Understanding Identity Propagation

The association between Oracle Java Cloud Service - SaaS Extension and SaaS relies on a shared identity domain, in which an individual user’s identity credentials are passed, or “propagated”, between the services by using trusted security tokens.

Note:

To associate instances, they must be provisioned in the same identity domain. You cannot readily associate two instances with each other if they were provisioned in different identity domains. When this occurs, you should contact your Oracle representative and raise a service request to evaluate the feasibility of such an association.

Identity propagation is the replication of authenticated identities, and it can happen through multiple business systems and processes. The client application uses identity propagation to send a user assertion on behalf of the user. When Java Cloud Service - SaaS Extension is established as the Identity Provider, it authenticates the requests from associated Service Providers and establishes the user identity; that identity is then used as the basis for authorization.

A user assertion is a user token that contains identity and security information about the user and can be used to authenticate the user. An assertion can be used instead of a username and password because it contains information that can be used to validate the client. The intent of the client assertion is to provide an alternative client authentication mechanism (one that doesn't send client secrets).

Oracle Cloud supports two protocols for propagating identity:
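Independent of which protocol carries it, the receiving service has to check a propagated user assertion before it acts on the identity inside. The following is an added example, not Oracle's code or token format: the claim layout, the class `AssertionDemo`, the names `domainA`, `domainB` and `saas-app`, and the freshly generated RSA key pair are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.Base64;

public class AssertionDemo {
    // Assumed claim layout (constructed, not an Oracle format): identityDomain|audience|user|expiryEpochSeconds
    static String issue(PrivateKey idpKey, String claims) throws GeneralSecurityException {
        byte[] body = claims.getBytes(StandardCharsets.UTF_8);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(idpKey);
        sig.update(body);
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        return enc.encodeToString(body) + "." + enc.encodeToString(sig.sign());
    }
    // Returns the asserted user, or throws if any check fails.
    static String validate(String token, PublicKey idpPub, String domain, String audience, Instant now)
            throws GeneralSecurityException {
        String[] parts = token.split("\\.");
        if (parts.length != 2) throw new SecurityException("malformed assertion");
        byte[] body = Base64.getUrlDecoder().decode(parts[0]);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(idpPub);
        sig.update(body);
        // Check the signature first: no field is trusted until the issuer is proven.
        if (!sig.verify(Base64.getUrlDecoder().decode(parts[1]))) throw new SecurityException("bad signature");
        String[] f = new String(body, StandardCharsets.UTF_8).split("\\|");
        if (f.length != 4) throw new SecurityException("unexpected claim count");
        if (!f[0].equals(domain)) throw new SecurityException("different identity domain");
        if (!f[1].equals(audience)) throw new SecurityException("issued for another service");
        if (Long.parseLong(f[3]) <= now.getEpochSecond()) throw new SecurityException("expired");
        return f[2];
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair idp = gen.generateKeyPair(); // stands in for the identity provider's signing key
        Instant now = Instant.now();
        long exp = now.plusSeconds(300).getEpochSecond();
        String good = issue(idp.getPrivate(), "domainA|saas-app|alice|" + exp);
        String foreign = issue(idp.getPrivate(), "domainB|saas-app|alice|" + exp);
        // Claims altered after signing: the original signature no longer matches.
        String forgedBody = Base64.getUrlEncoder().withoutPadding()
            .encodeToString(("domainA|saas-app|admin|" + exp).getBytes(StandardCharsets.UTF_8));
        String forged = forgedBody + "." + good.split("\\.")[1];
        for (String t : new String[] {good, foreign, forged}) {
            try { System.out.println("accepted user: " + validate(t, idp.getPublic(), "domainA", "saas-app", now)); }
            catch (RuntimeException | GeneralSecurityException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```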