Before You Begin
In this tutorial you learn to integrate Oracle Identity Manager (OIM) with Oracle Identity Cloud Service using a connector.
Time to Complete
Oracle Identity Cloud Service provides four different methods for managing entities (users, groups, and applications) and configurations in bulk:
|CSV files||Identity Domain Administrators or User Administrators manually download, edit, and upload a CSV file containing users or groups for bulk-loading in Oracle Identity Cloud Service.|
|Identity Bridge||An Oracle Identity Cloud Service agent installed in your environment automatically and continuously synchronizes users and groups from your Microsoft Active Directory to Oracle Identity Cloud Service.|
|REST API||The Oracle Identity Cloud Service REST APIs are used by your custom application for managing users and groups.|
|OIM Connector||An Oracle Identity Manager (OIM) connector is used to automatically and continuously provision and reconcile users and groups from OIM to Oracle Identity Cloud Service.|
In this tutorial, you learn to integrate Oracle Identity Cloud Service with Oracle Identity Manager 11gR2 PS3.
What Do You Need?
- Access to Oracle Identity Cloud Service as administrator (Identity Domain Administrator)
- Familiarity with OIM 11gR2 PS3 administration
- Administrative access to the OIM 11gR2 PS3 host, domain, and administrative consoles
Download and Install the Connector
- Access the Oracle Identity Management Connector Downloads page.
- Select Accept License Agreement and download the Oracle Identity Cloud Service connector ZIP file. If prompted, enter your Oracle single sign-on password.
- Copy the connector ZIP file to the OIM server in a separate folder (for example, /home/oracle/IDCS) and extract its contents.
- Access the OIM System Administration console (https://oim.example.com:14000/sysadmin) as administrator (
- Click Manage Connector.
- Click Install.
- Specify /home/oracle/IDCS as Alternative Directory and click Refresh.
- Select Oracle Identity Cloud Service 220.127.116.11.0 as Connector List and click Load.
- Click Continue.
The connector installation page is displayed.
- Wait a few minutes until the connector installation is completed and click Exit.
- On the OIM server machine, open a terminal, and then purge the OIM cache:
cd $OIM_ORACLE_HOME/server/bin
./PurgeCache.sh ALL
Tip: If you are not familiar with the PurgeCache.sh utility, you can clean the OIM cache by restarting the OIM server.
Register the OIM Application in Oracle Identity Cloud Service
In this task, you create and activate the OIM Application entry in Oracle Identity Cloud Service.
This step is required for connecting OIM to Oracle Identity Cloud Service.
- In the Identity Cloud Service console, expand the Navigation Drawer, click Applications, and then click Add.
- Select Trusted Application or Confidential Application.
- Enter OIM Application as Name, Application entry for integration between OIM and IDCS as Description, and then click Next.
- Select Configure this application as a client now.
- Select Client Credentials as Allowed Grant Types.
- In the Client pane, scroll down, click the Add button below Grant the client access to Identity Cloud Service Admin APIs.
- In the Add App Role dialog window, select User Administrator in the list, and then click Add.
- Click Next in the Client pane and in the following panes until you reach the last pane. Then click Finish.
- Copy the Client ID and the Client Secret to a text file, return to the UI, and then click Close.
Tip: The Client ID and Client Secret are equivalent to service credentials (ID and password) that the OIM connector will use to communicate with Oracle Identity Cloud Service.
- Click Activate, and then click Activate Application. A confirmation message appears.
At this point, you have an application entry with a Client ID and Client Secret for integrating OIM with Oracle Identity Cloud Service.
Configure the Identity Cloud Service IT Resource
- In a text editor, concatenate the client_id and client_secret into the following format: client_id:client_secret
- Copy the client_id:client_secret string to the clipboard.
- Launch a terminal on the OIM server, and then enter the following command (to base64 encode the client id and secret):
echo -n "clientid:clientsecret" | base64
- Paste the command output into a text editor. If the output is broken into more than one line, join the results into a single line with no text wrapping.
Complement the output with
Tip: You will use this value later during the IT Resource configuration.
- Return to the OIM System Administration console and click IT Resource.
- Select Identity Cloud Services as IT Resource Type and click Search.
- Click Edit next to Identity Cloud Services.
- Modify the Identity Cloud Services IT Resource according to the table, and click Update.
|customAuthHeaders||The output obtained during the step 5. For example:
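The encoding step in this section, as an added example that is not part of the original tutorial: it produces the base64 string on one line whatever its length and can read the secret without echoing it. The function names and the --prompt switch are hypothetical, and the values used with them are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not Oracle's code. Function names are hypothetical.

# Encode "client_id:client_secret" as a single unwrapped base64 line.
encode_client_credentials() {
  local id=$1 secret=$2
  case $id in
    # A ':' inside the ID would make the id/secret boundary ambiguous on decode.
    ''|*:*) echo "client ID must be non-empty and must not contain ':'" >&2
            return 1 ;;
  esac
  [ -n "$secret" ] || { echo "client secret is empty" >&2; return 1; }
  # printf writes no trailing newline (the job of `echo -n` in the tutorial);
  # tr removes the line breaks that base64 inserts into long output.
  printf '%s:%s' "$id" "$secret" | base64 | tr -d '\r\n'
}

# Decode the value again and confirm it is exactly id:secret.
# $1 = encoded string, $2 = client ID, $3 = client secret
credentials_round_trip() {
  [ "$(printf '%s' "$1" | base64 -d)" = "$2:$3" ]
}

# Interactive use: ./encode.sh --prompt
# The secret is read with terminal echo off, so it does not appear on
# screen or as a command-line argument in the shell history.
if [ "${1:-}" = "--prompt" ]; then
  trap 'stty echo' EXIT INT
  printf 'Client ID: ' >&2
  read -r cid
  printf 'Client secret: ' >&2
  stty -echo
  read -r csecret
  stty echo
  echo >&2
  encode_client_credentials "$cid" "$csecret" && echo
fi
```

Base64 is an encoding, not encryption: the round-trip function recovers the secret from the output, so the encoded value needs the same protection as the Client Secret itself.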
Import the Identity Cloud Service SSL Certificate into the OIM Trust Store
Important: The OIM and Oracle Identity Cloud Service integration is performed only using an encrypted protocol (HTTPS). This type of communication requires that the Oracle Identity Cloud Service certificate is available in the OIM server trust store.
In this section, you export the Oracle Identity Cloud Service HTTPS public certificate and import the same into the OIM trust store.
- Access the Oracle Identity Cloud Service UI.
- To export the HTTPS certificate in Firefox:
- In the address bar, click the lock icon, click >, and then click More Information.
- Click View Certificate.
- Click Details and then click Export.
- Select X.509 Certificate (PEM) as type and save the certificate file in the server (for example:
- Launch the OIM server terminal and enter the following command to import the certificate into the OIM JDK trust store:
keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file /tmp/idcs.cer -storepass changeit -alias idcs
- When prompted, enter
The keytool utility should display the message Certificate was added to keystore.
- Enter the following command to import the certificate into the OIM Server trust store:
keytool -import -keystore $WL_HOME/server/lib/DemoTrust.jks -file /tmp/idcs.cer -storepass DemoTrustKeyStorePassPhrase -alias idcs
- When prompted, enter
The keytool utility should display the message Certificate was added to keystore.
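A check to run after the two imports, as an added example that is not part of the original tutorial: it compares the SHA-256 fingerprint of the exported file with the one stored under the idcs alias in a trust store. The function names are hypothetical, and the openssl and keytool output formats parsed here are assumptions based on their usual output.

```shell
#!/usr/bin/env bash
# Added example, not Oracle's code. Function names are hypothetical.

# Reduce any fingerprint spelling (colons, spaces, lower case) to bare hex.
normalize_fp() {
  printf '%s' "$1" | tr -d ': \t\r\n' | tr '[:lower:]' '[:upper:]'
}

# Read `openssl x509 -noout -fingerprint -sha256` output on stdin.
# Assumed line format: "sha256 Fingerprint=AA:BB:..." (label case varies).
fp_from_openssl() {
  normalize_fp "$(sed -n 's/^[Ss][Hh][Aa]256 Fingerprint=//p' | head -n 1)"
}

# Read `keytool -list -v` output on stdin.
# Assumed line format: "<whitespace>SHA256: AA:BB:...".
fp_from_keytool() {
  normalize_fp "$(sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1)"
}

# True only if both values are the same complete SHA-256 fingerprint.
fingerprints_match() {
  local a b
  a=$(normalize_fp "$1")
  b=$(normalize_fp "$2")
  case $a in *[!0-9A-F]*) return 1 ;; esac   # reject non-hex content
  [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]      # reject empty or truncated values
}

# $1 = keystore, $2 = store password, $3 = certificate file, $4 = alias
# Example with the tutorial's values:
#   verify_import "$JAVA_HOME/jre/lib/security/cacerts" changeit /tmp/idcs.cer idcs
verify_import() {
  local file_fp store_fp
  file_fp=$(openssl x509 -in "$3" -noout -fingerprint -sha256 | fp_from_openssl)
  store_fp=$(keytool -list -v -alias "$4" -keystore "$1" -storepass "$2" \
             | fp_from_keytool)
  fingerprints_match "$file_fp" "$store_fp"
}
```

The same fingerprints_match function can compare the file's fingerprint with the SHA-256 value the browser shows in its certificate viewer, which confirms the exported file is the certificate the service actually presented.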
Reconcile Identity Cloud Service Groups and Managers
- In the Oracle Identity Cloud Service UI, access the Groups page and confirm that you have groups for reconciliation.
- Optionally, create the following two groups in Oracle Identity Cloud Service:
|Group Name||Group Description|
|Marketing Cloud Users||
Tip: These groups are used as reference in the remainder of this tutorial.
- Access the OIM System Administration console and click Scheduler.
- Search and open the IDCS Group Lookup Reconciliation scheduled job, and click Run Now.
- After a few seconds, click Refresh. Under Job History, confirm that the Job Status displayed is Success.
- To confirm that the Oracle Identity Cloud Services groups are reconciled, return to the System Administration console and click Lookups.
- Search for the lookup code Lookup.IDCS.Groups. From the search results, confirm that the lookup value contains groups from Oracle Identity Cloud Service. This indicates that the group reconciliation was successful.
- Repeat the previous steps to run the IDCS Manager Lookup Reconciliation scheduled job and validate that the lookup Lookup.IDCS.Managers contains administrators from Oracle Identity Cloud Service. This indicates that the manager reconciliation was successful.
Expose Identity Cloud Service in the Catalog
- In the OIM System Administration console, click Sandboxes.
- Click Create Sandbox and create a sandbox using the following attributes:
- Click OK and confirm that the IDCS sandbox status is Active.
- Click Form Designer.
- Click Create.
- Create the IDCSUser01 form as follows:
|Form Type||Parent Form + Child Tables (Master/Detail)|
- Click Application Instances.
- Click Search.
- From the search results, click Identity Cloud Service Application Instance.
- Select IDCSUser01 as Form and click Apply. A confirmation message is displayed.
- Click Sandboxes (IDCS). Select and publish the IDCS sandbox.
- Click Published Sandboxes and confirm that the IDCS sandbox is published.
- To expose the Identity Cloud Service Application Instance, click Scheduler, then open and run the Catalog Synchronization Job scheduled job.
A confirmation message is displayed.
Test the Integration
Request Identity Cloud Service in OIM
- Access the OIM Identity Self Service console as
- Click Request Access > Request for Others.
- Select a user (for example, Kenny Vesterdal), click Add, and then click Next.
- Add the JCS Administrator, the Marketing Cloud Users, and the Identity Cloud Service Application Instance items to the cart and click Next.
- Click Update. Provide a justification and click Submit.
OIM displays a confirmation that a request is submitted for approval. Record the request number.
- Click Pending Approvals.
- Select the pending approval with the ID corresponding to your request and click Actions > Approve.
OIM displays a confirmation message.
Verify the Provisioning to Oracle Identity Cloud Service
- Click Manage and then click Users.
- Click the user provisioned to Identity Cloud Service (for example,
- Click Accounts and confirm that the Identity Cloud Service Application Instance status is Provisioned.
- Click Entitlements and check the provisioning status for the Oracle Identity Cloud Service groups. This confirms that Kenny Vesterdal's provisioning is marked as successful in OIM.
- Access the Oracle Identity Cloud Service console, expand the Navigation Drawer, and then click Users.
- Click a user provisioned to Identity Cloud Service (for example, Kenny Vesterdal) and then click the Groups tab.
- Oracle Identity Cloud Service displays Kenny Vesterdal as being provisioned to the Marketing Cloud Users groups. This confirms that Kenny Vesterdal is correctly provisioned in Oracle Identity Cloud Service.
- Sign out of Identity Cloud Service and close your browser.
Access Identity Cloud Service as a Provisioned User
- Access the user email, open the welcome notification from Identity Cloud Service, and click Activate Account.
- Follow the instructions to activate the user account.
- Select Click here to continue and confirm that the My Apps page is displayed for the provisioned user. Tip: The My Apps page displays what cloud applications are available for the provisioned user in Identity Cloud Service.
What's Next? Explore Hybrid Identity Governance Scenarios
At this point, you have OIM integrated to Oracle Identity Cloud Service using the Identity Cloud Service connector. This integration allows you to manage Oracle Identity Cloud Service users directly from OIM, which provides the following benefits:
|User Management from a single dashboard||In this integration, you can use only the OIM Identity Self Service console to manage accounts for systems on premises and in the cloud, which simplifies the identity management work while reducing the UI redundancies.|
|Reuse of OIM features, such as mail approvals and workflows, already implemented in your own company in the cloud||This feature is implemented consistently for requests raised from OIM to target systems on-premises and in the cloud without creating configuration redundancy or silos.|
|Ability to use Identity Cloud Service as an identity hub for cloud systems, while reducing the integration burden on OIM||Oracle Identity Cloud Service offers quick ways to integrate with cloud systems relying on standards such as OAuth2 and OpenID Connect. You can leverage these capabilities for fast integration, reducing the work on OIM and OAM. The list of integrated cloud systems can rapidly grow without point-to-point integrations in your on-premises systems.|
As a next step, you can explore the integration and implement cross-cloud Identity Governance capabilities such as:
|Full identity automation||To implement this capability, you can configure OIM Access Policies that automatically grant and revoke access for both on-premises systems and Oracle Identity Cloud Service. This integration can manage not only user onboarding and termination, but also events like vacation or temporary leave. Using Identity Cloud Service as a hub extends the user status to the systems integrated in the cloud.|
|Hybrid Audit and Governance||To implement this capability, you can configure OIM governance and reporting features over systems on premises, plus the Oracle Identity Cloud Service accounts and groups. This integration allows governance and audit teams to access consolidated reports (for cloud and on-premises systems) from the same place (BI Publisher embedded with OIM).|
|Hybrid Certification||To implement this capability, you configure OIM certification definitions across systems on premises and Oracle Identity Cloud Service. If well implemented, OIM managers can certify access for both on-premises and cloud systems in a single review, reducing the time to review. Tip: To learn more, try the Implementing Hybrid Certification tutorial.|
|Hybrid Segregation of Duties||To implement this capability, you configure OIM Identity Audit policies for systems on premises and Oracle Identity Cloud Service together. In this case, OIM will reactively and proactively capture toxic combinations of access. This includes even SoD violations across on-premises and cloud systems (for example, a user cannot be system administrator on an on-premises system and have access to SaaS systems in the cloud). Tip: To learn more, try the Implementing Hybrid Segregation of Duties (SoD) tutorial.|
|Hybrid reporting||To implement this capability, you just run OIM's out-of-the-box reports from BI Publisher. These reports will provide consolidated information about users and the identity system both on premises and in the cloud. Tip: To learn more, try the Implementing Hybrid Reporting tutorial.|
Want to Learn More?
- Developer(s): Frederico Hakamine.