4 Extending the Functionality of the RSA Authentication Manager Connector
This chapter describes procedures that you can perform to extend the functionality of the connector for addressing your specific business requirements. This chapter discusses the following sections:
Note:
From Oracle Identity Manager Release 11.1.2 onward, lookup queries are not supported. For information on managing lookups by using the Form Designer in Identity System Administration, see Managing Lookups in Oracle Fusion Middleware Administering Oracle Identity Manager.
4.1 Determining Whether an Attribute Is an Identity Management Services or Authentication Manager Attribute
Some of the sections in this chapter describe procedures to map new attributes for reconciliation and provisioning. One of the steps of these procedures is to create an entry in the lookup definition that holds the mapping between target system and Oracle Identity Manager attributes. The Decode value of these lookup definitions contains a setting that requires you to specify whether the attribute is an Identity Management Services or Authentication Manager attribute.
To determine if an attribute is an Identity Management Services or Authentication Manager attribute:
4.2 Adding New User or Token Attributes for Reconciliation
You can add new user or token attributes for reconciliation. By default, the attributes listed in Table 1-5 and Table 1-7 are mapped for reconciliation between Oracle Identity Manager and the target system. If required, you can add new attributes (standard or custom) for reconciliation.
Note:
- This connector supports configuration of the preconfigured and custom attributes of RSA Authentication Manager for reconciliation.
- Only single-valued attributes can be mapped for reconciliation.
This information is divided across the following sections:
4.2.1 Adding New Attributes
To add a new attribute on the process form, perform the following procedure:
Note:
If you have already added an attribute for provisioning, then you need not repeat the steps performed here.
- Log in to the Oracle Identity Manager Design Console.
- Add the new attribute on the process form as follows:
  - Expand Development Tools, and double-click Form Designer.
  - If you want to add a user attribute, then search for and open the UD_AMUSER process form. If you want to add a token attribute, then search for and open the UD_AMTOKEN process form.
  - Click Create New Version, and then click Add.
  - Enter the details of the field. For example, if you are adding the EMAIL field, enter UD_AMUSER_EMAIL in the Name field, and then enter the other details such as Variable Type, Length, Field Label, and Field Type.
  - Click the Save icon, and then click Make Version Active. The following screenshot shows the new field added to the process form:
4.2.2 Adding Attributes to Reconciliation Fields
To add the new attribute to the list of reconciliation fields in the resource object, perform the following procedure:
4.2.3 Creating Reconciliation Field Mapping
To create a reconciliation field mapping for the new attribute in the process definition, perform the following procedure:
4.2.4 Creating Entries in Lookup Definitions
To create an entry for the field in the lookup definition that holds attribute mappings for reconciliation, perform the following procedure:
4.2.5 Performing Changes in a New UI Form
You must replicate all changes made to the Form Designer of the Design Console in a new UI form.
- Log in to Oracle Identity System Administration.
- Create and activate a sandbox. See Creating a Sandbox and Activating and Deactivating a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.
- Create a new UI form to view the newly added field along with the rest of the fields. See Creating Forms By Using the Form Designer in Oracle Fusion Middleware Administering Oracle Identity Manager.
- Associate the newly created UI form with the application instance of your target system. To do so, open the existing application instance for your resource, from the Form field, select the form, and then save the application instance.
- Publish the sandbox. See Publishing a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.
4.3 Adding New User or Token Attributes for Provisioning
You can add new user or token attributes for provisioning. By default, the attributes listed in Table 1-10 and Table 1-11 are mapped for provisioning between Oracle Identity Manager and the target system. If required, you can map additional attributes for provisioning.
Note:
Only single-valued attributes can be mapped for provisioning.
This information is divided across the following sections:
4.3.1 Adding New Attributes
To add a new attribute on the process form, perform the following procedure:
Note:
If you have already added an attribute for reconciliation, then you need not repeat the steps performed here.
- Log in to the Oracle Identity Manager Design Console.
- Add the new attribute on the process form as follows:
  - Expand Development Tools, and double-click Form Designer.
  - If you want to add a user attribute, then search for and open the UD_AMUSER process form. If you want to add a token attribute, then search for and open the UD_AMTOKEN process form.
  - Click Create New Version, and then click Add.
  - Enter the details of the attribute. For example, if you are adding the EMAIL field, enter UD_AMUSER_EMAIL in the Name field, and then enter the rest of the details of this field.
  - Click the Save icon, and then click Make Version Active. The following screenshot shows the new field added to the process form:
4.3.2 Creating Entries in Lookup Definitions
To create an entry for the attribute in the lookup definition that holds attribute mappings for provisioning, perform the following procedure:
4.3.3 Creating a Task to Enable Update
Create a task to enable update of the attribute during provisioning operations.
If you do not perform this procedure, then you will not be able to modify the value of the attribute after you set a value for it during the Create User provisioning operation.
To enable the update of the attribute during provisioning operations, add a process task for updating the attribute:
4.3.4 Performing Changes in a New UI Form
To perform all changes made to the Form Designer of the Design Console in a new UI form, perform the following procedure:
- Log in to Oracle Identity System Administration.
- Create and activate a sandbox. See Creating and Activating a Sandbox for more information.
- Create a new UI form to view the newly added field along with the rest of the fields. See Creating a New UI Form for more information about creating a UI form.
- Associate the newly created UI form with the application instance of your target system. To do so, open the existing application instance for your resource, from the Form field, select the form that you created in the previous step, and then save the application instance.
- Publish the sandbox. See Publishing a Sandbox for more information.
4.4 Configuring Validation of Data During Reconciliation and Provisioning
You can configure validation of reconciled and provisioned single-valued data according to your requirements. For example, you can validate data fetched from the First Name attribute to ensure that it does not contain the number sign (#). In addition, you can validate data entered in the First Name field on the process form so that the number sign (#) is not sent to the target system during provisioning operations.
To configure validation of data:
- Write code that implements the required validation logic in a Java class.
  The following sample validation class checks whether the value in the First Name attribute contains the number sign (#). A missing value is treated as valid (whether the field is required is enforced on the form, not here), so the class does not fail with a NullPointerException when the attribute is absent from the event:

package org.identityconnectors.rsaam.extension;

import java.util.HashMap;

public class RSAAMValidator {
    public boolean validate(HashMap hmUserDetails, HashMap hmEntitlementDetails, String field) {
        /*
         * You must write code to validate attributes. Parent
         * data values can be fetched by using hmUserDetails.get(field).
         * For child data values, loop through the
         * ArrayList/Vector fetched by hmEntitlementDetails.get("Child Table").
         * Depending on the outcome of the validation operation,
         * the code must return true or false.
         */
        /*
         * In this sample code, the value "false" is returned if the field
         * contains the number sign (#). Otherwise, the value "true" is
         * returned.
         */
        boolean valid = true;
        String sFirstName = (String) hmUserDetails.get(field);
        if (sFirstName == null) {
            // Nothing to validate: the attribute is not present in this event.
            return valid;
        }
        for (int i = 0; i < sFirstName.length(); i++) {
            if (sFirstName.charAt(i) == '#') {
                valid = false;
                break;
            }
        }
        return valid;
    }
} /* End */
- Create a JAR file to hold the Java class.
- Run the Oracle Identity Manager Upload JARs utility to post the JAR file created in Step 2 to the Oracle Identity Manager database. This utility is copied into the following location when you install Oracle Identity Manager:
  For Microsoft Windows: OIM_HOME/server/bin/UploadJars.bat
  For UNIX: OIM_HOME/server/bin/UploadJars.sh
  Note:
  Before you use this utility, verify that the WL_HOME environment variable is set to the directory in which Oracle WebLogic Server is installed.
  When you run the utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, the URL of the Oracle Identity Manager host computer, the context factory value, the type of JAR file being uploaded, and the location from which the JAR file is to be uploaded. Specify 1 as the value of the JAR type.
  See Also:
  Upload JAR Utility in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager
- If you created the Java class for validating a process form field for reconciliation, then:
  - Log in to the Design Console.
  - Create a lookup definition named Lookup.RSAAM.UM.ReconValidation.
  - In the Code Key column, enter the resource object field name that you want to validate. For example, Firstname. In the Decode column, enter the class name. For example, org.identityconnectors.rsaam.extension.RSAAMValidator.
  - Save the changes to the lookup definition.
  - Search for and open the Lookup.RSAAM.UM.Configuration lookup definition.
  - In the Code Key column, enter Recon Validation Lookup. In the Decode column, enter Lookup.RSAAM.UM.ReconValidation.
  - Save the changes to the lookup definition.
- If you created the Java class for validating a process form field for provisioning, then:
  - Log in to the Design Console.
  - Create a lookup definition named Lookup.RSAAM.UM.ProvValidation.
  - In the Code Key column, enter the process form field label. For example, Firstname. In the Decode column, enter the class name. For example, org.identityconnectors.rsaam.extension.RSAAMValidator.
  - Save the changes to the lookup definition.
  - Search for and open the Lookup.RSAAM.UM.Configuration lookup definition.
  - In the Code Key column, enter Provisioning Validation Lookup. In the Decode column, enter Lookup.RSAAM.UM.ProvValidation.
  - Save the changes to the lookup definition.
- Purge the cache to get the changes reflected in Oracle Identity Manager. See Purging Cache in Oracle Fusion Middleware Administering Oracle Identity Manager.
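The sample class in this section rejects one character in one field. Because the Code Key of the Lookup.RSAAM.UM.ReconValidation or Lookup.RSAAM.UM.ProvValidation entry is passed to the class as the field argument, one validator class can carry the rules for several fields. The following class is an added illustration, not connector code and not part of the original document: it applies an allow-list regular expression per field (what a value may contain, rather than a list of forbidden characters), falls back to a conservative default for fields that have no explicit rule, fails closed on an unexpected value type, and treats an absent attribute as valid so that the reconciliation or provisioning task does not fail with a NullPointerException. The field names Firstname, Lastname, Email and User ID, the patterns, and the class name RSAAMAllowListValidator are assumptions chosen for the example; use the resource object field names or process form field labels actually present on your forms.

```java
package org.identityconnectors.rsaam.extension;

import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

/*
 * Added example (not connector code): an allow-list validator that can be
 * registered under Lookup.RSAAM.UM.ReconValidation and
 * Lookup.RSAAM.UM.ProvValidation for several fields at once. The Code Key
 * of the lookup entry arrives as the "field" argument. Field names and
 * patterns below are assumptions for the example.
 */
public class RSAAMAllowListValidator {

    // Per-field allow-lists: what a value MAY contain.
    private static final Map<String, Pattern> RULES = new HashMap<String, Pattern>();

    // Fallback for any field without an explicit rule: no control characters
    // and none of the characters that most often break downstream parsers.
    private static final Pattern DEFAULT_RULE =
            Pattern.compile("^[^\\p{Cntrl}#<>\"'\\\\;]{0,255}$");

    static {
        // Personal names: letters of any script, space, apostrophe, hyphen, period.
        RULES.put("Firstname", Pattern.compile("^\\p{L}[\\p{L} .'-]{0,63}$"));
        RULES.put("Lastname",  Pattern.compile("^\\p{L}[\\p{L} .'-]{0,63}$"));
        // One e-mail address; CR and LF cannot match, so header-style injection is excluded.
        RULES.put("Email",     Pattern.compile("^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,255}\\.[A-Za-z]{2,}$"));
        // Login names: lower-case alphanumerics and a few separators, bounded length.
        RULES.put("User ID",   Pattern.compile("^[a-z0-9._-]{1,64}$"));
    }

    // Same signature as the connector's validation hook.
    public boolean validate(HashMap hmUserDetails, HashMap hmEntitlementDetails, String field) {
        Object raw = hmUserDetails.get(field);
        if (raw == null) {
            // Absent attribute: nothing to validate. Whether the field is
            // required is a form-level rule, not a content rule.
            return true;
        }
        if (!(raw instanceof String)) {
            // Unexpected type: fail closed rather than guess.
            return false;
        }
        Pattern rule = RULES.get(field);
        if (rule == null) {
            rule = DEFAULT_RULE;
        }
        // matches() requires the whole value to match, so trailing junk is rejected.
        return rule.matcher((String) raw).matches();
    }

    // Offline check with constructed sample values (not real data).
    public static void main(String[] args) {
        RSAAMAllowListValidator v = new RSAAMAllowListValidator();
        HashMap user = new HashMap();
        user.put("Firstname", "O'Brien");
        user.put("Email", "alice@example.com");
        user.put("User ID", "alice.obrien");
        user.put("Title", "Engineer\u0000");              // embedded NUL, field has no explicit rule
        HashMap bad = new HashMap();
        bad.put("Firstname", "Al#ce");                    // the number-sign case from the sample above
        bad.put("Email", "alice@example.com\r\nbcc: x");  // CRLF, header-injection style

        String[] fields = { "Firstname", "Email", "User ID", "Title", "Lastname" };
        for (String f : fields) {
            System.out.println("user." + f + " -> " + v.validate(user, null, f));
        }
        System.out.println("bad.Firstname -> " + v.validate(bad, null, "Firstname"));
        System.out.println("bad.Email -> " + v.validate(bad, null, "Email"));
    }
}
```

Register the class exactly as described for RSAAMValidator above: one lookup entry per field, each with this class name in the Decode column. Keep the rules as narrow as the target system allows; widening an allow-list later is cheap, but data that has already been provisioned under a loose rule is not.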
4.5 Configuring Transformation of Data During Reconciliation
Note:
This section describes an optional procedure. Perform this procedure only if you want to configure transformation of data during reconciliation.
You can configure the transformation of reconciled single-valued data according to your requirements. For example, you can append the domain name to the User ID.
To configure the transformation of data:
- Write code that implements the required transformation logic in a Java class.
  This transformation class must implement the transform method. The following sample transformation class builds the User ID attribute from the __NAME__ attribute of the target system. ConnectorException is the Identity Connector Framework exception (org.identityconnectors.framework.common.exceptions.ConnectorException); throwing it when __NAME__ is missing fails the reconciliation event instead of creating a User ID of null@example.com:

package oracle.iam.connectors.rsaam;

import java.util.HashMap;

import org.identityconnectors.framework.common.exceptions.ConnectorException;

public class RSAAMTransformation {
    public Object transform(HashMap hmUserDetails, HashMap hmEntitlementDetails, String sField)
            throws ConnectorException {
        /*
         * You must write code to transform the attributes.
         * Parent data attribute values can be fetched by using hmUserDetails.get("Field Name").
         * To fetch child data values, loop through the
         * ArrayList/Vector fetched by hmEntitlementDetails.get("Child Table").
         * Return the transformed attribute.
         */
        String sUserName = (String) hmUserDetails.get("__NAME__");
        if (sUserName == null) {
            // Stop the event rather than silently producing "null@example.com".
            throw new ConnectorException("__NAME__ attribute not available for " + sField);
        }
        return sUserName + "@example.com";
    }
}
- Create a JAR file to hold the Java class.
- Run the Oracle Identity Manager Upload JARs utility to post the JAR file created in Step 2 to the Oracle Identity Manager database. This utility is copied into the following location when you install Oracle Identity Manager:
  For Microsoft Windows: OIM_HOME/server/bin/UploadJars.bat
  For UNIX: OIM_HOME/server/bin/UploadJars.sh
  Note:
  Before you use this utility, verify that the WL_HOME environment variable is set to the directory in which Oracle WebLogic Server is installed.
  When you run the utility, you are prompted to enter the login credentials of the Oracle Identity Manager administrator, the URL of the Oracle Identity Manager host computer, the context factory value, the type of JAR file being uploaded, and the location from which the JAR file is to be uploaded. Specify 1 as the value of the JAR type.
  See Also:
  Upload JAR Utility in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager
- Create a new lookup definition named Lookup.RSAAM.UM.ReconTransformations and then add the following entry:
  - Log in to the Design Console.
  - Expand Administration, and then double-click Lookup Definition.
  - In the Code field, enter Lookup.RSAAM.UM.ReconTransformations as the name of the lookup definition.
  - Select the Lookup Type option.
  - On the Lookup Code Information tab, click Add.
  - In the Code Key column, enter the resource object field name on which you want to apply the transformation. For example: User ID.
  - In the Decode column, enter the name of the class file. For example: oracle.iam.connectors.rsaam.RSAAMTransformation.
  - Save the lookup definition.
- Purge the cache to get the changes reflected in Oracle Identity Manager. See Purging Cache in Oracle Fusion Middleware Administering Oracle Identity Manager.
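The sample transformation in this section appends a fixed domain to whatever __NAME__ contains. In practice the value that reaches the User ID field should also be normalized, because a User ID built from raw target data can carry leading or trailing spaces, mixed case, accented letters or characters that other systems reject, and two distinct source names can then collide once downstream systems fold them. The following class is an added illustration, not connector code and not part of the original document: it trims and case-folds __NAME__, strips accents with Unicode NFKD decomposition, keeps only a small safe character set, maps spaces to periods, bounds the length, and throws ConnectorException when no usable characters remain. The domain suffix example.com, the 64-character limit, the character policy and the class name RSAAMUserIdTransformation are assumptions for the example.

```java
package oracle.iam.connectors.rsaam;

import java.text.Normalizer;
import java.util.HashMap;
import java.util.Locale;

import org.identityconnectors.framework.common.exceptions.ConnectorException;

/*
 * Added example (not connector code): derives a normalized User ID from the
 * target system's __NAME__ attribute. Register it in
 * Lookup.RSAAM.UM.ReconTransformations exactly like RSAAMTransformation.
 * Domain suffix, length bound and character policy are assumptions.
 */
public class RSAAMUserIdTransformation {

    private static final String DOMAIN = "example.com";
    private static final int MAX_LOCAL_PART = 64;

    public Object transform(HashMap hmUserDetails, HashMap hmEntitlementDetails, String sField)
            throws ConnectorException {
        Object raw = hmUserDetails.get("__NAME__");
        if (raw == null) {
            // A missing source value must stop the event, not create a bogus identity.
            throw new ConnectorException("__NAME__ is missing; cannot derive " + sField);
        }
        String local = normalize(raw.toString());
        if (local.isEmpty()) {
            throw new ConnectorException("__NAME__ '" + raw + "' has no usable characters for " + sField);
        }
        return local + "@" + DOMAIN;
    }

    // Trim, fold accents to their base letters, lower-case, keep only
    // [a-z0-9._-], turn spaces into periods, and bound the length.
    static String normalize(String s) {
        // NFKD splits "é" into "e" + combining accent; \p{M} then removes the accent.
        // Letters with no decomposition (for example ø or ß) are dropped below,
        // so extend this mapping if your user population needs them.
        String folded = Normalizer.normalize(s.trim(), Normalizer.Form.NFKD)
                .replaceAll("\\p{M}+", "");
        StringBuilder sb = new StringBuilder();
        for (char c : folded.toLowerCase(Locale.ROOT).toCharArray()) {
            if ((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9')
                    || c == '.' || c == '_' || c == '-') {
                sb.append(c);
            } else if (c == ' ') {
                sb.append('.');   // "Jane Doe" becomes "jane.doe"
            }
            // every other character is discarded
        }
        String out = sb.toString();
        return out.length() > MAX_LOCAL_PART ? out.substring(0, MAX_LOCAL_PART) : out;
    }

    // Offline check with constructed sample names (not real data).
    public static void main(String[] args) {
        RSAAMUserIdTransformation t = new RSAAMUserIdTransformation();
        String[] samples = { " Zoë Müller ", "Jane Doe", "Ørsted", "   " };
        for (String name : samples) {
            HashMap user = new HashMap();
            user.put("__NAME__", name);
            try {
                System.out.println("'" + name + "' -> " + t.transform(user, null, "User ID"));
            } catch (ConnectorException e) {
                System.out.println("'" + name + "' -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Because the transformation runs before the reconciliation validation configured in Lookup.RSAAM.UM.ReconValidation sees the value, keep the two policies consistent: the character set this class emits should be a subset of what the validator for User ID accepts, otherwise events are rejected after the transformation rather than before it.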