Configuring the Connector

3 Configuring the Connector

While creating a target or an authoritative application, you must configure connection-related parameters that the connector uses to connect to Oracle Identity Governance with your target system and perform connector operations. In addition, you can view and edit attribute mappings between the process form fields in Oracle Identity Governance and target system columns, predefined correlation rules, situations and responses, and reconciliation jobs.

3.1 Basic Configuration Parameters

These are the connection-related parameters that Oracle Identity Governance requires to connect to a Microsoft Teams application. These parameters are common for both target applications and authoritative applications.

Note:

Unless specified, do not modify entries in the below table.

Table 3-1 Parameters in the Basic Configuration

Parameter	Mandatory ?	Description
authenticationType	Yes	Enter the type of authentication used by your target system. For this connector, the target system OAuth2.0 client credentials. This is a mandatory attribute while creating an application. Do not modify the value of the parameter. Default value: `client_credentials`
authenticationServerUrl	Yes	Enter the URL of the authentication server that validates the client ID and client secret for your target system. Sample value: `https://login.microsoftonline.com/idmconnector.onmicrosoft.com/oauth2/v2.0/token`
clientId	Yes	Enter the client identifier (a unique string) issued by the authorization server to your client application during the registration process. You obtained the client ID while performing the procedure described in Configuring the Newly Added Application.
clientSecret	Yes	Enter the secret key used to authenticate the identity of your client application. You obtained the secret key while performing the procedure described in Configuring the Newly Added Application.
Scope	Yes	Enter the scope of your client application. Default value: `https://graph.microsoft.com/.default`
host	Yes	Enter the host name of the machine hosting your target system. This is a mandatory attribute while creating an application. Sample value: `graph.microsoft.com`
uriPlaceHolder	Yes	Enter the key-value pair for replacing place holders in the relURIs. The URI place holder consists of values which are repeated in every relative URL. Values must be comma separated. For example, tenant ID and API version values are a part of every request URL. Therefore, we replace it with a key-value pair. Sample value:`"api_version;v1.0"`
port	No	Enter the port number at which the target system is listening. Sample value: `443`
proxyHost	No	Enter the name of the proxy host used to connect to an external target.
proxyPassword	No	Enter the password of the proxy user ID of the target system user account that Oracle Identity Governance uses to connect to the target system.
proxyPort	No	Enter the proxy port number.
proxyUser	No	Enter the proxy user name of the target system user account that Oracle Identity Governance uses to connect to the target system. Sample value: `80`
sslEnabled	No	If the target system requires SSL connectivity, then set the value of this parameter to `true`. Otherwise set the value to `false`. Default value: `true`

3.2 Advanced Settings Parameters

These are the configuration-related entries that the connector uses during reconciliation and provisioning operations.

Note:

Unless specified, do not modify entries in the below table.
All parameters in the below table are mandatory.

Table 3-2 Advanced Settings Parameters

Parameter	Description
relURIs	This entry holds the relative URL of every object class supported by this connector and the connector operations that can be performed on these object classes. This is a mandatory attribute while creating an application. Default value: "__ACCOUNT__.CREATEOP=/$(api_version)$/users","__ACCOUNT__.UPDATEOP=/$(api_version)$/users/$(__UID__)$","__ACCOUNT__.SEARCHOP=/$(api_version)$/users?$(Filter Suffix)$&$select=assignedLicenses,userType,displayName,givenName,userPrincipalName,id,city,usageLocation,accountEnabled,mailNickname,surname,country&$top=$(PAGE_SIZE)$&$skiptoken=$(PAGE_TOKEN)$","__ACCOUNT__=/$(api_version)$/users/$(__UID__)$?$select=assignedLicenses,displayName,givenName,userPrincipalName,id,city,usageLocation,accountEnabled","__TEAMS__.SEARCHOP=/beta/groups?$filter=resourceProvisioningOptions/Any(x:x+eq+'Team')&$top=$(PAGE_SIZE)$&$skiptoken=$(PAGE_TOKEN)$","__TEAMS__.member=/$(api_version)$/teams/$(__UID__)$/members/$ref?","__ACCOUNT__.__TEAMS__=/$(api_version)$/groups/$(__TEAMS__.id)$/members/$ref","__ACCOUNT__.__TEAMS__.DELETEOP=/$(api_version)$/groups/$(__TEAMS__.id)$/members/$(__UID__)$/$ref""__ACCOUNT__.__TEAMS__.SEARCHOP=/$(api_version)$/users/$(__UID__)$/joinedTeams","__ACCOUNT__.manager.SEARCHOP=/$(api_version)$/users/$(__UID__)$/manager","__ACCOUNT__.manager=/$(api_version)$/users/$(__UID__)$/manager/$ref"
nameAttributes	This entry holds the name attribute for all the objects that are handled by this connector. For example, for the `__ACCOUNT__` object class that it used for User accounts, the name attribute is `userPrincipalName`. Default value: `"__ACCOUNT__.userPrincipalName","__TEAMS__.displayName"`
uidAttributes	This entry holds the uid attribute for all the objects that are handled by this connector. For example, for `User accounts`, the uid attribute is `objectId`. In other words, the value ACCOUNT.objectId in decode implies that the UIDattribute (that is, GUID) of the connector for ACCOUNTobject class is mapped to objectId which is the corresponding uid attribute for user accounts in the target system. Default value: `"__ACCOUNT__.id","__TEAMS__.id"`
opTypes	This entry specifies the HTTP operation type for each object class supported by the connector. Values are comma separated and are in the following format: OBJ_CLASS.OP=HTTP_OP In this format, `OBJ_CLASS` is the connector object class, `OP` is the connector operation (for example, CreateOp, UpdateOp, SearchOp), and `HTTP_OP` is the HTTP operation (GET, PUT, or POST). Default value: `"__ACCOUNT__.CREATEOP=POST","__ACCOUNT__.UPDATEOP=PATCH","__ACCOUNT__.SEARCHOP=GET","__ACCOUNT__.TESTOP=GET","__ACCOUNT__.manager.CREATEOP=PUT","__ACCOUNT__.manager.UPDATEOP=PUT","__ACCOUNT__.__TEAMS__.UPDATEOP=POST"`
pageSize	The number of resources/users that appears on a page for a search operation. Default value: `100`
pageTokenAttribute	The attribute in response payload that denotes the next page token. Default value: `odata.nextLink`
pageTokenRegex	This attribute is used in the URL while reconciliation to support pagination. Default value: `(?<=skiptoken=).*`
Any Incremental Recon Attribute Type	By default, during incremental reconciliation, Oracle Identity Governance accepts timestamp information sent from the target system only in Long datatype format. Setting the value of this parameter to `True` indicates that Oracle Identity Governance will accept timestamp information in any datatype format. Default value: `True`
jsonResourcesTag	This entry holds the json tag value that is used during reconciliation for parsing multiple entries in a single payload. Default value: `"__ACCOUNT__=value","__TEAMS__=value"`
httpHeaderContentType	This entry holds the content type expected by the target system in the header. Default value: `application/json`
httpHeaderAccept	This entry holds the accept type expected from the target system in the header. Default value: `application/json`
specialAttributeTargetFormat	This entry lists the format in which an attribute is present in the target system endpoint. For example, the alias attribute will be present as `aliases.alias` in the target system endpoint. Values are comma separated and are presented in the following format: OBJ_CLASS.ATTR_NAME= TARGET_FORMAT Default value`"__ACCOUNT__.manager=id","__TEAMS__.member=url","__TEAMS__.member=value","__ACCOUNT__.__TEAMS__=value"`
specialAttributeHandling	This entry lists the special attributes whose values should be sent to the target system one by one ("SINGLE"). Values are comma separated and are in the following format: OBJ_CLASS.ATTR_NAME.PROV_OP=SINGLE For example, the `__ACCOUNT__.manager.UPDATEOP=SINGLE` value in decode implies that during an update provisioning operation, the `manager` attribute of the `__ACCOUNT__` object class must be sent to the target system one-by-one. Default value`"__ACCOUNT__.__TEAMS__.CREATEOP=SINGLE","__ACCOUNT__.__TEAMS__.UPDATEOP=SINGLE","__ACCOUNT__.manager.CREATEOP=SINGLE","__ACCOUNT__.manager.UPDATEOP=SINGLE","__ACCOUNT__.__TEAMS__.ADDATTRIBUTE=SINGLE","__ACCOUNT__.__TEAMS__.REMOVEATTRIBUTE=SINGLE"`
customPayload	This entry lists the payloads for all operations that are not in the standard format. Default value:`"__ACCOUNT__.__TEAMS__.UPDATEOP={\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/$(__UID__)$\"}","__ACCOUNT__.__TEAMS__.CREATEOP={\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/$(__UID__)$\"}","__ACCOUNT__.manager.CREATEOP={\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/$(manager)$\"}","__ACCOUNT__.manager.UPDATEOP={\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/$(manager)$\"}"`
statusAttributes	This entry lists the name of the target system attribute that holds the status of an account. For example, for the `__ACCOUNT__` object class that it used for User accounts, the status attribute is `accountEnabled`. Default value:`"__ACCOUNT__.accountEnabled"`
passwordAttribute	This entry holds the name of the target system attribute that is mapped to the __PASSWORD__ attribute of the connector in OIM. Default value: `passwordProfile.password`
targetObjectIdentifier	This entry specifies the key-value pair for replacing place holders in the relURIs. Values are comma separated and in the KEY;VALUE format. Default value: `__ACCOUNT__.__GROUP__=securityEnabled;true,"__ACCOUNT__.__OFFICEGROUP__=securityEnabled;false","__ACCOUNT__.__ROLE__=@odata.type;#microsoft.graph.directoryRole"`
childFieldsWithSingleEnd	This entry specifies special attributes data coming in from a single end point response. Default value: `"__GROUP__","__ROLE__","__OFFICEGROUP`

3.3 Attribute Mappings

The attribute mappings on the Schema page vary depending on whether you are creating a target application.

Attribute Mappings for the Target Application

3.3.1 Attribute Mappings for the Target Application

The Schema page for a target application displays the default schema (provided by the connector) that maps Oracle Identity Governance attributes to target system attributes. The connector uses these mappings during reconciliation and provisioning operations.

Default Attributes for MS Teams Target Application

Table 3-3 lists the user-specific attribute mappings between the process form fields in Oracle Identity Governance and MS Teams target application attributes. The table also lists whether a specific attribute is used during provisioning or reconciliation and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-3 Default Attributes for MS Teams Target Application

Display Name	Target Attribute	Data Type	Mandatory Provisioning Property?	Provision Field?	Recon Field?	Key Field?	Case Insensitive?	Advanced Flag Settings
Object Id	__UID__	String	No	Yes	Yes	Yes	Yes	Yes
User Principal Name	__NAME__	String	Yes	Yes	Yes	No	Not applicable	Yes
Password	__PASSWORD__	String	No	Yes	No	No	Not applicable	Yes
First Name	givenName	String	No	Yes	Yes	No	Not applicable	Yes
Last Name	surname	String	No	Yes	Yes	No	Not applicable	Yes
Display Name	displayName	String	Yes	Yes	Yes	No	Not applicable	Yes
User Type	userType	String	No	No	Yes	No	Not applicable	Yes
Usage Location	usageLocation	String	No	Yes	Yes	No	Not applicable	Yes
City	city	String	No	Yes	Yes	No	Not applicable	Yes
Country	country	String	No	Yes	Yes	No	Not applicable	Yes
Manager	manager	String	No	Yes	Yes	No	Not applicable	Yes
Preferred Language	preferredLanguage	String	No	Yes	Yes	No	Not applicable	Yes
Mail NickName	mailNickname	String	Yes	Yes	Yes	No	Not applicable	Yes
MSTeams Server		Long	Yes	No	Yes	Yes	No	Yes
Change Password On Next Logon	passwordProfile.forceChangePasswordNextSignIn	String	No	Yes	No	No	Not applicable	Yes
Account Enabled	accountEnabled	String	No	Yes	Yes	No	Not applicable	Yes
Status	__ENABLE__	String	No	No	Yes	No	Not applicable	Yes

Default Attribute Mappings shows the default User account attribute mappings.

Default Attribute Mappings for MS Teams User Account

MS Teams Entitlement

Table 3-4 lists the group forms attribute mappings between the process form fields in Oracle Identity Governance and MS Teams target application attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target ApplicationCreating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-4 Default Attribute Mappings for MSTeamsGroup

Display Name	Target Attribute	Data Type	Mandatory Provisioning Property?	Recon Field?	Key Field?	Case Insensitive?
MSTeams Group Name	__TEAMS__~__TEAMS__~id	String	No	Yes	Yes	No

MS Teams MSTeamsGroup Entitlement

lists the group forms attribute mappings between the process form fields in Oracle Identity Governance and MS Teams target application attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.

Figure 3-1 Default Attribute Mappings for MS Teams MSTeamsGroup

3.4 Correlation Rules

Learn about the predefined rules, responses and situations for Target and Authoritative applications. The connector uses these rules and responses for performing reconciliation.

Correlation Rules for the Target Application

3.4.1 Correlation Rules for the Target Application

When you create a target application, the connector uses correlation rules to determine the identity to which Oracle Identity Governance must assign a resource.

Predefined Identity Correlation Rules

By default, the MS Teams connector provides a simple correlation rule when you create a target application. The connector uses this correlation rule to compare the entries in Oracle Identity Governance repository and the target system repository, determine the difference between the two repositories, and apply the latest changes to Oracle Identity Governance.

Table 3-6lists the default simple correlation rule for a MS Teams AD connector. If required, you can edit the default correlation rule or add new rules. You can create complex correlation rules also. For more information about adding or editing simple or complex correlation rules, see Updating Identity Correlation Rule in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-5 Predefined Identity Correlation Rule for a MS Teams Connector

Target Attribute	Element Operator	Identity Attribute	Case Sensitive?
__NAME__	Equals	User Login	No

In this identity rule:

__NAME__ is a single-valued attribute on the target system that identifies the user account.
User Login is the field on the OIG User form.

Simple Correlation Rule for MS Teams Target Application shows the simple correlation rule for a MS Teams AD target application.

Predefined Situations and Responses

The MS Teams connector provides a default set of situations and responses when you create a target application. These situations and responses specify the action that Oracle Identity Governance must take based on the result of a reconciliation event.

Table 3-6 lists the default situations and responses for a MS Teams Target application. If required, you can edit these default situations and responses or add new ones. For more information about adding or editing situations and responses, seeUpdating Situations and Responses in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance

Table 3-6 Predefined Situations and Responses for a MS Teams AD Target Application

Situation	Response
No Matches Found	None
One Entity Match Found	Establish Link
One Process Match Found	Establish Link

Predefined Situations and Responses for a MS Teams Target Application shows the situations and responses for a MS Teams that the connector provides by default.

Figure 3-2 Predefined Situations and Responses for a MS Teams Target Application

3.5 Reconciliation Jobs

These are the reconciliation jobs that are automatically created in Oracle Identity Governance after you create the application.

User Reconciliation Jobs

You can either use these predefined jobs or edit them to meet your requirements. Alternatively, you can create custom reconciliation jobs. For information about editing these predefined jobs or creating new ones, see Updating Reconciliation Jobs in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

The following reconciliation jobs are available for reconciling user data:

MS Teams Full User Reconciliation: Use this reconciliation job to reconcile user data from a target application.
MS Teams Limited User Reconciliation: Use this reconciliation job to reconcile user data from an authoritative application.

Table 3-7 describes the parameters of the MS Teams Full User Reconciliation job.

Table 3-7 Parameters of the MS Teams Full User Reconciliation Job

Parameter	Description
Application name	Name of the AOB application with which the reconciliation job is associated. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not change the default value.
Filter Suffix	Enter the search filter for fetching user records from the target system during a reconciliation run. Sample value when incremental recon is enabled: `&$filter=displayName+eq+'JAN2KKA1'` Sample value when incremental recon is not enabled: `&$filter=displayName+eq+'Aug11'` For more information about creating filters, see Performing Limited Reconciliation.
Object Type	This parameter holds the name of the object type for the reconciliation run. Default value: `User` Do not change the default value.
Scheduled Task Name	Name of the scheduled task used for reconciliation. Do not modify the value of this parameter.
Incremental Recon Attribute	Enter the name of the attribute that holds the timestamp at which the token record was modified.
Latest Token	This parameter holds the value of the target system attribute that is specified as the value of the Incremental Recon Attribute parameter. The Latest Token parameter is used for internal purposes. By default, this value is empty. Note: Do not enter a value for this parameter. The reconciliation engine automatically enters a value in this parameter. Sample value: `<String>2017-11-30T04:44:29Z</String>`

Target Delete User Reconciliation Job

The MS Teams User Target Delete Recon job is used to reconcile data about deleted users from a MS Teams target application. During a reconciliation run, for each deleted user account on the target system, the MS Teams resource is revoked for the corresponding OIM User.

Table 3-8 Parameters of the MS TeamsTarget User Delete Reconciliation Job

Parameter	Description
Application name	Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value.
Object Type	This parameter holds the type of object you want to reconcile. Default value: `User` Note: If you configure the connector to provision users to a custom class (for example, InetOrgPerson) then enter the value of the object class here.

Parameter

Description

Application name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Do not modify this value.

Object Type

This parameter holds the type of object you want to reconcile.

Default value: User

Note: If you configure the connector to provision users to a custom class (for example, InetOrgPerson) then enter the value of the object class here.

Reconciliation Jobs for Entitlements

The following jobs are available for reconciling entitlements:

MSTeams Group Lookup Reconciliation
MSTeams Manager Lookup Reconciliation

The parameters for all the reconciliation jobs are the same.

Table 3-9 Parameters of the Reconciliation Jobs for Entitlements

Parameter	Description
Application Name	Current AOB application name with which the reconciliation job is associated. Default value: `teams1` Do not modify this value.
Code Key Attribute	Name of the connector attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). Default value: `__UID__` Do not modify this value.
Decode Attribute	Name of the connector attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute). Default value: `__NAME__`
Lookup Name	Enter the name of the lookup definition in Oracle Identity Governance that must be populated with values fetched from the target system. Depending on the Reconciliation job that you are using, the default values are as follows: For MSTeams Group Lookup Reconciliation: Lookup.MSTeams.TeamsGroups For MSTeams Manager Lookup Reconciliation: Lookup.MSTeams.Manager If you create a copy of any of these lookup definitions, then enter the name of that new lookup definition as the value of the Lookup Name attribute.
Object Type	Enter the type of object you want to reconcile. Depending on the reconciliation job that you are using, the default values are as follows: For MSTeams Group Lookup Reconciliation: __TEAMS__ For MSTeams Manager Lookup Reconciliation: User Note: Do not change the value of this parameter.