Oracle® Identity Manager Generic Technology Connector Administrator's Guide Release 9.0.3.1 Part Number B32445-02
This chapter introduces the generic technology connector concept and the features that Oracle Identity Manager provides for working with generic technology connectors.
This chapter is divided into the following sections:
Application-specific Oracle Identity Manager connectors are designed for target systems such as Microsoft Active Directory and PeopleSoft User Management. The architecture of such a connector is based on either the APIs that the target system supports or the data repository type and schema in which the target system stores identity data. This means that the connector is tightly integrated with its target system. The use of an application-specific connector is the preferred integration method if one is available for the target system.
Consider a scenario in which you use a provisioning system for which there is no corresponding application-specific connector. The following is an example of such a scenario:
All employees of Acme Inc. are allotted disk space on a backup server. An employee sends requests to the system administrator for managing the employee's account on the backup server. The system administrator has developed a Web-based application to capture, review, and act on requests from employees. The front end of this application is a Web service that accepts and stores data in CSV format. Employee account data stored in the back end can be exported as XML files to a specified location. The company has recently installed Oracle Identity Manager, and they want to set up the Web-based application as a target system.
Application-specific connector functionality does not support this scenario.
In such scenarios, you can create a custom connector to link the target system and Oracle Identity Manager. If the data format and data transport mechanism used by the target system can be converted to those supported by Oracle Identity Manager, then you can use Oracle Identity Manager to create the custom connector.
A custom connector created using Oracle Identity Manager is called a generic technology connector, because it is independent of the APIs that the target system supports and the data repository type and schema in which the target system stores identity data.
Note:
A single generic technology connector can be used as the link between Oracle Identity Manager and multiple target systems that support the same input and output data formats and data transport mechanisms.
A generic technology connector is a collection of components. A component provides a service that is used by another component, the target system, or Oracle Identity Manager. Together, these components can be linked to support a wide variety of data formats and data transport mechanisms.
In this guide, the components that constitute a generic technology connector are called providers.
The following figure shows the provider-level architecture of a generic technology connector.
Oracle Identity Manager supports the following provider types:
Reconciliation Transport provider
This provider carries reconciliation data from the target system to Oracle Identity Manager. The manner in which a Reconciliation Transport provider carries reconciliation data depends on the implementation of the provider. For example, a provider can read data from a file, accept data from a Web service, or query a database.
Reconciliation Format provider
This provider parses a target system message (containing reconciliation data fetched by the Reconciliation Transport provider) into data structures that can be stored in Oracle Identity Manager.
Validation provider
This provider validates data received from the Reconciliation Format provider before passing it on to the reconciliation engine of Oracle Identity Manager. You can define the rules that the Validation provider uses to validate reconciliation data.
Provisioning Format provider
This provider converts Oracle Identity Manager provisioning data into a format that is supported by the target system.
Provisioning Transport provider
This provider carries provisioning data from the Provisioning Format provider to the target system.
A data set is a representation of data that is at a particular stage of transit between the target system and Oracle Identity Manager. Data sets can be visualized as data structures arranged in the form of layers, with data flowing from one layer to another during provisioning and reconciliation. Oracle Identity Manager provides features that enable you to specify the fields that constitute these data sets.
The following data set definitions are supported:
Source data set
This is data that has been extracted from the target system by the Reconciliation Transport provider and processed by the Reconciliation Format provider.
Reconciliation Staging data set
This is source data that has been processed by the Validation provider before it is used to populate the reconciliation fields and passed to the reconciliation engine.
This is user account information that is stored in the process form fields of Oracle Identity Manager.
This is the metadata (identity data attributes) that defines the OIM User account. This data set cannot have child data sets.
This is the data that is sent to the Provisioning Format provider for conversion into a structure that can be accepted by the target system.
While defining data sets, you can also define:
Mappings between fields of different data sets
A mapping serves one of the following purposes:
Establishes a data flow path between fields of two data sets, for either provisioning or reconciliation
Creates a basis for comparing (matching) field values of two data sets
Validations to be performed on data that is fetched from the target system
In this guide, the term generic technology connector framework refers to the Oracle Identity Manager module that is used to create and work with generic technology connectors.
The following is a summary of the features offered by the generic technology connector framework:
Data set definition and modification
You can create data sets to represent the structure of data at various stages of transit between the target system and Oracle Identity Manager. You can define parent data sets and child data sets.
Note:
A child data set holds multivalued identity attributes. Each record of a child data set is uniquely related to a single record of the corresponding parent data set.
For example, suppose a parent data set holds information such as the last name, e-mail address, and employee ID of users in a company. This parent data set can have a child data set that holds information about group membership of the users. Each child data set record can contain an employee ID, group ID, group name, and group membership expiry date.
While defining data sets, you can also define mappings between the fields that constitute the various data sets.
Reconciliation can be either full or incremental
While creating a generic technology connector, you can specify that you want to use the connector for full or incremental reconciliation.
In incremental reconciliation, only those target system records that have changed after the last reconciliation run are reconciled (stored) into Oracle Identity Manager.
In full reconciliation, all the reconciliation records are extracted from the target system. However, the optimized reconciliation feature identifies and ignores records that have already been reconciled in Oracle Identity Manager. This helps reduce the space occupied by reconciliation data. If this feature were not present, then the amount of data stored in the Oracle Identity Manager database would increase rapidly with each reconciliation run.
Batched reconciliation
You can specify a batch size for reconciliation. By doing this, you can break into batches the total number of records that the reconciliation engine fetches from the target system during each reconciliation run. This feature provides more control over the reconciliation process.
Failure threshold for stopping reconciliation
During reconciliation, Validation providers can be used to run checks on target system data before it is stored in Oracle Identity Manager. You can use this feature to automatically stop a reconciliation run if the percentage of processed records that fail the validation checks exceeds a specified threshold.
Management of generic technology connectors
You can modify, export, and import generic technology connectors.
Multilanguage support
The generic technology connector framework has been designed to handle non-ASCII data.
Using a single generic technology connector for multiple target systems
You can use a single generic technology connector for multiple target systems that support the same data format and data transport mechanism.
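The following is an added illustration, not code from Oracle Identity Manager, of how the provider chain and the reconciliation features described above fit together: a Reconciliation Transport provider hands over a CSV message (as in the Acme scenario), a Reconciliation Format provider parses it into Source data set records, a Validation provider filters them into the Reconciliation Staging data set, and the run is incremental, batched, and stopped when the failure threshold is exceeded. The CSV sample, the provider function names, and the choice to check the threshold after each batch are assumptions made for this example.

```python
import csv
import io
import re

# Constructed sample message: what the transport provider might fetch from the
# Acme backup-server Web service. Row 1003 carries a malformed e-mail address.
SAMPLE_CSV = """employee_id,last_name,email,last_modified
1001,Smith,smith@acme.example,2007-03-01
1002,Jones,jones@acme.example,2007-03-05
1003,Lee,not-an-address,2007-03-06
1004,Khan,khan@acme.example,2007-02-20
"""

def transport_provider(raw):
    """Reconciliation Transport provider: delivers the raw target system message."""
    return raw

def format_provider(message):
    """Reconciliation Format provider: parses CSV into Source data set records."""
    return list(csv.DictReader(io.StringIO(message)))

def validation_provider(record):
    """Validation provider: rules a record must pass before reaching the engine."""
    email_ok = re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", record["email"])
    return bool(record["employee_id"].isdigit() and email_ok)

def reconcile(raw, last_run, batch_size, fail_threshold_pct):
    """One reconciliation run. Returns (staging records, stopped_early).

    last_run is an ISO date; only records modified after it are reconciled
    (incremental reconciliation). Records are processed in batches, and the
    run stops once the failure percentage exceeds fail_threshold_pct."""
    source = format_provider(transport_provider(raw))
    changed = [r for r in source if r["last_modified"] > last_run]
    staging, processed, failed = [], 0, 0
    for start in range(0, len(changed), batch_size):
        for rec in changed[start:start + batch_size]:
            processed += 1
            if validation_provider(rec):
                staging.append(rec)  # Reconciliation Staging data set
            else:
                failed += 1
        # Assumption for this example: the threshold is evaluated per batch.
        if 100.0 * failed / processed > fail_threshold_pct:
            return staging, True
    return staging, False
```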
Note:
This release of the generic technology connector does not support trusted source reconciliation.
The following is an overview of the remaining chapters and appendixes of this guide:
Chapter 2, "Creating Generic Technology Connectors"
This chapter provides conceptual and procedural information about creating generic technology connectors.
Chapter 3, "Managing Generic Technology Connectors"
This chapter provides procedural information about modifying, exporting, and importing generic technology connectors.
Chapter 4, "Standard Features of the Generic Technology Connector Framework"
This chapter explains the features that generic technology connectors share with application-specific connectors.
This chapter provides solutions to some commonly encountered problems associated with using generic technology connectors for reconciliation and provisioning.
This chapter explains the limitations of the generic technology connector framework in this release of Oracle Identity Manager. Most of these limitations are also covered at appropriate places in the rest of the guide.
Appendix A, "Predefined Providers Shipped with Oracle Identity Manager"
This appendix provides information about the predefined providers.
Appendix B, "Connector Objects Created by the Generic Technology Connector Framework"
This appendix provides information about the connector objects that are automatically created by the generic technology connector framework.
Appendix C, "Validations Applied When Data Set Fields Are Added or Modified"
This appendix lists the validations that are applied when you add or modify fields of data sets.
Related Documentation on Connectors
The following guides provide additional information about connectors and the features that Oracle Identity Manager provides for working with connectors:
Oracle Identity Manager Connector Framework Guide
Refer to this guide for generic information about Oracle Identity Manager connectors. You can access this guide from the Oracle Identity Manager Connector Pack documentation library.
Oracle Identity Manager Glossary of Terms
This is a glossary of frequently used terms related to Oracle Identity Manager. You can access this guide from the Oracle Identity Manager documentation library.
Oracle Identity Manager Administrative and User Console Guide
Refer to this guide for information about using Administrative and User Console features that are not discussed in the following chapters. This information includes the procedures to perform reconciliation and provisioning. You can access this guide from the Oracle Identity Manager documentation library.
Oracle Identity Manager Design Console Guide
Refer to this guide for additional information about Design Console procedures discussed in Chapter 2. You can access this guide from the Oracle Identity Manager documentation library.