1 Introduction to Oracle Identity Manager Connectors

Oracle Identity Manager can be used as the single point of management for the IT resources in your organization. Oracle Identity Manager offers various solutions for integration with various kinds of resources. Oracle Identity Manager Connectors are the recommended integration solution.

An integration of a target system with Oracle Identity Manager is composed of two parts:

Together, reconciliation and provisioning are aimed at enabling Oracle Identity Manager to build an accurate picture of managed identities in all the target systems in the organization.

In data flow terms, provisioning provides the outward flow from Oracle Identity Manager. Provisioning is based on a “push” model, using which Oracle Identity Manager communicates changes to the target system. Reconciliation provides the inward flow into Oracle Identity Manager. Reconciliation is based on either a “push” or a “pull” model, using which Oracle Identity Manager finds out about any identity-related activity on the target system. Target systems that support the push model have features that enable them to send information about identity-related changes to third-party systems like Oracle Identity Manager. The pull model is used for target systems that do not support the push model. The pull model is implemented through periodic polling of the target system for identity-related changes.

This chapter contains the following sections:

1.1 Integration Solutions

Oracle Identity Manager provides a three-tier integration solutions strategy for integration with heterogeneous identity-aware IT systems. This three-tier strategy is designed to minimize custom development, maximize the reuse of code, and reduce deployment time. The three tiers are:

  • Out-of-the box integration using predefined connectors and predefined generic technology connector providers

  • Connectors created using custom generic technology connector providers

  • Custom connectors created using the Adapter Factory

Figure 1-1 illustrates the three-tier integration solutions strategy of Oracle Identity Manager.

Figure 1-1 Three-Tier Integration Solutions Strategy of Oracle Identity Manager

Description of Figure 1-1 follows
Description of "Figure 1-1 Three-Tier Integration Solutions Strategy of Oracle Identity Manager"

This section discusses the following topics:

1.1.1 Predefined Connectors

When a predefined connector is available for a target resource, it is the recommended integration method. Because a predefined connector is designed specifically for the target application, it offers the quickest integration method. Predefined connectors support popular business applications such as Oracle eBusiness Suite, PeopleSoft, Siebel, JD Edward and SAP, as well as technology applications such as Microsoft Active Directory, Java Directory Server, UNIX, databases, and RSA ClearTrust. Predefined connectors use target system recommended integration technologies and are preconfigured with target system-specific attributes.

1.1.2 Generic Technology Connectors

To integrate Oracle Identity Manager with a target system that has no corresponding predefined connector, you can create a custom connector to link the target system and Oracle Identity Manager. If you do not want to use the customization features of the Adapter Factory, then you can create the connector by using the Generic Technology Connector feature of Oracle Identity Manager.

See Also:

Part II, "Integration Solutions Features" of Oracle Identity Manager Administrative and User Console Guide for more information about generic technology connectors

1.1.3 Custom Connectors

If there is no technology interface or accessible user repository in the target system, then you can develop a custom connector for the target system. The Adapter Factory tool in the Design Console provides a definitional user interface that facilitates such custom development efforts without coding or scripting.

See Also:

The "Adapter Factory" section in Oracle Identity Manager Concepts and Oracle Identity Manager Design Console Guide for information about the Adapter Factory

1.2 Reconciliation

Oracle Identity Manager provides a centralized control mechanism to manage users and entitlements and to control user access to resources. However, you can choose not to use Oracle Identity Manager as the primary repository or the front-end entry point of your user accounts. Instead, you can use Oracle Identity Manager to periodically poll your target systems for maintaining an up-to-date profile of all accounts that exist on those systems. This is the reconciliation configuration of Oracle Identity Manager.

Note:

For some target systems, the reconciliation of updates to user data takes place in real time and does not require periodic polling of the target system by Oracle Identity Manager.

Figure 1-2 illustrates reconciliation.

Figure 1-2 Reconciliation Configuration

Description of Figure 1-2 follows
Description of "Figure 1-2 Reconciliation Configuration"

As shown in this figure, in the reconciliation configuration, Oracle Identity Manager is used only as a single updated store for all users and user groups data of the target system. Users are created, deleted, and maintained by local resource-specific administrators.

Reconciliation involves using the user discovery and account discovery features of Oracle Identity Manager.

The following sections provide more information about reconciliation:

1.2.1 Reconciliation Configuration Options

Configuring reconciliation involves selecting a combination of options from the following reconciliation parameters:

See "Sample Reconciliation Configurations" for examples of reconciliation configurations.

1.2.1.1 Reconciliation Type: Target Resource or Trusted Source

This section describes the reconciliation types, target resource and trusted source.

1.2.1.1.1 Target Resource Reconciliation

While configuring reconciliation, you can designate a target system as a target resource. In a target resource reconciliation run, resources assigned to OIM Users are synchronized with target system accounts of the same users.

The following example illustrates how target resource reconciliation works:

Suppose an account is created for user John Doe on Microsoft Active Directory. After the next target resource reconciliation run, the Microsoft Active Directory resource is allocated to the OIM User identity of John Doe. The attributes of the resource allocated to the OIM User have the same values as the attributes of the account created in Microsoft Active Directory.

If changes are made to the account in Microsoft Active Directory, then the same changes are made to the resource allocated to the OIM User during subsequent reconciliation runs.

Figure 1-3 illustrates the steps involved in target resource reconciliation.

Figure 1-3 Target Resource Reconciliation

Description of Figure 1-3 follows
Description of "Figure 1-3 Target Resource Reconciliation"

1.2.1.1.2 Trusted Source Reconciliation

While configuring reconciliation, you can designate a target system as a trusted source. The following example illustrates how trusted source reconciliation works.

Suppose an account is created for user John Doe on Microsoft Active Directory. After the next trusted source reconciliation run, an OIM User identity is created for John Doe. The attributes of the OIM User have the same values as the attributes of the account created in Microsoft Active Directory.

If changes are made to the account in Microsoft Active Directory, then the same changes are made to the OIM User during subsequent reconciliation runs.

Figure 1-4 illustrates the steps involved in trusted source reconciliation.

Figure 1-4 Trusted Source Reconciliation

Description of Figure 1-4 follows
Description of "Figure 1-4 Trusted Source Reconciliation"

In the operating environment of your organization, multiple target systems might act as trusted sources for the various attributes that constitute the user account. For example, employees' first names and last names might come from the HR system, and employees' e-mail addresses might come from Microsoft Active Directory. In such a scenario, you can configure each target system as a trusted source for a specific attribute or set of attributes of the user accounts. By doing this, you configure multiple trusted source reconciliation, which is a special implementation of trusted source reconciliation.

In another form of multiple trusted source reconciliation, you designate multiple target systems as trusted sources for user accounts belonging to specific user types. This is illustrated by the following example.

In the operating environment of your organization, Siebel is used to track transactions with customers. User accounts created for customers are grouped under the Customer user type. Sun Java System Directory is used to store information about employees in the form of user accounts that are grouped under the Employee user type. When you configure multiple trusted source reconciliation, you designate Siebel as the trusted source for all accounts of the Customer user type and you designate Sun Java System Directory as the trusted source for all accounts of the Employee user type.

In summary, multiple trusted source reconciliation can be implemented in one of the following forms:

  • Each target system is designated as the trusted source for a specific attribute or a set of attributes of the user account.

  • Each target system is designated as the trusted source for a particular user type.

1.2.1.2 Reconciliation Mode: Full or Incremental

You can use Oracle Identity Manager to perform full reconciliation with a target system. The purpose of this mode of reconciliation is to fetch all target system accounts for processing during reconciliation. Full reconciliation is performed by default during the first reconciliation run performed on a target system. The timestamp at which this reconciliation run begins is recorded in Oracle Identity Manager. For the next reconciliation run, accounts that have been added, modified, or deleted after the recorded time stamp are fetched for reconciliation. In other words, from the second reconciliation run onward, incremental reconciliation becomes the default reconciliation mode.

You can manually switch from incremental reconciliation to full reconciliation or from full reconciliation to incremental reconciliation.

1.2.1.3 Batched Reconciliation

During a reconciliation run, all changes in the target system records are reconciled into Oracle Identity Manager by default. Depending on the number of records to be reconciled, this process might take a long time to complete. In addition, if the connection breaks during reconciliation, then the process might take even more time. You can configure batched reconciliation to avoid such problems.

In batched reconciliation, the total set of records to be reconciled is divided into batches containing the number of records that you specify as the batch size.

There may be minute variations from connector to connector in the actual implementation of this feature. The following example illustrates how batched reconciliation works.

Suppose that Sun Java System Directory is configured as a target system in the operating environment of your organization. To configure batched reconciliation for this target system, you specify values for the following scheduled task attributes:

  • StartRecord: Use this attribute to specify the record number from which batched reconciliation must begin. Suppose you specify 120 as the value of this attribute.

  • BatchSize: Use this attribute to specify the number of records that must be included in each batch. Suppose you specify 50 as the value of this attribute.

  • NumberOfBatches: Use this attribute to specify the total number of batches that must be reconciled. Suppose you specify 6 as the value of this attribute.

At the start of the next reconciliation run, if there are 136 records to be reconciled, then these records will be divided into three batches of 50, 50, and 36 records and then each batch is reconciled into Oracle Identity Manager.

If you do not want to configure batched reconciliation, then do not specify a batch size. In this case, a nonbatched reconciliation will occur.

1.2.1.4 Limited Reconciliation

By default, all target system records that are added or modified after the previous reconciliation run are reconciled during the current reconciliation run. You can filter records for reconciliation by specifying the subset of newly added or modified records that must be reconciled. You implement this form of limited reconciliation by creating customized queries for reconciliation. The following example illustrates how limited reconciliation works:

For Sun Java System Directory, you implement limited reconciliation by specifying a customized query as the value of the CustomizedReconQuery IT resource parameter. The following are sample customized queries:

  • givenname=John&sn=Doe

    With this customized query, records of users whose first name is John and last name is Doe are reconciled.

  • givenname=John&sn=Doe|departmentnumber=033

    With this customized query, records of users who meet either of the following conditions are reconciled:

    • The user's first name is John and last name is Doe.

    • The user belongs to the department whose number is 033.

If you do not want to configure limited reconciliation, then do not specify a customized query, then a regular reconciliation takes place.

1.2.1.5 Periodic, On-Demand, or Real-Time Reconciliation

You can use Oracle Identity Manager for periodic, on-demand, or real-time reconciliation.

Note:

All connectors do not support all of these reconciliations.

Periodic reconciliation is reconciliation that is run at regular intervals. Typically, periodic reconciliation is scheduled using a scheduled task. For example, for a particular connector, you can schedule reconciliation to run on a daily, weekly, or monthly basis.

On-demand reconciliation refers to a reconciliation run that you start when required. Consider the following example:

Suppose you have scheduled reconciliation to run at 1:00 a.m. everyday. On a particular Saturday, major changes occurs are made in the target system, and these changes must be reconciled into Oracle Identity Manager immediately. In this situation, you can manually start the reconciliation run to copy the changes into Oracle Identity Manager.

Real-time reconciliation involves an immediate transfer of created or modified data from the target system to Oracle Identity Manager. Usually, this transfer of data is performed through a listener. Whenever data is created or modified on the target system, the target system sends the modified data to the listener. The listener parses this data and forwards it to Oracle Identity Manager.

1.2.1.6 Sample Reconciliation Configurations

As mentioned earlier, you configure reconciliation by selecting specific options from the reconciliation parameters discussed in the preceding sections. The following sample reconciliation configurations are supported in Oracle Identity Manager release 9.1.0:

Note:

Oracle Identity Manager Connectors release 9.1.0 can be deployed only on Oracle Identity Manager release 9.1.0..

  • Trusted source, full, batched, and regular reconciliation for a single target system. For example, Oracle e-Business Employee Reconciliation for all Oracle Identity Manager users.

  • Trusted source, incremental, and regular reconciliation for a single target system. For example, Oracle e-Business Employee Reconciliation for all Oracle Identity Manager users.

  • Target resource, full, and regular reconciliation. For example, IBM RACF for all user accounts.

  • Target resource, incremental, and batched reconciliation. For example, Lotus Notes for all user accounts.

In a multiple trusted source environment, the combination of the following reconciliation runs provides the complete user identity population of a single Oracle Identity Manager deployment.

  • Multiple trusted source, full, nonbatched, and limited (userType=Employee) reconciliation. For example, Oracle e-Business Employee Reconciliation used as a trusted source for only the Employee OIM User type.

  • Multiple trusted source, full, batched, and regular reconciliation. For example, Microsoft Active Directory used as a trusted source for only Contractor OIM User type.

1.2.2 Regular Reconciliation Events vs. Delete Reconciliation Events

Reconciliation events can be divided into two types depending on their expected behavior within Oracle Identity Manager. If the incoming data relates to an account that must be either created (because Oracle Identity Manager was not aware of it before) or updated (because Oracle Identity Manager has a record of it), then the reconciliation event is a regular reconciliation event.

If the input data relates to an account that must be marked as having been deleted (revoked), then the reconciliation event is a delete reconciliation event. There are two types of delete reconciliation events:

  • The data for deleting an account is provided and the Oracle Identity Manager locates the matching account based on existing rules.

  • The matching account record in Oracle Identity Manager is provided as the data for deleting an account.

The latter happens when the delete detection mechanism of reconciliation is employed. In both cases, if the accounts are matched, then the resource instance in Oracle Identity Manager is marked as revoked.

1.3 Provisioning

You can use Oracle Identity Manager to create, maintain, and delete users on target systems. In this configuration, Oracle Identity Manager acts as the front-end entry point for managing user data on the target systems. After accounts are provisioned, the users for whom the accounts have been provisioned can access the target systems without any interaction with Oracle Identity Manager. This is the provisioning configuration of Oracle Identity Manager. Figure 1-5 illustrates the provisioning configuration of Oracle Identity Manager.

Figure 1-5 Provisioning

Description of Figure 1-5 follows
Description of "Figure 1-5 Provisioning"

A provisioning operation can be started through any of the following ways:

  • Request-based provisioning

    In request-based provisioning, an individual creates a request for a target system account. The provisioning process is completed when an OIM User with the required privileges approves the request and provisions the target system account to the requester.

  • Policy-based provisioning

    This type of provisioning refers to resources being granted to users automatically through access policies. Access policies are used to define the association between user groups (or roles) and target resources. User groups are collections of users to whom you grant access to common functionality, such as access rights, roles, or permissions. You use user groups to create and collectively manage records of group members.

    You can also assign or remove membership rules to and from these groups. These rules define which users can be assigned to a particular user group. By default, each member of these user groups gets a predefined account in the target system. In addition, you can also use Oracle Identity Manager to create approval processes that can be run as part of the policy-based provisioning cycle.

    Sometimes, the introduction of or change to an access policy may entail changes in privileges assigned to users who meet the criteria specified in the policy. For example, suppose the following policy is introduced:

    All project managers working from the London office must have access to the SAP system.

    When this policy is introduced in Oracle Identity Manager, SAP user accounts are automatically provisioned to all project managers.

  • Direct provisioning

    This type of provisioning is a special administrator-only function in which an Oracle Identity Manager administrator provisions a resource to an OIM User. The workflow for this form of provisioning does not include the request and approval steps. You perform direct provisioning by using the Oracle Identity Manager Administrative and User Console.

1.4 Target System Configurations Enabled by a Connector

The type of operations that can be performed by using a connector depends on how you configure the target system:

1.4.1 Target System Configured As a Target Resource

When configured as a managed or target resource, you can provision target system accounts to OIM Users. In the Oracle Identity Manager context, these target system accounts are called resources that are assigned to OIM Users.

This section discusses connector operations that can be performed when the target system is configured as a target resource.

Lookup field synchronization involves copying data about additions or changes made to lookup field data on the target system into Oracle Identity Manager lookup fields. Lookup field synchronization is started using a scheduled task. For each lookup field in a particular target system, a lookup definition is created in Oracle Identity Manager. Oracle Identity Manager lookup fields are used during provisioning. During a lookup field synchronization run, additions or modifications to existing data in the target system lookup fields are replicated in the lookup definitions in Oracle Identity Manager.

The other actions that can be performed on a target resource are target resource reconciliation and provisioning. For target resource reconciliation, changes made to accounts on the target system itself can be reconciled into Oracle Identity Manager. In other words, resources in Oracle Identity Manager can be synchronized with changes made to the corresponding accounts on the target system. These activities constitute reconciliation.

During target resource reconciliation:

  • For a newly created target system identity that is fetched from the target system, a target resource account (resource object) is granted (provisioned) to the corresponding OIM User. This takes place only if an OIM User already exists for the target system identity.

  • For a modified target system identity that is fetched from the target system, the same modifications are made to its corresponding resource object provisioned to an entity in Oracle Identity Manager.

Typically, target systems like e-mail servers are designated as target resources.

Note:

A target resource can have a provisioning flow associated with it.

You can also create and manage resources on the target system through Oracle Identity Manager. These activities constitute provisioning. The purpose of provisioning is to automate the creation and maintenance of users on target systems. Provisioning is also used to accommodate any requirement for workflow approvals and auditing that can be a component of that provisioning life cycle.

See "Provisioning" for information about provisioning and the different types of provisioning operations that can be performed.

1.4.2 Target System Configured As a Trusted Source

A target system is known as a trusted source if it is used as the authoritative source for identity information about entities (both individuals and resources) in the organization. Each identity on a trusted source must correspond to a single OIM User on Oracle Identity Manager. An entity can have an account on other systems in the organization only if it has an account on the trusted source.

Note:

In the Oracle Identity Manager context, the term “OIM User” is used as a synonym for an Oracle Identity Manager identity created for a person.

During trusted source reconciliation:

  • For a newly created target system identity that is fetched from the target system, a corresponding OIM User is created in Oracle Identity Manager.

  • For a modified target system identity that is fetched from the target system, the same modifications are made to its corresponding OIM User.

  • If you specify certain attributes of a target system as trusted sources, then Oracle Identity Manager must be disabled from provisioning the same set of attributes in the target system.

Typically, target systems like HR systems and corporate directories are designated as trusted sources.