Oracle Internet Directory

Before You Begin

Introduction

This document describes how to configure Oracle Identity Cloud Service to perform Authoritative Synchronization and Provisioning for Oracle Internet Directory.

About Oracle Internet Directory

Oracle Internet Directory is an online directory with a specialized database that stores and retrieves collections of information about objects. The information can represent any resources that require management, for example:

  • Employee names, titles, and security credentials
  • Information about partners
  • Information about shared resources, such as conference rooms and printers

The information in the directory is available to different clients, such as single sign-on solutions, email clients, and database applications. Clients communicate with a directory server by means of the Lightweight Directory Access Protocol (LDAP). Oracle Internet Directory is an LDAP directory that uses an Oracle Database for storage.

After integrating Oracle Internet Directory with Oracle Identity Cloud Service, administrators can:

  • Synchronize users, groups and user-group memberships from Oracle Internet Directory into Oracle Identity Cloud Service
  • Assign and revoke user access to Oracle Internet Directory using the Oracle Identity Cloud Service administration console
  • Manage user group membership through Oracle Identity Cloud Service

What Do You Need?

  • A fully installed and running provisioning bridge from Oracle Internet Directory. To confirm Oracle Internet Directory is installed and running, make sure that the app shows an Active status in Oracle Identity Cloud Service. See Manage Provisioning Bridges for Oracle Identity Cloud Service.
  • An Oracle Identity Cloud Service Identity Domain Administrator, Security Administrator, or Application Administrator account so that you can manage apps and user accounts.
  • Oracle Internet Directory server connectivity details such as administrator credentials, host name, and the port number.

Enable SSL between Oracle Internet Directory and Provisioning Bridge

The steps mentioned in this section are optional, but must be performed if you want to enable SSL between Oracle Internet Directory and the provisioning bridge. For detailed information on performing these steps, refer to Oracle Internet Directory documentation.

  1. In Oracle Internet Directory, ensure that SSL is enabled and a port is specified to accept connections from LDAP clients.
  2. Generate a self-signed certificate and import it into the Oracle Internet Directory server instance.
  3. Import the certificate into the Java keystore of the machine on which the provisioning bridge is installed by following the steps mentioned in Import the Certificate as a Trusted Certificate.
  4. Restart the provisioning bridge.

Configuring Oracle Internet Directory in Oracle Identity Cloud Service

Use this section to register and activate Oracle Internet Directory, and to configure Authoritative Synchronization for Oracle Internet Directory. You can then perform user, group and user-group synchronization from Oracle Internet Directory.

Register and Activate Oracle Internet Directory

Register and activate Oracle Internet Directory and configure authoritative synchronization for Oracle Internet Directory so that you can perform user, group and user-group synchronization from Oracle Internet Directory.

Note: Oracle Internet Directory supports authoritative synchronization only.

  1. Access the Oracle Identity Cloud Service administration console, select Applications, and then click Add.
  2. Click App Catalog.
  3. Search for Oracle Internet Directory, click Add, and then click Next.
  4. In the Name field, enter Oracle Internet Directory, and add a description.
  5. In the Provisioning Bridge drop-down, from the list of all active and inactive provisioning bridges, select the bridge that you installed as part of the What Do You Need? section.
  6. Click Next to enable provisioning and synchronization for Oracle Internet Directory. For details, see the Enabling Provisioning and Synchronization for Oracle Internet Directory section.
  7. Click Finish. Oracle Identity Cloud Service displays a confirmation message.
  8. Click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Enabling Provisioning and Synchronization for Oracle Internet Directory

Use this section to synchronize user accounts from Oracle Internet Directory to Oracle Identity Cloud Service.

Enable Provisioning for Oracle Internet Directory

  1. On the Provisioning page, select Enable Provisioning.
  2. In the Grant Consent dialog box, click Continue.
  3. Specify values for the following parameters to configure connectivity between Oracle Identity Cloud Service and Oracle Internet Directory. The list gives each option and the value that Oracle Identity Cloud Service requires to connect to Oracle Internet Directory.

    Host Name: Enter the host name of the server that hosts Oracle Internet Directory. For example: app.cpdmqa01.com. Note: The host name value is dynamic and changes for each instance of Oracle Internet Directory.
    Port Number: Enter the port number on which Oracle Internet Directory is listening. For example: 1389.
    Administrator Username: Enter the Oracle Internet Directory service account user name.
    Administrator Password: Enter the Oracle Internet Directory service account password.
    SSL Enabled: Select this check box if SSL communication is enabled between Oracle Internet Directory and the provisioning bridge, as explained in the Enable SSL between Oracle Internet Directory and Provisioning Bridge section.
    Base Contexts: Enter the root DN values from which all users and groups are synchronized. For example: dc=example,dc=com. One or more base context values can be specified, separated by a carriage return. For example: dc=example, dc=com and dc=example2, dc=com. Note: The base contexts value is dynamic and changes for each instance of Oracle Internet Directory.
    Change Log Block Size: Enter the block size to be used for an incremental synchronization operation. The default value is 100.
    Block Size: Enter the block size to be used for a full synchronization operation. The default value is 100.
    Use Page Result Control: Specify whether a simple paged search should be used for a full synchronization operation.
    Account User Name Attribute: Specify the user name attribute.
    UID Attribute Name: Provide the UID attribute name that uniquely identifies the entry in the DIT.
    Use Standard Change Log: Enable this option to use the standard changelog mechanism for synchronization.
    Changelog BaseDN: Provide the distinguished name of the entry that contains the set of entries comprising this server's changelog.
    ChangelogUidAttribute: Provide the UID attribute name that uniquely identifies the changelog entry.
    ChangelogUidAttribute: Provide an attribute name for the change number. It is used to uniquely identify a change made to a directory entry.
    Use Modify Timestamps: Enable this option to use modify-timestamp-based synchronization if the standard changelog is not supported.
    Create Timestamp Attribute: Provide an attribute name for the created timestamp of an entry.
    Modify Timestamp Attribute: Provide an attribute name for the modified timestamp of an entry.
  4. Click Test Connectivity to verify the connection with Oracle Internet Directory. Oracle Identity Cloud Service displays a confirmation message. Note: To test the connectivity, the associated bridge must be in Active status and must be started on the client network.
  5. Use this list to configure the User Object required to synchronize users from Oracle Internet Directory to Oracle Identity Cloud Service. It gives the parameters that Oracle Identity Cloud Service requires to synchronize and provision users from Oracle Internet Directory into Oracle Identity Cloud Service.

    User Object Class: Enter a list of object classes required for a User Object.
    User Enabled Attribute: Enter the attribute name that signifies whether a user is enabled or disabled in Oracle Internet Directory. By default, the value selected is ENABLED.
    User Enabled Value: Enter the value present in the Account Enabled Attribute when a user is active in Oracle Internet Directory. By default, the value selected is DISABLED.
    User Disabled Value: Enter the value present in the Account Enabled Attribute when a user is inactive in Oracle Internet Directory.
  6. Use this list to configure the Group Object required to synchronize groups from Oracle Internet Directory to Oracle Identity Cloud Service. It gives the parameters that Oracle Identity Cloud Service requires to synchronize and provision groups from Oracle Internet Directory into Oracle Identity Cloud Service.

    Group Object Class: Enter a list of object classes required for a Group Object.
    Group Member Attribute: Enter the attribute name that signifies a user's membership of the group in Oracle Internet Directory.
    Group UID Attribute: Enter the unique identifier attribute of the group.
  7. The Configure Attributes section defines predefined attribute mappings between the user account fields defined in Oracle Internet Directory and the corresponding fields defined in Oracle Identity Cloud Service.

    a. To view and then add Oracle Internet Directory user attributes, click Add to view the available list of Oracle Internet Directory user attributes. In the Add Attribute dialog box, click Refresh to get the latest list of user attributes from the Oracle Internet Directory server, then select the attribute that you want to add, and click OK.

    b. To view the predefined attribute mappings between the user account fields defined in Oracle Internet Directory and the corresponding fields defined in Oracle Identity Cloud Service, click Attribute Mapping, and click OK.

    Note: To add a new attribute, click Add Row, specify attributes in the User and Oracle Internet Directory Account columns, and then click OK.

  8. Specify the provisioning operations that you want to enable for Oracle Internet Directory:

    • Authoritative Sync: Configures Oracle Internet Directory as an authoritative source for Oracle Identity Cloud Service. In the authoritative sync configuration, users, roles, and user role memberships are created or modified in Oracle Internet Directory and the information is synchronized into Oracle Identity Cloud Service. Note: By default, the Authoritative Sync check box is selected.
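The following Python example is added here and is not Oracle's code or part of the original page. It exercises the connectivity parameters from step 3 (Base Contexts entered one DN per line, Host Name, Port Number and SSL Enabled) and then walks a constructed changelog in blocks the way an incremental synchronization driven by Change Log Block Size and the change number attribute would, with the modify-timestamp filter as the alternative for servers without a standard changelog. All host, attribute and changelog values are constructed for the example, and the RDN check is a simplified regular expression rather than a full RFC 4514 parser.

```python
# Added example, not Oracle's code: checks the connectivity parameters from the
# list above and walks a constructed changelog in blocks the way an incremental
# synchronization would. Host name, attribute names and changelog entries are
# constructed; the regular expression is a simplified RDN check, not a full
# RFC 4514 parser (escaped commas in values are not handled).
import re

# Accepts "attr=value" where the value contains no unescaped separators.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,+=]+$")


def parse_base_contexts(text):
    """Split the Base Contexts field (one DN per line) into normalized DNs.

    'dc=example, dc=com' and 'dc=example,dc=com' both normalize to
    'dc=example,dc=com'. Raises ValueError on an empty field or a malformed RDN.
    """
    contexts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rdns = [rdn.strip() for rdn in line.split(",")]
        for rdn in rdns:
            if not _RDN.match(rdn):
                raise ValueError(f"malformed RDN {rdn!r} in base context {line!r}")
        contexts.append(",".join(rdns))
    if not contexts:
        raise ValueError("at least one base context is required")
    return contexts


def ldap_url(host, port, ssl_enabled):
    """Build the URL the bridge would connect to; SSL Enabled selects ldaps://."""
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"port {port!r} is out of range")
    scheme = "ldaps" if ssl_enabled else "ldap"
    return f"{scheme}://{host}:{int(port)}"


def changelog_filter(last_change_number, change_number_attr="changeNumber"):
    """Search filter for the next incremental run against the Changelog BaseDN."""
    return f"({change_number_attr}>={last_change_number + 1})"


def timestamp_filter(since, create_attr="createTimestamp", modify_attr="modifyTimestamp"):
    """Filter used when Use Modify Timestamps is enabled instead of the changelog.

    `since` is an LDAP generalized time such as 20240101000000Z. This mode
    cannot observe deletions: a removed entry has no timestamp left to match.
    """
    return f"(|({create_attr}>={since})({modify_attr}>={since}))"


def read_changelog_blocks(changelog, last_change_number, block_size):
    """Yield changelog entries newer than the cursor in blocks of block_size.

    Each block stands for one search the connector issues, sized by the
    Change Log Block Size parameter.
    """
    pending = sorted(entry for entry in changelog if entry[0] > last_change_number)
    for start in range(0, len(pending), block_size):
        yield pending[start:start + block_size]


def incremental_sync(changelog, last_change_number, block_size):
    """Apply all pending changes in order and return (applied, new_cursor)."""
    applied = []
    cursor = last_change_number
    for block in read_changelog_blocks(changelog, last_change_number, block_size):
        for change_number, target_dn, change_type in block:
            applied.append((target_dn, change_type))
            cursor = change_number  # advance only after the change is applied
    return applied, cursor


# Constructed changelog entries: (changeNumber, targetDN, changeType).
SAMPLE_CHANGELOG = [
    (101, "cn=alice,ou=people,dc=example,dc=com", "add"),
    (102, "cn=bob,ou=people,dc=example,dc=com", "modify"),
    (103, "cn=carol,ou=people,dc=example,dc=com", "delete"),
    (104, "cn=dave,ou=people,dc=example,dc=com", "add"),
    (105, "cn=alice,ou=people,dc=example,dc=com", "modify"),
]

if __name__ == "__main__":
    print(parse_base_contexts("dc=example, dc=com\ndc=example2, dc=com"))
    print(ldap_url("app.cpdmqa01.com", 1389, False))
    print(changelog_filter(100))
    applied, cursor = incremental_sync(SAMPLE_CHANGELOG, 100, 2)
    print(len(applied), "changes applied, cursor now", cursor)
```

The cursor is advanced only after each change is applied, so a run interrupted mid-block resumes from the last applied change number rather than skipping the rest of the block. The timestamp filter shows why Use Standard Change Log is preferable where the server supports it: entries deleted in the directory have no timestamp to match, so a timestamp-only run never learns about removals.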

Enable Synchronization for Oracle Internet Directory

  1. On the Provisioning page, select Enable Synchronization.
  2. From the User Identifier drop-down list, define a matching rule that links a record fetched from Oracle Internet Directory with an existing record in Oracle Identity Cloud Service.

    Note: By default, User Name is selected. Leave this default attribute for an accurate synchronization of user records.

  3. From the Application Identifier drop-down list, define a matching rule that links a record fetched from Oracle Internet Directory with an existing record in Oracle Identity Cloud Service.

    Note: By default, UserUid is selected. This value represents the Uid attribute of a user in Oracle Internet Directory. Leave this default attribute for an accurate synchronization of user records.

  4. From the When exact match is found drop-down list, select one of the following actions to be performed when a matching Oracle Identity Cloud Service user is found for an account:

    • Link and confirm: Automatically links and confirms the matched account to the corresponding Oracle Identity Cloud Service users based on the defined user identifier.
    • Link but do not confirm: Automatically links all the matched accounts to the corresponding Oracle Identity Cloud Service users based on the defined user identifier. You need to manually confirm the linked accounts.
  5. In the Max. number of creates field, enter a number that is greater than or equal to 10. This value limits the number of accounts to be created during the synchronization run.

  6. In the Max. number of deletes field, enter a number that is greater than or equal to 10. This value limits the number of accounts to be removed during the synchronization run.

  7. From the Synchronization schedule drop-down list, select the intervals at which you want the synchronization operation to be performed.

    Note: By default, Never is selected. Change this value as per your requirement.
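The following Python example is added here and is not Oracle's code or part of the original page. It simulates the matching step configured in steps 2 to 6: accounts fetched from Oracle Internet Directory are matched to existing Oracle Identity Cloud Service users on the User Identifier (User Name), an exact match is linked and, when Link and confirm is chosen, confirmed; unmatched accounts become creates and previously linked users whose account has disappeared become deletes, each capped by Max. number of creates and Max. number of deletes. The cap behaviour (stop and report what was left over), the case-insensitive user name comparison, the field names and all sample data are this example's assumptions, not documented product behaviour.

```python
# Added example, not Oracle's code: simulates the matching and linking step of a
# synchronization run. The cap behaviour (stop and report the remainder), the
# case-insensitive userName comparison, the dict field names and the sample
# data are all this example's assumptions.
from dataclasses import dataclass, field


@dataclass
class SyncPlan:
    linked: list = field(default_factory=list)
    confirmed: list = field(default_factory=list)
    created: list = field(default_factory=list)
    deleted: list = field(default_factory=list)
    skipped_creates: int = 0
    skipped_deletes: int = 0


def plan_sync(fetched_accounts, existing_users, link_and_confirm=True,
              max_creates=10, max_deletes=10):
    """Decide what one synchronization run would do.

    fetched_accounts: dicts with 'uid' and 'userName' as read from the directory.
    existing_users:   dicts with 'userName' and 'linkedUid' (None when the user
                      has no linked Oracle Internet Directory account yet).
    """
    if max_creates < 10 or max_deletes < 10:
        raise ValueError("Max. number of creates/deletes must be at least 10")

    plan = SyncPlan()
    users_by_name = {u["userName"].lower(): u for u in existing_users}
    fetched_uids = {a["uid"] for a in fetched_accounts}

    for account in fetched_accounts:
        user = users_by_name.get(account["userName"].lower())
        if user is not None:
            # Exact match on the User Identifier: link the account to the user,
            # and confirm it too when "Link and confirm" is selected.
            plan.linked.append(user["userName"])
            if link_and_confirm:
                plan.confirmed.append(user["userName"])
        elif len(plan.created) < max_creates:
            plan.created.append(account["userName"])
        else:
            plan.skipped_creates += 1

    for user in existing_users:
        # Only users linked by an earlier run are candidates for removal;
        # users that were never linked are not managed by this run.
        if user["linkedUid"] is not None and user["linkedUid"] not in fetched_uids:
            if len(plan.deleted) < max_deletes:
                plan.deleted.append(user["userName"])
            else:
                plan.skipped_deletes += 1
    return plan


# Constructed sample data: three users already exist in the service, two of
# them linked; eleven brand-new directory accounts exceed the default create cap.
EXISTING_USERS = [
    {"userName": "alice", "linkedUid": None},
    {"userName": "bob", "linkedUid": "u2"},
    {"userName": "erin", "linkedUid": "u9"},   # account no longer in the directory
]
FETCHED_ACCOUNTS = [
    {"uid": "u1", "userName": "Alice"},
    {"uid": "u2", "userName": "bob"},
] + [{"uid": f"n{i:02d}", "userName": f"new{i:02d}"} for i in range(1, 12)]

if __name__ == "__main__":
    plan = plan_sync(FETCHED_ACCOUNTS, EXISTING_USERS)
    print("linked:", plan.linked, "confirmed:", plan.confirmed)
    print("created:", len(plan.created), "skipped creates:", plan.skipped_creates)
    print("deleted:", plan.deleted, "skipped deletes:", plan.skipped_deletes)
```

Running the sample shows why the create and delete caps matter: a directory that unexpectedly gains or loses many accounts (a mis-scoped Base Context, a bulk load, a broken changelog cursor) produces a burst of creates or deletes, and the cap turns that into a visible, bounded event rather than a silent mass change to the identity store.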

After enabling provisioning and synchronization for Oracle Internet Directory, you can synchronize the existing account details from Oracle Internet Directory and link them to the corresponding Oracle Identity Cloud Service users. For more information on performing synchronization tasks, see Import User Accounts from a Software as a Service Application.

Discover the Schema for OID

  1. On the Provisioning Setting tab, under Configuration Attributes, click Add Attribute.

  2. Click Refresh to display the unmapped attributes from OID whether they are out of the box or custom.

Troubleshooting

For any issues, contact Oracle Support:

  1. Go to https://support.oracle.com.
  2. Select Cloud Support, and then sign in with your support credentials.

  3. In the Cloud Dashboard, confirm that there are no planned outages in Oracle Identity Cloud Service, and then click Create Service Request.

  4. Select Oracle Identity Cloud Service as the service type. Complete your service request.