|Oracle® Fusion Middleware Developer's Guide for Oracle Identity Manager
11g Release 1 (11.1.1)
Part Number E14309-08
|PDF · Mobi · ePub|
This chapter introduces generic technology connectors and the features that Oracle Identity Manager provides for working with generic technology connectors.
This chapter contains the following sections:
Predefined Oracle Identity Manager connectors are designed for commonly used target systems such as Microsoft Active Directory and PeopleSoft Enterprise Applications. A predefined connector is developed using the Adapter Factory approach, and its architecture is based on either the APIs that the target system supports or the data repository type and schema in which the target system stores user data.
Since they are developed using the Adapter Factory, predefined connectors offer extensive workflow and adapter customization capabilities. The use of a predefined connector is the recommended integration method when such a connector is available for the target system.
There may be scenarios in which you want to integrate Oracle Identity Manager with a target system that has no corresponding predefined connector. The following are examples of such scenarios:
Scenario 1: All employees of Acme Inc. are allotted disk space on a backup server. Employees send requests to the system administrator for managing their accounts on the backup server. The system administrator has developed a Web-based application to capture, review, and act on requests from employees. The front end of this application is a Web service that accepts and stores data in CSV format. Employee account data stored in the back end can be exported as XML files to a specified location.
Scenario 2: Ceeam Travels Inc. owns a custom Web-based application that its customers use to request airline fare quotes. Agents, who are also employees of Ceeam Travels, respond to these requests by using the same application. Customers register themselves to create accounts in this application. However, Ceeam Travels employees need to have accounts auto-provisioned based on their HR job title. Account management functions (such as create, update, and delete) of the application are available through Java APIs.
In both these scenarios, you need to create a custom connector to link the target system and Oracle Identity Manager. If you are looking for a simple way to create your custom connector and do not need the customization features of the Adapter Factory, you can create the connector by using the Generic Technology Connector feature of Oracle Identity Manager. As described in the Section 18.2, "Functional Architecture of Generic Technology Connectors", providers are the building blocks of generic technology connectors.
In Scenario 1, you can use the predefined shared drive reconciliation transport provider and CSV reconciliation format provider to create a generic technology connector that reconciles data stored in a flat file into Oracle Identity Manager.
In Scenario 2, there is no predefined provider available to integrate the custom application with Oracle Identity Manager. In this case, you can use the instructions provided in Chapter 20, "Creating Custom Providers for Generic Technology Connectors" to create the custom providers that call the Java APIs exposed by the target application.
Like a predefined connector, a generic technology connector acts as the bridge for reconciliation and provisioning operations between Oracle Identity Manager and a target system. Functionally, a generic technology connector can be divided into a reconciliation module and provisioning module. When you create a generic technology connector, you can specify whether you want to include both modules, or include the reconciliation module only, or include the provisioning module only.
A predefined connector provides reconciliation and provisioning functionality in the context of the same target. In contrast, the reconciliation and provisioning modules of a generic technology connector are composed of reusable components that you choose. Each component performs a specific function during provisioning or reconciliation. For example, you can create a connector that performs trusted source reconciliation from flat files and provides target resource provisioning using the SPML protocol to an SPML-enabled target.
Each provider performs a transport, format change, validation, or transformation function on the data that it receives as input. In other words, data items processed by a provider are moved to a new location, validated against specified criteria, or undergo modification in structure or value. In this guide, the term data sets is used to describe data structures arranged in the form of layers, with data flowing from one layer to another during provisioning and reconciliation.
While creating a generic technology connector, you can specify the fields (user identity metadata) that must be included in each data set. You can also define mappings between fields of different data sets. A mapping serves one of the following purposes:
Establishes a data flow path between fields of two data sets for use either in provisioning or reconciliation.
A mapping of this type forms the basis for validations or transformations to be performed on data that is fetched from the target system.
Creates a basis for comparing (matching) field values of two data sets.
Figure 18-1 shows the functional architecture of a generic technology connector.
The following sections describe the providers and data sets that constitute a generic technology connector:
The reconciliation module consists of the following providers and data sets:
A reconciliation transport provider carries reconciliation data from the target system to Oracle Identity Manager. The manner in which this provider carries the reconciliation data depends on the implementation of the provider. For example, a reconciliation transport provider can read data from a file, or accept data from a Web service, or query a database.
A reconciliation format provider parses the reconciliation data fetched by the reconciliation transport provider and converts this data into data structures that can be stored in Oracle Identity Manager.
A validation provider checks the data in the source data sets against criteria you specify before passing the data to the reconciliation engine of Oracle Identity Manager.
You can include more than one validation provider in a generic technology connector.
A transformation provider included in the reconciliation module modifies data received from the validation providers before passing on the data for the creation of reconciliation events in Oracle Identity Manager.
The following is an example of a transformation provider function:
Suppose the following are the values of two fields in the target system
A transformation provider can be used to create the following reconciliation field output:
The provisioning module consists of the following providers and data sets:
A transformation provider can be used to modify data items at the following stages:
A transformation provider included in the provisioning module modifies data entered in Oracle Identity Manager process forms before the data is sent to the target system.
A provisioning staging data set holds user data before it is sent to the provisioning format provider. This data is the output of the transformation functions that are run on the user data for a trusted source or account data for a target system, which are stored in Oracle Identity Manager. This data set can have child data sets.
A provisioning format provider converts Oracle Identity Manager provisioning data (received from the transformation provider) into a format that is supported by the target system.
A provisioning transport provider carries provisioning data from the provisioning format provider to the target system. The manner in which this provider carries reconciliation data depends on the implementation of the provider. For example, a provider can copy data into a file, or send data to a Web service, or post data to a database.
The Oracle Identity Manager data sets represent data that is stored in Oracle Identity Manager. Although these data sets are not part of the reconciliation or provisioning module, they are considered part of the generic technology connector because you can add fields to these data sets and create mappings between fields of these data sets and other data sets. The following are the Oracle Identity Manager data sets:
The OIM - User data set holds the metadata (set of identity fields) that defines the Oracle Identity Manager User. In trusted source reconciliation, this data set receives newly created or modified user account information from the reconciliation staging data set. In target resource reconciliation, the fields of the OIM - User data set can be used to establish a match between target system user accounts and existing Oracle Identity Manager users. This data set does not have child data sets.
The OIM - Account data set holds the user account information that is stored in the process form fields of Oracle Identity Manager. This user account information is received from the reconciliation staging data sets. The OIM - Account data set can have child data sets.
The following features are specific to the reconciliation module:
A generic technology connector can be used for trusted source reconciliation. During reconciliation in trusted mode:
If the reconciliation engine detects new target system accounts, it creates corresponding Oracle Identity Manager users.
If the reconciliation engine detects changes to existing target system accounts, the same changes are made in the corresponding Oracle Identity Manager users.
While creating a generic technology connector, if you do not select the Trusted Source reconciliation option, target resource reconciliation is enabled. In target resource reconciliation, only modifications to target system accounts are reconciled. New target system accounts detected during reconciliation are not created automatically in Oracle Identity Manager.
A generic technology connector that is used for trusted source reconciliation cannot be used for provisioning. This design feature was incorporated to ensure that you do not create or modify through Oracle Identity Manager user account information on a target system that is designated as a trusted source.
Connector objects, such as IT resources and resource objects, are created automatically at the end of the generic technology connector creation process. By default, the resource object of a generic technology connector is a trusted resource object. In other words, a generic technology connector is already compatible with the Multiple Trusted Source reconciliation feature. This feature is discussed in Chapter 12, "Developing Provisioning Processes".
In trusted source reconciliation, the reconciliation of multivalued (child) data is not supported.
User account status information is used to track whether or not the owner of a target system account is to be allowed to access and use the account. If the target system does not store account status information in the format in which it is stored in Oracle Identity Manager, you can use the predefined translation transformation provider to implement account status reconciliation.
User account status reconciliation can be implemented independently of whether you select trusted source or target resource reconciliation.
The Design Console offers features for implementing account status reconciliation, without using the translation transformation provider. For more information, see Section 126.96.36.199, "Reconciliation Field Mappings Tab".
While creating a generic technology connector, you can specify that you want to use the connector for full or incremental reconciliation.
You select incremental reconciliation if the target system supports a method for the reconciliation engine to identify records that have changed since the last reconciliation run. For example, if the target system time stamps the creation of or changes made to user records, the reconciliation engine can identify records that have been added or modified since the last reconciliation run. In incremental reconciliation, only target system records that have changed after the last reconciliation run are reconciled (stored) into Oracle Identity Manager.
You select full reconciliation if any one of the following conditions is true:
The target system does not support any method for the reconciliation engine to identify records that have changed since the last reconciliation run.
You want to perform first-time reconciliation of all user account records in the target system.
In full reconciliation, all the reconciliation records are extracted from the target system. However, the optimized reconciliation feature identifies and ignores records that have already been reconciled in Oracle Identity Manager. This helps reduce the space occupied by reconciliation data. If this feature were not present, the amount of data stored in the Oracle Identity Manager database would increase rapidly with each reconciliation run.
The outcome of both full and incremental reconciliation is the same:
All the target system records are reconciled during the first reconciliation run.
From the second reconciliation run onward, target system records that are created or updated after the last reconciliation run are reconciled into Oracle Identity Manager.
You can specify a batch size for reconciliation. By doing this, you can break into batches the total number of records that the reconciliation engine fetches from the target system during each reconciliation run. This feature provides more control over the reconciliation process.
You can specify whether or not you want to reconcile into Oracle Identity Manager the deletion of multivalued attribute data on the target system.
Generic technology connectors do not support the reconciliation of parent data deletion. For example, if the account of user
John Doe is deleted from the target system, you cannot use a generic technology connector to reconcile this user account deletion into Oracle Identity Manager.
During reconciliation, validation providers can be used to run checks on target system data before it is stored in Oracle Identity Manager. You can set a failure threshold to automatically stop a reconciliation run if the percentage of records that fail the validation checks to the total number of records processed exceeds the specified threshold percentage.
The following features are not specific to the reconciliation or provisioning module:
While creating a generic technology connector, you can specify the identity fields and field mappings (data flow paths) that must be used during reconciliation and provisioning.
You can create custom providers if the predefined providers shipped with Oracle Identity Manager do not address the transport, format change, validation, or transformation requirements of your operating environment.
Generic technology connectors can handle both ASCII and non-ASCII data (multibyte characters), which represent a user, an account, or some other type of provisioned resource object.
While creating a generic technology connector, you can specify:
The format of date values in target system records that are extracted during reconciliation
The format in which date values must be sent to the target system during provisioning
The list of connector objects created by the generic technology connector framework depends on the combination of the reconciliation and provisioning options that you select on the Step 1: Basic Information page:
Except for the form names, the names of the generic technology connector objects are in the
_GTC format, where
GTC_NAME is the name that you assign to the connector.
For example, if you specify
DBTables_conn as the name of a generic technology connector that you create, all the connector objects (except the forms) are named
The following objects are created when you select both the provisioning and reconciliation options on the Step 1: Basic Information page:
IT resource type
The parameters of the IT resource type are the run-time parameters of the format and transport providers (for both reconciliation and provisioning) that you select on the first page.
The IT resource is an instance of the IT resource type. It contains the run-time parameter values of the providers.
The resource object holds the values of the fields that constitute the reconciliation staging parent data set. For each reconciliation staging child data set, multilevel reconciliation fields (with corresponding child fields as their attributes) are created automatically.
When you select the trusted source reconciliation option, a trusted resource object is one of the objects created automatically at the end of the connector creation process.
Parent and child forms
Parent and child forms are based on the OIM - Account data set and its child data sets, respectively. By default, the names of the forms are the same as the names of their corresponding data sets. On the Step 3: Verify Form Names page, you can change the form names as required.
The process definition contains the reconciliation field mappings and the system-defined and provisioning-specific process tasks. See Section 21.2.6, "Configuring Provisioning" for information about the process tasks that are included in the process definition.
The generic adapter contains the code for all the provisioning functions that a generic technology connector performs.
During a reconciliation run, the scheduled task triggers the reconciliation processes in the predefined sequence. Section 21.2.5, "Configuring Reconciliation" provides information about setting up the scheduled task.
The reconciliation rule consists of rule elements. A single rule element represents a mapping created between a field of the reconciliation staging data set and a field of the OIM - User data set.
Any one of the following default action rules are created for target resource reconciliation:
One Entity Match Found
One Process Match Found
Any one of the following default action rules are created for trusted source reconciliation:
No Matches Found
One Entity Match Found
One Process Match Found
The user group to which the creator of the generic technology connector belongs is made the administrator of the following connector objects that are created automatically during the generic technology connector creation process:
Resource object (Administrator and Object Authorizer)
Reconciliation field mappings
See "Both Reconciliation and Provisioning Are Selected" for the list of objects that are created when you select both the Reconciliation and Provisioning options. From that list, the following objects are not created when you select only the Reconciliation option on the Step 1: Basic Information page:
Provisioning-specific process tasks.
However, the process definition itself and its constituent system-defined process tasks are created.
See "Both Reconciliation and Provisioning Are Selected" for the list of objects that are created when you select both the Reconciliation and Provisioning options. From that list, the following objects are not created when you select only the Provisioning option on the Step 1: Basic Information page:
Reconciliation field mappings
The following is an overview of the remaining chapters and appendixes on generic technology connectors:
Chapter 19, "Predefined Providers for Generic Technology Connectors" provides a survey of available providers, which include the shared drive reconciliation transport provider, CSV reconciliation format provider, SPML provisioning format provider, Web Services provisioning transport provider, transformation provider, and validation provider.
Chapter 20, "Creating Custom Providers for Generic Technology Connectors" explains the role of providers during provisioning and reconciliation, and describes how to create custom providers.
Chapter 21, "Creating and Managing Generic Technology Connectors" describes how to create and maintain Generic Technology Connectors, and how to use the generic Connection Pool Framework in custom connectors.
Chapter 22, "Troubleshooting Generic Technology Connectors" describes general and configuration issues related to Generic Technology Connectors and how to troubleshoot the issues.