Note the following items when creating and configuring resources for use with Service Provider:
You must configure the user directory as a resource. The directory can be maintained from the Service Provider Configuration pages in the Administrator Interface.
Any resources that are to be synchronized with the user directory should be configured from the Edit Synchronization Policy resource action, and configured for the target object type “Service Provider User.”
Service Provider stores all of its meta information in the LDAP attribute mapped to xml in the resource definition schema map (for example, jpegPhoto). The size of the data stored in this attribute is usually small (<1KB) but can be larger, depending on the number of resources assigned to the user.
If the Retro Changelog is enabled in your Sun Java System Directory Server, add the attribute that corresponds to the xml LDAP attribute (for example, jpegPhoto) to the list of ignore_attributes in the Retro Changelog plugin’s configuration. This can be accomplished by using the Directory Server administration console.
The default user form and rules associated with each resource might need to be customized to work with Service Provider. See the following sections for more details:
The following list describes the differences between user forms in Identity Manager and Service Provider:
In Identity Manager, both the Synchronization Input form and the default user form are processed. In Service Provider, only the Synchronization Input form is processed.
The IDMXUser view is used instead of a User view. See Chapter 4, IDMXUser View for more information.
In both Identity Manager and Service Provider, all of the attributes received are placed under the activeSync top-level attribute.
Identity Manager also sets the following attributes to contain information about the resource definition itself:
activeSync.resourceName
activeSync.resourceId
activeSync.resource
Other attributes are culled from the resource. Service Provider does not set these.
The nature of the following rules varies in Service Provider:
Correlation rules
Confirmation rules
Delete Rules
Because reconciliation is not performed on a Service Provider resource, a correlation rule is invoked on-demand to discover existing account information.
In the Identity Manager User view, the account attribute may contain numerous account attributes. In the IDMXUser view, these account attributes are defined at the top level of the view. For example, in Identity Manager, a correlation rule might make a reference to <ref>account.accountId</ref>. In Service Provider, the reference would simply be <ref>accountId</ref>.
An Identity Manager confirmation rule may reference the following attributes:
account — The attributes from the Active Sync account
user — The User view
A Service Provider confirmation rule sets the same attributes, but the user attribute contains only the user attributes stored in the directory. It does not contain a full IDMXUser view.
An Identity Manager delete rule may reference the following attributes:
activeSync — The attributes from the Active Sync account
account — Identical to activeSync.
In a Service Provider delete rule, the Active Sync account attributes are at top-level. They are not wrapped in either activeSync or account.
The linkTargets IDMXUser view option allows the caller to specify the list of resources that should be targeted for linking. When using forms, the list can be provided as a form property with the same name. Form properties are assimilated into view options when the IDMXUser view is checked in.
A link correlation rule selects resource accounts that the user might own. Given the view of the user, a link correlation rule returns an identity, a list of identities, or an option map.
If the rule returns an option map, then the view handler uses the map to look for resource accounts and obtains a list of identities that satisfy these options. For example, the searchFilter option of the getResourceObjects FormUtil method can be used to pass a search filter to an LDAP resource adapter.
A link correlation rule must have the authType attribute set to SPERule with the subtype set to SUBTYPE_SPE_LINK_CORRELATION_RULE.
A link confirmation rule eliminates any resource accounts from the list of potential accounts that the link correlation rule selects. Given the view of the user and the list of candidate resource accounts, a link confirmation rule selects at most one resource account from the candidate list. The view of the user is visible under the 'view' path, while the list of candidates is available under the 'candidates' path.
If the link correlation rule selects no more than one resource account, the link confirmation rule is optional.
Unlike Identity Manager confirmation rules, a link confirmation rule is invoked only once during the linking process.
A link confirmation rule must have the authType attribute set to SPERule with the subtype set to SUBTYPE_SPE_LINK_CONFIRMATION_RULE.
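The following two rule definitions are added here as an illustration; they are not taken from the product documentation or shipped with Service Provider. They show one way the link correlation rule and link confirmation rule described above, together with the top-level accountId reference noted under correlation rules, might be written in Identity Manager's XPRESS rule syntax. Only the authType and subtype values, the searchFilter option, the top-level accountId reference, and the view and candidates paths come from the text. The rule names, the uid and mail directory attributes, the email attribute of the user view, the map/concat/block/defvar/dolist/setvar constructs, and the way the candidate list and the candidate attributes are structured are assumptions.

```xml
<!-- Illustrative link correlation rule (assumed XPRESS syntax, not product code).
     It returns an option map rather than an identity, so the view handler runs the
     search itself using the searchFilter option. Note that accountId is referenced
     at the top level of the IDMXUser view, not as account.accountId. -->
<Rule name="Example SPE Link Correlation" authType="SPERule"
      subtype="SUBTYPE_SPE_LINK_CORRELATION_RULE">
  <map>
    <s>searchFilter</s>
    <!-- uid is an assumed directory attribute; build "(uid=<accountId>)" -->
    <concat>
      <s>(uid=</s>
      <ref>accountId</ref>
      <s>)</s>
    </concat>
  </map>
</Rule>

<!-- Illustrative link confirmation rule (assumed XPRESS syntax, not product code).
     The user view is under 'view' and the candidate accounts under 'candidates'.
     At most one candidate is returned: the one whose (assumed) mail attribute
     equals the user's (assumed) email attribute. A null result selects none. -->
<Rule name="Example SPE Link Confirmation" authType="SPERule"
      subtype="SUBTYPE_SPE_LINK_CONFIRMATION_RULE">
  <block>
    <!-- holds the chosen candidate; stays null when nothing matches -->
    <defvar name="match">
      <null/>
    </defvar>
    <dolist name="candidate">
      <ref>candidates</ref>
      <cond>
        <eq>
          <ref>candidate.mail</ref>
          <ref>view.email</ref>
        </eq>
        <setvar name="match">
          <ref>candidate</ref>
        </setvar>
      </cond>
    </dolist>
    <!-- the value of the last expression in the block is the rule's result -->
    <ref>match</ref>
  </block>
</Rule>
```

Because the link confirmation rule is invoked only once, the comparison above runs over the whole candidate list in that single invocation; if the correlation rule is written so that it can never select more than one account, the confirmation rule can be omitted entirely, as the text notes.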