Capabilities
| Resource | Sync | Provision |
|---|---|---|
| Accounts | ||
| Groups | ||
| Applications | * | ** |
| Application roles | * | ** |
Performance considerations
- API Latency for Grant Operations: The Oracle IDCS API has inherent latency when creating grants (assigning access to applications or application roles). Due to this latency, we recommend avoiding performing rapid grant and revoke operations in quick succession, as this may result in failures or inconsistent states. Allow sufficient time between operations to ensure the API has completed processing the previous request before initiating the next one.
- Rate Limiting: The connector implements rate limiting to respect Oracle IDCS API limits. If you encounter rate limiting errors, the connector will automatically retry with appropriate backoff strategies.
Gather Oracle IDCS credentials
Configuring the connector requires you to pass in credentials generated in Oracle IDCS. Gather these credentials before you move on.Create a confidential application
1
In the Oracle Cloud Infrastructure console, navigate to Identity & Security > Identity and click Domains.
2
Select the appropriate domain. Your Oracle IDCS API Base Domain is the Domain URL shown on this page (for example, https://idcs-xxxxxxxx.identity.oraclecloud.com).
3
In the domain’s navigation menu, click Integrated applications.
4
Click Add application, select Confidential application, and then click Launch workflow.
5
Enter a name for the application, such as “ConductorOne”, then click Next.
6
On the OAuth Configuration page, click Edit OAuth configuration and select Configure this application as a client.
7
For Allowed GrantTypes, check Client Credentials.
8
Scroll down to the Token issuance policy section and click + Add app role.
9
Select a role that has permission you want to give to the integration (see below), then click Add.To enable syncing (read-only), a role with read-only access to users and groups, like Identity Domain Auditor, is sufficient. To enable provisioning (read-write), the application needs a role with write permissions for users and groups, such as Identity Domain Administrator, which includes the Users - Manage and Groups - Manage permissions.
10
Click Submit.
11
The OAuth Configuration page will display the Client ID (
api-access-id) and Client Secret (api-access-secret). Carefully copy and save these credentials.12
Activate the application using the Actions button in the top right, then click Activate.
Configure the Oracle IDCS connector
- Cloud-hosted
- Self-hosted
Follow these instructions to use a built-in, no-code connector hosted by ConductorOne.That’s it! Your Oracle IDCS connector is now pulling access data into ConductorOne.
1
In ConductorOne, navigate to Admin > Connectors and click Add connector.
2
Search for Oracle IDCS and click Add.
3
Choose how to set up the new Oracle IDCS connector:
- Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
- Add the connector to a managed app (select from the list of existing managed apps)
- Create a new managed app
4
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.
5
Click Next.
6
Find the Settings area of the page and click Edit.
7
Enter the Client ID and Client secret into the Access ID and Access key fields.
8
Enter the your Oracle ICDS base domain into the Base domain for API field.
9
Optional. Click Sync apps and roles if you want to opt into syncing application and application role data.If you want to sync data from apps such as Oracle WACS or Oracle CCS, make sure to opt in.
10
Click Save.
11
The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.