Monday, 3 April 2023

SOA Integration with IDCS

  • SCIM - System for Cross-Domain Identity Management
    • Standard for identity management APIs (RFC 7643 schema, RFC 7644 protocol); IDCS exposes its users and groups over it.
    • Supported by multiple identity providers.
  • SOA roles will be mapped to IDCS groups.
  • Set up federated SSO through SAML between IDCS and SOA.
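
The role-to-group mapping above is easiest to sanity-check against what IDCS actually returns over SCIM before any WebLogic configuration is touched. The following is an added example, not code from the original post or from Oracle: it parses a constructed SCIM 2.0 ListResponse for the Groups endpoint (group names, user IDs and the SOAAdmin/SOAOperator/SOAMonitor mapping are hypothetical), refuses to reason about a partial page, reports mapped groups that do not exist yet, and computes the SOA roles a given user would end up with.

```python
import json

# Constructed sample: a SCIM 2.0 ListResponse as returned by GET .../admin/v1/Groups.
# Group names, user IDs and member lists are made up for this example.
SAMPLE_GROUPS_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 2,
    "startIndex": 1,
    "itemsPerPage": 2,
    "Resources": [
        {"id": "g-1001", "displayName": "SOA_Admins",
         "members": [{"value": "u-42", "display": "alice"}]},
        {"id": "g-1002", "displayName": "SOA_Operators",
         "members": [{"value": "u-42", "display": "alice"},
                     {"value": "u-77", "display": "bob"}]},
    ],
})

# Hypothetical SOA role -> IDCS group table (the "Create IDCS groups for SOA" step).
ROLE_TO_GROUP = {
    "SOAAdmin": "SOA_Admins",
    "SOAOperator": "SOA_Operators",
    "SOAMonitor": "SOA_Monitors",
}

LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def parse_groups(raw):
    """Return {displayName: set(member user ids)} from a SCIM ListResponse.

    Raises ValueError if the payload is not a ListResponse or is only one page
    of a larger result, so a role check is never run on an incomplete list."""
    doc = json.loads(raw)
    if LIST_RESPONSE_SCHEMA not in doc.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    resources = doc.get("Resources", [])
    start = doc.get("startIndex", 1)
    total = doc.get("totalResults", len(resources))
    if start - 1 + len(resources) < total:
        raise ValueError("partial page: %d of %d groups; page with startIndex/count"
                         % (start - 1 + len(resources), total))
    groups = {}
    for g in resources:
        # SCIM multi-valued 'members': each entry's 'value' is the user's id
        groups[g["displayName"]] = {m["value"] for m in g.get("members", [])}
    return groups


def missing_groups(groups, role_to_group):
    """Groups the mapping refers to that do not exist in IDCS (pre-flight check)."""
    return sorted(set(role_to_group.values()) - set(groups))


def soa_roles_for_user(groups, role_to_group, user_id):
    """SOA roles a user will hold, derived from the group membership IDCS reports."""
    return sorted(role for role, grp in role_to_group.items()
                  if user_id in groups.get(grp, set()))


if __name__ == "__main__":
    groups = parse_groups(SAMPLE_GROUPS_RESPONSE)
    print("groups not yet created in IDCS:", missing_groups(groups, ROLE_TO_GROUP))
    print("roles for u-42:", soa_roles_for_user(groups, ROLE_TO_GROUP, "u-42"))
```

Against a live tenancy the same functions are fed the body of an authenticated GET on the Groups endpoint; the partial-page check matters there because the server pages results, and a mapping validated against the first page alone will silently miss groups.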

High-Level Steps. 
  • Create IDCS groups for SOA (one per SOA role you intend to map).
  • Create a Confidential Application in IDCS
    • Register as client
    • Select client type Confidential
    • Allow the following grant types
      • Client Credentials
      • JWT Assertion
      • Refresh Token
      • SAML2 Assertion
    • Granted roles
      • Identity Domain Administrator
      • Cloud Gate
    • Assign the SOA groups to this application.
    • Note the Client ID and Client Secret; the WebLogic provider needs both. Because the application holds the Identity Domain Administrator role, the secret grants administrative access to the tenancy and must be protected like any other privileged credential.
  • Configure the identity provider in the SOA WebLogic console.
    • WebLogic Console
    • Security Realms
    • myrealm
    • Providers
      • Select New
      • Name - IDCS Provider
      • Type - OracleIdentityCloudIntegrator
      • Click OK
      • Open the IDCS provider
        • Common
          • Control Flag - SUFFICIENT: if IDCS authenticates the user, the remaining providers are not consulted; if it fails, the next provider in the list is tried.
          • Active Types
            • Authorization
            • REMOTE_USER
          • REMOTE_USER asserts identity from an HTTP header set by a trusted front end (Cloud Gate / App Gateway). Keep it active only when requests can reach SOA exclusively through that front end, which must drop any client-supplied copy of the header; otherwise anyone who can reach the server directly can assert any user.
        • Provider Specific:
          • Provide the IDCS details.
            • Host
            • Port - 443
            • SSL - Enabled
            • IDCS Tenant Name
            • Client ID
            • Secret
            • Save
      • Reorder the providers so that IDCS is checked first, followed by the default providers.
      • Select DefaultAuthenticator
        • Common
        • Control Flag - SUFFICIENT
        • Save
      • Keep DefaultAuthenticator in the realm at SUFFICIENT so the WebLogic admin user can still log in when IDCS is unreachable; with both providers at SUFFICIENT, a user is accepted by whichever provider authenticates them first.
    • Activate the changes.
  • Import the IDCS certificates into the trust store.
    • Get the IDCS certificate chain from the following URL (for example by exporting it from the browser).
      • https://$IDCS_HOST_PORT/ui/v1/adminconsole
    • Import the certificates into System/Trust using the EM console.
    • Add the following property to setDomainEnv.sh so that the wildcard certificate presented by IDCS passes hostname verification (the property and class names are case-sensitive):
      • -Dweblogic.security.SSL.hostnameVerifier=weblogic.security.utils.SSLWLSWildcardHostnameVerifier
    • Do not work around a hostname mismatch with -Dweblogic.security.SSL.ignoreHostnameVerification=true: the wildcard verifier still checks that the certificate belongs to the IDCS host, whereas ignoring verification lets any certificate the trust store accepts impersonate IDCS.
  • Manual OPSS configuration.
    • Edit the following file in the domain directory (back it up first)
      • /config/fmwconfig/jps-config.xml
      • Under jpsContexts, change the serviceInstanceRef from idstore.ldap to idstore.scim; leave the serviceInstance definitions themselves in place.
      • Create an IDCS property file and run the script as described in Doc ID 2916662.2.
  • Configure SSO:
    • Create a SAML application in IDCS.
    • Give it a name.
    • Entity ID - any value, but it must be the same Entity ID configured on the WebLogic SAML 2.0 service provider side, because the Audience in the assertion is checked against it.
    • Assertion Consumer URL - https://$SOA_LB_URL/saml2/sp/acs/post
    • NameID Format - Unspecified.
    • Attributes can be added.
      • Name - Groups
      • Format - Basic
      • Value - Group Membership
      • Condition
        • equals
        • Value - All groups
      • Add groups
      • Activate
    • Download the IDCS metadata.xml from the SAML application created above; it is what the WebLogic SAML2 Identity Asserter consumes when the identity provider partner is created.

  • RDBMS security store setup for the load-balanced WebLogic cluster (required for SAML 2.0 in a clustered domain)
    • Refer to the link below for more details.
  • Configure the SAML2 Identity Asserter.
    • Refer to the link below for more details.
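
The jps-config.xml change in the "Manual OPSS Configurations" step is small but easy to get wrong with a blanket sed, since the same string appears both as the serviceInstance name and as the serviceInstanceRef. The script below is an added example, not part of the original post and not the Oracle-supplied script from Doc ID 2916662.2: it rewrites only the references under jpsContexts, refuses to proceed unless a serviceInstance named idstore.scim already exists (a dangling reference breaks every login after restart), and returns a before/after view for verification. The embedded jps-config.xml is a constructed, cut-down sample; the idstore.scim instance in it stands in for whatever the Oracle script creates.

```python
import xml.etree.ElementTree as ET

JPS_NS = "http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd"

# Constructed, cut-down jps-config.xml shaped like $DOMAIN_HOME/config/fmwconfig/jps-config.xml.
SAMPLE_JPS_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<jpsConfig xmlns="%s">
  <serviceInstances>
    <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider"/>
    <serviceInstance name="idstore.scim" provider="idstore.scim.provider"/>
    <serviceInstance name="credstore.db" provider="db.credstore.provider"/>
  </serviceInstances>
  <jpsContexts default="default">
    <jpsContext name="default">
      <serviceInstanceRef ref="credstore.db"/>
      <serviceInstanceRef ref="idstore.ldap"/>
    </jpsContext>
    <jpsContext name="bootstrap_credstore_context">
      <serviceInstanceRef ref="bootstrap.credstore"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>
""" % JPS_NS


def switch_idstore(xml_text, old="idstore.ldap", new="idstore.scim"):
    """Change serviceInstanceRef ref=old to ref=new under jpsContexts only.

    The serviceInstance definitions are left untouched, and the swap is refused
    unless a serviceInstance named `new` exists. Returns (new_xml, refs_changed)."""
    ET.register_namespace("", JPS_NS)          # keep the default namespace on output
    root = ET.fromstring(xml_text)
    ns = {"j": JPS_NS}
    defined = {si.get("name")
               for si in root.findall("j:serviceInstances/j:serviceInstance", ns)}
    if new not in defined:
        raise ValueError("no serviceInstance named %r; run the IDCS script first" % new)
    changed = 0
    for ref in root.findall("j:jpsContexts/j:jpsContext/j:serviceInstanceRef", ns):
        if ref.get("ref") == old:
            ref.set("ref", new)
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def idstore_refs(xml_text):
    """Map each jpsContext name to the identity store it references (for verification)."""
    root = ET.fromstring(xml_text)
    ns = {"j": JPS_NS}
    out = {}
    for ctx in root.findall("j:jpsContexts/j:jpsContext", ns):
        for ref in ctx.findall("j:serviceInstanceRef", ns):
            if ref.get("ref", "").startswith("idstore."):
                out[ctx.get("name")] = ref.get("ref")
    return out


if __name__ == "__main__":
    import shutil
    import sys
    path = sys.argv[1]                 # e.g. $DOMAIN_HOME/config/fmwconfig/jps-config.xml
    shutil.copy(path, path + ".bak")   # always keep the original alongside
    with open(path) as f:
        text = f.read()
    new_text, n = switch_idstore(text)
    with open(path, "w") as f:
        f.write(new_text)
    print("rewrote %d reference(s); identity stores now: %s" % (n, idstore_refs(new_text)))
```

Run it with the servers stopped and the path to the real file as the only argument, then diff the .bak against the result before restarting; the only lines that should differ are serviceInstanceRef elements under jpsContexts.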


Oracle Reference : https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=111700059898561&id=2916662.2&_afrWindowMode=0&_adf.ctrl-state=nbcwpoz12_4
