3 Configuring the Connector

While creating a target application, you must configure the connection-related parameters that the connector uses to connect Oracle Identity Governance to your target system and perform connector operations. In addition, you can view and edit the attribute mappings between the process form fields in Oracle Identity Governance and target system columns, the predefined correlation rules, the situations and responses, and the reconciliation jobs.

3.1 Basic Configuration Parameters

These are the connection-related parameters that Oracle Identity Governance requires to connect to an Amazon Web Services application.

Note:

Unless specified, do not modify entries in the following table.

Table 3-1 Parameters in the Basic Configuration

Parameter | Mandatory? | Description

userName

Yes

Enter the user name of the target system that you create for performing connector operations.

Sample value: johndoe

accessKeyId

Yes

Enter the access key identifier (a unique string) issued by the authorization server to your client application during the registration process. You would have obtained the access key while configuring the newly registered application.

Sample value: AKIA33FL36M3OIF5C7N2

secretAccessKey

Yes

Enter the secret access key used to authenticate the identity of your client application. You obtained the secret access key while performing the procedure described in Configuring the Newly Added Application.

Sample value: HWuvCMIptAhT5YmBx8ee0GpVVkyMBWLmqxJcf621

proxyPassword

No

Enter the proxy password if you are using a proxy server to access the internet.

proxyHostPort

No

Enter the proxy host name or IP address and port if you are using a proxy server to access the internet.

Sample value: http://host:port

proxyUsername

No

Enter the proxy user name if you are using a proxy server to access the internet.
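The following is an added example, written for this page and not part of the connector, of a pre-flight check over the Basic Configuration values in Table 3-1 before they are saved in Oracle Identity Governance. The mandatory/optional split and the http://host:port form of proxyHostPort come from the table; the 20-character access key ID and 40-character secret shape are an assumption derived from the table's sample values, and the proxy host name is a constructed placeholder.

```python
from urllib.parse import urlsplit

# Constructed sample configuration. The key pair mirrors the sample values in
# Table 3-1; the proxy entries are made-up placeholders for this example.
SAMPLE_CONFIG = {
    "userName": "johndoe",
    "accessKeyId": "AKIA33FL36M3OIF5C7N2",
    "secretAccessKey": "HWuvCMIptAhT5YmBx8ee0GpVVkyMBWLmqxJcf621",
    "proxyHostPort": "http://proxy.example.internal:3128",
    "proxyUsername": "proxyuser",
    "proxyPassword": "proxy-secret",
}

# Mandatory parameters per Table 3-1
MANDATORY = ("userName", "accessKeyId", "secretAccessKey")


def check_basic_configuration(config):
    """Return a list of problems found in a Basic Configuration mapping (empty if clean)."""
    problems = []
    for name in MANDATORY:
        if not config.get(name):
            problems.append(f"{name}: mandatory parameter is missing or empty")

    # Shape checks are an assumption taken from the sample values, not a page rule.
    key_id = config.get("accessKeyId", "")
    if key_id and not (len(key_id) == 20 and key_id.isalnum() and key_id.isupper()):
        problems.append("accessKeyId: expected 20 upper-case alphanumeric characters (assumed format)")
    secret = config.get("secretAccessKey", "")
    if secret and len(secret) != 40:
        problems.append("secretAccessKey: expected 40 characters (assumed format)")

    proxy = config.get("proxyHostPort")
    if proxy:
        parts = urlsplit(proxy)
        try:
            port = parts.port          # raises ValueError for a non-numeric port
        except ValueError:
            port = None
        # Sample value form is http://host:port: scheme, host and port, nothing else
        if parts.scheme not in ("http", "https") or not parts.hostname or port is None:
            problems.append("proxyHostPort: expected the form http://host:port")
        if parts.username or parts.password:
            # Credentials belong in proxyUsername / proxyPassword, which OIG stores as
            # parameters; inside the URL they end up in connection logs and stack traces.
            problems.append("proxyHostPort: do not embed credentials in the proxy URL")
        if parts.path not in ("", "/") or parts.query or parts.fragment:
            problems.append("proxyHostPort: unexpected path, query or fragment")

    # Proxy credentials are optional, but half of a pair is a misconfiguration that
    # silently degrades to unauthenticated proxying or to no proxy at all.
    if config.get("proxyPassword") and not config.get("proxyUsername"):
        problems.append("proxyPassword: set without proxyUsername")
    if (config.get("proxyUsername") or config.get("proxyPassword")) and not proxy:
        problems.append("proxyUsername/proxyPassword: set without proxyHostPort")
    return problems


if __name__ == "__main__":
    for problem in check_basic_configuration(SAMPLE_CONFIG) or ["configuration looks consistent"]:
        print(problem)
```

Run the check against the exported parameter values before saving the application; an empty list means every Table 3-1 constraint that can be checked offline is satisfied.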

3.2 Advanced Settings Parameters

These are the configuration-related entries that the connector uses during reconciliation and provisioning operations.

Note:

  • Unless specified, do not modify entries in the following table.

  • All parameters in the following table are mandatory.

Table 3-2 Advanced Settings Parameters

Parameter Description

Bundle Name

This entry holds the name of the connector bundle.

Default value: org.identityconnectors.aws

Bundle Version

This entry holds the version of the connector bundle.

Default value: 12.3.0

Connector Name

This entry holds the name of the connector class.

Default value: org.identityconnectors.aws.AWSConnector

pageSize

Specify the number of objects to return in a page from the target system in a paged search.

Default value: 25

passwordLastUsed

Enter true to display the Last activity attribute value in the parent form.

Default value: False

region

Enter the Region for IAM and Organization.

Default value: aws-global

cloudTrailRegion

Enter the region of the CloudTrail service used for incremental reconciliation.

Default value: us-east-2

policyGroup

Enter true to fetch inherited policies.

Default value: False

changePasswordNextSignIn

Enter true to force password change on next login.

Default value: False

enableProgrammaticAccess

Enter true to enable the programmatic access.

Default value: False

timeZone

This parameter displays the Oracle Identity Manager timezone.

Default value: IST

3.3 Attribute Mappings

The Schema page for a target application displays the default schema (provided by the connector) that maps Oracle Identity Governance attributes to target system attributes. The connector uses these mappings during reconciliation and provisioning operations.

Default Attributes for Amazon Web Services Target Application

Table 3-3 lists the user-specific attribute mappings between the process form fields in Oracle Identity Governance and Amazon Web Services target application attributes. The table also lists whether a specific attribute is used during provisioning or reconciliation and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-3 Default Attributes for Amazon Web Services Target Application

Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Provision Field? | Recon Field? | Key Field? | Case Insensitive? | Advanced Flag Settings

User ID | __UID__ | String | No | No | Yes | No | No | Length:256

User Name | __NAME__ | String | Yes | Yes | Yes | Yes | No | Length:64

Password | __PASSWORD__ | String | No | Yes | No | No | No | Length:128

User ARN | UserARN | String | No | No | Yes | No | No | WriteBack; Length:2048

Last Activity | PasswordLastUsed | String | No | No | Yes | No | No | WriteBack; Length:256

Creation Time | CreateDate | String | No | No | Yes | No | No | WriteBack; Length:256

Path | Path | String | No | Yes | Yes | No | No | Length:512

Organization ARN | OrgARN | String | No | No | Yes | No | No | WriteBack; Length:2048

Organization Account Name | AccountOrgName | String | No | No | Yes | No | No | WriteBack; Length:50

Organization ID | OrgUnit | String | No | No | Yes | No | No | WriteBack; Length:50

Service Control Policies | ServiceControlPolicy | String | No | No | Yes | No | No | WriteBack; Length:256

Status | __ENABLE__ | String | No | No | Yes | No | No | WriteBack; Length:256

Programmatic Access Status | ProgrammaticAccessStatus | Boolean | No | No | Yes | No | No | WriteBack

IT Resource Name |  | Long | No | No | Yes | No | No |

Table 3-3 shows the default User account attribute mappings.

Figure 3-1 Default Attribute Mappings for Amazon Web Services User Account

This is a screenshot of the Schema page for a target application that displays the default attribute mappings for Amazon Web Services User account

Note:

Ensure that the path begins and ends with /.

Default value: /

Example: /Oracle/
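The following is an added example, written for this page rather than taken from the connector, that applies the constraints of Table 3-3 and the Path note to a provisioning request before it reaches the target: the mandatory flag on __NAME__, the Length limits, the rule that reconciliation-only (Provision Field? No) attributes cannot be provisioned, and the requirement that Path begins and ends with /. The schema dictionary is transcribed from the table; the request values are constructed.

```python
# Default user attribute mappings from Table 3-3, keyed by target attribute:
# (Provision Field?, Mandatory Provisioning Property?, Length from Advanced Flag Settings)
USER_SCHEMA = {
    "__UID__": (False, False, 256),
    "__NAME__": (True, True, 64),
    "__PASSWORD__": (True, False, 128),
    "UserARN": (False, False, 2048),
    "PasswordLastUsed": (False, False, 256),
    "CreateDate": (False, False, 256),
    "Path": (True, False, 512),
    "OrgARN": (False, False, 2048),
    "AccountOrgName": (False, False, 50),
    "OrgUnit": (False, False, 50),
    "ServiceControlPolicy": (False, False, 256),
    "__ENABLE__": (False, False, 256),
    "ProgrammaticAccessStatus": (False, False, None),   # Boolean, no length flag
}

DEFAULT_PATH = "/"   # default value given in the Path note


def validate_provisioning_request(attrs):
    """Return the list of schema violations in a create/update request (empty if valid)."""
    problems = []

    # Mandatory provisioning properties must be present and non-empty
    for name, (_, mandatory, _) in USER_SCHEMA.items():
        if mandatory and not attrs.get(name):
            problems.append(f"{name}: mandatory provisioning property is missing")

    for name, value in attrs.items():
        if name not in USER_SCHEMA:
            problems.append(f"{name}: not in the default schema")
            continue
        provision, _, length = USER_SCHEMA[name]
        if not provision:
            # WriteBack attributes are populated by reconciliation only
            problems.append(f"{name}: reconciliation-only field (Provision Field? No), cannot be provisioned")
        if length is not None and len(str(value)) > length:
            problems.append(f"{name}: exceeds Length:{length}")

    # Path note: the value must begin and end with /; "/" is the default
    path = str(attrs.get("Path", DEFAULT_PATH))
    if not (path.startswith("/") and path.endswith("/")):
        problems.append("Path: must begin and end with /")
    return problems


if __name__ == "__main__":
    # Constructed request: a user in the example path from the note
    print(validate_provisioning_request({"__NAME__": "johndoe", "Path": "/Oracle/"}))
    print(validate_provisioning_request({"__NAME__": "johndoe", "Path": "Oracle"}))
```

Rejecting a malformed Path locally is cheaper than letting the target reject it, and the reconciliation-only check stops a customised form from attempting to write ARN, status or organization fields that the target derives itself.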

Groups Attribute

Table 3-4 lists the group form attribute mappings between the process form fields in Oracle Identity Governance and Amazon Web Services target application attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-4 Default Attribute Mappings for Groups

Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field? | Key Field? | Case Insensitive? | Entitlement | Advanced Settings

Group | __GROUP__~__GROUP__~GroupName | String | Yes | Yes | Yes | No | True | List of Values: Lookup.AWS.Group; Length:256

Figure 3-2 shows the default attribute groups mapping.

Figure 3-2 Default Attribute Mappings for Groups

This is a screenshot of the Schema page for a target application that displays the default Groups child attribute mapping.

Policies Attribute

Table 3-5 lists the policy attribute mappings between the process form fields in Oracle Identity Governance and Amazon Web Services target application attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-5 Default Attribute Mappings for Policies

Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field? | Key Field? | Case Insensitive? | Entitlement | Advanced Settings

Policy name | __POLICIES__~__POLICIES__~policyName | String | Yes | Yes | Yes | No | True | List of Values: Lookup.AWS.Policy; Length:256

Policy type | __POLICIES__~__POLICIES__~policyType | String | No | Yes | Yes | No |  | Length:256

Figure 3-3 shows the default attribute policy mapping.

Figure 3-3 Default Attribute Mappings for Policies

This is a screenshot of the Schema page for a target application that displays the default policy child attribute mapping.

Tags Attribute

Table 3-6 lists the tag attribute mappings between the process form fields in Oracle Identity Governance and Amazon Web Services target application attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-6 Default Attribute Mappings for Tags

Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field? | Key Field? | Case Insensitive? | Advanced Settings

Tag key | __TAGS__~__TAGS__~tagskey | String | Yes | Yes | Yes | No | Length:256

Tag value | __TAGS__~__TAGS__~tagsvalue | String | Yes | Yes | No | No | Length:256

Figure 3-4 shows the default attribute tag mapping.

Figure 3-4 Default Attribute Mappings for Tags

This is a screenshot of the Schema page for a target application that displays the default tag child attribute mapping.

Inline Policy Attribute

Table 3-7 lists the inline policy attribute mappings between the process form fields in Oracle Identity Governance and Amazon Web Services target application attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.

If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-7 Default Attribute Mappings for Inline Policies

Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field? | Key Field? | Case Insensitive? | Advanced Settings

Policy Name | __INLINEPOLICIES__~__INLINEPOLICIES__~InlinePolicyName | String | Yes | Yes | Yes | No | Length:256

Policy type | __INLINEPOLICIES__~__INLINEPOLICIES__~InlinePolicyType | String | No | Yes | Yes | No | Length:256

Figure 3-5 shows the default attribute inline policy mapping.

Figure 3-5 Default Attribute Mappings for Inline Policies

This is a screenshot of the Schema page for a target application that displays the default inline policy child attribute mapping.

3.4 Correlation Rules, Situations, and Responses for a Target Application

When you create a Target application, the connector uses correlation rules to determine the identity to which Oracle Identity Governance must assign a resource.

Predefined Identity Correlation Rules

By default, the Amazon Web Services connector provides a simple correlation rule when you create a target application. The connector uses this correlation rule to compare the entries in Oracle Identity Governance repository and the target system repository, determine the difference between the two repositories, and apply the latest changes to Oracle Identity Governance.

Table 3-8 lists the default simple correlation rule for the Amazon Web Services connector. If required, you can edit the default correlation rule or add new rules. You can also create complex correlation rules. For more information about adding or editing simple or complex correlation rules, see Updating Identity Correlation Rule in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-8 Predefined Identity Correlation Rule for an Amazon Web Services Target Application

Target Attribute | Element Operator | Identity Attribute | Case Sensitive? | Rule Operator

__NAME__ | Equals | User Login | No |

In this identity rule:
  • __NAME__ is a single-valued attribute on the target system that identifies the user account.

  • User Login is the field on the OIG User form.

Figure 3-6 shows the simple correlation rule for an Amazon Web Services target application.

Figure 3-6 Simple Correlation Rule for an Amazon Web Services Target Application

This is a screenshot of the default situations and responses available for Amazon Web Service connector application during reconciliation.

Predefined Situations and Responses

The Amazon Web Services connector provides a default set of situations and responses when you create a target application. These situations and responses specify the action that Oracle Identity Governance must take based on the result of a reconciliation event.

Table 3-9 lists the default situations and responses for Amazon Web Services target application. If required, you can edit these default situations and responses or add new ones. For more information about adding or editing situations and responses, see Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-9 Predefined Situations and Responses for an Amazon Web Services Target Application

Situation Response

No Matches Found

None

One Entity Match Found

Establish Link

One Process Match Found

Establish Link
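The following is an added example, not the connector's own code, that walks through what the rule in Table 3-8 and the responses in Table 3-9 do to a reconciled record. It shows the two different comparisons involved: the identity rule compares __NAME__ with User Login case-insensitively (Case Sensitive? No in Table 3-8), while the process match on an already-linked account uses the User Name key field exactly (Case Insensitive? No in Table 3-3). The identities, linked accounts and target records are constructed; the "Multiple Matches Found" branch is an assumption, since Table 3-9 defines no response for it.

```python
# Constructed OIG identities; User Login is the identity attribute in Table 3-8
OIG_USERS = [
    {"User Login": "JDOE", "First Name": "John"},
    {"User Login": "ASMITH", "First Name": "Ann"},
    {"User Login": "BLEE", "First Name": "Bo"},
]

# Constructed accounts already linked to an identity (existing process instances),
# keyed by the exact target __NAME__ value, the key field in Table 3-3.
LINKED_ACCOUNTS = {"blee": "BLEE"}

# Situations and responses from Table 3-9
RESPONSES = {
    "No Matches Found": "None",
    "One Entity Match Found": "Establish Link",
    "One Process Match Found": "Establish Link",
}


def correlate(target_record, identities=OIG_USERS, linked=LINKED_ACCOUNTS):
    """Return (situation, response, matched User Login or None) for one target record."""
    name = target_record["__NAME__"]

    # Process match: the account is already linked. The key field is not case
    # insensitive, so this is an exact comparison.
    if name in linked:
        return ("One Process Match Found", RESPONSES["One Process Match Found"], linked[name])

    # Identity rule from Table 3-8: __NAME__ Equals User Login, Case Sensitive? No
    matches = [u["User Login"] for u in identities
               if u["User Login"].casefold() == name.casefold()]
    if len(matches) == 1:
        return ("One Entity Match Found", RESPONSES["One Entity Match Found"], matches[0])
    if not matches:
        return ("No Matches Found", RESPONSES["No Matches Found"], None)
    # More than one identity satisfies the rule. Table 3-9 lists no response for
    # this case, so taking no action here is an assumption of this example.
    return ("Multiple Matches Found", "None", None)


def reconcile(target_records, identities=OIG_USERS, linked=LINKED_ACCOUNTS):
    """Apply correlate() to a batch of reconciled records, in order."""
    return [(r["__NAME__"],) + correlate(r, identities, linked) for r in target_records]


if __name__ == "__main__":
    # Constructed records as the connector might return them from the target
    for row in reconcile([{"__NAME__": "jdoe"}, {"__NAME__": "blee"}, {"__NAME__": "nobody"}]):
        print(row)
```

The "nobody" record ends in No Matches Found with response None, so nothing is created or linked in Oracle Identity Governance; such orphan target accounts are exactly the ones worth reviewing after a reconciliation run.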

3.5 Reconciliation Jobs

These are the reconciliation jobs that are automatically created in Oracle Identity Governance after you create the application.

User Reconciliation Job

You can either use these predefined jobs or edit them to meet your requirements. Alternatively, you can create custom reconciliation jobs. For information about editing these predefined jobs or creating new ones, see Updating Reconciliation Jobs in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

The Amazon Webservice Target Resource User Reconciliation job is used to reconcile user data from a target application.

Table 3-10 Parameters of the Amazon Webservice Target Resource User Reconciliation Job

Parameter Description

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Do not modify this value.

Scheduled Task Name

This parameter holds the name of the scheduled job.

Note: For the scheduled job included with this connector, you must not change the value of this parameter. However, if you create a new job or create a copy of the job, then enter a unique name for that scheduled job as the value of this parameter.

Default value: APP_NAME AWS Target Resource User Reconciliation

Filter Query

Enter the search filter for fetching user records from the target system during a reconciliation run. See Performing Limited Reconciliation for more information about this attribute.

Object Type

This attribute holds the name of the object type for the reconciliation run.

Default value: User

Do not change the default value.

Sync Token

This attribute holds the date and time stamp at which the last full or incremental reconciliation run started.

Default value: <String>0</String>

Note:
  • If you are running a scheduled job with incremental reconciliation, the sync token is updated automatically.
  • If you know a valid value for the sync token, you can enter it in the following example format: <String>2020-05-19T18:29:49</String>
  • This attribute stores values in an XML serialized format.
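The following is an added example, written for this page and not part of the connector, of how the XML-serialized Sync Token above drives an incremental run: parsing the <String> wrapper, treating the default 0 as "no previous run" (a full run), selecting only events at or after the token, and writing back the start time of the current run as the new token, as the parameter description states. The CloudTrail-style events are constructed; the choice to include an event whose time equals the token (re-processing at the boundary rather than risking a miss) is an assumption of this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

INITIAL_TOKEN = "<String>0</String>"   # default value from Table 3-10
TOKEN_FORMAT = "%Y-%m-%dT%H:%M:%S"      # matches the example 2020-05-19T18:29:49


def parse_sync_token(token_xml):
    """Return the datetime stored in a Sync Token, or None for the initial token 0."""
    root = ET.fromstring(token_xml)
    if root.tag != "String":
        raise ValueError(f"unexpected sync token element <{root.tag}>")
    text = (root.text or "").strip()
    if text == "0":
        return None
    return datetime.strptime(text, TOKEN_FORMAT)


def format_sync_token(when):
    """Serialize a datetime in the <String>...</String> form the job stores."""
    element = ET.Element("String")
    element.text = when.strftime(TOKEN_FORMAT)
    return ET.tostring(element, encoding="unicode")


# Constructed CloudTrail-style IAM events (not real log data)
SAMPLE_EVENTS = [
    {"eventTime": "2020-05-19T17:10:02", "eventName": "CreateUser", "userName": "alice"},
    {"eventTime": "2020-05-19T18:29:49", "eventName": "AttachUserPolicy", "userName": "alice"},
    {"eventTime": "2020-05-20T08:00:00", "eventName": "UpdateUser", "userName": "bob"},
    {"eventTime": "2020-05-20T09:15:30", "eventName": "DeleteUser", "userName": "carol"},
]


def select_events_for_run(previous_token, events, run_started_at):
    """Return (events in scope for this run, new sync token).

    Token 0 means there was no previous run, so every event is in scope (a full
    run). Otherwise events at or after the token are processed; an event at the
    exact boundary is re-processed rather than dropped (assumption). Events that
    arrive after this run started are left for the next run, and the new token is
    the start time of this run.
    """
    since = parse_sync_token(previous_token)
    in_scope = []
    for event in sorted(events, key=lambda e: e["eventTime"]):
        when = datetime.strptime(event["eventTime"], TOKEN_FORMAT)
        if when > run_started_at:
            continue
        if since is None or when >= since:
            in_scope.append(event)
    return in_scope, format_sync_token(run_started_at)


if __name__ == "__main__":
    start = datetime(2020, 5, 20, 10, 0, 0)   # constructed run start time
    events, token = select_events_for_run("<String>2020-05-19T18:29:49</String>", SAMPLE_EVENTS, start)
    for event in events:
        print(event["eventTime"], event["eventName"], event["userName"])
    print("new sync token:", token)
```

Because the token records when the run started rather than the newest event seen, an event that was written to CloudTrail during the run is not skipped by the next one; resetting the token to <String>0</String> forces a full run.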

Delete User Reconciliation Job

The Amazon Web Services Target Resource Delete User Reconciliation job is used to reconcile deleted user data from a target application.

Table 3-11 Parameters of the Amazon Web Services Target Resource Delete User Reconciliation Job

Parameter Description

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Do not modify this value.

Object Type

This attribute holds the name of the object type for the reconciliation run.

Default value: User

Do not change the default value.

Reconciliation Jobs for Entitlements

The following jobs are available for reconciling entitlements:
  • Amazon Web Services Group Lookup Reconciliation

  • Amazon Web Services Policy Lookup Reconciliation

The parameters for both the reconciliation jobs are the same.

Table 3-12 Parameters of the Reconciliation Jobs for Entitlements

Parameter Description

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Do not modify this value.

Code Key Attribute

Name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute).

Default value: __UID__

Note: Do not change the value of this attribute.

Decode Attribute

Name of the connector or target system attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute).

Default value: __NAME__

Note: Do not change the value of this attribute.

Lookup Name

This parameter holds the name of the lookup definition that maps each lookup definition with the data source from which values must be fetched.

Depending on the reconciliation job you are using, the default values are as follows:
  • For Amazon Web Services Group Lookup Reconciliation - Lookup.AWS.Group

  • For Amazon Web Services Policy Lookup Reconciliation - Lookup.AWS.Policy

Object Type

Enter the type of object whose values must be synchronized.

Depending on the reconciliation job you are using, the default values are as follows:
  • For Amazon Web Services Group Lookup Reconciliation - __GROUP__

  • For Amazon Web Services Policy Lookup Reconciliation - __POLICY__

Note: Do not change the value of this attribute.