Running Bridge for Active Directory (Active Directory as source)


Before You Begin

Purpose

This tutorial shows you how to use the Bridge for Active Directory to synchronize user accounts between Oracle Fusion Applications and Active Directory. Active Directory is configured as the source of truth.

Time to Complete

Approximately 90 minutes

Background

The Bridge for Active Directory is a Java client application (referred to as "the client" in this document) that can be used to synchronize users and groups/roles between Oracle Fusion Applications (FA) and Active Directory (AD). User synchronization is required for setting up Single Sign-On (SSO) between Oracle Fusion Applications and Active Directory.

The client synchronizes information between a source and a target:

  • The Source, also called the Source of Truth, refers to the system that contains the user and role information that will be copied to the target.
  • The Target is the system that will be updated to contain the same user and role information as the Source.

In this exercise you will do the following:

  • Configure the client so that Active Directory will be the source and Fusion will be the target.
  • Create user accounts in Active Directory
  • Synchronize these user accounts with Fusion Applications
  • Create persons in Fusion Applications
  • Link these persons to the user accounts that were synchronized from Active Directory
  • Log into Fusion Applications using Single Sign-On

What Do You Need?

  • You will need to enable Single Sign-On between Fusion Applications and your Active Directory instance. Details can be found in Fusion Applications Technology: Master Note on Fusion Federation (Doc ID 1484345.1).
  • A computer running the Windows operating system with the Java Runtime Environment (JRE) installed. The client can be run on JRE versions 6, 7, and 8. Ensure that this computer can connect to your Active Directory server.

Configure Bridge for Active Directory

Setup Connection Information


  1. Sign in to Oracle Fusion Applications with an account that has the "IT Security Manager" role.

  2. Click on the Navigator icon.

    [Screenshot: Access Navigator]
  3. Click on the Security Console menu option.

  4. Click on the Administration tab.

  5. Click on Bridge for Active Directory.

  6. Go to the Configuration tab.

  7. Expand the Base Configuration section.

    • Set Source of Truth to "Oracle Fusion Applications".

    • Set Role Integration to On.

    • Enter a password in Reset APPID Password. This password will be used by the client to connect to Fusion Applications.

    • Accept defaults for the remaining fields.

    [Screenshot: Base Configuration]
  8. Expand the Active Directory Configuration section.

    • Enter the host name and port number for your Active Directory server.

    • Check the Enable SSL box if needed.

    • Set the User Base DN field to the Distinguished Name of the location in your Active Directory from which the client will fetch user accounts.

    • Set the Search Base DN field to the same value as the User Base DN.

    • Set the "User Search" filter to an LDAP query that will be used to fetch user accounts from your Active Directory server.

      • e.g. (&(objectClass=user)(!(objectClass=computer)))
    • Set the Group Base DN field to the Distinguished Name of the location in your Active Directory from which the client will fetch groups.

    • Set the "Group Search" filter to an LDAP query that will be used to fetch roles from your Active Directory server.

      • e.g. (objectClass=group)
    [Screenshot: Active Directory Configuration]
  9. Click Save.

  10. Click OK on the Confirmation popup.

Download Bridge for Active Directory

You will now download the client to the computer which has access to your Active Directory server.

  1. Click on Launch to download the client.

    [Screenshot: Download Client]
  2. Click OK on the message "Launch Bridge for Active Directory". This will download the client installer (a .jnlp file).

  3. Launch the downloaded file from your browser.

  4. Enter the Fusion Applications credentials to log in to Fusion Applications.

    • Use an account which has the "IT Security Manager" role.
    • Upon successfully logging in, the client will be installed.
    [Screenshot: Client Login]
  5. Click on Run to launch the client.

    • Log in again using the account that has the "IT Security Manager" role.
    • Upon successfully logging in, the client will be installed.
    [Screenshot: Run Client]
  6. Click on the Configuration tab.

    • Under Active Directory, enter the username and password to connect to your Active Directory server.
    • Under Oracle Fusion Applications, enter the APPID password you created in the previous section.
    • Click Save.
    [Screenshot: Configure Client]
  7. The client will now synchronize setup information from Active Directory to Fusion Applications.

    • Click OK.

Map Fusion Applications attributes to Active Directory attributes

  1. Click on User Attribute Mappings.

  2. Click Add.

  3. Map an Active Directory attribute to a Fusion Applications attribute, as needed.

    [Screenshot: Map an attribute]
  4. Repeat steps 2 and 3 for as many mappings as required. A typical mapping looks as follows:

      Source (AD)       Target (FA)
      mail              email.value
      sAMAccountName    username
      displayName       displayName
      givenName         name.givenName
      sn                name.familyName
  5. Expand Advanced Attribute Mapping.

  6. Disable Synchronize User Account Status.

  7. Click Save.

  8. Click OK on the confirmation popup.
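
The following is an added example and is not code from the Oracle tutorial or from the Bridge client itself. It applies the tutorial's "User Search" filter and the attribute mapping table above to a few constructed AD entries (the entries and the e-mail address are made up), to show which objects such a filter selects and what the mapped Fusion user record looks like. The one point worth seeing in working code is why the filter carries (!(objectClass=computer)): in Active Directory the computer class derives from user, so a computer account also matches (objectClass=user) and would otherwise be synchronized as a Fusion user. The parser handles only the &, | and ! operators and simple attr=value items, which covers the two filters given in the tutorial.

```python
"""Added example (not Oracle's code): apply the tutorial's User Search filter
and AD -> FA attribute mapping table to constructed AD entries."""

# Values from the tutorial; the trailing "." in its examples is punctuation.
USER_SEARCH_FILTER = "(&(objectClass=user)(!(objectClass=computer)))"
USER_ATTRIBUTE_MAPPINGS = {
    "mail": "email.value",
    "sAMAccountName": "username",
    "displayName": "displayName",
    "givenName": "name.givenName",
    "sn": "name.familyName",
}

# Constructed sample entries, not real directory data. In AD the computer class
# derives from user, so a computer object also carries objectClass=user; the
# (!(objectClass=computer)) clause is what keeps it out of the sync.
SAMPLE_ENTRIES = [
    {"objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": "marcus.oxford", "mail": "marcus.oxford@example.com",
     "givenName": "Marcus", "sn": "Oxford", "displayName": "Marcus Oxford"},
    {"objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "sAMAccountName": "WS01$", "displayName": "WS01"},
    {"objectClass": ["top", "group"], "sAMAccountName": "FA-Employees"},
]


def parse_filter(text):
    """Parse a minimal RFC 4515 filter: &, |, ! and attr=value items."""
    pos = 0

    def item():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in ("&", "|"):
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(item())
            node = (op, children)
        elif op == "!":
            pos += 1
            node = ("!", [item()])
        else:
            end = text.index(")", pos)
            attr, _, value = text[pos:end].partition("=")
            node, pos = ("=", (attr, value)), end
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return node

    node = item()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node


def attribute_values(entry, attr):
    """LDAP attribute names are case-insensitive and may be multi-valued."""
    for key, value in entry.items():
        if key.lower() == attr.lower():
            return value if isinstance(value, list) else [value]
    return []


def matches(node, entry):
    op, arg = node
    if op == "&":
        return all(matches(child, entry) for child in arg)
    if op == "|":
        return any(matches(child, entry) for child in arg)
    if op == "!":
        return not matches(arg[0], entry)
    attr, value = arg
    return any(v.lower() == value.lower() for v in attribute_values(entry, attr))


def map_user(entry):
    """Build the FA user record from an AD entry via the mapping table; a
    dotted target such as name.givenName becomes a nested dictionary."""
    record = {}
    for source, target in USER_ATTRIBUTE_MAPPINGS.items():
        values = attribute_values(entry, source)
        if not values:
            continue  # attribute absent in AD: leave the FA field unset
        node = record
        *path, leaf = target.split(".")
        for part in path:
            node = node.setdefault(part, {})
        node[leaf] = values[0]
    return record


def select_users(entries, ldap_filter=USER_SEARCH_FILTER):
    """Entries the client would fetch with this filter, mapped to FA records."""
    node = parse_filter(ldap_filter)
    return [map_user(entry) for entry in entries if matches(node, entry)]
```

Running select_users(SAMPLE_ENTRIES) returns a single record for marcus.oxford; passing the bare filter (objectClass=user) instead also returns the WS01$ computer account, which is the case the tutorial's filter is written to exclude.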

Map Active Directory Groups to Fusion Applications Roles

  1. Click on Group Mappings.

  2. Click Add.

  3. Map an Active Directory group to a Fusion role, as needed.

    [Screenshot: Map an attribute]
  4. Repeat steps 2 and 3 for as many mappings as required.

  5. Click Save

  6. Click OK on the confirmation popup.

Perform initial synchronization of users

You will now synchronize the existing users in Fusion Applications to Active Directory.

  1. Go to the Synchronization tab on the client.

  2. Click Run Now.

    [Screenshot: Initial Synchronization]

Configure policies for user account generation

Disable automatic user account creation for Persons in Fusion Applications


  1. Sign in to Oracle Fusion Applications with an account that has administrative privileges.

  2. Click on the Navigator.

  3. Click on Setup and Maintenance.

  4. Enter Manage Enterprise HCM Information in the search text box and click the search icon.

    [Screenshot: Manage Enterprise Information]
  5. Click on the Manage Enterprise HCM task.

  6. Click the Edit button and select Correct.

  7. Expand the User and Role Provisioning Information section.

    • Set User Account Creation to "None".

    • Set User Account Role Provisioning to "Both person and party users".

    • Set User Account Maintenance to "Both person and party users".

    [Screenshot: User and Role Provisioning]
  8. Click the Submit button.

  9. Click Yes on the Warning pop-up message.

  10. Click OK on the Confirmation message.

  11. Click Done.

Create user account in Active Directory

  1. Create an account in Active Directory Users and Computers.

    • Enter Name: Marcus Oxford
    • Enter User name: marcus.oxford
    [Screenshot: Create AD Account]
  2. Click Next.

    • Enter a password.
    [Screenshot: Set AD password]
  3. Click Next. Click Finish.

  4. Click on the newly created account to view its details.

    • Click the Member Of tab.
    • Assign one or more groups to this user account.
    [Screenshot: Set AD password]
  5. Click OK to save changes.

Synchronize user account from Active Directory to Fusion Applications

Synchronize user accounts

Using the client, synchronize the account created in Active Directory to Fusion Applications.

  1. Click on the Synchronization tab. Click Run Now.

    [Screenshot: Synchronize from AD to FA]

Confirm that the user account has been created in Fusion Applications

  1. Sign in to Oracle Fusion Applications with an account that has the "IT Security Manager" role.

  2. Select the Navigator menu

  3. Click on Security Console.

  4. Click on the User Accounts tab

  5. Search for the newly created user account (e.g. marcus.oxford) to confirm that it was created. Note that the Person Number field is empty because the user account is not linked to a Person.

    [Screenshot: User Account Search]
  6. Click on the user account to view its details. Confirm that the AD groups are assigned to the account as Fusion Applications roles.

    [Screenshot: User Account Details]

Link user account to a Person - Oracle HCM Cloud

Use this section only if you create persons using the Oracle HCM Cloud.

You can link persons to the user account synchronized from Active Directory in the following ways:

  • Option 1 - Manually create a person in the UI and link it to the user account
  • Option 2 - Create a person and automatically link it to the user account using HCM Data Loader (HDL)

Note: If you would like to try out both options below, you must create and synchronize one user account for each option.

Option 1 - Manually link account using the Person Management UI

Hire an Employee

  1. Sign in to Oracle HCM Cloud with an account that has a role that allows you to create Persons

  2. Click on the Navigator.

  3. Click on New Person.

  4. Click on the Panel Drawer on the right.

  5. Click on Hire Employee.

    [Screenshot: Hire Employee]
  6. Fill in the required fields for Identification.

    • Enter Hire Date, Hire Action, Hire Reason, Legal Employer

    • Enter Last Name, First Name (e.g. Oxford, Marcus)

    • Enter any other mandatory fields configured in your environment

    [Screenshot: Identification]
  7. Click Next.
  8. Fill in the required fields for Person Information.

    • Enter Home Address

    • Enter any other mandatory fields configured in your environment

    [Screenshot: Person Information]
  9. Click Next.
  10. Fill in the required fields for Employment Information.

    • Enter Business Unit, Assignment Status

    • Enter any other mandatory fields configured in your environment

    [Screenshot: Assignment Information]
  11. Click Next.
  12. Click Next.
  13. Click Submit.
  14. Click Yes on the Warning popup.
  15. Click OK at the Confirmation popup.

Link the newly created Employee (Person) to the user account

  1. Click on the Navigator icon.

  2. Click on Person Management.

  3. Search for the newly created employee (Marcus Oxford).

    [Screenshot: Person Search]
  4. View the details for the employee. Click on the panel drawer and select Manage User Account.

    [Screenshot: View Person Detail]
  5. Click on the Actions menu. Select Create User Account.

  6. Click Link User Account. Select Search in the pop-up window.

    [Screenshot: Search User Account]
  7. Search for the user account that was synchronized (marcus.oxford). Select this account.

    [Screenshot: Search User Account]
  8. Click OK. Click OK.

  9. Click Save. Click Yes on the Warning message box. The account and its associated roles are now linked to this person.

    [Screenshot: Linked User Account]
  10. Click Done. Click Yes on the Warning message box.

Option 2 - Load person information and automatically link to user account using HDL

Create and load HDL file

In this section you will create a person and link this person to the user account that was previously synchronized from Active Directory.

  1. Create an HDL file called Worker.dat to load a worker. A sample is provided below. You will have to tailor this file to match the data set up in your environment.

  2. Sample Worker.dat:

    METADATA|Worker|SourceSystemOwner|SourceSystemId|EffectiveStartDate|EffectiveEndDate|PersonNumber|StartDate|DateOfBirth|ActionCode
    MERGE|Worker|HCMQA-001|SSID1_PMH304WRKR_1|2017/01/27|4712/12/31|PMH304WRKR_1|2017/01/27|1970/01/01|HIRE

    METADATA|PersonName|SourceSystemOwner|SourceSystemId|EffectiveStartDate|EffectiveEndDate|PersonId(SourceSystemId)|NameType|LegislationCode|Title|LastName|FirstName|MiddleNames
    MERGE|PersonName|HCMQA-001|SSID1_PMH304PN_1|2017/01/27|4712/12/31|SSID1_PMH304WRKR_1|GLOBAL|US|MR.|Oxford|Marcus|X

    METADATA|PersonLegislativeData|SourceSystemOwner|SourceSystemId|EffectiveStartDate|EffectiveEndDate|PersonId(SourceSystemId)|LegislationCode|Sex|MaritalStatus
    MERGE|PersonLegislativeData|HCMQA-001|SSID1_PMH304PLD_1|2017/01/27|4712/12/31|SSID1_PMH304WRKR_1|US|M|M

    METADATA|WorkRelationship|SourceSystemOwner|SourceSystemId|PersonId(SourceSystemId)|LegalEmployerName|DateStart|WorkerType|PrimaryFlag
    MERGE|WorkRelationship|HCMQA-001|SSID1_PMH304WR_1|SSID1_PMH304WRKR_1|Cox-6-HX1|2017/01/27|E|Y

    METADATA|WorkTerms|SourceSystemOwner|SourceSystemId|PeriodOfServiceId(SourceSystemId)|ActionCode|EffectiveStartDate|EffectiveEndDate|EffectiveSequence|EffectiveLatestChange|AssignmentName|AssignmentNumber|PrimaryWorkTermsFlag
    MERGE|WorkTerms|HCMQA-001|SSID1_PMH304WT_1|SSID1_PMH304WR_1|HIRE|2017/01/27|4712/12/31|1|Y|PMH304_WTNM_1|PMH304_WTNUM_1|Y

    METADATA|Assignment|SourceSystemOwner|SourceSystemId|ActionCode|EffectiveStartDate|EffectiveEndDate|EffectiveSequence|EffectiveLatestChange|WorkTermsAssignmentId(SourceSystemId)|AssignmentName|AssignmentNumber|AssignmentStatusTypeCode|PersonTypeCode|BusinessUnitShortCode|PrimaryAssignmentFlag
    MERGE|Assignment|HCMQA-001|SSID1_PMH304A_1|HIRE|2017/01/27|4712/12/31|1|Y|SSID1_PMH304WT_1|PMH304_AN_1|PMH304_ANUM_1|ACTIVE_PROCESS|Employee|HDL_BU_SET1|Y

    METADATA|PersonUserInformation|PersonNumber|UserName|GeneratedUserAccountFlag|UsernameMatchingFlag
    MERGE|PersonUserInformation|PMH304WRKR_1|Marcus.Oxford|Y|Y

    In the file, we instruct HDL to link the person to the already existing user account (the one that was synchronized from Active Directory). This is done by setting the UsernameMatchingFlag field to Y:

    METADATA|PersonUserInformation|PersonNumber|UserName|GeneratedUserAccountFlag|UsernameMatchingFlag
    MERGE|PersonUserInformation|PMH304WRKR_1|Marcus.Oxford|Y|Y

  3. Create Worker.zip by compressing Worker.dat to zip format.

  4. Sign in to Oracle HCM Cloud with an account that has a role that allows you to access HDL (e.g. Human Capital Management Integration Specialist)

  5. Click on the Navigator.

  6. Click on Data Exchange.

  7. From the panel drawer on the right, click Import and Load Data.

    [Screenshot: Import and Load Data]
  8. Click Import File. Click Import Local File. Click Choose File. Select Worker.zip from your local directory. Click Submit.

    [Screenshot: Import and Load Data]
  9. Click Submit. Click OK on the confirmation.

  10. Wait for the job to complete. You can click Refresh to get the latest status.

    [Screenshot: Get Import Status]
  11. Click on the Navigator icon. Click Scheduled Processes. Click Schedule New Process.

  12. Search for Send Pending LDAP Requests.

    • Select it and click OK.
    • Click Submit on the Process Details window.
    [Screenshot: Submit Scheduled Process]
  13. Repeat the above step and run Update Person Search Keywords.

Confirm that the person is created and linked to the user account

  1. Click on the Navigator icon.

  2. Click on Person Management.

  3. Search for the newly created person (Marcus Oxford). Confirm that HDL has created the person.

    [Screenshot: Person Search]
  4. Select the Navigator menu.

  5. Click on Security Console.

  6. Click on the User Accounts tab.

  7. Search for the user account (e.g. marcus.oxford). Confirm that a Person record is now linked to the user account. The Person Number will be populated.

    [Screenshot: User Account Search]

Link user account to a Person - Oracle ERP Cloud

Use this section only if you create persons using the Oracle ERP Cloud.

Load person information and automatically link to user account using HDL

Create and load HDL file

In this section you will create a person and link this person to the user account that was previously synchronized from Active Directory.

  1. Create an HDL file called Worker.dat to load a worker. A sample is provided below. You will have to tailor this file to match the data set up in your environment.

  2. Sample Worker.dat:

    METADATA|Worker|SourceSystemOwner|SourceSystemId|EffectiveStartDate|EffectiveEndDate|PersonNumber|StartDate|DateOfBirth|ActionCode
    MERGE|Worker|HCMQA-001|SSID1_PMH304WRKR_1|2017/01/27|4712/12/31|PMH304WRKR_1|2017/01/27|1970/01/01|HIRE

    METADATA|PersonName|SourceSystemOwner|SourceSystemId|EffectiveStartDate|EffectiveEndDate|PersonId(SourceSystemId)|NameType|LegislationCode|Title|LastName|FirstName|MiddleNames
    MERGE|PersonName|HCMQA-001|SSID1_PMH304PN_1|2017/01/27|4712/12/31|SSID1_PMH304WRKR_1|GLOBAL|US|MR.|Oxford|Marcus|X

    METADATA|PersonLegislativeData|SourceSystemOwner|SourceSystemId|EffectiveStartDate|EffectiveEndDate|PersonId(SourceSystemId)|LegislationCode|Sex|MaritalStatus
    MERGE|PersonLegislativeData|HCMQA-001|SSID1_PMH304PLD_1|2017/01/27|4712/12/31|SSID1_PMH304WRKR_1|US|M|M

    METADATA|WorkRelationship|SourceSystemOwner|SourceSystemId|PersonId(SourceSystemId)|LegalEmployerName|DateStart|WorkerType|PrimaryFlag
    MERGE|WorkRelationship|HCMQA-001|SSID1_PMH304WR_1|SSID1_PMH304WRKR_1|Cox-6-HX1|2017/01/27|E|Y

    METADATA|WorkTerms|SourceSystemOwner|SourceSystemId|PeriodOfServiceId(SourceSystemId)|ActionCode|EffectiveStartDate|EffectiveEndDate|EffectiveSequence|EffectiveLatestChange|AssignmentName|AssignmentNumber|PrimaryWorkTermsFlag
    MERGE|WorkTerms|HCMQA-001|SSID1_PMH304WT_1|SSID1_PMH304WR_1|HIRE|2017/01/27|4712/12/31|1|Y|PMH304_WTNM_1|PMH304_WTNUM_1|Y

    METADATA|Assignment|SourceSystemOwner|SourceSystemId|ActionCode|EffectiveStartDate|EffectiveEndDate|EffectiveSequence|EffectiveLatestChange|WorkTermsAssignmentId(SourceSystemId)|AssignmentName|AssignmentNumber|AssignmentStatusTypeCode|PersonTypeCode|BusinessUnitShortCode|PrimaryAssignmentFlag
    MERGE|Assignment|HCMQA-001|SSID1_PMH304A_1|HIRE|2017/01/27|4712/12/31|1|Y|SSID1_PMH304WT_1|PMH304_AN_1|PMH304_ANUM_1|ACTIVE_PROCESS|Employee|HDL_BU_SET1|Y

    METADATA|PersonUserInformation|PersonNumber|UserName|GeneratedUserAccountFlag|UsernameMatchingFlag
    MERGE|PersonUserInformation|PMH304WRKR_1|Marcus.Oxford|Y|Y

    In the file, we instruct HDL to link the person to the already existing user account (the one that was synchronized from Active Directory). This is done by setting the UsernameMatchingFlag field to Y:

    METADATA|PersonUserInformation|PersonNumber|UserName|GeneratedUserAccountFlag|UsernameMatchingFlag
    MERGE|PersonUserInformation|PMH304WRKR_1|Marcus.Oxford|Y|Y

  3. Create Worker.zip by compressing Worker.dat to zip format.

  4. Sign in to Oracle HCM Cloud with an account that has a role that allows you to access HDL (e.g. Human Capital Management Integration Specialist)

  5. Click on the Navigator.

  6. Click on Data Exchange.

  7. From the panel drawer on the right, click Import and Load Data.

    [Screenshot: Import and Load Data]
  8. Click Import File. Click Import Local File. Click Choose File. Select Worker.zip from your local directory. Click Submit.

    [Screenshot: Import and Load Data]
  9. Click Submit. Click OK on the confirmation.

  10. Wait for the job to complete. You can click Refresh to get the latest status.

    [Screenshot: Get Import Status]
  11. Click on the Navigator icon. Click Scheduled Processes. Click Schedule New Process.

  12. Search for Send Pending LDAP Requests.

    • Select it and click OK.
    • Click Submit on the Process Details window.
    [Screenshot: Submit Scheduled Process]
  13. Repeat the above step and run Update Person Search Keywords.
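
The following is an added example, not code from the Oracle tutorial and not part of HDL; it serves the Worker.dat procedure in both the Oracle HCM Cloud (Option 2) section and the Oracle ERP Cloud section, which load the same file. It is an offline sanity check to run on Worker.dat before zipping and importing it: each MERGE line must carry exactly the columns its METADATA line declares, every Foo(SourceSystemId) column must point at a SourceSystemId defined in the same file, and the PersonUserInformation line must name a user account the client has already synchronized with UsernameMatchingFlag set to Y, which, per the tutorial, is what makes HDL link the existing account rather than generate a new one. The list of synchronized accounts is constructed here; in practice you would take it from the Security Console search in the previous step. The comparison of user names is case-insensitive, an assumption made because the tutorial's sample uses Marcus.Oxford in the file and marcus.oxford in Active Directory.

```python
"""Added example (not Oracle's code): offline checks on a Worker.dat HDL file
before it is zipped and loaded. Field counts, SourceSystemId references and
the account-linking line are verified; nothing is sent to HCM Cloud."""

# The tutorial's sample Worker.dat (blank lines separate business objects).
WORKER_DAT = """\
METADATA|Worker|SourceSystemOwner|SourceSystemId|EffectiveStartDate|EffectiveEndDate|PersonNumber|StartDate|DateOfBirth|ActionCode
MERGE|Worker|HCMQA-001|SSID1_PMH304WRKR_1|2017/01/27|4712/12/31|PMH304WRKR_1|2017/01/27|1970/01/01|HIRE

METADATA|PersonName|SourceSystemOwner|SourceSystemId|EffectiveStartDate|EffectiveEndDate|PersonId(SourceSystemId)|NameType|LegislationCode|Title|LastName|FirstName|MiddleNames
MERGE|PersonName|HCMQA-001|SSID1_PMH304PN_1|2017/01/27|4712/12/31|SSID1_PMH304WRKR_1|GLOBAL|US|MR.|Oxford|Marcus|X

METADATA|PersonLegislativeData|SourceSystemOwner|SourceSystemId|EffectiveStartDate|EffectiveEndDate|PersonId(SourceSystemId)|LegislationCode|Sex|MaritalStatus
MERGE|PersonLegislativeData|HCMQA-001|SSID1_PMH304PLD_1|2017/01/27|4712/12/31|SSID1_PMH304WRKR_1|US|M|M

METADATA|WorkRelationship|SourceSystemOwner|SourceSystemId|PersonId(SourceSystemId)|LegalEmployerName|DateStart|WorkerType|PrimaryFlag
MERGE|WorkRelationship|HCMQA-001|SSID1_PMH304WR_1|SSID1_PMH304WRKR_1|Cox-6-HX1|2017/01/27|E|Y

METADATA|WorkTerms|SourceSystemOwner|SourceSystemId|PeriodOfServiceId(SourceSystemId)|ActionCode|EffectiveStartDate|EffectiveEndDate|EffectiveSequence|EffectiveLatestChange|AssignmentName|AssignmentNumber|PrimaryWorkTermsFlag
MERGE|WorkTerms|HCMQA-001|SSID1_PMH304WT_1|SSID1_PMH304WR_1|HIRE|2017/01/27|4712/12/31|1|Y|PMH304_WTNM_1|PMH304_WTNUM_1|Y

METADATA|Assignment|SourceSystemOwner|SourceSystemId|ActionCode|EffectiveStartDate|EffectiveEndDate|EffectiveSequence|EffectiveLatestChange|WorkTermsAssignmentId(SourceSystemId)|AssignmentName|AssignmentNumber|AssignmentStatusTypeCode|PersonTypeCode|BusinessUnitShortCode|PrimaryAssignmentFlag
MERGE|Assignment|HCMQA-001|SSID1_PMH304A_1|HIRE|2017/01/27|4712/12/31|1|Y|SSID1_PMH304WT_1|PMH304_AN_1|PMH304_ANUM_1|ACTIVE_PROCESS|Employee|HDL_BU_SET1|Y

METADATA|PersonUserInformation|PersonNumber|UserName|GeneratedUserAccountFlag|UsernameMatchingFlag
MERGE|PersonUserInformation|PMH304WRKR_1|Marcus.Oxford|Y|Y
"""

# Constructed: the accounts the client has already synchronized into FA.
SYNCHRONIZED_ACCOUNTS = ["marcus.oxford"]


def parse_hdl(text):
    """Split the file into per-object column lists (METADATA) and records
    (MERGE). Returns (metadata, records, issues); a MERGE whose field count
    does not match its METADATA is reported and dropped."""
    metadata, records, issues = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split("|")
        if len(fields) < 2:
            issues.append(f"line {lineno}: not a pipe-delimited HDL record")
            continue
        kind, obj, values = fields[0], fields[1], fields[2:]
        if kind == "METADATA":
            metadata[obj] = values
        elif kind == "MERGE":
            columns = metadata.get(obj)
            if columns is None:
                issues.append(f"line {lineno}: MERGE for {obj} appears before its METADATA line")
            elif len(values) != len(columns):
                issues.append(f"line {lineno}: {obj} has {len(values)} fields, METADATA declares {len(columns)}")
            else:
                records.append((obj, dict(zip(columns, values))))
        else:
            issues.append(f"line {lineno}: unexpected record type {kind!r}")
    return metadata, records, issues


def validate_hdl(text, synchronized_accounts):
    """Return a list of problems; an empty list means the file passed."""
    _, records, issues = parse_hdl(text)
    known_ssids = {r["SourceSystemId"] for _, r in records if "SourceSystemId" in r}
    person_numbers = {r["PersonNumber"] for obj, r in records if obj == "Worker"}
    synced = {name.lower() for name in synchronized_accounts}  # assumed case-insensitive
    for obj, rec in records:
        # Every Foo(SourceSystemId) column must point at an id defined in this file.
        for col, val in rec.items():
            if col.endswith("(SourceSystemId)") and val not in known_ssids:
                issues.append(f"{obj}.{col} references unknown SourceSystemId {val!r}")
        if obj == "PersonUserInformation":
            if rec.get("PersonNumber") not in person_numbers:
                issues.append(f"PersonUserInformation: PersonNumber {rec.get('PersonNumber')!r} has no Worker record")
            # Per the tutorial, UsernameMatchingFlag=Y is what makes HDL link the
            # existing synchronized account instead of generating a new one.
            if rec.get("UsernameMatchingFlag") != "Y":
                issues.append("PersonUserInformation: UsernameMatchingFlag must be Y to link the synchronized account")
            elif rec.get("UserName", "").lower() not in synced:
                issues.append(f"PersonUserInformation: UserName {rec.get('UserName')!r} was not synchronized from AD")
    return issues


if __name__ == "__main__":
    problems = validate_hdl(WORKER_DAT, SYNCHRONIZED_ACCOUNTS)
    print("OK" if not problems else "\n".join(problems))
```

On the tutorial's sample the check returns no issues. Dropping a field from the Worker line is reported as a field-count mismatch, and because that record is then discarded, the three PersonId(SourceSystemId) references to it are reported as dangling as well, which is the kind of cascading failure that is easier to read here than in the Import and Load Data status page.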

Confirm that the person is created and linked to the user account

  1. Click on the Navigator icon.

  2. Click on Person Management.

  3. Search for the newly created person (Marcus Oxford). Confirm that HDL has created the person.

    [Screenshot: Person Search]
  4. Select the Navigator menu.

  5. Click on Security Console.

  6. Click on the User Accounts tab.

  7. Search for the user account (e.g. marcus.oxford). Confirm that a Person record is now linked to the user account. The Person Number will be populated.

    [Screenshot: User Account Search]