Overview of Using Oracle Fusion Cloud Applications Identity Domain to Build Extensions

All Oracle Fusion Cloud Applications environments are now provisioned with the Oracle Cloud Infrastructure Identity and Access Management (IAM) identity domain.

This Fusion Applications identity domain is preintegrated with the inbuilt identity system of Fusion Applications and serves as the identity backbone for several tools of Fusion Applications, such as Oracle Visual Builder Studio. It enables federated Single Sign-On (SSO) and token-based authentication across Fusion Applications. This Fusion Applications identity domain is also available to you to deploy your extensions and integrations. Using the Fusion Applications identity domain for building extensions comes with several benefits:

  • Avoids the cost of creating additional OCI identity domains to support extensions. No additional licensing cost is incurred when you use the Fusion Applications identity domain to build extensions in Fusion Applications. Note that the Fusion Applications identity domain is provisioned with the Oracle Apps domain type. Beyond the licensing saving, using the Fusion Applications identity domain instead of creating more OCI identity domains minimizes operational and governance overhead. It also prevents identity proliferation and the risks that come with it, such as accounts and entitlements that are duplicated across domains and fall out of sync.
  • User synchronization is configured by default. All users created in Fusion Applications through the security console or through batch processes are actively synchronized to the Fusion Applications identity domain. This synchronization enables assigning Fusion Applications users to OCI-based extensions and integrations.
  • Federated SSO is configured by default with the Fusion Applications as the Identity Provider (IdP) and the Fusion Applications identity domain as the Service Provider (SP). This configuration enables single sign-on between the Fusion Applications and custom-built extensions.
  • The OAuth token-based authentication allows custom-built applications to connect with the Fusion Applications REST APIs.

Here's a visual representation of what the overall model looks like. Note that the user is synchronized from Fusion Applications to the IAM identity domain. The synchronization ensures that user identities and access privileges are managed centrally and consistently across the enterprise. This synchronization is configured by default and allows Fusion Applications users to also authenticate to Oracle Integration Cloud extensions.

Figure: Workflow of a typical configuration of a Fusion Applications environment with the IAM identity domain.

Guardrails

The Fusion Applications identity domain includes guardrails that keep certain Oracle-owned configurations from being modified. The guardrails ensure that you can use this IAM identity domain for building extensions without impacting Fusion Applications. For example, you're prevented from performing the following tasks:

  • Activate or deactivate Fusion Applications.
  • Disable or enable user synchronization.
  • Add or modify scopes of Oracle resource applications.
  • Update provisioning operations, such as authoritative synchronization, account creation, account update, account activation or deactivation, and account deletion.

Note: This list isn't comprehensive, and Oracle may expand the number of protected configurations.