4 Extending the Functionality of the Connector

You can extend the functionality of the connector to address your specific business requirements.

This chapter discusses the following optional procedures:

Note:

From Oracle Identity Manager Release 11.1.2 onward, lookup queries are not supported. See Managing Lookups in Oracle Fusion Middleware Administering Oracle Identity Manager for information about managing lookups by using the Form Designer in the Oracle Identity Manager System Administration console.

4.1 Adding Target System Attributes for Reconciliation

By default, the attributes listed in "User Attributes" are mapped for reconciliation between Oracle Identity Manager and the target system. If required, you can map additional attributes for reconciliation as follows:

Note:

Perform this procedure only if you want to add new target system attributes for reconciliation.

  1. In the resource object definition, add a reconciliation field corresponding to the new attribute as follows:

    1. Open the Resource Objects form. This form is in the Resource Management folder.

    2. Click Query for Records.

    3. On the Resource Objects Table tab, double-click the Lotus User resource object to open it for editing.

    4. On the Object Reconciliation tab, click Add Field to open the Add Reconciliation Field dialog box.

    5. Specify a value for the field name.

      You must specify the name that is to the left of the equal sign in the line that you uncomment or add while performing Step 1.

      For example, if you uncomment the Users.City=City line in Step 1, then you must specify Users.City as the attribute name.

    6. From the Field Type list, select a data type for the field.

      For example: String

    7. Save the values that you enter, and then close the dialog box.

    8. If required, repeat Steps d through g to map more fields.

    9. If you are using Oracle Identity Manager release 11.1.1, then click Create Reconciliation Profile. This copies changes made to the resource object into the MDS.

  2. If a corresponding field does not exist in the process form, then add a new column in the process form.

    1. Open the Form Designer form. This form is in the Development tools folder.

    2. Query for the UD_LOTUS form.

    3. Click Create New Version.

      The Create a New Version dialog box is displayed.

    4. In the Label field, enter the name of the version.

    5. Click Save and close the dialog box.

    6. From the Current Version box, select the version name that you entered in the Label field in Step 2.d.

    7. On the Additional Columns tab, click Add.

    8. In the Name field, enter the name of the data field and then enter the other details of the field.

      Note:

      Repeat Steps g and h if you want to add more attributes.

    9. Click Save, and then click Make Version Active.

  3. Modify the process definition to include the mapping between the newly added attribute and the corresponding reconciliation field:

    1. Open the Process Definition form. This form is in the Process Management folder of the Design Console.

    2. Click the Query for Records icon.

    3. On the Process Definition Table tab, double-click the Lotus User process definition.

    4. On the Reconciliation Field Mappings tab, click Add Field Map to open the Add Reconciliation Field Mapping dialog box.

    5. From the Field Name list, select the name of the resource object that you add in Step 2.1.e.

    6. Double-click Process Data Field and select the corresponding process form field from the Lookup dialog box. Then, click OK.

    7. Click Save and close the dialog box.

    8. If required, repeat Steps 3.c through 3.g to map more fields.

  4. Go to the reconciliation lookup, Lookup.Domino.UM.ProvAttrMap, and add a new record for the new attribute using the following values:

    • Code Key - Name of the reconciliation field

    • Decode - Name of the Domino Attribute

4.2 Adding Target System Attributes for Provisioning

Note:

In this section, the term "attribute" refers to the identity data fields that store user data.

Do not repeat steps that you have performed as part of the procedure described in Adding Target System Attributes for Reconciliation.

By default, the attributes listed in "User Attributes" are mapped for provisioning between Oracle Identity Manager and the target system. If required, you can map additional attributes for provisioning by performing these steps:

  1. Add a new form field.

    To add a new field to the Process form, use the following steps:

    1. Open the Form Designer form. This form is in the Development Tools folder of the Oracle Identity Manager Design Console.

    2. Query for the UD_LOTUS form.

    3. Click Create New Version.

      The Create a New Version dialog box is displayed.

    4. In the Label field, enter the name of the version.

    5. Click Save and close the dialog box.

    6. From the Current Version box, select the version name that you entered in the Label field in Step 4.

    7. On the Additional Columns tab, click Add.

    8. Specify the new field name and other values.

    9. Click Save.

    10. Click Make Version Active to make the new form field visible to the user.

      Now, if you go to Oracle Identity Manager, and try to provision a new user to Domino, you should see the new form field. Next, you must add the new form field to the Provisioning Mapping Lookup.

  2. Add the new field to the Provisioning Mapping Lookup.

    After creating a new form field, you must add that field to the Provisioning Mapping Lookup. Use the following steps:

    1. Expand Administration and then double-click Lookup Definition.

    2. In the Lookup Definition window, search for *Domino*.

      The Design Console returns Lookup.Domino.UM.ProvAttrMap.

    3. Select the Lookup Definition Table tab, and select Lookup.Domino.UM.ProvAttrMap.

      The Lookup Code Information tab maps the OIM form field names to the Domino Identity Connector attributes. The Code Key column contains the OIM field labels, and the Decode column contains the attribute names supported by the Domino Identity Connector.

    4. Add a new record for the new form field. Type the new form field name into the Code Key column and type the Domino Identity Connector attribute name into the Decode column.

    5. Click Save.

      Now, when you create a new Domino user, the connector will get the new attribute as part of the create operation.

    At this point, the process task only handles creates. Next, you must change the process task to also handle updates. Instructions are described in the next section.

  3. Change the process task to handle updates by performing these steps:

    1. In the Design Console, expand Process Management and then double-click Process definition.

    2. Search for, and select the Lotus User process.

    3. In the Task column, look for an update task that is similar to the one you want to add and select that entry.

    4. Click Add.

    5. In the Creating New Task dialog, select the General tab and enter a Task Name and a Task Description.

      The Task Name is important because it will be the form name field. Be sure to include the event you want the task to handle. For example, if you add the City field for provisioning, then add the City Updated task. Now, this update event will be triggered when the City field is updated.

    6. In the Task Properties section, set the following properties as noted:

      - Conditional: Enabled

      - Required for Completion: Disabled

      - Disable Manual Insert: Disabled

      - Allow Cancellation while Pending: Enabled

      - Allow Multiple Instances: Enabled

      You do not have to change any of the remaining properties.

    7. Save your changes.

    8. To add an Event Handler, select the Integration tab, and then click Add.

    9. When the Handler Select dialog box displays, select Adapter as the handler type and then select adpLNUPDATEUSERINFO and click Save.

    10. Map all of the variables that are configured for the event adapter.

      In the Adapter Variables section, double-click a variable name to open the Edit Data Mapping For Variable dialog box. Specify the following values for each variable in turn. Be sure to save your changes after each mapping.

      | Variable Name | Map To | Qualifier | Literal Value |
      | --- | --- | --- | --- |
      | itResourceFieldName | Literal | String | UD_LOTUS_SERVERNAME |
      | processInstanceKey | Process Data | Process Instance | |
      | Adapter return value | Response Code | | |
      | objectType | Literal | String | User |
      | attrName | Literal | String | Enter your new Form Field Label |

    11. Save and close the Creating New Task dialog.

    12. Check the Task column on the Process Definition tab to verify that the new process task is listed. Also verify that the new form field is available and working in Oracle Identity Manager.

4.3 Configuring Validation and Transformation

You can configure validation for provisioned and reconciled single-valued data according to your requirements. You can also configure transformation, but it is only supported for reconciliation.

Instructions for configuring validations and transformations are described in the following sections:

4.3.1 Configuring Validation for Provisioning

To configure validation for provisioned data, follow these steps:

  1. Write a custom Java class that implements the Validation interface. For example:
    package com.validationexample;
    import oracle.iam.connectors.common.ConnectorException;
     
    import java.util.HashMap;
     
    public class MyValidator implements Validator {
        public boolean validate(HashMap hmUserDetails, HashMap hmEntitlementDetails, String sField) throws ConnectorException {
     
            /*
             * You must write code to validate attributes. Parent
             * data values can be fetched by using hmUserDetails.get(field).
             * For child data values, loop through the
             * ArrayList/Vector fetched by hmEntitlementDetails.get("Child Table").
             * Depending on the outcome of the validation operation,
             * the code must return true or false.
             */
            /*
             * In this sample code, the value "false" is returned if the field
             * contains the number sign (#). Otherwise, the value "true" is
             * returned.
             */
            boolean valid = true;
            String sFirstName = (String) hmUserDetails.get(sField);
            // A missing value cannot contain the number sign, so return true
            // instead of failing with a NullPointerException.
            if (sFirstName == null) {
                return valid;
            }
            for (int i = 0; i < sFirstName.length(); i++) {
                if (sFirstName.charAt(i) == '#') {
                    valid = false;
                    break;
                }
            }
            return valid;
     
        }
    }
    
  2. Log in to the Design Console.
  3. Search for and open the Lookup.Domino.UM.ProvValidation lookup definition, or create a lookup definition with a custom name.

    Note:

    If you cannot find the Lookup.Domino.UM.ProvValidation lookup definition, create a new lookup.

  4. In the Code Key column, enter the resource object field name that you want to validate.
  5. In the Decode column, enter the class name.

    For example, com.validationexample.MyValidator.

  6. Save your changes to the lookup definition.
  7. Search for and open the Lookup.Domino.UM.Configuration lookup definition.
  8. In the Code Key column, enter Provisioning Validation Lookup.
  9. In the Decode column, enter Lookup.Domino.UM.ProvValidation or enter the name of the lookup you created in step 3.
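
    The sample validator above blocks one character (#). An allowlist with a length bound is the stricter pattern for the same hook, shown here as an added example that is not part of the original documentation or the connector. The class name SafeNameValidator, the 64-character limit, the permitted character set, and the handling of missing values are assumptions; the class omits "implements Validator" and the connector import so that it compiles with only the JDK.

```java
import java.util.HashMap;
import java.util.regex.Pattern;

/**
 * Added example (hypothetical class name). Uses the validate() signature from
 * the sample above; add "implements Validator" and the connector imports when
 * building against the connector library.
 */
public class SafeNameValidator {
    // Assumption: a name is at most 64 characters of letters, combining marks,
    // digits, spaces, periods, apostrophes and hyphens. Adjust to your policy.
    private static final int MAX_LENGTH = 64;
    private static final Pattern ALLOWED = Pattern.compile("[\\p{L}\\p{M}\\p{Nd} .'-]+");

    public boolean validate(HashMap hmUserDetails, HashMap hmEntitlementDetails, String sField) {
        Object raw = (hmUserDetails == null) ? null : hmUserDetails.get(sField);
        if (raw == null) {
            return true;   // assumption: an absent attribute has nothing to validate
        }
        if (!(raw instanceof String)) {
            return false;  // unexpected type: fail closed
        }
        String value = (String) raw;
        if (value.isEmpty() || value.length() > MAX_LENGTH) {
            return false;  // empty or oversized value
        }
        if (!value.equals(value.trim())) {
            return false;  // leading or trailing whitespace
        }
        // Everything outside the allowlist is rejected, including '#', control
        // characters, and '/', which separates the components of hierarchical
        // names such as the org2/org example on this page.
        return ALLOWED.matcher(value).matches();
    }

    public static void main(String[] args) {
        SafeNameValidator v = new SafeNameValidator();
        // Constructed sample values, not taken from any real directory.
        String[] samples = {
            "Anne-Marie O'Neil", "Jos\u00e9", "bad#name", "a/b/c", "tab\tname", " padded "
        };
        for (String s : samples) {
            HashMap<String, Object> user = new HashMap<>();
            user.put("First Name", s);
            System.out.println("[" + s + "] -> " + v.validate(user, null, "First Name"));
        }
        HashMap<String, Object> empty = new HashMap<>();
        System.out.println("[missing] -> " + v.validate(empty, null, "First Name"));
    }
}
```

    Running main accepts the first two constructed values and the missing attribute, and rejects the other four.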

4.3.2 Configuring Validation for Reconciliation

The steps for configuring reconciliation validation are the same as the steps described in Configuring Validation for Provisioning, except that the Code Key in step 8 must be Recon Validation Lookup.

4.3.3 Configuring Reconciliation Transformation

You can configure transformation of reconciled single-valued user data according to your requirements. For example, you could use First Name and Last Name values to create a value for the Full Name field in Oracle Identity Manager.

To configure the reconciliation transformation:

  1. Write a custom Java class to implement the Transformation interface. For example:
    package com.transformationexample;
    import oracle.iam.connectors.common.ConnectorException;
     
    import java.util.HashMap;
     
     
    public class MyTransformer implements Transformation {
        public Object transform(HashMap hmUserDetails, HashMap hmEntitlementDetails, String sField) throws ConnectorException {
            /*
            * You must write code to transform the attributes.
            * Parent data attribute values can be fetched by
            * using hmUserDetails.get("Field Name").
            * To fetch child data values, loop through the
            * ArrayList/Vector fetched by hmEntitlementDetails.get("Child Table")
            * Return the transformed attribute.
            */
            String sFirstName = (String) hmUserDetails.get("First Name");
            String sLastName = (String) hmUserDetails.get("Last Name");
            return sFirstName + "." + sLastName;
     
        }
    }
    
  2. Log in to the Design Console.
  3. Search for and open the Lookup.Domino.UM.ReconTransformation lookup definition, or create a lookup definition with a custom name.

    Note:

    If you cannot find the Lookup.Domino.UM.ReconTransformation lookup definition, create a new lookup.

  4. In the Code Key column, enter the resource object field name you want to transform.
  5. In the Decode column, enter the class name.

    For example, com.transformationexample.MyTransformer.

  6. Save the changes to the lookup definition.
  7. Search for and open the Lookup.Domino.UM.Configuration lookup definition.
  8. In the Code Key column, enter Recon Transformation Lookup.
  9. In the Decode column, enter Lookup.Domino.UM.ReconTransformation or enter the name of the lookup you created in step 3.

4.4 Configuring the Connector for Multiple Installations of the Target System

Note:

Perform this procedure only if you want to configure the connector for multiple installations of IBM Lotus Notes and Domino.

You might want to configure the connector for multiple installations of the target system. The following example illustrates this requirement:

The London and New York offices of Example Multinational Inc. have their own installations of the target system. The company has recently installed Oracle Identity Manager, and they want to configure Oracle Identity Manager to link all the installations of the target system.

To meet the requirement posed by such a scenario, you can create copies of connector objects, such as the IT resource and scheduled job.

The decision to create a copy of a connector object is based on a requirement. For example, an IT resource can hold connection information for one target system installation. Therefore, it is mandatory to create a copy of the IT resource for each target system installation.

To create copies of the connector objects:

Note:

For this connector, it is assumed that all installations of the target system have the same set of attributes for reconciliation and provisioning.

  1. Create a copy of the IT resource. See "Configuring the IT Resource" for information about this IT resource.
  2. Create a copy of the Lotus Notes User Reconciliation scheduled job. See "Reconciliation Scheduled Jobs" for information about this scheduled job.

To reconcile data from a particular target system installation, specify the name of the IT resource for that target system installation as the value of the ITResource scheduled job attribute.

4.5 Moving the User Name in the Name Hierarchy

If you want to move the user name in the name hierarchy, then perform the following steps:

  1. In the process form, change the CertifierOrghierarchy value to the new organization information (for example, org2/org).
  2. In the process form, enter the values of the new certifier ID path and certpassword.
  3. Select the movecertifier check box.
  4. Click Save.

    Note:

    To make the above feature work, you should copy the root certificate, current certificate, and the certificate that you are moving into the "Servers\Certificates" view of the inbound domain's Name and Address book (Domino Directory). You can also create the documents if you have the Certifier ID files.

4.6 Creating and Updating WebUsers

If you want to create and update WebUsers, perform the following procedure:

Note:

The following procedure is applicable only for WebUsers.

  1. To create a WebUser in Domino, set the CreateIdFile configuration option to false in the Lookup.Configuration.Domino lookup definition. To do so, perform the following procedure:

    1. Log in to the Design Console.

    2. Search for and open the Lookup.Configuration.Domino lookup definition.

    3. Set the configuration option of CreateIdFile to False.

    4. Click Save and close the lookup definition.

  2. While provisioning, enter the cert org hierarchy value in the process form in order to ensure that the WebUsers Update functionality works as expected.

4.7 Resetting the User Password in IDVault

This connector supports resetting the user password in the ID Vault. To enable this functionality, set useIDVault to true in the Lookup.Configuration.Domino lookup definition.

On the target side: "The IDVault can be configured for certain organizations or can use a policy to decide if the IDFile should be stored in IDVault. Also, the Domino Connector supports using an explicit policy when registering a new user."