Identity provisioning overview
User records can be provisioned from or to external identity repositories by using Identity Management feeds.
Cloud Identity Service can interface with many types of identity repositories, such as Active Directory, LDAP v3, relational databases, SOAP services, Message Queue, and SAP. Users can be automatically added to, modified in, and deleted from Cloud Identity Service through integration with these other identity repositories by defining an inbound connection. Users can be added to, modified in, and deleted from external repositories by using an outbound connection.
Identity repositories
Identity data might be kept in many different systems throughout your organization. These systems are referred to as identity repositories. Each repository might contain different types of identity data. For example, some might contain simple account-related data to be used by a specific application, such as an SQL database. Other identity repositories might contain more comprehensive identity data that is meaningful to various systems, like Oracle PeopleSoft. The data in these repositories is composed of identity attributes. Identity attributes identify users and make up user records. For example, a user record might be composed of a user name, given name, surname, email address, and job role. Cloud Identity Service acts as an Identity Management (IDM) system by using its identity provisioning capabilities to keep identity data accurate, consistent, and current between the different repositories in your organization.
Feed management
As repositories are integrated with Cloud Identity Service, defining how to connect to these systems and how to provision identity data between them is key to keeping the repositories synchronized. Feed management enables identity data, such as attributes, groups, roles, and account information, to flow between your other identity repositories and Cloud Identity Service.
An IDM system can be thought of as a hub-and-spoke model. Cloud Identity Service sits in the middle of all your identity repositories as the hub. Identity data flows into and out of Cloud Identity Service, from and to your other identity repositories. Data that flows from an identity repository to Cloud Identity Service is inbound, while data that flows out of Cloud Identity Service to a repository is outbound. A feed is defined by the following information.
- Connection information. Connection information determines how and when Cloud Identity Service connects to a repository, and how to parse and interpret information from that repository.
- Provisioning policy. A master provisioning policy determines under what circumstances Cloud Identity Service transmits or receives identity data to or from a repository. Provisioning policies also determine what data to ignore.
- Attribute and group mapping information. Attributes and groups in different identity repositories do not use the same naming conventions. Identity attributes can be mapped between the different repositories to the information contained in Cloud Identity Service. The mapping functions of Cloud Identity Service Identity Management feeds allow simple and complex mapping logic, including mapping between groups.
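The three parts of a feed described above (parsing a repository's records, applying a provisioning policy, and mapping attributes and groups to the hub's names) can be illustrated with a small inbound reconciliation. This is an added example, not Cloud Identity Service code or a Template Assembly Line; the AD-style attribute names, the group DNs, the `userAccountControl` disable bit and the sample records are all constructed for the illustration.

```python
ATTRIBUTE_MAP = {  # source attribute -> hub attribute (constructed mapping)
    "sAMAccountName": "userName", "givenName": "givenName", "sn": "surname",
    "mail": "email", "title": "jobRole",
}
GROUP_MAP = {  # source group DN -> hub group name (constructed mapping)
    "CN=Finance,OU=Groups,DC=example,DC=com": "finance",
    "CN=Admins,OU=Groups,DC=example,DC=com": "admins",
}
ACCOUNTDISABLE = 0x2  # userAccountControl bit used by the constructed source

def policy_allows(record):
    """Provisioning policy: ignore disabled accounts and records with no email."""
    if record.get("userAccountControl", 0) & ACCOUNTDISABLE:
        return False
    return bool(record.get("mail"))

def map_record(record):
    """Translate one source record into the hub's attribute and group names."""
    hub = {ATTRIBUTE_MAP[k]: v for k, v in record.items() if k in ATTRIBUTE_MAP}
    hub["email"] = hub.get("email", "").lower()  # normalise before comparing
    # Groups with no mapping are dropped instead of being provisioned verbatim.
    hub["groups"] = sorted(GROUP_MAP[g] for g in record.get("memberOf", []) if g in GROUP_MAP)
    return hub

def reconcile(source_records, hub_records):
    """Return (adds, modifies, deletes) that bring the hub in line with the source."""
    wanted = {r["userName"]: r for r in map(map_record, filter(policy_allows, source_records))}
    adds = [r for u, r in wanted.items() if u not in hub_records]
    modifies = [r for u, r in wanted.items() if u in hub_records and hub_records[u] != r]
    deletes = [u for u in hub_records if u not in wanted]
    return adds, modifies, deletes

# Constructed sample data: an AD-style inbound feed and the hub's current records.
SOURCE = [
    {"sAMAccountName": "asmith", "givenName": "Ann", "sn": "Smith", "mail": "Ann.Smith@Example.com",
     "title": "Analyst", "memberOf": ["CN=Finance,OU=Groups,DC=example,DC=com"], "userAccountControl": 512},
    {"sAMAccountName": "bjones", "givenName": "Bob", "sn": "Jones", "mail": "bob@example.com",
     "title": "Admin", "memberOf": ["CN=Admins,OU=Groups,DC=example,DC=com"], "userAccountControl": 514},
    {"sAMAccountName": "cdoe", "givenName": "Cy", "sn": "Doe", "mail": "cy.doe@example.com",
     "title": "Intern", "memberOf": [], "userAccountControl": 512},
]
HUB = {
    "asmith": {"userName": "asmith", "givenName": "Ann", "surname": "Smith", "email": "ann.smith@example.com",
               "jobRole": "Engineer", "groups": ["finance"]},
    "bjones": {"userName": "bjones", "givenName": "Bob", "surname": "Jones", "email": "bob@example.com",
               "jobRole": "Admin", "groups": ["admins"]},
}
if __name__ == "__main__":
    print(reconcile(SOURCE, HUB))  # asmith modified, cdoe added, bjones deleted
```

Running it shows one modify (asmith's job role changed), one add (cdoe), and one delete (bjones, whose account is disabled and so fails the policy); an outbound feed would apply the same mapping in reverse.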
Assembly Lines
In Cloud Identity Service, Identity Management feeds are called Assembly Lines. Assembly Lines are configured during the initial setup of Cloud Identity Service for your organization. Assembly Lines are defined by using Template Assembly Lines (TALs). Each TAL contains a number of configurable options for connections.