). Configure the connection in OIC for the IDCS REST API
3). Get the list of users/service accounts for which we need to send alerts
4). Create an OIC integration
Let us look at each step in detail.
1). Create an OAuth app in IDCS to access the IDCS REST API
We can create an OAuth app in IDCS similar to THIS
2). Configure the connection in OIC for the IDCS REST API
After we have created the OAuth app, we create an OIC REST adapter connection using the client ID, client secret, etc.
Host: https://tenant-base-url
We can follow the screenshots below:
3). Get the list of users/service accounts for which we need to send alerts
We could send password notifications for all users, but most of the time users log in via SSO federation, so password expiry doesn't matter for them.
Service users are different: we may be using them for purposes such as invoking another local integration through the REST adapter with basic auth, so their password expiry does matter.
So we can keep the list of service users in a CSV string like the one below:
'erp_integration,integrationuser,svc_tfe,erp_int_approv'
Next we need to iterate over each of these users, so we convert the CSV string to a nodeset.
We can refer to THIS link for converting a CSV string to a nodeset.
After we write the string to a file and read that file back, we iterate over each user:
For each user, we call the IDCS REST API with a filter on that specific user and request the attribute below:
urn:ietf:params:scim:schemas:oracle:idcs:extension:passwordState:User:lastSuccessfulSetDate
This gives us the date the password was last reset.
The endpoint looks like this:
{{IDCS HOST}}/admin/v1/Users?filter=userName eq "sumit_kumar"&attributes=id,userName,urn:ietf:params:scim:schemas:oracle:idcs:extension:passwordState:User:lastSuccessfulSetDate
The response will be like below:
Below is how we can configure our REST Adapter for the same in OIC:
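Outside OIC, the same lookup and expiry check can be written in Python. This is an added example, not part of the original post. The function names, the 120-day maximum age, the 14-day warning window, and the response shape (a SCIM list with `Resources`, the passwordState extension as a nested object) are assumptions; the sample responses are constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

PWD_STATE = "urn:ietf:params:scim:schemas:oracle:idcs:extension:passwordState:User"
ATTRS = f"id,userName,{PWD_STATE}:lastSuccessfulSetDate"
MAX_AGE_DAYS = 120  # assumption: replace with the expiry from your password policy
WARN_DAYS = 14      # assumption: how many days ahead to start alerting

def user_query_url(host, user_name):
    """Build the /admin/v1/Users query shown above, with the filter URL-encoded."""
    if '"' in user_name or "\\" in user_name:
        raise ValueError(f"unsafe character in user name: {user_name!r}")
    flt = quote(f'userName eq "{user_name}"', safe="")
    return f"{host}/admin/v1/Users?filter={flt}&attributes={quote(ATTRS, safe=',:')}"

def expiry_alerts(csv_users, responses, now):
    """Return (user, status, days_left) for every account that needs attention."""
    alerts = []
    for name in (u.strip() for u in csv_users.split(",") if u.strip()):
        resources = responses.get(name, {}).get("Resources", [])
        if not resources:  # typo in the CSV list, or the account was deleted
            alerts.append((name, "NOT_FOUND", None))
            continue
        set_date = resources[0].get(PWD_STATE, {}).get("lastSuccessfulSetDate")
        if set_date is None:  # attribute missing from the response
            alerts.append((name, "NO_SET_DATE", None))
            continue
        last_set = datetime.fromisoformat(set_date.replace("Z", "+00:00"))
        days_left = (last_set + timedelta(days=MAX_AGE_DAYS) - now).days
        if days_left < 0:
            alerts.append((name, "EXPIRED", days_left))
        elif days_left <= WARN_DAYS:
            alerts.append((name, "EXPIRING", days_left))
    return alerts

# Constructed sample responses keyed by user name (not real IDCS output).
def _resp(name, date):
    return {"Resources": [{"id": "x", "userName": name,
                           PWD_STATE: {"lastSuccessfulSetDate": date}}]}

SAMPLE = {
    "erp_integration": _resp("erp_integration", "2024-01-10T00:00:00.000Z"),
    "integrationuser": _resp("integrationuser", "2024-05-01T00:00:00.000Z"),
    "svc_tfe": _resp("svc_tfe", "2024-02-12T00:00:00.000Z"),
}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    users = "erp_integration,integrationuser,svc_tfe,erp_int_approv"
    print(*expiry_alerts(users, SAMPLE, NOW), sep="\n")
```

Reporting `NOT_FOUND` and `NO_SET_DATE` instead of skipping them keeps a misspelled or removed service account from silently dropping out of the alert run.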