3 Configuring the Connector

While creating a target or an authoritative application, you must configure the connection-related parameters that the connector uses to connect Oracle Identity Governance with your target system and perform connector operations. In addition, you can view and edit the attribute mappings between the process form fields in Oracle Identity Governance and target system columns, the predefined correlation rules, situations and responses, and reconciliation jobs.

3.1 Basic Configuration Parameters

These are the connection-related parameters that Oracle Identity Governance requires to connect to an Azure AD application. These parameters are common for both target applications and authoritative applications.

Note:

Unless specified otherwise, do not modify the entries in the table below.

Table 3-1 Parameters in the Basic Configuration

Parameter (Mandatory?): Description

authenticationType (Mandatory: Yes)

Enter the type of authentication used by your target system. For this connector, the target system uses OAuth 2.0 client credentials. This is a mandatory attribute while creating an application. Do not modify the value of this parameter.

Default value: client_credentials

host (Mandatory: Yes)

Enter the host name of the machine hosting your target system. This is a mandatory attribute while creating an application.

Sample value: graph.microsoft.com

authenticationServerUrl (Mandatory: Yes)

Enter the URL of the authentication server that validates the client ID and client secret for your target system.

Sample value: https://login.microsoftonline.com/idmconnector.onmicrosoft.com/oauth2/v2.0/token

clientId (Mandatory: Yes)

Enter the client identifier (a unique string) issued by the authorization server to your client application during the registration process. You obtained the client ID while performing the procedure described in Configuring the Newly Added Application.

clientSecret (Mandatory: Yes)

Enter the secret key used to authenticate the identity of your client application. You obtained the secret key while performing the procedure described in Configuring the Newly Added Application.

uriPlaceHolder (Mandatory: Yes)

Enter the key-value pairs for replacing placeholders in the relURIs. The URI placeholder holds values that are repeated in every relative URL. Values must be comma separated.

For example, the tenant ID and API version values are part of every request URL, so each of them is replaced with a key-value pair.

Sample value: "api_version;v1.0"

port (Mandatory: No)

Enter the port number at which the target system is listening.

Sample value: 443

sslEnabled (Mandatory: No)

If the target system requires SSL connectivity, then set the value of this parameter to true. Otherwise, set the value to false.

Default value: true

Scope (Mandatory: Yes)

Enter the scope of your client application.

Default value: https://graph.microsoft.com/.default

proxyHost (Mandatory: No)

Enter the name of the proxy host used to connect to an external target.

proxyPassword (Mandatory: No)

Enter the password of the proxy user ID that Oracle Identity Governance uses to connect to the target system.

proxyPort (Mandatory: No)

Enter the proxy port number.

Sample value: 80

proxyUser (Mandatory: No)

Enter the proxy user name of the target system user account that Oracle Identity Governance uses to connect to the target system.

3.2 Advanced Settings Parameters

These are the configuration-related entries that the connector uses during reconciliation and provisioning operations.

Note:

  • Unless specified otherwise, do not modify the entries in the table below.

  • All parameters in the table below are mandatory.

Table 3-2 Advanced Settings Parameters

Parameter Description

granularLicenses

This parameter enables support for granular licenses.

Default value: False

Note:

The granularLicenses parameter is supported from release 12.2.1.3.0A.

relURIs

This entry holds the relative URL of every object class supported by this connector and the connector operations that can be performed on these object classes. This is a mandatory attribute while creating an application.

Default value: __ACCOUNT__.CREATEOP=/$(api_version)$/users,"__ACCOUNT__.UPDATEOP=/$(api_version)$/users/$(__UID__)$","__ACCOUNT__.SEARCHOP=/$(api_version)$/users?$(Filter Suffix)$&$select=assignedLicenses,userType,displayName,givenName,userPrincipalName,id,city,usageLocation,accountEnabled,mailNickname,surname,country&$top=$(PAGE_SIZE)$&$skiptoken=$(PAGE_TOKEN)$","__ACCOUNT__=/$(api_version)$/users/$(__UID__)$?$select=assignedLicenses,displayName,givenName,userPrincipalName,id,city,usageLocation,accountEnabled,mailNickname,country,surname,userType","__ACCOUNT__.manager.SEARCHOP=/$(api_version)$/users/$(__UID__)$/manager","__ACCOUNT__.manager=/$(api_version)$/users/$(__UID__)$/manager/$ref","__ACCOUNT__.__GROUP__.SEARCHOP=/$(api_version)$/users/$(__UID__)$/memberOf?&$top=$(PAGE_SIZE)$&$skiptoken=$(PAGE_TOKEN)$","__ACCOUNT__.__GROUP__.DELETEOP=/$(api_version)$/groups/$(__GROUP__.id)$/members/$(__UID__)$/$ref","__ACCOUNT__.__GROUP__=/$(api_version)$/groups/$(__GROUP__.id)$/members/$ref","__GROUP__.CREATEOP=/$(api_version)$/groups","__GROUP__.UPDATEOP=/$(api_version)$/groups/$(__UID__)$","__GROUP__.SEARCHOP=/$(api_version)$/groups?&$filter=securityEnabled+eq+true&$top=$(PAGE_SIZE)$&$skiptoken=$(PAGE_TOKEN)$","__OFFICEGROUP__.SEARCHOP=/$(api_version)$/groups?&$filter=securityEnabled+eq+false&$top=$(PAGE_SIZE)$&$skiptoken=$(PAGE_TOKEN)$","__GROUP__=/$(api_version)$/groups/$(__UID__)$","__GROUP__.member=/$(api_version)$/groups/$(__UID__)$/members/$ref?","__ROLE__.SEARCHOP=/$(api_version)$/directoryRoles?/$(Filter Suffix)$","__ACCOUNT__.__ROLE__=/$(api_version)$/directoryRoles/$(__ROLE__.id)$/members/$ref","__ACCOUNT__.__ROLE__.DELETEOP=/$(api_version)$/directoryRoles/$(__ROLE__.id)$/members/$(__UID__)$/$ref","__ROLE__.member=/$(api_version)$/directoryRoles/$(__UID__)$/members/$ref","__ACCOUNT__.__ROLE__.SEARCHOP=/$(api_version)$/users/$(__UID__)$/memberOf?&$top=$(PAGE_SIZE)$&$skiptoken=$(PAGE_TOKEN)$","assignedLicenses.SEARCHOP=/$(api_version)$/subscribedSkus?/$(Filter Suffix)$","__ACCOUNT__.assignedLicenses.ADDATTRIBUTE=/$(api_version)$/users/$(__UID__)$/assignLicense","__ACCOUNT__.assignedLicenses.REMOVEATTRIBUTE=/$(api_version)$/users/$(__UID__)$/assignLicense","__ACCOUNT__.__OFFICEGROUP__=/$(api_version)$/groups/$(__OFFICEGROUP__.id)$/members/$ref","__ACCOUNT__.__OFFICEGROUP__.DELETEOP=/$(api_version)$/groups/$(__OFFICEGROUP__.id)$/members/$(__UID__)$/$ref","__ACCOUNT__.__OFFICEGROUP__.SEARCHOP=/$(api_version)$/users/$(__UID__)$/memberOf?&$top=$(PAGE_SIZE)$&$skiptoken=$(PAGE_TOKEN)$"

Note:

The granularLicenses parameter is supported from release 12.2.1.3.0A.

If you are enabling granular licenses, replace the default relURIs value with the following value:

"__ACCOUNT__.CREATEOP=/$(api_version)$/users","__ACCOUNT__.UPDATEOP=/$(api_version)$/users/$(__UID__)$","__ACCOUNT__.SEARCHOP=/$(api_version)$/users?$(Filter Suffix)$&$select=assignedLicenses,userType,displayName,givenName,userPrincipalName,id,city,usageLocation,accountEnabled,mailNickname,surname,country&$top=$(PAGE_SIZE)$&$skiptoken=$(PAGE_TOKEN)$","__ACCOUNT__=/$(api_version)$/users/$(__UID__)$?$select=assignedLicenses,displayName,givenName,userPrincipalName,id,city,usageLocation,accountEnabled,mailNickname,country,surname,userType","__ACCOUNT__.manager.SEARCHOP=/$(api_version)$/users/$(__UID__)$/manager","__ACCOUNT__.manager=/$(api_version)$/users/$(__UID__)$/manager/$ref","__ACCOUNT__.__GROUP__.SEARCHOP=/$(api_version)$/users/$(__UID__)$/memberOf?&$top=$(PAGE_SIZE)$&$skiptoken=$(PAGE_TOKEN)$","__ACCOUNT__.__GROUP__.DELETEOP=/$(api_version)$/groups/$(__GROUP__.id)$/members/$(__UID__)$/$ref","__ACCOUNT__.__GROUP__=/$(api_version)$/groups/$(__GROUP__.id)$/members/$ref","__GROUP__.CREATEOP=/$(api_version)$/groups","__GROUP__.UPDATEOP=/$(api_version)$/groups/$(__UID__)$","__GROUP__.SEARCHOP=/$(api_version)$/groups?&$filter=securityEnabled%20eq%20true&$top=$(PAGE_SIZE)$&$skiptoken=$(PAGE_TOKEN)$","__OFFICEGROUP__.SEARCHOP=/$(api_version)$/groups?&$filter=securityEnabled%20eq%20false&$top=$(PAGE_SIZE)$&$skiptoken=$(PAGE_TOKEN)$","__GROUP__=/$(api_version)$/groups/$(__UID__)$","__GROUP__.member=/$(api_version)$/groups/$(__UID__)$/members/$ref?","__ROLE__.SEARCHOP=/$(api_version)$/directoryRoles?/$(Filter Suffix)$","__ACCOUNT__.__ROLE__=/$(api_version)$/directoryRoles/$(__ROLE__.id)$/members/$ref","__ACCOUNT__.__ROLE__.DELETEOP=/$(api_version)$/directoryRoles/$(__ROLE__.id)$/members/$(__UID__)$/$ref","__ROLE__.member=/$(api_version)$/directoryRoles/$(__UID__)$/members/$ref","__ACCOUNT__.__ROLE__.SEARCHOP=/$(api_version)$/users/$(__UID__)$/memberOf?&$top=$(PAGE_SIZE)$&$skiptoken=$(PAGE_TOKEN)$","assignedLicenses.SEARCHOP=/$(api_version)$/subscribedSkus?/$(Filter Suffix)$","__ACCOUNT__.assignedLicenses.ADDATTRIBUTE=/$(api_version)$/users/$(__UID__)$/assignLicense","__ACCOUNT__.assignedLicenses.REMOVEATTRIBUTE=/$(api_version)$/users/$(__UID__)$/assignLicense","__ACCOUNT__.__OFFICEGROUP__=/$(api_version)$/groups/$(__OFFICEGROUP__.id)$/members/$ref","__ACCOUNT__.__OFFICEGROUP__.DELETEOP=/$(api_version)$/groups/$(__OFFICEGROUP__.id)$/members/$(__UID__)$/$ref","__ACCOUNT__.__OFFICEGROUP__.SEARCHOP=/$(api_version)$/users/$(__UID__)$/memberOf?&$top=$(PAGE_SIZE)$&$skiptoken=$(PAGE_TOKEN)$","__ACCOUNT__.assignedLicenses.SEARCHOP=/$(api_version)$/users/$(__UID__)$/licenseDetails?&$top=$(PAGE_SIZE)$&$skiptoken=$(PAGE_TOKEN)$"

Note:

If you disable granular licenses, use the default relURIs value.

nameAttributes

This entry holds the name attribute for all the objects that are handled by this connector.

For example, for the __ACCOUNT__ object class that is used for User accounts, the name attribute is userPrincipalName.

Default value: __ACCOUNT__.userPrincipalName,"__GROUP__.displayName","__ROLE__.displayName","assignedLicenses.skuPartNumber","__OFFICEGROUP__.displayName"

uidAttributes

This entry holds the uid attribute for all the objects that are handled by this connector.

For example, for User accounts, the uid attribute is objectId.

In other words, the value __ACCOUNT__.objectId in decode implies that the __UID__ attribute (that is, the GUID) of the connector for the __ACCOUNT__ object class is mapped to objectId, which is the corresponding uid attribute for user accounts in the target system.

Default value: __ACCOUNT__.id,"__GROUP__.id","__ROLE__.id","assignedLicenses.skuId","__OFFICEGROUP__.id"

opTypes

This entry specifies the HTTP operation type for each object class supported by the connector. Values are comma separated and are in the following format: OBJ_CLASS.OP=HTTP_OP

In this format, OBJ_CLASS is the connector object class, OP is the connector operation (for example, CreateOp, UpdateOp, SearchOp), and HTTP_OP is the HTTP operation (GET, PUT, PATCH, or POST).

Default value: __ACCOUNT__.CREATEOP=POST,"__ACCOUNT__.UPDATEOP=PATCH","__ACCOUNT__.SEARCHOP=GET","__ACCOUNT__.TESTOP=GET","__ACCOUNT__.__GROUP__.UPDATEOP=POST","__ACCOUNT__.manager.CREATEOP=PUT","__ACCOUNT__.manager.UPDATEOP=PUT","__ACCOUNT__.__ROLE__.UPDATEOP=POST","__ACCOUNT__.assignedLicenses.ADDATTRIBUTE=POST","__ACCOUNT__.assignedLicenses.REMOVEATTRIBUTE=POST","__ACCOUNT__.__OFFICEGROUP__.ADDATTRIBUTE=POST"

pageSize

The number of resources (users) that appear on a page for a search operation.

Default value: 100

pageTokenAttribute

The attribute in the response payload that denotes the next page token.

Default value: odata.nextLink

pageTokenRegex

This regular expression is applied during reconciliation to the value of the pageTokenAttribute to extract the token that is placed in the URL of the next page request, which is how pagination is supported.

Default value: (?<=skiptoken=).*

Any Incremental Recon Attribute Type

By default, during incremental reconciliation, Oracle Identity Governance accepts timestamp information sent from the target system only in Long datatype format. Setting the value of this parameter to True indicates that Oracle Identity Governance will accept timestamp information in any datatype format.

Default value: True

jsonResourcesTag

This entry holds the JSON tag that is used during reconciliation to parse multiple entries in a single payload.

Default value: __ACCOUNT__=value,"__GROUP__=value","__ROLE__=value","assignedLicenses=value","__OFFICEGROUP__=value"

httpHeaderContentType

This entry holds the content type expected by the target system in the header.

Default value: application/json

httpHeaderAccept

This entry holds the accept type expected from the target system in the header.

Default value: application/json

specialAttributeTargetFormat

This entry lists the format in which an attribute is present in the target system endpoint.

For example, the alias attribute will be present as aliases.alias in the target system endpoint. Values are comma separated and are in the following format: OBJ_CLASS.ATTR_NAME=TARGET_FORMAT

Default value: __ACCOUNT__.manager=id,"__GROUP__.member=url","__ROLE__.member=url","__ACCOUNT__.__GROUP__=value","__ACCOUNT__.__ROLE__=value","__ROLE__.member=value","__GROUP__.member=value","__ACCOUNT__.assignedLicenses=value","__ACCOUNT__.__OFFICEGROUP__=value"

specialAttributeHandling

This entry lists the special attributes whose values should be sent to the target system one by one ("SINGLE"). Values are comma separated and are in the following format:

OBJ_CLASS.ATTR_NAME.PROV_OP=SINGLE

For example, the __ACCOUNT__.manager.UPDATEOP=SINGLE value in decode implies that during an update provisioning operation, the values of the manager attribute of the __ACCOUNT__ object class must be sent to the target system one by one.

Default value: __ACCOUNT__.__GROUP__.CREATEOP=SINGLE,"__ACCOUNT__.__GROUP__.UPDATEOP=SINGLE","__ACCOUNT__.manager.CREATEOP=SINGLE","__ACCOUNT__.manager.UPDATEOP=SINGLE","__ACCOUNT__.__ROLE__.CREATEOP=SINGLE","__ACCOUNT__.__ROLE__.UPDATEOP=SINGLE","__ACCOUNT__.assignedLicenses.ADDATTRIBUTE=SINGLE","__ACCOUNT__.assignedLicenses.REMOVEATTRIBUTE=SINGLE","__ACCOUNT__.__OFFICEGROUP__.ADDATTRIBUTE=SINGLE","__ACCOUNT__.__OFFICEGROUP__.REMOVEATTRIBUTE=SINGLE"

customPayload

This entry lists the payloads for all operations that are not in the standard format.

Default value: __ACCOUNT__.__GROUP__.UPDATEOP={\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/$(__UID__)$\"}","__ACCOUNT__.__GROUP__.CREATEOP={\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/$(__UID__)$\"}","__ACCOUNT__.manager.CREATEOP={\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/$(manager)$\"}","__ACCOUNT__.manager.UPDATEOP={\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/$(manager)$\"}","__ACCOUNT__.__ROLE__.UPDATEOP={\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/$(__UID__)$\"}","__ACCOUNT__.__ROLE__.CREATEOP={\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/$(__UID__)$\"}","__ACCOUNT__.assignedLicenses.ADDATTRIBUTE={\"addLicenses\": [{\"skuId\": \"$(skuId)$\"}],\"removeLicenses\": []}","__ACCOUNT__.assignedLicenses.REMOVEATTRIBUTE={\"addLicenses\": [],\"removeLicenses\": [\"$(skuId)$\"]}","__ACCOUNT__.__OFFICEGROUP__.UPDATEOP={\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/$(__UID__)$\"}"

statusAttributes

This entry lists the name of the target system attribute that holds the status of an account. For example, for the __ACCOUNT__ object class that is used for User accounts, the status attribute is accountEnabled.

Default value: "__ACCOUNT__.accountEnabled"

passwordAttribute

This entry holds the name of the target system attribute that is mapped to the __PASSWORD__ attribute of the connector in OIM.

Default value: passwordProfile.password

targetObjectIdentifier

This entry specifies the key-value pairs for replacing placeholders in the relURIs. Values are comma separated and are in the KEY;VALUE format.

Default value: __ACCOUNT__.__GROUP__=securityEnabled;true,"__ACCOUNT__.__OFFICEGROUP__=securityEnabled;false","__ACCOUNT__.__ROLE__=@odata.type;#microsoft.graph.directoryRole"

childFieldsWithSingleEnd

This entry lists the special (child) attributes whose data is returned in a single endpoint response.

Default value: __GROUP__,"__ROLE__","__OFFICEGROUP__"
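The following Python is an added example (not code from Oracle or from the connector) showing how the uriPlaceHolder, relURIs, customPayload and pageTokenRegex settings described in Tables 3-1 and 3-2 fit together: it parses the quoted, comma-separated KEY=VALUE entry format, substitutes the $(name)$ placeholders, refuses to send a URL or payload with an unbound placeholder, and applies the pageTokenRegex to an odata.nextLink value. The entry-format rules, the HOST constant and every sample value (trimmed relURIs, SKU ID, next link) are assumptions constructed for the example.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample settings in the shape shown on the page, trimmed to a
# few entries. The first relURIs entry is left unquoted, as the page shows
# it, so the parser must accept both quoted and bare entries.
HOST = "graph.microsoft.com"                   # host parameter (assumed)
URI_PLACEHOLDER = "api_version;v1.0"           # uriPlaceHolder parameter
PAGE_SIZE = "100"                              # pageSize parameter
PAGE_TOKEN_REGEX = r"(?<=skiptoken=).*"        # pageTokenRegex parameter
REL_URIS = (
    '__ACCOUNT__.CREATEOP=/$(api_version)$/users,'
    '"__ACCOUNT__.UPDATEOP=/$(api_version)$/users/$(__UID__)$",'
    '"__ACCOUNT__.SEARCHOP=/$(api_version)$/users?$(Filter Suffix)$'
    '&$select=displayName,userPrincipalName,id&$top=$(PAGE_SIZE)$&$skiptoken=$(PAGE_TOKEN)$",'
    '"__ACCOUNT__.__GROUP__.DELETEOP=/$(api_version)$/groups/$(__GROUP__.id)$/members/$(__UID__)$/$ref"'
)
CUSTOM_PAYLOAD = (
    r'"__ACCOUNT__.assignedLicenses.ADDATTRIBUTE={\"addLicenses\": [{\"skuId\": \"$(skuId)$\"}],\"removeLicenses\": []}",'
    r'"__ACCOUNT__.assignedLicenses.REMOVEATTRIBUTE={\"addLicenses\": [],\"removeLicenses\": [\"$(skuId)$\"]}"'
)

# Matches $(name)$ only; the literal $select, $top and $ref in the URLs stay.
PLACEHOLDER = re.compile(r"\$\(([^)]+)\)\$")


def split_entries(setting: str) -> Dict[str, str]:
    """Parse a KEY=VALUE list (relURIs, customPayload, ...) into a dict.

    Assumed format, inferred from the default values on the page: entries are
    comma separated and normally double-quoted; commas and escaped quotes (\")
    inside a quoted entry belong to the value.
    """
    entries: List[str] = []
    buf: List[str] = []
    in_quote = False
    i = 0
    while i < len(setting):
        ch = setting[i]
        if ch == "\\" and i + 1 < len(setting):   # \" becomes a literal quote
            buf.append(setting[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
        elif ch == "," and not in_quote:
            entries.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if buf:
        entries.append("".join(buf))
    parsed: Dict[str, str] = {}
    for entry in entries:
        key, _, value = entry.strip().partition("=")   # split at the first '=' only
        parsed[key] = value
    return parsed


def parse_uri_placeholder(setting: str) -> Dict[str, str]:
    """uriPlaceHolder is a comma-separated list of KEY;VALUE pairs."""
    pairs: Dict[str, str] = {}
    for item in setting.split(","):
        key, _, value = item.strip().strip('"').partition(";")
        pairs[key] = value
    return pairs


def missing_placeholders(template: str, bindings: Dict[str, str]) -> List[str]:
    """Names of $(...)$ placeholders in template that have no binding."""
    return [m.group(1) for m in PLACEHOLDER.finditer(template) if m.group(1) not in bindings]


def resolve(template: str, bindings: Dict[str, str]) -> str:
    """Substitute every $(name)$; never emit a URL or payload with a literal placeholder."""
    missing = missing_placeholders(template, bindings)
    if missing:
        raise KeyError(f"unbound placeholders: {missing}")
    return PLACEHOLDER.sub(lambda m: bindings[m.group(1)], template)


def build_request_url(op_key: str, runtime: Dict[str, str]) -> str:
    """Full URL for a relURIs key: static uriPlaceHolder values plus runtime values."""
    bindings = {**parse_uri_placeholder(URI_PLACEHOLDER), "PAGE_SIZE": PAGE_SIZE, **runtime}
    return "https://" + HOST + resolve(split_entries(REL_URIS)[op_key], bindings)


def build_license_payload(op_key: str, sku_id: str) -> dict:
    """Render a customPayload entry for assignLicense and check it is valid JSON."""
    return json.loads(resolve(split_entries(CUSTOM_PAYLOAD)[op_key], {"skuId": sku_id}))


def next_page_token(next_link: Optional[str]) -> Optional[str]:
    """Apply pageTokenRegex to the pageTokenAttribute (odata.nextLink) value.

    The lookbehind keeps only what follows 'skiptoken='; because '.*' runs to
    the end of the string, any query parameter placed after it would be kept too.
    """
    if not next_link:
        return None          # last page: no nextLink in the response
    m = re.search(PAGE_TOKEN_REGEX, next_link)
    return m.group(0) if m else None
```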

3.3 Attribute Mappings

The attribute mappings on the Schema page vary depending on whether you are creating a target application or an authoritative application.

3.3.1 Attribute Mappings for the Target Application

The Schema page for a target application displays the default schema (provided by the connector) that maps Oracle Identity Governance attributes to target system attributes. The connector uses these mappings during reconciliation and provisioning operations.

Default Attributes for Azure AD Target Application

Table 3-3 lists the user-specific attribute mappings between the process form fields in Oracle Identity Governance and Azure AD target application attributes. The table also lists whether a specific attribute is used during provisioning or reconciliation and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-3 Default Attributes for Azure AD Target Application

Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Provision Field? | Recon Field? | Key Field? | Case Insensitive? | Advanced Flag Settings
Object Id | __UID__ | String | No | Yes | Yes | Yes | Yes | Yes
User Principal Name | __NAME__ | String | Yes | Yes | Yes | No | Not applicable | Yes
First Name | givenName | String | No | Yes | Yes | No | Not applicable | Yes
Last Name | surname | String | No | Yes | Yes | No | Not applicable | Yes
Display Name | displayName | String | Yes | Yes | Yes | No | Not applicable | Yes
Usage Location | usageLocation | String | No | Yes | Yes | No | Not applicable | Yes
City | city | String | No | Yes | Yes | No | Not applicable | Yes
Country | country | String | No | Yes | Yes | No | Not applicable | Yes
Manager | manager | String | No | Yes | Yes | No | Not applicable | Yes
Preferred Language | preferredLanguage | String | No | Yes | Yes | No | Not applicable | Yes
Mail NickName | mailNickname | String | Yes | Yes | Yes | No | Not applicable | Yes
Account Enabled | accountEnabled | String | No | Yes | Yes | No | Not applicable | Yes
AzureAD Server |  | Long | Yes | No | Yes | Yes | Not applicable | Yes
Status | __ENABLE__ | String | No | No | Yes | No | Not applicable | Yes
Password | __PASSWORD__ | String | No | Yes | No | No | Not applicable | Yes
Change Password On Next Logon | passwordProfile.forceChangePasswordNextLogin | String | No | Yes | No | No | Not applicable | Yes

Figure 3-1 shows the default User account attribute mappings.

Figure 3-1 Default Attribute Mappings for Azure AD User Account

This is a screenshot of the Schema page for a target application that displays the default attribute mappings for Azure AD User account.

Roles Entitlement

Table 3-4 lists the roles-specific attribute mappings between the process form fields in Oracle Identity Governance and Azure AD target application attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-4 Default Attribute Mappings for Roles

Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field? | Key Field? | Case Insensitive?
Role Name | __ROLE__~__ROLE__~id | String | No | Yes | Yes | No

Figure 3-2 shows the default roles entitlement mapping.

Figure 3-2 Default Attribute Mappings for Role

This is a screenshot of the Schema page for a target application that displays the default Role child attribute mapping.

Groups Entitlement

Table 3-5 and Table 3-6 list the group form attribute mappings between the process form fields in Oracle Identity Governance and Azure AD target application attributes. The tables list whether a given attribute is mandatory during provisioning, whether it is used during reconciliation, and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-5 Default Attribute Mappings for Security Groups Forms

Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field? | Key Field? | Case Insensitive?
Security Group Name | __GROUP__~__GROUP__~id | String | No | Yes | Yes | No

Figure 3-3 shows the default security group attribute mapping.

Figure 3-3 Default Attribute Mappings for Security Groups

This is a screenshot of the Schema page for a target application that displays the default Groups child attribute mapping.

Table 3-6 Default Attribute Mappings for Office Groups Forms

Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field? | Key Field? | Case Insensitive?
Office Group Name | __OFFICEGROUP__~__OFFICEGROUP__~id | String | No | Yes | Yes | No

Figure 3-4 shows the default office group attribute mapping.

Figure 3-4 Default Attribute Mappings for Office Groups

This is a screenshot of the Schema page for a target application that displays the default Office Groups child attribute mapping.

Licenses Entitlement

Table 3-7 lists the license attribute mappings between the process form fields in Oracle Identity Governance and Azure AD target application attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-7 Default Attribute Mappings for Licenses

Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field? | Key Field? | Case Insensitive?
License Name | assignedLicenses~assignedLicenses~skuId | String | No | Yes | Yes | No

Figure 3-5 shows the default license attribute mapping.

Figure 3-5 Default Attribute Mappings for Licenses

This is a screenshot of the Schema page for a target application that displays the default Licenses child attribute mapping.

3.3.2 Attribute Mappings for the Authoritative Application

The Schema page for an authoritative application displays the default schema (provided by the connector) that maps Oracle Identity Governance attributes to authoritative system attributes. The connector uses these mappings during reconciliation and provisioning operations.

Table 3-8 lists the user-specific attribute mappings between the process form fields in Oracle Identity Governance and Azure AD authoritative application attributes. The table also lists the data type of a given attribute and specifies whether it is a mandatory attribute for reconciliation.

If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating an Authoritative Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

You may use the default schema that has been set for you or update and change it before continuing to the next step.

The Organization Name, Xellerate Type, and Role identity attributes are mandatory fields on the OIG User form. They cannot be left blank during reconciliation. The target attribute mappings for these identity attributes are empty by default because there are no corresponding columns in the target system. Therefore, the connector provides default values (as listed in Table 3-8) that it can use during reconciliation. For example, the default target attribute value for the Organization Name attribute is Xellerate Users. This implies that the connector reconciles all target system user accounts into the Xellerate Users organization in Oracle Identity Governance. Similarly, the default attribute value for the Xellerate Type attribute is End-User, which implies that all reconciled user records are marked as end users.

Table 3-8 Default Attributes for Azure AD Authoritative Application

Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field? | Advanced Flag Settings | Default Value for Identity Display Name
User Login | __NAME__ | String | No | Yes | Yes | NA
Office365 GUID | __UID__ | String | No | Yes | Yes | NA
First Name | givenName | String | No | Yes | Yes | NA
Last Name | surname | String | No | Yes | Yes | NA
Display Name | displayName | String | No | Yes | Yes | NA
Locality Name | usageLocation | String | No | Yes | Yes | NA
Country | country | String | No | Yes | Yes | NA
Manager Login | manager | String | No | Yes | Yes | NA
usr_locale | preferredLanguage | String | No | Yes | Yes | NA
Xellerate Type |  | String | No | Yes | Yes | End-User
Role |  | String | No | Yes | Yes | Full-Time
Organization Name |  | String | No | Yes | Yes | Xellerate Users
Status | __ENABLE__ | String | No | Yes | Yes | NA

Figure 3-6 shows the default User account attribute mappings.

Figure 3-6 Default Attributes for Azure AD Authoritative Application

This is a screenshot of the Schema page for an authoritative application that displays the default attribute mappings for an Azure AD trusted account.

3.3.3 MS Teams Management

Table 3-9 lists the MS Teams attribute mappings between the process form fields in Oracle Identity Governance and MS Teams target application attributes. The table lists whether a given attribute is mandatory during provisioning, whether it is used during reconciliation, and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Default Attribute Mappings for MS Teams Group Assignment

Table 3-9 Default Attribute Mappings for Teams

Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field? | Key Field? | Case Insensitive?
Teams | __TEAMS__~__TEAMS__~id | String | No | Yes | Yes | No

Teams Group Assignment

Figure 3-7 and Figure 3-8 show the Microsoft Teams attribute mappings between the process form fields in Oracle Identity Governance and MS Teams target application attributes.

Figure 3-7 Provision Resource to Organization

This figure shows the steps for selecting the resource when provisioning a resource to an organization.

Figure 3-8 Process Data Provision Resource to Organization

This figure shows the steps for generating the process data from the AzureTeam group form.

3.4 Correlation Rules

Learn about the predefined rules, responses and situations for Target and Authoritative applications. The connector uses these rules and responses for performing reconciliation.

3.4.1 Correlation Rules for the Target Application

When you create a target application, the connector uses correlation rules to determine the identity to which Oracle Identity Governance must assign a resource.

Predefined Identity Correlation Rules

By default, the Azure AD connector provides a simple correlation rule when you create a target application. The connector uses this correlation rule to compare the entries in the Oracle Identity Governance repository and the target system repository, determine the difference between the two repositories, and apply the latest changes to Oracle Identity Governance.

Table 3-10 lists the default simple correlation rule for an Azure AD connector. If required, you can edit the default correlation rule or add new rules. You can create complex correlation rules also. For more information about adding or editing simple or complex correlation rules, see Updating Identity Correlation Rule in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-10 Predefined Identity Correlation Rule for an Azure AD Connector

Target Attribute Element | Operator | Identity Attribute | Case Sensitive?
__NAME__ | Equals | User Login | No

In this identity rule:
  • __NAME__ is a single-valued attribute on the target system that identifies the user account.

  • User Login is the field on the OIG User form.

Figure 3-9 shows the simple correlation rule for an Azure AD target application.

Figure 3-9 Simple Correlation Rule for an Azure AD Target Application

This is a screenshot of the Simple Correlation Rule when you create a target application for Azure AD.

Predefined Situations and Responses

The Azure AD connector provides a default set of situations and responses when you create a target application. These situations and responses specify the action that Oracle Identity Governance must take based on the result of a reconciliation event.

Table 3-11 lists the default situations and responses for an Azure AD target application. If required, you can edit these default situations and responses or add new ones. For more information about adding or editing situations and responses, see Updating Situations and Responses in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-11 Predefined Situations and Responses for an Azure AD Target Application

Situation | Response
No Matches Found | None
One Entity Match Found | Establish Link
One Process Match Found | Establish Link

Figure 3-10 shows the situations and responses that the connector provides by default for an Azure AD target application.

Figure 3-10 Predefined Situations and Responses for an Azure AD Target Application

This is a screenshot of the default situations and responses available for an Azure AD target application during reconciliation.

3.4.2 Correlation Rules for the Authoritative Application

When you create an authoritative application, the connector uses correlation rules to determine the identity that must be reconciled into Oracle Identity Governance.

Predefined Identity Correlation Rules

By default, the Azure AD connector provides a simple correlation rule when you create an authoritative application. The connector uses this correlation rule to compare the entries in the Oracle Identity Governance repository and the target system repository, determine the difference between the two repositories, and apply the latest changes to Oracle Identity Governance.

Table 3-12 lists the default simple correlation rule for an Azure AD connector. If required, you can edit the default correlation rule or add new rules. You can create complex correlation rules also. For more information about adding or editing simple or complex correlation rules, see Updating Identity Correlation Rule in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-12 Predefined Identity Correlation Rule for an Azure AD Authoritative Application

Authoritative Attribute Element | Operator | Identity Attribute | Case Sensitive?
__NAME__ | Equals | User Login | No
__UID__ | Equals | AzureAD GUID | No

Correlation rule element: (__NAME__ Equals User Login) OR (__UID__ Equals AzureAD GUID)

In the first correlation rule element:
  • User Login is the User ID field of the OIM User form.

  • __NAME__ is the unique login name of a user.

In the second correlation rule element:
  • AzureAD GUID is a UDF (user defined field) for mapping the target object ID to an OIM user.

  • __UID__ is the Object Id of an Azure AD user.

Rule operator: OR

Figure 3-11 shows the simple correlation rule for an Azure AD Authoritative application.

Figure 3-11 Simple Correlation Rule for an Azure AD Authoritative Application

This is a screenshot of the Simple Correlation Rule when you create an authoritative application for Azure AD.

Predefined Situations and Responses

The Azure AD connector provides a default set of situations and responses when you create an Authoritative application. These situations and responses specify the action that Oracle Identity Governance must take based on the result of a reconciliation event.

Table 3-13 lists the default situations and responses for an Azure AD Authoritative Application. If required, you can edit these default situations and responses or add new ones. For more information about adding or editing situations and responses, see Updating Situations and Responses in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-13 Predefined Situations and Responses for an Azure AD Authoritative Application

Situation Response

No Matches Found

Create User

One Entity Match Found

Establish Link

One Process Match Found

Establish Link

Figure 3-12 shows the situations and responses that the connector provides by default for an Azure AD authoritative application.

Figure 3-12 Predefined Situations and Responses for an Azure AD Authoritative Application

This is a screenshot of the default situations and responses available for an Azure AD authoritative application during reconciliation.
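The following is an added example, not code from the connector or from Oracle Identity Governance. It simulates how the predefined correlation rule and the situations and responses above work together: each reconciliation event is compared, case-insensitively, against every OIM User using the OR rule, the number of matches decides the situation, and the situation selects the response. The OimUser and ReconEvent shapes, the sample logins and GUIDs, and the treatment of an ambiguous multi-match event as no action are all assumptions made for this example; Table 3-13 does not define a response for that situation.

```python
"""Simulated identity correlation for an Azure AD authoritative application.

Added example, not connector code. Evaluates the predefined rule
(__NAME__ Equals User Login) OR (_UID_ Equals AzureAD GUID), both elements
case insensitive, against a list of OIM users and maps the outcome to the
predefined responses. Data shapes and sample values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class OimUser:
    user_login: str          # User ID field of the OIM User form
    azuread_guid: str = ""   # UDF "AzureAD GUID": target object id, empty until linked


@dataclass(frozen=True)
class ReconEvent:
    name: str   # __NAME__: unique login name of the Azure AD user
    uid: str    # _UID_: object id of the Azure AD user


# Responses from Table 3-13. "Multiple Entity Matches Found" has no predefined
# response on this page; this example treats it as no action (assumption) so
# that an ambiguous event never silently creates or links a user.
RESPONSES = {
    "No Matches Found": "Create User",
    "One Entity Match Found": "Establish Link",
    "Multiple Entity Matches Found": "None",
}


def _equals_ci(left: str, right: str) -> bool:
    """Case-insensitive Equals. Two empty values never match, so an OIM user
    whose AzureAD GUID UDF is still empty cannot match an event with no uid."""
    return bool(left) and bool(right) and left.casefold() == right.casefold()


def rule_matches(event: ReconEvent, user: OimUser) -> bool:
    """Rule operator OR: either element alone is enough for a match."""
    return (_equals_ci(event.name, user.user_login)
            or _equals_ci(event.uid, user.azuread_guid))


def correlate(event: ReconEvent, users: list) -> tuple:
    """Return (situation, response, matched users) for one reconciliation event."""
    hits = [u for u in users if rule_matches(event, u)]
    if not hits:
        situation = "No Matches Found"
    elif len(hits) == 1:
        situation = "One Entity Match Found"
    else:
        situation = "Multiple Entity Matches Found"
    return situation, RESPONSES[situation], hits


# Constructed sample data: the GUIDs are made up, not real tenant object ids.
SAMPLE_USERS = [
    OimUser("jdoe", "11111111-2222-3333-4444-555555555555"),
    OimUser("asmith"),  # created manually in OIG, no GUID yet
]


def run_sample() -> list:
    """Correlate four constructed events and return (name, situation, response)."""
    events = [
        ReconEvent("JDOE", "99999999-9999-9999-9999-999999999999"),     # login matches, GUID does not
        ReconEvent("a.smith", "11111111-2222-3333-4444-555555555555"),  # GUID matches jdoe only
        ReconEvent("ASMITH", "11111111-2222-3333-4444-555555555555"),   # login -> asmith, GUID -> jdoe
        ReconEvent("newhire", "abcdefab-0000-0000-0000-000000000001"),  # unknown user
    ]
    return [(e.name, *correlate(e, SAMPLE_USERS)[:2]) for e in events]


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

The third event is the case worth noticing: because the rule operator is OR, an event whose login matches one OIM User while its GUID matches another produces two entity matches, and neither Create User nor Establish Link is applied. If you add rule elements or change the operator, re-check which combinations of stale logins and reused GUIDs can produce that outcome before running a trusted reconciliation against production.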

3.5 Reconciliation Jobs

These are the reconciliation jobs that are automatically created in Oracle Identity Governance after you create the application.

User Reconciliation Jobs

You can either use these predefined jobs or edit them to meet your requirements. Alternatively, you can create custom reconciliation jobs. For information about editing these predefined jobs or creating new ones, see Updating Reconciliation Jobs in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

The following reconciliation jobs are available for reconciling user data:

  • Azure AD Full User Reconciliation: Use this reconciliation job to reconcile user data from a target application.
  • Azure AD User Trusted Reconciliation: Use this reconciliation job to reconcile user data from an authoritative application.

Table 3-14 describes the parameters of the Azure AD Full User Reconciliation job.

Table 3-14 Parameters of the Azure AD Full User Reconciliation Job

Parameter Description

Application name

Name of the AOB application with which the reconciliation job is associated. This value is the same as the value that you provided for the Application Name field while creating your target application.

Do not change the default value.

Latest Token

This parameter holds the value of the target system attribute that is specified as the value of the Incremental Recon Attribute parameter. The Latest Token parameter is used for internal purposes. By default, this value is empty.

Note: Do not enter a value for this parameter. The reconciliation engine automatically enters a value in this parameter.

Sample value: <String>2017-11-30T04:44:29Z</String>

Object Type

This parameter holds the name of the object type for the reconciliation run.

Default value: User

Do not change the default value.

Filter Suffix

Enter the search filter for fetching user records from the target system during a reconciliation run.

Sample value when incremental recon is enabled: $filter=startswith(displayName,'user1')

Sample value when incremental recon is not enabled: &$filter=startswith(displayName,'user1')

For more information about creating filters, see Performing Limited Reconciliation.

Scheduled Task Name

Name of the scheduled task used for reconciliation.

Do not modify the value of this parameter.

Incremental Recon Attribute

Enter the name of the target system attribute that holds the timestamp at which a user record was last modified. The reconciliation engine stores the latest value of this attribute that it fetched during a run in the Latest Token parameter.

Table 3-15 describes the parameters of Azure AD User Trusted Reconciliation job.

Table 3-15 Parameters of the Azure AD User Trusted Reconciliation Job

Parameter Description

Application name

Name of the AOB application with which the job is associated. This value is the same as the value that you provided for the Application Name field while creating your authoritative application.

Do not modify this value.

Filter Suffix

Enter the search filter for fetching user records from the target system during a reconciliation run.

Sample value: $filter=startswith(displayName,'user1')

For more information about creating filters, see Performing Limited Reconciliation.

Incremental Recon Attribute

Enter the name of the target system attribute that holds the timestamp at which a user record was last modified.

Latest Token

This parameter holds the value of the attribute that is specified as the value of the Incremental Recon Attribute attribute. The Latest Token parameter is used for internal purposes. By default, this value is empty.

Note: If an appropriate Incremental Recon Attribute has been specified, then do not enter a value for this parameter. The reconciliation engine automatically enters a value in this parameter.

Sample value: <String>2017-11-30T04:44:29Z</String>

Object Type

This parameter holds the name of the object type for the reconciliation run.

Default value: User

Note: Do not change the default value.

Scheduled Task Name

Name of the scheduled task used for reconciliation.

Do not modify the value of this parameter.
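The following is an added example, not connector code, for the Incremental Recon Attribute, Latest Token and Filter Suffix parameters of the two user reconciliation jobs above. It simulates a full run (empty token), an incremental run (token set) and a limited run (Filter Suffix set), and shows how the token advances. The attribute name lastModifiedDateTime, the record layout and the timestamps are constructed for this example, and the filter evaluator understands only the startswith(attr,'value') form used by the sample Filter Suffix values on this page.

```python
"""Simulated full and incremental user reconciliation with a Latest Token.

Added example, not connector code. A run with an empty token processes
every record; a run with a token processes only records modified at or
after the token; the token advances to the newest timestamp actually
processed. Attribute name, record shapes and timestamps are constructed.
"""
import re
from datetime import datetime, timezone

_STARTSWITH = re.compile(r"^&?\$filter=startswith\((\w+),'([^']*)'\)$")
_TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_filter_suffix(suffix: str):
    """Return a predicate for a Filter Suffix (match-all when empty).
    Unsupported syntax raises instead of being ignored, so a typo in the
    suffix cannot silently widen a limited run into a full one."""
    if not suffix or not suffix.strip():
        return lambda rec: True
    m = _STARTSWITH.match(suffix.strip())
    if m is None:
        raise ValueError(f"unsupported filter suffix: {suffix!r}")
    attr, prefix = m.group(1), m.group(2)
    return lambda rec: str(rec.get(attr, "")).startswith(prefix)


def _parse_ts(value: str) -> datetime:
    return datetime.strptime(value, _TS_FORMAT).replace(tzinfo=timezone.utc)


def format_token(ts: datetime) -> str:
    """Latest Token as the job stores it, e.g. <String>2017-11-30T04:44:29Z</String>."""
    return "<String>" + ts.strftime(_TS_FORMAT) + "</String>"


def parse_token(token: str):
    """Accept the wrapped form or a bare timestamp; empty means a full run."""
    if not token or not token.strip():
        return None
    m = re.fullmatch(r"<String>(.*)</String>", token.strip())
    return _parse_ts(m.group(1) if m else token.strip())


def reconcile(records: list, incremental_attr: str,
              latest_token: str = "", filter_suffix: str = "") -> tuple:
    """Return (records to reconcile, new Latest Token value).

    Records stamped exactly at the token are processed again on purpose: a
    run may have ended part way through a second in which several records
    changed, and reconciliation is idempotent, so re-processing a tie is
    cheaper than losing a change."""
    keep = parse_filter_suffix(filter_suffix)
    since = parse_token(latest_token)
    newest = since
    selected = []
    for rec in records:
        ts = _parse_ts(rec[incremental_attr])
        if since is not None and ts < since:
            continue            # covered by an earlier run
        if not keep(rec):
            continue            # excluded by the Filter Suffix
        selected.append(rec)
        if newest is None or ts > newest:
            newest = ts         # the token only advances over processed records
    return selected, (format_token(newest) if newest is not None else "")


# Constructed sample records (not real tenant data); the timestamp attribute
# name is an assumption standing in for whatever Incremental Recon Attribute
# is configured on the job.
SAMPLE_RECORDS = [
    {"displayName": "user1a", "userPrincipalName": "user1a@example.com",
     "lastModifiedDateTime": "2017-11-30T04:44:29Z"},
    {"displayName": "user2", "userPrincipalName": "user2@example.com",
     "lastModifiedDateTime": "2017-12-01T10:00:00Z"},
    {"displayName": "user1b", "userPrincipalName": "user1b@example.com",
     "lastModifiedDateTime": "2017-12-02T08:15:00Z"},
]


if __name__ == "__main__":
    sel, token = reconcile(SAMPLE_RECORDS, "lastModifiedDateTime")
    print(len(sel), "records in the full run, token now", token)
    later = SAMPLE_RECORDS + [{"displayName": "user3",
                               "userPrincipalName": "user3@example.com",
                               "lastModifiedDateTime": "2017-12-03T09:00:00Z"}]
    sel, token = reconcile(later, "lastModifiedDateTime", latest_token=token)
    print([r["displayName"] for r in sel], "in the incremental run, token now", token)
```

Two design choices matter operationally. The token is advanced only over records that were actually selected, so a limited run with a Filter Suffix cannot move the token past changes it never looked at. And records stamped exactly at the token are re-processed rather than skipped; if you tighten that to a strict comparison, make sure a run can never end between two records that share a timestamp, or those changes are lost until the next full reconciliation.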

Target Delete User Reconciliation Job

The Azure AD User Target Delete Recon job is used to reconcile data about deleted users from a target application. During a reconciliation run, for each deleted user account on the target system, the Azure AD resource is revoked for the corresponding OIM User.

Table 3-16 Parameters of the AzureAD Target User Delete Reconciliation Job

Parameter Description

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Do not modify this value.

Object Type

This parameter holds the type of object you want to reconcile.

Default value: User

Note: If you configure the connector to provision users to a custom class (for example, InetOrgPerson) then enter the value of the object class here.

Trusted Delete User Reconciliation Job

The Azure AD User Trusted Delete Recon job is used to reconcile data about deleted users from an Authoritative application. During a reconciliation run, for each deleted target system user account, the corresponding OIM User is deleted.

Table 3-17 Parameters of the AzureAD Trusted User Delete Reconciliation Job

Parameter Description

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your authoritative application.

Do not modify this value.

Object Type

This parameter holds the type of object you want to reconcile.

Default value: User

Note: If you configure the connector to provision users to a custom class (for example, InetOrgPerson) then enter the value of the object class here.
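The following is an added example, not connector code, for the two delete reconciliation jobs above. Given the Azure AD object IDs that Oracle Identity Governance has linked to OIM Users and the IDs still present on the target system, it computes which accounts were deleted and the response each job applies: the Azure AD User Target Delete Recon job revokes the Azure AD resource, the Azure AD User Trusted Delete Recon job deletes the OIM User. The limit on how much of the linked population one run may delete is an added safeguard, not a job parameter, and the sample IDs are constructed.

```python
"""Simulated target and trusted delete reconciliation for Azure AD.

Added example, not connector code. Computes deleted accounts from the
difference between OIG's linked object ids and the target listing, and
applies the job-specific response. The delete-fraction guard is an added
safeguard (assumption), not a connector parameter; sample ids are made up.
"""


class ReconAborted(RuntimeError):
    """Raised when the target listing looks too incomplete to act on."""


RESPONSE = {
    "target": "Revoke Azure AD resource",   # target application: account goes, OIM User stays
    "trusted": "Delete OIM User",           # authoritative application: the OIM User is deleted
}


def find_deleted(linked: dict, target_ids) -> list:
    """Object ids linked in OIG that no longer appear on the target.
    Ids are compared case-insensitively, as the correlation rule compares them."""
    present = {i.casefold() for i in target_ids}
    return [oid for oid in linked if oid.casefold() not in present]


def plan_delete_recon(job: str, linked: dict, target_ids,
                      max_delete_fraction: float = 0.25) -> list:
    """Return (response, OIM user login, object id) tuples for one run.

    A delete run trusts the completeness of the target listing: an empty or
    truncated listing (expired token, throttling, a paging bug) would
    otherwise look like a mass deletion. Refusing to delete more than
    max_delete_fraction of the linked population in one run (assumption;
    tune it for the tenant) turns that failure into an alert, not a purge."""
    if job not in RESPONSE:
        raise ValueError(f"unknown job type: {job!r}")
    if not linked:
        return []
    if not target_ids:
        raise ReconAborted("target returned no users; refusing to treat that as mass deletion")
    deleted = find_deleted(linked, target_ids)
    if len(deleted) / len(linked) > max_delete_fraction:
        raise ReconAborted(
            f"{len(deleted)} of {len(linked)} linked accounts missing; "
            "above the limit, manual review required")
    return [(RESPONSE[job], linked[oid], oid) for oid in deleted]


# Constructed sample: Azure AD object id -> OIM user login.
SAMPLE_LINKED = {
    "11111111-2222-3333-4444-555555555555": "jdoe",
    "66666666-7777-8888-9999-000000000000": "asmith",
    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": "bwong",
    "12345678-1234-1234-1234-123456789abc": "clee",
}

# Constructed target listing: asmith's account is gone, bwong's id is
# returned in a different case to show the comparison is case-insensitive.
SAMPLE_TARGET_IDS = [
    "11111111-2222-3333-4444-555555555555",
    "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE",
    "12345678-1234-1234-1234-123456789abc",
]


if __name__ == "__main__":
    for job in ("target", "trusted"):
        print(job, plan_delete_recon(job, SAMPLE_LINKED, SAMPLE_TARGET_IDS))
```

The asymmetry between the two jobs is the point to keep in mind when scheduling them: a wrong result from the target delete job leaves the OIM User in place with a revoked resource that can be re-provisioned, while a wrong result from the trusted delete job removes the OIM User and everything provisioned through it. Run the trusted job with a guard of this kind, or at least with alerting on the number of deletions per run.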

Reconciliation Jobs for Entitlements

The following jobs are available for reconciling entitlements:
  • AzureAD Office Groups Lookup Reconciliation

  • AzureAD Security Groups Lookup Reconciliation

  • AzureAD Licenses Lookup Reconciliation

  • AzureAD Roles Lookup Reconciliation

  • AzureAD Manager Lookup Reconciliation

  • AzureAD Teams Lookup Reconciliation

    Note:

    The Teams support is applicable from 12.2.1.3.0B.

The parameters for all the reconciliation jobs are the same.

Table 3-18 Parameters of the Reconciliation Jobs for Entitlements

Parameter Description

Application Name

Current AOB application name with which the reconciliation job is associated.

Default value: AzureAD

Do not modify this value.

Code Key Attribute

Name of the connector attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute).

Default value: __UID__

Do not modify this value.

Decode Attribute

Name of the connector attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute).

Default value: __NAME__

Lookup Name

Enter the name of the lookup definition in Oracle Identity Governance that must be populated with values fetched from the target system.

Depending on the Reconciliation job that you are using, the default values are as follows:

  • For AzureAD Office Groups Lookup Reconciliation: Lookup.AzureAD.OfficeGroups

  • For AzureAD Security Groups Lookup Reconciliation: Lookup.AzureAD.SecurityGroups

  • For AzureAD Licenses Lookup Reconciliation: Lookup.AzureAD.Licenses

  • For AzureAD Roles Lookup Reconciliation: Lookup.AzureAD.Roles

  • For AzureAD Manager Lookup Reconciliation: Lookup.AzureAD.Manager

  • For AzureAD Teams Lookup Reconciliation: Lookup.Teams.TeamsGroup

    Note:

    The Teams support is applicable from 12.2.1.3.0B.

If you create a copy of any of these lookup definitions, then enter the name of that new lookup definition as the value of the Lookup Name attribute.

Object Type

Enter the type of object you want to reconcile.

Depending on the reconciliation job that you are using, the default values are as follows:

  • For AzureAD Office Groups Lookup Reconciliation: __OFFICEGROUP__

  • For AzureAD Security Groups Lookup Reconciliation: __GROUP__

  • For AzureAD Licenses Lookup Reconciliation: __LICENSE__

  • For AzureAD Roles Lookup Reconciliation: __ROLE__

  • For AzureAD Manager Lookup Reconciliation: __USER__

  • For AzureAD Teams Lookup Reconciliation: __TEAMS__

    Note:

    The Teams support is applicable from 12.2.1.3.0B.

Do not change the value of this parameter.