Saturday, 3 July 2021

Oracle Fusion - User and Role Sync from Fusion to IDCS

Refer to my previous blogs for configuring SSO and OAuth authentication between IDCS and Fusion applications.

In this blog, I will explain how to sync users and roles from Fusion to IDCS. The user sync can also be used to migrate existing users from Fusion to IDCS.

Note: As I explained in my earlier blogs, users can originate in Fusion or in IDCS. If users are created in SaaS and then need to be synced to IDCS, we can use the following sync configuration. This configuration can also be used as a pre-cutover activity to sync existing users from Fusion before switching to IDCS as the user origin. Once the sync is done, we can disable this configuration.

Roles originate only in Fusion, and these roles can be synced to IDCS to create the corresponding roles in IDCS.

Prerequisite:
  • Create an IDCS client application with User Admin roles. 
  • Login to IDCS
  • Go to Applications
  • Create Confidential Application.
  • Provide Name as - Fusion IDCS Application. 
  • Next Page - Select configure this application as Client Now.
    • Select Allowed Grant Type - Client Credentials
    • Client Type - Confidential
    • Under Grants 
      • Select User Administrator role.
    • Select Next and Finish
    • Save 
    • Activate.
  • Note down the client id and secret. 

Oracle Fusion Setup:
  • Login to Fusion Application. Use Admin User
  • Go to Setup and Maintenance
  • Select Tasks
  • Select Manage Setup Content
    • Under Topology Definition 
    • Select Manage Integration of Additional Applications
    • Select Create ( + ) 
    • Create Application Integration page will open.
      • Application Name - IDCS_REST_APP
      • Full URL : https://<IDCS-HOST-NAME>/admin/v1
      • Partner Name : IDCS
      • Security Policy : Select - oracle/wss_username_token_over_ssl_client_policy
      • User Name : Enter the Client Id
      • Password : Enter the Client Secret
        • Use the Client Id and Secret of the IDCS application created above.
      • Apply 
      • Save and Close.

  • Create Task Lists and Tasks:
    • Go to Setup and Maintenance
    • Select Tasks
    • Select Manage Setup Content
      • Under Functional Definition
        • Select Manage Task Lists and Tasks
        • Select Create Task
        • Provide the following details (see the Field Name / Field Value list after these steps). You must use the same values; they are seeded values.
        • Click Save, but don’t close yet.
        • To save the Oracle Identity Cloud Service access credentials in the Oracle Fusion Applications Cloud Service credential store, click Test Go to Task.
        • In the Fusion Applications IDCS Sync App Credentials dialog, enter the Oracle Identity Cloud Service Admin console URL in the URL field.
        • Enter the client ID of the Oracle Identity Cloud Service application as the user name.
        • Enter the secret key of the Oracle Identity Cloud Service application as the password.

| Field Name | Field Value |
|---|---|
| | Fusion Applications IDCS Sync App Credentials |
| | Fusion Applications IDCS Sync App Credentials |
| Deployment Method | |
| Program Name | |
| Perform Task | After Import |
| Enterprise Application | |
| Task Type | Data Entry |
| Uses user interface | |
| Open In | Standard view |

We can update the Sync profile to control the batch process. Use the following steps to update the profile options. 

Modify Profile Options for User Sync. 

  • Go to Setup and Maintenance and search for task: Manage Administrator Profile Values
  • Edit the below Profile options at Site level
      • USER - To Sync Only User
      • ROLE - To Sync Only Roles
      • ALL -  To Sync Both User and Role. 
    • FND_USER_MIGRATION_FA_FEDERATION=True  -- Default value is True

Schedule User Or Role Sync Job
  • Execute the scheduled process: User identity synchronization from this SaaS instance to the PaaS Identity Store
  • Schedule this job to run every day

Add Specific Roles to be Synched to IDCS
  • From the Setup and Maintenance panel of your service, search for the task Migrate Enterprise Roles and Assignments to PaaS Identity.
  • Add all the Roles to be synchronized in this table
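
To confirm that the client credentials work and that the scheduled job actually created the users, the following added example (not part of the original post and not Oracle's code) requests a token with the client credentials grant and pages through the SCIM /admin/v1/Users endpoint, then reports Fusion user names missing from IDCS. The /oauth2/v1/token path and the urn:opc:idm:__myscopes__ scope are the standard IDCS ones; the environment variable names, the sample user names and the case-insensitive comparison are assumptions of this example.

```python
import json, os, urllib.parse, urllib.request
from base64 import b64encode

SCOPE = "urn:opc:idm:__myscopes__"  # grants whatever admin roles the app was given

def token_request(host, client_id, client_secret):
    """Client-credentials token request for the confidential application."""
    basic = b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": SCOPE})
    return urllib.request.Request(
        f"https://{host}/oauth2/v1/token", data=body.encode(), method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"})

def users_request(host, access_token, start=1, count=100):
    """Paged SCIM query against the same /admin/v1 base URL registered in Fusion."""
    qs = urllib.parse.urlencode({"attributes": "userName", "startIndex": start, "count": count})
    return urllib.request.Request(f"https://{host}/admin/v1/Users?{qs}",
                                  headers={"Authorization": f"Bearer {access_token}"})

def missing_in_idcs(fusion_users, scim_pages):
    """Fusion user names found in no SCIM page (compared case-insensitively: assumption)."""
    synced = {r["userName"].lower() for p in scim_pages for r in p.get("Resources", [])}
    return sorted(u for u in fusion_users if u.lower() not in synced)

def fetch_all(host, client_id, client_secret):
    """Live run (needs network): obtain a token, then read every page of /Users."""
    with urllib.request.urlopen(token_request(host, client_id, client_secret)) as r:
        token = json.load(r)["access_token"]
    pages, start = [], 1
    while True:
        with urllib.request.urlopen(users_request(host, token, start)) as r:
            page = json.load(r)
        pages.append(page)
        start += len(page.get("Resources", []))
        if not page.get("Resources") or start > page.get("totalResults", 0):
            return pages

# Constructed sample data, not output from a real tenant
SAMPLE_PAGES = [{"totalResults": 2, "itemsPerPage": 2, "startIndex": 1,
                 "Resources": [{"userName": "ALICE.ADMIN"}, {"userName": "bob.buyer"}]}]
SAMPLE_FUSION_USERS = ["alice.admin", "bob.buyer", "carol.clerk"]

if __name__ == "__main__":
    host = os.environ.get("IDCS_HOST")  # hypothetical variable names; keep the secret out of the script
    pages = SAMPLE_PAGES
    if host:
        pages = fetch_all(host, os.environ["IDCS_CLIENT_ID"], os.environ["IDCS_CLIENT_SECRET"])
    print("Not yet in IDCS:", missing_in_idcs(SAMPLE_FUSION_USERS, pages))
```

Because the application holds the User Administrator role, the client secret should be supplied from the environment or a secret store at run time rather than written into the script.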
