Oracle® Fusion Middleware Developer's Guide for Oracle Identity Manager
11g Release 2 (11.1.2)

Part Number E27150-17

16 Understanding Generic Technology Connectors

This chapter introduces generic technology connectors and the features that Oracle Identity Manager provides for working with generic technology connectors.

This chapter contains the following sections:

  • Section 16.1, "Requirement for Generic Technology Connectors"

  • Section 16.2, "Functional Architecture of Generic Technology Connectors"

  • Section 16.3, "Features of Generic Technology Connectors"

  • Section 16.4, "Connector Objects Created by the Generic Technology Connector Framework"

  • Section 16.5, "Roadmap for Information on Generic Technology Connectors in This Guide"

16.1 Requirement for Generic Technology Connectors

Predefined Oracle Identity Manager connectors are designed for commonly used target systems such as Microsoft Active Directory and PeopleSoft Enterprise Applications. A predefined connector is developed using the Adapter Factory approach, and its architecture is based on either the APIs that the target system supports or the data repository type and schema in which the target system stores user data.

Since they are developed using the Adapter Factory, predefined connectors offer extensive workflow and adapter customization capabilities. The use of a predefined connector is the recommended integration method when such a connector is available for the target system.

There may be scenarios in which you want to integrate Oracle Identity Manager with a target system that has no corresponding predefined connector. The following are examples of such scenarios:

Scenario 1: All employees of Acme Inc. are allotted disk space on a backup server. Employees send requests to the system administrator for managing their accounts on the backup server. The system administrator has developed a Web-based application to capture, review, and act on requests from employees. The front end of this application is a Web service that accepts and stores data in CSV format. Employee account data stored in the back end can be exported as XML files to a specified location.

Scenario 2: Ceeam Travels Inc. owns a custom Web-based application that its customers use to request airline fare quotes. Agents, who are also employees of Ceeam Travels, respond to these requests by using the same application. Customers register themselves to create accounts in this application. However, Ceeam Travels employees need to have accounts auto-provisioned based on their HR job title. Account management functions (such as create, update, and delete) of the application are available through Java APIs.

In both these scenarios, you need to create a custom connector to link the target system and Oracle Identity Manager. If you are looking for a simple way to create your custom connector and do not need the customization features of the Adapter Factory, you can create the connector by using the Generic Technology Connector feature of Oracle Identity Manager. As described in Section 16.2, "Functional Architecture of Generic Technology Connectors", providers are the building blocks of generic technology connectors.

16.2 Functional Architecture of Generic Technology Connectors

Like a predefined connector, a generic technology connector acts as the bridge for reconciliation and provisioning operations between Oracle Identity Manager and a target system. Functionally, a generic technology connector can be divided into a reconciliation module and provisioning module. When you create a generic technology connector, you can specify whether you want to include both modules, or include the reconciliation module only, or include the provisioning module only.

A predefined connector provides reconciliation and provisioning functionality in the context of the same target. In contrast, the reconciliation and provisioning modules of a generic technology connector are composed of reusable components that you choose. Each component performs a specific function during provisioning or reconciliation. For example, you can create a connector that performs trusted source reconciliation from flat files and provides target resource provisioning using the SPML protocol to an SPML-enabled target.

In this guide, the components that constitute a generic technology connector are called providers.

Each provider performs a transport, format change, validation, or transformation function on the data that it receives as input. In other words, data items processed by a provider are moved to a new location, validated against specified criteria, or undergo modification in structure or value. In this guide, the term data sets is used to describe data structures arranged in the form of layers, with data flowing from one layer to another during provisioning and reconciliation.

While creating a generic technology connector, you can specify the fields (user identity metadata) that must be included in each data set. You can also define mappings between fields of different data sets. A mapping serves one of the following purposes:

Figure 16-1 shows the functional architecture of a generic technology connector.

Figure 16-1 Functional Architecture of a Generic Technology Connector


The following sections describe the providers and data sets that constitute a generic technology connector:

16.2.1 Providers and Data Sets of the Reconciliation Module

The reconciliation module consists of the following providers and data sets:

  • Reconciliation Transport Provider

    A reconciliation transport provider carries reconciliation data from the target system to Oracle Identity Manager. The manner in which this provider carries the reconciliation data depends on the implementation of the provider. For example, a reconciliation transport provider can read data from a file, or accept data from a Web service, or query a database.

  • Reconciliation Format Provider

    A reconciliation format provider parses the reconciliation data fetched by the reconciliation transport provider and converts this data into data structures that can be stored in Oracle Identity Manager.

  • Source

    A Source data set holds the data processed by the reconciliation format provider. This data set can have child data sets.

  • Validation Provider

    A validation provider checks the data in the source data sets against criteria you specify before passing the data to the reconciliation engine of Oracle Identity Manager.

    Note:

    You can include more than one validation provider in a generic technology connector.

  • Transformation Provider

    A transformation provider included in the reconciliation module modifies data received from the validation providers before passing on the data for the creation of reconciliation events in Oracle Identity Manager.

    The following is an example of a transformation provider function:

    Suppose the following are the values of two fields in the target system

    First Name: John

    Last Name: Doe

    A transformation provider can be used to create the following reconciliation field output:

    Login ID: John.Doe

  • Reconciliation Staging

    A reconciliation staging data set holds user data that has been processed by the validation providers and transformation providers. This data set can have child data sets.
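    The provider chain above, modelled end to end as an added example (this is illustration code, not Oracle Identity Manager's provider SPI or any shipped provider): a file-style transport provider hands a constructed CSV export to a format provider, validation providers reject rows before they can reach the reconciliation engine, and two transformation providers build the Login ID from the text's John/Doe example and translate the target's status vocabulary. The status table, the e-mail check and the field names are assumptions made for the example.

```python
"""Model of the reconciliation-side provider chain: transport -> format ->
Source data set -> validation -> transformation -> reconciliation staging.

Added illustration, not Oracle Identity Manager code.  Each provider is a plain
function playing the role the chapter assigns to it; the export is constructed.
"""
import csv
import io
import re
from typing import Callable, Dict, List, Optional, Tuple

Record = Dict[str, str]
Validator = Callable[[Record], Optional[str]]   # None = pass, str = reason
Transformer = Callable[[Record], Record]

# Constructed export, standing in for the file a file-based reconciliation
# transport provider would fetch from the target system.
SAMPLE_EXPORT = """First Name,Last Name,Email,Status
John,Doe,john.doe@example.com,Enabled
Jane,Roe,jane.roe@example.com,Disabled
,Nobody,not-an-email,Enabled
"""

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
# Hypothetical target-to-OIM status vocabulary for the translation transformation.
STATUS_MAP = {"Enabled": "Active", "Disabled": "Disabled"}


def transport_provider() -> str:
    """Reconciliation transport provider: carries the raw export to the connector."""
    return SAMPLE_EXPORT


def format_provider(raw: str) -> List[Record]:
    """Reconciliation format provider: parses CSV into Source data set rows."""
    return [dict(row) for row in csv.DictReader(io.StringIO(raw))]


def required(field: str) -> Validator:
    """Validation provider: the field must be present and non-blank."""
    return lambda rec: None if rec.get(field, "").strip() else f"missing {field}"


def email_format(rec: Record) -> Optional[str]:
    """Validation provider: reject malformed e-mail addresses before they reach OIM."""
    return None if EMAIL_RE.match(rec.get("Email", "")) else "bad Email"


def known_status(rec: Record) -> Optional[str]:
    """Validation provider: only statuses the translation table knows are accepted."""
    return None if rec.get("Status") in STATUS_MAP else "unknown Status"


def login_id(rec: Record) -> Record:
    """Transformation provider: First Name + '.' + Last Name -> Login ID."""
    return {**rec, "Login ID": f"{rec['First Name']}.{rec['Last Name']}"}


def translate_status(rec: Record) -> Record:
    """Translation transformation provider: target status -> OIM status."""
    return {**rec, "Status": STATUS_MAP[rec["Status"]]}


def reconcile(raw: str, validators: List[Validator],
              transformers: List[Transformer]) -> Tuple[List[Record], List[Tuple[Record, str]]]:
    """Run Source rows through every validator, then every transformer.

    Returns (reconciliation staging rows, rejected rows with reasons).  A row
    that fails any validator never reaches a transformer or the staging set.
    """
    staging: List[Record] = []
    rejected: List[Tuple[Record, str]] = []
    for rec in format_provider(raw):
        failures = [msg for v in validators if (msg := v(rec)) is not None]
        if failures:
            rejected.append((rec, "; ".join(failures)))
            continue
        for transform in transformers:
            rec = transform(rec)
        staging.append(rec)
    return staging, rejected


DEFAULT_VALIDATORS: List[Validator] = [required("First Name"), required("Last Name"),
                                       email_format, known_status]
DEFAULT_TRANSFORMERS: List[Transformer] = [login_id, translate_status]


if __name__ == "__main__":
    ok, bad = reconcile(transport_provider(), DEFAULT_VALIDATORS, DEFAULT_TRANSFORMERS)
    for row in ok:
        print("staged:", row["Login ID"], row["Status"])
    for row, why in bad:
        print("rejected:", row, "->", why)
```

    The ordering matters: validation runs on the Source data set, so a transformation never sees a row it would have to guess about (the translation here would raise on an unknown status if the validator were removed), and nothing reaches the staging set that the reconciliation engine cannot trust.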

16.2.2 Providers and Data Sets of the Provisioning Module

The provisioning module consists of the following providers and data sets:

  • Transformation Provider

    A transformation provider included in the provisioning module modifies data entered in Oracle Identity Manager process forms before the data is sent to the target system.

  • Provisioning Staging

    A provisioning staging data set holds user data before it is sent to the provisioning format provider. This data is the output of the transformation functions run on the Oracle Identity Manager User data or on the account (process form) data stored in Oracle Identity Manager. This data set can have child data sets.

  • Provisioning Format Provider

    A provisioning format provider converts Oracle Identity Manager provisioning data (received from the transformation provider) into a format that is supported by the target system.

  • Provisioning Transport Provider

    A provisioning transport provider carries provisioning data from the provisioning format provider to the target system. The manner in which this provider carries the provisioning data depends on the implementation of the provider. For example, a provider can copy data into a file, or send data to a Web service, or post data to a database.

16.2.3 Oracle Identity Manager Data Sets

The Oracle Identity Manager data sets represent data that is stored in Oracle Identity Manager. Although these data sets are not part of the reconciliation or provisioning module, they are considered part of the generic technology connector because you can add fields to these data sets and create mappings between fields of these data sets and other data sets. The following are the Oracle Identity Manager data sets:

  • OIM - User

    The OIM - User data set holds the metadata (set of identity fields) that defines the Oracle Identity Manager User. In trusted source reconciliation, this data set receives newly created or modified user account information from the reconciliation staging data set. In target resource reconciliation, the fields of the OIM - User data set can be used to establish a match between target system user accounts and existing Oracle Identity Manager users. This data set does not have child data sets.

  • OIM - Account

    The OIM - Account data set holds the user account information that is stored in the process form fields of Oracle Identity Manager. This user account information is received from the reconciliation staging data sets. The OIM - Account data set can have child data sets.

16.3 Features of Generic Technology Connectors

The following sections discuss the features of generic technology connectors:

16.3.1 Features Specific to the Reconciliation Module

The following features are specific to the reconciliation module:

16.3.1.1 Trusted Source Reconciliation

A generic technology connector can be used for trusted source reconciliation. During reconciliation in trusted mode:

  • If the reconciliation engine detects new target system accounts, it creates corresponding Oracle Identity Manager users.

  • If the reconciliation engine detects changes to existing target system accounts, the same changes are made in the corresponding Oracle Identity Manager users.

Note:

While creating a generic technology connector, if you do not select the Trusted Source reconciliation option, target resource reconciliation is enabled. In target resource reconciliation, only modifications to target system accounts are reconciled. New target system accounts detected during reconciliation are not created automatically in Oracle Identity Manager.

A generic technology connector that is used for trusted source reconciliation cannot be used for provisioning. This design feature was incorporated to ensure that Oracle Identity Manager is not used to create or modify user account information on a target system that is designated as a trusted source.

Connector objects, such as IT resources and resource objects, are created automatically at the end of the generic technology connector creation process. When you select the trusted source reconciliation option, the resource object of the generic technology connector is created as a trusted resource object. In other words, a generic technology connector is already compatible with the Multiple Trusted Source reconciliation feature. This feature is discussed in Chapter 5, "Developing Provisioning Processes".

Note:

In trusted source reconciliation, the reconciliation of multivalued (child) data is not supported.

16.3.1.2 Account Status Reconciliation

User account status information is used to track whether or not the owner of a target system account is to be allowed to access and use the account. If the target system does not store account status information in the format in which it is stored in Oracle Identity Manager, you can use the predefined translation transformation provider to implement account status reconciliation.

Note:

User account status reconciliation can be implemented independently of whether you select trusted source or target resource reconciliation.

The Design Console offers features for implementing account status reconciliation, without using the translation transformation provider. For more information, see Section 5.3.2.2, "Reconciliation Field Mappings Tab".

16.3.1.3 Full and Incremental Reconciliation

While creating a generic technology connector, you can specify that you want to use the connector for full or incremental reconciliation.

You select incremental reconciliation if the target system supports a method for the reconciliation engine to identify records that have changed since the last reconciliation run. For example, if the target system time stamps the creation of or changes made to user records, the reconciliation engine can identify records that have been added or modified since the last reconciliation run. In incremental reconciliation, only target system records that have changed after the last reconciliation run are reconciled (stored) into Oracle Identity Manager.

You select full reconciliation if any one of the following conditions is true:

  • The target system does not support any method for the reconciliation engine to identify records that have changed since the last reconciliation run.

  • You want to perform first-time reconciliation of all user account records in the target system.

In full reconciliation, all the reconciliation records are extracted from the target system. However, the optimized reconciliation feature identifies and ignores records that have already been reconciled in Oracle Identity Manager. This helps reduce the space occupied by reconciliation data. If this feature were not present, the amount of data stored in the Oracle Identity Manager database would increase rapidly with each reconciliation run.

Note:

The outcome of both full and incremental reconciliation is the same:

  • All the target system records are reconciled during the first reconciliation run.

  • From the second reconciliation run onward, target system records that are created or updated after the last reconciliation run are reconciled into Oracle Identity Manager.
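The full/incremental distinction and the optimized-reconciliation skip, as an added example (illustration code, not Oracle Identity Manager's reconciliation engine): a constructed in-memory target stamps each record with a last-modified time, incremental mode asks only for records changed since the previous run, full mode pulls everything, and a content fingerprint ledger stands in for OIM's own record of what has already been reconciled. Both modes raise the same events over three runs, which is the note's point. The fingerprint, the ledger and the target API are assumptions of the model.

```python
"""Full versus incremental reconciliation, with the optimized-reconciliation
skip of already-reconciled records.

Added illustration, not Oracle Identity Manager code.  The target system is a
constructed in-memory table whose records carry a last-modified timestamp, and
the engine keeps a fingerprint ledger as a stand-in for OIM's own bookkeeping.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class TargetRecord:
    user_id: str
    email: str
    status: str
    modified: int  # seconds since epoch, stamped by the target system


class TargetSystem:
    """Constructed target that can answer both 'all records' and 'changed since'."""

    def __init__(self, records: List[TargetRecord]) -> None:
        self.records: Dict[str, TargetRecord] = {r.user_id: r for r in records}

    def fetch_all(self) -> List[TargetRecord]:
        return list(self.records.values())

    def fetch_changed_since(self, ts: int) -> List[TargetRecord]:
        return [r for r in self.records.values() if r.modified > ts]

    def update(self, user_id: str, *, now: int, **changes) -> None:
        cur = self.records[user_id]
        self.records[user_id] = TargetRecord(**{**asdict(cur), **changes, "modified": now})


def fingerprint(rec: TargetRecord) -> str:
    """Stable hash of a record's content; an identical record yields no new event."""
    return hashlib.sha256(json.dumps(asdict(rec), sort_keys=True).encode()).hexdigest()


class ReconEngine:
    def __init__(self) -> None:
        self.store: Dict[str, TargetRecord] = {}        # what OIM now holds
        self.seen: Set[str] = set()                     # optimized-recon ledger
        self.last_run: Optional[int] = None

    def run(self, target: TargetSystem, mode: str, now: int) -> int:
        """Reconcile in 'full' or 'incremental' mode; return the events raised."""
        if mode == "incremental" and self.last_run is not None:
            candidates = target.fetch_changed_since(self.last_run)
        elif mode in ("incremental", "full"):
            candidates = target.fetch_all()   # the first run is always a full pull
        else:
            raise ValueError(f"unknown mode {mode!r}")
        events = 0
        for rec in candidates:
            fp = fingerprint(rec)
            if fp in self.seen:               # already reconciled: skip, no event
                continue
            self.seen.add(fp)
            self.store[rec.user_id] = rec
            events += 1
        self.last_run = now
        return events


def demo(mode: str) -> List[int]:
    """Three runs against the same target; returns the events raised per run."""
    target = TargetSystem([
        TargetRecord("u1", "u1@example.com", "Enabled", modified=100),
        TargetRecord("u2", "u2@example.com", "Enabled", modified=100),
        TargetRecord("u3", "u3@example.com", "Enabled", modified=100),
    ])
    engine = ReconEngine()
    first = engine.run(target, mode, now=200)          # everything is new
    target.update("u2", now=250, status="Disabled")    # one change on the target
    second = engine.run(target, mode, now=300)         # only u2 raises an event
    third = engine.run(target, mode, now=400)          # nothing changed: no events
    return [first, second, third]
```

The difference between the modes is cost, not outcome: full mode transfers every record on every run and relies on the ledger to discard duplicates, whereas incremental mode transfers only what the target reports as changed. Incremental mode is therefore only as good as the target's timestamps; a change the target fails to stamp is invisible until the next full run.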

16.3.1.4 Batched Reconciliation

You can specify a batch size for reconciliation. By doing this, you can break into batches the total number of records that the reconciliation engine fetches from the target system during each reconciliation run. This feature provides more control over the reconciliation process.

16.3.1.5 Reconciliation of Multivalued Attribute Data (Child Data) Deletion

You can specify whether or not you want to reconcile into Oracle Identity Manager the deletion of multivalued attribute data on the target system.

Note:

Generic technology connectors do not support the reconciliation of parent data deletion. For example, if the account of user John Doe is deleted from the target system, you cannot use a generic technology connector to reconcile this user account deletion into Oracle Identity Manager.

16.3.1.6 Failure Threshold for Stopping Reconciliation

During reconciliation, validation providers can be used to run checks on target system data before it is stored in Oracle Identity Manager. You can set a failure threshold to automatically stop a reconciliation run if the percentage of records that fail the validation checks to the total number of records processed exceeds the specified threshold percentage.
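Batched reconciliation and the failure threshold together, as an added example (illustration code, not Oracle Identity Manager's scheduler or reconciliation engine): a constructed export is processed in batches, each record is run through validation providers, and the run aborts as soon as the failed-to-processed percentage exceeds the threshold. The records, the validators and the decision to evaluate the threshold after each batch rather than after each record are assumptions of the model.

```python
"""Batched reconciliation with a failure threshold that stops the run.

Added illustration, not Oracle Identity Manager code.  Records are constructed,
validators are plain functions, and checking the threshold once per batch is an
assumption made for this model.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Record = Dict[str, str]
Validator = Callable[[Record], Optional[str]]   # None = pass, str = reason


@dataclass
class RunResult:
    accepted: List[Record] = field(default_factory=list)
    processed: int = 0
    failed: int = 0
    stopped: bool = False          # True if the threshold aborted the run
    batches_run: int = 0

    @property
    def failure_pct(self) -> float:
        return 100.0 * self.failed / self.processed if self.processed else 0.0


def has_login(rec: Record) -> Optional[str]:
    return None if rec.get("Login", "").strip() else "missing Login"


def has_email_domain(domain: str) -> Validator:
    """Reject accounts whose mail domain is not the one the connector expects."""
    return lambda rec: None if rec.get("Email", "").endswith("@" + domain) else "foreign Email"


def run_batched(records: List[Record], validators: List[Validator],
                batch_size: int, threshold_pct: float) -> RunResult:
    """Process records batch by batch; abort once the failure ratio exceeds threshold_pct."""
    if batch_size < 1:
        raise ValueError("batch_size must be >= 1")
    result = RunResult()
    for start in range(0, len(records), batch_size):
        result.batches_run += 1
        for rec in records[start:start + batch_size]:
            result.processed += 1
            if any(v(rec) is not None for v in validators):
                result.failed += 1
            else:
                result.accepted.append(rec)
        if result.failure_pct > threshold_pct:
            result.stopped = True          # stop before the next batch is fetched
            break
    return result


# Constructed target export: 8 records, 2 of which fail validation.
SAMPLE_RECORDS: List[Record] = [
    {"Login": "jdoe",    "Email": "jdoe@example.com"},
    {"Login": "",        "Email": "anon@example.com"},        # missing Login
    {"Login": "jroe",    "Email": "jroe@example.com"},
    {"Login": "asmith",  "Email": "asmith@example.com"},
    {"Login": "bjones",  "Email": "bjones@example.com"},
    {"Login": "mallory", "Email": "mallory@evil.example"},    # foreign domain
    {"Login": "cwu",     "Email": "cwu@example.com"},
    {"Login": "dlee",    "Email": "dlee@example.com"},
]
VALIDATORS: List[Validator] = [has_login, has_email_domain("example.com")]
```

With a batch size of 3 and a 25% threshold the first batch already fails one record in three and the run stops after a single batch; with a 40% threshold the same data completes all three batches at a final failure rate of 25%. The threshold is a circuit breaker against a corrupted or hostile export, not a substitute for the validators: the records that fail are still dropped individually, the threshold only decides whether to keep consuming the feed at all.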

16.3.2 Other Features

The following features are not specific to the reconciliation or provisioning module:

16.3.2.1 Custom Data Fields and Field Mappings

While creating a generic technology connector, you can specify the identity fields and field mappings (data flow paths) that must be used during reconciliation and provisioning.

16.3.2.2 Custom Providers

You can create custom providers if the predefined providers shipped with Oracle Identity Manager do not address the transport, format change, validation, or transformation requirements of your operating environment.

16.3.2.3 Multilanguage Support

Generic technology connectors can handle both ASCII and non-ASCII data (multibyte characters), which represent a user, an account, or some other type of provisioned resource object.

16.3.2.4 Custom Date Formats

While creating a generic technology connector, you can specify:

  • The format of date values in target system records that are extracted during reconciliation

  • The format in which date values must be sent to the target system during provisioning

16.3.2.5 Propagation of Changes in Oracle Identity Manager User Attributes to Target Systems

While creating a generic technology connector, you can enable the automatic propagation of changes in Oracle Identity Manager User attributes to the target system.

16.4 Connector Objects Created by the Generic Technology Connector Framework

The list of connector objects created by the generic technology connector framework depends on the combination of the reconciliation and provisioning options that you select on the Step 1: Basic Information page.

Note:

Except for the form names, the names of the generic technology connector objects are in the GTC_NAME_GTC format, where GTC_NAME is the name that you assign to the connector.

For example, if you specify DBTables_conn as the name of a generic technology connector that you create, all the connector objects (except the forms) are named DBTables_conn_GTC.

16.4.1 Both Reconciliation and Provisioning Are Selected

The following objects are created when you select both the provisioning and reconciliation options on the Step 1: Basic Information page:

  • IT resource type

    The parameters of the IT resource type are the run-time parameters of the format and transport providers (for both reconciliation and provisioning) that you select on the first page.

  • IT resource

    The IT resource is an instance of the IT resource type. It contains the run-time parameter values of the providers.

  • Resource object

    The resource object holds the values of the fields that constitute the reconciliation staging parent data set. For each reconciliation staging child data set, multilevel reconciliation fields (with corresponding child fields as their attributes) are created automatically.

    Note:

    When you select the trusted source reconciliation option, a trusted resource object is one of the objects created automatically at the end of the connector creation process.

  • Application instance

    The combination of IT resource (target connectivity and connector configuration) and resource object (provisioning mechanism). This is a provisionable entity.

  • Parent and child forms

    Parent and child forms are based on the OIM - Account data set and its child data sets, respectively. By default, the names of the forms are the same as the names of their corresponding data sets. On the Step 3: Verify Form Names page, you can change the form names as required.

  • Process definition

    The process definition contains the reconciliation field mappings and the system-defined and provisioning-specific process tasks. See Section 19.2.6, "Configuring Provisioning" for information about the process tasks that are included in the process definition.

  • Generic adapter

    The generic adapter contains the code for all the provisioning functions that a generic technology connector performs.

  • Scheduled task

    During a reconciliation run, the scheduled task triggers the reconciliation processes in the predefined sequence. Section 19.2.5, "Configuring Reconciliation" provides information about setting up the scheduled task.

  • Reconciliation rule

    The reconciliation rule consists of rule elements. A single rule element represents a mapping created between a field of the reconciliation staging data set and a field of the OIM - User data set.

  • Action rules

    The following default action rules are created for target resource reconciliation:

    Rule Condition             Action
    One Entity Match Found     Establish Link
    One Process Match Found    Establish Link

    The following default action rules are created for trusted source reconciliation:

    Rule Condition             Action
    No Matches Found           Create User
    One Entity Match Found     Establish Link
    One Process Match Found    Establish Link
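How the reconciliation rule and the default action rules above interact in the two modes, as an added example (illustration code, not Oracle Identity Manager's matching engine): rule elements are (staging field, OIM - User field) pairs that must all hold for a user to match, a single match establishes a link, and a record with no match creates a user only when the connector is a trusted source. The users, staging records and resource name are constructed, and treating several matches as "no automatic action" is an assumption, since the tables above list no rule for that case.

```python
"""Reconciliation rule elements and the default action rules, in trusted source
and target resource mode.

Added illustration, not Oracle Identity Manager code.  Users, staging records
and the 'GTC' resource name are constructed; taking no action on multiple
matches is an assumption of this model.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

RuleElement = Tuple[str, str]   # (reconciliation staging field, OIM - User field)


@dataclass
class OIMUser:
    user_login: str
    email: str
    last_name: str
    linked: Dict[str, str] = field(default_factory=dict)   # resource -> target account key


class ReconRuleEngine:
    def __init__(self, rule_elements: List[RuleElement], trusted: bool,
                 resource: str = "GTC") -> None:
        self.rule_elements = rule_elements
        self.trusted = trusted
        self.resource = resource

    def matches(self, staging: Dict[str, str], users: List[OIMUser]) -> List[OIMUser]:
        """Reconciliation rule: every rule element must hold for a user to match."""
        return [u for u in users
                if all(staging.get(sf) == getattr(u, uf) for sf, uf in self.rule_elements)]

    def apply(self, staging: Dict[str, str], users: List[OIMUser]) -> str:
        """Evaluate the default action rules for one staging record; return the action."""
        found = self.matches(staging, users)
        if len(found) == 1:                       # One Entity Match Found
            found[0].linked[self.resource] = staging["Login ID"]
            return "Establish Link"
        if not found:                             # No Matches Found
            if self.trusted:
                users.append(OIMUser(staging["Login ID"], staging["Email"],
                                     staging["Last Name"]))
                return "Create User"
            return "No Action"   # target resource mode never creates users
        return "No Action"       # several candidates: assumption, leave for manual review


def seed_users() -> List[OIMUser]:
    """Constructed Oracle Identity Manager users: two people sharing a last name."""
    return [OIMUser("jdoe", "john.doe@example.com", "Doe"),
            OIMUser("jadoe", "jane.doe@example.com", "Doe")]
```

Two practical consequences follow from the model. First, the rule elements decide who gets linked: matching on a field that is unique in the OIM - User data set (here the e-mail address) links exactly one user, while matching on a non-unique field such as the last name yields several candidates and no link, which is the safe outcome but one that needs follow-up. Second, only the trusted source configuration can mint users from "No Matches Found", so the feed behind a trusted source connector deserves the validation providers and failure threshold described earlier: anyone who can write to that feed can otherwise create identities.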


The user group to which the creator of the generic technology connector belongs is made the administrator of the following connector objects that are created automatically during the generic technology connector creation process:

  • IT resource

  • Resource object (Administrator and Object Authorizer)

  • All forms

  • Process definition

  • Reconciliation fields

  • Reconciliation field mappings

16.4.2 Only Reconciliation Is Selected

See "Both Reconciliation and Provisioning Are Selected" for the list of objects that are created when you select both the Reconciliation and Provisioning options. From that list, the following objects are not created when you select only the Reconciliation option on the Step 1: Basic Information page:

  • Generic adapter.

  • Provisioning-specific process tasks.

    However, the process definition itself and its constituent system-defined process tasks are created.

16.4.3 Only Provisioning Is Selected

See "Both Reconciliation and Provisioning Are Selected" for the list of objects that are created when you select both the Reconciliation and Provisioning options. From that list, the following objects are not created when you select only the Provisioning option on the Step 1: Basic Information page:

  • Scheduled task

  • Reconciliation rule

  • Reconciliation fields

  • Reconciliation field mappings

16.5 Roadmap for Information on Generic Technology Connectors in This Guide

The following is an overview of the remaining chapters and appendixes on generic technology connectors: