Note:
- This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Enable Sign-In Automation Without Screen Scraping After Migration to OCI IAM Identity Domains
Introduction
Oracle merged the capabilities of Oracle Identity Cloud Service into the native Oracle Cloud Infrastructure Identity and Access Management (OCI IAM) service. This enables Oracle Cloud customers with a rich, enterprise-class set of Identity and Access Management (IAM) features for use with OCI, Oracle Cloud applications, and third-party applications.
With this change, customers who have integrated their privileged access management (PAM) solutions with OCI IAM, who use UI automation to log in to OCI with local accounts or with external identity providers (IdPs), or who screen-scrape any other OCI IAM screen, might find their automation scripts failing or returning incorrect results because of the screen changes.
What is screen scraping?
A technique for performing end-user interactions in a website through a software tool, in an automated way. All interactions in the UI, such as entering data in a form, clicking buttons, and navigating, are performed by the tool.
Remove UI automation approaches based on screen scraping
We recommend eliminating screen scraping of any OCI IAM screen. OCI IAM is built API-first, and you can use the APIs to implement any task that you do from the console. SDKs, the CLI, REST APIs, and Terraform are available. Identify which operations you perform by screen scraping and find the equivalent using the APIs, SDK, CLI, or Terraform. We are adding more APIs to the Terraform, SDK, and CLI collections. If you do not see an operation available in the SDK, CLI, or Terraform, use the identity domain REST APIs. Documentation links for quick access:
- OCI IAM identity domain: all REST endpoints
Note: If you are using Oracle Identity Cloud Service, these APIs are available there as well, and any integration built on them will work as is after migration to identity domains. Therefore, plan to identify each screen-scraping operation and use the equivalent API instead, so that migration to identity domains has no impact on you.
Objective
In this tutorial, we describe typical scenarios in which screen scraping of OCI IAM UI pages is used and provide solutions to remove it.
Scenario 1: Log in to External Identity Provider (IdP) like Azure, Okta and OCI IAM.
This scenario applies to customers who have federated OCI IAM with external IdPs and have automated the OCI IAM IdP picker shown in the screenshot below. Here the customer's automation tool selects the IdP from the list and then clicks Continue to navigate to the IdP login page. Customers can stop screen scraping this page by changing their tool to navigate directly to the external IdP, skipping this page altogether.
Solution
- In OCI IAM, you can go directly to the configured IdP using a query parameter. This removes any dependency on the OCI IAM login UI, today and in the future. The direct URL to navigate to an external IdP is:
  https://cloud.oracle.com/?tenant=<tenant_name>&provider=<provider_id>
  where:
  - <tenant_name>: name of the tenant.
  - <provider_id>: name of the external IdP, as it appears in the login page drop-down.
For example, for the above screenshot, the direct URLs for the IdPs are:
- Okta: https://cloud.oracle.com/?tenant=iaamdemo&provider=oktaidp
- Azure: https://cloud.oracle.com/?tenant=iaamdemo&provider=azure-ad
- If you make the above changes in your environment, your existing solution will keep working after migration, because you are no longer dependent on the OCI IAM UI either before or after migration.
- After migration, you will also have the option to move your existing federation to the identity domain and still skip the OCI IAM login UI, by going directly to the domain and defining an IdP policy that has just one IdP attached to it.
Scenario 2: Change User password use case
This scenario applies to customers who use UI automation to change a user's password from the profile menu. Typically, customers who use PAM have a requirement to periodically change and verify OCI IAM local user passwords: the passwords are managed by the PAM tool, and end users check their password out of the tool to log in and check it back in afterwards.
There are APIs to reset the console password in OCI IAM, but they create a temporary password that must be entered again in the UI to set the end user's password. Customers therefore screen-scrape the password change UI, where they can reset the password to a known value so that end users can check the password in and out of the third-party tool.
Solution
With identity domains, you can avoid UI automation for password changes and instead use the identity domain REST API to change the password to a known value and to verify the existing password from the PAM tool. The REST API documentation links follow for quick access.
Note: This change must be made after migration, when OCI IAM local users have been migrated to the default identity domain.
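As an added example (not code from this tutorial or from Oracle), here is a PAM-side helper that rotates an identity domain user's password to a known value over the domain REST API instead of driving the profile-menu UI. The endpoint path, SCIM schema URN, content type, and the `domain_url`, `user_id` and `access_token` inputs are assumptions taken from the identity domain REST API reference, not values quoted on this page.

```python
"""Rotate an OCI IAM identity domain user's password via REST (added example)."""
import json
import urllib.error
import urllib.request
from urllib.parse import quote

# Assumed from the identity domain REST API reference, not from this tutorial.
CHANGER_SCHEMA = "urn:ietf:params:scim:schemas:oracle:idcs:UserPasswordChanger"


def build_change_password_request(domain_url, user_id, new_password, access_token):
    """Return (method, url, headers, body_bytes) for PUT /admin/v1/UserPasswordChanger/{id}.

    domain_url:   identity domain base URL (assumed shape: https://idcs-<guid>.identity.oraclecloud.com)
    user_id:      SCIM id (GUID) of the user, not the user name
    access_token: OAuth 2.0 bearer token for a client granted user-management rights
    """
    if not new_password:
        raise ValueError("refusing to set an empty password")
    url = f"{domain_url.rstrip('/')}/admin/v1/UserPasswordChanger/{quote(user_id, safe='')}"
    body = {"schemas": [CHANGER_SCHEMA], "password": new_password}
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/scim+json",
        "Accept": "application/scim+json",
    }
    return "PUT", url, headers, json.dumps(body).encode()


def interpret_response(status, body_bytes):
    """Map the HTTP result to a PAM-friendly outcome; never echoes the password."""
    if status == 200:
        return {"ok": True, "reason": "password changed"}
    try:
        detail = json.loads(body_bytes or b"{}").get("detail", "")
    except ValueError:
        detail = ""
    # A 400 with a SCIM error body usually means the domain password policy rejected
    # the value; 401/403 mean the client token lacks the user-management grant.
    return {"ok": False, "status": status, "reason": detail or "request rejected"}


def change_password(domain_url, user_id, new_password, access_token):
    """Send the request built above; this is the only function that touches the network."""
    method, url, headers, data = build_change_password_request(
        domain_url, user_id, new_password, access_token)
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return interpret_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return interpret_response(err.code, err.read())
```

After a successful rotation the PAM tool stores the new value as the checked-in credential; a rejected request should be logged with its `reason` and retried with a value that satisfies the domain's password policy.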
Scenario 3: Use UI automation for OCI IAM Federated login page
This scenario applies to customers who screen-scrape the out-of-the-box Oracle Identity Cloud Service login page shown in the following screenshot. We recommend finding out which operations you perform in the OCI console and using APIs instead. However, if you still want to screen-scrape the Oracle Identity Cloud Service login page, it uses the following elements for username, password, and the submit button.
- Element name for username: idcs-signin-basic-signin-form-username
- Element name for password: idcs-signin-basic-signin-form-password|input
- Element name for submit: idcs-signin-basic-signin-form-submit
Once your tenancy is migrated to an identity domain, the identity domain login page replaces the Oracle Identity Cloud Service login page and uses the same elements. Therefore, if your automation tool relies only on the UI elements listed above, your existing solution should work as is after migration. The Oracle Identity Cloud Service URL remains the same after migration. If you use any other elements of the existing login page, we recommend reviewing your solution against the new identity domain login page elements.
Scenario 4: Use UI automation for OCI IAM local login page
This scenario applies to customers who screen-scrape the OCI IAM login page shown in the following screenshot. We recommend finding out which operations you perform in the OCI console and using APIs instead. However, if you still want to screen-scrape it, the OCI IAM login page uses the following UI elements.
- Element name for username: username
- Element name for password: password
- Element name for submit: submit-native
- Element name to toggle: native-toggle-trigger
Once your tenancy is migrated to an identity domain, the domain login page replaces the OCI IAM local login page and uses different elements. Therefore, your existing solution will break, and your tools need to look up the following elements instead.
- Element name for username: username, replace with idcs-signin-basic-signin-form-username
- Element name for password: password, replace with idcs-signin-basic-signin-form-password|input
- Element name for submit: submit-native, replace with idcs-signin-basic-signin-form-submit
- Element name to toggle: native-toggle-trigger, no replacement; there is no toggle button in the new login page.
Scenario 5: Navigate directly to the domain login page
Once you have migrated to an OCI IAM identity domain, a new page is added, shown in the following screenshot, that lets you pick the domain. Here too, you do not have to screen-scrape the domain picker page; instead, you can go directly to the domain sign-in page using this URL:
https://cloud.oracle.com/?tenant=<tenant_name>&domain=<domain_name>
where:
- <tenant_name>: name of the tenant.
- <domain_name>: name of the domain.
If you are using any other elements of the OCI IAM login page, we recommend reviewing your solution against the new identity domain login page elements.
Related links
Acknowledgments
- Authors: Matt Flynn, Sunil Joshi (OCI IAM)
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
F88985-01
November 2023
Copyright © 2023, Oracle and/or its affiliates.