Learn About Integrating an Oracle SaaS Application with Oracle PaaS

You can enable a variety of integration scenarios by setting up federated trust between your Oracle Fusion Applications Cloud Service instance and your Oracle PaaS account using Oracle Identity Cloud Service. Federated trust provides Federated Single Sign-On (SSO). Identity federation is secured by SAML-based authentication. With the steps in this solution, OAuth 2.0 is also configured, allowing both user and role synchronization, and application security for role-based access control to secure Oracle Fusion Applications Cloud Service REST APIs using OAuth 2.0 tokens.

Architecture

This architecture shows the options and valid configurations for integrating your Oracle Fusion Applications Cloud Service with an Oracle PaaS account using Oracle Identity Cloud Service.

One option is to set up Oracle Fusion Applications Cloud Service as the identity provider:



When Oracle Fusion Applications Cloud Service is the identity provider, users, roles, and role assignments may be synchronized with Oracle Identity Cloud Service by using the Fusion Applications application set up within Oracle Identity Cloud Service. Oracle Identity Cloud Service can then provide user and group management for other Oracle PaaS applications. Users are created in Oracle Fusion Applications Cloud Service.

The other option is to set up Oracle Identity Cloud Service as the identity provider, with Oracle Fusion Applications Cloud Service as a service provider:



When Oracle Identity Cloud Service is the identity provider, user accounts may be synchronized with Oracle Fusion Applications Cloud Service by using the Fusion Applications application set up within Oracle Identity Cloud Service. However, roles must be created in Oracle Fusion Applications Cloud Service and assigned to users there; then, you can use the ESS Sync Job to synchronize roles and role assignments to Oracle Identity Cloud Service. Oracle Identity Cloud Service can then provide user and group management for other Oracle PaaS applications. Users are created in Oracle Identity Cloud Service.

About Required Services and Roles

This solution requires the following services and roles:

  • Oracle Fusion Applications Cloud Service
  • An Oracle PaaS account using Oracle Identity Cloud Service

These are the roles needed for each service.

  • Service: Oracle Fusion Applications Cloud Service
    Roles: Application Diagnostics Administrator, Application Implementation Consultant, and IT Security Manager
    Required to: Configure an endpoint in Oracle Fusion Applications Cloud Service and set up the ESS Sync Job.
  • Service: Oracle Identity Cloud Service
    Role: Identity Domain Administrator
    Required to: Configure federated SSO, OAuth, and user and role synchronization.

See Learn how to get Oracle Cloud services for Oracle Solutions to get the cloud services you need.

About the Steps for Assembling the Integration

The articles in this solution are intended to help you assemble your own integration.

Broadly, you should follow these steps to assemble the integration described in this solution:

  1. Learn about the service environments and components you’ll be using to implement the solution.
  2. Learn about authorization strategies for your PaaS-SaaS interactions.
  3. Set up and enable federated SSO, SAML-based authentication, and OAuth-based access control by establishing a trusted connection between your Oracle Fusion Applications Cloud Service instance and your Oracle PaaS account with Oracle Identity Cloud Service. You must choose which of the two services will act as the Identity Provider and which will be a Service Provider, identify and select the user source, and then complete only the steps for your chosen configuration.
  4. If needed, enable any combination of user account, role, and role assignment synchronization between your Oracle SaaS and Oracle PaaS instances.

The steps for how you enable user and role synchronization depend on which of the following scenarios you have chosen to implement:

  • With Oracle Fusion Applications Cloud Service as the identity provider (IDP) and Oracle Identity Cloud Service as a service provider (SP), your user names, passwords, and other user account information are managed in Oracle Fusion Applications Cloud Service, and synchronized to your Oracle PaaS account's Oracle Identity Cloud Service instance.
  • With Oracle Identity Cloud Service as the IDP and Oracle Fusion Applications Cloud Service as an SP, you can choose one of the following configuration options:
    • Create and manage your users in your Oracle PaaS Oracle Identity Cloud Service instance and synchronize them to your Oracle Fusion Applications Cloud Service instance.
    • Create and manage users in Oracle Fusion Applications Cloud Service and synchronize them to your Oracle Identity Cloud Service instance. Note this alternate configuration is not shown in the previous architecture diagrams.

In any of these implementations, if you want to synchronize roles and role assignments, they should be synchronized from Oracle Fusion Applications Cloud Service to Oracle Identity Cloud Service. The steps for configuring role and role assignment synchronization are presented for each of the described scenarios.

About Synchronization Direction

In addition to configuring federation with SSO, you can set up synchronization to push user identities, roles, and role assignments from one identity management system to the other.

When Oracle Fusion Applications Cloud Service is the identity provider, you’ll always provision users first in Oracle Fusion Applications Cloud Service. You’ll then synchronize them to your federated Oracle Identity Cloud Service instance. Roles and role assignments will also be synchronized.

When Oracle Fusion Applications Cloud Service is a service provider, Oracle Identity Cloud Service is the identity provider. In this scenario, you can choose between two options:
  • You can provision users in Oracle Fusion Applications Cloud Service and synchronize them to Oracle Identity Cloud Service. Roles and role assignments will also be synchronized.
  • You can provision users in Oracle Identity Cloud Service and synchronize them to Oracle Fusion Applications Cloud Service. Role and role assignment synchronization is optional in this case, and can only be performed by using the Oracle Fusion Applications Cloud Service ESS sync job.

You cannot use both options with the same configuration, so you must choose one option to implement.

Be sure to understand in which direction you’re configuring synchronization, and then follow the instructions in the synchronization article that matches your configuration.

About Roles and Oracle Identity Cloud Service Groups

Synchronizing role and role assignments to Oracle Identity Cloud Service creates Oracle Identity Cloud Service groups and assigns users to the groups. After the synchronization process creates new groups in Oracle Identity Cloud Service, you’ll need to assign appropriate privileges to the groups.

When the sync job synchronizes a role to Oracle Identity Cloud Service for the first time, a new group is created in Oracle Identity Cloud Service. Then, when a role assignment for the role is synchronized to Oracle Identity Cloud Service, the user is assigned to the group.

For example: suppose you want to grant PaaS-service-specific privileges to Oracle Sales Cloud users who have the sales administrator role. First, set up the synchronization job by following the procedures in this document. Run the sync job to synchronize users, roles, and role assignments to Oracle PaaS, making sure that you’re synchronizing all of the desired Oracle Sales Cloud users who have the sales administrator role, as well as the sales administrator role itself. As part of the synchronization process, a group called “sales administrator” is created in Oracle Identity Cloud Service. You then need to sign in to Oracle Identity Cloud Service and grant the PaaS service-specific role to the group that was created by the sync job. This grants the appropriate privileges to the group, and therefore to the users, in Oracle Identity Cloud Service.

Roles from Oracle Fusion Applications Cloud Service services are mapped to Oracle Identity Cloud Service groups this way:

  • Oracle Fusion Applications Cloud Service role attribute ROLE_NAME maps to Oracle Identity Cloud Service group attribute displayName.
  • Oracle Fusion Applications Cloud Service role attribute DESCRIPTION maps to Oracle Identity Cloud Service group attribute description.
  • Oracle Fusion Applications Cloud Service role attribute ROLE_COMMON_NAME maps to Oracle Identity Cloud Service group attribute externalId.

In Oracle Identity Cloud Service, the externalId attribute isn’t visible in the UI.

About Duplicate Roles With Prefixes

If enterprise roles that were stored in another identity management system were then migrated to Oracle Fusion Applications Cloud Service, you may see duplicate roles in your system, some with the ORA_ prefix and some with another prefix, such as ASM_.

In these cases, only synchronize roles that have the ORA_ prefix (or no prefix). Don’t synchronize duplicate roles that have another prefix. If you try to synchronize these duplicate roles you’ll see synchronization errors.
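The following Python model, added here as an illustration and not Oracle's own sync job code, shows how the role-to-group mapping described above behaves across sync runs: a role becomes a group on its first synchronization (keyed by externalId, which carries ROLE_COMMON_NAME), later runs reuse that group and only add members for new role assignments, and duplicate roles carrying a migrated prefix are skipped and reported instead of producing errors. The FusionRole and IdcsGroup shapes, the sync_roles_to_groups function, the skip_prefixes parameter and every sample role, user and assignment are constructed assumptions; only the three attribute mappings and the "synchronize ORA_ or unprefixed roles only" rule come from this page.

```python
"""Model of Fusion role / role-assignment synchronization into IDCS groups.

Added example, not Oracle's sync code. Record shapes, function names and
sample data are constructed; the attribute mapping (ROLE_NAME -> displayName,
DESCRIPTION -> description, ROLE_COMMON_NAME -> externalId) and the rule to
skip duplicate roles with a non-ORA_ prefix are taken from the documentation.
"""
import copy
from dataclasses import dataclass, field


@dataclass
class FusionRole:
    """A role record as exported from Oracle Fusion Applications (assumed shape)."""
    ROLE_NAME: str
    DESCRIPTION: str
    ROLE_COMMON_NAME: str


@dataclass
class IdcsGroup:
    """An IDCS group as created by the sync job (assumed shape)."""
    displayName: str
    description: str
    externalId: str                      # ROLE_COMMON_NAME; not shown in the IDCS UI
    members: set = field(default_factory=set)


def sync_roles_to_groups(roles, assignments, groups=None, skip_prefixes=("ASM_",)):
    """Simulate one run of the sync job.

    roles:         iterable of FusionRole
    assignments:   iterable of (ROLE_COMMON_NAME, user_name) pairs
    groups:        IDCS state from earlier runs, keyed by externalId (not mutated)
    skip_prefixes: prefixes that mark migrated duplicate roles (constructed list;
                   the page names ASM_ as one example of "another prefix")
    Returns (new_groups, report).
    """
    groups = copy.deepcopy(groups) if groups else {}
    report = {"skipped_roles": [], "orphan_assignments": []}

    for role in roles:
        key = role.ROLE_COMMON_NAME
        if key.startswith(skip_prefixes):
            # Duplicate from a migrated identity system: do not synchronize it.
            report["skipped_roles"].append(key)
            continue
        if key not in groups:
            # First time this role is seen: create the group with the mapped attributes.
            groups[key] = IdcsGroup(displayName=role.ROLE_NAME,
                                    description=role.DESCRIPTION,
                                    externalId=key)
        # An existing group is reused; its attributes are not recreated.

    for role_cn, user in assignments:
        group = groups.get(role_cn)
        if group is None:
            # Assignment to a role that was not synchronized: surface it for review.
            report["orphan_assignments"].append((role_cn, user))
            continue
        group.members.add(user)          # role assignment -> group membership

    return groups, report


# Constructed sample data: these are not real Fusion role codes or real users.
SAMPLE_ROLES = [
    FusionRole("Sales Administrator", "Sales administrator job role", "ORA_EXAMPLE_SALES_ADMIN"),
    FusionRole("Sales Administrator", "Migrated duplicate of the role above", "ASM_EXAMPLE_SALES_ADMIN"),
    FusionRole("Custom Sales Analyst", "Custom role without a prefix", "EXAMPLE_CUSTOM_ANALYST"),
]
SAMPLE_ASSIGNMENTS = [
    ("ORA_EXAMPLE_SALES_ADMIN", "alice@example.com"),
    ("ORA_EXAMPLE_SALES_ADMIN", "bob@example.com"),
    ("EXAMPLE_CUSTOM_ANALYST", "carol@example.com"),
    ("ASM_EXAMPLE_SALES_ADMIN", "dave@example.com"),   # assigned to the duplicate role
]


def run_two_syncs():
    """First run creates groups; second run adds one new assignment to an existing group."""
    groups, _ = sync_roles_to_groups(SAMPLE_ROLES, SAMPLE_ASSIGNMENTS)
    later = SAMPLE_ASSIGNMENTS + [("EXAMPLE_CUSTOM_ANALYST", "erin@example.com")]
    return sync_roles_to_groups(SAMPLE_ROLES, later, groups)


if __name__ == "__main__":
    final_groups, final_report = run_two_syncs()
    for g in final_groups.values():
        print(g.displayName, g.externalId, sorted(g.members))
    print(final_report)
```

After the sync creates the groups, the remaining step from the page still applies: an administrator signs in to Oracle Identity Cloud Service and grants the PaaS-specific role to each new group, which is why the model reports skipped roles and orphan assignments rather than silently dropping them.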

Before You Begin

Before you begin integrating an Oracle SaaS application with Oracle PaaS, you should make sure you understand the concepts involved.