1 About the Connector

The Amazon Web Services connector integrates Oracle Identity Governance with the Amazon Web Services target system.

The following topics provide a high-level overview of the Amazon Web Services connector:

1.1 Introduction to the Connector

Oracle Identity Governance is a centralized identity management solution that provides self-service, compliance, provisioning, and password management services for applications residing on-premises or in the cloud. Oracle Identity Governance connectors are used to integrate Oracle Identity Governance with external identity-aware applications.

The Amazon Web Services connector lets you create and onboard AWS (Amazon Web Services) applications in Oracle Identity Governance.

Note:

In this guide, the connector that is deployed using the Applications option on the Manage tab of Identity Self Service is referred to as an AOB application.

From Oracle Identity Governance release 12.2.1.3.0 onward, connector deployment is handled using the application onboarding capability of Oracle Identity Self Service. This capability lets business users onboard applications with minimum details and effort. The connector installation package includes a collection of predefined templates (XML files) that contain all the information required for provisioning and reconciling data from a given application or target system. These templates also include basic connectivity and configuration details specific to your target system. The connector uses information from these predefined templates, allowing you to onboard your applications quickly and easily through a single, simplified UI.

Application onboarding is the process of registering or associating an application with Oracle Identity Governance and making that application available for provisioning and reconciliation of user information.

Note:

In some places in this guide, Amazon Web Services is referred to as the target system.

1.2 Certified Components

These are the software components and their versions required for installing and using the Amazon Web Services connector.

Table 1-1 Certified Components

Component                       Requirement for AOB Application

Oracle Identity Governance      You can use any one of the following releases:
                                  • Oracle Identity Governance 12c PS3 (12.2.1.3.0)
                                  • Oracle Identity Governance 12c PS4 (12.2.1.4.0)

Oracle Identity Governance JDK  JDK 1.8 and later

Target systems                  AWS SDK for Java API Reference - 2.13.76

Connector Server                11.1.2.1.0 or 12.2.1.3.0

Connector Server JDK            JDK 1.8 and later

1.3 Usage Recommendation

This is the recommended Amazon Web Services connector version to deploy and use, depending on the Oracle Identity Governance or Oracle Identity Manager version that you are using.

If you are using Oracle Identity Governance 12c (12.2.1.3.0) or later, then use the latest 12.2.1.x version of this connector. Deploy the connector using the Applications option on the Manage tab of Identity Self Service.

1.4 Certified Languages

These are the languages that the connector supports.

  • Arabic
  • Chinese (Simplified)
  • Chinese (Traditional)
  • Czech
  • Danish
  • Dutch
  • English
  • Finnish
  • French
  • French (Canadian)
  • German
  • Greek
  • Hebrew
  • Hungarian
  • Italian
  • Japanese
  • Korean
  • Norwegian
  • Polish
  • Portuguese
  • Portuguese (Brazilian)
  • Romanian
  • Russian
  • Slovak
  • Spanish
  • Swedish
  • Thai
  • Turkish

1.5 Supported Connector Operations

This is the list of operations that the connector supports for your target system.

Table 1-2 Supported Connector Operations

Operation                           Supported

User Management
  Create user                       Yes
  Update user                       Yes
  Enable user                       Yes
  Disable user                      Yes
  Delete user                       Yes
  Reset Password                    Yes

Policy Management
  Add and Remove Policies to Users  Yes

Group Management
  Add and Remove Groups to Users    Yes

Tag Management
  Add and Remove Tags to Users      Yes

1.6 Connector Architecture

The Amazon Web Services connector is implemented by using the Identity Connector Framework (ICF).

ICF is a component that is required in order to use identity connectors. ICF provides basic reconciliation and provisioning operations that are common to all Oracle Identity Governance connectors. In addition, ICF provides common features that developers would otherwise need to implement on their own, such as buffering, timeouts, and filtering. ICF is distributed together with Oracle Identity Governance. Therefore, you do not need to configure or modify ICF.

Figure 1-1 shows the architecture of the Amazon Web Services connector.

Figure 1-1 Connector Architecture


The connector is configured to run in account management mode. Account management is also known as target resource management. In this mode, the target system is used as a target resource and the connector enables the following operations:

  • Provisioning

    Provisioning involves creating, updating, or deleting users on the target system through Oracle Identity Governance. During provisioning, the adapters invoke an ICF operation; ICF in turn invokes the create operation on the Amazon Web Services Identity Connector Bundle, and the bundle calls the Amazon Web Services SDK to perform the provisioning operation. The SDK accepts provisioning data from the bundle, carries out the required operation on the target system, and returns the target system's response to the bundle, which passes it to the adapters.

  • Target resource reconciliation

    During reconciliation, a scheduled task invokes an ICF operation. ICF in turn invokes a search operation on the Amazon Web Services Identity Connector Bundle, and the bundle calls the Amazon Web Services SDK to perform the reconciliation operation. The SDK extracts the user records that match the reconciliation criteria and hands them, through the bundle and ICF, back to the scheduled task, which brings the records into Oracle Identity Governance.

    Each record fetched from the target system is compared with the Amazon Web Services resources that are already provisioned to OIM Users. If a match is found, then the updates made to the record on the target system are copied to the Amazon Web Services resource in Oracle Identity Governance. If no match is found, then the userPrincipalName of the record is compared with the User Login of each OIM User. If a match is found, then the data in the target system record is used to provision an Amazon Web Services resource to that OIM User.

See Also:

For more information about ICF, see Understanding the Identity Connector Framework in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

1.7 Supported Connector Features Matrix

This is the list of features supported by the AOB application.

Table 1-3 Supported Connector Features Matrix

Feature                                                         AOB Application

Full reconciliation                                             Yes
Incremental reconciliation                                      Yes
Limited reconciliation                                          Yes
Reconcile deleted user records                                  Yes
Provide secure communication to the target system through SSL   Yes
Use connector server                                            Yes
Clone applications or create new application instances          Yes
Transformation and validation of account data                   Yes
Support for pagination                                          Yes
Test connection                                                 Yes

1.8 Features of the Connector

The features of the connector include full and incremental reconciliation, limited reconciliation, transformation and validation of account data and so on.

1.8.1 Support for Full and Incremental Reconciliation

In full reconciliation, all records are fetched from the target system to Oracle Identity Governance. In incremental reconciliation, only records that are added or modified after the last reconciliation run are fetched into Oracle Identity Governance.

You can switch from incremental to full reconciliation at any time after you deploy the connector. See Performing Full Reconciliation and Incremental Reconciliation for more information on performing full and incremental reconciliation runs.

1.8.2 Support for Limited (Filtered) Reconciliation

You can reconcile records from the target system based on a specified filter criterion.

You can set a reconciliation filter as the value of the Filter Query attribute of the user reconciliation scheduled job. This filter specifies the subset of newly added and modified target system records that must be reconciled. The Filter Query attribute passes your filter to the target system's web services, which then return only the matching records.

See Performing Limited Reconciliation for more information on performing limited reconciliation.

1.8.3 Reconciliation of Deleted User Records

You can configure the connector for reconciliation of deleted user records. In target resource mode, if a user record is deleted on the target system, then the corresponding Amazon Web Services resource is revoked from the OIM User.

For information about the Delete User reconciliation job, see Reconciliation Jobs.
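The matching rules stated for target resource reconciliation in Connector Architecture and the revocation rule of this section, written out as an added Python model (it is not the connector's or Oracle's code). Using the IAM UserName as the target system key, detecting deletions from a full listing of IAM users, and the sample users and records are assumptions.

```python
# Added example, not connector or Oracle code: a plain-Python model of the
# reconciliation matching rules in this guide. Sample data is constructed and
# the IAM UserName is assumed to be the target system key.
from dataclasses import dataclass, field

@dataclass
class OimUser:
    user_login: str
    aws_resources: dict = field(default_factory=dict)  # keyed by IAM UserName

def reconcile_users(target_records, oim_users):
    """Return (action, user_login, key) for each fetched target record."""
    by_key = {key: u for u in oim_users for key in u.aws_resources}
    by_login = {u.user_login: u for u in oim_users}
    decisions = []
    for rec in target_records:
        key = rec["UserName"]
        owner = by_key.get(key)
        if owner is not None:
            # A provisioned resource matches: copy the target's changes onto it.
            owner.aws_resources[key] = dict(rec)
            decisions.append(("update", owner.user_login, key))
            continue
        # No resource matches: compare userPrincipalName with User Login and
        # provision a new resource to that OIM User on a hit.
        candidate = by_login.get(rec["userPrincipalName"])
        if candidate is not None:
            candidate.aws_resources[key] = dict(rec)
            decisions.append(("provision", candidate.user_login, key))
        else:
            decisions.append(("unmatched", None, key))
    return decisions

def reconcile_deleted(target_records, oim_users):
    """Revoke resources whose IAM user is absent from a full target listing."""
    live = {rec["UserName"] for rec in target_records}
    revoked = []
    for u in oim_users:
        for key in [k for k in u.aws_resources if k not in live]:
            del u.aws_resources[key]
            revoked.append(("revoke", u.user_login, key))
    return revoked

def demo():
    """Constructed sample: existing, new, unmatched and stale cases."""
    users = [OimUser("ALICE", {"alice": {"UserName": "alice"}}), OimUser("BOB"),
             OimUser("CAROL", {"carol": {"UserName": "carol"}})]
    fetched = [{"UserName": "alice", "userPrincipalName": "ALICE"},
               {"UserName": "bob", "userPrincipalName": "BOB"},
               {"UserName": "dave", "userPrincipalName": "DAVE"}]
    return reconcile_users(fetched, users), reconcile_deleted(fetched, users)
```

The second step only provisions when userPrincipalName equals an existing User Login, so an IAM user with no OIM counterpart (dave) is reported unmatched rather than silently created.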

1.8.4 Reconciliation of Lookup Definitions

You can configure the connector for reconciliation of groups and policies in the target system to be populated as entitlements in the lookup definitions on Oracle Identity Governance.

For detailed information about the jobs that are available for reconciling these entitlements, see Reconciliation Jobs.

1.8.5 Support for the Connector Server

Connector Server is one of the features provided by ICF. By using one or more connector servers, the connector architecture permits your application to communicate with externally deployed bundles.

A Java connector server is useful when you do not wish to execute a Java connector bundle in the same VM as your application. It can be beneficial to run a Java connector on a different host for performance improvements.

For information about installing, configuring, and running the Connector Server, and then installing the connector in a Connector Server, see Using an Identity Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

1.8.6 Transformation and Validation of Account Data

You can configure transformation and validation of account data that is brought into or sent from Oracle Identity Governance during reconciliation and provisioning operations by writing Groovy scripts while creating your application.

For more information, see Validation and Transformation of Provisioning and Reconciliation Attributes in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

1.8.7 Support for Cloning Applications and Creating Instance Applications

You can configure this connector for multiple installations of the target system by cloning applications or by creating instance applications.

When you clone an application, all the configurations of the base application are copied into the cloned application. When you create an instance application, it shares all configurations with the base application.

For more information about these configurations, see Cloning Applications and Creating an Instance Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

1.8.8 Secure Communication to the Target System

To provide secure communication to the target system, SSL is required.

You can configure SSL between Oracle Identity Governance and the Connector Server and between the Connector Server and the target system.

If you do not configure SSL, passwords can be transmitted over the network in clear text. For example, this problem can occur when you are creating a user or modifying a user's password.

For information on SSL, see Configuring SSL.

1.8.9 Configuring Action Scripts

You can configure Action Scripts by writing your own Groovy scripts while creating your application.

These scripts can be configured to run before or after the create, update, or delete account provisioning operations. For example, you can configure a script to run before every user creation operation.

For more information about configuring these scripts, see Configuring Action Scripts.

1.8.10 Support for Enabling and Disabling Accounts

Enabling a user account from Oracle Identity Governance makes both console access and programmatic access active in the target system if the enableProgrammaticAccess configuration parameter is set to true. Only console access is made active if the parameter is set to false.

Disabling a user account from Oracle Identity Governance deactivates both console access and programmatic access in the target system, irrespective of the value of the enableProgrammaticAccess configuration parameter. The account is also disabled in Oracle Identity Governance, which prevents the user from performing any operation.

Enabling and disabling the Oracle Identity Governance account status during a reconciliation operation: the Oracle Identity Governance account status is set to disabled if both console access and programmatic access are deactivated in the target system. If either console access or programmatic access is active, the account status is set to enabled.

Note:

For the disable and enable operations to work, the login profile of the AWS IAM user must be removed or created, respectively.
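The enable, disable and reconciliation status rules of this section, written out as an added Python model (not the connector's own code). Treating programmatic access as IAM access keys, and the user state and key ids used, are assumptions.

```python
# Added example, not connector or Oracle code: a model of the enable/disable
# and status rules stated in this section. "Programmatic access" is taken to
# mean IAM access keys; the user state and key ids below are constructed.
from dataclasses import dataclass, field

@dataclass
class IamUserState:
    has_login_profile: bool = False  # console access
    access_key_status: dict = field(default_factory=dict)  # key id -> status

    def console_active(self):
        return self.has_login_profile

    def programmatic_active(self):
        return any(s == "Active" for s in self.access_key_status.values())

def enable_account(state, enable_programmatic_access):
    """Enable from OIG: create the login profile; activate access keys only
    when the enableProgrammaticAccess configuration parameter is true."""
    state.has_login_profile = True
    if enable_programmatic_access:
        state.access_key_status = dict.fromkeys(state.access_key_status, "Active")
    return state

def disable_account(state):
    """Disable from OIG: remove the login profile and deactivate every key,
    irrespective of enableProgrammaticAccess."""
    state.has_login_profile = False
    state.access_key_status = dict.fromkeys(state.access_key_status, "Inactive")
    return state

def reconciled_status(state):
    """Account status set in OIG by reconciliation: Disabled only when both
    console and programmatic access are deactivated on the target."""
    active = state.console_active() or state.programmatic_active()
    return "Enabled" if active else "Disabled"

def scenarios():
    """Walk a constructed IAM user through the cases above."""
    user = IamUserState(False, {"AKIA-CONSTRUCTED": "Inactive"})
    out = {"initial": reconciled_status(user)}
    enable_account(user, enable_programmatic_access=False)
    out["enabled_console_only"] = (reconciled_status(user), user.programmatic_active())
    enable_account(user, enable_programmatic_access=True)
    out["enabled_both"] = (reconciled_status(user), user.programmatic_active())
    disable_account(user)
    out["disabled"] = reconciled_status(user)
    # Active keys without a login profile still reconcile as Enabled.
    out["keys_only"] = reconciled_status(IamUserState(False, {"AKIA-OTHER": "Active"}))
    return out
```

Note the asymmetry this shows: disabling always removes both kinds of access, but reconciliation reports an account enabled as long as one of them is still active on the target.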