Oracle® Identity Manager Connector Guide for PeopleSoft User Management
Release 9.1.0

Part Number E11206-04

1 About the Connector

Oracle Identity Manager automates access rights management, security, and provisioning of resources to various target systems. Oracle Identity Manager Connectors are used to integrate Oracle Identity Manager with target applications. This guide discusses the connector that enables you to use PeopleSoft Enterprise Applications as a managed (target) source of user data for Oracle Identity Manager.

Note:

In this guide, the term Oracle Identity Manager server refers to the computer on which Oracle Identity Manager is installed.

At some places in this guide, PeopleSoft Enterprise Applications has been referred to as the target system.

The PeopleSoft User Management connector helps you to manage PeopleTools-based PSOPRDEFN records in PeopleSoft applications including Role and Permission List assignments to these records. This is done through target resource reconciliation and provisioning.

In the target resource configuration, information about user accounts created or modified directly on the target system can be reconciled into Oracle Identity Manager. In addition, you can use Oracle Identity Manager to perform provisioning operations on the target system.

Note:

See Oracle Identity Manager Connector Concepts for detailed information about connector deployment configurations.

The connector supports reconciliation in two ways:

  • Full reconciliation

  • Incremental reconciliation

The "Connector Architecture" section discusses full and incremental reconciliation in detail.

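This chapter contains the following sections:

  • Certified Deployment Configurations

  • Features of the Connector

  • Certified Languages

  • Roadmap for Deploying and Using the Connector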

Note:

Information for the connector with the Remote Manager has been included in this guide wherever applicable. You can refer to this information if you use the connector with the Remote Manager.

1.1 Certified Deployment Configurations

Table 1-1 lists the certified deployment configurations.

Table 1-1 Certified Deployment Configurations

| Item | Requirement |
| --- | --- |
| Oracle Identity Manager | Oracle Identity Manager release 9.1.0 and later |
| | If your Oracle Identity Manager installation is running on JDK 1.5, then deploy the connector without the Remote Manager. If your Oracle Identity Manager installation does not run on JDK 1.5, then you must deploy the connector with the Remote Manager. See Oracle Identity Manager Release Notes for details about certified JDKs. |
| Target systems | This release of the connector supports PeopleTools 8.49. Note: The connector does not support the association of PeopleSoft CRM users with the EMP ID type. |
| | Ensure that the following components are installed and configured in the target system environment: Tuxedo and Jolt (the application server); PeopleSoft Internet Architecture; PeopleSoft Application Designer (2-tier mode) |


1.1.1 Determining the Version of PeopleTools and the Target System

Before you deploy the connector, you might want to determine the versions of PeopleTools and the target system that you are using, to check whether the combination is supported by this connector. To do so, perform the following steps:

  1. Open a Web browser and enter the URL of PeopleSoft Internet Architecture. The URL of PeopleSoft Internet Architecture is in the following format:

    http://SERVER_NAME/psp/ps/DATABASE_NAME/?cmd=login
    

    For example:

    http://psftserver.example.com/psp/ps/TestDB/?cmd=login
    
  2. Click Change My Password. On the page that is displayed, press CTRL+J. The versions of PeopleTools and the target system that you are using are displayed.

1.2 Features of the Connector

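This section discusses the following topics:

  • Connector Architecture

  • Lookup Field Synchronization

  • Target Resource Reconciliation

  • Provisioning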

1.2.1 Connector Architecture

Figure 1-1 shows the architecture of the connector.

Figure 1-1 Architecture of the Connector


The architecture of the connector can be explained in terms of the connector operations it supports:

1.2.1.1 Reconciliation

This connector supports reconciliation in two ways:

  • Full reconciliation

    A full reconciliation run involves fetching all the records in the target system and using them for reconciliation in Oracle Identity Manager by using a flat file. The PeopleSoft Application Engine program populates the flat file that contains all the user data separated by the specified delimiter (*). The flat file is then read by an Oracle Identity Manager scheduled task that generates reconciliation events.

    The PeopleSoft Application Engine program is run using PeopleSoft Internet Architecture.

    To reconcile all existing target system records into Oracle Identity Manager, you must run full reconciliation the first time you perform a reconciliation run after deploying the connector. This is to ensure that the target system and Oracle Identity Manager contain the same data. Oracle recommends that you run full reconciliation at periodic intervals to ensure that all user records are reconciled into Oracle Identity Manager. "Configuring Full Reconciliation" describes the procedure to configure full reconciliation.

  • Incremental reconciliation

    Incremental reconciliation involves real-time reconciliation of newly created or modified user data. You use incremental reconciliation to reconcile individual data changes after an initial, full reconciliation run has been performed. Incremental reconciliation is performed using PeopleSoft application messaging. "Configuring Incremental Reconciliation" describes the procedure to configure incremental reconciliation.

    Incremental reconciliation involves the following steps:

    1. When user data is added, updated, or deleted in the target system, a PeopleCode event is activated.

    2. The PeopleCode event generates an XML message containing the modified user data and sends it in real time to the PeopleSoft listener by using HTTP. If SSL is configured, then the PeopleSoft listener can also use HTTPS. The PeopleSoft listener is a Web application that is deployed on the Oracle Identity Manager host computer.

    3. The PeopleSoft listener parses the XML message and sends a reconciliation event to Oracle Identity Manager.
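
The listener step above takes XML from the network and turns it into a reconciliation event, so the parse is where input validation belongs. The following Python code is an added example, not the connector's listener: the UserChange root element, its operation attribute, the 64 KB cap and the flat element layout are assumptions, because this page does not show the message format; only the field names come from Table 1-3.

```python
from xml.parsers import expat

MAX_BYTES = 64 * 1024                      # assumed cap for one user message
OPERATIONS = {"add", "update", "delete"}   # step 1: added, updated, or deleted
# Single-valued PSOPRDEFN fields from Table 1-3 (table prefix omitted).
FIELDS = {"OPRID", "EMPLID", "OPRDEFNDESC", "MULTILANG", "LANGUAGE_CD",
          "CURRENCY_CD", "USERIDALIAS", "OPRCLASS"}


class RejectedMessage(ValueError):
    """Raised when a message must not become a reconciliation event."""


def to_recon_event(body: bytes) -> dict:
    if len(body) > MAX_BYTES:
        raise RejectedMessage("message too large")
    event, stack, text = {}, [], []

    def deny_dtd(*_):
        # No DOCTYPE means no entity declarations of any kind.
        raise RejectedMessage("DOCTYPE not allowed")

    def start(name, attrs):
        if not stack:
            if name != "UserChange" or attrs.get("operation") not in OPERATIONS:
                raise RejectedMessage("unexpected root or operation")
            event["operation"] = attrs["operation"]
        elif len(stack) > 1 or name not in FIELDS or name in event:
            raise RejectedMessage(f"unexpected element {name}")
        stack.append(name)
        text.clear()

    def end(name):
        stack.pop()
        if stack:                          # a field element just closed
            event[name] = "".join(text).strip()

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = deny_dtd
    parser.StartElementHandler = start
    parser.CharacterDataHandler = text.append
    parser.EndElementHandler = end
    try:
        parser.Parse(body, True)
    except expat.ExpatError as exc:
        raise RejectedMessage(f"malformed XML: {exc}") from None
    if not event.get("OPRID"):             # Table 1-3: User Id is mandatory
        raise RejectedMessage("missing mandatory User Id (OPRID)")
    return event


def rejection_reason(body: bytes):
    """Return the reason a message is refused, or None if it is accepted."""
    try:
        to_recon_event(body)
        return None
    except RejectedMessage as exc:
        return str(exc)


# Constructed sample messages (not captured PeopleSoft traffic).
SAMPLE_OK = (b'<UserChange operation="update"><OPRID>JDOE</OPRID>'
             b'<EMPLID>E1001</EMPLID><LANGUAGE_CD>ENG</LANGUAGE_CD></UserChange>')
SAMPLE_DTD = (b'<!DOCTYPE UserChange [<!ENTITY x "y">]>'
              b'<UserChange operation="add"><OPRID>&x;</OPRID></UserChange>')
```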

1.2.1.2 Provisioning

During a provisioning operation, the adapters pass on user data that is created, modified, or deleted on Oracle Identity Manager to PeopleSoft Enterprise Applications.

1.2.1.3 Architecture of the Connector With the Remote Manager

Figure 1-2 shows the architecture of the connector with the Remote Manager.

Figure 1-2 Architecture of the Connector with the Remote Manager


PeopleSoft does not support JDK versions earlier than 1.5. Your Oracle Identity Manager installation might be running on JDK 1.4.2. To make your Oracle Identity Manager installation compatible with the target system, you must use the connector with the Remote Manager. If the Oracle Identity Manager environment does not match the target system environment, then the Remote Manager provides an environment that is compatible for both, in this case, JDK 1.5.

Another reason for using the Remote Manager is that you might be running different versions of the target system in which the target libraries vary between the versions. As a result, the different versions of the API conflict with each other. In this scenario, the Remote Manager is used to provide individual JVMs, each containing only a single version of the conflicting libraries.

Note:

This release of the connector supports only one version, PeopleTools 8.49.

When the connector supports multiple versions of a target system, it must be able to support all versions simultaneously. If this is not possible (for example, because of conflicting target libraries), Oracle recommends that you use the Remote Manager in such a way that each Remote Manager can manage one specific target version.

1.2.2 Lookup Field Synchronization

During a provisioning operation, you use a lookup field to specify a single value from a set of values. When you deploy the connector, lookup definitions corresponding to the lookup fields on the target system are created in Oracle Identity Manager. Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager.

Note:

As an implementation best practice, lookup fields should be synchronized before you perform reconciliation or provisioning operations.

Table 1-2 lists the lookup fields that are synchronized with their corresponding lookup definitions in Oracle Identity Manager.

Table 1-2 Lookup Fields That Are Synchronized

| Lookup Definition | Target System Lookup Field | Synchronization Method |
| --- | --- | --- |
| Lookup.PSFTUM.LanguageCode. For the connector with the Remote Manager: Lookup.PSFTUM_RM.LanguageCode | LanguageCode | You use the PSFT UM LookUp Reconciliation scheduled task to synchronize this lookup definition. For the connector with the Remote Manager, you use the PSFT UM_RM LookUp Reconciliation scheduled task to synchronize this lookup definition. |
| Lookup.PSFTUM.CurrencyCode. For the connector with the Remote Manager: Lookup.PSFTUM_RM.CurrencyCode | CurrencyCode | You use the PSFT UM LookUp Reconciliation scheduled task to synchronize this lookup definition. For the connector with the Remote Manager, you use the PSFT UM_RM LookUp Reconciliation scheduled task to synchronize this lookup definition. |
| Lookup.PSFTUM.PermissionList. For the connector with the Remote Manager: Lookup.PSFTUM_RM.PermissionList | PermissionList | You use the PSFT UM LookUp Reconciliation scheduled task to synchronize this lookup definition. For the connector with the Remote Manager, you use the PSFT UM_RM LookUp Reconciliation scheduled task to synchronize this lookup definition. |
| Lookup.PSFTUM.EmailType. For the connector with the Remote Manager: Lookup.PSFTUM_RM.EmailType | EmailTypes | You use the PSFT UM LookUp Reconciliation scheduled task to synchronize this lookup definition. For the connector with the Remote Manager, you use the PSFT UM_RM LookUp Reconciliation scheduled task to synchronize this lookup definition. |
| Lookup.PSFTUM.Roles. For the connector with the Remote Manager: Lookup.PSFTUM_RM.Roles | UserRoles | You use the PSFT UM LookUp Reconciliation scheduled task to synchronize this lookup definition. For the connector with the Remote Manager, you use the PSFT UM_RM LookUp Reconciliation scheduled task to synchronize this lookup definition. |


1.2.3 Target Resource Reconciliation

Target resource reconciliation involves fetching data about newly created or modified users on the target system and using this data to add or modify resources assigned to OIM Users.

See Also:

"Target Resource Reconciliation" in Oracle Identity Manager Connector Concepts for conceptual information about target resource reconciliation

Note:

If you delete a user from the target system, then the data of the deleted user is reconciled into Oracle Identity Manager through the Delete Reconciliation scheduled task.

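This section discusses the following topics:

  • User Fields for Target Resource Reconciliation

  • Reconciliation Rules

  • Reconciliation Action Rules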

1.2.3.1 User Fields for Target Resource Reconciliation

Table 1-3 lists the target system fields whose values are fetched during a target resource reconciliation run.

Table 1-3 Fields Used for Target Resource Reconciliation

| OIM PeopleSoft UM Resources Process Form Field | Target System Field | Description |
| --- | --- | --- |
| Single-Valued Fields | | |
| User Id | PSOPRDEFN.OPRID | Login ID of the user profile. This is a mandatory field. |
| Employee Id | PSOPRDEFN.EMPLID | Employee ID of the employee to which the user profile will be assigned |
| User Description | PSOPRDEFN.OPRDEFNDESC | Description of the user profile |
| Multi Language Code | PSOPRDEFN.MULTILANG | Multilanguage code |
| Language Code | PSOPRDEFN.LANGUAGE_CD | Language code |
| Currency Code | PSOPRDEFN.CURRENCY_CD | Currency code |
| User Id Alias | PSOPRDEFN.USERIDALIAS | Alias of user login ID |
| Row Security Permission List | PSOPRDEFN.ROWSECCLASS | Row security parameter |
| Process Profile Permission List | PSOPRDEFN.PRCSPRFLCLS | Process profile parameter |
| Navigator Home Permission List | PSOPRDEFN.DEFAULTNAVHP | Navigator home page address |
| Primary Permission List | PSOPRDEFN.OPRCLASS | Primary permission list |
| Primary Email Address | PSUSEREMAIL.EMAILID | E-mail address (primary e-mail account) |
| Primary Email Type | PSUSEREMAIL.EMAILTYPE | Email type (primary e-mail account) |
| Multivalued Field | | |
| RoleName | PSROLEUSER_VW.ROLENAME | The role name that is assigned to the user profile |
| Email Address, Email Type. Note: To specify the e-mail address for an account, you must also specify the e-mail type of that e-mail address. | PSUSEREMAIL.EMAILID, PSUSEREMAIL.EMAILTYPE | E-mail address, E-mail type |


Note:

The name of the process form in the first column of the preceding table is UD_PSFT_BAS. For the connector with the Remote Manager, the name of this process form is UD_PSFT_RM.

1.2.3.2 Reconciliation Rules

The following are the reconciliation rules for target resource reconciliation:

Rule Name: PSFT UM Target Res rule

Rule Element: User Login Equals Users.Oprid

For the connector with the Remote Manager:

Rule Name: PSFT UM Remote Recon Rule

Rule Element: User Login Equals Users.Oprid

In these rules:

  • User Login is the User Id field on the OIM User form.

  • Users.Oprid is the User Id field of the user profile on the target system.

To access the reconciliation rules:

Note:

Perform the following procedure only after the connector is deployed.

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Development Tools.

  3. Double-click Reconciliation Rules.

  4. Locate PSFT UM Target Res rule. For the connector with the Remote Manager, locate PSFT UM Remote Recon Rule.

See Also:

Oracle Identity Manager Design Console Guide for information about modifying reconciliation rules

1.2.3.3 Reconciliation Action Rules

Table 1-4 lists the reconciliation action rules for target resource reconciliation:

Table 1-4 Action Rules for Target Resource Reconciliation

| Rule Condition | Action |
| --- | --- |
| No Matches Found | Assign to Administrator With Least Load |
| One Entity Match Found | Establish Link |
| One Process Match Found | Establish Link |


To access the reconciliation action rules for target resource reconciliation:

Note:

Perform the following procedure only after the connector is deployed.

  1. Log in to the Oracle Identity Manager Design Console.

  2. Expand Resource Management.

  3. Double-click Resource Objects.

  4. Locate the PSFT_UM_RO resource object. For the connector with the Remote Manager, locate the PSFTUM_RM resource object.

  5. Click the Object Reconciliation tab, and then the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector.

See Also:

Oracle Identity Manager Design Console Guide for information about modifying reconciliation action rules

Note:

For any rule condition that is not predefined for this connector, Oracle Identity Manager will neither perform any action nor log an error.
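
The following Python code is an added example (not Oracle's code) that follows one full-reconciliation flat file through the rule "User Login Equals Users.Oprid" and the action rules in Table 1-4, and collects the records covered by the preceding note, for which no action is taken and no error is logged. Assumptions: the column order of the flat file, exact string comparison, and checking process matches before entity matches are not stated on this page; all sample values are constructed.

```python
import csv
import io
from collections import Counter

# Assumed column order; Table 1-3 names the fields, not the file layout.
COLUMNS = ["OPRID", "EMPLID", "OPRDEFNDESC", "LANGUAGE_CD", "OPRCLASS"]

# Table 1-4: the only rule conditions predefined for this connector.
ACTION_RULES = {
    "No Matches Found": "Assign to Administrator With Least Load",
    "One Entity Match Found": "Establish Link",
    "One Process Match Found": "Establish Link",
}

def parse_flat_file(text, delimiter="*"):
    """Split the export into (records, rejects)."""
    records, rejects = [], []
    reader = csv.reader(io.StringIO(text), delimiter=delimiter)
    for lineno, row in enumerate(reader, 1):
        if not row:
            continue
        rec = dict(zip(COLUMNS, (value.strip() for value in row)))
        # A delimiter inside a value shifts every later column, so a wrong
        # field count (or an empty mandatory User Id) rejects the whole row.
        if len(row) != len(COLUMNS) or not rec["OPRID"]:
            rejects.append((lineno, delimiter.join(row)))
        else:
            records.append(rec)
    return records, rejects

def condition_for(oprid, oim_logins, linked):
    """Apply 'User Login Equals Users.Oprid' (exact match assumed)."""
    if linked[oprid] == 1:          # one existing resource instance
        return "One Process Match Found"
    if linked[oprid] > 1:           # not a condition listed in Table 1-4
        return "multiple process matches"
    if oprid in oim_logins:         # OIM User whose User Login equals OPRID
        return "One Entity Match Found"
    return "No Matches Found"

def reconcile(text, oim_logins, linked_user_ids):
    """Return ([(OPRID, condition, action-or-None)], rejects)."""
    records, rejects = parse_flat_file(text)
    logins, linked = set(oim_logins), Counter(linked_user_ids)
    events = []
    for rec in records:
        cond = condition_for(rec["OPRID"], logins, linked)
        events.append((rec["OPRID"], cond, ACTION_RULES.get(cond)))
    return events, rejects

def unhandled(events):
    """Events with no predefined rule: no action taken, nothing logged."""
    return [event for event in events if event[2] is None]

# Constructed sample data (not from a real system).
SAMPLE_FLAT_FILE = (
    "JDOE*E1001*John Doe*ENG*PL_BASIC\n"
    "ASMITH*E1002*Ann Smith*ENG*PL_BASIC\n"
    "SVC_BATCH**Batch account*ENG*PL_BASIC\n"
    "DUPUSER*E1003*Provisioned twice*ENG*PL_BASIC\n"
    "MLEE*E1004*Lee * contractor*ENG*PL_BASIC\n"
)
SAMPLE_OIM_LOGINS = ["JDOE", "ASMITH", "DUPUSER", "MLEE"]
SAMPLE_LINKED_USER_IDS = ["JDOE", "DUPUSER", "DUPUSER"]

if __name__ == "__main__":
    events, rejects = reconcile(SAMPLE_FLAT_FILE, SAMPLE_OIM_LOGINS,
                                SAMPLE_LINKED_USER_IDS)
    for event in events:
        print(event)
    print("unhandled:", unhandled(events))
    print("rejected rows:", rejects)
```

SVC_BATCH is the case worth reviewing by hand: an account that exists on the target system with no matching OIM User. DUPUSER and the rejected MLEE row show where records can drop out of a run without any action, so a count of both belongs in the post-run checks.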

1.2.4 Provisioning

Provisioning involves creating, modifying, or deleting a user's account information on the target system through Oracle Identity Manager.

See Also:

"Deployment Configurations of Oracle Identity Manager" in Oracle Identity Manager Connector Concepts for conceptual information about provisioning

This section discusses the following topics:

  • User Provisioning Functions Supported by the Connector

  • User Fields for Provisioning

1.2.4.1 User Provisioning Functions Supported by the Connector

Table 1-5 lists the supported user provisioning functions and the adapters that perform these functions. The functions listed in the table correspond to either a single or multiple process tasks.

See Also:

Oracle Identity Manager Connector Concepts for generic information about process tasks and adapters

Table 1-5 User Provisioning Functions Supported by the Connector

| Function | Adapter |
| --- | --- |
| Create a user | adp PSFTUM CREATE USER. For the connector with the Remote Manager: adp PSFT_RM CREATE USER |
| Update the password of a user | adp PSFTUM Reset Password. For the connector with the Remote Manager: adp PSFT_RM Reset Password |
| Update the description of a user | adp PSFTUM UpdateUser. For the connector with the Remote Manager: adp PSFT_RM UpdateUser |
| Update the multilanguage code of a user | adp PSFTUM UpdateUser. For the connector with the Remote Manager: adp PSFT_RM UpdateUser |
| Update the primary e-mail address of a user | adp PSFTUM UpdateUser. For the connector with the Remote Manager: adp PSFT_RM UpdateUser |
| Update the primary e-mail address type of a user | adp PSFTUM UpdateUser. For the connector with the Remote Manager: adp PSFT_RM UpdateUser |
| Update the language code of a user | adp PSFTUM UpdateUser. For the connector with the Remote Manager: adp PSFT_RM UpdateUser |
| Update the currency code of a user | adp PSFTUM UpdateUser. For the connector with the Remote Manager: adp PSFT_RM UpdateUser |
| Update the Employee Id of a user | adp PSFTUM Update User EmpId. For the connector with the Remote Manager: adp PSFT_RM Update User EmpId |
| Update the Primary Permission list of a user | adp PSFTUM UpdateUser. For the connector with the Remote Manager: adp PSFT_RM UpdateUser |
| Update the Process Profile Permission list of a user | adp PSFTUM UpdateUser. For the connector with the Remote Manager: adp PSFT_RM UpdateUser |
| Update the Navigator Home Permission list of a user | adp PSFTUM UpdateUser. For the connector with the Remote Manager: adp PSFT_RM UpdateUser |
| Update the Row Security Permission list of a user | adp PSFTUM UpdateUser. For the connector with the Remote Manager: adp PSFT_RM UpdateUser |
| Update the User Id alias of a user | adp PSFTUM UpdateUser. For the connector with the Remote Manager: adp PSFT_RM UpdateUser |
| Add a role to a user | adp PSFTUM addORDeleteRole. For the connector with the Remote Manager: adp PSFT_RM addORDeleteRole |
| Delete a role from a user | adp PSFTUM addORDeleteRole. For the connector with the Remote Manager: adp PSFT_RM addORDeleteRole |
| Add an e-mail address to a user | adp PSFTUM addOrDeleteEmail. For the connector with the Remote Manager: adp PSFT_RM addOrDeleteEmail |
| Delete the e-mail address of a user | adp PSFTUM addOrDeleteEmail. For the connector with the Remote Manager: adp PSFT_RM addOrDeleteEmail |
| Unlock a user | adp PSFTUM UnLock User. For the connector with the Remote Manager: adp PSFT_RMUnLock User |
| Lock a user | adp PSFTUM Lock User. For the connector with the Remote Manager: adp PSFT_RM Lock User |
| Delete a user at the target system | adp PSFTUM Delete User. For the connector with the Remote Manager: adp PSFT_RM Delete User |
| Prepopulate the User Id on the process form with the User Id of the OIM User. Note: If the PeopleSoft Employee Reconciliation and the PeopleSoft User Management connectors are deployed on a single Oracle Identity Manager installation, then the User Id field of the OIM User is populated with the value of the Employee Id of the employee reconciled from PeopleSoft. | adp PSFTUM Prepopulate UserID. For the connector with the Remote Manager: adp PSFT_RM Prepopulate UserID |
| Prepopulate the Employee Id on the process form with the User Id of the OIM User. Note: The Employee Id is used to link a user profile to the employee. | adp PSFTUM Prepopulate EmployeeID UM. For the connector with the Remote Manager: adp PSFT_RM Prepopulate EmployeeID UM |


1.2.4.2 User Fields for Provisioning

Table 1-6 lists the user fields for which you can specify or modify values during provisioning operations.

Table 1-6 User Fields for Provisioning

| OIM PeopleSoft UM Resources Process Form Field | Target System Field | Description | Adapter |
| --- | --- | --- | --- |
| Single-Valued Fields | | | |
| User Id | PSOPRDEFN.OPRID | Login Id of the user profile | adp PSFTUM CREATE USER. For the connector with the Remote Manager: adp PSFT_RM CREATE USER |
| User Description | PSOPRDEFN.OPRDEFNDESC | Description of the user profile | adp PSFTUM CREATE USER. For the connector with the Remote Manager: adp PSFT_RM CREATE USER |
| Employee Id | PSOPRDEFN.EMPLID | Employee Id of the employee to which the user profile will be assigned | adp PSFTUM CREATE USER. For the connector with the Remote Manager: adp PSFT_RM CREATE USER |
| Multi Language Code | PSOPRDEFN.MULTILANG | Multilanguage code | adp PSFTUM CREATE USER. For the connector with the Remote Manager: adp PSFT_RM CREATE USER |
| Language Code | PSOPRDEFN.LANGUAGE_CD | Language code | adp PSFTUM CREATE USER. For the connector with the Remote Manager: adp PSFT_RM CREATE USER |
| Currency Code | PSOPRDEFN.CURRENCY_CD | Currency code | adp PSFTUM CREATE USER. For the connector with the Remote Manager: adp PSFT_RM CREATE USER |
| User Id Alias | PSOPRDEFN.USERIDALIAS | Alias of user login Id | adp PSFTUM CREATE USER. For the connector with the Remote Manager: adp PSFT_RM CREATE USER |
| Row Security Permission List | PSOPRDEFN.ROWSECCLASS | Row security parameter | adp PSFTUM CREATE USER. For the connector with the Remote Manager: adp PSFT_RM CREATE USER |
| Process Profile Permission List | PSOPRDEFN.PRCSPRFLCLS | Process profile parameter | adp PSFTUM CREATE USER. For the connector with the Remote Manager: adp PSFT_RM CREATE USER |
| Navigator Home Permission List | PSOPRDEFN.DEFAULTNAVHP | Navigator home page address | adp PSFTUM CREATE USER. For the connector with the Remote Manager: adp PSFT_RM CREATE USER |
| Primary Permission List | PSOPRDEFN.OPRCLASS | Primary permission list | adp PSFTUM CREATE USER. For the connector with the Remote Manager: adp PSFT_RM CREATE USER |
| Primary Email Address | PSUSEREMAIL.EMAILID | E-mail address (primary e-mail account) | adp PSFTUM CREATE USER. For the connector with the Remote Manager: adp PSFT_RM CREATE USER |
| Primary Email Type | PSUSEREMAIL.EMAILTYPE | E-mail type (primary e-mail account) | adp PSFTUM CREATE USER. For the connector with the Remote Manager: adp PSFT_RM CREATE USER |
| Multivalued Fields | | | |
| RoleName | PSROLEUSER_VW.ROLENAME | The role name that is assigned to the user profile | adp PSFTUM addORDeleteRole. For the connector with the Remote Manager: adp PSFT_RM addORDeleteRole |
| Email Address | PSUSEREMAIL.EMAILID | E-mail address (e-mail account) | adp PSFTUM addOrDeleteEmail. For the connector with the Remote Manager: adp PSFT_RM addOrDeleteEmail |
| Email Type | PSUSEREMAIL.EMAILTYPE | Email type (e-mail account) | adp PSFTUM addOrDeleteEmail. For the connector with the Remote Manager: adp PSFT_RM addOrDeleteEmail |


Note:

The name of the process form in the first column of the preceding table is UD_PSFT_BAS. For the connector with the Remote Manager, the name of this process form is UD_PSFT_RM.

1.3 Certified Languages

The connector supports the following languages:

See Also:

Oracle Identity Manager Globalization Guide for information about supported special characters

1.4 Roadmap for Deploying and Using the Connector

The following is the organization of information in the rest of the guide: