Tagged Oracle Identity Cloud Service

Oracle Kubernetes (OKE): Deploying a Custom Node.js Web Application Integrated with Identity Cloud Service for Unique Single Sign On (SSO) User Experience

In this post we are deploying a custom Node.js web application in Oracle Kubernetes Engine (OKE).

What we want to show is how to configure the custom web application in order to have a unique Single Sing On experience.

First part

Follow this tutorial here explaining how to enable SSO to the web app running locally

Second part

Now we are making small changes to deploy on kubernetes

Create a Dockerfile in the nodejs folder of the cloned project with the following:
FROM oraclelinux:7-slim
ADD . /app
RUN curl --silent --location https://rpm.nodesource.com/setup_11.x | bash -
RUN yum -y install nodejs npm --skip-broken
CMD ["npm","start"]
Create K8s deployment file as follows:
apiVersion: v1
kind: Service
name: idcsnodeapp
type: LoadBalancer
app: idcsnodeapp
- name: client
protocol: TCP
port: 3000
Deploy to k8s:
kubectl apply -f service.yaml
Grab the url of the new external load-balancer service created in k8s and modify the file auth.js with the appropriate values in your cloud environment
var ids = {
oracle: {
"ClientId": "client id of the IdCS app",
"ClientSecret": "client secret of the IdCS app",
"ClientTenant": "tenant id (idcs-xxxxxxxxxxxx)",
"IDCSHost": "https://tenantid.identity.oraclecloud.com",
"AudienceServiceUrl" : "https://tenantid.identity.oraclecloud.com",
"TokenIssuer": "https://identity.oraclecloud.com/",
"scope": "urn:opc:idm:t.user.me openid",
"logoutSufix": "/oauth2/v1/userlogout",
"redirectURL": "http://k8sloadbalancerip:3000/callback",
Build the container and push to a repo you have write access to, such as:
docker build -t javiermugueta/idcsnodeapp .
docker push javiermugueta/idcsnodeapp
Modify the IdCS application with the public IP of the k8s load-balancer service
Create k8s deployment file as follows:
apiVersion: apps/v1
kind: Deployment
name: idcsnodeapp
app: idcsnodeapp
replicas: 1
app: idcsnodeapp
type: Recreate
app: idcsnodeapp
- image: javiermugueta/idcsnodeapp
name: idcsnodeapp
- containerPort: 3000
name: idcsnodeapp

Deploy to k8s
kubectl apply -f  deployment.yaml
Test the app and verify SSO is working:

This slideshow requires JavaScript.

Hope it helps! 🙂


How to Secure User Access to Internet-Faced Cloud Solutions

internet screen security protection
Photo by Pixabay on Pexels.com

Suppose you are in charge for the security of a bank (CISO, CSO,…) that wants to control the access of users to the new ERP in the cloud that you are implementing.

There is a very simple and safe way to control which users access the environment.
Simply configure the Single Sign On of the cloud solution side so that the Service Provider is the ERP, and the Identity Provider is your on-premises identity management infrastructure.

How does it work?

When a user requests the url of the ERP, a login form hosted on the corporate servers appears, requesting the credentials. Since this form is deployed on-premises, only users connected to the corporate network (directly or via VPN) can access it.

Oracle Identity Cloud is always provisioned when you buy clod services and allows you to configure, among other things, the following:

  • federate users between the cloud and LDAP on premises without the need to store the password in the cloud
  • configure the SSO provided by the on-premises access system
  • configure several authentication factors (MFA) for administrators
  • define network perimeters (ranges of IP’s that can access the cloud)
  • define Risk Providers and Adaptative Security, which are mechanisms to evaluate the risk in user access actions
  • define Sign On policies, which are rules that apply in different way depending on the user roles (the more powered user the more strong rules to apply)
  • out of the box reports with login attempts and application access

In addition to the out of the box features that IDCS (Identity Cloud Service) mentioned above, Oracle provides CASB (Cloud Access Security Broker)

Enjoy 😉

Oracle IdCS Tips Part I: Create Users Programatically in Node.js for Oracle Cloud Services with the REST API in less than a Basketball Quarter Length

Oracle Cloud provides Identity Cloud Services (IdCS) as the identity provider (and more) for all the cloud services offered in the stack.


Ask your identity administrator to create a trusted application in IdCS with the settings as shown in the following screenshots:

This slideshow requires JavaScript.


Ask your IdCS administrator for the ClientID and secret values for the previously created application.



Test the following code changing the values in bold with your specific values:

// jmu, april 2018

var express = require('express');
var app = express();
var https = require('https');
var fs = require('fs');
// this data comes from your IdCS administrator
const client_id = "43tgh656uhdh67ur67ruth"
const secret = "4erte-b04e-49b3-be06-534gdfg"
const idcsHost = 'idcs-45a9gsdg7876eac2935dcbd62.identity.oraclecloud.com'
// the user you want to create
var userName = "alextorrijo";
var userMail = "alextorrijo@acme.com";;
var familyName = "torrijo";
var givenName = "alex"
var userJSONData = {
"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
"userName": userName,
"name": {
"familyName": familyName,
"givenName": givenName
"emails": [{
"value": userMail,
"type": "work",
"primary": true
var userData = JSON.stringify(userJSONData);
const tokenData = "grant_type=client_credentials&scope=urn:opc:idm:__myscopes__";
var token = ""
var credentials = Buffer.from(client_id + ":" + secret).toString('base64');
var token_options = {
host: idcsHost,
port: 443,
path: '/oauth2/v1/token',
method: 'POST',
headers: {
"Content-Type": "application/x-www-form-urlencoded",
"Authorization": "Basic "+ credentials,
"Accept": "application/json, text/plain, */*"
app.get('/', function (req, res) {
res.send('Hi!<br>/createUser is your choice!');
app.get('/createUser', function (req, res) {
var x = https.request(token_options,function(res){
token = JSON.parse(data).access_token;
fs.appendFile('logfile.log', token + '\r\n', function(err){;});
var create_user_options = {
host: idcsHost,
port: 443,
path: '/admin/v1/Users',
method: 'POST',
headers: {
"Content-Type": "application/scim+json",
"Authorization": "Bearer "+ token,
"Accept": "application/json, text/plain, */*"
var y = https.request(create_user_options,function(res){
fs.appendFile('logfile.log', data + '\r\n', function(err){;});
res.send('Usuario creado, mira <a href="https://idcs-sdfgwrgsfsdfgsdfg.identity.oraclecloud.com/ui/v1/adminconsole?root=users" target="_blank"> aqui </a>');
app.listen(3456, function () {
console.log('Example app listening on port 3456!');
Run the file:
node idcscreateuser.js

Open a browser:


Execute the createUser method:



Verify the user was created successfully.


Enjoy -)

Oracle Identity Cloud Service: “You cannot bookmark and access the /signin URL directly”

This message happens because you are requesting the sigin page directly while it is supposed that this page comes up as a challenge when you request s resource protected by IdCS in wich you are not logged in yet.

Solution: Request a resource protected by IdCS such as an application or this url <youridentitydomainurl>/ui/v1/myconsole. If you don’t have an application already registered and have administrative privileges try with <youridentitydomainurl>/ui/v1/ adminconsole

Enjoy 😉