1 About the Connector

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with external, identity-aware applications. This guide discusses the connector that enables you to use SAP Enterprise Portal either as a managed (target) resource or as an authoritative (trusted) source of identity data for Oracle Identity Manager.

In the account management (target resource) mode of the connector, information about users created or modified directly on the target system can be reconciled into Oracle Identity Manager. In addition, you can use Oracle Identity Manager to perform provisioning operations on the target system.

In the identity reconciliation (trusted source) configuration of the connector, users are created or modified only on the target system and information about these users is reconciled into Oracle Identity Manager.

Note:

It is recommended that you do not configure the target system as both an authoritative (trusted) source and a managed (target) resource.

This chapter contains the following sections:

Note:

In this guide, the term Oracle Identity Manager host computer refers to the computer on which Oracle Identity Manager is installed.

At some places in this guide, SAP Enterprise Portal has been referred to as the target system.

Section 1.1, "Certified Components"
Section 1.2, "Certified Languages"
Section 1.3, "Connector Architecture"
Section 1.4, "Features of the connector"
Section 1.5, "Lookup Definitions Used During Connector Operations"
Section 1.6, "Connector Objects Used During Target Resource Reconciliation and Provisioning"
Section 1.7, "Connector Objects Used During Trusted Source Reconciliation"
Section 1.8, "Roadmap for Deploying and Using the Connector"

1.1 Certified Components

Table 1-1 lists the certified components for this connector.

Table 1-1 Certified Components

Item	Requirement
Oracle Identity Manager	You can use one of the following releases of Oracle Identity Manager: Oracle Identity Manager release 9.0.1 through 9.0.3.2 Oracle Identity Manager release 9.1.0.1 or later Note: In this guide, Oracle Identity Manager release 9.1.0.x has been used to denote Oracle Identity Manager release 9.1.0.1 and future releases in the 9.1.0.x series that the connector will support. Oracle Identity Manager 11g release 1 (11.1.1) Note: In this guide, Oracle Identity Manager release 11.1.1 has been used to denote Oracle Identity Manager 11g release 1 (11.1.1).
Target systems	The target system can be one of the following: SAP Enterprise Portal 7.0 This target system is also known as SAP NetWeaver 7.0. SAP Enterprise Portal 7.01 with SP3 Note: The SAP Enterprise Portal connector is an application developed using the UME APIs. It is published as a Web Service. The application follows SAP Enterprise Portal best practices and provides the library and deployment descriptor as part of a PAR file deployment. As mentioned in the SAP documentation, the security settings are defined in the portalapp.xml file. The connector requires that the safety level be set to `high_security`. There must be no SAP Enterprise Portal configuration overriding this setting. If you have deployed additional login modules, servlet filters, or other security extensions that override the security setting, then the connector will not work correctly.
Infrastructure requirements	SAP Enterprise Portal running on SAP Web Application Server (WAS) SAP User Management Engine (UME) 7.0 APIs must be available on the SAP Enterprise Portal Apache Axis Web Services Framework 1.3
JDK	The JDK version can be one of the following: For Oracle Identity Manager release 9.0.1 through 9.0.3.2, use JDK 1.4 or later in the 1.4 series. For Oracle Identity Manager release 9.1.0.x, use JDK 1.5 or later in the 1.5 series. For Oracle Identity Manager release 11.1.1, use JDK 1.6 or later in the 1.6 series.

1.2 Certified Languages

The connector supports the following languages:

Arabic
Chinese (Simplified)
Chinese (Traditional)
Danish
English
French
German
Italian
Japanese
Korean
Portuguese (Brazilian)
Spanish

1.3 Connector Architecture

The architecture of the connector is the blueprint for the functionality of the connector. Figure 1-1 shows the architecture of the connector.

Figure 1-1 Architecture of the Connector

Description of "Figure 1-1 Architecture of the Connector"

The connector can be configured to run in one of the following modes:

Note:

In Oracle Identity Manager release 11.1.1, a scheduled job is an instance of a scheduled task. In this guide, the term scheduled task used in the context of Oracle Identity Manager releases 9.0.1 through 9.0.3.2 and 9.1.0.x is the same as the term scheduled job in the context of Oracle Identity Manager release 11.1.1.

See Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager for more information about scheduled tasks and scheduled jobs.

Identity reconciliation

In the identity reconciliation mode, SAP Enterprise Portal is used as the trusted source and users are directly created and modified on it.

During reconciliation, a scheduled task establishes a connection with the target system and sends reconciliation criteria to the APIs. The APIs extract user records that match the reconciliation criteria and hand them over to the scheduled task, which brings the records to Oracle Identity Manager.

Each record fetched from the target system is compared with existing OIM Users. If a match is found, then the update made to the record on the target system is applied to the OIM User record. If no match is found, then the target system record is used to create an OIM User.
Account Management

In the account management mode, SAP Enterprise Portal is used as a target resource. The connector enables the target resource reconciliation and provisioning operations. Through provisioning operations performed on Oracle Identity Manager, user accounts are created and updated on the target system for OIM Users. During reconciliation from the target resource, the SAP Enterprise Portal connector fetches into Oracle Identity Manager data about user accounts that are created or modified on the target system. This data is used to add or modify resources allocated to OIM Users.

During provisioning operations, adapters carry provisioning data submitted through the process form to the target system. APIs on the target system accept provisioning data from the adapters, carry out the required operation on the target system, and return the response from the target system to the adapters. The adapters return the response to Oracle Identity Manager.

During reconciliation, a scheduled task establishes a connection with the target system and sends reconciliation criteria to the APIs. The APIs extract user records that match the reconciliation criteria and hand them over to the scheduled task, which brings the records to Oracle Identity Manager. The next step depends on the mode of connector configuration.

1.4 Features of the connector

The following are features of the connector:

Section 1.4.1, "Support for Both Target Resource and Trusted Source Reconciliation"
Section 1.4.2, "Support for Both Full and Incremental Reconciliation"
Section 1.4.3, "Support for Limited Reconciliation"
Section 1.4.4, "Support for Batched Reconciliation"

1.4.1 Support for Both Target Resource and Trusted Source Reconciliation

You can use the connector to configure SAP Enterprise Portal as either a target resource or trusted source of Oracle Identity Manager.

See Section 3.3, "Configuring Reconciliation" for more information.

1.4.2 Support for Both Full and Incremental Reconciliation

After you deploy the connector, you can perform full reconciliation to bring all existing user data from the target system to Oracle Identity Manager. After the first full reconciliation run, change-based or incremental reconciliation is automatically enabled from the next run of the user reconciliation.

You can perform a full reconciliation run at any time.

See Section 3.3.1, "Full Reconciliation vs. Incremental Reconciliation" for more information.

1.4.3 Support for Limited Reconciliation

You can set a reconciliation filter as the value of the CustomizedReconQuery attribute of the scheduled tasks. This filter specifies the subset of newly added and modified target system records that must be reconciled.

See Section 3.3.2, "Limited Reconciliation" for more information.

1.4.4 Support for Batched Reconciliation

You can break down a reconciliation run into batches by specifying the number of records that must be included in each batch.

See Section 3.3.3, "Batched Reconciliation" for more information.

1.5 Lookup Definitions Used During Connector Operations

During a provisioning operation, you use a lookup field on the process form to specify a single value from a set of values. For example, you use the Country lookup field to select a group name for the user's initial login group. When you deploy the connector, lookup definitions corresponding to the lookup fields on the target system are automatically created in Oracle Identity Manager. Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager.

The following lookup definitions are populated with values fetched from the target system by the SAPEP LookupRecon scheduled task:

Lookup.SAP.EP.Country
Lookup.SAP.EP.Groups
Lookup.SAP.EP.Language
Lookup.SAP.EP.Roles
Lookup.SAP.EP.TimeZone

Section 3.2, "Scheduled Task for Lookup Field Synchronization" provides information about this scheduled task.

1.6 Connector Objects Used During Target Resource Reconciliation and Provisioning

The following sections provide information about connector objects used during target resource reconciliation and provisioning:

1.6.1 User Attributes for Target Resource Reconciliation and Provisioning

Table 1-2 provides information about user attribute mappings for target resource reconciliation and provisioning.

Table 1-2 User Attributes for Target Resource Reconciliation and Provisioning

Process Form Field	Target System Attribute	Description
Street	street	Street name
City	city	City
State	state	State
Zip	zip	Zip
Country	country	Country
TimeZone	timezone	Time zone
Department	department	Department
ValidFrom	validFrom	Date from which the account on the target system is valid
ValidTo	validTo	Date up to which the account on the target system is valid
Locked	locked	Status of the account on the target system
UserID	userId	User ID
Password	password	Password
FirstName	firstname	First name
LastName	lastname	Last name
EmailID	email	E-mail address
Language	locale	Language
telephone	telephone	Telephone number
Fax	fax	Fax number
Mobile	mobile	Mobile phone number
Group	Group	Group name
Role	Role	Role name

1.6.2 Reconciliation Rule for Target Resource Reconciliation

The following is the process-matching rule:

Rule name: SAP EP Recon Rule

Rule element: User Login Equals User ID

In this rule:

User Login is one of the following:
- For Oracle Identity Manager releases 9.0.1 through 9.0.3.2:
  
  User ID attribute on the Xellerate User form
- For Oracle Identity Manager release 9.1.0.x or release 11.1.1:
  
  User ID attribute on the OIM User form
User ID is the User ID field of the account on SAP Enterprise Portal.

After you deploy the connector, you can view the reconciliation rule for target resource reconciliation by performing the following steps:

Note:

Perform the following procedure only after the connector is deployed.

Log in to the Oracle Identity Manager Design Console.
Expand Development Tools, and double-click Reconciliation Rules.
Search for SAP EP Recon Rule. Figure 1-2 shows the reconciliation rule for target resource reconciliation.

Figure 1-2 Reconciliation Rule for Target Resource Reconciliation

Description of "Figure 1-2 Reconciliation Rule for Target Resource Reconciliation"

1.6.3 Reconciliation Action Rules for Target Resource Reconciliation

Table 1-3 lists the action rules for target resource reconciliation.

Table 1-3 Action Rules for Target Resource Reconciliation

Rule Condition	Action
One Entity Match Found	Establish Link
One Process Match Found	Establish Link

Note:

No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See Oracle Identity Manager Design Console Guide for information about modifying or creating reconciliation action rules.

After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:

Log in to the Oracle Identity Manager Design Console.
Expand Resource Management, and double-click Resource Objects.
Search for and open the SAP EP Resource Object resource object.
Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 1-3 shows the reconciliation action rule for target resource reconciliation.

Figure 1-3 Reconciliation Action Rules for Target Resource Reconciliation

Description of "Figure 1-3 Reconciliation Action Rules for Target Resource Reconciliation"

1.6.4 Provisioning Functions

Table 1-4 lists the provisioning functions that are supported by the connector. The Adapter column gives the name of the adapter that is used when the function is performed.

Table 1-4 Provisioning Functions

Function	Adapter
Create User	SAPEPCREATEUSER
Update User	SAPEPMODIFYUSER
Delete User	SAPEPDELETEUSER
Reset Password	SAPEPPASSWORDCHANGE
Lock User	SAPEPLOCKUNLOCKUSER
UnLock User	SAPEPLOCKUNLOCKUSER
Add Role	SAPEPADDROLE
Add Group	SAPEPADDGROUP
Remove Role	SAPEPREMOVEROLE
Remove Group	SAPEPREMOVEGROUP

1.7 Connector Objects Used During Trusted Source Reconciliation

The following sections provide information about connector objects used during trusted source reconciliation:

Section 1.7.1, "User Attributes for Trusted Source Reconciliation"
Section 1.7.2, "Reconciliation Rule for Trusted Source Reconciliation"
Section 1.7.3, "Reconciliation Action Rules for Trusted Source Reconciliation"

1.7.1 User Attributes for Trusted Source Reconciliation

Table 1-5 lists user attributes for trusted source reconciliation.

Table 1-5 User Attributes for Trusted Source Reconciliation

OIM User Form Field	Target System Attribute	Description
User ID	UserLogin	User ID
First Name	First Name	First name
Last Name	Last Name	Last name
EmailID	E-mail address	E-mail address
User Type	User Type	User type
Organization	Organization	Organization

1.7.2 Reconciliation Rule for Trusted Source Reconciliation

The following is the process matching rule:

Rule name: Trusted Source recon Rule

Rule element: User Login Equals User ID

In this rule element:

User Login is one of the following:
- For Oracle Identity Manager releases 9.0.1 through 9.0.3.2:
  
  User ID attribute on the Xellerate User form
- For Oracle Identity Manager release 9.1.0.x or release 11.1.1:
  
  User ID attribute on the OIM User form
User ID is the user ID of the SAP Enterprise Portal account.

After you deploy the connector, you can view the reconciliation rule for target resource reconciliation by performing the following steps:

Note:

Perform the following procedure only after the connector is deployed.

Log in to the Oracle Identity Manager Design Console.
Expand Development Tools, and double-click Reconciliation Rules.
Search for Trusted Source Recon Rule. Figure 1-5 shows the reconciliation rule for trusted source reconciliation.

Figure 1-4 Reconciliation Rule for Trusted Source Reconciliation

Description of "Figure 1-4 Reconciliation Rule for Trusted Source Reconciliation"

1.7.3 Reconciliation Action Rules for Trusted Source Reconciliation

Table 1-6 lists the action rules for target resource reconciliation.

Table 1-6 Action Rules for Target Source Reconciliation

Rule Condition	Action
No Matches Found	Create User
One Entity Match Found	Establish Link
One Process Match Found	Establish Link

Note:

After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:

Log in to the Oracle Identity Manager Design Console.
Expand Resource Management.
Double-click Resource Objects.
Search for and open the Xellerate User resource object.
Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 1-5 shows the reconciliation action rules for trusted source reconciliation.

Figure 1-5 Reconciliation Action Rules for Trusted Source Reconciliation

Description of "Figure 1-5 Reconciliation Action Rules for Trusted Source Reconciliation"

1.8 Roadmap for Deploying and Using the Connector

The following is the organization of information in the rest of this guide:

Chapter 2, "Deploying the Connector" describes procedures that you must perform on Oracle Identity Manager and the target system during each stage of connector deployment.
Chapter 3, "Using the Connector" describes guidelines on using the connector and the procedure to configure reconciliation runs and perform provisioning operations.
Chapter 4, "Extending the Functionality of the Connector" describes procedures to perform if you want to extend the functionality of the connector.
Chapter 5, "Testing and Troubleshooting" describes the procedure that you must perform to test the connector. In addition, this chapter provides instructions for identifying and resolving some commonly encountered errors.
Chapter 6, "Known Issues" lists known issues associated with this release of the connector.