Oracle® Identity Manager Administrative and User Console Guide Release 9.1.0.1 Part Number E14057-01
You can create a generic technology connector to perform provisioning operations on a target Oracle Identity Manager installation. In other words, an Oracle Identity Manager installation can be used as a provisioning-only target system for another Oracle Identity Manager installation.
See Also:
The "SPML Web Service" chapter of Oracle Identity Manager Tools Reference
Figure 27-1 illustrates the setup for sending SPML requests to an Oracle Identity Manager installation configured as a target system.
Figure 27-1 Setup for Using Oracle Identity Manager As a Provisioning Target
The following sample scenario illustrates the working of this setup:
OIM1 and OIM2 are two different Oracle Identity Manager installations. On OIM1, you have created a generic technology connector (GTC1) that contains the SPML Provisioning Format Provider and Web Services Provisioning Transport Provider. OIM2 is a target system of OIM1. The SPML Web Service is running on OIM2.
See Also:
The "SPML Provisioning Format Provider" section for information about supported SPML operations
For OIM Users on OIM1, target resource accounts can be created, modified, or deleted on OIM2. When you create, modify, or delete an OIM2 (target resource) account of a user through OIM1, the following sequence of events takes place:
The SPML Provisioning Format Provider of GTC1 converts the provisioning operation data into an SPML request and bundles it into a SOAP packet.
The Web Services Provisioning Transport Provider of GTC1 sends the SOAP packet to the SPML Web Service of OIM2.
The SPML Web Service parses the SPML request and performs the provisioning operation.
Because the provisioning operation was successfully performed on OIM2, the SPML Web Service sends an SPML response (indicating success of the operation) back to the Web Services Provisioning Transport Provider.
The psoID value is extracted from the SPML response by the Web Services Provisioning Transport Provider and passed on to the generic technology connector framework as the ID field value.
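The last two events in this sequence, sketched as an added example that is not Oracle's code: a receiver checks the SOAP-wrapped SPML response and returns the psoID only when the status is success. The sample responses are constructed and follow the OASIS SPML 2.0 schema rather than anything shown in this guide; `extract_pso_id` and `SpmlError` are hypothetical names.

```python
import xml.etree.ElementTree as ET

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
SPML = "{urn:oasis:names:tc:SPML:2:0}"

# Constructed sample responses; requestID and psoID values are made up.
_WRAP = ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
         '<soapenv:Body>%s</soapenv:Body></soapenv:Envelope>')
SAMPLE_SUCCESS = _WRAP % (
    '<addResponse xmlns="urn:oasis:names:tc:SPML:2:0" status="success" requestID="req-0001">'
    '<pso><psoID ID="Users:1234"/></pso></addResponse>')
SAMPLE_FAILURE = _WRAP % (
    '<addResponse xmlns="urn:oasis:names:tc:SPML:2:0" status="failure" requestID="req-0002">'
    '<errorMessage>constructed error text</errorMessage></addResponse>')


class SpmlError(Exception):
    """Raised when a response cannot be trusted as a successful SPML result."""


def extract_pso_id(soap_xml: str) -> str:
    """Return the psoID of a successful SPML response, else raise SpmlError."""
    # The body comes from another system: refuse DTDs and entity declarations
    # instead of letting the parser expand them.
    if "<!DOCTYPE" in soap_xml or "<!ENTITY" in soap_xml:
        raise SpmlError("DTD or entity declaration in response")
    try:
        envelope = ET.fromstring(soap_xml)
    except ET.ParseError as exc:
        raise SpmlError(f"malformed XML: {exc}") from exc
    body = envelope.find(SOAP + "Body")
    if envelope.tag != SOAP + "Envelope" or body is None:
        raise SpmlError("not a SOAP envelope")
    payload = list(body)
    if len(payload) != 1 or not payload[0].tag.startswith(SPML):
        raise SpmlError("SOAP body does not hold exactly one SPML element")
    response = payload[0]
    # Only an explicit success counts; any other status is treated as an error here.
    if response.get("status") != "success":
        errors = "; ".join(e.text or "" for e in response.findall(SPML + "errorMessage"))
        raise SpmlError(f"status={response.get('status')!r}: {errors}")
    pso_id = response.find(SPML + "pso/" + SPML + "psoID")
    if pso_id is None or not pso_id.get("ID"):
        raise SpmlError("success response without a psoID")
    return pso_id.get("ID")


if __name__ == "__main__":
    print(extract_pso_id(SAMPLE_SUCCESS))
```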
To create a generic technology connector for use as the provisioning link to a target Oracle Identity Manager installation, perform the instructions described in the "Using the Administrative and User Console to Create the Generic Technology Connector" section. Steps that are specific to creating this generic technology connector are as follows:
On the Step 1: Provide Basic Information page:
Select the Provisioning option and then select the following providers:
Web Services Provisioning Transport Provider
SPML Provisioning Format Provider
On the Step 2: Specify Parameter Values page:
Specify values for the run-time and design parameters. While performing this procedure, you need not specify a value for the Target Date Format parameter. This is because the default value of the date format is used.
On the Step 3: Modify Connector Configuration page:
The Web Services Provisioning Transport Provider and SPML Provisioning Format Provider do not have the capability to detect metadata. Therefore, you must manually add fields and create mappings on the Step 3: Modify Connector Configuration page as follows:
Create the following fields in the Provisioning Staging - Account data set. These are mandatory fields.
Users.User ID
Users.First Name
Users.Last Name
Organizations.Organization Name
Users.Xellerate Type
Users.Role
Users.Password
Because you are using the SPML Provisioning Format Provider, the following fields are automatically created in the Provisioning Staging - Account data set as part of metadata detection:
containerID
objectclass
ID
Note:
In the provisioning operation, the value of the containerID field takes precedence over the value of the Organizations.Organization Name field. If an SPML request sent by the generic technology connector contains values for both the containerID and Organizations.Organization Name fields, then the value of the containerID field is used in the provisioning operation.
If required, you can also create the following fields in the Provisioning Staging data set. These are nonmandatory fields.
Users.Middle Name
Users.Status
Users.Provisioned Date
Users.Creation Date
Users.Manager Login
Users.End Date
Users.Start Date
Create the mappings shown in the following table. The word "recommended" in the heading of the first column is used to indicate that it is not mandatory to use the source fields listed in that column for creating mappings with the fields listed in the second column.
Recommended Source Field in the OIM - User Data Set | Destination Field in the Provisioning Staging - Account Data Set |
---|---|
User ID | Users.User ID |
First Name | Users.First Name |
Last Name | Users.Last Name |
Organization | Organizations.Organization Name |
User Type | Users.Xellerate Type |
Employee Type | Users.Role |
Password | Users.Password |
Because you are using the SPML Provisioning Format Provider, the following mappings are created as part of metadata detection.
Source Field in the OIM - Account Data Set | Destination Field in the Provisioning Staging - Account Data Set |
---|---|
containerID (This is the recommended source field. You can use any field.) | containerID |
objectclass (This is the recommended source field. You can use any field.) | objectclass |
ID | ID |
If you add fields from the list of nonmandatory fields given in Step 3.a, then you must create mappings between those fields and the corresponding fields in the OIM data sets.
If required, create child data sets for the OIM - Account and Provisioning Staging - Account data sets and then create mappings between corresponding fields of the child data sets.
On the Step 2: Specify Parameter Values page, you specify a value for the ID Attribute for Child Dataset Holding Group Membership Information parameter. You must ensure that a field with the same name as the value you specify is included in the child data set.
See Also:
The "SPML Provisioning Format Provider" section for more information about the ID Attribute for Child Dataset Holding Group Membership Information parameter
After you perform these steps, click Close on the Step 3: Modify Connector Configuration page.
On the Step 4: Verify Connector Form Names page:
Accept or modify the values displayed on this page.
On the Step 5: Verify Connector Information page:
Review the information displayed on this page, and then click Create.