Saturday, 3 July 2021

Oracle Fusion - User and Role Sync from Fusion to IDCS

Refer my previous blogs for configuring SSO and OAuth authentication between IDCS and Fusion applications. 

In this blog , I will explain how to sync Users (Can be used to migrate Existing Users from Fusion to IDCS) and Roles from Fusion. 

Note:  As I explained in my earlier blogs, user can be originated in Fusion or IDCS. In case users are getting created in SaaS and then it requires to Sync with IDCS then we can use the following Sync configurations.  This configuration can also be used as a pre cutover activity to Sync an existing users from fusion and then use IDCS as an user Origin.  Once the Sync is done , we can disable this configuration. 

As we all know , roles will be originated only in Fusion and these roles can be synched to IDCS to create corresponding roles in IDCS.  

Pre Requisite : 
  • Create an IDCS client application with User Admin roles. 
  • Login to IDCS
  • Go to Applications
  • Create Confidential Application.
  • Provide Name as - Fusion IDCS Application. 
  • Next Page - Select configure this application as Client Now.
    • Select Allowed Grant Type - Client Credentials
    • Client Type - Confidential
    • Under Grants 
      • Select User Administrator role.
    • Select Next and Finish
    • Save 
    • Activate.
  • Note down the client id and secret. 

Oracle Fusion Setup:
  • Login to Fusion Application. Use Admin User
  • Go to Setup and Maintenance
  • Select Tasks
  • Select Manage Setup Content
    • Under Topology Definition 
    • Select Manage Integration of Additional Applications
    • Select Create ( + ) 
    • Create Application Integration page will open.
      • Application Name - IDCS_REST_APP
      • Full URL : https://<IDCS-HOST-NAME>/admin/v1
      • Partner Name : IDCS
      • Security Policy : Select - oracle/wss_username_token_over_ssl_client_policy
      • User Name : Enter the Client Id 
      • Password :  Client Id Secret. 
        • Refer Above created IDCS applications for Client Id and Secret. 
      • Apply 
      • Save and Close.





  • Create Task Lists and Tasks:
    • Go to Setup and Maintenance
    • Select Tasks
    • Select Manage Setup Content
      • Under Functional Definition
        • Select Manage Task Lists and Tasks
        • Select Create Task
        • Provide following details - You must use the same values. These values are seeded values. 
        • Click Save, but don’t close yet.
        • To save the Oracle Identity Cloud Service access credentials in the Oracle Fusion Applications Cloud Service credential store, click Test Go to Task.
        • In the Fusion Applications IDCS Sync App Credentials dialog, 
        • enter the Oracle Identity Cloud Service Admin console in the URL in the URL field. 
        • Enter the client ID of the Oracle Identity Cloud Service Application as the user name. 
        • Enter the secret key of the Oracle Identity Cloud Service application as the password.


Field Name

Field Value

Name

Fusion Applications IDCS Sync App Credentials

Code

FUSION_APPLICATIONS_IDCS_SYNC_APP_CREDENTIALS

Description

Fusion Applications IDCS Sync App Credentials

Deployment Method

None

Program Name

/WEB-INF/oracle/apps/setup/commonSetup/setupHub/publicUi/flow/EndpointPolicyFlow.xml#EndpointPolicyFlow

Perform Task

After Import

Enterprise Application

Setup

Module

Setup

Parameters

endpointKey=FA_USER_SYNC_IDCS_CLIENT_ID&filterSecurityPolicies=oracle/wss_username_token_over_ssl_client_policy

Task Type

Data Entry

Uses user interface

Selected

Open In

Standard view

 

We can update the Sync profile to control the batch process. Use the following steps to update the profile options. 

Modify Profile Options for User Sync. 

  • Go to Setup and Maintenance and search for task: Manage Administrator Profile Values
  • Edit the below Profile options at Site level
    • FND_USER_MIGRATION_FETCH_BATCH_SIZE = 1000
    • FND_USER_MIGRATION_MAX_RETRY_ATTEMPTS = 2
    • FND_ROLE_SYNC_MAX_SELECTED_ROLES_SIZE = 1000
    • FND_USER_IDENTITY_SYNC_TARGET=IDCS
    • FND_SYNC_JOB_TYPE=USER/ROLE/ALL
      • USER - To Sync Only User
      • ROLE - To Sync Only Roles
      • ALL -  To Sync Both User and Role. 
    • FND_USER_MIGRATION_FA_FEDERATION=True  -- Default value is True
Schedule User Or Role Sync Job
  • Execute the Scheduled Process: 
  • User identity synchronization from this SaaS instance to the PaaS Identity Store
  • Schedule this Job to Run Every day

Add Specific Roles to be Synched to IDCS
  • From the Setup and Maintenance panel of your service, search for the task 
  • Migrate Enterprise Roles and Assignments to PaaS Identity.
  • Add all the Roles to be synchronized in this table


Wednesday, 23 June 2021

ORACLE - FUSION : Common Lookup DFF Configuration.

 Following steps will let you know how to configure DFF's for common lookups and use them while configuring common lookups. 

Normal common lookups will let you configure lookup code and corresponding meaning.  If you want to configure additional values for a lookup code then you can use DFF's to configure context and use them in lookups. 

MANAGE DFF

  • Login into Fusion. 
  • Go to Manage and Setup 
  • Search for Manage Descriptive Flexfields
  • Search for Lookup values descriptive flexfield (Name)
  • Edit - Lookup values descriptive flexfield
  • Manage Contexts
  • Search for existing contexts or Create a new one. 
  • Create
    • Give a display name  - XXSCM_SHOP_ORG_MAP_LOOKUP
    • API Name - XxscmShopOrgMapLookup
  • Save
  • Under Context Sensitive Segments add segments - ( additional lookup values )
    • Give a Name - Ex: Inventory_Organization
    • Data Type as Character
    • Table Column will auto populated - Attribute1
    • Under Value Set : Either select an existing one or create new
    • Create a New Value Set
      • Value Set Code - XXSCM_INV_ORG_NAME
      • Module - Inventory Management
      • Validation Type : Table   -- This will allow us to define table, column and where clause. 
      •  Under Definition 
        • From Clause - Provide Table Name - INV_ORGANIZATION_DEFINITIONS_V
        • Value Column Name - Provide Column Name - ORGANIZATION_CODE
        • ID Column Name :  ORGANIZATION_ID
        • WHERE Clause :  INVENTORY_ENABLED_FLAG = 'Y'
      • Save 
        • This will validate TABLE and Column Values. 
      • Save and Close the value set
      • Save and Close the Segment
    • Follow the above steps to create a new segment for inventory.
    • Save and Close the Context

MANAGE COMMON LOOKUP:
  • Go to Manage and Setup 
  • Search for Manage Common Lookups
  • Add Common Lookup +
  • Lookup Type : XXSCM_SHOP_ORG_LOOKUP
  • Meaning : Give some valid meaning 
  • Description : Give some value Description
  • Module : Common
  • REST Access Secured :  Authenticated. 
    • Lookup Code
      • Add 
        • Lookup Code : Shop1
        • Meaning : Give a Name
        • Enable
        • Expand the lookup code
          • Select the context created earlier
          • Select the Org 
          • Select the Inventory

Sunday, 6 June 2021

Oracle OIC - ERP Adapter Filter Business Events

 We can use ERP adapter to consume Business Events from Fusion and process them. We can use the ERP adapter at trigger point and select Business Events Operations and select the particular business event. Example : Invoice Hold Applied. 

Sample Invoice Hold Payload:

<ns01:onEvent xmlns:ns01="http://xmlns.oracle.com/cloud/adapter/erp/XXFSCM_SUBSCRIBE_TO_INVHOLD_REQUEST/types">   <ns0:ApInvHoldAppliedInfo xmlns:ns0="http://xmlns.oracle.com/apps/financials/payables/invoices/transactions/model/entity/events">      <ns0:InvoiceId>         <ns0:newValue value="300000014255251"/>         <ns0:oldValue/>      </ns0:InvoiceId>      <ns0:OrgId>         <ns0:newValue value="300000002493031"/>         <ns0:oldValue/>      </ns0:OrgId>      <ns0:HoldId>         <ns0:newValue value="72011"/>         <ns0:oldValue/>      </ns0:HoldId>      <ns0:HoldLookupCode>         <ns0:newValue value="AMT REC"/>         <ns0:oldValue/>      </ns0:HoldLookupCode>      <ns0:HoldReason>         <ns0:newValue value="Amount billed exceeds amount received."/>         <ns0:oldValue/>      </ns0:HoldReason>      <ns0:LineNumber>         <ns0:newValue value=""/>         <ns0:oldValue/>      </ns0:LineNumber>      <ns0:HeldBy>         <ns0:newValue value="5"/>         <ns0:oldValue/>      </ns0:HeldBy>      <ns0:HoldDate>         <ns0:newValue value="2021-06-04T06:27:33"/>         <ns0:oldValue/>      </ns0:HoldDate>      <ns0:LineLocationId>         <ns0:newValue value="300000014255246"/>         <ns0:oldValue/>      </ns0:LineLocationId>      <ns0:RcvTransactionId>         <ns0:newValue value=""/>         <ns0:oldValue/>      </ns0:RcvTransactionId>   </ns0:ApInvHoldAppliedInfo></ns01:onEvent>


Use the following Filter Expression to filter a specific Hold. 


<xpathExpr xmlns:ns0="http://xmlns.oracle.com/apps/financials/payables/invoices/transactions/model/entity/events">$eventPayload/ns0:HoldLookupCode/ns0:newValue/@value='AMT REC'</xpathExpr>



$eventPayload: Inbuilt variable which will contain the payload.  


Friday, 21 May 2021

Oracle OIC - ERP Adapter with OAuth Authentication

Oracle has introduced an OAuth authentication mechanism to access ERP application using ERP adapter in OIC. 

This will solve the following security issues. 

  1. Can maintain user credentials in IDCS. 
  2. Wont require to reset the passwords during P2T refresh. 
  3. Better security compared to basic authentication. 
  4. Authentication will work even password will get expired in IDCS or Fusion. 

  • Create an ERP Enterprise resource application. 


 

  • Create a confidential application 
    • Select Configure as a client application
    •  Select appropriate Grant Types
    • Provide callback URL 
      • https://<OIC_HOST_NAME>/icsapis/agent/oauth/callback
    • Select Client Type as Trusted if required and import SaaS certificate 
    • Add Scope
      • Select ERP Enterprise application which we created earlier. 
      • Select the scope
    • Save changes
    • Activate the application
    • Collect Client Id and Secret. 
  • OIC Configurations:
    • Login into OIC using admin or developer access.
      • Make sure this user has got an access to Oracle Fusion as well. 
    • Create ERP Adapter with Invoke Operation. 
      • Provide SaaS URL
      • Select Authentication type as OAuth.
        • Provide Client Id and Secret which we got above. 
        • Provide Authorization  and Token URL.
          • https://idcs-<Id>.identity.oraclecloud.com/oauth2/v1/authorize
          • https://idcs-<Id>.identity.oraclecloud.com/oauth2/v1/token
        • Provide Scope Value (Get it from IDCS client application.)
        • Add offline_access to the scope. 
          • https://<SaaS_Host_Name>.fa.ocs.oraclecloud.com/ offline_access
      • Select Provide Consent.
        • Provide IDCS user credentials. 
      • Save and Test the connection.

Wednesday, 19 May 2021

ORACLE OIC - IDCS SEARCH TO RETRIEVE DATA

 We can IDCS search API to get the required attributes and limited user list using pagination logic. 

Use the following API details to fetch the data from IDCS. 

URL: https://idcs-<id>.identity.oraclecloud.com/admin/v1/Users/.search

Operation : POST

IDCS Scope : urn:opc:idm:__myscopes__

Sample Request Payload:

{

  "schemas" : [ "urn:ietf:params:scim:api:messages:2.0:SearchRequest" ],

  "attributes" : [ "displayName", "userName", "emails", "active", "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber" ],

  "filter" : "((urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber pr))",

  "startIndex" : 1,

  "count" : 100

}

OIC Expression  for Filter: 

filter :   conct("meta.lastModified ge ", '"', $varStartDate, '"', " and meta.lastModified le ", '"', $varEndDate, '"')

Tuesday, 11 May 2021

ORACLE OCI - Object Storage Multi Part Upload

In some cases we may have to upload larger file and uploading larger file may take more time and bandwidth.  In such cases we can split the file into multi parts and upload them in parallel. 

We can use the following steps to split and upload the files to object storage. 

  • First split the file based on the required size using split command. 
    • split -b 5M -d /tmp/bigfilename.txt /tmp/bigfilename.split
  • Create a multi part upload request. 
    • POST
    • /n/{namespaceName}/b/{bucketName}/u
    • Request Payload

{
  "object": "example_object1"
}

    • Response Payload 

{

  "namespace": "ansh8lvru1zp",
  "bucket": "MyBucket",
  "object": "MyObject1",
  "uploadId": "c892336f-ccvb-1bb8-6e75-a5649fd91178"
}
            •  Use the above upload Id to upload the files. 
            • Loop over each file and upload the files 
              • PUT
              • /n/{namespaceName}/b/{bucketName}/u/{FinalFileName}?uploadid={UploadID}&uploadPartNum={partNum/SequenceNum}
            • After Upload , get all the multi part upload details. 
              • GET
              • /n/{namespaceName}/b/{bucketName}/u/{FinalFileName}?uploadid={UploadID}
              • Sample Response
            [
              {
                "partNumber": 1,
                "etag": "3d240a5a-a2b0-45b2-bcvb-2ac6a02b422c",
                "md5": "rvr3UC1SmUw7cvb2NqPN0g==",
                "size": 8
              },
              {
                "partNumber": 2,
                "etag": "15de104e-7cvb-3513-8da1-3b5e75a65ad7",
                "md5": "3poFVtJezCVBOi8RzhUB8Q==",
                "size": 8
              }
            ]

            • Finally commit the upload. 
              • POST
              • /n/{namespaceName}/b/{bucketName}/u/{FinalFileName}?uploadid={UploadID}
              • Request Payload
             
            {
              "partsToCommit": [
                {
                  "partNum": 1,
                  "etag": "3d240a5a-a2b0-45b2-bcvb-2ac6a02b422c"
                },
                {
                  "partNum": 2,
                  "etag" : "15de104e-7cvb-3513-8da1-3b5e75a65ad7"
                }
              ]
            }


                                                                Monday, 10 May 2021

                                                                ORACLE IDCS - OAUTH2 - Get Token

                                                                Use the following details to get the OAuth Token from IDCS and invoke the service. 

                                                                Authentication URL:  https://idcs-xxxx.identity.oraclecloud.com/oauth2/v1/authorize

                                                                Authentication Token URL:  https://idcs-xxxx.identity.oraclecloud.com/oauth2/v1/token

                                                                Scope:  From IDCS application.