Identity Cloud Service Provider
Overview
The Oracle Network Management System Operations Mobile App supports login using the Oracle Identity Cloud Service (IDCS). IDCS requires the same configuration as the LDAP/AD user validation in the CentricityServer.properties file described in the Using LDAP/AD User Validation section.
Identity Cloud Service – Setup
You will need to define two Applications in the Identity Cloud Service:
1. OMA Authentication Application
Define an Application for the OMA client to authenticate against.
Allowed Grant Types should include Authorization Code and Implicit.
Allow Non-HTTPS URLs checked (needed only because the example redirect URL below is plain HTTP; with a plain-HTTP redirect the login result, including the code or token, is carried across the network in cleartext, so prefer an HTTPS redirect URL where you control the host).
Redirect URL: a URL that serves the IDCS login script OMA requires. IDCS redirects the browser to this URL with the login result in the query string, and the script reports whether the login succeeded and returns the login token to the OMA application (for example, http://frisvold.us/oracle/messagecode).
This application will be used to configure the OMA Client in the src\js\resources\config\loginSettings.js file:
self.IDCS_HOST = 'https://idcstrial09.identity.oraclecloud.com';
self.IDCS_REDIRECT_URL = 'http://frisvold.us/oracle/messagecode';
self.IDCS_CLIENT_ID = '1a11a11a11111a11aa1a11a1a1111a1a';
2. NMS Authentication Application
Define an Application for the NMS WebLogic Server (WLS) to use when validating credentials through the IDCS Integration Provider. This Application has both a Client ID and a Client Secret; the secret is later entered into the WebLogic provider configuration, so handle it as a credential.
Client Configuration: Register Client checked
Allowed Grant Types: Resource Owner, Client Credentials, SAML2 Assertion, Refresh Token, Authorization Code, Implicit
Allow Non-HTTPS URLs checked
Redirect URL: an existing URL (for example, https://google.com)
Client Type: Confidential
Authorized Resources: Specific
Resources/Add Scope: NMSWLS/OMATest
Grant the Client Access to the Identity Cloud Service APIs (Cloud Gate, Application Administrator, Me, User Administrator).
Under Resources:
• Registered Resources selected
• Access Token Expiration set to 604800 (seconds, that is, 7 days)
• Primary Audience set to the OMA Application Name
3. Define Users and Groups
Users and Groups can be defined in IDCS directly or by configuring IDCS to connect to another authentication provider to get the user credentials and group membership. If using IDCS to define the users and groups, define the users and groups using the same group requirements as configured for the LDAP/AD in the CentricityServer.properties file.
4. Admin Session Duration
In the IDCS admin console, go to Settings/Session/Session Settings/Session Duration and set it to 604800
URL with IDCS Login Script
For OMA to receive the IDCS login status and authorization token, you must provide a URL that IDCS redirects to at the end of the login process, with the login status and token carried as query parameters. This URL serves a short script that reads those parameters and messages them back to OMA. An example of this can be found at:
http://frisvold.us/oracle/messagecode
and contains a one-page HTML document that looks like this (note that the script posts the message with the wildcard target origin "*", so whatever window opened the page receives the parameters):
<html>
<head>
<title>Untitled</title>
</head>
<body>
<h2>postMessage of Code</h2>
<script>
  // Everything after "?" in the redirect URL is the IDCS login result
  // (status and code/token). This also writes it to the browser console.
  var params = window.location.search.substring(1);
  console.log(params);
  // Relay the raw query string to the window that opened this page.
  // The target origin "*" lets any opener receive it; restrict it to the
  // OMA client's origin if that origin is known.
  if (window.opener) window.opener.postMessage(params, "*");
  else window.postMessage(params, "*");
</script>
</body>
</html>
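The relay page above posts the raw query string to any origin. The following is an added example, not code from the Oracle NMS page or the OMA project, showing the same relay with the target origin named explicitly, the query string parsed into fields, and the matching receiver the OMA client window would register with an origin check. The origins https://oma.example.com and https://relay.example.com are placeholders assumed for the example.

```javascript
// Added example (not the page's or OMA's own code): an origin-checked version
// of the IDCS relay page logic plus the receiver side. Assumed placeholders:
// the OMA client runs at https://oma.example.com and the relay page is served
// from https://relay.example.com.

// Parse the query string IDCS appends to the redirect URL into a plain object.
// Accepts the string with or without the leading "?".
function parseAuthResponse(search) {
  const qs = search.startsWith("?") ? search.slice(1) : search;
  const out = {};
  for (const [key, value] of new URLSearchParams(qs)) out[key] = value;
  return out;
}

// Relay the parsed response to the opener. Unlike postMessage(..., "*"), this
// names the target origin, so the browser delivers the message only if the
// opener's document is currently at that origin and drops it otherwise.
// Returns the message object, or null when there is no opener to post to.
function relayAuthResponse(win, search, targetOrigin) {
  if (!win.opener) return null;
  const msg = { type: "idcs-auth", params: parseAuthResponse(search) };
  win.opener.postMessage(msg, targetOrigin);
  return msg;
}

// Build the "message" event handler for the OMA client window. It ignores
// messages that do not come from the relay page's origin or that are not the
// relay's message type, and returns whether the message was accepted.
function makeAuthMessageHandler(relayOrigin, onResult) {
  return function (event) {
    if (event.origin !== relayOrigin) return false;
    if (!event.data || event.data.type !== "idcs-auth") return false;
    onResult(event.data.params);
    return true;
  };
}

// Usage in the relay page (the browser supplies window):
//   relayAuthResponse(window, window.location.search, "https://oma.example.com");
// Usage in the OMA client window:
//   window.addEventListener("message",
//     makeAuthMessageHandler("https://relay.example.com", p => { /* use p.code */ }));
```

The receiver check on `event.origin` is what stops another page in the user's browser from injecting a forged login result; the explicit target origin in the relay is what stops the real result from being delivered to a page that is not the OMA client.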
NMS WebLogic Managed Server – IDCS Integration Provider
In the NMS WebLogic Managed Server, the Oracle Identity Cloud Integrator Authentication Provider will need to be added to your security realm:
1. Go to domain structures/Security Realms and select myrealm.
2. Select the Providers Tab
3. Click the New button and give a name (for example, IDCS) and select Type OracleIdentityCloudIntegrator.
4. Set the Control Flag to OPTIONAL or SUFFICIENT. With SUFFICIENT, a successful authentication by this provider ends the login and later providers are skipped; with OPTIONAL, the remaining providers in the realm are still processed.
5. Under Active Types, move idcs_user_assertion, Idcs_user_assertion, and Authorization to the Chosen box; REMOTE_USER can stay in the Available box.
6. Set the Provider Specific values as follows:
Host: identity.oraclecloud.com (the IDCS server name https://idcstrial09.identity.oraclecloud.com without its leftmost label; that label is the tenant name used below)
Port: 443
SSLEnabled: Checked
Tenant: the leftmost label of the IDCS server name (idcstrial09 for https://idcstrial09.identity.oraclecloud.com)
Client Id: the hexadecimal Client ID from the General Information section of the NMS Authentication Application configuration in IDCS (the second Application defined above)
Client Secret: the Client Secret copied from the same section
Confirm Client Secret: same as Client Secret
Client Tenant: leave blank
All other values can remain at their defaults.
7. Go to the Domain Structure/Security Realms and in the list of Realms, select myrealm.
8. Click the Roles and Policies tab on the screen that appears
9. Click the Realm Policies tab on this window and expand the Domain node to expose the name of the domain being used.
10. Expand this node to show the Domain policies available. One of the available policies is labeled Identity Assertion which has a radio button in front of it
11. Select this radio button and click the Create Policy button which should now be active
12. Click the Add Conditions button on the page that appears, and select Allow Access to Everyone from the predicate list
13. Save the changes.
14. Go to the Domain Structure/Environment/Servers. Select your managed server in the list of servers. Go to the Configuration tab and the Start Server sub-tab. Add this to the Arguments box:
-Dweblogic.security.SSL.hostnameVerifier=weblogic.security.utils.SSLWLSWildcardHostnameVerifier
This selects a hostname verifier that accepts wildcard certificates, which the IDCS endpoint presents; it still checks the hostname against the certificate, so do not replace it with a setting that disables hostname verification.
15. Save the changes.
16. Restart the admin and the NMS WebLogic Managed Servers.
Configure the OMA Client
The OMA Application needs to know the IDCS configuration. Set the following values in src\js\resources\config\loginSettings.js to match the IDCS configuration above:
self.IDCS_HOST = 'https://idcstrial09.identity.oraclecloud.com';
self.IDCS_REDIRECT_URL = 'http://frisvold.us/oracle/messagecode';
self.IDCS_CLIENT_ID = '1a11a11a11111a11aa1a11a1a1111a1a';