Use the Service Integration Account with No Password Expiration

Tip:

Applies only to Oracle Integration Classic (user-managed).

For Oracle Integration Generation 2, see Use the Service Integration Account with No Password Expiration in Provisioning and Administering Oracle Integration Generation 2.

Note:

To avoid expiring credentials, it is recommend that you use the JWT user assertion grant. See Trigger Integrations with OAuth in Using the REST Adapter with Oracle Integration Generation 2 .

User credentials are typically used with the Basic Authentication security policy. Continuous use of this security policy by clients increases the performance load on the authentication service (Oracle Identity Cloud Service) because it must keep validating the same credentials repeatedly. The increased performance load is dependent on two factors.

Repeated requests to the Oracle Identity Cloud Service server for password authenticator/asserter for the same basic authentication credentials.
The Oracle Identity Cloud Service password policy requires accessing the ID store for each of the requests.

To reduce the performance load caused by repeated requests, you can use the service integration account without password expiration.

For Basic Authentication, you can use generic credentials: the client ID (that ends with _BASICAUTH) and the associated client secret. This section describes on how to create these credentials.

Obtain the PaaS Application Oracle Identity Cloud Service Application ID

In the upper left corner, click , and select Users.
Select your instance.
On the User Management page, click Identity Console.
In the upper left corner, click .
Select Applications.
Navigate to the Oracle Integration application.
Note the value in the Application ID field (for this example, referred to as ${OIC_APP_ID}).

Configure the Service Administrator Application

Click Add and select Confidential Application to create a confidential application in Oracle Identity Cloud Service. This task must be performed by an Oracle Identity Cloud Service administrator.

Description of the illustration confidential_app.png

The Add Confidential Application wizard is displayed.
Configure the confidential application.
1. On the Details page, enter an application name.
2. On the Client page, enable Client Credentials and Refresh Token.
  
  Description of the illustration add_confidential_client.png
3. At the bottom of the Client page, click Add and select the Identity Domain Administrator role.
  
  Description of the illustration add_confidential_app2.png
Click Add, then click Next until you reach the final page.
Click Finish. The Application Added dialog is displayed.
1. Note the application ID, client ID, client secret for the confidential application (for this example, referred to as ${SA_APP_ID}, ${SA_CLIENT_ID}, and ${SA_CLIENT_SECRET}), then click Close.

Configure the Service Integration Application

Create the service integration application.

Get an access token to create an application (for this example, referred to as ${SA_ACCESS_TOKEN}).

Get access token request:

curl -X POST https://${IDCS_HOST}/oauth2/v1/token -u ${SA_CLIENT_ID}:${SA_CLIENT_SECRET} 
-d 'grant_type=client_credentials&scope=urn%3Aopc%3Aidm%3A__myscopes__'

Get access token response:

{
    "access_token": "eyJ4NXQjUzI1NiI6IlVFQ1RyX25Ram9XYk9........................XV-2ei4pAUYV9aw66k_qL3b842qHw",
    "token_type": "Bearer",
    "expires_in": 3600
}

Create an application with the _BASICAUTH suffix using the above access token.

Create an application request:

curl -X POST https://${IDCS_HOST}/admin/v1/Apps -H 'Authorization: Bearer ${SA_ACCESS_TOKEN}' 
-H 'Content-Type: application/json' -d '{   "active": true,   "allUrlSchemesAllowed": false,   
"allowAccessControl": false,   "allowedGrants": ["client_credentials",   "urn:ietf:params:oauth:grant-type:
jwt-bearer"],   "attrRenderingMetadata": [{     "name": "aliasApps",     "visible": false   }],   
"basedOnTemplate": {     "value": "CustomWebAppTemplateId"   },   "clientType": "confidential",   
"displayName": "OICTEST_BASICAUTH",   "editableAttributes": [     { "name": "allowedGrants" },     
{ "name": "protectableSecondaryAudiences" },     { "name": "asOPCService" },     { "name": 
"accessTokenExpiry" },     { "name": "linkingCallbackUrl" },     { "name": "isOAuthResource" },     
{ "name": "appIcon" },     { "name": "clientType" },     { "name": "refreshTokenExpiry" },     
{ "name": "trustScope" },     { "name": "landingPageUrl" },     { "name": "audience" },     
{ "name": "samlServiceProvider" },     { "name": "isLoginTarget" },     { "name": "redirectUris" },     
{ "name": "allowedScopes" },     { "name": "tags" },     { "name": "logoutUri" },     { "name": 
"allowedOperations" },     { "name": "termsOfUse" },     { "name": "serviceParams" },     { "name": 
"certificates" },     { "name": "aliasApps" },     { "name": "schemas" },     { "name": "isWebTierPolicy" },
     { "name": "trustPolicies" },     { "name": "logoutPageUrl" },     { "name": "secondaryAudiences" },
     { "name": "displayName" },     { "name": "serviceTypeURN" },     { "name": "icon" },     { "name": 
"description" },     { "name": "isOAuthClient" },     { "name": "allowedTags" },     { "name": 
"showInMyApps" },     { "name": "isObligationCapable" },     { "name": "isMobileTarget" },     { "name": 
"allowOffline" },     { "name": "idpPolicy" },     { "name": "appSignonPolicy" },     { "name": 
"postLogoutRedirectUris" },     { "name": "isFormFill" },     { "name": "loginMechanism" },     { "name": 
"serviceTypeVersion" },     { "name": "errorPageUrl" },     { "name": "signonPolicy" },     { "name": 
"identityProviders" },     { "name": "isSamlServiceProvider" },     { "name": "appThumbnail" },     { 
"name": "loginPageUrl" },     { "name": "scopes" },     { "name": "allowAccessControl" },     { "name": 
"isKerberosRealm" },     { "name": "allUrlSchemesAllowed" },     { "name": "urn:ietf:params:scim:schemas:
oracle:idcs:extension:samlServiceProvider:App:encryptionAlgorithm" },     { "name": "urn:ietf:params:scim:
schemas:oracle:idcs:extension:samlServiceProvider:App:groupAssertionAttributes" },     { "name": "urn:ietf:
params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:includeSigningCertInSignature" },     
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:signResponseOrAssertion"
 },     { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:
assertionConsumerUrl" },     { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:
App:nameIdUserstoreAttribute" },     { "name": "urn:ietf:params:scim:schemas:oracle:idcs:
extension:samlServiceProvider:App:logoutResponseUrl" },     { "name": "urn:ietf:params:scim:schemas:oracle:
idcs:extension:samlServiceProvider:App:succinctId" },     { "name": "urn:ietf:params:scim:schemas:oracle:
idcs:extension:samlServiceProvider:App:logoutRequestUrl" },     { "name": "urn:ietf:params:scim:schemas:
oracle:idcs:extension:samlServiceProvider:App:partnerProviderId" },     { "name": "urn:ietf:params:scim:
schemas:oracle:idcs:extension:samlServiceProvider:App:nameIdFormat" },     { "name": "urn:ietf:params:
scim:schemas:oracle:idcs:extension:samlServiceProvider:App:logoutBinding" },     { "name": "urn:ietf:params
:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:userAssertionAttributes" },     { "name": 
"urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:signatureHashAlgorithm" },     
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:metadata" },     
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:encryptAssertion" },
     { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:logoutEnabled" },
     { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:
App:encryptionCertificate" },     { "name": "urn:ietf:params:scim:schemas:oracle:idcs:
extension:samlServiceProvider:App:signingCertificate" },     { "name": "urn:ietf:params:scim:schemas:
oracle:idcs:extension:samlServiceProvider:App:federationProtocol" },     { "name": "urn:ietf:params:scim:
schemas:oracle:idcs:extension:webTierPolicy:App:webTierPolicyJson" },     {"name": "urn:ietf:params:scim:
schemas:oracle:idcs:extension:managedapp:App:bundleConfigurationProperties" },     {"name": "urn:ietf:
params:scim:schemas:oracle:idcs:extension:managedapp:App:isAuthoritative" },     { "name": "urn:ietf:
params:scim:schemas:oracle:idcs:extension:managedapp:App:enableSync" },     { "name": "urn:ietf:params:
scim:schemas:oracle:idcs:extension:managedapp:App:adminConsentGranted" },     { "name": "urn:ietf:params:
scim:schemas:oracle:idcs:extension:managedapp:App:connected" },     { "name": "urn:ietf:params:scim:
schemas:oracle:idcs:extension:managedapp:App:flatFileBundleConfigurationProperties" },     { "name": 
"urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:threeLeggedOAuthCredential" },     { 
"name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:bundlePoolConfiguration" },     
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:flatFileConnectorBundle" },     
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:revealPasswordOnForm" },
     { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:userNameFormTemplate"
 },     { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:userNameFormExpression" },     
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:formCredentialSharingGroupID" },     
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:formCredMethod" },     
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:syncFromTemplate" },     
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:configuration" },     
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:formFillUrlMatch" },     
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:formType" },     
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:masterKey" },     { "name": 
"urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:maxRenewableAge" },     { "name": 
"urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:maxTicketLife" },     { "name": 
"urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:supportedEncryptionSaltTypes" },     
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:realmName" },     
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:ticketFlags" },     
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:defaultEncryptionSaltType" },     
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:requestable:App:requestable" },     
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:revealPasswordOnForm" },     
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:userNameFormExpression" },     
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:formType" },     
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:formCredMethod" },     
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:configuration" },     { "name": 
"urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:formFillUrlMatch" },     { "name": 
"urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:formCredentialSharingGroupID" },     
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:userNameFormTemplate" },     
{ "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:dbcs:App:domainApp" },     { "name": "active" },     
{ "name": "grantedAppRoles" },     { "name": "userRoles" },     { "name": "adminRoles" },     { "name": "clientSecret" }         
],   "infrastructure": false,   "isAliasApp": false,   "isManagedApp": false,   "isMobileTarget": false,   "isOAuthClient": 
true,   "isOAuthResource": false,   "isOPCService": false,   "isSamlServiceProvider": false,   "isUnmanagedApp": false,   
"isWebTierPolicy": false,   "loginMechanism": "OIDC",   "migrated": false,   "name": "OICTEST_BASICAUTH",   
"showInMyApps": false,   "trustScope": "Explicit",   "urn:ietf:params:scim:schemas:oracle:idcs:extension:requestable:App": 
{     "requestable": false   },   "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:App",   "urn:ietf:params:scim:schemas:
oracle:idcs:extension:requestable:App"] }'

Create an application response:

{     "clientType": "confidential",     "isAliasApp": false,     "meta": {         
"created": "2019-04-01T07:51:47.025Z",         "lastModified": "2019-04-01T07:51:47.025Z",
         "resourceType": "App",         "location": "https://${IDCS_HOST}/admin/v1/Apps/
0c228094b0f5456289b928f979800308"     },     "active": true,     "isLoginTarget": true,     
"idcsCreatedBy": {         "display": "OIC_SI_TEST",         "type": "App",         "value": 
"5debb165fc6946708e2c1f27264fafb1",         "$ref": "https://${IDCS_HOST}/admin/v1/Apps/
5debb165fc6946708e2c1f27264fafb1"     },     "displayName": "OICTEST_BASICAUTH",     
"showInMyApps": false,     "isMobileTarget": false,     "allowOffline": false,     
"isUnmanagedApp": false,     "idcsLastModifiedBy": {         "display": "OIC_SI_TEST",         
"type": "App",         "value": "5debb165fc6946708e2c1f27264fafb1",         "$ref": 
"https://${IDCS_HOST}/admin/v1/Apps/5debb165fc6946708e2c1f27264fafb1"     },     
"isOPCService": false,     "name": "OICTEST_BASICAUTH",     "isOAuthClient": true,     
"isManagedApp": false,     "isSamlServiceProvider": false,     "infrastructure": false,     
"allUrlSchemesAllowed": false,     "trustScope": "Explicit",     "id": 
"0c228094b0f5456289b928f979800308",     "isWebTierPolicy": false,     "loginMechanism": 
"OIDC",     "allowAccessControl": false,     "isOAuthResource": false,     "migrated": 
false,     "isKerberosRealm": false,     "allowedGrants": [         "client_credentials",         
"urn:ietf:params:oauth:grant-type:jwt-bearer"     ],     "attrRenderingMetadata": [         {             
"name": "aliasApps",             "visible": false         }     ],     "basedOnTemplate": {         
"value": "CustomWebAppTemplateId",         "lastModified": "2018-05-31T22:35:08Z",         
"$ref": "https://${IDCS_HOST}/admin/v1/AppTemplates/CustomWebAppTemplateId"     },     "schemas": [         
"urn:ietf:params:scim:schemas:oracle:idcs:App"     ],     "clientSecret": "91ac1189-b2ca-4ccb-a049-bbc635927646" }

Note the application ID, client ID, and client secret from the response (for this example, referred to as ${SI_APP_ID}, ${SI_CLIENT_ID}, and ${SI_CLIENT_SECRET}).

Activate the application using the above access token.

Activate the application request:

curl -X PUT https://${IDCS_HOST}/admin/v1/AppStatusChanger/${SI_APP_ID} -H 
'Authorization: Bearer ${SA_ACCESS_TOKEN}' -H 'Content-Type: application/json' -d 
'{"schemas":["urn:ietf:params:scim:schemas:oracle:idcs:AppStatusChanger"],"id":"${SI_APP_ID}",
"active":true}'

Associate the service integration application.

Identify the AppRoleID to be granted for the Oracle Integration application. The ServiceUser role is assigned to the created application. Therefore, a search is performed for that role (for this example, referred to as ${OIC_APP_ROLE_ID}).

Get the application role ID request:

curl -X GET 'https://${IDCS_HOST}/admin/v1/AppRoles?attributes=groups,urn:ietf:params:
scim:schemas:oracle:idcs:extension:user:User:appRoles&filter=displayName+co+%22ServiceUser%22+
and+app.value+eq+%22${OIC_APP_ID}%22' -H 'Authorization: Bearer ${SA_ACCESS_TOKEN}'

Get the application role ID response:

{
    "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:ListResponse"
    ],
    "totalResults": 1,
    "Resources": [
        {
            "displayName": "ServiceUser",
            "id": "20e22fd1eb2e43ac8645e105abcab201",
            "app": {
                "value": "e0eea2c9fadb42c09d33035ff41e8f57",
                "display": "OICSSA_oiccafdev7"
            }
        }
    ],
    "startIndex": 1,
    "itemsPerPage": 50
}

Grant the service integration application with the above role.

Grant the role request:

curl -X POST https://${IDCS_HOST}/admin/v1/Grants -H 'Authorization: Bearer ${SA_ACCESS_TOKEN}' -H 'Content-Type: application/json' -d '{
 "app": {
  "value": "${OIC_APP_ID}"
 },
 "entitlement": {
  "attributeName": "appRoles",
  "attributeValue": "${OIC_APP_ROLE_ID}"
 },
 "grantMechanism": "ADMINISTRATOR_TO_APP",
 "grantee": {
  "value": "${SI_APP_ID}",
  "type": "App"
 },
 "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:Grant"]
}'

Grant the role response:

{
    "app": {
        "value": "${OIC_APP_ID}",
        "$ref": "https://${IDCS_HOST}/admin/v1/Apps/${OIC_APP_ID}"
    },
    "entitlement": {
        "attributeName": "appRoles",
        "attributeValue": "${OIC_APP_ROLE_ID}"
    },
    "grantMechanism": "ADMINISTRATOR_TO_APP",
    "grantee": {
        "value": "${SI_APP_ID}",
        "type": "App",
        "$ref": "https://${IDCS_HOST}/admin/v1/Apps/${SI_APP_ID}"
    },
    "schemas": [
        "urn:ietf:params:scim:schemas:oracle:idcs:Grant"
    ],
    "id": "6832316983c545baa01e9a9488022fa7",
    "isFulfilled": true,
    "grantor": {
        "type": "App",
        "value": "${SA_APP_ID}",
        "$ref": "https://${IDCS_HOST}/admin/v1/Apps/${SA_APP_ID}"
    },
    "meta": {
        "created": "2019-04-01T08:00:33.277Z",
        "lastModified": "2019-04-01T08:00:33.277Z",
        "resourceType": "Grant",
        "location": "https://${IDCS_HOST}/admin/v1/Grants/6832316983c545baa01e9a9488022fa7"
    },
    "idcsCreatedBy": {
        "value": "${SA_APP_ID}",
        "type": "App",
        "display": "OIC_SI_TEST",
        "$ref": "https://${IDCS_HOST}/admin/v1/Apps/${SA_APP_ID}"
    },
    "idcsLastModifiedBy": {
        "value": "${SA_APP_ID}",
        "type": "App",
        "display": "OIC_SI_TEST",
        "$ref": "https://${IDCS_HOST}/admin/v1/Apps/${SA_APP_ID}"
    }
}

Using the Service Integration Credentials

Once setup is complete, the credentials ${SI_CLIENT_ID} and ${SI_CLIENT_SECRET} can be used as the user name and password for authentication to an Oracle Integration endpoint as shown below.

Oracle Integration SOAP endpoint request sample:

curl -X POST https://${OIC_HOST}/ic/ws/integration/v1/flows/soap/FLOW/1.0/ -u 
${SI_CLIENT_ID}:${SI_CLIENT_SECRET} -H 'Content-Type: text/xml;charset=UTF-8' -H 'SOAPAction: 
process' -d '<soapenv:Envelope xmlns:rp="http://xmlns.oracle.com/rp_WS_Basic_Authentication_APP/
rp_WS_Basic_Authentication/rp_Basic_Authentication_WS" xmlns:soapenv="http://schemas.xmlsoap.org/
soap/envelope/">
   <soapenv:Header>
      <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/
oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/
oasis-200401-wss-wssecurity-utility-1.0.xsd">
         <wsu:Timestamp wsu:Id="TS-0BC1DE3F9C8F739DB815541392855881">
            <wsu:Created>2019-04-01T00:00:00.000Z</wsu:Created>
            <wsu:Expires>2019-04-02T00:00:00.000Z</wsu:Expires>
         </wsu:Timestamp>
      </wsse:Security>
   </soapenv:Header>
   <soapenv:Body>
      <rp:process>
         <rp:input>OICTEST</rp:input>
      </rp:process>
   </soapenv:Body>
</soapenv:Envelope>'