TEAM IM Integrates Online Citizen Assistance Application with IDCS

Randy Sussner
Sep 23, 2021 4:58:26 PM

TEAM IM recently did an integration with Oracle Identity Cloud Service (IDCS) from our Modern UI for Oracle WebCenter Content. This integration was surprisingly easy and provided an elegant solution for registering and authenticating public users/citizens for City-provided services.

IDCS is a cloud-based user provisioning system that allows organizations to provision users outside their traditional user stores, such as Active Directory. One of its main benefits is that a named user can be created and granted the proper access to applications that are made available to the public or citizen user. In this manner the organization can easily implement the following items:

  • Self-registration - collecting the proper information to create a complete user object
  • Application permissions – granting proper access to the application
  • User data is kept separate from the organization’s internal user base

Oracle IDCS provides all of the items listed above. Further, IDCS allows the organization to define multiple applications, creating a logical separation for user provisioning. For example, a user can register in IDCS, and while this user object is global to the IDCS instance, the user can be granted access to one or more of the applications hosted by the organization. In our case our public sector customer, a City, had already provided citizen user access to online Utility bills and queries. The application we are deploying is a Utility Assistance Program where citizens struggling to pay their Utility bills can apply for various grants, rebates or other financial assistance programs. It is a large city, so there are potentially millions of citizen users.

There are many out-of-the-box integrations with IDCS (WebLogic SAML Federation, App Gateway, etc.), but the topic covered in this article is how we can integrate our Java application with the IDCS instance via code. This is accomplished in two steps:

Redirect to IDCS

First, the application determines whether the user needs to log in and obtain an application session. This applies to both new and existing users. To redirect to IDCS, obtain the following parameters:

  • IDCS URL: the URL to which the user is redirected for login
  • Callback URL: the URL to which IDCS redirects the user after login
  • Entity ID: the application as defined in IDCS

To redirect to IDCS, create an OpenSAML AuthnRequest and redirect to IDCS with it, specifying the parameters noted above.

import java.net.URLEncoder;
import java.util.UUID;
import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.saml2.core.Issuer;
import org.opensaml.saml2.core.impl.AuthnRequestBuilder;
import org.opensaml.saml2.core.impl.IssuerBuilder;

// Placeholders: substitute the values configured for your IDCS instance
String idcsUrl = "[IDCS URL]";          // IDCS single sign-on endpoint the user is redirected to
String callbackUrl = "[Callback URL]";  // where IDCS sends the user (and the SAML response) after login
String entityId = "[Entity ID]";        // this application as defined in IDCS
String relayState = "/home";            // where the application lands the user after the callback

AuthnRequestBuilder authnRequestBuilder = new AuthnRequestBuilder();
AuthnRequest authRequest = authnRequestBuilder.buildObject();
authRequest.setDestination(idcsUrl);
// The request ID must be a unique xs:ID; keep it in the session to check InResponseTo on the callback
authRequest.setID("_" + UUID.randomUUID());
authRequest.setAssertionConsumerServiceURL(callbackUrl);
authRequest.setIssueInstant(new DateTime());
authRequest.setForceAuthn(false);
authRequest.setIsPassive(false);

// The Issuer carries the entity ID of the application registered in IDCS
IssuerBuilder issuerBuilder = (IssuerBuilder) Configuration.getBuilderFactory().getBuilder(Issuer.DEFAULT_ELEMENT_NAME);
Issuer issuer = issuerBuilder.buildObject();
issuer.setValue(entityId);
authRequest.setIssuer(issuer);

// Get SAML request: marshal, DEFLATE and Base64-encode it for the HTTP-Redirect binding (helper not shown here)
String samlRequest = generateSAMLRequest(authRequest);

// Redirect the browser to the following URL; both query parameters are URL-encoded
String url = idcsUrl + "?SAMLRequest=" + URLEncoder.encode(samlRequest, "UTF-8") + "&RelayState=" + URLEncoder.encode(relayState, "UTF-8");


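The generateSAMLRequest helper called above is not shown in the article; the following is an added example (not the project's own code) of one way to implement it with OpenSAML 2 for the SAML 2.0 HTTP-Redirect binding: marshal the request to XML, raw-DEFLATE it and Base64-encode it. It assumes DefaultBootstrap.bootstrap() has already run; the class name is hypothetical.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.zip.Deflater;
import java.util.zip.DeflaterOutputStream;
import org.opensaml.Configuration;
import org.opensaml.saml2.core.AuthnRequest;
import org.opensaml.xml.io.Marshaller;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.util.Base64;
import org.opensaml.xml.util.XMLHelper;
import org.w3c.dom.Element;

// Hypothetical helper class (added example); requires DefaultBootstrap.bootstrap() to have run once
public final class RedirectBindingEncoder {

    // Produces the SAMLRequest query parameter value for the SAML 2.0 HTTP-Redirect binding
    public static String generateSAMLRequest(AuthnRequest authRequest) throws MarshallingException, IOException {
        // 1. Serialise the AuthnRequest object to its XML form
        Marshaller marshaller = Configuration.getMarshallerFactory().getMarshaller(authRequest);
        Element dom = marshaller.marshall(authRequest);
        byte[] xml = XMLHelper.nodeToString(dom).getBytes(StandardCharsets.UTF_8);

        // 2. Raw DEFLATE (RFC 1951, no zlib header): the binding mandates this, not gzip or zlib framing
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        Deflater deflater = new Deflater(Deflater.DEFAULT_COMPRESSION, true);
        try (DeflaterOutputStream dos = new DeflaterOutputStream(out, deflater)) {
            dos.write(xml);
        }
        deflater.end();

        // 3. Base64 on a single line; the caller still URL-encodes the result before placing it in the query string
        return Base64.encodeBytes(out.toByteArray(), Base64.DONT_BREAK_LINES);
    }
}
```

The redirect snippet above then URL-encodes the returned string as the SAMLRequest parameter.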
At this point the user has been redirected to IDCS, where they can log in as an existing user or create a new one. If creating a new user, the application defined in IDCS will collect any number of data elements, such as first and last name, email address, and any other pertinent information. This can be tailored to the application's needs. All information entered by the user is made available to the calling application upon callback.

Handle the callback

One of the parameters sent to IDCS is the callback URL. When IDCS has completed the user authentication it redirects back to the calling application via the callback URL. Included in the body of this request is all the information collected about the user. From here the application can do the following:

Create the user session

Using the response from IDCS, parse out all the user information and store it according to application requirements. This persists the user's session and makes all user information available for any further processing.

Process user data

Since we now have the user's information, the next step is to process it according to application requirements. Examples include:

  • Email – send the user an email from the application confirming access
  • Security – granting the user’s application permissions based on data returned from IDCS
  • User profile – implement a user profile within the application allowing the user to take appropriate actions against this data – add, edit, etc.

import java.util.List;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Attribute;
import org.opensaml.saml2.core.Response;
import org.opensaml.xml.XMLObject;

// responseXmlObj is the unmarshalled SAMLResponse that IDCS posted to the callback URL.
// Verify its signature, Destination, InResponseTo and Conditions before trusting any attribute in it.
Response samlresponse = (Response) responseXmlObj;
Assertion assertion = samlresponse.getAssertions().get(0);

// IDCS returns the registration data as SAML attributes on the first attribute statement
List<Attribute> attributes = assertion.getAttributeStatements().get(0).getAttributes();

String username = null;

for (Attribute attr : attributes) {
    List<XMLObject> attrvals = attr.getAttributeValues();
    if ("userName".equalsIgnoreCase(attr.getName()) && !attrvals.isEmpty()) {
        username = attrvals.get(0).getDOM().getTextContent();
    }
    ...   // other attributes (first name, last name, email) are read the same way
}

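The snippet above reads attributes straight out of the response; as an added example that goes beyond the article (it is not the project's code), here is a callback validator with OpenSAML 2 that decodes the POSTed SAMLResponse, checks the signature against the IDCS signing certificate, ties the response to the request via InResponseTo and Destination, enforces the assertion's validity window and audience, and only then returns the user attributes as a map. It assumes DefaultBootstrap.bootstrap() has run, that IDCS is configured to sign the Response and not to encrypt the assertion, and that the signing certificate was taken from the IDCS IdP metadata; the class and parameter names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import org.joda.time.DateTime;
import org.opensaml.Configuration;
import org.opensaml.saml2.core.*;
import org.opensaml.security.SAMLSignatureProfileValidator;
import org.opensaml.xml.parse.BasicParserPool;
import org.opensaml.xml.security.x509.BasicX509Credential;
import org.opensaml.xml.signature.SignatureValidator;
import org.opensaml.xml.util.Base64;
import org.w3c.dom.Element;

// Hypothetical helper (added example); assumes DefaultBootstrap.bootstrap() has run and IDCS signs the Response
public final class CallbackValidator {
    // Decodes the POSTed SAMLResponse, verifies it, and returns the attributes IDCS collected about the user
    public static Map<String, String> validateAndExtract(String samlResponseB64, X509Certificate idcsSigningCert,
            String expectedRequestId, String callbackUrl, String entityId) throws Exception {
        BasicParserPool parser = new BasicParserPool();   // namespace-aware by default
        Element root = parser.parse(new ByteArrayInputStream(Base64.decode(samlResponseB64))).getDocumentElement();
        Response response = (Response) Configuration.getUnmarshallerFactory().getUnmarshaller(root).unmarshall(root);
        // 1. Signature: present, well formed, and made with the IDCS signing certificate from the IdP metadata
        if (response.getSignature() == null) throw new SecurityException("SAML response is not signed");
        new SAMLSignatureProfileValidator().validate(response.getSignature());
        BasicX509Credential idcs = new BasicX509Credential();
        idcs.setEntityCertificate(idcsSigningCert);
        new SignatureValidator(idcs).validate(response.getSignature());
        // 2. Status, Destination and InResponseTo bind the response to the request this application sent
        if (!StatusCode.SUCCESS_URI.equals(response.getStatus().getStatusCode().getValue())) throw new SecurityException("login failed");
        if (!callbackUrl.equals(response.getDestination())) throw new SecurityException("wrong Destination");
        if (!expectedRequestId.equals(response.getInResponseTo())) throw new SecurityException("unexpected InResponseTo");
        // 3. Assertion validity window (2 minutes of clock skew allowed) and audience
        Assertion assertion = response.getAssertions().get(0);
        Conditions cond = assertion.getConditions();
        DateTime now = new DateTime();
        if (cond.getNotBefore() != null && now.plusMinutes(2).isBefore(cond.getNotBefore())) throw new SecurityException("not yet valid");
        if (cond.getNotOnOrAfter() != null && !now.minusMinutes(2).isBefore(cond.getNotOnOrAfter())) throw new SecurityException("expired");
        boolean audienceOk = false;
        for (AudienceRestriction ar : cond.getAudienceRestrictions())
            for (Audience a : ar.getAudiences()) audienceOk |= entityId.equals(a.getAudienceURI());
        if (!audienceOk) throw new SecurityException("assertion not addressed to this application");
        // 4. Only now read the attributes (userName, first/last name, email, ...) into a map
        Map<String, String> attrs = new HashMap<>();
        for (AttributeStatement st : assertion.getAttributeStatements())
            for (Attribute a : st.getAttributes())
                if (!a.getAttributeValues().isEmpty()) attrs.put(a.getName(), a.getAttributeValues().get(0).getDOM().getTextContent());
        return attrs;
    }
}
```

The expectedRequestId is the ID generated for the AuthnRequest and kept in the session during the redirect step.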

Summary

Overall, integrating with Oracle IDCS provides many benefits, including:

  • Secure public access to an application
  • Public users are kept separate from the organization’s internal user store
  • Easy code integration to redirect the user and receive a response with all information populated
