Applications Security


    Topic posted August 23, 2019 by Prateek Parasar, tagged HCM, Public Sector, Security
    33 Views, 2 Comments (Answered)
    Title:
    Best approach for Provisioning user ids externally and use SSO
    Summary:
    Approach to create userid outside but assign roles in fusion based on role mapping rules
    Content:

    Please comment if Option 1 is actually the best approach or not feasible. If there is another approach please suggest.

    Here are the details

    SSO Requirement:  System should have SSO enabled with central system identity provider (AD Shibboleth)

    Authentication and Single Sign On (SSO)

    Scenario: As per the requirement federated identity management will be used.  The Active Directory component Shibboleth, which is already certified by Oracle for SSO, will be integrated for single sign on. It has been agreed that accounts must be provisioned in IDM (Identity Management system) outside of Oracle and then brought back into Oracle Fusion.

    Requirement: On the creation of a new employee (person not assignment) system should obtain the UUN for new employee from IDM (On Premise Identity management) to create the user account. This can have any punch-out/API functionality which could be used as part of the employee creation process.

    “IDM (On Prem Identity management) synchronises users with on prem AD Shibboleth”

    Solution:

    SSO configuration

    Single Sign on with Active directory to be configured between Oracle Fusion and On-Premise Shibboleth
    ID Provisioning Logic
    Option 1 (first choice)

    1. No Bridge for AD
    2. HCM to create userid and provision role based on mapping at the time of hiring.
    3. Send HCM data for new hire, job changes, terminations, name changed to IDM.  IDM creates the new userid (unique throughout the enterprise). IDM works with Card and email system to provision employee’s card and employee ID.
    4. IDM Updates the userid using rest service (works we have tested). IDM updates the email ID for user and person record (works too).

    (No need to provision roles as those were already provision when person was hired)

    Option 2

    1. No Bridge for AD
    2. HCM does not create the ID at the time of hiring. Automatic role provisioning is enabled, but the roles won’t be provisioned at this time as the user ID is not even getting created.
    3. Send HCM data for new hire, job changes, terminations, name changed to IDM.  IDM creates the new userid (unique throughout the enterprise). IDM works with Card and email system to provision employee’s card and employee ID.
    4. IDM creates the userid and adds the email on user using rest service (works we have tested). IDM updates the email ID person record.
    5. Run the scheduled process to provision roles (Oracle does not recommend running this very frequently)

    Option 3

    1. Use Bridge for AD.
    2. Let HCM create userid and provision roles.
    3. AD to receive data and create userid based on Bridge data.
    4. AD still needs to update the userid (non-negotiable requirement that AD will have to have its own style of userid and not the one received from Oracle).
    5. AD does not update userid in Oracle (Or can it if bridge is used?)
    6. Separate interface to get the email ID created which gets updated in IDM/AD as well as in Oracle. AD maps the user based on email so Oracle Userid and AD userid can be different as we are not updating userid in Oracle.
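    The three options differ in two things a security reviewer cares about: at what moment the account carries its mapped roles, and which attribute the SAML NameID from the IdP has to match for SSO to resolve the right account. The following is an added example written for this thread, not Oracle code and not the poster's: a small Python model of the three flows. The role-mapping rules, role names, the person record and the IDM-minted userid (`apar42`) are all constructed, and the REST calls from the post are stood in for by plain method calls.

```python
# Added example (not Oracle's or the poster's code): a model of the three
# provisioning options, showing when roles exist and what SSO must match on.
# Role names, mapping rules, the person and the IDM userid are constructed.
from dataclasses import dataclass, field


@dataclass
class Person:
    person_number: str
    email: str
    department: str
    job: str


@dataclass
class UserAccount:
    username: str
    person: Person
    roles: set = field(default_factory=set)


# Constructed role-mapping rules: condition on person attributes -> role.
ROLE_MAPPING_RULES = [
    ({"department": "Finance"}, "ACCOUNTS_PAYABLE_SPECIALIST"),
    ({"job": "Manager"}, "LINE_MANAGER"),
    ({}, "EMPLOYEE"),  # no condition: every employee gets it
]


def mapped_roles(person):
    """Evaluate the mapping rules the way autoprovisioning would at hire."""
    return {
        role
        for conditions, role in ROLE_MAPPING_RULES
        if all(getattr(person, attr) == value for attr, value in conditions.items())
    }


class FusionTenant:
    def __init__(self):
        self.users = {}  # username -> UserAccount

    def hire(self, person, create_user=True):
        """Option 1/3: account plus mapped roles at hire. Option 2: no account yet."""
        if not create_user:
            return None
        acct = UserAccount(person.person_number, person, mapped_roles(person))
        self.users[acct.username] = acct
        return acct

    def idm_create_user(self, person, username):
        """Option 2 step 4: IDM creates the account later; no roles assigned yet."""
        acct = UserAccount(username, person)
        self.users[username] = acct
        return acct

    def idm_update_username(self, old, new):
        """Option 1 step 4: IDM renames the HCM-created account; roles survive."""
        acct = self.users.pop(old)
        acct.username = new
        self.users[new] = acct
        return acct

    def scheduled_autoprovision(self):
        """Option 2 step 5: the periodic job that assigns mapped roles."""
        for acct in self.users.values():
            acct.roles |= mapped_roles(acct.person)

    def sso_resolve(self, name_id, match_on="username"):
        """Map the SAML NameID sent by the IdP to a Fusion account, or None."""
        for acct in self.users.values():
            key = acct.username if match_on == "username" else acct.person.email
            if key == name_id:
                return acct
        return None


ALICE = Person("300000012345", "alice@example.edu", "Finance", "Manager")  # constructed
IDM_UID = "apar42"  # constructed enterprise-wide userid minted by IDM / AD


def run_option1():
    t = FusionTenant()
    t.hire(ALICE)  # HCM creates the id and provisions roles immediately
    acct = t.idm_update_username(ALICE.person_number, IDM_UID)
    return {"username": acct.username, "roles": sorted(acct.roles),
            "sso_by_username": t.sso_resolve(IDM_UID) is acct}


def run_option2():
    t = FusionTenant()
    t.hire(ALICE, create_user=False)  # autoprovisioning has no account to act on
    acct = t.idm_create_user(ALICE, IDM_UID)
    before = sorted(acct.roles)
    t.scheduled_autoprovision()  # roles appear only once the job runs
    return {"roles_before_job": before, "roles_after_job": sorted(acct.roles)}


def run_option3():
    t = FusionTenant()
    acct = t.hire(ALICE)  # Oracle keeps its own userid; AD mints IDM_UID
    return {"ids_differ": acct.username != IDM_UID,
            "sso_by_username": t.sso_resolve(IDM_UID) is acct,
            "sso_by_email": t.sso_resolve(ALICE.email, match_on="email") is acct}
```

    Running the three functions makes the trade-off concrete: Option 1 has roles from the moment of hire and the rename keeps them, so SSO on the IDM userid works; Option 2 leaves a window with an account but no roles until the scheduled job runs; Option 3 only resolves the login if the federation is configured to match on email rather than username, which is the mapping the post relies on.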
    Best Comment

    Kiran Gowda

    We are implementing something similar, but just for external users like suppliers. We have a registration portal for suppliers to register, which will create the identity in IDM. We have decided on SAML assertion key between Federation services (OKTA) & Fusion, and users will be manually created in Fusion. 

    Comment

    • Prateek Parasar

      We are going to do PBCS manually with IDM, but we need automation for ID card and ID creation, so we are exploring the best option and something which requires the least effort and future maintenance.