Oracle Policy Automation

Before You Begin

Introduction

This document describes how to configure Oracle Identity Cloud Service to provide Single Sign-On (SSO) using OpenID Connect and provisioning for Oracle Policy Automation.

About Oracle Policy Automation

Oracle Policy Automation enables organizations in all industries to automate service processes, policies, rules, and regulations to provide superior customer experiences across all channels, through interactive self-service advice, guided agent interviews, and offline surveys and assessments. Oracle Policy Automation includes a management console for tracking, sharing and deploying policy versions, and for configuring user permissions and connections.

After integrating Oracle Policy Automation with Oracle Identity Cloud Service:

  • Users can access the Oracle Policy Automation Hub using their Oracle Identity Cloud Service login credentials.
  • Users can start the Oracle Policy Automation Hub using the Oracle Identity Cloud Service My Apps console.
  • Admins can assign and revoke user access to the Oracle Policy Automation Hub using the Oracle Identity Cloud Service administration console.

Note: This integration is applicable to Oracle Policy Automation Hub users, including Oracle Policy Automation Mobile users, but not to Oracle Policy Automation interview users.

What Do You Need?

  • An Oracle Policy Automation Hub running Oracle Policy Automation 12.2.9 (Release 17D) or later.
  • An Oracle Policy Automation Hub user account with authorization rights to create accounts for application integration (Hub Administrator).
  • The Oracle Policy Automation Hub Server URL.
  • An Oracle Identity Cloud Service account with authorization rights to manage apps and users (Identity Domain Administrator or Application Administrator).

Configuring Oracle Policy Automation in Oracle Identity Cloud Service

Use this section to register and activate Oracle Policy Automation and to enable provisioning for Oracle Policy Automation. You can then assign users or groups to Oracle Policy Automation and start the user provisioning process.

Note: The Synchronization feature is currently not supported.

Prerequisite Steps

To enable provisioning, client ID and client secret values are required to authenticate with Oracle Policy Automation REST APIs. You obtain these values by adding a new local API client in the Oracle Policy Automation Hub.

The detailed instructions for performing these tasks are available in the Oracle Policy Automation documentation. For details, see the Add a new API client section in the Project Administrator Guide.

Registering and Activating Oracle Policy Automation

  1. Access the Oracle Identity Cloud Service administration console, select Applications, and then click Add.

  2. Click App Catalog.

  3. Search for Oracle Policy Automation, and then click Add.

  4. In the App Details section, enter the Name, Description, and OPA Server Name.

  5. Click Next to enable provisioning for Oracle Policy Automation. See the "Enabling Provisioning for Oracle Policy Automation" section.

  6. Click Finish. Oracle Identity Cloud Service displays a confirmation message.

  7. Click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Enabling Provisioning for Oracle Policy Automation

Use this section to enable provisioning for managing user accounts in Oracle Policy Automation through Oracle Identity Cloud Service.

  1. On the Provisioning page, select Enable Provisioning.

  2. Use the table to enter values for establishing a connection with Oracle Policy Automation through Oracle Identity Cloud Service:

    This table lists the parameters that Oracle Identity Cloud Service requires to connect to Oracle Policy Automation.

    Parameter                 Value
    Host Name                 Enter the host name of the server hosting the Oracle Policy Automation Hub.
    Port Number               Enter the port number where Oracle Policy Automation is listening.
    Client ID                 Enter the client ID value that you obtained in the "Prerequisite Steps" section.
    Client Secret             Enter the client secret value that you obtained in the "Prerequisite Steps" section.
    Authorization Server URL  Enter the URL of the Oracle Policy Automation Hub authorization server. For example, https://<OPA-ServerName>/opa-hub/api/auth/

    Note: Currently, you must create the Oracle Policy Automation application before verifying the connection with Oracle Policy Automation. To do so, perform Step 6 in the "Registering and Activating Oracle Policy Automation" section, and then continue with the following procedure.

  3. Click Test Connectivity to verify the connection with Oracle Policy Automation. Oracle Identity Cloud Service displays a confirmation message.

  4. To view predefined attribute mappings between the user account fields defined in Oracle Policy Automation and the corresponding fields defined in Oracle Identity Cloud Service, click Attribute Mapping, and then click OK.

    Note: To add a new attribute for provisioning, click Add Attribute, specify the attributes in the User and OPA Account columns, and then click OK. For example, if you want to add the User Name field, enter $(user.userName) in the User column, and then select the corresponding field from the drop-down list in the OPA Account column.

  5. Specify the provisioning operations that you want to enable for Oracle Policy Automation:

    Note: By default, the Create Account and Delete Account check boxes are selected.

    Create Account: Automatically creates an account in Oracle Policy Automation Hub when Oracle Policy Automation access is granted to the corresponding user in Oracle Identity Cloud Service.

    Delete Account: Automatically deletes an account from Oracle Policy Automation Hub when Oracle Policy Automation access is revoked from the corresponding user in Oracle Identity Cloud Service.

You can now manage Oracle Policy Automation accounts through Oracle Identity Cloud Service. For more information on performing provisioning tasks, see the Managing Oracle Identity Cloud Service Users and Managing Oracle Identity Cloud Service Groups sections in Administering Oracle Identity Cloud Service.

Configuring OpenID Connect in Oracle Identity Cloud Service

Use this section to configure OpenID Connect in Oracle Identity Cloud Service.

  1. Access the Oracle Identity Cloud Service administration console, select Applications, click OPA, and then select Configuration.

  2. Expand General Information, and write down the value of the Client ID.

  3. Next to the Client Secret field, click Show Secret, and then write down the value of the Client Secret.

  4. Expand Client Configuration, and then update the value for the Redirect URI field to https://<OPA-ServerName>/opa-hub/authenticate/idcs.

  5. Update the value for the Post Logout Redirect URL to https://<OPA-ServerName>/opa-hub/manager/logout.

  6. Expand Resources, and then update the value for the Primary Audience field to https://<OPA-ServerName>/.

Registering and Activating OpenID Connect in Oracle Policy Automation

Use this section to configure the Oracle Policy Automation Hub for registering and activating OpenID Connect.

Prerequisite Steps

Before registering and activating OpenID Connect in Oracle Policy Automation, ensure that the Oracle Policy Automation application is assigned to a user account. You use this account for verifying the integration. After the integration is successful, this account is assigned the default Hub Administrator role in Oracle Policy Automation.

Note: Ensure that you do not revoke access for the user account with the Hub Administrator role; otherwise, the user cannot access the Oracle Policy Automation Hub as Hub Administrator.

Configuring the Oracle Policy Automation Hub

  1. Access the Oracle Policy Automation Hub at: https://<OPA-ServerName>/opa-hub/, and then log in as an administrator.

  2. Click the Permissions icon. The Permissions page appears.

  3. From the Actions menu, select Identity Management Settings. The Identity Management Settings window appears.

  4. From the Identity Management drop-down list, select Update to manage users with IDCS (OAuth2).

  5. Use the table to enter values for establishing a connection with Oracle Identity Cloud Service through Oracle Policy Automation:

    This table lists the OAuth parameters that Oracle Policy Automation requires to connect to Oracle Identity Cloud Service.

    Parameter                 Value
    Authorization Server URL  Enter the Oracle Identity Cloud Service host URL. For example, https://<IDCS-Service-Instance>.identity.oraclecloud.com. You obtain this information from the Oracle Identity Cloud Service administration console URL: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/adminconsole.
    Client ID                 Enter the client ID value that you obtained in the "Configuring OpenID Connect in Oracle Identity Cloud Service" section.
    Client Secret             Enter the client secret value that you obtained in the "Configuring OpenID Connect in Oracle Identity Cloud Service" section.
    Client Primary Audience   By default, this field displays the Oracle Policy Automation Server URL. For example, https://<OPA-ServerName>/. Ensure that the URL does not include a suffix after <OPA-ServerName>. For example, if the field displays the URL as https://<OPA-ServerName>/opa/idcs/, remove the opa/idcs/ suffix.

  6. Click Test Settings. Oracle Policy Automation displays a confirmation message.

  7. Click Authorize. Oracle Policy Automation displays the Oracle Identity Cloud Service login page.

  8. Log in using the credentials for a user that is assigned to the Oracle Policy Automation application. Oracle Policy Automation displays a confirmation message indicating that the setup is complete.
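As an added example (not part of the Oracle documentation), the following Python script derives the values that the "Configuring OpenID Connect in Oracle Identity Cloud Service", "Configuring the Oracle Policy Automation Hub" and "Enabling Provisioning" procedures expect from the OPA host name and the IDCS instance name, then compares them with what was actually entered on each side, flagging the path-suffix case noted for Client Primary Audience and a client secret that differs between the two sides. The host names, client ID and secret are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed placeholder names for the example; not real hosts or credentials.
OPA_HOST = "opa.example.com"
IDCS_INSTANCE = "idcs-example"


def expected_settings(opa_host, idcs_instance):
    """Return the URL values the guide expects on each side of the integration."""
    opa_base = f"https://{opa_host}/"
    return {
        # Entered in the IDCS app (Configuring OpenID Connect in Oracle Identity Cloud Service)
        "idcs.redirect_uri": f"{opa_base}opa-hub/authenticate/idcs",
        "idcs.post_logout_redirect_url": f"{opa_base}opa-hub/manager/logout",
        "idcs.primary_audience": opa_base,
        # Entered in the OPA Hub (Identity Management Settings)
        "opa.authorization_server_url": f"https://{idcs_instance}.identity.oraclecloud.com",
        "opa.client_primary_audience": opa_base,
        # Entered on the IDCS Provisioning page (Enabling Provisioning)
        "provisioning.authorization_server_url": f"{opa_base}opa-hub/api/auth/",
    }


def audience_without_suffix(value):
    """Reduce an audience URL to scheme://host/ (drops a suffix such as opa/idcs/)."""
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}/"


def check_settings(actual, opa_host, idcs_instance):
    """Compare the configured values to the expected ones and return a list of findings."""
    findings = []
    for key, want in expected_settings(opa_host, idcs_instance).items():
        got = actual.get(key)
        if got is None:
            findings.append(f"{key}: missing")
        elif got != want:
            hint = ""
            if key.endswith("audience") and audience_without_suffix(got) == want:
                hint = " (remove the path suffix)"
            findings.append(f"{key}: got {got!r}, expected {want!r}{hint}")
    # The OPA Hub must hold the client ID and secret issued by the IDCS app; a
    # secret regenerated in IDCS but not updated in the Hub locks users out.
    for name in ("client_id", "client_secret"):
        if actual.get(f"opa.{name}") != actual.get(f"idcs.{name}"):
            findings.append(f"opa.{name}: does not match the value in the IDCS app")
    return findings
```

Run the checker against the values copied from both consoles before clicking Test Settings; an empty list means every URL and credential pair agrees.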

Verifying the Integration

Use this section to verify that OpenID Connect authentication works correctly when initiated either from Oracle Policy Automation (Relying Party) or Oracle Identity Cloud Service (IdP).

Verifying IdP Initiated Login from Oracle Identity Cloud Service

  1. Access the Oracle Identity Cloud Service My Profile console at: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole.

  2. Log in using credentials for a user that is assigned to Oracle Policy Automation. Oracle Identity Cloud Service displays a shortcut to Oracle Policy Automation under My Apps.

  3. Click OPA. The Oracle Policy Automation Hub home page appears.

  4. Confirm that the user that is logged in is the same for both Oracle Policy Automation and Oracle Identity Cloud Service.

This confirms that the login that is initiated from Oracle Identity Cloud Service works.

Verifying Relying Party Initiated Login from Oracle Policy Automation

  1. Access the Oracle Policy Automation Hub at: https://<OPA-ServerName>/opa-hub. The Oracle Identity Cloud Service login page appears.

  2. Enter the credentials for a user that is assigned to Oracle Policy Automation, and then click Sign In. The Oracle Policy Automation Hub home page appears.

  3. Confirm that the user that is logged in is the same for both Oracle Policy Automation and Oracle Identity Cloud Service.

This confirms that the login that is initiated from Oracle Policy Automation works.

Verifying Relying Party Initiated Logout from Oracle Policy Automation

  1. On the Oracle Policy Automation Hub home page, click Sign out.

  2. Access the Oracle Identity Cloud Service My Profile console at: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole, and confirm that the login page appears.

This confirms that logout works and that the user is no longer logged in to Oracle Policy Automation and Oracle Identity Cloud Service.

Troubleshooting

Use this section to locate solutions to common integration issues.

Known Issues

You may be locked out of Oracle Policy Automation if you regenerate the client secret used by the Oracle Identity Cloud Service OpenID Connect application.

Cause: An Oracle Identity Cloud Service administrator regenerates the client secret attribute in Oracle Identity Cloud Service.

Solution: The client secret attribute must be updated in the Oracle Policy Automation Hub by the Hub Administrator before logging off. If not, users will not be able to log in to the Oracle Policy Automation Hub and security will have to be reset by Support.

Oracle Identity Cloud Service displays the message, "You are not authorized to access the app. Contact your system administrator."

Cause 1: The administrator revokes access for the user at the same time that the user tries to access the Oracle Policy Automation Hub using Oracle Identity Cloud Service.

Solution 1: Access the Oracle Identity Cloud Service administration console, select Applications, then OPA, then Users, and then click Assign to re-assign the user.

Cause 2: The OpenID Connect integration between Oracle Identity Cloud Service and Oracle Policy Automation Cloud is deactivated.

Solution 2:

  • Access the Oracle Identity Cloud Service administration console, select Applications, and then OPA.

  • Click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

The Identity Management Settings screen displays the message, "Internal Server Error: error initializing tokenValidator".

Cause 1: After a successful Oracle Policy Automation - Oracle Identity Cloud Service configuration, the Oracle Identity Cloud Service administrator regenerates the client secret attribute.

Solution 1: Contact the Oracle Policy Automation support team and request that the Oracle Policy Automation - Oracle Identity Cloud Service configuration be disabled in the Oracle Policy Automation Hub. Then run the steps detailed in the "Configuring OpenID Connect in Oracle Identity Cloud Service" section using the regenerated client secret value.

Unknown Issues

For unknown issues, contact Oracle Support:

  1. Go to https://support.oracle.com.

  2. Select Cloud Support, and then sign in with your support credentials.

  3. In the Cloud Dashboard, confirm that there are no planned outages in Oracle Identity Cloud Service, and then click Create Service Request.

  4. Select Oracle Identity Cloud Service as the service type.

  5. Complete your service request.