4 Extending the Functionality of the Connector
This chapter discusses the following optional procedures:
Note:
From Oracle Identity Manager Release 11.1.2 onward, lookup queries are not supported. See Managing Lookups in Oracle Fusion Middleware Administering Oracle Identity Manager for information about managing lookups by using the Form Designer in the Oracle Identity Manager System Administration console.
4.1 Adding Target System Attributes for Reconciliation
By default, the attributes listed in the "User Attributes" are mapped for reconciliation between Oracle Identity Manager and the target system. If required, you can map additional attributes for reconciliation as follows:
Note:
Perform this procedure only if you want to add new target system attributes for reconciliation.
1. In the resource object definition, add a reconciliation field corresponding to the new attribute as follows:
   a. Open the Resource Objects form. This form is in the Resource Management folder.
   b. Click Query for Records.
   c. On the Resource Objects Table tab, double-click the Lotus User resource object to open it for editing.
   d. On the Object Reconciliation tab, click Add Field to open the Add Reconciliation Field dialog box.
   e. Specify a value for the field name.
      You must specify the name that is to the left of the equal sign in the line that you uncomment or add while performing Step 1.
      For example, if you uncomment the Users.City=City line in Step 1, then you must specify Users.City as the attribute name.
   f. From the Field Type list, select a data type for the field.
      For example: String
   g. Save the values that you enter, and then close the dialog box.
   h. If required, repeat Steps d through g to map more fields.
   i. If you are using Oracle Identity Manager release 11.1.1, then click Create Reconciliation Profile. This copies changes made to the resource object into the MDS.
2. If a corresponding field does not exist in the process form, then add a new column in the process form.
   a. Open the Form Designer form. This form is in the Development tools folder.
   b. Query for the UD_LOTUS form.
   c. Click Create New Version.
      The Create a New Version dialog box is displayed.
   d. In the Label field, enter the name of the version.
   e. Click Save and close the dialog box.
   f. From the Current Version box, select the version name that you entered in the Label field in Step 2.d.
   g. On the Additional Columns tab, click Add.
   h. In the Name field, enter the name of the data field and then enter the other details of the field.
      Note:
      Repeat Steps g and h if you want to add more attributes.
   i. Click Save, and then click Make Version Active.
3. Modify the process definition to include the mapping between the newly added attribute and the corresponding reconciliation field:
   a. Open the Process Definition form. This form is in the Process Management folder of the Design Console.
   b. Click the Query for Records icon.
   c. On the Process Definition Table tab, double-click the Lotus User process definition.
   d. On the Reconciliation Field Mappings tab, click Add Field Map to open the Add Reconciliation Field Mapping dialog box.
   e. From the Field Name list, select the name of the resource object that you add in Step 2.1.e.
   f. Double-click Process Data Field and select the corresponding process form field from the Lookup dialog box. Then, click OK.
   g. Click Save and close the dialog box.
   h. If required, repeat Steps 3.c through 3.g to map more fields.
4. Go to the reconciliation lookup, Lookup.Domino.UM.ProvAttrMap, and add a new record for the new attribute using the following values:
   - Code Key - Name of the reconciliation field
   - Decode - Name of the Domino Attribute
4.2 Adding Target System Attributes for Provisioning
Note:
In this section, the term "attribute" refers to the identity data fields that store user data.
Do not repeat steps that you have performed as part of the procedure described in Adding Target System Attributes for Reconciliation.
By default, the attributes listed in the "User Attributes" are mapped for provisioning between Oracle Identity Manager and the target system. If required, you can map additional attributes for provisioning by performing these steps:
1. Add a new form field.
   To add a new field to the Process form, use the following steps:
   1. Open the Form Designer form. This form is in the Development Tools folder of the Oracle Identity Manager Design Console.
   2. Query for the UD_LOTUS form.
   3. Click Create New Version.
      The Create a New Version dialog box is displayed.
   4. In the Label field, enter the name of the version.
   5. Click Save and close the dialog box.
   6. From the Current Version box, select the version name that you entered in the Label field in Step 4.
   7. On the Additional Columns tab, click Add.
   8. Specify the new field name and other values.
   9. Click Save.
   10. Click Make Version Active to make the new form field visible to the user.
       Now, if you go to Oracle Identity Manager, and try to provision a new user to Domino, you should see the new form field. Next, you must add the new form field to the Provisioning Mapping Lookup.
2. Add the new field to the Provisioning Mapping Lookup.
   After creating a new form field, you must add that field to the Provisioning Mapping Lookup. Use the following steps:
   1. Expand Administration and then double-click Lookup Definition.
   2. In the Lookup Definition window, search for *Domino*. The Design Console returns Lookup.Domino.UM.ProvAttrMap.
   3. Select the Lookup Definition Table tab, and select Lookup.Domino.UM.ProvAttrMap. The Lookup Code Information tab maps the OIM form field names to the Domino Identity Connector attributes: the Code Key column contains the OIM field labels, and the Decode column contains the attribute names supported by the Domino Identity Connector.
   4. Add a new record for the new form field. Type the new form field name into the Code Key column and type the Domino Identity Connector attribute name into the Decode column.
   5. Click Save.
      Now, when you create a new Domino user, the connector will get the new attribute as part of the create operation.
      At this point, the process task only handles creates. Next, you must change the process task to also handle updates. Instructions are described in the next section.
3. Change the process task to handle updates by performing these steps:
   1. In the Design Console, expand Process Management and then double-click Process definition.
   2. Search for, and select the Lotus User process.
   3. In the Task column, look for an update task that is similar to the one you want to add and select that entry.
   4. Click Add.
   5. In the Creating New Task dialog, select the General tab and enter a Task Name and a Task Description.
      The Task Name is important because it will be the form name field. Be sure to include the event you want the task to handle. For example, if you add the City field for provisioning, then add the City Updated task. Now, this update event will be triggered when the City field is updated.
   6. In the Task Properties section, set the following properties as noted:
      - Conditional: Enabled
      - Required for Completion: Disabled
      - Disable Manual Insert: Disabled
      - Allow Cancellation while Pending: Enabled
      - Allow Multiple Instances: Enabled
      You do not have to change any of the remaining properties.
   7. Save your changes.
   8. To add an Event Handler, select the Integration tab, and then click Add.
   9. When the Handler Select dialog box displays, select Adapter as the handler type and then select adpLNUPDATEUSERINFO and click Save.
   10. Map all of the variables that are configured for the event adapter.
       In the Adapter Variables section, double-click a variable name to open the Edit Data Mapping For Variable dialog box. Specify the following values for each variable in turn. Be sure to save your changes after each mapping.

       | Variable Name | Map To | Qualifier | Literal Value |
       |---|---|---|---|
       | itResourceFieldName | Literal | String | UD_LOTUS_SERVERNAME |
       | processInstanceKey | Process Data | Process Instance | |
       | Adapter return value | Response Code | | |
       | objectType | Literal | String | User |
       | attrName | Literal | String | Enter your new Form Field Label |

   11. Save and close the Creating New Task dialog.
   12. Check the Task column on the Process Definition tab to verify that the new process task is listed. Also verify that the new form field is available and working in Oracle Identity Manager.
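The checks below are an added example, not part of Oracle's documentation or the connector: they compare a hand-written inventory of the Design Console objects against the steps in sections 4.1 and 4.2 and list what is still missing for one attribute. The snapshot layout, the function name and the sample values are assumptions, and the form field name and its label are treated as the same string.

```python
# Added example: cross-checks one new attribute against sections 4.1 and 4.2.
# The snapshot dict is a hypothetical hand-written inventory, not an OIM export.
PROV_LOOKUP = "Lookup.Domino.UM.ProvAttrMap"
UPDATE_ADAPTER = "adpLNUPDATEUSERINFO"
FIXED_VARS = {"itResourceFieldName": "UD_LOTUS_SERVERNAME", "objectType": "User"}

def missing_steps(snap, recon_field, form_label):
    """Return the steps of 4.1 and 4.2 that snap does not yet reflect."""
    gaps = []
    lookup = snap["lookups"].get(PROV_LOOKUP, {})
    if recon_field not in snap["recon_fields"]:
        gaps.append("4.1 step 1: reconciliation field missing")
    if form_label not in snap["form_columns"]:
        gaps.append("4.1 step 2 / 4.2 step 1: form field missing")
    if snap["recon_mappings"].get(recon_field) != form_label:
        gaps.append("4.1 step 3: reconciliation field not mapped to form field")
    if not lookup.get(recon_field):
        gaps.append("4.1 step 4: no lookup record for reconciliation field")
    if not lookup.get(form_label):
        gaps.append("4.2 step 2: no lookup record for form field")
    task = snap["tasks"].get(f"{form_label} Updated")
    if task is None:
        gaps.append("4.2 step 3: update task missing")
        return gaps
    if task.get("adapter") != UPDATE_ADAPTER:
        gaps.append("4.2 step 3: update task does not use " + UPDATE_ADAPTER)
    # attrName must carry the new form field label, not the copied task's value.
    wanted = dict(FIXED_VARS, attrName=form_label)
    actual = task.get("vars", {})
    bad = sorted(name for name, value in wanted.items() if actual.get(name) != value)
    if bad:
        gaps.append("4.2 step 3: adapter variables to fix: " + ", ".join(bad))
    return gaps

# Constructed sample: City has no reconciliation lookup record yet, and the
# update task still carries the attrName of the task it was modelled on.
SAMPLE = {
    "recon_fields": {"Users.City"},
    "form_columns": {"City"},
    "recon_mappings": {"Users.City": "City"},
    "lookups": {PROV_LOOKUP: {"City": "City"}},
    "tasks": {"City Updated": {"adapter": UPDATE_ADAPTER, "vars": {
        "itResourceFieldName": "UD_LOTUS_SERVERNAME", "objectType": "User",
        "attrName": "Last Name"}}},
}

if __name__ == "__main__":
    for gap in missing_steps(SAMPLE, "Users.City", "City"):
        print(gap)
```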
4.3 Configuring Validation and Transformation
You can configure validation for provisioned and reconciled single-valued data according to your requirements. You can also configure transformation, but it is only supported for reconciliation.
Instructions for configuring validations and transformations are described in the following sections:
4.3.1 Configuring Validation for Provisioning
To configure validation for provisioned data, follow these steps:
4.3.2 Configuring Validation for Reconciliation
The steps for configuring reconciliation validation are the same as the steps described in Configuring Validation for Provisioning, except that the Code Key in step 8 must be Recon Validation Lookup.
4.3.3 Configuring Reconciliation Transformation
You can configure transformation of reconciled single-valued user data according to your requirements. For example, you could use First Name and Last Name values to create a value for the Full Name field in Oracle Identity Manager.
To configure the reconciliation transformation:
4.4 Configuring the Connector for Multiple Installations of the Target System
Note:
Perform this procedure only if you want to configure the connector for multiple installations of IBM Lotus Notes and Domino.
You might want to configure the connector for multiple installations of the target system. The following example illustrates this requirement:
The London and New York offices of Example Multinational Inc. have their own installations of the target system. The company has recently installed Oracle Identity Manager, and they want to configure Oracle Identity Manager to link all the installations of the target system.
To meet the requirement posed by such a scenario, you can create copies of connector objects, such as the IT resource and scheduled job.
The decision to create a copy of a connector object is based on a requirement. For example, an IT resource can hold connection information for one target system installation. Therefore, it is mandatory to create a copy of the IT resource for each target system installation.
To create copies of the connector objects:
Note:
For this connector, it is assumed that all installations of the target system have the same set of attributes for reconciliation and provisioning.
- Create a copy of the IT resource. See "Configuring the IT Resource" for information about this IT resource.
- Create a copy of the Lotus Notes User Reconciliation scheduled job. See "Reconciliation Scheduled Jobs" for information about this scheduled job.
To reconcile data from a particular target system installation, specify the name of the IT resource for that target system installation as the value of the ITResource scheduled job attribute.
4.5 Moving the User Name in the Name Hierarchy
If you want to move the user name in the name hierarchy, then perform the following steps.
4.6 Creating and Updating WebUsers
If you want to create and update WebUsers, perform the following procedure:
Note:
The following procedure is applicable only for WebUsers.
1. To create a WebUser in Domino, set the configuration option of CreateIdFile as false in the Lookup.Configuration.Domino lookup definition. To do so, perform the following procedure:
   a. Log into the Design Console.
   b. Search for and open the Lookup.Configuration.Domino lookup definition.
   c. Set the configuration option of CreateIdFile to False.
   d. Click Save and close the lookup definition.
2. While provisioning, enter the cert org hierarchy value in the process form in order to ensure that the WebUsers Update functionality works as expected.
4.7 Resetting the User Password in IDVault
This connector supports resetting the user password in the ID Vault. To enable this, set useIDVault to true in the Lookup.Configuration.Domino lookup definition.
On the target side: "The IDVault can be configured for certain organizations or can use policy to decide if the IDFile should be stored in IDVault. Also, the Domino Connector supports using explicit policy when registering a new user."