A resource adapter serves as a proxy between Identity Manager and an external resource, such as an application or database. The adapter defines the essential characteristics of the resource type, and this information is saved in the Identity Manager repository as a resource object. Identity Manager resource adapters are standard or Active Sync-enabled adapters.
Standard resource adapters provide a generic interface to the resource types that Identity Manager supports, such as Web servers, Web applications, databases, and even legacy applications and operating systems. In Java terms, a standard resource adapter extends the ResourceAdapterBase class.
These adapters push account information changes from Identity Manager to their managed, external resources and typically perform the following administrative activities:
Connect to and disconnect from a resource
Create, delete, or modify users
Enable, disable, or get users
Authenticate users
Manage objects such as group membership or directory organization structure
Standard resource adapters generally follow these steps when pushing information from Identity Manager to the resource managed by Identity Manager:
Identity Manager server initializes the resource manager.
All available resource types are registered through the Resource Adapter interface. As part of the registration process, the resource adapter provides a prototype XML definition.
User initiates process of creating a new resource.
When an Identity Manager administrator creates a new resource, the creation task queries the resource type’s prototype definition for its resource attribute fields. Identity Manager uses these attributes to display a form in the browser. The user who is creating the new resource fills in the information and clicks Save.
Identity Manager saves the information provided, along with the other resource fields, in the resource object repository under the name of the new resource object.
When the user clicks Save during resource creation, the creation task gathers the entered data, performs any necessary validation, serializes the data as XML, and writes the serialized object to the object repository.
Identity Manager displays the list of available resources in a multi-selection box when an Identity Manager user is created or modified.
Selecting a resource causes Identity Manager to query the resource object for the available account attribute fields. Identity Manager uses these field descriptions to display a form that contains the attribute fields, which the user can fill in with the appropriate data.
The resource object is queried for the connection information when this form is saved, and a connection is established with the resource.
The adapter sends the command to perform the intended action on the account on the resource over this connection.
If this request is a create request, the adapter updates the Identity Manager user object with the resource account information.
When user account information is displayed, Identity Manager requests the list of resources on which the user has accounts from the saved account object. For each resource, Identity Manager queries the resource object and uses the connection information to establish a connection to the resource.
The adapter sends a command over this connection to retrieve account information for the user, and it uses the retrieved information to fill in the attribute fields that are defined in the resource object. The system creates a form to display these values.
Active Sync-enabled adapters are an extension of a standard resource adapter and they are used to implement the Active Sync interface for some common resources, such as Active Directory. These adapters pull data changes directly from the resource to initiate the following activities in Identity Manager:
Polling or receiving change event notification
Issuing actions to create, update, or delete resource accounts
Editing or creating users with a custom form
Saving the resource changes
Logging progress information and errors
Active Sync-enabled adapters are particularly suitable for supporting the following resource types:
Applications with audit or notification interfaces
Some applications, such as Microsoft Active Directory and PeopleSoft, have external interfaces. You can configure these application interfaces to add events to an audit log or to notify other applications when certain changes occur.
For example, you can configure the interface to record a transaction in the audit log whenever a user account is modified natively on the Active Directory server. You can then configure the Identity Manager Active Directory resource to review this log every 30 minutes and trigger events in Identity Manager when any changes occur. You can also register other Active Sync-enabled adapters with the resource through an API and use event messages to notify the adapter when changes occur. These event messages can reference the item that changed, the information that was updated, and frequently the user who made the change.
Databases populated with update information
You can manage database resources by generating a table of deltas, which you can produce in several ways. For example, you can compare a snapshot of the database to the current values and write the differences to a new table. The adapter pulls rows from the table of deltas, processes them, and marks each row as completed.
Databases with modification timestamps
You can create Active Sync-enabled queries for database entries that have been modified after a particular time. The adapter runs the updates and then polls again for new entries. By storing the last successfully processed row, Identity Manager can issue a “starts with” query that minimizes the polling impact: only changes made to the resource since the last processed modification are returned for processing.
Resources with change-log entries
Most LDAP servers provide a change-log mechanism that you can use to track changes, optionally constrained to the sections of the DIT that interest you. By periodically querying the change-log entries, the LDAP resource adapter can update Identity Manager with the detected changes, including creates, deletes, and updates.
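The modification-timestamp approach above hides a practical trap: if the adapter remembers only the last timestamp it saw, every row that shares that timestamp but was not in the last batch is skipped. The following Python example, added here as an illustration and not code from the page or from Identity Manager, builds a constructed in-memory SQLite table standing in for the resource and compares a naive timestamp-only poller with one that stores the (timestamp, row id) pair of the last processed row, which is what “storing the last successfully processed row” buys you. The table name, column names, and sample rows are all assumptions made for the example.

```python
import sqlite3
from typing import Dict, List, Tuple

# Constructed sample resource table. ISO-8601 timestamps sort lexically in
# chronological order, so plain string comparison in SQL is safe here.
SAMPLE_ROWS = [
    (101, "alice", "alice@example.test", "2024-03-01T10:00:00Z"),
    (102, "bob",   "bob@example.test",   "2024-03-01T10:05:00Z"),
    (103, "carol", "carol@example.test", "2024-03-01T10:05:00Z"),  # same timestamp as bob
    (104, "dave",  "dave@example.test",  "2024-03-01T10:09:00Z"),
]


def make_resource_db() -> sqlite3.Connection:
    """Build an in-memory stand-in for the managed resource's account table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, uid TEXT, mail TEXT, modified TEXT)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


class NaivePoller:
    """Remembers only the last timestamp: rows sharing that timestamp are lost."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn
        self.last_ts = ""  # empty string sorts before any real timestamp

    def poll(self, limit: int = 100) -> List[Dict[str, str]]:
        rows = self.conn.execute(
            "SELECT id, uid, mail, modified FROM accounts "
            "WHERE modified > ? ORDER BY modified, id LIMIT ?",
            (self.last_ts, limit),
        ).fetchall()
        changes = []
        for _row_id, uid, mail, modified in rows:
            changes.append({"accountId": uid, "email": mail, "modified": modified})
            self.last_ts = modified
        return changes


class TimestampPoller:
    """Remembers the (timestamp, row id) of the last successfully processed row.

    The row id acts as a tie-breaker, so the next poll resumes exactly after
    the row that was processed and rows committed in the same second are kept.
    """

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn
        self.watermark: Tuple[str, int] = ("", 0)

    def poll(self, limit: int = 100) -> List[Dict[str, str]]:
        ts, rid = self.watermark
        rows = self.conn.execute(
            "SELECT id, uid, mail, modified FROM accounts "
            "WHERE modified > ? OR (modified = ? AND id > ?) "
            "ORDER BY modified, id LIMIT ?",
            (ts, ts, rid, limit),
        ).fetchall()
        changes = []
        for row_id, uid, mail, modified in rows:
            changes.append({"accountId": uid, "email": mail, "modified": modified})
            # Advance per row, so a crash mid-batch resumes at the right place.
            self.watermark = (modified, row_id)
        return changes


if __name__ == "__main__":
    db = make_resource_db()
    for poller in (NaivePoller(db), TimestampPoller(db)):
        first = [c["accountId"] for c in poller.poll(limit=2)]
        second = [c["accountId"] for c in poller.poll()]
        print(type(poller).__name__, first, second)
```

With a batch size of two, the naive poller processes alice and bob, stores bob’s timestamp, and never sees carol; the watermark poller picks up carol on the next pass. For the change-log case described under “Resources with change-log entries”, the change number is a strictly increasing sequence, so a single integer watermark is enough. Timestamps, by contrast, come from the resource’s clock, and a row whose transaction commits late with an older timestamp is still missed, so production pollers usually re-read a small lag window or rely on a sequence column where one exists.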
Active Sync-enabled adapters generally follow these steps when listening or polling for changes to the resource managed by Identity Manager. When the adapter detects that a resource has changed, the Active Sync-enabled adapter:
Extracts the changed information from the resource.
Determines which Identity Manager object is affected.
Builds a map of user attributes and passes it to the IAPIFactory.getIAPI method, along with a reference to the adapter and a map of any additional options. This call creates an Identity Application Programming Interface (IAPI) object.
Sets the logger on the IAPI event to the adapter’s Active Sync logger.
Active Sync Manager processes the IAPI object and returns a WavesetResult object to the adapter. The WavesetResult object tells the Active Sync-enabled adapter whether the operation succeeded.
The WavesetResult object might contain many results from the various steps the Identity Manager system used to update the identity. Typically, a workflow also handles errors within Identity Manager, often ending up as an Approval for a managing administrator.
Exceptions are logged in the Active Sync and Identity Manager tracing logs with the ActiveSyncUtil.logResourceException method.
When Active Sync-enabled adapters detect a change to an account on a resource, the adapter maps the incoming attributes to an Identity Manager user or, if the adapter cannot match the user account, creates an Identity Manager user account.
The following rules and parameters determine what happens when a change is detected.
If a Process rule is present, it determines whether the adapter uses IAPIProcess or attempts to use IAPIUser. If the adapter cannot use IAPIUser because the Correlation or Confirmation rule does not uniquely identify an Identity Manager user for the event (given the other parameter settings), and a Resolve Process rule is configured, the adapter uses the Resolve Process rule to create an IAPIProcess event. Otherwise, the adapter reports an error condition.
IAPIUser checks out a view and makes this view available to the User form.
For creates and updates, IAPIUser checks out the User view.
For deletes, IAPIUser checks out the Deprovision view.
With IAPIProcess, however, no User view is checked out or available; the event is handled by the workflow named either by the Process rule or by the Resolve Process rule that was invoked.
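The decision sequence in the rules above is easy to get wrong in a custom adapter, so here it is written out as an added Python example that is not code from the page or from Identity Manager. The event and decision classes, the rule signatures, the sample Identity Manager users, and the rule implementations are all assumptions made for the illustration; only the order of evaluation (Process rule, then Correlation and Confirmation, then Resolve Process rule, then error) and the choice of User versus Deprovision view follow the page.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed Identity Manager user objects that resource accounts are matched against.
IDM_USERS = [
    {"name": "asmith",  "email": "asmith@example.test",  "employeeId": "1001"},
    {"name": "asmith2", "email": "asmith2@example.test", "employeeId": "1002"},
    {"name": "bjones",  "email": "bjones@example.test",  "employeeId": "2001"},
]


@dataclass
class ActiveSyncEvent:
    change_type: str        # "create", "update" or "delete", as detected on the resource
    attrs: Dict[str, str]   # attributes the adapter extracted from the resource account


@dataclass
class Decision:
    handler: str                    # "IAPIUser", "IAPIProcess" or "error"
    view: Optional[str] = None      # "User" or "Deprovision" when handler is IAPIUser
    user: Optional[str] = None      # matched Identity Manager user; None means a new user
    process: Optional[str] = None   # workflow name when handler is IAPIProcess
    reason: str = ""


# Hypothetical rule signatures (assumptions, not Identity Manager's rule interfaces).
CorrelationRule = Callable[[Dict[str, str], List[Dict]], List[Dict]]
ConfirmationRule = Callable[[Dict[str, str], Dict], bool]
ProcessRule = Callable[[ActiveSyncEvent], Optional[str]]
ResolveProcessRule = Callable[[ActiveSyncEvent, List[Dict]], Optional[str]]


def correlate_by_name_prefix(attrs: Dict[str, str], users: List[Dict]) -> List[Dict]:
    """Loose correlation: every user whose name starts with the account name."""
    account = attrs.get("sAMAccountName", "").lower()
    return [u for u in users if account and u["name"].lower().startswith(account)]


def confirm_by_employee_id(attrs: Dict[str, str], user: Dict) -> bool:
    """Confirmation narrows a candidate list to the user whose employee id matches."""
    return attrs.get("employeeNumber") == user["employeeId"]


def resolve_ambiguous(event: ActiveSyncEvent, candidates: List[Dict]) -> Optional[str]:
    """Resolve Process rule: hand ambiguous matches to a workflow for an administrator."""
    return "ResolveAmbiguousUser" if candidates else None


def dispatch(event: ActiveSyncEvent, users: List[Dict], correlation: CorrelationRule,
             confirmation: Optional[ConfirmationRule] = None,
             process_rule: Optional[ProcessRule] = None,
             resolve_process: Optional[ResolveProcessRule] = None) -> Decision:
    # 1. A Process rule, when present, sends the event to IAPIProcess; no User view is checked out.
    if process_rule is not None:
        name = process_rule(event)
        if name:
            return Decision("IAPIProcess", process=name, reason="Process rule")

    # 2. Correlation proposes candidates; Confirmation is applied only when more than one remains.
    candidates = correlation(event.attrs, users)
    if confirmation is not None and len(candidates) > 1:
        candidates = [u for u in candidates if confirmation(event.attrs, u)]

    # 3. Exactly one user: IAPIUser checks out the User view, or the Deprovision view for deletes.
    if len(candidates) == 1:
        view = "Deprovision" if event.change_type == "delete" else "User"
        return Decision("IAPIUser", view=view, user=candidates[0]["name"], reason="unique match")

    # 4. No match on a create or update: the adapter creates a new Identity Manager user.
    if not candidates and event.change_type != "delete":
        return Decision("IAPIUser", view="User", user=None, reason="no match, creating user")

    # 5. Ambiguous match, or a delete with no user: Resolve Process rule, else an error condition.
    if resolve_process is not None:
        name = resolve_process(event, candidates)
        if name:
            return Decision("IAPIProcess", process=name, reason="Resolve Process rule")
    return Decision("error", reason=f"{len(candidates)} candidates for {event.attrs}")
```

The example also shows why the rule pair matters for security: Active Sync attaches native resource changes to Identity Manager users, and a loose correlation rule with no confirmation rule lets a resource account whose attributes happen to match (or were chosen to match) an existing user update that user’s identity. Pairing correlation with a confirmation rule on an authoritative attribute such as an employee id, and routing anything still ambiguous to a Resolve Process rule rather than guessing, keeps a native change from being silently applied to the wrong person.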
Resource objects define the capabilities and configuration of the resource you are managing in Identity Manager, including the information described in the following table.
Table 9–2 Information Defined by Resource Objects
You must define a resource object in Identity Manager for every resource that Identity Manager communicates with or manages.
You can view resource objects from Identity Manager’s Debug pages:
http://host:port/idm/debug/
Where:
host is the local server on which Identity Manager is running.
port is the TCP port number on which the server is listening.
The session.jsp page gives you the option of listing objects of type Resource. See Viewing and Editing a Resource Object for more information.
A resource adapter class implements methods that
Register the resource object in the Identity Manager repository
Enable you to manage the external resource
Push information from Identity Manager to the resource
(Optional) Pull information from the resource into Identity Manager
This optional pull capability is known as Active Sync, and a resource adapter with Active Sync capability is referred to as Active Sync-enabled. See What Are Active Sync-Enabled Resource Adapters? for more information.