This document describes how to configure identity domain integration with other identity domains in IAM. For more information about identity domains in IAM, see Managing Identity Domains.
About Identity Domains
An identity domain is a container for managing users and roles, federating and provisioning of users, secure application integration through Oracle Single Sign-On (SSO) configuration, and SAML/OAuth based Identity Provider administration. It represents a user population in Oracle Cloud Infrastructure and its associated configurations and security settings (such as MFA).
The following terminology is used in this document:
Source Identity Domain: The identity domain on which you're creating the integration application.
Target Identity Domain: The identity domain to which you are pushing the users or syncing the users, groups, and user-group memberships.
Operations Supported
| Operation | Supported | Description |
| --- | --- | --- |
| Authoritative Sync | Yes | Syncs users, groups, and user-group memberships from the Target Identity Domain and creates or modifies those identities in the Source Identity Domain. |
| Sync | Yes | Syncs users, groups, and user-group memberships from the Target Identity Domain and links those identities in the Source Identity Domain. |
| Incremental Authoritative Sync | Yes | Syncs users, groups, and user-group memberships from the Target Identity Domain periodically when a user profile is updated. Note: Incremental synchronization supports only user changes and not user-group membership changes. |
| Incremental Sync | Yes | Syncs users, groups, and user-group memberships from the Target Identity Domain periodically when a user profile is updated. Note: Incremental synchronization supports only user changes and not user-group membership changes. |
| Create User | Yes | Creates the user in the Target Identity Domain. |
| Update User | Yes | Updates the user in the Target Identity Domain. |
| Enable User | Yes | Enables the user in the Target Identity Domain. |
| Disable User | Yes | Disables the user in the Target Identity Domain. |
| Delete User | Yes | Deletes the user in the Target Identity Domain. |
Prerequisites
Register a Client Application
Create a Confidential application with client credentials on the target identity domain with identity domain administrator permissions.
This task is required to obtain the credentials (Client ID and Client Secret) that are used for authentication in REST API calls. The credentials are equivalent to service credentials (ID and password) that your client uses to communicate with an identity domain in IAM. This task also helps you determine which requests are authorized through the REST API.
Access the OCI Console.
Open the navigation menu and click Identity & Security. Under Identity, click Domains.
Click the name of the identity domain that you want to work in. You might need to change the compartment to find the domain that you want.
On the domain details page, click Integrated applications.
Click Add application.
In the Add application dialog box, select Confidential Application, and then click Launch workflow.
On the Add application details page, enter an application name and description, and then click Next.
On the Configure OAuth page, under Client configuration, select Configure this application as a client now.
Under Authorization, select only Client Credentials as the Allowed Grant Type.
At the bottom of the page, select Add app roles and then click Add roles.
In the Add app roles panel, select Identity Domain Administrator and Me, and then click Add.
Under the Configure attribute mapping section, click Attribute mapping to map identity domain attributes to attributes in your application account. Important: Don't provision a Federated user with password mapping.
Under Select provisioning operations, select the required operations needed for your use case.
Turn on Enable synchronization and click Finish.
Click Activate, and then click Activate application.
Verifying the Integration
Use this section to verify the connection to the target identity domain.
Verifying Provisioning, Connection, and Configuration
Open the application you just activated.
Under Provisioning, click Test connectivity to validate the connection with the Target Identity Domain.
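The Client ID and Client Secret obtained when registering the confidential application are used exactly like service credentials: the integration presents them to the target domain's token endpoint with the client-credentials grant, then calls the domain's admin REST API with the resulting bearer token. The following added example (not Oracle's code and not part of this page) shows that exchange and a script-level equivalent of the Test connectivity check above: it lists a handful of users from the target domain and summarizes the SCIM response. The endpoint paths `/oauth2/v1/token` and `/admin/v1/Users`, the scope `urn:opc:idm:__myscopes__`, and the environment variable names are assumptions based on the identity domain REST API; confirm them against the Domain URL shown on your domain's details page before use.

```python
"""
Added example: client-credentials token request and a connectivity check
against an identity domain's admin API. Only the standard library is used.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# Assumed paths and scope for an identity domain (verify against your Domain URL).
TOKEN_PATH = "/oauth2/v1/token"
USERS_PATH = "/admin/v1/Users"
SCOPE = "urn:opc:idm:__myscopes__"  # "every scope granted to this client"
SCIM_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Client credentials travel as HTTP Basic: base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(domain_url: str, client_id: str, client_secret: str):
    """Return (url, headers, form_body) for the client-credentials grant."""
    url = domain_url.rstrip("/") + TOKEN_PATH
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": SCOPE})
    return url, headers, body


def parse_token_response(payload: bytes) -> str:
    """Extract the bearer token; refuse anything that is not a bearer grant."""
    data = json.loads(payload)
    if data.get("token_type", "").lower() != "bearer" or "access_token" not in data:
        raise ValueError("unexpected token response keys: " + ", ".join(sorted(data)))
    return data["access_token"]


def summarize_users(payload: bytes) -> dict:
    """Condense a SCIM ListResponse into what a connectivity check needs."""
    data = json.loads(payload)
    if SCIM_LIST not in data.get("schemas", []):
        raise ValueError("response is not a SCIM ListResponse")
    resources = data.get("Resources", [])
    return {
        "total": data.get("totalResults", 0),
        "active": sum(1 for u in resources if u.get("active")),
        "userNames": sorted(u.get("userName", "") for u in resources),
    }


def fetch_token(domain_url, client_id, client_secret, opener=urllib.request.urlopen):
    """POST the client-credentials grant and return the access token."""
    url, headers, body = build_token_request(domain_url, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with opener(req) as resp:
        return parse_token_response(resp.read())


def check_connectivity(domain_url, token, opener=urllib.request.urlopen):
    """Equivalent of the Console's Test connectivity: list a few users."""
    req = urllib.request.Request(
        domain_url.rstrip("/") + USERS_PATH + "?count=5",
        headers={"Authorization": "Bearer " + token, "Accept": "application/scim+json"},
    )
    with opener(req) as resp:
        return summarize_users(resp.read())


# Constructed sample of a SCIM ListResponse, shaped like the admin API's output.
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": [SCIM_LIST],
    "totalResults": 2,
    "Resources": [
        {"userName": "alice@example.com", "active": True},
        {"userName": "bob@example.com", "active": False},
    ],
}).encode()


if __name__ == "__main__":
    # Hypothetical variable names; the secret is read from the environment,
    # never placed on the command line or in source.
    domain = os.environ["TARGET_DOMAIN_URL"]
    cid, csecret = os.environ["TARGET_CLIENT_ID"], os.environ["TARGET_CLIENT_SECRET"]
    summary = check_connectivity(domain, fetch_token(domain, cid, csecret))
    print(json.dumps(summary, indent=2))
    sys.exit(0 if summary["total"] >= 0 else 1)
```

Run it with the three environment variables set to the target domain's URL and the application's credentials; a SCIM ListResponse with a user count confirms that the client can authenticate and that its app roles allow reading users, which is the same thing the Console's Test connectivity button establishes.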
Sync
A sync job runs to import users, groups, and user-group memberships. You can run a manual sync at any time using the following steps.
Open the application.
Under Import, click the Import button.
Troubleshooting
Use this section to locate solutions to common integration issues.