4 Extending the Functionality of the Connector

This chapter describes procedures that you can perform to extend the functionality of the connector for addressing your specific business requirements.

This chapter discusses the following optional procedures:

4.1 Modifying Existing Field Mappings

Default mappings between fields of the target system and Oracle Identity Manager are listed in the following sections:

If you want to modify these mappings, then:

  1. Log in to the Design Console.

  2. Expand Administration, and double-click Lookup Definition.

  3. Search for and open the lookup definition that you want to modify.

    Table 4-1 describes the contents of the lookup definitions that store field mapping information for reconciliation and provisioning.

    Table 4-1 Lookup Definitions That Store Field Mapping Information

    Columns: Lookup Definition | Contents of the Code Key Column | Contents of the Decode Column

    Lookup.ADReconciliation.FieldMap (used during reconciliation)
      Code Key: Names of user fields in Microsoft Active Directory
      Decode:   Names of process form fields for Microsoft Active Directory users

    Lookup.ADGroupReconciliation.FieldMap (used during reconciliation)
      Code Key: Names of group fields in Microsoft Active Directory
      Decode:   Names of process form fields for Microsoft Active Directory groups

    Lookup.ADAMReconciliation.FieldMap (used during reconciliation)
      Code Key: Names of user fields in Microsoft ADAM
      Decode:   Names of process form fields for Microsoft ADAM users

    Lookup.ADAMGroupReconciliation.FieldMap (used during reconciliation)
      Code Key: Names of group fields in Microsoft ADAM
      Decode:   Names of process form fields for Microsoft ADAM groups

    Lookup.AD.BLOBAttribute.Values (used during reconciliation)
      Code Key: Names of Terminal Services Profile fields in Microsoft Active Directory
      Decode:   Names of process form fields corresponding to the Terminal Services Profile fields in Microsoft Active Directory

    AtMap.AD (used during provisioning)
      Code Key: Names of process form fields for Microsoft Active Directory users
      Decode:   Names of user fields in Microsoft Active Directory

    AtMap.ADGroup (used during provisioning)
      Code Key: Names of process form fields for Microsoft Active Directory groups
      Decode:   Names of group fields in Microsoft Active Directory

    AtMap.ADAM (used during provisioning)
      Code Key: Names of process form fields for Microsoft ADAM users
      Decode:   Names of user fields in Microsoft ADAM

    AtMap.ADAMGroup (used during provisioning)
      Code Key: Names of process form fields for Microsoft ADAM groups
      Decode:   Names of group fields in Microsoft ADAM

    AtMap.AD.RemoteScriptlookUp (used during provisioning)
      Code Key: Names of process form fields corresponding to the Terminal Services Profile fields in Microsoft Active Directory
      Decode:   Names of Terminal Services Profile fields in Microsoft Active Directory

  4. Make the required change in the field mappings by modifying the Code Key and Decode values.

  5. Click Save.

4.2 Adding New Fields for Target Resource Reconciliation

Note:

  • This procedure can be applied to add either user or group fields.

  • You must ensure that new fields you add for reconciliation contain only string-format data. Binary fields must not be brought into Oracle Identity Manager natively.

  • If you want to add a multivalued field for target resource reconciliation, then see "Adding New Multivalued Fields for Target Resource Reconciliation".

By default, the fields listed in Table 1-4 are mapped for reconciliation between Oracle Identity Manager and the target system. If required, you can add new fields for target resource reconciliation.

By default, the connector provides mappings for the Terminal Services Profile fields of the target system. You can add mappings for fields of the Environment, Remote Control, and Sessions categories.

Before you add a new field for target resource reconciliation, you must first determine the target system name of the field as follows:

Note:

Do not perform the procedure to determine the target system name of the field if it belongs to one of the following user data categories:

  • Remote Control

  • Sessions

  • Environment

Instead, refer to Appendix C, "Terminal Services Profile Field Names for Reconciliation and Provisioning" for information about a replacement for the target system field name.

  1. Install the target system schema, if it is not already installed.

    Refer to the Microsoft Web site for information about installing the schema.

    Note:

    The ADSIEdit tool provides an alternative to installing and using the target system schema for determining the name of the field that you want to add. The Microsoft Web site provides information about using this tool.

  2. Open the target system schema.

  3. Expand the Console Root folder, expand the target system schema, and then double-click Classes.

  4. Right-click user, and then select Properties.

    The Attributes tab displays the attributes (that is, fields) that are currently in use on the target system.

  5. Note down the name of the field that you want to add, and then click Cancel.

    For example, if you want to add the Employee ID field for reconciliation, then note down employeeID.

To add a new field for target resource reconciliation:

See Also:

For detailed information about these steps, see one of the following guides:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Add the new field on the process form as follows:

    1. Expand Development Tools.

    2. Double-click Form Designer.

    3. Search for and open the UD_ADUSER process form. For groups, search for UD_ADGRP process form.

    4. Click Create New Version, and then click Add.

    5. Enter the details of the field.

      For example, if you are adding the Employee ID field, enter UD_ADUSER_EMPLOYEE_ID in the Name field and then enter other details such as Variable Type, Length, Field Label, and Field Type.

    6. Click Save, and then click Make Version Active. Figure 4-1 shows the new field added to the process form.

      Figure 4-1 New Field Added to the Process Form

  3. Add the new field to the list of reconciliation fields in the resource object as follows:

    1. Expand Resource Management.

    2. Double-click Resource Objects.

    3. Search for and open the AD User resource object. For groups, search for and open the AD Group resource object.

    4. On the Object Reconciliation tab, click Add Field.

    5. Enter the details of the field.

      For example, enter Employee ID in the Field Name field and select String from the Field Type list.

      Later in this procedure, you will enter the field name as the Decode value of the entry that you create in the lookup definition for reconciliation.

    6. If you are using Oracle Identity Manager release 11.1.1 or 11.1.2.x, then click Create Reconciliation Profile. This copies changes made to the resource object into the MDS.

    7. Click Save. Figure 4-2 shows the new reconciliation field added to the resource object.

      Figure 4-2 New Reconciliation Field Added in the Resource Object

  4. Create a reconciliation field mapping for the new field in the process definition as follows:

    1. Expand Process Management.

    2. Double-click Process Definition.

    3. Search for and open the AD User process definition. For groups, search for and open the AD Group process definition.

    4. On the Reconciliation Field Mappings tab of the AD User (or AD Group) process definition, click Add Field Map.

    5. In the Field Name field, select the value for the field that you want to add.

    6. Double-click the Process Data Field field, and then select UD_ADUSER_EMPLOYEE_ID.

    7. Click Save. Figure 4-3 shows the new reconciliation field mapped to a process data field in the process definition.

    Figure 4-3 New Reconciliation Field Mapped to the Process Data Field

  5. If you are using Oracle Identity Manager release 11.1.2.x, then all changes made to the Form Designer of the Design Console must be done in a new UI form as follows:

    1. Log in to Oracle Identity System Administration.

    2. Create and activate a sandbox. See "Creating and Activating a Sandbox" for more information.

    3. Create a new UI form to view the newly added field along with the rest of the fields. See "Creating a New UI Form" for more information about creating a UI form.

    4. Associate the newly created UI form with the application instance of your target system. To do so, open the existing application instance for your resource, from the Form field, select the form (created in Step 5.c), and then save the application instance.

    5. Publish the sandbox. See "Publishing a Sandbox" for more information.

  6. Create an entry for the field in the lookup definition for reconciliation as follows:

    1. Expand Administration.

    2. Double-click Lookup Definition.

    3. If the field that you want to add is not an Environment, Remote Control, or Sessions field, then search for and open the following lookup definition:

      • For a user field on Microsoft Active Directory, open Lookup.ADReconciliation.FieldMap.

      • For a user field on Microsoft ADAM, open Lookup.ADAMReconciliation.FieldMap.

      • For a group field on Microsoft Active Directory, open Lookup.ADGroupReconciliation.FieldMap.

      • For a group field on Microsoft ADAM, open Lookup.ADAMGroupReconciliation.FieldMap.

      Note:

      For the target system fields, you must use the same case (uppercase or lowercase) as given on the target system. This is because the field names are case-sensitive.

    4. For a user field, if the field that you want to add is an Environment, Remote Control, or Sessions field, then search for and open the Lookup.AD.BLOBAttribute.Values lookup definition.

      Note:

      You need not make any change in the VBScript file run by the Remote Manager during provisioning operations.

    5. Click Add and enter the Code Key and Decode values for the field. The Code Key value must be the name of the field on the target system, which you determined at the start of this procedure. The Decode value is the name that you provide for the reconciliation field in Step 3.e.

      For example, enter employeeID in the Code Key field and then enter Employee ID in the Decode field.

    6. Click Save. Figure 4-4 shows the lookup code added to the lookup definition.

      Figure 4-4 Entry Added in the Lookup Definition

4.3 Adding New Multivalued Fields for Target Resource Reconciliation

Note:

This procedure can be applied to add either user or group fields.

You must ensure that new fields you add for reconciliation contain only string-format data. Binary fields must not be brought into Oracle Identity Manager natively.

By default, the multivalued fields listed in Table 1-4 are mapped for reconciliation between Oracle Identity Manager and the target system. If required, you can add new multivalued fields for target resource reconciliation.

To add a new multivalued field for target resource reconciliation:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Create a form for the multivalued field as follows:

    1. Expand Development Tools.

    2. Double-click Form Designer.

    3. Create a form by specifying a table name and description, and then click Save.

    4. Click Add and enter the details of the field.

    5. Click Save and then click Make Version Active. Figure 4-5 shows the multivalued field added on a new form.

    Figure 4-5 Multivalued Field Added on a New Form

  3. Add the form created for the multivalued field as a child form of the process form as follows:

    1. Search for and open the UD_ADUSER process form. For groups, search for and open the UD_ADGRP process form.

    2. Click Create New Version.

    3. Click the Child Table(s) tab.

    4. Click Assign.

    5. In the Assign Child Tables dialog box, select the newly created child form, click the right arrow, and then click OK.

    6. Click Save and then click Make Version Active. Figure 4-6 shows the child form added to the process form.

    Figure 4-6 Child Form Added to the Process Form

  4. Add the new field to the list of reconciliation fields in the resource object as follows:

    1. Expand Resource Management.

    2. Double-click Resource Objects.

    3. Search for and open the AD User resource object. For groups, search for and open the AD Group resource object.

    4. On the Object Reconciliation tab, click Add Field.

    5. In the Add Reconciliation Fields dialog box, enter the details of the field.

      For example, enter carLicense in the Field Name field and select Multi Valued Attribute from the Field Type list.

    6. Click Save and then close the dialog box.

    7. Right-click the newly created field.

    8. Select Define Property Fields.

    9. In the Add Reconciliation Fields dialog box, enter the details of the newly created field.

      For example, enter carLicense in the Field Name field and select String from the Field Type list.

    10. Click Save, and then close the dialog box. Figure 4-7 shows the new reconciliation field added in the resource object.

      Figure 4-7 New Reconciliation Field Added in the Resource Object

    11. If you are using Oracle Identity Manager release 11.1.1 or 11.1.2.x, then click Create Reconciliation Profile. This copies changes made to the resource object into the MDS.

  5. Create a reconciliation field mapping for the new field as follows:

    1. Expand Process Management.

    2. Double-click Process Definition.

    3. Search for and open the AD User process definition. For groups, search for and open the AD Group process definition.

    4. On the Reconciliation Field Mappings tab of the AD User (or AD Group) process definition, click Add Table Map.

    5. In the Add Reconciliation Table Mapping dialog box, select the field name and table name from the list, click Save, and then close the dialog box.

    6. Right-click the newly created field, and select Define Property Field Map.

    7. In the Field Name field, select the value for the field that you want to add.

    8. Double-click the Process Data Field field, and then select UD_CAR_LICENSE.

    9. Select Key Field for Reconciliation Field Matching and click Save. Figure 4-8 shows the new reconciliation field mapped to a process data field in the process definition.

    Figure 4-8 New Reconciliation Field Mapped to a Process Data Field

  6. If you are using Oracle Identity Manager release 11.1.2.x, then all changes made to the Form Designer of the Design Console must be done in a new UI form as follows:

    1. Log in to Oracle Identity System Administration.

    2. Create and activate a sandbox. See "Creating and Activating a Sandbox" for more information.

    3. Create a new UI form to view the newly added field along with the rest of the fields. See "Creating a New UI Form" for more information about creating a UI form.

    4. Associate the newly created UI form with the application instance of your target system. To do so, open the existing application instance for your resource, from the Form field, select the form (created in Step 6.c), and then save the application instance.

    5. Publish the sandbox. See "Publishing a Sandbox" for more information.

  7. Create an entry for the field in the lookup definition for reconciliation as follows:

    1. Expand Administration.

    2. Double-click Lookup Definition.

    3. Search for and open the Lookup.ADReconciliation.FieldMap (or Lookup.ADGroupReconciliation.FieldMap) lookup definition if the target system is Microsoft Active Directory, or the Lookup.ADAMReconciliation.FieldMap (or Lookup.ADAMGroupReconciliation.FieldMap) lookup definition if the target system is Microsoft ADAM.

      Note:

      For the target system fields, you must use the same case (uppercase or lowercase) as given on the target system. This is because the field names are case-sensitive.

    4. Click Add and enter the Code Key and Decode values for the field, and then click Save. The Code Key value must be the name of the attribute field on the target system.

      For example, enter carLicense in the Code Key field and then enter carLicense in the Decode field. Figure 4-9 shows the lookup code added to the lookup definition.

    Figure 4-9 Entry Added in the Lookup Definition

  8. For a user field, add the multivalued field to the Lookup.AD.Configuration lookup definition as follows:

    1. Double-click Lookup Definition.

    2. Search for and open the Lookup.AD.Configuration lookup definition.

    3. In the Decode field of the MultiValueAttributes entry, add the multivalued attributes that are to be reconciled, and then click Save. The attributes must be separated by the Decode value entered in the MultiValueAttributesDelimiter field.

      For example, if MultiValueAttributesDelimiter contains the semicolon (;) as the Decode value, then the Decode value of MultiValueAttributes must be memberOf;carLicense. In this value, the semicolon has been used as the delimiter character. Figure 4-10 shows the multivalued field added to the Lookup.AD.Configuration lookup definition.

    Figure 4-10 Multivalued Field Added to the Lookup Definition
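
The lookup entries created in "Adding New Fields for Target Resource Reconciliation" and in the procedure above have three constraints that are easy to get wrong in the Design Console: target attribute names are case-sensitive, only string data may be mapped, and every multivalued attribute must appear in MultiValueAttributes separated by the MultiValueAttributesDelimiter value. The following pre-flight check is an added example, not part of the connector or of this guide; it models the lookup definitions as plain dictionaries and uses a constructed stand-in for the attribute list you would read from the target system schema, so the attribute syntax names and sample entries are assumptions, not values taken from a live directory.

```python
"""Pre-flight check for new Active Directory reconciliation field mappings.

Added example (not connector code). Lookup definitions are modelled as
Code Key -> Decode dictionaries, exactly as they appear in the Design
Console, and the target schema is a constructed dictionary.
"""

# Constructed stand-in for what the schema snap-in or ADSIEdit would show.
# "Octet String" represents binary data, which must not be mapped natively.
SCHEMA_ATTRIBUTES = {
    "employeeID": {"syntax": "Unicode String", "multivalued": False},
    "carLicense": {"syntax": "Unicode String", "multivalued": True},
    "memberOf": {"syntax": "Distinguished Name", "multivalued": True},
    "thumbnailPhoto": {"syntax": "Octet String", "multivalued": False},
}

# Syntaxes the check treats as string-format data (assumption for the example).
STRING_SYNTAXES = {"Unicode String", "Distinguished Name", "IA5 String", "Printable String"}


def check_field_map(field_map, configuration, schema=SCHEMA_ATTRIBUTES):
    """Return a list of problems; an empty list means the entries look right.

    field_map     -- entries of Lookup.ADReconciliation.FieldMap (Code Key -> Decode)
    configuration -- entries of Lookup.AD.Configuration (Code Key -> Decode)
    """
    problems = []
    delimiter = configuration.get("MultiValueAttributesDelimiter") or ";"
    multi_value = configuration.get("MultiValueAttributes", "")
    listed_multi = {a.strip() for a in multi_value.split(delimiter) if a.strip()}
    by_lower = {name.lower(): name for name in schema}

    for code_key, decode in field_map.items():
        attr = schema.get(code_key)
        if attr is None:
            # Lookups are case-sensitive, so report a near miss separately
            # from an attribute that does not exist at all.
            hint = by_lower.get(code_key.lower())
            if hint:
                problems.append(f"{code_key}: case mismatch, schema name is {hint}")
            else:
                problems.append(f"{code_key}: not found in target schema")
            continue
        if attr["syntax"] not in STRING_SYNTAXES:
            problems.append(f"{code_key}: {attr['syntax']} is not string data; do not map natively")
        if attr["multivalued"] and code_key not in listed_multi:
            problems.append(f"{code_key}: multivalued but missing from MultiValueAttributes")
        if not decode:
            problems.append(f"{code_key}: Decode (reconciliation field name) is empty")
    return problems


# Constructed sample entries: one correct, one unlisted multivalued field,
# one with the wrong case, and one binary attribute.
SAMPLE_FIELD_MAP = {
    "employeeID": "Employee ID",
    "carLicense": "carLicense",
    "EmployeeId": "Employee ID",
    "thumbnailPhoto": "Photo",
}
SAMPLE_CONFIGURATION = {
    "MultiValueAttributesDelimiter": ";",
    "MultiValueAttributes": "memberOf",
}
FIXED_CONFIGURATION = {
    "MultiValueAttributesDelimiter": ";",
    "MultiValueAttributes": "memberOf;carLicense",
}

if __name__ == "__main__":
    for problem in check_field_map(SAMPLE_FIELD_MAP, SAMPLE_CONFIGURATION):
        print(problem)
```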

4.4 Adding New Fields for Provisioning

By default, the fields listed in Table 1-8 are mapped for provisioning between Oracle Identity Manager and the target system. If required, you can map additional fields for provisioning.

By default, the connector provides mappings for the Terminal Services Profile fields of the target system. You can add mappings for fields of the Environment, Remote Control, and Sessions categories.

Before you add a new field for provisioning, you must first determine the target system name of the field as follows:

Note:

Do not perform the procedure to determine the target system name of the field if it belongs to one of the following user data categories:

  • Remote Control

  • Sessions

  • Environment

Instead, refer to Appendix C, "Terminal Services Profile Field Names for Reconciliation and Provisioning" for information about a replacement for the target system field name.

  1. Install the target system schema, if it is not already installed.

    Refer to the Microsoft Web site for information about installing the schema.

    Note:

    The ADSIEdit tool provides an alternative to installing and using the target system schema for determining the name of the field that you want to add. The Microsoft Web site provides information about using this tool.

  2. Open the target system schema.

  3. Expand the Console Root folder, expand the target system schema, and then double-click Classes.

  4. Right-click user, and then select Properties.

    The Attributes tab displays the attributes (that is, fields) that are currently in use on the target system.

  5. Note down the name of the field that you want to add, and then click Cancel.

    For example, if you want to add the Employee ID field for provisioning, then note down employeeID.

To add a new field for provisioning:

See Also:

For detailed information about these steps, see one of the following guides:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Add the new field on the process form.

    If you have added the field on the process form by performing Step 2 of "Adding New Fields for Target Resource Reconciliation", then you need not add the field again. If you have not added the field, then:

    1. Expand Development Tools.

    2. Double-click Form Designer.

    3. Search for and open the UD_ADUSER process form. For groups, search for and open the UD_ADGRP process form.

    4. Click Create New Version, and then click Add.

    5. Enter the details of the field.

      For example, if you are adding the Employee ID field, enter UD_ADUSER_EMPLOYEE_ID in the Name field, and then enter the rest of the details of this field.

    6. Click Save and then click Make Version Active. Figure 4-11 shows the new field added to the process form.

      Figure 4-11 New Field Added to the Process Form

  3. If you are using Oracle Identity Manager release 11.1.2.x, then all changes made to the Form Designer of the Design Console must be done in a new UI form as follows:

    1. Log in to Oracle Identity System Administration.

    2. Create and activate a sandbox. See "Creating and Activating a Sandbox" for more information.

    3. Create a new UI form to view the newly added field along with the rest of the fields. See "Creating a New UI Form" for more information about creating a UI form.

    4. Associate the newly created UI form with the application instance of your target system. To do so, open the existing application instance for your resource, from the Form field, select the form (created in Step 3.c), and then save the application instance.

    5. Publish the sandbox. See "Publishing a Sandbox" for more information.

  4. Create an entry for the field in the lookup definition for provisioning as follows:

    1. Expand Administration.

    2. Double-click Lookup Definition.

    3. If the field that you want to add is not an Environment, Remote Control, or Sessions field, then search for and open one of the following lookup definitions:

      • For a user field on Microsoft Active Directory, open AtMap.AD.

      • For a user field on Microsoft ADAM, open AtMap.ADAM.

      • For a group field on Microsoft Active Directory, open AtMap.ADGroup.

      • For a group field on Microsoft ADAM, open AtMap.ADAMGroup.

    4. If the field that you want to add is an Environment, Remote Control, or Sessions field, then search for and open the AtMap.AD.RemoteScriptlookUp lookup definition.

      Note:

      You need not make any change in the VBScript file run by the Remote Manager during provisioning operations.

    5. Click Add and then enter the Code Key and Decode values for the field. The Decode value must be the name of the field on the target system, which you determined at the start of this procedure.

      Note:

      For the target system fields, you must use the same case (uppercase or lowercase) as given on the target system. This is because the field names are case-sensitive.

      For example, enter UD_ADUSER_EMPLOYEE_ID in the Code Key field and then enter employeeID in the Decode field. Figure 4-12 shows the entry added to the lookup definition.

      Figure 4-12 Entry Added to the Lookup Definition

    Note:

    Perform steps 5 through 7 only if you want to perform request-based provisioning.

  5. Update the request dataset.

    When you add an attribute on the process form, you also update the XML file containing the request dataset definitions. To update a request dataset:

    1. In a text editor, open the XML file located in the OIM_HOME/DataSet/file directory for editing.

    2. Add the AttributeReference element and specify values for the mandatory attributes of this element.

      See Also:

      The "Configuring Requests" chapter of the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager guide for more information about creating and updating request datasets

      For example, while performing Step 2 of this procedure, if you added Employee ID as an attribute on the process form, then enter the following line:

      <AttributeReference
          name="Employee ID"
          attr-ref="Employee ID"
          type="String"
          widget="text"
          length="50"
          available-in-bulk="false"/>

      In this AttributeReference element:

      • For the name attribute, enter the value in the Name column of the process form without the table name prefix.

        For example, if UD_ADUSER_EMPLOYEE_ID is the value in the Name column of the process form, then you must specify Employee ID as the value of the name attribute in the AttributeReference element.

      • For the attr-ref attribute, enter the value that you entered in the Field Label column of the process form while performing Step 2.

      • For the type attribute, enter the value that you entered in the Variant Type column of the process form while performing Step 2.

      • For the widget attribute, enter the value that you entered in the Field Type column of the process form, while performing Step 2.

      • For the length attribute, enter the value that you entered in the Length column of the process form while performing Step 2.

      • For the available-in-bulk attribute, specify true if the attribute must be available during bulk request creation or modification. Otherwise, specify false.

      While performing Step 2, if you added more than one attribute on the process form, then repeat this step for each attribute added.

    3. Save and close the XML file.

  6. Run the PurgeCache utility to clear content related to request datasets from the server cache.

    See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information about the PurgeCache utility.

  7. Import the request dataset definitions (in XML format) into MDS.

    See the "Importing Request Datasets into MDS" section for detailed information about the procedure.
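
Step 5 is the one part of this procedure performed in a text editor rather than the Design Console, and a request dataset edited by hand is easy to leave with a duplicated or mistyped AttributeReference. The script below is an added example, not Oracle tooling or connector code: it builds the element from the process-form details using the attribute rules listed under Step 5, refuses to add a reference whose name already exists, and then lists the references present. The sample dataset document and its root element name are constructed for the example, since the page does not show the surrounding file.

```python
"""Append an AttributeReference to a request dataset XML file.

Added example (not part of the connector). The root element name and the
existing Title reference in SAMPLE_DATASET are constructed; only the
AttributeReference attributes follow the rules the guide states.
"""
import xml.etree.ElementTree as ET

# Constructed sample dataset with one existing reference.
SAMPLE_DATASET = """<request-data-set name="ProvisionResourceADUser" entity="AD User" operation="PROVISION">
  <AttributeReference name="Title" attr-ref="Title" type="String" widget="text" length="50" available-in-bulk="false"/>
</request-data-set>
"""

# Process-form details of the Employee ID field added in Step 2 (constructed).
# The guide gives "Employee ID" as the name for the UD_ADUSER_EMPLOYEE_ID column.
EMPLOYEE_ID_FIELD = {
    "name": "Employee ID",          # Name column without the table name prefix
    "field_label": "Employee ID",   # Field Label column
    "variant_type": "String",       # Variant Type column
    "field_type": "text",           # Field Type column
    "length": 50,                   # Length column
    "available_in_bulk": False,
}


def attribute_reference(form_field):
    """Map process-form columns to AttributeReference attributes (Step 5 rules)."""
    return {
        "name": form_field["name"],
        "attr-ref": form_field["field_label"],
        "type": form_field["variant_type"],
        "widget": form_field["field_type"],
        "length": str(form_field["length"]),
        "available-in-bulk": "true" if form_field.get("available_in_bulk") else "false",
    }


def has_reference(dataset_xml, name):
    """True if the dataset already contains an AttributeReference with this name."""
    root = ET.fromstring(dataset_xml)
    return any(ref.get("name") == name for ref in root.findall("AttributeReference"))


def add_attribute_reference(dataset_xml, form_field):
    """Return the dataset with the new reference appended.

    Raises ValueError on a duplicate name, so repeating the step for a field
    that was already added does not silently produce two references.
    """
    attrs = attribute_reference(form_field)
    if has_reference(dataset_xml, attrs["name"]):
        raise ValueError(f"AttributeReference {attrs['name']!r} already present")
    root = ET.fromstring(dataset_xml)
    ET.SubElement(root, "AttributeReference", attrs)
    return ET.tostring(root, encoding="unicode")


def reference_names(dataset_xml):
    """Names of all AttributeReference elements, in document order."""
    root = ET.fromstring(dataset_xml)
    return [ref.get("name") for ref in root.findall("AttributeReference")]


if __name__ == "__main__":
    updated = add_attribute_reference(SAMPLE_DATASET, EMPLOYEE_ID_FIELD)
    print(updated)
    print(reference_names(updated))
```

Run it against a copy of the file from OIM_HOME/DataSet/file, then follow Steps 6 and 7 (PurgeCache and the MDS import) as described above.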

Enabling Update of New Fields for Provisioning

After you add a field for provisioning, you must enable update operations on the field. If you do not perform this procedure, then you will not be able to modify the value of the field after you set a value for it during the Create User provisioning operation.

To enable the update of a new field for provisioning:

See Also:

For detailed information about these steps, see one of the following guides:

  1. Log in to the Oracle Identity Manager Design Console.

  2. In the process definition, add a new task for updating the field as follows:

    1. Expand Process Management.

    2. Double-click Process Definition, and then open the AD User process definition for a user attribute or the AD Group process definition for a group attribute.

    3. Click Add and enter the task name and the task description.

    4. In the Task Properties section, select the following fields:

      • Conditional

      • Required for Completion

      • Allow Cancellation while Pending

      • Allow Multiple Instances

    5. Click Save. Figure 4-13 shows the new task added to the process definition.

    Figure 4-13 New Task Added to the Provisioning Process

  3. In the AD User process definition, select the adapter name in the Handler Type section as follows:

    1. Go to the Integration tab, click Add and select Adapter.

    2. In the Handler Type section, select adpADCSCHANGEATTRIBUTE for a user attribute or adpADCSGROUPCHANGEATTRIBUTE for a group attribute.

    3. Click Save. Figure 4-14 shows the adapter added to the handler.

    Figure 4-14 Adapter Added to the Handler

  4. Double-click the Variable Name field to get the value and map the adapter variable to Response Code. Figure 4-15 shows the variable name mapped to Response Code.

    Figure 4-15 Adapter Return Value Mapped to Response Code

  5. Double-click the Variable Name field to get the value and map the adapter variable to a process data field. Figure 4-16 shows the variable name mapped to a process data field.

    Figure 4-16 Adapter Variable Mapped to a Process Data Field

  6. Double-click the Variable Name field to get the value and map the adapter variable to a process data field. Figure 4-17 shows the adapter variable mapped to a process data field.

    Figure 4-17 Adapter Variable Mapped to a Process Data Field

  7. Double-click the Variable Name field to get the value and map the adapter variable to the corresponding field on the target system, which you determined in "Adding New Fields for Provisioning". For example, enter employeeID for updating Employee ID. Figure 4-18 shows the adapter variable mapped to a target system field.

    Figure 4-18 Adapter Variable Mapped to a Target System Field

  8. If you create a copy of the Lookup.AD.Configuration lookup definition, then:

    1. Double-click the Variable Name field and select the sConfigurationLookUp variable.

    2. Map the variable to the literal value Lookup.AD.Configuration.

    Figure 4-19 shows the adapter variable mapped to the literal.

    Figure 4-19 Adapter Variable Mapped to a Literal

  9. Click Save.

4.5 Adding New Multivalued Fields for Provisioning

To add new multivalued fields for provisioning:

Note:

Before starting the following procedure, perform Steps 1 through 3 as described in the section "Adding New Multivalued Fields for Target Resource Reconciliation". If these steps have been performed while adding new multivalued fields for target resource reconciliation, then you need not repeat the steps.

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Process Management.

  3. In the process definition, add the task for provisioning multivalued attributes as follows:

    1. Double-click Process Definition.

    2. Search for and open the AD User process definition. For groups, open the AD Group process definition.

    3. Click Add and enter the task name and the description.

    4. In the Task Properties section, select the following:

      • Conditional

      • Required for Completion

      • Retry Count

      • Allow Multiple Instances

      • Child table name from the Child Table list

      • Insert, if you want to add the data, from the Trigger Type list

      • Delete, if you want to remove the data, from the Trigger Type list.

    5. Click Save. Figure 4-20 shows the multivalued task added to the process.

    Figure 4-20 Multivalued Field Added to the AD User Provisioning Process


  4. Select the adapter as follows:

    1. On the Integration tab in the AD User provisioning Process, click Add and then select Adapter. From the list of adapters:

      • If you want to add multivalued data, then select adpADCSAddMultiAttributeData and click Save.

      • If you want to remove multivalued data, then select adpADCSRemoveMultiAttributeData and click Save.

  5. Double-click and map the adapter variable to a process data field and click Save. Figure 4-21 shows the adapter variable name mapped to a process data field.

    Figure 4-21 Adapter Variable Mapped to a Process Data Field


  6. Double-click and map the adapter variable to a literal and specify the name of the attribute to be updated in the Literal Value field, and then click Save. Figure 4-22 shows the adapter variable mapped to a literal.

    Figure 4-22 Adapter Variable Mapped to a Literal


  7. Double-click and map the adapter variable to a process data field of the newly created form. If you are removing the attribute, then select Old Value and click Save. Figure 4-23 shows the adapter variable mapped to a process data field.

    Figure 4-23 Adapter Variable Mapped to a Process Data Field


  8. Double-click and map the adapter variable to a process data field and click Save. Figure 4-24 shows the adapter variable name mapped to a process data field.

    Figure 4-24 Adapter Variable Mapped to a Process Data Field


  9. Double-click and map the adapter variable to a response code field and click Save. Figure 4-25 shows the adapter variable name mapped to a response code field.

    Figure 4-25 Adapter Variable Mapped to a Response Code Field


  10. Double-click and map the adapter variable to process data and click Save. Figure 4-26 shows the adapter variable name mapped to process data.

    Figure 4-26 Adapter Variable Mapped to Process Data


  11. If you create a copy of the Lookup.AD.Configuration lookup definition, then:

    1. Double-click the Variable Name field and select the sConfigurationLookUp variable.

    2. Map the variable to the literal value Lookup.AD.Configuration.

    Figure 4-27 shows the adapter variable mapped to the literal.

    Figure 4-27 Adapter Variable Mapped to a Literal


  12. Click Save on Process Task.

    Note:

    During a provisioning operation, you can either add or remove values of multivalued fields. You cannot update these values.
  13. If you are using Oracle Identity Manager release 11.1.2.x, then all changes made to the Form Designer of the Design Console must be done in a new UI form as follows:

    1. Log in to Oracle Identity System Administration.

    2. Create and activate a sandbox. See "Creating and Activating a Sandbox" for more information.

    3. Create a new UI form to view the newly added field along with the rest of the fields. See "Creating a New UI Form" for more information about creating a UI form.

    4. Associate the newly created UI form with the application instance of your target system. To do so, open the existing application instance for your resource, from the Form field, select the form (created in Step 13.c), and then save the application instance.

    5. Publish the sandbox. See "Publishing a Sandbox" for more information.

  14. Update the request dataset.

    Note:

    Perform steps 14 through 16 only if you enabled request-based provisioning.

    When you add an attribute on the process form, you also update the XML file containing the request dataset definitions. To update a request dataset:

    1. In a text editor, open the XML file located in the OIM_HOME/DataSet/file directory for editing.

    2. Add the AttributeReference element and specify values for the mandatory attributes of this element.

      See Also:

      The "Configuring Requests" chapter of the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager guide for more information about creating and updating request datasets

      For example, if you added Car License as an attribute on the process form, then enter the following line:

      <AttributeReference
      name = "Car License"
      attr-ref = "Car License"
      type = "String"
      widget = "text"
      length = "50"
      available-in-bulk = "false"/>
      

      In this AttributeReference element:

      • For the name attribute, enter the value in the Name column of the process form without the tablename prefix.

        For example, if UD_CAR_LICENSE is the value in the Name column of the process form, then you must specify Car License as the value of the name attribute in the AttributeReference element.

      • For the attr-ref attribute, enter the value that you entered in the Field Label column of the process form.

      • For the type attribute, enter the value that you entered in the Variant Type column of the process form.

      • For the widget attribute, enter the value that you entered in the Field Type column of the process form.

      • For the length attribute, enter the value that you entered in the Length column of the process form.

      • For the available-in-bulk attribute, specify true if the attribute must be available during bulk request creation or modification. Otherwise, specify false.

      If you add more than one attribute on the process form, then repeat this step for each attribute added.

    3. Save and close the XML file.

  15. Run the PurgeCache utility to clear content related to request datasets from the server cache.

    See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information about the PurgeCache utility.

  16. Import into MDS, the request dataset definitions in XML format.

    See the "Importing Request Datasets into MDS" section for detailed information about the procedure.

4.6 Adding Mappings for New Object Classes

To create an object class and add fields of the object class for provisioning:

  1. Create the object class and assign mandatory and optional attributes to the object class.

    Refer to Microsoft documentation for information about creating the object class.

    Note:

    Assign the user object class as the parent of the object class that you create.
  2. Refresh the schema.

  3. To add the mandatory and optional attributes of the object class for provisioning, perform the procedure described in "Adding New Fields for Provisioning".

  4. Open the Lookup.AD.Configuration lookup definition and change the decode value of the LdapUserObjectClass code key value to include the new object class name.

    Refer to "Configuring the Lookup.AD.Configuration Lookup Definition" for detailed information about performing this step.

4.7 Enabling the Auto Pre-populate and Auto Save Options

Auto Pre-populate and Auto Save are two of the options available in the resource object. You use the Auto Pre-populate option to specify whether a custom form is populated by Oracle Identity Manager or by a user. You use the Auto Save option to specify that Oracle Identity Manager must save the data, without user intervention, in any resource-specific form that was created using the Form Designer.

See Also:

For more information about both options, see one of the following guides:

If you want to use either of these options, then specify default values for the mandatory check box fields of the process form as follows:

  1. Log in to the Design Console.

  2. Expand Development Tools, and double-click Form Designer.

  3. Search for and open the AD User process form (UD_ADUSER).

  4. On the Additional Columns tab:

    • For the UD_ADUSER_MUST field, enter a value (0 or 1) in the Default column.

    • For the UD_ADUSER_NEVER field, enter a value (0 or 1) in the Default column.

  5. Click Save.

    Figure 4-28 shows the default values specified for the Checkbox field types on the process form.

    Figure 4-28 Default Values Specified for the Checkbox Field Types on the Process Form


4.8 Using Your Own Provisioning Script

Note:

The information in this section does not apply to Microsoft ADAM.

The default provisioning script, ProvTerminalServiceAttr.vbs, is described in "Connector Architecture". As mentioned in that section, this script is used to work with the Terminal Services Profile fields of the target system. During a Create User provisioning operation, the Remote Manager calls the provisioning script regardless of whether or not you enter a value for any of the Terminal Services Profile fields of the process form. During an Update User provisioning operation, the Remote Manager calls the provisioning script only if any of the Terminal Services Profile fields is updated.

If you want to extend or change the functionality of the default provisioning script, then you can replace it with your own script. For example, you can create a script that manipulates the Terminal Services Profile fields and the Remote Control fields.

To use your own provisioning script:

  1. Create the script.

  2. Place the script in any directory on the target system computer.

    Note:

    Ensure that the directory into which you copy the script grants the required read and write permissions to the target system user account that you create by performing the procedure described in "Creating a Target System User Account for Connector Operations". Do not grant write access to that directory more broadly than necessary: whatever can modify the script runs with the Remote Manager's privileges on the target system.
  3. Edit the ADITResource IT resource, and enter the full path and name of the script as the value of the Remote Manager Prov Script Path parameter.

See Also:

The "Managing IT Resources" section in one of the following guides:

While creating the script, you can apply the following information about parameters in the default provisioning script:

  • UserID

    During a provisioning operation, this parameter accepts the user ID in the following format:

    LDAP://cn=CN_VALUE,ou=OU_VALUE,dc=DC_VALUE,dc=DC_VALUE
    

    The following is a sample value for the UserID parameter:

    LDAP://cn=john,ou=sales,dc=globalv,dc=com
    
  • UserLookupdecodeValues

    Note:

    Although this parameter is defined in the script, the script does not use this parameter in the current release of the connector.

    During a provisioning operation, this parameter accepts a list of the following key-value pairs:

    • The key is the field name from the Decode column of the AtMap.AD lookup definition.

    • The value is the value of the field entered on the process form.

    The vertical bar (|) is used as the delimiting character in this list.

    The following is a sample value for the UserLookupdecodeValues parameter:

    givenName=John|depart=accounts|homePhone=123456 . . . 
    
  • TerminalLookupDecodeValues

    During a provisioning operation, this parameter accepts a list of the following key-value pairs:

    • The key is the field name from the Decode column of the AtMap.AD.RemoteScriptlookUp lookup definition.

    • The value is the value of the field entered on the process form.

    The vertical bar (|) is used as the delimiting character in this list.

    The following is a sample value for the TerminalLookupDecodeValues parameter:

    TerminalServicesProfilePath=C:\test|TerminalServicesHomeDirectory=C:\test1|AllowLogon=0
    
  • BlobAttrName

    During a provisioning operation, this parameter accepts one of the following values:

    • ALL

      This value is passed to the parameter during a Create User provisioning operation. The ALL value indicates that values for all of the Terminal Services Profile fields must be updated by the script.

    • The name of a specific field that must be updated by the script.

    Note:

    If more than one Terminal Services Profile field is updated during a provisioning operation, then each field is passed to the Remote Manager one call at a time.

    The following is a sample value for the BlobAttrName parameter:

    TerminalServicesProfilePath

After you enter the script path in the ADITResource IT resource, click Save to apply the change.
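The following Python is an added example, not the connector's ProvTerminalServiceAttr.vbs or any Oracle code: it parses the three parameter formats described above the way a replacement script must before it touches the directory. The TERMINAL_FIELDS set and the sample values are constructed for the example; the real field names are the Decode values of AtMap.AD.RemoteScriptlookUp. One caveat it enforces: the list format is pipe-delimited with no escaping, so a process-form value that itself contains a vertical bar cannot be split back unambiguously, and the parser rejects it rather than writing it to the wrong attribute.

```python
"""Parser for the parameter formats the Remote Manager passes to the
provisioning script (added example, not the connector's own code).

Formats, as described in the section above: an LDAP ADsPath for UserID,
pipe-delimited key=value lists for UserLookupdecodeValues and
TerminalLookupDecodeValues, and either ALL or one field name for
BlobAttrName. All sample values below are constructed for this example."""
import re

# Decode values of AtMap.AD.RemoteScriptlookUp that the script is allowed to
# write. This set is an assumption for the example: take the real one from
# the lookup definition in your Design Console.
TERMINAL_FIELDS = frozenset({
    "TerminalServicesProfilePath",
    "TerminalServicesHomeDirectory",
    "AllowLogon",
})


def parse_user_id(user_id):
    """Return the distinguished name from an 'LDAP://cn=...' ADsPath."""
    m = re.fullmatch(r"LDAP://(.+)", user_id.strip())
    if not m or not m.group(1).lower().startswith("cn="):
        raise ValueError("UserID is not an LDAP://cn=... ADsPath: %r" % user_id)
    return m.group(1)


def parse_decode_values(text, allowed):
    """Split 'key=value|key=value' into a dict, rejecting malformed pairs.

    Splitting on the first '=' keeps any '=' inside a value intact. A '|'
    inside a value cannot be recovered, so it surfaces as a fragment with
    no '=' and is rejected instead of being applied to the wrong attribute.
    """
    result = {}
    for pair in text.split("|"):
        if "=" not in pair:
            raise ValueError("malformed key=value pair: %r" % pair)
        key, value = pair.split("=", 1)
        key = key.strip()
        if key not in allowed:
            raise ValueError("attribute not in lookup: %r" % key)
        if key in result:
            raise ValueError("duplicate attribute: %r" % key)
        result[key] = value.strip()
    return result


def fields_to_update(blob_attr_name, terminal_values):
    """Resolve BlobAttrName to the attribute/value pairs the script must set.

    ALL (passed on Create User) means every terminal-services field that
    was supplied; otherwise exactly the one named field, which must be
    present in the TerminalLookupDecodeValues list.
    """
    if blob_attr_name == "ALL":
        return dict(terminal_values)
    if blob_attr_name not in terminal_values:
        raise ValueError("BlobAttrName %r has no value in TerminalLookupDecodeValues"
                         % blob_attr_name)
    return {blob_attr_name: terminal_values[blob_attr_name]}


# Constructed sample input in the formats shown in the section above.
SAMPLE_USER_ID = "LDAP://cn=john,ou=sales,dc=globalv,dc=com"
SAMPLE_TERMINAL = ("TerminalServicesProfilePath=C:\\test|"
                   "TerminalServicesHomeDirectory=C:\\test1|AllowLogon=0")

if __name__ == "__main__":
    dn = parse_user_id(SAMPLE_USER_ID)
    values = parse_decode_values(SAMPLE_TERMINAL, TERMINAL_FIELDS)
    print(dn, fields_to_update("ALL", values))
    print(fields_to_update("AllowLogon", values))
```

The same functions apply to UserLookupdecodeValues with the Decode values of AtMap.AD as the allowed set; the script should never write an attribute that is not in the lookup it was configured with.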

4.9 Removing the ExecuteRemoteScripts Process Task

During a provisioning operation, the ExecuteRemoteScripts process task is used to set values for the Terminal Services Profile fields of the target system. This process task is triggered after successful completion of the Create User process task, even if values are not entered for the Terminal Services Profile fields on the process form. If you do not want the ExecuteRemoteScripts process task to be triggered, then:

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Process Management.

  3. Double-click Process Definition.

  4. Search and open the AD User process definition.

  5. Search for and open the Create User process task.

  6. On the Responses tab, select AD.USER_CREATION_SUCCESSFUL.

  7. From the Task Name list, select ExecuteRemoteScript and then click Delete.

  8. Click Save. Figure 4-29 shows ExecuteRemoteScript deleted from the process form.

    Figure 4-29 ExecuteRemoteScript Deleted from the Process Form


4.10 Adding New Fields for Trusted Source Reconciliation

Note:

You must ensure that new fields you add for reconciliation contain only string-format data. Binary fields must not be brought into Oracle Identity Manager natively.

By default, the attributes listed in Table 1-11 are mapped for reconciliation between Oracle Identity Manager and the target system. If required, you can add new fields for trusted source reconciliation.

Before you add a new field for trusted source reconciliation, you must first determine the target system name of the field as follows:

  1. Install the target system schema, if it is not already installed.

    Refer to the Microsoft Web site for information about installing the schema.

    Note:

    The ADSIEdit tool provides an alternative to installing and using the target system schema for determining the name of the field that you want to add. The Microsoft Web site provides information about using this tool.
  2. Open the target system schema.

  3. Expand the Console Root folder, expand the target system schema, and then double-click Classes.

  4. Right-click user, and then select Properties.

    The Attributes tab displays the attributes (that is, fields) that are currently in use on the target system.

  5. Note down the name of the field that you want to add, and then click Cancel.

    For example, if you want to add the Employee ID field for reconciliation, then note down employeeID.

To add a new field for trusted source reconciliation:

See Also:

For detailed information about these steps, see one of the following guides:
  1. Log in to the Oracle Identity Manager Design Console.

  2. Add the new field on the OIM User process form as follows:

    1. Expand Administration.

    2. Double-click User Defined Field Definition.

    3. Search for and open the Users form.

    4. Click Add and enter the details of the field.

      For example, if you are adding the Employee ID field, then enter Employee ID in the Name field, set the data type to String, enter USR_UDF_EMPLOYEE_ID as the column name, and enter a field size value.

    5. Click Save. Figure 4-30 shows the new field added on the User Defined Columns tab of the Users form.

      Figure 4-30 New Field Added to the Users Form


  3. Add the new field to the list of reconciliation fields in the resource object as follows:

    1. Expand the Resource Management folder.

    2. Double-click Resource Objects.

    3. Search for and open the AD User Trusted resource object.

    4. On the Object Reconciliation tab, click Add Field.

    5. Enter the details of the field and click Save.

      For example, enter Employee ID in the Field Name field and select String from the Field Type list.

      Later in this procedure, you will enter the field name as the Decode value of the entry that you create in the lookup definition for reconciliation. Figure 4-31 shows the new field added to the resource object.

      Figure 4-31 New Field Added to the Resource Object


    6. If you are using Oracle Identity Manager release 11.1.1 or 11.1.2.x, then click Create Reconciliation Profile. This copies changes made to the resource object into the MDS.

    7. Click Save.

  4. Create a reconciliation field mapping for the new field as follows:

    1. Expand Process Management.

    2. Double-click Process Definition.

    3. Search for and open the AD User Trusted process definition.

    4. On the Reconciliation Field Mappings tab, click Add Field Map.

    5. In the Field Name field, select the value for the field that you want to add.

      For example, select Employee ID = Employee ID.

    6. Click Save. Figure 4-32 shows the new reconciliation field mapped to a process data field in the process definition.

      Figure 4-32 New Reconciliation Field Mapped to a Process Data Field


  5. Create an entry for the field in the lookup definition for reconciliation as follows:

    1. Expand Administration.

    2. Double-click Lookup Definition.

    3. Search for and open the Lookup.ADReconciliation.FieldMap lookup definition.

      Search for and open the Lookup.ADAMReconciliation.FieldMap lookup definition if you are using Microsoft ADAM.

    4. Click Add and then enter the Code Key and Decode values for the field. The Code Key value must be the name of the field on the target system, which you determined at the start of this procedure. The Decode value is the name that you provided for the reconciliation field in Step 3.e.

      Note:

      For the target system fields, you must use the same case (uppercase or lowercase) as given on the target system. This is because the field names are case-sensitive.

      For example, enter employeeID in the Code Key field and then enter Employee ID in the Decode field.

    5. Click Save.

  6. Select Field Type and click Save. Figure 4-33 shows the entry added to the lookup definition.

    Figure 4-33 Entry Added to the Lookup Definition


4.11 Transforming Data Reconciled Into Oracle Identity Manager

Note:

In Oracle Identity Manager release 11.1.1 and 11.1.2.x, a scheduled job is an instance of a scheduled task. In this guide, the term scheduled task used in the context of Oracle Identity Manager release 9.1.0.x is the same as the term scheduled job in the context of Oracle Identity Manager release 11.1.1 and 11.1.2.x.

See Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for more information about scheduled tasks and scheduled jobs.

This section discusses the Transform Lookup Code and Use Transform Mapping attributes of the scheduled tasks for target resource and trusted source reconciliation, AD User Target Recon and AD User Trusted Recon.

During reconciliation, you might want to transform the values of some target system fields before they are stored in Oracle Identity Manager. Appending a number at the end of the user ID is an example of a data transformation.

The Transform Lookup Code and Use Transform Mapping attributes provide a method for implementing such transformations. To use these attributes:

  1. Identify the fields that you want to transform during reconciliation.

  2. Create the Java file containing the code implementation of the transformation that must be performed.

  3. Compile the Java file. While compiling the file, you must reference the xliADRecon.jar in the INSTALL_MEDIA/lib directory.

  4. Create JAR files containing the code to implement the required transformations on the fields.

  5. If you are using Oracle Identity Manager release 9.1.0.x, then copy the JAR files into the following directory:

    OIM_HOME/xellerate/ScheduleTask

  6. If you are using Oracle Identity Manager release 11.1.1 or 11.1.2.x, then run the Oracle Identity Manager Upload JARs utility to post the JAR file to the Oracle Identity Manager database. This utility is copied into the following location when you install Oracle Identity Manager:

    Note:

    Verify that the WL_HOME environment variable is set to the directory in which Oracle WebLogic Server is installed.
    • For Microsoft Windows:

      OIM_HOME/server/bin/UploadJars.bat

    • For UNIX:

      OIM_HOME/server/bin/UploadJars.sh

    When you run the utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, URL of the Oracle Identity Manager host computer, context factory value, type of JAR file being uploaded, and the location from which the JAR file is to be uploaded. Specify 2 as the value of the JAR type.

    See Also:

    The "Upload JAR and Resource Bundle Utilities" chapter of Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for detailed information about the Upload JARs utility
  7. In the Lookup.ADReconciliation.TransformationMap lookup definition, add an entry for the transformation. In the Code Key column, enter the name of the reconciliation field (in the resource object) on which you want the transformation to be performed. In the Decode column, enter the name of the class file. For example:

    Note:

    You can use this lookup definition for both Microsoft Active Directory and Microsoft ADAM.

    Code Key: First Name

    Decode: AppendNumberToFirstName

    See Also:

    For information about working with lookup definitions, see one of the following guides:
  8. While configuring the AD User Target Recon scheduled task by performing the procedure described in "Scheduled Tasks for Target Resource Reconciliation" and AD User Trusted Recon scheduled task by performing the procedure described in "Scheduled Tasks for Trusted Source Reconciliation":

    • Enter the name of the lookup definition as the value of the Transform Lookup Code attribute.

    • Enter yes as the value of the Use Transform Mapping attribute to specify that you want transformations to be applied. If you enter no as the value, then the transformations are not applied.

4.12 Validating Data Sent to the Target System for Provisioning

This section discusses the UseFieldsValidation and ValidationLookupCode entries of the Lookup.AD.Configuration lookup definition. This section also covers the Lookup.AD.FieldsForValidation lookup definition.

During provisioning, you might want to validate the values of some process form fields before they are sent to the target system. Preventing special characters from being sent in the E-mail Address field is an example of the type of validation that you can implement.

During provisioning, if the value entered in a field for which validation is defined does not meet the validation criteria, then an exception is thrown.

To set up data validation for provisioning:

  1. Identify the fields that you want to validate during provisioning.

  2. Create the Java file containing the code implementation of the validation that must be performed.

  3. Compile the Java file. While compiling the file, you must reference the xliActiveDirectory.jar in the INSTALL_MEDIA/lib directory.

  4. Create JAR files containing the code to implement the required validations on the fields.

  5. If you are using Oracle Identity Manager release 9.1.0.x, then copy the JAR files into the following directory:

    OIM_HOME/xellerate/JavaTask

  6. If you are using Oracle Identity Manager release 11.1.1 or 11.1.2.x, then run the Upload JARs utility to post the JAR file to the Oracle Identity Manager database. This utility is copied into the following location when you install Oracle Identity Manager:

    Note:

    Verify that the WL_HOME environment variable is set to the directory in which Oracle WebLogic Server is installed.
    • For Microsoft Windows:

      OIM_HOME/server/bin/UploadJars.bat

    • For UNIX:

      OIM_HOME/server/bin/UploadJars.sh

    When you run the utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, URL of the Oracle Identity Manager host computer, context factory value, type of JAR file being uploaded, and the location from which the JAR file is to be uploaded. Specify 1 as the value of the JAR type.

    See Also:

    The "Upload JAR and Resource Bundle Utilities" chapter of Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for detailed information about the Upload JARs utility
  7. In the Lookup.AD.FieldsForValidation lookup definition, add an entry for the validation. In the Code Key column, enter the column name for the process form field on which you want the validation to be performed. In the Decode column, enter the name of the class file. For example:

    Note:

    You can use this lookup definition for both Microsoft Active Directory and Microsoft ADAM.

    Code Key: UD_AD_FNAME

    Decode: com.thortech.xl.integration.ActiveDirectory.utils.FirstNameValidation

    See Also:

    For information about working with lookup definitions, see one of the following guides:
  8. To enable validation, provide values for the following entries in the Lookup.AD.Configuration lookup definition:

    • UseFieldsValidation: Enter yes to specify that you want to enable validation.

    • ValidationLookupCode: Ensure that the value of this entry is Lookup.AD.FieldsForValidation.
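The following Python is an added example of the lookup-driven dispatch that Lookup.AD.FieldsForValidation describes: a map from process-form column name to a validator, applied before data leaves for the target system, raising an exception on failure as the connector does when UseFieldsValidation is yes. It is not the connector's Java validation classes, whose interface is not shown on this page. UD_AD_FNAME is the column from the example above; UD_ADUSER_MAIL, the validation rules, and the sample form values are assumptions constructed for illustration. The name rule rejects the characters that RFC 4514 requires to be escaped in a DN component, because a value that ends up in the user's CN without escaping changes the DN the connector builds.

```python
"""Lookup-driven process-form validation (added example in Python, not the
connector's Java classes). Column names other than UD_AD_FNAME, the rules,
and the sample values are assumptions for illustration."""
import re

# Characters that RFC 4514 requires to be escaped inside a DN attribute
# value. Rejecting them keeps a form value from altering the DN the
# connector constructs for the user.
RFC4514_SPECIAL = set(',+"\\<>;')


def validate_name(value):
    """Return None if value is safe to place in a DN component, else a reason."""
    if not value or value != value.strip():
        return "must be non-empty without leading or trailing spaces"
    if value.startswith("#"):
        return "must not start with '#'"
    bad = sorted(RFC4514_SPECIAL & set(value))
    if bad:
        return "contains DN-special characters %r" % bad
    return None


def validate_email(value):
    """Allow one local part and a dotted domain built only from a plain
    character set; anything else (angle brackets, quotes, spaces) fails."""
    if not re.fullmatch(r"[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", value):
        return "is not a plain address (letters, digits, . _ + - only)"
    return None


# Code Key -> validator, the role the Decode column's class name plays in
# Lookup.AD.FieldsForValidation. UD_ADUSER_MAIL is an assumed column name.
LOOKUP_AD_FIELDS_FOR_VALIDATION = {
    "UD_AD_FNAME": validate_name,
    "UD_ADUSER_MAIL": validate_email,
}


class ValidationError(ValueError):
    """Raised for the first field that fails its configured check."""


def validate_process_form(form, lookup=LOOKUP_AD_FIELDS_FOR_VALIDATION, enabled=True):
    """Check every form column that has an entry in the lookup.

    `enabled` stands in for the UseFieldsValidation entry: when it is off,
    values pass through unchecked. Columns without a lookup entry are not
    validated, which is why every field that reaches the target should be
    listed in the lookup.
    """
    if not enabled:
        return form
    for column, check in lookup.items():
        if column in form:
            problem = check(form[column])
            if problem:
                raise ValidationError("%s %s" % (column, problem))
    return form


if __name__ == "__main__":
    # Constructed sample form values.
    print(validate_process_form({"UD_AD_FNAME": "John",
                                 "UD_ADUSER_MAIL": "john.doe@example.com"}))
    try:
        validate_process_form({"UD_AD_FNAME": "John,OU=Admins"})
    except ValidationError as e:
        print("rejected:", e)
```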

4.13 Enabling Reconciliation and Provisioning Operations Across Multiple Domains

You can perform reconciliation and provisioning operations across domains. This means that, for example, you can assign a user in one domain to a group in another domain. You can also reconcile a user record even if the user and the user's manager belong to different domains.

Figure 4-34 shows a sample scenario in which the user and the user's manager are on different domains. The manager's DN is stored in the Manager ID field of the process form.

Figure 4-34 Reconciliation and Provisioning Across Multiple Domains


If you want to enable reconciliation and provisioning across domains, then perform the following procedures:

Note:

From the second synchronization run onward, you must also set the value of the Recon Type attribute of the scheduled task for lookup field synchronization to Update. See "Scheduled Tasks for Lookup Field Synchronization" for information about this attribute.

4.13.1 Setting Up the Lookup.AD.Domains Lookup Definition

In the Lookup.AD.Domains lookup definition, you must create entries in the following format:

  • Code Key: Enter the root context.

  • Decode: Enter the name of the corresponding IT resource.

The following are sample entries:

Code Key                          Decode
DC=ADParent,DC=com                ADParent
DC=ADChild,DC=ADParent,DC=com     ADChild
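As an added example (not connector code), the following Python shows the resolution rule the entries above imply: a DN such as the manager DN stored in the Manager ID field belongs to the entry whose root context is its longest matching suffix, compared case-insensitively, and the Decode value names the IT resource whose credentials are used for it. The entries are the two sample rows above; the matching logic and DN-component handling are assumptions about how such a lookup is consulted, not a description of the connector's internals. The longest-match rule is the point: the parent root context is also a suffix of every child-domain DN, so a first-match lookup would send child-domain operations to the parent domain's IT resource.

```python
"""Resolve a DN to the IT resource named in Lookup.AD.Domains by longest
root-context suffix match. Added example, not the connector's own code; the
lookup contents are the two sample entries from the section above."""
import re

# Code Key -> Decode, as in Lookup.AD.Domains.
LOOKUP_AD_DOMAINS = {
    "DC=ADParent,DC=com": "ADParent",
    "DC=ADChild,DC=ADParent,DC=com": "ADChild",
}


def dn_components(dn):
    """Split a DN on commas that are not backslash-escaped and normalize
    each RDN (type and value lower-cased, whitespace trimmed) so that
    'dc=adparent' and 'DC=ADParent' compare equal."""
    out = []
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            raise ValueError("invalid RDN %r in %r" % (rdn, dn))
        attr, value = rdn.split("=", 1)
        out.append((attr.strip().lower(), value.strip().lower()))
    return out


def it_resource_for_dn(dn, domains=LOOKUP_AD_DOMAINS):
    """Return the Decode value whose root context is the longest suffix of
    dn, or None when no configured domain contains the DN."""
    comps = dn_components(dn)
    best, best_len = None, 0
    for root, resource in domains.items():
        root_comps = dn_components(root)
        n = len(root_comps)
        if n > best_len and n <= len(comps) and comps[-n:] == root_comps:
            best, best_len = resource, n
    return best


if __name__ == "__main__":
    # Constructed sample DNs: a manager in the child domain, a user in the
    # parent domain, and a DN from a domain that is not in the lookup.
    for sample in ("CN=Mgr One,OU=Sales,DC=ADChild,DC=ADParent,DC=com",
                   "cn=john,ou=sales,dc=adparent,dc=com",
                   "CN=x,DC=other,DC=com"):
        print(sample, "->", it_resource_for_dn(sample))
```

A DN that resolves to None is the case to watch for: it means the referenced object lives in a domain with no IT resource, so the operation cannot be performed with any configured credentials and the Lookup.AD.Domains entries need extending.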

4.13.2 Configuring the GCADITResource IT Resource

A Global Catalog is a domain controller that stores information about all Active Directory objects in a forest. The connector uses the GCADITResource IT resource to connect to the Global Catalog. You must configure this IT resource to enable cross-domain user reconciliation.

To configure the GCADITResource IT resource:

  1. Log in to the Administrative and User Console.

  2. Expand Resource Management.

  3. Click Manage IT Resource.

  4. In the IT Resource Name field on the Manage IT Resource page, enter GCADITResource and then click Search.

  5. Click the edit icon for the IT resource.

  6. From the list at the top of the page, select Details and Parameters.

  7. Specify values for the parameters of the IT resource. Table 2-2 describes these parameters.

    Note:

    The port number must be the Global Catalog port, not the domain's LDAP port:

    • Default port when SSL is enabled: 3269

    • Default port when SSL is not enabled: 3268

    Use the SSL port wherever possible: the IT resource holds parent-domain credentials, and a simple bind on port 3268 sends them to the Global Catalog server in clear text.

    While specifying values for the other parameters, ensure that the values, including the credentials, are those of the parent domain.

  8. To save the values, click Update.

4.13.3 Adding Target System Attributes to the Global Catalog

By default, not all target system attributes are part of the Global Catalog. For example, accountExpires is not part of the Global Catalog by default. You must ensure that all user attributes to be reconciled into Oracle Identity Manager are added to the Global Catalog at the schema level.

To add an attribute to the Global Catalog:

  1. Open the Active Directory Schema snap-in.

  2. In the console tree, click Attributes under Active Directory Schema/Attributes.

  3. On the details pane, right-click the attribute that you want to add to the Global Catalog and then click Properties.

  4. Select the Replicate this attribute to the Global Catalog check box.

  5. Click OK.

4.14 Configuring the Connector for Multiple Trusted Source Reconciliation

The following are examples of scenarios in which there is more than one trusted source for user data in an organization:

  • One of the target systems is a trusted source for data about employees. The second target system is a trusted source for data about contractors. The third target system is a trusted source for data about interns.

  • One target system holds the data of some of the identity fields that constitute an OIM User. Two other systems hold data for the remaining identity fields. In other words, to create an OIM User, data from all three systems would need to be reconciled.

If the operating environment of your organization is similar to that described in either one of these scenarios, then this connector enables you to use the target system as one of the trusted sources of user data in your organization.

See one of the following guides for detailed information about multiple trusted source reconciliation:

4.15 Configuring the Connector for Multiple Installations of the Target System

Note:

  • Perform this procedure if your target system is installed in a cross-domain or multi-forest environment.

    If your target system is installed in a clustered environment, then you need not perform this procedure.

  • The information in this section also applies to Microsoft ADAM.

You may want to configure the connector for multiple installations of Microsoft Active Directory. The following example illustrates this requirement:

The Tokyo, London, and New York offices of Example Multinational Inc. have their own installations of Microsoft Active Directory. The company has recently installed Oracle Identity Manager, and they want to configure Oracle Identity Manager to link all the installations of Microsoft Active Directory.

To meet the requirement posed by such a scenario, you must configure the connector for multiple installations of Microsoft Active Directory.

To configure the connector for multiple installations of the target system:

See Also:

Oracle Fusion Middleware User's Guide for Oracle Identity Manager for detailed instructions on performing each step of this procedure

  1. Create IT resources of the AD Server IT resource type so that there is one IT resource for each installation of the target system.

    Refer to "Configuring the IT Resource for the Target System" for information about the values to be specified for the IT resource parameters.

  2. Create copies of the reconciliation scheduled tasks for each installation of the target system. While creating a scheduled task, specify attribute values corresponding to the target system installation for which you are creating the scheduled task.

    Refer to "Reconciliation Scheduled Tasks" for information about the values to be specified for the scheduled task attributes.

  3. Manually synchronize the lookup definitions in Oracle Identity Manager with the lookup field values on the target system.

  4. If you are using Oracle Identity Manager release 9.1.0.x, then you can configure the target system installations as attribute-level trusted sources. To achieve this:

    See Also:

    The "Multiple Trusted Source Reconciliation" section in one of the following guides:

    1. Create a trusted resource object for each target system installation.

    2. Create a reconciliation rule for each resource object.

Before you perform provisioning operations:

The User Principal Name field on the process form is pre-populated with values from the User ID field and the UPN Domain IT resource parameter. Before you switch to a different IT resource during a provisioning operation, you must change the IT resource to which the User Principal Name field is mapped.

  1. Expand Development Tools, and double-click Form designer.

  2. Search for and open the AD User form.

  3. On the Pre-Populate tab, double-click the User Principal Name row.

  4. In the Pre-Population adapter dialog box, double-click the IT resource that you are currently using (for example, ADITResource).

  5. From the Qualifier list in the Map Adapter Variables dialog box, select the IT resource that you want to use. For example, select ADITResource2. Then, click the Save icon and close the dialog box.

  6. In the Pre-Population adapter dialog box, click the Save icon and close the dialog box.

  7. Click the Save icon on the Form Designer form.

When you perform provisioning operations:

When you use the Administrative and User Console to perform provisioning, you can specify the IT resource corresponding to the Microsoft Active Directory installation to which you want to provision the user.

4.15.1 Creating Copies of the Connector

To create a copy of the connector:

  1. Create copies of the IT resource, resource object, process form, provisioning process, scheduled tasks, and lookup definitions that hold attribute mappings.

  2. Create a copy of the Lookup.AD.Configuration lookup definition. In the copy that you create, change the values of the following entries to match the details of the process form copy that you create.

    • ROUserID

    • ROUserManager

    • ROFormName

    • ROUserGUID

    See "Configuring the Lookup.AD.Configuration Lookup Definition" for information about these entries.

  3. Map the new process tasks to the copy of the Lookup.AD.Configuration lookup definition.

4.16 Creating Update Proxy User Attribute Task for Custom Fields

The connector supports creating an Update Proxy User Attribute task for custom fields on Oracle Identity Manager.

To create an Update Proxy User Attribute task for a custom field, perform the following procedures:

4.16.1 Adding a New Field on the Process Form

To add a new field on the process form:

  1. Log in to Oracle Identity Manager Design Console.

  2. Expand Development Tools.

  3. Double-click Form Designer.

  4. Search for and open the UD_ADPROXY process form.

  5. Click Create New Version.

  6. In the Label field, enter the version name. For example, v1.0.

  7. Click Save.

  8. Select the current version created in Step 6 from the Current Version list.

  9. Click Add to create a new attribute, and provide the values for that attribute.

    For example, if you are adding the UD_ADPROXY_UPN attribute, then enter the following values in the Additional Columns tab:

    Field         Value
    Name          UD_ADPROXY_UPN
    Variant Type  String
    Length        256
    Field Label   User Principal Name
    Field Type    TextField
    Order         7

  10. Click Save.

  11. Click Make Version Active.

4.16.2 Mapping the New Field and the Attribute in Microsoft Active Directory Application Mode

To map the new field and the attribute in Microsoft Active Directory Application Mode (ADAM):

  1. Expand Administration.

  2. Double-click Lookup Definition.

  3. Search for and open the AtMap.ADProxy lookup definition.

  4. Click Add and enter the Code Key and Decode values for the attribute. The Code Key value must be the name of the attribute given in the process form. The Decode value is the name of the attribute in the target system.

    For example, enter UD_ADPROXY_UPN in the Code Key field and then enter userPrincipalName in the Decode field.

  5. Click Save.

4.16.3 Creating an Update Task for the New Field

To create the update task for the new field:

  1. Expand Process Management.

  2. Double-click Process Definition and open the AD Proxy process definition.

  3. In the process definition, add a new task for updating the field as follows:

    • Click Add and enter the task name, for example, User Principal Name Updated, and the task description.

    • In the Task Properties section, select the following fields:

      Conditional

      Required for Completion

      Allow Cancellation while Pending

      Allow Multiple Instances

    • Click Save.

  4. On the Integration tab, click Add, and then click Adapter.

  5. Select the adpADPYMODIFYPROXYUSERATTRIBUTE adapter, click Save, and then click OK in the message that is displayed.

  6. To map the adapter variables listed in the following table, select the adapter, click Map, and then specify the data given in the following table:

    Variable Name         Map To         Qualifier         Literal Value
    Adapter return value  Response code  NA                NA
    processKeyInstance    Process Data   Process Instance  NA
    formFieldColumnName   Literal        String            UD_ADPROXY_UPN

  7. Click Save and then close the dialog box.

Note:

After performing the procedures described in Section 4.16, "Creating Update Proxy User Attribute Task for Custom Fields," you can provision a new AD proxy user and update the new field.
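The procedures in Sections 4.16.2 and 4.16.3 tie three pieces of configuration together: the process form column, the AtMap.ADProxy entry (Code Key = form column, Decode = target attribute), and the formFieldColumnName literal on the update task. The following Python script is an added example, not connector code: it models those pieces as plain data, checks that they agree (including the common mistake of swapping Code Key and Decode) and shows which attribute/value pair an update of the column resolves to. The form columns and lookup entries are constructed sample data; the attribute-name rule follows RFC 4512.

```python
"""Consistency check for a custom AtMap.ADProxy mapping (added example, not connector code)."""
import re

# RFC 4512 attribute descriptor: a letter followed by letters, digits or hyphens.
LDAP_ATTR = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

# Constructed: columns of the UD_ADPROXY form, name -> (variant type, length).
FORM_COLUMNS = {
    "UD_ADPROXY_UPN": ("String", 256),
}

# Constructed: AtMap.ADProxy entries after step 4 of 4.16.2 (Code Key -> Decode).
ATMAP_ADPROXY = {
    "UD_ADPROXY_UPN": "userPrincipalName",
}


def check_mapping(form_columns, atmap, task_literal):
    """Return a list of problems; an empty list means the mapping is consistent."""
    problems = []
    for code_key, decode in atmap.items():
        # The Code Key must be a column of the process form ...
        if code_key not in form_columns:
            problems.append(f"Code Key {code_key!r} is not a column of the process form")
        # ... and the Decode must be a syntactically valid directory attribute name.
        # A swapped entry fails both checks (form column names contain underscores).
        if not LDAP_ATTR.match(decode):
            problems.append(f"Decode {decode!r} is not a valid LDAP attribute name")
    # The update task's formFieldColumnName literal must resolve through the lookup,
    # otherwise the adapter has no target attribute to write.
    if task_literal not in atmap:
        problems.append(f"formFieldColumnName literal {task_literal!r} has no AtMap.ADProxy entry")
    return problems


def to_target_update(form_columns, atmap, column, value):
    """Translate a changed form column into the (attribute, value) pair sent to the target."""
    if column not in atmap:
        raise KeyError(f"no AtMap.ADProxy entry for {column}")
    variant, length = form_columns[column]
    # Enforce the column length from the form version so the update cannot exceed it.
    if variant == "String" and len(value) > length:
        raise ValueError(f"{column}: value longer than the column length {length}")
    return atmap[column], value


if __name__ == "__main__":
    print(check_mapping(FORM_COLUMNS, ATMAP_ADPROXY, "UD_ADPROXY_UPN"))
    print(check_mapping(FORM_COLUMNS, {"userPrincipalName": "UD_ADPROXY_UPN"}, "UD_ADPROXY_UPN"))
    print(to_target_update(FORM_COLUMNS, ATMAP_ADPROXY, "UD_ADPROXY_UPN", "jdoe@example.com"))
```

Run the check after step 5 of 4.16.2 and again after step 7 of 4.16.3, before provisioning a proxy user against the new form version.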