This topic describes how you can use SCIM to provision federated users in Oracle Cloud Infrastructure.
If your tenancy was created December 21, 2018 or later, your tenancy is automatically configured to provision your Oracle Identity Cloud Service users in Oracle Cloud Infrastructure. See Understanding User Types and Managing User Capabilities for Federated Users for information on managing these users.
SCIM (System for Cross-domain Identity Management) is an IETF standard protocol that enables user provisioning across identity systems. Oracle Cloud Infrastructure hosts a SCIM endpoint for provisioning federated users into Oracle Cloud Infrastructure.
After you configure the SCIM integration between Oracle Identity Cloud Service and Oracle Cloud Infrastructure, users that are added to groups mapped to Oracle Cloud Infrastructure groups are automatically provisioned in Oracle Cloud Infrastructure. These users are assigned an Oracle Cloud Identifier (OCID), an Oracle-assigned unique ID that is included as part of the resource's information in both the Console and API, and they can have API keys and other service-specific credentials.
Because these users are provisioned in Oracle Cloud Infrastructure, the following functionality is supported:
- An administrator can list the users in the Console
- An administrator can enable user capabilities to use other credential types (such as API keys and auth tokens)
- Federated users can access the User Settings page to see and manage these credentials for themselves
When you add or remove users to Oracle Cloud Infrastructure-mapped groups in your IdP, the updates are automatically synched with Oracle Cloud Infrastructure.
The SCIM configuration introduces the concept of the provisioned or synchronized user. The following descriptions provide details to help you understand the user types you'll be managing.
Federated users
A federated user is created and managed in an identity provider. Federated users can sign in to the Console using a password managed in their identity provider. Federated users are granted access to Oracle Cloud Infrastructure based on their membership in groups that are mapped to Oracle Cloud Infrastructure groups.
Provisioned (or Synchronized) users
A synchronized user is systematically provisioned by the identity provider in Oracle Cloud Infrastructure for each federated user. Synchronized users can have Oracle Cloud Infrastructure credentials, but not Console passwords. When listing users in the Console, you can identify synchronized users using the User Type filter.
Local users
A local user is a user created and managed in Oracle Cloud Infrastructure's IAM service. Federated tenancies typically would have few, if any, local users. When listing users in the Console, you can identify local users using the User Type filter.
The following graphic summarizes the characteristics of the user types:
Who Should Set Up This Integration?
Set up this integration if your federated users need to have the specialized credentials required by some services and features. For example, if you need your federated users to access Oracle Cloud Infrastructure through the SDK or CLI, setting up this integration enables these users to get the API keys needed for this access.
If your federation with Oracle Identity Cloud Service was set up before December 13, 2018, perform this one-time upgrade task.
To upgrade your Oracle Identity Cloud Service federation:
- Open the navigation menu. Under Governance and Administration, go to Identity and click Federation. A list of the identity providers in your tenancy is displayed.
- Click your Identity Cloud Service federation to view its details. If your tenancy was auto-federated, it is listed as OracleIdentityCloudService.
- Click Edit Mapping.
- When prompted, provide the client ID and client secret for the Oracle Identity Cloud Service application, and then click Continue.
Where do I find the client ID and client secret?
The client ID and client secret are stored in Oracle Identity Cloud Service. To get this information:
- Sign in to the Oracle Identity Cloud Service console through My Services.
- In the Identity Cloud Service console, click Applications. The list of trusted applications is displayed.
- Click COMPUTEBAREMETAL.
- Click Configuration.
- Expand General Information. The client ID is displayed. Click Show Secret to display the client secret.
Allow several minutes for the changes to take effect.
What to Expect After the Upgrade
When the system has had time to synchronize, you can manage user capabilities for federated users in the Console. Users that belong to a group mapped to a group in Oracle Cloud Infrastructure are listed on the Users page in the Console. Whenever you add new users to mapped groups in Oracle Identity Cloud Service, they will be available in the Console after the system synchronizes.
By default, the following user capabilities are enabled:
- API keys
- auth tokens
- SMTP credentials
- customer secret keys
Notice that you can't enable a local password. The Oracle Cloud Infrastructure console password is still managed only in your IdP.
For more information about user capabilities, see Managing User Capabilities for Federated Users.
Use the Reset Credentials button to reset your SCIM client credentials. You can perform this task periodically as a security measure to rotate your credentials. Oracle Cloud Infrastructure automatically resets the credentials with Oracle Identity Cloud Service. You don't need to manually reset any configurations.
Actions You Still Perform in Your Oracle Identity Cloud Service
After the integration is set up, continue to perform the following actions in your Oracle Identity Cloud Service:
- Create users and assign them to groups. Users that you delete from your IdP are removed from Oracle Cloud Infrastructure when the next synching cycle completes.
- Query for group membership.
- Manage sign-in passwords for users.
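The following script is an added illustration (not Oracle's code) of the group-mapping sync semantics described above: only members of IdP groups that are mapped to Oracle Cloud Infrastructure groups are provisioned, a synchronized user carries no password attribute, and a user who no longer appears in any mapped group is removed at the next sync cycle. The group names, user records and the `reconcile` function are hypothetical; only the SCIM 2.0 core User schema URI is a real identifier.

```python
from typing import Dict, List, Set, Tuple

# SCIM 2.0 core User schema URI (RFC 7643); the OCI endpoint itself is not modelled here
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"

def provisioned_user(idp_user: dict) -> dict:
    """SCIM User resource the IdP would push for one federated user.
    No password attribute: synchronized users keep their sign-in password in the IdP only."""
    return {"schemas": [SCIM_USER], "externalId": idp_user["id"],
            "userName": idp_user["userName"], "active": True}

def reconcile(mappings: Dict[str, str], idp_groups: Dict[str, List[dict]],
              oci_users: Dict[str, dict]) -> Tuple[List[dict], List[dict], Dict[str, Set[str]]]:
    """mappings: IdP group -> OCI group; idp_groups: IdP group -> member records;
    oci_users: externalId -> user already synchronized in OCI.
    Returns (users to provision, users to remove this cycle, resulting OCI group membership)."""
    desired: Dict[str, dict] = {}
    membership: Dict[str, Set[str]] = {}
    for idp_group, members in idp_groups.items():
        oci_group = mappings.get(idp_group)
        if oci_group is None:
            continue  # membership in an unmapped group never provisions anyone
        for user in members:
            desired[user["id"]] = provisioned_user(user)
            membership.setdefault(oci_group, set()).add(user["userName"])
    to_provision = [u for ext_id, u in desired.items() if ext_id not in oci_users]
    to_remove = [u for ext_id, u in oci_users.items() if ext_id not in desired]
    return to_provision, to_remove, membership

# Constructed sample data: hypothetical IdP groups, OCI groups and users
MAPPINGS = {"OCI_Administrators": "Administrators", "OCI_Developers": "Developers"}
IDP_GROUPS = {
    "OCI_Administrators": [{"id": "idp-1", "userName": "alice@example.com"}],
    "OCI_Developers": [{"id": "idp-1", "userName": "alice@example.com"},
                       {"id": "idp-2", "userName": "bob@example.com"}],
    "HR_Only": [{"id": "idp-3", "userName": "carol@example.com"}],  # not mapped to OCI
}
# Already synchronized in OCI: alice, plus dave, who has since been deleted in the IdP
OCI_USERS = {"idp-1": provisioned_user({"id": "idp-1", "userName": "alice@example.com"}),
             "idp-4": provisioned_user({"id": "idp-4", "userName": "dave@example.com"})}

def demo() -> Tuple[List[dict], List[dict], Dict[str, Set[str]]]:
    return reconcile(MAPPINGS, IDP_GROUPS, OCI_USERS)

if __name__ == "__main__":
    add, remove, groups = demo()
    print("provision:", [u["userName"] for u in add])   # bob only; carol is in an unmapped group
    print("remove:", [u["userName"] for u in remove])   # dave, deleted in the IdP
    print("groups:", groups)
```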