How the Integration of the Application with Digital Assistant is Secured

Here are the key security aspects of the integration between Oracle Digital Assistant and Oracle Fusion Cloud Applications.

Security Overview

Oracle Digital Assistant is a native Oracle Cloud Infrastructure (OCI) service that is available in both the Public Commercial and Government regions. Digital Assistant is also accredited as FedRAMP compliant. Digital Assistant uses FIPS encryption everywhere, for data in transit and data at rest.

The application is integrated with the digital assistant at provisioning time. When the Fusion Applications pod is provisioned, a dedicated digital assistant service instance is provisioned for that pod. This pairing associates the application with the digital assistant.

Here are the key aspects of the pairing:

  • The paired application package, which includes the authentication service for the application, is installed and configured on the Fusion Applications pod. Among other things, this configuration sets up the security groups and policies.
  • In the digital assistant, an Authentication Service is set up and configured to the Oracle Identity Cloud Service (IDCS) stripe of the Oracle Fusion Cloud Applications pod.
  • The Identity Cloud Service (IDCS) stripe of the Fusion Applications pod is registered as an authentication service on the digital assistant Authentication Service page.
  • In the digital assistant, an Oracle Web channel is configured. You might also add other channels based on your needs.

Runtime Security

This diagram illustrates how you converse with the Fusion Applications pod, and the security features involved in the process.

[Diagram: the flow of conversations that Fusion Applications users have with digital assistants through the Oracle Digital Assistant platform. The diagram has several boxes and 11 numbered arrows, each of which corresponds to one of the 11 steps described below.]

This table describes the steps illustrated in the diagram.

Callout Number / Data Flow / Description

1. User to Channel
   The user starts a conversation by entering a message through an Oracle Web channel in Digital Assistant.
   Note: Configuration of the Web settings is a manual process in both the ODA service instance and the Fusion Applications Designer.

2. Channel to ODA Service Instance
   The channel sends the encrypted message through the channel security to the ODA service instance. See Configure Client Authentication.

3. Fusion Applications Skill to Fusion Applications Authentication Service within ODA Service Instance
   The message from the channel is routed to the Fusion Applications Skill in the ODA service instance, which then triggers the authentication service for the application.

4. Fusion Applications Authentication Service to IDCS App
   The authentication service checks whether the user has already been authenticated with IDCS. If not, the authentication service sends an OAuth access token request to the IDCS server. This redirects to the IDCS Sign In page, prompting the user to sign in.

5. User to IDCS App
   The user enters the user name and password.

6. IDCS App to Fusion Applications Authentication Service
   After the user is successfully authenticated, the IDCS server returns both an access token and a refresh token to the Fusion Applications Authentication Service. This happens within the Fusion Applications skill's OAuth access token flow. The access token has a default expiration period of 8 hours, and the refresh token has an expiration period of 7 days.

7. Fusion Applications Authentication Service to Fusion Applications Skill
   If the user sends further requests in the same channel within the 8-hour expiration window, the same access token is used. If the user sends further requests in the same channel after the 8 hours have elapsed but within the 7 days, the authentication service requests a new access token using the refresh token.

8. Fusion Applications Skill to Fusion Applications Pod
   The Fusion Applications Skill sends a REST API request carrying the access token received in step 6. The Fusion Applications Pod authenticates the request using the OAuth access token.

9. Fusion Applications Pod back to Fusion Applications Skill
   The Fusion Applications Pod returns the response to one or more Fusion Applications Skills in the ODA service instance.

10. Fusion Applications Skill to Channel
    The ODA service instance returns the response to the channel.

11. Channel back to the User
    The channel displays the response to the user.
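The token lifetime rules in steps 4, 6 and 7 (reuse the access token inside 8 hours, refresh it between 8 hours and 7 days, otherwise send the user back to sign in) can be modelled as a small decision function. The following is an added example written for this page, not Oracle's code: the token strings, the user name and the non-rotating refresh token are constructed assumptions, and the lifetimes are the defaults stated in the text. It also shows the bearer header the skill would send in step 8, so the skill never handles the user's password (that is exchanged only in step 5, directly with IDCS).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Lifetimes as stated in the text: access token 8 hours, refresh token 7 days.
ACCESS_TOKEN_LIFETIME = timedelta(hours=8)
REFRESH_TOKEN_LIFETIME = timedelta(days=7)


@dataclass
class TokenSession:
    """Tokens the authentication service holds for one user on one channel.

    The token values are constructed placeholders, not real IDCS tokens.
    """
    access_token: str
    refresh_token: str
    issued_at: datetime
    access_expires_at: datetime = field(init=False)
    refresh_expires_at: datetime = field(init=False)

    def __post_init__(self):
        self.access_expires_at = self.issued_at + ACCESS_TOKEN_LIFETIME
        self.refresh_expires_at = self.issued_at + REFRESH_TOKEN_LIFETIME


def decide_action(session, now):
    """Return which path applies at time `now`: 'reuse', 'refresh' or 'authenticate'."""
    if session is None:
        return "authenticate"          # step 4: no session yet, redirect to IDCS sign-in
    if now < session.access_expires_at:
        return "reuse"                 # step 7: inside the 8-hour window
    if now < session.refresh_expires_at:
        return "refresh"               # step 7: past 8 hours but within 7 days
    return "authenticate"              # both tokens expired: user must sign in again


def obtain_session(user, now):
    """Constructed stand-in for the IDCS token response of step 6."""
    stamp = int(now.timestamp())
    return TokenSession(
        access_token=f"access-{user}-{stamp}",
        refresh_token=f"refresh-{user}-{stamp}",
        issued_at=now,
    )


def refresh_session(session, now):
    """Exchange the refresh token for a new access token.

    Assumption for this example: the refresh token itself is not rotated, so its
    original 7-day expiry is kept rather than reset.
    """
    new = TokenSession(
        access_token=f"{session.access_token}-r{int(now.timestamp())}",
        refresh_token=session.refresh_token,
        issued_at=now,
    )
    new.refresh_expires_at = session.refresh_expires_at
    return new


def ensure_access_token(session, user, now):
    """Apply the decision and return (possibly new) session plus the action taken."""
    action = decide_action(session, now)
    if action == "reuse":
        return session, action
    if action == "refresh":
        return refresh_session(session, now), action
    return obtain_session(user, now), action


def bearer_header(session):
    """Header the skill attaches to the REST request in step 8 (sent over TLS)."""
    return {"Authorization": f"Bearer {session.access_token}"}


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    session, action = ensure_access_token(None, "alice", t0)
    print(action, bearer_header(session))
    for offset in (timedelta(hours=7), timedelta(hours=9), timedelta(days=8)):
        session, action = ensure_access_token(session, "alice", t0 + offset)
        print(offset, action, session.access_expires_at.isoformat())
```

Note the boundary handling: at exactly 8 hours the access token is already treated as expired and a refresh is performed, and at exactly 7 days the refresh token is treated as expired, so a strict `<` comparison errs on the side of re-authenticating rather than presenting a stale token.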