Oracle Cloud Infrastructure Documentation

Configure Integration with Oracle Configure, Price, Quote (CPQ)

You can establish a connection between Oracle Access Governance and Oracle Cloud Enterprise Performance Management application as a Managed System. To configure, use Orchestrated Systems in the Oracle Access Governance Console.

Prerequisites

Before you install and configure the Oracle Configure, Price, Quote (CPQ) orchestrated system. You should consider the following prerequisites and tasks.

Understanding Prerequisites Workflow

Create a Service User in Oracle Configure, Price, Quote (CPQ) for Basic Authentication

Create a new service user in Oracle Configure, Price, Quote (CPQ) as a User Administrator.

Create a service user account in the Oracle Configure, Price, Quote (CPQ) cloud account and assign Full Access and User Administrator user. This is required for Basic Authentication.
  1. Go to the Oracle Configure, Price, Quote (CPQ) cloud account.
  2. From the user profile settings, select Users.
  3. Enter the user details, as follows:
    • Login: User name for this user.
    • Password: Enter the password.
    • Email: Enter the email address.
    • First Name: Enter user's first name
  4. In the User Settings section, in the Type list, select FullAccess.
  5. Click Add. The group
Create Groups with User Access
  1. From the user profile settings, select Groups.
  2. Select Add. The Group Administration page is opened.
  3. Enter Group Name and Variable Name.
  4. In the Type list, select Administrator.
  5. In the Available Access list, select Users with all permissions selected
Assign Required Permissions and Groups to the Service User
  1. Search and open the service user.
  2. In the Permissions option, select User Administrator.
  3. From the Administrator Group List, assign the custom group created above.
  4. Select Update.

Create an Integrated Confidential Type Application

To create an integrated application of Confidential type in OCI IAM, you must have the Identity Domain Administrator role.

  1. Navigate to Identity & Security, and click Domains.
  2. Select Domains.
  3. Click the Integrated applications tab.
  4. Click Add application.
  5. Select Confidential Application tile, and then click Launch workflow.
  6. In the Details page, enter the following:
    1. Enter name and description for the confidential application.
    2. Click Submit.
Edit OAuth configurations
  1. Select the OAuth configuration tab.
  2. Select Edit OAuth configuration.
Resource server configuration
  1. Select Configure this application as a resource server now.
  2. Enter Primary audience: https://cpq12354.cpq.[region_identifier].ocs.oraclecloud.com.
Scopes
  1. Enable the Add scopes button.
  2. Add and enter scope as /api, enter display name and description.
  3. Click Add.
Client configuration
  1. Select Configure this application as a client now.
  2. Select the following grant types: and Refresh token grant types:
    • JWT assertion
    • Client Credentials
    • Authorization code
  3. Enter the Redirect URL in the following format: https://cpq12354.cpq.[region_identifier].ocs.oraclecloud.com/sso/openid_connect_redirect.jsp.
  4. Enter the Logout URL in the following format: https://cpq12354.cpq.[region_identifier].ocs.oraclecloud.com/logout.jsp
  5. Enter the Post-logout URL in the following format: https://cpq12354.cpq.[region_identifier].ocs.oraclecloud.com/sso/openid_connect_request.jsp
  6. Choose Trusted as the Client type option.
  7. Import the certificate. See Configure OAuth Provider in Oracle Configure, Price, Quote (CPQ) .
  8. Click Submit.
  9. Activate the application, click the Actions icon and then select Activate. The status should change from Inactive to Active.
Copy and save the Client ID.

Extract Private Key and Compute Certificate Thumbprint

Use certificate thumbprint, private key, public certificate from a Java keystore (.jks) file.

Retrieve the Certificate Thumbprint

Generate the certificate thumbprint from the downloaded certificate.

  1. Export public certificate from Java keystore file (.jks) 
    
                                    keytool -exportcert -alias key4oauth -keystore cpq.keystore -file public_cert.cer
    Obtain cpq.keystore securely from your CPQ system administrator or backend server.
  2. Enter the keystore password.
  3. For compatibility, convert JKS to PKCS12 using: 
    
                                    keytool -importkeystore -srckeystore cpq.keystore -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias key4oauth
  4. Enter the destination keystore new password and the source keystore password.
  5. Extract the Private Key from PKCS12 
    openssl pkcs12 -in keystore.p12 -nocerts -nodes -out private_key.pem
  6. Enter the password set in Step 4.
  7. Convert Public Certificate from DER to PEM Format 
    openssl x509 -inform DER -in public_cert.cer -out public_cert.pem
  8. Compute Certificate Thumbprint (SHA-1, base64url) 
    openssl x509 -in cpq_prod_oauth_cert.pem -outform der | openssl dgst -sha1 -binary | openssl base64 -A | tr '+/' '-_' | tr -d '='

Configure OAuth Provider in Oracle Configure, Price, Quote (CPQ) Integration Center

Configure OAuth assertion in the Oracle Configure, Price, Quote (CPQ) integration center.

  1. Go to the Oracle Configure, Price, Quote (CPQ) cloud account.
  2. Select the settings gear icon Admin icon. The Administration Platform is opened.
  3. On the Integration Platform section, select Integration Center.
  4. On the left pane, select OAuth Provider - Identity Cloud Service
  5. Configure the OAuth details, as follows:
    OptionDescription
    Issuer Enter the OCI IAM URL. 
    https://identity.oraclecloud.com
    Tenant URL Enter the Domain URL. To find your Domain URL, see Finding an Identity Domain URL 
    https://[idcs-identifier].identity.oraclecloud.com
    Token Endpoint Enter OAuth endpoint
    /oauth2/v1/token
    Scope Enter the scope of the OCI IAM Domain
    urn:opc:idm:__myscopes__
    Certification Setup Enter the following:
    1. JWKS Endpoint: Enter JSON Web Key Set Endpoint. For example, /admin/v1/SigningCert/jwk
    2. Enter the integrated application client ID
    Note

    Contact your business operation team to fetch certification details for your service instance.
    Client App Configuration Enter the integrated application client ID.
  6. Download the CPQ Public Key.
Import certificate in the Integrated Application
  1. In the Integrated application, click Edit OAuth Configuration
  2. Click Import certificate and import the downloaded certificate.
  3. Submit and save it.

Create a Service user in Oracle Configure, Price, Quote (CPQ) for OCI IAM Integration

Create a service user in Oracle Configure, Price, Quote (CPQ) to integrate with OCI IAM.

In the Oracle Configure, Price, Quote (CPQ) console, from the Admin menu, select System Properties. Set BMContext.user_management_delegated_to_idp = true. You can also contact Oracle Support for Enabling User Management Delegation to IDP.
Create a Service User in OCI IAM
  1. Create a User
Create a corresponding Service User for enabling provisioning in Oracle Configure, Price, Quote (CPQ)
  1. Go to the Oracle Configure, Price, Quote (CPQ) cloud account.
  2. From the user profile settings, select Users.
  3. Enter the user details, as follows:
    • Login: User name for this user. It should match the OCI IAM username.
    • Password: Enter the password.
    • Email: Enter the email address.
    • First Name: Enter user's first name
  4. In the User Settings section, in the Type list, select FullAccess.
  5. Select Enabled for SSO.
  6. Click Add.
Assign Required Permissions and Groups to the Service User
  1. Search and open the service user.
  2. In the Permissions option, select User Administrator and Web Services Only.
  3. Select Update.
Assign Required Permissions and Groups to the Service User
  1. Open the service user that you just created.
  2. Select User Integration.
  3. In the CRM/IdP tab, enter the login details of the service user.

Configure

You can establish a connection between Oracle Configure, Price, Quote (CPQ) and Oracle Access Governance by entering connection details. To achieve this, use the orchestrated systems functionality available in the Oracle Access Governance Console.

Navigate to the Orchestrated Systems Page

The Orchestrated Systems page of the Oracle Access Governance Console is where you start configuration of your orchestrated system.

Navigate to the Orchestrated Systems page of the Oracle Access Governance Console, by following these steps:
  1. From the Oracle Access Governance navigation menu  icon Navigation menu, select Service Administration → Orchestrated Systems .
  2. Select the Add an orchestrated system button to start the workflow.

Select system

On the Select system step of the workflow, you can specify which type of system you would like to integrate with Oracle Access Governance.

You can search for the required system by name using the Search field.

  1. Select Oracle Configure, Price, Quote (CPQ) .
  2. Click Next.

Add details

Add details such as name, description, and configuration mode.

On the Add Details step of the workflow, enter the details for the orchestrated system:
  1. Enter a name for the system you want to connect to in the Name field.
  2. Enter a description for the system in the Description field.
  3. For this orchestrated system, Oracle Access Governance can manage permissions
  4. Click Next.

Account settings

Manage account settings when setting up your orchestrated system including notification settings, and default actions when an identity moves or leaves your organization.

  1. Select to allow Oracle Access Governance to create new accounts when a permission is requested, if the account does not already exist. By default, the account is be created if it doesn't exist, when a permission is requested. If the option is cleared, then permissions can only be provisioned where the account already exists in the orchestrated system. If permission is requested where no user exists then the provisioning operation is failed.
  2. Select where and who to send notification emails when an account is created. The default setting is User. You can select one, both, or none of these options. If you select no options then notifications is not sent when an account is created.
    • User
    • User manager
  3. When an identity leaves your enterprise you must remove access to their accounts. You can select what to do with the account when this happens. Select one of the following options:
    • Delete
    • Disable
    • No action
    Note

    These options are displayed only if supported in the orchestrated system type being configured. For example, if Delete isn't supported, then Disable and No action options are displayed.
  4. When all permissions for an account are removed, for example when moving from one department to another, you might need to adjust what accounts the identity has access to. You can select what to do with the account when this happens. Select one of the following options:
    • Delete
    • Disable
    • No action
    Note

    These options are displayed only if supported in the orchestrated system type being configured. For example, if Delete isn't supported, then Disable and No action options are displayed.
  5. If you want Oracle Access Governance to manage accounts created directly in the orchestrated system you can select the Manage accounts that are not created by Access Governance option. This reconciles accounts in the managed system and allows to manage them from Oracle Access Governance.

Add Owners

Add primary and additional owners to your orchestrated system to allow them to manage resources.

You can associate resource ownership by adding primary and additional owners. This drives self-service as these owners can then manage (read, update or delete) the resources that they own. By default, the resource creator is designated as the resource owner. You can assign one primary owner and up to 20 additional owners for the resources.
Note

When setting up the first Orchestrated System for your service instance, you can assign owners only after you enable the identities from the Manage Identities section.
To add owners:
  1. Select an Oracle Access Governance active user as the primary owner in the Who is the primary owner? field.
  2. Select one or more additional owners in the Who else owns it? list. You can add up to 20 additional owners for the resource.
You can view the Primary Owner in the list. All the owners can view and manage the resources that they own.

Integration settings

Enter details of the connection to your Oracle Configure, Price, Quote (CPQ) system.

  1. On the Integration settings step of the workflow, enter the details.
    Integration settings
    Authentication Parameter Name Description
    Basic Authentication Do you want to use basic authentication? Select the checkbox to allow authentication using user credentials.
    • Basic Authentication
    • OAuth
    		 Host Name Enter the host name/instance value from the URL. For example, in the URL https://cpq12354.cpq.[region_identifier].ocs.oraclecloud.com/ui, enter
    cpq12354.cpq.[region_identifier].ocs.oraclecloud.com
    • Basic Authentication
    • OAuth
    		 Username Enter username
    Basic Authentication Password Enter password
    Basic Authentication Confirm Password Confirm your password
    OAuth

    Authentication Server URL

    		Client ID of the OCI IAM confidential application.
    Client ID Client ID of the OCI IAM confidential application.
    Private Key Enter the contents in the private key (.PEM) file.

    Certificate fingerprint

    		Enter the value between <dsign:X509Certificate> and </dsign:X509Certificate> from the IdP metadata file. See Saving the IdP X509 Certificate or Generate one for your certificate, see Generate Certificate Thumbprint.

    What is the scope?

    		Enter applicable scopes allowed to your confidential application. For example:
    https://cpq12354.cpq.[region_identifier].ocs.oraclecloud.com/api
  2. Click Add to create the orchestrated system.

Finish Up

Finish up configuration of your orchestrated system by providing details of whether to perform further customization, or activate and run a data load.

The final step of the workflow is Finish Up.

You are given a choice whether to further configure your orchestrated system before running a data load, or accept the default configuration and initiate a data load. Select one from:
  • Customize before enabling the system for data loads
  • Activate and prepare the data load with the provided defaults