Oracle by Example: Synchronize Users and Groups Between Oracle Identity Cloud Service Instances

Section 0: Before You Begin

This 15-minute tutorial shows you how to use Oracle Identity Cloud Service's GenericSCIM templates to synchronize users, groups, and user-to-group assignments between two Oracle Identity Cloud Service instances.

Background

Customers who run multiple cloud environments (for example, Development, Test, and Production), or who need to migrate users from one Oracle Identity Cloud Service instance to another, can use the GenericSCIM templates to synchronize users between these instances.

The GenericSCIM templates are available from the App Catalog and help you to easily integrate two Oracle Identity Cloud Service instances for provisioning and synchronization purposes.

The following scenario demonstrates the use of the GenericScim - Client Credential template to synchronize users from one Oracle Identity Cloud Service instance to another.

Flow of synchronization (illustration: architecture.png)

The user synchronization process consists of the following steps:

  1. Either an application administrator or the scheduler triggers the GenericScim - Client Credential application to run the synchronization job.
  2. The GenericScim - Client Credential application requests an access token from the source instance of Oracle Identity Cloud Service, authenticating with the client ID and client secret of a confidential application registered there (OAuth client credentials grant).
  3. The source instance issues an access token for the confidential application.
  4. The GenericScim - Client Credential application uses the access token to make subsequent REST API calls to the source instance.
  5. These REST API calls list all users, groups, and user-to-group assignments from the source instance.
  6. The respective users, groups, and user-to-group assignments are created in the destination instance of Oracle Identity Cloud Service.

    These users are also assigned to the GenericScim - Client Credential application.

The GenericSCIM template runs a full synchronization between the source and the destination: the source is authoritative. If a user is removed from the source, the corresponding user is removed from the destination instance the next time the synchronization job runs. Treat this as a standing consequence, not a one-off demonstration: an accidental or malicious deletion in the source propagates to the destination on the next run.

What Do You Need?

You need access to two Oracle Identity Cloud Service instances.

  • SOURCE_INSTANCE: This is the instance from which users are synchronized. You need user credentials assigned the User Administrator role (to create users and groups) and the Application Administrator role (to configure a client credential application).
  • DESTINATION_INSTANCE: This is the instance to which users are synchronized. You need user credentials assigned the User Administrator and Application Administrator roles.

See About Multiple Instances.


Section 1: Create Users and Groups in the Source Instance

There are many ways to create multiple users, groups, and group assignments in Oracle Identity Cloud Service. This example uses the Oracle Identity Cloud Service REST endpoint /admin/v1/Bulk, which accepts a SCIM 2.0 bulk request containing several create operations in one call.

  1. Download the bulk_upload_users_groups.json file to your desktop.
  2. Register a confidential application in the source Oracle Identity Cloud Service instance and get an access token for it. The client must have been granted the User Administrator role, because the bulk request creates users and groups. See Make Your First REST API Call.
  3. Open a command prompt in the location where you downloaded the JSON file, and then run the following command to create the users and groups:
    curl -X POST -H "Content-Type:application/scim+json" -H "Authorization: Bearer ACCESS_TOKEN" -d @"bulk_upload_users_groups.json" "https://SOURCE_INSTANCE/admin/v1/Bulk"

    Note: Replace the ACCESS_TOKEN and SOURCE_INSTANCE values in the above command before running it. The bulk endpoint returns HTTP 200 even when individual operations fail, so inspect the per-operation status values in the response body rather than relying on the HTTP status alone.

  4. Sign in to the Identity Cloud Service console of the source instance as a user administrator.
  5. Expand the Navigation Drawer, click Users, and then verify the users from the JSON file were created.
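The tutorial's bulk_upload_users_groups.json file is not reproduced on this page. The script below is an added example, not the tutorial's file or Oracle's code: it builds a SCIM 2.0 bulk request of the kind /admin/v1/Bulk accepts, creating users and groups and expressing group membership through bulkId references so that the groups can refer to users created earlier in the same request (RFC 7644 section 3.7). The user and group names, the example.com e-mail domain, and the assumption that the instance resolves bulkId references in group members are the example's own; the per-operation status check mirrors the note above.

```python
"""Build and (optionally) submit a SCIM 2.0 bulk request that creates users,
groups and group memberships against /admin/v1/Bulk.

Added example; the sample users and groups below are constructed for this
page and are not the tutorial's bulk_upload_users_groups.json.
"""
import json
import sys
import urllib.request

BULK_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"

# Constructed sample data: (userName, givenName, familyName) and group -> members.
SAMPLE_USERS = [
    ("user01.test", "User01", "Test"),
    ("user02.test", "User02", "Test"),
    ("user03.test", "User03", "Test"),
]
SAMPLE_GROUPS = {
    "Group A": ["user01.test", "user02.test"],
    "Group B": ["user03.test"],
}


def user_operation(user_name, given, family, domain="example.com"):
    """One POST /Users operation; the bulkId lets later operations refer to this user."""
    return {
        "method": "POST",
        "path": "/Users",
        "bulkId": user_name,
        "data": {
            "schemas": [USER_SCHEMA],
            "userName": user_name,
            "name": {"givenName": given, "familyName": family},
            # example.com is an assumed domain for the constructed sample users
            "emails": [{"value": f"{user_name}@{domain}", "type": "work", "primary": True}],
        },
    }


def group_operation(display_name, member_user_names):
    """One POST /Groups operation whose members are 'bulkId:<userName>' references.

    The server substitutes the ids it assigned to the user operations, so users and
    their group assignments can be created in a single request (assumed to be
    honoured by the target instance, as the SCIM 2.0 bulk specification requires).
    """
    return {
        "method": "POST",
        "path": "/Groups",
        "bulkId": "group-" + display_name.replace(" ", "-").lower(),
        "data": {
            "schemas": [GROUP_SCHEMA],
            "displayName": display_name,
            "members": [{"value": f"bulkId:{u}"} for u in member_user_names],
        },
    }


def build_bulk_request(users, groups):
    """Users first, then groups, so every bulkId is defined before it is referenced."""
    ops = [user_operation(*u) for u in users]
    ops += [group_operation(name, members) for name, members in groups.items()]
    return {"schemas": [BULK_SCHEMA], "Operations": ops}


def failed_operations(bulk_response):
    """Return (bulkId, status) for each operation whose status is not 2xx.

    A bulk response carries a status per operation (as a string such as "201");
    the HTTP status of the whole request does not tell you whether any failed.
    """
    return [
        (op.get("bulkId"), op.get("status"))
        for op in bulk_response.get("Operations", [])
        if not str(op.get("status", "")).startswith("2")
    ]


def submit_bulk(instance, access_token, bulk_request):
    """POST the request to https://<instance>/admin/v1/Bulk and return the parsed response."""
    req = urllib.request.Request(
        f"https://{instance}/admin/v1/Bulk",
        data=json.dumps(bulk_request).encode(),
        headers={"Content-Type": "application/scim+json",
                 "Authorization": f"Bearer {access_token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    body = build_bulk_request(SAMPLE_USERS, SAMPLE_GROUPS)
    if len(sys.argv) == 3:  # usage: python bulk.py SOURCE_INSTANCE ACCESS_TOKEN
        print("failed:", failed_operations(submit_bulk(sys.argv[1], sys.argv[2], body)))
    else:  # no arguments: print the request so it can be saved and used with curl
        print(json.dumps(body, indent=2))
```

Run it without arguments to write the JSON body to a file for the curl command above, or with the instance host and an access token to submit it directly and list any operations that did not succeed.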

Section 2: Configure a Confidential Application in the Source Instance

Create a confidential application in the source instance so that the GenericScim - Client Credential template in the destination instance can connect to it. The client ID and secret you generate here are credentials with User Administrator rights on the source instance; handle them as such when you copy them to the destination.

  1. Sign in to the Identity Cloud Service console of the source instance as an application administrator.
  2. Expand the Navigation Drawer, click Applications, and then click Add.
  3. In the Add Application window, click Confidential Application.
  4. Enter name as SCIM Client Credential and then click Next.
  5. In the Client pane, click Configure this application as client now, and then select Client Credentials under Allowed Grant Types.
  6. Scroll down, click the Add button below Grant the client access to Identity Cloud Service Admin APIs.
  7. In the Add App Role window, select User Administrator role and then click Add.
  8. Click Next in the Client pane and in the following panes until you reach the last pane. Then click Finish.
  9. In the Application Added dialog box, make a note of the Client ID and Client Secret values (because the GenericScim template from the destination Identity Cloud Service needs these values), and then click Close.
  10. To activate the application, click Activate.

Section 3: Configure the GenericSCIM Template in the Destination Instance

Configure a GenericSCIM Template in your Oracle Identity Cloud Service destination instance to synchronize users from the source instance.

  1. Sign in to the Identity Cloud Service console of the destination instance as an application administrator.
  2. Expand the Navigation Drawer, click Applications, and then click Add.
  3. In the Add Application window, click App Catalog.
  4. In the App Catalog page, search for GenericScim, and then click Add for the GenericScim - Client Credentials row.
  5. In the Add GenericScim - Client Credentials page, enter name as Source Identity Cloud Service.
  6. In the Provisioning pane, click Enable Provisioning, and then click Continue in the Grant Consent window.
  7. In the Configure Connectivity section, provide the following information:
    • Host Name: The host of the source instance, for example idcs-source.identity.oraclecloud.com
    • Base URI: /admin/v1
    • Client Id: Enter the Client ID you noted from the confidential application.
    • Client Secret: Enter the Client Secret you noted from the confidential application.
    • Scope: urn:opc:idm:__myscopes__ (requests every scope the client was granted, here those of the User Administrator role)
    • Authentication Server Url: The token endpoint of the source instance, for example https://idcs-source.identity.oraclecloud.com/oauth2/v1/token
  8. Click Test Connectivity to test the communication between the two Oracle Identity Cloud Service instances. The success message Connection successful appears.
  9. If the test fails, recheck the Client ID and Client Secret, confirm that the confidential application is activated in the source instance, and confirm that it was granted the User Administrator role.
  10. In Select Provisioning Operations section, click Authoritative Sync.
  11. Click Enable Synchronization, and then click Save.
  12. Click Activate to activate the application.

Section 4: Use the GenericSCIM Template to Import Users, Groups, and Group Assignments

Import users from one Oracle Identity Cloud Service instance to another.

  1. In the Source Identity Cloud Service application page, click the Import tab, and then click Import. The message Your job for importing accounts is running. appears.
  2. Click Refresh until the job status changes to Succeeded.
  3. After the job finishes, the list of users synchronized from the source Identity Cloud Service appears.
  4. For every user in the list, verify that the Synchronization Status is Confirmed.

Section 5: Verify Users are Synchronized to the Oracle Identity Cloud Service Destination Instance

Verify that the users were created in the destination Oracle Identity Cloud Service instance.

  1. Sign in to the Identity Cloud Service console of the destination instance as a user administrator.
  2. Expand the Navigation Drawer, click Users.
  3. Verify the users from the source Identity Cloud Service were created.

Section 6: Remove Users and Groups from the Source Instance

To demonstrate the GenericScim template's full synchronization behavior, remove the users and groups from the source instance, and then run the import in the destination instance again. The deletions are propagated without any confirmation step in the destination.

Remove Users and Groups from the Source Instance

  1. Sign in to the Identity Cloud Service console of the source instance as a user administrator.
  2. Expand the Navigation Drawer, and then click Users.
  3. In the Users page, select the users from User01 Test to User10 Test, click More, and then click Remove.
  4. In the confirmation window, click OK.
  5. In the Navigation Drawer, click Groups.
  6. In the Groups page, select the groups from Group A to Group D, and then click Remove.
  7. Sign out from the source instance.

Run Import and Verify Users and Groups in the Destination Instance

  1. Sign in to the Identity Cloud Service console of the destination instance as an application administrator.
  2. Expand the Navigation Drawer, click Applications, and then click the Source Identity Cloud Service application.
  3. In the Source Identity Cloud Service application page, click the Import tab, and then click Import.
  4. Click Refresh until the job status changes to Succeeded. After the job finishes, the GenericScim template lists the users synchronized from the source Identity Cloud Service.

  5. Verify users from User01 Test to User10 Test don't appear in the list.
  6. In the Navigation Drawer, click Users.
  7. Verify the users from User01 Test to User10 Test don't appear in the list.
  8. In the Navigation Drawer, click Groups.
  9. Verify the groups from Group A to Group D don't appear in the list.
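Sections 5 and 6 verify the result by eye in the console. For more than a handful of users, and for confirming that group memberships (not only user existence) match, a scripted reconciliation is the check a practitioner wants. The script below is an added example, not part of the tutorial or of Oracle's product: it performs the same client-credentials token exchange the GenericScim template uses (step 2 of the flow in Section 0), pages through /admin/v1/Users and /admin/v1/Groups on both instances, and reports users, groups and memberships that differ. It assumes a confidential application with the User Administrator role exists on the destination as well (the tutorial only creates one on the source), reads its credentials from environment variables chosen for this example, and ignores destination-local accounts you name (such as the destination administrator, which the source does not manage). The sample SCIM resources at the bottom are constructed for the offline check.

```python
"""Reconcile users and group memberships between a source and a destination
Oracle Identity Cloud Service instance after a GenericSCIM synchronization run.

Added example (not the tutorial's or Oracle's code). Environment variables
SRC_HOST/SRC_CLIENT_ID/SRC_CLIENT_SECRET and DST_HOST/DST_CLIENT_ID/DST_CLIENT_SECRET
and the IGNORE_USERS list are this example's own conventions.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

SCOPE = "urn:opc:idm:__myscopes__"


def get_token(instance, client_id, client_secret):
    """OAuth client-credentials grant against /oauth2/v1/token, as the template does."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(
        f"https://{instance}/oauth2/v1/token",
        data=urllib.parse.urlencode({"grant_type": "client_credentials", "scope": SCOPE}).encode(),
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
        method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def list_all(instance, token, resource, attributes, page_size=100):
    """Page through /admin/v1/<resource> with SCIM startIndex/count and return every resource."""
    resources, start = [], 1
    while True:
        q = urllib.parse.urlencode({"startIndex": start, "count": page_size, "attributes": attributes})
        req = urllib.request.Request(f"https://{instance}/admin/v1/{resource}?{q}",
                                     headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=60) as resp:
            page = json.load(resp)
        got = page.get("Resources", [])
        resources.extend(got)
        start += len(got)
        if not got or start > page.get("totalResults", 0):
            return resources


def snapshot(users, groups, ignore=frozenset()):
    """Reduce SCIM User/Group resources to comparable, case-insensitive name sets.

    Resource ids differ between instances, so users are keyed by userName and
    groups by displayName; member ids are translated through the user list.
    """
    id_to_name = {u["id"]: u["userName"].lower() for u in users}
    ignore = {n.lower() for n in ignore}
    user_names = set(id_to_name.values()) - ignore
    memberships = {}
    for g in groups:
        names = {(m.get("name") or id_to_name.get(m["value"], m["value"])).lower()
                 for m in g.get("members", [])}
        memberships[g["displayName"]] = names - ignore
    return user_names, memberships


def reconcile(src_users, src_groups, dst_users, dst_groups, ignore_users=()):
    """Return what is missing in the destination and what is stale (should have been removed)."""
    s_users, s_groups = snapshot(src_users, src_groups, ignore_users)
    d_users, d_groups = snapshot(dst_users, dst_groups, ignore_users)
    return {
        "missing_users": sorted(s_users - d_users),
        "stale_users": sorted(d_users - s_users),
        "missing_groups": sorted(set(s_groups) - set(d_groups)),
        "stale_groups": sorted(set(d_groups) - set(s_groups)),
        "membership_diffs": {
            g: {"missing": sorted(s_groups[g] - d_groups[g]), "stale": sorted(d_groups[g] - s_groups[g])}
            for g in set(s_groups) & set(d_groups) if s_groups[g] != d_groups[g]
        },
    }


# Constructed sample SCIM resources for an offline check: user02 has not been
# synchronized yet, and "admin" exists only in the destination and is ignored.
SAMPLE_SRC_USERS = [{"id": "s1", "userName": "user01.test"}, {"id": "s2", "userName": "user02.test"}]
SAMPLE_SRC_GROUPS = [{"displayName": "Group A", "members": [{"value": "s1"}, {"value": "s2"}]}]
SAMPLE_DST_USERS = [{"id": "d1", "userName": "User01.Test"}, {"id": "d9", "userName": "admin"}]
SAMPLE_DST_GROUPS = [{"displayName": "Group A", "members": [{"value": "d1"}]}]


def fetch(prefix):
    host = os.environ[prefix + "_HOST"]
    tok = get_token(host, os.environ[prefix + "_CLIENT_ID"], os.environ[prefix + "_CLIENT_SECRET"])
    return (list_all(host, tok, "Users", "userName"),
            list_all(host, tok, "Groups", "displayName,members.value,members.name"))


if __name__ == "__main__":
    if "SRC_HOST" in os.environ:
        src_u, src_g = fetch("SRC")
        dst_u, dst_g = fetch("DST")
        ignore = os.environ.get("IGNORE_USERS", "").split(",")
        print(json.dumps(reconcile(src_u, src_g, dst_u, dst_g, ignore), indent=2))
    else:  # offline run on the constructed sample data
        print(json.dumps(reconcile(SAMPLE_SRC_USERS, SAMPLE_SRC_GROUPS,
                                   SAMPLE_DST_USERS, SAMPLE_DST_GROUPS, {"admin"}), indent=2))
```

Run it after the import in Section 4 (everything should be "missing" and "stale" empty) and again after the deletions in Section 6 (the removed users and groups must not show up as stale). Any non-empty stale_users entry after a successful job is the signal that a destination account is not under the source's control and needs attention.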

Section 7: (Optional) Modify the Default Attribute Mapping

You can change the GenericScim template's default attribute mapping between the two instances of Oracle Identity Cloud Service.

  1. Sign in to the Identity Cloud Service console of the destination instance as an application administrator.
  2. Expand the Navigation Drawer, and then click Applications.
  3. In the Application page, click Source Identity Cloud Service.
  4. In the Source Identity Cloud Service page, click the Provisioning tab, scroll down, and then click Attribute Mapping.
  5. In the Attribute Mapping page, click the Application to Identity Cloud tab, and then verify the default attribute mapping doesn't map the Title field from the source Oracle Identity Cloud Service.
    Default attribute mapping (illustration: attrmapping.png)
  6. Click Add Row to add a new entry that maps the Title field.
  7. In the newly created row, provide the following values, and then click OK:
    • Source Identity Cloud Service Account: $(account.title)
    • Maps to: Select Create and Update.
    • User: Select Title.
  8. In the Source Identity Cloud Service application page, click the Import tab, and then click Import.
  9. Click Refresh until the job status changes to Succeeded.
  10. For every user in the list, verify that the Synchronization Status is Confirmed.
  11. In the Navigation Drawer, click Users.
  12. Verify that each user now has a value in the Title field.

Want to Learn More?