2 Set Up the Service

Here’s what you need to know to get your team set up with Oracle Mobile Cloud Service (MCS), including activating the service, creating a service instance, and assigning team members. Be sure to go through this chapter carefully to make sure that you have fully configured the service for what your team needs.

Where Do I Sign Up?

If you haven't already purchased a subscription to Oracle Mobile Cloud Service (MCS) and would like to, you can do so in either of these ways:

  • Visit https://shop.oracle.com and enter Mobile Cloud Service into the Search field to display the purchase options.

  • Contact your sales representative. If you don’t know who that is, go to the Oracle Contact List and click Live Sales Chat.

You can purchase a metered or non-metered subscription. For an overview, see Overview of Oracle Cloud Subscriptions in Getting Started with Oracle Cloud.

You can also sign up for a trial by following these steps:

  1. Navigate to https://cloud.oracle.com/en_US/tryit and click Get started for free.

  2. Click Sign up.

  3. Fill out the online form to create an Oracle account.

    See Requesting a Free Oracle Cloud Promotion if you have any questions on how to fill out the form.

Once the request is approved, you will receive an email with details for logging in (and changing your password).

What Do I Need To Do?

MCS setup activities are divided between team members with the following administrative roles, assigned in Oracle Cloud.

Activate the service and designate administrators

  • Who does it? Your company’s Oracle Cloud account administrator. This person is designated by your Oracle sales representative when you sign up with Oracle Cloud.

  • How do I do it? See Activate the Service

Create one or more service instances (environments) and assign a service administrator

  • Who does it? For non-metered service, it is the account administrator or service administrator designated by the account administrator. For metered service, it is the service administrator.

  • How do I do it? See Create Mobile Environment Service Instances

Assign MCS team member roles to define permissions

  • Who does it? A service administrator for the MCS environment.

  • How do I do it? See Assign MCS Team Member Roles

Set up mobile users, realms and roles

  • Who does it? A team member with the Oracle Cloud identity domain administrator role and the mobile user configuration (MobileEnvironment_MobileUserConfig) and mobile user management (MobileEnvironment_MobileUserMgmt) MCS team member roles in the MCS environment.

  • How do I do it? See Set Up Mobile Users, Realms and Roles

Set up MCS for MAX

  • Who does it? Your company’s MCS service administrator.

  • How do I do it? See Setting Up MAX Environments, Distinguishing Between MAX Team Member Roles for Business Users and for Mobile App Developers, and Mobile Users for MAX

Log in to MCS

  • Who does it? All MCS team members.

  • How do I do it? See Get on Board

Activate the Service

When your company submits an order for MCS, your sales representative designates an account administrator, who is the activator for the service. If you're that person, you’ll receive an activation email to get started. If this is your first time logging in to Oracle Cloud, you’ll be prompted to change your temporary password.

  • Open the activation email and click Cloud Account Services Setup.

If you have a non-metered subscription, you’ve subscribed to an entitlement to create service instances of MCS (environments), so your first task is to create those environments based on your business needs, described next in Create Mobile Environment Service Instances.

If you have a metered subscription, your first task is to assign MCS roles to your team, described in Assign MCS Team Member Roles.

Create Mobile Environment Service Instances

MCS uses environments to define the behavior of artifacts and control access to development and administrative features. As an account or service administrator, you define these environments, assign predefined MCS team member roles, and configure environment policies. For example, if you have more than one environment, you could designate one as a development environment and one as a production environment.

  • Development could be an environment where you create your mobile backend, define your custom APIs, create new services using custom code, set up storage for your collections, and so on. It’s the primary environment where you’ll do most of your work.

  • Production could be a completely separate environment, into which you can promote your completed project code for testing or public access. Developers and team members with broad permissions and easy access to features in the development environment might have little or no access to a production (or staging) environment where specific testing can be done by another team. You could also further separate the production environment to promote fully tested code for use by applications.

To create your mobile environment service instances:

  1. Open the welcome email you received after being assigned as the service entitlement administrator and click My Account.

    You’ll be prompted to change your temporary password.

  2. In the My Services dashboard, click the Create Instance button next to MCS in the list of services and complete the wizard that appears.

    Allow up to three hours for the instance to be created.

    Upon creation of your first environment, an MCS Portal instance is also created and your environment is associated with it.

  3. For any additional environments you want to create, repeat step 2 of this procedure and associate them with the MCS Portal instance using the Associations dropdown in the wizard.

If you need more detailed information on the wizard, see Creating Service Instances in Getting Started with Oracle Cloud.

Setting Up MCS Environments

If you’re assigned as service administrator for the mobile environment service instance, you’re granted all MCS team member roles in the environment so you can start setting up the environment:
  • To assign team member roles, open the welcome email you received when you were assigned as service administrator and follow the link to Oracle Cloud My Services. From the Users page in the My Services dashboard, you can assign team member roles for the environment as described in Assign MCS Team Member Roles.
  • To monitor activity, access administrative features and define environment policies, go to MCS, click the side menu icon, and open Administration from the side menu. For more information on using these features, see MCS Environments.

Setting Up MAX Environments

MAX (Mobile Application Accelerator) is a development tool that enables business users to create, test, and publish mobile apps without writing code. You can find out more about MAX and how it’s used in Creating APIs Fast with the Express API Designer.

MCS doesn’t support multiple development and production environments for MAX. You can only assign one MAX development environment and one production environment.
  • A business user builds and tests apps in the MAX development environment. The MobileEnvironment_BusinessUser role in the development environment limits business users to the MAX UI only. MCS team members with the MobileEnvironment_Develop role in the environment also have access to MAX features.

  • A business user or MCS team member can use MAX to publish apps by promoting them to the MAX production environment, making them available to other people in the organization. This requires the MobileEnvironment_MAXApplicationDeploy role in the environment.

For more information on MAX roles, see Distinguishing Between MAX Team Member Roles for Business Users and for Mobile App Developers.

Tip:

Instead of accepting the default names for the MAX development and production environments, choose names that make them easy to identify. You might consider a MAX-themed naming convention and choose simple names to help you associate MAX roles with the correct environment service instances.

Assign MCS Team Member Roles

As a service administrator, you use the predefined MCS team member roles to grant permissions and capabilities to your team members in each environment. Team members and their roles are managed from Oracle Cloud My Services.

Note:

A service administrator can assign MCS roles to existing team members. To create new team members, you need to be assigned the identity domain administrator role in Oracle Cloud by the account administrator.

As account administrator, be judicious about granting the identity domain administrator role. It’s required to create team members and mobile users, but it also grants broader permissions over your MCS instance in Oracle Cloud.

To add users and assign them roles:

  1. Sign in to Oracle Cloud’s My Services and select the appropriate identity domain.

  2. On the My Services page, click Users and select the Users tab.

  3. For each team member, click Add and fill in the name, email, and other required information.

  4. In the Simple Role Selection section, select roles for each user.

    For development environments, it's generally a good idea to assign team members all of the MCS roles described below (except for the MobileEnvironment_BusinessUser role) so that they can complete all of the development activities. (Use the MobileEnvironment_BusinessUser role only for team members you want to go straight to Mobile Application Accelerator (MAX) without seeing the rest of the MCS interface.)

    For production environments, most team members should have more limited access.

If you need more detailed instructions, see Adding Users and Assigning Roles in Getting Started with Oracle Cloud.

MCS Team Member Roles

MCS team member roles are predefined and can’t be created or customized. Team members must be assigned at least one of the roles in the table below in each environment they should have access to.

Each entry below gives the role name (with its Oracle Cloud role identifier in parentheses), its privileges, and the available actions.

MCS Team Member (MobilePortal_TeamMember) Access to the MCS UI. All team members.

The MCS UI is represented by an environment in Oracle Cloud, called the MCS UI service. All team members must be granted this role in the MCS UI service in addition to roles granted in other MCS environments.

  • Access the MCS UI

Mobile Analytics (MobileEnvironment_Analytics) Read-only access to analytics data for the environment.
  • View analytics data and define custom reports

Mobile Database Management (MobileEnvironment_DbMgmt) Use the Database Management API to view, create, and drop tables.
  • Access the database

  • Migrate data

Mobile Deploy (MobileEnvironment_Deploy) Control artifact versions deployed within the environment and configure artifact policies and instance data.
  • Deploy versioned artifacts

  • Create, modify and remove artifact policies

  • Modify artifact instance data

Mobile Develop (MobileEnvironment_Develop) Create, configure and publish new artifacts, such as mobile APIs and custom code. Create and test mobile apps using MAX. This role is only useful in development environments.
  • Create a draft of an artifact

  • Modify artifact metadata

  • Publish an artifact

  • Test custom code by creating mobile apps using Mobile Application Accelerator (MAX)

Mobile Location Management (MobileEnvironment_LocationMgmt) Create, configure and delete location artifacts such as assets, devices and places so applications can query location data.
  • View location devices, places and assets from the UI

  • Create location devices, places, and assets from the UI

  • Modify location devices, places, and assets from the UI

  • Delete location devices, places, and assets from the UI

Mobile System (MobileEnvironment_System) Access the Location Management API from custom code.
  • Create location devices, places, and assets from custom code

  • Modify location devices, places, and assets from custom code

  • Delete location devices, places, and assets from custom code

Mobile User Configuration (MobileEnvironment_MobileUserConfig) Define realms and roles for mobile users so applications can use role-based access policies.

You must also be granted the role of identity domain administrator in Oracle Cloud to manage roles and realms.

  • Create a role

  • Delete a role

  • Create a realm

  • Modify a realm (draft/publish)

    • Add a user attribute

    • Remove a user attribute

Mobile User Management (MobileEnvironment_MobileUserMgmt) Manage mobile users within a realm, including creating mobile users and assigning roles.

You must also be granted the role of identity domain administrator in Oracle Cloud to manage users.

  • Create, update, suspend, activate and remove mobile users

  • Assign mobile roles to mobile users

  • Reset a mobile user’s password

Mobile Monitor (MobileEnvironment_Monitor) Read-only access to diagnostics data for the environment.
  • View diagnostic data and define custom reports

Mobile Notifications (MobileEnvironment_Notifications) Send and receive notifications in the environment.
  • Create (send) and query for notifications

Business User (MobileEnvironment_BusinessUser) Access to the Mobile Application Accelerator (MAX) development UI. Blocks access to the rest of the MCS UI.

Never grant the Business User role to an MCS mobile app or service developer or assign it to a production environment.

  • Create and test mobile apps using MAX

MAX Mobile App Deployment (MobileEnvironment_MAXApplicationDeploy) Access to the MAX production environment and MAX application deployment features.
  • Publish mobile apps using MAX

The naming convention for Oracle Cloud roles that correspond to MCS team member roles is: {serviceName}.{rolename}. For example, in the environment with service name paid1247mobsvc002dev the name of the Oracle Cloud role for the MobileEnvironment_Deploy team member role would be paid1247mobsvc002dev.MobileEnvironment_Deploy. Service names for MCS environments are listed on the Oracle Cloud My Services Dashboard page.

You might see some extra roles in the list in Oracle Cloud, including a Mobile Team Management role in several environments and extra Mobile Monitor and Mobile User Management roles in the UI environment. You don’t need to assign those roles to anyone, as they aren’t used in this release.

Team member roles are different from the mobile user roles that you assign to end users of your apps. For details on mobile user roles, see Creating and Managing Mobile User Roles.

Distinguishing Between MAX Team Member Roles for Business Users and for Mobile App Developers

MAX (Mobile Application Accelerator) is a development tool for business users, but MCS mobile app and service developers can also use MAX to test custom code. You can find out more about MAX and how it’s used in Creating APIs Fast with the Express API Designer.

To set up MCS so both business users and MCS developers can use MAX, take care in assigning roles. Both business users and MCS developers need the MobilePortal_TeamMember role to access the mobile portal, but these two types of users access MAX differently.
  • The MobileEnvironment_BusinessUser role must only be assigned to a business user in the MAX development environment so they can bypass the rest of MCS. Business users with this role are MAX-only users and can’t even see the MCS UI. Never assign this role to an MCS mobile app or service developer or to a production environment.

  • The MobileEnvironment_Develop role grants access to MAX from within the MCS UI. To make sure that MCS mobile app and service developers can open the Applications page and aren’t trapped in MAX, always assign them the MobileEnvironment_Develop role, and not the MobileEnvironment_BusinessUser role.

  • The MobileEnvironment_MAXApplicationDeploy role in the MAX production environment enables both business users and MCS developers to publish apps using MAX. When this role is assigned, MAX is included on the Applications page for the environment.

To find out more about accessing MAX, see Who Uses MAX?

Example Team Member Role Assignments

This table shows one way you could assign MCS team member roles by environment for the common jobs described in Get to Know Oracle Mobile Cloud Service. All team members also need to be assigned the MobilePortal_TeamMember role in the MCS UI service.

Caution:

When creating team member accounts for Mobile Application Accelerator (MAX), be sure to keep the roles and their associated environments straight. Do not grant the MAX BusinessUser role to MCS mobile app or service developers or they will be limited to the MAX UI and won’t have access to MCS development features. Also, the MAX development environment is identified by the MobileEnvironment_BusinessUser role, so take care when choosing the service instance name in the Oracle Cloud My Services Dashboard. Do not assign this role to the MAX production environment.

enterprise architect

  • Development environment roles: MobileEnvironment_Analytics, MobileEnvironment_DbMgmt, MobileEnvironment_Deploy, MobileEnvironment_Develop, MobileEnvironment_LocationMgmt, MobileEnvironment_System, MobileEnvironment_MobileUserConfig, MobileEnvironment_MobileUserMgmt, MobileEnvironment_Monitor, MobileEnvironment_Notifications

  • Staging environment roles: MobileEnvironment_Analytics, MobileEnvironment_DbMgmt, MobileEnvironment_Deploy, MobileEnvironment_LocationMgmt, MobileEnvironment_System, MobileEnvironment_MobileUserConfig, MobileEnvironment_MobileUserMgmt, MobileEnvironment_Monitor, MobileEnvironment_Notifications

  • Production environment roles: MobileEnvironment_Notifications

mobile cloud administrator

  • Development environment roles: MobileEnvironment_Analytics, MobileEnvironment_DbMgmt, MobileEnvironment_Deploy, MobileEnvironment_Develop, MobileEnvironment_LocationMgmt, MobileEnvironment_System, MobileEnvironment_MobileUserConfig, MobileEnvironment_MobileUserMgmt, MobileEnvironment_Monitor, MobileEnvironment_Notifications

  • Staging environment roles: MobileEnvironment_Analytics, MobileEnvironment_DbMgmt, MobileEnvironment_Deploy, MobileEnvironment_LocationMgmt, MobileEnvironment_System, MobileEnvironment_MobileUserConfig, MobileEnvironment_MobileUserMgmt, MobileEnvironment_Monitor, MobileEnvironment_Notifications

  • Production environment roles: MobileEnvironment_Analytics, MobileEnvironment_DbMgmt, MobileEnvironment_Deploy, MobileEnvironment_LocationMgmt, MobileEnvironment_System, MobileEnvironment_MobileUserConfig, MobileEnvironment_MobileUserMgmt, MobileEnvironment_Monitor, MobileEnvironment_Notifications

mobile app developer and service developer

  • Development environment roles: MobileEnvironment_Analytics, MobileEnvironment_DbMgmt, MobileEnvironment_Deploy, MobileEnvironment_Develop, MobileEnvironment_LocationMgmt, MobileEnvironment_System, MobileEnvironment_MobileUserConfig, MobileEnvironment_MobileUserMgmt, MobileEnvironment_Monitor, MobileEnvironment_Notifications

  • Staging environment roles: MobileEnvironment_Analytics, MobileEnvironment_MobileUserMgmt, MobileEnvironment_Monitor, MobileEnvironment_Notifications

  • Production environment roles: MobileEnvironment_Notifications, MobileEnvironment_MAXApplicationDeploy

mobile program manager

  • Development environment roles: MobileEnvironment_Analytics, MobileEnvironment_DbMgmt, MobileEnvironment_Deploy, MobileEnvironment_Develop, MobileEnvironment_LocationMgmt, MobileEnvironment_System, MobileEnvironment_MobileUserConfig, MobileEnvironment_MobileUserMgmt, MobileEnvironment_Monitor, MobileEnvironment_Notifications

  • Staging environment roles: MobileEnvironment_Analytics, MobileEnvironment_Notifications

  • Production environment roles: MobileEnvironment_Analytics, MobileEnvironment_Notifications

business user

  • Development environment roles: MobileEnvironment_BusinessUser

  • Staging environment roles: N/A

  • Production environment roles: MobileEnvironment_MAXApplicationDeploy

Remember, to create new team members or mobile users, a team member also needs to be granted the identity domain administrator role in Oracle Cloud.
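
The role rules in this chapter can be checked mechanically before grants go live. The following is an added example, not Oracle code: it audits a list of grants written in the {serviceName}.{rolename} convention against the rules stated above. The grant list layout, the service names, the user names, and the environment map are constructed assumptions.

```python
"""Audit Oracle Cloud role grants against the MCS team member role rules.

Added example. The input layout (user, "{serviceName}.{rolename}") and the
service-name-to-environment map are assumptions; all data below is constructed.
"""
from collections import defaultdict

PORTAL = "MobilePortal_TeamMember"
BUSINESS = "MobileEnvironment_BusinessUser"
DEVELOP = "MobileEnvironment_Develop"

# Constructed inventory: service name -> kind of environment it represents.
ENVIRONMENTS = {
    "exampleportal": "ui",     # the MCS UI service
    "examplemaxdev": "dev",    # MAX development environment
    "examplemaxprod": "prod",  # MAX production environment
}

# Constructed grants, written in the {serviceName}.{rolename} convention.
GRANTS = [
    ("alice", "exampleportal.MobilePortal_TeamMember"),
    ("alice", "examplemaxdev.MobileEnvironment_Develop"),
    ("alice", "examplemaxdev.MobileEnvironment_BusinessUser"),   # developer limited to MAX
    ("bob", "exampleportal.MobilePortal_TeamMember"),
    ("bob", "examplemaxdev.MobileEnvironment_BusinessUser"),
    ("bob", "examplemaxprod.MobileEnvironment_MAXApplicationDeploy"),
    ("carol", "examplemaxprod.MobileEnvironment_BusinessUser"),  # wrong environment
    ("carol", "examplemaxprod.MobileEnvironment_Develop"),
    ("dave", "unknownsvc.MobileEnvironment_Deploy"),             # service not in inventory
]


def parse_grant(role_name):
    """Split '{serviceName}.{rolename}' into (service, role)."""
    service, sep, role = role_name.partition(".")
    if not (sep and service and role):
        raise ValueError(f"not in serviceName.rolename form: {role_name!r}")
    return service, role


def audit(grants, environments):
    """Return a sorted list of (user, finding_code, detail) tuples."""
    findings = set()
    roles_by_user = defaultdict(lambda: defaultdict(set))  # user -> service -> roles
    for user, role_name in grants:
        roles_by_user[user]  # register the user even if every grant is rejected
        try:
            service, role = parse_grant(role_name)
        except ValueError:
            findings.add((user, "MALFORMED_ROLE_NAME", role_name))
            continue
        if service not in environments:
            findings.add((user, "UNKNOWN_SERVICE", service))
            continue
        roles_by_user[user][service].add(role)

    for user, services in roles_by_user.items():
        all_roles = set().union(*services.values())
        # Every team member needs MobilePortal_TeamMember in the MCS UI service.
        if not any(environments[s] == "ui" and PORTAL in r for s, r in services.items()):
            findings.add((user, "NO_PORTAL_ROLE", PORTAL))
        # Developers get Develop and never BusinessUser.
        if BUSINESS in all_roles and DEVELOP in all_roles:
            findings.add((user, "BUSINESS_USER_AND_DEVELOP", ""))
        for service, roles in services.items():
            kind = environments[service]
            # BusinessUser belongs only in the MAX development environment.
            if BUSINESS in roles and kind != "dev":
                findings.add((user, "BUSINESS_USER_OUTSIDE_DEV", service))
            # Develop is only useful in development environments.
            if DEVELOP in roles and kind != "dev":
                findings.add((user, "DEVELOP_OUTSIDE_DEV", service))
    return sorted(findings)


if __name__ == "__main__":
    for user, code, detail in audit(GRANTS, ENVIRONMENTS):
        print(f"{user:6} {code:28} {detail}")
```
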

Set Up Mobile Users, Realms and Roles

Mobile users are your customers — the ones who use the mobile apps built with MCS. Organize your mobile users by setting up realms that define the user schema, and creating roles to grant access permissions. It’s a good idea to define some realms and roles before app developers start working with MCS. You can also set up some initial mobile users for testing and maybe import larger groups of mobile users.

Note:

To manage mobile users, roles and realms, you need to be assigned the mobile user configuration (MobileEnvironment_MobileUserConfig) and mobile user management (MobileEnvironment_MobileUserMgmt) MCS team member roles in the environment, as well as the identity domain administrator role in Oracle Cloud.

Manage mobile users, realms and roles in MCS from Applications > Mobile User Management.

Creating Realms

A realm is a container for managing mobile users within an environment. Each realm includes a user schema that defines the user data that can be stored and made accessible to mobile apps. You can define custom properties for a user schema, but the following properties are required:
  • user name

  • password

  • first name

  • last name

  • e-mail

To create a new realm, start in a development environment. Available realms are listed under Mobile User Management in the side menu.
  1. Make sure you're in the development environment where you want to create the realm.
  2. Click the side menu icon to open the side menu and select Applications > Mobile User Management.
  3. Click the Realms navigation link.
  4. To create a realm, click New Realm.
  5. Enter a unique name and an optional description. The realm name can’t be changed after the realm is created.
  6. If you want to add a custom property to the user schema, click New Field.
    1. Enter a unique name for the field and an optional description.
      You can’t use any of the following reserved field names: firstname, lastname, email, username, password, createdOn, createdBy, modifiedOn, modifiedBy, id, roles, and links.
    2. Select the appropriate data Type for the field: string, number, date or Boolean.
    3. Click Create to add the new field to the user schema.
  7. When you’ve finished, click Save to save your changes to the realm and return to the Realms tab.
After a realm is published, the user schema can’t be changed. Realms can’t be deleted from MCS.
Realms are deployed automatically with the associated mobile backend. Only the user schema is deployed; no user data is migrated. For detailed information on publishing and deploying realms, see Realm Lifecycle. If you want to change the realm associated with an existing mobile backend, see Changing a Mobile Backend's Realm.

Setting the Default Realm for an Environment

When you create a new mobile backend, it’s automatically associated with the default realm for the environment. You can set this default realm to any available realm in the environment.
  1. Make sure you're in the environment where you want to set the default realm.
  2. Click the side menu icon to open the side menu and select Applications > Mobile User Management.
  3. Click the Realms navigation link.
  4. Select the realm that you want to make the new default. Click More and select Make default realm.

Creating and Managing Mobile User Roles

Mobile user roles allow you to define permissions for your apps and assign them to mobile users. You can define as many roles as you need, and you can assign multiple roles to the same mobile user.

A mobile app can allow different access to mobile users with different roles. You could assign a Technician role to a mobile technician to grant access to specific features of the company's mobile app, and a Salesperson role to a sales rep to grant access to different features. The same mobile technician could have a Customer role in the company’s supply ordering app where the sales rep has no role assigned.

To create and manage mobile user roles:
  1. Make sure you're in the environment where you want to create the role(s).

  2. Click the side menu icon to open the side menu and select Applications > Mobile User Management.

    Note:

    Though it's possible to create and delete mobile user roles from My Services in Oracle Cloud, you should handle all operations on mobile user roles from Mobile User Management in the MCS UI.
  3. Click the Roles page. From here you can view and edit available mobile user roles and create new roles. As soon as you create a role, it’s added to the list on the Roles page and you can define access permissions.
    • Role names are case-sensitive.

    • Roles are deployed automatically with any object that references them.

Once you’ve defined roles, you can use them throughout MCS:

Creating Mobile Users and Assigning Roles

From the Mobile Users page in MCS Mobile User Management, you can create and edit users and assign roles, search for an existing user, and reset a user’s password to a system-generated temporary password that is sent to the user’s email address. Remember, you can only create mobile users if you have the identity domain administrator role in Oracle Cloud.
For more thorough testing or for production, you’ll probably want to import a group of users. To import groups of users into MCS, use Oracle Cloud to batch assign them to a realm. You can also use Oracle Cloud to batch assign mobile user roles. For detailed instructions, see Importing Groups of Mobile Users Into MCS Using Oracle Cloud.

Note:

In all cases, when you create mobile users, they are sent a temporary password. The new users need to use this temporary password to log into the My Services portal, change the password, and set up their challenge questions before they can be recognized as an MCS mobile user.

Creating Individual Mobile Users for Testing

You can use the MCS UI to create individual mobile users and assign roles. Here are the steps for quickly creating a test user. Some steps include suggested values that will allow app developers to seamlessly complete the Get Started with Mobile Development tutorial on the MCS home page.

  1. Make sure you're in the environment where you want to create the mobile user(s).

  2. Click the side menu icon to open the side menu and select Applications > Mobile User Management.

  3. Click Mobile Users.

  4. Select the Realm where you want to create the user.

  5. Click the New User button.

  6. Enter a unique user name and fill in the remaining fields in the dialog, including an email address where you can retrieve the generated password.

    The available fields may vary depending on the realm where you’re creating the user. The Get Started with Mobile Development tutorial uses the user name Joe.

    Note:

    Both user name and email address must be unique across all services in Oracle Cloud.
  7. If you haven’t created the role you need yet, you can add a new role to the environment by clicking Create Role on the right side of the dialog.

    The Get Started with Mobile Development tutorial uses the role name Technician for the user Joe.

  8. Click Create again to create the new mobile user.

    An email is sent from Oracle Cloud to the address you entered with a temporary password.

  9. (Optional) Assign roles to an individual mobile user from the Mobile Users page in MCS.

You can only assign a mobile user to one realm via the MCS Mobile Users page, but you can associate mobile users with multiple realms using Oracle Cloud. For more thorough testing or for production, you’ll also probably want to import a group of mobile users.

Importing Groups of Mobile Users Into MCS Using Oracle Cloud

You can use Oracle Cloud to import a group of users into MCS or assign MCS roles to a group of users, using the steps below. MCS mobile user realms and roles are both represented by custom roles in Oracle Cloud. As with all mobile user operations in this section, you need the identity domain manager role in Oracle Cloud to complete these steps.

  1. Create the MCS realm and mobile user roles you want to assign to the group of users, if you haven’t already. For detailed instructions, see Creating Realms and Creating and Managing Mobile User Roles.

  2. Create a group of mobile users in Oracle Cloud using a comma-separated values (CSV) file.

    For detailed information on batch importing users, including the related CSV files, see Importing a Batch of User Accounts in Getting Started with Oracle Cloud.

  3. Import the users into MCS by assigning the group to the Oracle Cloud custom role that represents the MCS realm you created in step 1.

    The naming convention for Oracle Cloud custom roles that represent MCS realms is: {serviceName}_MobileEnvironment_{realmname}_{version with dots as underscores}_Realm where {serviceName} is the service name of the environment in Oracle Cloud. You can find the service names for all MCS environments on the My Services Dashboard page in Oracle Cloud. For example, for the default realm version 1.0 in the environment with service name “3240930apod” the custom role in Oracle Cloud would be 3240930apod_MobileEnvironment_Default_1_0_Realm, or for the MyCustomers realm version 2.5 in the environment with service name “poeo342ed” it would be poeo342ed_MobileEnvironment_MyCustomers_2_5_Realm. For detailed instructions, see Assigning One Role to Many Users in Getting Started with Oracle Cloud.

  4. (Optional) Assign MCS mobile user roles to the group by assigning Oracle Cloud custom roles using the same process you did for the realm in the previous step.

    The naming convention for Oracle Cloud custom roles that represent MCS mobile user roles is: {serviceName}_MobileEnvironment_{rolename}. For example, for a role named “APIRole” in the environment with service name “poeo342ed” the custom role in Oracle Cloud would be poeo342ed_MobileEnvironment_APIRole.
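
The two custom role naming conventions above can be built and parsed in code when reviewing a batch assignment. The following is an added example, not Oracle code: it classifies custom role names as realm or mobile user role and lists users who were given a mobile user role in an environment without a realm role there. It assumes service names contain no underscores and versions have the form major.minor, as in the examples on this page; the batch data is constructed.

```python
"""Build and parse Oracle Cloud custom role names for MCS realms and mobile roles.

Added example. Assumptions: service names contain no underscore and realm
versions are major.minor, as in the examples on this page. BATCH is constructed.
"""
import re
from collections import defaultdict

REALM_RE = re.compile(
    r"^(?P<service>[^_]+)_MobileEnvironment_(?P<realm>.+)"
    r"_(?P<major>\d+)_(?P<minor>\d+)_Realm$"
)
ROLE_RE = re.compile(r"^(?P<service>[^_]+)_MobileEnvironment_(?P<role>.+)$")


def realm_role_name(service, realm, version):
    """{serviceName}_MobileEnvironment_{realmname}_{version with dots as underscores}_Realm"""
    return f"{service}_MobileEnvironment_{realm}_{version.replace('.', '_')}_Realm"


def mobile_role_name(service, role):
    """{serviceName}_MobileEnvironment_{rolename}"""
    return f"{service}_MobileEnvironment_{role}"


def classify(custom_role):
    """Return (kind, service, name, version); kind is 'realm', 'role' or 'other'.

    The realm pattern is tried first. A mobile user role whose own name ends in
    '_<n>_<n>_Realm' cannot be told apart from a realm by name alone.
    """
    m = REALM_RE.match(custom_role)
    if m:
        return ("realm", m["service"], m["realm"], f"{m['major']}.{m['minor']}")
    m = ROLE_RE.match(custom_role)
    if m:
        return ("role", m["service"], m["role"], None)
    return ("other", None, custom_role, None)


def review_batch(assignments):
    """Group a batch by (user, service) and list role grants with no realm grant."""
    realms = defaultdict(set)  # (user, service) -> {(realm, version)}
    roles = defaultdict(set)   # (user, service) -> {mobile user role}
    for user, custom_role in assignments:
        kind, service, name, version = classify(custom_role)
        if kind == "realm":
            realms[(user, service)].add((name, version))
        elif kind == "role":
            roles[(user, service)].add(name)
    # Users are imported into MCS through the realm role; a mobile user role
    # alone in an environment leaves the user outside every realm there.
    orphans = sorted(key for key in roles if key not in realms)
    return realms, roles, orphans


# Constructed batch of (user, Oracle Cloud custom role) assignments.
BATCH = [
    ("joe", "poeo342ed_MobileEnvironment_MyCustomers_2_5_Realm"),
    ("joe", "poeo342ed_MobileEnvironment_APIRole"),
    ("ann", "poeo342ed_MobileEnvironment_APIRole"),              # role, no realm here
    ("ann", "3240930apod_MobileEnvironment_Default_1_0_Realm"),  # realm in another environment
    ("raj", "poeo342ed.MobileEnvironment_Deploy"),               # team member role, ignored
]

if __name__ == "__main__":
    _, _, orphans = review_batch(BATCH)
    for user, service in orphans:
        print(f"{user}: mobile user role in {service} but no realm role there")
```
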

Mobile Users for MAX

In addition to their team member accounts, MAX (Mobile Application Accelerator) business users need mobile user accounts to test and use their mobile apps. For details on MAX team member roles, see Distinguishing Between MAX Team Member Roles for Business Users and for Mobile App Developers. For more information about MAX, see Using the Express API Designer with MAX.
The roles are defined as follows:

  • test user: A test user account enables MAX users to preview apps using live data. It also enables them to generate the QR code that identifies the test version of an app. For more information on creating a test user account, see Creating Individual Mobile Users for Testing.

  • mobile user: Mobile user accounts enable everyone (business users, MCS developers, and mobile app users) to log in to MAX and use published mobile apps. Anyone who tests or uses a mobile app built using MAX needs a mobile user account. For more information, see Importing Groups of Mobile Users Into MCS Using Oracle Cloud.

Changing a Mobile User Password

As mobile cloud administrator, you can change a mobile user’s password from the Mobile Users page in MCS Mobile User Management. Mobile users can change their own passwords from Oracle Cloud Identity Self Service.
  1. Click the side menu icon to open the side menu and select Applications > Mobile User Management.
  2. Click Mobile Users.
  3. Select the mobile user on the Mobile Users page and click the Reset password button. MCS will send an email with a temporary password to the email address associated with the user.

Configuring Identity Management (SSO and OAuth)

MCS allows you to enable single sign-on (SSO) with OAuth so your mobile apps can use your own identity provider for authentication.

First, configure the connection between Oracle Cloud and the identity provider from the Users page in Oracle Cloud My Services. For detailed instructions, see Managing Single Sign On in Administering Oracle Cloud Identity Management.

After you configure Oracle Cloud, you can enable SSO in your MCS mobile backends. For details on these settings, see Enabling Browser-Based SSO through MCS in the Authentication in MCS chapter.

Configuring Oracle Cloud Applications as the Identity Provider

If your team will be creating mobile apps that are designed for users of Fusion Applications-based services such as Oracle Sales Cloud, Oracle HCM Cloud, and Oracle ERP Cloud, you will probably want to enable those users to sign in to the mobile app once and not have to re-enter credentials to access the Oracle Cloud application.

For your mobile app and service developers to be able to create such apps where the user only needs to sign in once, you need to get the following things in place:

  1. Have your MCS instance provisioned in the same identity domain as the Oracle Cloud application service that your apps will access.

  2. Enable SSO for the identity domain and set the Oracle Cloud application service as the identity provider.

  3. Enable sign-on with identity domain credentials. This enables team members to sign in with their Oracle Cloud credentials. Otherwise, they would be prompted to log in with credentials for the Oracle Cloud application service (which they might not have).

    The steps for this are:

    1. In My Services, go to the SSO Configuration page.

    2. Go to the Enable Sign In to Oracle Cloud Services with Identity Domain credentials section and click Enable.

Note:

You can only designate one identity provider to be used with SSO.

Once the services are set up in the same identity domain and SSO has been enabled, the mobile app developer can do the following to enable the app user’s login credentials to propagate to the Oracle Cloud application:

  • Create a Fusion Applications connector API to connect to the Oracle Cloud application service.

  • Within the connector API, designate the appropriate security policy to handle authentication and authorization with the service.

  • Create a custom API that calls the connector API.

  • Create a mobile backend, enable it to use SSO, and associate the custom API with it.

Configuring Microsoft Azure Active Directory as an Identity Provider

As an example of adding a remote identity provider, here is what you do to enable use of Microsoft Azure Active Directory as the remote identity store for apps that use MCS mobile backends.

The general sequence of steps is:

  1. In Azure, create an application and configure it to use single sign-on.

    This application will provide the context for configuring the SSO relationship and identify the set of users to whom that relationship is applicable.

  2. In Oracle Cloud, configure Azure Active Directory as the identity provider.

  3. In your Azure app, add the Oracle Cloud service provider information.

  4. In your Azure app, assign users to access the app.

  5. In Oracle Cloud, import the Azure users.

  6. In Oracle Cloud, enable the SSO configuration.

  7. In MCS, enable SSO in a mobile backend.

  8. Test the SSO with a mobile backend.

This procedure assumes that you have a Windows Azure account with Azure Active Directory Premium enabled.

Creating and Configuring the App in Azure that Will Serve as the Identity Store

The first step is to create an application in Azure and then configure that app to use single sign-on. This app doesn’t have any end-user functionality.

  1. Sign in to the Azure portal, browse to the directory you want to use, select Applications, and click Add.

  2. Select Add an application from the gallery.

  3. Select Custom, select Add an unlisted application my organization is using, provide a name, and save.

  4. On the application page, click Configure single sign-on.

  5. Select Microsoft Azure AD Single Sign-On and click Next.

  6. On the Configure App Settings page, add values for Issuer and Reply URL.

    These values are just temporary placeholders, so just enter any syntactically correct URLs, such as https://www.example.com.

    You will add the real values later once you have set up your Oracle Cloud account to use Azure Active Directory as a remote identity provider.

  7. On the Configure single sign-on at ... page, click Download Metadata (XML) and save the file as IdP-Metadata.xml.

    You will need this file to configure your Oracle Cloud account.

  8. Check Confirm that you have configured single sign-on as described above.

  9. In the next screen, confirm the notification email (optional) and save.

Configuring Azure Active Directory as the Identity Provider in Oracle Cloud

Now that you have set up the app in Azure to hold the identity store, you can configure your Oracle Cloud account to use it.

The configuration you do here will determine how an Oracle Cloud user record is identified from the information that Azure AD provides (via the SAML token).

  1. Log in to Oracle Cloud, go to Users and then SSO Configuration and click Configure SSO.

  2. In the popup window, select Import identity provider metadata and load the Azure metadata file (IdP-Metadata.xml) that you just downloaded from Azure.

  3. From the SSO Protocol dropdown, select HTTP POST.

  4. From the User Identifier dropdown, select one of the following to specify which field in the Oracle Cloud user record you will use to match with the Azure AD record.

    • User’s Email Address

    • User ID

  5. From the Contained in dropdown, select the attribute from Azure AD (such as user name or email address) that you want to be matched against the User Identifier value above.

  6. Click Save.

  7. Under Configure your Identity Provider Information, make a note of the Provider ID and Assertion Consumer Service URL values.

    You will use these values when configuring the Azure App to work with Oracle Cloud.

  8. Click Export Metadata, select Provider Metadata, and save the file.

    This metadata may come in handy later if configuration problems arise.

Adding the Oracle Cloud Service Provider Information to the Azure App

In this step, you go back to Azure and fill in the Oracle Cloud service provider information that you just generated.

  1. Go back to the Azure portal, select your directory, click Applications, and then click the application you created earlier.

  2. Click Configure single sign-on.

  3. Select Microsoft Active Directory again, and then click Next.

  4. In the Issuer field, enter the value of the Provider ID that you copied after configuring Azure AD as an identity provider in Oracle Cloud.

  5. In the Reply URL field, enter the value of the Assertion Consumer Service URL that you copied above.

  6. For the next steps, continue with the defaults and then save at the end.

Note:

If you have problems with the Issuer and Reply URL values, you can double-check them in the metadata you exported after configuring Azure AD as the identity provider in Oracle Cloud. The Provider ID (and thus the Issuer) value should correspond with the value of the entityID attribute of the EntityDescriptor element. The Assertion Consumer Service URL (and thus the Reply URL) value should correspond with the Location value of the AssertionConsumerService element that has the Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" attribute.
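
The check described in this note can be scripted. The following is an added example, not part of the Oracle documentation: it reads the entityID and the HTTP-POST AssertionConsumerService Location from exported provider metadata and compares them with the Issuer and Reply URL entered in Azure. The sample metadata, host names, and function names are constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample of exported provider metadata; hosts and IDs are placeholders.
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.com/oam/fed/cloud/exampledomain">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.com/fed/sp/artifact"/>
    <md:AssertionConsumerService index="1" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.com/fed/sp/post"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def read_sp_metadata(xml_text):
    """Return (entityID, [HTTP-POST ACS Locations]) from provider metadata."""
    # Only parse metadata you exported yourself; ElementTree is not hardened
    # against hostile XML.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    locations = [
        acs.get("Location")
        for acs in root.iter(f"{{{MD_NS}}}AssertionConsumerService")
        if acs.get("Binding") == HTTP_POST
    ]
    return root.get("entityID"), locations


def check_azure_values(xml_text, issuer, reply_url):
    """List mismatches between the Azure fields and the metadata (empty = OK)."""
    entity_id, post_locations = read_sp_metadata(xml_text)
    problems = []
    # Compare exactly: a trailing slash or stray whitespace is a real mismatch.
    if issuer != entity_id:
        problems.append(f"Issuer {issuer!r} != entityID {entity_id!r}")
    if not post_locations:
        problems.append("metadata has no HTTP-POST AssertionConsumerService")
    elif reply_url not in post_locations:
        problems.append(f"Reply URL {reply_url!r} not in {post_locations}")
    if not reply_url.startswith("https://"):
        problems.append("Reply URL is not https")
    return problems
```

An empty list means the Azure values agree with the metadata. Pasting the HTTP-Artifact endpoint into Reply URL is reported as a mismatch.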

Assigning Azure Users to Access Your App

Next you populate your Azure app with the users that you want to be able to log in via the SSO feature.

  1. In the Azure portal, navigate to your directory, click Applications and choose the container application you created.

  2. Go to the Users And Groups tab, search for the groups you would like to be able to access MCS apps, and assign them by clicking the Assign button at the bottom of the page.

Importing Users Into Your MCS Realm

And now you import those users into MCS, via Oracle Cloud.

  1. Export the users from Azure, using the recommended method, depending on the source of the users.

    • If the users originate from an on-premises Active Directory installation, use the standard Active Directory tools to export them.

    • If the users originate from Azure directly, use Azure Windows Power Tools.

  2. Insert those users into a CSV file, with the following structure: First Name, Last Name, Email, User Login.

    The User Login must match the username used to log in to Azure.

  3. Import the users into Oracle Cloud and assign them the realm that you want to use as described in Importing Groups of Mobile Users Into MCS Using Oracle Cloud.
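
Because SSO matches each Azure AD record to an Oracle Cloud user by email address or User ID, blank or duplicated values in the import file lead to failed or ambiguous sign-ins. The following added example (not part of the Oracle documentation) builds the four-column file from an Azure export and rejects such rows. The export column names (GivenName, Surname, Mail, UserPrincipalName), the header row in the output, and the sample data are assumptions.

```python
import csv
import io

OUT_FIELDS = ["First Name", "Last Name", "Email", "User Login"]

# Constructed sample export; the column names are an assumption about your export.
SAMPLE_EXPORT = """GivenName,Surname,Mail,UserPrincipalName
Ana,Lopez,ana.lopez@example.com,ana.lopez@example.com
Raj,Patel,,raj.patel@example.com
Ana,Lopez,a.lopez@example.com,Ana.Lopez@example.com
 Kim ,Osei,kim.osei@example.com,kim.osei@example.com
"""


def build_import_csv(export_text):
    """Return (csv_text, rejected), where rejected is [(line_no, reason)]."""
    seen_logins, seen_emails = set(), set()
    rejected = []
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=OUT_FIELDS, lineterminator="\n")
    writer.writeheader()
    reader = csv.DictReader(io.StringIO(export_text))
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        rec = {
            "First Name": (row.get("GivenName") or "").strip(),
            "Last Name": (row.get("Surname") or "").strip(),
            "Email": (row.get("Mail") or "").strip(),
            # User Login must be the name the user signs in to Azure with.
            "User Login": (row.get("UserPrincipalName") or "").strip(),
        }
        missing = [name for name, value in rec.items() if not value]
        if missing:
            rejected.append((line_no, "missing " + ", ".join(missing)))
            continue
        # Conservative choice: treat values differing only in case as duplicates.
        login_key, email_key = rec["User Login"].lower(), rec["Email"].lower()
        if login_key in seen_logins:
            rejected.append((line_no, "duplicate User Login"))
            continue
        if email_key in seen_emails:
            rejected.append((line_no, "duplicate Email"))
            continue
        seen_logins.add(login_key)
        seen_emails.add(email_key)
        writer.writerow(rec)
    return out.getvalue(), rejected
```

Review the rejected list and fix those accounts at the source before importing, rather than editing the generated file by hand.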

Enabling the SSO Configuration

Once you have assigned users for your application in Azure AD, and have imported those users into Oracle Cloud, enable the SSO Configuration by following these steps:

  1. On the Single Sign-On (SSO) Configuration page in Oracle Cloud, navigate to the Test your SSO section and click Test.

  2. If that test is successful, navigate to the Enable SSO section of the page and click Enable SSO.

Testing the SSO with an MCS Mobile Backend

Once SSO has been fully configured and enabled and you have enabled SSO in a mobile backend, you can test it with that mobile backend.

If you haven’t yet enabled SSO in a mobile backend, see Enabling Single Sign-On for a Mobile Backend.

To test SSO access to a mobile backend:

  • Open a web browser and navigate to the following URL:

    <environment URI>/mobile/platform/sso/token?clientID=<OAuth client ID>

    where <environment URI> is the URI used to access platform APIs for the given MCS instance, and <OAuth client ID> can be obtained from the Settings page for the given mobile backend.

Enabling Apps to Access MCS Through Tokens from 3rd-Party Identity Providers

If you already have a large set of users provisioned in a non-Oracle identity provider and you have a way for your apps to get a SAML or JWT authentication token directly from that identity provider, you can configure MCS to accept that token when it is presented by the app.

To get this to work, you configure MCS to trust the issuer of the tokens. Then, when MCS receives such a token, it verifies the authenticity of the issuer and then provides an MCS token in exchange.

Unlike with the configuration of the enterprise SSO feature, you do not need the identity domain administrator role for your Oracle Cloud account to set this up. You set up the token issuer and certificate directly in MCS.

See Enabling SSO through Third-Party SAML and JWT Authentication Tokens.

Get on Board

Once you’re assigned a role in MCS, you can log in and get to work. To open MCS from the Oracle Cloud My Home page, click the Mobile Cloud Service box. (You can ignore any options labeled Mobile Environment Service.) If you’re coming from Oracle Cloud My Services, click the Open Service Console link in the MobilePortalService box. (This link is only accessible to team members with administrative roles.)

Note:

If you see an error when you try to access MCS, you probably don’t have all the roles you need. Ask your service administrator to assign you the necessary MCS roles.