Understanding Cloud Applications

Oracle Identity Cloud Service provides you with a secure and centralized cloud service to manage your applications.

About Cloud Applications

Cloud applications are web-based applications that function in the cloud. These applications can be accessed from anywhere, and at any time, over the web. Examples of cloud applications are Google, Salesforce, and Dropbox.

About Oracle and Custom Applications

Oracle applications are a complete and modular set of enterprise applications, engineered to be cloud-ready. In Oracle Cloud, you'll find a broad range of software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS) applications. You can use these applications as part of a subscription-based service; there's no software license or hardware to buy and manage. Oracle handles all the supporting underlying technologies.

You can extend Oracle applications or even build your own custom cloud applications in Oracle Cloud. Custom applications are applications (such as a mobile application, a web page, a client application, or a server application) that you can integrate with Oracle Identity Cloud Service. By default, for security purposes, custom applications are trusted or confidential.

Oracle Identity Cloud Service leverages the power of OpenID Connect and OAuth to deliver a highly-scalable, multi-tenant token service for securing programmatic access to custom applications by other custom applications, and for federated SSO and authorization integration with these applications:

  • Use OAuth 2.0 to define authorization in Oracle Identity Cloud Service for your custom applications. OAuth 2.0 has an authorization framework, commonly used for third-party authorization requests with consent. Custom applications can implement both two-legged and three-legged OAuth flows.

  • Use OpenID Connect to externalize authentication to Oracle Identity Cloud Service for your custom applications. OpenID Connect has an authentication protocol that provides Federated SSO, leveraging the OAuth 2.0 authorization framework as a way to federate identities in the cloud. Custom applications participate in an Open ID Connect flow.

Using the OAuth 2.0 and OpenID Connect standards provides the following benefits:

  • Federated SSO between the custom application and Oracle Identity Cloud Service. Resource owners (users accessing the custom application) need a single login to access Oracle Identity Cloud Service plus all applications integrated. Oracle Identity Cloud Service handles the authentication and credentials itself, insulating custom applications. This capability is provided by OpenID Connect with OAuth 2.0.

  • Authorization to perform operations on third-party servers with consent. Resource owners can decide at runtime whether the custom applications should have authorization to access data or perform tasks for them. This capability is provided by OAuth 2.0.

See Introduction to OAuth in Oracle Cloud in Understanding Identity Concepts.

About the Relationship Between Oracle Identity Cloud Service and Applications

In Oracle Identity Cloud Service, each custom application is represented by an application template. This configuration template is used to define the identity, access, and configuration information that Oracle Identity Cloud Service requires to communicate with the application.

When you purchase an Oracle application, an instance of the application is created in your identity domain and appears in the Applications page automatically.

For a custom application, you must configure Oracle Identity Cloud Service so that it can communicate with the application. You use an application wizard to create a custom application. By doing so, in your identity domain, you add the information that Oracle Identity Cloud Service uses to communicate with the application. See Adding Applications.

You can use Oracle Identity Cloud Service to grant users access to applications in two ways:

  • Directly: Assigning users to the applications

  • Indirectly: Assigning groups to the applications. Any users who are members of the groups are granted access to the applications.

In addition to granting users and groups access to Oracle applications, you can grant users and groups access to entitlements within applications. For example, you use Oracle Identity Cloud Service to grant John Doe and Jane Doe access to Oracle Java Cloud Service. You want John Doe to have administrator privileges for Oracle Java Cloud Service, but Jane Doe to have only user privileges.

Each entitlement in an Oracle application is represented by an application role. So by assigning John Doe to the application administrator role of Oracle Java Cloud Service, he can access this Oracle Cloud service and he can function as an administrator within it.