1 About the Generic Scripting Connector

This chapter introduces the Generic Scripting connector.

Oracle Identity Manager automates access rights management, security, and provisioning of IT resources. Oracle Identity Manager connects users to resources, and revokes and restricts unauthorized access to protect sensitive corporate information. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with external and identity-aware applications such as PeopleSoft and MySQL.

This chapter discusses the following topics that introduce the Generic Scripting connector:

1.1 Introduction to the Generic Scripting Connector

The Generic Scripting connector is a solution to integrate OIM with target systems that do not have predefined connectors.

This connector enables you to perform connector operations between OIM and your target system by providing your own scripts. The connector generates a custom connector and the required metadata (such as process forms, lookup definitions, scheduled tasks, and so on) based on the target system schema you initially define. Subsequently, the generated connector will invoke your custom scripts to perform the actual connector operations.

You can develop your custom scripts using scripting languages BeanShell, Groovy, or JavaScript. The connector guide includes a few sample scripts that you can modify to suit your requirements and perform connector operations.

The Generic Scripting connector can connect to multiple target systems using the same connector bundle. The following are some of the advantages of using a Generic Scripting connector:

  • Eliminates the need to deploy and test a predefined connector for each target system.

  • Reduces time and effort required to develop, deploy, and test custom connectors for multiple target systems in your environment.

  • Enables you to easily integrate numerous target systems with OIM that do not have predefined connectors.

  • Provides flexibility to define custom rules and business logic that can be dynamically modified at run time for complex applications.

  • Provides platform independence for the target system. This connector can be used with target systems that belong to enterprise, mobile, cloud, or social environments.

1.2 Usage Recommendation

Depending on the Oracle Identity Manager version that you are using, you must deploy and use one of the following connectors:

  • If you are using an Oracle Identity Manager release that is later than release 9.1.0.2 and earlier than Oracle Identity Manager 11g Release 1 (11.1.1.5.3), then you must use the 9.1.x version of this connector.

  • If you are using Oracle Identity Manager 11g Release 1 (11.1.1.5.3) and any later BP in this release track, Oracle Identity Manager 11g Release 2 (11.1.2.0.4) and any later BP in this release track, or Oracle Identity Manager 11g Release 2 PS3 (11.1.2.3.0) and any later BP in this release track, then you must use the latest 11.1.1.x version of this connector.

  • If you are using Microsoft SQL Server 2000 as the target system, then you must use the 9.1.x version of this connector, irrespective of the Oracle Identity Manager release you are using.

1.3 Certified Components for the Generic Scripting Connector

Table 1-1 lists the certified components for this connector.

Table 1-1 Certified Components

Item: Oracle Identity Manager or Oracle Identity Governance

Requirement: You can use one of the following releases of Oracle Identity Governance or Oracle Identity Manager:

  • Oracle Identity Governance 12c (12.2.1.4.0)

  • Oracle Identity Governance 12c (12.2.1.3.0)

  • Oracle Identity Manager 11g Release 2 PS3 (11.1.2.3.0)

  • Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0)

Item: Target System

Requirement: Any target system that can be connected through BeanShell, Groovy, or JavaScript.

The following are examples of the target system:

  • Any JDBC compliant database

  • Any resource over SOAP, HTTP, or REST that supports XML or JSON

Item: Connector Server

Requirement: 11.1.2.1.0

Item: Connector Server JDK

Requirement: JDK 1.6 or later

Item: Scripting Language

Requirement: BeanShell, Groovy, JavaScript

1.4 Certified Languages for the Generic Scripting Connector

The connector supports the languages that are supported by Oracle Identity Manager.

Resource bundles are not part of the connector installation media as the resource bundle entries vary depending on the target system being used.

1.5 Connector Architecture of the Generic Scripting Connector

The Generic Scripting connector is implemented by using the Identity Connector Framework (ICF).

Figure 1-1 shows the architecture of the connector.

Figure 1-1 Connector Architecture


The ICF is a component that provides basic reconciliation and provisioning operations that are common to all Oracle Identity Manager connectors. In addition, ICF provides common features that developers would otherwise need to implement on their own, such as connection pooling, buffering, timeouts, and filtering. The ICF is shipped along with Oracle Identity Manager.

The Generic Scripting connector is not shipped with any metadata because it is a connector for a target system that is not known in advance. Depending on the schema of your target system, the connector artifacts are generated during connector deployment.

The following is a high-level description of the stages into which the connector deployment and usage procedure is divided:

  • Generating the connector

    Understanding the schema of your target system is one of the most important aspects of generating the connector. You must create a schema file describing the attributes of your target system so that the connector understands your target system. The Generic Scripting connector includes a Groovy file in which you can specify information about your target system. This information is used by the metadata generator, one of the deployment utilities shipped with the connector, to generate the connector based on the target system schema.

    In other words, when you run the metadata generator on the Groovy file, the connector package is generated. This package contains an XML file with definitions for connector components such as adapters, process tasks, scheduled tasks, lookup definitions, and the IT resource. Connector operations such as provisioning and reconciliation are performed using these connector components.

  • Installing and configuring the connector

    In this stage, you install the generated connector by running the connector installer and then perform configuration tasks such as configuring the IT resource, enabling logging, and so on.

  • Using the connector

    In this stage, you start using the connector to perform connector operations such as reconciliation and provisioning.

1.6 Common Use Cases Supported by the Connector

The Generic Scripting connector can be used with any target system (including custom, home-grown applications) that can be connected with OIM using BeanShell, Groovy, or JavaScript scripting languages.

This section discusses some of the scenarios in which the Generic Scripting connector can be used:

  • Integrating SOAP-based target systems

    An organization using a SOAP-based target system wants to integrate with OIM to manage identities. The organization wants to quickly manage its user identities by creating user identities in the target system using OIM and synchronizing user identity changes performed directly in the target system with OIM. In such a scenario, a quick and easy way is to install the Generic Scripting connector, define the schema file, generate OIM metadata, and then write SOAP-based scripts for performing reconciliation and provisioning operations. The connector is ready for use after it is configured with the target system (by providing connection information in the IT resource).

    To create a new user identity in the target system, you must submit the required details in the OIM process form, which triggers a provisioning operation. The connector will execute the corresponding create script against the target system and the user identity will be created on successful execution. Similarly, provisioning operations such as delete and update can be performed.

    To search or retrieve the user identities, you must run a scheduled task from OIM. The connector will run the corresponding search or sync script against the user identities in the target system and fetch all the changes to OIM.

  • Integrating heterogeneous target systems

    Suppose a web-based product of your organization uses a REST service for customer database updates from clients and a SOAP-based API for backend accounting updates between mainframe servers. Now suppose you need to integrate the REST-based and SOAP-based target systems (for customer database updates and accounting updates, respectively) with OIM. One approach would be to deploy and use the predefined Webservices connector for the SOAP-based target system, and develop a custom connector for the REST-based target system. The drawbacks of this approach are as follows:

    • Increased time and effort to develop, deploy, and test the custom connector for the REST-based target system.

    • Deploying and testing the Webservices connector.

    • Administering and maintaining two connectors for both systems.

    An alternative to this approach is to use a single Generic Scripting connector to interface with both the REST-based and SOAP-based systems, instead of deploying the Webservices connector for one system and also developing and testing a custom connector for the other. This enables you to manage both target systems using a single connector.

  • Integrating JDBC-based target systems

    Suppose you have multiple databases from different vendors in your organization. For example, you use Oracle Database to store customer and order information and use MS SQL Server to store employee information. Now suppose you must synchronize the information in both databases with Oracle Identity Manager. One approach would be to deploy and use the Database Application Tables connector for Oracle Database and MS SQL Server. The drawback of this approach is that you must install one connector for each database. An alternative to this approach is to use a single Generic Scripting connector to integrate both databases.

  • Integrating cloud-based applications

    A single Generic Scripting connector can be used to integrate one or more cloud-based applications with Oracle Identity Manager. As an alternative to developing, testing, and deploying a custom connector for each cloud-based application, you can use the Generic Scripting connector if your cloud-based applications expose APIs that can be called using any of the certified scripting languages.

1.7 Features of the Connector

The following are the features of the connector:

1.7.1 Support for Both Trusted Source and Target Resource Reconciliation

The Generic Scripting connector includes a Groovy file that enables you to configure the connector to run either in trusted source mode or in target resource mode.

See Configuring the ScriptConfiguration.groovy File for more information about configuring the connector for the trusted source and target resource modes.

1.7.2 Full and Incremental Reconciliation

After you create the connector, you can perform full reconciliation to bring all existing user data from the target system to Oracle Identity Manager.

After the first full reconciliation run, you can configure your connector for incremental reconciliation. In incremental reconciliation, only records that are added or modified after the last reconciliation run are fetched into Oracle Identity Manager.

You can perform a full reconciliation run at any time. See Full Reconciliation and Incremental Reconciliation for more information about performing full and incremental reconciliation.

1.7.3 Limited (Filtered) Reconciliation

You can set a reconciliation filter as the value of the Filter attribute of the scheduled jobs.

This filter specifies the subset of newly added and modified target system records that must be reconciled. This connector does not support complex filters.

See Limited (Filtered) Reconciliation for more information about performing limited reconciliation.

1.7.4 Support for Reconciliation of Deleted Records

Apart from the scheduled jobs for user records reconciliation, there are independent scheduled jobs for reconciliation of deleted user records.

In target resource mode, if a record is deleted on the target system, then the corresponding target system resource is revoked from the OIM User. In trusted source mode, if a record is deleted on the target system, then the corresponding OIM User is deleted.

See Scheduled Jobs for Reconciliation of Deleted Users Records for more information about the scheduled jobs used for reconciling deleted user records.
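The search and sync scripts mentioned in the SOAP use case, together with the full, incremental, filtered, and deleted-record reconciliation described in Sections 1.7.2 through 1.7.4, all reduce to the same small set of decisions a custom script has to make: which target records to return, how to narrow them with a simple filter, how to use a sync token so that only changed records are fetched, and which records OIM holds that the target no longer returns. The following JavaScript is an added example, not code from the connector guide or from Oracle. This chapter does not describe the connector's actual script bindings (how the scheduled job hands the filter and sync token to a script, or how results are returned), so the function signatures, the `modified` timestamp attribute, and the sample records are assumptions; the records are constructed for the example.

```javascript
// Added example (not part of the Oracle connector guide): the decision logic
// of a search / sync / delete-reconciliation script for a scripted connector.
// Function signatures and the "modified" attribute are assumptions; the real
// connector's script bindings are not described in this chapter.

// Constructed sample of target-system user records. "modified" is an
// epoch-millisecond timestamp that the target system updates on each change.
const TARGET_RECORDS = [
  { uid: "u1001", login: "amartin", dept: "finance", status: "active",   modified: 1700000000000 },
  { uid: "u1002", login: "bchen",   dept: "hr",      status: "active",   modified: 1700000400000 },
  { uid: "u1003", login: "cdiaz",   dept: "finance", status: "disabled", modified: 1700000900000 },
  { uid: "u1004", login: "dkumar",  dept: "it",      status: "active",   modified: 1700001300000 },
];

// Parse a simple filter of the form "attribute=value". The chapter states
// that the connector does not support complex filters, so a filter with
// AND/OR, parentheses, or a missing "=" is rejected instead of guessed at.
// An empty or missing filter means "no filter" (reconcile everything).
function parseSimpleFilter(filter) {
  if (filter === undefined || filter === null || filter.trim() === "") return null;
  const m = /^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*([^=&|()]+?)\s*$/.exec(filter);
  if (!m) throw new Error("unsupported filter (only attribute=value is allowed): " + filter);
  return { attribute: m[1], value: m[2] };
}

// Full reconciliation: return every record, narrowed by the simple filter
// when one is set. The attribute is compared as a string so that numeric
// and string target attributes behave the same way.
function searchScript(records, filter) {
  const f = parseSimpleFilter(filter);
  return records.filter((r) => f === null || String(r[f.attribute]) === f.value);
}

// Incremental reconciliation: only records changed strictly after the last
// sync token. Returns the records and the new token the scheduled job should
// persist; when nothing changed the old token is returned unchanged.
function syncScript(records, lastToken, filter) {
  const changed = searchScript(records, filter).filter((r) => r.modified > lastToken);
  const newToken = changed.reduce((t, r) => Math.max(t, r.modified), lastToken);
  return { records: changed, token: newToken };
}

// Delete reconciliation: uids that OIM holds but the target no longer
// returns. In target resource mode these become resource revocations; in
// trusted source mode they become OIM User deletions. The script itself
// only reports the uids; OIM applies the mode-specific action.
function deletedRecords(targetUids, oimUids) {
  const present = new Set(targetUids);
  return oimUids.filter((uid) => !present.has(uid));
}

// Stand-alone demonstration on the constructed records.
console.log(searchScript(TARGET_RECORDS, "dept=finance").map((r) => r.uid));
console.log(syncScript(TARGET_RECORDS, 1700000400000, null));
console.log(deletedRecords(TARGET_RECORDS.map((r) => r.uid), ["u1001", "u1002", "u0999"]));
```

Two design points carry over to a real script regardless of the scripting language: the sync token returned by an incremental run must be the largest change timestamp actually seen, not the current clock, or records written between the query and the clock read are silently skipped on the next run; and a filter the script cannot parse should fail the job rather than fall back to an unfiltered run, because an unfiltered trusted-source run can create or delete far more OIM Users than the administrator intended.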

1.8 Roadmap for Generating and Using the Connector

The following is the organization of information in the rest of this guide: