4 Using the Generic SCIM Connector

You can use the connector for performing reconciliation and provisioning operations after configuring it to meet your requirements.

This section discusses the following topics:

  • Lookup Definitions Used During Connector Operations

  • Configuring Reconciliation

  • Scheduled Jobs

  • Performing Provisioning Operations

  • Uninstalling the Connector

Note:

These sections provide both conceptual and procedural information about configuring the connector. It is recommended that you read the conceptual information before you perform the procedures.

4.1 Lookup Definitions Used During Connector Operations

Lookup definitions used during reconciliation and provisioning are either preconfigured or can be synchronized with the target system.

The following categories of lookup definitions are discussed in this section:

  • Predefined Lookup Definitions

  • Lookup Definitions Synchronized with the Target System

4.1.1 Predefined Lookup Definitions

Predefined lookup definitions are created in Oracle Identity Manager when you deploy the connector. These lookup definitions are either prepopulated with values, or values must be entered in them manually after the connector is deployed.

The predefined lookup definitions are as follows:

  • Lookup.RESOURCE.Configuration

  • Lookup.RESOURCE.UM.Configuration

  • Lookup.RESOURCE.UM.ReconAttrMap

  • Lookup.RESOURCE.UM.ProvAttrMap

  • Lookup.RESOURCE.UM.ReconAttrMap.Defaults

Note:

RESOURCE has been used as placeholder text for the IT resource name. Therefore, replace all instances of RESOURCE in this guide with the value that you specified for the itResourceName entry in the GenericScimConfiguration.groovy file. See Understanding Entries in the Predefined Sections of the Groovy File for more information about entries in the GenericScimConfiguration.groovy file.

4.1.1.1 Lookup.RESOURCE.Configuration

The Lookup.RESOURCE.Configuration lookup definition holds connector configuration entries that are used during reconciliation (both trusted source and target resource) and provisioning operations.

Table 4-1 lists the entries in this lookup definition.

Table 4-1 Entries in the Lookup.RESOURCE.Configuration Lookup Definition

  • Code Key: Bundle Name
    Decode: org.identityconnectors.genericscim
    Description: This entry holds the name of the connector bundle class. Do not modify this entry.

  • Code Key: Bundle Version
    Decode: 1.0.1115
    Description: This entry holds the version of the connector bundle class. Do not modify this entry.

  • Code Key: Connector Name
    Decode: org.identityconnectors.genericscim.GenericSCIMConnector
    Description: This entry holds the name of the connector class. Do not modify this entry.

  • Code Key: User Configuration Lookup
    Decode: Lookup.RESOURCE.UM.Configuration
    Description: This entry holds the name of the lookup definition that contains configuration information specific to the user object type. See Lookup.RESOURCE.UM.Configuration for more information about this lookup definition.

4.1.1.2 Lookup.RESOURCE.UM.Configuration

The Lookup.RESOURCE.UM.Configuration lookup definition contains entries specific to the user object type. This lookup definition is preconfigured.

Table 4-2 lists the default entries in this lookup definition when you have configured your target system as a target resource.

Table 4-2 Entries in the Lookup.RESOURCE.UM.Configuration Lookup Definition for a Target Resource Configuration

  • Code Key: Provisioning Attribute Map
    Decode: Lookup.RESOURCE.UM.ProvAttrMap

  • Code Key: Recon Attribute Map
    Decode: Lookup.RESOURCE.UM.ReconAttrMap

Table 4-3 lists the default entries in this lookup definition when you have configured your target system as a trusted source.

Table 4-3 Entries in the Lookup.RESOURCE.UM.Configuration Lookup Definition for a Trusted Source Configuration

  • Code Key: Recon Attribute Map
    Decode: Lookup.RESOURCE.UM.ReconAttrMap

  • Code Key: Recon Attribute Defaults
    Decode: Lookup.RESOURCE.UM.ReconAttrMap.Defaults

4.1.1.3 Lookup.RESOURCE.UM.ReconAttrMap

The Lookup.RESOURCE.UM.ReconAttrMap lookup definition holds mappings between resource object fields and target system attributes.

Depending on whether you have configured your connector for the target resource mode or trusted source mode, this lookup definition is used during target resource or trusted source user reconciliation runs, respectively.

If you have configured the connector for target resource mode:

The following is the format of the Code Key and Decode values in this lookup definition:

For single-valued attributes:

  • Code Key: Reconciliation attribute of the resource object against which target resource user reconciliation runs must be performed

  • Decode: Corresponding target system attribute name

For multivalued attributes:

  • Code Key: RO_ATTR_NAME~ATTR_NAME[LOOKUP]

    In this format:

    • RO_ATTR_NAME specifies the reconciliation field for the child table.

    • ATTR_NAME is the name of the multivalued attribute.

    • [LOOKUP] is a keyword that is appended to the code key value if the child data is picked from a lookup or declared as an entitlement.

  • Decode: Combination of the following elements separated by the tilde (~) character:

    EMBED_OBJ_NAME~RELATION_TABLE_NAME~ATTR_NAME

    In this format:

    • EMBED_OBJ_NAME is the name of the object (for example, an account's address) on the target system that is embedded in another object.

    • RELATION_TABLE_NAME is the name of child table in the target system.

    • ATTR_NAME is the name of the column in the child table corresponding to the multivalued attribute in the Code Key column.

If you have configured your connector for trusted source mode:

The following is the format of the Code Key and Decode values in this lookup definition:

  • Code Key: Reconciliation attribute of the resource object against which trusted source user reconciliation runs must be performed

  • Decode: Corresponding target system attribute name

The entries in this lookup definition depend on the data available in the target system. The entries of this lookup definition are populated based on the values specified for the alias entry in the GenericScimConfiguration.groovy file. See Understanding Entries in the Predefined Sections of the Groovy File for more information about the alias entry.

4.1.1.4 Lookup.RESOURCE.UM.ProvAttrMap

The Lookup.RESOURCE.UM.ProvAttrMap lookup definition holds mappings between process form fields and target system attribute names. This lookup definition is used for performing provisioning operations.

The following is the format of the Code Key and Decode values in this lookup definition:

  • Code Key: Name of the label on the process form

  • Decode: Corresponding target system attribute name

For entries corresponding to child form fields, the following is the format of the Code Key and Decode values:

  • Code Key: CHILD_FORM_NAME~FIELD_NAME

    In this format:

    • CHILD_FORM_NAME specifies the name of the child form.

    • FIELD_NAME specifies the name of the label on the child form.

  • Decode: Combination of the following elements separated by the tilde (~) character:

    EMBED_OBJ_NAME~RELATION_TABLE_NAME~COL_NAME

    In this format:

    • EMBED_OBJ_NAME is the name of the object (for example, an account's address) on the target system that is embedded in another object.

    • RELATION_TABLE_NAME is the name of child table in the target system.

    • COL_NAME is the name of the column in the child table corresponding to the child form specified in the Code Key column.

The entries in this lookup definition depend on the data available in the target system. The values in the lookup definition are populated based on the value specified for the alias entry in the GenericScimConfiguration.groovy file. See Understanding Entries in the Predefined Sections of the Groovy File for more information about the alias entry.

4.1.1.5 Lookup.RESOURCE.UM.ReconAttrMap.Defaults

The Lookup.RESOURCE.UM.ReconAttrMap.Defaults lookup definition holds default values of the mandatory fields on the Oracle Identity Manager User form that are not mapped to target system attributes. This lookup definition is created only if you have configured the connector for the trusted source mode.

The Lookup.RESOURCE.UM.ReconAttrMap.Defaults lookup definition is used when there is a mandatory field on the Oracle Identity Manager User form, but no corresponding attribute in the target system from which values can be fetched during trusted source reconciliation runs. In addition, this lookup definition is used if the mandatory field on the Oracle Identity Manager User form has a corresponding column that is empty or contains null values.

The following is the format of the Code Key and Decode values in this lookup definition:

  • Code Key: Name of the user field on Oracle Identity Self Service.

  • Decode: Corresponding default value to be displayed.

For example, the Role field is a mandatory field on the Oracle Identity Manager User form. Suppose the target system contains no attribute that stores information about the role for a user account. During reconciliation, no value for the Role field is fetched from the target system. However, as the Role field cannot be left empty, you must specify a value for this field. Therefore, the Decode value of the Role Code Key has been set to Full-Time. This implies that the value of the Role field on the Oracle Identity Manager User form displays Full-Time for all user accounts reconciled from the target system.

Table 4-4 lists the default entries in this lookup definition.

Table 4-4 Entries in the Lookup.RESOURCE.UM.ReconAttrMap.Defaults Lookup Definition

  • Code Key: Role
    Decode: Full-Time

  • Code Key: Organization Name
    Decode: Xellerate Users

  • Code Key: Xellerate Type
    Decode: End-User
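A worked example of the Code Key and Decode formats described for Lookup.RESOURCE.UM.ReconAttrMap (single-valued and multivalued entries, including the [LOOKUP] keyword) and of how Lookup.RESOURCE.UM.ReconAttrMap.Defaults fills mandatory User form fields during trusted source reconciliation. This is added example code, not part of this guide or of the connector; the lookup contents, the sample record, and the dotted-path convention for nested target attributes are constructed for it.

```python
LOOKUP_KEYWORD = "[LOOKUP]"

# Constructed lookup contents (Code Key -> Decode) in the documented formats;
# the SCIM-style attribute names on the Decode side are only illustrative.
TARGET_RECON_MAP = {
    "User Login": "userName",
    "Groups~Group Name[LOOKUP]": "groups~groups~value",
    "Email": "emails~emails~value",  # malformed: single-valued key, child Decode
}
TRUSTED_RECON_MAP = {
    "User Login": "userName",
    "First Name": "name.givenName",
    "Last Name": "name.familyName",
    "Xellerate Type": "userType",  # mapped, but null in the sample record
}
RECON_DEFAULTS = {  # contents of Lookup.RESOURCE.UM.ReconAttrMap.Defaults
    "Role": "Full-Time",
    "Organization Name": "Xellerate Users",
    "Xellerate Type": "End-User",
}
MANDATORY_FIELDS = {"User Login", "First Name", "Last Name",
                    "Role", "Organization Name", "Xellerate Type"}
SAMPLE_RECORD = {"userName": "jdoe", "userType": None,
                 "name": {"givenName": "Jane", "familyName": "Doe"}}


def parse_code_key(code_key):
    """Split "RO_ATTR_NAME" or "RO_ATTR_NAME~ATTR_NAME[LOOKUP]" into its parts."""
    lookup = code_key.endswith(LOOKUP_KEYWORD)
    parts = (code_key[:-len(LOOKUP_KEYWORD)] if lookup else code_key).split("~")
    if len(parts) == 2:
        return {"ro_attr": parts[0], "attr": parts[1], "lookup": lookup}
    if len(parts) == 1 and not lookup:
        return {"ro_attr": parts[0], "attr": None, "lookup": False}
    raise ValueError(f"malformed Code Key: {code_key!r}")


def parse_decode(decode, multivalued):
    """Decode is an attribute name or, for multivalued entries,
    EMBED_OBJ_NAME~RELATION_TABLE_NAME~ATTR_NAME."""
    parts = decode.split("~")
    if not multivalued:
        if len(parts) != 1:
            raise ValueError(f"single-valued entry with child-table Decode: {decode!r}")
        return {"attr": decode}
    if len(parts) != 3:
        raise ValueError(f"multivalued Decode needs 3 parts: {decode!r}")
    return dict(zip(("embed_obj", "relation_table", "attr"), parts))


def validate_map(entries):
    """Return the problems found in a ReconAttrMap or ProvAttrMap."""
    problems = []
    for code_key, decode in entries.items():
        try:
            parse_decode(decode, parse_code_key(code_key)["attr"] is not None)
        except ValueError as exc:
            problems.append(str(exc))
    return problems


def get_attr(record, dotted_path):
    """Walk "name.givenName" style paths (assumed convention for nested data)."""
    value = record
    for part in dotted_path.split("."):
        value = value.get(part) if isinstance(value, dict) else None
    return value


def reconcile_trusted(record, recon_map, defaults, mandatory):
    """Build OIM User form values for one trusted-source record; a default
    fills a mandatory field that is unmapped or whose mapped value is empty."""
    user = {field: get_attr(record, decode) for field, decode in recon_map.items()}
    for field, default in defaults.items():
        if user.get(field) in (None, ""):
            user[field] = default
    missing = sorted(f for f in mandatory if user.get(f) in (None, ""))
    if missing:
        raise ValueError(f"mandatory fields without value or default: {missing}")
    return user
```

Running validate_map over a lookup before a reconciliation run catches a Decode that does not match the shape of its Code Key, which otherwise surfaces only as a failed run.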

4.1.2 Lookup Definitions Synchronized with the Target System

Lookup field synchronization involves copying additions or changes made to specific fields in the target system to lookup definitions in Oracle Identity Manager.

During a provisioning operation, you use a lookup field on the process form to specify a single value from a set of values. For example, you may want to select a role from a lookup field (displaying a set of roles) to specify the role being assigned to the user.

While configuring the GenericScimConfiguration.groovy file, if you specified a value for the lookupAttributeList entry, then the connector creates a lookup definition for every target system attribute specified in this entry and then associates it with the corresponding lookup field on the OIM User process form. The connector creates a lookup definition named in the following format:

Lookup.${IT_RES_NAME}.${FIELD_NAME}

In this format, the connector replaces:

  • IT_RES_NAME with the value of the itResourceDefName entry in the GenericScimConfiguration.groovy file.

  • FIELD_NAME with the name of the field for which the lookup field is created.

Lookup field synchronization involves copying additions or changes made to the target system attributes (listed in the lookupAttributeList entry) into corresponding lookup definitions (used as an input source for lookup fields) in Oracle Identity Manager. This is achieved by running scheduled jobs for lookup field synchronization.

The following example illustrates the list of lookup definitions created for a given lookupAttributeList value:

Suppose the value of the itResourceDefName entry is GenSCIM. If the value of the lookupAttributeList entry is ['Roles', 'Groups'], then the connector creates the following lookup definitions:

  • Lookup.GenSCIM.Roles

  • Lookup.GenSCIM.Groups

After you perform lookup field synchronization, data in the lookup definition is stored in the following format:

  • Code Key value: IT_RESOURCE_KEY~LOOKUP_FIELD_ID

    In this format:

    • IT_RESOURCE_KEY is the numeric code assigned to each IT resource in Oracle Identity Manager.

    • LOOKUP_FIELD_ID is the target system code assigned to each lookup field entry. This value is populated based on the target system attribute name specified in the Code Key attribute of the scheduled job for lookup field synchronization.

    Sample value: 1~SA

  • Decode value: IT_RESOURCE_NAME~LOOKUP_FIELD_ID

    In this format:

    • IT_RESOURCE_NAME is the name of the IT resource in Oracle Identity Manager.

    • LOOKUP_FIELD_ID is the target system code assigned to each lookup field entry. This value is populated based on the target system attribute name specified in the Decode attribute of the scheduled job for lookup field synchronization.

    Sample value: GenSCIM~SYS_ADMIN
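A worked example, added here and not part of this guide or of the connector, of the lookup definition names the connector derives from itResourceDefName and lookupAttributeList (together with the scheduled job names in the format given in Lookup Field Synchronization) and of the IT_RESOURCE_KEY~LOOKUP_FIELD_ID / IT_RESOURCE_NAME~LOOKUP_FIELD_ID entry format that lookup field synchronization stores. The target system rows and the id and displayName column names are constructed for the example.

```python
IT_RESOURCE_NAME = "GenSCIM"  # itResourceDefName from the Groovy file
IT_RESOURCE_KEY = 1           # numeric key Oracle Identity Manager assigned to it
LOOKUP_ATTRIBUTE_LIST = ["Roles", "Groups"]

# Constructed rows for the Roles attribute as fetched from the target system.
# Which column feeds Code Key and which feeds Decode is set by the scheduled
# job's Code Key Attribute and Decode Attribute; "id"/"displayName" are assumed.
ROLE_ROWS = [
    {"id": "SA", "displayName": "SYS_ADMIN"},
    {"id": "RO", "displayName": "READ_ONLY"},
]


def generated_artifacts(it_res_name, lookup_attribute_list):
    """Lookup definition and scheduled job the connector creates per attribute."""
    return {
        field: {
            "lookup": f"Lookup.{it_res_name}.{field}",
            "job": f"{it_res_name} Target {field} Lookup Reconciliation",
        }
        for field in lookup_attribute_list
    }


def build_lookup_entries(it_resource_key, it_resource_name, rows,
                         code_key_attribute, decode_attribute):
    """Entries one synchronization run stores: IT_RESOURCE_KEY~LOOKUP_FIELD_ID
    as Code Key and IT_RESOURCE_NAME~LOOKUP_FIELD_ID as Decode."""
    return {f"{it_resource_key}~{row[code_key_attribute]}":
            f"{it_resource_name}~{row[decode_attribute]}" for row in rows}


def parse_lookup_entry(code_key, decode):
    """Split a synchronized entry back into its parts; rejects other shapes."""
    key_text, sep1, code_id = code_key.partition("~")
    res_name, sep2, decode_id = decode.partition("~")
    if not (sep1 and sep2 and key_text.isdigit()):
        raise ValueError(f"malformed lookup entry: {code_key!r} -> {decode!r}")
    return {"it_resource_key": int(key_text), "lookup_field_id": code_id,
            "it_resource_name": res_name, "decode_id": decode_id}


def split_by_it_resource(entries, it_resource_key):
    """Return (code keys of this IT resource, code keys carrying another key).
    The numeric prefix records which IT resource an entry was synchronized
    from, so a foreign prefix marks an entry that did not come from this one."""
    own, foreign = [], []
    for code_key, decode in entries.items():
        parsed = parse_lookup_entry(code_key, decode)
        (own if parsed["it_resource_key"] == it_resource_key else foreign).append(code_key)
    return own, foreign
```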

See Also:

Scheduled Job for Lookup Field Synchronization for information about the attributes of the scheduled job for lookup field synchronization

4.2 Configuring Reconciliation

You can configure the connector to specify the type of reconciliation and its schedule.

4.2.1 Reconciliation Rules for the Generic SCIM Connector

Reconciliation rules are automatically created when you generate the Generic SCIM connector.

The following is the format of the rule element:

User Login Equals NameAttribute

In this rule element:
  • User Login is the User ID field on the Oracle Identity Manager User form.

  • NameAttribute is the value of the account qualifier in the schema.properties file.

For example, if the value of the NameAttribute account qualifier is __NAME__, then the rule element is as follows:

User Login Equals __NAME__

4.2.2 Full Reconciliation and Incremental Reconciliation

Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager.

In incremental reconciliation, only records created or modified after the date or timestamp at which the last reconciliation run was performed are considered for reconciliation.

After you deploy the connector, you must first perform full reconciliation.

You can perform a full reconciliation by removing or deleting any value currently assigned to the Filter attribute and then running the scheduled job for user data reconciliation. See Scheduled Jobs for Reconciliation of User Records for more information about the user reconciliation scheduled job. In this scheduled job, you can include the timestamp attributes available in the Incremental Recon Attribute field.

At any given point in time, you can switch from incremental reconciliation to full reconciliation. All you need to do is perform a full reconciliation run.

To perform incremental reconciliation, you must update and run the scheduled job for user data reconciliation to include the following attributes:
  • Incremental Recon Attribute — Name of the target system attribute that holds the time stamp at which the record was last modified. The value in this attribute is used to determine the newest or latest record reconciled from the target system.

  • Latest Token — Holds the value of the attribute that is specified as the value of the Incremental Recon Attribute attribute. The Latest Token attribute is used for internal purposes. Do not enter a value for this attribute. The reconciliation engine automatically enters a value in this attribute. Sample value: 1354753427000
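The Incremental Recon Attribute and Latest Token mechanics described above, as an added example that is not part of this guide or of the connector's own code. It assumes the target system exposes the SCIM meta.lastModified attribute as the Incremental Recon Attribute, that the token is stored as epoch milliseconds (the form of the sample value 1354753427000), and it uses a Python predicate in place of a target system filter expression for the Filter attribute; the user records are constructed.

```python
from datetime import datetime, timezone

INCREMENTAL_RECON_ATTRIBUTE = "meta.lastModified"  # assumed target attribute

# Constructed SCIM-style user records as returned by the target system.
SAMPLE_USERS = [
    {"userName": "alice", "active": True,
     "meta": {"lastModified": "2012-12-05T23:43:47Z"}},
    {"userName": "bob", "active": False,
     "meta": {"lastModified": "2012-12-06T00:23:47Z"}},  # equals the token below
    {"userName": "carol", "active": True,
     "meta": {"lastModified": "2012-12-07T12:30:00Z"}},
]
GUIDE_SAMPLE_TOKEN = 1354753427000  # the Latest Token sample value from the guide


def to_epoch_millis(timestamp):
    """ISO 8601 UTC timestamp -> epoch milliseconds, the form Latest Token uses."""
    parsed = datetime.fromisoformat(timestamp.replace("Z", "+00:00"))
    return round(parsed.astimezone(timezone.utc).timestamp() * 1000)


def get_attr(record, dotted_path):
    """Walk "meta.lastModified" style paths (assumed convention for nested data)."""
    value = record
    for part in dotted_path.split("."):
        value = value.get(part) if isinstance(value, dict) else None
    return value


def run_reconciliation(users, latest_token=None, record_filter=None):
    """Select the records one reconciliation run processes and compute the
    Latest Token the engine stores afterwards.

    latest_token None -> full reconciliation: every record is processed.
    latest_token set  -> incremental: only records whose Incremental Recon
                         Attribute is strictly after the token.
    record_filter     -> a predicate standing in for the job's Filter attribute
                         (limited reconciliation); None means no filter.
    Returns (sorted user names, new Latest Token)."""
    selected, new_token = [], latest_token
    for user in users:
        if record_filter is not None and not record_filter(user):
            continue
        stamp = get_attr(user, INCREMENTAL_RECON_ATTRIBUTE)
        if stamp is None:
            raise ValueError(f"{user['userName']}: no {INCREMENTAL_RECON_ATTRIBUTE}")
        millis = to_epoch_millis(stamp)
        if latest_token is not None and millis <= latest_token:
            continue  # not modified after the last run
        selected.append(user["userName"])
        if new_token is None or millis > new_token:
            new_token = millis
    return sorted(selected), new_token
```

Note that bob, whose timestamp equals the stored token exactly, is not picked up by the incremental run, which is why the first run after deployment must be a full one and why a token should only ever come from the engine, not be typed in by hand.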

4.2.3 Limited Reconciliation for Generic SCIM Connector

Limited or filtered reconciliation is the process of limiting the number of records being reconciled based on a set filter criteria.

By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled. You do this by creating filters for the reconciliation module.

You can perform limited reconciliation by creating filters that your target system supports. This connector provides the Filter attribute (a scheduled task attribute) that allows you to use any of the attributes of the target system to filter target system records.

4.2.4 Lookup Field Synchronization

Lookup field synchronization involves copying the most current values of specific target system attributes into the lookup definitions (used as an input source for lookup fields) in Oracle Identity Manager. You can perform lookup field synchronization by configuring and running the scheduled jobs for lookup field synchronization.

Scheduled jobs for lookup field synchronization are created only if you have specified a value for the lookupAttributeList entry in the GenericScimConfiguration.groovy file. The names of these scheduled jobs are in the following format:

IT_RES_NAME Target FIELD_NAME Lookup Reconciliation

For every attribute specified in the lookupAttributeList entry, a corresponding scheduled job for reconciling lookup values from the target system is created. This is illustrated by the following example:

Suppose the value of the itResourceDefName entry is GenSCIM. If the value of the lookupAttributeList entry is ['Roles', 'Groups'], then the connector creates the following scheduled jobs:

  • GenSCIM Target Roles Lookup Reconciliation

  • GenSCIM Target Groups Lookup Reconciliation

4.3 Scheduled Jobs

When you run the Connector Installer, reconciliation scheduled jobs are automatically created in Oracle Identity Manager. You must configure these scheduled jobs to suit your requirements by specifying values for their attributes.

4.3.1 Scheduled Job for Lookup Field Synchronization

Scheduled jobs for lookup field synchronization fetch the most recent values from specific fields in the target system to lookup definitions in Oracle Identity Manager. These lookup definitions are used as an input source for lookup fields in Oracle Identity Manager.

After you generate the connector, scheduled jobs for lookup field synchronization are created only if you have specified a value for the lookupAttributeList entry in the GenericScimConfiguration.groovy file. For every attribute specified in the lookupAttributeList entry, a corresponding scheduled job for reconciling lookup values from the target system is created.

Table 4-5 describes the attributes of the scheduled job for lookup field synchronization. See Configuring Scheduled Jobs.

Table 4-5 Attributes of the Scheduled Job for Lookup Field Synchronization

  • Code Key Attribute

    Enter the name of the attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute).

  • Decode Attribute

    Enter the name of the attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute).

  • IT Resource Name

    Name of the IT resource for the target system installation from which you want to reconcile records.

    The default value of this attribute is the same as the value of the ITResourceDefName entry in the GenericScimConfiguration.groovy file.

  • Lookup Name

    Name of the lookup definition in Oracle Identity Manager that must be populated with values fetched from the target system.

    The value for this attribute is populated automatically if you have specified a value for the lookupAttributeList entry while configuring the GenericScimConfiguration.groovy file. The value of this attribute is in the following format:

    Lookup.${IT_RES_NAME}.${FIELD_NAME}

    For example, if you have specified Roles as the value of the lookupAttributeList entry, then the value of this attribute is Lookup.GenSCIMTrusted.Roles.

  • Object Type

    Enter the type of object you want to reconcile.

    Default value: OTHER

    Note:

    • For lookup field synchronization, the object type must be any object other than User.

    • You must set the object type to the corresponding object value before running the scheduled job. For example, set the Object Type value to Organization if you want to run the Organization lookup scheduled job.

4.3.2 Scheduled Jobs for Reconciliation of User Records

After you generate the connector, the scheduled task for user data reconciliation is automatically created in Oracle Identity Manager. A scheduled job, which is an instance of this scheduled task, is used to reconcile user data from the target system.

The following scheduled jobs are used for user data reconciliation:

  • RESOURCE Target Resource User Reconciliation

    This scheduled job is used to reconcile user data in the target resource (account management) mode of the connector.

  • RESOURCE Trusted Resource User Reconciliation

    This scheduled job is used to reconcile user data in the trusted source (identity management) mode of the connector.

Table 4-6 describes the attributes of both scheduled jobs.

Table 4-6 Attributes of the User Reconciliation Scheduled Jobs

  • Filter

    Enter the search filter for fetching records from the target system during a reconciliation run. See Limited Reconciliation for Generic SCIM Connector.

  • Incremental Recon Attribute

    Enter the name of the target system attribute that holds the time stamp at which the record was last modified. The value in this attribute is used during incremental reconciliation to determine the newest or latest record reconciled from the target system.

  • Latest Token

    This attribute holds the value of the attribute that is specified as the value of the Incremental Recon Attribute attribute. The Latest Token attribute is used for internal purposes. By default, this value is empty.

    Note: Do not enter a value for this attribute. The reconciliation engine automatically enters a value in this attribute.

  • IT Resource Name

    Name of the IT resource for the target system installation from which you want to reconcile user records.

    Sample value: GenSCIM

  • Object Type

    Type of object you want to reconcile.

    Default value: User

    Note: User is the only object that is supported. Therefore, do not change the value of this attribute.

  • Resource Object Name

    Name of the resource object that is used for reconciliation.

    Sample value: GenSCIM User

  • Scheduled Task Name

    Name of the scheduled task that is used for reconciliation.

    The default value of this attribute in the RESOURCE Target Resource User Reconciliation scheduled job is RESOURCE Target Resource User Reconciliation.

    The default value of this attribute in the RESOURCE Trusted Resource User Reconciliation scheduled job is RESOURCE Trusted Resource User Reconciliation.

    Sample value: User Target Reconciliation

4.3.3 Scheduled Jobs for Reconciliation of Deleted User Records

After you generate the connector, the scheduled task for reconciling data about deleted user records is automatically created in Oracle Identity Manager. A scheduled job, which is an instance of this scheduled task, is used to reconcile data about deleted users in the target system.

The following scheduled jobs are used for reconciliation of data about deleted user records:

  • RESOURCE Target Resource User Delete Reconciliation

    This scheduled job is used to reconcile data about deleted user records in the target resource (account management) mode of the connector. During a reconciliation run, for each deleted user record on the target system, the target system resource is revoked for the corresponding Oracle Identity Manager User.

  • RESOURCE Trusted User Delete Reconciliation

    This scheduled job is used to reconcile data about deleted user records in the trusted source (identity management) mode of the connector. During a reconciliation run, for each deleted target system user record, the corresponding Oracle Identity Manager User is deleted.

Table 4-7 describes the attributes of both scheduled jobs.

Table 4-7 Attributes of the Delete User Reconciliation Scheduled Jobs

  • IT Resource Name

    Name of the IT resource for the target system installation from which you want to reconcile user records.

    Sample value: GenSCIMTrusted

  • Object Type

    Type of object you want to reconcile.

    Default value: User

    Note: User is the only object that is supported. Therefore, do not change the value of this attribute.

  • Resource Object Name

    Name of the resource object that is used for delete reconciliation.

4.3.4 Configuring Scheduled Jobs

Configure scheduled jobs to perform reconciliation runs that periodically check for new information on your target system and replicate the data in Oracle Identity Manager.

To configure a scheduled job:
  1. Log in to Oracle Identity System Administration.
  2. In the left pane, under System Management, click Scheduler.
  3. Search for and open the scheduled task as follows:
    1. In the left pane, in the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.
    2. In the search results table on the left pane, click the scheduled job in the Job Name column.
  4. On the Job Details tab, you can modify the following parameters:
    • Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.
    • Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.
    In addition to modifying the job details, you can enable or disable a job.
  5. On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled task.

    Note:

    • Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.

    • Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.

    • Attributes of the scheduled job are discussed in Scheduled Jobs.

  6. Click Apply to save the changes.

    Note:

    You can use the Scheduler Status page in Identity System Administration to either start, stop, or reinitialize the scheduler.

4.4 Performing Provisioning Operations

You create a new user in Oracle Identity Self Service by using the Create User page. You provision or request accounts on the Accounts tab of the User Details page.

To perform provisioning operations in Oracle Identity Manager:
  1. Log in to Oracle Identity System Administration.
  2. Create a user as follows:
    1. In Identity Self Service, click Manage. The Home tab displays the different Manage options. Click Users. The Manage Users page is displayed.

    2. From the Actions menu, select Create. Alternatively, you can click Create on the toolbar. The Create User page is displayed with input fields for user profile attributes.

    3. Enter details of the user in the Create User page.

  3. On the Account tab, click Request Accounts.
  4. In the Catalog page, search for and add to cart the application instance created for the IT resource (in Associating the Form with the Application Instance), and then click Checkout.

    Note:

    Ensure that you select proper values for lookup type fields, as there are a few dependent fields. Selecting a wrong value for such fields may result in provisioning failure.
  5. Click Ready to Submit.
  6. Click Submit.
  7. If you want to provision entitlements, then:
    1. On the Entitlements tab, click Request Entitlements.
    2. In the Catalog page, search for and add to cart the entitlement, and then click Checkout.
    3. Click Submit.

4.5 Uninstalling the Connector

Uninstalling the connector deletes all the account-related data associated with resource objects of the connector. You use the Uninstall Connectors utility to uninstall a connector.

If you want to uninstall the connector for any reason, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager.