Go to main content
|
|
You can extend the functionality of the connector to address your specific business requirements.
By default the connector is configured to perform a certain set of tasks. For addressing your specific business requirements, you can extend the functionality of the connector by performing the procedures described in the following sections:
Note:
From Oracle Identity Manager Release 11.1.2 onward, lookup queries are not supported. See Managing Lookups in Administering Oracle Identity Manager for information about managing lookups by using the Form Designer in the Oracle Identity Manager System Administration console.
Adding Dynamic Auxiliary Object Classes and Their Attributes to Users
Adding New Multivalued Fields for Target Resource Reconciliation
Adding Terminal Services Fields for Reconciliation and Provisioning
Adding Dynamic Auxiliary Object Classes and Their Attributes to Users
Configuring Validation of Data During Reconciliation and Provisioning
Enabling Reconciliation and Provisioning Operations Across Multiple Domains
About Using the Connector for Multiple Trusted Source Reconciliation
Creating a Home Directory After User Create Provisioning Operation
Configuring the Connector for Provisioning Groups of the Security Group - Universal Group Type
Configuring the Connector for Provisioning and Reconciling Custom Object Categories
You can add additional fields for user, group, or organizational unit reconcliation.
Note:
This section describes an optional procedure. You need not perform this procedure if you do not want to add custom fields for reconciliation.
By default, the fields listed in Table 1-14 are mapped for reconciliation between Oracle Identity Manager and the target system. If required, you can map additional fields for user, group, or organizational unit reconciliation.
To add a custom field for target resource reconciliation:
Log in to the Oracle Identity Manager Design Console.
Add the custom field to the list of reconciliation fields in the resource object as follows:
Expand Resource Management and then double-click Resource Objects.
Search for and open one of the following resource objects:
For users: AD User
For groups: AD Group
For organizational units: AD Organizational Unit
On the Object Reconciliation tab, click Add Field.
In the Add Reconciliation Field dialog box, enter the details of the field.
For example, enter Description
in the Field Name field and select String from the Field Type list.
Note that if you are adding a boolean field, then select String as the field type.
Click Save and close the dialog box.
Click Create Reconciliation Profile. This copies changes made to the resource object into MDS.
Click Save.
Create an entry for the field in the lookup definition for reconciliation as follows:
Expand Administration and then double-click Lookup Definition.
Search for and open one of the following lookup definitions:
For users: Lookup.ActiveDirectory.UM.ReconAttrMap
For groups: Lookup.ActiveDirectory.GM.ReconAttrMap
For organizational units: Lookup.ActiveDirectory.OM.ReconAttrMap
Click Add and enter the Code Key and Decode values for the field. The Code Key value is the name of the field that you provide for the reconciliation field in Step 2.d. The Decode value is the name of the target system field.
For example, enter Description
in the Code Key field and then enter description
in the Decode field.
Click Save.
Add the custom field on the process form as follows:
Expand Development Tools and then double-click Form Designer.
Search for and open one of the following process forms:
For users: UD_ADUSER
For groups: UD_ADGRP
For organizational units: UD_ADOU
Click Create New Version, and then click Add.
Enter the details of the field.
For example, if you are adding the Description field, enter UD_ADUSER_DESCRIPTION
in the Name field, and then enter the rest of the details of this field.
Click Save and then click Make Version Active.
If you are using Oracle Identity Manager release 11.1.2.x or later, then all changes made to the Form Designer of the Design Console must be done in a new UI form as follows:
Log in to Oracle Identity System Administration.
Create and active a sandbox. See Creating and Activating a Sandbox for more information.
Create a new UI form to view the newly added field along with the rest of the fields. See Creating a New UI Form for more information about creating a UI form.
Associate the newly created UI form with the application instance of your target system. To do so, open the existing application instance for your resource, from the Form field, select the form (created in Step 5.c), and then save the application instance.
Publish the sandbox. See Publishing a Sandbox for more information.
Create a reconciliation field mapping for the custom field in the provisioning process as follows:
Log in to the Design Console.
Expand Process Management and then double-click Process Definition.
Search for and open one of the following provisioning process:
For users: AD User
For groups: AD Group
For organizational units: AD Organizational Unit
On the Reconciliation Field Mappings tab of the provisioning process, click Add Field Map.
In the Add Reconciliation Field Mapping dialog box, from the Field Name field, select the value for the field that you want to add.
For example, from the Field Name field, select Description.
Double-click the Process Data field, and then select UD_ADUSER_DESCRIPTION.
Click Save and close the dialog box.
Click Save.
You can add multivalued fields for reconciliation between Oracle Identity Manager and the target system.
Note:
This procedure can be applied to add either user, group, or organizational unit fields.
You must ensure that new fields you add for reconciliation contain only string-format data. Binary fields must not be brought into Oracle Identity Manager natively.
By default, the multivalued fields listed in Table 1-14 are mapped for reconciliation between Oracle Identity Manager and the target system. If required, you can add new multivalued fields for target resource reconciliation.
To add a new multivalued field for target resource reconciliation:
Log in to the Oracle Identity Manager Design Console.
Create a form for the multivalued field as follows:
Expand Development Tools and double-click Form Designer.
Create a form by specifying a table name and description, and then click Save.
Click Add and enter the details of the field.
Click Save and then click Make Version Active. Figure 4-1 shows the multivalued field added on a new form.
Figure 4-1 Multivalued Field Added on a New Form
Add the form created for the multivalued field as a child form of the process form as follows:
Search for and open one of the following process forms:
For users: UD_ADUSER
For groups: UD_ADGRP
For organizational units: UD_ADOU
Click Create New Version.
Click the Child Table(s) tab.
Click Assign.
In the Assign Child Tables dialog box, select the newly created child form, click the right arrow, and then click OK.
Click Save and then click Make Version Active. Figure 4-2 shows the child form added to the process form.
Figure 4-2 Child Form Added to the Process Form
If you are using Oracle Identity Manager release 11.1.2.x or later, then all changes made to the Form Designer of the Design Console must be done in a new UI form as follows:
Log in to Oracle Identity System Administration.
Create and active a sandbox. See Creating and Activating a Sandbox for more information.
Create a new UI form to view the newly added field along with the rest of the fields. See Creating a New UI Form for more information about creating a UI form.
Associate the newly created UI form with the application instance of your target system. To do so, open the existing application instance for your resource, from the Form field, select the form (created in Step 4.c), and then save the application instance.
Publish the sandbox. See Publishing a Sandbox for more information.
Add the new multivalued field to the list of reconciliation fields in the resource object as follows:
Log in to the Design Console.
Expand Resource Management and then double-click Resource Objects.
Search for and open one of the following resource objects:
For users: AD User
For groups: AD Group
For organizational units: AD Organizational Unit
On the Object Reconciliation tab, click Add Field.
In the Add Reconciliation Fields dialog box, enter the details of the field.
For example, enter carlicenses
in the Field Name field and select Multi-Valued Attribute from the Field Type list.
Click Save and then close the dialog box.
Right-click the newly created field and select Define Property Fields.
In the Add Reconciliation Fields dialog box, enter the details of the newly created field.
For example, enter carlicense
in the Field Name field and select String from the Field Type list.
Click Save, and then close the dialog box. Figure 4-3 shows the new reconciliation field added in the resource object.
Figure 4-3 New Reconciliation Field Added in the Resource Object
Click Create Reconciliation Profile. This copies changes made to the resource object into the MDS.
Create an entry for the field in the lookup definition for reconciliation as follows:
Expand Administration and then double-click Lookup Definition.
Search for and open one of the following lookup definitions:
For users: Lookup.ActiveDirectory.UM.ReconAttrMap
For groups: Lookup.ActiveDirectory.GM.ReconAttrMap
For organizational units: Lookup.ActiveDirectory.OM.ReconAttrMap
Note:
For the target system fields, you must use the same case (uppercase or lowercase) as given on the target system. This is because the field names are case-sensitive.
Cick Add and enter the Code Key and Decode values for the field, and then Click Save. The Code Key and Decode values must be in the following format:
Code Key: MULTIVALUED_FIELD_NAME~CHILD_RESOURCE_OBJECT_FIELD_NAME
Decode: Corresponding target system attribute.
For example, enter carlicenses~carlicense
in the Code Key field and then enter carlicense
in the Decode field. Figure 4-4 shows the lookup code added to the lookup definition.
Figure 4-4 Entry Added in the Lookup Definition
Create a reconciliation field mapping for the new field as follows:
Expand Process Management and double-click Process Definition.
Search for and open one of the following process definitions:
For users: AD User
For groups: AD Group
For organizational units: AD Organizational Unit
On the Reconciliation Field Mappings tab of the AD User (or AD Group, or AD Organizational Unit process definition, click Add Table Map.
In the Add Reconciliation Table Mapping dialog box, select the field name and table name from the list, click Save, and then close the dialog box.
Right-click the newly created field, and select Define Property Field Map.
In the Field Name field, select the value for the field that you want to add.
Double-click the Process Data Field field, and then select UD_CARLICEN.
Select Key Field for Reconciliation Field Matching and click Save. Figure 4-5 shows the new reconciliation field mapped to a process data field in the process definition.
Figure 4-5 New Reconciliation Field Mapped to a Process Data Field
You can map additional attributes for provisioning apart from the default attributes.
By default, the attributes listed in Table 1-19 are mapped for provisioning between Oracle Identity Manager and the target system.
To add a custom field for provisioning, perform the procedures listed in the following sections:
If you have added the field on the process form by performing Step 4 of Adding Custom Fields for Target Resource Reconciliation, then you need not add the field again. If you have not added the field, then add it as follows:
If you are using Oracle Identity Manager release 11.1.2.x or later, then all changes made to the Form Designer of the Design Console must be done in a new UI form as follows:
Create an entry for the field in the lookup definition for provisioning as follows:
After adding the custom field, you must enable update provisioning operations on that field as follows:
In the provisioning process, add a new task for updating the field as follows:
Expand Process Management and then double-click Process Definition.
Search for and open one of the following provisioning process:
For users: AD User
For groups: AD Group
For organizational units: AD Organizational Unit
Click Add and enter the task name and task description. The following are sample values:
Task Name: Description Updated
Task Description: Process Task for handling update of the description field.
In the Task Properties section, select the following fields:
Conditional
Allow Cancellation while Pending
Allow Multiple Instances
Click Save.
In the provisioning process, select the adapter name in the Handler Type section as follows:
Go to the Integration tab, click Add.
In the Handler Selection dialog box, select Adapter.
From the Handler Name column, select adpADIDCUPDATEATTRIBUTEVALUE.
Click Save and close the dialog box.
In the Adapter Variables region, click the procInstanceKey variable.
In the dialog box that is displayed, create the following mapping:
Variable Name: procInstanceKey
Map To: Process Data
Qualifier: Process Instance
Click Save and close the dialog box.
If you are enabling update provisioning operations for a User custom field, then repeat Steps 3 through 5 for the remaining variables listed in the Adapter Variables region. The following table lists values that you must select from the Map To, Qualifier, and Literal Value lists for each variable:
Variable | Map To | Qualifier | Literal Value |
---|---|---|---|
Adapter Return Variable |
Response Code |
NA |
NA |
itResourceFieldName |
Literal |
String |
UD_ADUSER_SERVER |
attrFieldName |
Literal |
String |
Description |
objectType |
Literal |
String |
User |
If you are enabling update provisioning operations for a Group custom field, then repeat Steps 3 through 5 for all the variables listed in the following table. This table lists values that you must select from the Map To, Qualifier, and Literal Value lists for each variable:
Variable | Map To | Qualifier | Literal Value |
---|---|---|---|
procInstanceKey |
Process Data |
Process Instance |
NA |
Adapter Return Variable |
Response Code |
NA |
NA |
itResourceFieldName |
Literal |
String |
UD_ADGRP_SERVER |
attrFieldName |
Literal |
String |
CUSTOM_FIELD_NAME |
objectType |
Literal |
String |
Group |
If you are enabling update provisioning operations for an Organizational Unit custom field, then repeat Steps 3 through 5 for all the variables listed in the following table. This table lists values that you must select from the Map To, Qualifier, and Literal Value lists for each variable:
Variable | Map To | Qualifier | Literal Value |
---|---|---|---|
procInstanceKey |
Process Data |
Process Instance |
NA |
Adapter Return Variable |
Response Code |
NA |
NA |
itResourceFieldName |
Literal |
String |
UD_ADOU_SERVER |
attrFieldName |
Literal |
String |
CUSTOM_FIELD_NAME |
objectType |
Literal |
String |
organizationalUnit |
On the Responses tab, click Add to add at least the SUCCESS response code, with Status C.
This ensures that if the custom task is successfully run, then the status of the task is displayed as Completed.
Click the Save icon and close the dialog box, and then save the process definition.
When you add an attribute on the process form, you also update the XML file containing the request dataset definitions. To update a request dataset:
Run the PurgeCache utility to clear content related to request datasets from the server cache.
See Purging Cache in Oracle Fusion Middleware Administering Oracle Identity Manager for more information about running the PurgeCache utility.
Note:
Perform the procedure described in this section only if you have enabled request-based provisioning.
Import into MDS, the request dataset definitions in XML format.
See Importing Request Datasets for detailed information about the procedure.
You can add new multivalued fields for provisioning.
Note:
Before starting the following procedure, perform Steps1 through 4 as described in Adding New Multivalued Fields for Target Resource Reconciliation. If these steps have been performed while adding new multivalued fields for target resource reconciliation, then you need not repeat the steps.
To add new multivalued fields for provisioning:
Create an entry for the field in the lookup definition for provisioning as follows:
Enable update provisioning operations on the multivalued field as follows:
Note:
Perform the procedure described in this section only if you have enabled request-based provisioning.
When you add an attribute on the process form, you also update the XML file containing the request dataset definitions. To update a request dataset:
Note:
Perform the procedure described in this section only if you have enabled request-based provisioning.
Run the PurgeCache utility to clear content related to request datasets from the server cache. See Purging Cache in Administering Oracle Identity Manager for more information about the PurgeCache utility.
Note:
Perform the procedure described in this section only if you have enabled request-based provisioning.
Import into MDS, the request dataset definitions in XML format.
See Importing Request Datasets for detailed information about the procedure.
You can add additional terminal services fields for reconciliation and provisioning operations.
Note:
The information in this section is applicable only to the Microsoft Active Directory target system and only if you are going to use the target system as a target resource.
Terminal Services fields are only supported for Microsoft Active Directory and not Microsoft AD LDS. Skip this section you are using Microsoft AD LDS as the target system.
By default, the following terminal services fields are readily available for reconciliation and provisioning:
AllowLogon
TerminalServicesProfilePath
TerminalServicesHomeDirectory
If required, you can add the following terminal services fields for reconciliation and provisioning operations:
TerminalServicesInitialProgram
TerminalServicesWorkDirectory
AllowLogon
MaxConnectionTime
MaxDisconnectionTime
MaxIdleTime
ConnectClientDrivesAtLogon
ConnectClientPrintersAtLogon
DefaultToMainPrinter
BrokenConnectionAction
ReconnectionAction
EnableRemoteControl
TerminalServicesProfilePath
TerminalServicesHomeDirectory
TerminalServicesHomeDrive
You can configure the connector for user-defined or custom object class for connector operations.
By default, the Active Directory User Management connector supports the User object class. If you want the connector to use a user-defined or custom object class for connector operations, then:
Create the object class and assign mandatory and optional attributes to the object class.
Refer to Microsoft documentation for information about creating the object class.
Note:
Assign the user object class as the parent of the object class that you create.
Refresh the schema.
Add the mandatory and optional attributes of the object class for provisioning.
Note:
Ensure that the attribute mapping for provisioning and reconciliation contain only attributes supported by the user-defined object class (created in Step 1).
Update the Lookup.Configuration.ActiveDirectory lookup definition as follows:
Search for and open the Lookup.Configuration.ActiveDirectory lookup definition.
Search for the ObjectClass code key entry and change its decode value to include the name of the new object class.
If the object class contains more than one mandatory attribute, then add a new lookup entry with the following values:
Code Key: ObjectClassMandatoryAttributes
Decode: "CUSTOM_MANDATORY_ATTRIBUTE_NAME"
Note:
While adding the value in the decode column, two or more mandatory attributes must be separated by a comma (,). For example, "CustomIntAttr","CustomStringAttr".
Click the Save icon.
You can add dynamic auxiliary object classes and their attributes to users.
To perform the procedure described in this section, all domain controllers in the forest must be running Microsoft Windows Server 2003 or later, and the forest functional mode must be Microsoft Windows Server 2003 or later. For more information on dynamic auxiliary object classes, see "Dynamically Linked Auxiliary Classes (Windows)" at the following Web site:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms676289%28v=vs.85%29.aspx
To add dynamic auxiliary object classes and their attributes to users:
Create an entry for the dynamic auxiliary object class in the main configuration lookup definition as follows:
Expand Administration and then double-click Lookup Definition.
Search for and open the Lookup.Configuration.ActiveDirectory lookup definition.
Click Add and enter the Code Key and Decode values as follows:
Code Key: 'AccountObjectClasses'
Decode: "NAME_OF_THE_CUSTOM_AUXILIARY_OBJECT_CLASS
"
Note:
While adding the value in the decode column, two or more auxiliary classes must be separated by a comma (,). For example, "AuxIntAttr","AuxStringAttr".
If the dynamic auxiliary class contains more than one mandatory attribute, then add a new lookup entry with the following values:
Code Key: ObjectClassMandatoryAttributes
Decode: "MANDATORY_ATTRIBUTE_NAME_OF_THE_AUX_CLASS"
Note:
Two or more mandatory attributes must be separated by a comma (,). For example, "AuxIntAttr","AuxStringAttr".
Click the Save icon.
Run the PurgeCache utility.
To add attributes of the custom auxiliary classes (added in Step 1) for target resource reconciliation and provisioning, perform the procedure described in the following sections:
Note:
While performing the procedure described in these sections, ensure that you follow instructions that are specific only to the User object class.
You can add a group name (pre-Windows 200) attribute for reconciliation and provisioning.
This section discusses the following topics related to adding the Group Name (pre-Windows 2000 ) attribute for reconciliation and provisioning:
Group Name and Group Name (pre-Windows 2000) are two of the attributes specific to groups in the target system. Oracle Identity Manager contains only the Group Name field in its process form. By default, during group provisioning, the value that you specify for the Group Name field in the OIM process form, is entered as the value of the Group Name and Group Name (pre-Windows 2000) attributes. If you want to specify different values for the Group Name and Group Name (pre-Windows 2000) attributes in the target system, then you must create the Group Name (pre-Windows 2000) field on the OIM process form.
To do so, you must add a new field (Group Name Pre Windows) in Oracle Identity Manager for reconciliation and provisioning operations.
To add the Group Name Pre Windows field for reconciliation:
Log in to the Oracle Identity Manager Design Console.
Add the Group Name Pre Windows field to the list of reconciliation fields in the resource object as follows:
Expand Resource Management and then double-click Resource Objects.
Search for and open the AD Group resource object.
On the Object Reconciliation tab, click Add Field.
In the Add Reconciliation Field dialog box, enter Group Name Pre Windows
in the Field Name field and select String from the Field Type list.
Click Save and close the dialog box.
Click Create Reconciliation Profile. This copies changes made to the resource object into MDS.
Click Save.
Update the Lookup.ActiveDirectory.GM.ReconAttrMap lookup definition for reconciliation as follows:
Expand Administration and then double-click Lookup Definition.
Search for and open the Lookup.ActiveDirectory.GM.ReconAttrMap lookup definition.
Click Add to create an entry for the Group Name Pre Windows field.
In the Code Key column, enter Group Name Pre Windows.
In the Decode column, enter sAMAccountName.
In the Code Key column, locate Group Name and change its Decode value to cn.
Table 4-1 lists the updated list of entries in the Lookup.ActiveDirectory.GM.ReconAttrMap lookup definition.
Table 4-1 Entries in the Updated Lookup.ActiveDirectory.GM.ReconAttrMap Lookup Definition
Group Field on Oracle Identity Manager | Microsoft Active Directory Field |
---|---|
Display Name |
displayName |
Group name |
cn |
Group Name Pre Windows |
sAMAccountName |
Group Type |
groupType |
OIM Org Name |
sAMAccountName |
Organization Name[LOOKUP] |
ad_container |
Org Name |
sAMAccountName |
Org Type |
OIM Organization Type |
Unique Id |
__UID__ |
Click Save.
Add the Group Name Pre Windows field on the process form as follows:
Expand Development Tools and then double-click Form Designer.
Search for and open the UD_ADGRP process form.
Click Create New Version, and then click Add.
Enter the details of the new field. In the Name field, enter UD_ADUSER_GROUPNAME_PREWINDOWS.
In the Field Label column, enter Group Name Pre Windows.
Enter the rest of the details of this field.
On the Properties tab, select the Group Name Pre Windows field, and then click Add Property. The Add Property dialog box displays.
From the Property Name list, select Required.
In the Property Value field, enter True.
Click the Save icon and close the dialog box.
Click Save and then click Make Version Active.
Create a reconciliation field mapping for the new field in the provisioning process as follows:
Expand Process Management and then double-click Process Definition.
Search for and open the AD Group provisioning process.
On the Reconciliation Field Mappings tab of the provisioning process, click Add Field Map.
In the Add Reconciliation Field Mapping dialog box, from the Field Name field, select Group Name Pre Windows.
Double-click the Process Data field, and then select UD_ADGRP_GROUPNAME_PREWINDOWS.
Click Save and close the dialog box.
Click Save.
Expand Resource Management and then double-click Resource Objects.
Click Create Reconciliation Profile.
You can add the Group Name Pre Windows field for provisioning.
To do so, perform the following procedures:
If you have added the field on the process form by performing Step 4 of Adding the Group Name Pre Windows Field for Reconciliation, then you need not add the field again. If you have not added the field, then:
UD_ADUSER_GROUPNAME_PREWINDOWS.
Group Name Pre Windows.
Then, enter values for the rest of the columns as listed for the Group Name field.True.
Update the Lookup.ActiveDirectory.GM.ProvAttrMap lookup definition for provisioning as follows:
Enable update provisioning operations on the Group Name Pre Windows field as follows:
In the provisioning process, add a new task for updating the field as follows:
Expand Process Management and then double-click Process Definition.
Search for and open the AD Group provisioning process.
Click Add and enter the task name and task description as follows:
Task Name: Group Name Pre Windows Updated
Task Description: Process Task for handling update of the Group Name Pre Windows field.
In the Task Properties section, select the Conditional, Allow Cancellation while Pending, and Allow Multiple Instances fields.
Click Save.
In the provisioning process, select the adapter name in the Handler Type section as follows:
Go to the Integration tab, click Add.
In the Handler Selection dialog box, select Adapter.
From the Handler Name column, select adpADIDCUPDATEATTRIBUTEVALUE.
Click Save and close the dialog box.
In the Adapter Variables region, click the procInstanceKey variable.
In the dialog box that is displayed, create the following mapping:
Variable Name: procInstanceKey
Map To: Process Data
Qualifier: Process Instance
Click Save and close the dialog box.
Repeat Steps 3 through 5 for all the variables listed in the following table. This table lists values that you must select from the Map To, Qualifier, and Literal Value lists for each variable:
Variable | Map To | Qualifier | Literal Value |
---|---|---|---|
procInstanceKey |
Process Data |
Process Instance |
NA |
Adapter Return Variable |
Response Code |
NA |
NA |
itResourceFieldName |
Literal |
String |
UD_ADGRP_SERVER |
attrFieldName |
Literal |
String |
Group Name Pre Windows |
objectType |
Literal |
String |
Group |
On the Responses tab, click Add to add at least the SUCCESS response code, with Status C.
This ensures that if the custom task is successfully run, then the status of the task is displayed as Completed.
Click the Save icon and close the dialog box, and then save the process definition.
If the Group Name Updated process task calls the adpADIDCUPDATEATTRIBUTEVALUES adapter, then:
Note:
Perform the procedures described in this section only if you want to perform request-based provisioning.
When you add an attribute on the process form, you also update the XML file containing the request dataset definitions. To update a request dataset:
Note:
Perform the procedures described in this section only if you want to perform request-based provisioning.
Run the PurgeCache utility to clear content related to request datasets from the server cache. See Purging Cache in Administering Oracle Identity Manager for more information about the PurgeCache utility.
You can add new fields for trusted source reconciliation.
Note:
You must ensure that new fields you add for reconciliation contain only string-format data. Binary fields must not be brought into Oracle Identity Manager natively.
By default, the attributes listed in Table 1-22 are mapped for reconciliation between Oracle Identity Manager and the target system. If required, you can add new fields for trusted source reconciliation. This section discusses the following topics:
To add new fields for trusted source reconciliation, you must perform the following steps:
Before you add a new field for trusted source reconciliation, you must first determine the target system name of the field as follows:
To add a new field for trusted source reconciliation:
Log in to the Oracle Identity Manager Design Console.
Add the new field on the OIM User process form as follows:
Note:
If you are using Oracle Identity Manager 11g Release 1 PS1 or later, then you must use the Oracle Identity Manager Advanced Administration page to create UDFs.
If you are using Oracle Identity Manager 11g Release 2 or later, then see Configuring Custom Attributes in Administering Oracle Identity Manager for information on creating UDFs.
Expand Administration.
Double-click User Defined Field Definition.
Search for and open the Users form.
Click Add and enter the details of the field.
For example, if you are adding the Employee ID field, then enter Employee ID
in the Name field, set the data type to String, enter USR_UDF_EMPLOYEE_ID
as the column name, and enter a field size value.
Click Save.
Add the new field to the list of reconciliation fields in the resource object as follows:
Expand the Resource Management folder.
Double-click Resource Objects.
Search for and open one of the following resource objects:
For users: AD User Trusted
For groups: AD Group
For organizational units: AD Organizational Unit
On the Object Reconciliation tab, click Add Field.
Enter the details of the field and click Save.
For example, enter Employee ID
in the Field Name field and select String from the Field Type list.
Later in this procedure, you will enter the field name as the Decode value of the entry that you create in the lookup definition for reconciliation.
Click Create Reconciliation Profile. This copies changes made to the resource object into the MDS.
Create a reconciliation field mapping for the new field as follows:
Expand Process Management.
Double-click Process Definition.
Search for and open the AD User Trusted process definition.
On the Reconciliation Field Mappings tab, click Add Field Map.
In the Field Name field, select the value for the field that you want to add.
For example, select Employee ID = Employee ID.
Click Save.
Create an entry for the field in the lookup definition for reconciliation as follows:
Expand Administration and then double-click Lookup Definition.
Search for and open the Lookup.ActiveDirectory.UM.ReconAttrMap.Trusted lookup definition.
Search for and open the Lookup.ActiveDirectoryLDS.UM.ReconAttrMap.Trusted lookup definition if you are using Microsoft AD LDS.
Cick Add and then enter the Code Key and Decode values for the field. The Code Key value must be the name of the field created in the AD User Trusted resource object. The Decode value is the name of the corresponding field on the target system.
Note:
For the target system fields, you must use the same case (uppercase or lowercase) as given on the target system. This is because the field names are case-sensitive.
For example, enter employeeID
in the Code Key field and then enter Employee ID
in the Decode field.
Click Save.
Select Field Type and click Save.
You can configure transformation of reconciled single-valued account data according to your requirements. For example, you can use User Name and Last Name values to create a value for the Full Name field in Oracle Identity Manager.
Note:
This section describes an optional procedure. Perform this procedure only if you want to configure transformation of data during reconciliation.
You can configure transformation of reconciled data according to your requirements. For example, you can automate the look up of the field name from an external system and set the value based on the field name.
To configure transformation of data:
Write code that implements the required transformation logic in a Java class.
The only criteria for the class is that it should have a method with the following name and signature:
public Object transform(HashMap hmUserDetails, HashMap hmEntitlementDetails, String sField) {}
The following is a sample transformation class:
import java.util.*; public class MyTransformer { /* Description:Abstract method for transforming the attributes param hmUserDetails<String,Object> HashMap containing parent data details param hmEntitlementDetails <String,Object> HashMap containing child data details */ public Object transform(HashMap hmUserDetails, HashMap hmEntitlementDetails, String sField) { /* * You must write code to transform the attributes. Parent data attribute values can be fetched by using hmUserDetails.get("Field Name"). *To fetch child data values, loop through the * ArrayList/Vector fetched by hmEntitlementDetails.get("Child Table") * Return the transformed attribute. */ String firstName= (String)hmUserDetails.get("First Name"); firstName= "blahPrefix" + firstName + "blahSuffix"; System.out.println("First Name Value is changed to: " + firstName); return firstName; } } /* End */
The method defined in this class transforms the value of the First Name attribute by prefixing the first name with blahPrefix and suffixing the first name with blahSuffix, and returns the transformed value.
Create a JAR file to hold the Java class.
Run the Oracle Identity Manager Upload JARs utility to post the JAR file to the Oracle Identity Manager database. This utility is copied into the following location when you install Oracle Identity Manager:
Note:
Before you use this utility, verify that the WL_HOME
environment variable is set to the directory in which Oracle WebLogic Server is installed.
For Microsoft Windows:
OIM_HOME/server/bin/UploadJars.bat
For UNIX:
OIM_HOME/server/bin/UploadJars.sh
When you run the utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, URL of the Oracle Identity Manager host computer, context factory value, type of JAR file being uploaded, and the location from which the JAR file is to be uploaded. Specify 1 as the value of the JAR type.
Add an entry in the lookup definition for transformation as follows:
Log in to the Design Console.
Search for and open the Lookup.ActiveDirectory.UM.ReconTransformation lookup definition.
In the Code Key column, enter the reconciliation field name for the attribute on which you want to apply the transformation. For example: First Name.
In the Decode column, enter the name of the class file. For example: com.transformationexample.MyTransformer.
Save the changes to the lookup definition.
Note:
To configure the transformation of data during trusted source reconciliation, then add the following entries in the Lookup.ActiveDirectory.UM.Configuration.Trusted lookup definition:
Code Key value: Recon Transformation Lookup
Decode value: Lookup.ActiveDirectory.UM.ReconTransformation
You can configure validation of reconciled and provisioned single-valued data according to your requirements. For example, you can validate data fetched from the First Name attribute to ensure that it does not contain the number sign (#). In addition, you can validate data entered in the First Name field on the process form so that the number sign (#) is not sent to the target system during provisioning operations.
To configure validation of data:
Write code that implements the required validation logic in a Java class.
This validation class must implement the validate method.
See Also:
The Javadocs shipped with the connector for more information about this interface
The following sample validation class checks if the value in the First Name attribute contains the number sign (#):
package com.validate; import java.util.*; public class MyValidation { public boolean validate(HashMap hmUserDetails, HashMap hmEntitlementDetails, String field) { /* * You must write code to validate attributes. Parent * data values can be fetched by using hmUserDetails.get(field) * For child data values, loop through the * ArrayList/Vector fetched by hmEntitlementDetails.get("Child Table") * Depending on the outcome of the validation operation, * the code must return true or false. */ /* * In this sample code, the value "false" is returned if the field * contains the number sign (#). Otherwise, the value "true" is * returned. */ boolean valid=true; String sUserID=(String) hmUserDetails.get(field); for(int i=0;i<sUserID.length();i++){ if (sUserID.charAt(i) == '#'){ valid=false; break; } } return valid; } }
Create a JAR file to hold the Java class.
Run the Oracle Identity Manager Upload JARs utility to post the JAR file to the Oracle Identity Manager database. This utility is copied into the following location when you install Oracle Identity Manager:
Note:
Before you use this utility, verify that the WL_HOME
environment variable is set to the directory in which Oracle WebLogic Server is installed.
For Microsoft Windows:
OIM_HOME/server/bin/UploadJars.bat
For UNIX:
OIM_HOME/server/bin/UploadJars.sh
When you run the utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, URL of the Oracle Identity Manager host computer, context factory value, type of JAR file being uploaded, and the location from which the JAR file is to be uploaded. Specify 1 as the value of the JAR type.
If you created the Java class for validating a process form field for reconciliation, then:
Log in to the Design Console.
Search for and open the Lookup.ActiveDirectory.UM.ReconValidation lookup definition.
In the Code Key column, enter the resource object field name. In the Decode column, enter the class name (for example: com.validate.MyValidation
).
Save the changes to the lookup definition.
Search for and open the Lookup.ActiveDirectory.UM.Configuration lookup definition.
Ensure that the value of the Recon Validation Lookup entry is set to Lookup.ActiveDirectory.UM.ReconValidation.
Save the changes to the lookup definition.
If you created the Java class for validating a process form field for provisioning, then:
Log in to the Design Console.
Search for and open the Lookup.ActiveDirectory.UM.ProvValidation lookup definition.
In the Code Key column, enter the process form field name. In the Decode column, enter the class name (for example: com.validate.MyValidation
).
Save the changes to the lookup definition.
Search for and open the Lookup.ActiveDirectory.UM.Configuration lookup definition.
Ensure that the value of the Provisioning Validation Lookup entry is set to Lookup.ActiveDirectory.UM.ProvValidation.
Save the changes to the lookup definition.
This completes the procedure for configuring validation of data. For data that fails the validation check, the following message is displayed or recorded in the log file:
Value returned for field
FIELD_NAME
is false.
The Microsoft Active Directory User Management connector supports reconciliation and provisioning operations across multiple domains in a single forest.
Note:
The information in this section is applicable only if you are using Microsoft Active Directory as the target system. Enabling reconciliation and provisioning operations across multiple domains is not supported if you are using Microsoft AD LDS as the target system.
Reconciliation runs are performed by using the Global Catalog Server and provisioning operations are performed by using LDAP referrals.
If you want to enable reconciliation and provisioning across multiple domains, then perform the procedure described in the following sections:
This following sections help you understand enabling reconciliation across multiple domains:
To perform reconciliation across multiple domains, this connector uses both the domain controller and the Global Catalog Server for fetching records from the target system.
During reconciliation, records from the Global Catalog Server are fetched to the connector. After a record is fetched into the connector, the distinguishedName and uSNChanged attribute values are read. By using the distinguishedName, the connector performs an LDAP query on the domain controller that contains the actual data (referrals are used here). This approach is used for reconciliation because the Global Catalog Server has only partial set of records. Complete data can only be fetched from the domain controller.
After all records are fetched into Oracle Identity Manager, the reconciliation engine updates the Latest Token attribute of the scheduled job with the maximum value of the uSNChanged attribute of a domain controller on which the Global Catalog Server is running. From the next reconciliation run onward, only records whose uSNChanged attribute values are greater than current value in the Latest Token attribute are fetched from the Global Catalog Server. Therefore, any updates made to a record on the target system must update the uSNChanged attribute of that record in the Global Catalog Server so that the connector can detect records that have been updated since the last reconciliation run and then fetch them into Oracle Identity Manager.
To enable reconciliation across multiple domains:
Note:
If the value of the SearchChildDomains entry in the configuration lookup definition is set to yes
and no value is specified for the SyncGlobalCatalogServer parameter of the IT resource, then the connector determines the Global Catalog Server on its own. It is strongly recommended that you specify a value for the SearchChildDomains entry and the SyncGlobalCatalogServer IT resource parameter.
While performing group reconciliation in a cross-domain environment, the connector fetches only those groups of the account that are visible to the domain controller on which the account is present.
It is recommended to not enter any value for LDAPHostName parameter of the IT resource. The connector will automatically find the right domain controller to fetch complete user information after obtaining the distinguished name from the global catalog server. If you specify a value for the LDAPHostName parameter, then the connector ignores it and determines the appropriate domain controller (for fetching user information) by using the ADSI referrals feature.
In a parent-child deployment environment of the target system, before performing provisioning operations across multiple domains, it is expected that the target system IT resource is configured with the parent domain. In a replication environment of the target system, before performing provisioning operations across multiple domains, it is expected that the target system IT resource is configured with any of the domain controllers.
This scenario is illustrated by the following example:
Suppose a parent-child domain environment in which the parent domain is dc1 and child domain is dc2. The target system IT resource is configured to include dc1 as the value of the LDAPHostName parameter and the name of the parent domain as the value of the DomainName parameter.
During provisioning, if we select an organization that belongs to the child domain, multiple groups that span across domains, and the manager from the parent domain, then LDAP referrals are internally used by ADSI (Active Directory Service Interfaces). This is because all connectors operations are leveraged to ADSI, which enables creation of an account in the child domain even without providing any details of the child domain in the IT resource.
All this information is internally calculated depending upon the organization that is selected during the provisioning operation. In the connector, the referral chasing option is set to All,
which means that all referrals are chased when any referral is provided by the domain controller. Therefore, no explicit configuration procedure is required to enable provisioning across multiple domains.
See Also:
The ADSI documentation for more information about LDAP referrals
You can use the connector for more than one trusted source reconciliation.
The following are examples of scenarios in which there is more than one trusted source for user data in an organization:
One of the target systems is a trusted source for data about employees. The second target system is a trusted source for data about contractors. The third target system is a trusted source for data about interns.
One target system holds the data of some of the identity fields that constitute an OIM User. Two other systems hold data for the remaining identity fields. In other words, to create an OIM User, data from all three systems would need to be reconciled.
If the operating environment of your organization is similar to that described in either one of these scenarios, then this connector enables you to use the target system as one of the trusted sources of user data in your organization.
You can use the Active Directory User Management connector in an environment containing multiple target systems.
The following are topics related to multiple target system installations:
Note:
The information in this section also applies to Microsoft AD LDS.
Perform the procedure described in this section if your environment has multiple installations of the target system, which share the same schema managed by this connector. In such a scenario, if you are using Oracle Identity Manager release 11.1.1.x, then only the IT resource information must be changed. If you are using Oracle Identity Manager release 11.1.2.x, then the IT resource information must be changed and application instances must be created.
In addition, irrespective of the Oracle Identity Manager release that you are using, scheduled tasks must be replicated, but the underlying workflow and process form is shared across all installations of the target system.
If your environment has multiple installations of the target system and the schema differs (that is, different sets of attributes must be managed by using the connector. In other words, you need different process forms, workflows, and so on), then you must use the connector cloning feature. For more information about cloning the connector, see About Cloning the Microsoft Active Directory User Management Connector.
You may want to configure the connector for multiple installations of Microsoft Active Directory. The following example illustrates this requirement:
The Tokyo, London, and New York offices of Example Multinational Inc. have their own installations of Microsoft Active Directory. The company has recently installed Oracle Identity Manager, and they want to configure Oracle Identity Manager to link all the installations of Microsoft Active Directory.
To meet the requirement posed by such a scenario, you must configure the connector for multiple installations of Microsoft Active Directory.
Summary of steps to configure the connector for multiple installations of the target system is as follows:
Configure the connector for multiple installations of the target system.
Complete the prerequisite steps for performing provisioning operations with multiple instances of the target system.
Perform provisioning operations.
To configure the connector for multiple installations of the target system:
The User Principal Name field on the process form is pre-populated with values from the User ID field and the UPN Domain IT resource parameter. Before you perform provisioning operations on Oracle Identity Manager release 11.1.1.x and switch to a different IT resource during a provisioning operation, you must change the IT resource to which the User Principal Name field is mapped.
When you perform provisioning operations:
On Oracle Identity Manager release 11.1.1.x:
When you use the Administrative and User Console to perform provisioning, you can specify the IT resource corresponding to the Microsoft Active Directory installation to which you want to provision the user.
On Oracle Identity Manager release 11.1.2.x or later:
Perform the instructions described in Performing Provisioning Operations in Oracle Identity Manager Release 11.1.2 or Later.
You can initiate the process task for home directory update after the Create User provisioning operation.
The following sections discuss the procedure to initiate the process task for home directory update after the Create User provisioning operation:
While performing a Create User provisioning operation, you can specify a value for the Home Directory field. However, at times, due to the delay in replicating this information across all domain controllers, the following error is encountered:
The security ID structure is invalid.
To avoid this issue, you can create the home directory after successful completion of the Create User provisioning operation. This is achieved by creating a new process task that will be initiated upon successful completion of the Create User provisioning task.
Note:
During the Create User provisioning operation, do not specify a value for the Home Directory field. After the Create User provisioning operation completes successfully, the UpdateHomeDirTask process task updates the Home Directory field on the process form. This triggers the Homedirectory Updated task, which updates the home directory information for the user and creates it on the target system.
You must create an adapter (for example UpdateHomeDirectoryField) that can update the home directory for a user. To create the UpdateHomeDirectoryField adapter:
Log in to the Design Console.
Expand Development Tools, and double-click Adapter Factory.
On the Adapter Factory form, in the Adapter Name field, enter the name of the adapter, for example, UpdateHomeDirectoryField.
Double-click the Adapter Type lookup field. From the Lookup window that is displayed, select Process Task.
In the Description field, type a description for the adapter, for example, This adapter is used to update the home directory for a user.
Click the Save icon.
The adapter is created and stored in the Oracle Identity Manager database.
Add adapter variables as follows:
On the Adapter Factory form, click the Variable List tab.
Click Add.
The Add a Variable window is displayed.
In the Variable Name field, enter the name of the adapter variable, for example, networkShare.
From the Type menu, select String.
From the Map To menu, select Resolve at runtime.
Click the Save icon and close the window.
Click Add to add another variable.
In the Variable Name field, enter the name of the adapter variable, for example, sAMAccountName.
From the Type menu, select String.
From the Map To menu, select Resolve at runtime.
Click the Save icon and close the window.
Create an adapter task of type utility as follows:
On the Adapter Tasks tab, click Add.
In the Adapter Task Selection dialog box, select Utility Task, ensure that Utility is selected from the list of utility tasks, and then click Continue.
In the Object Instance Selection dialog box, ensure that New Object Instance is selected, and then click Continue. The Add An Adapter Factory Task dialog box displays.
In the Task Name field, enter HomeDirUpdateTask.
From the Application API list, select com.thortech.xl.util.adapters.tcUtilStringOperations.
From the Methods list, select com.thortech.xl.util.adapters.tcUtilStringOperations#performConcat().
Click the Save icon.
Map adapter variables to the method inputs, and map method output to the Adapter return variable.
Click Set.
Click the Save icon and close the dialog box.
On the Adapter Factory form, click the Build icon.
After the adapter is re-created, the Compile Status field will display the OK
status.
Click the Save icon.
After creating the adapter, you must update the AD User process definition to include a new process task that contains the newly created adapter. To do so:
Expand Process Management, and then double-click Process Definition.
Search for and open the AD User process definition.
Create the UpdateHomeDirTask process task as follows:
On the Tasks tab, click Add.
The Creating New Task dialog box is displayed.
In the Task Name field, enter the name of the process task, for example, UpdateHomeDirTask.
In the Task Properties region, select Conditional and Allow Multiple Instances, and deselect Required for Completion.
Click the Save icon.
On the Integration tab, in the Event Handler/Adapter region, click Add.
The Handler Selection dialog box is displayed.
Select the Adapter option, and then from the list of adapters displayed in the Handler Name region, select UpdateHomeDirectoryField (the adapter created in Creating the UpdateHomeDirectoryField Adapter). This assigns the UpdateHomeDirectoryField adapter to the UpdateHomeDirTask process task.
Click the Save icon and close the dialog box.
On the Integration tab, in the Adapter Variables region, select the networkShare adapter variable.
Click Map.
In the Edit Data Mapping For Variable dialog box, create the following mapping:
Variable Name: networkShare
Literal Value: \\
MY_SERVER
\
MY_SHARED_FOLDER
\
Click the Save icon and close the dialog box.
On the Integration tab, in the Adapter Variables region, select the sAMAccountName adapter variable.
In the Edit Data Mapping For Variable dialog box, create the following mapping:
Variable Name: sAMAccountName
Map To: Process Data
Literal Value: Any process form field label whose value is the directory name. The literal value is usually the User ID field.
Click the Save icon and close the Editing Data Mapping for Variable dialog box.
Click the Save icon on the Process Definition form.
You can create a group of type Security Group - Universal by adding this group type to the Lookup.ActiveDirectory.GroupTypes lookup definition.
There are six types of groups that you can create in the target system. By default, this connector is shipped with only five group types that you can select for the group that you create through Oracle Identity Manager. If you want to create a group of type Security Group - Universal, then you must add this group type to the Lookup.ActiveDirectory.GroupTypes lookup definition as follows:
You can provision or reconcile a custom object category.
Note:
The procedure described in this section is applicable only if you are using AD LDS as the target system.
By default, the connector can provision to or reconcile only objects of the Person category. If you want the provision or reconcile custom object category, then perform the procedure discussed in this section. This sections contains the following topics:
To configure the connector to reconcile records belonging to a custom object category during trusted source reconciliation:
When you perform a trusted source reconciliation by using the scheduled task you created in this section, the connector will retrieve records of custom object that you specify as the value of the objectCategory attribute. If you do not specify a value for the objectCategory attribute, then objects of "Person" category are fetched.
To configure the connector to reconcile records belonging to a custom object category during target resource reconciliation:
Make the following scheduled task specific changes:
Create a new scheduled task similar to the Active Directory User Target Recon task. In other words, clone the Active Directory User Target Recon task.
In the newly created scheduled task, add the objectCategory attribute.
A new task is ready to perform target resource reconciliation of a custom object category.
Modify the process form as follows:
Expand Development Tools and then double-click Form Designer.
Search for and open the UD_ADUSER process form.
Click Create New Version, and then click Add.
In the Name field, enter UD_ADUSER_OBJCATEGORY.
In the Field Label column, enter Object Category.
Then, enter values for the rest of the columns.
On the Properties tab, select the Object Category field, and then click Add Property.
In the Add Property dialog box, add the Lookup Code property and set its value to Lookup.ActiveDirectory.ObjectCategory.
Click Save and then click Make Version Active.
Create a lookup definition named Lookup.ActiveDirectory.ObjectCategory.
Modify the resource object as follows:
Expand Resource Management and then double-click Resource Objects.
Search for and open the AD User resource object.
On the Object Reconciliation tab, click Add Field.
In the Add Reconciliation Field dialog box, enter Object Category
in the Field Name field and select String from the Field Type list.
Click Save and close the dialog box.
Click Save.
Modify the process definition:
Expand Process Management and then double-click Process Definition.
Search for and open the AD User provisioning process.
On the Reconciliation Field Mappings tab of the provisioning process, click Add Field Map.
In the Add Reconciliation Field Mapping dialog box, from the Field Name field, select Object Category.
Double-click the Process Data field, and then select UD_ADUSER_OBJCATEGORY.
Click Save and close the dialog box.
Click Save.
Click Create Reconciliation Profile. This copies changes made to the resource object into MDS.
Run the PurgeCache utility.
Modify the lookup definition as follows:
Expand Administration and then double-click Lookup Definition.
Search for and open the Lookup.ActiveDirectoryLDS.UM.ReconAttrMap lookup definition.
Click Add to create an entry for the Object Category field.
In the Code Key column, enter Object Category.
In the Decode column, enter objectCategory.
Click Save.
When you perform target resource reconciliation by using the scheduled task you created in this section, the connector will retrieve records of custom object that you specify as the value of the objectCategory attribute. If you do not specify a value for the objectCategory attribute, then objects of "Person" category are fetched.
To configure the connector to provision accounts belonging to a custom object category:
Create a list (containing distinguished names) of all custom object categories on the target system.
Modify the Lookup.ActiveDirectory.ObjectCategory lookup definition as follows:
Expand Administration and then double-click Lookup Definition.
Search for and open the Lookup.ActiveDirectory.ObjectCategory lookup definition.
Click Add.
Enter values in the following format:
Code Key: IT_RESOURCE_KEY~CUST_OBJ_CATG_DN
In this format, IT_RESOURCE_KEY is the numeric code assigned to each IT resource in Oracle Identity Manager, and CUST_OBJ_CATG_DN is the distinguished name of a custom object category.
Sample value: 23~CN=customPerson,CN=Schema,CN=Configuration,CN={D14B37E9-778C-4312-99B3-FF3AA0DE99C6}
Decode: IT_RESOURCE_NAME~CUST_OBJ_CATG_DN
In this format, IT_RESOURCE_KEY is the name of the IT resource, and CUST_OBJ_CATG_DN is the distinguished name of a custom object category.
Sample value: ADLDSITResource~CN=customPerson,CN=Schema,CN=Configuration,CN={D14B37E9-778C-4312-99B3-FF3AA0DE99C6}
Repeat Steps 2.c and 2.d to add all distinguished names collected in Step 1.
Click Save.
Modify the Lookup.ActiveDirectoryLDS.UM.ProvAttrMap lookup definition:
Expand Administration and then double-click Lookup Definition.
Search for and open the Lookup.ActiveDirectoryLDS.UM.ProvAttrMap lookup definition.
Click Add.
In the Code Key column, enter Object Category[LOOKUP].
In the Decode column, enter object Category.
Click Save.
Run the PurgeCache utility.
Note:
After performing the procedure described in this section, during a provisioning operation, you can select the object category from the Object Category lookup field. If you want to enable the update of the Object Category field, then create a process task (for example, Object Category Updated) for the AD User process definition. Ensure to use the ADIDC Update Attribute Value adapter.