A Guide on Integrating IDCS with WebCenter Suite

Oracle Identity Cloud Service (IDCS) Overview:

Oracle Identity Cloud Service (IDCS) is a comprehensive security and identity platform. It allows for an integration of both cloud and on-prem applications with Single Sign-On (SSO) and provides a sophisticated security layer. IDCS offers a multitude of ways to configure applications so that users may access applications through SSO.

For an overview of the benefits of integrating IDCS with WebCenter, please see our blog, “Benefits of Integrating Oracle Identity Cloud Service (IDCS) with WebCenter Content.”

Configuring IDCS for WebCenter Suite:

Note: This guide is applicable to WebCenter domains hosted on-prem or in OCI, with the following managed servers:

  • WebCenter Content
  • WebCenter Content UI
  • WebCenter Imaging
  • WebCenter Enterprise Capture


  • The WebCenter domain is installed and accessible.
  • All current bundle patches are installed.

Note: Official documentation from Oracle does not state a specific patch level required, Oracle simply recommends that the most current bundle patch is installed.

Configure the WebCenter Domain with IDCS:

From OCI, create an IDCS Confidential Application—

1. In the Oracle Cloud Infrastructure page, in the menu select Identity → Federation

2. Select the Identity Provider link

3. Select the Oracle Identity Cloud Service Console link

4. In the menu select Applications

5. Click the + Add link

6. Select Confidential Application

7. Enter a Name

8. Click the Next button

9. Click the Next button

10. Click the Finish button

11. In the newly created application page, select the Configuration link

12. Expand Client Configuration and check the Register Client radio button

13. For the Allowed Grant Types, select the appropriate grant

14. For the Client Type, select the appropriate Client Type

15. In the Token Issuance Policy → Grant the client access to Identity Cloud Service Admin APIs section click the + Add button

16. Check the following boxes for:

  • Identity Domain Administrator
  • Cloud Gate

Note: When the domain is within OCI, these are required to allow access to the Fusion Middleware Enterprise Manager, EM. 

17. Click the Add button

18. Click the Save button

19. Expand General Configuration and note the Client ID

20. Click the Show Secret button and note the secret and the IDCS hostname

The Client ID, Secret, and IDCS hostname will be needed when configuring the WebLogic IDCS provider.

21. Click the Activate link

Note: Users and Groups do not need to be added to the Application.

Users added in Oracle Identity Cloud Service Console → Users will be able to log into the managed servers.

Update SSL.hostnameVerifier Property in Domain Environment on all Nodes

IDCS will be accessed over SSL.

1. Stop the Admin Server and all managed servers in the WebLogic domain

2. Make a backup copy of the <WCC domain>/bin/setDomainEnv.sh or <Drive>:\<WCC domain>\bin\setDomainEnv.cmd

3. Edit the setDomainEnv.sh or setDomainEnv.cmd file

For Linux or Unix, on a new line directly above the line that says JAVA_PROPERTIES=”${JAVA_PROPERTIES} ${EXTRA_JAVA_PROPERTIES}”, add the following entries:

EXTRA_JAVA_PROPERTIES=”-Dweblogic.security.SSL.hostnameVerifier=weblogic.security.utils.SSLWLSWildcardHostnameVerifier ${EXTRA_JAVA_PROPERTIES}”


For Windows, on a line directly above set EXTRA_JAVA_PROPERTIES=%EXTRA_JAVA_PROPERTIES% -Ducm.oracle.home=%UCM_ORACLE_HOME%:

set EXTRA_JAVA_PROPERTIES=%EXTRA_JAVA_PROPERTIES% -Dweblogic.security.SSL.hostnameVerifier=weblogic.security.utils.SSLWLSWildcardHostnameVerifier

4. Save and exit the file

5. Start the AdminServer for the WebLogic domain

Create the IDCS Security Provider

1. In the WebLogic domain’s AdminServer console page, select Security Realms → myrealm → Providers

2. Click the New button

3. Enter a Name

4. In the Type drop down menu select OracleIdentityCloudIntegrator

5. Click the OK button

6. Click the Reorder button and place the provider at the top

7. Select the DefaultAuthenticator link

8. Set the Control Flag to SUFFICIENT

9. Click the Save button

10. Select the new IDCS provider link

11. Set the Control Flag to SUFFICIENT

12. In the Active Types, move REMOTE_USER and AUTHORIZATION from Available to Chosen

13. Click the Save button

14. Select the Provider Specific tab

15. Enter the Host

Note: Go by the previously noted IDCS Federation console URL.

However, the host is not the entire host name, only web domain URIs.

Such as identity.oraclecloud.com

16. Enter the Port as 443

17. For the Tenant enter the IDCS Federation console hostname such as idcs-8b3d7c85b01e486b88b4e2166f5a3b13

18. Add the previously noted Client ID

19. Add the previously noted Secret

20. Click the Save button

Import Certificate in KSS Store

Obtaining the IDCS certificate

1. On the system the WCC domain AdminServer is installed on, open a shell as the user that owns the WebCenter domain files and directories

2. Run the following:

echo -n | openssl s_client -showcerts -servername <Full IDCS Federation console host> -connect <Full IDCS Federation console host>:443|sed -ne ‘/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p’ > /tmp/idcs_cert_chain.crt

As an example:

echo -n | openssl s_client -showcerts -servername idcs-NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN.identity.oraclecloud.com -connect idcs-NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN.identity.oraclecloud.com:443|sed -ne ‘/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p’ > /tmp/patch/idcs_cert_chain.crt

Import the certificate

1. Run <WC middleware>/oracle_common/common/bin/wlst.sh

2. Run the following wlst commands

connect(“weblogic”,”Welcome_1″,”t3://<System Host Name or IP Address>:<AdminServer port — Typically 7001>”)





3. Start the AdminServer

In myrealm → Users and Groups, the IDCS users and groups will not be displayed as is typical for LDAP providers and the defaultauthenticator.  It doesn’t use an All Users Filter or an All Groups Filter.

Import the OPSS SCIM Template

Note: This is required when IDCS users will be getting their WCC/WEC roles and accounts from IDCS group memberships.

If it’s planned to use IDCS just for SAML SSO and an LDAP server will be used for group memberships, skip this step.

In WebCenter 12c, the user authentication is done through the Weblogic LDAP providers, including the IDCS provider.  For user authorization and getting role and account memberships, the libOVD Identity Governance Framework API is used.

By default, libOVD doesn’t access IDCS. It has to be modified to allow access.

To do that, perform the following steps on the system that the AdminServer is running on.

1. <WCC middleware>/oracle_common/common/bin/wlst.sh  (It’s not required to connect to the AdminServer port.)

2. readDomain(<DOMAIN_HOME>)

For example:


3. addTemplate(‘<MIDDLEWARE_HOME>/oracle_common/common/templates/wls/oracle.opss_scim_template.jar’)

For example:


This step may throw a warning, which can be ignored.

WARNING: The addTemplate is deprecated. Use selectTemplate followed by loadTemplates in place of addTemplate.

4. updateDomain()

5. closeDomain()

6. Restart the AdminServer

7. Restart the managed server(s)

Verify User Login and Group Memberships

At this point, users should be able to log into the WebCenter managed server.

WCC users should get their expected roles and accounts (if accounts are being used).

Test to ensure that users can log into the WCC and that their group memberships will be displayed as roles and accounts in their profile page.

IDCS users and groups should be able to be added to Capture Application Roles.

Logging for when users are having authentication (login) or authorization (group membership) issues for authentication:

1. In the domain AdminServer console, select servers → <WC managed server> → Debug

2. Expand weblogic  → security

3. Check the box for atn, leave the atz box unchecked.

4. Click the Enable button

A managed server restart is not required.

The securityAtn entries will get written to the <WC domain>/servers/<WC MS>/logs/<WC MS>.log file

For authorization:

1. Go into the domain Enterprise Manager, EM

2. Select the <Managed Server> link

3. In the WebLogic Server drop down menu select Logs → Log Configuration

4. Expand Root Logger

5. Expand oracle → oracle.ods

6. Set the oracle.ods.virtualization to TRACE:32 (FINEST)

7. Check the box for Persist log level state across component restarts

8. Click the Apply button

A managed server restart is not required.

The oracle.ods.virtualization entries will get written to the <WC domain>/servers/<WC MS>/logs/<WC MS>-diagnostic.log file

Access logs on IDCS:

1. In the Oracle Identity Cloud Service Console drop down menu select Settings → Diagnostics

2. In the Diagnostics Type drop down menu select Service View (includes Activity View and Data View)

3. Click the Save button

4. In the drop down menu select Reports → Diagnostic Data

5. In the Log Type select Service View (includes Activity View and Data View)

6. Click the Download Report button

7. Open the CSV file

Is your organization interested in IDCS or already have IDCS and are looking to integrate IDCS into your WebCenter environment? Contact Inspired ECM to learn how we can help.