This allows business users to track changes and validate records against the actual user making calls or updates to the cloud application, rather than against a shared integration identity.
It is expected that OIC will propagate the caller's credentials to SaaS or other downstream applications, but OIC does not currently provide this capability.
As a workaround, you can configure an OIC service to receive the downstream authentication details in a custom header and propagate them to the target.
Clients or users are expected to send either two different authentication tokens, or a single token with multiple scopes or audiences. In the single-token case, the same token is authorized by IDCS based on the audience value in the token, so each application only accepts it if its own audience is present.
The following diagram illustrates some of the security requirements.
We can have an individual IDCS instance for each application, or we can use the same IDCS instance for multiple applications.
Users and roles are synced between IDCS and the cloud applications; a sync job is configured in IDCS to sync the users and roles.
The diagram above illustrates the security setup, with clients accessing each application using a specific token.
The following are some of the requirements:
- Client1 is configured to invoke OIC using an OIC token.
- Client2 is configured to invoke OIC and SaaS using a single token.
- Client2 can invoke SaaS directly using a SaaS token.
- Client2 can invoke OIC using an OIC token.
- Client3 is configured to invoke HCM using an HCM token.
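The following is an added example (not code from the page or from Oracle) showing the two token patterns described above for the custom-header workaround and the client requirements: an OIC-side service first authorizes the caller's own token for the `oic` audience, then decides which token to forward to the SaaS target, either a second token supplied in a custom header or the caller's single multi-audience token. The header name `X-Downstream-Authorization`, the audience strings `oic`/`saas`, and the HS256 demo signing key are assumptions for the example; real IDCS tokens are RS256-signed and would be verified against the IDCS JWKS.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo signing key. IDCS signs tokens with its own RS256 key and a
# verifier would fetch the public key from the IDCS JWKS endpoint instead.
DEMO_KEY = b"constructed-demo-secret-do-not-use"

# Assumed custom header that carries the downstream (SaaS) token in the
# two-token pattern; this name is an assumption, not an OIC setting.
DOWNSTREAM_TOKEN_HEADER = "X-Downstream-Authorization"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(subject: str, audiences, ttl: int = 300) -> str:
    """Constructed stand-in for an IDCS-issued JWT (HS256 for the demo only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "aud": audiences, "exp": int(time.time()) + ttl}
    signing_input = (
        f"{_b64url(json.dumps(header).encode())}."
        f"{_b64url(json.dumps(payload).encode())}"
    )
    sig = hmac.new(DEMO_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, required_aud: str) -> dict:
    """Check signature and expiry, and require required_aud among the audiences."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    expected = hmac.new(DEMO_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) < time.time():
        raise PermissionError("token expired")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # 'aud' may be string or array
    if required_aud not in auds:
        raise PermissionError(f"token not issued for audience {required_aud!r}")
    return claims


def build_downstream_headers(incoming_headers: dict, target_aud: str) -> dict:
    """Decide which token the OIC service forwards to the target application.

    Two-token pattern: the custom header carries a token for the target.
    Single-token pattern: the caller's own token also lists the target audience.
    Either way the forwarded token is checked for the target audience first, so
    OIC never forwards a token the target would reject.
    """
    caller_token = incoming_headers["Authorization"].split(" ", 1)[1]
    verify_token(caller_token, "oic")  # OIC authorizes its own audience first
    forwarded = incoming_headers.get(DOWNSTREAM_TOKEN_HEADER)
    token = forwarded.split(" ", 1)[1] if forwarded else caller_token
    verify_token(token, target_aud)
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    # Client2 with a single multi-audience token (constructed)
    single = mint_token("client2", ["oic", "saas"])
    print(build_downstream_headers({"Authorization": f"Bearer {single}"}, "saas"))
    # Client1 with an OIC-only token cannot reach SaaS through OIC
    try:
        build_downstream_headers({"Authorization": f"Bearer {mint_token('client1', ['oic'])}"}, "saas")
    except PermissionError as e:
        print("rejected:", e)
```

The audience check on the forwarded token is the part worth keeping even if the header name or token format differs: it is what turns "same token, multiple audiences" into a per-application authorization decision rather than a blanket pass-through.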