Saturday, 3 July 2021

Oracle Fusion - User and Role Sync from Fusion to IDCS

Refer to my previous blogs for configuring SSO and OAuth authentication between IDCS and Fusion applications.

In this blog, I will explain how to sync Users (this can also be used to migrate existing users from Fusion to IDCS) and Roles from Fusion.

Note: As I explained in my earlier blogs, users can originate either in Fusion or in IDCS. When users are created in SaaS and then need to be synced to IDCS, the following sync configuration can be used. The same configuration can also be used as a pre-cutover activity to sync the existing users from Fusion, after which IDCS becomes the user origin. Once the sync is done, the configuration can be disabled.

As we all know, roles originate only in Fusion; these roles can be synced to IDCS to create the corresponding roles there.

Prerequisites:
  • Create an IDCS client application with the User Administrator role.
  • Log in to IDCS.
  • Go to Applications.
  • Create a Confidential Application.
  • Provide the Name as Fusion IDCS Application.
  • On the next page, select Configure this application as a client now.
    • Allowed Grant Type - Client Credentials
    • Client Type - Confidential
    • Under Grants
      • Select the User Administrator role.
    • Select Next and Finish.
    • Save.
    • Activate.
  • Note down the client ID and secret.
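Before the client ID and secret are stored in the Fusion credential store, it is worth confirming that the confidential application actually holds the User Administrator grant, since a client that can obtain a token but cannot read /admin/v1/Users will make the sync job fail later. The script below is an added example and not part of the original post or of Oracle's tooling. It assumes IDCS's documented OAuth2 client-credentials token endpoint (/oauth2/v1/token with scope urn:opc:idm:__myscopes__) and the SCIM Users endpoint (/admin/v1/Users); the host name, client ID, secret and the sample responses are constructed placeholders, and the fake opener exists only so the check can be dry-run offline.

```python
"""Verify an IDCS confidential client before storing it in Fusion.

Added example, not from the original post. Assumes IDCS's documented
OAuth2 token endpoint (/oauth2/v1/token) and SCIM Users endpoint
(/admin/v1/Users); host, client id and secret below are placeholders.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_PATH = "/oauth2/v1/token"
USERS_PATH = "/admin/v1/Users"
# Scope that returns all administration scopes granted to the client.
ADMIN_SCOPE = "urn:opc:idm:__myscopes__"


def build_token_request(host, client_id, client_secret):
    """Return (url, headers, body) for a client-credentials token request."""
    creds = f"{client_id}:{client_secret}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode(
        {"grant_type": "client_credentials", "scope": ADMIN_SCOPE}
    ).encode()
    return f"https://{host}{TOKEN_PATH}", headers, body


def build_users_request(host, access_token, count=1):
    """Return (url, headers) for a minimal SCIM Users read."""
    url = f"https://{host}{USERS_PATH}?count={count}&attributes=userName"
    return url, {"Authorization": f"Bearer {access_token}"}


def _http(url, headers, body, opener):
    """Send the request; return (status, parsed JSON). HTTP errors become (code, {})."""
    req = urllib.request.Request(
        url, data=body, headers=headers, method="POST" if body else "GET"
    )
    try:
        with opener(req) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        return err.code, {}


def check_client(host, client_id, client_secret, opener=urllib.request.urlopen):
    """Obtain a token, then read one user to prove the User Administrator grant."""
    url, headers, body = build_token_request(host, client_id, client_secret)
    status, token = _http(url, headers, body, opener)
    if status != 200 or "access_token" not in token:
        return {"ok": False, "stage": "token", "status": status}
    url, headers = build_users_request(host, token["access_token"])
    status, users = _http(url, headers, None, opener)
    if status != 200:
        return {"ok": False, "stage": "users", "status": status}
    return {"ok": True, "stage": "users", "status": status,
            "total": users.get("totalResults", 0)}


class _FakeResponse:
    """Constructed stand-in for an HTTP response, used for the offline dry run."""

    def __init__(self, status, payload):
        self.status = status
        self._payload = json.dumps(payload).encode()

    def read(self):
        return self._payload

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def make_fake_opener(responses):
    """Opener serving constructed responses keyed by URL path; 4xx raises HTTPError."""
    def opener(req):
        path = urllib.parse.urlparse(req.full_url).path
        status, payload = responses[path]
        if status >= 400:
            raise urllib.error.HTTPError(req.full_url, status, "error", {}, None)
        return _FakeResponse(status, payload)
    return opener


# Constructed sample responses: a client with the grant, and one without it.
SAMPLE_RESPONSES = {
    TOKEN_PATH: (200, {"access_token": "constructed-token", "token_type": "Bearer"}),
    USERS_PATH: (200, {"totalResults": 3, "itemsPerPage": 1,
                       "Resources": [{"userName": "sync.test@example.invalid"}]}),
}
DENIED_RESPONSES = {
    TOKEN_PATH: (200, {"access_token": "constructed-token", "token_type": "Bearer"}),
    USERS_PATH: (403, {}),  # token issued, but no User Administrator grant
}

if __name__ == "__main__":
    # Dry run against constructed data; drop opener= to test a real IDCS tenant.
    print(check_client("idcs.example.invalid", "<client-id>", "<client-secret>",
                       opener=make_fake_opener(SAMPLE_RESPONSES)))
```

Run against a real tenant by omitting the opener argument; a result with stage "users" and a 401 or 403 status means the token was issued but the Grants step above was skipped, while a failure at stage "token" points at a wrong client ID or secret.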

Oracle Fusion Setup:
  • Log in to the Fusion application as an admin user.
  • Go to Setup and Maintenance.
  • Select Tasks.
  • Select Manage Setup Content.
    • Under Topology Definition
    • Select Manage Integration of Additional Applications.
    • Select Create ( + ).
    • The Create Application Integration page will open.
      • Application Name - IDCS_REST_APP
      • Full URL : https://<IDCS-HOST-NAME>/admin/v1
      • Partner Name : IDCS
      • Security Policy : Select oracle/wss_username_token_over_ssl_client_policy
      • User Name : Enter the Client ID
      • Password : Client Secret
        • Refer to the IDCS application created above for the Client ID and Secret.
      • Apply
      • Save and Close.

  • Create Task Lists and Tasks:
    • Go to Setup and Maintenance.
    • Select Tasks.
    • Select Manage Setup Content.
      • Under Functional Definition
        • Select Manage Task Lists and Tasks.
        • Select Create Task.
        • Provide the details listed in the table below. You must use exactly these values; they are seeded values.
        • Click Save, but don't close yet.
        • To save the Oracle Identity Cloud Service access credentials in the Oracle Fusion Applications Cloud Service credential store, click Test Go to Task.
        • In the Fusion Applications IDCS Sync App Credentials dialog:
          • Enter the Oracle Identity Cloud Service Admin console URL in the URL field.
          • Enter the client ID of the Oracle Identity Cloud Service application as the user name.
          • Enter the client secret of the Oracle Identity Cloud Service application as the password.


Task details (Field Name : Field Value):
  • Name : Fusion Applications IDCS Sync App Credentials
  • Code : FUSION_APPLICATIONS_IDCS_SYNC_APP_CREDENTIALS
  • Description : Fusion Applications IDCS Sync App Credentials
  • Deployment Method : None
  • Program Name : /WEB-INF/oracle/apps/setup/commonSetup/setupHub/publicUi/flow/EndpointPolicyFlow.xml#EndpointPolicyFlow
  • Perform Task : After Import
  • Enterprise Application : Setup
  • Module : Setup
  • Parameters : endpointKey=FA_USER_SYNC_IDCS_CLIENT_ID&filterSecurityPolicies=oracle/wss_username_token_over_ssl_client_policy
  • Task Type : Data Entry
  • Uses user interface : Selected
  • Open In : Standard view


We can update the sync profile options to control the batch process. Use the following steps to update them.

Modify Profile Options for User Sync

  • Go to Setup and Maintenance and search for the task Manage Administrator Profile Values.
  • Edit the following profile options at Site level:
    • FND_USER_MIGRATION_FETCH_BATCH_SIZE = 1000
    • FND_USER_MIGRATION_MAX_RETRY_ATTEMPTS = 2
    • FND_ROLE_SYNC_MAX_SELECTED_ROLES_SIZE = 1000
    • FND_USER_IDENTITY_SYNC_TARGET = IDCS
    • FND_SYNC_JOB_TYPE = USER/ROLE/ALL
      • USER - To sync only users
      • ROLE - To sync only roles
      • ALL - To sync both users and roles
    • FND_USER_MIGRATION_FA_FEDERATION = True -- the default value is True

Schedule User or Role Sync Job
  • Execute the Scheduled Process: User identity synchronization from this SaaS instance to the PaaS Identity Store.
  • Schedule this job to run every day.

Add Specific Roles to be Synced to IDCS
  • From the Setup and Maintenance panel of your service, search for the task Migrate Enterprise Roles and Assignments to PaaS Identity.
  • Add all the roles to be synchronized in this table.