This architecture shows how a REST or SOAP web service call from Oracle Fusion Applications Cloud Service can be securely passed to an API running on a federated Oracle PaaS instance.
When your Oracle Fusion Applications Cloud Service is federated with Oracle Identity Cloud Service, you can, with some configuration, secure a web services call by using OWSM OAuth policies.
This architecture supports the following components:
- One Oracle Fusion Applications Cloud Service instance
- One Oracle Cloud account, consisting of an Oracle Identity Cloud Service and one or more Oracle PaaS services
Your Oracle Fusion Applications Cloud Service needs to be federated with Oracle Identity Cloud Service, with OAuth trust and user and role synchronization configured. Either Oracle Fusion Applications Cloud Service or Oracle Identity Cloud Service can be configured as the identity provider (IDP), with the other component acting as a service provider (SP).
Considerations for Configuring the Web Service Integration
You will need to consider the following important requirements and options, in order to decide whether and how to set up your services for web services calls.
This solution requires that your Oracle Fusion Applications Cloud Service instance is already federated with an Oracle Identity Cloud Service instance in an Oracle Cloud account.
Some Oracle PaaS services expose web services, which you can access using the configuration described in this solution. Or, you could develop and deploy your own custom REST or SOAP web service running on an Oracle PaaS service such as Oracle Java Cloud Service.
When developing and deploying your own RESTful web service on Oracle Java Cloud Service, keep these restrictions in mind:
- In Oracle Fusion Applications Cloud Service, Application Composer consumes only JSON or XML media type responses, so use a JSON or XML media type, such as application/xml, in your REST service.
- Deploy your application to Oracle Java Cloud Service using an unprotected app for root context. That is, do not prefix the root context with the
Similarly, when developing and deploying your own SOAP web service on Oracle Java Cloud Service, keep the WSDL unprotected.
As part of the configuration for accessing web services on your Oracle PaaS service, you will need to create a new trusted client app in your Oracle Identity Cloud Service, as described in this solution. When deployed in your Oracle Cloud account, PaaS services like Oracle Java Cloud Service are already configured with Oracle Identity Cloud Service, including an application in Oracle Identity Cloud Service for OAuth trust and scope. That app has a client and resource, but the client is for Oracle Java Cloud Service only, so it can't be used by Oracle Fusion Applications Cloud Service.
Consequently, you need a new OAuth client application for Oracle Fusion Applications Cloud Service, with the scope set to the Oracle PaaS service's web service endpoints. This will be a client-only app, and it is where you select the scopes.
Oracle Fusion Applications Cloud Service now provides a Switch Identity feature in Application Composer, which allows you to switch the precedence of user IDs used when requesting a token from Oracle Identity Cloud Service. That is, you can configure your web service call to use either the logged-in user's ID or a different user ID specified in the credential key. In Application Composer:
- Subject Precedence check box: When checked, the logged-in user's ID is used to create the JWT token. When not checked, the user ID specified in the Credential Key is used to create the JWT token. If no value is set for Credential Key, then the Client Credential Key is used.
- Credential Key: Specifies a name for the secret key that is used to access the web service. This key is used when Subject Precedence is not checked. The key name, along with the username and password, is stored in the credential store.
You should consider whether you want to use a single user ID for all web service calls from a given page, or if you want to use the logged-in user's ID. This in turn affects which users you will need to synchronize with your Oracle PaaS identity management. The user ID used to request a token needs to exist, and have appropriate privileges, on the Oracle Identity Cloud Service instance.
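To make the precedence rules above concrete, here is a small Python model, added here and not part of the Oracle documentation. It resolves which user ID a token request would carry for a given Subject Precedence and Credential Key setting, then checks that the resolved user is synchronized to Oracle Identity Cloud Service and privileged for the PaaS scope. All user names, key names and the shape of the credential store are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass
class WebServiceConnection:
    """Application Composer settings for one web service connection."""
    subject_precedence: bool                 # the check box described above
    credential_key: Optional[str] = None     # name of a key in the credential store
    client_credential_key: str = "CLIENT_CREDENTIAL_KEY"  # constructed fallback key name

@dataclass
class Environment:
    """Constructed view of the credential store and the synchronized IDCS users."""
    credential_store: Dict[str, str]  # credential key name -> username it holds
    idcs_users: Set[str]              # user IDs that exist in Oracle Identity Cloud Service
    idcs_privileged: Set[str]         # subset allowed to use the PaaS web service scope

def resolve_subject(conn: WebServiceConnection, env: Environment, logged_in_user: str) -> str:
    """Return the user ID that the JWT token request would be made for."""
    if conn.subject_precedence:
        return logged_in_user
    key = conn.credential_key or conn.client_credential_key
    if key not in env.credential_store:
        raise KeyError(f"credential key {key!r} is not in the credential store")
    return env.credential_store[key]

def check_subject(env: Environment, subject: str) -> List[str]:
    """List the reasons a token request for `subject` would fail; empty means OK."""
    problems = []
    if subject not in env.idcs_users:
        problems.append(f"{subject} is not synchronized to Oracle Identity Cloud Service")
    elif subject not in env.idcs_privileged:
        problems.append(f"{subject} lacks privileges for the PaaS web service scope")
    return problems

def audit_page(conn: WebServiceConnection, env: Environment, page_users: List[str]) -> Dict[str, List[str]]:
    """For every user who may open the page, report problems with the token subject.
    With Subject Precedence checked, each page user must be synchronized and privileged;
    with a credential key, only the single stored user must be."""
    return {user: check_subject(env, resolve_subject(conn, env, user)) for user in page_users}

if __name__ == "__main__":
    env = Environment(
        credential_store={"PAAS_SVC_KEY": "svc.integration", "CLIENT_CREDENTIAL_KEY": "fusion.client"},
        idcs_users={"alice", "svc.integration", "fusion.client"},
        idcs_privileged={"alice", "svc.integration"},
    )
    print(audit_page(WebServiceConnection(subject_precedence=True), env, ["alice", "bob"]))
    print(audit_page(WebServiceConnection(False, credential_key="PAAS_SVC_KEY"), env, ["alice", "bob"]))
```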
About Required Services and Roles
This solution requires the following services and roles:
- Oracle Fusion Applications Cloud Service: For example, Oracle Engagement Cloud, Oracle Global Human Resources Cloud, or Oracle Enterprise Resource Planning Cloud.
- Oracle PaaS services: For example, Oracle Java Cloud Service, Oracle Visual Builder, or Oracle SOA Cloud Service.
- Oracle Identity Cloud Service: The identity management service included with your Oracle Cloud account.
These are the roles needed for each service.
| Service Name: Role | Required to... |
|---|---|
| Oracle Fusion Applications Cloud Service: Application Implementation Consultant | Create a sandbox, and customize the visibility of user interface components. |
| Oracle Identity Cloud Service: Identity Domain Administrator | Configure the trusted client application in Oracle Identity Cloud Service. |
| Oracle PaaS: service administrator. For example, for Oracle Java Cloud Service: Java administrator. You may also need WebLogic Administrator. | Create or deploy REST or SOAP APIs, administer load balancers, and monitor and manage service usage. You may also need to access and use the WebLogic Server Administration Console, configure identity providers, and deploy and undeploy applications. |
See Learn how to get Oracle Cloud services for Oracle Solutions to get the cloud services you need.
Before You Begin
Before you begin accessing PaaS data from a cloud application using web services:
You must set up the required federation, OAuth-based trust, and user and role synchronization by following the steps in the solution Integrate an Oracle SaaS application with Oracle PaaS.
You should also be familiar with the use of OWSM policies, as described in Securing Web Services and Managing Policies with Oracle Web Services Manager.