Managing Applications
Identity domains provide a secure and centralized cloud service to manage your cloud, Oracle, custom, and enterprise applications.
Required Policy or Role
- Be a member of the Administrators group
- Be granted the Identity Domain Administrator role or the Application Administrator role
- Be a member of a group granted
managedomains
To understand more about policies and roles, see The Administrators Group, Policy, and Administrator Roles, Understanding Administrator Roles, and Understanding Policies.
Cloud Applications
Cloud applications are web-based applications that function in the cloud. These applications can be accessed from anywhere, and at any time, over the web. Examples of cloud applications are Google, Salesforce, and Dropbox.
Oracle and Custom Applications
Oracle applications are a complete and modular set of enterprise applications, engineered to be cloud-ready. In Oracle Cloud, you'll find a broad range of software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS) applications. You can use these applications as part of a subscription-based service; there's no software license or hardware to buy and manage. Oracle handles all the supporting underlying technologies.
You can extend Oracle applications or even build your own custom cloud applications in Oracle Cloud. Custom applications are applications (such as a mobile application, a web page, a client application, or a server application) that you can integrate with IAM. By default, for security purposes, custom applications are trusted or confidential.
IAM leverages the power of OpenID Connect and OAuth to deliver a highly-scalable, multi-tenant token service for securing programmatic access to custom applications by other custom applications, and for federated SSO and authorization integration with these applications:
-
Use OAuth 2.0 to define authorization in IAM for your custom applications. OAuth 2.0 has an authorization framework, commonly used for third-party authorization requests with consent. Custom applications can implement both two-legged and three-legged OAuth flows.
-
Use OpenID Connect to externalize authentication to IAM for your custom applications. OpenID Connect has an authentication protocol that provides Federated SSO, leveraging the OAuth 2.0 authorization framework as a way to federate identities in the cloud. Custom applications participate in an OpenID Connect flow.
Using the OAuth 2.0 and OpenID Connect standards provides the following benefits:
-
Federated SSO between the custom application and IAM. Resource owners (users accessing the custom application) need a single login to access IAM plus all applications integrated. IAM handles the authentication and credentials itself, insulating custom applications. This capability is provided by OpenID Connect with OAuth 2.0.
-
Authorization to perform operations on third-party servers with consent. Resource owners can decide at runtime whether the custom applications should have authorization to access data or perform tasks for them. This capability is provided by OAuth 2.0.
Enterprise Applications
Enterprise applications are web applications that require App Gateway to integrate with IAM for authentication and authorization purposes.
Enterprise applications work similarly to confidential applications if you configure the Client configuration and Resource server configurations section under OAuth configuration tab.
To configure an enterprise application to work with App Gateway for authentication and authorization purposes, you need to know the following information about your web application:
-
The web application's base URL. For example, if a known URL of your application is
http://myapp.internal.example.com:3266/myapp/private/home, then the base URL ishttp://myapp.internal.example.com:3266.
-
The list of resources of your web application. For example, if your web application exposes the following URLs: functionalities A to Z in the following format
/myapp/private/funcAto/myapp/private/funcZ, a home page/myapp/private/home, a logout URL/myapp/logout, an about pagemyapp/public/about, and an index page/myapp/index, then the list of all resources of your web application is:- URLs from
/myapp/private/funcAto/myapp/private/funcZ -
/myapp/private/home -
/myapp/logout -
/myapp/public/about -
/myapp/index
- URLs from
-
For each resource, define which resources require the user to be authenticated, which don't require user authentication, and which resource represents the log out action. Below are examples of authenticated and non-authenticated resources:
- Resources from
/myapp/private/funcAto/myapp/private/funcZ, and/myapp/private/homerequire the user to be authenticated. /myapp/logoutlogs out the user.- Both
myapp/public/aboutand/myapp/indexare public resources and don't require the user to be authenticated.
- Resources from
-
For each resource, define who can access which resource and which HTTP Method will be allowed or denied access. For example, you can define that all members of group Employees are allowed access to make
GETandPOSTHTTP requests to resource/myapp/private/home, only members of group MyGroupA can access/myapp/private/funcA, and only users accessing from within network perimeter IntranetIPs can access resources from/myapp/private/funcBto/myapp/private/funcZ.
-
Identify URL patterns that apply to your list of resources. In the previous example, the URL pattern
/myapp/private/.*matches all the application's functionality URLs and the home page URL. All these URLs may require the same kind of authentication and authorization.
Use Case: Adding Applications
To understand how to add custom applications in an identity domain, read this use case.
For this use case, a user accesses the Customer Quotes trusted application. This trusted
application is a client application that makes REST API calls to the
abccorp.com resource server application. A resource server
application is a third-party application that provides services that a trusted
application can consume on behalf of the user.
For this example, the abccorp.com resource server application is a
financial application that contains REST APIs that can be used to make a quote
(/quote), request for a quote (/rfq), or get
information about the user (/user).
When the user accesses the Customer Quotes trusted application, the application makes
REST API calls to the abccorp.com resource server application on behalf
of the user. In this example, the user doesn't communicate directly with the
abccorp.com application.
Because the Customer Quotes application performs actions on behalf of the user, the
application needs access to the /quote, /rfq, and
/user REST APIs available with the abccorp.com
application. To make these REST API calls, the Customer Quotes application might ask for
the user's consent. This consent can come at any time that the Customer Quotes
application calls for these REST APIs in the abccorp.com
application.
The user logs in to IAM and
accesses the Custom Quotes application, through single sign-on, by using OAuth 2.0 and
OpenID Connect, as this is a way of federating identities in the cloud. Because the
Customer Quotes application is authorized on behalf of the user to make the
/quote, /rfq, and /user REST API
calls to the abccorp.com application, the user can use the Customer
Quotes application to make a quote, request for a quote, and get information about the
user. Any additional actions that the user wants to perform through the Customer Quotes
application isn't allowed.
-
The
abccorp.comresource server application. This application has REST APIs (resources) that other applications, such as the Customer Quotes application, can access. In this example, the user doesn't access the resource server application directly, but indirectly through the Customer Quotes application.You register resources of the
abccorp.comresource server application. Application resources are API calls that are authorized by IAM. For this example, the application resources are the/quote,/rfq, and/userREST APIs. For security and auditing purposes, you can specify whether the user must give consent to access these resources. -
The Customer Quotes trusted application. The user uses this application to access the REST APIs of the
abccorp.comapplication.When you create this custom application, you want to generate an authorization code for the user when the user logs in to IAM. The authorization code is then sent to the Customer Quotes application to retrieve an access token. The access token contains all the rights that the user has to access the resource server application. For this example, these rights include making a quote, requesting a quote, and retrieving information about the user.
Because the access token's lifetime is short, you might want to generate a refresh token. A refresh token is a secure mechanism to obtain a new access token when the current access token expires. This way, the Customer Quotes application can access the APIs of the
abccorp.comapplication without asking for user consent again.
See Add Applications, Activate Applications, and Deactivate Applications for more information about creating and activating custom applications in IAM.
Using the Console
You can add Custom Applications, if you are assigned to either the identity domain administrator role or the application administrator role.
See Assigning Users to Roles for information about assigning users to administrator roles.
-
App Catalog application: Add an application from the Application Catalog, which contains pre-configured application templates.
-
Security Assertion Markup Language (SAML) application: Accessed by multiple users and hosted in a secure and protected place (server). Create a SAML application that supports SAML for single sign-on. This allows users to single sign-on (SSO) into your software as a service (SaaS) applications that support SAML for SSO.
-
Mobile application: Hosted directly on the resource owner's browser, machine, or mobile device. An example of this type of application is an Android or iPhone application. A mobile application can run in multiple environments outside of your control. Since these environments are not trusted, this type of application has reduced integration options.
-
Confidential application: Accessed by multiple users and hosted in a secure and protected place (server). The application uses OAuth 2.0. Applications that can protect their OAuth client id and client secret are called confidential applications
-
Enterprise application: Web applications that require App Gateway to integrate with IAM for authentication purposes. App Gateway passes HTTP headers to the application after authenticating and authorizing user's access.
-
You can access the Onboarding Applications infographic to see how to add custom applications in IAM.
-
You can access the Integrating a Custom Client Application tutorial to see how to integrate a custom client application with IAM.
-
You can access the Integrating a Custom Resource Server Application tutorial to see how to integrate a custom resource server application with IAM.
- See Manage IAM App Gateways for information on integrating an enterprise application with IAM.
Oracle creates and maintains the Application Catalog, which is a collection of application templates, for you and provides step-by-step instructions on how to configure most of the popular Software as a Service (SaaS) applications, such as Amazon Web Services and Google Suite.
User provisioning and synchronization are an important aspect of application management. Provisioning allows you to manage the lifecycle of accounts in applications like creating and deleting accounts using IAM. For example, when you grant the user access to an application such as Google Suite, then this user account is automatically created in Google Suite. This allows you to quickly add new users to multiple applications and de-provision users from those applications instantly when they change roles or leave your organization.
You can enable and configure provisioning for App Catalog applications either when adding the app or later when modifying it. When you enable provisioning by turning on the switch, the following steps appear:
When you configure the connection between your app and IAM, check and verify any pre-filled username and password field entries as these might not be the credentials to access your application.
-
Assign users or groups to your App Catalog application to start the user provisioning process for your application. See Assigning Users to Custom Applications and Assigning Groups to Custom Applications.
-
Enable and configure synchronization. To enable and configure synchronization, see Enable Synchronization for an App Catalog Application.
User provisioning and synchronization is an important aspect of application management. After enabling provisioning, synchronization allows you to control how operations like creating and deleting accounts in Software as a Service (SaaS) applications are reflected in IAM.
- Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in and click Applications.
- Click the name of the SaaS app that you want to configure.
- Under Resources, click Provisioning, and then turn on the Enable synchronization switch.
- In the Configure synchronization section, modify the attributes following the application catalog instructions for your specific SaaS application.
- Click Save changes.
Enable synchronization to import users from your SaaS app.
If the number of created objects (users) and deleted recorded objects (synced users) exceeds the maximum number allowed, the sync job quits. The maximum number of objects created or recorded objects deleted is an approximate maximum limit, not a precise limit because of the parallel processing of synced objects.
See Importing User Accounts from a Software as a Service Application.
After enabling provisioning and synchronization for your App Catalog app, you might want to import the existing users from your Software as a Service (SaaS) applications and link them to IAM users.
-
The app is activated. To activate your app, see Activating Applications.
-
Provisioning is enabled. See Enabling Provisioning for an App Catalog Application.
-
Synchronization is enabled. See Enabling Synchronization for an App Catalog Application.
After synchronizing your SaaS app with an identity domain, you will see the result of the import including the number of users created, deleted, and updated. You can do a general search based on account name, user e-mail, or username. You can also filter and search the results based on Situation and Synchronization Status. Select values from the respective lists to view users matching the search criteria. These are helpful when you have to find a set of users based on their situation or status from a huge number of results.
-
Start date is the date and time you started the import job.
-
End date determines date and time the import job finished.
-
Accounts created shows the number of identity domain accounts that got created during the import based on your synchronization settings.
-
Accounts deleted lists the number of identity domain accounts that got deleted during the import based on your synchronization settings.
-
Accounts updated notes the number of identity domain accounts that got changed during the import.
You can view the synchronization failure report of a provisioning application from the Import tab. The report contains the sync failures for the selected application. This report is useful in finding out the reason behind sync failures that occurred during account and object sync of an application.
Create a Security Assertion Markup Language (SAML) application and grant it to users so that your users can single sign-on (SSO) into your SaaS applications that support SAML for SSO.
You can edit SSO configuration information for SAML applications.
- Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in and click Applications.
- Select the SAML application from the list of applications listed.
- Under the SSO configuration section, click Edit SSO configuration.
- In the General section, modify required SAML assertion attributes for the SAML application.
- In the Additional configurations section, modify optional advanced SAML assertion settings for the SAML application (for example, selecting Assertion from the Signed SSO list to indicate that you want the SAML assertion signed).
- In the Attribute configuration section, modify user-specific and group-specific attributes for the SAML application (for example, selecting the type of user attribute from the User attribute list or selecting the condition by which you want to filter the group memberships from the Condition list).
- Click Save changes.
Add mobile applications that use OAuth 2.0 and they cannot maintain the confidentiality of their client secrets.
Confidential applications run on a protected server.
Configuring Authorized Resources
Authorized resources define the way a client can access the resources in a Confidential application.
The All authorized resource option enables the client to access any resource within a domain.
Select All to allow your application to request an access
token for trusted or confidential client using the scope
urn:opc:resource:consumer::all. This option provides a wide
scope. The access token in the response contains the audience
urn:opc:resource:scope:account and the scope
urn:opc:resource:consumer::all, which gives access to any of
the services that are in the same domain without requiring explicit association with
target services.
Use only the urn:opc:resource:consumer::all scope in the request. An
invalid scope error is returned if you attempt to include both the
urn:opc:resource:consumer::all scope and another scope in the
same request, such as urn:opc:idm:__myscopes__.
In the account mode, clients can get token for any specific resource provided either
urn:opc:resource:consumer::all or the specific resource is
added in the allowed scopes.
Apart from the scope defined above, you can also specify fine-grained scope as follows:
-
urn:opc:resource:consumer:paas::read -
urn:opc:resource:consumer:paas:stack::all -
urn:opc:resource:consumer:paas:analytics::read
The requested scope should always exist and match, either directly or hierarchically, the client's defined allowed scopes to allow the client access to the resource.
For example, a client uses the
urn:opc:resource:consumer:paas:analytics::read scope in its
request for access to a resource. If the scope directly matches an allowed scope
defined, then in the returned access token the audience is
urn:opc:resource:scope:account and the scope is
urn:opc:resource:consumer:paas:analytics::read.
If the allowed scope defined by the client is
urn:opc:resource:consumer:paas::read, then the client is
allowed to access the resource hierarchically if the client requests one of the
following scopes:
-
urn:opc:resource:consumer:paas::read -
urn:opc:resource:consumer:paas:analytics::read
However, if the requested scope is
urn:opc:resource:consumer:paas:analytics::write with a
different qualifier, then the client isn’t allowed access to the resource.
The All option doesn't provide access to the IAM admin APIs. You must continue to use the scope
urn:opc:idm:__myscopes__ to access
the admin APIs.To generate a refresh token in addition to the access token, use the scope
urn:opc:resource:consumer::all offline_access in the
request.
The Specific authorized resource option enables the client to access only those resources where an explicit association between the client and the resource exists.
Leave Specific selected (the default) to allow your application to acquire an access token with permissions based on an explicit association between the client and target services. Then, use the Add button to select the applications that your application references.
When you create a confidential application, you use a Client ID and a Client Secret as part of your connection settings. You can regenerate your Client Secret at any time for a confidential application using the identity domains console.
- Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in and click Applications.
- Click the confidential application for which you want to regenerate a Client Secret.
- In the General information section, click Regenerate. The new Client Secret appears in the New client secret dialog box. Copy the Client Secret if necessary.
- Click Close.
When you create a confidential application and you configure the client to use the JWT Assertion grant type, you can generate access tokens at any time using the identity domain console.
An enterprise application enables you to secure web applications that are protected by the App Gateway.
To add an enterprise application in an identity domain, you need to configure the list of application resources (web application's URLs or URL patterns), create an authentication policy for each resource, and create an authorization policy for each resource. For each authentication policy, you define an authentication method, and header variables for App Gateway to include in the request before forwarding the request to the application.
Create resources individually by adding one resource for each of your application's URLs, or use regular expression to create a resource which represents a collection of URLs for your application.
Policy mapping is hierarchical in App Gateway. So, order of the resources defined is important. See the following example:
/myapp/logout.html, and we have authentication policy in below
order: /.*(public)/.*/logout.html(Form+logout)
/.*) and the same policy
is applied which is "public" in this case./myapp/logout.html and we have authentication policy in
below order./.*/logout.html(Form+logout)/.*(public)
/.*/logout.html)
and same policy is applied which is "Form+logout".Something else to be aware
of is that applications which do their own login integrations can run into problems
when their integrations accessed static resources during login, but the resources
were not made public. This causes the login process to fail. To avoid this
happening, you should use the public authentication method for your
public static resources such as CSS, JavaScript, image files as follows:
- Group all public static resources together, for example under
/myapp/public/resources. -
State that these directories should use the
publicauthentication method using a regex such as/myapp/public/.*.
To configure resources:
Create an authentication policy for each resource you created for your enterprise application.
Use regular expressions (regex) to define a URL pattern which represents more than one URL of your enterprise application and for which you can apply the same authentication policy and the same authorization policy.
Create a list of all URLs for your application, and then to define URL patterns that map similar URLs, in which you want to define common authentication and authorization policies.
The authorization engine of App Gateway supports all tokens available to create regular expressions, such as Character Classes, Anchors, Escaped Characters, Group & References, Lookaround, Quantifiers & Alternation, and Substitution.
| Operator | Description | Example |
|---|---|---|
Match-any-character Operator
(.) |
The period character represents this operator. | a.b matches any three-character
string beginning with a and ending with
b |
Match-zero-or-more Operator
(*) |
This operator repeats the smallest possible preceding regular expression as many times as necessary (including zero) to match the pattern | a* matches any string made up of
zero or more a's. In another example,
fo* has a repeating o, not a
repeating fo. Hence, fo* matches
f, fo, foo,
and so on. |
Match-one-or-more Operator
(+) |
This operator is similar to the match-zero-or-more operator except that it repeats the preceding regular expression at least once. | ca+r matches car
and caaaar, but not cr |
Match-zero-or-one Operator
(?) |
This operator is similar to the match-zero-or-more operator except that it repeats the preceding regular expression once or not at all. | ca?r matches both
car and cr, but nothing
else. |
Negate (^) |
Negate an expression. | ^a matches any character except
a |
Grouping Operators ((...))
|
Regex treats expressions inside the parenthesis just as mathematics and programming languages treat a parenthesized expression as a unit. The expressions are processed before the expression outside the parenthesis. | f(a|b)a matches
faa and fba, which means the
operation a|b is processed before the rest. |
Alternation Operator
(|) |
Alternatives match one of a choice of regular
expressions: if you put one or more characters representing the
alternation operator between any two regular expressions
a and b, the result matches
the union of the strings that a and
b match. |
As another example, |
List Operators
([ ... ] and [^ ... ])
|
A matching list matches a single character represented by one of the list items. An item is a character, a character class expression, or a range expression. Non matching lists are similar to matching lists except that they match a single character not represented by one of the list items. |
As a non matching example, |
Range Operator (-)
|
Represents those characters that fall between two elements in the current collating sequence. | [a-f] represents all the
characters from a through f
inclusively. |
Digit (\d) |
Matches any digit character (0-9). | Same as [0-9] |
Not Digit (\D) |
Matches any character that is not a digit character (0-9). | Same as [^0-9] |
Escape (\) |
Makes the next character in the expression means the character itself but not an operator. | \. means period, not the
Match-any-character operator. |
Use of Regular Expression
For example, if you want to allow only authenticated users access for any page of the
application that starts with my and are under the path
/mybank, then you can use the regular expression
/mybank/my.*
The dot (.) and the star (*) together represents any sequence of zero or more
consecutive characters after the prefix my.
In this example, the URLs /mybank/myCredits and
/mybank/myDebits match the /mybank/my.*
pattern, but /mybank/about doesn't.
When you configure enterprise application's authentication policies, you can add header variables to requests forwarded to the application, by selecting a user attribute from a list of predefined user attributes, or by entering an expression.
In the header Value field for Authentication Policies, you can provide a simple literal string or an attribute identifier instead of selecting the user attribute from the list. If you use an attribute identifier, App Gateway attempts to replace the attribute identifier by the value of the attribute after authentication happens.
The following types of attribute identifiers are supported by authentication policies:
- Application: This attribute identifier accesses the information of
the enterprise application registered in IAM.
Format:
$subject.client.<attr> - User: This attribute identifier accesses information of the user
signed in to IAM.
Format:
$subject.user.<attr> - Request: This attribute identifier accesses request information.
Format:
$request.<attr>
For user attribute scope, App Gateway supports any simple top-level attribute in the
JSON Response from /admin/v1/Users such as string,
boolean, or int values.
App Gateway also supports user extension attributes as header value expressions for
authentication policies, using the following format
$subject.user.urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:<attributeName>,
and custom attributes using the following format
$subject.user.urn:ietf:params:scim:schemas:idcs:extension:custom:User:<customAttributeName>
|
Attribute Name |
Header Value Expression |
Description |
|---|---|---|
|
Full Name |
|
The user's full name. |
|
User Name |
|
The user's login username. |
|
Emails |
Other types of emails also supported:
|
The user's primary email address. |
|
Phone Numbers |
Other types of phone numbers supported: |
The user's phone number. |
|
Addresses |
|
The user's mailing address. |
|
Groups |
|
A list of comma-separated group names to which the user is assigned to through direct or indirect membership. |
|
idcsCreatedBy |
|
The display name of the user or application who created this resource. |
|
idcsLastModifiedBy |
|
The display name of the user or application who modified this resource. |
|
Department |
|
The user's department. |
|
Employee Number |
|
The user's employee number. |
Example of supported values for request attribute scope:
|
Attribute Name |
Header Value Expression |
Description |
|---|---|---|
|
policy_appname |
|
Returns the name of the enterprise application registered in IAM. |
|
policy_name |
|
Returns the policy name of the specific policy matched for the request. |
|
policy_res |
|
Returns the resource URL pattern matched for the request. The format is: "<type>:<pattern>" Example: |
|
policy_action |
|
Returns the HTTP Method ( |
| res_host |
|
Returns the host name from the original Request. |
|
res_port |
|
Returns the port number from the original Request. |
|
res_type |
|
Returns the protocol (HTTP or HTTPS) of the original Request. |
|
res_url |
|
Returns the full requested URL. |
By Default App Gateway adds header variables and cookies to any request forwarded to a protected enterprise application. The following is a list of these headers and cookies and their respective values.
Headers
| Header Name | Description | Authentication Method Usage |
|---|---|---|
| idcs_service_url |
The value of this header is your IAM's base URL. For example,
|
Used by all authentication method. |
| idcs_cloudgate_id |
The Client ID value for the App Gateway registered in IAM. |
Used by all authentication method. |
| idcs_client_id |
The Client ID value for the App Gateway registered in IAM. |
App Gateway adds this header to the request forwarded to the enterprise application if the resource is protected by Anonymous or Public authentication methods. |
| idcs_authn_method |
The authentication method configured in the enterprise application's authentication policy. Value depending on the authentication method used:
|
App Gateway adds this header to the request forwarded to the enterprise application if the resource is protected by any authentication method except Public. |
| idcs_authn_strength |
Identifies if the user authentication has happened in one or two steps. If the user has signed in with IAM using
their credentials only, then the authentication strength is
|
App Gateway adds this header to the request forwarded to the enterprise application if the resource is protected by any authentication method except Public and Anonymous. |
| remote_user |
Username of the user signed in to IAM. If the resource is protected by
Anonymous authentication method,
then the value of this header is
|
App Gateway adds this header to the request forwarded to the enterprise application if the resource is protected by any authentication method except Public. |
| idcs_remote_user |
Username of the user signed in to IAM. If the resource is protected by
Anonymous authentication method,
then the value of this header is
|
App Gateway adds this header to the request forwarded to the enterprise application if the resource is protected by any authentication method except Public. |
| idcs_remote_user_mappingattr |
The IAM user schema attribute used to identify the signed in user. For example, |
App Gateway adds this header to the request forwarded to the enterprise application if the resource is protected by any authentication method except Public and Anonymous. |
| idcs_session_id |
The session ID value IAM creates after user signs in. |
App Gateway adds this header to the request forwarded to the enterprise application if the resource is protected by Form or Access Token or Basic Auth+ Session authentication method. |
| idcs_user_assertion |
Value of the identity token issued by IAM. |
App Gateway adds this header to the request forwarded to the enterprise application if the resource is protected by Form or Access Token authentication method. |
| idcs_user_display_name |
Value of the |
App Gateway adds this header to the request forwarded to the enterprise application if the resource is protected by any authentication method except Public and Anonymous. |
| idcs_user_id |
Value of the unique identifier attribute of the user signed in with IAM. |
App Gateway adds this header to the request forwarded to the enterprise application if the resource is protected by any authentication method except Public and Anonymous. |
| idcs_user_tenant_name |
IAM tenant name. |
App Gateway adds this header to the request forwarded to the enterprise application if the resource is protected by any authentication method except Public and Anonymous. |
Cookies
| Cookie Name | Description | Authentication Method Usage |
|---|---|---|
| ORA_OCIS_CG_SESSION_<idcs-tenant>_<aapgateway_host> |
After the user authenticates with IAM, App Gateway sets this cookie to the request forwarded to the application. The cookie name is composed by
|
App Gateway adds this header to the request forwarded to the enterprise application if the resource is protected by Form or Access Token authentication method. |
Account Form will be visible in the user interface with account attributes for a provisioning application if the underlying App Template supports it. With Account Form, when you grant a provisioning application to a user, you can provide account values and when you edit a provisioned account, you can update existing account values.
- Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in and click Applications.
- Click the application that you want to modify.
- Under Resources, select User and click Assign users.
- In the Assign users window, for the user who needs access to the application, click Assign from the Actions menu for that user.
- Click Next.
- (Optional) Add a path.
- Click Assign user. The user account is assigned.
- Select the next user you want to provide access to this application and repeat the steps 1 through 7.
Custom secure form fill apps give you the flexibility to define tenant-level form fill apps that are not in the global Oracle App Catalog.
Secure Form Fill is the IAM alternative for single sign-on into apps that require auto-form fill but don't support OAuth, SAML, or federated sign-on methods.
Users enter their application credentials for form-fill-enabled apps in IAM once. IAM stores and encrypts the information, and automatically fills in the login form so that users can sign in without having to reenter the information each time.
IAM stores the user's credentials in an encrypted format using strong encryption combined with a customer-specific private key. When a user opens the secure form fill application, which in turn prompts the login page, IAM detects and securely fills the user's credentials, submits the credentials to the app login page, and then the user is automatically signed in.
Learn the prerequisites for creating a custom secure form fill app.
-
A Windows operating system version 7, 8 or 10 with:
-
Local admin rights enabled
-
32-bit Java Runtime Environment (JRE) to access local help content for the Secure Form Fill Admin Client.
-
-
At least one of the following supported desktop browsers:
-
Mozilla Firefox
-
Google Chrome
-
-
Secure Form Fill Admin Client. See Install the Secure Form Fill Admin Client.
Note
The ESSO Administrative Console is part of the Secure Form Fill Admin Client. -
Administrator privileges for an identity domain. See Understanding Administrator Roles.
You use the Secure Form Fill Admin Client (Oracle Enterprise Single Sign-On (ESSO) Administrative Console) to create and update secure form fill configuration files for your custom secure form fill apps in IAM. Use these instructions to install the Secure Form Fill Admin Client.
You use the Secure Form Fill Admin Client (Oracle Enterprise Single Sign-On (ESSO) Administrative Console) to create secure form fill configuration files for your custom secure form fill apps in IAM. Use these instructions to create secure form fill configuration files and then import those files into IAM.
This documentation explains, at a high level, how to use the Secure Form Fill Admin Client only as it pertains to custom secure form fill apps and IAM. For additional instructions, see the help in the ESSO Administrative Console.
After you create a configuration file in the Oracle Enterprise Single Sign-On (ESSO) Administrative Console, the next step is to create a secure form fill app.
Install the Oracle Secure Form Fill Plugin so that you can launch secure form fill apps. Once installed, you are able to access My Apps from your browser toolbar.
If you are using Google Chrome and you need to install the plugin, you are prompted to go to the Extensions on Google Chrome and install the Oracle Secure Form Fill Plugin from the IAM user interface. You will be prompted to download the plugin from the My Apps page the first time that you access to a secure form fill app.
Installing the Mozilla Firefox Plugin
If you are using Mozilla Firefox and you need to install the plugin, instead of downloading the Secure Form Fill Mozilla Firefox plug-in from the Mozilla Store, install the Secure Form Fill Mozilla Firefox plug-in from the My Apps page. You will be prompted to download the plug-in from the My Apps page the first time that you access to a secure form fill app.
After you install the Oracle Secure Form Fill Plugin, when you are logged in to IAM you can access My Apps from your browser toolbar.
Search for apps and see favorite apps by clicking the My Apps 
icon.
After you create a custom secure form fill app in an identity domain, test the app before deploying it to your organization.
-
A custom secure form fill app created in the identity domain.
-
The custom secure form fill app is set to display on the My App page.
-
The custom secure form fill app is assigned to you as a user or as a group.
- Sign in to the identity domain console to access the My Apps page.
- Install the secure form fill plug in, if you have not already installed it, and then refresh your browser.
- Open the app, enter the credentials for the application, and then click Login.
A successful result is IAM injecting the user name and password, and then clicking the submit button.
If you are having issues, check the settings for your Web app in the Oracle Enterprise Single Sign-On (ESSO) Administrative Console, export the *.ini file if necessary, check the settings for your app in the identity domain, and try again.
To update a custom secure form fill app, you first update the Web app using the Secure Form Fill App, export the configuration file in (*.ini), and then update the custom secure form fill app in the identity domain.
-
Create a Web app in the Secure Form Fill Admin Client. See Installing the Secure Form Fill Admin Client.
-
Create a custom secure form fill app created in the identity domain.
- If you need to update the Web app and configuration file created in Secure Form Fill Admin Client, update the Web app first, and then save and export the file. See Create a Secure Form Fill Configuration File.
- To change the custom secure form fill app, access the application as an Identity domain administrator, make any necessary changes, import the new configuration file (if necessary), and then save the app. See Create a Secure Form Fill App in IAM.
You can import and synchronize users of third-party cloud applications using a flat file and manage them in an identity domain.
You can perform a full sync import of the users of third-party Cloud applications using a flat file. In a full sync import, the imported user in the CSV file replaces any existing user who is already assigned to the application.
After you import the users, if a matching user account doesn’t exist in the identity domain, you can either assign the user account to an existing user or create a new user for the user account.
If the imported user account exists, an exact match is found and no further action is required. The synchronization status of the user account is set as confirmed.
You can assign an existing user to the imported user account in the Import tab if the user is present in IAM and the import failed to match the user.
- On the row of the imported user, select Assign existing user from the Actions menu.
- In the Assign user window, search for an existing user, select the required user and click Assign.
You can create a new user and link the user with the imported user account if there are no existing users to assign.
- On the row of the imported user, select Create new user and link from the Actions menu.
- In the Assign user window, enter the following user details: First name, Last name, and Username / Email.
- Select Use the email address as the user name option if you want to use the email address as your user name and click Assign.
You can activate, deactivate, assign, and revoke imported users from the Users tab.
-
To activate an imported user account, select the Actions menu, and click Activate.
-
To deactivate an imported user account, select the Actions menu, and click Deactivate.
-
To remove any imported user account, select the user, and click Revoke.
-
To assign any other user to the application apart from the synchronized users from the flat file, click Assign. Choose a user from the list of existing users and click OK. The assigned user account is displayed and is in an activated state.
Configure the your Enterprise or Confidential application to act as a confidential application by providing client and resource server configurations.
You can use IAM to delete multiple applications simultaneously.
Activating applications reinstates the access rights to applications for users and groups.
- Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in and click Applications.
- Select the check box for each deactivated application that you want to activate.
- Select Actions, Activate, and then Activate application.
Deactivating an application temporarily disables the access rights to applications that users or groups have.
- Open the navigation menu and click Identity & Security. Under Identity, click Domains.Select the identity domain you want to work in and click Applications.
- Select the check box for each activated application that you want to deactivate.
- Select Actions, Deactivate, and then Deactivate application.
By default, you can see the name and description for each application in IAM.
After configuring, you can modify Oracle and custom applications to assign users and groups, edit high-level information, import users and groups into the applications, export users and groups from applications, and perform specific configuration tasks for custom applications.
Modifying Oracle Applications
You can assign and remove users and groups to Oracle Applications, and import and export users and groups for Oracle Application Roles. You can view the high-level information but can't edit any of the values in Oracle Applications.
You can assign users to Oracle applications only after you activate the applications.
To remove users from Oracle applications, use the Application Roles tab. You can remove users from Oracle applications only after you activate the applications.
After you activate the applications, you can assign groups to Oracle applications by using the Application roles tab.
You can remove groups from Oracle applications from the Application Roles tab. You can remove groups from Oracle applications only after you activate the applications.
When you create an instance of an Oracle application in your identity domain, the application instance appears in the Applications page. As a Service Administrator, you can edit some of the high-level information for Oracle Applications. However, you can’t edit attributes that are protected. Even in an editable attribute, you can’t update certain values that were seeded by the system.
To view and edit high-level information about Oracle application, such as the application type, name, description, icon, URL, links, and whether the application appears on the My Apps page, click Edit application.
| UI Elements | Attributes | Update Seeded Values | Add New Values |
|---|---|---|---|
|
Description |
description |
Yes | N/A |
|
Tags |
tags |
No | Yes |
|
Allowed Scopes |
allowedScopes |
No | Yes |
|
Allowed Tags |
allowedTags |
No | Yes |
|
Redirect URL |
redirectUris |
Yes | N/A |
|
Access Token Expiration |
accessTokenExpiry |
Yes | N/A |
|
Refresh Token Expiration |
refreshTokenExpiry |
Yes | N/A |
|
Scope |
scopes |
No | Yes |
|
Secondary Audiences |
protectableSecondaryAudiences |
No | Yes |
|
Is Refresh Token Allowed |
allowOffline |
Yes | N/A |
|
Enforce Grants as Authorization |
allowAccessControl |
N/A | N/A |
|
Trust Scope |
trustScope |
N/A | N/A |
|
Activate |
active |
N/A | N/A |
-
Web tier policy tab and all the UI fields within the tab are controlled and edited by one attribute
urn:ietf:params:scim:schemas:oracle:idcs:extension:webTierPolicy:App:webTierPolicyJson. -
grantedAppRolesattribute records each App Role defined by another application that has been granted to the client. -
signonPolicyeditable attribute indicates that you can assign Oracle Applications to Sign-On Policy.
You cannot change any of the fields other than the ones listed above for Oracle Public Cloud applications. You will encounter an error if you click Save after you try editing any of these values.
-
Edit only single scope. Bulk removal of scopes is not supported.
-
Grant client access to the IAM APIs
To enable your application to access IAM APIs, click Add.
In the Add App Role window, select the application roles that you want to assign to this application. This enables your application to access the REST APIs that each of the assigned application roles can access.
For example, select Identity Domain Administrator from the list. All REST API tasks available to the identity domain administrator will be accessible to your application.
You can't remove the following:-
The assigned application roles from the application by clicking the x icon for the row of the required application role
-
The App Roles that were granted when an Oracle Public Cloud application was created because those seeded values are protected
-
Modifying Custom Applications
You can assign and remove users and edit high-level information in custom applications.
Custom applications are non Oracle Public Cloud (OPC) services. You can modify custom applications by assigning users to them. Users can access the My Apps page to view these applications.
-
The application must be activated.
-
The application must be assigned to the current user who is accessing the My Apps page
-
The Display in My Apps check box must be selected in the Details tab in the applications.
If you assigned a provisioned application to the user, then you can modify the values of the application form. To do this, click the Actions menu, select Edit, change the appropriate values, and then click Save.
You can activate or deactivate a user's account assigned to a synchronized app that's created from the App Catalog. To do so:
-
Click the Actions menu to the right of the user account that you assigned to the application.
-
Click Activate or Deactivate.
-
In the Activate account? or Deactivate account? window, click OK.
See Enabling Provisioning for an App Catalog Application for more information about configuring provisioning for an application to manage the lifecycle of users in the application.
You can modify custom applications by removing users from them. Users can no longer view these applications through the My Apps page.
- Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in and click Applications.
- Click the application that you want to modify.
- Click Users.
- Select the check box for each user that you want to remove from the application.
- Click Revoke.
-
Complete one of the following choices:
- To remove one user from the custom application, in the Revoke user? dialog box, click Revoke user.
- To remove multiple users from the custom application, in the Revoke users? dialog box, click Revoke users.
You can modify custom applications by assigning groups to them. Users who are members of these groups can access the My Apps page to view these applications.
- Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in and click Applications.
- Click the application that you want to modify.
- Click Groups.
- Click Assign groups.
-
In the Assign groups window, do one of the following.
- Click Assign.
If you assigned a provisioned application to the group, then you can modify the values of the application form. To do this, click the Actions menu, select Edit, change the appropriate values, and then click Save.
You can modify custom applications by removing groups from them. Users who are members of these groups can no longer view these applications through the My Apps page.
You can edit high-level information for custom applications.
- Open the navigation menu and click Identity & Security. Under Identity, click Domains.
- Click the application that you want to modify.
- Click Edit application.
- Modify any fields as necessary (for example, modify the application name in the Name field).
- Click Save changes.
You can edit configuration information for custom applications.
See Add a Confidential Application, Add a Mobile Application, and Add a SAML Application for more information about the configuration settings for client applications.
Application administrators can customize the information that appears in the OAuth consent page for applications.
- Open the navigation menu and click Identity & Security. Under Identity, click Domains. Select the identity domain you want to work in and click Applications.
- Click the application that you want to modify.
- Click Consent information.
- Provide values for the fields that you want to customize, and then click Save changes.