About the Oracle Directory Provisioning Integration Service

This section describes how the components of an Oracle Directory Provisioning Integration Service environment interact throughout the provisioning process. It contains these topics:

• About Provisioning

• How the Oracle Directory Provisioning Integration Service Retrieves Changes from Oracle Internet Directory

• How an Application Registers with the Oracle Directory Provisioning Integration Service

• How an Application Receives Provisioning Information from Oracle Internet Directory

• How Oracle Internet Directory Receives Provisioning Information from an Application

• How an Application Unsubscribes from the Oracle Directory Provisioning Integration Service

About Provisioning

Provisioning involves:

• Applications subscribing to receive changes to particular data in the directory

• The directory sending those changes to the subscribing applications

At times, you may want to synchronize all entities in an application-specific directory with those in the central directory, but provision the application to receive notification about only some of them. For example, the directory for Oracle Human Resources typically contains data for all employees in an enterprise, and you would probably want to synchronize all of that data with the central directory. However, you might want to provision a given application to be notified only when members join or leave a particular group.

When it is first installed, an application subscribes to provisioning by creating a provisioning profile in the directory. There must be a profile for each application in each identity management realm.

Provisioning Procedures

In a directory-enabled environment, provisioning involves:

1. Creating the user in the central directory

2. Enrolling the user in the application--that is, creating application-specific user accounts and entitlements

3. Synchronizing those accounts and entitlements with the central directory

For example, provisioning a user to access an e-mail application involves:

1. Creating the user in the central directory

2. Enrolling the user in the e-mail application. This involves setting up an e-mail account and quota for that user and creating the necessary public folders.

3. Synchronizing the user information in the e-mail application with that in the central directory

You can change information for users, groups, and user subscriptions from any of the following:

• Oracle Delegated Administration Services

• Oracle Human Resources or other applications integrated with the Oracle Directory Integration and Provisioning platform

• Oracle Directory Manager

• Oracle Enterprise Manager tools--for example, Enterprise Security Manager

User Enrollment in Applications

User enrollment in an application can happen either automatically or manually.

Automatic Enrollment

This method is sometimes called "on-demand enrollment." Instead of continuously synchronizing with the central directory, the application creates the user footprint when the user first accesses the application. Oracle Application Server Single Sign-On uses this method to enroll a user accessing an application.

Manual Enrollment

In this method, an administrator provides application-specific information by using an application-specific administrative tool.

For example, you might want users to obtain their manager's approval before enrollment. In this case, rather than use on-demand enrollment, you might want the application administrator, after the necessary approvals are complete, to enroll the user manually.

Provisioning Information

Provisioning a user typically involves creating two kinds of information:

• Shared user metadata in Oracle Internet Directory

  This data includes the user's identity, credentials, profiles, and preferences. It is represented by standard directory user attributes--for example, mailing address or language preferences.

• Application-specific user data in the application

  This could include, for example, data in the user's e-mail message folder, or, for the calendaring application, the user's appointment data. It is typically represented by using application-specific conventions either in the directory or in application-specific repositories.

How the Oracle Directory Provisioning Integration Service Retrieves Changes from Oracle Internet Directory

In an Oracle Directory Provisioning Integration Service environment:

• Oracle Internet Directory acts as the central repository for all information for users, groups, and user subscriptions.

• Applications subscribe to receive the provisioning events by creating provisioning profiles in the directory.

• The Oracle Directory Provisioning Integration Service monitors Oracle Internet Directory for any changes to relevant information, and conveys these changes to applications in the form of provisioning events.

To retrieve changes from Oracle Internet Directory, the Oracle Directory Provisioning Integration Service subscribes to the Oracle Internet Directory change log. The changes in the change log are filtered so that only the needed changes get passed to the applications. If an application is interested only in the events of a particular subtree, then the Oracle Directory Provisioning Integration Service notifies it of those changes only.

Figure 34-1 shows the relation between components in an Oracle Directory Provisioning Integration Service environment.

Figure 34-1 Typical Deployment of The Oracle Directory Provisioning Integration Service Environment

Text description of the illustration oidag073.gif

As Figure 34-1 shows:

• Oracle Internet Directory acts as the central repository for all information for users, groups, and user subscriptions

• Various components can add, modify, or delete user, group and user subscription entries in Oracle Internet Directory. These components are:
  • Oracle Directory Integration and Provisioning platform synchronizing with, for example, Oracle Human Resources or other repositories

  • The Oracle Delegated Administration Services

  • Oracle Directory Manager

  • Oracle Enterprise Manager tools--for example, the Enterprise Security Manager

  The Oracle Internet Directory change log records these changes.

• The Oracle Directory Provisioning Integration Service retrieves changes to information for users, groups, and user subscriptions from Oracle Internet Directory. It then sends those changes to subscribed applications. In this example, the applications are OracleAS Portal, Oracle Unified Messaging, Oracle Content Management Software Development Kit, and third-party enrollees.

How an Application Registers with the Oracle Directory Provisioning Integration Service

After the application is installed and an application identity has been created in Oracle Internet Directory, application registration with the Oracle Directory Provisioning Integration Service can occur in one of two ways:

• The application registers itself automatically during application installation by using the Provisioning Subscription Tool

• The administrator manually registers it by using the Provisioning Subscription Tool.

This registration information includes:

• The host name and port number of the Oracle directory server instance

• The user name and password of the Oracle Internet Directory user

• Information to register the application with Oracle Internet Directory

• Information to register the database connect information with Oracle Internet Directory

• Information for the Oracle Directory Provisioning Integration Service to service the application--for example, the kind of changes required, or scheduling properties

  See Also: Appendix A, "Syntax for LDIF and Command-Line Tools" for instructions about how to use the Provisioning Subscription Tool

How an Application Receives Provisioning Information from Oracle Internet Directory

The Oracle Directory Provisioning Integration Service monitors Oracle Internet Directory for any changes to user, group or user subscription information. It conveys these changes to applications in the form of provisioning events.

Figure 34-3 shows how an application receives the provisioning events from Oracle Internet Directory.

Figure 34-2 How an Application Receives Provisioning Information by Using the Oracle Directory Provisioning Integration Service

Text description of the illustration oidag086.gif

Provisioning information is sent from Oracle Internet Directory to an application by using the following process:

1. The Oracle Directory Provisioning Integration Service obtains from Oracle Internet Directory any changes to the subscription information for that application.

2. The Oracle Directory Provisioning Integration Service translates the subscription information to account provisioning events, which it periodically sends to the application. This information is based on application-specific database connect information.

3. The Oracle Directory Provisioning Integration Service obtains from Oracle Internet Directory any changes to the information about identities.

4. The Oracle Directory Provisioning Integration Service translates the changes to the information about identities to identity provisioning events, which it periodically sends to the application.

How Oracle Internet Directory Receives Provisioning Information from an Application

The way Oracle Internet Directory receives provisioning information from an application is the reverse of the way an application receives it from Oracle Internet Directory. That latter process was described in the previous section, "How an Application Receives Provisioning Information from Oracle Internet Directory".

Figure 34-3 shows how an application sends notifications of provisioning events to Oracle Internet Directory.

Figure 34-3 How Oracle Internet Directory Receives Provisioning Information from an Application

Text description of the illustration oidag087.gif

Provisioning information is sent from an application to Oracle Internet Directory by using the following process:

1. The Oracle Directory Provisioning Integration Service obtains from the application any account provisioning events for that application.

2. The Oracle Directory Provisioning Integration Service translates the account provisioning events to subscription changes, which it periodically sends to Oracle Internet Directory.

3. The Oracle Directory Provisioning Integration Service obtains from the application any identity provisioning events for that application.

4. The Oracle Directory Provisioning Integration Service translates the identity provisioning events to identity changes, which it periodically sends to Oracle Internet Directory.

How an Application Unsubscribes from the Oracle Directory Provisioning Integration Service

You can unsubscribe an application from the Oracle Directory Provisioning Integration Service in one of two ways:

• Let the application de-install itself automatically

• Manually unsubscribe it by using the Provisioning Subscription Tool

  See Also: "The Provisioning Subscription Tool (oidprovtool) Syntax" for instructions about how to use the Provisioning Subscription Tool