Oracle® Identity Manager Administrative and User Console Guide Release 9.1.0.1 Part Number E14057-01
This chapter introduces the generic technology connector concept and the features that Oracle Identity Manager provides for working with generic technology connectors.
This chapter is divided into the following sections:
Predefined Oracle Identity Manager connectors are designed for commonly used target systems such as Microsoft Active Directory and PeopleSoft Enterprise Applications. A predefined connector is developed using the Adapter Factory approach, and its architecture is based on either the APIs that the target system supports or the data repository type and schema in which the target system stores user data. Because they are developed using the Adapter Factory, predefined connectors offer extensive workflow and adapter customization capabilities. The use of a predefined connector is the recommended integration method if such a connector is available for the target system.
There may be scenarios in which you want to integrate Oracle Identity Manager with a target system that has no corresponding predefined connector. The following are examples of such scenarios:
Scenario 1: All employees of Acme Inc. are allotted disk space on a backup server. Employees send requests to the system administrator for managing their accounts on the backup server. The system administrator has developed a Web-based application to capture, review, and act on requests from employees. The front end of this application is a Web service that accepts and stores data in CSV format. Employee account data stored in the back end can be exported as XML files to a specified location.
Scenario 2: Ceeam Travels Inc. owns a custom Web-based application that its customers use to request airline fare quotes. Agents, who are also employees of Ceeam Travels, respond to these requests by using the same application. Customers self-register themselves to create accounts in this application. However, Ceeam Travels employees need to have accounts auto-provisioned based on their HR job title. Account management functions (such as create, update, and delete) of the application are available through Java APIs.
In both Scenarios 1 and 2, you would need to create a custom connector to link the target system and Oracle Identity Manager. If you want a simple way to create your custom connector and you do not need the customization features of the Adapter Factory, then you can create the connector by using the Generic Technology Connector feature of Oracle Identity Manager. As described in the "Functional Architecture of Generic Technology Connectors" section, providers are the building blocks of generic technology connectors. In Scenario 1, you can use the predefined Shared Drive Reconciliation Transport Provider and CSV Reconciliation Format Provider to create a generic technology connector that reconciles data stored in a flat file into Oracle Identity Manager. For Scenario 2, there is no predefined provider available to integrate the custom application with Oracle Identity Manager. In this case, you can use the instructions provided in Chapter 21 to create custom providers that call the Java APIs exposed by the target application.
Like a predefined connector, a generic technology connector acts as the bridge for reconciliation and provisioning operations between Oracle Identity Manager and a target system. In terms of functionality, a generic technology connector can be divided into a reconciliation module and provisioning module. When you create a generic technology connector, you can specify whether you want to include both modules or only the reconciliation or provisioning module.
A predefined connector provides reconciliation and provisioning functionality in the context of the same target. In contrast, the reconciliation and provisioning modules of a generic technology connector are composed of reusable components that you select. Each component performs a specific function during provisioning or reconciliation. For example, you can create a connector that performs trusted source reconciliation from flat files and provides target resource provisioning using the SPML protocol to an SPML-enabled target.
In this guide, the components that constitute a generic technology connector are called providers.
Each provider performs a transport, format change, validation, or transformation function on the data that it receives as input. In other words, data items processed by a provider are moved to a new location, validated against specified criteria, or undergo modification in structure or value. In this guide, the term data sets is used to describe data structures arranged in the form of layers, with data flowing from one layer to another during provisioning and reconciliation.
While creating a generic technology connector, you can specify the fields (user identity metadata) that must be included in each data set. You can also define mappings between fields of different data sets. A mapping serves one of the following purposes:
Establishes a data flow path between fields of two data sets, for either provisioning or reconciliation
A mapping of this type forms the basis for validations or transformations to be performed on data that is fetched from the target system.
Creates a basis for comparing (matching) field values of two data sets
Figure 19-1 shows the functional architecture of a generic technology connector.
Figure 19-1 Functional Architecture of a Generic Technology Connector
The following sections describe the providers and data sets that constitute a generic technology connector:
The reconciliation module consists of the following providers and data sets:
Reconciliation Transport Provider
A Reconciliation Transport Provider carries reconciliation data from the target system to Oracle Identity Manager. The manner in which this provider carries reconciliation data depends on the implementation of the provider. For example, a Reconciliation Transport Provider can read data from a file, accept data from a Web service, or query a database.
Reconciliation Format Provider
A Reconciliation Format Provider parses the reconciliation data fetched by the Reconciliation Transport Provider and converts this data into data structures that can be stored in Oracle Identity Manager.
A Source data set holds the data processed by the Reconciliation Format Provider. This data set can have child data sets.
A Validation Provider checks the data in the Source data sets against criteria you specify before passing the data to the reconciliation engine of Oracle Identity Manager.
Note:
You can include more than one Validation Provider in a generic technology connector.
A Transformation Provider included in the reconciliation module modifies data received from the Validation Providers before passing on the data for the creation of reconciliation events in Oracle Identity Manager.
The following is an example of a Transformation Provider function:
Suppose the following are the values of two fields in the target system
First Name: John
Last Name: Doe
A Transformation Provider can be used to create the following reconciliation field output:
Login ID: John.Doe
A Reconciliation Staging data set holds user data that has been processed by the Validation Providers and Transformation Providers. This data set can have child data sets.
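The following is an added example, not code from the Oracle Identity Manager product: a small Python model of the reconciliation module just described, chaining transport, format, validation and transformation functions into a Reconciliation Staging list. The provider functions, the CSV column names and the sample export are assumptions made for the illustration (the CSV stands in for the Scenario 1 backup-server export); the Login ID transformation reproduces the John.Doe example above.

```python
# Added example (not code from the Oracle Identity Manager product): a small
# model of the reconciliation module, with the provider functions and the
# CSV export constructed for this illustration.
import csv
import io

# Constructed sample export, in the spirit of the Scenario 1 backup-server
# application. Column names and rows are invented for this example.
SAMPLE_CSV = """user_id,first_name,last_name,status
u100,John,Doe,active
u101,Jane,,active
u102,Ann,Lee,locked
"""


def shared_drive_transport(raw_text):
    """Reconciliation Transport Provider: moves the data without interpreting
    it. A real provider would read the file from a shared drive; here the
    text is already in memory, so the function simply hands it on."""
    return raw_text


def csv_format_provider(text):
    """Reconciliation Format Provider: parses CSV text into Source data set
    records (one dict per row, keyed by the header fields)."""
    return list(csv.DictReader(io.StringIO(text)))


def require_nonempty(field):
    """Builds a Validation Provider check: returns an error string when the
    field is missing or blank, otherwise None."""
    def check(record):
        if not record.get(field, "").strip():
            return "%s is empty" % field
        return None
    return check


def validate(record, checks):
    """Validation Provider: runs every check and collects the failures."""
    return [msg for msg in (check(record) for check in checks) if msg]


def transform_login_id(record):
    """Transformation Provider: derives Login ID from First Name and Last Name,
    matching the John.Doe example in the text."""
    out = dict(record)
    out["login_id"] = "%s.%s" % (record["first_name"], record["last_name"])
    return out


def run_reconciliation_module(raw_csv, checks, transforms):
    """Chains transport -> format -> validation -> transformation and returns
    (reconciliation_staging, rejected). Rejected rows never reach the
    Reconciliation Staging data set, so no reconciliation event is raised
    for them."""
    source = csv_format_provider(shared_drive_transport(raw_csv))
    staging, rejected = [], []
    for record in source:
        errors = validate(record, checks)
        if errors:
            rejected.append((record["user_id"], errors))
            continue
        for transform in transforms:
            record = transform(record)
        staging.append(record)
    return staging, rejected


if __name__ == "__main__":
    staged, bad = run_reconciliation_module(
        SAMPLE_CSV,
        [require_nonempty("first_name"), require_nonempty("last_name")],
        [transform_login_id],
    )
    for rec in staged:
        print("staged:", rec["user_id"], rec["login_id"])
    for user_id, errors in bad:
        print("rejected:", user_id, errors)
```

The point of separating validation from transformation is visible in the output: the row with an empty last name is rejected before the Login ID transformation runs, so a malformed target record can never produce a half-built identity such as "Jane." in the staging data set.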
The provisioning module consists of the following providers and data sets:
A Transformation Provider can be used to modify data items at the following stages:
During reconciliation, data can be modified before reconciliation events are created in Oracle Identity Manager.
During provisioning, data entered in Oracle Identity Manager process forms can be modified before it is sent to the target system.
The following is an example of a Transformation Provider function during provisioning:
Suppose the following are the values of two fields on an Oracle Identity Manager process form:
First Name: John
Last Name: Doe
A Transformation Provider can be used to generate the following field value for the target system:
Login ID: john.doe
A Provisioning Staging data set holds user data before it is sent to the Provisioning Format Provider. This data is the output of the transformation functions that are run on the user data or account data stored in Oracle Identity Manager. This data set can have child data sets.
A Provisioning Format Provider converts Oracle Identity Manager provisioning data (received from the Transformation Provider) into a format that is supported by the target system.
Provisioning Transport Provider
A Provisioning Transport Provider carries provisioning data from the Provisioning Format Provider to the target system. The manner in which this provider carries provisioning data depends on the implementation of the provider. For example, a provider can copy data into a file, send data to a Web service, or post data to a database.
The OIM data sets represent data that is stored in Oracle Identity Manager. Although these data sets are not part of the reconciliation or provisioning module, they are considered part of the generic technology connector because you can add fields to these data sets and create mappings between fields of these data sets and other data sets. The following are the OIM data sets:
The OIM - User data set holds the metadata (set of identity fields) that defines the OIM User. In trusted source reconciliation, this data set receives newly created or modified user account information from the Reconciliation Staging data set. In target resource reconciliation, the fields of the OIM - User data set can be used to establish a match between target system user accounts and existing OIM Users. This data set does not have child data sets.
The OIM - Account data set holds the user account information that is stored in the process form fields of Oracle Identity Manager. This user account information is received from the Reconciliation Staging data sets. The OIM - Account data set can have child data sets.
The following sections discuss the features of generic technology connectors:
The following features are specific to the reconciliation module:
A generic technology connector can be used for trusted source reconciliation. During reconciliation in trusted mode:
If the reconciliation engine detects new target system accounts, then it creates corresponding OIM Users.
If the reconciliation engine detects changes to existing target system accounts, then the same changes are made in the corresponding OIM Users.
Note:
While creating a generic technology connector, if you do not select the Trusted Source Reconciliation option, then target resource reconciliation is enabled. In target resource reconciliation, only modifications to target system accounts are reconciled. New target system accounts detected during reconciliation are not automatically created in Oracle Identity Manager.
A generic technology connector that is used for trusted source reconciliation cannot be used for provisioning. This restriction ensures that Oracle Identity Manager is never used to create or modify user account information on a target system that is designated as a trusted source.
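The difference between the two modes, as an added Python example that is not Oracle Identity Manager code: the same Reconciliation Staging records are applied once in trusted source mode and once in target resource mode. The matching rule (an employee_id field of the OIM - User data set) and all records are assumptions made for the illustration.

```python
# Added example, not Oracle Identity Manager code: models how staged
# reconciliation records are applied in trusted source mode versus target
# resource mode. The matching rule (an 'employee_id' field of the OIM - User
# data set) and all records are assumptions made for the illustration.

# Constructed existing OIM Users, keyed on the match field.
OIM_USERS = [
    {"employee_id": "e1", "first_name": "John", "last_name": "Doe"},
]

# Constructed Reconciliation Staging records from one run: e1 exists and
# changed its last name, e2 is an account OIM has never seen.
STAGING = [
    {"employee_id": "e1", "first_name": "John", "last_name": "Smith"},
    {"employee_id": "e2", "first_name": "Ann", "last_name": "Lee"},
]


def apply_reconciliation(staging, oim_users, trusted_source, match_field="employee_id"):
    """Returns a list of (action, key) and updates oim_users in place.

    trusted_source=True : unmatched accounts create new OIM Users.
    trusted_source=False: only matched accounts are updated; an unmatched
    account is reported and left alone, which is how an orphan account on
    the target becomes visible instead of silently becoming an OIM User.
    """
    index = {user[match_field]: user for user in oim_users}
    actions = []
    for record in staging:
        key = record[match_field]
        if key in index:
            index[key].update(record)
            actions.append(("update", key))
        elif trusted_source:
            new_user = dict(record)
            oim_users.append(new_user)
            index[key] = new_user
            actions.append(("create", key))
        else:
            actions.append(("unmatched", key))
    return actions


if __name__ == "__main__":
    for trusted in (True, False):
        users = [dict(u) for u in OIM_USERS]
        print("trusted_source=%s:" % trusted,
              apply_reconciliation([dict(r) for r in STAGING], users, trusted),
              "-> %d OIM Users" % len(users))
```

Because a trusted source is allowed to create identities, the choice of match field and the integrity of the export feeding it matter far more than in target resource mode; the unmatched action in the second mode is the signal to investigate rather than an identity to keep.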
Connector objects, such as IT resources and resource objects, are created automatically at the end of the generic technology connector creation process. By default, the resource object of a generic technology connector is a trusted resource object. In other words, a generic technology connector is already compatible with the Multiple Trusted Source Reconciliation feature. This feature is discussed in the "Multiple Trusted Source Reconciliation" section of Oracle Identity Manager Design Console Guide.
Note:
In trusted source reconciliation, the reconciliation of multivalued (child) data is not supported.
User account status information is used to track whether or not the owner of a target system account is to be allowed to access and use the account. If the target system does not store account status information in the format in which it is stored in Oracle Identity Manager, then you can use the predefined Translation Transformation Provider to implement account status reconciliation.
Note:
User account status reconciliation can be implemented independently of whether you select trusted source or target resource reconciliation.
The Design Console offers features for implementing account status reconciliation, without using the Translation Transformation Provider. For more information, see "Account Status Reconciliation" in Oracle Identity Manager Design Console Guide.
While creating a generic technology connector, you can specify that you want to use the connector for full or incremental reconciliation.
You select incremental reconciliation if the target system supports a method for the reconciliation engine to identify records that have changed since the last reconciliation run. For example, if the target system time stamps the creation of or changes made to user records, then the reconciliation engine can identify records that have been added or modified since the last reconciliation run. In incremental reconciliation, only target system records that have changed after the last reconciliation run are reconciled (stored) into Oracle Identity Manager.
You select full reconciliation if any one of the following conditions is true:
The target system does not support any method for the reconciliation engine to identify records that have changed since the last reconciliation run.
You want to perform first-time reconciliation of all user account records in the target system.
In full reconciliation, all the reconciliation records are extracted from the target system. However, the optimized reconciliation feature identifies and ignores records that have already been reconciled in Oracle Identity Manager. This helps reduce the space occupied by reconciliation data. If this feature were not present, then the amount of data stored in the Oracle Identity Manager database would increase rapidly with each reconciliation run.
Note:
The outcome of both full and incremental reconciliation is the same:
All the target system records are reconciled during the first reconciliation run.
From the second reconciliation run onward, target system records that are created or updated after the last reconciliation run are reconciled into Oracle Identity Manager.
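The following added Python example (not Oracle's implementation) runs the same two target snapshots through a full extract with the optimized skip of already-reconciled records and through an incremental extract keyed on a last-modified time stamp, and shows that both raise events for exactly the same records on the first and second run. The snapshots, the last_modified field and the fingerprinting used to detect "already reconciled" are assumptions made for the illustration.

```python
# Added example, not Oracle's implementation: compares a full reconciliation
# run (all records extracted, already-reconciled records skipped by the
# optimized reconciliation step) with an incremental run (only records whose
# time stamp is newer than the last run). The target snapshots, the
# 'last_modified' field and the fingerprinting are assumptions.
import hashlib
import json

# Constructed target system snapshots: user_id -> (last_modified, attributes)
TARGET_RUN1 = {
    "u1": (100, {"first_name": "John", "last_name": "Doe"}),
    "u2": (120, {"first_name": "Jane", "last_name": "Roe"}),
}
TARGET_RUN2 = {
    "u1": (100, {"first_name": "John", "last_name": "Doe"}),    # unchanged
    "u2": (150, {"first_name": "Jane", "last_name": "Smith"}),  # modified
    "u3": (160, {"first_name": "Ann", "last_name": "Lee"}),     # new
}


class ReconciliationState:
    """What Oracle Identity Manager would need to remember between runs."""
    def __init__(self):
        self.last_run = 0      # newest time stamp seen so far
        self.reconciled = {}   # user_id -> fingerprint of the stored data


def fingerprint(attrs):
    """Stable digest of a record's attributes, used to detect 'already stored'."""
    return hashlib.sha256(json.dumps(attrs, sort_keys=True).encode()).hexdigest()


def extract_full(target, state):
    """Full reconciliation: every record is extracted from the target."""
    return {uid: attrs for uid, (_ts, attrs) in target.items()}


def extract_incremental(target, state):
    """Incremental reconciliation: only records changed since the last run."""
    return {uid: attrs for uid, (ts, attrs) in target.items() if ts > state.last_run}


def run_reconciliation(target, state, extract):
    """Returns the sorted user_ids for which a reconciliation event is created."""
    events = []
    for uid, attrs in extract(target, state).items():
        fp = fingerprint(attrs)
        if state.reconciled.get(uid) == fp:
            continue   # optimized reconciliation: identical data already in OIM
        state.reconciled[uid] = fp
        events.append(uid)
    state.last_run = max([ts for ts, _ in target.values()] + [state.last_run])
    return sorted(events)


if __name__ == "__main__":
    for name, extract in (("full", extract_full), ("incremental", extract_incremental)):
        state = ReconciliationState()
        print(name, "run 1:", run_reconciliation(TARGET_RUN1, state, extract))
        print(name, "run 2:", run_reconciliation(TARGET_RUN2, state, extract))
```

The full run still extracts every record on the second run, so the saving is in the Oracle Identity Manager database, not in the traffic to the target; the incremental run saves both, but only if the target's time stamps can be trusted, which is the condition the text places on choosing it.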
You can specify a batch size for reconciliation. By doing this, you can break into batches the total number of records that the reconciliation engine fetches from the target system during each reconciliation run. This feature provides more control over the reconciliation process.
You can specify whether or not you want to reconcile into Oracle Identity Manager the deletion of multivalued attribute data on the target system.
Note:
Generic technology connectors do not support the reconciliation of parent data deletion. For example, if the account of user John Doe is deleted from the target system, then you cannot use a generic technology connector to reconcile this user account deletion into Oracle Identity Manager. This is also mentioned in the "General Known Issues" section.
During reconciliation, Validation Providers can be used to run checks on target system data before it is stored in Oracle Identity Manager. You can set a failure threshold to automatically stop a reconciliation run if the percentage of records that fail the validation checks to the total number of records processed exceeds the specified threshold percentage.
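The batch size and the validation failure threshold described above, as one added Python example that is not code from Oracle Identity Manager: records are processed batch by batch, and after each batch the cumulative failure percentage is compared with the threshold. The two checks, the decision to evaluate the threshold after every batch rather than after every record, and the sample records are assumptions made for this illustration.

```python
# Added example, not from the Oracle Identity Manager product: batch-wise
# validation with a failure threshold, as described for the reconciliation
# module. The checks, the threshold semantics (checked after every batch)
# and the sample records are assumptions made for this illustration.

# Constructed target records: two of the six fail a check.
RECORDS = [
    {"user_id": "u1", "email": "u1@example.com"},
    {"user_id": "u2", "email": "u2@example.com"},
    {"user_id": "u3", "email": "not-an-address"},   # fails has_email_domain
    {"user_id": "u4", "email": "u4@example.com"},
    {"user_id": "",   "email": "u5@example.com"},   # fails has_user_id
    {"user_id": "u6", "email": "u6@example.com"},
]


def has_user_id(record):
    return bool(record.get("user_id"))


def has_email_domain(record):
    return "@" in record.get("email", "")


def reconcile_in_batches(records, checks, threshold_pct, batch_size):
    """Runs Validation Provider checks batch by batch.

    After each batch the cumulative failure percentage (failed / processed)
    is compared with threshold_pct; if it is exceeded the run stops so that
    a target export that is largely garbage does not keep feeding events
    into Oracle Identity Manager. Returns (accepted, failed, stopped).
    """
    accepted, failed, processed = [], [], 0
    for start in range(0, len(records), batch_size):
        for record in records[start:start + batch_size]:
            processed += 1
            if all(check(record) for check in checks):
                accepted.append(record)
            else:
                failed.append(record)
        failure_pct = 100.0 * len(failed) / processed
        if failure_pct > threshold_pct:
            return accepted, failed, True
    return accepted, failed, False


if __name__ == "__main__":
    checks = [has_user_id, has_email_domain]
    for threshold in (25, 50):
        accepted, failed, stopped = reconcile_in_batches(RECORDS, checks, threshold, batch_size=3)
        print("threshold %d%%: accepted=%d failed=%d stopped=%s"
              % (threshold, len(accepted), len(failed), stopped))
```

With a 25 percent threshold the run stops after the first batch of three (one failure is already 33 percent), while with 50 percent all six records are processed and the two bad ones are simply reported. A low threshold is the safer default for a trusted source, where accepting a broken export would create or alter OIM Users.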
The following features are not specific to the reconciliation or provisioning module:
While creating a generic technology connector, you can specify the identity fields and field mappings (data flow paths) that must be used during reconciliation and provisioning.
You can create custom providers if the predefined providers shipped with Oracle Identity Manager do not address the transport, format change, validation, or transformation requirements of your operating environment.
Generic technology connectors can handle both ASCII and non-ASCII user data.
While creating a generic technology connector, you can specify:
The format of date values in target system records that are extracted during reconciliation
The format in which date values must be sent to the target system during provisioning
The following is an overview of the remaining chapters and appendixes on generic technology connectors:
Chapter 20, "Predefined Generic Technology Connector Providers Shipped with Oracle Identity Manager"
This chapter describes the predefined providers that are shipped with Oracle Identity Manager.
Chapter 21, "Creating Custom Providers for Generic Technology Connectors"
This chapter describes the procedure to create custom providers.
Chapter 22, "Creating Generic Technology Connectors"
This chapter describes the procedure to create generic technology connectors.
Chapter 23, "Managing Generic Technology Connectors"
This chapter provides procedural information about modifying, exporting, and importing generic technology connectors.
Chapter 24, "Best Practices for Creating and Using Generic Technology Connectors"
This chapter discusses best practices that you must apply while creating and using generic technology connectors. Some of these guidelines have been repeated at appropriate places in this guide.
Chapter 25, "Troubleshooting Generic Technology Connector Errors"
This chapter provides solutions to some commonly encountered problems associated with using generic technology connectors for reconciliation and provisioning.
Chapter 26, "Known Issues of Generic Technology Connectors"
This chapter explains the limitations of the generic technology connector framework in this release of Oracle Identity Manager. Most of these limitations are also covered at appropriate places in the rest of the guide.
Chapter 27, "Using Oracle Identity Manager As a Target System for Provisioning Operations"
This chapter discusses instructions specific to creating a generic technology connector for use as the provisioning link to a target Oracle Identity Manager installation.
Chapter 28, "Connector Objects Created by the Generic Technology Connector Framework"
This chapter provides information about the connector objects that are automatically created by the generic technology connector framework.
Related Documentation on Connectors
The following guides provide additional information about connectors and the features that Oracle Identity Manager provides for working with connectors:
Oracle Identity Manager Design Console Guide
See this guide for additional information about Design Console procedures related to using generic technology connectors.
Oracle Identity Manager Globalization Guide
This guide contains information related to understanding globalized portions of the product, and working with resource bundles to localize user-configurable strings. This guide also provides instructions on developing resource bundles for generic technology connectors that you create.