1. Implementing Your Cloud Integrations
  2. Setting Up OCI Process Automation Integration

Setting Up OCI Process Automation Integration

This topic describes how to set up the integration between Oracle Permitting and Licensing and Oracle Cloud Infrastructure Automation Integration.

Before you begin your Oracle Permitting and Licensing implementation, you need to configure the connection between OCI Process Automation and Oracle Permitting and Licensing. OCI Process Automation provides the capability to design and process:

  • Workflow for your transactions.

  • Decision models for calculating fees.

These steps should be done within the Initial Set Up functional category for your offering in the Functional Setup Manager. The process involves setting up the users, groups (roles), and authentication in Oracle Identification Cloud Service (IDCS) required for OCI Process Automation and the Permitting and Licensing system to interact.

Note:

You need to complete these tasks on each pod (test, development, production, and so on) for each pairing of Oracle Identity Cloud Service and Oracle Cloud Infrastructure Process Automation.

Create a Trusted User on IDCS

  1. Sign in to the Identity Cloud Service console.

  2. Select Identity > Domains and select your domain.

  3. Select Users.

  4. Click Create User.

  5. On the Create user page, add these values:
    1. First name: PSCR
    2. Last name: PROXY_USER
    3. Use the email address as the username: Deselect
    4. Username: PSCR_PROXY­_USER
    5. Email: no-reply@oracle.com
    Note:

    The First Name, Last Name, and Email values can be any value. The Username value must be PSCR_PROXY_USER.

  6. Click Create.

Create the PSCR Submitter Group

  1. Sign in to the Identity Cloud Service console.

  2. Select Identity > Domains and select your domain.

  3. Select Groups.

  4. Click Create Group.

  5. On the Create group page, add these values:

    1. Name: PSCR Submitter Group

    2. Users grid: select the trusted user you just created.

  6. Click Create.

Set Up Cloud Service Application Roles

  1. In Functional Setup Manager, complete the Run User and Roles Synchronization Process task in the Initial Setup Functional area.

  2. In IDCS import users into the identity domain.

  3. Sign in to the Identity Cloud Service console.

  4. Select Identity > Domains and select your domain.

  5. Select Oracle Cloud Services.

  6. Open the IDCS app named Process Automation Service.

  7. Select Application roles under Resources on the left.

  8. Expand the ServiceAdministrator role and click Manage for Assigned groups.

  9. On the Manage group assignments page, click the plus sign in the Show available groups link beneath the Assigned groups grid to expose the Available groups grid.

  10. In the Available groups grid, search for and select the following groups individually, and click Assign.

    1. PSCR Submitter Group

    2. PSC System Administrator

    3. PSC Business Analyst

    4. PSC Custom Manage All Workflow Tasks

    5. PSC Custom Administer Workflow

  11. Click Close.

  12. In the Application roles list, expand the ServiceBusinessUser role and click Manage for Assigned groups.

  13. On the Manage group assignments page, search for and select the PSC Agency Staff group and click Assign.

Confirm OCI Process Automation Authentication

  1. Access the OCI Process Automation designer URL.

    It will look similar to:

    https://opa-xxx-xxx-xxxxxxx.process.oci.oraclecloud.com/process/designer

    It is recommended to create a bookmark for easy access.

    You can get the base URL by accessing the Primary Audience URL, as displayed in the IDCS App for the Process Automation Service.

    Assuming you are still on the Manage group assignments page from the previous step, you can also access this URL by clicking OAuth configuration under Resources on the left. In the Configure application APIs that need to be OAuth protected, locate the Primary audience URL.

    Note:

    Keep the Primary audience URL available as you'll need it in the next task..

  2. Enter your user ID and password and confirm you can sign in.

    Use a Fusion Application user ID assigned at least to the PSC System Administrator role.

Create OAuth Credentials

  1. Sign in directly to the individual identity domain.

    By viewing the My Profile menu, you can see if you are signed into a specific domain or through the (default) domain.

    If you are logged into the default domain, you an get the URL for an individual identity domain, by selecting Identity > Domains. In the domains grid select the domain you are currently configuring. On the Over view page for that domain click Copy for the Domain URL field.

    Open a new browser window and copy that URL into the search bar, adding /ui/vi/adminconsole to the URL.

  2. Open your REST client application, such as Postman, Curl, or similar.

  3. Add the Domain URL value to the Identity Cloud Service console and select the POST action.

    Add /admin/v1/Apps to your base Domain URL.

    The URL will look similar to:

    https://idcs-abc123xxxxxxxxxx.identity.oraclecloud.com/admin/v1/Apps

  4. In the body, copy and paste the following JSON, updating the name and the redirectUris attributes.

    The user assigned to name should be created in Permitting and Licensing with sufficient privileges to call Oracle Permitting and Licensing from OCI Process Automation through REST APIs. This isn't the user created previously in the step where you created a trusted user on IDCS. This user will be added to your workflow process connectors.

    The redirectUris URL should use the URL displayed as the Primary audience URL for your domain to which you add /icsapis/agent/oauth/callback.

    {
     "schemas": [
          "urn:ietf:params:scim:schemas:oracle:idcs:App"
        ],
     "displayName": "OPA App for PSCR OAuth Inbound",
     "isOAuthClient" : true,
     "description": "OPA App for PSCR OAuth Inbound",
     "active": true,
     "clientType": "confidential",
     "name": "xxxxx", 
     "basedOnTemplate": {
          "value": "CustomWebAppTemplateId"
     },
     "redirectUris": [
          "<OCI Process Automation Base URL>/icsapis/agent/oauth/callback"
        ],
     "logoutUri": "",
     "postLogoutRedirectUris": [""],
     "allUrlSchemesAllowed": true,
     "allowedGrants": [
          "client_credentials",
          "password",
          "urn:ietf:params:oauth:grant-type:jwt-bearer",
          "authorization_code",
          "refresh_token"
      ]
}

  5. Retrieve and copy your OAuth token.

    1. In Oracle Identity Service console, select the Profile menu in the upper right of the header.

    2. Select My profile.

    3. Under Resources, click My access tokens.

    4. Under My access tokens, click the Select app role field.

    5. Select Identity Domain Administrator.

    6. Consider the Token expires in mins field. You may want to set this to a higher value than the default to provide additional time. Keep in mind that if you need to retry this operation for any reason, your token may have expired, so you'd need to recreate the token.

    7. Click Download token.

    8. Open the downloaded token in a text editor, such as Notepad.

    9. Copy the contents of the token file.

  6. Return to your REST client, click the Authorization tab, select Bearer Token for the Type field, and copy the token file contents into the Token field.

  7. Click Send.

  8. Return to the Oracle Identity Service console and open your domain.

    In the navigation breadcrumbs at the top left, click Identity, then click Domains under Identity on the left, click on your domain in the Domains in... grid.

  9. Under Identity domain, select Integrated applications.

  10. On the Integrated applications page, select OPA App for PSCR OAuth Inbound.

  11. Under OAuth configuration, click Edit OAuth configuration.

  12. On the Edit OAuth configuration page:

    1. Select Add resources.

    2. Under Resources click Add scope.

    3. On the Add scope page, select Oracle Applications Cloud (Fusion).

    4. Expand the Oracle Applications Cloud (Fusion) row, and select the scope that appears.

      Note:

      The string reflects that your Fusion Application instance is a consumer of all Fusion Application resources.

    5. Click Add and Save changes.

Set OAuth Credentials in OCI Process Automation

  1. Return to OCI Process Automation designer.

    For example:

    https://opa-xxx-xxx-xxxxxxx.process.oci.oraclecloud.com/process/designer

  2. Select the Workspace node in the left navigation column.

  3. In the Workspace, select Credentials.

  4. In the upper right click Create global credentials, and select OAuth credentials.

  5. On the Add new OAuth credential page, add these values:

    1. Credential Name: OPAL_OPA_GLOBAL_OAUTH

    2. Target URL: Add the Fusion Application base URL for the current pod, such as https//fa-xxxx-xx-xx.fa.xx.oraclecloud.com. This is the base URL when signing on to Oracle Permitting and Licensing.

    3. Client Id: Add the name you added to the JSON in a previous step when creating the OAuth credentials.

    4. Client Secret: Return to your OAuth configuration in the Oracle Identity Service console for the current domain, and under General Information, click Show secret.

      From the Client secret pop-up window, copy the secret, and paste it into the Client Secret field.

    5. Scope: Return to your OAuth configuration in the Oracle Identity Service console for the current domain, and under Token issuance policy, select and copy the Scope value for the Oracle Applications Cloud (Fusion) resource. Paste it into the Scope field.

    6. OAuth Token URL: Select Local Identity Domain.

    7. Description: Add a description, such as, Global OAuth credentials for callbacks to <your Permitting and Licensing pod>.

    8. Click Submit.