Oracle has introduced an OAuth authentication mechanism to access ERP and HCM applications using ERP/HCM adapter respectively in OIC.
This will solve the following security issues.
- Can maintain user credentials in IDCS.
- Wont require to reset the passwords during P2T refresh.
- Better security compared to basic authentication.
- Authentication will work even password will get expired in IDCS or Fusion.
Set Up Trust Between Oracle Fusion Applications and Oracle Identity Cloud Service.
- Get the JWK signing certificates from the Oracle IDCS of Oracle Integration.
- Get the REST API of the Oracle IDCS endpoint that gives you the signing certificate endpoint.
- <IDCS_HOST_NAME>/admin/v1/SigningCert/jwk
- Note : Before accessing the key make sure, access certificate is enabled in IDCS . Got to Settings -> Default Settings and Toggle ON the "Access Signing Certificate"
- Copy the certificates present under "x5c" JSON element.
- Use the following template and save the certificates as .crt files.
-----BEGIN CERTIFICATE-----content_of_certificate. . .. . .-----END CERTIFICATE-----
- Upload the above certificates to the Oracle Fusion/HCM Applications Security Console.
- Note: Since HCM and Fusion are using IDCS and following Authenticator provider will be in non editable mode. https://identity.oraclecloud.com/
- Raise an SR with Oracle team to upload the certificates and attached to this authentication provider.
- Login into IDCS
- On the left Panel , Click the Applications and then click Add
- Select the confidential application option
- Provide a Name
- Go to next page
- Select the option - Configure this application as a resource server now.
- Select Is Refresh Token Allowed.
- In the Primary Audience field, add the Oracle Fusion/HCM Applications URL and port.
- https://FA_URL:443
- In the Scopes section, click Add.
- In the Scope field, enter /.
- In the Description field, enter All.
- Select Requires Consent.
- Click Add, then click Next.
- Click Finish to complete resource application creation.
- Click Activate to activate your client application.
Create a confidential Client application
- In the left navigation pane, select Applications, then click Add to add a client application.
- Select Confidential Application.
- The Add Confidential Application wizard is displayed.
- Provide a Name
- Select Configure as a client application
- Select appropriate Grant Types
- Provide callback URL
- https://<OIC_HOST_NAME>/icsapis/agent/oauth/callback
- Select Client Type as Trusted if required and import SaaS certificate (Optional and Not Required)
- Add Scope
- Select ERP/HCM Resource application which we created earlier.
- Select the scope
- Save changes
- Activate the application
- Collect Client Id and Secret.
- Login into OIC using admin or developer access.
- Make sure this user has got an access to Oracle Fusion as well.
- Create ERP/HCM Adapter with Invoke Operation.
- Provide SaaS URL
- Select Authentication type as OAuth Client Credentials.
- Provide Client Id and Secret which we got above.
- Provide Authorization and Token URL.
- https://idcs-<Id>.identity.oraclecloud.com/oauth2/v1/authorize
- https://idcs-<Id>.identity.oraclecloud.com/oauth2/v1/token
- Provide Scope Value (Get it from IDCS client application.)
- Add offline_access to the scope.
- https://<SaaS_Host_Name>.fa.ocs.oraclecloud.com:443/ offline_access
- Select Provide Consent.
- Provide OIC user credentials.
- Note : This user must present in Fusion as well.
- Save and Test the connection.
