Introduction

Oracle Sales Cloud provides web services as one of many mechanisms to integrate with and extend Sales Cloud in Oracle Applications Cloud Services. The web services are typically based on business objects and allow the caller to perform operations on those objects. For example, the Account Service can be used to perform a find operation that identifies accounts matching a search criterion, or to update a field such as the address on a particular account. These web services can be accessed by custom applications deployed on Oracle PaaS (Platform as a Service), such as Java Cloud Service - SaaS Extension (JCS-SX), to access data residing in Sales Cloud.

Oracle SaaS (Software as a Service) extensions also enable Sales Cloud to call a web service deployed in Oracle PaaS, thereby using the capabilities built into the custom applications.

Oracle PaaS

Oracle PaaS (JCS-SX in particular) enables customers and partners to extend their Oracle SaaS applications and provide custom functionality to address their specific business needs.

Oracle SaaS comes with tools that allow you to customize and extend the applications. These tools can be used to add new UI elements, add validations, enrich the data model, and create interfaces with external applications.

Customizations and extensions for SaaS applications can be built using the capabilities offered by the PaaS platform.

This blog focuses on the options available for web service authentication when integrating Oracle Sales Cloud with Oracle PaaS (JCS-SX).

Service Association between Oracle Sales Cloud and JCS-SX

Pre-wired security

Oracle Sales Cloud and PaaS instances in the same identity domain (such as JCS-SX) are automatically enabled for SSO, with Oracle Sales Cloud acting as the identity provider.

Oracle Sales Cloud and JCS-SX instances in the same identity domain can be associated. Association enables SAML-based identity propagation for web service interactions between Oracle Sales Cloud and JCS-SX. Please refer to Security Strategies for JCS-SX and Sales Cloud interactions for more information on the authentication and authorization options for interactions between JCS-SX and Oracle Sales Cloud.

Types of Authentication

Authentication of web service requests between associated services is provided by the Oracle Web Services Manager (OWSM) framework. The following mechanisms can be used to authenticate user identity between the service calls:

Username Token (UNT)

The username token is the simplest of the authentication techniques and is supported by most third-party clients.

  • The client sends the username and password to the web service
  • Useful when a client needs to connect to a web service with an identifier that differs from the actual user name
  • The password must be made available to the client in the credential store

Security Assertion Markup Language (SAML) Token

The client sends a SAML assertion containing the user name to the service provider.

  • The client constructs the SAML assertion, so the server needs to be set up to trust the client
  • Useful for identity propagation where a particular user has already authenticated to the client and the client needs to propagate this user to the web service without knowing the user's password
  • Should not be used when the clients are completely outside the domain (e.g. an end user's desktop)

JSON Web Token (JWT)

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

  • Because a JWT is compact, it can be sent in a URL, as a POST parameter, or inside an HTTP header, and its transmission is fast
  • The payload carries all the required information about the user, so the database does not have to be queried more than once
  • JWTs can be signed using a secret (with an HMAC algorithm) or with a public/private key pair using RSA
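The last bullet says a JWT can be signed with a shared secret using HMAC. The following added example (not code from the original post or from Oracle) issues and verifies an HS256 JWT using only JDK classes, so that the steps a receiving service must perform before trusting the payload are visible: a pinned algorithm, a constant-time signature comparison and an expiry check. The secret, subject and claim layout are constructed for the demo and are not values from any real deployment.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class Hs256JwtDemo {

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    // Constructed demo secret. A real issuer keeps the secret in the credential store.
    private static final byte[] SECRET =
        "demo-shared-secret-change-me".getBytes(StandardCharsets.UTF_8);

    // HMAC-SHA256 over the "header.payload" signing input
    static byte[] hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    // Issue a token naming the subject and an expiry time (seconds since the epoch)
    static String issue(byte[] key, String subject, long expEpochSeconds) throws Exception {
        String header = B64.encodeToString(
            "{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = B64.encodeToString(
            ("{\"sub\":\"" + subject + "\",\"exp\":" + expEpochSeconds + "}")
                .getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + payload;
        return signingInput + "." + B64.encodeToString(hmac(key, signingInput));
    }

    // Verify signature and expiry. Returns the payload JSON when the token can be
    // trusted, otherwise null. The algorithm is pinned to HS256 so the header of an
    // incoming token cannot switch verification to a weaker scheme.
    static String verify(byte[] key, String token, long nowEpochSeconds) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) return null;
        String headerJson, payloadJson;
        byte[] providedSig;
        try {
            headerJson = new String(B64D.decode(parts[0]), StandardCharsets.UTF_8);
            payloadJson = new String(B64D.decode(parts[1]), StandardCharsets.UTF_8);
            providedSig = B64D.decode(parts[2]);
        } catch (IllegalArgumentException malformed) {
            return null;
        }
        if (!headerJson.contains("\"alg\":\"HS256\"")) return null;
        byte[] expectedSig = hmac(key, parts[0] + "." + parts[1]);
        if (!MessageDigest.isEqual(expectedSig, providedSig)) return null; // constant-time compare
        long exp = extractExp(payloadJson);
        if (exp < 0 || nowEpochSeconds >= exp) return null;                // reject expired tokens
        return payloadJson;
    }

    // Minimal "exp" claim extractor for the fixed payload shape produced by issue();
    // a real service would use a JSON parser.
    private static long extractExp(String payloadJson) {
        int i = payloadJson.indexOf("\"exp\":");
        if (i < 0) return -1;
        int start = i + 6, end = start;
        while (end < payloadJson.length() && Character.isDigit(payloadJson.charAt(end))) end++;
        return end == start ? -1 : Long.parseLong(payloadJson.substring(start, end));
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis() / 1000;
        String token = issue(SECRET, "sales.user@example.com", now + 300);
        System.out.println("accepted while valid:  " + (verify(SECRET, token, now) != null));
        System.out.println("rejected once expired: " + (verify(SECRET, token, now + 600) == null));
        // Swap in a different payload: the signature no longer matches, so it is rejected
        String[] p = token.split("\\.");
        String altered = p[0] + "." + B64.encodeToString(
            "{\"sub\":\"other.user\",\"exp\":9999999999}".getBytes(StandardCharsets.UTF_8)) + "." + p[2];
        System.out.println("rejected when altered: " + (verify(SECRET, altered, now) == null));
    }
}
```

The point of the verify method is that the payload is only read after the signature has been checked against the key the service already holds, and the algorithm is taken from the service's configuration rather than from the token. The same three checks apply when an RSA key pair is used; only the Mac call changes to a Signature verification with the issuer's public key.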

Invoke Oracle Sales Cloud Web Services from JCS-SX

Authentication

When JCS-SX invokes Oracle Sales Cloud web services, the associated services have SAML trust pre-established by Oracle. Oracle Sales Cloud can use UNT, SAML or JWT for authentication and authorization with the JCS-SX application.

Configuring Service Client

Assuming that SalesPartyService is a web service proxy used to invoke the Sales Party web service defined in Oracle Sales Cloud, the following code snippets illustrate the client-side security policy configuration required for UNT and SAML respectively.


UNT

    import java.util.List;
    import javax.xml.ws.BindingProvider;
    import com.sun.xml.ws.developer.WSBindingProvider;
    import weblogic.wsee.jws.jaxws.owsm.SecurityPolicyFeature;

    // Attach the OWSM username-token-over-SSL client policy to the generated proxy
    SecurityPolicyFeature[] securityFeatures = new SecurityPolicyFeature[] {
        new SecurityPolicyFeature("oracle/wss_username_token_over_ssl_client_policy") };
    SalesPartyService_Service salesPartyService_Service = new SalesPartyService_Service();
    SalesPartyService salesPartyService =
        salesPartyService_Service.getSalesPartyServiceSoapHttpPort(securityFeatures);

    // With wss_username_token_over_ssl_client_policy, provide the username/password
    WSBindingProvider wsbp = (WSBindingProvider) salesPartyService;
    wsbp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, "your_sales_cloud_user_name");
    wsbp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, "your_sales_cloud_password");

    FindSalesParty fSalesParty = new FindSalesParty();
    fSalesParty.setFindCriteria(findCriteria);   // findCriteria is built earlier by the caller
    List<SalesParty> salesParties = null;        // element type as generated from the SalesPartyService WSDL
    try {
        salesParties = salesPartyService.findSalesParty(fSalesParty).getResult();
    } catch (Exception e) {
        e.printStackTrace();
    }

Note: The code snippet above specifies the user name and password in clear text for simplicity. Use the Oracle Credential Store Framework (CSF) to manage credentials securely.
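The note above recommends the Credential Store Framework. The following added example (not the post's own code) rewires the UNT client set-up so that the Sales Cloud user name and password are read from the OPSS credential store at runtime rather than hard-coded. It assumes the generated SalesPartyService and SalesPartyService_Service proxies from the snippet above and a CSF entry stored under the map oracle.wsm.security with the key sales.cloud.unt; the key name is an assumption you would replace with the one created in your own JCS-SX domain.

```java
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import javax.xml.ws.BindingProvider;
import com.sun.xml.ws.developer.WSBindingProvider;
import oracle.security.jps.JpsContext;
import oracle.security.jps.JpsContextFactory;
import oracle.security.jps.service.credstore.CredentialStore;
import oracle.security.jps.service.credstore.PasswordCredential;
import weblogic.wsee.jws.jaxws.owsm.SecurityPolicyFeature;

public class CsfBackedSalesPartyClient {

    // Assumed CSF location of the Sales Cloud service account; adjust to your domain
    private static final String CSF_MAP = "oracle.wsm.security";
    private static final String CSF_KEY = "sales.cloud.unt";

    // Look up the PasswordCredential stored under CSF_MAP/CSF_KEY. The lookup runs
    // in a privileged block because reading the store requires CredentialAccessPermission
    // when the Java security manager is enabled on the server.
    static PasswordCredential readCredential() throws Exception {
        return AccessController.doPrivileged(new PrivilegedExceptionAction<PasswordCredential>() {
            public PasswordCredential run() throws Exception {
                JpsContext ctx = JpsContextFactory.getContextFactory().getContext();
                CredentialStore store = ctx.getServiceInstance(CredentialStore.class);
                PasswordCredential pc = (PasswordCredential) store.getCredential(CSF_MAP, CSF_KEY);
                if (pc == null) {
                    throw new IllegalStateException("CSF entry " + CSF_MAP + "/" + CSF_KEY + " not found");
                }
                return pc;
            }
        });
    }

    // Build a SalesPartyService port whose UNT policy is fed from the credential store
    static SalesPartyService buildPort() throws Exception {
        SecurityPolicyFeature[] features = new SecurityPolicyFeature[] {
            new SecurityPolicyFeature("oracle/wss_username_token_over_ssl_client_policy") };
        SalesPartyService port = new SalesPartyService_Service().getSalesPartyServiceSoapHttpPort(features);

        PasswordCredential pc = readCredential();
        char[] password = pc.getPassword();
        try {
            WSBindingProvider wsbp = (WSBindingProvider) port;
            wsbp.getRequestContext().put(BindingProvider.USERNAME_PROPERTY, pc.getName());
            wsbp.getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, new String(password));
        } finally {
            Arrays.fill(password, '\0');   // clear the local copy once it has been handed to the binding
        }
        return port;
    }
}
```

With this arrangement the password lives only in the OPSS store (and in the request context the OWSM policy reads), so rotating the Sales Cloud service account means updating the CSF entry rather than redeploying the application, and the source tree never carries a credential.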


SAML

    import java.util.List;
    import weblogic.wsee.jws.jaxws.owsm.SecurityPolicyFeature;

    // Attach the OWSM SAML bearer-token-over-SSL client policy to the generated proxy;
    // the assertion is built for the already authenticated user, so no password is supplied
    SecurityPolicyFeature[] securityFeatures = new SecurityPolicyFeature[] {
        new SecurityPolicyFeature("oracle/wss_saml_token_bearer_over_ssl_client_policy") };
    SalesPartyService_Service salesPartyService_Service = new SalesPartyService_Service();
    SalesPartyService salesPartyService =
        salesPartyService_Service.getSalesPartyServiceSoapHttpPort(securityFeatures);

    FindSalesParty fSalesParty = new FindSalesParty();
    fSalesParty.setFindCriteria(findCriteria);   // findCriteria is built earlier by the caller
    List<SalesParty> salesParties = null;        // element type as generated from the SalesPartyService WSDL
    try {
        salesParties = salesPartyService.findSalesParty(fSalesParty).getResult();
    } catch (Exception e) {
        e.printStackTrace();
    }

JWT

The following code snippet assumes that AccountService_Service is a web service proxy used to invoke the Account web service defined in Oracle Sales Cloud, and illustrates the security policy configuration required to pass a JWT obtained from a JSF page in the HTTP request header when making the web service call. Please refer to Using JSON Web Token for Oracle Sales Cloud Mashups for more details on using JWT in Sales Cloud.

    import java.util.ArrayList;
    import java.util.HashMap;
    import java.util.List;
    import java.util.Map;
    import javax.xml.ws.BindingProvider;
    import javax.xml.ws.handler.MessageContext;
    import weblogic.wsee.jws.jaxws.owsm.SecurityPolicyFeature;

    // No OWSM policy name is given here; the JWT is carried in the HTTP Authorization header instead
    SecurityPolicyFeature[] secFeatures = new SecurityPolicyFeature[] { new SecurityPolicyFeature("") };
    AccountService_Service service_Service = new AccountService_Service();
    AccountService service = service_Service.getAccountServiceSoapHttpPort(secFeatures);

    // JWT obtained earlier and stored in page flow scope by the JSF page
    String jwt = JSFUtils.resolveExpressionAsString("#{pageFlowScope.jwt}");

    // Add the JWT as a bearer token in the HTTP request headers
    BindingProvider bp = (BindingProvider) service;
    Map<String, List<String>> authMap = new HashMap<String, List<String>>();
    List<String> authZlist = new ArrayList<String>();
    authZlist.add("Bearer " + jwt);
    authMap.put("Authorization", authZlist);
    bp.getRequestContext().put(MessageContext.HTTP_REQUEST_HEADERS, authMap);

Invoke Web Service deployed in JCS-SX from Oracle Sales Cloud

There are scenarios where a SaaS application needs to use the functions and capabilities provided by web services deployed on JCS-SX. Using the Application Composer function of Sales Cloud, a reference to the web service can be created as follows:

Click on “Application Composer”, click on “Web Services” link under “Common Setup” on the left pane and click on the “Create a new web service reference” icon and provide the required details:

  • Name: <WSSoapEndpoint_Name>
  • WSDL URL: <JCS-SX_WSDL_URL> (the WSDL endpoint obtained after the deployment in JCS-SX)
  • Security Policy: Select “Invoke with current user credentials using SAML”.

The security policy can be configured in Oracle Sales Cloud when creating the web service reference, enabling secured web service invocation as depicted below:

[Figure: SOAP Connection (security policy selection when creating the web service reference)]

In cases where user identities or services are not in the same identity domain, only UNT or HTTP Basic authentication strategies are possible. Please refer to Consuming SOAP Web Services in Oracle Sales Cloud for more details.

The views expressed in this post are my own and do not necessarily reflect the views of Oracle.