Oracle Identity Manager provides client applications with the Identity Management service, which makes use of the Service Provisioning Markup Language (SPML).
This chapter describes the SPML XSD Web service interfaces supported by Oracle Identity Manager. It contains the following topics:

Note: Oracle Identity Manager does not support the SPML DSML service. However, you can manually deploy the spml-dsml.ear archive file for the Microsoft Active Directory password synchronization use case only.

- Modify Users, Roles, Change Attributes and Role Memberships (SPML Core Service: modifyRequest)
- Delete an Identity or Role (SPML Core Service: deleteRequest)
- Check if User is Active (SPML Suspend Service: activeRequest)
- Validate a Username (SPML Username Service: validateUsername)
- Lookup an Identity or Role (SPML Core Service: lookupRequest)
- Lookup Username Policy (SPML Username Service: lookupUsernamePolicy)
- SPML Attributes and LDAP Mappings, and Oracle Identity Manager Attributes
This section introduces the use of SPML services with the XSD profile in Oracle Identity Manager.
Oracle Identity Manager provides the identity management service to enable client applications to manage identities (users and roles). The service makes use of the Service Provisioning Markup Language (SPML), which is an XML framework based on specifications from the OASIS committee that provides for exchanging user, resource and service provisioning information.
This document lists and describes the SPML interactions that Oracle Identity Manager supports.
SPML has two profiles: the XSD profile and the DSML profile. This release of Oracle Identity Manager makes use of the XSD profile.
The SPML specification allows interactions to be synchronous or asynchronous.
Oracle Identity Manager supports only asynchronous interactions for add, modify, delete, suspend, and resume requests: it responds immediately with a pending status, and it is up to the requestor to obtain the current state by issuing a statusRequest. All username services are synchronous. Lookup is supported for users and roles, is performed synchronously, and can use the entity key, the unique user or role name, the LDAP GUID, or the LDAP DN. Of these, LDAP GUID and LDAP DN are applicable only when LDAP synchronization is enabled.
For search APIs in the Identity Management realm, refer to Oracle Identity Management APIs in the Oracle Fusion Middleware Java API Reference for Oracle Identity Manager.
The integration interface is defined in terms of the Service Provisioning Markup Language (SPML). In Oracle Identity Manager, implementation of SPML supports managing identities and roles, and username reservation capabilities.
Both the asynchronous and synchronous execution modes are supported, although not all services support both modes. If an invalid mode is specified in a request, the service returns an unsupportedExecutionMode SPML error code.
To use the SPML services, the application must create a Web service client. The WSDL for this client is available at the following URL:
http://OIM_HOST:OIM_PORT/spml-xsd/SPMLService?WSDL
As an alternative, you can also navigate to the WSDL and XML schema definitions using a hosted SPML Web service end-point URL.
The XSD (oracle_common_pso.xsd) is available at: $OIM_HOME/features/spml-xsd.jar
Perform the following to ensure that SPML works with Oracle Identity Manager:
Oracle Identity Manager provides an admin role for SPML. A user with this admin role is able to perform SPML requests for all use cases. The name of the SPML admin role is SPML Admin.

The SPML Admin admin role has the following permissions:

- Create, modify, and delete users via request
- Search users on all the attributes
- Enable user status via request
- Disable user status via request
- Add role memberships via request
- Delete role memberships via request
- Search roles on all the attributes
- Create, modify, and delete roles via request
The SPML Admin admin role is a global admin role published to the TOP organization. Therefore, only System Administrator or Organization Administrator of the TOP organization can assign this admin role to any user, in scope of the TOP organization.
In a new deployment of Oracle Identity Manager, the SPML Admin admin role is not assigned to any users by default. As a result, System Administrator or Organization Administrator of the TOP organization must manually assign this role to relevant users. In addition, the SPML Admin admin role can be assigned in scope of the TOP organization with include hierarchy or include sub-orgs option enabled. As a result, all permissions of the SPML Admin admin role are assigned to the user for all organizations in Oracle Identity Manager.
Note: In an upgraded deployment of Oracle Identity Manager, the existing SPML users are upgraded to be assigned the SPML Admin admin role so that they can continue to perform SPML requests.

To assign the SPML Admin admin role to a user:

1. Log in to Oracle Identity Self Service. If you want to assign the SPML Admin admin role to a new user, then create the user.
2. Open the TOP organization, and click the Admin Roles tab.
3. Select the SPML Admin admin role, and assign the user to this role.
4. Modify the newly added membership to select the include-suborgs option, and then click Apply.
Autoapproval policy rules are required so that SPML requests are auto-approved. In Oracle Identity Manager 11g Release 2 (11.1.2.2.0), there are no request templates. Therefore, the autoapproval policy rules must be manually created by System Administrators for each SPML user.
The autoapproval policies can be based on user login, and the approval process configuration for each policy must be set to Auto Approval. You must create autoapproval policies for each SPML operation, such as create user, modify user, create role, and so on, so that all SPML requests raised by the SPML user for these operations are approved at both the request level and the operational level.
Note: Only request-level approval policies are required for role create, role modify, and role delete operations.

To create the autoapproval policy rules:

1. Create new autoapproval policy rules for the following:
   - Create user request level
   - Create user operation level
   - Modify user request level
   - Modify user operation level
   - Delete user request level
   - Delete user operation level
   - Enable user request level
   - Enable user operation level
   - Disable user request level
   - Disable user operation level
   - Assign roles request level
   - Assign roles operation level
   - Remove roles request level
   - Remove roles operation level
   - Create role request level
   - Modify role request level
   - Delete role request level
2. Create rules in each policy based on the user login. Ensure that user login evaluation is case-sensitive. Figure 32-1 shows a sample rule.
Note: The autoapproval policies created for an SPML user based on the user login cause all requests raised by that user to be auto-approved, irrespective of whether the request is raised via SPML, the UI, or any other flow.

To create an identity with user or role attributes, you implement the addRequest operation, which supports the asynchronous execution mode. Successful request submission returns a request submission tracking identifier, and the request status is listed as pending.
When creating a user, you can also assign role memberships to that user by using the addRequest operation. To do this, you must use the SPML reference capability with typeOfReference set to memberOf and include the role GUID as PSO reference ID.
Note: If the username or password attributes are not provided, those attributes can be autogenerated in Oracle Identity Manager if the appropriate plug-ins are installed.

To create a user with a given password, provide the user password in Base64-encoded format within the SPML create user payload. For example:

```xml
<pso:password>
  <pso:value>V2VsY29tZTc=</pso:value>
</pso:password>
```

You can use any standard Java library to obtain the Base64-encoded value for a string. An example of such a library is the Apache Commons Codec library: org.apache.commons.codec.binary.Base64.encodeBase64("PASSWORD".getBytes()).

Roles created by a user with the SPML Admin admin role are automatically published to the TOP organization, including its suborganizations.
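The following is an added example, not Oracle's code, showing how a client assembles the addRequest described above (Base64-encoded password under pso:password/pso:value, role memberships as memberOf references with the role GUID as the PSO reference ID) and reads it back to check what is about to be sent. The SPML core and reference-capability namespaces are the OASIS SPML v2 ones; the PSO schema namespace and the child-element layout under pso:identity are assumptions, marked as such in the code.

```python
# Added example (not Oracle's code): build an SPML v2 addRequest for an
# identity that carries a Base64-encoded password and memberOf references to
# roles, then parse it back to confirm the payload is shaped as the text describes.
import base64
import xml.etree.ElementTree as ET

SPML_NS = "urn:oasis:names:tc:SPML:2:0"            # SPML v2 core namespace (on the page)
REF_NS = "urn:oasis:names:tc:SPML:2:0:reference"   # SPML v2 reference capability namespace
PSO_NS = "urn:example:oim-pso:PLACEHOLDER"         # OIM PSO schema namespace: placeholder assumption

for prefix, uri in (("spml", SPML_NS), ("spmlref", REF_NS), ("pso", PSO_NS)):
    ET.register_namespace(prefix, uri)


def encode_password(password: str) -> str:
    """Base64-encode the password as the create-user payload expects.
    Base64 is an encoding, not a protection: confidentiality comes from the
    wss11 message-protection policy on the service, not from this step."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def build_add_request(username: str, common_name: str, password,
                      role_guids: list, target_id: str = "OIM") -> str:
    """Serialize an asynchronous addRequest (the only mode addRequest supports).
    Child-element names under <pso:identity> are assumed to equal the Identity
    PSO attribute names; the capabilityData/reference layout follows SPML v2."""
    req = ET.Element(f"{{{SPML_NS}}}addRequest", requestID="constructed-1",
                     executionMode="asynchronous", targetID=target_id)
    data = ET.SubElement(req, f"{{{SPML_NS}}}data")
    identity = ET.SubElement(data, f"{{{PSO_NS}}}identity")
    ET.SubElement(identity, f"{{{PSO_NS}}}username").text = username
    ET.SubElement(identity, f"{{{PSO_NS}}}commonName").text = common_name
    if password is not None:  # omit it to let OIM autogenerate the password
        # <pso:password><pso:value>BASE64</pso:value></pso:password>, as on the page.
        pwd = ET.SubElement(identity, f"{{{PSO_NS}}}password")
        ET.SubElement(pwd, f"{{{PSO_NS}}}value").text = encode_password(password)
    if role_guids:
        # Role memberships: reference capability, typeOfReference="memberOf",
        # with the role GUID as the PSO reference ID.
        cap = ET.SubElement(req, f"{{{SPML_NS}}}capabilityData",
                            mustUnderstand="true", capabilityURI=REF_NS)
        for guid in role_guids:
            ref = ET.SubElement(cap, f"{{{REF_NS}}}reference", typeOfReference="memberOf")
            ET.SubElement(ref, f"{{{REF_NS}}}toPsoID", ID=guid, targetID=target_id)
    return ET.tostring(req, encoding="unicode")


def parse_add_request(xml_text: str) -> dict:
    """Read back the fields a reviewer would check before the request is sent."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SPML_NS}}}addRequest":
        raise ValueError("root element is not an SPML addRequest")
    identity = root.find(f"{{{SPML_NS}}}data/{{{PSO_NS}}}identity")
    if identity is None:
        raise ValueError("addRequest carries no identity PSO")
    encoded = identity.findtext(f"{{{PSO_NS}}}password/{{{PSO_NS}}}value")
    # validate=True rejects non-Base64 characters instead of silently skipping them.
    password = base64.b64decode(encoded, validate=True).decode("utf-8") if encoded else None
    roles = [to.get("ID") for to in root.iterfind(
        f"{{{SPML_NS}}}capabilityData/{{{REF_NS}}}reference[@typeOfReference='memberOf']"
        f"/{{{REF_NS}}}toPsoID")]
    return {"executionMode": root.get("executionMode"),
            "username": identity.findtext(f"{{{PSO_NS}}}username"),
            "password": password,           # None when OIM is left to autogenerate it
            "memberOf": roles}


if __name__ == "__main__":
    # Sample values are constructed; the GUID is the one used in the lookup examples.
    xml = build_add_request("jsmith", "John Smith", "Welcome7",
                            ["CEF2C4F20E5BF04DE040F20A9681408D"])
    print(xml)
    print(parse_add_request(xml))
```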
Table 32-1 lists the features of identity creation with the addRequest operation.

Table 32-1 Identity Creation with addRequest

| Item/Feature | Description |
|---|---|
| SPML Execution Mode | Asynchronous only |
| Input | Optional, reference capability for role memberships. |
| Output | |
| Processing | The add operation allows adding an identity. Optionally, existing roles may be assigned to the identity. The runtime errors are reported by using the |
| Examples | See the Appendix for these examples: |
You implement the SPML modifyRequest service for these tasks:

- to assign or revoke role memberships for an existing user (identity)
- to modify an existing role
- to modify user attributes
Table 32-2 lists the features of role membership management with the modifyRequest operation.

Table 32-2 Role Membership Management with modifyRequest

| Item/Feature | Description |
|---|---|
| SPML Execution Mode | Asynchronous |
| Input | Use modificationMode=" Role memberships declared using Reference capability, with typeOfReference=" |
| Output | |
| Processing | This operation checks the SPML execution mode for both identity and role. An invalid execution mode returns an If the modify request does not contain an identity PSO object, or contains invalid GUIDs, the operation returns Other runtime errors are reported using the customError SPML custom error code. |
| Examples | See the Appendix for these examples: |
You implement the SPML deleteRequest service to delete an existing role or user, as described in Table 32-3.

Table 32-3 Role Membership Deletion with deleteRequest

| Item/Feature | Description |
|---|---|
| SPML Execution Mode | Asynchronous |
| Input | |
| Output | |
| Processing | The deleteRequest operation allows deletion of an existing identity or existing role. This operation checks the SPML execution mode for both identity and role. An invalid execution mode returns an If the delete request does not contain an identity PSO object, or contains invalid GUIDs, the operation returns Other runtime errors are reported using |
| Examples | See the example "SPML Example - Delete Role". |
The status operation enables a requestor to determine whether an asynchronous operation:

- has failed
- is pending
- has completed successfully

For any asynchronous operation, once the request is submitted, only validation errors can be returned in the immediate response. Any later errors are returned in the status response. If the statusRequest returns the request status as failed, then the statusResponse might also carry an error message.
Table 32-4 lists the features of the statusRequest operation.

Table 32-4 Check Request Status

| Item/Feature | Description |
|---|---|
| SPML Execution Mode | Synchronous |
| Input | |
| Output | |
| Processing | The status operation accepts the attribute If the operation identifier is invalid, the The result of the status operation is provided in the status attribute of |
| Example | See the example "SPML Example - Status Request". |
The SPML listTargets service enables a requestor to obtain the set of targets that a provider makes available for provisioning. The service also returns:

- the object types that each target supports
- the set of capabilities that the provider supports for each object in each target

The only target currently supported is Oracle Identity Manager; the object types that we support are all Oracle Identity Manager object types.
Table 32-5 lists the features of obtaining targets with listTargets.

Table 32-5 Obtaining Targets with listTargets

| Item/Feature | Description |
|---|---|
| SPML Execution Mode | Synchronous |
| Input | |
| Output | |
| Processing | Only the XML Schema profile is supported. Any other profile request results in a failure with the A single, static provisioning target named The response is generated by inserting the PSO object schemas, the list of supported capabilities for each PSO, and the schema for the operation data capability into a |
The suspend operation enables the requestor to suspend a user.

Table 32-6 lists the features of the suspendRequest operation.

Table 32-6 Suspending a User with suspendRequest

| Item/Feature | Description |
|---|---|
| SPML Execution Mode | Asynchronous |
| Input | |
| Output | |
| Processing | This operation requires a valid user PSO ID and optionally an effective suspension date. If the PSO identifier is invalid, the The suspend operation is applicable for users only. It returns |
| Examples | See the example "SPML Example - Suspend User". |
The resumeRequest operation enables the requestor to resume (enable) a suspended user.

Table 32-7 lists the features of the resumeRequest operation.

Table 32-7 Re-enabling a User with resumeRequest

| Item/Feature | Description |
|---|---|
| SPML Execution Mode | Asynchronous |
| Input | |
| Output | |
| Processing | This operation requires a valid user PSO ID and optionally an effective resumption date. If the PSO identifier is invalid, the The resume operation is applicable for users only. It returns |
| Examples | See the example "SPML Example - Resume User". |
The activeRequest operation enables a requestor to determine whether a specified user is active or has been suspended.

Table 32-8 lists the features of the activeRequest operation.

Table 32-8 Checking if User Has Been Suspended with activeRequest

| Item/Feature | Description |
|---|---|
| SPML Execution Mode | Synchronous |
| Input | activeRequest element as defined by [SPMLv2]. |
| Output | activeResponse element as defined by [SPMLv2]. |
| Processing | This operation requires a valid user PSO ID. If the PSO identifier is invalid, the noSuchIdentifier error code is returned. If the request is valid and the specified user exists, the provider must get the user status. The activeRequest operation is applicable for users only. It returns the unsupportedOperation error if the PSO object is not an identity. |
| Examples | See the example "SPML Example - Check If User is Active". |
The validateUsername operation enables a requestor to determine whether a username already exists or is reserved.

Table 32-9 lists the features of the validateUsername operation.

Table 32-9 Checking Username Validity with validateUsername

| Item/Feature | Description |
|---|---|
| SPML Execution Mode | Synchronous |
| Input | userName is the only input parameter accepted. |
| Output | |
| Processing | This operation takes a username and checks whether the username exists. Processing errors are reported with SPML |
| Examples | See the example "SPML Example - Validate User Name". |
The suggestUsername operation enables a requestor to obtain a valid username for a given policy.

Table 32-10 lists the features of the suggestUsername operation.

Table 32-10 Obtaining a Username with suggestUsername

| Item/Feature | Description |
|---|---|
| SPML Execution Mode | Synchronous |
| Input | |
| Output | |
| Processing | This operation takes user information and uses it to construct a username based on the applicable username policy. Processing errors are reported with SPML |
| Examples | See the example "SPML Example - Suggest User Name". |
The lookupRequest operation enables a requestor to look up a user or role in the system by using any one of the entity key, the user/role name, the LDAP GUID, or the LDAP DN. Of these, LDAP GUID and LDAP DN are applicable only in an environment for which LDAP synchronization is enabled. Lookup is supported only in synchronous mode.

The requestor can also choose to filter the response by using the returnData attribute, whose default value is everything. The returnData attribute can have the following values:

- returnData='identifier': The provider returns only the identifier of the requested object.
- returnData='data': The provider returns the identifier of the requested object and all the attributes associated with that object.
- returnData='everything': The provider returns the identifier of the requested object, all the attributes associated with that object, and any capability data associated with the requested object. For an identity lookup, the capability data contains the direct or indirect roles the user has. For a role lookup, the capability data contains the parent roles and the direct or indirect child roles.

Any user can perform the lookup by using the SPML interface. Based on authorization, the requestor can look up a user or a role. If the requestor lacks the appropriate authorization privilege, then an error code is returned in the SPML response. Only the attributes that the requestor is authorized to view are returned in the response.
Table 32-11 lists the features of the lookupRequest operation.

Table 32-11 Identity/Role Lookup using lookupRequest

| Item/Feature | Description |
|---|---|
| SPML Execution Mode | Synchronous |
| Input | lookupRequest element as defined by [SPMLv2]. |
| Output | lookupResponse element as defined by [SPMLv2]. |
| Processing | This operation requires a valid PSO ID in the following format: `psoID ID="ENTITY_TYPE:PSO_ID_TYPE:LOOKUP_VALUE"`. Here, ENTITY_TYPE is identity or role (mandatory); PSO_ID_TYPE is key, DN, GUID, or name (optional); LOOKUP_VALUE is a valid value for the lookup (mandatory). Example values: `identity:key:6`, `identity:6`, `identity:name:JohnSmith`, `identity:dn:cn=john,cn=Users,dc=us,dc=oracle,dc=com`, `identity:guid:CEF2C4F20E5BF04DE040F20A9681408D`, `role:key:6`, `role:6`, `role:name:ManagerRole`, `role:dn:cn=ManagerRole,cn=Groups,dc=us,dc=oracle,dc=com`, `role:guid:CEF2C4F20E5BF04DE040F20A9681408D`. If the PSO identifier does not exist, then an error code is returned. If the request is valid and the specified user or role exists, then, depending on the returnData attribute, the result is returned in the lookupResponse. |
| Examples | See the example "SPML Example - Identity/Role Lookup". |
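As an added example that is not part of the Oracle documentation, the parser below validates PSO IDs in the ENTITY_TYPE:PSO_ID_TYPE:LOOKUP_VALUE format from Table 32-11 (including the optional PSO_ID_TYPE and DN values containing '=' and ',') and wraps a validated ID in a synchronous lookupRequest with a checked returnData value. The SPML core namespace is the OASIS SPML v2 one; the requestID value is constructed.

```python
# Added example (not Oracle's code): parse and validate PSO IDs in the
# ENTITY_TYPE:PSO_ID_TYPE:LOOKUP_VALUE format used by lookupRequest, and
# build a synchronous lookupRequest around one.
import xml.etree.ElementTree as ET

SPML_NS = "urn:oasis:names:tc:SPML:2:0"   # SPML v2 core namespace (on the page)
ET.register_namespace("spml", SPML_NS)

ENTITY_TYPES = {"identity", "role"}
ID_TYPES = {"key", "dn", "guid", "name"}            # PSO_ID_TYPE values, compared case-insensitively
RETURN_DATA = {"identifier", "data", "everything"}  # returnData values from the page


def parse_pso_id(pso_id: str) -> tuple:
    """Return (entity_type, id_type_or_None, lookup_value).

    ENTITY_TYPE is mandatory; PSO_ID_TYPE is optional, so the token after the
    first ':' is taken as the type only when it is a known type AND a value
    follows it (hence 'identity:6' is an untyped lookup of '6').  Everything
    after the consumed tokens is the value untouched, so a DN keeps its '=',
    ',' and any ':' characters."""
    entity, sep, rest = pso_id.partition(":")
    entity = entity.strip().lower()
    if not sep or entity not in ENTITY_TYPES:
        raise ValueError(f"ENTITY_TYPE must be identity or role: {pso_id!r}")
    maybe_type, sep2, tail = rest.partition(":")
    if sep2 and maybe_type.strip().lower() in ID_TYPES:
        id_type, value = maybe_type.strip().lower(), tail.strip()
    else:
        id_type, value = None, rest.strip()
    if not value:
        raise ValueError(f"LOOKUP_VALUE is mandatory: {pso_id!r}")
    return entity, id_type, value


def build_lookup_request(pso_id: str, return_data: str = "everything") -> str:
    """Serialize a lookupRequest; lookup is synchronous only in OIM.  The ID is
    validated client-side so a malformed value never reaches the service."""
    if return_data not in RETURN_DATA:
        raise ValueError(f"returnData must be one of {sorted(RETURN_DATA)}")
    parse_pso_id(pso_id)
    req = ET.Element(f"{{{SPML_NS}}}lookupRequest", requestID="constructed-1",
                     executionMode="synchronous", returnData=return_data)
    ET.SubElement(req, f"{{{SPML_NS}}}psoID", ID=pso_id)
    return ET.tostring(req, encoding="unicode")


if __name__ == "__main__":
    # The example values from Table 32-11.
    for sample in ("identity:key:6", "identity:6", "identity:name:JohnSmith",
                   "identity:dn:cn=john,cn=Users,dc=us,dc=oracle,dc=com",
                   "role:guid:CEF2C4F20E5BF04DE040F20A9681408D"):
        print(sample, "->", parse_pso_id(sample))
    print(build_lookup_request("role:name:ManagerRole", "data"))
```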
The resetPasswordRequest operation enables a requestor to reset the password for a user.

Table 32-12 lists the features of the resetPasswordRequest operation.

Table 32-12 Resetting the User Password with resetPasswordRequest

| Item/Feature | Description |
|---|---|
| SPML Execution Mode | Synchronous |
| Input | Optional notification data for controlling end-user email notification. |
| Output | |
| Processing | This operation takes the user key or user GUID as input to reset the password with a randomly generated password. Optionally, notification data can be sent as input as: Processing errors are reported with SPML |
| Examples | See the following examples: |
The lookupUsernamePolicy operation enables a requestor to obtain details about the configured username policy in Oracle Identity Manager. You can also provide a locale in the request to obtain details in that locale.

Table 32-13 lists the features of the lookupUsernamePolicy operation.

Table 32-13 Lookup Username Policy Details with lookupUsernamePolicy

| Item/Feature | Description |
|---|---|
| SPML Execution Mode | Synchronous |
| Input | |
| Output | lookupUsernamePolicyResponse element as defined by [SPMLv2]. |
| Processing | This operation returns the information about the configured user name policy in Oracle Identity Manager. |
| Examples | See the example "SPML Example - Lookup User Name Policy". |
The cancelRequest operation enables the requestor to withdraw the specified request ID. If the request is withdrawn successfully, then all the pending approvals are also withdrawn. Only the requester of the submitted request can withdraw it.

Table 32-14 lists the features of the cancelRequest operation.

Table 32-14 Cancel a Request with cancelRequest

| Item/Feature | Description |
|---|---|
| SPML Execution Mode | Synchronous |
| Input | cancelRequest element as defined by [SPMLv2]. |
| Output | cancelResponse element as defined by [SPMLv2]. |
| Processing | This operation cancels (withdraws) the specified request. The runtime errors are reported by using the customError SPML custom error code. |
| Examples | See the example "SPML Example - Cancel Request". |
The batch operation combines any number of individual requests into a single request as defined by SPML v2. For example, creating a user Robert Klein, updating a user Terrence Hill, deleting a user John Doe, and resetting the password for a user Jane Doe can all be combined into a single request.

The batch request does not support transactional semantics: the failure of a nested request does not undo a nested request that has already completed. Each individual response occupies the same position within the <batchResponse> that the corresponding individual request occupies within the <batchRequest>.

This operation supports parallel processing only ("processing='parallel'") and runs the nested requests within the <batchRequest> in any order. When an error condition occurs, it continues processing the subsequent sub-requests, as specified by "onError='resume'". If a request fails to be processed, then the next request is processed. If one or more of the nested requests in that batch fails, then the operation returns a <batchResponse> with "status='failure'", even if some of the requests in that batch succeed.

Table 32-15 lists the features of the batchRequest operation.

Table 32-15 Executing Batch Request with batchRequest

| Item/Feature | Description |
|---|---|
| SPML Execution Mode | Synchronous |
| Input | |
| Output | |
| Processing | This operation supports only four types of sub-requests: addRequest for identity, modifyRequest for identity, deleteRequest for identity, and resetPasswordRequest. |
| Examples | See the example "SPML Example - Batch Request". |
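Because a batch has no transactional semantics and the only link between a nested request and its result is position, a client needs to correlate the two explicitly. The following added example (not Oracle's code) does that over a constructed batchRequest/batchResponse pair, rejects envelopes that do not use the processing='parallel' and onError='resume' settings or carry sub-request types outside the four supported ones, and checks that the overall status is 'failure' whenever any nested response failed; the nested response element names and status/error attributes follow SPML v2, and the noSuchIdentifier error code is the one used elsewhere on this page.

```python
# Added example (not Oracle's code): correlate a batchResponse with its
# batchRequest by position and check the failure rule the page states.
# Both XML documents below are constructed samples.
import xml.etree.ElementTree as ET

SPML_NS = "urn:oasis:names:tc:SPML:2:0"   # SPML v2 core namespace (on the page)
# Sub-request types the page says OIM accepts inside a batchRequest.
ALLOWED_NESTED = {"addRequest", "modifyRequest", "deleteRequest", "resetPasswordRequest"}


def local_name(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def nested_request_types(batch_request_xml: str) -> list:
    """Validate the batch envelope and return the nested request types in order."""
    root = ET.fromstring(batch_request_xml)
    if local_name(root.tag) != "batchRequest":
        raise ValueError("root element is not batchRequest")
    # OIM supports only parallel processing with onError='resume'.
    if root.get("processing") != "parallel" or root.get("onError") != "resume":
        raise ValueError("OIM supports only processing='parallel' and onError='resume'")
    types = [local_name(child.tag) for child in root]
    unsupported = [t for t in types if t not in ALLOWED_NESTED]
    if unsupported:
        raise ValueError(f"unsupported nested request(s): {unsupported}")
    return types


def correlate_batch(batch_request_xml: str, batch_response_xml: str) -> dict:
    """Pair request i with response i.  A failed entry says nothing about its
    neighbours (no rollback), but if any entry failed the overall status must
    be 'failure'; `consistent` records whether the provider honoured that."""
    types = nested_request_types(batch_request_xml)
    resp = ET.fromstring(batch_response_xml)
    if local_name(resp.tag) != "batchResponse":
        raise ValueError("root element is not batchResponse")
    entries = list(resp)
    if len(entries) != len(types):
        raise ValueError("batchResponse must carry one response per nested request")
    rows = []
    for pos, (rtype, entry) in enumerate(zip(types, entries)):
        expected_name = rtype.replace("Request", "Response")
        rows.append({
            "position": pos,
            "request": rtype,
            "response": local_name(entry.tag),
            "matches": local_name(entry.tag) == expected_name,
            "status": entry.get("status"),
            "error": entry.get("error"),   # SPML error code, if any
        })
    any_failed = any(r["status"] == "failure" for r in rows)
    overall = resp.get("status")
    return {"rows": rows, "overall": overall,
            "consistent": (overall == "failure") if any_failed else True}


# Constructed sample: four nested requests, the third of which fails.
SAMPLE_BATCH_REQUEST = f"""<batchRequest xmlns="{SPML_NS}" requestID="constructed-batch"
              processing="parallel" onError="resume">
  <addRequest requestID="r1" executionMode="asynchronous"/>
  <modifyRequest requestID="r2" executionMode="asynchronous"/>
  <deleteRequest requestID="r3" executionMode="asynchronous"/>
  <resetPasswordRequest requestID="r4" executionMode="synchronous"/>
</batchRequest>"""

SAMPLE_BATCH_RESPONSE = f"""<batchResponse xmlns="{SPML_NS}" requestID="constructed-batch" status="failure">
  <addResponse requestID="r1" status="pending"/>
  <modifyResponse requestID="r2" status="pending"/>
  <deleteResponse requestID="r3" status="failure" error="noSuchIdentifier"/>
  <resetPasswordResponse requestID="r4" status="success"/>
</batchResponse>"""

if __name__ == "__main__":
    result = correlate_batch(SAMPLE_BATCH_REQUEST, SAMPLE_BATCH_RESPONSE)
    for row in result["rows"]:
        print(row)
    print("overall:", result["overall"], "consistent:", result["consistent"])
```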
This section explains how to secure SPML Web services. It contains these topics:

The SPML XSD Web service uses Oracle Web Services Security Manager to provide security. The SPML Web services are protected by using the following policies:

Note: The SPML XSD profile Web services can be loaded only by users that are members of the SPML_App_Role. This is done for added security.

See Oracle Fusion Middleware Security and Administrator's Guide for Web Services for information about configuring the MBeans for the Web service.

- SAML or username token service policy with message protection: oracle/wss11_username_token_with_message_protection_client_policy
- In the Fusion Applications environment, with the username token and message protection security: oracle/wss11_username_token_with_message_protection_client_policy

The default policy can be changed using Oracle Enterprise Manager Fusion Middleware Control.

A sample request looks like this:

```xml
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <soap:Header>
    <ns1:Security>
      <ns1:UsernameToken>
        <ns1:Username>weblogic</ns1:Username>
        <ns1:Password>weblogic1</ns1:Password>
      </ns1:UsernameToken>
    </ns1:Security>
  </soap:Header>
  <soap:Body xmlns:ns1="urn:oasis:names:tc:SPML:2:0">
    <ns1:listTargetsRequest />
  </soap:Body>
</soap:Envelope>
```
At deployment time, the administrator can use the Oracle Enterprise Manager Fusion Middleware Control Console to apply the correct security policy to protect the service. Refer to the following documentation for details about using Fusion Middleware Control: "Accessing the Security and Administration Tools" in the Oracle Fusion Middleware Security and Administrator's Guide for Web Services.
Oracle Identity Manager 11g Release 2 (11.1.2.2.0) does not support the following SPML operations as part of the XSD profile:

- Search user
- Search role
- Any operation, such as create, modify, delete, or search, on organizations
The SPML XSD Web Service uses Oracle Identity Manager as a back-end service to provide provisioning functionality to Fusion applications. A key building block of the SPML Web Service is the SPML Provisioning Service Object (PSO), which defines the object to be provisioned. Examples of PSO are identity and role.
This appendix shows the supported PSO attributes and their LDAP mappings, and explains the character restrictions on Oracle Identity Manager attributes. Finally, it describes additional operational data that the application can pass to the SPML Web Service. It contains the following sections:
Table 32-16 shows the identity attributes supported by the SPML implementation in Oracle Identity Manager and how these attributes map to LDAP objects/attributes.

Note: The Syntax column lists relevant attribute properties such as the type, whether the attribute is required, and so on.

Table 32-16 Identity PSO Attributes

| SPML Attribute Name | Syntax | Description | LDAP Mapping (Oracle Internet Directory) |
|---|---|---|---|
| ID | String, Read-Only, Required, Single | The identifier used to identify a user for a modify request. | orclUserV2: orclguid |
| activeEndDate | Timestamp, Single | Termination time and date for the user. | orclUserV2: orclActiveEndDate |
| activeStartDate | Timestamp, Single | Activation time and date for the user. | orclUserV2: orclActiveStartDate |
| commonName | String, Required | The common names of the person, typically the person's full name and any variations of the same. | person: cn |
| countryName | String, Single | The business country of the person, expressed as a two-letter [ISO3166] country code. | orclUserV2: c |
| departmentNumber | String, Single | Codes for the departments within an organization to which this person belongs. This can be strictly numeric or alphanumeric. | inetOrgPerson: departmentNumber |
| description | String, Single | Human-readable descriptive phrases about the person. | person: description |
| displayName | String, Single, MLS | The preferred name to use when displaying an entry for the person. Provides MultiLingual Support (MLS) and also accepts language values for locale, for example "en" and "fr". | inetOrgPerson: displayName |
| employeeNumber | String, Single | Numeric or alphanumeric identifier assigned to a person, typically based on order of hire or association with an organization. | inetOrgPerson: employeeNumber |
| employeeType | String, Single | Identifies the type of employee. For the list of valid values, see Table 32-17. | inetOrgPerson: employeeType |
| facsimileTelephoneNumber | String, Single | Telephone numbers for the person's business facsimile (FAX) terminals. | organizationalPerson: facsimileTelephoneNumber |
| generationQualifier | String, Single | Name strings that are typically the suffix part of the person's name (for example, "III", "3rd", "Jr."). | N/A |
| givenName | String, Single | Name strings that are part of a person's name that is not their surname (for example, first name). | inetOrgPerson: givenName |
| hireDate | Timestamp, Single | Date of hire. | orclUserV2: orclHireDate |
| homePhone | String, Single | Home telephone numbers associated with the person. | inetOrgPerson: homePhone |
| homePostalAddress | String, Single | The home postal addresses of the person. | inetOrgPerson: homePostalAddress |
| initials | String, Single | Some or all of an individual's names, except the surname(s). | inetOrgPerson: initials |
| localityName | String, Single | Names of a business locality or place, such as a city, county, or other geographic region. | N/A |
| | String, Single | Business Internet mail addresses of the person in Mailbox [RFC2821] form. | inetOrgPerson: mail |
| manager | String, Single | The manager of the person. | N/A |
| middleName | String, Single | The middle names of the person. | orclUserV2: middleName |
| mobile | String, Single | Mobile telephone numbers associated with the person. | inetOrgPerson: mobile |
| organization | String, Single | Name of an organization, for example, my_company. | organization |
| organizationUnit | String, Single | Name of a unit within an organization, for example, IT Support. | organizationalUnitName |
| pager | String, Single | The business pager telephone numbers of the person. | inetOrgPerson: pager |
| password | String, Single | Password of the user. | person: userPassword |
| postalAddress | String, Single | Business addresses used by a Postal Service to perform services for the person. | organizationalPerson: postalAddress |
| postalCode | String, Single | Codes used by a Postal Service to identify postal service zones of the person's business. | organizationalPerson: postalCode |
| postOfficeBox | String, Single | Postal box identifiers that a Postal Service uses when a customer arranges to receive mail at a box on the premises of the Postal Service. | organizationalPerson: postOfficeBox |
| preferredLanguage | String, Single | The preferred written or spoken language for the person. This is useful for international correspondence or human-computer interaction. Values for this attribute type MUST conform to the definition of the Accept-Language header field defined in [RFC2068] with one exception: the sequence "Accept-Language" ":" should be omitted. | inetOrgPerson: preferredLanguage |
| state | String, Single | Full names of business states or provinces of the person. | organizationalPerson: st |
| street | String, Single | Site information from a business postal address (that is, the street name, place, avenue, and the house number) of the person. | organizationalPerson: street |
| surname | String, Single | Name strings for the family names (last name) of the person. | person: sn |
| telephoneNumber | String, Single | Business telephone number of the person. | organizationalPerson: telephoneNumber |
| title | String, Single | Title of the person in their organizational context. | organizationalPerson: title |
| username | String, Single | Computer system login names associated with the person. | uid |
| userType | String, Single | The type of user. This attribute is used to provide Design Console access to end users. The allowed values are true and false. | |
Table 32-17 shows the valid values for the employeeType attribute:

Table 32-17 Valid Values of employeeType

| Value | Meaning |
|---|---|
| Full-Time | Full-Time Employee |
| Part-Time | Part-Time Employee |
| Temp | Temp |
| Intern | Intern |
| Consultant | Consultant |
| Contractor | Contractor |
| EMP | Employee |
| CWK | Contingent Worker |
| NONW | Non Worker |
| OTHER | Other Employee Type |

Note: Oracle Identity Manager passes only the codes shown in the Value column; the meaning of each code is shown for reference.

Custom attributes are provided to support Oracle Identity Manager functionality; these attributes are present in Oracle Identity Manager (such as when a user-defined field is added) but not in the PSO.

The custom attribute name must match the attribute name specified in the corresponding request dataset for the mapping to work end-to-end.

Here are some examples of custom attributes:

```xml
...
<data>
  <pso:identity>
    <pso:attributes>
      <pso:attr name="Number Format">
        <pso:value>#,##0.##[.,]</pso:value>
      </pso:attr>
      <pso:attr name="Currency">
        <pso:value>USD</pso:value>
      </pso:attr>
    </pso:attributes>
...
```
Table 32-18 lists the role attributes supported by the SPML implementation in Oracle Identity Manager and how these attributes map to LDAP objects/attributes.

Table 32-18 PSO Role Attributes

| Attribute Name | Syntax | Description |
|---|---|---|
| ID | String, Read-Only, Required, Single | The PSO identifier that uniquely identifies a role. Usually the directory GUID. |
| commonName | String, Required, MLS | The common name of the role. |
| description | Single | Human-readable role description. |
| displayName | String, Single, MLS | The preferred name to use when displaying an entry for the role. |

Custom attributes are provided to support Oracle Identity Manager functionality; these attributes are present in Oracle Identity Manager but not in the PSO.

The custom attribute name must match the attribute name specified in the corresponding request dataset for the mapping to work end-to-end.

Here is an example of a custom role attribute:

```xml
...
<pso:attributes>
  <pso:attr name="Role Category Name">
    <pso:value>Cat1</pso:value>
  </pso:attr>
...
```

Role Category Name is a special custom role attribute. It is the namespace for the roles. Each role belongs to a role category. The category can be specified while creating a new role; if it is not specified, then the Default role category is selected. Each combination of role category and role name uniquely identifies a role.
Table 32-19 lists the preference attributes supported by the SPML implementation in Oracle Identity Manager:
Table 32-19 Preference Attributes

Attribute Name | Syntax | Description | LDAP Mapping |
---|---|---|---|
Number Format | String | The format to display numbers | orclNumberFormat. Values are: #,##0.##[.,] #,##0.###[\u00A0,] #,##0.### #,##0.###;#,##0.###- #,##0.###[.,] #,##0.###;(#,##0.###)[.,] #,##0.##[\u00A0,] #,##0.###['.] #,##0.###[',] |
Currency | String | The symbol that must be used for currency | orclCurrency. Sample values are: USD YUN NZD INR |
Date Format | String | The format to display the date | orclDateFormat. Values are: MM-dd-yyyy MM-dd-yy MM.dd.yyyy MM.dd.yy MM/dd/yyyy MM/dd/yy M-d-yyyy M-d-yy M.d.yyyy M.d.yy M/d/yyyy M/d/yy dd-MM-yyyy dd-MM-yy d-M-yyyy d-M-yy dd.MM.yyyy dd.MM.yy d.M.yyyy d.M.yy dd/MM/yyyy dd/MM/yy d/M/yyyy d/M/yy yyyy-MM-dd yy-MM-dd yyyy-M-d yy-M-d yyyy.MM.dd yy.MM.dd yyyy.M.d yy.M.d yy. M. d yyyy/MM/dd yy/MM/dd yyyy/M/d yy/M/d |
Time Format | String | The format to display the time | orclTimeFormat. Values are: HH.mm HH.mm.ss HH:mm HH:mm:ss H:mm H:mm:ss H.mm H.mm.ss a hh.mm a hh.mm.ss a hh:mm a hh:mm:ss ah:mm ah:mm:ss hh.mm a hh.mm.ss a hh:mm a hh:mm:ss a |
Embedded Help | String | Whether or not to show embedded help | orclEmbeddedHelp. Values are: true false |
Font Size | String | The size of the font | orclFontSize. Values are: LARGE MEDIUM |
Color Contrast | String | Contrast of the color | orclColorContrast. Values are: STANDARD HIGH |
Accessibility Mode | String | Accessibility mode for the user | orclAccessibilityMode. Values are: screenReader inaccessible default |
FA Language | String | The default preference language | orclFALanguage |
User Name Preferred Language | String | The preferred language of the user, used only to show the display name of the user in that language. Note: The value set for this attribute is not used in Oracle Identity Manager. | orclDisplayNameLanguagePreference |
This section lists the character restrictions that apply to Oracle Identity Manager attributes. Failure to observe these restrictions causes errors when performing operations with those attributes.
Alphanumeric characters (a through z, A through Z, and 0 through 9) and the underscore character (_) can be used in all Oracle Identity Manager attributes.
There are no restrictions on the use of special characters in the password field. The only restriction on special characters in the password field is imposed by the password policy that applies to the user.
The user password must be provided in Base64-encoded format within the SPML payload. For example:
<pso:password>
  <pso:value>V2VsY29tZTc=</pso:value>
</pso:password>
The single quotation mark ( ' ) can be used only in the following attributes:
Login
Manager ID
First Name
Last Name
Middle Name
Group Name
Organization Name
Resource Name
The semicolon ( ; ) can be used only in access policy names.
The following special characters are not supported in any Oracle Identity Manager attribute:
Period ( . )
Number sign ( # )
Slash ( / )
Percent sign ( % )
Equal sign ( = )
Vertical bar ( | )
Plus sign ( + )
Comma ( , )
Backslash ( \ )
Double quotation mark ( " )
Less than symbol ( < )
Greater than symbol ( > )
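The restrictions above can be enforced on the requestor side before a payload is sent, so a bad value is rejected locally instead of surfacing later as an SPML error. The following Python is an added example, not code from Oracle Identity Manager or from this document. The attribute labels it keys on are assumptions (the "Password" label for the password field, and a hypothetical "Access Policy Name" label standing for access policy names); the forbidden-character set and the single-quote and semicolon rules are taken from the lists above, and the Base64 helpers reflect the payload requirement stated for passwords.

```python
import base64
import binascii

# Attributes in which the page permits a single quotation mark.
QUOTE_ALLOWED = frozenset({
    "Login", "Manager ID", "First Name", "Last Name", "Middle Name",
    "Group Name", "Organization Name", "Resource Name",
})

# Characters the page lists as unsupported in any Oracle Identity Manager attribute.
FORBIDDEN = frozenset('.#/%=|+,\\"<>')

# Hypothetical label for access policy names (assumption: the page names the
# object, not an attribute key); the only place a semicolon is permitted.
ACCESS_POLICY_NAME = "Access Policy Name"


def validate_attribute(name, value):
    """Return the restriction violations for one attribute value ([] means OK).

    Password values are exempt: the page imposes no character restriction on
    them beyond the password policy, and the payload carries them Base64-encoded.
    """
    if name == "Password":
        return []
    problems = []
    for ch in sorted(set(value)):
        if ch in FORBIDDEN:
            problems.append(f"{name}: character {ch!r} is not supported in any attribute")
        elif ch == "'" and name not in QUOTE_ALLOWED:
            problems.append(f"{name}: single quotation mark is not allowed here")
        elif ch == ";" and name != ACCESS_POLICY_NAME:
            problems.append(f"{name}: semicolon is allowed only in access policy names")
    return problems


def validate_identity(attrs):
    """Validate a whole attribute dict; returns every violation, in attribute order."""
    problems = []
    for name, value in attrs.items():
        problems.extend(validate_attribute(name, value))
    return problems


def encode_password(plain):
    """Base64-encode a password for <pso:password><pso:value>."""
    return base64.b64encode(plain.encode("utf-8")).decode("ascii")


def is_base64(value):
    """True only for strictly valid Base64 (correct alphabet and padding).

    A value that decodes but does not re-encode to itself (e.g. missing '=')
    is rejected, which catches the truncated form of the sample above.
    """
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return base64.b64encode(decoded).decode("ascii") == value


if __name__ == "__main__":
    # Constructed sample identity: one good value, one bad value per rule.
    sample = {"Login": "j.smith", "First Name": "O'Brien", "Title": "Mr;Dr"}
    for problem in validate_identity(sample):
        print(problem)
    print(encode_password("Welcome7"), is_base64("V2VsY29tZTc"))
```

Run the validator over the attribute map before serialising the addRequest or modifyRequest; rejecting the payload locally keeps the audit trail free of malformedRequest failures that carry no security meaning.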
A requesting application such as HCM Fusion Application acts as an SPML requestor. In addition to PSO data, the application can also pass operational data to the SPML Web Service. This section describes how applications pass that operational data.
It is possible to pass a requestor ID for each operation. The credentials that the Fusion application supplies in a request identify an application ID. For auditing purposes, a requestor ID can be passed as well; Oracle Identity Manager then audits this requestor ID, instead of the application ID, as the actual requestor of the operation.
Along with the requestorID, a justification for the request can also be specified.
The following is an example of the operation data:
...
  </pso:identity>
</data>
<capabilityData capabilityURI="http://xmlns.oracle.com/idm/identity/OperationData" mustUnderstand="true">
  <operationData xmlns="http://xmlns.oracle.com/idm/identity/OperationData"
      requestorGUID="1" justification="i need this account">
  </operationData>
</capabilityData>
</addRequest>
The application is also required to pass some reference data to SPML so that when a callback is received, it can be identified with the reference data for the callback in context. This is pass-through data, which is ignored by Oracle Identity Manager, but will be returned in the callback.
The following is an example that contains the LdapRequestId element:
...
  </pso:identity>
</data>
<capabilityData capabilityURI="http://xmlns.oracle.com/idm/identity/OperationData" mustUnderstand="true">
  <operationData xmlns="http://xmlns.oracle.com/idm/identity/OperationData"
      requestorGUID="1" justification="i need this account">
    <LdapRequestId xmlns="http://xmlns.oracle.com/apps/hcm/users/ldapRequestService/">102329090340</LdapRequestId>
  </operationData>
</capabilityData>
</addRequest>
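Because the requestorGUID is what Oracle Identity Manager audits as the actual requestor, and the justification is free text, a requestor should emit both through a proper XML serializer rather than string pasting. The following Python is an added example, not Oracle's code: it builds a minimal asynchronous addRequest carrying the OperationData block with XML escaping applied to every caller-supplied value, and reads the requestor, justification and pass-through LdapRequestId back out. The element and namespace names are the ones shown above; the assumption that a callback carries the same operationData element as the request is mine, and the identity values are constructed.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

SPML_NS = "urn:oasis:names:tc:SPML:2:0"
PSO_NS = "http://xmlns.oracle.com/idm/identity/PSO"
OPDATA_NS = "http://xmlns.oracle.com/idm/identity/OperationData"
LDAPREQ_NS = "http://xmlns.oracle.com/apps/hcm/users/ldapRequestService/"


def build_add_request(username, given_name, surname, requestor_guid,
                      justification, ldap_request_id=None):
    """Build an asynchronous addRequest that carries OperationData.

    requestorGUID and justification go through quoteattr(), element text
    through escape(): caller-supplied text always stays inside its attribute
    or element and cannot alter the structure (or the audited requestor).
    """
    ldap_ref = ""
    if ldap_request_id is not None:
        # Pass-through reference data: ignored by OIM, returned in the callback.
        ldap_ref = (f'<LdapRequestId xmlns="{LDAPREQ_NS}">'
                    f"{escape(str(ldap_request_id))}</LdapRequestId>")
    return (
        f'<addRequest xmlns="{SPML_NS}" xmlns:pso="{PSO_NS}" executionMode="asynchronous">'
        "<data><pso:identity>"
        f"<pso:username><pso:value>{escape(username)}</pso:value></pso:username>"
        f"<pso:givenName><pso:value>{escape(given_name)}</pso:value></pso:givenName>"
        f"<pso:surname><pso:values><pso:value>{escape(surname)}</pso:value></pso:values></pso:surname>"
        "</pso:identity></data>"
        f'<capabilityData capabilityURI="{OPDATA_NS}" mustUnderstand="true">'
        f'<operationData xmlns="{OPDATA_NS}" requestorGUID={quoteattr(str(requestor_guid))} '
        f"justification={quoteattr(justification)}>{ldap_ref}</operationData>"
        "</capabilityData></addRequest>"
    )


def read_operation_data(xml_text):
    """Extract (requestorGUID, justification, LdapRequestId) from a request or callback.

    Returns None when the document carries no operationData element.
    """
    root = ET.fromstring(xml_text)
    op = root.find(f".//{{{OPDATA_NS}}}operationData")
    if op is None:
        return None
    ref = op.find(f"{{{LDAPREQ_NS}}}LdapRequestId")
    return (op.get("requestorGUID"), op.get("justification"),
            ref.text if ref is not None else None)


def pso_username(xml_text):
    """Return the pso:username value of an addRequest (handy for correlating callbacks)."""
    root = ET.fromstring(xml_text)
    node = root.find(f".//{{{PSO_NS}}}username/{{{PSO_NS}}}value")
    return node.text if node is not None else None


if __name__ == "__main__":
    # Constructed values; the justification deliberately contains XML metacharacters.
    req = build_add_request("jsmith", "John", "Smith", "1",
                            'needs "prod" access <urgent>', 102329090340)
    print(req)
    print(read_operation_data(req))
```

The round trip through read_operation_data is the useful check: whatever the justification contained, the parsed requestorGUID is still the one the requestor set.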
This appendix provides the following SPML XSD examples:
The Request is as follows:
<addRequest xmlns="urn:oasis:names:tc:SPML:2:0" xmlns:pso="http://xmlns.oracle.com/idm/identity/PSO"
    executionMode="asynchronous" locale="en" policyURI="http://www.sample.com/string/string"
    requestID="string" returnData="identifier" targetID="string">
  <!--Zero or more repetitions:-->
  <data>
    <!--You have a CHOICE of the next 3 items at this level-->
    <pso:identity>
      <!--Optional:-->
      <pso:attributes>
        <!--Here, we are trying to set the OIM Organization (act_key)-->
        <pso:attr name="oimOrganization">
          <pso:value>3</pso:value>
        </pso:attr>
        <!--Here, My Attribute is a UDF, with 'My Attribute' also added in CreateUserDataset.xml-->
        <pso:attr name="My Attribute">
          <pso:value>New Value</pso:value>
        </pso:attr>
      </pso:attributes>
      <!--Optional:-->
      <pso:activeEndDate>2009-06-12T00:00:00</pso:activeEndDate>
      <!--Optional:-->
      <pso:activeStartDate>2009-06-11T00:00:00</pso:activeStartDate>
      <pso:commonName>
        <pso:values>
          <pso:value>CommonName</pso:value>
        </pso:values>
      </pso:commonName>
      <!--Optional:-->
      <pso:countryName>India</pso:countryName>
      <!--Optional:-->
      <pso:departmentNumber>
        <!--1 or more repetitions:-->
        <pso:value>123456</pso:value>
      </pso:departmentNumber>
      <!--Optional:-->
      <pso:description>
        <!--1 or more repetitions:-->
        <pso:values>
          <!--1 or more repetitions:-->
          <pso:value>All Optional Fields Profile</pso:value>
        </pso:values>
      </pso:description>
      <!--Optional:-->
      <pso:displayName>
        <!--1 or more repetitions:-->
        <pso:value locale="en">All Optional Values</pso:value>
      </pso:displayName>
      <!--Optional:-->
      <pso:employeeNumber>24073</pso:employeeNumber>
      <pso:employeeType>
        <!--1 or more repetitions:-->
        <pso:values>
          <!--1 or more repetitions:-->
          <pso:value>Part-Time</pso:value>
        </pso:values>
      </pso:employeeType>
      <!--Optional:-->
      <pso:facsimileTelephoneNumber>
        <!--1 or more repetitions:-->
        <pso:number>08041085304</pso:number>
      </pso:facsimileTelephoneNumber>
      <!--Optional:-->
      <pso:generationQualifier>
        <!--1 or more repetitions:-->
        <pso:value>II</pso:value>
      </pso:generationQualifier>
      <!--Optional:-->
      <pso:givenName>
        <!--1 or more repetitions:-->
        <pso:value>OptionalGivenName</pso:value>
      </pso:givenName>
      <!--Optional:-->
      <pso:hireDate>2009-06-11T00:00:00</pso:hireDate>
      <!--Optional:-->
      <pso:homePhone>
        <!--1 or more repetitions:-->
        <pso:number>9999999999</pso:number>
      </pso:homePhone>
      <!--Optional:-->
      <pso:homePostalAddress>
        <!--1 or more repetitions:-->
        <pso:value>marathahalli</pso:value>
      </pso:homePostalAddress>
      <!--Optional:-->
      <pso:initials>
        <!--1 or more repetitions:-->
        <pso:value>SJ</pso:value>
      </pso:initials>
      <!--Optional:-->
      <pso:localityName>
        <!--1 or more repetitions:-->
        <pso:value>Munekolala</pso:value>
      </pso:localityName>
      <!--Optional:-->
      <!--pso:mail> <pso:value>jdong12@mycompany.com</pso:value> </pso:mail-->
      <!--Optional:-->
      <pso:middleName>MiddleName</pso:middleName>
      <!--Optional:-->
      <pso:mobile>
        <!--1 or more repetitions:-->
        <pso:number>9886078373</pso:number>
      </pso:mobile>
      <!--Optional: This sets the LDAP Organization of the user.-->
      <pso:organization>
        <pso:value>Sales</pso:value>
      </pso:organization>
      <!--Optional: This sets the LDAP Organization Unit of the user.-->
      <pso:organizationUnit>
        <pso:value>Marketing</pso:value>
      </pso:organizationUnit>
      <!--Optional:-->
      <pso:pager>
        <!--1 or more repetitions:-->
        <pso:number>7777</pso:number>
      </pso:pager>
      <!--Optional: This sets the user password to Welcome7 (Base64-encoded).
          If not provided, the password will be auto-generated.-->
      <pso:password>
        <!--1 or more repetitions:-->
        <pso:value>V2VsY29tZTc=</pso:value>
      </pso:password>
      <!--Optional:-->
      <pso:postalAddress>
        <!--1 or more repetitions:-->
        <pso:value>Marathahalli</pso:value>
      </pso:postalAddress>
      <!--Optional:-->
      <pso:postalCode>
        <!--1 or more repetitions:-->
        <pso:value>560037</pso:value>
      </pso:postalCode>
      <!--Optional:-->
      <pso:postOfficeBox>
        <!--1 or more repetitions:-->
        <pso:value>999</pso:value>
      </pso:postOfficeBox>
      <!--Optional:-->
      <pso:preferredLanguage>en</pso:preferredLanguage>
      <!--Optional:-->
      <pso:state>
        <!--1 or more repetitions:-->
        <pso:value>Karnataka</pso:value>
      </pso:state>
      <!--Optional:-->
      <pso:street>
        <!--1 or more repetitions:-->
        <pso:value>Satyam Street</pso:value>
      </pso:street>
      <!--Optional:-->
      <pso:surname>
        <pso:values>
          <!--1 or more repetitions:-->
          <pso:value>Jha</pso:value>
        </pso:values>
      </pso:surname>
      <!--Optional:-->
      <pso:telephoneNumber>
        <!--1 or more repetitions:-->
        <pso:number>08041085304</pso:number>
      </pso:telephoneNumber>
      <!--Optional:-->
      <pso:title>
        <pso:value>Mr</pso:value>
      </pso:title>
      <!--Optional:-->
      <pso:username>
        <!--1 or more repetitions:-->
        <pso:value>jsmith</pso:value>
      </pso:username>
      <pso:manager>5</pso:manager>
    </pso:identity>
  </data>
</addRequest>
The Add User Response sample when the user login already exists is as follows:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Header/>
  <env:Body>
    <ns3:addResponse xmlns:ns2="http://xmlns.oracle.com/idm/identity/PSO"
        xmlns:ns3="urn:oasis:names:tc:SPML:2:0" xmlns:ns4="urn:oasis:names:tc:SPML:2:0:suspend"
        xmlns:ns5="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username"
        xmlns:ns6="urn:oasis:names:tc:SPML:2:0:password" xmlns:ns7="urn:oasis:names:tc:SPML:2:0:reference"
        xmlns:ns8="urn:oasis:names:tc:SPML:2:0:async" xmlns:ns9="urn:names:spml:ws:header"
        status="failure" error="malformedRequest" extendedError="IAM-3076048">
      <ns3:errorMessage>username jsmith already exists.</ns3:errorMessage>
    </ns3:addResponse>
  </env:Body>
</env:Envelope>
The Add User Response sample when multiple values are passed for attributes that accept only a single value is as follows:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Header/>
  <env:Body>
    <ns3:addResponse xmlns:ns2="http://xmlns.oracle.com/idm/identity/PSO"
        xmlns:ns3="urn:oasis:names:tc:SPML:2:0" xmlns:ns4="urn:oasis:names:tc:SPML:2:0:suspend"
        xmlns:ns5="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username"
        xmlns:ns6="urn:oasis:names:tc:SPML:2:0:password" xmlns:ns7="urn:oasis:names:tc:SPML:2:0:reference"
        xmlns:ns8="urn:oasis:names:tc:SPML:2:0:async" xmlns:ns9="urn:names:spml:ws:header"
        status="pending" requestID="5" error="malformedRequest" extendedError="IAM-3071022">
      <ns3:errorMessage>The attribute commonName is not multi-language enabled in OIM. Only the value John Smith will be saved.</ns3:errorMessage>
      <ns3:errorMessage>The attribute organization is not multi-language enabled in OIM. Only the value 1 will be saved.</ns3:errorMessage>
    </ns3:addResponse>
  </env:Body>
</env:Envelope>
Note:
To find the status of the add user request, see "SPML Example - Status Request".
The displayName attribute has Multiple Language Support (MLS), and language values can be specified as "en", "fr", and so on.
The Request is as follows:
<deleteRequest xmlns="urn:oasis:names:tc:SPML:2:0" xmlns:pso="http://xmlns.oracle.com/idm/identity/PSO"
    executionMode="asynchronous" locale="en" policyURI="http://www.sample.com/string/string"
    requestID="string" returnData="identifier" targetID="string">
  <psoID ID="identity:6C9B96E99FC8DC32E040E50A3D5252F5" />
</deleteRequest>
The Response is as follows:
<ns9:ResponseType xmlns="http://xmlns.oracle.com/idm/identity/PSO"
    xmlns:ns2="urn:oasis:names:tc:SPML:2:0" xmlns:ns3="urn:oasis:names:tc:SPML:2:0:reference"
    xmlns:ns4="urn:oasis:names:tc:SPML:2:0:password" xmlns:ns5="urn:oasis:names:tc:SPML:2:0:suspend"
    xmlns:ns6="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username"
    xmlns:ns7="urn:names:spml:ws:header" xmlns:ns8="urn:oasis:names:tc:SPML:2:0:async"
    xmlns:ns9="oasis:names:tc:SPML:2:0"
    requestID="19" status="pending"/>
The Request is as follows:
<modifyRequest xmlns="urn:oasis:names:tc:SPML:2:0" xmlns:pso="http://xmlns.oracle.com/idm/identity/PSO"
    executionMode="asynchronous" locale="string" policyURI="http://www.sample.com/string/string"
    requestID="string" returnData="identifier">
  <capabilityData capabilityURI="urn:oasis:names:tc:SPML:2:0:reference" mustUnderstand="true" />
  <psoID ID="identity:6C9B96E99FC8DC32E040E50A3D5252F5" />
  <modification modificationMode="add">
    <component path="/identity" namespaceURI="http://www.w3.org/TR/xpath20" />
    <data>
      <pso:identity>
        <pso:initials>
          <!--1 or more repetitions:-->
          <pso:value>J S</pso:value>
        </pso:initials>
      </pso:identity>
    </data>
  </modification>
  <modification modificationMode="replace">
    <component path="/identity" namespaceURI="http://www.w3.org/TR/xpath20" />
    <data>
      <pso:identity>
        <pso:localityName>
          <!--1 or more repetitions:-->
          <pso:value>new_locality</pso:value>
        </pso:localityName>
        <pso:homePhone>
          <!--1 or more repetitions:-->
          <pso:number>0123456789</pso:number>
        </pso:homePhone>
        <pso:commonName>
          <!--1 or more repetitions:-->
          <pso:values>
            <!--1 or more repetitions:-->
            <pso:value>FR Alice Krug1</pso:value>
          </pso:values>
        </pso:commonName>
      </pso:identity>
    </data>
  </modification>
  <modification modificationMode="delete">
    <component path="/identity" namespaceURI="http://www.w3.org/TR/xpath20" />
    <data>
      <pso:identity>
        <pso:pager>
          <!--1 or more repetitions:-->
          <pso:number>333</pso:number>
        </pso:pager>
      </pso:identity>
    </data>
  </modification>
</modifyRequest>
The Response is as follows:
<ns9:ModifyResponseType xmlns="http://xmlns.oracle.com/idm/identity/PSO"
    xmlns:ns2="urn:oasis:names:tc:SPML:2:0" xmlns:ns3="urn:oasis:names:tc:SPML:2:0:reference"
    xmlns:ns4="urn:oasis:names:tc:SPML:2:0:password" xmlns:ns5="urn:oasis:names:tc:SPML:2:0:suspend"
    xmlns:ns6="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username"
    xmlns:ns7="urn:names:spml:ws:header" xmlns:ns8="urn:oasis:names:tc:SPML:2:0:async"
    xmlns:ns9="oasis:names:tc:SPML:2:0"
    requestID="15" status="pending"/>
The Request is as follows:
<resumeRequest xmlns="urn:oasis:names:tc:SPML:2:0:suspend" requestID="120">
  <psoID ID="6C9B96E99FC8DC32E040E50A3D5252F5" />
</resumeRequest>
The Response is as follows:
<ns9:ResponseType xmlns="urn:oasis:names:tc:SPML:2:0"
    xmlns:ns2="http://xmlns.oracle.com/idm/identity/PSO" xmlns:ns3="urn:oasis:names:tc:SPML:2:0:password"
    xmlns:ns4="urn:oasis:names:tc:SPML:2:0:suspend"
    xmlns:ns5="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username"
    xmlns:ns6="urn:names:spml:ws:header" xmlns:ns7="urn:oasis:names:tc:SPML:2:0:async"
    xmlns:ns8="urn:oasis:names:tc:SPML:2:0:reference" xmlns:ns9="oasis:names:tc:SPML:2:0"
    requestID="120" status="pending"/>
The Request is as follows:
<ns4:suggestUsernameRequest xmlns:ns4="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username"
    xmlns="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username"
    xmlns:ns2="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username"
    xmlns:ns3="http://xmlns.oracle.com/idm/identity/PSO">
  <ns2:identity>
    <ns3:givenName>
      <ns3:value>testfn</ns3:value>
    </ns3:givenName>
    <ns3:surname>
      <ns3:values>
        <ns3:value>testln</ns3:value>
      </ns3:values>
    </ns3:surname>
  </ns2:identity>
</ns4:suggestUsernameRequest>
The Response is as follows:
<ns9:SuggestUsernameResponseType xmlns="urn:oasis:names:tc:SPML:2:0"
    xmlns:ns2="http://xmlns.oracle.com/idm/identity/PSO"
    xmlns:ns3="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username"
    xmlns:ns4="urn:oasis:names:tc:SPML:2:0:reference" xmlns:ns5="urn:oasis:names:tc:SPML:2:0:async"
    xmlns:ns6="urn:oasis:names:tc:SPML:2:0:password" xmlns:ns7="urn:names:spml:ws:header"
    xmlns:ns8="urn:oasis:names:tc:SPML:2:0:suspend" xmlns:ns9="oasis:names:tc:SPML:2:0"
    status="success">
  <ns3:username>testfn.testln@mycompany.com</ns3:username>
</ns9:SuggestUsernameResponseType>
The Request is as follows:
<suspendRequest xmlns="urn:oasis:names:tc:SPML:2:0:suspend" requestID="139">
  <psoID ID="6C9B96E99FC8DC32E040E50A3D5252F5"/>
</suspendRequest>
The Response is as follows:
<ns9:ResponseType xmlns="urn:oasis:names:tc:SPML:2:0"
    xmlns:ns2="http://xmlns.oracle.com/idm/identity/PSO" xmlns:ns3="urn:oasis:names:tc:SPML:2:0:password"
    xmlns:ns4="urn:oasis:names:tc:SPML:2:0:suspend"
    xmlns:ns5="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username"
    xmlns:ns6="urn:names:spml:ws:header" xmlns:ns7="urn:oasis:names:tc:SPML:2:0:async"
    xmlns:ns8="urn:oasis:names:tc:SPML:2:0:reference" xmlns:ns9="oasis:names:tc:SPML:2:0"
    requestID="139" status="pending"/>
The Request is as follows:
<validateUsernameRequest xmlns="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username">
  <username>testfn.testln</username>
</validateUsernameRequest>
The Response is as follows:
<ns9:ValidateUsernameResponseType xmlns="urn:oasis:names:tc:SPML:2:0"
    xmlns:ns2="http://xmlns.oracle.com/idm/identity/PSO"
    xmlns:ns3="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username"
    xmlns:ns4="urn:oasis:names:tc:SPML:2:0:reference" xmlns:ns5="urn:oasis:names:tc:SPML:2:0:async"
    xmlns:ns6="urn:oasis:names:tc:SPML:2:0:password" xmlns:ns7="urn:names:spml:ws:header"
    xmlns:ns8="urn:oasis:names:tc:SPML:2:0:suspend" xmlns:ns9="oasis:names:tc:SPML:2:0"
    valid="true" status="success"/>
The Request is as follows:
<activeRequest xmlns="urn:oasis:names:tc:SPML:2:0:suspend" requestID="143">
  <psoID ID="5" targetID="string"/>
</activeRequest>
The Response is as follows:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ns4:ResponseType xmlns="urn:oasis:names:tc:SPML:2:0" xmlns:ns2="urn:oasis:names:tc:SPML:2:0:suspend"
    xmlns:ns3="http://xmlns.oracle.com/idm/identity/PSO" xmlns:ns4="oasis:names:tc:SPML:2:0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns2:ActiveResponseType"
    active="true" requestID="143" status="success" />
The Request is as follows:
<lookupUsernamePolicyRequest xmlns="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username">
</lookupUsernamePolicyRequest>
The Response is as follows:
<ns9:LookupUsernamePolicyResponseType xmlns="urn:oasis:names:tc:SPML:2:0"
    xmlns:ns2="http://xmlns.oracle.com/idm/identity/PSO"
    xmlns:ns3="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username"
    xmlns:ns4="urn:oasis:names:tc:SPML:2:0:reference" xmlns:ns5="urn:oasis:names:tc:SPML:2:0:async"
    xmlns:ns6="urn:oasis:names:tc:SPML:2:0:password" xmlns:ns7="urn:names:spml:ws:header"
    xmlns:ns8="urn:oasis:names:tc:SPML:2:0:suspend" xmlns:ns9="oasis:names:tc:SPML:2:0"
    status="success">
  <ns3:description>Generates user name based on email id if it is available, else if first name is present then &lt;first name&gt;.&lt;last name&gt;@&lt;domain&gt;, else &lt;last name&gt;@&lt;domain&gt;</ns3:description>
</ns9:LookupUsernamePolicyResponseType>
Note:
To view the policy description in a specific locale, set the locale attribute in the payload. If that locale is not supported, the description is displayed in the server locale by default, as shown:
<lookupUsernamePolicyRequest locale="th" xmlns="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username">
</lookupUsernamePolicyRequest>
The Request to create a user (identity) is as follows:
Note:
There can be only one toPsoID element under a reference element. For multiple roles, an individual reference element must be used for each role.
The GUID must be 32 characters long for all requests.
<addRequest xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:oasis:names:tc:SPML:2:0"
    xmlns:spml="urn:oasis:names:tc:SPML:2:0" executionMode="asynchronous"
    policyURI="create_identity_policy_prc02.xml">
  <spml:data xsi:type="spml:PSOType">
    <identity xmlns="http://xmlns.oracle.com/idm/identity/PSO" xmlns:pso="http://xmlns.oracle.com/idm/identity/PSO">
      <pso:commonName>
        <pso:values>
          <pso:value>John Doe</pso:value>
        </pso:values>
      </pso:commonName>
      <pso:displayName>
        <pso:value>John Doe</pso:value>
      </pso:displayName>
      <pso:givenName>
        <pso:value>John</pso:value>
      </pso:givenName>
      <pso:mail>
        <pso:value>john.doe@acme.com</pso:value>
      </pso:mail>
      <pso:middleName/>
      <pso:organization>
        <pso:values>
          <pso:value>ACME, Inc.</pso:value>
        </pso:values>
      </pso:organization>
      <pso:password>
        <pso:value>qwert</pso:value>
      </pso:password>
      <pso:surname>
        <pso:values>
          <pso:value>Doe</pso:value>
        </pso:values>
      </pso:surname>
      <pso:username>
        <pso:value>jdoe</pso:value>
      </pso:username>
      <pso:employeeType>
        <pso:values>
          <pso:value>Full-Time</pso:value>
        </pso:values>
      </pso:employeeType>
    </identity>
  </spml:data>
  <spml:capabilityData capabilityURI="urn:oasis:names:tc:SPML:2:0:reference" mustUnderstand="true" >
    <reference xmlns="urn:oasis:names:tc:SPML:2:0:reference" typeOfReference="memberOf">
      <toPsoID ID="15"/> <!--To make the user a member of a default role-->
    </reference>
    <reference xmlns="urn:oasis:names:tc:SPML:2:0:reference" typeOfReference="memberOf">
      <toPsoID ID="6C9B96E99FC8DC32E040E50A3D5252F5"/>
    </reference>
  </spml:capabilityData>
</addRequest>
The Response is as follows:
<spml:addResponse xmlns:spml="urn:oasis:names:tc:SPML:2:0" status="pending" requestID="10821"/>
The Add User with Role Assignment response sample containing partial invalid roles is as follows:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Header/>
  <env:Body>
    <ns3:addResponse xmlns:ns2="http://xmlns.oracle.com/idm/identity/PSO"
        xmlns:ns3="urn:oasis:names:tc:SPML:2:0" xmlns:ns4="urn:oasis:names:tc:SPML:2:0:suspend"
        xmlns:ns5="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username"
        xmlns:ns6="urn:oasis:names:tc:SPML:2:0:password" xmlns:ns7="urn:oasis:names:tc:SPML:2:0:reference"
        xmlns:ns8="urn:oasis:names:tc:SPML:2:0:async" xmlns:ns9="urn:names:spml:ws:header"
        status="pending" requestID="5" error="malformedRequest" extendedError="IAM-3071022">
      <ns3:errorMessage>Request contains an invalid Id/Guid identifier - xyzxyzxyz.</ns3:errorMessage>
    </ns3:addResponse>
  </env:Body>
</env:Envelope>
The Request example is as follows:
Note:
Only those roles can be granted to users via SPML Add Role Membership that are:
Either published to the TOP organization with hierarchy, OR
Published to at least one member organization of the user to whom the role is to be granted via SPML.
All other role grant attempts via SPML fail authorization checks. Such roles must be explicitly published to the relevant organizations by using the UI or APIs before an SPML role grant can work.
<modifyRequest xmlns="urn:oasis:names:tc:SPML:2:0" xmlns:pso="http://xmlns.oracle.com/idm/identity/PSO"
    executionMode="asynchronous" locale="en" policyURI="gant_role_01">
  <psoID ID="identity:6C9B96E99FC8DC32E040E50A3D5252F5" />
  <modification modificationMode="add">
    <capabilityData capabilityURI="urn:oasis:names:tc:SPML:2:0:reference" mustUnderstand="true">
      <reference xmlns="urn:oasis:names:tc:SPML:2:0:reference" typeOfReference="memberOf">
        <toPsoID ID="6C9B96E99FC8DC32E040E50A3D5252F5" />
      </reference>
    </capabilityData>
  </modification>
</modifyRequest>
The Response example is as follows:
<spml:modifyResponse xmlns:spml="urn:oasis:names:tc:SPML:2:0" status="pending" requestID="10822"/>
The Request is as follows:
<modifyRequest xmlns="urn:oasis:names:tc:SPML:2:0" xmlns:pso="http://xmlns.oracle.com/idm/identity/PSO"
    executionMode="asynchronous" locale="en" policyURI="revoke_role_01">
  <psoID ID="identity:6C9B96E99FC8DC32E040E50A3D5252F5" />
  <modification modificationMode="delete">
    <capabilityData capabilityURI="urn:oasis:names:tc:SPML:2:0:reference" mustUnderstand="true">
      <reference xmlns="urn:oasis:names:tc:SPML:2:0:reference" typeOfReference="memberOf">
        <toPsoID ID="6C9B96E99FC8DC32E040E50A3D5252F5" />
      </reference>
    </capabilityData>
  </modification>
</modifyRequest>
The Response is as follows:
<spml:modifyResponse xmlns:spml="urn:oasis:names:tc:SPML:2:0" status="pending" requestID="10826"/>
The Request is as follows:
<addRequest xmlns="urn:oasis:names:tc:SPML:2:0" xmlns:pso="http://xmlns.oracle.com/idm/identity/PSO"
    executionMode="asynchronous" locale="en_us" policyURI="Role Creation" requestID="string"
    returnData="identifier" targetID="string">
  <!--Zero or more repetitions:-->
  <capabilityData capabilityURI="urn:oasis:names:tc:SPML:2:0:reference" mustUnderstand="true" />
  <data>
    <!--You have a CHOICE of the next 3 items at this level-->
    <pso:role>
      <pso:attributes>
        <pso:attr name="Role Category Name">
          <!-- pso:value>OIM Roles</pso:value-->
          <pso:value>Default</pso:value>
        </pso:attr>
      </pso:attributes>
      <pso:commonName>
        <!--1 or more repetitions:-->
        <pso:values>
          <!--1 or more repetitions:-->
          <pso:value>TempAdmin</pso:value>
        </pso:values>
      </pso:commonName>
      <pso:description>
        <!--1 or more repetitions:-->
        <pso:values>
          <!--1 or more repetitions:-->
          <pso:value>Temporary Administrator</pso:value>
        </pso:values>
      </pso:description>
      <pso:displayName>
        <!--pso:value locale="en">Alice Krug_en_US</pso:value-->
        <!--pso:value locale="fr">Alice Kru_fr</pso:value-->
        <pso:value locale="base">Alice Kru_base</pso:value>
      </pso:displayName>
    </pso:role>
  </data>
</addRequest>
The Response is as follows:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Header/>
  <env:Body>
    <ns3:addResponse xmlns:ns2="http://xmlns.oracle.com/idm/identity/PSO"
        xmlns:ns3="urn:oasis:names:tc:SPML:2:0" xmlns:ns4="urn:oasis:names:tc:SPML:2:0:suspend"
        xmlns:ns5="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username"
        xmlns:ns6="urn:oasis:names:tc:SPML:2:0:password" xmlns:ns7="urn:oasis:names:tc:SPML:2:0:reference"
        xmlns:ns8="urn:oasis:names:tc:SPML:2:0:async" xmlns:ns9="urn:names:spml:ws:header"
        status="pending" requestID="21792"/>
  </env:Body>
</env:Envelope>
The Request is as follows:
<addRequest xmlns="urn:oasis:names:tc:SPML:2:0" xmlns:pso="http://xmlns.oracle.com/idm/identity/PSO"
    executionMode="asynchronous" locale="en" policyURI="http://www.sample.com/string/string"
    requestID="string" returnData="identifier" targetID="string">
  <data>
    <!--You have a CHOICE of the next 3 items at this level-->
    <pso:role>
      <pso:commonName>
        <!--1 or more repetitions:-->
        <pso:values>
          <!--1 or more repetitions:-->
          <pso:value>TempAdmin</pso:value>
        </pso:values>
      </pso:commonName>
      <pso:description>
        <!--1 or more repetitions:-->
        <pso:values>
          <!--1 or more repetitions:-->
          <pso:value>Temporary Administrator</pso:value>
        </pso:values>
      </pso:description>
    </pso:role>
  </data>
  <capabilityData capabilityURI="urn:oasis:names:tc:SPML:2:0:reference" mustUnderstand="true">
    <reference typeOfReference="inheritsFrom" xmlns="urn:oasis:names:tc:SPML:2:0:reference">
      <toPsoID ID="6C9B96E99F77DC32E040E50A3D5252F5" />
    </reference>
  </capabilityData>
</addRequest>
The Response is as follows:
<ns9:AddResponseType xmlns="http://xmlns.oracle.com/idm/identity/PSO"
    xmlns:ns2="urn:oasis:names:tc:SPML:2:0" xmlns:ns3="urn:oasis:names:tc:SPML:2:0:reference"
    xmlns:ns4="urn:oasis:names:tc:SPML:2:0:password" xmlns:ns5="urn:oasis:names:tc:SPML:2:0:suspend"
    xmlns:ns6="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username"
    xmlns:ns7="urn:names:spml:ws:header" xmlns:ns8="urn:oasis:names:tc:SPML:2:0:async"
    xmlns:ns9="oasis:names:tc:SPML:2:0"
    requestID="22" status="pending"/>
The Request is as follows:
<modifyRequest xmlns="urn:oasis:names:tc:SPML:2:0" xmlns:pso="http://xmlns.oracle.com/idm/identity/PSO"
    executionMode="asynchronous" locale="string" policyURI="http://www.sample.com/string/string"
    requestID="string" returnData="identifier">
  <capabilityData capabilityURI="urn:oasis:names:tc:SPML:2:0:reference" mustUnderstand="true" />
  <psoID ID="role:6C9B96E99FC8DC32E040E50A3D5252F5" />
  <modification modificationMode="replace">
    <component path="/role" namespaceURI="http://www.w3.org/TR/xpath20" />
    <data>
      <pso:role>
        <pso:description>
          <!--1 or more repetitions:-->
          <pso:values>
            <pso:value>UK Updated Administrator</pso:value>
          </pso:values>
        </pso:description>
      </pso:role>
    </data>
  </modification>
</modifyRequest>
The Response is as follows:
<ns9:ModifyResponseType xmlns="http://xmlns.oracle.com/idm/identity/PSO"
    xmlns:ns2="urn:oasis:names:tc:SPML:2:0" xmlns:ns3="urn:oasis:names:tc:SPML:2:0:reference"
    xmlns:ns4="urn:oasis:names:tc:SPML:2:0:password" xmlns:ns5="urn:oasis:names:tc:SPML:2:0:suspend"
    xmlns:ns6="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username"
    xmlns:ns7="urn:names:spml:ws:header" xmlns:ns8="urn:oasis:names:tc:SPML:2:0:async"
    xmlns:ns9="oasis:names:tc:SPML:2:0"
    requestID="24" status="pending"/>
The Request is as follows:
<modifyRequest xmlns="urn:oasis:names:tc:SPML:2:0" xmlns:pso="http://xmlns.oracle.com/idm/identity/PSO"
    executionMode="asynchronous" locale="string" policyURI="http://www.sample.com/string/string"
    requestID="string" returnData="identifier">
  <psoID ID="role:26" targetID="target" />
  <modification modificationMode="modify">
    <component path="/role" namespaceURI="http://www.w3.org/TR/xpath20" />
    <data>
      <pso:role>
        <pso:description>
          <!--1 or more repetitions:-->
          <pso:values>
            <!--1 or more repetitions:-->
            <pso:value>UK Updated Administrator</pso:value>
          </pso:values>
        </pso:description>
      </pso:role>
    </data>
    <capabilityData capabilityURI="urn:oasis:names:tc:SPML:2:0:reference" mustUnderstand="true">
      <reference typeOfReference="inheritsFrom" xmlns="urn:oasis:names:tc:SPML:2:0:reference">
        <toPsoID ID="25" />
      </reference>
    </capabilityData>
  </modification>
</modifyRequest>
The Response is as follows:
<ns9:ModifyResponseType xmlns="http://xmlns.oracle.com/idm/identity/PSO"
    xmlns:ns2="urn:oasis:names:tc:SPML:2:0" xmlns:ns3="urn:oasis:names:tc:SPML:2:0:reference"
    xmlns:ns4="urn:oasis:names:tc:SPML:2:0:password" xmlns:ns5="urn:oasis:names:tc:SPML:2:0:suspend"
    xmlns:ns6="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username"
    xmlns:ns7="urn:names:spml:ws:header" xmlns:ns8="urn:oasis:names:tc:SPML:2:0:async"
    xmlns:ns9="oasis:names:tc:SPML:2:0"
    requestID="25" status="pending"/>
You cannot assign a role to multiple identities by using a single SPML payload. If multiple identities are given, only the last identity is assigned the role. Remove all but one identity from the payload.
The Request is as follows:
<modifyRequest xmlns="urn:oasis:names:tc:SPML:2:0" xmlns:pso="http://xmlns.oracle.com/idm/identity/PSO"
    executionMode="asynchronous" locale="string" policyURI="http://www.sample.com/string/string"
    requestID="string" returnData="identifier">
  <!--Zero or more repetitions:-->
  <capabilityData capabilityURI="urn:oasis:names:tc:SPML:2:0:reference" mustUnderstand="true" />
  <psoID ID="identity:6C9B96E99FC8DC32E040E50A3D5252F5" />
  <psoID ID="identity:6C9B96E99FC8DC32E040E50A3D5252F5" />
  <!--1 or more repetitions:-->
  <modification modificationMode="add">
    <capabilityData capabilityURI="urn:oasis:names:tc:SPML:2:0:reference" mustUnderstand="true">
      <reference xmlns="urn:oasis:names:tc:SPML:2:0:reference" typeOfReference="memberOf">
        <toPsoID ID="6C9B96E99FC8DC32E040E50A3D5252F5" />
      </reference>
    </capabilityData>
  </modification>
</modifyRequest>
The Response is as follows:
<ns9:ResponseType xmlns="urn:oasis:names:tc:SPML:2:0"
    xmlns:ns2="http://xmlns.oracle.com/idm/identity/PSO" xmlns:ns3="urn:oasis:names:tc:SPML:2:0:password"
    xmlns:ns4="urn:oasis:names:tc:SPML:2:0:suspend"
    xmlns:ns5="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username"
    xmlns:ns6="urn:names:spml:ws:header" xmlns:ns7="urn:oasis:names:tc:SPML:2:0:async"
    xmlns:ns8="urn:oasis:names:tc:SPML:2:0:reference" xmlns:ns9="oasis:names:tc:SPML:2:0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns4:ActiveResponseType"
    requestID="143" status="failure"/>
The Request is as follows:
<deleteRequest xmlns="urn:oasis:names:tc:SPML:2:0" xmlns:pso="http://xmlns.oracle.com/idm/identity/PSO" executionMode="asynchronous" locale="en" policyURI="http://www.sample.com/string/string" requestID="string" returnData="identifier" targetID="string"> <psoID ID="role:6C9B96E99FC8DC32E040E50A3D5252F5" /> </deleteRequest>
The Response is as follows:
<ns9:ResponseType xmlns="http://xmlns.oracle.com/idm/identity/PSO" xmlns:ns2="urn:oasis:names:tc:SPML:2:0" xmlns:ns3="urn:oasis:names:tc:SPML:2:0:reference" xmlns:ns4="urn:oasis:names:tc:SPML:2:0:password" xmlns:ns5="urn:oasis:names:tc:SPML:2:0:suspend" xmlns:ns6="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username" xmlns:ns7="urn:names:spml:ws:header" xmlns:ns8="urn:oasis:names:tc:SPML:2:0:async" xmlns:ns9="oasis:names:tc:SPML:2:0" requestID="18" status="pending"/>
The Request is as follows:
<statusRequest xmlns="urn:oasis:names:tc:SPML:2:0:async" requestID="3456563" asyncRequestID="75779"/>
The Response is as follows:
<statusResponse xmlns="urn:oasis:names:tc:SPML:2:0:async" requestID="3456563" status="success"> <addResponse requestID="75779" status="pending"/> </statusResponse>
Another Request is as follows:
<statusRequest xmlns="urn:oasis:names:tc:SPML:2:0:async" requestID="12" asyncRequestID="1" returnResults="true" />
Here, returnResults="true", so the response includes all the attributes submitted in the original request.
The Response is as follows:
<ns9:StatusResponseType xmlns="urn:oasis:names:tc:SPML:2:0" xmlns:ns2="urn:oasis:names:tc:SPML:2:0:async" xmlns:ns3="http://xmlns.oracle.com/idm/identity/PSO" xmlns:ns4="urn:oasis:names:tc:SPML:2:0:reference" xmlns:ns5="urn:oasis:names:tc:SPML:2:0:password" xmlns:ns6="urn:oasis:names:tc:SPML:2:0:suspend" xmlns:ns7="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username" xmlns:ns8="urn:names:spml:ws:header" xmlns:ns9="oasis:names:tc:SPML:2:0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns2:StatusResponseType" requestID="12" status="success">
  <ns2:addResponse requestID="14" status="success">
    <pso>
      <psoID targetID="Identity"/>
      <data>
        <ns4:Identity xmlns:ns4="oasis:names:tc:SPML:2:0" xmlns:ns2="http://xmlns.oracle.com/idm/identity/PSO" xmlns:ns3="urn:oasis:names:tc:SPML:2:0:async" xmlns:ns5="urn:oasis:names:tc:SPML:2:0:async" xmlns:ns6="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username" xmlns:ns7="urn:oasis:names:tc:SPML:2:0:suspend">
          <ns2:attributes>
            <ns2:attr xmlns="" xmlns:ns11="urn:oasis:names:tc:SPML:2:0" name="Organization"><ns2:value>1</ns2:value></ns2:attr>
          </ns2:attributes>
          <ns2:activeEndDate>2009-12-25T00:00:00.000Z</ns2:activeEndDate>
          <ns2:activeStartDate>2009-12-24T00:00:00.000Z</ns2:activeStartDate>
          <ns2:commonName><ns2:values><ns2:value>Alice Krug</ns2:value></ns2:values></ns2:commonName>
          <ns2:countryName>Canada</ns2:countryName>
          <ns2:departmentNumber><ns2:value>123</ns2:value></ns2:departmentNumber>
          <ns2:description><ns2:values><ns2:value>Alice Krugs profile</ns2:value></ns2:values></ns2:description>
          <ns2:displayName><ns2:value>Alice Krug</ns2:value></ns2:displayName>
          <ns2:employeeNumber>333</ns2:employeeNumber>
          <ns2:employeeType><ns2:values><ns2:value>Full-Time</ns2:value></ns2:values></ns2:employeeType>
          <ns2:facsimileTelephoneNumber><ns2:number>6506072253</ns2:number></ns2:facsimileTelephoneNumber>
          <ns2:generationQualifier><ns2:value>II</ns2:value></ns2:generationQualifier>
          <ns2:givenName><ns2:value>Alice</ns2:value></ns2:givenName>
          <ns2:hireDate>1999-12-24T00:00:00.000Z</ns2:hireDate>
          <ns2:homePhone><ns2:number>8888888888</ns2:number></ns2:homePhone>
          <ns2:homePostalAddress><ns2:value>Baker street</ns2:value></ns2:homePostalAddress>
          <ns2:initials><ns2:value>J S</ns2:value></ns2:initials>
          <ns2:localityName><ns2:value>SFO</ns2:value></ns2:localityName>
          <ns2:middleName>A</ns2:middleName>
          <ns2:mobile><ns2:number>4083485309</ns2:number></ns2:mobile>
          <ns2:organization><ns2:values><ns2:value>1</ns2:value></ns2:values></ns2:organization>
          <ns2:organizationUnit><ns2:values><ns2:value>Sales</ns2:value></ns2:values></ns2:organizationUnit>
          <ns2:pager><ns2:number>333</ns2:number></ns2:pager>
          <ns2:postalAddress><ns2:value>Baker street 222</ns2:value></ns2:postalAddress>
          <ns2:postalCode><ns2:value>4081</ns2:value></ns2:postalCode>
          <ns2:postOfficeBox><ns2:value>333n</ns2:value></ns2:postOfficeBox>
          <ns2:preferredLanguage>en</ns2:preferredLanguage>
          <ns2:state><ns2:value>CA</ns2:value></ns2:state>
          <ns2:street><ns2:value>Baker</ns2:value></ns2:street>
          <ns2:surname><ns2:values><ns2:value>Krug</ns2:value></ns2:values></ns2:surname>
          <ns2:telephoneNumber><ns2:number>6506072253</ns2:number></ns2:telephoneNumber>
          <ns2:title><ns2:values><ns2:value>Mr</ns2:value></ns2:values></ns2:title>
          <ns2:username><ns2:value>akrug3478</ns2:value></ns2:username>
          <ns2:userType>End-User</ns2:userType>
        </ns4:Identity>
      </data>
    </pso>
  </ns2:addResponse>
</ns9:StatusResponseType>
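The following added Python example (not Oracle's code, and not part of this document) shows how a client should read the messages above: it classifies a statusResponse by the status of the nested response it wraps, pulls out the identity attributes that come back when returnResults="true", and reads the error, extendedError and errorMessage fields of a failed response such as the cancelResponse later in this section. The three messages embedded in it are constructed after the shapes on this page; request IDs and identity values are made up. Matching is done on local element names because the responses on this page declare their types in a namespace without the usual urn: prefix (oasis:names:tc:SPML:2:0).

```python
"""Interpret SPML responses on the client side and decide the next step.

Added example, not Oracle's code. The three messages are constructed after
the shapes shown on this page; request IDs and identity values are made up.
"""
import xml.etree.ElementTree as ET

ASYNC = "urn:oasis:names:tc:SPML:2:0:async"

PENDING_STATUS = ('<statusResponse xmlns="urn:oasis:names:tc:SPML:2:0:async" '
                  'requestID="3456563" status="success">'
                  '<addResponse requestID="75779" status="pending"/></statusResponse>')

COMPLETED_STATUS = """<ns9:StatusResponseType xmlns="urn:oasis:names:tc:SPML:2:0"
    xmlns:ns2="urn:oasis:names:tc:SPML:2:0:async" xmlns:ns9="oasis:names:tc:SPML:2:0"
    requestID="12" status="success">
  <ns2:addResponse requestID="14" status="success">
    <pso><psoID targetID="Identity"/>
      <data>
        <ns4:Identity xmlns:ns4="oasis:names:tc:SPML:2:0" xmlns:ns3="http://xmlns.oracle.com/idm/identity/PSO">
          <ns3:attributes><ns3:attr name="Organization"><ns3:value>1</ns3:value></ns3:attr></ns3:attributes>
          <ns3:employeeNumber>333</ns3:employeeNumber>
          <ns3:givenName><ns3:value>Alice</ns3:value></ns3:givenName>
          <ns3:mobile><ns3:number>4083485309</ns3:number></ns3:mobile>
          <ns3:username><ns3:value>akrug3478</ns3:value></ns3:username>
        </ns4:Identity>
      </data>
    </pso>
  </ns2:addResponse>
</ns9:StatusResponseType>"""

CANCEL_FAILURE = ('<ns8:cancelResponse xmlns:ns3="urn:oasis:names:tc:SPML:2:0" '
                  'xmlns:ns8="urn:oasis:names:tc:SPML:2:0:async" asyncRequestID="161" '
                  'status="failure" error="malformedRequest" extendedError="IAM-3076087">'
                  '<ns3:errorMessage>User cannot withdraw specified request.</ns3:errorMessage>'
                  '</ns8:cancelResponse>')


def _local(tag):
    """Strip the {namespace} part of an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def parse_response(xml_text):
    """Describe any SPML response: status, error fields and a nested async response."""
    root = ET.fromstring(xml_text)
    info = {
        "operation": _local(root.tag),
        "status": root.get("status"),
        "requestID": root.get("requestID"),
        "error": root.get("error"),
        "extendedError": root.get("extendedError"),
        "errorMessage": None,
        "nested": None,
    }
    for child in root:
        name = _local(child.tag)
        if name == "errorMessage":
            info["errorMessage"] = (child.text or "").strip()
        elif name.endswith("Response") and child.tag.startswith("{" + ASYNC + "}"):
            # statusResponse wraps the response of the original async request
            info["nested"] = {"operation": name, "status": child.get("status"),
                              "requestID": child.get("requestID")}
    return info


def next_action(info):
    """What the polling client does after reading a parsed response."""
    if info["status"] != "success":
        return "error"  # the query itself failed; look at error/extendedError
    nested = info["nested"]
    if nested is None:
        return "unknown"
    return {"pending": "poll_again", "success": "done",
            "failure": "investigate"}.get(nested["status"], "unknown")


def identity_attributes(xml_text):
    """Collect {field: [values]} from the Identity node of a returnResults response.
    Entries of the generic attributes list are keyed as 'attr:<name>'."""
    root = ET.fromstring(xml_text)
    result = {}
    for elem in root.iter():
        if _local(elem.tag) != "Identity":
            continue
        for field in elem:
            name = _local(field.tag)
            if name == "attributes":
                for attr in field:
                    result["attr:" + attr.get("name")] = [v.text for v in attr if _local(v.tag) == "value"]
                continue
            vals = [v.text for v in field.iter() if _local(v.tag) in ("value", "number")]
            if not vals and field.text and field.text.strip():
                vals = [field.text.strip()]  # simple element such as employeeNumber
            result[name] = vals
    return result


if __name__ == "__main__":
    for msg in (PENDING_STATUS, COMPLETED_STATUS, CANCEL_FAILURE):
        info = parse_response(msg)
        print(info["operation"], info["status"], "->", next_action(info))
    print(identity_attributes(COMPLETED_STATUS))
```

Note that the outer status of a statusResponse only says whether the status query succeeded; the state of the provisioning operation is in the nested response, so a client that looks only at the outer attribute will treat a still-pending add as finished.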
The request is as follows:
<ns1:lookupRequest xmlns:ns1="urn:oasis:names:tc:SPML:2:0" returnData="everything"> <ns1:psoID ID="identity:key:1" /> </ns1:lookupRequest>
The response is as follows:
<ns3:lookupResponse xmlns:ns2="http://xmlns.oracle.com/idm/identity/PSO" xmlns:ns3="urn:oasis:names:tc:SPML:2:0" xmlns:ns4="urn:oasis:names:tc:SPML:2:0:suspend" xmlns:ns5="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username" xmlns:ns6="urn:oasis:names:tc:SPML:2:0:password" xmlns:ns7="urn:oasis:names:tc:SPML:2:0:reference" xmlns:ns8="urn:oasis:names:tc:SPML:2:0:async" xmlns:ns9="urn:oasis:names:tc:SPML:2:0:batch" xmlns:ns10="urn:names:spml:ws:header">
  <ns3:capabilityData capabilityURI="urn:oasis:names:tc:SPML:2:0:reference" mustUnderstand="true">
    <ns7:reference typeOfReference="memberOf"><ns7:toPsoID ID="1"/></ns7:reference>
  </ns3:capabilityData>
  <ns3:pso>
    <ns3:data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns2:ProvisioningObjectType">
      <ns2:identity>
        <ns2:attributes>
          <ns2:attr name="usr_disabled"><ns2:value>0</ns2:value></ns2:attr>
          <ns2:attr name="Display Name">
            <ns2:value>zh-TW=System Administrator</ns2:value>
            <ns2:value>pt-BR=System Administrator</ns2:value>
            <ns2:value>base=System Administrator</ns2:value>
            <ns2:value>fr=System Administrator</ns2:value>
            <ns2:value>en=System Administrator</ns2:value>
            <ns2:value>zh-CN=System Administrator</ns2:value>
          </ns2:attr>
          <ns2:attr name="usr_locked"><ns2:value>0</ns2:value></ns2:attr>
          <ns2:attr name="usr_created"><ns2:value>Mon Dec 03 03:42:21 PST 2012</ns2:value></ns2:attr>
          <ns2:attr name="Full Name"><ns2:value>base=null</ns2:value></ns2:attr>
          <ns2:attr name="usr_pwd_expire_date"><ns2:value>Tue Apr 02 03:42:21 PDT 2013</ns2:value></ns2:attr>
          <ns2:attr name="Email"><ns2:value>donotreply@mydomain.com</ns2:value></ns2:attr>
          <ns2:attr name="usr_data_level"><ns2:value>2</ns2:value></ns2:attr>
          <ns2:attr name="usr_login_attempts_ctr"><ns2:value>0</ns2:value></ns2:attr>
          <ns2:attr name="Last Name"><ns2:value>Administrator</ns2:value></ns2:attr>
          <ns2:attr name="First Name"><ns2:value>System</ns2:value></ns2:attr>
          <ns2:attr name="usr_createby"><ns2:value>1</ns2:value></ns2:attr>
          <ns2:attr name="usr_updateby"><ns2:value>1</ns2:value></ns2:attr>
          <ns2:attr name="User Login"><ns2:value>XELSYSADM</ns2:value></ns2:attr>
          <ns2:attr name="Role"><ns2:value>Full-Time</ns2:value></ns2:attr>
          <ns2:attr name="usr_pwd_warn_date"><ns2:value>Tue Mar 26 03:42:21 PDT 2013</ns2:value></ns2:attr>
          <ns2:attr name="Organization Name"><ns2:value>Xellerate Users</ns2:value></ns2:attr>
          <ns2:attr name="usr_update"><ns2:value>Mon Dec 03 03:42:21 PST 2012</ns2:value></ns2:attr>
          <ns2:attr name="usr_pwd_reset_attempts_ctr"><ns2:value>0</ns2:value></ns2:attr>
          <ns2:attr name="usr_create"><ns2:value>Mon Dec 03 03:42:21 PST 2012</ns2:value></ns2:attr>
          <ns2:attr name="Xellerate Type"><ns2:value>End-User Administrator</ns2:value></ns2:attr>
          <ns2:attr name="Common Name"><ns2:value>System Administrator</ns2:value></ns2:attr>
          <ns2:attr name="act_key"><ns2:value>1</ns2:value></ns2:attr>
          <ns2:attr name="usr_key"><ns2:value>1</ns2:value></ns2:attr>
          <ns2:attr name="Common Name Generated"><ns2:value>0</ns2:value></ns2:attr>
          <ns2:attr name="Status"><ns2:value>Active</ns2:value></ns2:attr>
        </ns2:attributes>
        <ns2:commonName><ns2:values><ns2:value>System Administrator</ns2:value></ns2:values></ns2:commonName>
        <ns2:displayName>
          <ns2:value locale="zh-TW">System Administrator</ns2:value>
          <ns2:value locale="pt-BR">System Administrator</ns2:value>
          <ns2:value locale="base">System Administrator</ns2:value>
          <ns2:value locale="fr">System Administrator</ns2:value>
          <ns2:value locale="en">System Administrator</ns2:value>
          <ns2:value locale="zh-CN">System Administrator</ns2:value>
        </ns2:displayName>
        <ns2:employeeType><ns2:values><ns2:value>Full-Time</ns2:value></ns2:values></ns2:employeeType>
        <ns2:givenName><ns2:value>System</ns2:value></ns2:givenName>
        <ns2:mail><ns2:value>donotreply@mydomain.com</ns2:value></ns2:mail>
        <ns2:surname><ns2:values><ns2:value>Administrator</ns2:value></ns2:values></ns2:surname>
        <ns2:userId><ns2:value>XELSYSADM</ns2:value></ns2:userId>
        <ns2:userType>End-User Administrator</ns2:userType>
      </ns2:identity>
    </ns3:data>
  </ns3:pso>
</ns3:lookupResponse>
Another request is as follows:
<ns1:lookupRequest xmlns:ns1="urn:oasis:names:tc:SPML:2:0" returnData="everything"> <ns1:psoID ID="role:name:FinanceRole" /> </ns1:lookupRequest>
The response is as follows:
<ns3:lookupResponse xmlns:ns2="http://xmlns.oracle.com/idm/identity/PSO" xmlns:ns3="urn:oasis:names:tc:SPML:2:0" xmlns:ns4="urn:oasis:names:tc:SPML:2:0:suspend" xmlns:ns5="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username" xmlns:ns6="urn:oasis:names:tc:SPML:2:0:password" xmlns:ns7="urn:oasis:names:tc:SPML:2:0:reference" xmlns:ns8="urn:oasis:names:tc:SPML:2:0:async" xmlns:ns9="urn:oasis:names:tc:SPML:2:0:batch" xmlns:ns10="urn:names:spml:ws:header">
  <ns3:capabilityData capabilityURI="urn:oasis:names:tc:SPML:2:0:reference" mustUnderstand="true">
    <ns7:reference typeOfReference="inheritsFrom"><ns7:toPsoID ID="10"/></ns7:reference>
    <ns7:reference typeOfReference="inheritsFrom"><ns7:toPsoID ID="7"/></ns7:reference>
    <ns7:reference typeOfReference="memberOf"><ns7:toPsoID ID="8"/></ns7:reference>
  </ns3:capabilityData>
  <ns3:pso>
    <ns3:data xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns2:ProvisioningObjectType">
      <ns2:role>
        <ns2:attributes>
          <ns2:attr name="Role Display Name"><ns2:value>FinanceRole</ns2:value></ns2:attr>
          <ns2:attr name="Role Unique Name"><ns2:value>FinanceRole</ns2:value></ns2:attr>
          <ns2:attr name="Owner Login"><ns2:value>XELSYSADM</ns2:value></ns2:attr>
          <ns2:attr name="ugp_createby"><ns2:value>1</ns2:value></ns2:attr>
          <ns2:attr name="ugp_create"><ns2:value>Wed Nov 21 23:28:42 PST 2012</ns2:value></ns2:attr>
          <ns2:attr name="Role Owner Key"><ns2:value>1</ns2:value></ns2:attr>
          <ns2:attr name="Role Description"><ns2:value>desc</ns2:value></ns2:attr>
          <ns2:attr name="Role Name"><ns2:value>FinanceRole</ns2:value></ns2:attr>
          <ns2:attr name="ugp_update"><ns2:value>Wed Nov 21 23:28:42 PST 2012</ns2:value></ns2:attr>
          <ns2:attr name="Owner Email"><ns2:value>donotreply@mydomain.com</ns2:value></ns2:attr>
          <ns2:attr name="Role Namespace"><ns2:value>Default</ns2:value></ns2:attr>
          <ns2:attr name="Owner Display Name"><ns2:value>System Administrator</ns2:value></ns2:attr>
          <ns2:attr name="Role Key"><ns2:value>6</ns2:value></ns2:attr>
          <ns2:attr name="ugp_updateby"><ns2:value>1</ns2:value></ns2:attr>
          <ns2:attr name="Role Category Key"><ns2:value>2</ns2:value></ns2:attr>
          <ns2:attr name="Owner Last Name"><ns2:value>Administrator</ns2:value></ns2:attr>
          <ns2:attr name="Role Email"><ns2:value>email@email.com</ns2:value></ns2:attr>
          <ns2:attr name="Owner First Name"><ns2:value>System</ns2:value></ns2:attr>
          <ns2:attr name="Role Category Name"><ns2:value>OIM Roles</ns2:value></ns2:attr>
        </ns2:attributes>
        <ns2:commonName><ns2:values><ns2:value>FinanceRole</ns2:value></ns2:values></ns2:commonName>
        <ns2:description><ns2:values><ns2:value>desc</ns2:value></ns2:values></ns2:description>
        <ns2:displayName><ns2:value>FinanceRole</ns2:value></ns2:displayName>
      </ns2:role>
    </ns3:data>
  </ns3:pso>
</ns3:lookupResponse>
The request is:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <soap:Header>
    <ns1:Security>
      <ns1:UsernameToken>
        <ns1:Username>SYSTEM_ADMINISTRATOR_LOGIN</ns1:Username>
        <ns1:Password>SYSTEM_ADMINISTRATOR_PASSWORD</ns1:Password>
      </ns1:UsernameToken>
    </ns1:Security>
  </soap:Header>
  <soap:Body xmlns="urn:oasis:names:tc:SPML:2:0">
    <resetPasswordRequest xmlns="urn:oasis:names:tc:SPML:2:0:password" executionMode="asynchronous" locale="en_US">
      <psoID ID="BD7A621E8C7147D2E040E50AFC801934"></psoID>
    </resetPasswordRequest>
  </soap:Body>
</soap:Envelope>
The response is as follows:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header/><env:Body><ns6:resetPasswordResponse xmlns:ns2="http://xmlns.oracle.com/idm/identity/PSO" xmlns:ns3="urn:oasis:names:tc:SPML:2:0" xmlns:ns4="urn:oasis:names:tc:SPML:2:0:suspend" xmlns:ns5="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username" xmlns:ns6="urn:oasis:names:tc:SPML:2:0:password" xmlns:ns7="urn:oasis:names:tc:SPML:2:0:reference" xmlns:ns8="urn:oasis:names:tc:SPML:2:0:async" xmlns:ns9="urn:oasis:names:tc:SPML:2:0:batch" xmlns:ns10="urn:names:spml:ws:header" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns6:ResetPasswordResponseType" status="success"/></env:Body></env:Envelope>
The request is:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <soap:Header>
    <ns1:Security>
      <ns1:UsernameToken>
        <ns1:Username>SYSTEM_ADMINISTRATOR_LOGIN</ns1:Username>
        <ns1:Password>SYSTEM_ADMINISTRATOR_PASSWORD</ns1:Password>
      </ns1:UsernameToken>
    </ns1:Security>
  </soap:Header>
  <soap:Body xmlns="urn:oasis:names:tc:SPML:2:0">
    <resetPasswordRequest xmlns="urn:oasis:names:tc:SPML:2:0:password" executionMode="asynchronous" locale="en_US">
      <psoID ID="BD7A621E8C7147D2E040E50AFC801934"></psoID>
      <notificationData>
        <sendNotification>true</sendNotification>
        <sendNotificationTo>
          <emailAddress>john.doe@mycompany.com,jane.doe@mycompany.com,terrence.hill@mycompany.com</emailAddress>
        </sendNotificationTo>
      </notificationData>
    </resetPasswordRequest>
  </soap:Body>
</soap:Envelope>
The response is as follows:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"><env:Header/><env:Body><ns6:resetPasswordResponse xmlns:ns2="http://xmlns.oracle.com/idm/identity/PSO" xmlns:ns3="urn:oasis:names:tc:SPML:2:0" xmlns:ns4="urn:oasis:names:tc:SPML:2:0:suspend" xmlns:ns5="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username" xmlns:ns6="urn:oasis:names:tc:SPML:2:0:password" xmlns:ns7="urn:oasis:names:tc:SPML:2:0:reference" xmlns:ns8="urn:oasis:names:tc:SPML:2:0:async" xmlns:ns9="urn:oasis:names:tc:SPML:2:0:batch" xmlns:ns10="urn:names:spml:ws:header" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="ns6:ResetPasswordResponseType" status="success"/></env:Body></env:Envelope>
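An added Python example, not Oracle's code and not part of this document, for the reset-password exchange above: it builds the SOAP envelope with the WS-Security UsernameToken header and an optional notification list, checks that a request really carries its executionMode attribute in the start tag (a pasted request with a stray `>` after the xmlns attribute still parses, but the attributes become text content and the psoID is the only thing the server sees), and masks the password before the envelope is written to a log. The namespace URIs are the ones in the request above; the service account, its password and the addresses are constructed placeholders, and the function names are mine.

```python
"""Build, check and safely log a SOAP-wrapped SPML resetPasswordRequest.

Added example, not Oracle's code. Namespace URIs are those of the request
shown above; the service account, password and addresses are constructed.
"""
import re
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SPML = "urn:oasis:names:tc:SPML:2:0"
SPML_PWD = "urn:oasis:names:tc:SPML:2:0:password"
for _prefix, _uri in (("soap", SOAP), ("wsse", WSSE), ("spml", SPML), ("pwd", SPML_PWD)):
    ET.register_namespace(_prefix, _uri)

EMAIL_RE = re.compile(r"^[^@\s,]+@[^@\s,]+\.[^@\s,]+$")

# Constructed copy of a request with a stray '>' after the xmlns attribute:
# the XML still parses, but executionMode and locale turn into text content.
MALFORMED_PAGE_REQUEST = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">'
    '<soap:Header><ns1:Security><ns1:UsernameToken>'
    '<ns1:Username>SYSTEM_ADMINISTRATOR_LOGIN</ns1:Username>'
    '<ns1:Password>SYSTEM_ADMINISTRATOR_PASSWORD</ns1:Password>'
    '</ns1:UsernameToken></ns1:Security></soap:Header>'
    '<soap:Body xmlns="urn:oasis:names:tc:SPML:2:0">'
    '<resetPasswordRequest xmlns="urn:oasis:names:tc:SPML:2:0:password"> '
    'executionMode="asynchronous" locale="en_US"> '
    '<psoID ID="BD7A621E8C7147D2E040E50AFC801934"></psoID> '
    '</resetPasswordRequest></soap:Body></soap:Envelope>')


def invalid_addresses(addresses):
    """Addresses that would corrupt the comma-separated emailAddress value."""
    return [a for a in addresses if not EMAIL_RE.match(a)]


def build_reset_password_envelope(username, password, pso_id, notify=None, locale="en_US"):
    """SOAP envelope text for an asynchronous resetPasswordRequest on one psoID."""
    if notify and invalid_addresses(notify):
        raise ValueError(f"invalid notification address(es): {invalid_addresses(notify)}")
    env = ET.Element(f"{{{SOAP}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP}}}Header")
    token = ET.SubElement(ET.SubElement(header, f"{{{WSSE}}}Security"), f"{{{WSSE}}}UsernameToken")
    ET.SubElement(token, f"{{{WSSE}}}Username").text = username
    ET.SubElement(token, f"{{{WSSE}}}Password").text = password
    body = ET.SubElement(env, f"{{{SOAP}}}Body")
    # attributes go in the start tag; psoID and notificationData sit in the
    # password namespace, as in the request shown on this page
    req = ET.SubElement(body, f"{{{SPML_PWD}}}resetPasswordRequest",
                        {"executionMode": "asynchronous", "locale": locale})
    ET.SubElement(req, f"{{{SPML_PWD}}}psoID", {"ID": pso_id})
    if notify:
        data = ET.SubElement(req, f"{{{SPML_PWD}}}notificationData")
        ET.SubElement(data, f"{{{SPML_PWD}}}sendNotification").text = "true"
        to = ET.SubElement(data, f"{{{SPML_PWD}}}sendNotificationTo")
        ET.SubElement(to, f"{{{SPML_PWD}}}emailAddress").text = ",".join(notify)
    return ET.tostring(env, encoding="unicode")


def check_reset_request(envelope_text):
    """List of problems with an envelope; empty means it is ready to send."""
    problems = []
    root = ET.fromstring(envelope_text)
    if root.find(f".//{{{WSSE}}}UsernameToken") is None:
        problems.append("missing WS-Security UsernameToken")
    req = root.find(f".//{{{SPML_PWD}}}resetPasswordRequest")
    if req is None:
        return problems + ["missing resetPasswordRequest"]
    if req.get("executionMode") is None:
        problems.append("resetPasswordRequest has no executionMode attribute")
    if (req.text or "").strip():
        problems.append(f"stray text inside resetPasswordRequest: {req.text.strip()!r}")
    if req.find(f"{{{SPML_PWD}}}psoID") is None:
        problems.append("missing psoID")
    return problems


def notification_addresses(envelope_text):
    """The comma-separated emailAddress list read back from an envelope."""
    node = ET.fromstring(envelope_text).find(f".//{{{SPML_PWD}}}emailAddress")
    return [] if node is None or not node.text else node.text.split(",")


def redact_for_log(envelope_text):
    """Mask the WS-Security password so the envelope can be logged."""
    root = ET.fromstring(envelope_text)
    for pw in root.iter(f"{{{WSSE}}}Password"):
        pw.text = "***"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    env = build_reset_password_envelope("svc-helpdesk", "example-secret",
                                        "BD7A621E8C7147D2E040E50AFC801934",
                                        ["john.doe@example.com", "jane.doe@example.com"])
    print(redact_for_log(env))
    print("problems:", check_reset_request(env))
    print("problems in pasted request:", check_reset_request(MALFORMED_PAGE_REQUEST))
```

The UsernameToken carries the credential in clear text, so this envelope is only ever sent over TLS, and the redacted form is the one that goes to request logs.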
The request is:
<ns2:lookupUsernamePolicyRequest xmlns:ns2="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username" requestID="" executionMode="synchronous" locale="en" policyURI="" xmlns:ns3="urn:oasis:names:tc:SPML:2:0"> </ns2:lookupUsernamePolicyRequest>
The response is as follows:
<ns5:lookupUsernamePolicyResponse xmlns:ns2="http://xmlns.oracle.com/idm/identity/PSO" xmlns:ns3="urn:oasis:names:tc:SPML:2:0" xmlns:ns4="urn:oasis:names:tc:SPML:2:0:suspend" xmlns:ns5="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username" xmlns:ns6="urn:oasis:names:tc:SPML:2:0:password" xmlns:ns7="urn:oasis:names:tc:SPML:2:0:reference" xmlns:ns8="urn:oasis:names:tc:SPML:2:0:async" xmlns:ns9="urn:oasis:names:tc:SPML:2:0:batch" xmlns:ns10="urn:names:spml:ws:header" status="success">
  <ns5:description>Generates user name based on email id if it is available, else if first name is present then &lt;first name&gt;.&lt;last name&gt;@&lt;domain&gt;, else &lt;last name&gt;@&lt;domain&gt;</ns5:description>
</ns5:lookupUsernamePolicyResponse>
The request is:
<ns1:cancelRequest xmlns:ns1="urn:oasis:names:tc:SPML:2:0:async" asyncRequestID="162"/>
The response is as follows:
A request that could be successfully withdrawn:
<ns8:cancelResponse xmlns:ns2="http://xmlns.oracle.com/idm/identity/PSO" xmlns:ns3="urn:oasis:names:tc:SPML:2:0" xmlns:ns4="urn:oasis:names:tc:SPML:2:0:suspend" xmlns:ns5="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username" xmlns:ns6="urn:oasis:names:tc:SPML:2:0:password" xmlns:ns7="urn:oasis:names:tc:SPML:2:0:reference" xmlns:ns8="urn:oasis:names:tc:SPML:2:0:async" xmlns:ns9="urn:oasis:names:tc:SPML:2:0:batch" xmlns:ns10="urn:names:spml:ws:header" asyncRequestID="162" status="success"/>
A request that could not be successfully withdrawn:
<ns8:cancelResponse xmlns:ns2="http://xmlns.oracle.com/idm/identity/PSO" xmlns:ns3="urn:oasis:names:tc:SPML:2:0" xmlns:ns4="urn:oasis:names:tc:SPML:2:0:suspend" xmlns:ns5="http://xmlns.oracle.com/idm/identity/spmlv2custom/Username" xmlns:ns6="urn:oasis:names:tc:SPML:2:0:password" xmlns:ns7="urn:oasis:names:tc:SPML:2:0:reference" xmlns:ns8="urn:oasis:names:tc:SPML:2:0:async" xmlns:ns9="urn:oasis:names:tc:SPML:2:0:batch" xmlns:ns10="urn:names:spml:ws:header" asyncRequestID="161" status="failure" error="malformedRequest" extendedError="IAM-3076087"><ns3:errorMessage>User cannot withdraw specified request.</ns3:errorMessage></ns8:cancelResponse>
The request is as follows:
<urn1:batchRequest processing="parallel" onError="resume" xmlns:urn1="urn:oasis:names:tc:SPML:2:0:batch" xmlns:urn2="urn:oasis:names:tc:SPML:2:0" xmlns:pso="http://xmlns.oracle.com/idm/identity/PSO" xmlns:urn3="urn:oasis:names:tc:SPML:2:0:password">
  <!--Zero or more repetitions:-->
  <urn1:addRequest requestID="?" executionMode="asynchronous" locale="en" policyURI="User Creation" targetID="?" returnData="identifier">
    <urn2:data>
      <!--You may enter ANY elements at this point-->
      <!--You have a CHOICE of the next 3 items at this level-->
      <pso:identity>
        <pso:commonName><pso:values locale="en"><pso:value>John Smith</pso:value></pso:values></pso:commonName>
        <pso:countryName>Canada</pso:countryName>
        <pso:departmentNumber><pso:value>123</pso:value></pso:departmentNumber>
        <pso:description><pso:values><pso:value>John Smiths profile</pso:value></pso:values></pso:description>
        <pso:displayName><pso:value>John Smith</pso:value></pso:displayName>
        <pso:employeeNumber>333</pso:employeeNumber>
        <pso:employeeType><pso:values><pso:value>Full-Time</pso:value></pso:values></pso:employeeType>
        <pso:facsimileTelephoneNumber><pso:number>6506072253</pso:number></pso:facsimileTelephoneNumber>
        <pso:generationQualifier><pso:value>II</pso:value></pso:generationQualifier>
        <pso:givenName><pso:value>John</pso:value></pso:givenName>
        <pso:hireDate>1999-12-24T00:00:00</pso:hireDate>
        <pso:homePhone><pso:number>8888888888</pso:number></pso:homePhone>
        <pso:homePostalAddress><pso:value>Baker street</pso:value></pso:homePostalAddress>
        <pso:initials><pso:value>J S</pso:value></pso:initials>
        <pso:jpegPhoto><pso:value>c3RyaW5n</pso:value></pso:jpegPhoto>
        <pso:localityName><pso:value>SFO</pso:value></pso:localityName>
        <pso:mail><pso:value>jsmith@mydomain.com</pso:value></pso:mail>
        <pso:middleName>Park</pso:middleName>
        <pso:mobile><pso:number>4083485309</pso:number></pso:mobile>
        <pso:organization><pso:values locale="en"><pso:value>1</pso:value></pso:values></pso:organization>
        <pso:organizationUnit><pso:values locale="en"><pso:value>Sales</pso:value></pso:values></pso:organizationUnit>
        <pso:pager><pso:number>333</pso:number></pso:pager>
        <pso:password><pso:value>V2VsY29tZTE=</pso:value></pso:password>
        <pso:postalAddress><pso:value>Baker street 222</pso:value></pso:postalAddress>
        <pso:postalCode><pso:value>4081</pso:value></pso:postalCode>
        <pso:postOfficeBox><pso:value>333n</pso:value></pso:postOfficeBox>
        <pso:preferredLanguage>en-US</pso:preferredLanguage>
        <pso:state><pso:value>CA</pso:value></pso:state>
        <pso:street><pso:value>Baker</pso:value></pso:street>
        <pso:surname><pso:values locale="en"><pso:value>Smith</pso:value></pso:values></pso:surname>
        <pso:telephoneNumber><pso:number>6506072253</pso:number></pso:telephoneNumber>
        <pso:title><pso:values locale="en"><pso:value>Mr</pso:value></pso:values></pso:title>
        <pso:username><pso:value>jsmith</pso:value></pso:username>
      </pso:identity>
    </urn2:data>
  </urn1:addRequest>
  <urn1:modifyRequest executionMode="asynchronous">
    <urn2:psoID ID="9924000"/>
    <urn2:modification modificationMode="add">
      <urn2:component path="/identity" namespaceURI="http://www.w3.org/TR/xpath20"/>
      <urn2:data>
        <pso:identity>
          <pso:initials><pso:value>X Y</pso:value></pso:initials>
        </pso:identity>
      </urn2:data>
    </urn2:modification>
    <urn2:modification modificationMode="replace">
      <urn2:component path="/identity" namespaceURI="http://www.w3.org/TR/xpath20"/>
      <urn2:data>
        <pso:identity>
          <pso:localityName>
            <!--1 or more repetitions:-->
            <pso:value>new_locality</pso:value>
          </pso:localityName>
          <pso:homePhone>
            <!--1 or more repetitions:-->
            <pso:number>0123456789</pso:number>
          </pso:homePhone>
        </pso:identity>
      </urn2:data>
    </urn2:modification>
    <urn2:modification modificationMode="delete">
      <urn2:component path="/identity" namespaceURI="http://www.w3.org/TR/xpath20"/>
      <urn2:data>
        <pso:identity>
          <pso:pager><pso:number>333</pso:number></pso:pager>
        </pso:identity>
      </urn2:data>
    </urn2:modification>
  </urn1:modifyRequest>
  <urn1:deleteRequest executionMode="asynchronous" locale="en" policyURI="http://www.sample.com/string/string" requestID="string" returnData="identifier" targetID="string">
    <urn2:psoID ID="9924000"/>
  </urn1:deleteRequest>
  <urn1:resetPasswordRequest executionMode="asynchronous">
    <urn3:psoID ID="924000"/>
    <urn3:notificationData>
      <urn2:sendNotification>true</urn2:sendNotification>
      <urn2:sendNotificationTo>
        <urn2:emailAddress>john@mydomain.com</urn2:emailAddress>
      </urn2:sendNotificationTo>
    </urn3:notificationData>
  </urn1:resetPasswordRequest>
</urn1:batchRequest>
The response is as follows:
<urn:batchResponse xmlns:urn="urn:oasis:names:tc:SPML:2:0:batch" xmlns:urn1="urn:oasis:names:tc:SPML:2:0">
  <!--Zero or more repetitions:-->
  <urn:addResponse status="pending" requestID="1234"/>
  <urn:modifyResponse status="pending" requestID="2345"/>
  <urn:deleteResponse status="pending" requestID="3456"/>
  <urn:resetPasswordResponse status="success"/>
</urn:batchResponse>
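In a batch, the sub-responses come back in the order of the sub-requests, and the asynchronous ones carry the server-assigned requestID that a later statusRequest needs. The added Python example below (not Oracle's code, not part of this document) pairs each sub-response with its sub-request by position, collects the requestIDs that still have to be polled, and reports the cases a client must not ignore: a pending response without a requestID (it can never be polled), an operation answered by a response of a different kind, a count mismatch, and any status other than pending or success. The two messages are constructed after the batch shapes above, trimmed to the elements that matter; the request IDs are made up and the modifyResponse is deliberately missing its requestID so the check has something to report.

```python
"""Correlate an SPML batchResponse with the batchRequest that produced it.

Added example, not Oracle's code. Both messages are constructed after the
batch shapes shown on this page; request IDs are made up.
"""
import xml.etree.ElementTree as ET

BATCH_REQUEST = """<urn1:batchRequest processing="parallel" onError="resume"
    xmlns:urn1="urn:oasis:names:tc:SPML:2:0:batch" xmlns:urn2="urn:oasis:names:tc:SPML:2:0">
  <!--comments are dropped by the parser, as in the request above-->
  <urn1:addRequest requestID="?" executionMode="asynchronous"><urn2:data/></urn1:addRequest>
  <urn1:modifyRequest executionMode="asynchronous"><urn2:psoID ID="9924000"/></urn1:modifyRequest>
  <urn1:deleteRequest executionMode="asynchronous"><urn2:psoID ID="9924000"/></urn1:deleteRequest>
  <urn1:resetPasswordRequest executionMode="asynchronous"><urn2:psoID ID="924000"/></urn1:resetPasswordRequest>
</urn1:batchRequest>"""

# constructed: the modifyResponse has no requestID on purpose
BATCH_RESPONSE = """<urn:batchResponse xmlns:urn="urn:oasis:names:tc:SPML:2:0:batch">
  <urn:addResponse status="pending" requestID="1234"/>
  <urn:modifyResponse status="pending"/>
  <urn:deleteResponse status="pending" requestID="3456"/>
  <urn:resetPasswordResponse status="success"/>
</urn:batchResponse>"""


def _local(tag):
    """Strip the {namespace} part of an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def sub_elements(batch_xml, suffix):
    """Direct children of the batch element whose local name ends with suffix."""
    root = ET.fromstring(batch_xml)
    return [c for c in root if _local(c.tag).endswith(suffix)]


def correlate(batch_request_xml, batch_response_xml):
    """Return (pending, findings).

    pending: [(responseName, requestID)] for operations still to be polled.
    findings: human-readable anomalies; an empty list means a clean batch.
    Pairing is by position because SPML batches answer in request order.
    """
    reqs = sub_elements(batch_request_xml, "Request")
    resps = sub_elements(batch_response_xml, "Response")
    pending, findings = [], []
    if len(reqs) != len(resps):
        findings.append(f"{len(reqs)} sub-requests but {len(resps)} sub-responses")
    for i, (req, resp) in enumerate(zip(reqs, resps)):
        op_req = _local(req.tag)[:-len("Request")]
        op_resp = _local(resp.tag)[:-len("Response")]
        status, rid = resp.get("status"), resp.get("requestID")
        if op_req != op_resp:
            findings.append(f"#{i}: {op_req}Request answered by {op_resp}Response")
        if status == "pending":
            if rid is None:
                findings.append(f"#{i}: {op_resp}Response is pending but carries no requestID, "
                                "so it cannot be polled with statusRequest")
            else:
                pending.append((f"{op_resp}Response", rid))
        elif status != "success":
            findings.append(f"#{i}: {op_resp}Response status={status} error={resp.get('error')}")
    return pending, findings


if __name__ == "__main__":
    to_poll, problems = correlate(BATCH_REQUEST, BATCH_RESPONSE)
    print("poll later:", to_poll)
    for p in problems:
        print("finding:", p)
```

Keeping the pending list together with the original sub-request is what makes the later statusRequest results attributable to a concrete add, modify or delete when the batch is reviewed afterwards.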