1 About the RSA Authentication Manager Connector
This chapter introduces the RSA Authentication Manager connector.
This chapter discusses the following topics:
1.1 Introduction to RSA Authentication Manager Connector
Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with external, identity-aware applications. This guide discusses the connector that enables you to use RSA Authentication Manager as a managed (target) resource of Oracle Identity Manager.
Note:
At some places in this guide, RSA Authentication Manager has been referred to as the target system.
In the account management (target resource) mode of the connector, information about users created or modified directly on the target system can be reconciled into Oracle Identity Manager. In addition, you can use Oracle Identity Manager to perform provisioning operations on the target system.
1.2 Certified Components
Table 1-1 lists the certified components for the target system.
Table 1-1 Certified Components
Item | Requirement |
---|---|
Oracle Identity Governance or Oracle Identity Manager | You can use one of the following releases of Oracle Identity Manager: |
Target System | You can use one of the following supported versions of the target system: |
Connector Server | 11.1.2.1.0 |
Connector Server JDK | JDK 1.6 or later |
1.3 Usage Recommendation
Depending on the Oracle Identity Manager version that you are using, you must deploy and use one of the following connectors:
-
If you are using an Oracle Identity Manager release that is earlier than Oracle Identity Manager 11g Release 2 (11.1.2.0.0), then you must use the 9.1.0.x version of this connector. However, if you are using RSA Authentication Manager 6.0, or 6.1, or 6.1.2, then you must use the 9.0.4.x version of this connector.
-
If you are using Oracle Identity Manager 11g Release 2 or later, then you must use the 11.1.1.x version of this connector. However, if you are using RSA Authentication Manager 7.1 with SP3 or later, then use the 9.1.0.x version of this connector.
1.4 Certified Languages
The connector supports the following languages:
- Arabic
- Chinese (Simplified)
- Chinese (Traditional)
- Czech
- Danish
- Dutch
- English (UK)
- English (US)
- Finnish
- French
- German
- Greek
- Hebrew
- Hungarian
- Italian
- Japanese
- Korean
- Norwegian
- Polish
- Portuguese
- Portuguese (Brazilian)
- Romanian
- Russian
- Slovak
- Spanish
- Swedish
- Thai
- Turkish
1.5 Connector Architecture
Figure 1-1 shows the architecture of the connector.
The RSA Authentication Manager connector is implemented by using the Identity Connector Framework (ICF). The ICF is a component that provides basic reconciliation and provisioning operations that are common to all Oracle Identity Manager connectors. In addition, ICF provides common features that developers would otherwise need to implement on their own, such as connection pooling, buffering, timeouts, and filtering. The ICF is shipped along with Oracle Identity Manager. Therefore, you need not configure or modify the ICF.
This connector is used to manage users and tokens on RSA Authentication Manager through Oracle Identity Manager. It integrates Oracle Identity Manager with the target system through the RSA Authentication Manager Java API.
The connector can be configured to run in the Account Management mode. Account management is also known as target resource management. In this mode, the target system is used as a target resource and the connector enables the following operations:
- Provisioning:
Provisioning involves creating, updating, or deleting users and tokens on the target system through Oracle Identity Manager. The connector uses the Java API to connect to the RSA Authentication Manager server and provision accounts and tokens.
Token provisioning operations are performed in the same manner, but a separate set of Oracle Identity Manager adapters is used for them.
During user provisioning, the data received in the create or update operation is passed to the target system APIs. The RSA APIs accept the provisioning data, carry out the required operation on the target system, and return the target system's response to the connector. The connector then returns the response to Oracle Identity Manager.
- Target resource reconciliation:
During reconciliation, the connector fetches data (using scheduled jobs) about users created or modified directly on the target system into Oracle Identity Manager. This data is used to add or modify resources allocated to OIM Users.
During reconciliation, the RSA APIs accept the search criteria, including filters, and return the matching records to the connector. The connector supports searching for users, tokens, roles, groups, identity sources, security domains, and RADIUS profiles on the target system.
1.6 Lookup Definitions Used During Reconciliation and Provisioning
Lookup definitions used during reconciliation and provisioning can either be synchronized with the target system or preconfigured. The following sections contain detailed information:
1.6.1 About Lookup Field Synchronization
During a provisioning operation, you use a lookup field on the process form to specify a single value from a set of values. For example, you use the Identity Source lookup field to select an identity source during a provisioning operation performed through the Administrative and User Console. When you deploy the connector, lookup definitions corresponding to the lookup fields on the target system are automatically created in Oracle Identity Manager. Lookup field synchronization involves copying additions or changes made to the target system lookup fields into the lookup definitions in Oracle Identity Manager.
1.6.2 Lookup Definitions Synchronized with the Target System
The following lookup definitions are populated with values fetched from the target system by the scheduled jobs for lookup field synchronization:
1.6.2.1 Lookup.RSAAM.UserGroup
The Lookup.RSAAM.UserGroup lookup definition holds details of user groups defined on RSA Authentication Manager. You populate this lookup definition through lookup field synchronization performed using the RSAAM UserGroup Lookup Reconciliation scheduled job.
The following is the format of entries in this lookup definition:
- Code Key: IT_RESOURCE_KEY~GROUP_GUID
In this format:
- IT_RESOURCE_KEY is the key assigned to the IT resource on Oracle Identity Manager.
- GROUP_GUID is the GUID of the group on the target system.
- Decode: IT_RESOURCE_NAME~IDENTITY_SOURCE_NAME~SECURITY_DOMAIN_NAME~GROUP_NAME
In this format:
- IT_RESOURCE_NAME is the name assigned to the IT resource on Oracle Identity Manager.
- IDENTITY_SOURCE_NAME is the name of the identity source on the target system.
- SECURITY_DOMAIN_NAME is the name of the security domain on the target system.
- GROUP_NAME is the name of the group on the target system.
The following table shows sample entries in this lookup definition:
Code Key | Decode |
---|---|
41~ims.898afd743afcb10a1b20d2688a0b14be | RSA Server Instance~Internal Database~SecDom1a~Group1 |
41~ims.2820d78e3afcb10a1bc9883fa4aedc51 | RSA Server Instance~Internal Database~SystemDomain~Group3 |
41~ims.3139e7eb3afcb10a1bc8f2e9afd7a77e | RSA Server Instance~Internal Database~SystemDomain~Group2 |
1.6.2.2 Lookup.RSAAM.IdentitySource
In RSA Authentication Manager, an identity source can be the default internal database, an LDAP-based solution, or a database. The Lookup.RSAAM.IdentitySource lookup definition holds details of the identity sources configured for your target system installation. You populate this lookup definition through lookup field synchronization performed using the RSAAM IdentitySource Lookup Reconciliation scheduled job.
The following is the format of entries in this lookup definition:
- Code Key: IT_RESOURCE_KEY~IDENTITY_SOURCE_GUID
In this format:
- IT_RESOURCE_KEY is the key assigned to the IT resource on Oracle Identity Manager.
- IDENTITY_SOURCE_GUID is the GUID of the identity source on the target system.
- Decode: IT_RESOURCE_NAME~IDENTITY_SOURCE_NAME
In this format:
- IT_RESOURCE_NAME is the name assigned to the IT resource on Oracle Identity Manager.
- IDENTITY_SOURCE_NAME is the name of the identity source on the target system.
The following table shows sample entries in this lookup definition:
Code Key | Decode |
---|---|
1~ims.000000000000000000001000d0011000 | RSA Server Instance~Internal Database |
1.6.2.3 Lookup.RSAAM.SecurityDomain
In the RSA Authentication Manager context, security domains represent the internal business units, such as departments, of the organization. These security domains are organized in a hierarchy. You populate this lookup definition through lookup field synchronization performed using the RSAAM SecurityDomain Lookup Reconciliation scheduled job.
The Lookup.RSAAM.SecurityDomain lookup definition stores the GUID and name of these security domains.
The following is the format of entries in this lookup definition:
- Code Key: IT_RESOURCE_KEY~SECURITY_DOMAIN_GUID
In this format:
- IT_RESOURCE_KEY is the key assigned to the IT resource on Oracle Identity Manager.
- SECURITY_DOMAIN_GUID is the GUID of the security domain on the target system.
- Decode: IT_RESOURCE_NAME~SECURITY_DOMAIN_NAME
In this format:
- IT_RESOURCE_NAME is the name assigned to the IT resource on Oracle Identity Manager.
- SECURITY_DOMAIN_NAME is the name of the security domain on the target system.
The following table shows sample entries in this lookup definition:
Code Key | Decode |
---|---|
1~ims.000000000000000000001000e0011000 | RSA Server Instance~SystemDomain |
1~ims.6de7d3c19e3714ac017cfd3c69eec20e | RSA Server Instance~Domain1 |
1~ims.6e3dc8939e3714ac02019a05130a8285 | RSA Server Instance~Domain2 |
1.6.2.4 Lookup.RSAAM.AdminRole
On RSA Authentication Manager, an administrative role is a collection of permissions that can be assigned to an administrator. It determines the level of control the administrator has over users, user groups, and other entities. You populate this lookup definition through lookup field synchronization performed using the RSAAM AdminRole Lookup Reconciliation scheduled job.
The Lookup.RSAAM.AdminRole lookup definition stores details of administrative roles. The following is the format of entries in this lookup definition:
- Code Key: IT_RESOURCE_KEY~ROLE_GUID
In this format:
- IT_RESOURCE_KEY is the key assigned to the IT resource on Oracle Identity Manager.
- ROLE_GUID is the GUID of the role on the target system.
- Decode: IT_RESOURCE_NAME~SECURITY_DOMAIN_NAME~ROLE_NAME
In this format:
- IT_RESOURCE_NAME is the name assigned to the IT resource on Oracle Identity Manager.
- SECURITY_DOMAIN_NAME is the name of the security domain on the target system.
- ROLE_NAME is the name of the role on the target system.
The following table shows sample entries in this lookup definition:
Code Key | Decode |
---|---|
41~ims.000000000000000000002000f0035001 | RSA Server Instance~SystemDomain~Auth Mgr Root Domain Admin |
41~ims.000000000000000000001000e0031001 | RSA Server Instance~SystemDomain~TrustedRealmAdminRole |
1.6.2.5 Lookup.RSAAM.TokenSerial
On RSA Authentication Manager, a token serial is a unique identification number provided for every token. You populate this lookup definition through lookup field synchronization performed using the RSAAM TokenSerial Lookup Reconciliation scheduled job.
The Lookup.RSAAM.TokenSerial lookup definition stores details of token serials. The following is the format of entries in this lookup definition:
- Code Key: IT_RESOURCE_KEY~TOKEN_SERIAL_NUMBER
In this format:
- IT_RESOURCE_KEY is the key assigned to the IT resource on Oracle Identity Manager.
- TOKEN_SERIAL_NUMBER is the number assigned to the token on the target system.
- Decode: IT_RESOURCE_NAME~SECURITY_DOMAIN_NAME~TOKEN_SERIAL_NUMBER
In this format:
- IT_RESOURCE_NAME is the name assigned to the IT resource on Oracle Identity Manager.
- SECURITY_DOMAIN_NAME is the name of the security domain on the target system.
- TOKEN_SERIAL_NUMBER is the number assigned to the token on the target system.
The following table shows sample entries in this lookup definition:
Code Key | Decode |
---|---|
41~000221996071 | RSA Server Instance~SecDom2a~000221996071 |
41~000221996081 | RSA Server Instance~SystemDomain~000221996081 |
1.6.2.6 Lookup.RSAAM.RadiusProfile
On RSA Authentication Manager, a RADIUS profile is a collection of attributes that specify the session requirements for a user's authentication through RADIUS. These attributes are contained in a checklist or a return list. You populate this lookup definition through lookup field synchronization performed using the RSAAM RadiusProfile Lookup Reconciliation scheduled job.
The Lookup.RSAAM.RadiusProfile lookup definition stores details of RADIUS profiles. The following is the format of entries in this lookup definition:
- Code Key: IT_RESOURCE_KEY~RADIUS_PROFILE_GUID
In this format:
- IT_RESOURCE_KEY is the key assigned to the IT resource on Oracle Identity Manager.
- RADIUS_PROFILE_GUID is the GUID of the RADIUS profile on the target system.
- Decode: IT_RESOURCE_NAME~SECURITY_DOMAIN_NAME~RADIUS_PROFILE_NAME
In this format:
- IT_RESOURCE_NAME is the name assigned to the IT resource on Oracle Identity Manager.
- SECURITY_DOMAIN_NAME is the name of the security domain on the target system.
- RADIUS_PROFILE_NAME is the name of the profile on the target system.
The following table shows sample entries in this lookup definition:
Code Key | Decode |
---|---|
41~ims.a0f646313afcb10a1ba80b1af3204720 | RSA Server Instance~SystemDomain~RAD_PROF2 |
41~ims.6b630bf63afcb10a1bc062fe04d92672 | RSA Server Instance~SystemDomain~RAD_PROF1 |
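All six synchronized lookup definitions above (Lookup.RSAAM.UserGroup through Lookup.RSAAM.RadiusProfile) share the same '~'-separated Code Key and Decode layout, so one parser can validate them after a lookup reconciliation run. The following is an added example written for this guide, not code from the connector or from Oracle; it encodes the documented field lists, uses the sample rows printed above, and flags entries a practitioner typically finds when synchronization goes wrong: a name that itself contains '~' (which makes the entry ambiguous), a duplicate Code Key, rows from more than one IT resource mixed into one lookup, and a token serial that differs between the two halves. The GUID pattern ("ims." followed by 32 hex digits) is inferred from the sample rows and is an assumption, as is the set of checks.

```python
"""Parse and sanity-check entries of the synchronized RSAAM lookup definitions.

Added example; not connector code. Field lists follow sections 1.6.2.1 to
1.6.2.6. The GUID pattern and the checks in check_rows() are assumptions.
"""
import re
from dataclasses import dataclass

SEP = "~"
GUID_RE = re.compile(r"^ims\.[0-9a-f]{32}$")  # assumption inferred from the sample rows

LOOKUP_FORMATS = {  # lookup name -> (Code Key fields, Decode fields), as documented
    "Lookup.RSAAM.UserGroup": (("IT_RESOURCE_KEY", "GROUP_GUID"),
                               ("IT_RESOURCE_NAME", "IDENTITY_SOURCE_NAME", "SECURITY_DOMAIN_NAME", "GROUP_NAME")),
    "Lookup.RSAAM.IdentitySource": (("IT_RESOURCE_KEY", "IDENTITY_SOURCE_GUID"),
                                    ("IT_RESOURCE_NAME", "IDENTITY_SOURCE_NAME")),
    "Lookup.RSAAM.SecurityDomain": (("IT_RESOURCE_KEY", "SECURITY_DOMAIN_GUID"),
                                    ("IT_RESOURCE_NAME", "SECURITY_DOMAIN_NAME")),
    "Lookup.RSAAM.AdminRole": (("IT_RESOURCE_KEY", "ROLE_GUID"),
                               ("IT_RESOURCE_NAME", "SECURITY_DOMAIN_NAME", "ROLE_NAME")),
    "Lookup.RSAAM.TokenSerial": (("IT_RESOURCE_KEY", "TOKEN_SERIAL_NUMBER"),
                                 ("IT_RESOURCE_NAME", "SECURITY_DOMAIN_NAME", "TOKEN_SERIAL_NUMBER")),
    "Lookup.RSAAM.RadiusProfile": (("IT_RESOURCE_KEY", "RADIUS_PROFILE_GUID"),
                                   ("IT_RESOURCE_NAME", "SECURITY_DOMAIN_NAME", "RADIUS_PROFILE_NAME")),
}


@dataclass
class LookupEntry:
    lookup: str
    code: dict    # named Code Key fields
    decode: dict  # named Decode fields


def parse_entry(lookup, code_key, decode):
    """Split one Code Key / Decode pair on '~' and name the fields.

    Raises ValueError when the field count does not match the documented format
    (for example when a group or domain name itself contains '~'), when the IT
    resource key is not numeric, or when a *_GUID field does not look like an RSA GUID.
    """
    code_fields, decode_fields = LOOKUP_FORMATS[lookup]
    code_parts = [p.strip() for p in code_key.split(SEP)]
    decode_parts = [p.strip() for p in decode.split(SEP)]
    if len(code_parts) != len(code_fields):
        raise ValueError(f"{lookup}: code key {code_key!r} has {len(code_parts)} fields, expected {len(code_fields)}")
    if len(decode_parts) != len(decode_fields):
        raise ValueError(f"{lookup}: decode {decode!r} has {len(decode_parts)} fields, expected {len(decode_fields)}")
    code = dict(zip(code_fields, code_parts))
    decode_map = dict(zip(decode_fields, decode_parts))
    if not code["IT_RESOURCE_KEY"].isdigit():
        raise ValueError(f"{lookup}: IT resource key {code['IT_RESOURCE_KEY']!r} is not numeric")
    id_field = code_fields[1]
    if id_field.endswith("_GUID") and not GUID_RE.match(code[id_field]):
        raise ValueError(f"{lookup}: {id_field} {code[id_field]!r} does not look like an RSA GUID")
    return LookupEntry(lookup, code, decode_map)


def check_rows(lookup, rows):
    """Parse every (code_key, decode) row of one lookup; return a list of problems (empty when clean)."""
    problems, seen, resources = [], set(), set()
    for code_key, decode in rows:
        try:
            entry = parse_entry(lookup, code_key, decode)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if code_key in seen:
            problems.append(f"duplicate code key {code_key!r}")
        seen.add(code_key)
        resources.add((entry.code["IT_RESOURCE_KEY"], entry.decode["IT_RESOURCE_NAME"]))
        # For token serials the serial appears in both halves and must agree.
        if lookup == "Lookup.RSAAM.TokenSerial" and entry.code["TOKEN_SERIAL_NUMBER"] != entry.decode["TOKEN_SERIAL_NUMBER"]:
            problems.append(f"serial mismatch in {code_key!r}")
    if len(resources) > 1:
        problems.append(f"entries span several IT resources: {sorted(resources)}")
    return problems


# Sample rows taken from the tables in this section.
SAMPLE_ROWS = {
    "Lookup.RSAAM.UserGroup": [
        ("41~ims.898afd743afcb10a1b20d2688a0b14be", "RSA Server Instance~Internal Database~SecDom1a~Group1"),
        ("41~ims.2820d78e3afcb10a1bc9883fa4aedc51", "RSA Server Instance~Internal Database~SystemDomain~Group3"),
    ],
    "Lookup.RSAAM.IdentitySource": [("1~ims.000000000000000000001000d0011000", "RSA Server Instance~Internal Database")],
    "Lookup.RSAAM.TokenSerial": [("41~000221996071", "RSA Server Instance~SecDom2a~000221996071")],
}

# Constructed rows that a check should flag: a group name containing '~' and a duplicate Code Key.
BAD_USERGROUP_ROWS = [
    ("41~ims.3139e7eb3afcb10a1bc8f2e9afd7a77e", "RSA Server Instance~Internal Database~SystemDomain~Ops~Tier1"),
    ("41~ims.3139e7eb3afcb10a1bc8f2e9afd7a77e", "RSA Server Instance~Internal Database~SystemDomain~Group2"),
    ("41~ims.3139e7eb3afcb10a1bc8f2e9afd7a77e", "RSA Server Instance~Internal Database~SystemDomain~Group2"),
]

if __name__ == "__main__":
    for name, rows in SAMPLE_ROWS.items():
        print(name, check_rows(name, rows) or "OK")
    for problem in check_rows("Lookup.RSAAM.UserGroup", BAD_USERGROUP_ROWS):
        print("problem:", problem)
```

The '~' case is the one worth remembering: the connector builds Decode values by joining names with '~', so a security domain or group whose name contains that character yields an entry that splits into the wrong number of fields, and the process form lookup will show it under the wrong domain or not at all.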
1.6.3 Preconfigured Lookup Definitions
This section discusses the other lookup definitions that are created in Oracle Identity Manager when you deploy the connector. These lookup definitions are either prepopulated with values or values must be manually entered in them after the connector is deployed. The other lookup definitions are as follows:
1.6.3.1 Lookup.RSAAM.Configuration
The Lookup.RSAAM.Configuration lookup definition holds connector configuration entries that are used during target resource reconciliation and provisioning operations.
Table 1-2 lists the default entries in this lookup definition.
Table 1-2 Entries in the Lookup.RSAAM.Configuration Lookup Definition
Code Key | Decode | Description |
---|---|---|
Bundle Name | org.identityconnectors.rsaam | This entry holds the name of the connector bundle package. Do not modify this entry. |
Bundle Version | 1.0.1115 | This entry holds the version of the connector bundle class. Do not modify this entry. |
Connector Name | org.identityconnectors.rsaam.RSAAMConnector | This entry holds the name of the connector class. Do not modify this entry. |
User Configuration Lookup | Lookup.RSAAM.UM.Configuration | This entry holds the name of the lookup definition that contains user-specific configuration properties. Do not modify this entry. |
defaultBatchSize | 1000 | This entry holds the number of records that must be included in each batch during batched reconciliation. This entry is used only when the Batch Size attribute of the user reconciliation scheduled jobs is either empty or set to 0. See Batched Reconciliation for more information about the Batch Size attribute. |
Token Configuration Lookup | Lookup.RSAAM.Token.Configuration | This entry holds the name of the lookup definition that contains token-specific configuration properties. Do not modify this entry. |
If the computer hosting Oracle Identity Manager and the computer hosting RSA Authentication Manager are in different time zones, configure the connector for this by following the procedure in Setting up the Lookup Definition for Different Time Zones.
1.6.3.2 Lookup.RSAAM.UM.Configuration
The Lookup.RSAAM.UM.Configuration lookup definition holds configuration entries that are specific to the user object type. This lookup definition is used during user management operations when your target system is configured as a target resource.
Table 1-3 lists the default entries in this lookup definition.
Table 1-3 Entries in the Lookup.RSAAM.UM.Configuration Lookup Definition
Code Key | Decode | Description |
---|---|---|
Provisioning Attribute Map | Lookup.RSAAM.UM.ProvAttrMap | This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup.RSAAM.UM.ProvAttrMap for more information about this lookup definition. |
Recon Attribute Map | Lookup.RSAAM.UM.ReconAttrMap | This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.RSAAM.UM.ReconAttrMap for more information about this lookup definition. |
1.6.3.3 Lookup.RSAAM.UM.ProvAttrMap
The Lookup.RSAAM.UM.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is used during provisioning and is preconfigured. Table 1-10 lists the default entries.
You can add entries to this lookup definition if you want to map new target system attributes for provisioning. See Adding New User or Token Attributes for Provisioning.
1.6.3.4 Lookup.RSAAM.UM.ReconAttrMap
The Lookup.RSAAM.UM.ReconAttrMap lookup definition holds mappings between resource object fields and target system attributes. This lookup definition is used during reconciliation and is preconfigured. Table 1-5 lists the default entries.
You can add entries to this lookup definition if you want to map new target system attributes for reconciliation. See Adding New User or Token Attributes for Reconciliation.
1.6.3.5 Lookup.RSAAM.Token.Configuration
The Lookup.RSAAM.Token.Configuration lookup definition holds configuration entries that are specific to the token object type. This lookup definition is used during token management operations when your target system is configured as a target resource.
Table 1-4 lists the default entries in this lookup definition.
Table 1-4 Entries in the Lookup.RSAAM.Token.Configuration Lookup Definition
Code Key | Decode | Description |
---|---|---|
Provisioning Attribute Map | Lookup.RSAAM.Token.ProvAttrMap | This entry holds the name of the lookup definition that maps process form fields and target system attributes. See Lookup.RSAAM.Token.ProvAttrMap for more information about this lookup definition. |
Recon Attribute Map | Lookup.RSAAM.Token.ReconAttrMap | This entry holds the name of the lookup definition that maps resource object fields and target system attributes. See Lookup.RSAAM.Token.ReconAttrMap for more information about this lookup definition. |
1.6.3.6 Lookup.RSAAM.Token.ProvAttrMap
The Lookup.RSAAM.Token.ProvAttrMap lookup definition holds mappings between process form fields and target system attributes. This lookup definition is used during provisioning and is preconfigured. Table 1-11 lists the default entries.
You can add entries to this lookup definition if you want to map new target system attributes for provisioning. See Adding New User or Token Attributes for Provisioning.
1.6.3.7 Lookup.RSAAM.Token.ReconAttrMap
The Lookup.RSAAM.Token.ReconAttrMap lookup definition holds mappings between resource object fields and target system attributes. This lookup definition is used during reconciliation and is preconfigured. Table 1-7 lists the default entries.
You can add entries to this lookup definition if you want to map new target system attributes for reconciliation. See Adding New User or Token Attributes for Reconciliation.
1.6.3.8 Lookup.RSAAM.Hours
The Lookup.RSAAM.Hours lookup definition holds the list of configured hours. This is a static lookup definition. You cannot modify or add entries in this lookup definition.
1.7 Connector Objects Used During Reconciliation
Target resource reconciliation involves fetching data about newly created or modified accounts on the target system and using this data to add or modify resources assigned to OIM Users.
The RSAAM User Target Reconciliation and RSAAM Token Target Reconciliation scheduled jobs are used to initiate a target resource reconciliation run. These scheduled jobs are discussed in Scheduled Jobs for Reconciliation of Token and User Records.
This section discusses the following topics:
- Viewing Reconciliation Rule for User Target Resource Reconciliation
- Reconciliation Action Rules for User Target Resource Reconciliation
- Viewing Reconciliation Action Rules for User Target Resource Reconciliation
- Reconciliation Rule for Token Target Resource Reconciliation
- Viewing Reconciliation Rule for Token Target Resource Reconciliation
- Reconciliation Action Rules for Token Target Resource Reconciliation
- Viewing Reconciliation Action Rule for Token Target Resource Reconciliation
1.7.1 User Fields for Target Resource Reconciliation
The Lookup.RSAAM.UM.ReconAttrMap lookup definition maps resource object fields and target system attributes. This lookup definition is used for performing target resource user reconciliation runs.
In this lookup definition, entries are in the following format:
- Code Key: Reconciliation field of the resource object
- Decode: The value is in the following format:
METHOD_NAME;PRINCIPAL_TYPE;ATTRIBUTE_TYPE;METHOD_RETURN_TYPE;DTO_ATTRIBUTE_NAME
In this format:
- METHOD_NAME is the name of the method on the target system that fetches values from the attribute. This method belongs to one of the following classes:
  - com.rsa.admin.data.PrincipalDTO
  - com.rsa.authmgr.admin.principalmgt.data.AMPrincipalDTO
The get or is prefix of the method name is not included in the Decode value.
- PRINCIPAL_TYPE can be either IMS or AM depending on whether the attribute is an Identity Management Services attribute or an Authentication Manager attribute.
See Also:
Target system documentation for information about differences between Identity Management Services and Authentication Manager attributes
- ATTRIBUTE_TYPE can be one of the following:
  - Core if the attribute is a standard RSA Authentication Manager attribute.
  - Extended if the attribute is a custom attribute.
- METHOD_RETURN_TYPE is the data type of the value returned by the method. The return type is specified in the Javadocs for the API.
- DTO_ATTRIBUTE_NAME is the name of the attribute in the PrincipalDTO or AMPrincipalDTO class.
Table 1-5 provides information about user attribute mappings for target resource reconciliation.
Table 1-5 Entries in the Lookup.RSAAM.UM.ReconAttrMap lookup definition
Code | Decode |
---|---|
Account Expire Date[Date] | accountExpireDate;IMS;Core;Date;EXPIRATION_DATE |
Account Expire Hours | AccountExpireHours |
Account Expire Minutes | AccountExpireMinutes |
Account Start Date[Date] | accountStartDate;IMS;Core;Date;START_DATE |
Account Start Hours | AccountStartHours |
Account Start Minutes | AccountStartMinutes |
Certificate DN | certificateDN;IMS;Core;String;CERT_DN |
Clear Incorrect Passcodes | clearBadPasscodes;AM;Core;boolean |
Clear Windows Password | clearWindowsLoginPassword;AM;Core;boolean |
Default Shell | defaultShell;AM;Core;String |
First Name | firstName;IMS;Core;String;FIRST_NAME |
Fixed Passcode Allowed | staticPasswordSet;AM;Core;boolean |
Groups~Group Name[LOOKUP] | UserGroup |
Identity Source[LOOKUP] | identitySourceGuid;IMS;Core;String;IDENTITY_SRC_ID |
Last Name | lastName;IMS;Core;String;LAST_NAME |
Middle Name | middleName;IMS;Core;String;MIDDLE_NAME |
Security Domain[LOOKUP] | securityDomainGuid;IMS;Core;String;OWNER_ID |
Roles~Role Name[LOOKUP] | AdminRole |
Radius Profile[LOOKUP] | radiusProfileGuid;AM;Core;String |
Status | _ENABLE_ |
User GUID | _UID_ |
User ID | _NAME_ |
1.7.2 Reconciliation Rule for User Target Resource Reconciliation
See Also:
Reconciliation Engine in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for generic information about reconciliation matching and action rules.
The following is the process-matching rule:
Rule name: RSA AuthManager UserRecon
Rule element: User Login Equals User ID where the User Login is the User ID field on the OIM User form and the User ID is the user ID (_NAME_) field of RSA Authentication Manager.
1.7.3 Viewing Reconciliation Rule for User Target Resource Reconciliation
After you have deployed the connector, you can view the reconciliation rule for target resource reconciliation by performing the following steps:
1.7.4 Reconciliation Action Rules for User Target Resource Reconciliation
The action rules for target resource reconciliation are listed in Table 1-6.
Table 1-6 Action Rules for Target Resource Reconciliation
Rule Condition | Action |
---|---|
No Matches Found | Assign To Administrator With Least Load |
One Entity Match Found | Establish Link |
One Process Match Found | Establish Link |
Note:
No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See the following topics in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager:
1.7.5 Viewing Reconciliation Action Rules for User Target Resource Reconciliation
After you deploy the connector, you can view the reconciliation action rules for target resource reconciliation by performing the following steps:
1.7.6 Token Fields for Target Resource Reconciliation
The Lookup.RSAAM.Token.ReconAttrMap lookup definition maps resource object fields and target system attributes. This lookup definition is used for performing target resource token reconciliation runs.
In this lookup definition, entries are in the following format:
- Code Key: Reconciliation field of the resource object
- Decode: The value is in the following format:
METHOD_NAME;API_NAME;ATTRIBUTE_TYPE;METHOD_RETURN_TYPE;DTO_ATTRIBUTE_NAME
In this format:
- METHOD_NAME is the name of the method on the target system that fetches values from the attribute. This method belongs to one of the following classes:
  - com.rsa.admin.data.ListTokenDTO
  - com.rsa.authmgr.admin.principalmgt.data.TokenDTO
Note:
If the field is present in both ListTokenDTO and TokenDTO, use the field from ListTokenDTO for better performance.
The get or is prefix of the method name is not included in the Decode value.
- API_NAME is either ListTokenDTO or TokenDTO.
- ATTRIBUTE_TYPE can be one of the following:
  - Core if the attribute is a standard RSA Authentication Manager attribute.
  - Extended if the attribute is a custom attribute.
- METHOD_RETURN_TYPE is the data type of the value fetched by the method. The return type is specified in the Javadocs for the API.
- DTO_ATTRIBUTE_NAME is the name of the attribute in the ListTokenDTO or TokenDTO class.
Table 1-7 provides information about token attribute mappings for target resource reconciliation.
Table 1-7 Entries in the Lookup.RSAAM.Token.ReconAttrMap lookup definition
Code | Decode |
---|---|
Notes | notes;ListTokenDTO;Core;String |
Status | _ENABLE_ |
Token GUID | _UID_ |
Token Lost | tokenLost;ListTokenDTO;Core;boolean;tokenLost |
Token Serial Number[LOOKUP] | _NAME_ |
User GUID | principalId;TokenDTO;Core;String |
User ID | assignedUser;ListTokenDTO;Core;String;principalID |
1.7.7 Reconciliation Rule for Token Target Resource Reconciliation
See Also:
Reconciliation Engine in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for generic information about reconciliation matching and action rules
The following is the process-matching rule:
Rule name: RSA AuthManager TokenRecon
Rule element: User Login Equals User ID, where User Login is the User ID field on the OIM User form and User ID is the User ID reconciliation field of the token resource object, that is, the ID of the user to whom the token is assigned on RSA Authentication Manager (see the User ID entry in Table 1-7).
1.7.8 Viewing Reconciliation Rule for Token Target Resource Reconciliation
After you have deployed the connector, you can view the reconciliation rule for target resource reconciliation by performing the following steps:
1.7.9 Reconciliation Action Rules for Token Target Resource Reconciliation
Table 1-8 lists the action rules for target resource reconciliation.
Table 1-8 Action Rules for Target Resource Reconciliation
Rule Condition | Action |
---|---|
No Matches Found | Assign To Administrator With Least Load |
One Entity Match Found | Establish Link |
One Process Match Found | Establish Link |
Note:
No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions. See the following topics in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager:
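The user and token matching rules (RSA AuthManager UserRecon and RSA AuthManager TokenRecon) and the action rules of Tables 1-6 and 1-8 are easiest to reason about as a small state machine: the engine first looks for a process match (an account already linked under the same IT resource), then for an entity match (an OIM User whose User Login equals the incoming User ID), and the action table decides what happens. The following is an added, simplified model written for this guide; it is not connector code and not the Oracle Identity Manager reconciliation engine. The OIM Users, linked accounts, administrator load and reconciliation events are constructed sample data, and the labels used for the conditions the tables do not cover ("Multiple Entity Matches Found", "Multiple Process Matches Found") are the model's own. The example shows the point of the Note above: an event that matches two OIM Users with the same login receives no action and stays open until someone handles it.

```python
"""Model of the connector's reconciliation matching and action rules.

Added example, not connector or OIM code. Applies "User Login Equals User ID"
and the action rules of Tables 1-6 / 1-8 to constructed sample data.
"""
from collections import Counter

ACTION_RULES = {  # Tables 1-6 and 1-8; every other condition has no predefined action
    "No Matches Found": "Assign To Administrator With Least Load",
    "One Entity Match Found": "Establish Link",
    "One Process Match Found": "Establish Link",
}

# Constructed sample data.
OIM_USERS = [
    {"user_key": 1, "login": "JSMITH"},
    {"user_key": 2, "login": "AKUMAR"},
    {"user_key": 3, "login": "DUPE"},   # two OIM Users with the same login: the rule
    {"user_key": 4, "login": "DUPE"},   # matches both and cannot decide, so no action is taken
]
LINKED_ACCOUNTS = [  # accounts already provisioned under the IT resource (process form data)
    {"it_resource": "RSA Server Instance", "user_id": "JSMITH", "user_key": 1},
]
ADMIN_LOAD = Counter({"xelsysadm": 5, "rsa.admin": 2})  # open events per administrator


def classify(event, users, accounts):
    """Return the rule condition for one reconciliation event.

    A process match is an existing account under the same IT resource whose
    target User ID equals the event's; an entity match is an OIM User whose
    User Login equals the event's User ID. The rule element is Equals, so the
    comparison is exact.
    """
    uid = event["User ID"]
    process = [a for a in accounts if a["it_resource"] == event["it_resource"] and a["user_id"] == uid]
    if process:
        return "One Process Match Found" if len(process) == 1 else "Multiple Process Matches Found"
    entity = [u for u in users if u["login"] == uid]
    if entity:
        return "One Entity Match Found" if len(entity) == 1 else "Multiple Entity Matches Found"
    return "No Matches Found"


def reconcile(events, users, accounts, admin_load):
    """Apply the action rules to events in order; return (User ID, condition, action, target) per event.

    target is the OIM user key that was linked, the administrator the event was
    assigned to, or None when no predefined action exists and the event stays open.
    """
    accounts, admin_load = list(accounts), Counter(admin_load)  # do not mutate caller data
    results = []
    for ev in events:
        cond = classify(ev, users, accounts)
        action = ACTION_RULES.get(cond)
        target = None
        if action == "Establish Link":
            if cond == "One Process Match Found":
                target = next(a["user_key"] for a in accounts
                              if a["it_resource"] == ev["it_resource"] and a["user_id"] == ev["User ID"])
            else:
                target = next(u["user_key"] for u in users if u["login"] == ev["User ID"])
                # Linking creates the account, so a later event for the same ID is a process match.
                accounts.append({"it_resource": ev["it_resource"], "user_id": ev["User ID"], "user_key": target})
        elif action == "Assign To Administrator With Least Load":
            target = min(admin_load, key=admin_load.get)
            admin_load[target] += 1
        results.append((ev["User ID"], cond, action, target))
    return results


EVENTS = [{"it_resource": "RSA Server Instance", "User ID": uid}
          for uid in ("JSMITH", "AKUMAR", "AKUMAR", "DUPE", "ORPHAN1", "ORPHAN2")]

if __name__ == "__main__":
    for row in reconcile(EVENTS, OIM_USERS, LINKED_ACCOUNTS, ADMIN_LOAD):
        print(row)
```

Two practical consequences follow from the model. First, every account created on RSA Authentication Manager for a user who has no OIM User with exactly that login (including a login that differs only in case) becomes an event assigned to an administrator, so orphan handling should be part of the reconciliation runbook. Second, because the same rule is used for the token resource object, a token whose assigned user is unknown to Oracle Identity Manager is likewise left for manual handling rather than silently linked.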
1.8 Connector Objects Used During Provisioning
Provisioning involves creating or modifying user data on the target system through Oracle Identity Manager.
See Also:
Managing Provisioning Tasks in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager for conceptual information about provisioning
This section discusses the following topics:
1.8.1 Provisioning Functions
The provisioning functions that are supported by the connector are listed in Table 1-9. The Adapter column gives the name of the adapter that is used when the function is performed.
Table 1-9 Provisioning Functions
Function | Adapter |
---|---|
Create User | adpRSAAMCREATEUSER |
Update User | adpRSAAMUPDATEUSER |
Delete User | adpRSAAMDELETEUSER |
Enable User | adpRSAAMENABLEUSER |
Disable User | adpRSAAMDISABLEUSER |
Assign Token | adpRSAAMASSIGNTOKEN |
Update Token | adpRSAAMUPDATETOKEN |
Enable Token | adpRSAAMENABLETOKEN |
Disable Token | adpRSAAMDISABLETOKEN |
Unassign Token | adpRSAAMUNASSIGNTOKEN |
Add Role | adpRSAAMADDROLE |
Update Role | adpRSAAMUPDATEROLE |
Remove Role | adpRSAAMREMOVEROLE |
Add Group | adpRSAAMADDGROUP |
Update Group | adpRSAAMUPDATEGROUP |
Remove Group | adpRSAAMREMOVEGROUP |
Prepopulate Adapter | adpRSAAMPREPOPULATEADAPTER |
Multi Update | adpRSAAMMULTIUPDATE |
Return Input Value | adpRSAAMRETURNINPUTVALUE |
1.8.2 User Fields for Provisioning
The Lookup.RSAAM.UM.ProvAttrMap lookup definition maps process form fields with target system attributes. This lookup definition is used for performing user provisioning operations.
In this lookup definition, entries are in the following format:
- Code Key: Name of the process form field
- Decode: The value is in the following format:
METHOD_NAME;PRINCIPAL_TYPE;ATTRIBUTE_TYPE;METHOD_INPUT_TYPE;DTO_ATTRIBUTE_NAME
In this format:
- METHOD_NAME is the name of the method on the target system that sets the values for this attribute. This method belongs to one of the following classes:
  - com.rsa.admin.data.PrincipalDTO
  - com.rsa.authmgr.admin.principalmgt.data.AMPrincipalDTO
The set prefix of the method name is not included in the Decode value.
- PRINCIPAL_TYPE can be either IMS or AM depending on whether the attribute is an Identity Management Services attribute or an Authentication Manager attribute.
See Also:
Target system documentation for information about differences between Identity Management Services and Authentication Manager attributes
- ATTRIBUTE_TYPE can be one of the following:
  - Core if the attribute is a standard RSA Authentication Manager attribute.
  - Extended if the attribute is a custom attribute.
- METHOD_INPUT_TYPE is the data type of the value sent to the method. The input type is specified in the Javadocs for the API.
- DTO_ATTRIBUTE_NAME is the name of the attribute in the PrincipalDTO or AMPrincipalDTO class.
Table 1-10 lists the user identity fields of the target system for which you can specify or modify values during provisioning operations.
Table 1-10 Entries in the Lookup.RSAAM.UM.ProvAttrMap lookup definition
Code | Decode |
---|---|
Account Expire Date[Date] | accountExpireDate;IMS;Core;Date;EXPIRATION_DATE |
Account Expire Hours | AccountExpireHours |
Account Expire Minutes | AccountExpireMinutes |
Account Start Hours | AccountStartHours |
Account Start Minutes | AccountStartMinutes |
Account Start Date[Date] | accountStartDate;IMS;Core;Date;START_DATE |
Certificate DN | certificateDN;IMS;Core;String;CERT_DN |
Clear Incorrect Passcodes | clearBadPasscodes;AM;Core;boolean |
Clear Windows Password | clearWindowsLoginPassword;AM;Core;boolean |
Default Shell | defaultShell;AM;Core;String |
First Name | firstName;IMS;Core;String;FIRST_NAME |
Fixed Passcode | staticPassword;AM;Core;String |
Fixed Passcode Allowed | staticPasswordSet;AM;Core;boolean |
Identity Source[LOOKUP] | identitySourceGuid;IMS;Core;String;IDENTITY_SRC_ID |
Last Name | lastName;IMS;Core;String;LAST_NAME |
Middle Name | middleName;IMS;Core;String;MIDDLE_NAME |
Password | _PASSWORD_ |
Radius Profile[LOOKUP] | radiusProfileGuid;AM;Core;String |
Security Domain[LOOKUP] | securityDomainGuid;IMS;Core;String;OWNER_ID |
UD_AMGROUP~GroupName[LOOKUP] | UserGroup |
UD_AMROLE~RoleName[LOOKUP] | AdminRole |
User GUID | _UID_ |
User ID | _NAME_ |
Note:
Clear Incorrect Passcodes and Clear Windows Password are one-time trigger actions that clear the user's bad passcodes and Windows login password, respectively. They are not stored attributes: the value you set during provisioning is acted on but not persisted on the target system, so it can never be reconciled back into Oracle Identity Manager.
1.8.3 Token Fields for Provisioning
The Lookup.RSAAM.Token.ProvAttrMap lookup definition maps process form fields with target system attributes. This lookup definition is used for performing token provisioning operations.
In this lookup definition, entries are in the following format:
- Code Key: Name of the process form field
- Decode: The value is in the following format:
METHOD_NAME;API_NAME;ATTRIBUTE_TYPE;METHOD_INPUT_TYPE;DTO_ATTRIBUTE_NAME
In this format:
- METHOD_NAME is the name of the method on the target system that sets values for this attribute. This method belongs to the com.rsa.authmgr.admin.principalmgt.data.TokenDTO class. The set prefix of the method name is not included in the Decode value.
- API_NAME is TokenDTO.
- ATTRIBUTE_TYPE can be one of the following:
  - Core if the attribute is a standard RSA Authentication Manager attribute.
  - Extended if the attribute is a custom attribute.
- METHOD_INPUT_TYPE is the data type of the value sent to the method. The input type is specified in the Javadocs for the API.
- DTO_ATTRIBUTE_NAME is the name of the attribute in the TokenDTO class.
Table 1-11 lists the token fields of the target system for which you can specify or modify values during provisioning operations.
Table 1-11 Entries in the Lookup.RSAAM.Token.ProvAttrMap lookup definition
Code | Decode |
---|---|
Notes | notes;TokenDTO;Core;String |
Pin | _PASSWORD_ |
Token GUID | _UID_ |
Token Lost | tokenLost;TokenDTO;Core;boolean |
Token Serial Number[LOOKUP] | _NAME_ |
User GUID | principalId;TokenDTO;Core;String |
User ID | assignedUser;ListTokenDTO;Core;String;principalId |
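The four attribute maps (Lookup.RSAAM.UM.ReconAttrMap in Table 1-5, Lookup.RSAAM.Token.ReconAttrMap in Table 1-7, Lookup.RSAAM.UM.ProvAttrMap in Table 1-10 and Lookup.RSAAM.Token.ProvAttrMap in Table 1-11) use the same Decode grammar, which is what you have to get right when you add a custom attribute: the bare DTO method name, the owning class, Core or Extended, the Java type, and optionally the DTO attribute name. The following is an added example written for this guide, not connector or Oracle code. It parses entries from those tables, distinguishes the connector's special handles (_UID_, _NAME_, _ENABLE_, _PASSWORD_), child-table references (UserGroup, AdminRole) and connector-computed fields (the AccountExpireHours family) from real method mappings, and reconstructs the Java accessor the connector would call. The text only says that the get/is or set prefix is omitted; choosing "is" for a boolean return type follows the JavaBean convention and is an assumption, as is the treatment of every non-';' value as computed.

```python
"""Decode the attribute-mapping lookups of Tables 1-5, 1-7, 1-10 and 1-11.

Added example, not connector code. OWNER is the PRINCIPAL_TYPE (IMS/AM) for
user maps or the API_NAME (ListTokenDTO/TokenDTO) for token maps. The is-prefix
rule for boolean getters is the JavaBean convention and an assumption.
"""
from dataclasses import dataclass
from typing import Optional

SPECIAL = {"_UID_", "_NAME_", "_ENABLE_", "_PASSWORD_"}
CHILD_LOOKUPS = {"UserGroup", "AdminRole"}
DTO_CLASSES = {  # OWNER token -> fully qualified DTO class, as listed in the text
    "IMS": "com.rsa.admin.data.PrincipalDTO",
    "AM": "com.rsa.authmgr.admin.principalmgt.data.AMPrincipalDTO",
    "ListTokenDTO": "com.rsa.admin.data.ListTokenDTO",
    "TokenDTO": "com.rsa.authmgr.admin.principalmgt.data.TokenDTO",
}


@dataclass
class AttrMapping:
    field: str                 # Code Key without the [LOOKUP]/[Date] suffix
    kind: str                  # "method", "special", "child" or "computed"
    is_lookup: bool = False
    is_date: bool = False
    method: Optional[str] = None
    dto_class: Optional[str] = None
    attribute_type: Optional[str] = None
    java_type: Optional[str] = None
    dto_attribute: Optional[str] = None


def parse_mapping(code_key, decode):
    """Parse one Code Key / Decode pair; raises ValueError on a malformed method mapping."""
    field, is_lookup, is_date = code_key, False, False
    for suffix, flag in (("[LOOKUP]", "lookup"), ("[Date]", "date")):
        if field.endswith(suffix):
            field = field[: -len(suffix)]
            is_lookup, is_date = is_lookup or flag == "lookup", is_date or flag == "date"
    if decode in SPECIAL:
        return AttrMapping(field, "special", is_lookup, is_date, method=decode)
    if decode in CHILD_LOOKUPS:
        return AttrMapping(field, "child", is_lookup, is_date, method=decode)
    if ";" not in decode:  # assumption: anything else without ';' is computed by the connector
        return AttrMapping(field, "computed", is_lookup, is_date, method=decode)
    parts = decode.split(";")
    if len(parts) not in (4, 5):
        raise ValueError(f"{code_key}: expected 4 or 5 ';'-separated fields, got {len(parts)}")
    method, owner, attr_type, java_type = parts[:4]
    if owner not in DTO_CLASSES:
        raise ValueError(f"{code_key}: unknown PRINCIPAL_TYPE/API_NAME {owner!r}")
    if attr_type not in ("Core", "Extended"):
        raise ValueError(f"{code_key}: ATTRIBUTE_TYPE must be Core or Extended, got {attr_type!r}")
    return AttrMapping(field, "method", is_lookup, is_date, method, DTO_CLASSES[owner],
                       attr_type, java_type, parts[4] if len(parts) == 5 else None)


def accessor(mapping, operation):
    """Java method the connector would call: 'recon' -> getter, 'prov' -> setter; None for non-method kinds."""
    if mapping.kind != "method":
        return None
    name = mapping.method[0].upper() + mapping.method[1:]
    if operation == "prov":
        return f"set{name}({mapping.java_type})"
    prefix = "is" if mapping.java_type == "boolean" else "get"  # JavaBean convention (assumption)
    return f"{prefix}{name}()"


def audit(rows, operation):
    """Parse a whole attribute map; return ([(field, kind, accessor-or-decode)], [errors])."""
    out, errors = [], []
    for code_key, decode in rows:
        try:
            m = parse_mapping(code_key, decode)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        out.append((m.field, m.kind, accessor(m, operation) or m.method))
    return out, errors


# Rows copied from Tables 1-5 and 1-11, plus one constructed malformed row.
USER_RECON_ROWS = [
    ("Account Expire Date[Date]", "accountExpireDate;IMS;Core;Date;EXPIRATION_DATE"),
    ("Account Expire Hours", "AccountExpireHours"),
    ("Clear Incorrect Passcodes", "clearBadPasscodes;AM;Core;boolean"),
    ("Groups~Group Name[LOOKUP]", "UserGroup"),
    ("Identity Source[LOOKUP]", "identitySourceGuid;IMS;Core;String;IDENTITY_SRC_ID"),
    ("User ID", "_NAME_"),
]
TOKEN_PROV_ROWS = [
    ("Token Lost", "tokenLost;TokenDTO;Core;boolean"),
    ("Pin", "_PASSWORD_"),
    ("User ID", "assignedUser;ListTokenDTO;Core;String;principalId"),
    ("Broken", "foo;XYZ;Core;String"),  # constructed: unknown owner, rejected by parse_mapping
]

if __name__ == "__main__":
    print(audit(USER_RECON_ROWS, "recon"))
    print(audit(TOKEN_PROV_ROWS, "prov"))
```

Run the audit against an exported lookup before you add a custom (Extended) attribute: a wrong owner, a misspelled Core/Extended value or a missing Java type is reported here instead of surfacing as a failed adapter task during the next provisioning operation.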
1.9 Roadmap for Deploying and Using the Connector
The following is the organization of information in the rest of this guide:
- Deploying the RSA Authentication Manager Connector describes procedures that you must perform on Oracle Identity Manager and the target system during each stage of connector deployment.
- Using the RSA Authentication Manager Connector describes guidelines on using the connector and the procedure to configure reconciliation runs and perform provisioning operations.
- Extending the Functionality of the RSA Authentication Manager Connector describes procedures that you can perform if you want to extend the functionality of the connector.