IDCS Applications & Groups

Photo by Chang Duong on Unsplash

IDCS Applications & Groups

Scott Spendolini's photo
Scott Spendolini
ยท

7 min read

๐Ÿ•ต
This article is part of a series called "Who Are You?". View all articles in the series here.

Navigating to the IDCS Console

IDCS has its own console - unlike IAM, whose console is integrated into the OCI Console. Thus, finding it is a little tricky.

  1. From the OCI Cloud Console main page, select the "hamburger" menu and click Identity & Security.

  2. Under the Identity heading, click Federation.

  3. Click OracleIdentityCloudService.

  4. Next, click the URL next to Oracle Identity Cloud Service Console to activate the IDCS Console. It will open up in a new window and looks like this:

Creating an Application in IDCS

The first thing we'll need to do is create an application. This will map to our APEX application and provide both AuthN and AuthZ services.

  1. From the "hamburger" menu, select Applications.

  2. Click Add.

  3. Click Confidential Application.

  4. Enter IDCS Demo for the Name.

  5. Enter the application's home page as the Application URL.

  6. Click Next.

  7. Select Configure this application as a client now

  8. Check the box for Authorization Code

  9. Enter the following for the Redirect URL, replacing [your-apex-server-name] with your actual APEX server name:

    https://[your-apex-server-name]/ords/apex_authentication.callback

  10. Enter the URL to your APEX application for the Post Logout Redirect URL. This URL should not include anything after the word "home".

  11. Click Next.

  12. Ensure Skip for later is selected and click Next.

  13. Ensure Skip for later is selected and click Next again.

  14. Click Finish.

On the next page, the Client ID & Client Secret will be displayed. Make note of these as we will need them to create a Web Credential in APEX.

  1. Once you dismiss the window with the credentials, be sure to click Activate to activate your application.

Integrating an IDCS Application with APEX

Let's switch back to APEX and configure our application to talk to IDCS. We'll start by creating the web credential that will store the Client ID & Secret.

  1. Edit the Shared Components of your APEX application.

  2. Click Credentials.

  3. Click Create.

  4. Enter IDCS for both the name and Static ID and then paste in your Client ID and Client Secret into the corresponding fields and click Create.

Next, we'll create a new Authentication Scheme and make it current.

  1. Edit the Shared Components of your APEX application.

  2. Click Authentication Schemes.

  3. Click Create.

  4. Click Next.

  5. Set or enter the following values:
    Notice: for the Discovery URL, replace [xxx] with the first portion of the URL from the IDCS console. It will look something like this:
    idcs-daef12b436e472f3b6aa4ddf463e5760

Name

IDCS

Scheme Type

Social Sign-In

Credential Store

IDCS

Authentication Provider

OpenID Connect Provider

Discovery URL

https://[xxx].identity.oraclecloud.com/.well-known/openid-configuration/

Scope

profile,groups

Username

#sub#

Additional User Attributes

groups

  1. Click Create Authentication Scheme.

At this point, the integration is technically set up, but there are a few more things we want to change in the APEX Authentication Scheme to make things smoother - such as being able to read IDCS groups and provide a proper logout URL.

  1. Edit the IDCS - Current Authentication Scheme.

  2. Enter the following code in the PL/SQL Code field under Source:

procedure group_setup
as  
  l_this_group_name varchar2(255);
  l_group_count number;
  l_group_membership_list apex_t_varchar2;
begin
  l_group_count := apex_json.get_count('groups');
  if l_group_count is not null then
    for i in 1..l_group_count
    loop
      l_this_group_name := apex_json.get_varchar2(p_path => 'groups[%d].name', p0 => i);
      apex_string.push(p_table => l_group_membership_list, p_value => l_this_group_name);
    end loop;
    apex_authorization.enable_dynamic_groups(p_group_names => l_group_membership_list);
  end if;
end group_setup;

  1. In the Login Processing region, enter group_setup for the Post-Authentication Procedure Name.

  2. In the Post-Logout URL section, set Go To to URL and enter the application URL in the URL field. This is the same value that was entered into the IDCS Application and should end with /home.

  3. Click Apply Changes.

We need to make one last change. This will allow the APEX Authorization Scheme "is in Role or Group" to look at the Dynamic Groups that IDCS populates.

  1. Edit the Shared Components of your APEX application.

  2. Click Security Attributes.

  3. In the Authorization region, set Source for Role of Group Schemes to Custom Code.

At this point, you should be able to run your APEX application and use your IDCS credentials to log in successfully.

Viewing Dynamic Group Membership

Before we start to integrate groups, let's add a simple report on Page 1 of our application. This report will return the list of groups that IDCS sends back to APEX. Displaying this list will be helpful when troubleshooting/developing your integration between APEX & IDCS.

  1. Edit Page 1 of your application.

  2. Create a new Classic Report region.

  3. Use the following SQL as the source of the report:

select WORKSPACE_ID,
       WORKSPACE_NAME,
       WORKSPACE_DISPLAY_NAME,
       APEX_SESSION_ID,
       USER_NAME,
       GROUP_NAME
  from APEX_WORKSPACE_SESSION_GROUPS
 where apex_session_id = :APP_SESSION
  1. Log out and then log in to your application to see the values populated in the report. Note that some of them could be non-APEX related, as IDCS is shared across all of OCI.

Integrating IDCS Groups with APEX

Next, we'll create a group in IDCS and integrate that with APEX. Since we've done most of the groundwork already, this won't take long at all.

  1. Login to the IDCS Console.

  2. Click on the "hamburger" menu and select Groups.

  3. Click Add.

  4. Enter users for the Name and click Finish.

  5. Click on the Users tab.

  6. Click Assign Users.

  7. Select your user and click OK.

  8. Click on the Access tab.

  9. Click Assign Applications.

  10. Select IDCS Demo by clicking Assign.

  11. Click OK.

If you switch back to your APEX application and log out and then log in again, you should see a row that contains the group users, as well as any other groups your user belongs to.

While in APEX, let's map an Authorization Scheme to this group.

  1. Edit the Shared Components of your application.

  2. Click Authorization Schemes.

  3. Click Create.

  4. Select From Scratch and click Next.

  5. Enter or select the following options:

Name

users

Scheme Type

Is In Role or Group

Type

Custom

Name(s)

users

Validate Authorization Scheme

Oner per page view

  1. Click Create Authorization Scheme.

Now that we have a new Authorization Scheme mapped to IDCS, let's associate it with a new region.

  1. Edit Page 1 of your application.

  2. Create a new Static Content region called Users.

  3. In the Security section, set the Authorization Scheme to users.

  4. Save your changes and run Page 1.

Since your user is in the users group on IDCS, you should see this new region called Users.

Next, let's revoke the Users group from your user on IDCS.

  1. Switch to the IDCS Console.

  2. From the "hamburger" menu, select Groups.

  3. Select Users.

  4. Click on the Users tab.

  5. Select your user and click on the Revoke button.

  6. Click OK to confirm the removal.

Switch back to APEX, log out and log back in, and you should no longer see the Users region.

This technique can be used to create any number of roles and associate them with any APEX component. It's as easy as creating an Authorization Scheme that points to the corresponding IDCS role.

Controlling Application Access

As it stands, any authenticated user in your IDCS stripe will be able to access the APEX application that we integrated. This is because APEX is merely checking to ensure that the user has a valid IDCS session and nothing else.

In many cases, we will want to restrict access to a sub-set of users. Fortunately, that's trivial to do with IDCS.

  1. Switch to the IDCS Console.

  2. From the "hamburger" menu, select Applications.

  3. Select IDCS Demo.

  4. Select the Configuration tab.

  5. Expand the Authentication and Authorization section.

  6. Check the box next to Enforce Grants as Authorization.

  7. Click Save.

Remove your user from any role associated with this application, and then sign out and sign in again. You should see the following message:

Summary

It's pretty trivial to create an application and groups in IDCS and map them to your Oracle APEX applications. This keeps access control consolidated in a single place that is monitored and logged automatically. It also ensures that APEX applications are seen as on par with other commercial SaaS applications when it comes to integration.

Next up: Multi-Factor Authentication

ApexOracleOCIidentity-management
ย