Configure Fusion Applications Identity Domain Federated with an External IdP for OCI Extensions

All Fusion Applications users are available in the Fusion Applications identity domain automatically through synchronization. When these users attempt to sign in to an OCI extension service, they are redirected automatically to Fusion Applications through the Oracle-delivered SSO.

You can, however, configure your OCI extension service to restrict access to users created locally in the Fusion Applications identity domain, or to external users who originate from an external IdP that is directly federated with the Fusion Applications identity domain.

This section explains how to federate the Fusion Applications identity domain with an external IdP such as Microsoft Entra ID. Using the Oracle Cloud Infrastructure Console, you configure an IdP policy and rules for the external IdP that is federated with the Fusion Applications identity domain, and then associate the policy with an OCI extension service such as Oracle Visual Builder. Note that only a single IdP policy can be associated with an OCI extension service in a domain.

Prerequisite

Before you proceed with the configuration, make sure that Fusion Applications identity domain is federated with Microsoft Entra ID. For more information, see SSO Between OCI and Microsoft Azure in OCI documentation.

Caution: Don't edit the Fusion Applications IdP or the default IdP policy.

Create a Policy and Rules for the External IdP

Create a policy and rules that apply to the OCI extension application, and then associate the policy with the application.

  1. On the OCI UI, click Identity and Security, Domains.
  2. In the List scope section, select the root user account in the Compartment drop-down list.
  3. On the Domains page, select the domain name that’s suffixed with current domain. This is the domain that’s provisioned with Fusion Applications.
  4. On the domain Overview page, click Security on the left pane.
  5. On the Terms of use documents page, click IdP policies on the left pane.
  6. On the Identity provider (IdP) policies page, click Create IdP policy.
  7. Enter a name for the policy and click Add policy.
  8. Click Add IdP rule to assign the rule to the relevant identity providers and set the conditions.
  9. In the Add identity provider rule dialog box, enter a name for the rule and specify these additional details.
    1. In the Assign identity providers drop-down list, select the identity provider that you want to associate with this rule.
    2. Specify the required conditions.
    3. Click Add IdP rule.
  10. Click Next.
  11. Click Add apps to search for and add the applications and services that will use this rule. Because an application can be associated with only one IdP policy, the application you add here is governed by this policy's rules instead of the default IdP policy.

Assign a Role to the User for Accessing the OCI Extension Application

To access the OCI extension application, the user who originates from the external identity provider must be assigned the required application role.

  1. On the OCI UI, go to the current domain overview page.
  2. Click Oracle Cloud Services on the left pane.
  3. Select the Oracle Visual Builder application from the list.
  4. On the application details page, click Application roles in the left pane.
  5. Expand the role that you want, using the down arrow.
  6. Click Manage to view the list of assigned users.
  7. Select a user from the list of Available Users and click Assign.

Verify Access to the Oracle Visual Builder Application

  1. Access the Oracle Visual Builder Cloud Service instance. The URL is available in the Primary audience field in the section Configure application APIs that need to be OAuth protected on the Oracle Visual Builder Cloud Service overview page.
  2. Sign in using the credentials of the identity provider user to whom you assigned the role earlier. The home page of the Oracle Visual Builder Cloud Service application is displayed.
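The verification above is a manual sign-in. The script below is an added example, not code from the Oracle documentation or from any Oracle product, that performs the part of the check you can automate: it sends an anonymous GET to the Visual Builder URL, follows the sign-in redirects one hop at a time, and reports which identity provider the unauthenticated request lands on. If the IdP policy is associated with the application correctly, the chain should end at the external IdP rather than at the Oracle-delivered SSO. The function names, the hostname patterns in IDP_PATTERNS, and the sample URLs and redirect responses are assumptions constructed for this example; replace them with the URL from your Primary audience field.

```python
"""Trace the sign-in redirect chain of an OCI extension (for example Visual
Builder) without credentials and report which IdP the anonymous request
reaches. Added example; not part of the Oracle documentation.

Assumptions not stated on the page: the extension answers an anonymous GET
with 30x redirects that end at an IdP login page, and the IdP can be
recognised from the hostname suffixes listed in IDP_PATTERNS.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

MAX_HOPS = 10

# Hostname suffix -> label, most specific first. Assumed patterns for
# illustration; adjust to your tenancy and IdP.
IDP_PATTERNS = (
    ("login.microsoftonline.com", "Microsoft Entra ID (external IdP)"),
    ("identity.oraclecloud.com", "OCI identity domain"),
    ("oraclecloud.com", "Fusion Applications / other Oracle service"),
)

EXTERNAL_IDP = IDP_PATTERNS[0][1]


def classify_host(host):
    """Map a hostname to an IdP label using IDP_PATTERNS."""
    host = (host or "").lower()
    for suffix, label in IDP_PATTERNS:
        if host == suffix or host.endswith("." + suffix):
            return label
    return "unknown"


def http_fetch(url):
    """Single GET with redirects NOT followed; returns (status, headers)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # hand the 30x back to the caller instead of following

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=15) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def trace_login_redirects(start_url, fetch=http_fetch, max_hops=MAX_HOPS):
    """Follow Location headers hop by hop; return every URL visited."""
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        status, headers = fetch(url)
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if not (300 <= status < 400 and location):
            return chain  # terminal page (login form, app, or error)
        url = urljoin(url, location)  # relative Location headers are allowed
        chain.append(url)
    raise RuntimeError("redirect loop or more than %d hops" % max_hops)


def landing_idp(chain):
    """Label of the host the chain terminates on."""
    return classify_host(urlparse(chain[-1]).hostname)


def verify_external_idp(start_url, fetch=http_fetch, expected=EXTERNAL_IDP):
    """Return (ok, chain): ok is True when the anonymous request ends at the
    expected external IdP rather than at the Oracle-delivered SSO."""
    chain = trace_login_redirects(start_url, fetch)
    return landing_idp(chain) == expected, chain


# Constructed responses standing in for a Visual Builder instance whose
# identity domain routes the app through the external IdP. Hostnames and
# paths are placeholders, not real tenancies or product endpoints.
SAMPLE_START = "https://vb-example.builder.ocp.oraclecloud.com/ic/builder/"
SAMPLE_RESPONSES = {
    SAMPLE_START:
        (302, {"Location": "https://idcs-example.identity.oraclecloud.com/authorize?app=vb"}),
    "https://idcs-example.identity.oraclecloud.com/authorize?app=vb":
        (302, {"Location": "/fed/sso?provider=entra"}),
    "https://idcs-example.identity.oraclecloud.com/fed/sso?provider=entra":
        (303, {"Location": "https://login.microsoftonline.com/common/saml2?SAMLRequest=xyz"}),
    "https://login.microsoftonline.com/common/saml2?SAMLRequest=xyz":
        (200, {}),
}


def sample_fetch(url):
    """Offline fetcher that replays SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    # With a URL argument the real fetcher is used; otherwise the sample replay.
    if len(sys.argv) > 1:
        ok, chain = verify_external_idp(sys.argv[1])
    else:
        ok, chain = verify_external_idp(SAMPLE_START, fetch=sample_fetch)
    for hop in chain:
        print("  ->", hop, "[%s]" % classify_host(urlparse(hop).hostname))
    print("external IdP reached:", ok)
```

Run it with the Visual Builder URL as the only argument. A chain that ends at the Fusion Applications or identity domain host instead of the external IdP means the application is still picking up the default IdP policy, so recheck the Add apps step of the policy.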