Week09@2020: Integrating Oracle Identity Cloud Service with Oracle Fusion Application Cloud Service

Oracle Fusion Applications Cloud Service is a collection of Software as a Service offerings by Oracle; some of these services are Oracle ERP—Financials Cloud, Oracle HCM Cloud, Oracle SCM and Manufacturing Cloud, Oracle Customer Experience Cloud and Oracle EPM Cloud.

Each subscription to these services comes with built-in Identity and Access Management features. Managing users across these services is painful, because every time you onboard or off-board a user you have to do it individually on every subscription.

Oracle provides the option to federate Oracle Applications Cloud Services with existing identity providers such as Microsoft AD, OpenLDAP, Okta, PingFederate and Oracle Identity Cloud Service.

In this blog, we will be talking about the integration of Oracle Fusion Applications Cloud Service with Oracle Identity Cloud Service.

Oracle Identity Cloud Service provides an innovative, fully integrated service that delivers all the core identity and access management capabilities through a multi-tenant cloud platform. The design of Identity Cloud Service (IDCS) is based on a microservice architecture, which is naturally aligned with the cloud principles of scalability, elasticity, resilience, ease of deployment, functional agility, technical adoption and organizational alignment.

Some of the prominent features of Oracle Identity Cloud Service are:

Open and Standards-based Integration

  • Oracle Identity Cloud Service provides 100% API coverage of all product capabilities for rich integration with custom applications.
  • It complies with open standards such as SCIM, REST, OAuth and OpenID Connect for easy application integration.
  • Customers can easily consume these APIs in their applications to take advantage of identity management capabilities.

Secure Defence in Depth

  • Oracle Identity Cloud Service provides a strong security engine that customers can use to protect all IaaS, SaaS and PaaS applications.
  • It provides security at logical, physical and data layers for custom PaaS and IaaS applications as well as Oracle-hosted IaaS, SaaS and PaaS services.
  • Customers can define their own security controls by defining authentication and authorization policies.
  • Through its API layer it is integration-ready with behavioral risk analytics, audit logging, identity context and policy-violation feeds from third-party vendors, which can be consumed in application access policies.

Hybrid Identity Management

  • Oracle Identity Cloud Service seamlessly integrates with on-premises identities in Active Directory to provide Single Sign-On between cloud and on-premises applications.
  • Through its Identity Bridge component, IDCS can synchronize all the identities and groups from Active Directory into its own identity store in the cloud.
  • This allows organizations to leverage their existing investment in Active Directory and extend their services to Oracle Public Cloud and external SaaS applications.
  • Oracle Identity Cloud Service can be integrated with an on-premises governance solution via the OIM connector for identity synchronization and OAM for federation.
  • With this approach, customers can keep using their on-premises governance solution for access certification, segregation of duties and compliance reporting while taking advantage of the cloud to integrate with cloud applications.
  • This gives them complete control over when they want to move their identities from on-premises into the cloud entirely.

Seamless Access to Cloud Applications

  • Identity Cloud Service provides Single Sign-On integration with any service that supports SAML or OpenID Connect.
  • Administrators can manage users across the various applications from a single control panel, and end users can reach their applications with a single click.

Modernize your applications in the Cloud

  • Customers who want to modernize their applications in the cloud and host their identities there can leverage Identity Cloud Service as their IdP.
  • These customers can build applications rapidly and secure them with cloud IDM in minutes, not months.
  • With capabilities like self-service profile management and self-service password management, customers can keep their helpdesk costs low while maintaining or improving the quality of their end-user experience.
  • These applications can take advantage of the authentication, authorization and open-standards support of the IDCS platform.

There are two solutions for integrating Oracle Identity Cloud Service with Oracle Fusion Applications Cloud Service:

Option 1: Oracle Fusion Applications Cloud Service becomes the Identity Provider.

Option 2: Oracle Identity Cloud Service becomes the Identity Provider.

If you are planning to go with the second option, you further have the choice of creating users in Oracle Fusion Applications Cloud Service or in Oracle Identity Cloud Service. In either case, you need to set up a synchronization process that syncs the user details between the two.

Now, let's see the architecture diagram for each of the two solutions I have mentioned above.

The architecture diagram for Oracle Fusion Applications Cloud Service as Identity Provider is as below:

Option 1: Oracle Fusion Applications Cloud Service is the Identity Provider

The architecture diagram shows how user information flows when Oracle Fusion Applications Cloud Service is configured as the Identity Provider. Users are created in Oracle Fusion Applications Cloud Service, and all other user account information is managed there too. This information is synchronized to your Oracle Identity Cloud Service instance. Once the user details are in Oracle Identity Cloud Service, you can proceed with assigning additional roles that are specific to PaaS or IaaS services.

Now, let's see the architecture diagram for Oracle Identity Cloud Service as Identity Provider:

Option 2: Oracle Identity Cloud Service as Identity Provider.

In this case, users are created in Oracle Identity Cloud Service, and user information is synchronized to Oracle Fusion Applications Cloud Service by using the Fusion Applications application set up within Oracle Identity Cloud Service. However, roles must be created in Oracle Fusion Applications Cloud Service and assigned to users there; you can then use the ESS Sync Job to synchronize roles and role assignments back to Oracle Identity Cloud Service. Oracle Identity Cloud Service can then provide user and group management for other Oracle PaaS applications.
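The two-way flow described for Option 2 (users flow from the identity provider to the SaaS side, role assignments flow back) is what a synchronization job has to reconcile on every run, and the part that matters most from a security standpoint is off-boarding: a user deactivated at the IdP must end up deactivated in the application, and accounts that exist only in the application must be flagged rather than silently ignored. The following is an added example, not Oracle's IDCS or Fusion code: it reconciles a constructed SCIM 2.0-style user list (the shape IDCS returns from its SCIM Users endpoint) against a constructed snapshot of application accounts, produces a provisioning plan, and builds the standard SCIM PatchOp body used to deactivate an account. The sample users, role names and the `plan_sync` / `scim_patch_active` helpers are all assumptions made for the illustration.

```python
"""Added example: reconcile IdP users against SaaS accounts (Option 2 flow).

Constructed data and hypothetical helpers; not IDCS or Fusion Applications code.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed SCIM 2.0-style records, shaped like an IdP's /Users response.
# Only the attributes the reconciler needs are included.
IDP_USERS = [
    {"userName": "alice@example.com", "active": True,
     "name": {"givenName": "Alice", "familyName": "Adams"}},
    {"userName": "bob@example.com", "active": False,      # off-boarded at the IdP
     "name": {"givenName": "Bob", "familyName": "Baker"}},
    {"userName": "carol@example.com", "active": True,     # new joiner, not yet in the app
     "name": {"givenName": "Carol", "familyName": "Cruz"}},
]

# Constructed snapshot of the application side (roles are authored here in Option 2).
APP_USERS = {
    "alice@example.com": {"active": True, "roles": ["AP_INVOICE_CLERK"]},
    "bob@example.com": {"active": True, "roles": ["GL_ACCOUNTANT"]},
    "dave@example.com": {"active": True, "roles": ["HR_SPECIALIST"]},  # no IdP source
}


@dataclass
class SyncPlan:
    """Actions the sync job would take; orphans are reported, never auto-deleted."""
    create: list[str] = field(default_factory=list)
    deactivate: list[str] = field(default_factory=list)
    orphan: list[str] = field(default_factory=list)
    # roles flowing back from the application to the IdP, active users only
    role_assignments: dict[str, list[str]] = field(default_factory=dict)


def plan_sync(idp_users: list[dict], app_users: dict[str, dict]) -> SyncPlan:
    """Compare IdP (source of truth for identities) with the application."""
    plan = SyncPlan()
    # userName comparison is case-insensitive, as SCIM recommends for this attribute
    idp_by_name = {u["userName"].lower(): u for u in idp_users}
    app_by_name = {n.lower(): a for n, a in app_users.items()}

    for name, user in idp_by_name.items():
        account = app_by_name.get(name)
        if account is None:
            if user["active"]:
                plan.create.append(name)          # provision active users only
            continue
        if not user["active"]:
            if account["active"]:
                plan.deactivate.append(name)      # off-boarding must propagate
            continue                              # and no roles are synced back
        plan.role_assignments[name] = sorted(account["roles"])

    for name, account in app_by_name.items():
        if name not in idp_by_name and account["active"]:
            plan.orphan.append(name)              # review: account with no IdP owner
    return plan


def scim_patch_active(active: bool) -> dict:
    """Standard SCIM 2.0 PatchOp body (RFC 7644) toggling the 'active' attribute."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "path": "active", "value": active}],
    }


if __name__ == "__main__":
    result = plan_sync(IDP_USERS, APP_USERS)
    print("create      :", result.create)
    print("deactivate  :", result.deactivate)
    print("orphans     :", result.orphan)
    print("roles -> IdP:", result.role_assignments)
    for name in result.deactivate:
        print(f"PATCH /Users/<id of {name}>", scim_patch_active(False))
```

Running the block on the constructed data yields one account to create (Carol), one to deactivate (Bob, because the IdP already marks him inactive), one orphan to review (Dave, who has no IdP record), and role assignments flowing back only for users still active at the IdP. Whichever direction your chosen option syncs in, the same three checks (new, deactivated, orphan) are what the scheduled job should be reporting on each run.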

To implement either of the solutions, you need the following roles in the two services:

  • Oracle Fusion Applications Cloud Service: Application Diagnostics Administrator, Application Implementation Consultant, and IT Security Manager
  • Oracle Identity Cloud Service: Identity Domain Administrator

In most cases you will choose to have Oracle Identity Cloud Service as the Identity Provider, because it gives you a centralized place to manage users for SaaS, PaaS and IaaS. Oracle also provides more integration options between Oracle Identity Cloud Service and other applications.

Let me know in the comments which option you have chosen and why.

Thanks for reading; your comments will inspire me to improve and post more interesting topics.