Synchronize Oracle Fusion Applications Cloud Service User Identities and Roles with Oracle Identity Cloud Service

When you’ve federated Oracle Fusion Applications Cloud Service with Oracle Identity Cloud Service, you can configure a synchronization process for user identities, roles, and role assignments.

You can synchronize the user identities and roles in Oracle Fusion Applications Cloud Service with Oracle Identity Cloud Service if both services are in the same region. You can also synchronize the identities and roles in Oracle Fusion Applications Cloud Service with an Oracle Cloud account that uses Shared Identity Management (SIM), if the account is in the same identity domain.

About Synchronization Direction

You’ll set up synchronization to push user identities from one identity management system to another.

You can configure Oracle Fusion Applications Cloud Service as either an identity provider, or a service provider. When Oracle Fusion Applications Cloud Service is the identity provider, you’ll always provision users first in Oracle Fusion Applications Cloud Service. You’ll then synchronize them to your federated Oracle Identity Cloud Service instance by using the ESS sync job. When Oracle Fusion Applications Cloud Service is a service provider, Oracle Identity Cloud Service is the identity provider. In this scenario, you can either provision users in Oracle Identity Cloud Service and synchronize them to Oracle Fusion Applications Cloud Service, or provision users in Oracle Fusion Applications Cloud Service and synchronize them to Oracle Identity Cloud Service.

In all cases, you define role and role assignments first in Oracle Fusion Applications Cloud Service and then synchronize them to Oracle Identity Cloud Service.

When using the following topics, be sure to understand in which direction you’re configuring synchronization. You can skip the topics that are only for a direction of synchronization that you’re not using.

In some cases you may want to first load users from Oracle Fusion Applications Cloud Service into Oracle Identity Cloud Service, and then set up subsequent synchronization of users from Oracle Identity Cloud Service to Oracle Fusion Applications Cloud Service. To do this, set up the ESS sync job to synchronize users to Oracle Identity Cloud Service, run it until all users are synchronized, and then disable the ESS sync job. You can then set up the Oracle Identity Cloud Service to Oracle Fusion Applications Cloud Service synchronization, and create and manage users from Oracle Identity Cloud Service.

If you’re not synchronizing roles or role assignments, and you only want to synchronize user accounts from Oracle Identity Cloud Service to Oracle Fusion Applications Cloud Service, you can skip all of the topics relating to configuring, scheduling, and monitoring the ESS sync job.

About Roles and Oracle Identity Cloud Service Groups

Synchronizing role and role assignments to Oracle Identity Cloud Service creates Oracle Identity Cloud Service groups and assigns users to the groups. After the synchronization process creates new groups in Oracle Identity Cloud Service, you’ll need to assign appropriate privileges to the groups.

When the sync job synchronizes a role to Oracle Identity Cloud Service for the first time, a new group is created in Oracle Identity Cloud Service. Then, when a role assignment for the role is synchronized to Oracle Identity Cloud Service, the user is assigned to the group.

For example: suppose you want to grant PaaS-service-specific privileges to Oracle Sales Cloud users who have the sales administrator role. First, set up the synchronization job by following the procedures in this document. Run the sync job to synchronize users, roles, and role assignments to Oracle PaaS, making sure that you’re synchronizing all of the desired Oracle Sales Cloud users who have the sales administrator role, as well as the sales administrator role itself. As part of the synchronization process, a group called “sales administrator” is created in Oracle Identity Cloud Service. You then need to sign in to Oracle Identity Cloud Service and grant the PaaS service-specific role to the group that was created by the sync job. This grants the appropriate privileges to the group, and therefore to the users, in Oracle Identity Cloud Service.

Roles from Oracle Fusion Applications Cloud Service services are mapped to Oracle Identity Cloud Service groups this way:

Oracle Fusion Applications Cloud Service Role Attribute    Oracle Identity Cloud Service Group Attribute
ROLE_NAME                                                  displayName
DESCRIPTION                                                description
ROLE_COMMON_NAME                                           externalId

In Oracle Identity Cloud Service, the externalId attribute isn’t visible in the UI.

About Duplicate Roles With Prefixes

If enterprise roles that were stored in another identity management system were then migrated to Oracle Fusion Applications Cloud Service, you may see duplicate roles in your system, some with the ORA_ prefix and some with another prefix, such as ASM_.

In these cases, only synchronize roles that have the ORA_ prefix (or no prefix). Don’t synchronize duplicate roles that have another prefix. If you try to synchronize these duplicate roles, you’ll see synchronization errors.

Create an OAuth Client Application in Oracle Identity Cloud Service

In Oracle Identity Cloud Service, you’ll create an OAuth client application entry and generate an access key and secret. The Oracle Fusion Applications Cloud Service ESS Sync job uses this application as an endpoint.

  1. Sign in to Oracle Cloud My Services, click Users, and then click Identity Console.
  2. Select the Applications tab, and click Add. Then click Trusted Application.
  3. On the Details page of the Add Trusted Application wizard, give the new application a name. If you want, you can set other values such as description and tags. Click Next.
  4. On the Client page, select Configure this application as a client now.
    Additional options appear on the page. Set them this way:
    • Allowed Grant Types: Select Client Credentials.

    • Security: Leave the Trusted Client box unchecked.

    • Enable Grant the client access to Identity Cloud Service Admin APIs. This control is at the very bottom of the page.

    • In the box under Grant the client access to Identity Cloud Service Admin APIs, enter User Administrator.

  5. Click Next. On the Resources page, leave Skip for later selected and click Next. On the Authorization page, click Finish.
  6. Make a note of the client ID and client secret keys shown in the Application Added notification. You’ll need these later. Then click Close.
    You can also get the client ID and client secret keys at any time by selecting the client application, selecting the Configuration tab, and expanding General Information.
  7. To activate the application, from the Oracle Identity Cloud Service console, select Applications, and select the application. Click the Activate button to the right of the application name.

Configure an Oracle Identity Cloud Service Endpoint in Oracle Fusion Applications Cloud Service

You must set up an Oracle Identity Cloud Service endpoint in your Oracle Fusion Applications Cloud Service instance and provide it with the credentials that you generated in Oracle Identity Cloud Service.

  1. Sign in to the Oracle Identity Cloud Service administrator console.
  2. Click Settings.
  3. Click the Identity Providers icon.
  4. Select the FA identity provider from the list, and then click Edit.
  5. In the section of the dialog beneath Service Provider Metadata, copy the first part of the Assertion Consumer Service URL. For example, if the URL is https://abc.identity.example.com/fed/v1/sp/sso, copy https://abc.identity.example.com.
  6. Modify the URL by appending /admin/v1 to the end. The result should resemble https://abc.identity.example.com/admin/v1.
    This is the modified Oracle Identity Cloud Service Assertion Consumer Service URL that you’ll need for the Full URL parameter of the third party application in step 12.
  7. Sign in to your Oracle Fusion Applications Cloud Service service using an account with administrator access.
  8. On the home page, open the Account menu and select Setup and Maintenance.
  9. Select Manage Custom Setup Content.
  10. On the Manage Custom Setup Content page, under Topology Definition, select Manage Third Party Applications.
  11. In the Search Results table, click the plus icon to create a new third party application.
  12. In the Create Third Party Application dialog, enter the following values:
    • Application Name: IDCS_REST_ENDPOINTAPP
    • Full URL: Enter the modified Oracle Identity Cloud Service Assertion Consumer Service URL that you obtained in step 6.
    • Partner Name: IDCS
    • Security Policy: oracle/wss_username_token_over_ssl_client_policy
    After you select the security policy, User Name and Password fields are displayed.
  13. Enter the client ID of the Oracle Identity Cloud Service Application as the user name. Enter the secret key of the Oracle Identity Cloud Service application as the password.
  14. Click Apply, and then click Save and Close.

Configure the Client Application Credentials in Oracle Fusion Applications Cloud Service

Create a task in your Oracle Fusion Applications Cloud Service application.

  1. Sign in to Oracle Fusion Applications Cloud Service as a user with administrator privileges.
  2. Click to open the navigator. Under Tools, select Setup and Maintenance.
  3. In the control panel on the right side of the Setup and Maintenance page, select Manage Custom Setup Content.
  4. On the Manage Custom Setup Content page, select Manage Task Lists and Tasks.
  5. On the Manage Task Lists and Tasks page, click Create Task.
  6. In the Basic Information area, enter the following values for your new task:
    Field Name              Field Value
    Name                    Fusion Applications IDCS Sync App Credentials
    Code                    FUSION_APPLICATIONS_IDCS_SYNC_APP_CREDENTIALS
    Description             Fusion Applications IDCS Sync App Credentials
    Deployment Method       None
    Program Name            /WEB-INF/oracle/apps/setup/commonSetup/setupHub/publicUi/flow/EndpointPolicyFlow.xml#EndpointPolicyFlow
    Perform Task            After Import
    Enterprise Application  Setup
    Module                  Setup
    Parameters              endpointKey=FA_USER_SYNC_IDCS_CLIENT_ID&filterSecurityPolicies=oracle/wss_username_token_over_ssl_client_policy
    Task Type               Data Entry
    Uses user interface     Selected
    Open In                 Standard view
  7. Click Save and Close.

Configure Synchronization from Oracle Identity Cloud Service to Oracle Fusion Applications Cloud Service

Whenever you create new users and modify user accounts in Oracle Identity Cloud Service — such as when it’s acting as an identity provider, and your Oracle Fusion Applications Cloud Service service is acting as a service provider — you may need to synchronize users from Oracle Identity Cloud Service to your Oracle Fusion Applications Cloud Service.

Synchronize Roles and Role Assignments to Oracle Identity Cloud Service Groups

Even if you’re setting up synchronization of user accounts to Oracle Fusion Applications Cloud Service, you’ll need to use the ESS sync job to synchronize roles and role assignments from Oracle Fusion Applications Cloud Service to Oracle Identity Cloud Service.

  1. Follow the instructions to configure user synchronization from Oracle Identity Cloud Service to Oracle Fusion Applications Cloud Service.
  2. Follow the instructions in the Modify ESS Sync Job Profiles section, and set the ESS profile FND_SYNC_JOB_TYPE to ROLE.
  3. Schedule synchronization with the ESS sync job by following the instructions in the Schedule Synchronization from Oracle Fusion Applications Cloud Service to Oracle Identity Cloud Service section.
When you’ve completed all three steps, your role and role assignments will synchronize to Oracle Identity Cloud Service groups, while your Oracle Identity Cloud Service user identities will sync into your Oracle Fusion Applications Cloud Service service.

Obtain the External Host Name and Port Number of your Oracle Fusion Applications Cloud Service

You need the external server host name and port number values in order to establish a connection with Oracle Fusion Applications Cloud Service when you enable provisioning.

  1. Sign in as an administrator to Oracle Sales Cloud, Oracle Global Human Resources Cloud, or Oracle ERP Cloud, click Navigator, and then select Setup and Maintenance.
  2. Click Tasks, and then select Review Topology.
  3. Get the domain name, host name, and port number:
    • In R12, click the Details tab, expand the hcmdomain domain name, and then note the external server host name and port number values for HCM Core Setup.
    • In R13, click the Details tab, expand the FADomain domain name, and then note the external server host name and port number values for HCMServices.

Enable Synchronization by Modifying the Oracle Fusion Application in Oracle Identity Cloud Service

You enable synchronization by modifying the configuration of the Oracle Fusion application in Oracle Identity Cloud Service that you created when you set up federated SSO.

  1. Sign in to My Services, select Users, and then click Identity Console to access the Oracle Identity Cloud Service console.
  2. Select Applications, and then select the Oracle Fusion application that you created when you configured federated SSO and OAuth trust. Be sure to update the Fusion Application SSO and provisioning application, and not the application that manages OAuth.
  3. Select the Provisioning tab, and turn on Enable Provisioning.
  4. Set the following values:
    • Administrator Username: The user name of the Oracle Fusion Applications Cloud Service service account.

    • Administrator Password: The password of the Oracle Fusion Applications Cloud Service service account

    • Host Name: The host name of the device that hosts Oracle Fusion Applications Cloud Service (for example, myhost.oraclecloud.com).

    • Port Number: The port number at which Oracle Fusion Applications Cloud Service is listening.

    • SSL Enabled: By default, SSL communication is enabled between Oracle Identity Cloud Service and Oracle Fusion Applications Cloud Service. If SSL connectivity isn’t required, clear the SSL Enabled check box.

  5. Click Test Connectivity to verify the connection with Oracle Fusion Applications Cloud Service.
    If the connection information is correct, a Connection successful confirmation message appears next to the Test Connectivity button.
  6. To view predefined attribute mappings between the user account fields defined in Oracle Fusion Applications Cloud Service and the corresponding fields defined in Oracle Identity Cloud Service, click Attribute Mapping. If you want to add a new attribute for provisioning, click Add Attribute, specify the attributes in the User and the application columns, and then click OK.
    For example, if you want to add the External ID field, enter $(user.externalId) in the User column, and then select the corresponding field from the drop-down list in the application column.
  7. Specify the provisioning operations that you want to enable:
    • Create Account: Automatically creates an account in Oracle Fusion Applications Cloud Service when Oracle Fusion Applications Cloud Service access is granted to the corresponding user in Oracle Identity Cloud Service.
    • Delete Account: Automatically deletes an account from Oracle Fusion Applications Cloud Service when Oracle Fusion Applications Cloud Service access is revoked from the corresponding user in Oracle Identity Cloud Service.
    Don’t turn on Enable Synchronization.
  8. Use any of the following methods to identify users to be synchronized:
    • On the Users tab of the application, click Assign. In the Assign Users dialog, select one or more users and click OK. The users are added to the list on this tab, and are immediately synchronized to Oracle Fusion Applications Cloud Service.
    • On the Groups tab of the application, click Assign. Select one or more groups and click OK. All users who are members of the groups you select are immediately synchronized to Oracle Fusion Applications Cloud Service.
    • On the Users tab of the Oracle Identity Cloud Service console, select a user. On the user page, select the Access tab. Click Assign, and then select the application. The user is immediately synchronized to Oracle Fusion Applications Cloud Service.
    • On the Groups tab of the Oracle Identity Cloud Service console, select a group (or create a new group). From the group Access tab, click Assign, and then select the application. All users that are members of this group are immediately synchronized to Oracle Fusion Applications Cloud Service.
    You can remove a user from the Oracle Fusion Applications Cloud Service by using the Revoke function or by removing the user from all groups that are assigned to the application.
  9. When a user is synchronized to Oracle Fusion Applications Cloud Service, a user account is created. Make sure to associate the account with a person record and assign duty roles in Oracle Fusion Applications Cloud Service.
You’re now able to synchronize users from Oracle Identity Cloud Service to Oracle Fusion Applications Cloud Service.

Modify ESS Sync Job Profiles

You can modify the profiles that control the ESS sync job behavior, including batch size; retry attempts; maximum number of roles for the ESS sync process; whether to synchronize to SIM, Oracle Identity Cloud Service, or both; and more. If you’re setting up user and role sync to Oracle Identity Cloud Service, you must change the value of the FND_USER_IDENTITY_SYNC_TARGET profile.

The ESS synchronization process uses these profiles:

  • FND_USER_MIGRATION_FETCH_BATCH_SIZE controls the maximum number of transactions performed during one synchronization process. Transactions include each user identity synchronized, each role synchronized, and each role assignment synchronized. The default value is 1000.

  • FND_USER_MIGRATION_MAX_RETRY_ATTEMPTS controls the maximum number of times the batch job tries to synchronize a record if the initial synchronization attempt fails. The default value is 20.

  • FND_ROLE_SYNC_MAX_SELECTED_ROLES_SIZE controls the maximum number of roles that can be added to the Migrate Enterprise Roles and Assignments to PaaS Identity Store table. The default value is 15.

  • FND_USER_IDENTITY_SYNC_TARGET determines whether your Oracle Fusion Applications Cloud Service application synchronizes users to Oracle Identity Cloud Service, SIM, or both. The default value is SIM. To only synchronize to Oracle Identity Cloud Service, change the value to IDCS. To synchronize to both Oracle Identity Cloud Service and SIM, change the value to ALL.

  • FND_SYNC_JOB_TYPE determines whether the ESS synchronization process synchronizes users, roles, or both. To synchronize both users and roles (including role assignments), set the value to ALL. To synchronize users only, set the value to USER. To synchronize roles only, set the value to ROLE.

  • FND_USER_MIGRATION_FA_FEDERATION controls whether user identities synchronized to Oracle Identity Cloud Service have the Federated flag set, to enable federation with Oracle Fusion Applications Cloud Service. The default value is TRUE. Set the value to FALSE to disable setting the Federated flag.

  • FND_USER_MIGRATION_FA_ENV_NAME lets you add a prefix to the names of roles as they are synchronized. The default value is an empty string. Add a short text value if you want all synchronized roles to have a prefix. This prefix allows you to synchronize roles with identical names from different Oracle Fusion Applications Cloud Service instances to the same Oracle Identity Cloud Service instance, by affixing a source-specific identifier. Once you’ve set the prefix to a non-empty string, retain the same string for all synchronization job runs, to avoid creating multiple copies of roles in the target Oracle Identity Cloud Service instance.
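The following model, added here as an example and not Oracle's own code, ties together the role-to-group attribute mapping described earlier (ROLE_NAME to displayName, DESCRIPTION to description, ROLE_COMMON_NAME to externalId), the rule about ORA_ duplicates, the FND_ROLE_SYNC_MAX_SELECTED_ROLES_SIZE limit and the FND_USER_MIGRATION_FA_ENV_NAME prefix, using an in-memory stand-in for the Oracle Identity Cloud Service group store. It assumes the prefix is applied to both the displayName and the externalId the job matches on; role names and users are constructed sample data.

```python
"""Model of the role and role-assignment side of the ESS sync job (added
example, not Oracle's implementation).  Groups are keyed by externalId, so a
role creates a group on first sync and updates it on later runs."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FusionRole:
    role_name: str         # ROLE_NAME
    description: str       # DESCRIPTION
    role_common_name: str  # ROLE_COMMON_NAME


@dataclass
class IdcsGroup:
    display_name: str
    description: str
    external_id: str       # hidden in the IDCS UI, but it is the sync key here
    members: set = field(default_factory=set)


def duplicate_of_ora_role(role, selected):
    """True if the role is a migrated duplicate (e.g. ASM_...) of an ORA_ role
    that is also selected; such roles must not be synchronized."""
    name = role.role_common_name
    if name.startswith("ORA_"):
        return False
    ora_bases = {r.role_common_name[4:] for r in selected
                 if r.role_common_name.startswith("ORA_")}
    _prefix, sep, base = name.partition("_")
    return bool(sep) and base in ora_bases


def build_group(role, env_name=""):
    """Map Fusion role attributes to IDCS group attributes.  Assumption: the
    FND_USER_MIGRATION_FA_ENV_NAME prefix lands on displayName and externalId,
    so changing it later produces new groups instead of updates."""
    prefix = f"{env_name}_" if env_name else ""
    return IdcsGroup(display_name=prefix + role.role_name,
                     description=role.description,
                     external_id=prefix + role.role_common_name)


class IdcsGroupStore:
    """In-memory stand-in for IDCS groups, keyed by externalId."""

    def __init__(self):
        self.groups = {}

    def upsert(self, group):
        existing = self.groups.get(group.external_id)
        if existing is None:
            self.groups[group.external_id] = group   # first sync: create group
            return "created"
        existing.display_name = group.display_name   # later runs: update in place
        existing.description = group.description
        return "updated"


def sync_roles(selected, assignments, store, env_name="", max_selected=15):
    """Sync the selected roles, then (username, ROLE_COMMON_NAME) assignments.
    Returns a SyncStatus-style dict keyed by ROLE_COMMON_NAME."""
    if len(selected) > max_selected:
        raise ValueError(f"{len(selected)} roles selected but "
                         f"FND_ROLE_SYNC_MAX_SELECTED_ROLES_SIZE is {max_selected}")
    status = {}
    for role in selected:
        if duplicate_of_ora_role(role, selected):
            status[role.role_common_name] = "FAILED: duplicate of an ORA_ role"
            continue
        status[role.role_common_name] = store.upsert(build_group(role, env_name))
    prefix = f"{env_name}_" if env_name else ""
    for user, role_common_name in assignments:
        group = store.groups.get(prefix + role_common_name)
        if group is not None:                        # only synced roles get members
            group.members.add(user)
    return status


# Constructed sample data: an ORA_ role, its ASM_ duplicate, and a custom role.
SAMPLE_ROLES = [
    FusionRole("Sales Administrator", "Sales admin job role",
               "ORA_ZBS_SALES_ADMINISTRATOR_JOB"),
    FusionRole("Sales Administrator", "Migrated duplicate",
               "ASM_ZBS_SALES_ADMINISTRATOR_JOB"),
    FusionRole("Sales Analyst", "Custom analyst role", "SALES_ANALYST_JOB"),
]
SAMPLE_ASSIGNMENTS = [("alice", "ORA_ZBS_SALES_ADMINISTRATOR_JOB"),
                      ("bob", "ASM_ZBS_SALES_ADMINISTRATOR_JOB"),
                      ("carol", "SALES_ANALYST_JOB")]

if __name__ == "__main__":
    store = IdcsGroupStore()
    print(sync_roles(SAMPLE_ROLES, SAMPLE_ASSIGNMENTS, store))  # first run creates
    print(sync_roles(SAMPLE_ROLES, SAMPLE_ASSIGNMENTS, store))  # second run updates
    for g in store.groups.values():
        print(g.external_id, g.display_name, sorted(g.members))
```

Running it twice with the same env_name shows the idempotent create-then-update behaviour; running a third time with a different env_name shows the duplicate groups the profile description warns about.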

To modify any of these profiles:
  1. In SaaS, navigate to Setup and Maintenance, and search for Manage Administrator Profile Values in the Implementation Projects search field.
  2. On the Manage Administrator Profile Values page, enter part or all of the name of the profiles you want to modify in the Search: Profile Option section, and click Search.
    In the Search Results table, profiles that match your search are listed in a table.
  3. Select a profile in the Search Results table and edit the Profile Value in the lower table as needed. When you’re finished modifying values, click Save and Close.
The ESS sync process will use the new values the next time it runs.

Configure ESS Sync Job Role Synchronization

You can configure the ESS sync job to synchronize roles and role assignments in addition to user identities.

In some integration scenarios, you may want to select certain roles to be synchronized with your PaaS identity store. Only roles which you explicitly select to be synchronized are included. Users assigned those roles in your Oracle Fusion Applications Cloud Service have their role assignments applied to their synchronized identities in Oracle PaaS.

To configure the ESS sync job to synchronize roles:

  1. Sign in to the SaaS service by using an account that has the Administrator role.
  2. From the Setup and Maintenance panel of your service, search for the taskflow Migrate Enterprise Roles and Assignments to PaaS Identity.
    The Migrate Enterprise Roles and Assignments to PaaS Identity Store page loads showing any roles that have been selected for synchronization.
  3. To add roles to the table, select the Add Row action by clicking the plus icon or selecting it from the Actions menu.
  4. Search for roles by display name or role name. To see a list of every role in the system, leave both fields blank and click Search.
  5. In the search results, select one or more roles that you want to synchronize, and click Add.
  6. To remove roles, select a row in the table and click the red X icon or the remove action from the Actions menu.
Roles in this table will be synchronized, up to the maximum limit specified by the FND_ROLE_SYNC_MAX_SELECTED_ROLES_SIZE profile. You can’t add more roles to the table if it has reached the limit defined by this profile. Each role in the table has a SyncStatus and SyncStatusMessage field, that indicate whether the role has been synchronized, is pending synchronization, or has failed synchronization due to an error.

Schedule Synchronization from Oracle Fusion Applications Cloud Service to Oracle Identity Cloud Service

Use the Oracle Enterprise Scheduler (ESS) Scheduled Processes tool to schedule one-off or repeating synchronizations of user identity, role, and role assignment data from Oracle Fusion Applications Cloud Service services to Oracle Identity Cloud Service.

The ESS synchronization process batch loads new users, roles, and role assignments, applies changes to identities and role assignments, and deletes records from Oracle Identity Cloud Service that have been deleted from your service. If Oracle Identity Cloud Service is the identity provider, user credentials in Oracle Fusion Applications Cloud Service aren’t used when user accounts synchronize from Oracle Fusion Applications Cloud Service services to Oracle Identity Cloud Service. Instead, when users are synchronized to Oracle Identity Cloud Service, they receive a welcome email and reset their passwords for the new Oracle Identity Cloud Service account. In this case, follow the steps to disable notifications in step 1.

To schedule a one-off or repeating user identity and role synchronization process:

  1. If Oracle Fusion Applications Cloud Service is the identity provider, you generally don’t want users to receive welcome messages from Oracle Identity Cloud Service when the job synchronizes their account to Oracle Identity Cloud Service. You can turn off these notifications. Sign in to your Oracle Identity Cloud Service console. Select the Settings tab, and then click the Notifications button on the left. Deselect the Welcome Federated SSO User check box, and click Save to apply your changes.
  2. Sign in to your Oracle Fusion Applications Cloud Service service using an account with the Administrator role.
  3. On the main console, open the Navigator menu on the left side of the screen by clicking the menu icon.
  4. Select More.
  5. In the Tools submenu, click Scheduled Processes.
    The Scheduled Processes Overview screen opens. Use this screen to review upcoming scheduled processes, and to create new scheduled processes.
  6. In the Search Results section, click the Schedule New Process button.
  7. In the Schedule New Process dialog, click the down arrow icon at the end of the Name field to open the process name list and find the User identity synchronization from this SaaS instance to the PaaS Identity Store job.
  8. Click OK to select the job. The Process Details dialog opens, showing the process you selected.
  9. Optionally, click Process Options.
    In the Process Options dialog, you can control the format of the displayed or reported job details, such as the displayed time zone, time format, and language options.
  10. Optionally, click Advanced.
    • Using the Notification tab, you can add notifications to be sent to specified recipients triggered by success, warning, and error results of the user synchronization job.
    • Using the Schedule tab, you can select between As soon as possible, which will schedule the sync job to run immediately, or Using a schedule, which allows you to create a repeating scheduled sync process. To modify the retry attempts or batch size profiles, modify the ESS Sync Job profiles.
  11. In the Process Details dialog, click Submit.
    The process is scheduled, and added to the Search Results table on the Scheduled Processes Overview screen.

Review and Monitor ESS Sync Job Results

To verify success and identify issues, you can review and monitor the results of your ESS synchronization jobs.

  1. Sign in to the service by using an account with the Administrator role.
  2. In the Setup and Maintenance panel of your service, search for the taskflow Manage User Identity Synchronization to PaaS Identity Store.
  3. On the Manage User Identity Synchronization to PaaS Identity Store page, review the Users Successfully Synchronized tab.
    After you’ve run a synchronization job that successfully synchronized user identities, each user is listed on this tab.
  4. To view the role assignment history of a user, select the user row in the Users Synchronized table.
    The Role Assignment History of <user name> user table includes role assignment data for the user. If the user has never had roles synchronized, the table will show the message No data to display.
  5. Review the Users Failed to Synchronize tab.
    The Users Failed to Synchronize tab shows two tables: Users Sync failed and User Role Assignments Sync failed. Failed synchronizations will be retried the next time the sync job runs, until the maximum number of retry attempts has been made. This limit is set in the FND_USER_MIGRATION_MAX_RETRY_ATTEMPTS profile. Failed synchronizations include a response code, error code, and failure message which can assist with troubleshooting. To configure the maximum retry attempts number, modify the ESS Sync Job profiles.
  6. Review the Users Yet to Synchronize tab.
    This tab contains a table that lists all users that have user identity or role changes that have not been synchronized. You can use this table to verify whether a specific user identity has been synchronized, and to help adjust how frequently you need to run the synchronization job.

Reset ESS Synchronization Data

Under certain conditions, you may need to reset synchronization data. After it’s reset, the ESS synchronization job attempts to synchronize all user identities, roles, and corresponding role assignments that are configured for synchronization.

In some cases, you may want to force the ESS synchronization job to attempt to synchronize every user identity, configured role, and corresponding role assignment for all users, even for users that were previously synchronized and for which no changes to identity or role have been made. For example, if you migrate user data from test to production, you’ll need to reset synchronization data in order to cause records that were previously synchronized with the test instance to be synchronized again to the new production instance.

All roles configured for synchronization on the Migrate Enterprise Roles and Assignments to PaaS Identity Store page are removed and must be configured again.

To reset synchronization data:

  1. Sign in to Oracle Fusion Applications Cloud Service by using an account with the Administrator role.
  2. On the Setup and Maintenance panel of your service, search for the taskflow Manage User Identity Synchronization to PaaS Identity Store.
  3. On the Manage User Identity Synchronization to PaaS Identity Store page, click the Reset Synchronization Data button in the top right of the screen. Confirm that you want to reset synchronization data in the dialog.
The next time you run the ESS batch synchronization job, all user identities and, if configured, roles and role assignments, will be synchronized.