Oracle by Example

Initial Onboard of User Accounts to Applications that Don't Support Synchronization

Section 0: Before You Begin

This 15-minute tutorial explains how to onboard user accounts into Oracle Identity Cloud Service for newly integrated applications that don't support user account synchronization.

Background

Some applications that you integrate with Oracle Identity Cloud Service for authentication purposes require user accounts created in the application before the users can access these applications. These applications support both single sign-on (SSO) and provisioning configuration.

In this scenario, if Oracle Identity Cloud Service is configured to provision users to an application, then when you assign a user to the application, Oracle Identity Cloud Service triggers the provisioning process. This process creates a user account in the application, which allows the user to sign in to Oracle Identity Cloud Service and then access the application.

For applications that support synchronization of user accounts, after you integrate these applications with Oracle Identity Cloud Service, you must import the existing user accounts into Oracle Identity Cloud Service and link these user accounts to Oracle Identity Cloud Service users.

If the application you are integrating with Oracle Identity Cloud Service doesn't support synchronization of user accounts, then you can perform the initial onboarding of this application's users by using the Oracle Identity Cloud Service file import feature.

Note: For your reference, the term users in this tutorial refers to users in Oracle Identity Cloud Service. The term user accounts refers to users in the integrated application.

What Do You Need?

Complete the following prerequisites before continuing:

  • Obtain access to an Oracle Identity Cloud Service instance.
  • Create a user in Oracle Identity Cloud Service for each user account that exists in the application. See Onboard users and groups.
  • Ensure that the value of each user's user name attribute in Oracle Identity Cloud Service matches the user identifier or login of the corresponding user account in the application.
  • Understand how to use the Oracle Identity Cloud Service REST API. See First REST API Call.
  • Install curl software on your desktop. See https://curl.haxx.se/

Section 1: Request an Access Token to Be Able to Use the Oracle Identity Cloud Service REST API

To use Oracle Identity Cloud Service REST API, you need to create a confidential application in your Oracle Identity Cloud Service console, and then request an access token using curl.

Create a Confidential Application

  1. In the Identity Cloud Service console, expand the Navigation Drawer, and then click Applications.
  2. In the Applications page, click Add.
  3. In the Add Application window, click Confidential Application.
  4. In the Details pane of the Add Confidential Application page, enter REST APP in the Name field, and then click Next.
  5. In the Client pane, select Configure this application as a client now, and then select Client Credentials as the Allowed Grant Types.
  6. In the Client pane, scroll down, and then click Add below Grant the client access to Identity Cloud Service Admin APIs.
  7. In the Add App Role dialog box, select Identity Domain Administrator, and then click Add.
  8. Click Next in the Client pane and in the following panes until you reach the last pane, then click Finish.
  9. In the Application Added dialog box, make note of the Client ID and the Client Secret values, and then click Close.
  10. In the REST APP page, click Activate.
  11. In the Confirmation window, click OK.

    A success message appears.

Request an Access Token

  1. Open a command prompt window on your desktop, and then run the following command:
    curl -k -X POST -u "<CLIENT_ID>:<CLIENT_SECRET>" -d "grant_type=client_credentials&scope=urn:opc:idm:__myscopes__" "https://<IDCS_TENANT>/oauth2/v1/token" -o access_token.json
    Replace:
    • <CLIENT_ID>: with the Client ID value of the confidential application you created in the previous section.
    • <CLIENT_SECRET>: with the Client Secret value of the confidential application you created in the previous section.
    • <IDCS_TENANT>: with the domain name of your Oracle Identity Cloud Service instance.

    Note: The -k option makes curl skip verification of the server's TLS certificate. Omit it unless your desktop cannot validate the certificate, because without verification the client secret and the returned access token are sent to whichever host answers for <IDCS_TENANT>.
  2. Open the access_token.json file in a text editor and make a note of the access token value, indicated by <ACCESS_TOKEN_VALUE> below. The token is valid for the number of seconds given by expires_in (3600 in this example) and grants Identity Domain Administrator rights, so protect this file as you would the client secret.
    {
      "access_token": "<ACCESS_TOKEN_VALUE>",
      "token_type": "Bearer",
      "expires_in": 3600
    }

Section 2: Create a Flat File Containing User Account Information

Create a comma-separated values (CSV) file to import the user accounts.

  1. Create a CSV file on your desktop (c:\temp\app_user_accounts.csv).
  2. Insert the following text for the header row:
    ID, NAME, ACTIVE
  3. Enter the information in the data rows in this format:
    <IDCS_USER_NAME>,<APP_USER_LOGIN>,<true|false>

    Note: Each line must contain the user name of a user in Oracle Identity Cloud Service (<IDCS_USER_NAME>), the user account identifier in the application (<APP_USER_LOGIN>), and <true|false>, which indicates whether the user account is activated (true) or deactivated (false) in the application. These values must be separated by commas.
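The following Python script is an added example and is not part of this Oracle by Example tutorial. It generates the CSV file described in this section and, before anything is uploaded, checks each row against the prerequisites stated in Section 0: every ID must be an existing Oracle Identity Cloud Service user name, the ID must match the application login, ACTIVE must be literally true or false, and no user may be listed twice. The user names, the IDCS_USER_NAMES set and the APP_ACCOUNTS list are constructed sample data; in practice you would populate them from your tenant and from the application's own user list.

```python
import csv
import io

# Column order required by the tutorial: ID (IDCS user name), NAME (application
# login), ACTIVE (true/false). The csv module writes the header without spaces.
HEADER = ["ID", "NAME", "ACTIVE"]

# Constructed sample data, not taken from a real tenant or application.
IDCS_USER_NAMES = {"alice@example.com", "bob@example.com", "carol@example.com"}
APP_ACCOUNTS = [
    # (idcs_user_name, app_login, active)
    ("alice@example.com", "alice@example.com", True),
    ("bob@example.com", "bob@example.com", False),
    ("carol@example.com", "carol@example.com", True),
]


def build_rows(accounts):
    """Turn (idcs_user_name, app_login, active) tuples into CSV data rows."""
    return [[user, login, "true" if active else "false"]
            for user, login, active in accounts]


def validate_rows(rows, idcs_user_names):
    """Return a list of problems; an empty list means the rows satisfy the prerequisites."""
    problems = []
    seen = set()
    for line_no, row in enumerate(rows, start=2):  # line 1 is the header row
        if len(row) != 3:
            problems.append(f"line {line_no}: expected 3 columns, got {len(row)}")
            continue
        user, login, active = (cell.strip() for cell in row)
        if user not in idcs_user_names:
            problems.append(f"line {line_no}: no Oracle Identity Cloud Service user named {user!r}")
        if user != login:
            problems.append(f"line {line_no}: ID {user!r} does not match application login {login!r}")
        if active not in ("true", "false"):
            problems.append(f"line {line_no}: ACTIVE must be true or false, got {active!r}")
        if user in seen:
            problems.append(f"line {line_no}: duplicate entry for {user!r}")
        seen.add(user)
    return problems


def render_csv(rows):
    """Serialise header plus rows; csv.writer escapes commas or quotes inside values."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(HEADER)
    writer.writerows(rows)
    return buf.getvalue()


def write_csv(path, rows):
    """Write the file the upload step expects and return the number of data rows."""
    with open(path, "w", newline="", encoding="utf-8") as fh:
        fh.write(render_csv(rows))
    return len(rows)


if __name__ == "__main__":
    rows = build_rows(APP_ACCOUNTS)
    issues = validate_rows(rows, IDCS_USER_NAMES)
    if issues:
        raise SystemExit("\n".join(issues))
    # On the tutorial's Windows desktop this would be C:\temp\app_user_accounts.csv
    print(render_csv(rows))
```

Running the validator first matters because the import job in Section 5 links accounts to users by the ID column; a row whose ID has no matching Oracle Identity Cloud Service user, or a duplicate row, only shows up later as a failed or partial import on the Import tab.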


Section 3: Upload the CSV File to Oracle Identity Cloud Service

Upload the CSV file you created to the Oracle Identity Cloud Service storage server.

  1. From the command prompt window on your desktop, run the following command:
    curl -k -X POST -H "Authorization: Bearer <ACCESS_TOKEN_VALUE>" -F "contentType=text/csv" -F "isPublic=false" -F file=@"C:\temp\app_user_accounts.csv" "https://<IDCS_TENANT>/storage/v1/Files"
    Replace:
    • <ACCESS_TOKEN_VALUE>: with the access token value you acquired in section 1.
    • <IDCS_TENANT>: with the domain name of your Oracle Identity Cloud Service instance.
  2. Make note of the value of the fileName attribute in the response. This value is the <CSV_FILE_URI> used in section 5.
  3. In the following response example, the value of the fileName attribute is files/<date>/file-id.csv.
    {
      "fileName": "files/<date>/file-id.csv",
      "isPublic": false,
      "fileUrl": "https://OBJECT_STORAGE_URL/file-id.csv"
    }

Section 4: Find Your Application ID and the Corresponding Managed App ID

Every application you create using the Oracle Identity Cloud Service App Catalog has a unique identifier (ID). These App Catalog applications are based on a template, and this template has its own unique identifier (Managed App ID). Use the /admin/v1/Apps endpoint to get both the App ID and the corresponding Managed App ID values for your application.

Get Application ID

  1. From the command prompt window on your desktop, run the following command. The SCIM filter expression contains spaces and double quotes, so it is URL-encoded inside the quoted URL:
    curl -k -X GET -H "Authorization: Bearer <ACCESS_TOKEN_VALUE>" -H "Content-Type:application/scim+json" "https://<IDCS_TENANT>/admin/v1/Apps?filter=displayName%20co%20%22<YOUR_APP_NAME>%22"
    Replace:
    • <ACCESS_TOKEN_VALUE>: with the value of the access token from section 1.
    • <IDCS_TENANT>: with the domain name of your Oracle Identity Cloud Service instance.
    • <YOUR_APP_NAME>: with the name of your application in Oracle Identity Cloud Service. Because the co (contains) operator also matches longer names, check that the displayName in the response is exactly your application's name.
  2. Make note of the value of the id attribute in the response.
  3. In the following response example, the APP_ID of the application is abcde123456789fgh.
    {
      "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
      "totalResults": 1,
      "Resources": [{
        ...
        "displayName": "YOUR_APP_NAME",
        ...
        "id": "abcde123456789fgh",
        ...
        "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:App"]
      }],
      "startIndex": 1,
      "itemsPerPage": 50
    }

    Note: The values of the other attributes in the JSON response were suppressed for readability.

Get Managed App ID

  1. From the command prompt window on your desktop, run the following command:
    curl -k -X GET -H "Authorization: Bearer <ACCESS_TOKEN_VALUE>" -H "Content-Type:application/scim+json" "https://<IDCS_TENANT>/admin/v1/Apps/<APP_ID>?attributes=urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:objectClasses"
    Replace:
    • <ACCESS_TOKEN_VALUE>: with the value of the access token from section 1.
    • <IDCS_TENANT>: with the domain name of your Oracle Identity Cloud Service instance.
    • <APP_ID>: with the ID of your application from the previous command.
  2. Make note of the value of the resourceType attribute in the response.
  3. In the following response example, the value of the resourceType attribute, which is the MANAGED_APP_ID, is ManagedApp12345abcde67890.
    {
    "isAliasApp":false,
    "displayName":"YOUR_APP_NAME",
    "id":"abcde123456789fgh",
    "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App":{
    "objectClasses":[{
    ...
    "resourceType":"ManagedApp12345abcde67890",
    ...
    }]}
    }

    Note: The values of the other attributes in the JSON response were suppressed for readability.


Section 5: Run the Import File Job

Use the values of the access token, the App ID, Managed App ID, and the file name to import the user accounts from the CSV file into Oracle Identity Cloud Service.

  1. From the command prompt window on your desktop, run the following command:
    curl -k -X POST -H "Content-Type:application/scim+json" -H "Authorization: Bearer <ACCESS_TOKEN_VALUE>" -d "{\"schemas\": [\"urn:ietf:params:scim:schemas:oracle:idcs:JobSchedule\"],\"jobType\":\"ManagedObjectSync\",\"runNow\":true,\"parameters\": [{\"name\": \"resourceType\",\"value\":\"<MANAGED_APP_ID>\"},{\"name\":\"isIncremental\",\"value\":\"false\"},{\"name\":\"isFileBased\",\"value\":\"true\"},{\"name\":\"fileURI\",\"value\":\"<CSV_FILE_URI>\"}]}" "https://<IDCS_TENANT>/job/v1/JobSchedules"
    Replace:
    • <ACCESS_TOKEN_VALUE>: with the value of the access token from section 1.
    • <IDCS_TENANT>: with the domain name of your Oracle Identity Cloud Service instance.
    • <MANAGED_APP_ID>: with the ID of the managed application from section 4.
    • <CSV_FILE_URI>: with the csv file URI from section 3.

Depending on the number of user accounts in the CSV file, the operation may take a while.
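The Python module below is an added example and is not part of this Oracle by Example tutorial. It covers the REST steps of sections 4 and 5 in code: it builds the correctly URL-encoded /admin/v1/Apps lookup, picks the App ID out of a ListResponse while insisting on an exact displayName match (the co operator only means "contains"), reads the resourceType from the managedapp extension's objectClasses, and assembles the same JobSchedule document that the curl command in section 5 posts. The function names are my own, SAMPLE_LIST and SAMPLE_APP are constructed responses shaped like the examples in section 4 (the IDs are the tutorial's placeholder values, and the extra "(test)" app is invented to show why the exact-match check is needed), and submit_job is the only function that talks to the network, so everything else runs offline. Unlike curl -k, urllib verifies the server certificate by default.

```python
import json
import urllib.request
from urllib.parse import quote

MANAGEDAPP_EXT = "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App"


def apps_lookup_url(tenant, app_name):
    """Section 4 lookup URL; the SCIM filter (spaces, quotes) must be URL-encoded."""
    filter_expr = f'displayName co "{app_name}"'
    return f"https://{tenant}/admin/v1/Apps?filter={quote(filter_expr, safe='')}"


def managed_app_url(tenant, app_id):
    """URL that asks only for the managedapp extension's objectClasses of one app."""
    return (f"https://{tenant}/admin/v1/Apps/{quote(app_id, safe='')}"
            f"?attributes={MANAGEDAPP_EXT}:objectClasses")


def extract_app_id(list_response, app_name):
    """Return the id of the app whose displayName equals app_name exactly.

    'co' also matches e.g. 'YOUR_APP_NAME (test)'; refusing anything but one
    exact match avoids importing accounts into the wrong application.
    """
    matches = [r for r in list_response.get("Resources", [])
               if r.get("displayName") == app_name]
    if len(matches) != 1:
        raise LookupError(f"expected one app named {app_name!r}, found {len(matches)}")
    return matches[0]["id"]


def extract_managed_app_ids(app_response):
    """Return every resourceType listed under the managedapp extension's objectClasses."""
    classes = app_response.get(MANAGEDAPP_EXT, {}).get("objectClasses", [])
    return [c["resourceType"] for c in classes if "resourceType" in c]


def job_schedule_body(managed_app_id, csv_file_uri):
    """The JSON document the section 5 curl command posts to /job/v1/JobSchedules."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:JobSchedule"],
        "jobType": "ManagedObjectSync",
        "runNow": True,
        "parameters": [
            {"name": "resourceType", "value": managed_app_id},
            {"name": "isIncremental", "value": "false"},
            {"name": "isFileBased", "value": "true"},
            {"name": "fileURI", "value": csv_file_uri},
        ],
    }


def submit_job(tenant, token, body):
    """POST the job schedule; urllib verifies the TLS certificate (curl -k does not).
    Hypothetical helper, not exercised by the offline demo below."""
    req = urllib.request.Request(
        f"https://{tenant}/job/v1/JobSchedules",
        data=json.dumps(body).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/scim+json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed responses shaped like the section 4 examples. The IDs are the
# tutorial's placeholders; the "(test)" app and its id are invented.
SAMPLE_LIST = {
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 2,
    "Resources": [
        {"displayName": "YOUR_APP_NAME (test)", "id": "zzz000"},
        {"displayName": "YOUR_APP_NAME", "id": "abcde123456789fgh"},
    ],
}
SAMPLE_APP = {
    "displayName": "YOUR_APP_NAME",
    "id": "abcde123456789fgh",
    MANAGEDAPP_EXT: {"objectClasses": [{"resourceType": "ManagedApp12345abcde67890"}]},
}

if __name__ == "__main__":
    tenant = "<IDCS_TENANT>"
    app_id = extract_app_id(SAMPLE_LIST, "YOUR_APP_NAME")
    managed_id = extract_managed_app_ids(SAMPLE_APP)[0]
    print(apps_lookup_url(tenant, "YOUR_APP_NAME"))
    print(managed_app_url(tenant, app_id))
    print(json.dumps(job_schedule_body(managed_id, "files/<date>/file-id.csv"), indent=2))
```

If a managed application lists more than one object class, extract_managed_app_ids returns all of their resourceType values; the tutorial's example shows a single one, so the demo simply takes the first.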


Section 6: Verify that User Accounts Have Been Imported to Your Application

Access Oracle Identity Cloud Service console and verify that the user accounts have been imported, and the corresponding users are assigned to your application.

  1. In the Identity Cloud Service console, expand the Navigation Drawer, and then click Applications.
  2. In the Applications page, click the name of your application.
  3. In your application page, click the Import tab, and then verify the status of the last import.
  4. If the status is Success, the list of user accounts appears.
  5. Verify each user has been linked to a user in Oracle Identity Cloud Service.
  6. Click the Users tab, and verify that the users have been assigned to your application.

Want to Learn More?