1 About the RSA Authentication Manager Connector

This chapter introduces the RSA Authentication Manager connector.

1.1 Introduction to RSA Authentication Manager Connector

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with external, identity-aware applications. This guide discusses the connector that enables you to use RSA Authentication Manager as a managed (target) resource of Oracle Identity Manager.

Note:

At some places in this guide, RSA Authentication Manager has been referred to as the target system.

In the account management (target resource) mode of the connector, information about users created or modified directly on the target system can be reconciled into Oracle Identity Manager. In addition, you can use Oracle Identity Manager to perform provisioning operations on the target system.

1.2 Certified Components

Table 1-1 lists the certified components for the target system.

Table 1-1 Certified Components

Item Requirement

Oracle Identity Governance or Oracle Identity Manager

You can use one of the following releases of Oracle Identity Manager:

  • Oracle Identity Governance 12c (12.2.1.4.0)

  • Oracle Identity Governance 12c (12.2.1.3.0)

  • Oracle Identity Manager 11g Release 2 PS3 (11.1.2.3.0)

  • Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0) and any later BP in this release track

  • Oracle Identity Manager 11g Release 2 PS1 (11.1.2.1.0) and any later BP in this release track

  • Oracle Identity Manager 11g Release 2 (11.1.2.0.0) and any later BP in this release track

Target System

You can use one of the following supported versions of the target system:

  • RSA Authentication Manager 8.0 or later

Connector Server

11.1.2.1.0

Connector Server JDK

JDK 1.6 or later

1.3 Usage Recommendation

Depending on the Oracle Identity Manager version that you are using, you must deploy and use one of the following connectors:

  • If you are using an Oracle Identity Manager release that is earlier than Oracle Identity Manager 11g Release 2 (11.1.2.0.0), then you must use the 9.1.0.x version of this connector. However, if you are using RSA Authentication Manager 6.0, or 6.1, or 6.1.2, then you must use the 9.0.4.x version of this connector.

  • If you are using Oracle Identity Manager 11g Release 2 or later, then you must use the 11.1.1.x version of this connector. However, if you are using RSA Authentication Manager 7.1 with SP3 or later, then use the 9.1.0.x version of this connector.

1.4 Certified Languages

The connector supports the following languages:

  • Arabic

  • Chinese (Simplified)

  • Chinese (Traditional)

  • Czech

  • Danish

  • Dutch

  • English (UK)

  • English (US)

  • Finnish

  • French

  • German

  • Greek

  • Hebrew

  • Hungarian

  • Italian

  • Japanese

  • Korean

  • Norwegian

  • Polish

  • Portuguese

  • Portuguese (Brazilian)

  • Romanian

  • Russian

  • Slovak

  • Spanish

  • Swedish

  • Thai

  • Turkish

1.5 Connector Architecture

Figure 1-1 shows the architecture of the connector.

Figure 1-1 Connector Architecture


The RSA Authentication Manager connector is implemented by using the Identity Connector Framework (ICF). The ICF is a component that provides basic reconciliation and provisioning operations that are common to all Oracle Identity Manager connectors. In addition, ICF provides common features that developers would otherwise need to implement on their own, such as connection pooling, buffering, timeouts, and filtering. The ICF is shipped along with Oracle Identity Manager. Therefore, you need not configure or modify the ICF.

This connector is used to manage users and tokens on RSA Authentication Manager through Oracle Identity Manager. This connector integrates Oracle Identity Manager with the target system with the help of a Java API.

The target system can be configured to run in the Account Management mode. Account management is also known as target resource management. In this mode, the target system is used as a target resource and the connector enables the following operations:

  • Provisioning:

    Provisioning involves creating, updating, or deleting users and tokens on the target system through Oracle Identity Manager. The connector makes use of the Java API to connect to the RSA AM Server, and in turn provision accounts and tokens.

    Token provisioning operations are performed in the same manner. A separate set of Oracle Identity Manager adapters is used during token provisioning operations.

    During user provisioning, data received in the create/update operation will be passed to the target system APIs. RSA APIs accept provisioning data, carry out the required operation on the target system, and then return the response from the target system back to the connector. The connector will return the response to Oracle Identity Manager.

  • Target source reconciliation:

    During reconciliation, the connector fetches data (using scheduled jobs) about users created or modified directly on the target system into Oracle Identity Manager. This data is used to add or modify resources allocated to OIM Users.

    Similarly, during reconciliation, the RSA APIs will accept the search criteria, including filters, and return the records to the connector. The connector supports searching for users, tokens, roles, groups, identity sources, security domains and RADIUS profiles on the target.

1.6 Lookup Definitions Used During Reconciliation and Provisioning

Lookup definitions used during reconciliation and provisioning can either be synchronized with the target system or preconfigured. The following sections describe both kinds.

1.6.1 About Lookup Field Synchronization

During a provisioning operation, you use a lookup field on the process form to specify a single value from a set of values. For example, you use the Identity Source lookup field to select an identity source during a provisioning operation performed through the Administrative and User Console. When you deploy the connector, lookup definitions corresponding to the lookup fields on the target system are automatically created in Oracle Identity Manager. Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager.

1.6.2 Lookup Definitions Synchronized with the Target System

The following lookup definitions are populated with values fetched from the target system by the scheduled jobs for lookup field synchronization:

1.6.2.1 Lookup.RSAAM.UserGroup

The Lookup.RSAAM.UserGroup lookup definition holds details of user groups defined on RSA Authentication Manager. You populate this lookup definition through lookup field synchronization performed using the RSAAM UserGroup Lookup Reconciliation scheduled job.

The following is the format of entries in this lookup definition:

  • Code Key: IT_RESOURCE_KEY~GROUP_GUID

    In this format:

    • IT_RESOURCE_KEY is the key assigned to the IT resource on Oracle Identity Manager.

    • GROUP_GUID is the GUID of the group on the target system.

  • Decode: IT_RESOURCE_NAME~IDENTITY_SOURCE_NAME~SECURITY_DOMAIN_NAME~GROUP_NAME

    In this format:

    • IT_RESOURCE_NAME is the name assigned to the IT resource on Oracle Identity Manager.

    • IDENTITY_SOURCE_NAME is the name of the identity source on the target system.

    • SECURITY_DOMAIN_NAME is the name of the security domain on the target system.

    • GROUP_NAME is the name of the group on the target system.

The following table shows sample entries in this lookup definition:

Code Key                                   Decode
41~ims.898afd743afcb10a1b20d2688a0b14be    RSA Server Instance~Internal Database~SecDom1a~Group1
41~ims.2820d78e3afcb10a1bc9883fa4aedc51    RSA Server Instance~Internal Database~SystemDomain~Group3
41~ims.3139e7eb3afcb10a1bc8f2e9afd7a77e    RSA Server Instance~Internal Database~SystemDomain~Group2

1.6.2.2 Lookup.RSAAM.IdentitySource

In RSA Authentication Manager, an identity source can be the default internal database, an LDAP-based solution, or a database. The Lookup.RSAAM.IdentitySource lookup definition holds details of the identity sources configured for your target system installation. You populate this lookup definition through lookup field synchronization performed using the RSAAM IdentitySource Lookup Reconciliation scheduled job.

The following is the format of entries in this lookup definition:

  • Code Key: IT_RESOURCE_KEY~IDENTITY_SOURCE_GUID

    In this format:

    • IT_RESOURCE_KEY is the key assigned to the IT resource on Oracle Identity Manager.

    • IDENTITY_SOURCE_GUID is the GUID of the identity source on the target system.

  • Decode: IT_RESOURCE_NAME~IDENTITY_SOURCE_NAME

    In this format:

    • IT_RESOURCE_NAME is the name assigned to the IT resource on Oracle Identity Manager.

    • IDENTITY_SOURCE_NAME is the name of the identity source on the target system.

The following table shows sample entries in this lookup definition:

Code Key                                   Decode
1~ims.000000000000000000001000d0011000     RSA Server Instance~Internal Database

1.6.2.3 Lookup.RSAAM.SecurityDomain

In the RSA Authentication Manager context, security domains represent the internal business units, such as departments, of the organization. These security domains are organized in a hierarchy.

The Lookup.RSAAM.SecurityDomain lookup definition stores the GUID and name of these security domains. You populate this lookup definition through lookup field synchronization performed using the RSAAM SecurityDomain Lookup Reconciliation scheduled job.

The following is the format of entries in this lookup definition:

  • Code Key: IT_RESOURCE_KEY~SECURITY_DOMAIN_GUID

    In this format:

    • IT_RESOURCE_KEY is the key assigned to the IT resource on Oracle Identity Manager.

    • SECURITY_DOMAIN_GUID is the GUID of the security domain on the target system.

  • Decode: IT_RESOURCE_NAME~SECURITY_DOMAIN_NAME

    In this format:

    • IT_RESOURCE_NAME is the name assigned to the IT resource on Oracle Identity Manager.

    • SECURITY_DOMAIN_NAME is the name of the security domain on the target system.

The following table shows sample entries in this lookup definition:

Code Key                                   Decode
1~ims.000000000000000000001000e0011000     RSA Server Instance~SystemDomain
1~ims.6de7d3c19e3714ac017cfd3c69eec20e     RSA Server Instance~Domain1
1~ims.6e3dc8939e3714ac02019a05130a8285     RSA Server Instance~Domain2

1.6.2.4 Lookup.RSAAM.AdminRole

On RSA Authentication Manager, an administrative role is a collection of permissions that can be assigned to an administrator. It determines the level of control the administrator has over users, user groups, and other entities. You populate this lookup definition through lookup field synchronization performed using the RSAAM AdminRole Lookup Reconciliation scheduled job.

The Lookup.RSAAM.AdminRole lookup definition stores details of administrative roles. The following is the format of entries in this lookup definition:

  • Code Key: IT_RESOURCE_KEY~ROLE_GUID

    In this format:

    • IT_RESOURCE_KEY is the key assigned to the IT resource on Oracle Identity Manager.

    • ROLE_GUID is the GUID of the role on the target system.

  • Decode: IT_RESOURCE_NAME~SECURITY_DOMAIN_NAME~ROLE_NAME

    In this format:

    • IT_RESOURCE_NAME is the name assigned to the IT resource on Oracle Identity Manager.

    • SECURITY_DOMAIN_NAME is the name of the security domain on the target system.

    • ROLE_NAME is the name of the role on the target system.

The following table shows sample entries in this lookup definition:

Code Key                                   Decode
41~ims.000000000000000000002000f0035001    RSA Server Instance~SystemDomain~Auth Mgr Root Domain Admin
41~ims.000000000000000000001000e0031001    RSA Server Instance~SystemDomain~TrustedRealmAdminRole

1.6.2.5 Lookup.RSAAM.TokenSerial

On RSA Authentication Manager, a token serial is a unique identification number provided for every token. You populate this lookup definition through lookup field synchronization performed using the RSAAM TokenSerial Lookup Reconciliation scheduled job.

The Lookup.RSAAM.TokenSerial lookup definition stores details of token serials. The following is the format of entries in this lookup definition:

  • Code Key: IT_RESOURCE_KEY~TOKEN_SERIAL_NUMBER

    In this format:

    • IT_RESOURCE_KEY is the key assigned to the IT resource on Oracle Identity Manager.

    • TOKEN_SERIAL_NUMBER is the number assigned to the token on the target system.

  • Decode: IT_RESOURCE_NAME~SECURITY_DOMAIN_NAME~TOKEN_SERIAL_NUMBER

    In this format:

    • IT_RESOURCE_NAME is the name assigned to the IT resource on Oracle Identity Manager.

    • SECURITY_DOMAIN_NAME is the name of the security domain on the target system.

    • TOKEN_SERIAL_NUMBER is the number assigned to the token on the target system.

The following table shows sample entries in this lookup definition:

Code Key           Decode
41~000221996071    RSA Server Instance~SecDom2a~000221996071
41~000221996081    RSA Server Instance~SystemDomain~000221996081

1.6.2.6 Lookup.RSAAM.RadiusProfile

On RSA Authentication Manager, a RADIUS profile is a collection of attributes that specify session requirements for a user's authentication using RADIUS. These attributes are contained in a checklist or a return list. You populate this lookup definition through lookup field synchronization performed using the RSAAM RadiusProfile Lookup Reconciliation scheduled job.

The Lookup.RSAAM.RadiusProfile lookup definition stores details of radius profiles. The following is the format of entries in this lookup definition:

  • Code Key: IT_RESOURCE_KEY~RADIUS_PROFILE_GUID

    In this format:

    • IT_RESOURCE_KEY is the key assigned to the IT resource on Oracle Identity Manager.

    • RADIUS_PROFILE_GUID is the GUID of the radius profile on the target system.

  • Decode: IT_RESOURCE_NAME~SECURITY_DOMAIN_NAME~RADIUS_PROFILE_NAME

    In this format:

    • IT_RESOURCE_NAME is the name assigned to the IT resource on Oracle Identity Manager.

    • SECURITY_DOMAIN_NAME is the name of the security domain on the target system.

    • RADIUS_PROFILE_NAME is the name of the profile on the target system.

The following table shows sample entries in this lookup definition:

Code Key                                   Decode
41~ims.a0f646313afcb10a1ba80b1af3204720    RSA Server Instance~SystemDomain~RAD_PROF2
41~ims.6b630bf63afcb10a1bc062fe04d92672    RSA Server Instance~SystemDomain~RAD_PROF1
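
The six synchronized lookup definitions above all share one shape: a Code Key of IT_RESOURCE_KEY~ID and a Decode of IT_RESOURCE_NAME followed by one or more '~'-separated names. The following is an added example (not code from the connector or from this guide) that parses rows of any of these lookup definitions, checks them against the documented field layout, and flags rows that carry a malformed identifier or belong to a different IT resource than expected, which is a useful check when reviewing what lookup field synchronization has written into Oracle Identity Manager. The GUID shape ("ims." plus 32 hex digits) and the 12-digit token serial are assumptions inferred from the sample rows; the sample rows themselves are taken from the tables above, with one constructed malformed row added.

```python
# Added example (not from the connector or the Oracle documentation): parse and
# sanity-check rows of the synchronized Lookup.RSAAM.* lookup definitions.
import re
from dataclasses import dataclass, field

# Decode field names per lookup definition, taken from the formats documented above.
DECODE_FIELDS = {
    "Lookup.RSAAM.UserGroup": ("IT_RESOURCE_NAME", "IDENTITY_SOURCE_NAME",
                               "SECURITY_DOMAIN_NAME", "GROUP_NAME"),
    "Lookup.RSAAM.IdentitySource": ("IT_RESOURCE_NAME", "IDENTITY_SOURCE_NAME"),
    "Lookup.RSAAM.SecurityDomain": ("IT_RESOURCE_NAME", "SECURITY_DOMAIN_NAME"),
    "Lookup.RSAAM.AdminRole": ("IT_RESOURCE_NAME", "SECURITY_DOMAIN_NAME", "ROLE_NAME"),
    "Lookup.RSAAM.TokenSerial": ("IT_RESOURCE_NAME", "SECURITY_DOMAIN_NAME", "TOKEN_SERIAL_NUMBER"),
    "Lookup.RSAAM.RadiusProfile": ("IT_RESOURCE_NAME", "SECURITY_DOMAIN_NAME", "RADIUS_PROFILE_NAME"),
}

# Assumed identifier shapes, inferred from the sample rows: GUIDs look like
# "ims." followed by 32 hex digits, token serials are 12 decimal digits.
GUID_RE = re.compile(r"^ims\.[0-9a-f]{32}$")
SERIAL_RE = re.compile(r"^[0-9]{12}$")


@dataclass
class LookupEntry:
    lookup: str
    it_resource_key: int
    target_id: str                               # GUID or token serial from the Code Key
    fields: dict = field(default_factory=dict)   # Decode columns keyed by documented name


def parse_entry(lookup, code_key, decode):
    """Split one (Code Key, Decode) row into its documented parts, or raise ValueError."""
    if lookup not in DECODE_FIELDS:
        raise ValueError(f"unknown lookup definition {lookup!r}")
    key_part, sep, target_id = code_key.partition("~")
    if not sep or not key_part.strip().isdigit():
        raise ValueError(f"Code Key must be IT_RESOURCE_KEY~ID: {code_key!r}")
    target_id = target_id.strip()  # tolerate stray whitespace around the identifier
    id_re = SERIAL_RE if lookup == "Lookup.RSAAM.TokenSerial" else GUID_RE
    if not id_re.match(target_id):
        raise ValueError(f"unexpected target identifier {target_id!r}")
    names = DECODE_FIELDS[lookup]
    parts = decode.split("~")
    if len(parts) != len(names):
        raise ValueError(f"Decode must have {len(names)} '~'-separated parts: {decode!r}")
    fields = dict(zip(names, parts))
    if lookup == "Lookup.RSAAM.TokenSerial" and fields["TOKEN_SERIAL_NUMBER"] != target_id:
        raise ValueError(f"serial in Decode does not match Code Key: {decode!r}")
    return LookupEntry(lookup, int(key_part), target_id, fields)


def audit_lookup(lookup, rows, expected_it_resource):
    """Parse every row; report malformed rows and rows that name another IT resource.

    expected_it_resource is the (key, name) pair the rows should carry.
    Returns (well-formed entries, list of problem strings)."""
    exp_key, exp_name = expected_it_resource
    entries, problems = [], []
    for code_key, decode in rows:
        try:
            entry = parse_entry(lookup, code_key, decode)
        except ValueError as exc:
            problems.append(f"{code_key}: {exc}")
            continue
        if entry.it_resource_key != exp_key or entry.fields["IT_RESOURCE_NAME"] != exp_name:
            problems.append(f"{code_key}: belongs to IT resource "
                            f"{entry.it_resource_key}/{entry.fields['IT_RESOURCE_NAME']}, "
                            f"expected {exp_key}/{exp_name}")
        entries.append(entry)
    return entries, problems


# Sample rows from the tables above, plus one constructed malformed row (truncated GUID).
SAMPLE_USERGROUP = [
    ("41~ims.898afd743afcb10a1b20d2688a0b14be", "RSA Server Instance~Internal Database~SecDom1a~Group1"),
    ("41~ims.2820d78e3afcb10a1bc9883fa4aedc51", "RSA Server Instance~Internal Database~SystemDomain~Group3"),
    ("41~ims.3139e7eb3afcb10a1bc8f2e9afd7a77e", "RSA Server Instance~Internal Database~SystemDomain~Group2"),
    ("41~ims.deadbeef", "RSA Server Instance~Internal Database~SystemDomain~Group9"),  # constructed
]
SAMPLE_TOKENSERIAL = [
    ("41~000221996071", "RSA Server Instance~SecDom2a~000221996071"),
    ("41~000221996081", "RSA Server Instance~SystemDomain~000221996081"),
]

if __name__ == "__main__":
    for name, rows in (("Lookup.RSAAM.UserGroup", SAMPLE_USERGROUP),
                       ("Lookup.RSAAM.TokenSerial", SAMPLE_TOKENSERIAL)):
        entries, problems = audit_lookup(name, rows, (41, "RSA Server Instance"))
        print(name, len(entries), "entries OK;", len(problems), "problem(s)")
        for problem in problems:
            print("  ", problem)
```

Because the IT resource key is embedded in every Code Key, a row whose key or name does not match the IT resource you are auditing is the first thing to look for after a synchronization run against a renamed or recreated IT resource.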

1.6.3 Preconfigured Lookup Definitions

This section discusses the other lookup definitions that are created in Oracle Identity Manager when you deploy the connector. These lookup definitions are either prepopulated with values, or you must enter values in them manually after the connector is deployed. The other lookup definitions are as follows:

1.6.3.1 Lookup.RSAAM.Configuration

The Lookup.RSAAM.Configuration lookup definition holds connector configuration entries that are used during target resource reconciliation and provisioning operations.

Table 1-2 lists the default entries in this lookup definition.

Table 1-2 Entries in the Lookup.RSAAM.Configuration Lookup Definition

Code Key: Bundle Name
Decode: org.identityconnectors.rsaam
Description: This entry holds the name of the connector bundle package. Do not modify this entry.

Code Key: Bundle Version
Decode: 1.0.1115
Description: This entry holds the version of the connector bundle class. Do not modify this entry.

Code Key: Connector Name
Decode: org.identityconnectors.rsaam.RSAAMConnector
Description: This entry holds the name of the connector class. Do not modify this entry.

Code Key: User Configuration Lookup
Decode: Lookup.RSAAM.UM.Configuration
Description: This entry holds the name of the lookup definition that contains user-specific configuration properties. Do not modify this entry.

Code Key: defaultBatchSize
Decode: 1000
Description: This entry holds the number of records that must be included in each batch during batched reconciliation. This entry is used only when the Batch Size attribute of the user reconciliation scheduled jobs is either empty or set to 0. See Batched Reconciliation for more information about the Batch Size attribute.

Code Key: Token Configuration Lookup
Decode: Lookup.RSAAM.Token.Configuration
Description: This entry holds the name of the lookup definition that contains token-specific configuration properties. Do not modify this entry.

If the computers hosting Oracle Identity Manager and RSA Authentication Manager are in different time zones, configure the connector for this by following the procedure in Setting up the Lookup Definition for Different Time Zones.

1.6.3.2 Lookup.RSAAM.UM.Configuration

The Lookup.RSAAM.UM.Configuration lookup definition holds configuration entries that are specific to the user object type. This lookup definition is used during user management operations when your target system is configured as a target resource.

Table 1-3 lists the default entries in this lookup definition.

Table 1-3 Entries in the Lookup.RSAAM.UM.Configuration Lookup Definition

Code Key: Provisioning Attribute Map
Decode: Lookup.RSAAM.UM.ProvAttrMap
Description: This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup.RSAAM.UM.ProvAttrMap for more information about this lookup definition.

Code Key: Recon Attribute Map
Decode: Lookup.RSAAM.UM.ReconAttrMap
Description: This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.RSAAM.UM.ReconAttrMap for more information about this lookup definition.

1.6.3.3 Lookup.RSAAM.UM.ProvAttrMap

The Lookup.RSAAM.UM.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is used during provisioning. This lookup definition is preconfigured. Table 1-10 lists the default entries.

You can add entries in this lookup definition if you want to map new target system attributes for provisioning. See Adding New User or Token Attributes for Provisioning.

1.6.3.4 Lookup.RSAAM.UM.ReconAttrMap

The Lookup.RSAAM.UM.ReconAttrMap lookup definition holds mappings between resource object fields and target system attributes. This lookup definition is used during reconciliation. This lookup definition is preconfigured. Table 1-5 lists the default entries.

You can add entries in this lookup definition if you want to map new target system attributes for reconciliation. See Adding New User or Token Attributes for Reconciliation.

1.6.3.5 Lookup.RSAAM.Token.Configuration

The Lookup.RSAAM.Token.Configuration lookup definition holds configuration entries that are specific to the token object type. This lookup definition is used during token management operations when your target system is configured as a target resource.

Table 1-4 lists the default entries in this lookup definition.

Table 1-4 Entries in the Lookup.RSAAM.Token.Configuration Lookup Definition

Code Key: Provisioning Attribute Map
Decode: Lookup.RSAAM.Token.ProvAttrMap
Description: This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup.RSAAM.Token.ProvAttrMap for more information about this lookup.

Code Key: Recon Attribute Map
Decode: Lookup.RSAAM.Token.ReconAttrMap
Description: This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.RSAAM.Token.ReconAttrMap for more information about this lookup.

1.6.3.6 Lookup.RSAAM.Token.ProvAttrMap

The Lookup.RSAAM.Token.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is used during provisioning. This lookup definition is preconfigured. Table 1-11 lists the default entries.

You can add entries in this lookup definition if you want to map new target system attributes for provisioning. See Adding New User or Token Attributes for Provisioning.

1.6.3.7 Lookup.RSAAM.Token.ReconAttrMap

The Lookup.RSAAM.Token.ReconAttrMap lookup definition holds mappings between resource object fields and target system attributes. This lookup definition is used during reconciliation. This lookup definition is preconfigured. Table 1-7 lists the default entries.

You can add entries in this lookup definition if you want to map new target system attributes for reconciliation. See Adding New User or Token Attributes for Reconciliation.

1.6.3.8 Lookup.RSAAM.Hours

The Lookup.RSAAM.Hours lookup definition holds the list of configured hours. This is a static lookup definition. You cannot modify or add entries in this lookup definition.

1.6.3.9 Lookup.RSAAM.Minutes

The Lookup.RSAAM.Minutes lookup definition holds the list of configured minutes. This is a static lookup definition. You cannot modify or add entries in this lookup definition.

1.7 Connector Objects Used During Reconciliation

Target resource reconciliation involves fetching data about newly created or modified accounts on the target system and using this data to add or modify resources assigned to OIM Users.

The RSAAM User Target Reconciliation and RSAAM Token Target Reconciliation scheduled jobs are used to initiate a target resource reconciliation run. These scheduled jobs are discussed in Scheduled Jobs for Reconciliation of Token and User Records.

1.7.1 User Fields for Target Resource Reconciliation

The Lookup.RSAAM.UM.ReconAttrMap lookup definition maps resource object fields and target system attributes. This lookup definition is used for performing target resource user reconciliation runs.

In this lookup definition, entries are in the following format:

  • Code Key: Reconciliation field of the resource object

  • Decode: The value is in the following format:

    METHOD_NAME;PRINCIPAL_TYPE;ATTRIBUTE_TYPE;METHOD_RETURN_TYPE;DTO_ATTRIBUTE_NAME

In this format:

  • METHOD_NAME is the name of the method on the target system that fetches values from the attribute. This method belongs to one of the following classes:

    • com.rsa.admin.data.PrincipalDTO

    • com.rsa.authmgr.admin.principalmgt.data.AMPrincipalDTO

    The get or is prefix of the method name is not included in the Decode value.

  • PRINCIPAL_TYPE can be either IMS or AM depending on whether the attribute is an Identity Management Services attribute or an Authentication Manager attribute.

    See Also:

    Target system documentation for information about differences between Identity Management Services and Authentication Manager attributes

  • ATTRIBUTE_TYPE can be one of the following:

    • Replace ATTRIBUTE_TYPE with Core if the attribute is a standard RSA Authentication Manager attribute.

    • Replace ATTRIBUTE_TYPE with Extended if the attribute is a custom attribute.

  • METHOD_RETURN_TYPE is the data type of the value returned by the method. The return type is specified in the Javadocs for the API.

  • DTO_ATTRIBUTE_NAME is the name of the attribute in the PrincipalDTO or AMPrincipalDTO class.

Table 1-5 provides information about user attribute mappings for target resource reconciliation.

Table 1-5 Entries in the Lookup.RSAAM.UM.ReconAttrMap lookup definition

Code                            Decode
Account Expire Date[Date]       accountExpireDate;IMS;Core;Date;EXPIRATION_DATE
Account Expire Hours            AccountExpireHours
Account Expire Minutes          AccountExpireMinutes
Account Start Date[Date]        accountStartDate;IMS;Core;Date;START_DATE
Account Start Hours             AccountStartHours
Account Start Minutes           AccountStartMinutes
Certificate DN                  certificateDN;IMS;Core;String;CERT_DN
Clear Incorrect Passcodes       clearBadPasscodes;AM;Core;boolean
Clear Windows Password          clearWindowsLoginPassword;AM;Core;boolean
Default Shell                   defaultShell;AM;Core;String
First Name                      firstName;IMS;Core;String;FIRST_NAME
Fixed Passcode Allowed          staticPasswordSet;AM;Core;boolean
Groups~Group Name[LOOKUP]       UserGroup
Identity Source[LOOKUP]         identitySourceGuid;IMS;Core;String;IDENTITY_SRC_ID
Last Name                       lastName;IMS;Core;String;LAST_NAME
Middle Name                     middleName;IMS;Core;String;MIDDLE_NAME
Security Domain[LOOKUP]         securityDomainGuid;IMS;Core;String;OWNER_ID
Roles~Role Name[LOOKUP]         AdminRole
Radius Profile[LOOKUP]          radiusProfileGuid;AM;Core;String
Status                          _ENABLE_
User GUID                       _UID_
User ID                         _NAME_

1.7.2 Reconciliation Rule for User Target Resource Reconciliation

See Also:

Reconciliation Engine in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for generic information about reconciliation matching and action rules.

The following is the process-matching rule:

Rule name: RSA AuthManager UserRecon

Rule element: User Login Equals User ID where the User Login is the User ID field on the OIM User form and the User ID is the user ID (_NAME_) field of RSA Authentication Manager.

1.7.3 Viewing Reconciliation Rule for User Target Resource Reconciliation

After you have deployed the connector, you can view the reconciliation rule for target resource reconciliation by performing the following steps:

  1. Log in to the Oracle Identity Manager Design Console.
  2. Expand Development Tools.
  3. Double-click Reconciliation Rules.
  4. Search for RSA AuthManager UserRecon. Figure 1-2 shows the reconciliation rule for target resource reconciliation.

    Figure 1-2 Reconciliation Rule for Target Resource Reconciliation


1.7.4 Reconciliation Action Rules for User Target Resource Reconciliation

The action rules for target resource reconciliation are listed in Table 1-6.

Table 1-6 Action Rules for Target Resource Reconciliation

Rule Condition              Action
No Matches Found            Assign To Administrator With Least Load
One Entity Match Found      Establish Link
One Process Match Found     Establish Link

Note:

No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for the relevant topics.

1.7.5 Viewing Reconciliation Action Rules for User Target Resource Reconciliation

After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:

  1. Log in to the Oracle Identity Manager Design Console.
  2. Expand Resource Management.
  3. Double-click Resource Objects.
  4. Search for and open the RSA Auth Manager User resource object.
  5. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 1-3 shows the reconciliation action rule for target resource reconciliation.

    Figure 1-3 Reconciliation Action Rules for Target Resource Reconciliation


1.7.6 Token Fields for Target Resource Reconciliation

The Lookup.RSAAM.Token.ReconAttrMap lookup definition maps resource object fields and target system attributes. This lookup definition is used for performing target resource token reconciliation runs.

In this lookup definition, entries are in the following format:

  • Code Key: Reconciliation field of the resource object

  • Decode: The value is in the following format:

    METHOD_NAME;API_NAME;ATTRIBUTE_TYPE;METHOD_RETURN_TYPE;DTO_ATTRIBUTE_NAME

In this format:

  • METHOD_NAME is the name of the method on the target system that fetches values from the attribute. This method belongs to one of the following classes:

    • com.rsa.admin.data.ListTokenDTO

    • com.rsa.authmgr.admin.principalmgt.data.TokenDTO

    Note:

    If the field is present in both ListTokenDTO and TokenDTO, use the field from ListTokenDTO for better performance.

    The get or is prefix of the method name is not included in the Decode value.

  • API_NAME is either ListTokenDTO or TokenDTO.

  • ATTRIBUTE_TYPE can be one of the following:

    • Replace ATTRIBUTE_TYPE with Core if the attribute is a standard RSA Authentication Manager attribute.

    • Replace ATTRIBUTE_TYPE with Extended if the attribute is a custom attribute.

  • METHOD_RETURN_TYPE is the data type of the value fetched by the method. The return type is specified in the Javadocs for the API.

  • DTO_ATTRIBUTE_NAME is the name of the attribute in the ListTokenDTO or TokenDTO class.

Table 1-7 provides information about token attribute mappings for target resource reconciliation.

Table 1-7 Entries in the Lookup.RSAAM.Token.ReconAttrMap lookup definition

Code                            Decode
Notes                           notes;ListTokenDTO;Core;String
Status                          _ENABLE_
Token GUID                      _UID_
Token Lost                      tokenLost;ListTokenDTO;Core;boolean;tokenLost
Token Serial Number[LOOKUP]     _NAME_
User GUID                       principalId;TokenDTO;Core;String
User ID                         assignedUser;ListTokenDTO;Core;String;principalID
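
The Decode formats described in User Fields for Target Resource Reconciliation and Token Fields for Target Resource Reconciliation differ only in their second part (PRINCIPAL_TYPE for users, API_NAME for tokens), and both tables also contain entries that are not method references at all: the ICF special attributes _UID_, _NAME_ and _ENABLE_, child-table entries such as Groups~Group Name[LOOKUP] that decode to a lookup name, and single-word entries such as AccountExpireHours. The following is an added example (not code from the connector or from this guide) that parses rows from either lookup definition into a structured record, rejects rows whose PRINCIPAL_TYPE, API_NAME or ATTRIBUTE_TYPE is not one of the documented values, and reconstructs the accessor name the Decode abbreviates. The choice of the "is" prefix for boolean return types and "get" otherwise is an assumption of this example (the guide says only that the get or is prefix is omitted); the sample rows are taken from Table 1-5 and Table 1-7, with one constructed invalid row added.

```python
# Added example (not from the connector or the Oracle documentation): parse the
# Decode values of Lookup.RSAAM.UM.ReconAttrMap ("user") and
# Lookup.RSAAM.Token.ReconAttrMap ("token") into the DTO accessor they describe.
import re
from dataclasses import dataclass
from typing import Optional

# Second Decode part: PRINCIPAL_TYPE for users, API_NAME for tokens (formats documented above).
SECOND_FIELD = {
    "user": ("PRINCIPAL_TYPE", {"IMS", "AM"}),
    "token": ("API_NAME", {"ListTokenDTO", "TokenDTO"}),
}
ATTRIBUTE_TYPES = {"Core", "Extended"}
SPECIAL_DECODES = {"_UID_", "_NAME_", "_ENABLE_"}  # ICF special attributes, not DTO methods

# Code Key = field name, optionally "Child~Field", optionally suffixed with [Date] or [LOOKUP]
CODE_KEY_RE = re.compile(r"^(?P<name>[^\[]+?)(?:\[(?P<kind>Date|LOOKUP)\])?$")


@dataclass
class ReconMapping:
    recon_field: str               # reconciliation field without child prefix or suffix
    child_table: Optional[str]     # "Groups" for "Groups~Group Name", else None
    field_kind: Optional[str]      # "Date", "LOOKUP" or None
    special: Optional[str]         # _UID_ / _NAME_ / _ENABLE_, else None
    derived: Optional[str]         # single-part Decode such as "UserGroup", else None
    getter: Optional[str]          # accessor name the connector would call (assumed prefix rule)
    source: Optional[str]          # PRINCIPAL_TYPE or API_NAME value
    attribute_type: Optional[str]  # Core or Extended
    return_type: Optional[str]
    dto_attribute: Optional[str]   # fifth part, absent for some entries


def accessor_name(method, return_type):
    """The Decode drops the get/is prefix; assumption: 'is' for boolean, 'get' otherwise."""
    prefix = "is" if return_type == "boolean" else "get"
    return prefix + method[0].upper() + method[1:]


def parse_mapping(object_type, code_key, decode):
    """Parse one (Code Key, Decode) row; raise ValueError for rows that violate the format."""
    if object_type not in SECOND_FIELD:
        raise ValueError(f"object_type must be 'user' or 'token', got {object_type!r}")
    m = CODE_KEY_RE.match(code_key)
    if not m:
        raise ValueError(f"malformed Code Key {code_key!r}")
    name, kind = m.group("name"), m.group("kind")
    child, _, name = name.rpartition("~") if "~" in name else (None, "", name)
    base = dict(recon_field=name, child_table=child, field_kind=kind, special=None, derived=None,
                getter=None, source=None, attribute_type=None, return_type=None, dto_attribute=None)
    if decode in SPECIAL_DECODES:
        return ReconMapping(**{**base, "special": decode})
    parts = decode.split(";")
    if len(parts) == 1:
        return ReconMapping(**{**base, "derived": parts[0]})
    if len(parts) not in (4, 5):
        raise ValueError(f"Decode must have 4 or 5 ';'-separated parts: {decode!r}")
    method, second, attr_type, ret = parts[:4]
    label, allowed = SECOND_FIELD[object_type]
    if second not in allowed:
        raise ValueError(f"{label} must be one of {sorted(allowed)}: {decode!r}")
    if attr_type not in ATTRIBUTE_TYPES:
        raise ValueError(f"ATTRIBUTE_TYPE must be Core or Extended: {decode!r}")
    return ReconMapping(**{**base, "getter": accessor_name(method, ret), "source": second,
                           "attribute_type": attr_type, "return_type": ret,
                           "dto_attribute": parts[4] if len(parts) == 5 else None})


def audit_recon_map(object_type, rows):
    """Parse every row of a ReconAttrMap lookup; return (mappings, problem strings)."""
    mappings, problems = [], []
    for code_key, decode in rows:
        try:
            mappings.append(parse_mapping(object_type, code_key, decode))
        except ValueError as exc:
            problems.append(f"{code_key}: {exc}")
    return mappings, problems


# Rows from Table 1-5 and Table 1-7 above, plus one constructed row with a bad PRINCIPAL_TYPE.
USER_ROWS = [
    ("Account Expire Date[Date]", "accountExpireDate;IMS;Core;Date;EXPIRATION_DATE"),
    ("Clear Incorrect Passcodes", "clearBadPasscodes;AM;Core;boolean"),
    ("Groups~Group Name[LOOKUP]", "UserGroup"),
    ("Identity Source[LOOKUP]", "identitySourceGuid;IMS;Core;String;IDENTITY_SRC_ID"),
    ("User ID", "_NAME_"),
    ("Fixed Passcode Allowed", "staticPasswordSet;AMX;Core;boolean"),  # constructed: invalid
]
TOKEN_ROWS = [
    ("Token Lost", "tokenLost;ListTokenDTO;Core;boolean;tokenLost"),
    ("Token Serial Number[LOOKUP]", "_NAME_"),
    ("User ID", "assignedUser;ListTokenDTO;Core;String;principalID"),
]

if __name__ == "__main__":
    for kind, rows in (("user", USER_ROWS), ("token", TOKEN_ROWS)):
        mappings, problems = audit_recon_map(kind, rows)
        for mp in mappings:
            print(kind, mp.recon_field, "->", mp.special or mp.derived or mp.getter)
        for problem in problems:
            print(kind, "PROBLEM:", problem)
```

Running the audit after adding custom (Extended) attributes catches the usual mistakes before a scheduled job fails at run time: a misspelled PRINCIPAL_TYPE or API_NAME, a missing part, or a Code Key suffix the connector will not recognise.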

1.7.7 Reconciliation Rule for Token Target Resource Reconciliation

See Also:

Reconciliation Engine in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for generic information about reconciliation matching and action rules

The following is the process-matching rule:

Rule name: RSA AuthManager TokenRecon

Rule element: User Login Equals User ID where the User Login is the User ID field on the OIM User form and the User ID is the user ID (_NAME_) field of RSA Authentication Manager.

1.7.8 Viewing Reconciliation Rule for Token Target Resource Reconciliation

After you have deployed the connector, you can view the reconciliation rule for target resource reconciliation by performing the following steps:

  1. Log in to the Oracle Identity Manager Design Console.
  2. Expand Development Tools.
  3. Double-click Reconciliation Rules.
  4. Search for RSA AuthManager TokenRecon. Figure 1-4 shows the reconciliation rule for target resource reconciliation.

    Figure 1-4 Reconciliation Rule for Target Resource Reconciliation


1.7.9 Reconciliation Action Rules for Token Target Resource Reconciliation

Table 1-8 lists the action rules for target resource reconciliation.

Table 1-8 Action Rules for Target Resource Reconciliation

Rule Condition              Action
No Matches Found            Assign To Administrator With Least Load
One Entity Match Found      Establish Link
One Process Match Found     Establish Link

Note:

No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for the relevant topics.

1.7.10 Viewing Reconciliation Action Rules for Token Target Resource Reconciliation

After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:

  1. Log in to the Oracle Identity Manager Design Console.
  2. Expand Resource Management.
  3. Double-click Resource Objects.
  4. Search for and open the RSA Auth Manager Token resource object.
  5. Click the Object Reconciliation tab, and then click the Reconciliation Action Rules tab. The Reconciliation Action Rules tab displays the action rules defined for this connector. Figure 1-5 shows the reconciliation action rule for target resource reconciliation.

    Figure 1-5 Reconciliation Action Rules for Target Resource Reconciliation


1.8 Connector Objects Used During Provisioning

Provisioning involves creating or modifying user data on the target system through Oracle Identity Manager.

See Also:

Managing Provisioning Tasks in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for conceptual information about provisioning

This section discusses the following topics:

1.8.1 Provisioning Functions

The provisioning functions that are supported by the connector are listed in Table 1-9. The Adapter column gives the name of the adapter that is used when the function is performed.

Table 1-9 Provisioning Functions

Function               Adapter
Create User            adpRSAAMCREATEUSER
Update User            adpRSAAMUPDATEUSER
Delete User            adpRSAAMDELETEUSER
Enable User            adpRSAAMENABLEUSER
Disable User           adpRSAAMDISABLEUSER
Assign Token           adpRSAAMASSIGNTOKEN
Update Token           adpRSAAMUPDATETOKEN
Enable Token           adpRSAAMENABLETOKEN
Disable Token          adpRSAAMDISABLETOKEN
Unassign Token         adpRSAAMUNASSIGNTOKEN
Add Role               adpRSAAMADDROLE
Update Role            adpRSAAMUPDATEROLE
Remove Role            adpRSAAMREMOVEROLE
Add Group              adpRSAAMADDGROUP
Update Group           adpRSAAMUPDATEGROUP
Remove Group           adpRSAAMREMOVEGROUP
Prepopulate Adapter    adpRSAAMPREPOPULATEADAPTER
Multi Update           adpRSAAMMULTIUPDATE
Return Input Value     adpRSAAMRETURNINPUTVALUE

1.8.2 User Fields for Provisioning

The Lookup.RSAAM.UM.ProvAttrMap lookup definition maps process form fields with target system attributes. This lookup definition is used for performing user provisioning operations.

In this lookup definition, entries are in the following format:

  • Code Key: Name of the process form field

  • Decode: The value is in the following format:

    METHOD_NAME;PRINCIPAL_TYPE;ATTRIBUTE_TYPE;METHOD_INPUT_TYPE;DTO_ATTRIBUTE_NAME

In this format:

  • METHOD_NAME is the name of the method on the target system that sets the values for this attribute. This method belongs to one of the following classes:

    • com.rsa.admin.data.PrincipalDTO

    • com.rsa.authmgr.admin.principalmgt.data.AMPrincipalDTO

    The set prefix of the method name is not included in the Decode value.

  • PRINCIPAL_TYPE can be either IMS or AM depending on whether the attribute is an Identity Management Services attribute or an Authentication Manager attribute.

    See Also:

    Target system documentation for information about differences between Identity Management Services and Authentication Manager attributes

  • ATTRIBUTE_TYPE can be one of the following:

    • Replace ATTRIBUTE_TYPE with Core if the attribute is a standard RSA Authentication Manager attribute.

    • Replace ATTRIBUTE_TYPE with Extended if the attribute is a custom attribute.

  • METHOD_INPUT_TYPE is the data type of the value sent to the method. The input type is specified in the Javadocs for the API.

  • DTO_ATTRIBUTE_NAME is the name of the attribute in the PrincipalDTO or AMPrincipalDTO class.

Table 1-10 lists the user identity fields of the target system for which you can specify or modify values during provisioning operations.

Table 1-10 Entries in the Lookup.RSAAM.UM.ProvAttrMap lookup definition

Code                            Decode
Account Expire Date[Date]       accountExpireDate;IMS;Core;Date;EXPIRATION_DATE
Account Expire Hours            AccountExpireHours
Account Expire Minutes          AccountExpireMinutes
Account Start Hours             AccountStartHours
Account Start Minutes           AccountStartMinutes
Account Start Date[Date]        accountStartDate;IMS;Core;Date;START_DATE
Certificate DN                  certificateDN;IMS;Core;String;CERT_DN
Clear Incorrect Passcodes       clearBadPasscodes;AM;Core;boolean
Clear Windows Password          clearWindowsLoginPassword;AM;Core;boolean
Default Shell                   defaultShell;AM;Core;String
First Name                      firstName;IMS;Core;String;FIRST_NAME
Fixed Passcode                  staticPassword;AM;Core;String
Fixed Passcode Allowed          staticPasswordSet;AM;Core;boolean
Identity Source[LOOKUP]         identitySourceGuid;IMS;Core;String;IDENTITY_SRC_ID
Last Name                       lastName;IMS;Core;String;LAST_NAME
Middle Name                     middleName;IMS;Core;String;MIDDLE_NAME
Password                        _PASSWORD_
Radius Profile[LOOKUP]          radiusProfileGuid;AM;Core;String
Security Domain[LOOKUP]         securityDomainGuid;IMS;Core;String;OWNER_ID
UD_AMGROUP~GroupName[LOOKUP]    UserGroup
UD_AMROLE~RoleName[LOOKUP]      AdminRole
User GUID                       _UID_
User ID                         _NAME_

Note:

Clear Incorrect Passcodes and Clear Windows Password are one-time trigger actions that clear bad passcodes and the Windows password, respectively. Although they are submitted as part of provisioning, the target system does not store these values, so the change is not reflected on the target system and cannot be reconciled back into Oracle Identity Manager.

1.8.3 Token Fields for Provisioning

The Lookup.RSAAM.Token.ProvAttrMap lookup definition maps process form fields with target system attributes. This lookup definition is used for performing token provisioning operations.

In this lookup definition, entries are in the following format:

  • Code Key: Name of the process form field

  • Decode: The value is in the following format:

    METHOD_NAME;API_NAME;ATTRIBUTE_TYPE;METHOD_INPUT_TYPE;DTO_ATTRIBUTE_NAME

In this format:

  • METHOD_NAME is the name of the method on the target system that sets values for this attribute. This method belongs to the com.rsa.authmgr.admin.principalmgt.data.TokenDTO class.

    The set prefix of the method name is not included in the Decode value.

  • API_NAME is TokenDTO.

  • ATTRIBUTE_TYPE can be one of the following:

    • Replace ATTRIBUTE_TYPE with Core if the attribute is a standard RSA Authentication Manager attribute.

    • Replace ATTRIBUTE_TYPE with Extended if the attribute is a custom attribute.

  • METHOD_INPUT_TYPE is the data type of the value passed to the method. The input type is specified in the Javadocs for the API.

  • DTO_ATTRIBUTE_NAME is the name of the attribute in the TokenDTO class.

Table 1-11 lists the token fields of the target system for which you can specify or modify values during provisioning operations.

Table 1-11 Entries in the Lookup.RSAAM.Token.ProvAttrMap lookup definition

Code                           Decode
Notes                          notes;TokenDTO;Core;String
Pin                            _PASSWORD_
Token GUID                     _UID_
Token Lost                     tokenLost;TokenDTO;Core;Boloean
Token Serial Number[LOOKUP]    _NAME_
User GUID                      principalId;TokenDTO;Core;String
User ID                        assignedUser;ListTokenDTO;Core;String;principalId
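The following added example (not part of this guide or the connector's own code) parses the Decode format described in 1.8.2 and 1.8.3 into its fields, distinguishes the pseudo-attributes (_UID_, _NAME_, _PASSWORD_) and form-only fields from mapped DTO setters, reconstructs the setter name from METHOD_NAME, and rejects entries whose PRINCIPAL_TYPE, API_NAME or ATTRIBUTE_TYPE is not one of the values the guide allows. The sample entries are copied from Tables 1-10 and 1-11; the class and function names are the example's own.

```python
from dataclasses import dataclass
from typing import Optional

SPECIAL = {"_UID_", "_NAME_", "_PASSWORD_"}  # pseudo-attributes handled by the connector
PRINCIPAL_TYPES = {"IMS", "AM"}               # user map: Identity Mgmt Services / Auth Manager
ATTRIBUTE_TYPES = {"Core", "Extended"}        # standard vs custom attribute

@dataclass
class DecodeEntry:
    kind: str                         # "special", "form-only" or "mapped"
    method: Optional[str] = None      # METHOD_NAME without its "set" prefix
    scope: Optional[str] = None       # PRINCIPAL_TYPE (users) or API_NAME (tokens)
    attr_type: Optional[str] = None   # Core or Extended
    input_type: Optional[str] = None  # METHOD_INPUT_TYPE
    dto_attr: Optional[str] = None    # DTO_ATTRIBUTE_NAME, optional fifth field

    @property
    def setter(self) -> Optional[str]:
        # The DTO setter is "set" + METHOD_NAME with its first letter upper-cased
        if self.kind != "mapped":
            return None
        return "set" + self.method[0].upper() + self.method[1:]

def parse_decode(decode: str, token: bool = False) -> DecodeEntry:
    """Parse one Decode value; token=True applies the Token.ProvAttrMap rules."""
    decode = decode.strip()
    if decode in SPECIAL:
        return DecodeEntry(kind="special", method=decode)
    parts = decode.split(";")
    if len(parts) == 1:  # e.g. AccountExpireHours: form field with no target setter
        return DecodeEntry(kind="form-only", method=parts[0])
    if len(parts) not in (4, 5):
        raise ValueError(f"expected 4 or 5 ';'-separated fields: {decode!r}")
    method, scope, attr_type, input_type = parts[:4]
    if token:  # Table 1-11 uses TokenDTO, and ListTokenDTO for User ID, as API_NAME
        if not scope.endswith("TokenDTO"):
            raise ValueError(f"API_NAME must be a TokenDTO class, got {scope!r}")
    elif scope not in PRINCIPAL_TYPES:
        raise ValueError(f"PRINCIPAL_TYPE must be IMS or AM, got {scope!r}")
    if attr_type not in ATTRIBUTE_TYPES:
        raise ValueError(f"ATTRIBUTE_TYPE must be Core or Extended, got {attr_type!r}")
    return DecodeEntry("mapped", method, scope, attr_type, input_type,
                       parts[4] if len(parts) == 5 else None)

# Entries copied from Tables 1-10 and 1-11 on this page
USER_MAP = {"Account Expire Date[Date]": "accountExpireDate;IMS;Core;Date;EXPIRATION_DATE",
            "Clear Incorrect Passcodes": "clearBadPasscodes;AM;Core;boolean",
            "Account Expire Hours": "AccountExpireHours", "User GUID": "_UID_"}
TOKEN_MAP = {"Notes": "notes;TokenDTO;Core;String", "Pin": "_PASSWORD_",
             "User ID": "assignedUser;ListTokenDTO;Core;String;principalId"}
```

Running parse_decode over every Decode value in a lookup before deploying a customized map catches a mistyped PRINCIPAL_TYPE or ATTRIBUTE_TYPE that would otherwise surface only as a failed provisioning task.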

1.9 Roadmap for Deploying and Using the Connector

The following is the organization of information in the rest of this guide: