User provisioning and synchronization are an important aspect of application management. Provisioning allows you to manage the lifecycle of accounts in applications like creating and deleting accounts using Oracle Identity Cloud Service. For example, when you grant the user access to an application such as Google Suite, then this user account is automatically created in Google Suite. This allows you to quickly add new users to multiple applications and de-provision users from those applications instantly when they change roles or leave your organization.
You can enable and configure provisioning for App Catalog applications either when adding the app or later when modifying it. When you enable provisioning by selecting the option, the following steps appear:
- Configure Connectivity
Configure your app connectivity by providing values for the respective fields and by testing connectivity.
- Configure Attribute Mapping
Using Attribute Mapping you can map Oracle Identity Cloud Service attributes to the attributes in your application account. You can verify the existing default mapping and, if necessary, change mappings by selecting appropriate values from the drop-down list for the required user attribute. You can add rows to map missed attributes and delete rows to exclude duplicate attribute mapping. To add a new attribute for provisioning, click Add Row, specify the attributes in the User and your application account columns, and then click OK. For example, if you want to add the External ID field, enter $(user.externalId) in the User column, and then select the corresponding field from the drop-down list in the applications account column.
Note:As a best practice, don't share allowed values between app templates. There must be a one-to-one mapping between an app template and an allowed value, since an associated allowed value is deleted when an app template is deleted.
- Select Provisioning Operations
Any app that supports provisioning and synchronization can be an authoritative app. If authoritative sync is configured, using Oracle Identity Cloud Service, you can automatically create, modify, delete, and activate or disable users based only on the corresponding data from the authoritative application. However, the regular provisioning operations are not allowed while authorization sync is enabled.When authoritative sync is enabled, the following actions happen automatically:
If a user is not present in Oracle Identity Cloud Service, then the user is automatically created.
If an authoritative synced user is deleted from the application, then the user is also deleted from Oracle Identity Cloud Service.
If attributes of an authoritative synced user are modified, then the attributes for the user are also modified in Oracle Identity Cloud Service.
When Authoritative Sync is enabled, then the provisioning operations aren’t permitted from Oracle Identity Cloud Service to the target application. To manage user accounts in the application using provisioning, clear the Authoritative Sync check box. The following provisioning operations appear:
Create Account: Select to create an account when the app is granted to the user.
De-activate Account: Select to disable this account. To activate the account, clear the check box.
Delete Account: Select to delete the account in the app when the Oracle Identity Cloud Service user is deleted.
Important:When you configure the connection between your app and Oracle Identity Cloud Service, check and verify any pre-filled user name and password field entries as these may not be the credentials to access your application.
Assign users or groups to your App Catalog application to start the user provisioning process for your application. See Assigning Users to Custom Applications and Assigning Groups to Custom Applications.
Enable and configure synchronization. To enable and configure synchronization, see Enable Synchronization for an App Catalog Application.