Synchronize Oracle Fusion Applications Cloud Service User Identities and Roles with a Traditional Account

Federated SSO functionality between Oracle Fusion Applications Cloud Service and Oracle PaaS requires SaaS identities to be regularly synchronized to the Oracle PaaS user store. You may also want to synchronize roles and corresponding role assignments in order to support role-based access control by custom applications deployed on Oracle PaaS to content stored in your Oracle Fusion Applications Cloud Service instance. When federating services with a Traditional Account, you should configure a synchronization process for user identities and roles. You can configure Oracle Fusion Applications Cloud Service services to sync identities and roles once, or to automatically sync on a schedule of your choosing, using the Oracle Enterprise Scheduler Service (ESS).

You can synchronize your Oracle Fusion Applications Cloud Service user identities and roles with your Traditional Account if you have both services in the same identity domain. You may also (at the same time or instead) synchronize identities and roles with Oracle Identity Cloud Service.

About User Identity and Role Synchronization

The Oracle Enterprise Scheduler (ESS) Scheduled Processes tool can schedule ad-hoc or repeating synchronizations of user identity and role data between Oracle Fusion Applications Cloud Service services and an Oracle PaaS Traditional account.

Synchronization of Edit and Delete Record Operations

When user records and role assignments are deleted or updated in the Oracle SaaS service, the update and delete operations are also monitored in the service tables. A corresponding Update or Delete operation is sent to the Traditional account identity manager using REST PUT and DELETE calls.

Retrying Synchronization Attempts

Each time the ESS process runs, it fetches user identity data, roles, and role assignments that have changed (added, modified, or deleted). It is possible that one or more records may fail to synchronize. If the job fails to synchronize a record, it moves the fetched record to a retry table.

Whenever the ESS sync job starts or resumes, it checks the migration retry table and first attempts to synchronize those entries. When there are no entries, then the job queries the service for newly created, updated, or deleted user records, roles, and role assignments.

The FND_USER_MIGRATION_MAX_RETRY_ATTEMPTS profile controls how many times a failed synchronization attempt is retried before the record is written to the retry table. The default value is 20.

Batch Size

Each time the ESS process runs, it attempts to synchronize a number of records up to the pre-configured batch size limit. The FND_USER_MIGRATION_FETCH_BATCH_SIZE profile controls how many user identity, role, and role assignment records are fetched for each run of the ESS process. The default value is 1000.

Because records are processed one at a time over REST calls, very large batches may take hours to complete.

Maximum Roles

Each time the ESS process runs, enterprise roles and role assignments may be synchronized, if you previously selected roles to synchronize. The FND_ROLE_SYNC_MAX_SELECTED_ROLES_SIZE profile limits how many roles may be migrated. The default value is 15. This does not limit the number of role assignment transactions or changes that might be synchronized in one batch; that number is limited by the batch size. A given role might be assigned to many users, and each role assignment change (add, modify, delete) is a transaction included in the batch. The maximum roles profile, however, limits how many different enterprise roles may be set up to be synchronized to the Traditional account.
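The three sections above (retry table, batch size, maximum roles) describe how one ESS run spends its batch. The following in-memory model is an added illustration, not Oracle's code: it applies the documented rules (retry-table entries are attempted first, at most batch-size transactions per run, a record is given up after the retry limit, and only explicitly selected roles and their assignments are synchronized) to a constructed set of changes. The class and function names (SyncJob, Change, demo), the assumption that capacity left after the retries is spent on new changes, and the assumption that the retry profile counts total attempts are this example's own.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Profile defaults quoted in the text above.
FND_USER_MIGRATION_FETCH_BATCH_SIZE = 1000
FND_USER_MIGRATION_MAX_RETRY_ATTEMPTS = 20
FND_ROLE_SYNC_MAX_SELECTED_ROLES_SIZE = 15


@dataclass(frozen=True)
class Change:
    """One fetched change: a user, a role, or a role assignment keyed 'user:role'."""
    kind: str   # "user", "role" or "assignment"
    key: str
    op: str     # "add", "modify" or "delete"


@dataclass
class SyncJob:
    """Hypothetical in-memory model of the ESS job (assumption, not Oracle's implementation)."""
    push: Callable[[Change], bool]   # stand-in for the REST PUT/DELETE call; True on success
    batch_size: int = FND_USER_MIGRATION_FETCH_BATCH_SIZE
    max_attempts: int = FND_USER_MIGRATION_MAX_RETRY_ATTEMPTS
    max_roles: int = FND_ROLE_SYNC_MAX_SELECTED_ROLES_SIZE
    selected_roles: List[str] = field(default_factory=list)
    retry_table: List[Tuple[Change, int]] = field(default_factory=list)  # (change, attempts so far)
    synced: List[Change] = field(default_factory=list)
    abandoned: List[Change] = field(default_factory=list)

    def select_role(self, role: str) -> bool:
        """Mirror the Migrate Enterprise Roles page: refuse rows beyond the max-roles profile."""
        if role in self.selected_roles:
            return True
        if len(self.selected_roles) >= self.max_roles:
            return False
        self.selected_roles.append(role)
        return True

    def _in_scope(self, change: Change) -> bool:
        """Only explicitly selected roles (and assignments of those roles) are synchronized."""
        if change.kind == "role":
            return change.key in self.selected_roles
        if change.kind == "assignment":
            return change.key.split(":", 1)[1] in self.selected_roles
        return True

    def run(self, pending: List[Change]) -> int:
        """One ESS run. Retry-table entries are attempted first; the remaining batch
        capacity is spent on new changes, which are consumed from `pending`.
        Returns the number of transactions attempted in this run."""
        budget = self.batch_size
        attempted = 0
        carried: List[Tuple[Change, int]] = []
        while self.retry_table and budget > 0:
            change, attempts = self.retry_table.pop(0)
            budget -= 1
            attempted += 1
            if self.push(change):
                self.synced.append(change)
            elif attempts + 1 >= self.max_attempts:
                self.abandoned.append(change)   # retry limit reached; shows on the failed tab
            else:
                carried.append((change, attempts + 1))
        self.retry_table = carried + self.retry_table   # unattempted entries stay queued
        while pending and budget > 0:
            change = pending.pop(0)
            if not self._in_scope(change):
                continue
            budget -= 1
            attempted += 1
            if self.push(change):
                self.synced.append(change)
            else:
                self.retry_table.append((change, 1))
        return attempted


def demo() -> Dict[str, object]:
    """Constructed scenario: user 'bob' always fails at the target; small batch and retry limits."""
    failing = {"bob"}
    job = SyncJob(push=lambda c: c.key.split(":")[0] not in failing,
                  batch_size=2, max_attempts=3, max_roles=2)
    role_adds = [job.select_role(r) for r in ("SALES_REP", "HR_SPECIALIST", "AUDITOR")]
    pending = [
        Change("user", "alice", "add"),
        Change("user", "bob", "add"),
        Change("user", "carol", "add"),
        Change("assignment", "alice:AUDITOR", "add"),     # AUDITOR was not selected: skipped
        Change("assignment", "alice:SALES_REP", "add"),
    ]
    attempts_per_run: List[int] = []
    while pending or job.retry_table:
        attempts_per_run.append(job.run(pending))
    return {
        "role_adds": role_adds,                       # [True, True, False]
        "attempts_per_run": attempts_per_run,         # [2, 2, 2]
        "synced": [c.key for c in job.synced],        # ['alice', 'carol', 'alice:SALES_REP']
        "abandoned": [c.key for c in job.abandoned],  # ['bob']
    }
```

Running demo() shows why a persistently failing record costs one transaction of every run until the retry limit is reached, and why a small batch size stretches a backlog over several scheduled runs: with a batch of 2, the five constructed changes (one of them out of scope) need three runs.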

User Identity and Role Synchronization when Oracle Cloud Federates from an External Identity Provider

The ESS synchronization job always monitors Oracle Fusion Applications Cloud Service tables for new inserts, updates, and deletes, which may include updates from an external repository. In some cases, your Oracle Cloud SaaS service may be federated with an on-premise or third-party identity management system. Even when user identities and passwords are mastered in an external identity system federated with Oracle Cloud, user identity data is loaded into Oracle Fusion Applications Cloud Service through a file-based loader or import/export process. As a result, you can still use the ESS job to synchronize your user identity data to an Oracle PaaS Traditional account.

Configure ESS Sync Job Role Synchronization

You can configure the ESS sync job to synchronize roles and role assignments in addition to user identities.

In some integration scenarios, you may want to select certain roles to be synchronized with your PaaS identity store. Only roles which you explicitly select to be synchronized are included. Users assigned those roles in your Oracle Fusion Applications Cloud Service have their role assignments applied to their synchronized identities in Oracle PaaS.

To configure the ESS sync job to synchronize roles:

  1. Sign in to the SaaS service by using an account that has the Administrator role.
  2. From the Setup and Maintenance panel of your service, search for the taskflow Migrate Enterprise Roles and Assignments to PaaS Identity.
    The Migrate Enterprise Roles and Assignments to PaaS Identity Store page loads showing any roles that have been selected for synchronization.
  3. To add roles to the table, select the Add Row action by clicking the plus icon or selecting it from the Actions menu.
  4. Search for roles by display name or role name. To see a list of every role in the system, leave both fields blank and click Search.
  5. In the search results, select one or more roles that you want to synchronize, and click Add.
  6. To remove roles, select a row in the table and click the red X icon or the remove action from the Actions menu.
Roles in this table will be synchronized, up to the maximum limit specified by the FND_ROLE_SYNC_MAX_SELECTED_ROLES_SIZE profile. You can’t add more roles to the table if it has reached the limit defined by this profile. Each role in the table has a SyncStatus and a SyncStatusMessage field, which indicate whether the role has been synchronized, is pending synchronization, or has failed synchronization due to an error.

Schedule Synchronization to Oracle PaaS Identity Management

Use the Oracle Enterprise Scheduler (ESS) Scheduled Processes tool to schedule ad-hoc or repeating synchronizations of user identity, role, and role assignment data from Oracle Fusion Applications Cloud Service to an Oracle PaaS Traditional account.

The ESS synchronization process will batch load new users, roles, and role assignments, apply changes to identities and role assignments, and delete records from the traditional account that have been deleted from your service.

To schedule a one-off or repeating user identity and role sync process:

  1. Log in to the SaaS service using an account with the Administrator role.
  2. From the main console, open the Navigator menu.
  3. Select More...
  4. Click Scheduled Processes.
    The Scheduled Processes Overview screen opens. Use this screen to review upcoming scheduled processes, and to create new scheduled processes.
  5. In the Search Results section, click the Schedule New Process button.
  6. Click the down arrow icon at the end of the Name field to open the process name list and find the User identity synchronization from this SaaS instance to the PaaS Identity Store job, and then click OK to select it.
    • Click Search... at the bottom of the name list to locate the job by searching for it.
    • Or, scroll down the drop down list to locate the job by its name.
    The Process Details dialog opens, showing the process you selected.
  7. Optionally, click Process Options.
    In the Process Options dialog, you can control the format of the displayed or reported job details, such as the displayed time zone, time format, and language options.
  8. Optionally, click Advanced. Two tabs are shown in the Process Details dialog:
    • Using the Notification tab, you can add notifications to be sent to specified recipients triggered by success, warning, and error results of the user sync job.
    • Using the Schedule tab, you can select between As soon as possible, which will schedule the sync job to run immediately, or Using a schedule, which allows you to create a repeating scheduled sync process.
  9. After choosing your process options, in the Process Details dialog, click Submit.
    The process is scheduled, and added to the Search Results table on the Scheduled Processes Overview screen.
When the process runs, user identities that exist in your service’s user repository (or in an external repository federated with your service) will be synchronized to identities in your Oracle PaaS identity management system. If you have configured any roles to sync, those roles and role assignments will also be synchronized.
For additional details about using scheduled processes, search the Oracle Applications help for scheduled processes.

Review and Monitor ESS Sync Job Results

To verify success and identify issues, you can review and monitor the results of your ESS synchronization jobs.

  1. Sign in to the service by using an account with the Administrator role.
  2. In the Setup and Maintenance panel of your service, search for the taskflow Manage User Identity Synchronization to PaaS Identity Store.
  3. On the Manage User Identity Synchronization to PaaS Identity Store page, review the Users Successfully Synchronized tab.
    After you’ve run a synchronization job that successfully synchronized user identities, each user is listed on this tab.
  4. To view the role assignment history of a user, select the user row in the Users Synchronized table.
    The Role Assignment History of <user name> user table includes role assignment data for the user. If the user has never had roles synchronized, the table will show the message No data to display.
  5. Review the Users Failed to Synchronize tab.
    The Users Failed to Synchronize tab shows two tables: Users Sync failed and User Role Assignments Sync failed. Failed synchronizations will be retried the next time the sync job runs, until the maximum number of retry attempts has been made. This limit is set in the FND_USER_MIGRATION_MAX_RETRY_ATTEMPTS profile. Failed synchronizations include a response code, error code, and failure message which can assist with troubleshooting. To configure the maximum retry attempts number, modify the ESS Sync Job profiles.
  6. Review the Users Yet to Synchronize tab.
    This tab contains a table that lists all users that have user identity or role changes that have not been synchronized. You can use this table to verify whether a specific user identity has been synchronized, and to help adjust how frequently you need to run the synchronization job.

Reset ESS Synchronization Data

Under certain conditions, you may need to reset synchronization data. After it’s reset, the ESS synchronization job attempts to synchronize all user identities, roles, and corresponding role assignments that are configured for synchronization.

In some cases, you may want to force the ESS synchronization job to attempt to synchronize every user identity, configured role, and corresponding role assignment for all users, even for users that were previously synchronized and for which no changes to identity or role have been made. For example, if you migrate user data from test to production, you’ll need to reset synchronization data in order to cause records that were previously synchronized with the test instance to be synchronized again to the new production instance.

All roles configured for synchronization in the Migrate Enterprise Roles and Assignments to PaaS Identity Store are removed and must be configured again.

To reset synchronization data:

  1. Sign in to Oracle Fusion Applications Cloud Service by using an account with the Administrator role.
  2. On the Setup and Maintenance panel of your service, search for the taskflow Manage User Identity Synchronization to PaaS Identity Store.
  3. On the Manage User Identity Synchronization to PaaS Identity Store page, click the Reset Synchronization Data button in the top right of the screen. Confirm that you want to reset synchronization data in the dialog.
The next time you run the ESS batch synchronization job, all user identities and, if configured, roles and role assignments, will be synchronized.

Modify ESS Sync Job Profiles

You can modify the profiles that control the ESS sync job behavior, including batch size; retry attempts; maximum number of roles for the ESS sync process; whether to synchronize to a Traditional account, Oracle Identity Cloud Service, or both; and more. If you’re setting up user and role sync to Oracle Identity Cloud Service, you must change the value of the FND_USER_IDENTITY_SYNC_TARGET profile.

The ESS synchronization process uses these profiles:

  • FND_USER_MIGRATION_FETCH_BATCH_SIZE controls the maximum number of transactions performed during one synchronization process. Transactions include each user identity synchronized, each role synchronized, and each role assignment synchronized. The default value is 1000.

  • FND_USER_MIGRATION_MAX_RETRY_ATTEMPTS controls the maximum number of times the batch job tries to synchronize a record if the initial synchronization attempt fails. The default value is 20.

  • FND_ROLE_SYNC_MAX_SELECTED_ROLES_SIZE controls the maximum number of roles that can be added to the Migrate Enterprise Roles and Assignments to PaaS Identity Store table. The default value is 15.

  • FND_USER_IDENTITY_SYNC_TARGET determines whether your Oracle Fusion Applications Cloud Service application synchronizes users to Oracle Identity Cloud Service, a Traditional account (referred to as SIM), or both. The default value is SIM. To only synchronize to Oracle Identity Cloud Service, change the value to IDCS. To synchronize to both Oracle Identity Cloud Service and a Traditional account, change the value to ALL.

  • FND_SYNC_JOB_TYPE determines whether the ESS synchronization process synchronizes users, roles, or both. To synchronize both users and roles (including role assignments), set the value to ALL. To synchronize users only, set the value to USER. To synchronize roles only, set the value to ROLE.

  • FND_USER_MIGRATION_FA_FEDERATION controls whether user identities synchronized to Oracle Identity Cloud Service have the Federated flag set, to enable federation with Oracle Fusion Applications Cloud Service. The default value is TRUE. Set the value to FALSE to disable setting the Federated flag.

  • FND_USER_MIGRATION_FA_ENV_NAME lets you add a prefix to the names of roles as they are synchronized. The default value is an empty string. Add a short text value if you want all synchronized roles to have a prefix. This prefix allows you to synchronize roles with identical names from different Oracle Fusion Applications Cloud Service instances to the same Oracle Identity Cloud Service instance, by affixing a source-specific identifier. Once you’ve set a prefix to a non-empty string, you should retain the same string for all synchronization job runs, to avoid creating multiple copies of roles in the target Oracle Identity Cloud Service instance.
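The profile list above gives each option's allowed values and default. The following checker is an added example, not Oracle code: it validates a proposed set of profile values against those documented values before they are saved on the Manage Administrator Profile Values page, reports which targets and object types a given combination synchronizes, and shows how the FND_USER_MIGRATION_FA_ENV_NAME prefix keeps identically named roles from two source instances apart in one target. The function names and the assumption that the prefix is simply prepended to the role name are this example's own; the page does not state the exact joining format.

```python
from typing import Dict, List, Set, Tuple

# Documented allowed values and defaults (from the profile list above).
DEFAULTS = {
    "FND_USER_MIGRATION_FETCH_BATCH_SIZE": "1000",
    "FND_USER_MIGRATION_MAX_RETRY_ATTEMPTS": "20",
    "FND_ROLE_SYNC_MAX_SELECTED_ROLES_SIZE": "15",
    "FND_USER_IDENTITY_SYNC_TARGET": "SIM",
    "FND_SYNC_JOB_TYPE": "ALL",
    "FND_USER_MIGRATION_FA_FEDERATION": "TRUE",
    "FND_USER_MIGRATION_FA_ENV_NAME": "",
}
ALLOWED = {
    "FND_USER_IDENTITY_SYNC_TARGET": {"SIM", "IDCS", "ALL"},
    "FND_SYNC_JOB_TYPE": {"ALL", "USER", "ROLE"},
    "FND_USER_MIGRATION_FA_FEDERATION": {"TRUE", "FALSE"},
}
POSITIVE_INT = (
    "FND_USER_MIGRATION_FETCH_BATCH_SIZE",
    "FND_USER_MIGRATION_MAX_RETRY_ATTEMPTS",
    "FND_ROLE_SYNC_MAX_SELECTED_ROLES_SIZE",
)


def effective(profiles: Dict[str, str], name: str) -> str:
    """Value the job will use: the proposed value, or the documented default."""
    return profiles.get(name, DEFAULTS[name])


def validate_profiles(profiles: Dict[str, str]) -> List[str]:
    """Return one message per profile whose value is outside the documented set."""
    errors: List[str] = []
    for name in profiles:
        if name not in DEFAULTS:
            errors.append(f"{name}: not an ESS sync job profile")
    for name, allowed in ALLOWED.items():
        value = effective(profiles, name)
        if value not in allowed:
            errors.append(f"{name}: '{value}' is not one of {sorted(allowed)}")
    for name in POSITIVE_INT:
        value = effective(profiles, name)
        if not value.isdigit() or int(value) <= 0:
            errors.append(f"{name}: '{value}' must be a positive integer")
    return errors


def sync_targets(profiles: Dict[str, str]) -> Set[str]:
    """Identity stores the job writes to for FND_USER_IDENTITY_SYNC_TARGET."""
    value = effective(profiles, "FND_USER_IDENTITY_SYNC_TARGET")
    return {"SIM", "IDCS"} if value == "ALL" else {value}


def synced_kinds(profiles: Dict[str, str]) -> Set[str]:
    """Object types the job synchronizes for FND_SYNC_JOB_TYPE."""
    value = effective(profiles, "FND_SYNC_JOB_TYPE")
    if value == "ALL":
        return {"user", "role", "assignment"}
    return {"user"} if value == "USER" else {"role", "assignment"}


def target_role_names(sources: List[Tuple[str, List[str]]]) -> Dict[str, List[str]]:
    """sources: (FND_USER_MIGRATION_FA_ENV_NAME prefix, roles) per source instance.
    Returns target role name -> prefixes that produce it (assumes prefix + role name)."""
    names: Dict[str, List[str]] = {}
    for prefix, roles in sources:
        for role in roles:
            names.setdefault(prefix + role, []).append(prefix)
    return names


def collisions(sources: List[Tuple[str, List[str]]]) -> List[str]:
    """Target role names that more than one source instance would write to."""
    return sorted(n for n, srcs in target_role_names(sources).items() if len(srcs) > 1)
```

With an empty prefix, a test and a production instance that both carry SALES_REP write to the same target role; giving each instance its own FND_USER_MIGRATION_FA_ENV_NAME (say TEST_ and PROD_) removes the collision, and, as the text notes, the prefix should then stay fixed across runs so the job does not create a second copy of every role.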

To modify any of these profiles:
  1. In Oracle Fusion Applications Cloud Service, navigate to Setup and Maintenance, and search for Manage Administrator Profile Values in the Implementation Projects search field.
  2. On the Manage Administrator Profile Values page, enter part or all of the name of the profiles you want to modify in the Search: Profile Option section, and click Search.
    In the Search Results table, profiles that match your search are listed in a table.
  3. Select a profile in the Search Results table and edit the Profile Value in the lower table as needed. When you’re finished modifying values, click Save and Close.
The ESS sync process will use the new values the next time it runs.