2 Deploying the Salesforce Connector

The procedure to deploy the connector is divided across three stages namely preinstallation, installation, and postinstallation.

The following topics discuss these stages:

• Preinstallation

• Installation

• Postinstallation

2.1 Preinstallation

Preinstallation for the Salesforce connector involves registering a client application (that is, the Salesforce connector) with the target system and obtaining the client ID and client secret for authenticating to the target system. It also involves creating a custom profile and an account in the target system that the connector (or client) can use for performing connector operations.

Preinstallation involves performing the following tasks on the target system:

Note:

The detailed instructions for performing these preinstallation tasks are available in the Salesforce documentation.

1. Register your client application with the target system by creating a Connected App in Salesforce. While creating the Connected App, ensure to select the OAuth scopes in the following table which represent the operations that can be performed through the Connected App you can configure. After the Connected App is created, note down the client ID and client secret values.

   OAuth Scope	Description
   Access your basic information (id, profile, email, address, phone).	This scope allows access to the Identity URL service.
   Access and manage your data (api)	This scope allows access to the logged-in user’s account using APIs, such as SCIM API and REST API. This value also includes chatter_api, which allows access to Chatter REST API resources.
   Full access (full)	Allows access to all data accessible by the logged-in user, and encompasses all other scopes. full does not return a refresh token. You must explicitly request the refresh_token scope to get a refresh token.

   The consumer key and consumer secret values for the Connected App are generated.
2. Note down the consumer key and consumer secret values as they are required while configuring the IT resource parameters. The consumer key corresponds to the clientId parameter while the consumer secret corresponds to the clientSecret parameter.
3. Create a custom profile by cloning a standard user profile with the following minimum set of administrative permissions:

   • API Enabled

   • API Only User

   • Assign Permission Sets

   • Chatter Internal User

   • Manage Internal Users

   • Manage IP Addresses

   • Manage Login Access Policies

   • Manage Package Licenses

   • Manage Password Policies

   • Manage Profiles and Permission Sets

   • Manage Roles

   • Manage Sharing

   • Manage Unlisted Groups

   • Manage Users

   • Moderate Chatter

   • Reset User Passwords and Unlock Users

   • View All Users

   • View Help Link

   • View Setup and Configuration

4. Create a target system user account to connect to the target system during each connector operation.

2.2 Installation

You must install the Salesforce connector in Oracle Identity Manager and if required, place the connector code bundle in the Connector Server.

The following topics discuss installing the Salesforce connector:

• Understanding Installation of the Salesforce Connector

• Running the Connector Installer

• Configuring the IT Resource for the Target System

2.2.1 Understanding Installation of the Salesforce Connector

You can run the connector code either locally in Oracle Identity Manager or remotely in a Connector Server.

Depending on where you want to run the connector code (bundle), the connector provides the following installation options:

• Run the connector code locally in Oracle Identity Manager.

  In this scenario, you deploy the connector in Oracle Identity Manager. Deploying the connector in Oracle Identity Manager involves performing the procedures described in Running the Connector Installer and Configuring the IT Resource for the Target System.

• Run the connector code remotely in a Connector Server.

  In this scenario, you deploy the connector in Oracle Identity Manager, and then, deploy the connector bundle in a Connector Server. See Using an Identity Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for information about installing, configuring, and running the Connector Server, and then installing the connector in a Connector Server.

2.2.2 Running the Connector Installer

Note:

In this guide, the term Connector Installer has been used to refer to the Install Connectors feature of Oracle Identity System Administration.

To run the Connector Installer:

1. Copy the contents of the connector installation media into the following directory: OIM_HOME/server/ConnectorDefaultDirectory
2. If you have not already done so, create a directory in OIM_HOME/ConnectorDefaultDirectory/targetsystems-lib with the same name as the installer package. For example: OIM_HOME/server/ConnectorDefaultDirectory/targetsystems-lib/Salesforce-11.1.1.5.0

   Note:

   If you are doing it for the first time place the bundle in the connector server bundle directory.
3. Log in to Oracle Identity System Administration.
4. In the left pane, under System Management, click Manage Connector.
5. In the Manage Connector page, click Install.
6. From the Connector List list, select Salesforce ConnectorRELEASE NUMBER. This list displays the names and release numbers of connectors whose installation files you copy into the default connector installation directory: OIM_HOME/server/ConnectorDefaultDirectory

   If you have copied the installation files into a different directory, then:

   1. In the Alternative Directory field, enter the full path and name of that directory.

   2. To repopulate the list of connectors in the Connector List list, click Refresh.

   3. From the Connector List list, select Salesforce Connector RELEASE NUMBER.

7. Click Load.
8. To start the installation process, click Continue. The following tasks are performed in sequence:

   1. Configuration of connector libraries

   2. Import of the connector XML files (by using the Deployment Manager)

   3. Compilation of adapters

   On successful completion of a task, a check mark appears for the task. If a task fails, then an X mark and a message stating the reason for failure are displayed. If a task fails, then make the required correction and perform one of the following steps:

   1. Retry the installation by clicking Retry.

   2. Cancel the installation and begin again from step 3.

      Figure 2-1 Installation Status

      
      Description of "Figure 2-1 Installation Status"
9. If all three tasks of the connector installation process are successful, then a message indicating successful installation appears.
   In addition, a list of the steps that you must perform after the installation appears. These steps are as follows:

   1. Ensuring that the prerequisites for using the connector are addressed

      Note:

      At this stage, run the PurgeCache utility to load the server cache with content from the connector resource bundle in order to view the list of prerequisites. There are no prerequisites for some predefined connectors. See Clearing Content Related to Connector Resource Bundles from the Server Cache for information about running the PurgeCache utility. There are no prerequisites for some predefined connectors.

   2. Configuring the IT resource for the connector Record the name of the IT resource displayed on this page. The procedure to configure the IT resource is described later in this guide.

   3. Configuring the scheduled tasks that are created when you installed the connector

      Record the names of the scheduled tasks displayed on this page. The procedure to configure these scheduled tasks is described later in this guide.

   When you run the Connector Installer, it copies the connector files and external code files to destination directories on the Oracle Identity Manager host computer. These files are listed in Files and Directories on the Installation Media.

2.2.3 Configuring the IT Resource for the Target System

The IT resource for the target system is created during connector installation. This IT resource contains connection information about the target system. Oracle Identity Manager uses this information during reconciliation and provisioning.

The Salesforce IT resource is automatically created when you run the Connector Installer. You must specify values for the parameters of the IT resource.

To specify values for the parameters of the IT resource:

1. Log in to Oracle Identity System Administration.
2. Create and activate a sandbox.
3. In the left pane, under Configuration, click IT Resource.
4. In the IT Resource Name field on the Manage IT Resource page, enter Salesforce and then click Search.
5. Click Edit for the IT resource.
6. From the list at the top of the page, select Details and Parameters.
7. Specify values for the parameters of the IT resource. Table 2-1 describes each parameter.

   Note:

   Entries in this table are sorted in alphabetical order of parameter names.

   Table 2-1 Parameters of the IT Resource

   Parameter	Description
   acceptType	Accept type for the header that denotes how the request body must be parsed. The request body should only be parsed as JSON if the Content-Type header is application/json.
   authenticationServerUrl	URL of the authentication server that validates the client ID and client secret. Sample value: https://$HOTSNAME$.salesforce.com/services/oauth2/token?
   baseURI	Base relative URI of your target system. For example, if you are using version1 (v1), then the baseURI will be /services/scim/v1. Similarly, if you are using version2 (v2), then the baseURI will be /services/scim/v2.
   clientId	The client identifier (a unique string) issued by the authorization server to your domain during the registration process performed in Preinstallation. Sample Value: 3MVG9Z8h6Bxz0zc6gU3lDg8zQflDLyyydUdH151g9VVT7O.ys_WFNz5q0EDkFWDAjDeavV5.XWVP6Hyhdg6zS
   clientSecret	Value used to authenticate the identity of your domain. This value is obtained while performing the procedure described in Preinstallation. Sample Value: 6551799938364196225
   Configuration Lookup	Name of the lookup definition that stores configuration information used during reconciliation and provisioning. Default value: Lookup.Salesforce.Configuration
   ConnectorServer Name	If you are using Salesforce Connector together with the Java Connector Server, then provide the name of Connector Server IT Resource here.
   contentType	This entry holds the content type expected by the target system in the header. Default Value : application/json
   grantType	Type of authentication used by your target system. grantTypes supported by the SCIM code are basic, jwt,client_credentials, password, and custom. However, the grantType supported by Salesforce is password only. Default value: password
   Host	Salesforce Host name or IP address of the computer hosting the target system. Sample value: www.*****.salesforce.com
   Password	Enter the password of the target system user account that you created (for connector operations) while performing the procedure described in Preinstallation.
   sslEnabled	If the target system requires SSL connectivity, set the value of this parameter to true. Otherwise set the value to false.
   proxyHost	Name of the proxy host used to connect to an external target. Sample value: www.example.com
   proxyPassword	Password of the proxy user ID of the target system user account that Oracle Identity Manager uses to connect to the target system.
   proxyPort	Proxy port number. Sample value: 80
   proxyUser	Proxy user name of the target system user account that Oracle Identity Manager uses to connect to the target system.
   Username	Enter the user name of the target system that you created (for performing connector operations) while performing the procedure described in Preinstallation.

8. To save the values, click Update.

2.3 Postinstallation

Postinstallation steps are divided across the following sections:

• Configuring Oracle Identity Manager

• Localizing Field Labels in UI Forms

• Clearing Content Related to Connector Resource Bundles from the Server Cache

• Managing Logging for the Salesforce Connector

• Obtaining GUID of Roles

2.3.1 Configuring Oracle Identity Manager

You must create a UI form and an application instance for the resource against which you want to perform reconciliation and provisioning operations. In addition, you must run entitlement and catalog synchronization jobs.

The following topics describe the procedures to configure Oracle Identity Manager:

• Creating and Activating a Sandbox

• Creating a New UI Form

• Creating an Application Instance

• Publishing a Sandbox

• Harvesting Entitlements and Sync Catalog

• Updating an Existing Application Instance with a New Form

2.3.1.1 Creating and Activating a Sandbox

See Managing Sandboxes in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for instructions on creating and activating a sandbox.

2.3.1.2 Creating a New UI Form

See Managing Forms in Oracle Fusion Middleware Administering Oracle Identity Manager for instructions on creating a new UI form. While creating the UI form, ensure that you select the resource object corresponding to the Salesforce connector that you want to associate the form with.

2.3.1.3 Creating an Application Instance

Create an application instance as follows.

For detailed instructions, see Managing Application Instances in Oracle Fusion Middleware Administering Oracle Identity Manager.

1. In the left pane of the Identity System Administration, under Configuration, click Application Instances. The Application Instances page appears.
2. From the Actions menu, select Create. Alternatively, click Create on the toolbar.
   The Create Application Instance page appears.
3. Specify values for the following fields:

   • Name: The name of the application instance

   • Display Name: The display name of the application instance.

   • Description: A description of the application instance.

   • Resource Object: The resource object name. Click the search icon next to this field to search for and select Salesforce User.

   • IT Resource Instance: The IT resource instance name. Click the search icon next to this field to search for and select Salesforce.

   • Form: Select the form name (created in Creating a New UI Form).

4. Click Save.
   The application instance is created.
5. Publish the application instance to an organization to make the application instance available for requesting and subsequent provisioning to users. See Managing Organizations Associated With Application Instances in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed instructions.

2.3.1.4 Publishing a Sandbox

Before publishing a sandbox, perform the following procedure as a best practice to validate all sandbox changes made till this stage as it is difficult to revert the changes after a sandbox is published:

1. In Identity System Administration, deactivate the sandbox.
2. Log out of Identity System Administration.
3. Log in to Identity Self Service using the xelsysadm user credentials and then activate the sandbox that you deactivated in Step 1.
4. In the Catalog, ensure that the Salesforce application instance form appears with correct fields.
5. Publish the sandbox. See Publishing a Sandbox in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager.

2.3.1.5 Harvesting Entitlements and Sync Catalog

To harvest entitlements and sync catalog:

1. Run the scheduled jobs for lookup field synchronization listed in Scheduled Jobs for Lookup Field Synchronization.
2. Run the Entitlement List scheduled job to populate Entitlement Assignment schema from child process form table. See Predefined Scheduled Tasks in Oracle Fusion Middleware Administering Oracle Identity Manager for more information about this scheduled job.
3. Run the Catalog Synchronization Job scheduled job. See Predefined Scheduled Tasks in Oracle Fusion Middleware Administering Oracle Identity Manager for more information about this scheduled job.

2.3.1.6 Updating an Existing Application Instance with a New Form

For any changes you do in the Form Designer, you must create a new UI form and update the changes in an application instance. To update an existing application instance with a new form:

1. Create a sandbox and activate it as described in Creating and Activating a Sandbox.
2. Create a new UI form for the resource as described in Creating a New UI Form.
3. Open the existing application instance.
4. In the Form field, select the new UI form that you created.
5. Save the application instance.
6. Publish the sandbox as described in Publishing a Sandbox.

2.3.2 Localizing Field Labels in UI Forms

You can localize UI form field labels by using the resource bundle corresponding to the language you want to use. Resource bundles are available in the connector installation media.

To localize field label that is added to the UI forms:

1. Log in to Oracle Enterprise Manager.
2. In the left pane, expand Application Deployments and then select oracle.iam.console.identity.sysadmin.ear.
3. In the right pane, from the Application Deployment list, select MDS Configuration.
4. On the MDS Configuration page, click Export and save the archive to the local computer.
5. Extract the contents of the archive, and open the following file in a text editor:
   SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle_en.xlf
6. Edit the BizEditorBundle.xlf file in the following manner:

   1. Search for the following text:

      <file source-language="en" 
      original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" 
      datatype="x-oracle-adf">

   2. Replace with the following text:

      <file source-language="en" 
      target-language="LANG_CODE"original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" 
      datatype="x-oracle-adf">

      In this text, replace LANG_CODE with the code of the language that you want to localize the form field labels. The following is a sample value for localizing the form field labels in Japanese:

      <file source-language="en" 
      target-language="ja" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" 
      datatype="x-oracle-adf">

   3. Search for the application instance code. This procedure shows a sample edit for Oracle Database application instance. The original code is:

      <trans-unit 
      id="${adfBundle['oracle.adf.businesseditor.model.util
      .BaseRuntimeResourceBundle']['persdef.sessiondef.orac
      le.iam.ui.runtime.form.model.user.entity.use 
      rEO.UD_SF_USERNAME__c_description']}">
      
      <source>Username</source>
      
      </target> </trans-unit> <trans-unit
      
      id="sessiondef.oracle.iam.ui.runtime.form.model.Sales
      force.entity. sEO.UD_SF_USR_USERNAME__c">
      
      <source>Username</source>
      
      </target> </trans-unit>

   4. Open the resource file from the connector package, for example Salesforce_ja.properties, and get the value of the attribute from the file, for example, global.udf.UD_SF_USR_USERNAME=\u30A2\u30AB\u30A6\u30F3 \u30C8\u540D.

   5. Replace the original code shown in Step 6.c with the following:

      <trans-unitid="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.
      runtime.form.model.user.entity.userEO.UD_SF_USR_USERNAME__c_description']}">
      
      <source>User Name</source> 
      <target>u30A2\u30AB\u30A6\u30F3\u30C8\u540D</target>
      </trans-unit> 
      <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.Salesforce.entity sEO.UD_SF_USR_USERNAME__c_LABEL
      ">
      <source>Account Name</source> <target>\u30A2\u30AB\u30A6\u30F3\u30C8\u540D</target> </trans-unit>

   6. Repeat Steps 6.a through 6.d for all attributes of the process form.

   7. Save the file as BizEditorBundle_LANG_CODE.xlf. In this file name, replace LANG_CODE with the code of the language to which you are localizing. Sample file name: BizEditorBundle_ja.xlf

7. Repackage the ZIP file and import it into MDS.

   See Also:

   Deploying and Undeploying Customizations in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager for information about exporting and importing metadata files.

8. Log out of and log in to Oracle Identity Manager.

2.3.3 Clearing Content Related to Connector Resource Bundles from the Server Cache

When you deploy the connector, the resource bundles are copied from the resources directory on the installation media into the Oracle Identity Manager database. Whenever you add a new resource bundle to the connectorResources directory or make a change in an existing resource bundle, you must clear content related to connector resource bundles from the server cache.

To clear content related to connector resource bundles from the server cache:

1. In a command window, switch to the OIM_HOME/server/bin directory.
2. Enter one of the following commands:

   • On Microsoft Windows: PurgeCache.bat All

   • On UNIX: PurgeCache.sh All

   Note:

   You can use the PurgeCache utility to purge the cache for any content category. Run PurgeCache.bat CATEGORY_NAME on Microsoft Windows or PurgeCache.sh CATEGORY_NAME on UNIX. The CATEGORY_NAME argument represents the name of the content category that must be purged.

   For example, the following commands purge Metadata entries from the server cache:

   • PurgeCache.bat MetaData

   • PurgeCache.sh MetaData

   Before running the PurgeCache utility, ensure the WL_HOME and JAVA_HOME environment variables are set.

   When prompted, enter the user name and password of an account belonging to the SYSTEM ADMINISTRATORS group. In addition, you are prompted to enter the service URL in the following format:

   t3://OIM_HOST_NAME:OIM_PORT_NUMBER

   In this format:

   • Replace OIM_HOST_NAME with the host name or IP address of the Oracle Identity Manager host computer.

   • Replace OIM_PORT_NUMBER with the port on which Oracle Identity Manager is listening.

2.3.4 Managing Logging for the Salesforce Connector

Oracle Identity Manager uses the Oracle Diagnostic Logging (ODL) logging service for recording all types of events pertaining to the connector.

The following topics provide detailed information about logging:

• Understanding Log Levels

• Enabling Logging

2.3.4.1 Understanding Log Levels

When you enable logging, Oracle Identity Manager automatically stores in a log file information about events that occur during the course of provisioning and reconciliation operations. ODL is the principle logging service used by Oracle Identity Manager and is based on java.util.Logger. To specify the type of event for which you want logging to take place, you can set the log level to one of the following:

• SEVERE.intValue()+100

  This level enables logging of information about fatal errors.

• SEVERE

  This level enables logging of information about errors that might allow Oracle Identity Manager to continue running.

• WARNING

  This level enables logging of information about potentially harmful situations.

• INFO

  This level enables logging of messages that highlight the progress of the application.

• CONFIG

  This level enables logging of information about fine-grained events that are useful for debugging.

• FINE, FINER, FINEST

  These levels enable logging of information about fine-grained events, where FINEST logs information about all events.

These log levels are mapped to ODL message type and level combinations as shown in Table 2-2.

Table 2-2 Log Levels and ODL Message Type:Level Combinations

Log Level	ODL Message Type:Level
SEVERE.intValue()+100	INCIDENT_ERROR:1
SEVERE	ERROR:1
WARNING	WARNING:1
INFO	NOTIFICATION:1
CONFIG	NOTIFICATION:16
FINE	TRACE:1
FINER	TRACE:16
FINEST	TRACE:32

The configuration file for OJDL is logging.xml, which is located at the following path:

DOMAIN_HOME/config/fmwconfig/servers/OIM_SERVER/logging.xml

Here, DOMAIN_HOME and OIM_SERVER are the domain name and server name specified during the installation of Oracle Identity Manager.

2.3.4.2 Enabling Logging

To enable logging in the Oracle WebLogic Server:

1. Edit the logging.xml file as follows:
   1. Add the following blocks in the file:

      <log_handler name='Salesforce-handler' level='[LOG_LEVEL]' class='oracle.core.ojdl.logging.ODLHandlerFactory'>
      <property name='logreader:' value='off'/>
          <property name='path' value='[FILE_NAME]'/>
          <property name='format' value='ODL-Text'/>
          <property name='useThreadName' value='true'/> 
          <property name='locale' value='en'/> 
          <property name='maxFileSize' value='5242880'/> 
          <property name='maxLogSize' value='52428800'/>
          <property name='encoding' value='UTF-8'/>
      </log_handler>
      
      <logger name="ORG.IDENTITYCONNECTORS.GENERICSCIM" level="[LOG_LEVEL]" useParentHandlers="false">
          <handler name="Salesforce-handler"/> 
          <handler name="console-handler"/>
        </logger>

   2. Replace both occurrences of [LOG_LEVEL] with the ODL message type and level combination that you require. Table 2-2 lists the supported message type and level combinations.
      Similarly, replace [FILE_NAME] with the full path and name of the log file in which you want log messages to be recorded.
      The following blocks show sample values for [LOG_LEVEL] and [FILE_NAME]:

      <log_handler name='Salesforce-handler' level='NOTIFICATION:1' class='oracle.core.ojdl.logging.ODLHandlerFactory'> 
      <property name='logreader:' value='off'/>
          <property name='path' value='F:\MyMachine\middleware\user_projects\domains\base_domain1\servers\oim_server1\logs\
           oim_server1-diagnostic-1.log'/>
          <property name='format' value='ODL-Text'/> 
          <property name='useThreadName' value='true'/> 
          <property name='locale' value='en'/> 
          <property name='maxFileSize' value='5242880'/> 
          <property name='maxLogSize' value='52428800'/> 
          <property name='encoding' value='UTF-8'/> 
        </log_handler> 
      
      <logger name="ORG.IDENTITYCONNECTORS.GENERICSCIM" level="NOTIFICATION:1" useParentHandlers="false"> 
          <handler name="Salesforce-handler"/> 
          <handler name="console-handler"/> 
        </logger>

      With these sample values, when you use Oracle Identity Manager, all messages generated for this connector that are of a log level equal to or higher than the NOTIFICATION:1 level are recorded in the specified file.
2. Save and close the file.
3. Set the following environment variable to redirect the server logs to a file:

   For Microsoft Windows: set WLS_REDIRECT_LOG=FILENAME

   For UNIX: export WLS_REDIRECT_LOG=FILENAME

   Replace FILENAME with the location and name of the file to which you want to redirect the output.

4. Restart the application server.

2.3.5 Obtaining GUID of Roles

You must obtain the GUID of roles from the target system to populate the Code Key values of the Lookup.Salesforce.Roles lookup definition.

The SCIM services exposed by Salesforce.com do not provide any endpoint to fetch the Role GUIDs programatically. Therefore, to manage provision roles for users, you have to populate the Lookup.Salesforce.Roles lookup manually.

To obtain GUID of roles, from your organization’s role hierarchy, click on any role for which you want to determine the GUID. The GUID is available as part of the URL. For example, in the following URL, 00E800000016mY is the GUID of the selected role:

https://cs40.salesforce.com.00E800000016mY.setupid=Roles

2.3.6 Configuring SSL for connector

Configure SSL to secure data communication between Oracle Identity Manager and Salesforce.

Note:

If you are using this connector along with a Connector Server, then there is no need to configure SSL. You can skip this section.

Salesforce validates the client system dates to be in sync with the SSL certificate (the certificate issued by Salesforce application) date. If there is any deviation, then the target system might throw an error. The client machine date must be in sync with the certificate timestamp range. Obtain SSL certificate from the target system.

Importing the Certificate

Use the keytool command to import the SSL certificate from the target system into the identity keystore in Oracle Identity Manager.

keytool -import -alias alias -trustcacerts -file file-to-import -keystore keystore-name -storepass keystore-password

In this example, the certificate file supportcert.pem is imported to the identity keystore client_store.jks with password weblogic1:

keytool -import -alias serverwl -trustcacerts -file supportcert.pem -keystore client_store.jks -storepass weblogic1

Note:

Change the parameter values passed to the keytool command according to your requirements. Ensure that there is no line break in the keytool arguments.