1. Securing Oracle Enterprise Data Quality
  2. Integrating EDQ with Oracle Identity Cloud Service

9 Integrating EDQ with Oracle Identity Cloud Service

This chapter describes how to integrate Oracle Identity Cloud Service (IDCS) with Oracle Enterprise Data Quality (EDQ).

Note:

This feature is applicable for EDQ 12.2.1.4.2 and later releases.

This chapter includes the following sections:

  • Creating an IDCS Application
    EDQ uses the IDCS REST APIs to authenticate credentials and retrieve lists of users and groups. These APIs are authenticated with the OAuth2 client credentials flow using tokens obtained from an IDCS application.
  • Configuring the EDQ login.properties File
    You need to edit login.properties and define a realm for IDCS.
  • Enabling SSO using OpenID Connect
    You can configure EDQ for SSO with IDCS using OpenID Connect with OAuth2. When a user visits the EDQ Launchpad they are redirected to the IDCS login page. After successful login the user is redirected back to EDQ. Applications are also logged in automatically using the IDCS identity.
  • Enabling OAuth2 Bearer Authentication for Web Services
    If OpenID connect SSO is configured, EDQ supports web service authentication using OAuth2 Bearer access tokens. A caller will use the client credentials or authorization code flows to acquire an access token and then pass this to EDQ in an Authorization header.

Creating an IDCS Application

EDQ uses the IDCS REST APIs to authenticate credentials and retrieve lists of users and groups. These APIs are authenticated with the OAuth2 client credentials flow using tokens obtained from an IDCS application.

To create an application to use with EDQ, follow these steps.

  1. Login to the IDCS console as an administrator.
    For logins from the main OCI console, you can find the link to the IDCS console by navigating to Identity > Federation > OracleIdentityCloudService. The console link will be similar to the following:

    https://idcs-xxxxxxxxxxxxxxxxxxxxxx.identity.oraclecloud.com/ui/v1/adminconsole

    The portion of the URL before .identity.oraclecloud.com is the IDCS instance identifier and is required when configuring EDQ. In this example it is idcs-xxxxxxxxxxxxxxxxxxxxxx
  2. On the Applications and Services page click + Add to create a new Application.
  3. Select Confidential Application.
  4. Enter a name and, optionally, a description. No other information is required on the first page.
  5. Click Next .
  6. Select Configure this application as a client now.
  7. In the Authorization section, select Client Credentials from the Allowed Grant Types.
  8. Under Grant the client access to Identity Cloud Service Admin APIs click Add.
  9. Select Application Administrator and Authenticator Client.
  10. Click Next through the remaining steps, and then click Finish.
  11. Copy and save the Client ID and Client Secret values that are displayed. You can also retrieve these values from the Application Configuration in the General Information section.
  12. Click Activate to enable the application for use.

Parent topic: Integrating EDQ with Oracle Identity Cloud Service

Configuring the EDQ login.properties File

You need to edit login.properties and define a realm for IDCS.

Set login.properties as follows: 

# Realms 
realms            = internal, idcs 

idcs.realm        = IDCS
idcs.label        = IDCS
idcs.type         = idcs

idcs.clientid     = 61a155a32c39486c95a18ed1de7cc934
idcs.clientsecret = 53d09389-3645-4963-b0aa-152dd7505e7f
idcs.instance     = idcs-xxxxxxxxxxxxxxxxxxxxxxxxxxxx
# Add this if a proxy is required to reach https://idcs-xxxxxxxxxxxxxxxxxxxxxxxxxxxx.identity.oraclecloud.com
#idcs.proxy = host:port

Enter the Client ID and Client Secret that was generated when the application was created, and the IDCS instance identifier portion of the URL.

Restart the EDQ server. To verify the integration check the External Groups page on the EDQ Launchpad.

Parent topic: Integrating EDQ with Oracle Identity Cloud Service

Additional Configuration

Many IDCS instances are configured to use the user's email address as the user name. By default external users in EDQ are identified by username@REALM. If IDCS is configured with email addresses as user names, for a user named John Sheridan who works with Interstellar Alliance, for example, this would appear as john.sheridan@interstellaralliance.org@IDCS.

To remove the @IDCS portion from the user name, add the following to login.properties: 

idcs.prof.userdisplayname = userName

To setup some bootstrap group mappings, use the xgmap property: 

idcs.xgmap = EDQ admins -> Adminstrators

Members of the IDCS group EDQ admins will login to EDQ as members of the Administrators group. You can define more group mappings using the EDQ console.

To limit the set of users displayed in EDQ, add a default group assignment, for example:

 idcs.prof.defaultusergroup = EDQ users

Parent topic: Configuring the EDQ login.properties File

Enabling SSO using OpenID Connect

You can configure EDQ for SSO with IDCS using OpenID Connect with OAuth2. When a user visits the EDQ Launchpad they are redirected to the IDCS login page. After successful login the user is redirected back to EDQ. Applications are also logged in automatically using the IDCS identity.

To enable SSO using OpenID Connect, see the following sections:

Parent topic: Integrating EDQ with Oracle Identity Cloud Service

Configure the EDQ Application in IDCS

You need to configure the redirect URIs to the EDQ servers to enable SSO using OpenID Connect.

Note:

IDCS supports multiple values for the redirect URLs. You can use the same application to support several EDQ instances. However, this section describes setting the redirect URIs using the IDCS console, which does not support the configuration of multiple values. You need to use the IDCS REST API to set the URLs for such cases.
  1. Login to the IDCS console and navigate to the application you created in Creating an IDCS Application.
  2. On the Configuration tab, open the Client Configuration section and select Authorization Code as an allowed grant type.
  3. If your server does not have HTTPS enabled, select the Allow non-HTTPS URLs checkbox.
  4. Set the Redirect URL to https://yourserver/edq/oidc/callback where yourserver is the full host name of your EDQ server. Include the port, if required.
  5. Set the Post Logout Redirect URL to https://yourserver/edq/oidc/loggedout.
  6. Save the changes made to the application.
  7. Select the Users or Groups tabs to add users to the application.
    If you have a defaultusergroup defined in login.properties, the simplest approach would be to add the group so that all EDQ users can use the application.

Parent topic: Enabling SSO using OpenID Connect

Configuring EDQ for OpenID Connect SSO

Add these settings to login.properties:
idcs.extra.oidc    = true
idcs.extra.oidc.redirect_uri    = https://yourserver/edq/oidc/callback

The redirect_url value must match the Redirect URL entered for the application in Configure the EDQ Application in IDCS.

Restart EDQ. When you browse to the Launchpad you will be redirected to the IDCS login page.

EDQ 12.2.1.4.3 onwards you can configure login.properties to map the host name to multiple redirect URIs. See Enabling Multiple URI Redirects for OpenID Authentication for more information.

Parent topic: Enabling SSO using OpenID Connect

Enabling OAuth2 Bearer Authentication for Web Services

If OpenID connect SSO is configured, EDQ supports web service authentication using OAuth2 Bearer access tokens. A caller will use the client credentials or authorization code flows to acquire an access token and then pass this to EDQ in an Authorization header.

For example,

Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Im5PbzNa ......

User credentials obtained from the authorization code flow are mapped using the user identity in the same way as normal logins.

See the IDCS documentation for more information about access tokens and token validation.

Client credentials are mapped using request scopes, as described in the following sections:

Parent topic: Integrating EDQ with Oracle Identity Cloud Service

Configuring Application Scopes

To configure the IDCS application to support Bearer authentication with EDQ, define a protected resource and associated scopes. The scopes can be mapped to EDQ groups, allowing different client applications to request different permissions.

To define a resource, follow these steps:

  1. Navigate to the IDCS application.
  2. Click the Configuration tab and open the resources area.
  3. Select Register Resources.
  4. Enter a value in the Primary Audience field. The value can be any string ending in a colon. For example, urn:edq:
  5. In the Scopes section, click Add to add scopes corresponding to the required EDQ access. For example, admininstration and callers.
  6. Configure the client application to request access tokens using the configured scope. For example, urn:edq:administration or urn:edq:callers.

Parent topic: Enabling OAuth2 Bearer Authentication for Web Services

Configuring EDQ

In login.properties add settings to verify the Audience and map scopes to groups: 

idcs.extra.oauth2.token.aud    = urn:edq:
idcs.extra.oauth2.scopemap    = administration -> Administrators, callers -> Data Stewards
Where,
  • token.aud enables verification of the aud claim in access tokens.
  • scopemap maps the administration scope to the EDQ Administrators group and the callers scope to the EDQ Data Stewards group.

Parent topic: Enabling OAuth2 Bearer Authentication for Web Services