Delegate User Authentication to an External ID Provider

Learn about delegating user authentication and authorization to external identity providers (IdPs) such as IAM, IDCS, and OAM.

Oracle GoldenGate supports IDCS and IAM as cloud-based identity providers and OAM as an on-premises identity provider. IAM and OAM are discussed in the following section.

An authorization profile created in Oracle GoldenGate allows integration with external identity providers (IdPs) such as IAM, IDCS, and OAM; the integration is configured in Oracle GoldenGate using Authorization Profiles. External IdPs provide user management capabilities (users, groups, and the assignment of users and groups to applications). To set up a connection between an external IdP and Oracle GoldenGate, a confidential application must be created in the IdP using OAuth2. From this confidential application, Oracle GoldenGate obtains the Client ID and Client Secret that it uses to authenticate to the IdP.

The external IdP receives its configuration, including the redirect URIs and post-logout URLs, from Oracle GoldenGate.

This allows Oracle GoldenGate user access to be managed through the external IdP instead of creating local users in Oracle GoldenGate.

A prerequisite for setting up authorization profiles is a secure deployment. The deployment can be secured using server certificates or a reverse proxy configuration.

Configure the Authorization Profile to Set Up IDCS Access Credentials

Oracle GoldenGate interoperates with external identity provider Oracle Identity Cloud Service (IDCS) for authentication and authorization of user credentials that are associated with your deployment.

After you set up the Oracle Identity Cloud Service (IDCS) user credentials in OGGCA on the Administrator Account screen, perform the following steps to set up an authorization profile for IDCS. This authorization profile allows Oracle GoldenGate to connect to the IDCS server and use it to authorize users.

To configure this type of user authentication and authorization, you need to create an authorization profile in Oracle GoldenGate.

Access the Authorization Profile

Use the following steps to set up this type of authorization profile for your deployment:
  1. Click the deployment name or the Service Manager name from the Service Manager Overview page's Deployment section.
  2. From the Deployment or Service Manager Information page, click the Authorization Profiles tab.
  3. Click the plus sign (+) next to the Profiles section to start creating an authorization profile. Enter the following details for the profile:
    • Profile Name: Name of the authorization profile.
    • Description (optional): Short summary of the profile being created.
    • Enable Profile: Activates the profile for the deployment.
    • Authorization Profile Type: IDCS
    • Tenant Discovery URI: The IdP server's OpenID discovery document endpoint (/.well-known/openid-configuration).
    • Client ID: The IdP application's client ID.
    • Client Secret: The IdP application's client secret (stored securely).
  4. In the Group Mapping section, configure the mapping from IDCS groups to Oracle GoldenGate user roles. Enter the name of each IDCS group together with the corresponding user role. These values are case-sensitive. The user roles that an IDCS group name can be mapped to are Security Role, Administrator Role, Operator Role, and User Role.
  5. Click Submit to create an authorization profile.
  6. To enable the authorization profile for your deployment, select the authorization profile that you want to enable and click the Enable Profile toggle switch.
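The two profile inputs that most often cause a silent failure are the Tenant Discovery URI (it must serve a discovery document that actually advertises the endpoints the OAuth2 flow needs) and the Group Mapping (it is case-sensitive, so a group name that differs only in case from the IdP's group claim grants no role). The following Python script is an added example, not Oracle GoldenGate code, that a practitioner could run before submitting the profile: it checks a discovery document for the assumed minimum field set (issuer, authorization, token, JWKS and end-session endpoints) and shows how a case-sensitive group-to-role mapping behaves. The discovery document, group names and role names below are constructed sample data.

```python
"""Added example (not Oracle GoldenGate code): pre-flight checks for the
Tenant Discovery URI and the Group Mapping of an IDCS authorization profile.
All sample data here is constructed; the required field set is an assumption
based on the OpenID Connect Discovery document format."""
import json
from urllib.parse import urlparse

# Oracle GoldenGate user roles listed on the page, without the "Role" suffix.
GG_ROLES = ("Security", "Administrator", "Operator", "User")

# Assumed minimum field set the OAuth2/OIDC flow and post-logout URL rely on.
REQUIRED_DISCOVERY_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "token_endpoint",
    "jwks_uri",
    "end_session_endpoint",
)

# Constructed sample of what a GET on the Tenant Discovery URI could return.
SAMPLE_DISCOVERY_DOC = json.dumps({
    "issuer": "https://idcs-example.identity.oraclecloud.com",
    "authorization_endpoint": "https://idcs-example.identity.oraclecloud.com/oauth2/v1/authorize",
    "token_endpoint": "https://idcs-example.identity.oraclecloud.com/oauth2/v1/token",
    "jwks_uri": "https://idcs-example.identity.oraclecloud.com/admin/v1/SigningCert/jwk",
    "end_session_endpoint": "https://idcs-example.identity.oraclecloud.com/oauth2/v1/userlogout",
})


def check_discovery_document(doc_text: str) -> list[str]:
    """Return the problems found in an OpenID discovery document (empty = OK).

    Flags: invalid JSON, missing required fields, endpoints that are not https
    (the page requires a secure deployment; the IdP side must match), and
    endpoints whose host differs from the issuer's host, which usually means
    a mis-copied URL or a document served for a different tenant.
    """
    try:
        doc = json.loads(doc_text)
    except json.JSONDecodeError as exc:
        return [f"discovery document is not valid JSON: {exc}"]

    problems = [f"missing field: {f}" for f in REQUIRED_DISCOVERY_FIELDS if f not in doc]
    issuer_host = urlparse(doc.get("issuer", "")).hostname
    for field in REQUIRED_DISCOVERY_FIELDS:
        url = doc.get(field)
        if not url:
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"{field} is not https: {url}")
        if issuer_host and parsed.hostname != issuer_host:
            problems.append(f"{field} host {parsed.hostname!r} differs from issuer host {issuer_host!r}")
    return problems


def validate_group_mapping(group_mapping: dict[str, str]) -> list[str]:
    """Return the mapping entries whose role is not one of the GoldenGate roles."""
    return [f"{group}: unknown role {role!r}" for group, role in group_mapping.items()
            if role not in GG_ROLES]


def map_groups_to_roles(idp_groups: list[str], group_mapping: dict[str, str]) -> list[str]:
    """Resolve the IdP group names carried in a user's token to GoldenGate roles.

    group_mapping is {IdP group name: GoldenGate role}, exactly as typed into the
    profile's Group Mapping section. The lookup is deliberately case-sensitive,
    as the page states, so "gg_admins" does not match a mapping for "GG_Admins".
    """
    roles: list[str] = []
    for group in idp_groups:
        role = group_mapping.get(group)  # exact, case-sensitive lookup
        if role is not None and role not in roles:
            roles.append(role)
    return roles


if __name__ == "__main__":
    print("discovery problems:", check_discovery_document(SAMPLE_DISCOVERY_DOC))
    mapping = {"GG_Admins": "Administrator", "GG_Operators": "Operator"}  # constructed
    print("mapping problems:", validate_group_mapping(mapping))
    # The first group differs only in case from the mapping and so grants nothing.
    print("roles:", map_groups_to_roles(["gg_admins", "GG_Operators"], mapping))
```

A user whose token carries the group `gg_admins` receives only the Operator role from the mapping above, because `GG_Admins` was what was typed into the profile; checking the exact spelling in the IdP's group claim against the profile is the first thing to verify when a mapped user unexpectedly lands in no role.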