For the first time in a long while we had cause to set up a demonstration of this feature. It allows the customer to create “secured” Workspaces containing Interviews that can only be accessed by a securely managed group of people.
As you are no doubt aware, in the case of a Cloud instance of Oracle Intelligent Advisor, a deployed Interview URL is essentially publicly available. This is precisely what you would expect, and it is great to be able to (for example) stand up a new interview to respond to citizen queries in the light of a new compelling event: a flood, a pandemic or, in a more positive vein, a new place to express interest in a service you are going to provide.
But in some circumstances the opposite is true: an interview needs to be accessed only by a small group of people, and anyone else needs to be blocked. At a simple level, securing interviews is done in one of two ways: either by using Oracle B2C Service and setting up the interview as an employee-only interview, or (as in the case we are discussing) by using Oracle Identity Cloud to set up a secure mechanism.
The basics are as follows.
- Spin up an instance of IDCS from your OCI account. You can create a free instance, which of course has limitations but is perfect for a demonstration.
- In IDCS, create a Confidential Application. Think of this as the place where we draw together information about your Oracle Intelligent Advisor setup and provide the list of people you want to have access to the workspace (and the interviews in the workspace). In the Confidential Application, fill in some information about your instance of OIA. In our case this will point to the root URL of your web determinations server. There is also an authorization redirect which needs to be entered; the URL format is predefined and you just need to copy and paste.
- Specify a “scope” phrase which you will need to use later in the setup of OIA. Think of it as the specific pointer to the users of web interviews that you are connecting to a workspace (or workspaces). You may have other scopes pointing to other Workspaces and users. You might also secure Web Services, for example, which would need a new Confidential Application with the appropriate URL in the initial setup.
- Add some users. These users represent the consumers of your interview. They do not have anything to do with Hub users – they are just the humans who are authorized to see your interview, and who prove it by entering their IDCS login and password.
- Once active, the Confidential Application provides the secret id and secret key that you use inside Oracle Intelligent Advisor to set up an Interview Authorization Provider. This will need the URL of your IDCS instance and the various keys and scope to be entered.
- Connect the Interview Authorization Provider to the Workspace.
- Test the Interview(s) in the Workspace. Opening the interview should take you to the IDCS login page for you to authorize yourself (of course, if you already have a session of IDCS open with one of those users, you will not be asked to log in again).
- Try to access your interview from anywhere, and you are forced to authorize using the IDCS login page thanks to the redirect. Authorized users can log in and use the interview, of course.
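The last two steps can be repeated as a scripted check after every deployment. The following is an added example, not code from Oracle or from the original post: it classifies the first response an anonymous request receives, and assumes the interview answers with a 3xx straight to the IDCS host carrying standard OAuth 2.0 authorization parameters. The host, scope phrase and sample responses are constructed placeholders.

```python
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlsplit

IDCS_HOST = "idcs-example.identity.oraclecloud.com"  # placeholder tenant host
SCOPE = "oia-interviews"                             # placeholder scope phrase

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx as an HTTPError instead of following it

def fetch_unauthenticated(url, timeout=10):
    """Cookie-less GET; returns (status, Location header) of the first response."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

def classify(status, location, idcs_host=IDCS_HOST, scope=SCOPE):
    """Decide whether an anonymous request was sent to the expected IDCS login."""
    if 200 <= status < 300:
        return "EXPOSED"              # interview content served without a login
    if status in (301, 302, 303, 307, 308) and location:
        target = urlsplit(location)
        if target.scheme != "https" or target.hostname != idcs_host:
            return "WRONG_IDP"        # redirect goes somewhere other than our IDCS
        requested = parse_qs(target.query).get("scope", [""])[0].split()
        return "PROTECTED" if scope in requested else "WRONG_SCOPE"
    return "REVIEW"                   # 401/403/5xx etc.: blocked, but not via IDCS

# Constructed first responses (status, Location) for three deployed interviews.
_AUTH = f"https://{IDCS_HOST}/oauth2/v1/authorize?response_type=code&client_id=x"
SAMPLES = {
    "secured": (302, _AUTH + "&scope=" + SCOPE),
    "public": (200, None),
    "other-app": (302, _AUTH + "&scope=other-workspace"),
}

def audit(samples=SAMPLES):
    return {name: classify(*resp) for name, resp in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:10} {verdict}")
```

Against a live deployment, pass the result of `fetch_unauthenticated(interview_url)` to `classify` for each interview in the secured Workspace; anything other than `PROTECTED` means the Interview Authorization Provider is not gating that URL as configured.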
Below is a more detailed walkthrough. Given that IDCS can be used to federate with your own directory service, it is a great way to extend authorization to existing users in your own systems. The video is also available on YouTube.