Oracle OIC - ERP/HCM Adapter with OAuth Authentication

Oracle has introduced an OAuth authentication mechanism to access ERP and HCM applications using ERP/HCM  adapter respectively in OIC. 

This will solve the following security issues. 

1. Can maintain user credentials in IDCS. 
2. Wont require to reset the passwords during P2T refresh. 
3. Better security compared to basic authentication. 
4. Authentication will work even password will get expired in IDCS or Fusion. 

Set Up Trust Between Oracle Fusion Applications and Oracle Identity Cloud Service.

• Get the JWK signing certificates from the Oracle IDCS of Oracle Integration.
• Get the REST API of the Oracle IDCS endpoint that gives you the signing certificate endpoint.
• <IDCS_HOST_NAME>/admin/v1/SigningCert/jwk
• Note :  Before accessing the key make sure, access certificate is enabled in IDCS . Got to  Settings -> Default Settings and Toggle ON the "Access Signing Certificate"
• Copy the certificates present under "x5c" JSON element.
• Use the following template and save the certificates as .crt files.

-----BEGIN CERTIFICATE-----

 content_of_certificate

. . .

. . .

-----END CERTIFICATE----- 

• Upload the above certificates to the Oracle Fusion/HCM Applications Security Console.
• Note:  Since HCM and Fusion are using IDCS and following Authenticator provider will be in non editable mode. https://identity.oraclecloud.com/
• Raise an SR with Oracle team to upload the certificates and attached to this authentication provider. 

Create an ERP/HCM resource application. 

• Login into IDCS
• On the left Panel , Click the Applications and then click Add
• Select the confidential application option
• Provide a Name
• Go to next page
• Select the option - Configure this application as a resource server now.
• Select Is Refresh Token Allowed.
• In the Primary Audience field, add the Oracle Fusion/HCM Applications URL and port.
• https://FA_URL:443
• In the Scopes section, click Add.
• In the Scope field, enter /.
• In the Description field, enter All.
• Select Requires Consent.
• Click Add, then click Next.
• Click Finish to complete resource application creation.
• Click Activate to activate your client application.

 

Create a confidential Client application 

• In the left navigation pane, select Applications, then click Add to add a client application.
• Select Confidential Application.
• The Add Confidential Application wizard is displayed.
• Provide a Name
• Select Configure as a client application
•  Select appropriate Grant Types

• Provide callback URL 
• https://<OIC_HOST_NAME>/icsapis/agent/oauth/callback
• Select Client Type as Trusted if required and import SaaS certificate (Optional and Not Required)
• Add Scope
• Select ERP/HCM Resource application which we created earlier. 
• Select the scope
• Save changes
• Activate the application
• Collect Client Id and Secret. 

OIC Configurations:

• Login into OIC using admin or developer access.
• Make sure this user has got an access to Oracle Fusion as well. 
• Create ERP/HCM Adapter with Invoke Operation. 
• Provide SaaS URL
• Select Authentication type as OAuth Client Credentials.
• Provide Client Id and Secret which we got above. 
• Provide Authorization  and Token URL.
• https://idcs-<Id>.identity.oraclecloud.com/oauth2/v1/authorize
• https://idcs-<Id>.identity.oraclecloud.com/oauth2/v1/token
• Provide Scope Value (Get it from IDCS client application.)
• Add offline_access to the scope. 
• https://<SaaS_Host_Name>.fa.ocs.oraclecloud.com:443/ offline_access
• Select Provide Consent.
• Provide OIC user credentials. 
• Note : This user must present in Fusion as well. 
• Save and Test the connection.