TEAM IM recently did an integration with Oracle Identity Cloud Service (IDCS) from our Modern UI for Oracle WebCenter Content. This integration was surprisingly easy and provided an elegant solution for registering and authenticating public users/citizens for City-provided services.
IDCS is a cloud-based user provisioning system that allows organizations to provision users outside their traditional user stores, such as Active Directory. One of the main benefits this provides is that a named user can be created and granted proper access to applications that are made available to the public or citizen user. In this manner the organization can easily implement the following items:
Oracle IDCS supports all of the items listed above. Further, IDCS allows the organization to create multiple defined applications, creating a logical separation for user provisioning. For example, a user can register in IDCS, and while this user object is global to the IDCS instance, the user can be granted access to one or more of the applications hosted by the organization. In our case our public sector customer, a City, had already provided citizen user access to online Utility bills and queries. The application we are deploying is a Utility Assistance Program where citizens struggling to pay their Utility bills can apply for various grants, rebates or other financial assistance programs. It is a large city, so there are potentially millions of citizen users.
There are many out-of-the-box integrations with IDCS (WebLogic SAML Federation, App Gateway, etc.), but the topic covered in this article is how we can integrate our Java application with the IDCS instance via code. This is accomplished in two steps:
Redirect to IDCS
First the application determines if the user needs to login and get an application session. This applies to both new and existing users. To redirect to IDCS, obtain the following necessary parameters
To redirect to IDCS, create an OpenSAML redirect to IDCS, specifying the parameters noted above.
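The redirect step, as an added example (this is not TEAM IM's code or Oracle's): it builds a SAML 2.0 AuthnRequest with OpenSAML and sends the browser to IDCS using the HTTP-Redirect binding. It assumes OpenSAML 3.x with InitializationService.initialize() already run at application start, and the three constants (SP entity ID, IDCS single sign-on URL, callback/ACS URL) are placeholders for the values taken from the SP configuration and the IDCS application definition. The request ID is kept in the HTTP session so the callback can later confirm that the response answers a request this application actually issued.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.namespace.QName;
import net.shibboleth.utilities.java.support.security.RandomIdentifierGenerationStrategy;
import org.joda.time.DateTime;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.messaging.context.MessageContext;
import org.opensaml.saml.common.SAMLObject;
import org.opensaml.saml.common.messaging.context.SAMLEndpointContext;
import org.opensaml.saml.common.messaging.context.SAMLPeerEntityContext;
import org.opensaml.saml.common.xml.SAMLConstants;
import org.opensaml.saml.saml2.binding.encoding.impl.HTTPRedirectDeflateEncoder;
import org.opensaml.saml.saml2.core.AuthnRequest;
import org.opensaml.saml.saml2.core.Issuer;
import org.opensaml.saml.saml2.core.NameIDPolicy;
import org.opensaml.saml.saml2.metadata.SingleSignOnService;

/** Added example (assumes OpenSAML 3.x); not the original article's code. */
public class IdcsRedirect {

    // Placeholders: taken from the SP configuration and the IDCS application definition
    static final String SP_ENTITY_ID = "https://PLACEHOLDER-sp/metadata";
    static final String IDCS_SSO_URL = "https://PLACEHOLDER-idcs-sso-url";
    static final String ACS_URL = "https://PLACEHOLDER-sp/saml/callback";

    /** Builds any OpenSAML object from its default element name. */
    @SuppressWarnings("unchecked")
    static <T extends XMLObject> T build(QName name) {
        return (T) XMLObjectProviderRegistrySupport.getBuilderFactory().getBuilder(name).buildObject(name);
    }

    /** Creates the AuthnRequest and writes the 302 redirect to IDCS on the servlet response. */
    public static void redirectToIdcs(HttpServletRequest req, HttpServletResponse resp) throws Exception {
        AuthnRequest authn = build(AuthnRequest.DEFAULT_ELEMENT_NAME);
        String requestId = new RandomIdentifierGenerationStrategy().generateIdentifier();
        authn.setID(requestId);
        authn.setIssueInstant(new DateTime());
        authn.setDestination(IDCS_SSO_URL);
        authn.setAssertionConsumerServiceURL(ACS_URL);          // where IDCS posts the Response
        authn.setProtocolBinding(SAMLConstants.SAML2_POST_BINDING_URI);

        Issuer issuer = build(Issuer.DEFAULT_ELEMENT_NAME);
        issuer.setValue(SP_ENTITY_ID);
        authn.setIssuer(issuer);

        NameIDPolicy policy = build(NameIDPolicy.DEFAULT_ELEMENT_NAME);
        policy.setAllowCreate(true);                            // new citizens may register at IDCS
        authn.setNameIDPolicy(policy);

        // Remember which request this session is waiting on; the callback checks InResponseTo against it
        req.getSession(true).setAttribute("saml.pendingRequestId", requestId);

        SingleSignOnService endpoint = build(SingleSignOnService.DEFAULT_ELEMENT_NAME);
        endpoint.setBinding(SAMLConstants.SAML2_REDIRECT_BINDING_URI);
        endpoint.setLocation(IDCS_SSO_URL);

        MessageContext<SAMLObject> ctx = new MessageContext<>();
        ctx.setMessage(authn);
        SAMLPeerEntityContext peer = ctx.getSubcontext(SAMLPeerEntityContext.class, true);
        peer.getSubcontext(SAMLEndpointContext.class, true).setEndpoint(endpoint);

        // Deflate + base64 + URL-encode the request and send the browser to IDCS
        HTTPRedirectDeflateEncoder encoder = new HTTPRedirectDeflateEncoder();
        encoder.setMessageContext(ctx);
        encoder.setHttpServletResponse(resp);
        encoder.initialize();
        encoder.encode();
    }
}
```

Call redirectToIdcs from the servlet or filter that decided the user has no application session yet. The stored request ID is the piece most integrations forget: without it, the callback cannot tell a response to its own request from one injected by a third party.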
At this point the user has been redirected to IDCS, where they can log in as an existing user or create a new user. If creating a new user, the IDCS application definition determines which data elements are collected, such as first and last name, email address, and any other pertinent information; this can be tailored to the application's needs. All information added by the user will be made available to the calling application upon callback.
Handle the callback
One of the parameters sent to IDCS is the callback URL. When IDCS has completed the user authentication, it redirects back to the calling application via the callback URL. The body of this request carries all the information collected about the user. From here the application can do the following
Create the user session
Using the response from IDCS, parse out all the user information and store it according to application requirements. This persists the user's session as well as making all user information available for any further processing.
Process user data
Since we now have the user’s information, the next step is to process this information according to application requirements. Examples include
// Assumes OpenSAML 3.x; responseXmlObj is the unmarshalled <samlp:Response> from IDCS
import java.util.List;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Attribute;
import org.opensaml.saml.saml2.core.Response;

Response samlresponse = (Response) responseXmlObj;
// IDCS returns the user's profile in the first assertion's attribute statement
Assertion assertion = samlresponse.getAssertions().get(0);
List<Attribute> attributes = assertion.getAttributeStatements().get(0).getAttributes();
String username = null;
for (Attribute attr : attributes) {
    List<XMLObject> attrvals = attr.getAttributeValues();
    if (attrvals.isEmpty()) {
        continue; // attribute sent without a value; nothing to read
    }
    if ("userName".equalsIgnoreCase(attr.getName())) {
        username = attrvals.get(0).getDOM().getTextContent(); // DOM is retained after unmarshalling
    }
    // ... other attributes (first name, last name, email) are read the same way
}
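The attribute loop above should only run on a response that has been checked first. The following is an added example (not TEAM IM's code or Oracle's) of the checks a callback handler applies before trusting any attribute: IDCS status, InResponseTo against the request ID saved at redirect time, the Destination, the XML signature against the IDCS signing certificate, the validity window and the audience. It assumes OpenSAML 3.x, that the response has already been unmarshalled into responseXmlObj, and that the IDCS signing certificate (taken from the IDCS application's metadata) is available as an X509Certificate; the SP entity ID and ACS URL are placeholders.

```java
import java.security.cert.X509Certificate;
import org.joda.time.DateTime;
import org.opensaml.core.xml.XMLObject;
import org.opensaml.saml.saml2.core.Assertion;
import org.opensaml.saml.saml2.core.Audience;
import org.opensaml.saml.saml2.core.AudienceRestriction;
import org.opensaml.saml.saml2.core.Conditions;
import org.opensaml.saml.saml2.core.Response;
import org.opensaml.saml.saml2.core.StatusCode;
import org.opensaml.saml.security.impl.SAMLSignatureProfileValidator;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.x509.BasicX509Credential;
import org.opensaml.xmlsec.signature.Signature;
import org.opensaml.xmlsec.signature.support.SignatureValidator;

/** Added example (assumes OpenSAML 3.x); not the original article's code. */
public class IdcsResponseValidator {

    // Placeholders: the SP entity ID and callback (ACS) URL as registered in IDCS
    static final String SP_ENTITY_ID = "https://PLACEHOLDER-sp/metadata";
    static final String ACS_URL = "https://PLACEHOLDER-sp/saml/callback";
    static final long CLOCK_SKEW_MS = 3 * 60 * 1000L;   // tolerance for clock drift between SP and IDCS

    /**
     * Returns the assertion whose attributes may be trusted, or throws.
     * expectedRequestId is the AuthnRequest ID stored in the session at redirect time;
     * idcsSigningCert is the IDCS signing certificate from the IDCS metadata.
     */
    public static Assertion validate(XMLObject responseXmlObj, String expectedRequestId,
                                     X509Certificate idcsSigningCert) throws Exception {
        Response response = (Response) responseXmlObj;

        // 1. IDCS must report success
        String status = response.getStatus().getStatusCode().getValue();
        if (!StatusCode.SUCCESS.equals(status)) {
            throw new SecurityException("IDCS status: " + status);
        }
        // 2. The response must answer the request this session actually sent
        if (expectedRequestId == null || !expectedRequestId.equals(response.getInResponseTo())) {
            throw new SecurityException("InResponseTo does not match the pending AuthnRequest");
        }
        // 3. It must have been addressed to our callback URL
        if (response.getDestination() != null && !ACS_URL.equals(response.getDestination())) {
            throw new SecurityException("Destination is not our ACS URL");
        }
        // 4. Exactly one assertion, covered by an IDCS signature
        if (response.getAssertions().size() != 1) {
            throw new SecurityException("expected exactly one assertion");
        }
        Assertion assertion = response.getAssertions().get(0);
        Signature sig = assertion.getSignature();
        if (sig == null) {
            sig = response.getSignature();   // IDCS may sign the whole Response instead of the Assertion
        }
        if (sig == null) {
            throw new SecurityException("neither Response nor Assertion is signed");
        }
        new SAMLSignatureProfileValidator().validate(sig);   // rejects malformed or relocated signatures
        Credential idcs = new BasicX509Credential(idcsSigningCert);
        SignatureValidator.validate(sig, idcs);              // throws SignatureException on failure

        // 5. Validity window and audience
        Conditions cond = assertion.getConditions();
        if (cond == null) {
            throw new SecurityException("assertion has no Conditions");
        }
        DateTime now = new DateTime();
        if (cond.getNotBefore() != null && now.plus(CLOCK_SKEW_MS).isBefore(cond.getNotBefore())) {
            throw new SecurityException("assertion not yet valid");
        }
        if (cond.getNotOnOrAfter() != null && !now.minus(CLOCK_SKEW_MS).isBefore(cond.getNotOnOrAfter())) {
            throw new SecurityException("assertion expired");
        }
        boolean audienceOk = false;
        for (AudienceRestriction ar : cond.getAudienceRestrictions()) {
            for (Audience a : ar.getAudiences()) {
                audienceOk |= SP_ENTITY_ID.equals(a.getAudienceURI());
            }
        }
        if (!audienceOk) {
            throw new SecurityException("assertion was not issued for this SP");
        }
        return assertion;
    }
}
```

The returned assertion is the one the attribute loop reads from. Two things the example leaves to the application: record each accepted assertion ID until its NotOnOrAfter passes so a replayed response is rejected, and load the IDCS signing certificate from the IDCS metadata rather than a hard-coded file so certificate rotation on the IDCS side does not break logins.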
Summary
Overall, integrating with Oracle IDCS provides many benefits, including