1 About the Generic SCIM Connector

The Oracle Identity Manager Connector for Generic SCIM (Generic SCIM connector) integrates Oracle Identity Manager with SCIM-based target systems.

Oracle Identity Manager is a centralized identity management solution that provides self service, compliance, provisioning and password management services for applications residing on-premise or on the Cloud. Oracle Identity Manager connects users to resources, and revokes and restricts unauthorized access to protect sensitive corporate information. Oracle Identity Manager connectors are used to integrate Oracle Identity Manager with external and identity-aware applications such as PeopleSoft and MySQL.

The following topics introduce the Generic SCIM connector:

1.1 Introduction to the Generic SCIM Connector

The Generic SCIM connector is a solution to integrate Oracle Identity Manager with SCIM-based identity-aware applications. A SCIM-based identity-aware application is any application that exposes its SCIM APIs or interfaces for identity management.

Note:

In this guide:
  • A SCIM-based identity-aware application has been referred to as the target system or SCIM-based target system.

  • RELEASE_NUMBER has been used as a placeholder for the current release number of the connector. Therefore, replace all instances of RELEASE_NUMBER with the release number of the connector. For example, 11.1.1.

  • The Oracle Identity Manager Connector for Generic SCIM has been referred to as the Generic SCIM connector.

The Generic SCIM connector provides a centralized system to streamline delivery of services and assets to your company’s consumers, and manage those services and assets in a simple, secure, and cost efficient manner by using automation. The Generic SCIM connector standardizes service processes and implements automation to replace manual tasks.

To connect with a SCIM-based target system, the Generic SCIM connector supports the HTTP Basic Authentication and OAuth 2.0 authentication mechanisms. The connector also supports authenticating to the target system with an access token and a refresh token that the user supplies as input. This mechanism is useful if your target system does not provide a programmatic way to obtain access or refresh tokens.

The connector supports the following OAuth 2.0 grant types:
  • JWT

  • Client Credentials

  • Resource Owner Password

If your target system does not support any of the authentication types supported by this connector, then you can implement the custom authentication that your target system supports. You can connect this custom implementation to the connector by using the plug-ins exposed by this connector.

The Generic SCIM connector synchronizes data between Oracle Identity Manager and SCIM-based target systems by performing reconciliation and provisioning operations that parse data in the JSON format. If your target system does not support request or response payload in JSON format, then you can create your own implementation for parsing data. You can connect this custom implementation to the connector by using the plug-ins exposed by this connector.

The Generic SCIM connector is a connector for a discovered target system. This is because the schema of the SCIM-based target system with which the connector integrates is not known in advance. The Generic SCIM connector is not shipped with any artifacts. Instead, it is shipped with a set of deployment utilities that help in discovering the schema of the SCIM-based target system and generating the artifacts.

1.2 Certified Components for Generic SCIM Connector

These are the software components and their versions required for integrating Oracle Identity Manager with a Generic SCIM connector.

Table 1-1 lists the certified components for this connector:

Table 1-1 Certified Components

Item: Requirement

Oracle Identity Manager: one of the following releases

  • Oracle Identity Governance 12c (12.2.1.4.0)

  • Oracle Identity Governance 12c (12.2.1.3.0)

  • Oracle Identity Manager 11g Release 2 PS3 (11.1.2.3.0)

  • Oracle Identity Manager 11g Release 2 PS2 (11.1.2.2.0)

Target System: any target system that supports SCIM-based services.

Connector Server: one of the following releases

  • 11.1.2.1.0

  • 12.2.1.3.0

Connector Server JDK: JDK 1.6 or later

1.3 Certified Languages for the Generic SCIM Connector

These are the languages that the connector supports.

  • Arabic

  • Chinese (Simplified)

  • Chinese (Traditional)

  • Czech

  • Danish

  • Dutch

  • English (US)

  • Finnish

  • French

  • French (Canadian)

  • German

  • Greek

  • Hebrew

  • Hungarian

  • Italian

  • Japanese

  • Korean

  • Norwegian

  • Polish

  • Portuguese

  • Portuguese (Brazilian)

  • Romanian

  • Russian

  • Slovak

  • Spanish

  • Swedish

  • Thai

  • Turkish

1.4 Architecture of the Generic SCIM Connector

The Generic SCIM connector is implemented using the Identity Connector Framework (ICF).

The ICF is a component that provides basic reconciliation and provisioning operations that are common to all Oracle Identity Manager connectors. In addition, ICF provides common features that developers would otherwise need to implement on their own, such as connection pooling, buffering, timeouts, and filtering. The ICF is shipped along with Oracle Identity Manager.

Figure 1-1 Generic SCIM Connector Architecture


The Generic SCIM connector is not shipped with any metadata because it is a connector for a target system that is not known in advance. The connector artifacts are generated during connector deployment, based on the schema of your target system.

The following is a high-level description of the stages into which the connector deployment and usage procedure is divided:

  • Generating the Connector

    The Generic SCIM connector includes a groovy file in which you can specify information about your target system. This information is used by the metadata generator, one of the deployment utilities shipped with the connector, to generate the connector based on the target system schema.

    When you run the metadata generator on the groovy file, the connector package is generated. This package contains an XML file that contains definitions for connector components such as adapters, process tasks, scheduled tasks, lookup definitions, and IT resource. Connector operations such as provisioning and reconciliation are performed using these connector components. Along with the XML file, a schema file is included.

  • Installing and configuring the connector

    In this stage, you install the generated connector by running the connector installer and then perform configuration tasks such as configuring the IT resource, enabling logging and so on.

  • Using the Connector

    In this stage, you start using the connector to perform connector operations such as reconciliation and provisioning.

1.5 Use Cases Supported by the Generic SCIM Connector

The Generic SCIM connector can be used to integrate Oracle Identity Manager with any target system that supports SCIM services. This connector can be used to load identity data into Oracle Identity Manager from a SCIM service and then efficiently manage identities in an integrated cycle with the rest of the identity-aware applications in your enterprise.

Oracle Identity Manager Connector for Generic SCIM, with a few simple configurations, provides a reusable framework that helps in integrating most SCIM-based target systems.

As a business use case example, consider a leading logistics company that has 100+ cloud applications. Most of these cloud applications are now inefficient because data in these applications is entered manually and managed using spreadsheets or custom-coded process flows. Therefore, this company wants to integrate its cloud applications with Oracle Identity Manager to streamline its operations, increase its organizational efficiency, and at the same time, lower its operational costs. There are two approaches for integrating these cloud applications with Oracle Identity Manager. One approach would be to deploy a point-to-point connector for each of these applications. The drawbacks of this approach are as follows:
  • Increased time and effort to identify and deploy a point-to-point connector for each application.

  • Increased administration and maintenance overheads for managing connectors for each application.

  • Unavailability of point-to-point connectors for all applications. In such a scenario, one needs to develop custom connectors, which increases the time and effort to develop, deploy, and test each custom connector.

An alternative to this approach is to use the Generic SCIM connector to integrate all the cloud applications with Oracle Identity Manager. The Generic SCIM connector provides the ability to manage accounts across all cloud applications without spending additional resources and time on building custom connectors for each cloud application.

The Generic SCIM connector is a hybrid approach that helps enterprises leverage an on-premise Oracle Identity Manager deployment to integrate with target systems for identity governance. These target systems include any application that exposes SCIM APIs, such as SaaS, PaaS, and home-grown applications.

The following are some example scenarios in which the Generic SCIM connector is used:

  • User Management

    The Generic SCIM Connector manages individuals who can access a cloud service by defining them as users in the system and assigning them to groups. This connector allows new users to self-provision on a Generic SCIM cloud service while IT retains control. Users can request and provision from a catalog of cloud-based resources that is established by Oracle Identity Manager administrators. For example, to create a new user in the target system, fill in and submit the Oracle Identity Manager process form to trigger the provisioning operation. The connector executes the create operation against your target system, and the user is created on successful execution of the operation. Similarly, operations such as delete and update can be performed.

  • Entitlement Management

    The Generic SCIM Connector manages cloud service objects (if exposed by the target system) as entitlements. Depending on the target system being used, this connector can be used to manage entitlements such as Groups, Roles, Licenses, Folders, Collaboration and so on. For example, you can use the Generic SCIM connector to automatically assign groups to or revoke groups from users based on predefined access policies in Oracle Identity Manager. Similarly, you can use the Generic SCIM Connector to manage role memberships that provide selective access to certain cloud service functionality or groups. Therefore, as new users are added to a specific role, they automatically gain the corresponding access in the applications. As an administrator, you can also use this connector to efficiently manage user licenses for all the available resources. By leveraging the auditing and reporting tools of Oracle Identity Manager, you can automate license allocation whenever a new account is created. In addition, license assignments and usage can be monitored as organization needs change, and unused licenses can be tracked for potential recycling.

1.6 Features of the Generic SCIM Connector

The features of the connector include support for full and incremental reconciliation, limited reconciliation, custom authentication, custom parsing, custom payload, handling multiple endpoint URLs, and SSL communication.

1.6.1 Support for Both Trusted Source and Target Resource Reconciliation

The Generic SCIM connector includes a groovy file (a part of the metadata generator) that enables you to configure the connector to run either in the trusted source mode or target resource mode.

See Configuring the GenericScimConfiguration.groovy File.

1.6.2 Full and Incremental Reconciliation

After you create the connector, you can perform full reconciliation to bring all existing user data from the target system to Oracle Identity Manager. After the first full reconciliation run, you can configure your connector for incremental reconciliation. In incremental reconciliation, only records that are added or modified after the last reconciliation run are fetched into Oracle Identity Manager.

Note:

The connector supports incremental reconciliation if the target system contains an attribute that holds the timestamp at which an object is created or modified. See Full Reconciliation and Incremental Reconciliation.

You can perform a full reconciliation run at any time.

1.6.3 Limited (Filtered) Reconciliation

You can reconcile records from the target system based on a specified filter criterion. To limit or filter the records that are fetched into Oracle Identity Manager during a reconciliation run, you can specify the subset of added or modified target system records that must be reconciled.

You set the reconciliation filter as the value of the Filter attribute of the scheduled jobs. See Limited Reconciliation for Generic SCIM Connector.
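As an added example (not code from the connector, this guide, or Oracle) of how the timestamp attribute from the previous section and the Filter attribute from this one narrow a run, the Python below evaluates RFC 7644 filter terms against a constructed /Users response. It assumes meta.lastModified is the target's timestamp attribute and that timestamps are RFC 3339 UTC strings, which compare correctly as text.

```python
import json
import re

# Constructed SCIM /Users response (not from any target or this guide); meta.lastModified
# plays the role of the timestamp attribute that incremental reconciliation requires.
SAMPLE_USERS = json.loads("""{"Resources": [
 {"id": "1", "userName": "bjensen", "active": true, "meta": {"lastModified": "2024-03-01T10:00:00Z"}},
 {"id": "2", "userName": "jsmith", "active": false, "meta": {"lastModified": "2024-03-05T09:30:00Z"}},
 {"id": "3", "userName": "alee", "active": true, "meta": {"lastModified": "2024-03-06T12:00:00Z"}}]}""")

# One RFC 7644 filter term: attribute path, operator, then a quoted string or a bare JSON literal.
_TERM = re.compile(r'^([\w.]+)\s+(eq|ne|co|sw|ew|gt|ge|lt|le|pr)(?:\s+"([^"]*)"|\s+(\S+))?$')

def _lookup(resource, path):
    """Resolve a dotted attribute path such as meta.lastModified; None if absent."""
    for part in path.split("."):
        resource = resource.get(part) if isinstance(resource, dict) else None
    return resource

def _term(resource, expr):
    m = _TERM.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported SCIM filter term: {expr!r}")
    attr, op, quoted, bare = m.groups()
    actual = _lookup(resource, attr)
    if op == "pr":                                  # presence test takes no value
        return actual is not None
    if quoted is None and bare is None:
        raise ValueError(f"operator {op} needs a value: {expr!r}")
    want = quoted if quoted is not None else json.loads(bare)   # true, false, numbers
    if actual is None:
        return False
    # RFC 3339 UTC timestamps compare correctly as strings, so gt/lt work on them as well.
    return {"eq": actual == want, "ne": actual != want, "co": str(want) in str(actual),
            "sw": str(actual).startswith(str(want)), "ew": str(actual).endswith(str(want)),
            "gt": actual > want, "ge": actual >= want, "lt": actual < want, "le": actual <= want}[op]

def matches(resource, scim_filter):
    """Flat filter evaluator: 'and' binds tighter than 'or'; no parentheses, 'not', or quoted and/or."""
    return any(all(_term(resource, t) for t in re.split(r"\s+and\s+", clause))
               for clause in re.split(r"\s+or\s+", scim_filter))

def reconcile(response, last_run=None, user_filter=None, ts_attr="meta.lastModified"):
    """Records a run would fetch: every record for a full run (last_run None), only those
    modified after last_run otherwise, then narrowed by the scheduled job's Filter value."""
    since = f'{ts_attr} gt "{last_run}"' if last_run else None
    return [r for r in response["Resources"]
            if (not since or matches(r, since)) and (not user_filter or matches(r, user_filter))]
```

A filter that never narrows (for example one on an attribute the target does not return) yields an empty incremental run, so checking the Filter value against a known record is a cheap sanity test before scheduling the job.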

1.6.4 Custom Authentication

By default, the Generic SCIM connector supports HTTP Basic Authentication and OAuth 2.0 authentication mechanisms. The connector also supports an authentication mechanism in which the user provides access token and refresh tokens as an input. The supported grant types for OAuth 2.0 authentication mechanism are JWT, Client Credentials, and Resource Owner Password.

If your target system uses an authentication mechanism that is not supported by the connector, then you can write your own implementation for custom authentication by using the plug-ins exposed by this connector. See Implementing Custom Authentication.

1.6.5 Custom Parsing

By default, the Generic SCIM connector supports request and response payloads only in the JSON format. If your target system does not support request or response payload in JSON format, then you can implement a custom parsing logic by using plug-ins exposed by this connector.

See Implementing Custom Parsing.

1.6.6 Custom Payload

The Generic SCIM connector provides support for handling custom formats for any attributes in the payload that do not adhere to the standard JSON format. This can be achieved by specifying a value for the customPayload IT resource parameter.

1.6.7 Support for Additional HTTP Headers

If your target system requires additional or custom HTTP headers in any SCIM call, then you can insert these HTTP headers as the value of the customAuthHeaders or customAuthHeaders IT resource parameters. See Additional Configuration Parameters.

1.6.8 Support for Handling Multiple Endpoint URLs

The Generic SCIM connector allows you to handle attributes of an object class (for example, a User object class) that can be managed only through endpoints other than the base endpoint URL of the object class. For example, in certain target systems, there are attributes of the User object class that can be managed using the base endpoint URL. However, some attributes (for example, email alias) can be managed only through a different endpoint URL. The connector provides support for handling all endpoint URLs associated with an object class.

This can be achieved by providing endpoint URL details of such attributes in the relURIs IT resource parameter.

1.6.9 SSL Communication

You can configure SSL communication between Oracle Identity Manager and the SCIM-based target system.

See Configuring SSL for the Generic SCIM Connector for information about configuring secure communication.

1.7 Roadmap for Generating and Using the Connector

This is the organization of information available in this guide for deploying and using the connector.

The rest of this guide is divided into the following chapters: