Oracle Cloud Infrastructure Documentation

User Provisioning with Oracle Identity Cloud Service

This topic describes how you can use SCIM to provision federated users in Oracle Cloud Infrastructure.

Important

If your tenancy was created December 21, 2018 or later, your tenancy is automatically configured to provision your Oracle Identity Cloud Service users in Oracle Cloud Infrastructure. See Understanding User Types and Managing User Capabilities for Federated Users for information on managing these users.

Overview

SCIM (System for Cross-domain Identity Management) is an IETF standard protocol that enables user provisioning across identity systems. Oracle Cloud Infrastructure hosts a SCIM endpoint for provisioning federated users into Oracle Cloud Infrastructure.

After you configure the SCIM integration between Oracle Identity Cloud Service and Oracle Cloud Infrastructure, users that are added to groups mapped to Oracle Cloud Infrastructure groups are automatically provisioned in Oracle Cloud Infrastructure. Each of these users is assigned an Oracle Cloud Identifier (OCID), an Oracle-assigned unique ID that is included as part of the resource's information in both the Console and the API, and can have API keys and other service-specific credentials.

Because these users are provisioned in Oracle Cloud Infrastructure, the following functionality is supported:

  • An administrator can list the users in the Console
  • An administrator can enable user capabilities to use other credential types (such as API keys and auth tokens)
  • Federated users can access the User Settings page to see and manage these credentials for themselves

When you add users to or remove users from Oracle Cloud Infrastructure-mapped groups in your IdP, the updates are automatically synced with Oracle Cloud Infrastructure.

Understanding User Types

The SCIM configuration introduces the concept of the provisioned or synchronized user. The following descriptions provide details to help you understand the user types you'll be managing.

  • Federated users

    A federated user is created and managed in an identity provider. Federated users can sign in to the Console using a password managed in their identity provider. Federated users are granted access to Oracle Cloud Infrastructure based on their membership in groups that are mapped to Oracle Cloud Infrastructure groups.

  • Provisioned (or Synchronized) users

    A synchronized user is systematically provisioned by the identity provider in Oracle Cloud Infrastructure for each federated user. Synchronized users can have Oracle Cloud Infrastructure credentials, but not Console passwords. When listing users in the Console, you can identify synchronized users using the User Type filter.

  • Local users

    A local user is a user created and managed in Oracle Cloud Infrastructure's IAM service. Federated tenancies typically would have few, if any, local users. When listing users in the Console, you can identify local users using the User Type filter.

Figure: summary of the characteristics of the user types (federated, synchronized, local).

Who Should Set Up This Integration?

Set up this integration if your federated users need to have the specialized credentials required by some services and features. For example, if you need your federated users to access Oracle Cloud Infrastructure through the SDK or CLI, setting up this integration enables these users to get the API keys needed for this access.

Upgrading Your Oracle Identity Cloud Service Federation

If your federation with Oracle Identity Cloud Service was set up before December 13, 2018, perform this one-time upgrade task.

To upgrade your Oracle Identity Cloud Service federation:

  1. Open the navigation menu. Under Governance and Administration, go to Identity and click Federation.

    A list of the identity providers in your tenancy is displayed.

  2. Click your Identity Cloud Service federation to view its details. If your tenancy was auto-federated, it is listed as OracleIdentityCloudService.
  3. Click Edit Mapping.
  4. When prompted, provide the client ID and client secret for the Oracle Identity Cloud Service application, and then click Continue.

Allow several minutes for the changes to take effect.

What to Expect After the Upgrade

When the system has had time to synchronize, you can manage user capabilities for federated users in the Console. Users that belong to a group mapped to a group in Oracle Cloud Infrastructure are listed on the Users page in the Console. Whenever you add new users to mapped groups in Oracle Identity Cloud Service, they will be available in the Console after the system synchronizes.

By default, the following user capabilities are enabled:

  • API keys
  • auth tokens
  • SMTP credentials
  • customer secret keys

Note that you can't enable a local password: the Oracle Cloud Infrastructure Console password is still managed only in your IdP.

For more information about user capabilities, see Managing User Capabilities for Federated Users.

Resetting Credentials

Use the Reset Credentials button to reset your SCIM client credentials. You can perform this task periodically as a security measure to rotate your credentials. Oracle Cloud Infrastructure automatically resets the credentials with Oracle Identity Cloud Service. You don't need to manually reset any configurations.

Actions You Still Perform in Your Oracle Identity Cloud Service

After the integration is set up, continue to perform the following actions in your Oracle Identity Cloud Service:

  • Create users and assign them to groups.

  • Delete users.

    Users that you delete from your IdP are removed from Oracle Cloud Infrastructure when the next syncing cycle completes.

  • Query for group membership.
  • Manage sign-in passwords for users.
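The following added example (not Oracle's code, and not a call to any real endpoint) models one synchronization cycle as the Overview and the deletion note above describe it: the identity provider provisions one synchronized user per federated user who belongs to a group mapped to an Oracle Cloud Infrastructure group, and users removed from the IdP are removed on the next cycle. The IdP groups, the group-to-OCI-group mapping and the set of already-synchronized users are constructed sample data, and the User representation follows the generic SCIM 2.0 core schema (RFC 7643); a synchronized user is built without a password attribute, since Console passwords stay in the IdP.

```python
"""Client-side model of one SCIM synchronization cycle (added example).

Assumptions: a generic SCIM 2.0 User representation (RFC 7643) and
constructed sample IdP data. No network calls are made.
"""
import json
from typing import Dict, Set

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed sample: IdP groups and their members.
IDP_GROUP_MEMBERS: Dict[str, Set[str]] = {
    "idp-cloud-admins": {"alice@example.com", "bob@example.com"},
    "idp-developers": {"carol@example.com"},
    "idp-finance": {"dave@example.com"},  # not mapped: members are not synced
}

# Hypothetical mapping from IdP groups to OCI groups (configured in the
# Console in a real tenancy; these names are made up for the example).
GROUP_MAPPING: Dict[str, str] = {
    "idp-cloud-admins": "Administrators",
    "idp-developers": "Developers",
}


def users_in_mapped_groups(idp_groups: Dict[str, Set[str]],
                           mapping: Dict[str, str]) -> Dict[str, Set[str]]:
    """Return {user: OCI groups} for every IdP user in at least one mapped group."""
    result: Dict[str, Set[str]] = {}
    for idp_group, members in idp_groups.items():
        oci_group = mapping.get(idp_group)
        if oci_group is None:
            continue  # unmapped IdP groups never cause provisioning
        for user in members:
            result.setdefault(user, set()).add(oci_group)
    return result


def build_scim_user(user_name: str, external_id: str) -> dict:
    """Build a minimal RFC 7643 User resource for a synchronized user.

    There is deliberately no 'password' attribute: synchronized users can
    hold OCI credentials (API keys, auth tokens, ...) but no Console password.
    """
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": user_name,
        "externalId": external_id,
        "active": True,
    }


def validate_scim_user(resource: dict) -> bool:
    """Required SCIM attributes present and no password being provisioned."""
    return (
        SCIM_USER_SCHEMA in resource.get("schemas", [])
        and bool(resource.get("userName"))
        and "password" not in resource
    )


def plan_sync(idp_groups: Dict[str, Set[str]], mapping: Dict[str, str],
              existing_synced_users: Set[str]) -> dict:
    """Compute one sync cycle: users to create, delete and keep.

    'desired' is the set of users who should exist as synchronized users
    after the cycle, each with the OCI groups they belong to.
    """
    desired = users_in_mapped_groups(idp_groups, mapping)
    return {
        "create": sorted(set(desired) - existing_synced_users),
        "delete": sorted(existing_synced_users - set(desired)),
        "keep": sorted(set(desired) & existing_synced_users),
        "desired": desired,
    }


if __name__ == "__main__":
    # erin was deleted in the IdP since the last cycle; alice is unchanged.
    existing = {"alice@example.com", "erin@example.com"}
    plan = plan_sync(IDP_GROUP_MEMBERS, GROUP_MAPPING, existing)
    for user in plan["create"]:
        body = build_scim_user(user, external_id=f"idp-{user}")
        assert validate_scim_user(body)
        print("would POST /Users", json.dumps(body))
    for user in plan["delete"]:
        print("would DELETE the synchronized user for", user)
```

Running the script with the sample data creates bob and carol, deletes erin, keeps alice, and never touches dave, whose only group is unmapped. The `validate_scim_user` check is the defender's guard rail here: it rejects any resource that would carry a password into the synchronized user, which matches the page's rule that sign-in passwords are managed only in the IdP.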