Use the Service Integration Account with No Password Expiration
Oracle Integration provides a service integration account in which the password does not expire. The service integration account consists of a generic application role created with specific predefined rules. Use this account when you need to invoke integrations and require that the account password not expire.
Tip:
Applies only to Oracle Integration Classic (user-managed). For Oracle Integration Generation 2, see Use the Service Integration Account with No Password Expiration in Provisioning and Administering Oracle Integration Generation 2.
Note:
To avoid expiring credentials, it is recommended that you use the JWT user assertion grant. See Trigger Integrations with OAuth in Using the REST Adapter with Oracle Integration Generation 2.
User credentials are typically used with the Basic Authentication security policy. Continuous use of this security policy by clients increases the load on the authentication service (Oracle Identity Cloud Service) because it must validate the same credentials on every request. The increased load depends on two factors.
- Repeated requests to the Oracle Identity Cloud Service server for password authenticator/asserter for the same basic authentication credentials.
- The Oracle Identity Cloud Service password policy requires accessing the ID store for each of the requests.
To reduce the load caused by repeated requests, you can use the service integration account, whose password does not expire. Because the credential never expires, treat it as a long-lived secret: keep it in a secret store rather than in integration code or configuration files, and regenerate the client secret if it is ever exposed.
For Basic Authentication, you can use generic credentials: the client ID (which ends with _BASICAUTH) and the associated client secret. This section describes how to create these credentials.
Obtain the PaaS Application Oracle Identity Cloud Service Application ID
- In the upper left corner, click , and select Users.
- Select your instance.
- On the User Management page, click Identity Console.
- In the upper left corner, click .
- Select Applications.
- Navigate to the Oracle Integration application.
- Note the value in the Application ID field (for this example, referred to as ${OIC_APP_ID}).
Configure the Service Administrator Application
- Click Add and select Confidential Application to create a confidential application in Oracle Identity Cloud Service. This task must be performed by an Oracle Identity Cloud Service administrator.
The Add Confidential Application wizard is displayed.
- Configure the confidential application.
- On the Details page, enter an application name.
- On the Client page, enable Client Credentials and Refresh Token.
- At the bottom of the Client page, click Add and select the Identity Domain Administrator role. This confidential application then holds full administrative rights over the identity domain. It is needed only to run the setup calls below, so protect its client secret and deactivate or delete the application once setup is finished.
- Click Add, then click Next until you reach the final page.
- Click Finish. The Application Added dialog is displayed.
- Note the application ID, client ID, and client secret for the confidential application (for this example, referred to as ${SA_APP_ID}, ${SA_CLIENT_ID}, and ${SA_CLIENT_SECRET}), then click Close.
Configure the Service Integration Application
- Create the service integration application.
- Get an access token to create an application (for this example, referred to as ${SA_ACCESS_TOKEN}).
- Get access token request:
curl -X POST https://${IDCS_HOST}/oauth2/v1/token -u ${SA_CLIENT_ID}:${SA_CLIENT_SECRET} -d 'grant_type=client_credentials&scope=urn%3Aopc%3Aidm%3A__myscopes__'
- Get access token response:
{ "access_token": "eyJ4NXQjUzI1NiI6IlVFQ1RyX25Ram9XYk9........................XV-2ei4pAUYV9aw66k_qL3b842qHw", "token_type": "Bearer", "expires_in": 3600 }
- Create an application with the _BASICAUTH suffix using the above access token.
- Create an application request:
curl -X POST https://${IDCS_HOST}/admin/v1/Apps -H 'Authorization: Bearer ${SA_ACCESS_TOKEN}' -H 'Content-Type: application/json' -d '{
  "active": true,
  "allUrlSchemesAllowed": false,
  "allowAccessControl": false,
  "allowedGrants": ["client_credentials", "urn:ietf:params:oauth:grant-type:jwt-bearer"],
  "attrRenderingMetadata": [{ "name": "aliasApps", "visible": false }],
  "basedOnTemplate": { "value": "CustomWebAppTemplateId" },
  "clientType": "confidential",
  "displayName": "OICTEST_BASICAUTH",
  "editableAttributes": [
    { "name": "allowedGrants" }, { "name": "protectableSecondaryAudiences" }, { "name": "asOPCService" }, { "name": "accessTokenExpiry" },
    { "name": "linkingCallbackUrl" }, { "name": "isOAuthResource" }, { "name": "appIcon" }, { "name": "clientType" },
    { "name": "refreshTokenExpiry" }, { "name": "trustScope" }, { "name": "landingPageUrl" }, { "name": "audience" },
    { "name": "samlServiceProvider" }, { "name": "isLoginTarget" }, { "name": "redirectUris" }, { "name": "allowedScopes" },
    { "name": "tags" }, { "name": "logoutUri" }, { "name": "allowedOperations" }, { "name": "termsOfUse" },
    { "name": "serviceParams" }, { "name": "certificates" }, { "name": "aliasApps" }, { "name": "schemas" },
    { "name": "isWebTierPolicy" }, { "name": "trustPolicies" }, { "name": "logoutPageUrl" }, { "name": "secondaryAudiences" },
    { "name": "displayName" }, { "name": "serviceTypeURN" }, { "name": "icon" }, { "name": "description" },
    { "name": "isOAuthClient" }, { "name": "allowedTags" }, { "name": "showInMyApps" }, { "name": "isObligationCapable" },
    { "name": "isMobileTarget" }, { "name": "allowOffline" }, { "name": "idpPolicy" }, { "name": "appSignonPolicy" },
    { "name": "postLogoutRedirectUris" }, { "name": "isFormFill" }, { "name": "loginMechanism" }, { "name": "serviceTypeVersion" },
    { "name": "errorPageUrl" }, { "name": "signonPolicy" }, { "name": "identityProviders" }, { "name": "isSamlServiceProvider" },
    { "name": "appThumbnail" }, { "name": "loginPageUrl" }, { "name": "scopes" }, { "name": "allowAccessControl" },
    { "name": "isKerberosRealm" }, { "name": "allUrlSchemesAllowed" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:encryptionAlgorithm" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:groupAssertionAttributes" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:includeSigningCertInSignature" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:signResponseOrAssertion" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:assertionConsumerUrl" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:nameIdUserstoreAttribute" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:logoutResponseUrl" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:succinctId" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:logoutRequestUrl" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:partnerProviderId" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:nameIdFormat" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:logoutBinding" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:userAssertionAttributes" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:signatureHashAlgorithm" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:metadata" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:encryptAssertion" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:logoutEnabled" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:encryptionCertificate" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:signingCertificate" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:federationProtocol" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:webTierPolicy:App:webTierPolicyJson" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:bundleConfigurationProperties" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:isAuthoritative" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:enableSync" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:adminConsentGranted" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:connected" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:flatFileBundleConfigurationProperties" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:threeLeggedOAuthCredential" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:bundlePoolConfiguration" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:flatFileConnectorBundle" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:revealPasswordOnForm" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:userNameFormTemplate" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:userNameFormExpression" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:formCredentialSharingGroupID" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:formCredMethod" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:syncFromTemplate" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:configuration" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:formFillUrlMatch" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:formType" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:masterKey" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:maxRenewableAge" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:maxTicketLife" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:supportedEncryptionSaltTypes" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:realmName" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:ticketFlags" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:defaultEncryptionSaltType" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:requestable:App:requestable" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:revealPasswordOnForm" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:userNameFormExpression" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:formType" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:formCredMethod" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:configuration" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:formFillUrlMatch" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:formCredentialSharingGroupID" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:userNameFormTemplate" },
    { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:dbcs:App:domainApp" },
    { "name": "active" }, { "name": "grantedAppRoles" }, { "name": "userRoles" }, { "name": "adminRoles" }, { "name": "clientSecret" }
  ],
  "infrastructure": false,
  "isAliasApp": false,
  "isManagedApp": false,
  "isMobileTarget": false,
  "isOAuthClient": true,
  "isOAuthResource": false,
  "isOPCService": false,
  "isSamlServiceProvider": false,
  "isUnmanagedApp": false,
  "isWebTierPolicy": false,
  "loginMechanism": "OIDC",
  "migrated": false,
  "name": "OICTEST_BASICAUTH",
  "showInMyApps": false,
  "trustScope": "Explicit",
  "urn:ietf:params:scim:schemas:oracle:idcs:extension:requestable:App": { "requestable": false },
  "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:App", "urn:ietf:params:scim:schemas:oracle:idcs:extension:requestable:App"]
}'
- Create an application response:
{ "clientType": "confidential", "isAliasApp": false,
  "meta": { "created": "2019-04-01T07:51:47.025Z", "lastModified": "2019-04-01T07:51:47.025Z", "resourceType": "App", "location": "https://${IDCS_HOST}/admin/v1/Apps/0c228094b0f5456289b928f979800308" },
  "active": true, "isLoginTarget": true,
  "idcsCreatedBy": { "display": "OIC_SI_TEST", "type": "App", "value": "5debb165fc6946708e2c1f27264fafb1", "$ref": "https://${IDCS_HOST}/admin/v1/Apps/5debb165fc6946708e2c1f27264fafb1" },
  "displayName": "OICTEST_BASICAUTH", "showInMyApps": false, "isMobileTarget": false, "allowOffline": false, "isUnmanagedApp": false,
  "idcsLastModifiedBy": { "display": "OIC_SI_TEST", "type": "App", "value": "5debb165fc6946708e2c1f27264fafb1", "$ref": "https://${IDCS_HOST}/admin/v1/Apps/5debb165fc6946708e2c1f27264fafb1" },
  "isOPCService": false, "name": "OICTEST_BASICAUTH", "isOAuthClient": true, "isManagedApp": false, "isSamlServiceProvider": false, "infrastructure": false, "allUrlSchemesAllowed": false, "trustScope": "Explicit",
  "id": "0c228094b0f5456289b928f979800308",
  "isWebTierPolicy": false, "loginMechanism": "OIDC", "allowAccessControl": false, "isOAuthResource": false, "migrated": false, "isKerberosRealm": false,
  "allowedGrants": [ "client_credentials", "urn:ietf:params:oauth:grant-type:jwt-bearer" ],
  "attrRenderingMetadata": [ { "name": "aliasApps", "visible": false } ],
  "basedOnTemplate": { "value": "CustomWebAppTemplateId", "lastModified": "2018-05-31T22:35:08Z", "$ref": "https://${IDCS_HOST}/admin/v1/AppTemplates/CustomWebAppTemplateId" },
  "schemas": [ "urn:ietf:params:scim:schemas:oracle:idcs:App" ],
  "clientSecret": "91ac1189-b2ca-4ccb-a049-bbc635927646" }
- Note the application ID, client ID, and client secret from the response (for this example, referred to as ${SI_APP_ID}, ${SI_CLIENT_ID}, and ${SI_CLIENT_SECRET}). In the response, id is the application ID, name (OICTEST_BASICAUTH in this example) is the OAuth client ID that carries the _BASICAUTH suffix, and clientSecret is the client secret. Store the secret in a secret store immediately; it is the non-expiring password for this account.
- Activate the application using the above access token.
- Activate the application request:
curl -X PUT https://${IDCS_HOST}/admin/v1/AppStatusChanger/${SI_APP_ID} -H 'Authorization: Bearer ${SA_ACCESS_TOKEN}' -H 'Content-Type: application/json' -d '{"schemas":["urn:ietf:params:scim:schemas:oracle:idcs:AppStatusChanger"],"id":"${SI_APP_ID}", "active":true}'
- Associate the service integration application.
- Identify the AppRoleID to be granted for the Oracle Integration application. The ServiceUser role is assigned to the created application. Therefore, a search is performed for that role (for this example, referred to as ${OIC_APP_ROLE_ID}). The filter uses a contains match (co) on displayName, so before using the returned id confirm that the response reports totalResults of 1 and that the displayName is exactly ServiceUser; granting a different role by accident would give the integration account unintended privileges.
- Get the application role ID request:
curl -X GET 'https://${IDCS_HOST}/admin/v1/AppRoles?attributes=groups,urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User:appRoles&filter=displayName+co+%22ServiceUser%22+and+app.value+eq+%22${OIC_APP_ID}%22' -H 'Authorization: Bearer ${SA_ACCESS_TOKEN}'
- Get the application role ID response:
{ "schemas": [ "urn:ietf:params:scim:api:messages:2.0:ListResponse" ], "totalResults": 1, "Resources": [ { "displayName": "ServiceUser", "id": "20e22fd1eb2e43ac8645e105abcab201", "app": { "value": "e0eea2c9fadb42c09d33035ff41e8f57", "display": "OICSSA_oiccafdev7" } } ], "startIndex": 1, "itemsPerPage": 50 }
- Grant the service integration application with the above role.
- Grant the role request:
curl -X POST https://${IDCS_HOST}/admin/v1/Grants -H 'Authorization: Bearer ${SA_ACCESS_TOKEN}' -H 'Content-Type: application/json' -d '{ "app": { "value": "${OIC_APP_ID}" }, "entitlement": { "attributeName": "appRoles", "attributeValue": "${OIC_APP_ROLE_ID}" }, "grantMechanism": "ADMINISTRATOR_TO_APP", "grantee": { "value": "${SI_APP_ID}", "type": "App" }, "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:Grant"] }'
- Grant the role response:
{ "app": { "value": "${OIC_APP_ID}", "$ref": "https://${IDCS_HOST}/admin/v1/Apps/${OIC_APP_ID}" }, "entitlement": { "attributeName": "appRoles", "attributeValue": "${OIC_APP_ROLE_ID}" }, "grantMechanism": "ADMINISTRATOR_TO_APP", "grantee": { "value": "${SI_APP_ID}", "type": "App", "$ref": "https://${IDCS_HOST}/admin/v1/Apps/${SI_APP_ID}" }, "schemas": [ "urn:ietf:params:scim:schemas:oracle:idcs:Grant" ], "id": "6832316983c545baa01e9a9488022fa7", "isFulfilled": true, "grantor": { "type": "App", "value": "${SA_APP_ID}", "$ref": "https://${IDCS_HOST}/admin/v1/Apps/${SA_APP_ID}" }, "meta": { "created": "2019-04-01T08:00:33.277Z", "lastModified": "2019-04-01T08:00:33.277Z", "resourceType": "Grant", "location": "https://${IDCS_HOST}/admin/v1/Grants/6832316983c545baa01e9a9488022fa7" }, "idcsCreatedBy": { "value": "${SA_APP_ID}", "type": "App", "display": "OIC_SI_TEST", "$ref": "https://${IDCS_HOST}/admin/v1/Apps/${SA_APP_ID}" }, "idcsLastModifiedBy": { "value": "${SA_APP_ID}", "type": "App", "display": "OIC_SI_TEST", "$ref": "https://${IDCS_HOST}/admin/v1/Apps/${SA_APP_ID}" } }
Using the Service Integration Credentials
Once setup is complete, the credentials ${SI_CLIENT_ID} and ${SI_CLIENT_SECRET} can be used as the user name and password for Basic Authentication against an Oracle Integration endpoint, as shown below. The integration path (FLOW/1.0) and the rp namespace values are example values for a SOAP-triggered integration; substitute those of your own integration.
curl -X POST https://${OIC_HOST}/ic/ws/integration/v1/flows/soap/FLOW/1.0/ -u ${SI_CLIENT_ID}:${SI_CLIENT_SECRET} -H 'Content-Type: text/xml;charset=UTF-8' -H 'SOAPAction: process' -d '<soapenv:Envelope xmlns:rp="http://xmlns.oracle.com/rp_WS_Basic_Authentication_APP/rp_WS_Basic_Authentication/rp_Basic_Authentication_WS" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsu:Timestamp wsu:Id="TS-0BC1DE3F9C8F739DB815541392855881">
<wsu:Created>2019-04-01T00:00:00.000Z</wsu:Created>
<wsu:Expires>2019-04-02T00:00:00.000Z</wsu:Expires>
</wsu:Timestamp>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<rp:process>
<rp:input>OICTEST</rp:input>
</rp:process>
</soapenv:Body>
</soapenv:Envelope>'
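The setup sequence above (client-credentials token, create the _BASICAUTH application, find the ServiceUser role, grant it) and the Basic Authentication call that follows it, as an added example that is not part of the Oracle documentation or of any Oracle tool. It builds the same requests the curl commands send as plain data and validates the responses offline; nothing here opens a network connection. The IDCS host name is a placeholder, the sample responses are constructed from the example responses shown on this page, and the SA_TOKEN string stands in for ${SA_ACCESS_TOKEN}.

```python
"""Offline model of the IDCS calls used to set up the service integration account."""
import base64
import json
from urllib.parse import urlencode

IDCS_HOST = "idcs-example.identity.oraclecloud.com"  # placeholder for ${IDCS_HOST}
BASE = f"https://{IDCS_HOST}"


def basic_auth_header(user: str, password: str) -> str:
    """RFC 7617 Basic credential, exactly what curl -u sends.

    Used for ${SA_CLIENT_ID}:${SA_CLIENT_SECRET} at the token endpoint and for
    ${SI_CLIENT_ID}:${SI_CLIENT_SECRET} at the integration endpoint.
    """
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_request(sa_client_id: str, sa_client_secret: str) -> dict:
    """Client-credentials request that yields ${SA_ACCESS_TOKEN}."""
    return {
        "method": "POST",
        "url": f"{BASE}/oauth2/v1/token",
        "headers": {"Authorization": basic_auth_header(sa_client_id, sa_client_secret),
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "client_credentials",
                           "scope": "urn:opc:idm:__myscopes__"}),
    }


def credentials_from_app(app: dict) -> tuple:
    """(${SI_APP_ID}, ${SI_CLIENT_ID}, ${SI_CLIENT_SECRET}) from the create-App response.

    'id' is the application ID and 'name' is the OAuth client ID, which the page
    requires to end in _BASICAUTH; refuse anything else rather than hand out
    credentials for the wrong application.
    """
    client_id = app["name"]
    if not client_id.endswith("_BASICAUTH"):
        raise ValueError(f"client ID {client_id!r} lacks the _BASICAUTH suffix")
    return app["id"], client_id, app["clientSecret"]


def app_role_query_url(oic_app_id: str) -> str:
    """AppRoles search; urlencode produces the %22 / + encoding the page shows."""
    params = {
        "attributes": "groups,urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User:appRoles",
        "filter": f'displayName co "ServiceUser" and app.value eq "{oic_app_id}"',
    }
    return f"{BASE}/admin/v1/AppRoles?{urlencode(params)}"


def select_service_user_role(list_response: dict) -> str:
    """Return ${OIC_APP_ROLE_ID}, refusing empty or ambiguous results.

    'co' is a contains match, so another role whose name merely contains
    'ServiceUser' would also be returned; failing is safer than granting it.
    """
    resources = list_response.get("Resources", [])
    if list_response.get("totalResults") != 1 or len(resources) != 1:
        raise ValueError("expected exactly one ServiceUser role")
    role = resources[0]
    if role.get("displayName") != "ServiceUser":
        raise ValueError(f"unexpected role {role.get('displayName')!r}")
    return role["id"]


def grant_request(oic_app_id: str, role_id: str, si_app_id: str, sa_token: str) -> dict:
    """ADMINISTRATOR_TO_APP grant of the ServiceUser role to the _BASICAUTH app."""
    body = {
        "app": {"value": oic_app_id},
        "entitlement": {"attributeName": "appRoles", "attributeValue": role_id},
        "grantMechanism": "ADMINISTRATOR_TO_APP",
        "grantee": {"value": si_app_id, "type": "App"},
        "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:Grant"],
    }
    return {"method": "POST", "url": f"{BASE}/admin/v1/Grants",
            "headers": {"Authorization": f"Bearer {sa_token}", "Content-Type": "application/json"},
            "body": json.dumps(body)}


# Constructed sample responses, trimmed from the example responses on this page.
SAMPLE_APP_RESPONSE = {"id": "0c228094b0f5456289b928f979800308", "name": "OICTEST_BASICAUTH",
                       "displayName": "OICTEST_BASICAUTH", "clientType": "confidential",
                       "clientSecret": "91ac1189-b2ca-4ccb-a049-bbc635927646"}
SAMPLE_ROLE_RESPONSE = {"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
                        "totalResults": 1,
                        "Resources": [{"displayName": "ServiceUser", "id": "20e22fd1eb2e43ac8645e105abcab201",
                                       "app": {"value": "e0eea2c9fadb42c09d33035ff41e8f57"}}]}


def run_setup_offline() -> dict:
    """Walk the page's steps against the sample responses; return what a practitioner notes down."""
    si_app_id, si_client_id, si_secret = credentials_from_app(SAMPLE_APP_RESPONSE)
    role_id = select_service_user_role(SAMPLE_ROLE_RESPONSE)
    oic_app_id = SAMPLE_ROLE_RESPONSE["Resources"][0]["app"]["value"]
    grant = grant_request(oic_app_id, role_id, si_app_id, "SA_TOKEN")  # SA_TOKEN stands in for ${SA_ACCESS_TOKEN}
    return {"SI_APP_ID": si_app_id, "SI_CLIENT_ID": si_client_id, "OIC_APP_ROLE_ID": role_id,
            "grant_body": json.loads(grant["body"]),
            "integration_auth": basic_auth_header(si_client_id, si_secret)}


if __name__ == "__main__":
    print(json.dumps(run_setup_offline(), indent=2))
```

The value of `integration_auth` is the Authorization header the final curl command sends to the Oracle Integration endpoint; it is the client secret base64-encoded, not encrypted, which is why it must only ever travel over TLS and why the secret should be kept out of logs and request traces.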