Oracle® Identity Manager Tools Reference Release 9.1.0.2 Part Number E14763-02 |
This chapter discusses the SPML Web Service interface of Oracle Identity Manager.
The following sections of this chapter provide basic information about the SPML Web Service:
To deploy the SPML Web Service, you can follow the approach described in one of the following sections:
The following sections describe procedures to be performed after you deploy the SPML Web Service:
The following section provides an overview of the procedure to develop a client for the SPML Web Service:
Organizations can have multiple provisioning systems that exchange information about the modification of user records. In addition, there can be applications that interact with multiple provisioning systems. Connectors can enable the interaction between two provisioning systems or between an application and a provisioning system so that each application synchronizes with the other. However, configuring a custom connector for each combination of these systems leads to a lot of overhead.
The solution to this problem is the application of one common language or protocol that all these systems understand. The answer is SPML.
The SPML Web Service provides a layer over Oracle Identity Manager to interpret SPML requests and convert them to Oracle Identity Manager calls.
See Also:
Refer to the following Web page for information about the SPML v2.0 specification:
The SPML Web Service supports only inbound provisioning requests. It does not support any type of reconciliation because it does not generate reconciliation events. For example, if you request a resource to be provisioned to an OIM User in which data must be populated in the resource's process form and child table, the request will not be supported. This is because the SPML Web Service is not aware of any information associated with a resource object.
Note:
Outbound provisioning requests can be sent by using a generic technology connector containing the SPML Provisioning Format Provider. Refer to Oracle Identity Manager Administrative and User Console Guide for information about generic technology connectors.
The SPML Web Service sends and receives SPML requests in the form of SOAP messages. The SPML model consists of the following entities that participate in an end-to-end provisioning scenario.
Requesting Authority (RA): An RA or requestor is the component that issues well-formed SPML requests to a provisioning service provider.
Provisioning Service Provider (PSP): A PSP or provider is the component that listens for, processes, and returns the results for well-formed SPML requests from a known requestor.
Provisioning Service Target (PST): A PST or target represents a destination or an endpoint that a provider makes available for provisioning actions.
The implementation of the SPML protocol allows for the reliable exchange of provisioning requests and a model on which you can build a more complex application-level provisioning functionality. SPML is the language of exchanging the management requests used by provisioning systems to manage and control an identity.
Figure 12-1 illustrates the functional architecture of the SPML Web Service.
The provisioning application can play the role of both an RA and a PSP. Consider the following scenarios:
Provisioning Application as PSP
In this scenario, a client application sends an SPML request to the provisioning application. The provisioning application carries out the request and returns an SPML response to the client application. The request-response exchange is either synchronous or asynchronous. This is typically described as the "inbound" scenario. In Oracle Identity Manager, this is implemented through the SPML Web Service.
Provisioning Application as RA
In this scenario, the provisioning application plays the role of the SPML client and sends an SPML request to a PST, which carries out the request and returns an SPML response. The request-response exchange is synchronous or asynchronous. This is typically described as the "outbound" scenario. In Oracle Identity Manager, this is implemented through the generic technology connector containing the SPML Provisioning Format Provider.
Provisioning Application as RA and PSP
Note:
This feature is not supported in Oracle Identity Manager release 9.1.0.
In this scenario, a client application sends an SPML request to the provisioning application that cannot itself fulfill the request. Here, the provisioning application forwards the request to the provisioning target that fulfills the request and returns an SPML response. The provisioning application then returns an SPML response to the client application. The request-request-response-response exchange is synchronous or asynchronous.
The SPML Web Service supports capabilities that meet the minimum conformance criteria described in the SPML v2.0 specification. This section discusses the various operations supported by the SPML Web Service.
Note:
The SPML Web Service supports requests in UTF-8 encoding only.
You can use the psoID to uniquely identify an entity (User/Group/Organization) in a provisioning target. In Oracle Identity Manager, to specify an entity, the combination of an objectclass and an entity key is required. An entity key is the database key returned when you create an entity in Oracle Identity Manager. The psoID in Oracle Identity Manager is in the following format:
objectclass:entitykey
For example, objectclass can be Users and entity key can be 3. In this case, the psoID you specify is Users:3.
The SPML Web Service supports the following provisioning operations or requests:
Add Operations
The Add Request operation creates an entry for the requested target type in Oracle Identity Manager. The supported target types are User, Group, and Organization. This operation checks if an entry exists and reports errors, if any. This operation can also include capability data for the User and Group target types when it associates a user or group with one or more groups by using the memberOf relationship. This function also supports the administrator reference capability, which you can use to assign one or more groups as the administrator of a new group.
See Also:
The "Add Request" section for a sample Add request
Modify Operations
The Modify Request operation updates the specified target entry for the requested target type in Oracle Identity Manager. The supported target types are User, Group, and Organization. This operation checks if an entry exists and reports errors, if any. If the entry exists, then the target is updated with the given data. This operation can also modify capability data. For the User target type, the supported reference capability is memberOf. This operation can also be used to update the references of the user. The user can be added to or removed from a group.
Similarly, for the Group target type, the supported reference capabilities are memberOf and administrator. Modify requests can be used to create, replace, or delete these references.
See Also:
The "Modify Request" section for a sample Modify request
Delete Operations
The Delete Request operation deletes the specified target entry from Oracle Identity Manager. The supported target types are User, Group, and Organization. This operation checks if an entry exists and reports errors, if any. If the entry exists, it is deleted. The recursive delete option is not supported.
Add, Replace, or Delete References
References are entities that can be referred to by other entities. For example, user John Doe is a member of a group. Now, you want to remove John Doe from that group and make him a member of another group. You can specify the details of the user in the new group through a reference, and the user becomes the member of the new group.
The following references are supported by SPML:
Add/Replace/Delete Group membership references for users
Add/Replace/Delete Group membership references for groups
Add/Replace/Delete Group administrator references for groups
Lookup Operations
The Lookup Request operation looks up the specified target entry in Oracle Identity Manager. The supported target types are User, Group, and Organization. This operation checks if the entry exists, and it returns the lookup data or reports back errors. The user can be looked up in Oracle Identity Manager based on the user ID. The lookup operation also returns any capability-specific data that is associated with the object if you specify everything as the value of returnData type.
Search Operations
The Search Request operation searches for the specified target entry in Oracle Identity Manager. The supported target types are User, Group, and Organization. This operation checks if the entry exists and returns the search response based on whether or not the entry is available.
Search requests do not support query scope. Even if there is a query scope, it is ignored. The search query is formed by applying the AND operator to the search criteria specified in the request. Different search criteria can be specified in an SPML search request by using the Directory Services Markup Language (DSML) filter. The only operation supported in the DSML filter is equalityMatch.
The includeDataForCapability element is not supported. If you specify everything as the value of returnData, then the search operation returns all the associated references. The search operation requires object class information based on which it can query the User, Group, and Organization containers. Therefore, it expects an object class as one of the query elements in the search query.
For example, if you want to perform a search on the Users object class, then this information must be embedded in the request. This is described in the following code sample:
<searchRequest returnData="identifier" xmlns="urn:oasis:names:tc:SPML:2:0:search" xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core">
  <query scope="pso">
    <basePsoID ID=""/>
    <and>
      <dsml:filter>
        <dsml:equalityMatch name="Users.LastName">
          <dsml:values>Doe</dsml:values>
        </dsml:equalityMatch>
      </dsml:filter>
      <dsml:filter>
        <dsml:equalityMatch name="Users.XellerateType">
          <dsml:values>End-User</dsml:values>
        </dsml:equalityMatch>
      </dsml:filter>
      <dsml:filter>
        <dsml:equalityMatch name="ObjectClass">
          <dsml:values>Users</dsml:values>
        </dsml:equalityMatch>
      </dsml:filter>
    </and>
  </query>
</searchRequest>
The basePsoID in which the search is performed must be Organization or an empty string. (The basePsoID is either in the psoID format Organization:key or an empty string.)
For example: <basePsoID ID="Organization:7"/> or <basePsoID ID=""/>
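As an added example (not code from the Oracle documentation), the following Python builds a searchRequest in the shape of the sample above, ANDing DSML equalityMatch filters and appending the ObjectClass filter, and checks an incoming request against the constraints this section lists: only equalityMatch, an ObjectClass filter required, includeDataForCapability unsupported, basePsoID empty or Organization:key. The psoID helpers follow the objectclass:entitykey format described earlier; treating the entity key as numeric is an assumption drawn from its being a database key.

```python
"""Build and sanity-check SPML v2.0 searchRequest messages for the OIM SPML Web Service."""
import xml.etree.ElementTree as ET

# Namespaces taken from the searchRequest sample on this page.
SPML_SEARCH_NS = "urn:oasis:names:tc:SPML:2:0:search"
DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"


def parse_pso_id(pso_id):
    """Split an OIM psoID of the form objectclass:entitykey into (objectclass, key).

    Assumption: the entity key is the numeric database key OIM returned at creation time.
    """
    if ":" not in pso_id:
        raise ValueError(f"psoID {pso_id!r} is not in objectclass:entitykey form")
    object_class, _, key = pso_id.partition(":")
    if not object_class or not key.isdigit():
        raise ValueError(f"psoID {pso_id!r} needs a non-empty objectclass and a numeric entity key")
    return object_class, int(key)


def validate_base_pso_id(base_pso_id):
    """basePsoID must be an empty string or an Organization psoID (Organization:key)."""
    if base_pso_id == "":
        return True
    object_class, _ = parse_pso_id(base_pso_id)
    if object_class != "Organization":
        raise ValueError(f"basePsoID {base_pso_id!r} must be empty or Organization:key")
    return True


def build_search_request(criteria, object_class="Users", base_pso_id="", return_data="identifier"):
    """Return a searchRequest whose equalityMatch filters are ANDed, with ObjectClass appended.

    criteria maps attribute name to value, e.g. {"Users.LastName": "Doe"}.
    """
    validate_base_pso_id(base_pso_id)
    ET.register_namespace("", SPML_SEARCH_NS)   # default namespace, as in the page's sample
    ET.register_namespace("dsml", DSML_NS)
    root = ET.Element(f"{{{SPML_SEARCH_NS}}}searchRequest", {"returnData": return_data})
    query = ET.SubElement(root, f"{{{SPML_SEARCH_NS}}}query", {"scope": "pso"})
    ET.SubElement(query, f"{{{SPML_SEARCH_NS}}}basePsoID", {"ID": base_pso_id})
    and_el = ET.SubElement(query, f"{{{SPML_SEARCH_NS}}}and")
    for name, value in list(criteria.items()) + [("ObjectClass", object_class)]:
        filt = ET.SubElement(and_el, f"{{{DSML_NS}}}filter")
        match = ET.SubElement(filt, f"{{{DSML_NS}}}equalityMatch", {"name": name})
        ET.SubElement(match, f"{{{DSML_NS}}}values").text = value
    return ET.tostring(root, encoding="unicode")


def check_search_request(xml_text):
    """Return the list of reasons the OIM SPML Web Service would reject or silently ignore
    parts of this request; an empty list means the request can be run as written."""
    problems = []
    root = ET.fromstring(xml_text)
    ns = {"s": SPML_SEARCH_NS, "dsml": DSML_NS}
    base = root.find("s:query/s:basePsoID", ns)
    try:
        validate_base_pso_id(base.get("ID", "") if base is not None else "")
    except ValueError as exc:
        problems.append(str(exc))
    if next(root.iter(f"{{{SPML_SEARCH_NS}}}includeDataForCapability"), None) is not None:
        problems.append("includeDataForCapability is not supported")
    object_class_seen = False
    for filt in root.iter(f"{{{DSML_NS}}}filter"):
        for op in filt:
            local = op.tag.split("}")[-1]
            if local != "equalityMatch":
                problems.append(f"DSML operator {local!r} is not supported; only equalityMatch is")
            elif op.get("name") == "ObjectClass":
                object_class_seen = True
    if not object_class_seen:
        problems.append("no ObjectClass equalityMatch filter; the service cannot pick a container")
    return problems
```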
Password Operations
There are two passwordRequest operations, setPasswordRequest and resetPasswordRequest. The former enables a user to change the password, while the latter generates a new, randomly generated password for the user, based on the password policy defined for that user in Oracle Identity Manager. The supported target type is User. By default, resetPasswordRequest sets the password to default.
Suspend, Resume, or Active User Operations
The suspend capability specified in the SPML v2.0 specification has three operations:
suspend: Disables the state of an active user in Oracle Identity Manager.
resume: Enables the state of a disabled user in Oracle Identity Manager.
active: Returns the state of a user (that is, specifies whether or not a user is in the active state).
ListTargets Operations
The listTargets operation can be used to determine the targets that are available for provisioning. This operation can also be used to determine the attributes that are supported by the provisioning system for each supported target type. This operation returns the schema information of all three supported target types: User, Group, and Organization.
The SPML Web Service does not support the following operations:
Search (iterate/closeIterator/hasReference)
Update (updates/iterate/closeIterator)
Asynchronous request (status/cancel)
Batch processing
Bulk update (bulkModify/bulkDelete)
Password expiry or validation
Note:
If you want to include the date attribute in a provisioning request, then you must use the following format:
yyyy-MM-dd hh:mm:ss.fffffffff
No other date format is supported. Refer to the "Add Request With Date Format" section for a sample Add request with the date attribute assigned.
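The following Python is an added example, not part of the Oracle documentation: it renders a datetime in the yyyy-MM-dd hh:mm:ss.fffffffff form the service requires and rejects anything else before a request is sent. It assumes the hour field is 24-hour (as in java.sql.Timestamp) and that all nine fractional digits are mandatory, which is how the pattern reads; Python only keeps microseconds, so the remaining three digits are zero-padded.

```python
"""Produce and check the only date format the OIM SPML Web Service accepts."""
import re
from datetime import datetime

# yyyy-MM-dd hh:mm:ss.fffffffff with exactly nine fractional-second digits (assumption).
_OIM_DATE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2})\.(\d{9})$")


def format_oim_date(value):
    """Render a datetime for a provisioning request.

    Assumption: hh is a 24-hour field. strftime gives six fractional digits, so three
    zeros are appended to reach the nine the format requires.
    """
    return value.strftime("%Y-%m-%d %H:%M:%S.%f") + "000"


def parse_oim_date(text):
    """Return a datetime for a correctly formatted value, or raise ValueError with the reason.

    Digits beyond microseconds are dropped because datetime cannot hold them.
    """
    m = _OIM_DATE_RE.match(text)
    if not m:
        raise ValueError(f"{text!r} is not in yyyy-MM-dd hh:mm:ss.fffffffff form")
    year, month, day, hour, minute, second, frac = m.groups()
    # datetime() itself rejects impossible values such as month 13 or hour 25.
    return datetime(int(year), int(month), int(day), int(hour), int(minute), int(second),
                    int(frac[:6]))


def is_oim_date(text):
    """True when the service would accept the value as a date attribute."""
    try:
        parse_oim_date(text)
        return True
    except ValueError:
        return False
```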
Note:
If you are using SPML Web service along with Oracle Identity Manager, then you must redeploy the SPML Web service whenever you upgrade Oracle Identity Manager. If you have customized the EAR file, then you must redo those changes in the EAR file and then redeploy it.
The SPML Web Service is packaged in a deployable Enterprise Archive (EAR) file named OIMSpmlWS.ear. This file is generated when you install Oracle Identity Manager and is stored at the following location:
OIM_HOME/SPMLWS
There is a separate EAR file for each application server, and each file is stored in its respective application server folder in the SPMLWS directory.
Note:
Oracle Identity Manager and the SPML Web Service must be deployed on the same application server. This is known as collocated deployment. In a clustered environment, ensure that the SPML Web Service is installed on each node on which Oracle Identity Manager is installed.
Use the following batch file to run the scripts that deploy the SPML Web Service on the application server on which Oracle Identity Manager is running:
OIM_HOME/xellerate/setup/spml_AppServerName
To run this batch file, perform the steps that correspond to your operating environment:
Note:
The following log file is created when you run the batch file:
OIM_HOME/xellerate/logs/spml-AppServerName.log
On a nonclustered Oracle WebLogic Server installation:
Enter the following command:
For UNIX:
OIM_HOME/setup/spml_weblogic.sh appserver_admin_password oim_db_user_password
For Microsoft Windows:
OIM_HOME\setup\spml_weblogic.cmd appserver_admin_password oim_db_user_password
On a clustered Oracle WebLogic Server installation:
Enter the following command on the administrator node:
For UNIX:
OIM_HOME/xellerate/setup/spml_weblogic.sh appserver_admin_password oim_db_user_password
For Microsoft Windows:
OIM_HOME\xellerate\setup\spml_weblogic.cmd appserver_admin_password oim_db_user_password
Perform the procedure described in the "Configuring the Apache Proxy Plug-in" appendix of Oracle Identity Manager Installation and Configuration Guide for Oracle WebLogic Server.
On a nonclustered IBM WebSphere Application Server installation:
Enter the following command:
For UNIX:
OIM_HOME/setup/spml_websphere.sh appserver_admin_password oim_db_user_password
For Microsoft Windows:
OIM_HOME\setup\spml_websphere.cmd appserver_admin_password oim_db_user_password
On a clustered IBM WebSphere Application Server installation:
Enter the following command on the administrator node:
For UNIX:
OIM_HOME/xellerate/setup/spml_websphere.sh appserver_admin_password oim_db_user_password
For Microsoft Windows:
OIM_HOME\xellerate\setup\spml_websphere.cmd appserver_admin_password oim_db_user_password
Regenerate the plugin-cfg.xml
file by performing the procedure described in the "Configuring the IIS Plug-in" section of Oracle Identity Manager Installation and Configuration Guide for IBM WebSphere Application Server.
Note:
Deployment of the SPML Web Service in clustered JBoss Application Server environments is not supported.
On a nonclustered JBoss Application Server installation:
Enter the following command:
For UNIX:
OIM_HOME/xellerate/setup/spml_jboss.sh oim_db_user_password
For Microsoft Windows:
OIM_HOME\xellerate\setup\spml_jboss.cmd oim_db_user_password
On a nonclustered Oracle Application Server installation:
Enter the following command:
For UNIX:
OIM_HOME/setup/spml_oc4j.sh appserver_admin_password oim_db_user_password
For Microsoft Windows:
OIM_HOME\setup\spml_oc4j.cmd appserver_admin_password oim_db_user_password
Enter the following command script:
For UNIX:
OIM_HOME/xellerate/setup/spml_oc4j.sh appserver_admin_password oim_db_user_password
For Microsoft Windows:
OIM_HOME\xellerate\setup\spml_oc4j.cmd appserver_admin_password oim_db_user_password
Open the following file in a text editor:
OC4J_HOME/j2ee/OC4J_instance/config/application.xml
In the <imported-shared-libraries> section of the application.xml file, change <import-shared-library name="apache.commons.logging"/> to <remove-inherited name="apache.commons.logging"/>.
In other words, the <imported-shared-libraries> section must appear as follows:
<imported-shared-libraries>
<import-shared-library name="adf.oracle.domain"/>
<import-shared-library name="oracle.ifs.client"/>
<remove-inherited name="apache.commons.logging"/>
</imported-shared-libraries>
On a clustered Oracle Application Server installation:
Perform the following steps on each node of the cluster:
Enter the following command script:
For UNIX:
OIM_HOME/xellerate/setup/spml_oc4j.sh appserver_admin_password oim_db_user_password
For Microsoft Windows:
OIM_HOME\xellerate\setup\spml_oc4j.cmd appserver_admin_password oim_db_user_password
Open the following file in a text editor:
OC4J_HOME/j2ee/OC4J_instance/config/application.xml
In the <imported-shared-libraries> section of the application.xml file, change <import-shared-library name="apache.commons.logging"/> to <remove-inherited name="apache.commons.logging"/>.
In other words, the <imported-shared-libraries> section must appear as follows:
<imported-shared-libraries>
<import-shared-library name="adf.oracle.domain"/>
<import-shared-library name="oracle.ifs.client"/>
<remove-inherited name="apache.commons.logging"/>
</imported-shared-libraries>
Note:
Perform the procedure described in this section only if you want to secure the SPML Web Service by using Oracle Web Services Manager.
Oracle Web Services Manager (WSM) provides features that ease the installation, configuration, and management of Web services across a wide range of deployment environments.
See Also:
Oracle Web Services Manager Administrator's Guide for detailed information about Oracle WSM
You use Oracle WSM to secure the SPML Web Service. When a request is sent to the SPML Web Service in a SOAP message, it is intercepted by Oracle WSM. The SOAP message contains the Web Services Security (wsse) tag in the SOAP header. This wsse:security tag contains the user credentials that must be authenticated. For securing the SPML Web Service, you can use either the Oracle WSM Server Agent or the Oracle WSM Gateway.
See Also:
- Oracle Web Services Manager Installation Guide for detailed information about installing Oracle WSM
- Oracle Web Services Manager Deployment Guide for detailed information about the Oracle WSM Server Agent and the Oracle WSM Gateway
The Oracle WSM Server Agent or the Oracle WSM Gateway strips off the wsse:security tag from the SOAP message before forwarding the request to the SPML Web Service. You must configure the Oracle WSM Server Agent or the Oracle WSM Gateway to use a custom policy step, which extracts the user credentials from the wsse:security tag and inserts them into a custom header tag of the SOAP header from where the SPML Web Service extracts the credentials.
The following sections describe the configuration steps that you must perform to secure the SPML Web Service by using the Oracle WSM Server Agent or the Oracle WSM Gateway.
Note:
The Oracle WSM Server Agent supports IBM WebSphere Application Server and Oracle Application Server. You can use the Oracle WSM Gateway for all the application servers.
The following steps are required to configure the Oracle WSM Server Agent for securing the SPML Web Service:
Note:
You configure the Oracle WSM Server Agent before deploying the SPML Web Service.
To add a Server Agent:
See Also:
Chapter 6, "Installing Oracle WSM Agents" in Oracle Web Services Manager Deployment Guide for detailed information about adding a server agent
Use the Web Services Manager Control (for example, http://localhost:8888/ccore) to create a server agent, and select the following values from the list:
Component type: Server Agent
Container type: Select OC4J for Oracle Application Server. Select OTHER for IBM WebSphere Application Server.
Select Register. This generates a server agent component with a component ID.
Use the Web Services Manager Control to define the policy that you want to associate with the server agent. The default implementation of the policy is provided at the following location:
OIM_HOME/SPMLWS/OWSMPolicy
See Also:
Chapter 5, "Oracle Web Services Manager Policy Management," in the Oracle Web Services Manager Administrator's Guide for detailed information about defining a policy for a server agent
You must associate a URL pattern with the policy. To do so, select Policy Management, Manage Policies, and then Policies. Then click the Edit Mapping button and enter the following as the URL pattern to associate with the policy:
/spmlws/HttpSoap11
To configure a custom policy, you must add the class file com.oracle.xl.spmlws.ws.security.owsm.CustomPolicyStep, located in OIM_HOME/SPMLWS/OWSMPolicy, to the following file:
ORACLE_HOME/owsm/lib/extlib/coresvagent.jar
After creating the server agent component, you must add your custom step to that component. You can do this by clicking the Steps link for your registered component. Then, select the CustomPolicyStep.xml file from its location and click Upload. This XML file is located at OIM_HOME/SPMLWS/OWSMPolicy/com/oracle/xl/spmlws/ws/security/owsm.
At this stage, your custom policy step name is added to the list of available policies.
Note:
If you create a custom policy, then its class file must be included in the coresvagent.jar file that resides in the Web services EAR file.
Injecting the server agent requires you to perform the following steps:
For Oracle Application Server
To inject the server agent:
Modify the attributes in the ORACLE_HOME/owsm/bin/agent.properties file with the following values:
agent.componentType: ServerAgent
agent.containerType: OC4J
agent.containerVersion: It must be "10.1.3" for Oracle Application Server.
agent.component.id: Enter the component ID that is generated when the agent is created and registered by using Web Services Manager Control.
Edit the following properties in the agent.properties file:
webservice.application.input - Enter the full path and name of the EAR file.
webservice.application.webapp.name - Uncomment and enter the WAR file name, spmlws.war.
Note:
The WAR file is bundled in the OIMSpmlWS.ear file.
webservice.application.contexturi - Enter the context root, /spmlws.
Run the wsmadmin installAgent command.
For IBM WebSphere Application Server
To inject the server agent:
Because the Server Agent for SOA 10.1.3.1 release is supported only for Oracle Application Server, for WebSphere, you must first download the required ZIP file from the following location on Oracle Technology Network:
For UNIX:
http://download.oracle.com/otn/linux/ias/101310/soa_linux_x86_ws_agent101310.zip
For Microsoft Windows:
http://download.oracle.com/otn/nt/ias/101310/soa_windows_x86_ws_agent101310.zip
Extract the contents of the ZIP file to any location (for example, /owsm).
Tip:
See the Readme_Agentinstall.pdf file in the extracted ZIP file for more information about injecting the server agent.
Browse to the bin directory, open the agent.properties file, and set the following properties in the file:
agent.componentType: serveragent
agent.containerType: For example, AXIS, WEBLOGIC, WEBSPHERE, TIBCO-BW, or OC4J
agent.containerVersion: The version of WebSphere on which you are deploying the SPML Web Service.
oc4j.home: /owsm/oc4j (assuming that /owsm is where you extracted the ZIP file)
oc4j.j2ee.home: /owsm/oc4j/j2ee/home (here /owsm is where you extracted the ZIP file)
webservice.application.input: Web application input file name with path location, that is, WAR or EAR file location. For example, /owsm/wars/HelloWorldImpl.war
webservice.application.webapp.name: not applicable if it is a WAR file
webservice.application.contexturi: not applicable if it is a WAR file
agent.component.id: Enter the component ID that is generated when the agent is created and registered by using Oracle Web Services Manager Control.
agent.policymanagerURL: for example, http://hostname:8888/policymanager (provide a system name instead of localhost)
Open the bin/coresv.properties file and set the following properties:
coresv.home=/owsm (assuming /owsm is where you extracted the ZIP file)
ant.home: set to the home directory of the ANT installation
java.home: set to the home directory of the Java installation
lib.dir: /owsm/lib (assuming /owsm is where you extracted the ZIP file)
oc4j.j2ee.home: /owsm/oc4j/j2ee/home (optional if the property is already present)
external.oc4j.home: /owsm/oc4j (optional if the property is already present)
To configure a custom policy, you must add the class file com.oracle.xl.spmlws.ws.security.owsm.CustomPolicyStep, located in OIM_HOME/SPMLWS/OWSMPolicy, to the following file:
/owsm/lib/extlib/coresvagent.jar (assuming /owsm is where you extracted the ZIP file)
In a command window, navigate to the bin directory. Run the injectAgent command. This command injects all the JAR files into the specified WAR or EAR file. (Before running this, set the path to the ant bin directory.)
After you have installed the client agent, deploy the SPML Web Service. For information about how to deploy the SPML Web Service, refer to the "Deploying the SPML Web Service" section.
The following steps are required to deploy the Oracle WSM Gateway for securing the SPML Web Service:
See Also:
Oracle Web Services Manager Quick Start Guide for detailed information about specific configurations of Oracle WSM
To register the Gateway:
Click Add New Component in the Oracle Web Services Manager Control.
On the Add New Component page, enter the following values:
Component Name: for example, MyGateway
Component Type: Gateway (default value)
Container Type: Oracle Web Services Manager (default value)
Component URL: Enter the following: http://fully_qualified_host_name:http_port/gateway
where fully_qualified_host_name is the URL for Oracle WSM, and http_port is the port on which Oracle WSM is hosted
Component Groups: accept the default values for the component groups
Click Register.
Click OK.
To register the SPML Web Service with the Gateway:
From the navigation pane of Oracle Web Services Manager Control, click Policy Management.
Click Register Services.
Click the Services link.
Click Add New Service. The Add New Service page is displayed. On this page, enter the following service details:
Service Name: SPMLService
Service Version: 1.0
Service Description: Processes SPML Requests
WSDL URL: The WSDL location, for example:
http://host:port/spmlws/.../HttpSoap11?wsdl
Click Next. The Configure Messenger Step for New Service page is displayed. On this page, verify that the URL matches the URL you provided on the previous page. Click Finish to accept the default values for the remaining fields.
Click Commit Policy.
Use the Oracle Web Services Manager Control to configure a policy that you want to associate with the Gateway. The default implementation of the policy is at the following location:
OIM_HOME/SPMLWS/OWSMPolicy
See Also:
Chapter 5, "Oracle Web Services Manager Policy Management," in Oracle Web Services Manager Administrator's Guide for more information about defining a policy for a Gateway
The policy extracts user credentials from the WSSE security tags and adds them to the SOAP header in the following custom tag.
<wsa1:OIMUser soap:mustUnderstand="0" xmlns:wsa1="http://xmlns.oracle.com/OIM/provisioning">
  <wsa1:OIMUserId xmlns:wsa1="http://xmlns.oracle.com/OIM/provisioning">user1</wsa1:OIMUserId>
  <wsa1:OIMUserPassword xmlns:wsa1="http://xmlns.oracle.com/OIM/provisioning">password1</wsa1:OIMUserPassword>
</wsa1:OIMUser>
The SPML Web Service interprets and processes this tag.
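The header rewrite the custom policy step performs, shown as an added Python illustration rather than Oracle's CustomPolicyStep code: the WS-Security UsernameToken is read, the wsse:Security block is removed, and the wsa1:OIMUser tag from this page is inserted with mustUnderstand="0"; a third function does what the SPML Web Service does on receipt. The SOAP 1.1 envelope namespace, the WS-Security 1.0 secext namespace, and the sample envelope are assumptions constructed for the example.

```python
"""Rewrite a WS-Security UsernameToken into the wsa1:OIMUser header the SPML Web Service reads."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 (assumption; matches HttpSoap11)
# Assumption: the WS-Security 1.0 secext namespace that the wsse prefix conventionally denotes.
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
OIM_NS = "http://xmlns.oracle.com/OIM/provisioning"     # from the custom tag on this page

# Constructed sample: a UsernameToken in the SOAP header in front of an SPML lookup of Users:3.
SAMPLE_ENVELOPE = f"""<soap:Envelope xmlns:soap="{SOAP_NS}">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1" xmlns:wsse="{WSSE_NS}">
      <wsse:UsernameToken>
        <wsse:Username>user1</wsse:Username>
        <wsse:Password>password1</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <lookupRequest xmlns="urn:oasis:names:tc:SPML:2:0" returnData="everything">
      <psoID ID="Users:3"/>
    </lookupRequest>
  </soap:Body>
</soap:Envelope>"""


def extract_username_token(envelope_text):
    """Return (username, password) from the wsse:Security header, or raise ValueError."""
    root = ET.fromstring(envelope_text)
    ns = {"soap": SOAP_NS, "wsse": WSSE_NS}
    token = root.find("soap:Header/wsse:Security/wsse:UsernameToken", ns)
    if token is None:
        raise ValueError("no wsse:UsernameToken in the SOAP header")
    user = token.findtext("wsse:Username", default="", namespaces=ns)
    pwd = token.findtext("wsse:Password", default="", namespaces=ns)
    if not user or not pwd:
        raise ValueError("UsernameToken is missing Username or Password")
    return user, pwd


def rewrite_header(envelope_text):
    """Strip wsse:Security and insert wsa1:OIMUser, as the agent or gateway does before
    forwarding the request to the SPML Web Service. Returns the rewritten envelope text."""
    user, pwd = extract_username_token(envelope_text)
    ET.register_namespace("soap", SOAP_NS)
    ET.register_namespace("wsa1", OIM_NS)
    root = ET.fromstring(envelope_text)
    header = root.find(f"{{{SOAP_NS}}}Header")
    for security in header.findall(f"{{{WSSE_NS}}}Security"):
        header.remove(security)          # the WSSE block must not reach the service
    oim_user = ET.SubElement(header, f"{{{OIM_NS}}}OIMUser",
                             {f"{{{SOAP_NS}}}mustUnderstand": "0"})
    ET.SubElement(oim_user, f"{{{OIM_NS}}}OIMUserId").text = user
    ET.SubElement(oim_user, f"{{{OIM_NS}}}OIMUserPassword").text = pwd
    return ET.tostring(root, encoding="unicode")


def read_oim_user(envelope_text):
    """What the SPML Web Service does: pull (user, password) back out of wsa1:OIMUser,
    or return None when the custom tag is absent."""
    root = ET.fromstring(envelope_text)
    ns = {"soap": SOAP_NS, "wsa1": OIM_NS}
    node = root.find("soap:Header/wsa1:OIMUser", ns)
    if node is None:
        return None
    return (node.findtext("wsa1:OIMUserId", default="", namespaces=ns),
            node.findtext("wsa1:OIMUserPassword", default="", namespaces=ns))
```

Because wsa1:OIMUser carries the password in clear text, this rewrite only makes sense on the SSL-protected transport described later in this chapter.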
To configure a custom policy, you must add the com.oracle.xl.spmlws.ws.security.owsm.CustomPolicyStep class file, located in OIM_HOME/SPMLWS/OWSMPolicy, to the following file:
ORACLE_HOME/owsm/lib/coresv-4.0.jar
You must include the custom policy step file because the coresv-4.0.jar file contains all the policy-specific class files. Then, restart Oracle Application Server.
After you register the Gateway, you must add a custom step. To add a custom step:
Upload the CustomPolicy.xml file for the custom policy on the Add Step page. This XML file is located at the following path:
OIM_HOME/SPMLWS/OWSMPolicy/com/oracle/xl/spmlws/ws/security/owsm
To open the Add Step page in the Oracle Web Services Manager Control, expand Policy Management, click Manage Policies, Steps, and then Add Step. Select the CustomPolicy.xml file from its location and then click Upload. The name of the custom policy step is added to the list of available policies.
To add the custom policy to the pipeline in the Request block, browse to the Policy page. To open the Policy page, expand Policy Management, click Manage Policies, Policies, and finally click Policy.
The Request block will enforce this configured custom policy for any valid incoming request sent to the SPML Web Service.
After you have installed the client agent, deploy the SPML Web Service. For information about how to deploy the SPML Web Service, refer to the "Deploying the SPML Web Service" section.
To view the Web Service Description Language (WSDL) file for the Web Service:
From the navigation pane of Web Services Manager Control, click Policy Management.
Click Register Services.
To access the Gateway (MyGateway), click Services.
From the list of services, click Edit for the required service.
In the Edit Service page, copy the URL displayed in the Service WSDL URL field.
You use this URL in the SPML client to access the SPML Web Service.
If you are using JBoss Application Server, Oracle WebLogic Server, or IBM WebSphere Application Server, then there are no postdeployment steps to perform.
If you are using IBM WebSphere Application Server 6.1, extract the xlDataObjectBeans.jar file, and copy it into the WEB-INF/lib directory of the SPML Web Service WAR file. You must restart WebSphere after you copy this file.
See Also:
"Extracting xlDataObjectBeans.jar" in Oracle Identity Manager Installation and Configuration Guide for IBM WebSphere Application Server
This section provides information about enabling Secure Sockets Layer (SSL) communication for the SPML Web Service. It is strongly recommended that you perform the instructions given in this section.
Note:
Oracle recommends that you refer to application server-specific SSL configuration documentation for details. This section provides the minimum information required to enable SSL communication for the different application servers on which the SPML Web Service is supported. Although this section provides information for specific releases of the application servers, if you are using a different release, then some steps of the procedure can vary.
The following sections provide information required to enable SSL communication for the SPML Web Service installed on JBoss Application Server 4.2.3 GA.
The following are the prerequisites for enabling SSL communication:
JBoss Application Server is installed and Oracle Identity Manager and the SPML Web Service are deployed on it.
The JBoss Application Server home directory is E:\jboss-4.2.3.GA.
The identity store is jbossserver.jks and the password is welcome.
Certificate request is made for localhost.
The self-signed certificate is named jbossserver.cert.
The private key alias is serverjboss and the password is welcome.
This section discusses the following procedures for setting up SSL:
Tip:
For enhanced protection, Oracle recommends that you create new certificates (either self-signed or CA certificates) and create a separate keystore and truststore for the client and the server with different passwords. Refer to the SSL configuration documentation of the application server for details.
Generating Keys
Generate keys by using the keytool
command. The following keytool command generates an identity keystore jbossserver.jks
:
keytool -genkey -alias serverjboss -keyalg RSA -keysize 1024 -dname "CN=localhost,OU=Identity,O=Oracle,C=US" -keypass welcome -keystore E:\jboss-4.2.3.GA\server\jbossserver.jks -storepass welcome -storetype jks
Signing the Certificates
Use the following keytool command to sign the certificate that was created:
keytool -selfcert -alias serverjboss -sigalg MD5withRSA -validity 2000 -keypass welcome -keystore E:\jboss-4.2.3.GA\server\jbossserver.jks -storepass welcome
Exporting the Certificate
Use the following keytool command to export the certificate from the identity keystore to a file (for example, jbossserver.cert):
keytool -export -alias serverjboss -file E:\jboss-4.2.3.GA\server\jbossserver.cert -keypass welcome -keystore E:\jboss-4.2.3.GA\server\jbossserver.jks -storepass welcome -storetype jks -provider sun.security.provider.Sun
Configuring the server.xml File
Make the following entry in the server.xml file:
<Connector port="8443" address="${jboss.bind.address}"
           maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
           emptySessionPath="true"
           scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="E:\jboss-4.2.3.GA\server\jbossserver.jks" keystorePass="welcome"
           truststoreFile="E:\jboss-4.2.3.GA\server\jbossserver.jks" truststorePass="welcome"/>
After you have performed the preceding steps, restart the server for the changes to take effect.
Note:
You can import the certificate exported in the "Exporting the Certificate" step into the client-side truststore for SSL communication.
The following sections provide information required to enable SSL communication for the SPML Web Service installed on Oracle WebLogic Server.
The following are the prerequisites for enabling SSL communication:
Oracle WebLogic Server is installed.
The WebLogic domain directory is C:\bea\user_projects\domains\oim.
The Oracle WebLogic Server home (WL_HOME) directory is C:\bea\wlserver_10.3.
The identity store is support.jks and the password is support.
The certificate request is made for the xellerate.oracle.com host and for the Oracle Identity Management group.
The self-signed certificate is named supportcert.pem.
The private key alias is support, and the password is weblogic.
The setEnv.cmd or setEnv.sh script has been run to set up PATH, CLASSPATH, and other variables.
This section discusses the following procedures for setting up SSL:
Tip:
For enhanced protection, Oracle recommends that you create new certificates (either self-signed or CA certificates) and create a separate keystore and truststore for the client and the server with different passwords. Refer to the SSL configuration documentation of the application server for details.
Generating Keys
Generate a private/public key pair by using the keytool command. The following command creates the identity keystore (support.jks). Change the parameter values passed to the keytool command according to your requirements. Ensure that there is no line break in the keytool arguments.
keytool -genkey -alias support -keyalg RSA -keysize 1024 -dname "CN=xellerate.oracle.com, OU=Identity, O=Oracle Corporation, L=RedwoodShores, S=California, C=US" -keypass weblogic -keystore C:\bea\user_projects\domains\oim\support.jks -storepass support
Note:
Use the same host name that you would use in the xlconfig.xml file. For example, if you use https://xellerate.oracle.com:7002 and t3s://xellerate.oracle.com:7002 in the xlconfig.xml file, then the value of CN in the keytool command must be xellerate.oracle.com. Oracle recommends that you generate an SSL certificate by using the domain name (for example, xellerate.oracle.com) instead of the IP address.
Signing the Certificates
Use the following command to sign the certificate that you created:
keytool -selfcert -alias support -sigalg MD5withRSA -validity 2000 -keypass weblogic -keystore C:\bea\user_projects\domains\oim\support.jks -storepass support
Note:
Oracle recommends that you use trusted certificate authorities, for example, VeriSign or Thawte, for signing the certificates.
Exporting the Certificate
Use the following command to export the certificate from the identity keystore to a file, for example, supportcert.pem:
keytool -export -alias support -file C:\bea\user_projects\domains\oim\supportcert.pem -keypass weblogic -keystore C:\bea\user_projects\domains\oim\support.jks -storepass support
Configuring the Oracle WebLogic Server
To configure the Oracle WebLogic Server:
In the WebLogic Server Administration Console, click Environment, Servers, Server_Name, Configuration, and then General.
Click Lock & Edit.
Select SSL listen port enabled. The default port is 7002.
Click the Keystores tab.
From the Keystore list, select Custom Identity and Java Standard Trust.
In the Custom Identity Keystore field, specify C:\bea\user_projects\domains\oim\support.jks as the custom identity keystore file name.
Specify JKS as the custom identity keystore type.
Enter the password in the Custom Identity Keystore Passphrase and Confirm Custom Identity Keystore Passphrase fields.
Click Save.
Click the SSL tab.
Enter support as the private key alias.
Enter the password (for example, support) in the Private Key Passphrase and Confirm Private Key Passphrase fields.
Click Save.
Click Activate changes.
Restart the server for the changes to take effect.
Note:
You can import the certificate exported in the "Exporting the Certificate" step into the client-side truststore for SSL communication.
Import the certificate into the SPML client truststore by using the following keytool command (adjust the -file argument to the location of the certificate you exported):
keytool -import -alias serverwl -trustcacerts -file D:\bea\user_projects\domains\mydomain\wlservercert.pem -keystore <client-trust store> -storepass <client-trust-store password>
The following sections provide information required to enable SSL communication for the SPML Web Service installed on IBM WebSphere Application Server.
The following are the prerequisites for enabling SSL communication:
IBM WebSphere Application Server is installed and Oracle Identity Manager and the SPML Web Service are deployed on it.
After configuring IBM WebSphere Application Server and deploying the SPML Web Service with Oracle Identity Manager, you can access the application by using SSL and non-SSL ports.
To access the application securely by using SSL, you use port number 9443 or WC_defaulthost_secure. Consider the following example:
https://localhost:9443/spmlws/HttpSoap11
The default identity store is key.p12, and the password is WebAS.
The default truststore is trust.p12, and the password is WebAS.
Note:
For SSL communication, export the default certificate from key.p12.
The steps in this section enable you to do the following:
Exporting Certificate to a File
IBM WebSphere Application Server uses the IBM WebSphere default keystore (key.p12) and its default certificate. You must export this default certificate to a file. You can use the following keytool command to achieve this:
IBM_JDK_HOME/jre/bin/keytool -export -alias default -file <Exported Certificate file> -keypass WebAS -keystore FULL_PATH_OF_IBM_WEBSPHERE "key.p12" -storepass WebAS -storetype pkcs12 -provider com.ibm.crypto.provider.IBMJCE
In the preceding command, replace the following to point to the appropriate locations:
The full path of the IBM WebSphere Application Server key.p12 file, which is the default IBM keystore
IBM_JDK_HOME, which is the IBM WebSphere Application Server Java folder
The location for the exported certificate
Importing the Certificate File
Use the following keytool command to import the certificate file to the SPML Web Service client truststore:
keytool -import -alias serverws -trustcacerts -file <Exported Certificate file> -keystore E:\SPMLTest\mykeystore -storepass mypass -storetype jks
Tip:
For enhanced protection, Oracle recommends that you create new certificates (either self-signed or CA certificates) and create a separate keystore and truststore for the client and the server with different passwords. Refer to the SSL configuration documentation of the application server for details.
The following sections provide information required to enable SSL communication for the SPML Web Service installed on Oracle Application Server.
The following are the prerequisites for enabling SSL communication:
Oracle Application Server is installed, and Oracle Identity Manager and the SPML Web Service are deployed on it.
The Oracle Application Server 10.1.3 installation directory is E:\product\10.1.3.1\OracleAS_1.
The identity store is oc4jserver.jks, and the password is welcome.
The certificate request is made for localhost.
The self-signed certificate is named oc4jserver.cert.
The private key alias is serveroc4j, and the password is welcome.
The steps in this section enable you to do the following:
Tip:
For enhanced protection, Oracle recommends that you create new certificates (either self-signed or CA certificates) and create a separate keystore and truststore for the client and the server with different passwords. Refer to the SSL configuration documentation of the application server for details.
Generating Keys
Generate keys by using the keytool command. The following keytool command creates the identity keystore oc4jserver.jks:
keytool -genkey -alias serveroc4j -keyalg RSA -keysize 1024 -dname "CN=localhost,OU=Identity,O=Oracle,C=US" -keypass welcome -keystore E:\product\10.1.3.1\OracleAS_1\oc4jserver.jks -storepass welcome -storetype jks
Signing the Certificates
Use the following keytool command to sign the certificates you created:
keytool -selfcert -alias serveroc4j -sigalg MD5withRSA -validity 2000 -keypass welcome -keystore E:\product\10.1.3.1\OracleAS_1\oc4jserver.jks -storepass welcome
Exporting the Certificate
Use the following keytool command to export the certificate from the identity keystore to a file:
keytool -export -alias serveroc4j -file E:\product\10.1.3.1\OracleAS_1\oc4jserver.cert -keypass welcome -keystore E:\product\10.1.3.1\OracleAS_1\oc4jserver.jks -storepass welcome -storetype jks -provider sun.security.provider.Sun
Configuring Oracle Application Server
To configure Oracle Application Server:
Make a copy of the E:\product\10.1.3.1\OracleAS_1\j2ee\home\config\default-web-site.xml file at the same location, and rename the copy to secure-web-site.xml.
In the secure-web-site.xml file, modify the following attributes of the web-site element:
port="4443"
secure="true"
protocol="https"
For example:
<web-site xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://xmlns.oracle.com/oracleas/schema/web-site-10_0.xsd" port="4443" secure="true" protocol="https" display-name="OC4J 10g (10.1.3) Default Web Site" schema-major-version="10" schema-minor-version="0">
In the same file, under the web-site node, add a new ssl-config element that points to the keystore, as shown in the following example:
<ssl-config keystore="E:/product/10.1.3.1/OracleAS_1/oc4jserver.jks" keystore-password="welcome" />
In the E:\product\10.1.3.1\OracleAS_1\j2ee\home\config\server.xml file, add the following entry:
<web-site path="./secure-web-site.xml"/>
In the E:\product\10.1.3.1\OracleAS_1\opmn\conf\opmn.xml file, add the following port element under <ias-component id="default_group">:
<port id="secure-web-site" range="4443" protocol="https"/>
In the opmn.xml file, append the following system properties to the value attribute of the <data id="java-options" value="-Xrs"> element under <ias-component id="default_group">, so that the element reads as follows:
<data id="java-options" value="-Xrs -Djavax.net.ssl.trustStore=E:\product\10.1.3.1\OracleAS_1\oc4jserver.jks -Djavax.net.ssl.trustStorePassword=welcome -Djavax.net.ssl.keyStore=E:\product\10.1.3.1\OracleAS_1\oc4jserver.jks -Djavax.net.ssl.keyStorePassword=welcome"/>
Restart the server for the changes to take effect.
The following sections provide information about enabling SSL for HTTP communication to Oracle HTTP Server.
By default, the Oracle HTTP Server is configured with SSL and with the SSL certificate store, which is located at ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default/. The listen parameter in the ORACLE_HOME/Apache/Apache/conf/ssl.conf file points to the SSL port being used by the Oracle HTTP Server.
You do not need to make any configuration change to use the default certificate store that comes with the installation.
Tip:
For enhanced protection, Oracle recommends that you create new certificates (either self-signed or CA certificates) and create a separate keystore and truststore for the client and the server with different passwords. Refer to the SSL configuration documentation of the application server for details.
You must export the certificate from the default Oracle wallet ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default/ewallet.p12. This certificate is used for the Design Console to trust Oracle Application Server. To export the certificate:
Open the ORACLE_HOME/Apache/Apache/conf/ssl.wlt/default/ewallet.p12 file by using the Oracle Wallet Manager Console. To do so, click Open Wallet and browse to the location of the wallet.
When prompted, enter the store password as welcome.
Right-click Certificate (Ready), and click Export User Certificate.
Save the file as server.cert.
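Each of the SSL procedures above ends with a certificate exported from the server (jbossserver.cert, supportcert.pem, the WebSphere default certificate, oc4jserver.cert, or server.cert) that the SPML client must trust. The page's sample client is Java and uses a keytool truststore; the following is an added example, not part of the page or of the Oracle sample client, that shows the equivalent client-side trust decision in Python's ssl module. It assumes the exported file is either DER (what keytool -export writes unless -rfc is given) or PEM (what -rfc and Oracle Wallet Manager's export produce); the host, port and path used in the usage comment are the values from the examples on this page, not fixed properties of the service.

```python
"""Client-side trust for the server certificate exported in the SSL procedures above.

Added example in Python: the page's own sample client is Java and uses a keytool
truststore instead. Assumes the exported certificate is DER or PEM (see lead-in).
"""
import http.client
import ssl


def detect_certificate_format(data):
    """keytool -export writes DER unless -rfc is given; -rfc and Oracle Wallet Manager write PEM."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return "PEM"
    if data[:1] == b"\x30":  # the DER SEQUENCE tag that opens every X.509 certificate
        return "DER"
    raise ValueError("file is neither a PEM nor a DER certificate")


def make_strict_context():
    """A client context that trusts nothing yet.

    PROTOCOL_TLS_CLIENT turns on hostname checking and CERT_REQUIRED by default and,
    unlike create_default_context(), does not load the system CA bundle, so the only
    certificate the connection will accept is the one added below.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def trust_exported_certificate(ctx, data):
    """Add the exported server certificate as the sole trust anchor; returns the format loaded."""
    fmt = detect_certificate_format(data)
    # cadata accepts PEM as str or DER as bytes, so no conversion through keytool is needed.
    ctx.load_verify_locations(cadata=data.decode("ascii") if fmt == "PEM" else data)
    return fmt


def context_is_strict(ctx):
    """True when the context both verifies the chain and checks the CN/SAN against the host."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def open_spml_connection(host, port, cert_path):
    """HTTPS connection to the SPML Web Service that accepts only the exported certificate.

    The host must match the CN the certificate was requested for (localhost or
    xellerate.oracle.com in the procedures above), or hostname checking fails.
    """
    with open(cert_path, "rb") as f:
        data = f.read()
    ctx = make_strict_context()
    trust_exported_certificate(ctx, data)
    return http.client.HTTPSConnection(host, port, context=ctx)


if __name__ == "__main__":
    # Usage with the JBoss values from this page; the path is the one shown in the
    # WebSphere example and may differ on other servers (assumption).
    conn = open_spml_connection("localhost", 8443, "jbossserver.cert")
    print("context strict:", context_is_strict(conn._context))
```

Because the context never loads the system CA bundle, a certificate presented by any other server, including one signed by a public CA, is rejected; that is the intended behaviour for a client that should talk only to this SPML endpoint. Note that a certificate signed with -sigalg MD5withRSA, as in the keytool commands on this page, is rejected by current OpenSSL and Java builds, so regenerate with -sigalg SHA256withRSA when you create the new certificates the tips above recommend.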
See Also:
The "Secure Sockets Layer" section in Oracle Application Server Administrator's Guide for more information about Oracle Wallet Manager
This section provides information and guidelines that you can apply while creating a client for the SPML Web Service.
Note:
In this chapter, the client for the SPML Web Service is referred to as the SPML client.
To develop an SPML client, you must refer to the WSDL file for each application server for which you develop the client. The WSDL files for each application server are in the OIM_HOME/SPMLWS/SampleHttpClient/wsdl directory.
The code files for a sample SPML client are available at the following location:
OIM_HOME/SPMLWS/SampleHttpClient
To keep sample code easy to understand, this SPML client uses an HTTP connection to the SPML Web Service instead of an HTTP/S connection.
This sample SPML client refers to XML files containing the SOAP requests and performs an HTTP post to the SPML Web Service.
A set of sample SOAP requests is shipped along with this release of Oracle Identity Manager. The following is the format of the path at which you can access the files for these sample SOAP requests:
SampleHttpClient/sampleRequests/Application Server
The sampleRequests directory contains separate SOAP requests for each of the supported application servers.
Note:
As mentioned earlier, the SPML Web Service supports requests in UTF-8 encoding only. Therefore, Oracle recommends that you pass SPML requests over HTTP by specifying the charset as UTF-8 in the content-type header in any client implementation. Refer to the implementation of the sendSOAPRequest function in the sample client provided in the OIM_HOME/SPMLWS/SampleSPMLClient/src/testspml/HttpConnect.java file. In addition, you must serialize the data into a byte[] before sending the request. The main function in the SendSPMLRequest.java file can copy files directly into a byte[] and then send it over the HTTP connection.
The following sections provide information that you can apply while developing the SPML client:
As mentioned earlier, the SPML Web Service supports the following operations:
Add operations
Modify operations
You must ensure that the psoID is included in the SPML request for the modify operations.
Delete operations
You must ensure that the psoID is included in the SPML request for the delete operations.
Add, Replace, or Delete references
Lookup operations
Search operations
Password operations
You must ensure that the psoID is included in the SPML request for the password operations.
Suspend, Resume, or Active User operations
The suspend capability includes the suspendRequest, resumeRequest, and activeUser operations. You must ensure that the psoID is included in the SPML request for the resumeRequest and activeUser operations.
ListTargets operations
Note:
For more information about psoID, refer to the "Provisioning Operations Supported by the SPML Web Service" section.
The SPML client must be authenticated for each SPML request sent. This ensures that unauthorized users cannot use the SPML Web Service.
The SPML client is authenticated by sending the user credentials to the Web Service in the SOAP header. This can be done in one of the following ways:
The credentials are provided as header information in a custom tag.
Oracle WSM is configured to secure the SPML Web Service. In this case, the credentials are sent in standard WSSE tags. A default policy implementation processes these credentials. The default policy file, which is packaged along with the product, is located at the following path:
OIM_HOME/SPMLWS/OWSMPolicy
Note:
For details about configuring Oracle WSM with the SPML Web Service, refer to the "Enabling Security by Using Oracle Web Services Manager and Then Deploying the SPML Web Service" section.
Table 12-1 lists the mandatory and nonmandatory fields that can be included in SPML requests.
Note:
In the following table, certain rows list psoID in the Mandatory Fields column. These requests do not require any Oracle Identity Manager attributes.
Table 12-1 Mandatory and Nonmandatory Fields Included in SPML Requests
SPML Request | Mandatory Fields | Nonmandatory Fields |
---|---|---|
addRequest for User | Users.User ID, Users.First Name, Users.Last Name, Organizations.Organization Name, Users.Xellerate Type, Users.Role, Users.Password | The rest of the OIM User fields pertaining to the creation of users are nonmandatory. |
addRequest for Group | Groups.Group Name | The rest of the OIM User fields pertaining to the creation of groups are nonmandatory. |
addRequest for Organization | Organizations.Organization Name | Organizations.Type, Organizations.Parent Name |
deleteRequest for User | psoID ID="Users:7" | |
deleteRequest for Group | psoID ID="Groups:7" | |
deleteRequest for Organization | psoID ID="Organizations:9" | |
modifyRequest for User | psoID ID="Users:5"; one or more modification elements, each corresponding to an attribute to be modified | |
modifyRequest for Group | psoID ID="Groups:5"; one or more modification elements, each corresponding to an attribute to be modified | |
modifyRequest for Organization | psoID ID="Organizations:3"; one or more modification elements, each corresponding to an attribute to be modified | |
lookupRequest for User | psoID ID="Users:7" | |
lookupRequest for Group | psoID ID="Groups:7" | |
lookupRequest for Organization | psoID ID="Organizations:9" | |
suspendRequest for User | psoID ID="Users:7" | |
resumeRequest for User | psoID ID="Users:7" | |
activeRequest for User | psoID ID="Users:7" | |
setPasswordRequest for User | psoID ID="Users:7" | |
resetPasswordRequest for User | psoID ID="Users:7" | |
searchRequest for User | The For example: A set of Note: The objectclass information is sent as a part of one of the filters to specify to the SPML Web Service the container on which the search must be performed. For example: <dsml:filter><dsml:equalityMatch name="Object Class"><dsml:values>Users</dsml:values></dsml:equalityMatch></dsml:filter> | |
searchRequest for Group | The A set of Note: The objectclass information is sent as a part of one of the filters to specify to the SPML Web Service the container on which the search must be performed. For example: <dsml:filter><dsml:equalityMatch name="Object Class"><dsml:values>Groups</dsml:values></dsml:equalityMatch></dsml:filter> | |
searchRequest for Organization | The A set of Note: The objectclass information is sent as a part of one of the filters to specify to the SPML Web Service the container on which the search must be performed. For example: <dsml:filter><dsml:equalityMatch name="Object Class"><dsml:values>Organizations</dsml:values></dsml:equalityMatch></dsml:filter> | |
listTargetRequest | None | |
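A client that validates a request against Table 12-1 before sending it gets a clear local error instead of a SOAP fault from the service. The following is an added example, not code from the page or from Oracle's sample client, that applies the table's rules: the mandatory attributes for addRequest by objectclass, the psoID requirement for the modify, delete, lookup, suspend, resume, active and password requests, at least one modification element for modifyRequest, and the Object Class filter for searchRequest. It assumes the psoID takes the Container:number form the table shows (Users:7, Groups:5, Organizations:9); the sample envelopes at the bottom are constructed for the demonstration, with the user1/password1 header values from the page's samples.

```python
"""Pre-flight validation of an SPML request against the mandatory fields in Table 12-1.

Added example (not the page's or Oracle's sample code). Assumes psoID values use the
Container:number form shown in the table.
"""
import xml.etree.ElementTree as ET

SPML_NS = "urn:oasis:names:tc:SPML:2:0"
DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"

# Mandatory attributes for addRequest, keyed by the objectclass value (Table 12-1).
ADD_MANDATORY = {
    "Users": {"Users.User ID", "Users.First Name", "Users.Last Name",
              "Organizations.Organization Name", "Users.Xellerate Type",
              "Users.Role", "Users.Password"},
    "Groups": {"Groups.Group Name"},
    "Organizations": {"Organizations.Organization Name"},
}
CONTAINERS = set(ADD_MANDATORY)  # valid psoID prefixes: Users, Groups, Organizations

# Requests whose mandatory field is a psoID (Table 12-1).
PSOID_REQUESTS = {"deleteRequest", "modifyRequest", "lookupRequest", "suspendRequest",
                  "resumeRequest", "activeRequest", "setPasswordRequest",
                  "resetPasswordRequest"}


def local_name(tag):
    """Strip the '{namespace}' prefix that ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def find_request(root):
    """Return the first *Request element inside the SOAP Body, or None."""
    body = next((e for e in root.iter() if local_name(e.tag) == "Body"), None)
    if body is None:
        return None
    return next((e for e in body.iter() if local_name(e.tag).endswith("Request")), None)


def validate_spml_request(envelope):
    """Return a list of problems; an empty list means the Table 12-1 checks pass."""
    req = find_request(ET.fromstring(envelope))
    if req is None:
        return ["no SPML request element found in the SOAP body"]
    kind = local_name(req.tag)
    problems = []
    if kind == "addRequest":
        attrs = {}
        for node in req.iter():
            if local_name(node.tag) == "attr":
                attrs[node.get("name")] = [v.text for v in node if local_name(v.tag) == "value"]
        objectclass = (attrs.get("objectclass") or [None])[0]
        required = ADD_MANDATORY.get(objectclass)
        if required is None:
            problems.append("addRequest needs an objectclass of Users, Groups or Organizations")
        else:
            for name in sorted(required - set(attrs)):
                problems.append("missing mandatory attribute " + name)
    elif kind in PSOID_REQUESTS:
        pso = next((e for e in req.iter() if local_name(e.tag) == "psoID"), None)
        container, _, number = ((pso.get("ID") if pso is not None else None) or "").partition(":")
        if container not in CONTAINERS or not number:
            problems.append(kind + ' requires psoID ID="Container:number" (Users, Groups or Organizations)')
        if kind == "modifyRequest" and not any(local_name(e.tag) == "modification" for e in req.iter()):
            problems.append("modifyRequest requires at least one modification element")
    elif kind == "searchRequest":
        if not any(local_name(e.tag) == "equalityMatch" and e.get("name") == "Object Class"
                   for e in req.iter()):
            problems.append("searchRequest requires an Object Class equalityMatch filter")
    elif kind not in ("listTargetsRequest", "listTargetRequest"):
        problems.append("unsupported request type " + kind)
    return problems


# Constructed sample envelopes (header values follow the page's samples; not real credentials).
HEADER = ('<soapenv:Header><wsa1:OIMUser xmlns:wsa1="http://xmlns.oracle.com/OIM/provisioning">'
          '<wsa1:OIMUserId>user1</wsa1:OIMUserId><wsa1:OIMUserPassword>password1</wsa1:OIMUserPassword>'
          '</wsa1:OIMUser></soapenv:Header>')


def envelope(body):
    return ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">' + HEADER
            + '<soapenv:Body><SPMLv2Document xmlns="http://xmlns.oracle.com/OIM/provisioning">' + body
            + '</SPMLv2Document></soapenv:Body></soapenv:Envelope>')


def dsml_attr(name, value):
    return '<dsml:attr name="%s"><dsml:value>%s</dsml:value></dsml:attr>' % (name, value)


ADD_USER_OK = envelope(
    '<addRequest returnData="everything" xmlns="%s" xmlns:dsml="%s"><data>' % (SPML_NS, DSML_NS)
    + dsml_attr("objectclass", "Users") + dsml_attr("Users.User ID", "jdoe")
    + dsml_attr("Users.First Name", "John") + dsml_attr("Users.Last Name", "Doe")
    + dsml_attr("Organizations.Organization Name", "Xellerate Users")
    + dsml_attr("Users.Xellerate Type", "End-User") + dsml_attr("Users.Role", "Full-Time")
    + dsml_attr("Users.Password", "welcome") + "</data></addRequest>")
ADD_USER_NO_PASSWORD = ADD_USER_OK.replace(dsml_attr("Users.Password", "welcome"), "")
MODIFY_NO_PSOID = envelope(
    '<modifyRequest xmlns="%s" xmlns:dsml="%s"><modification modificationMode="replace">'
    '<dsml:modification name="Users.First Name" operation="replace"><dsml:value>Jon</dsml:value>'
    '</dsml:modification></modification></modifyRequest>' % (SPML_NS, DSML_NS))
DELETE_GROUP_OK = envelope('<deleteRequest xmlns="%s"><psoID ID="Groups:7"/></deleteRequest>' % SPML_NS)

if __name__ == "__main__":
    for label, sample in [("add ok", ADD_USER_OK), ("add no password", ADD_USER_NO_PASSWORD),
                          ("modify no psoID", MODIFY_NO_PSOID), ("delete ok", DELETE_GROUP_OK)]:
        print(label, "->", validate_spml_request(sample) or "passes")
```

Matching on local names rather than full qualified names keeps the check working whether a request declares the SPML and DSML namespaces as defaults or with prefixes, which differs between the sample request files shipped for each application server.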
The SPML Web Service requires Oracle Identity Manager credentials, which must be provided in the SOAP header depending on whether Oracle WSM is used for securing SPML. This information is explained in the following sections.
Using Custom Security Tags
The custom security tags (wsa1:OIMUser) can be used in a SOAP header to embed Oracle Identity Manager credentials when the SOAP request is sent directly to the SPML Web Service. The SPML Web Service interprets these tags, and server-side handlers extract the credential information, as illustrated in the following sample SOAP header:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <wsa1:OIMUser soapenv:actor="http://schemas.xmlsoap.org/soap/actor/next"
                  soapenv:mustUnderstand="0"
                  xmlns:wsa1="http://xmlns.oracle.com/OIM/provisioning">
      <wsa1:OIMUserPassword>password1</wsa1:OIMUserPassword>
      <wsa1:OIMUserId>user1</wsa1:OIMUserId>
    </wsa1:OIMUser>
  </soapenv:Header>
  ……………………
</soapenv:Envelope>
Using WSSE Security Tags
If the Oracle WSM Gateway or Agent is used for securing the SPML Web Service, then the SPML SOAP message is intercepted by that Gateway or Agent. In this case, Oracle Identity Manager credentials are provided in standard wsse security tags, as illustrated in the following sample:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken>
        <wsse:Username>user1</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password1</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  ……………………
</soapenv:Envelope>
wsa1:lang tag
In addition to Oracle Identity Manager credential information, the SPML client can also send locale information to the SPML Web Service in the SOAP header by using the wsa1:lang tag. These tags are then processed by the SPML Web Service. If Oracle Web Services Manager is configured, then the SPML Web Service ignores this tag. In this situation, the header information is as follows:
For custom tags:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <wsa1:OIMUser soapenv:actor="http://schemas.xmlsoap.org/soap/actor/next"
                  soapenv:mustUnderstand="0"
                  xmlns:wsa1="http://xmlns.oracle.com/OIM/provisioning">
      <wsa1:OIMUserPassword>password1</wsa1:OIMUserPassword>
      <wsa1:OIMUserId>user1</wsa1:OIMUserId>
    </wsa1:OIMUser>
    <wsa1:lang soapenv:actor="http://schemas.xmlsoap.org/soap/actor/next"
               soapenv:mustUnderstand="0"
               xmlns:wsa1="http://xmlns.oracle.com/OIM/provisioning">
      <wsa1:language>en</wsa1:language>
      <wsa1:sublanguage>US</wsa1:sublanguage>
    </wsa1:lang>
  </soapenv:Header>
  ……………………
</soapenv:Envelope>
For WSSE tags:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken>
        <wsse:Username>user1</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password1</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
    <wsa1:lang soapenv:actor="http://schemas.xmlsoap.org/soap/actor/next"
               soapenv:mustUnderstand="0"
               xmlns:wsa1="http://xmlns.oracle.com/OIM/provisioning">
      <wsa1:language>en</wsa1:language>
      <wsa1:sublanguage>US</wsa1:sublanguage>
    </wsa1:lang>
  </soapenv:Header>
  ……………………
</soapenv:Envelope>
The following sample SOAP SPML message is an Add Request operation for the SPML Web Service on Oracle Application Server:
With custom security tags:
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsa1:OIMUser soap:mustUnderstand="0" xmlns:wsa1="http://xmlns.oracle.com/OIM/provisioning">
      <wsa1:OIMUserId xmlns:wsa1="http://xmlns.oracle.com/OIM/provisioning">user1</wsa1:OIMUserId>
      <wsa1:OIMUserPassword xmlns:wsa1="http://xmlns.oracle.com/OIM/provisioning">password1</wsa1:OIMUserPassword>
    </wsa1:OIMUser>
  </soap:Header>
  <soap:Body>
    <SPMLv2Document xmlns="http://xmlns.oracle.com/OIM/provisioning">
      <addRequest returnData="everything" xmlns="urn:oasis:names:tc:SPML:2:0" xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core">
        <data>
          <dsml:attr name="objectclass">
            <dsml:value>Users</dsml:value>
          </dsml:attr>
          <dsml:attr name="Users.User ID">
            <dsml:value>John Doe</dsml:value>
          </dsml:attr>
          <dsml:attr name="Users.First Name">
            <dsml:value>John</dsml:value>
          </dsml:attr>
          <dsml:attr name="Users.Last Name">
            <dsml:value>Doe</dsml:value>
          </dsml:attr>
          <dsml:attr name="Organizations.Organization Name">
            <dsml:value>Xellerate Users</dsml:value>
          </dsml:attr>
          <dsml:attr name="Users.Xellerate Type">
            <dsml:value>End-User</dsml:value>
          </dsml:attr>
          <dsml:attr name="Users.Role">
            <dsml:value>Full-Time</dsml:value>
          </dsml:attr>
          <dsml:attr name="Users.Password">
            <dsml:value>welcome</dsml:value>
          </dsml:attr>
        </data>
      </addRequest>
    </SPMLv2Document>
  </soap:Body>
</soap:Envelope>
With WSSE security tags:
<?xml version="1.0" encoding="utf-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken>
        <wsse:Username>user1</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password1</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    <SPMLv2Document xmlns="http://xmlns.oracle.com/OIM/provisioning">
      <addRequest returnData="everything" xmlns="urn:oasis:names:tc:SPML:2:0" xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core">
        <data>
          <dsml:attr name="objectclass">
            <dsml:value>Users</dsml:value>
          </dsml:attr>
          <dsml:attr name="Users.User ID">
            <dsml:value>John Doe</dsml:value>
          </dsml:attr>
          <dsml:attr name="Users.First Name">
            <dsml:value>John</dsml:value>
          </dsml:attr>
          <dsml:attr name="Users.Last Name">
            <dsml:value>Doe</dsml:value>
          </dsml:attr>
          <dsml:attr name="Organizations.Organization Name">
            <dsml:value>Xellerate Users</dsml:value>
          </dsml:attr>
          <dsml:attr name="Users.Xellerate Type">
            <dsml:value>End-User</dsml:value>
          </dsml:attr>
          <dsml:attr name="Users.Role">
            <dsml:value>Full-Time</dsml:value>
          </dsml:attr>
          <dsml:attr name="Users.Password">
            <dsml:value>welcome</dsml:value>
          </dsml:attr>
        </data>
      </addRequest>
    </SPMLv2Document>
  </soapenv:Body>
</soapenv:Envelope>
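The two header styles above, the wsa1:lang tag, and the earlier note that the service accepts UTF-8 only and expects the request serialized into a byte[] are easier to get right when the envelope is built from a tree rather than pasted as text. The following is an added example, not the page's or Oracle's sample client, that builds the same Add Request with either the custom wsa1:OIMUser header or the WSSE UsernameToken, optionally adds wsa1:lang, serializes it as UTF-8 bytes, and posts it with the charset declared in Content-Type. The SOAPAction value is an assumption to be taken from the WSDL for your server; the sample user is constructed, with a non-ASCII first name so the UTF-8 path is exercised.

```python
"""Build a SOAP/SPML Add Request with OIM credentials in the header and send it as UTF-8.

Added example (not the page's or Oracle's sample client). The SOAPAction value is an
assumption; read the correct one from the WSDL for your application server.
"""
import http.client
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
OIM_NS = "http://xmlns.oracle.com/OIM/provisioning"
SPML_NS = "urn:oasis:names:tc:SPML:2:0"
DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
PASSWORD_TEXT = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-username-token-profile-1.0#PasswordText")
for prefix, uri in [("soapenv", SOAP_NS), ("wsa1", OIM_NS), ("spml", SPML_NS),
                    ("dsml", DSML_NS), ("wsse", WSSE_NS)]:
    ET.register_namespace(prefix, uri)


def build_envelope(request_element, user, password, security="custom", lang=None):
    """Wrap an SPML request in a SOAP envelope with credentials in the header.

    security="custom": wsa1:OIMUser tags, read by the SPML Web Service itself.
    security="wsse":   WS-Security UsernameToken, for an Oracle WSM gateway or agent.
    lang: optional (language, sublanguage) pair sent in wsa1:lang (ignored when WSM is used).
    """
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    if security == "custom":
        oim = ET.SubElement(header, f"{{{OIM_NS}}}OIMUser", {f"{{{SOAP_NS}}}mustUnderstand": "0"})
        ET.SubElement(oim, f"{{{OIM_NS}}}OIMUserId").text = user
        ET.SubElement(oim, f"{{{OIM_NS}}}OIMUserPassword").text = password
    elif security == "wsse":
        token = ET.SubElement(ET.SubElement(header, f"{{{WSSE_NS}}}Security"),
                              f"{{{WSSE_NS}}}UsernameToken")
        ET.SubElement(token, f"{{{WSSE_NS}}}Username").text = user
        ET.SubElement(token, f"{{{WSSE_NS}}}Password", {"Type": PASSWORD_TEXT}).text = password
    else:
        raise ValueError("security must be 'custom' or 'wsse'")
    if lang is not None:
        lang_el = ET.SubElement(header, f"{{{OIM_NS}}}lang", {f"{{{SOAP_NS}}}mustUnderstand": "0"})
        ET.SubElement(lang_el, f"{{{OIM_NS}}}language").text = lang[0]
        ET.SubElement(lang_el, f"{{{OIM_NS}}}sublanguage").text = lang[1]
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    ET.SubElement(body, f"{{{OIM_NS}}}SPMLv2Document").append(request_element)
    return env


def add_user_request(attributes):
    """Build an addRequest for objectclass Users from a {attribute name: value} mapping."""
    req = ET.Element(f"{{{SPML_NS}}}addRequest", {"returnData": "everything"})
    data = ET.SubElement(req, f"{{{SPML_NS}}}data")
    for name, value in {"objectclass": "Users", **attributes}.items():
        attr = ET.SubElement(data, f"{{{DSML_NS}}}attr", {"name": name})
        ET.SubElement(attr, f"{{{DSML_NS}}}value").text = value
    return req


def serialize(envelope_element):
    """The byte[] the service expects: UTF-8 with an XML declaration, non-ASCII kept as UTF-8."""
    return ET.tostring(envelope_element, encoding="utf-8", xml_declaration=True)


def header_elements(payload):
    """Parse serialized bytes back and list the header children (a round-trip check)."""
    header = ET.fromstring(payload).find(f"{{{SOAP_NS}}}Header")
    return [child.tag.rsplit("}", 1)[-1] for child in header]


def send_spml_request(host, port, path, payload, ssl_context=None):
    """POST the UTF-8 payload with the charset declared; returns (status, response bytes)."""
    conn = (http.client.HTTPSConnection(host, port, context=ssl_context) if ssl_context
            else http.client.HTTPConnection(host, port))
    conn.request("POST", path, body=payload,
                 headers={"Content-Type": "text/xml; charset=UTF-8", "SOAPAction": '""'})
    resp = conn.getresponse()
    return resp.status, resp.read()


SAMPLE_USER = {  # constructed sample; the non-ASCII first name exercises the UTF-8 path
    "Users.User ID": "zdoe", "Users.First Name": "Zoë", "Users.Last Name": "Doe",
    "Organizations.Organization Name": "Xellerate Users", "Users.Xellerate Type": "End-User",
    "Users.Role": "Full-Time", "Users.Password": "welcome",
}

if __name__ == "__main__":
    payload = serialize(build_envelope(add_user_request(SAMPLE_USER), "user1", "password1",
                                       security="wsse", lang=("en", "US")))
    print(payload.decode("utf-8"))
    # Plain HTTP like the shipped sample client; pass an ssl_context for HTTPS in production.
    # print(send_spml_request("localhost", 8080, "/spmlws/HttpSoap11", payload))
```

Building the header from a tree also keeps the credential values escaped correctly, so a password containing < or & cannot break the envelope or land in a different element than intended.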