> ## Documentation Index
> Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# Set up an Oracle IDCS connector
> C1 provides identity governance for Oracle Identity Cloud Service (IDCS). Integrate your Oracle IDCS instance with C1 to run user access reviews (UARs) and enable just-in-time access requests.
**Looking for Oracle WACS or Oracle CCS?** You're in the right place! Use this connector to sync access data from and provision access to Oracle apps including Work and Asset Cloud Service (Oracle WACS) and Customer Cloud Service (Oracle CCS).
## Capabilities
| Resource | Sync | Provision |
| :---------------- | :-------------------------------------------------------------- | :---------------------------------------------------------------- |
| Accounts | | |
| Groups | | |
| Applications | \* | \*\* |
| Application roles | \* | \*\* |
The Oracle IDCS connector supports [automatic account provisioning and deprovisioning](/product/admin/account-provisioning).
The connector also supports **account lifecycle actions** (enable and disable account) and **attribute push** to update user profile fields directly from C1.
\*You must opt into syncing application and application role data; these are not synced by default.
\*\*Application access and application roles that are inherited via group membership cannot be deprovisioned using C1.
## Actions
The Oracle IDCS connector supports account lifecycle actions and attribute push.
The OAuth2 confidential application in Oracle IDCS must have the **Identity Domain Administrator** role to perform any of the actions described in this section.
### Account lifecycle actions
Use the **Automation** tab on the Oracle IDCS connector page in C1 to enable or disable user accounts:
| Action | Description |
| :-------------- | :----------------------------------------------- |
| Enable account | Activates a deactivated Oracle IDCS user account |
| Disable account | Deactivates an active Oracle IDCS user account |
Both actions use SCIM PATCH to toggle the `active` field on the target user.
### Attribute push
The connector supports pushing updates to the following user profile fields directly from a user's profile page in C1:
* First Name
* Last Name
* Display Name
* Email
To push an attribute, navigate to an Oracle IDCS user's profile in C1 and use the **Push Attribute** option. Updates are applied via SCIM PATCH.
Email updates append the new address as a work email rather than replacing the existing emails array.
## Performance considerations
1. **API Latency for Grant Operations**: The Oracle IDCS API has inherent latency when creating grants (assigning access to applications or application roles). Due to this latency, we recommend avoiding performing rapid grant and revoke operations in quick succession, as this may result in failures or inconsistent states. Allow sufficient time between operations to ensure the API has completed processing the previous request before initiating the next one.
2. **Rate Limiting**: The connector implements rate limiting to respect Oracle IDCS API limits. If you encounter rate limiting errors, the connector will automatically retry with appropriate backoff strategies.
## Gather Oracle IDCS credentials
Configuring the connector requires you to pass in credentials generated in Oracle IDCS. Gather these credentials before you move on.
A user with the **Identity Domain Administrator** or **Application Administrator** in Oracle IDCS must perform this task.
To use account lifecycle actions or attribute push, the confidential application must be assigned the **Identity Domain Administrator** role (not just Identity Domain Auditor).
### Create a confidential application
In the Oracle Cloud Infrastructure console, navigate to **Identity & Security** > **Identity** and click **Domains**.
Select the appropriate domain. Your Oracle IDCS API Base Domain is the Domain URL shown on this page (for example, [https://idcs-xxxxxxxx.identity.oraclecloud.com](https://idcs-xxxxxxxx.identity.oraclecloud.com)).
In the domain's navigation menu, click **Integrated applications**.
Click **Add application**, select **Confidential application**, and then click **Launch workflow**.
Enter a name for the application, such as "C1", then click **Next**.
On the **OAuth Configuration** page, click **Edit OAuth configuration** and select **Configure this application as a client**.
For **Allowed GrantTypes**, check **Client Credentials**.
Scroll down to the **Token issuance policy** section and click **+ Add app role**.
Select a role that has permission you want to give to the integration (see below), then click **Add**.
To enable syncing (read-only), a role with read-only access to users and groups, like **Identity Domain Auditor**, is sufficient. To enable provisioning (read-write) or to use account lifecycle actions and attribute push, the application needs a role with write permissions for users and groups, such as **Identity Domain Administrator**, which includes the Users - Manage and Groups - Manage permissions.
Click **Submit**.
The **OAuth Configuration** page will display the **Client ID** (`api-access-id`) and **Client Secret** (`api-access-secret`). Carefully copy and save these credentials.
Activate the application using the **Actions** button in the top right, then click **Activate**.
**Done.** Next, move on to the connector configuration instructions.
## Configure the Oracle IDCS connector
To complete this task, you'll need:
* The **Connector Administrator** or **Super Administrator** role in C1
* Access to the set of Oracle IDCS credentials generated by following the instructions above
**Follow these instructions to use a built-in, no-code connector hosted by C1.**
In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
Search for **Oracle IDCS** and click **Add**.
Choose how to set up the new Oracle IDCS connector:
* Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
* Add the connector to a managed app (select from the list of existing managed apps)
* Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
Click **Next**.
Find the **Settings** area of the page and click **Edit**.
Enter the Client ID and Client secret into the **Access ID** and **Access key** fields.
Enter the your Oracle ICDS base domain into the **Base domain for API** field.
**Optional.** Click **Sync apps and roles** if you want to opt into syncing application and application role data.
If you want to sync data from apps such as Oracle WACS or Oracle CCS, make sure to opt in.
Click **Save**.
The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
**Done.** Your Oracle IDCS connector is now pulling access data into C1.
**Follow these instructions to use the Oracle IDCS connector, hosted and run in your own environment.**
When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.
### Resources
[Contact C1's support team](mailto:support@c1.ai) to download the latest version of the connector.
### Step 1: Set up a new Oracle IDCS connector
In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
Search for **Baton** and click **Add**.
Choose how to set up the new Oracle IDCS connector:
* Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
* Add the connector to a managed app (select from the list of existing managed apps)
* Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
Click **Next**.
In the **Settings** area of the page, click **Edit**.
Click **Rotate** to generate a new Client ID and Secret.
Carefully copy and save these credentials. We'll use them in Step 2.
### Step 2: Create Kubernetes configuration files
Create two Kubernetes manifest files for your Oracle IDCS connector deployment:
#### Secrets configuration
```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# baton-oracle-idcs-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
name: baton-oracle-idcs-secrets
type: Opaque
stringData:
# C1 credentials
BATON_CLIENT_ID:
BATON_CLIENT_SECRET:
# Oracle IDCS credentials
BATON_API_ACCESS_ID:
BATON_API_ACCESS_SECRET:
BATON_API_BASE_DOMAIN:
# Optional: include if you want C1 to provision access using this connector
BATON_PROVISIONING: true
# Optional: include if you want C1 to sync application and application role data
BATON_SYNC_APPS_AND_ROLES: true
```
See the connector's README or run `--help` to see all available configuration flags and environment variables.
#### Deployment configuration
```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# baton-oracle-idcs.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: baton-oracle-idcs
labels:
app: baton-oracle-idcs
spec:
selector:
matchLabels:
app: baton-oracle-idcs
template:
metadata:
labels:
app: baton-oracle-idcs
baton: true
baton-app: oracle-idcs
spec:
containers:
- name: baton-oracle-idcs
image: ghcr.io/conductorone/baton-oracle-idcs:latest
imagePullPolicy: IfNotPresent
env:
- name: BATON_HOST_ID
value: baton-oracle-idcs
envFrom:
- secretRef:
name: baton-oracle-idcs-secrets
```
### Step 3: Deploy the connector
Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the Oracle IDCS connector to. Oracle IDCS data should be found on the **Entitlements** and **Accounts** tabs.
**Done.** Your Oracle IDCS connector is now pulling access data into C1.