Provision and Synchronize Users Between Traditional Cloud Accounts and Cloud Accounts with Identity Cloud Service

User provisioning and synchronization are important aspects of application management. Provisioning lets you manage the lifecycle of accounts in applications, such as creating and deleting accounts, from Oracle Identity Cloud Service.

For example, when you grant a user access to an Oracle Cloud application that is used to provision users with traditional cloud accounts, that user is provisioned with a traditional cloud account automatically. This allows you to quickly add new users to traditional cloud accounts and to de-provision them from these accounts immediately when they change roles or leave your organization.

After you enable provisioning, synchronization lets you control how operations performed directly in the traditional cloud account, such as creating and deleting accounts, are reflected in Oracle Identity Cloud Service.

For provisioning and synchronization to occur for users between traditional cloud accounts and cloud accounts with Identity Cloud Service, you configure a traditional cloud account to be a service provider and Oracle Identity Cloud Service to be an identity provider. As a result, a user can use their federated SSO credentials to log in to the traditional cloud account through their cloud account with Identity Cloud Service.

The user authenticates only once. For this example, the user signs in to Oracle Identity Cloud Service (the identity provider), which issues a signed security token, a SAML assertion, for that user. The traditional cloud account (the service provider) validates the token against the Oracle Identity Cloud Service identity provider metadata and signing certificate that you import into it later in this procedure, and then grants access without prompting for credentials again. This method is known as federated single sign-on (SSO): a token issued by one trusted identity provider is accepted across multiple IT systems, here the cloud account with Identity Cloud Service and the traditional cloud account.
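The following is an added example, not code from Oracle or from this documentation. It shows the trust checks a SAML service provider performs on an assertion before accepting it: the issuer must be the trusted identity provider, the signing certificate must be the one learned from the identity provider metadata, the audience must name this service provider, and the validity window must cover the current time. In the setup on this page the traditional cloud account is the service provider and Oracle Identity Cloud Service is the identity provider, which is why the later steps import the Oracle Identity Cloud Service metadata and signing certificate into the traditional cloud account. The code does not verify the XML signature; a real service provider must do that with an XML-DSig implementation. All entity IDs, hostnames, and certificate bytes below are constructed placeholders.

```python
"""Added example: metadata-level trust checks on a SAML 2.0 assertion.
Not Oracle code. The XML signature is NOT verified here; a production SP
must verify it with an XML-DSig library before trusting any of these fields.
All identifiers and the certificate bytes are constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def fingerprint(der: bytes) -> str:
    """SHA-256 of DER certificate bytes: what an SP pins from IdP metadata."""
    return hashlib.sha256(der).hexdigest()


def _ts(s: str) -> datetime:
    # SAML timestamps are UTC ISO 8601 with a trailing Z.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def check_assertion(xml_text: str, trusted_issuer: str, trusted_fps: set,
                    sp_entity_id: str, now: datetime,
                    skew: timedelta = timedelta(minutes=3)) -> list:
    """Return the reasons to reject the assertion. An empty list means the
    issuer, certificate, audience, and time-window checks all passed."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        return ["not a SAML 2.0 Assertion"]

    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != trusted_issuer:
        problems.append(f"issuer {issuer!r} is not the trusted identity provider")

    # The certificate the assertion claims to be signed with must be the one
    # the SP imported from the IdP metadata; anything else is untrusted.
    fps = [fingerprint(base64.b64decode("".join(c.text.split())))
           for c in root.iterfind(".//ds:X509Certificate", NS)]
    if not fps:
        problems.append("assertion carries no signing certificate")
    elif not any(fp in trusted_fps for fp in fps):
        problems.append("signing certificate is not the one imported from IdP metadata")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Conditions element missing")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _ts(nb) - skew:
            problems.append("assertion not yet valid")
        if na and now >= _ts(na) + skew:
            problems.append("assertion expired")
        audiences = [a.text for a in
                     cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append(f"audience {audiences} does not include this service provider")
    return problems


# Constructed sample data (hypothetical entity IDs; the "certificate" is not real DER).
IDP_ENTITY_ID = "https://idcs-example.identity.oraclecloud.com/fed"
SP_ENTITY_ID = "https://login.dc.migrationsample.example.com:443/oam/fed/cloud/migration_id_domain"
IDP_CERT_DER = b"constructed placeholder, not a real X.509 certificate"
TRUSTED = {fingerprint(IDP_CERT_DER)}  # what the SP learned from the imported IdP metadata


def make_assertion(issuer, audience, not_before, not_on_or_after, cert_der):
    """Build a minimal, unsigned assertion for the demonstration."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_1" Version="2.0" IssueInstant="{not_before}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


NOW = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
GOOD = make_assertion(IDP_ENTITY_ID, SP_ENTITY_ID, "2024-05-01T09:58:00Z", "2024-05-01T10:05:00Z", IDP_CERT_DER)
ROGUE_ISSUER = make_assertion("https://evil.example.net/idp", SP_ENTITY_ID, "2024-05-01T09:58:00Z", "2024-05-01T10:05:00Z", IDP_CERT_DER)
ROGUE_CERT = make_assertion(IDP_ENTITY_ID, SP_ENTITY_ID, "2024-05-01T09:58:00Z", "2024-05-01T10:05:00Z", b"some other key")
EXPIRED = make_assertion(IDP_ENTITY_ID, SP_ENTITY_ID, "2024-05-01T09:00:00Z", "2024-05-01T09:05:00Z", IDP_CERT_DER)

if __name__ == "__main__":
    for name, a in [("good", GOOD), ("rogue issuer", ROGUE_ISSUER),
                    ("rogue cert", ROGUE_CERT), ("expired", EXPIRED)]:
        print(name, check_assertion(a, IDP_ENTITY_ID, TRUSTED, SP_ENTITY_ID, NOW) or "accepted")
```

The point to take from this is what the metadata import buys you: the service provider rejects an assertion from any issuer or any signing key other than the ones it imported, so rotating the Oracle Identity Cloud Service signing certificate means re-importing it on the traditional cloud account side, or federation stops working.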

Get Information from the Traditional Cloud Account

In this topic, you get the identity domain, domain name, metadata, and signing certificate from the traditional cloud account. You need this information to set up an Oracle Cloud application in Oracle Identity Cloud Service so that provisioning and synchronization can occur for users between traditional cloud accounts and cloud accounts with Identity Cloud Service.

  1. Sign in to the Oracle Cloud Infrastructure Classic Console of the traditional cloud account that contains the identity domain, domain name, metadata, and signing certificate that you want to get.

  2. Expand the Navigation Drawer (the menu icon in the top left corner), and then click Users.

  3. Navigate to the SSO Configuration tab.

  4. In the Configure your Identity Provider Information pane:

    1. Find the value associated with the Provider id field.

    2. From that value, copy the domain name and the identity domain to a text editor, such as Notepad or TextPad.

      Note:

      If the value of the Provider Id field is https://login.dc.migrationsample.<YOUR-DOMAIN-NAME>.com:443/oam/fed/cloud/migration_id_domain, then the domain name is dc.migrationsample.<YOUR-DOMAIN-NAME>.com (the host name without the leading login. label and the port) and the identity domain is migration_id_domain (the last segment of the path).

    3. Click Export Metadata, and then select Provider Metadata (SAML 2.0) from the menu that appears.

    4. Click Export Metadata again, and then select Signing Certificate from the menu that appears.

Get the entityID Attribute Value from the Metadata File

In this topic, you get the entityID attribute value from the metadata file that you exported. You need this information to set up the Oracle Cloud application in Oracle Identity Cloud Service.

  1. Open the metadata file that you exported in Get Information from the Traditional Cloud Account.

  2. Locate the entityID attribute in this file.

  3. Copy the value associated with this attribute to a text editor, such as Notepad or TextPad.
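The following is an added example, not code from Oracle or from this documentation. It automates the two previous topics: it derives the Domain Name and Identity Domain values from the Provider Id, reads the entityID, role, endpoints, and signing certificate out of exported SAML 2.0 metadata, and checks that the separately exported signing certificate is the same one embedded in the metadata, which catches a stale or mismatched export before you upload it in the next topic. The same parser also reads the Oracle Identity Cloud Service identity provider metadata (an IDPSSODescriptor) that you download later. The metadata document, hostnames, endpoint location, and certificate bytes below are constructed; the certificate is a placeholder, not real DER.

```python
"""Added example: parse a Provider Id and exported SAML 2.0 metadata, and
cross-check the exported signing certificate. Not Oracle code. The sample
metadata and certificate bytes are constructed placeholders."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def parse_provider_id(provider_id: str) -> dict:
    """https://login.<domain name>:443/oam/fed/cloud/<identity domain> gives
    Domain Name (host without the leading 'login.' label and the port) and
    Identity Domain (the last path segment)."""
    u = urlparse(provider_id)
    if u.scheme != "https" or not u.hostname:
        raise ValueError("Provider Id must be an https URL")
    host = u.hostname
    domain_name = host[len("login."):] if host.startswith("login.") else host
    identity_domain = u.path.rstrip("/").rsplit("/", 1)[-1]
    if not identity_domain:
        raise ValueError("Provider Id has no identity domain path segment")
    return {"domain_name": domain_name, "identity_domain": identity_domain}


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def pem_to_der(pem: str) -> bytes:
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def parse_metadata(xml_text: str) -> dict:
    """Extract entityID, role descriptors, signing-certificate fingerprints,
    and SSO/ACS endpoints from a SAML 2.0 EntityDescriptor (SP or IdP)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute is missing")
    roles = [t for t in ("SPSSODescriptor", "IDPSSODescriptor")
             if root.find(f"md:{t}", NS) is not None]
    signing = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            for c in kd.iterfind(".//ds:X509Certificate", NS):
                signing.append(fingerprint(base64.b64decode("".join(c.text.split()))))
    endpoints = {}
    for tag in ("AssertionConsumerService", "SingleSignOnService"):
        for ep in root.iterfind(f".//md:{tag}", NS):
            endpoints.setdefault(tag, []).append((ep.get("Binding"), ep.get("Location")))
    return {"entity_id": entity_id, "roles": roles,
            "signing_fingerprints": signing, "endpoints": endpoints}


def exported_cert_matches(metadata: dict, pem: str) -> bool:
    """True if the separately exported certificate is one the metadata lists for signing."""
    return fingerprint(pem_to_der(pem)) in metadata["signing_fingerprints"]


# Constructed sample data: hypothetical domain, placeholder certificate bytes.
PROVIDER_ID = "https://login.dc.migrationsample.example.com:443/oam/fed/cloud/migration_id_domain"
SP_CERT_DER = b"constructed placeholder, not a real certificate"
SP_CERT_B64 = base64.b64encode(SP_CERT_DER).decode()
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{PROVIDER_ID}">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SP_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.dc.migrationsample.example.com:443/oam/fed/sp/sso" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
SP_CERT_PEM = "-----BEGIN CERTIFICATE-----\n" + SP_CERT_B64 + "\n-----END CERTIFICATE-----\n"
WRONG_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                  + base64.b64encode(b"a different, stale export").decode()
                  + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(parse_provider_id(PROVIDER_ID))
    md = parse_metadata(SP_METADATA)
    print(md["entity_id"], md["roles"], md["endpoints"])
    print("exported certificate matches metadata:", exported_cert_matches(md, SP_CERT_PEM))
```

Run it against the real exports by replacing SP_METADATA and SP_CERT_PEM with the file contents. A False from exported_cert_matches means the two exports disagree (for example, the certificate was rotated between the two downloads), and the upload in the next topic would establish trust in the wrong key.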

Create an Oracle Cloud Application in Oracle Identity Cloud Service

In this topic, you create an Oracle Cloud application in Oracle Identity Cloud Service that’s used to provision and synchronize users between traditional cloud accounts and cloud accounts with Identity Cloud Service.

Rather than build this application from scratch, use the App Catalog to create this application. The App Catalog contains pre-configured application templates. Using the templates, you can define the application, configure SSO, and configure provisioning and synchronization for the application.

  1. Sign in to the Oracle Cloud Infrastructure Classic Console of the cloud account with Identity Cloud Service.

  2. Expand the Navigation Drawer (the menu icon in the top left corner), and then click Users.

  3. In the User Management page, click Identity Console. The Identity Cloud Service console appears.

  4. Expand the Navigation Drawer, and then click Applications.

  5. Click Add.

  6. In the Add Application window, click App Catalog.

  7. In the Type of Integration area of the App Catalog page, click Provisioning.

  8. In the search field, enter Oracle Cloud. The Oracle Cloud application appears.

  9. Click Add.

  10. Populate the Identity Domain, Domain Name, and SSO Domain Name fields of the Details tab with the values that you retrieved in Get Information from the Traditional Cloud Account, and then click Next.

    Note:

    Use the same value for both the Domain Name and SSO Domain Name fields.

  11. Populate the Entity ID field of the SSO Configuration tab with the entityID attribute value that you retrieved in Get the entityID Attribute Value from the Metadata File.

  12. Click Upload to the right of the Signing Certificate field, and then import the signing certificate that you exported in Get Information from the Traditional Cloud Account.

  13. Click Download Signing Certificate to save the Oracle Identity Cloud Service signing certificate. You import it into the traditional cloud account in Import the Identity Provider Metadata into the Traditional Cloud Account.

  14. Click Download Identity Provider Metadata to save the Oracle Identity Cloud Service identity provider metadata, which you also import into the traditional cloud account in that topic. The traditional cloud account needs this information so that it can trust and process the assertion that Oracle Identity Cloud Service generates as part of the federation process. The metadata includes, for example, the supported profiles and bindings, the connection endpoints, and the signing certificate.

  15. Click Next.

  16. In the Provisioning tab, click Continue in the Grant Consent window that appears.

  17. Turn on the Enable Provisioning switch.

  18. In the Configure Connectivity pane, enter the connection values that the application requires, and then test connectivity before you continue.

  19. Turn on the Enable Synchronization switch.

  20. In the Configure Synchronization section, review and adjust the synchronization settings and attributes for your application.

  21. Click Add.

Import the Identity Provider Metadata into the Traditional Cloud Account

In this topic, you import metadata from Oracle Identity Cloud Service (the identity provider) into the traditional cloud account. The account needs this data so that provisioning and synchronization can occur for a user between the traditional cloud account and a cloud account with Identity Cloud Service.

  1. In the traditional cloud account, click the Users menu, and then navigate to the SSO Configuration tab.

  2. In the Configure SSO pane, click Edit.

  3. In the Edit Single Sign-On Configuration window, select the Import identity provider metadata option, and then click Choose File to the right of the Load Provider Metadata field.

  4. Import the Oracle Identity Cloud Service identity provider metadata that you downloaded in Create an Oracle Cloud Application in Oracle Identity Cloud Service.

  5. Select the Enter identity provider metadata manually option, and then click Choose File to the right of the Load Signing Certificate field.

  6. Import the Oracle Identity Cloud Service signing certificate that you downloaded in Create an Oracle Cloud Application in Oracle Identity Cloud Service.

  7. Click Save.

Configure Single Sign-On for the Traditional Cloud Account

In this topic, you configure single sign-on for the traditional cloud account. As a result, a user can use their federated SSO credentials to log in to the traditional cloud account through their cloud account with Identity Cloud Service.

  1. In the SSO Configuration tab, click Enable SSO in the Enable SSO pane.

  2. In the Enable Sign In to Oracle Cloud Services with Identity Domain credentials pane, click Enable.

Provision a User with a Traditional Cloud Account

In this topic, you create a user in the cloud account with Identity Cloud Service. Because the user is assigned to the Oracle Cloud application, Oracle Identity Cloud Service provisions the user with a traditional cloud account automatically.

  1. In the Identity Cloud Service console, open the Oracle Cloud application.

  2. Click the Groups tab, and then click Assign.

  3. In the Assign Groups window, assign the All Tenant Users group to this application.

    Note:

    The All Tenant Users group is a default group that's created by Oracle Identity Cloud Service. All Oracle Identity Cloud Service users are assigned to this group, by default. By assigning this group to the Oracle Cloud application, all users are assigned to this application indirectly, so every user in the tenancy is provisioned with a traditional cloud account. If only some users need traditional cloud accounts, assign a narrower group to the application instead and add those users to it.

  4. Click Users, and then click Add.

  5. In the First Name and Last Name fields of the Add User window, enter the user’s first and last name.

  6. In the User Name / Email field, enter the user’s email address.

  7. Click Next to assign the user to groups.

  8. Select the check box for the All Tenant Users group, and then click Finish.

    Note:

    Because the user is assigned to the All Tenant Users group, Oracle Identity Cloud Service will provision the user with a traditional cloud account automatically.

See Verifying the Integration to confirm the integration between the traditional cloud account as the service provider and Oracle Identity Cloud Service as the identity provider.