1 About the Connector

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with external, identity-aware applications. This guide discusses the connector that enables you to integrate Oracle Identity Manager with Oracle CRM On Demand. This connector enables you to use the target system as a managed (target) resource of identity data for Oracle Identity Manager.

In the account management (target resource) mode of the connector, information about users created or modified directly on the target system can be reconciled into Oracle Identity Manager. In addition, you can use Oracle Identity Manager to perform provisioning operations on the target system.

This chapter contains the following sections:

Note:

In this guide, the term Oracle Identity Manager server refers to the computer on which Oracle Identity Manager is installed.

1.1 Certified Components

Table 1-1 lists the certified components for this connector.

Table 1-1 Certified Components

Item                       Requirement
Oracle Identity Manager    You can use one of the following releases of Oracle Identity Manager:
                             • Oracle Identity Manager 11g Release 1 BP01 (11.1.1.5.1) and any later BP in this release track
                             • Oracle Identity Manager 11g Release 2 BP04 (11.1.2.0.4) and any later BP in this release track
                             • Oracle Identity Manager 11g Release 2 PS3 (11.1.2.3.0)
Target systems             Oracle CRM On Demand Release 19 or later
Connector Server           11.1.2.1.0
Connector Server JDK       JDK 1.6 Update 24 or later, or JRockit JDK 1.6 Update 24 or later

1.2 Certified Languages

The connector supports the following languages:

  • Arabic

  • Chinese (Simplified)

  • Chinese (Traditional)

  • Czech

  • Danish

  • Dutch

  • English

  • Finnish

  • French

  • German

  • Greek

  • Hebrew

  • Hungarian

  • Italian

  • Japanese

  • Korean

  • Norwegian

  • Polish

  • Portuguese

  • Portuguese (Brazilian)

  • Romanian

  • Russian

  • Slovak

  • Spanish

  • Swedish

  • Thai

  • Turkish

1.3 Connector Architecture

This connector enables management of target system accounts through Oracle Identity Manager. Figure 1-1 shows the architecture of the connector.

Figure 1-1 Architecture of the Connector


The Oracle Identity Manager Connector for Oracle CRM On Demand is an Identity Connector Framework (ICF)-based connector. ICF is a component that provides basic provisioning, reconciliation, and other functions that the connector requires.

Operations on the target system are performed through web services exposed by Oracle CRM On Demand. The connector consumes the following CRM On Demand web services:

  • User web service

    This web service is used for user-specific provisioning and reconciliation operations.

  • Role Management web service

    This web service is used by the CRM On Demand Role Lookup Recon scheduled job to synchronize the roles available on the target system into the Lookup.CRMOD.Roles lookup definition.

  • Password web service

    This web service is used for setting or changing the password of a user from Oracle Identity Manager.

The Web Service Description Language (WSDL) files and the generated web service stubs (artifacts) are packaged with the connector bundle. The connector communicates with the target system using these prepackaged stubs for all connector operations.

The connector uses Oracle Web Service Manager (OWSM) for the security-related aspects of communication with the target system. Communication between Oracle Identity Manager and Oracle CRM On Demand is encrypted with Secure Sockets Layer (SSL); the URL of the target system is always HTTPS. In addition, the connector uses the username token policy for message-level security when calling the Oracle CRM On Demand web services.

The target system does not allow deletion of created user accounts. Therefore, as part of the Revoke Resource operation of Oracle Identity Manager, the following changes are made:

  • On the target system, the corresponding user account is set to Inactive.

  • In Oracle Identity Manager, the tasks for the corresponding user account are cancelled and the account status is set to Disabled.

The following topics describe the connector operations:

1.3.1 Reconciliation Process

This connector can be configured to perform target resource reconciliation. The connector enables you to create and manage target accounts for OIM Users through provisioning. In addition, data related to newly created and modified target system accounts can be reconciled and linked with existing OIM Users and provisioned resources.

See Also:

Oracle Fusion Middleware User's Guide for Oracle Identity Manager for conceptual information about target resource reconciliation

The following is an overview of the steps involved in reconciliation:

  1. The scheduled job is run at the time or frequency that you specify. This scheduled job contains details of the reconciliation that you want to perform.

  2. The scheduled job performs the following tasks:

    • Reads the values that you set for the job attributes.

    • Fetches user records into Oracle Identity Manager.

  3. Each user record fetched from the target system is compared with existing target system resources assigned to OIM Users. The reconciliation rule is applied during the comparison process. See Section 3.1.3, "Reconciliation Rule for Target Resource Reconciliation" for information about the reconciliation rule.

  4. The next step of the process depends on the outcome of the matching operation:

    • If a match is found between the target system record and a resource provisioned to an OIM User, then the user resource is updated with changes made to the target system record.

    • If no match is found, then the target system user record is compared with existing OIM Users. The next step depends on the outcome of the matching operation:

      • If a match is found, then the target system record is used to provision a resource for the OIM User.

      • If no match is found, then the status of the reconciliation event is set to No Match Found.
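The matching steps above, as an added example that is not part of this guide or of the connector's code: a small Python model of steps 2 to 4, which also applies the resource exclusion list behaviour of Section 1.4.8 and the Table 1-3 note that the password is never reconciled. The reconciliation rule it uses (target UserLoginId equal to the OIM User Login) is an assumption made for illustration; the actual rule is the one defined in Section 3.1.3.

```python
NO_MATCH_FOUND = "No Match Found"
# Table 1-3: the password is provisioned only and is never reconciled.
NOT_RECONCILED = frozenset({"__UID__", "__PASSWORD__"})


def reconcile_record(record, provisioned, oim_users, exclusions=frozenset()):
    """Apply steps 3 and 4 to one fetched target record; return (status, oim_user).

    provisioned: dict of target __UID__ -> {"oim_user": login, <attributes>}
    oim_users:   set of OIM User Logins
    exclusions:  user IDs from the resource exclusion list (Section 1.4.8)
    Assumption (illustration only): the reconciliation rule matches the target
    UserLoginId to the OIM User Login; the real rule is defined in Section 3.1.3.
    """
    uid, login = record["__UID__"], record["UserLoginId"]
    if login in exclusions:
        return "Excluded", None          # excluded accounts are not reconciled at all
    attrs = {k: v for k, v in record.items() if k not in NOT_RECONCILED}
    if uid in provisioned:
        # Step 4, first case: the record matches a resource already provisioned
        # to an OIM User, so that user's resource is updated with the changes.
        provisioned[uid].update(attrs)
        return "Updated", provisioned[uid]["oim_user"]
    if login in oim_users:
        # Step 4, second case: no resource match, but an OIM User matches, so
        # the record is used to provision (link) a resource for that user.
        provisioned[uid] = {"oim_user": login, **attrs}
        return "Linked", login
    return NO_MATCH_FOUND, None          # neither matched: event stays No Match Found


def run_reconciliation(records, provisioned, oim_users, exclusions=frozenset()):
    """Step 2: process every fetched record; returns {UserLoginId: status}."""
    return {r["UserLoginId"]: reconcile_record(r, provisioned, oim_users, exclusions)[0]
            for r in records}


# Constructed sample data for a stand-alone run.
SAMPLE_PROVISIONED = {"1-AAA": {"oim_user": "JDOE", "FirstName": "Jon", "Status": "Active"}}
SAMPLE_OIM_USERS = {"JDOE", "ASMITH"}
SAMPLE_RECORDS = [
    {"__UID__": "1-AAA", "UserLoginId": "JDOE", "FirstName": "John", "__PASSWORD__": "secret"},
    {"__UID__": "1-BBB", "UserLoginId": "ASMITH", "FirstName": "Ann"},
    {"__UID__": "1-CCC", "UserLoginId": "UNKNOWN", "FirstName": "Nobody"},
    {"__UID__": "1-DDD", "UserLoginId": "SVC_INTEGRATION", "FirstName": "Svc"},
]

if __name__ == "__main__":
    for login, status in run_reconciliation(SAMPLE_RECORDS, SAMPLE_PROVISIONED,
                                            SAMPLE_OIM_USERS, {"SVC_INTEGRATION"}).items():
        print(f"{login}: {status}")
```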

1.3.2 Provisioning Process

See Also:

Oracle Fusion Middleware User's Guide for Oracle Identity Manager for conceptual information about provisioning

Provisioning involves creating and managing user accounts. When you allocate (or provision) an Oracle CRM On Demand resource to an OIM User, the operation results in the creation of an account on the target system for that user. Similarly, when you update the resource on Oracle Identity Manager, the same update is made to the account on the target system.

Provisioning is a two-step process. In the first step, the create user task is triggered. If the create user task is completed successfully, then the second step is initiated. In the second step, the password update task is triggered.

During provisioning operations, adapters carry provisioning data submitted through the process form to the connector, which in turn submits the provisioning data to the target system. The user account maintenance commands accept provisioning data from the adapters, carry out the required operation on the target system, and return the response from the target system to the adapters. The adapters return the response to Oracle Identity Manager.

The provisioning process can be started through one of the following events:

  • Direct provisioning

    The Oracle Identity Manager administrator uses the Administrative and User Console to create a target system account for a user.

  • Provisioning triggered by access policy changes

    An access policy related to accounts on the target system is modified. When an access policy is modified, it is reevaluated for all users to which it applies.

  • Request-based provisioning

    In request-based provisioning, an individual creates a request for a target system account. The provisioning process is completed when an OIM User with the required privileges approves the request and provisions the target system account to the requester.

1.3.3 Provisioning Functions

Table 1-2 lists the provisioning functions that are supported by the connector. The Adapter column gives the name of the adapter that is used when the function is performed.

Table 1-2 Provisioning Functions

Function                       Adapter
Create User                    CRMODCreateUser
Delete User                    CRMODDisableUser
Disable User                   CRMODDisableUser
Enable User                    CRMODEnableUser
Alias Updated                  CRMODUpdateUser
Cell Phone Updated             CRMODUpdateUser
Department Updated             CRMODUpdateUser
Division Updated               CRMODUpdateUser
Email Updated                  CRMODUpdateUser
Employee Number Updated        CRMODUpdateUser
External Unique ID Updated     CRMODUpdateUser
First Name Updated             CRMODUpdateUser
Job Title Updated              CRMODUpdateUser
Language Updated               CRMODUpdateUser
Last Name Updated              CRMODUpdateUser
Middle Name Updated            CRMODUpdateUser
Password Updated               CRMODUpdateUser
Region Updated                 CRMODUpdateUser
Reports To Updated             CRMODUpdateUser
Role Updated                   CRMODUpdateUser
Work Phone Updated             CRMODUpdateUser

1.4 Features of the Connector

1.4.1 ICF Based Connector

The Identity Connector Framework (ICF) is a component that provides basic provisioning, reconciliation, and other functions that all Oracle Identity Manager connectors require.

The Oracle Identity Manager Connector for Oracle CRM On Demand is an ICF-based connector. The ICF uses classpath isolation, which allows the connector to co-exist with legacy versions of the connector.

For more information about the ICF and its advantages, see the "Understanding the Identity Connector Framework" chapter in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

1.4.2 Support for Target Resource Reconciliation

You can use the connector to configure the target system as a target resource of Oracle Identity Manager.

See Section 3.1, "Configuring Reconciliation" for more information.

1.4.3 Support for Both Full and Incremental Reconciliation

After you deploy the connector, you can perform full reconciliation to bring all existing user data from the target system to Oracle Identity Manager. After the first full reconciliation run, incremental reconciliation is automatically enabled from the next run of the user reconciliation.

You can perform a full reconciliation run at any time. See Section 3.1.1, "Full Reconciliation" for more information.

1.4.4 Support for Limited Reconciliation

You can set a reconciliation filter as the value of the Filter attribute of the scheduled jobs. This filter specifies the subset of newly added and modified target system records that must be reconciled.

See Section 3.1.2, "Limited Reconciliation" for more information.

1.4.5 Support for Adding Custom Attributes for Reconciliation and Provisioning

If you want to add custom attributes for reconciliation and provisioning, then perform the procedures described in Section 4.1, "Adding Custom Attributes for Target Resource Reconciliation" and Section 4.2, "Adding Custom Attributes for Provisioning."

1.4.6 Support for Transformation of Data

You can configure transformation of data that is brought into Oracle Identity Manager during reconciliation.

See Section 4.4, "Configuring Transformation of Data During User Reconciliation" for more information.

1.4.7 Support for Validation of Data

You can configure validation of data that is brought into Oracle Identity Manager during provisioning and reconciliation operations.

See Section 4.3, "Configuring Validation of Data During Reconciliation and Provisioning" for more information.

1.4.8 Support for Resource Exclusion Lists

You can specify a list of accounts that must be excluded from reconciliation and provisioning operations. Accounts whose user IDs you specify in the exclusion list are not affected by reconciliation and provisioning operations.

Section 4.5, "Configuring Resource Exclusion Lists" describes the procedure for adding entries to the lookup definitions that hold the exclusion lists.

1.5 User Attributes for Target Resource Reconciliation and Provisioning

Table 1-3 provides information about user attribute mappings for target resource reconciliation and provisioning.

Table 1-3 User Attributes for Target Resource Reconciliation and Provisioning

Process Form Field    Target System Field (User Schema)    Description
Alias                 Alias                                Alias of the user
Cell Phone            CellPhone                            Cell phone number of the user
Department            Department                           Department of the user
Division              Division                             Division of the user
Email                 EmailAddr                            Email ID of the user
Employee Number       EmployeeNumber                       Employee number of the user
First Name            FirstName                            First name of the user
Job Title             JobTitle                             Job title of the user
Last Name             LastName                             Last name of the user
Middle Name           MiddleName                           Middle name of the user
Password              __PASSWORD__                         User's password
                                                           Note: The Password field can only be updated. It cannot be reconciled.
Region                Region                               Region of the user
Return ID             __UID__                              UID of the user
Role[LOOKUP]          Role                                 User's role
User Login Id         UserLoginId                          User's login ID
Work Phone            PhoneNumber                          Phone number of the user

1.6 Roadmap for Deploying and Using the Connector

The following is the organization of information in the rest of this guide: