Authentication and IDCS or OCI IAM
As of version 21.0.000, Merchandising Cloud Service Suite uses either Oracle Identity Cloud Service (IDCS) or Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) as its identity provider (IDP):
- Oracle Identity Cloud Service (IDCS): https://www.oracle.com/cloud/paas/identity-cloud-service.html
- Oracle Cloud Infrastructure Identity and Access Management (OCI IAM): https://docs.oracle.com/en-us/iaas/Content/Identity/home.htm
When a user connects to the Merchandising Cloud Service UI, Merchandising Cloud Service Suite redirects the application URL request to the IDCS or OCI IAM login screen, where IDCS or OCI IAM authenticates the user. When a user logs out of Merchandising Cloud Service, Merchandising invokes an IDCS or OCI IAM logout so that the session is no longer authenticated.
IDCS and OCI IAM
IDCS and OCI IAM are Oracle's cloud-native security and identity platforms. They provide a powerful set of hybrid identity features to maintain a single identity for each user across cloud, mobile, and on-premises applications. Both IDCS and OCI IAM enable single sign-on (SSO) across all applications in a customer's Oracle Cloud tenancy. Customers can also integrate IDCS or OCI IAM with other on-premises applications to extend the scope of this SSO.
Both IDCS and OCI IAM are available in two tiers: Foundation and Standard.
- Oracle Identity Cloud Service Foundation: Oracle provisions this free version of Oracle Identity Cloud Service for customers that subscribe to Oracle Software-as-a-Service (SaaS), Oracle Platform-as-a-Service (PaaS), and Infrastructure-as-a-Service (IaaS) applications. A customer can use this version to provide basic identity management functionalities, including user management, group management, password management, and basic reporting.
- Oracle Identity Cloud Service Standard: This licensed edition provides customers with an additional set of Oracle Identity Cloud Service features to integrate with other Oracle Cloud services, including Oracle Cloud SaaS and PaaS, custom applications hosted on-premises, on Oracle Cloud, or on a third-party cloud, as well as third-party SaaS applications. Features listed in this pricing tier are applicable for both Enterprise users and Consumer users.
Details of the specific features available in each tier, and of the IDCS or OCI IAM Standard Tier licensing model, are available in Administering Oracle Identity Cloud Service. Merchandising Cloud Service Suite requires only the Foundation Tier, because the Foundation Tier includes the key features it depends on: User and Group Management, Self-Service Profile Management and Password Reset, and SSO. However, Oracle Retail customers may wish to consider licensing the Standard Tier of IDCS or OCI IAM to also have access to more advanced identity features, including Identity Synchronization with Microsoft Active Directory, SSO for Third Party Cloud Services and Custom Applications, Multi-Factor Authentication, and generic SCIM Templates.
IDCS, OCI IAM, and Oracle Retail Enterprise Roles
When any Oracle Retail cloud service is provisioned, Oracle Retail's Enterprise Roles are seeded into the customer's IDCS or OCI IAM instance as Roles. It is expected that customers will also have other roles defined for other cloud services that use this IDCS or OCI IAM instance.
IDCS, OCI IAM, and Application Users
Upon provisioning a new cloud service instance, Oracle Retail creates a single delegate customer administrator user.
The customer administrator user has the ability to define password complexity and rotation rules. All application user maintenance is performed by customer administrators via IDCS or OCI IAM. A key feature of IDCS or OCI IAM is that basic user maintenance can be further delegated via identity self-service.
When application users are created in IDCS or OCI IAM, they must be associated with an appropriate Oracle Retail Enterprise Role to access Merchandising Cloud Service Suite. For more detailed information and procedures, see Managing Oracle Identity Cloud Service Users in Administering Oracle Identity Cloud Service.
Note:
The IDCS or OCI IAM username is passed to Merchandising as the application user ID and is persisted in the database as part of the basic Merchandising transaction audit trail. If the corporate email address is used as the IDCS or OCI IAM username, the corporate email address is persisted to the Merchandising database. To fully inform Merchandising users that their corporate email address will be saved, we recommend that retailers implement the IDCS or OCI IAM Terms of Use functionality. The IDCS or OCI IAM Terms of Use feature enables retailers to set the terms and conditions for users to access an application, based on the user's consent. This feature allows the identity domain administrator to set relevant disclaimers for legal or compliance requirements and enforce the terms by refusing the service. The Terms of Use feature can be used to explicitly obtain user consent to persist the corporate email address for Merchandising auditing. See Administering Oracle Identity Cloud Service for more information about Terms of Use.
https://docs.oracle.com/en/cloud/paas/identity-cloud/uaids/understand-terms-use.html
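Two practical consequences of the sections above are that an application user only reaches Merchandising when an Oracle Retail Enterprise Role is assigned to them, and that whatever is used as the IDCS or OCI IAM username (often the corporate email address) ends up in the Merchandising audit trail. The following is an added access-review script, not code from Oracle or from this guide. It assumes a user export in the SCIM 2.0 user-resource shape that IDCS and OCI IAM use (`userName`, `active`, `groups[].display`), assumes that the seeded retail roles can be recognised by a name prefix (`RETAIL_` here is a constructed placeholder, not an actual Oracle Retail role name), and the sample users are constructed:

```python
import json
import re

# Constructed sample export. The attribute shape follows SCIM 2.0 user
# resources as IDCS / OCI IAM expose them; the group display names are
# constructed placeholders standing in for seeded Oracle Retail Enterprise
# Roles and for a role belonging to some other cloud service in the tenancy.
SAMPLE_USERS_JSON = """
[
  {"userName": "jdoe@example.com", "active": true,
   "groups": [{"display": "RETAIL_SAMPLE_BUYER_ROLE"}]},
  {"userName": "asmith", "active": true,
   "groups": [{"display": "OTHER_CLOUD_SERVICE_ROLE"}]},
  {"userName": "contractor@example.com", "active": false,
   "groups": []}
]
"""

# Assumption: the retail roles seeded into the identity domain share a
# recognisable prefix. Adjust to the role names actually seeded in your tenancy.
RETAIL_ROLE_PREFIX = "RETAIL_"

# Conservative check for "this username is an email address", which is what
# decides whether a corporate email lands in the Merchandising audit trail.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def has_retail_role(user):
    """True if any of the user's group memberships is a retail enterprise role."""
    return any(
        g.get("display", "").startswith(RETAIL_ROLE_PREFIX)
        for g in user.get("groups", [])
    )


def audit_users(users_json):
    """Classify exported users for a periodic access review.

    Returns a dict with three lists of usernames:
      retail_access     - active users who can reach Merchandising
      no_retail_access  - active users with no retail role (cannot reach it)
      email_as_username - users whose username is an email address, i.e.
                          whose email will be persisted in the audit trail
    """
    users = json.loads(users_json)
    findings = {"retail_access": [], "no_retail_access": [], "email_as_username": []}
    for u in users:
        name = u["userName"]
        if u.get("active", False):
            bucket = "retail_access" if has_retail_role(u) else "no_retail_access"
            findings[bucket].append(name)
        if EMAIL_RE.match(name):
            findings["email_as_username"].append(name)
    return findings


if __name__ == "__main__":
    for category, names in audit_users(SAMPLE_USERS_JSON).items():
        print(f"{category}: {names}")
```

The `retail_access` list is the one to walk through in an access review, since those are the identities that can actually sign in to Merchandising; `email_as_username` tells you which users should have accepted the Terms of Use described in the note above before their email address is written to the audit trail. Deactivated users are deliberately left out of the access buckets because IDCS or OCI IAM will not authenticate them regardless of role membership.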