Use the Service Integration Account with No Password Expiration

Oracle Integration provides a service integration account in which the password does not expire. The service integration account consists of a generic application role created with specific predefined rules. Use this account when you need to invoke integrations and require that the account password not expire.

User credentials are typically used with the Basic Authentication security policy. Continuous use of this security policy by clients increases the performance load on the authentication service (Oracle Identity Cloud Service) because it must keep validating the same credentials repeatedly. The increased performance load depends on two factors.

  • Repeated requests to the Oracle Identity Cloud Service server for password authenticator/asserter for the same basic authentication credentials.
  • The Oracle Identity Cloud Service password policy requires accessing the ID store for each of the requests.

To reduce the performance load caused by repeated requests, you can use the service integration account without password expiration.

For Basic Authentication, you can use generic credentials: the client ID (which ends with _BASICAUTH) and the associated client secret. This section describes how to create these credentials.

Obtain the PaaS Application Oracle Identity Cloud Service Application ID

  1. Click the hamburger menu in the top left corner of the Oracle Cloud Infrastructure Console. Any Oracle Integration user can do this.
  2. Click Platform Services, then Integration.
  3. In the upper right corner, click Users.
  4. On the User Management page, click Identity Console.
  5. In the upper left corner, click the Navigation menu icon.
  6. Select Applications.
  7. Navigate to the Oracle Integration application.
  8. Note the value in the Application ID field (for this example, referred to as ${OIC_APP_ID}).

Configure the Service Administrator Application

  1. Click Add and select Confidential Application to create a confidential application in Oracle Identity Cloud Service. This task must be performed by an Oracle Identity Cloud Service administrator.

    The Add Confidential Application wizard is displayed.

  2. Configure the confidential application.
    1. On the Details page, enter an application name.
    2. On the Client page, enable Client Credentials and Refresh Token.

    3. At the bottom of the Client page, click Add and select the Identity Domain Administrator role.

  3. Click Add, then click Next until you reach the final page.
  4. Click Finish. The Application Added dialog is displayed.
    1. Note the application ID, client ID, and client secret for the confidential application (for this example, referred to as ${SA_APP_ID}, ${SA_CLIENT_ID}, and ${SA_CLIENT_SECRET}), then click Close.

Configure the Service Integration Application

  1. Create the service integration application.
    1. Get an access token to create an application (for this example, referred to as ${SA_ACCESS_TOKEN}).
      • Get access token request:
        curl -X POST https://${IDCS_HOST}/oauth2/v1/token -u ${SA_CLIENT_ID}:${SA_CLIENT_SECRET} \
          -d 'grant_type=client_credentials&scope=urn%3Aopc%3Aidm%3A__myscopes__'
      • Get access token response:
        {
            "access_token": "eyJ4NXQjUzI1NiI6IlVFQ1RyX25Ram9XYk9........................XV-2ei4pAUYV9aw66k_qL3b842qHw",
            "token_type": "Bearer",
            "expires_in": 3600
        }
    2. Create an application with the _BASICAUTH suffix using the above access token.
      • Create an application request:
        curl -X POST https://${IDCS_HOST}/admin/v1/Apps \
          -H 'Authorization: Bearer ${SA_ACCESS_TOKEN}' \
          -H 'Content-Type: application/json' \
          -d '{
          "active": true,
          "allUrlSchemesAllowed": false,
          "allowAccessControl": false,
          "allowedGrants": ["client_credentials", "urn:ietf:params:oauth:grant-type:jwt-bearer"],
          "attrRenderingMetadata": [{ "name": "aliasApps", "visible": false }],
          "basedOnTemplate": { "value": "CustomWebAppTemplateId" },
          "clientType": "confidential",
          "displayName": "OICTEST_BASICAUTH",
          "editableAttributes": [
            { "name": "allowedGrants" }, { "name": "protectableSecondaryAudiences" },
            { "name": "asOPCService" }, { "name": "accessTokenExpiry" }, { "name": "linkingCallbackUrl" },
            { "name": "isOAuthResource" }, { "name": "appIcon" }, { "name": "clientType" },
            { "name": "refreshTokenExpiry" }, { "name": "trustScope" }, { "name": "landingPageUrl" },
            { "name": "audience" }, { "name": "samlServiceProvider" }, { "name": "isLoginTarget" },
            { "name": "redirectUris" }, { "name": "allowedScopes" }, { "name": "tags" }, { "name": "logoutUri" },
            { "name": "allowedOperations" }, { "name": "termsOfUse" }, { "name": "serviceParams" },
            { "name": "certificates" }, { "name": "aliasApps" }, { "name": "schemas" }, { "name": "isWebTierPolicy" },
            { "name": "trustPolicies" }, { "name": "logoutPageUrl" }, { "name": "secondaryAudiences" },
            { "name": "displayName" }, { "name": "serviceTypeURN" }, { "name": "icon" }, { "name": "description" },
            { "name": "isOAuthClient" }, { "name": "allowedTags" }, { "name": "showInMyApps" },
            { "name": "isObligationCapable" }, { "name": "isMobileTarget" }, { "name": "allowOffline" },
            { "name": "idpPolicy" }, { "name": "appSignonPolicy" }, { "name": "postLogoutRedirectUris" },
            { "name": "isFormFill" }, { "name": "loginMechanism" }, { "name": "serviceTypeVersion" },
            { "name": "errorPageUrl" }, { "name": "signonPolicy" }, { "name": "identityProviders" },
            { "name": "isSamlServiceProvider" }, { "name": "appThumbnail" }, { "name": "loginPageUrl" },
            { "name": "scopes" }, { "name": "allowAccessControl" }, { "name": "isKerberosRealm" },
            { "name": "allUrlSchemesAllowed" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:encryptionAlgorithm" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:groupAssertionAttributes" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:includeSigningCertInSignature" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:signResponseOrAssertion" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:assertionConsumerUrl" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:nameIdUserstoreAttribute" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:logoutResponseUrl" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:succinctId" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:logoutRequestUrl" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:partnerProviderId" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:nameIdFormat" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:logoutBinding" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:userAssertionAttributes" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:signatureHashAlgorithm" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:metadata" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:encryptAssertion" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:logoutEnabled" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:encryptionCertificate" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:signingCertificate" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:samlServiceProvider:App:federationProtocol" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:webTierPolicy:App:webTierPolicyJson" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:bundleConfigurationProperties" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:isAuthoritative" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:enableSync" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:adminConsentGranted" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:connected" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:flatFileBundleConfigurationProperties" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:threeLeggedOAuthCredential" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:bundlePoolConfiguration" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:managedapp:App:flatFileConnectorBundle" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:revealPasswordOnForm" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:userNameFormTemplate" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:userNameFormExpression" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:formCredentialSharingGroupID" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:formCredMethod" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:syncFromTemplate" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:configuration" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:formFillUrlMatch" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillAppTemplate:AppTemplate:formType" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:masterKey" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:maxRenewableAge" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:maxTicketLife" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:supportedEncryptionSaltTypes" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:realmName" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:ticketFlags" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:kerberosRealm:App:defaultEncryptionSaltType" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:requestable:App:requestable" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:revealPasswordOnForm" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:userNameFormExpression" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:formType" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:formCredMethod" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:configuration" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:formFillUrlMatch" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:formCredentialSharingGroupID" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:formFillApp:App:userNameFormTemplate" },
            { "name": "urn:ietf:params:scim:schemas:oracle:idcs:extension:dbcs:App:domainApp" },
            { "name": "active" }, { "name": "grantedAppRoles" }, { "name": "userRoles" },
            { "name": "adminRoles" }, { "name": "clientSecret" }
          ],
          "infrastructure": false,
          "isAliasApp": false,
          "isManagedApp": false,
          "isMobileTarget": false,
          "isOAuthClient": true,
          "isOAuthResource": false,
          "isOPCService": false,
          "isSamlServiceProvider": false,
          "isUnmanagedApp": false,
          "isWebTierPolicy": false,
          "loginMechanism": "OIDC",
          "migrated": false,
          "name": "OICTEST_BASICAUTH",
          "showInMyApps": false,
          "trustScope": "Explicit",
          "urn:ietf:params:scim:schemas:oracle:idcs:extension:requestable:App": { "requestable": false },
          "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:App",
                      "urn:ietf:params:scim:schemas:oracle:idcs:extension:requestable:App"]
        }'
      • Create an application response:
        {
            "clientType": "confidential",
            "isAliasApp": false,
            "meta": {
                "created": "2019-04-01T07:51:47.025Z",
                "lastModified": "2019-04-01T07:51:47.025Z",
                "resourceType": "App",
                "location": "https://${IDCS_HOST}/admin/v1/Apps/0c228094b0f5456289b928f979800308"
            },
            "active": true,
            "isLoginTarget": true,
            "idcsCreatedBy": {
                "display": "OIC_SI_TEST", "type": "App", "value": "5debb165fc6946708e2c1f27264fafb1",
                "$ref": "https://${IDCS_HOST}/admin/v1/Apps/5debb165fc6946708e2c1f27264fafb1"
            },
            "displayName": "OICTEST_BASICAUTH",
            "showInMyApps": false, "isMobileTarget": false, "allowOffline": false, "isUnmanagedApp": false,
            "idcsLastModifiedBy": {
                "display": "OIC_SI_TEST", "type": "App", "value": "5debb165fc6946708e2c1f27264fafb1",
                "$ref": "https://${IDCS_HOST}/admin/v1/Apps/5debb165fc6946708e2c1f27264fafb1"
            },
            "isOPCService": false,
            "name": "OICTEST_BASICAUTH",
            "isOAuthClient": true, "isManagedApp": false, "isSamlServiceProvider": false, "infrastructure": false,
            "allUrlSchemesAllowed": false,
            "trustScope": "Explicit",
            "id": "0c228094b0f5456289b928f979800308",
            "isWebTierPolicy": false, "loginMechanism": "OIDC", "allowAccessControl": false,
            "isOAuthResource": false, "migrated": false, "isKerberosRealm": false,
            "allowedGrants": ["client_credentials", "urn:ietf:params:oauth:grant-type:jwt-bearer"],
            "attrRenderingMetadata": [{ "name": "aliasApps", "visible": false }],
            "basedOnTemplate": {
                "value": "CustomWebAppTemplateId",
                "lastModified": "2018-05-31T22:35:08Z",
                "$ref": "https://${IDCS_HOST}/admin/v1/AppTemplates/CustomWebAppTemplateId"
            },
            "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:App"],
            "clientSecret": "91ac1189-b2ca-4ccb-a049-bbc635927646"
        }
    3. Note the application ID, client ID, and client secret from the response (for this example, referred to as ${SI_APP_ID}, ${SI_CLIENT_ID}, and ${SI_CLIENT_SECRET}).
    4. Activate the application using the above access token.
      • Activate the application request:
        curl -X PUT https://${IDCS_HOST}/admin/v1/AppStatusChanger/${SI_APP_ID} \
          -H 'Authorization: Bearer ${SA_ACCESS_TOKEN}' -H 'Content-Type: application/json' \
          -d '{"schemas":["urn:ietf:params:scim:schemas:oracle:idcs:AppStatusChanger"],"id":"${SI_APP_ID}","active":true}'
  2. Associate the service integration application.
    1. Identify the AppRoleID to be granted for the Oracle Integration application. The ServiceUser role is assigned to the created application. Therefore, a search is performed for that role (for this example, referred to as ${OIC_APP_ROLE_ID}).
      • Get the application role ID request:
        curl -X GET 'https://${IDCS_HOST}/admin/v1/AppRoles?attributes=groups,urn:ietf:params:scim:schemas:oracle:idcs:extension:user:User:appRoles&filter=displayName+co+%22ServiceUser%22+and+app.value+eq+%22${OIC_APP_ID}%22' \
          -H 'Authorization: Bearer ${SA_ACCESS_TOKEN}'
      • Get the application role ID response:
        {
            "schemas": [
                "urn:ietf:params:scim:api:messages:2.0:ListResponse"
            ],
            "totalResults": 1,
            "Resources": [
                {
                    "displayName": "ServiceUser",
                    "id": "20e22fd1eb2e43ac8645e105abcab201",
                    "app": {
                        "value": "e0eea2c9fadb42c09d33035ff41e8f57",
                        "display": "OICSSA_oiccafdev7"
                    }
                }
            ],
            "startIndex": 1,
            "itemsPerPage": 50
        }
    2. Grant the above role to the service integration application.
      • Grant the role request:
        curl -X POST https://${IDCS_HOST}/admin/v1/Grants -H 'Authorization: Bearer ${SA_ACCESS_TOKEN}' -H 'Content-Type: application/json' -d '{
         "app": {
          "value": "${OIC_APP_ID}"
         },
         "entitlement": {
          "attributeName": "appRoles",
          "attributeValue": "${OIC_APP_ROLE_ID}"
         },
         "grantMechanism": "ADMINISTRATOR_TO_APP",
         "grantee": {
          "value": "${SI_APP_ID}",
          "type": "App"
         },
         "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:Grant"]
        }'
      • Grant the role response:
        {
            "app": {
                "value": "${OIC_APP_ID}",
                "$ref": "https://${IDCS_HOST}/admin/v1/Apps/${OIC_APP_ID}"
            },
            "entitlement": {
                "attributeName": "appRoles",
                "attributeValue": "${OIC_APP_ROLE_ID}"
            },
            "grantMechanism": "ADMINISTRATOR_TO_APP",
            "grantee": {
                "value": "${SI_APP_ID}",
                "type": "App",
                "$ref": "https://${IDCS_HOST}/admin/v1/Apps/${SI_APP_ID}"
            },
            "schemas": [
                "urn:ietf:params:scim:schemas:oracle:idcs:Grant"
            ],
            "id": "6832316983c545baa01e9a9488022fa7",
            "isFulfilled": true,
            "grantor": {
                "type": "App",
                "value": "${SA_APP_ID}",
                "$ref": "https://${IDCS_HOST}/admin/v1/Apps/${SA_APP_ID}"
            },
            "meta": {
                "created": "2019-04-01T08:00:33.277Z",
                "lastModified": "2019-04-01T08:00:33.277Z",
                "resourceType": "Grant",
                "location": "https://${IDCS_HOST}/admin/v1/Grants/6832316983c545baa01e9a9488022fa7"
            },
            "idcsCreatedBy": {
                "value": "${SA_APP_ID}",
                "type": "App",
                "display": "OIC_SI_TEST",
                "$ref": "https://${IDCS_HOST}/admin/v1/Apps/${SA_APP_ID}"
            },
            "idcsLastModifiedBy": {
                "value": "${SA_APP_ID}",
                "type": "App",
                "display": "OIC_SI_TEST",
                "$ref": "https://${IDCS_HOST}/admin/v1/Apps/${SA_APP_ID}"
            }
        }
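The token, role-lookup and grant steps above as Python functions (an added example, not Oracle's code): host, client credentials and IDs are passed in as the ${IDCS_HOST}, ${SA_*}, ${OIC_APP_ID} and ${SI_APP_ID} values noted earlier, and the `send` parameter (an assumption of this example) lets the validation logic run against canned responses without a network. The lookup re-checks the returned role client-side, because the `co` filter is a substring match and only the exact ServiceUser role of the Oracle Integration application should ever be granted.

```python
import base64
import json
import urllib.parse
import urllib.request


# Transport for real runs: one HTTPS request, JSON response decoded.
# Each step below accepts a `send` override so it can be exercised offline.
def http_json(method, url, headers=None, body=None, auth=None):
    req = urllib.request.Request(url, data=body.encode() if body else None,
                                 method=method)
    for name, value in (headers or {}).items():
        req.add_header(name, value)
    if auth:  # Basic auth, equivalent to curl -u user:secret
        raw = f"{auth[0]}:{auth[1]}".encode()
        req.add_header("Authorization", "Basic " + base64.b64encode(raw).decode())
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def get_access_token(idcs_host, client_id, client_secret, send=http_json):
    """Client-credentials token for the service administrator app (${SA_*})."""
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "scope": "urn:opc:idm:__myscopes__"})
    resp = send("POST", f"https://{idcs_host}/oauth2/v1/token",
                {"Content-Type": "application/x-www-form-urlencoded"},
                body, auth=(client_id, client_secret))
    if resp.get("token_type") != "Bearer" or not resp.get("access_token"):
        raise RuntimeError(f"unexpected token response: {resp}")
    return resp["access_token"]


def find_service_user_role(idcs_host, token, oic_app_id, send=http_json):
    """Return the id of the OIC app's ServiceUser AppRole (${OIC_APP_ROLE_ID}).
    Same filter as the curl request; the result is re-checked so a broad
    substring match or a role of another app can never reach the grant."""
    filt = urllib.parse.quote_plus(
        f'displayName co "ServiceUser" and app.value eq "{oic_app_id}"')
    resp = send("GET", f"https://{idcs_host}/admin/v1/AppRoles?filter={filt}",
                {"Authorization": f"Bearer {token}"})
    roles = [r for r in resp.get("Resources", [])
             if r.get("displayName") == "ServiceUser"
             and r.get("app", {}).get("value") == oic_app_id]
    if len(roles) != 1:
        raise RuntimeError(f"expected one ServiceUser role, found {len(roles)}")
    return roles[0]["id"]


def grant_role(idcs_host, token, oic_app_id, role_id, si_app_id, send=http_json):
    """Grant the AppRole to the service integration app; returns the grant id."""
    payload = {"app": {"value": oic_app_id},
               "entitlement": {"attributeName": "appRoles", "attributeValue": role_id},
               "grantMechanism": "ADMINISTRATOR_TO_APP",
               "grantee": {"value": si_app_id, "type": "App"},
               "schemas": ["urn:ietf:params:scim:schemas:oracle:idcs:Grant"]}
    resp = send("POST", f"https://{idcs_host}/admin/v1/Grants",
                {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
                json.dumps(payload))
    if not resp.get("isFulfilled") or resp.get("grantee", {}).get("value") != si_app_id:
        raise RuntimeError(f"grant not fulfilled: {resp}")
    return resp["id"]
```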

Using the Service Integration Credentials

Once setup is complete, the credentials ${SI_CLIENT_ID} and ${SI_CLIENT_SECRET} can be used as the user name and password for authentication to an Oracle Integration endpoint as shown below.

Oracle Integration SOAP endpoint request sample:
curl -X POST https://${OIC_HOST}/ic/ws/integration/v1/flows/soap/FLOW/1.0/ \
  -u ${SI_CLIENT_ID}:${SI_CLIENT_SECRET} \
  -H 'Content-Type: text/xml;charset=UTF-8' -H 'SOAPAction: process' \
  -d '<soapenv:Envelope xmlns:rp="http://xmlns.oracle.com/rp_WS_Basic_Authentication_APP/rp_WS_Basic_Authentication/rp_Basic_Authentication_WS" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Header>
      <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
         <wsu:Timestamp wsu:Id="TS-0BC1DE3F9C8F739DB815541392855881">
            <wsu:Created>2019-04-01T00:00:00.000Z</wsu:Created>
            <wsu:Expires>2019-04-02T00:00:00.000Z</wsu:Expires>
         </wsu:Timestamp>
      </wsse:Security>
   </soapenv:Header>
   <soapenv:Body>
      <rp:process>
         <rp:input>OICTEST</rp:input>
      </rp:process>
   </soapenv:Body>
</soapenv:Envelope>'