You can use the connector for performing reconciliation and provisioning operations after configuring it to meet your requirements.
This chapter contains the following topics related to using the Oracle Identity Cloud Service connector:
Note:
These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.Scheduled jobs for lookup field synchronization fetch the most recent values from specific fields in the target system to lookup definitions in Oracle Identity Manager. These lookup definitions are used as an input source for lookup fields in Oracle Identity Manager.
The following scheduled jobs are used for lookup fields synchronization:
IDCS Groups Lookup Reconciliation
IDCS Managers Lookup Reconciliation
You must specify values for the attributes of these scheduled jobs. Table 3-1 describes the attributes of the scheduled job for lookup field synchronization.
Table 3-1 Attributes of the Scheduled Job for Lookup Field Synchronization
Attribute | Description |
---|---|
Code Key Attribute |
Name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). Default value: Note: Do not change the value of this attribute. |
Decode Attribute |
Name of the connector or target system attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute). Default value: Note: Do not change the value of this attribute. |
IT Resource Name |
Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Default value: |
Lookup Name |
Enter the name of the lookup definition in Oracle Identity Manager that must be populated with values fetched from the target system. Depending on the scheduled job that you are using, the default values are as follows:
|
Object Type |
Enter the type of object you want to reconcile. Depending on the scheduled job that you are using, the default values are as follows:
|
You can configure the connector to specify the type of reconciliation and its schedule.
This section discusses the following topics related to configuring reconciliation:
Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager.
After you deploy the connector, you must first perform full reconciliation. In addition, you can switch from incremental reconciliation to full reconciliation whenever you want to ensure that all target system records are reconciled in Oracle Identity Manager.
To perform a full reconciliation run, ensure that no values are specified for the Latest Token and Filter attributes of the scheduled jobs for reconciling user records.
At the end of the reconciliation run, the Latest Token attribute of the scheduled job for user record reconciliation is automatically set to the time stamp at which the run ended. From the next reconciliation run onward, only records created or modified after this time stamp are considered for reconciliation. This is incremental reconciliation.
Note:
Incremental reconciliation reflects changes or modifications made in the target system when a change or modification is made in the incremental reconciliation attribute. For example, during user reconciliation, changes like updates to all the fields on the Authentication Settings page (including radius profiles) and group updates will not be reconciled as a part of incremental reconciliation, and a full reconciliation has to be performed in order to reconcile these changes into Oracle Identity Manager.This topic discusses the Batch Size, Batch Start, and Number of Batches attributes of the scheduled jobs for target resource reconciliation.
By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete.
You can configure batched reconciliation to avoid such problems.
Batch Start is an attribute that can be used to configure batched reconciliation. This attribute is used to specify the record number from which batched reconciliation must begin.
Set the value of this attribute to 0 to begin reconciliation from the first record in the target system. Similarly, set the value of this attribute to 1 to begin reconciliation from the second record in the target system and so on.
Note:
See Reconciliation Scheduled Jobs for Oracle Identity Cloud Service Connector for more information about the IDCS User Target Recociliation and IDCS Group Target Recociliation scheduled jobs.Limited or filtered reconciliation is the process of limiting the number of records being reconciled based on a set filter criteria.
By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by creating filters for the reconciliation module.
Note:
If you are using filters in reconciliation as described in this section, be consistent and always use the same filters for delete and normal reconciliation. By using the same filters, you will maintain consistency of the data and will ensure that you work with the same user base in all reconciliation operations.
You can perform limited reconciliation by creating filters for the reconciliation module. This connector provides a Filter attribute (a scheduled task attribute) that allows you to use Oracle Identity Cloud Service resource attributes to filter the target system records.
See ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for detailed information about ICF Filters.
When you run the Connector Installer, reconciliation scheduled jobs are automatically created in Oracle Identity Manager. You must configure these scheduled jobs to suit your requirements by specifying values for its attributes.
This section discusses the following scheduled jobs that you can configure for reconciliation:
Note:
Attribute values are predefined in the connector XML file that you import. Specify values only for attributes that you want to change.You use the IDCS User Reconciliation scheduled job to reconcile user account data from the target system.
Table 3-2 describes the attributes of this scheduled job.
Table 3-2 Attributes of the IDCS User Reconciliation Scheduled Job
Attribute | Description |
---|---|
Filter |
Enter the search filter for fetching records from the target system during a reconciliation run. See Performing Full Reconciliation for more information about filtered reconciliation. |
Incremental Recon Attribute |
Attribute that holds the date on which the token record was modified. Default value: Note: Do not change the value of this attribute. |
IT Resource Name |
Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Default value: |
Latest Token |
This attribute holds the value of the target system attribute that is specified as the value of the Incremental Recon Attribute attribute. The Latest Token attribute is used for internal purposes. By default, this value is empty. Note: Do not enter a value for this attribute. The reconciliation engine automatically enters a value in this attribute.Sample value: |
Object Type |
This attribute holds the name of the object type for the reconciliation run. Default value: Note: User is the only object that is supported. Therefore, do not change the value of this attribute. |
Resource Object Name |
This attribute holds the name of the resource object used for reconciliation. Default value: Do not change the value of this attribute. |
You use the IDCS Delete User Reconciliation scheduled job to reconcile deleted user account data from the target system.
Table 3-3 describes the attributes of this scheduled job.
Table 3-3 Attributes of the IDCS Delete User Reconciliation Scheduled Job
Attribute | Description |
---|---|
IT Resource Name |
Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Default value: |
Object Type |
This attribute holds the name of the object type for the reconciliation run. Default value: Note: User is the only object that is supported. Therefore, do not change the value of this attribute. |
Resource Object Name |
This attribute holds the name of the resource object used for reconciliation. Default value: |
You use the IDCS Group Reconciliation scheduled job to reconcile group data from the target system.
Table 3-4 describes the attributes of this scheduled job.
Table 3-4 Attributes of the Group Reconciliation Scheduled Job
Attribute | Description |
---|---|
Filter |
Enter the search filter for fetching records from the target system during a reconciliation run. See Performing Full Reconciliation for more information about filtered reconciliation. |
Incremental Recon Attribute |
Attribute that holds the date on which the token record was modified. Default value: Note: Do not change the value of this attribute. |
IT Resource Name |
Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Default value: |
Latest Token |
This attribute holds the value of the attribute that is specified as the value of the Incremental Recon Attribute. The Latest Token attribute is used for internal purposes. By default, this value is empty. Note: Do not enter a value for this attribute. The reconciliation engine automatically enters a value in this attribute.Sample value: |
Object Type |
This attribute holds the name of the object type for the reconciliation run. Default value: Note: Group is the only object that is supported. Therefore, do not change the value of this attribute. |
OIM Organization Name |
Name of the organization that is used for reconciliation. |
Resource Object Name |
This attribute holds the name of the resource object used for reconciliation. Default value: |
You use the IDCS Delete Group Reconciliation scheduled job to reconcile deleted group data from the target system.
Table 3-5 describes the attributes of this scheduled job.
Table 3-5 Attributes of the Delete Group Reconciliation Scheduled Job
Attribute | Description |
---|---|
IT Resource Name |
Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Default value: |
Object Type |
This attribute holds the name of the object type for the reconciliation run. Default value: Note: User is the only object that is supported. Therefore, do not change the value of this attribute. |
OIM Organization Name |
Name of the organization that is used for delete reconciliation. |
Resource Object Name |
This attribute holds the name of the resource object used for reconciliation. Default value: |
Configure scheduled jobs to perform reconciliation runs that check for new information on your target system periodically and replicates the data in Oracle Identity Manager.
You can apply this procedure to configure the scheduled jobs for lookup field synchronization and reconciliation.
To configure a scheduled job:
You create a new user in Oracle Identity Self Service by using the Create User page. You provision or request for accounts on the Accounts tab of the User Details page.
To perform provisioning operations in Oracle Identity Manager:
Log in to Oracle Identity Administrative and User console.
Create a user as follows:
In Identity Self Service, click Manage. The Home tab displays the different Manage option. Click Users. The Manage Users page is displayed.
From the Actions menu, select Create. Alternatively, you can click Create on the toolbar. The Create User page is displayed with input fields for user profile attributes.
Enter details of the user in the Create User page.
On the Account tab, click Request Accounts.
In the Catalog page, search for and add to cart the application instance created in Step 3, and then click Checkout.
Specify value for fields in the application form.
Specify value for fields in the application form and then click Ready to Submit.
Click Submit.
If you want to provision entitlements, then:
On the Entitlements tab, click Request Entitlements.
In the Catalog page, search for and add to cart the entitlement, and then click Checkout.
Click Submit.
Uninstalling the connector deletes all the account related data associated with resource objects of the connector.
If you want to uninstall the connector for any reason, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager