3 Configuring the Connector
While creating a target application, you must configure connection-related parameters that the connector uses to connect to Oracle Identity Governance with your target system and perform connector operations. In addition, you can view and edit attribute mappings between the process form fields in Oracle Identity Governance and target system columns, predefined correlation rules, situations and responses, and reconciliation jobs.
3.1 Basic Configuration Parameters
These are the connection-related parameters that Oracle Identity Governance requires to connect to an Amazon Web Services application.
Note:
Unless specified, do not modify entries in the below table.Table 3-1 Parameters in the Basic Configuration
Parameter | Mandatory ? | Description |
---|---|---|
userName |
Yes |
Enter the user name of the target system that you create for performing connector operations. Sample value:
|
accessKeyId |
Yes |
Enter the access key identifier (a unique string) issued by the authorization server to your client application during the registration process. You would have obtained the access key while configuring the newly registered application. Sample value:
|
secretAccessKey |
Yes |
Enter the secret Access Key used to authenticate the identity of your client application. You obtained the secret Access Key while performing the procedure described in Configuring the Newly Added Application. Sample value:
|
proxyPassword |
No |
Enter the proxy password if you are using proxy server to access internet. |
proxyHostPort |
No |
Enter the proxy host or IP and port if you are using proxy server to access internet. Sample value:
|
proxyUsername |
No |
Enter the proxy username if you are using proxy server to access internet. |
3.2 Advanced Settings Parameters
These are the configuration-related entries that the connector uses during reconciliation and provisioning operations.
Note:
-
Unless specified, do not modify entries in the below table.
-
All parameters in the below table are mandatory.
Table 3-2 Advanced Settings Parameters
Parameter | Description |
---|---|
Bundle Name |
This entry holds the name of the connector bundle. Default value:
|
Bundle Version |
This entry holds the version of the connector bundle. Default value:
|
Connector Name |
This entry holds the name of the connector class. Default value:
|
pageSize |
Specify the number of objects to return in a page from the target system in a paged search. Default value: |
passwordLastUsed |
Enter Default value: |
region |
Enter the Region for IAM and Organization. Default value: |
cloudTrailRegion |
Enter the region for Cloudtrail service used for incremental reconciliation Default value: |
policyGroup |
Enter Default value: |
changePasswordNextSignIn |
Enter Default value: |
enableProgrammaticAccess |
Enter Default value: |
timeZone |
This parameter displays the Oracle Identity Manager timezone. Default value: |
3.3 Attribute Mappings
The Schema page for a target application displays the default schema (provided by the connector) that maps Oracle Identity Governance attributes to target system attributes. The connector uses these mappings during reconciliation and provisioning operations.
Default Attributes for Amazon Web Services Target Application
Table 3-3 lists the user-specific attribute mappings between the process form fields in Oracle Identity Governance and Amazon Web Services target application attributes. The table also lists whether a specific attribute is used during provisioning or reconciliation and whether it is a matching key field for fetching records during reconciliation.
If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-3 Default Attributes for Amazon Web Services Target Application
Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Provision Field? | Recon Field? | Key Field? | Case Insensitive? | Advanced Flag Settings |
---|---|---|---|---|---|---|---|---|
User ID |
__UID__ |
String |
No |
No |
Yes |
No |
No |
Length:256 |
User Name |
__NAME__ |
String |
Yes |
Yes |
Yes |
Yes |
No |
Length:64 |
Password |
__PASSWORD__ |
String |
No |
Yes |
No |
No |
No |
Length:128 |
User ARN |
UserARN |
String |
No |
No |
Yes |
No |
No |
WriteBack; Length:2048 |
Last Activity |
PasswordLastUsed |
String |
No |
No |
Yes |
No |
No |
WriteBack; Length:256 |
Creation Time |
CreateDate |
String |
No |
No |
Yes |
No |
No |
WriteBack; Length:256 |
Path |
Path |
String |
No |
Yes |
Yes |
No |
No |
Length:512 |
Organization ARN |
OrgARN |
String |
No |
No |
Yes |
No |
No |
WriteBack; Length:2048 |
Organization Account Name |
AccountOrgName |
String |
No |
No |
Yes |
No |
No |
WriteBack; Length:50 |
Organization ID |
OrgUnit |
String |
No |
No |
Yes |
No |
No |
WriteBack; Length:50 |
Service Control Policies |
ServiceControlPolicy |
String |
No |
No |
Yes |
No |
No |
WriteBack; Length:256 |
Status |
__ENABLE__ |
String |
No |
No |
Yes |
No |
No |
WriteBack; Length:256 |
Programmatic Access Status |
ProgrammaticAccessStatus |
Boolean |
No |
No |
Yes |
No |
No |
WriteBack |
IT Resource Name |
Long |
No |
No |
Yes |
No |
No |
Table 3-3 shows the default User account attribute mappings.
Figure 3-1 Default Attribute Mappings for Amazon Web Services User Account
![This is a screenshot of the Schema page for a target application that displays the default attribute mappings for Amazon Web Services User account This is a screenshot of the Schema page for a target application that displays the default attribute mappings for Amazon Web Services User account](img/new_schemapart.png)
Note:
Ensure that the path begins and ends with /
.
Default value: /
Example: /Oracle/
Groups Attribute
Table 3-4 lists the group forms attribute mappings between the process form fields in Oracle Identity Governance and Amazon Web Services target application attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.
If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-4 Default Attribute Mappings for Groups
Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field? | Key Field? | Case Insensitive? | Entitlement | Advanced settings |
---|---|---|---|---|---|---|---|---|
Group |
__GROUP__~__GROUP__~GroupName |
String | Yes | Yes | Yes | No | True | List of Values: Lookup.AWS.Group Length:256 |
Figure 3-2 shows the default attribute groups mapping.
Figure 3-2 Default Attribute Mappings for Groups
![This is a screenshot of the Schema page for a target application that displays the default Groups child attribute mapping. This is a screenshot of the Schema page for a target application that displays the default Groups child attribute mapping.](img/group-child-attributes.png)
Policies Attribute
Table 3-5 lists the policy attribute mappings between the process form fields in Oracle Identity Governance and Amazon Web Services target application attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.
If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-5 Default Attribute Mappings for Policies
Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field? | Key Field? | Case Insensitive? | Entitllement | Advanced Settings |
---|---|---|---|---|---|---|---|---|
Policy name |
__POLICIES__~__POLICIES__~policyName | String | Yes | Yes | Yes | No | True | List of Values: Lookup.AWS.Policy Length:256 |
Policy type |
__POLICIES__~__POLICIES__~policyType | String | No | Yes | Yes | No | Length:256 |
Figure 3-3 shows the default attribute policy mapping.
Figure 3-3 Default Attribute Mappings for Policies
![This is a screenshot of the Schema page for a target application that displays the default policy child attribute mapping. This is a screenshot of the Schema page for a target application that displays the default policy child attribute mapping.](img/policies-child-attributes.png)
Tags Attribute
Table 3-6 lists the tag attribute mappings between the process form fields in Oracle Identity Governance and Amazon Web Services target application attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.
If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-6 Default Attribute Mappings for Tags
Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field? | Key Field? | Case Insensitive? | Advanced Settings |
---|---|---|---|---|---|---|---|
Tag key |
__TAGS__~__TAGS__~tagskey | String | Yes | Yes | Yes | No | Length:256 |
Tag value |
__TAGS__~__TAGS__~tagsvalue | String | Yes | Yes | No | No | Length:256 |
Figure 3-4 shows the default attribute tag mapping.
Figure 3-4 Default Attribute Mappings for Tags
![This is a screenshot of the Schema page for a target application that displays the default tag child attribute mapping. This is a screenshot of the Schema page for a target application that displays the default tag child attribute mapping.](img/tag-child-attributes.png)
Inline Policy Attribute
Table 3-7 lists the inline policy attribute mappings between the process form fields in Oracle Identity Governance and Amazon Web Services target application attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.
If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-7 Default Attribute Mappings for Inline Policies
Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field? | Key Field? | Case Insensitive? | Advanced Settings |
---|---|---|---|---|---|---|---|
Policy Name |
__INLINEPOLICIES__~__INLINEPOLICIES__~InlinePolicyName | String | Yes | Yes | Yes | No | Length:256 |
Policy type |
__INLINEPOLICIES__~__INLINEPOLICIES__~InlinePolicyType | String | No | Yes | Yes | No | Length:256 |
Figure 3-5 shows the default attribute inline policiy mapping.
Figure 3-5 Default Attribute Mappings for Inline Policies
![This is a screenshot of the Schema page for a target application that displays the default inline policy child attribute mapping. This is a screenshot of the Schema page for a target application that displays the default inline policy child attribute mapping.](img/inlinepolicies-child-attributes.png)
3.4 Correlation Rules, Situations, and Responses for a Target Application
When you create a Target application, the connector uses correlation rules to determine the identity to which Oracle Identity Governance must assign a resource.
Predefined Identity Correlation Rules
By default, the Amazon Web Services connector provides a simple correlation rule when you create a target application. The connector uses this correlation rule to compare the entries in Oracle Identity Governance repository and the target system repository, determine the difference between the two repositories, and apply the latest changes to Oracle Identity Governance.
Table 3-8 lists the default simple correlation rule for Amazon Web Services connector. If required, you can edit the default correlation rule or add new rules. You can create simple correlation rules also. For more information about adding or editing simple or complex correlation rules, see Updating Identity Correlation Rule in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-8 Predefined Identity Correlation Rule for a Amazon Web Services Target Application
Target Attribute | Element Operator | Identity Attribute | Case Sensitive? | Rule Operator |
---|---|---|---|---|
__NAME__ |
Equals |
User Login |
No |
-
__NAME__ is a single-valued attribute on the target system that identifies the user account.
-
User Login is the field on the OIG User form.
Figure 3-6 shows the simple correlation rule for a Amazon Web Services target application.
Figure 3-6 Simple Correlation Rule for a Amazon Web Services Target Application
![This is a screenshot of the default situations and responses available for Amazon Web Service connector application during reconciliation. This is a screenshot of the default situations and responses available for Amazon Web Service connector application during reconciliation.](img/new_corelation-rule-aws.png)
Predefined Situations and Responses
The Amazon Web Services connector provides a default set of situations and responses when you create a target application. These situations and responses specify the action that Oracle Identity Governance must take based on the result of a reconciliation event.
Table 3-9 lists the default situations and responses for Amazon Web Services target application. If required, you can edit these default situations and responses or add new ones. For more information about adding or editing situations and responses, see Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-9 Predefined Situations and Responses for a Amazon Web Services Target Application
Situation | Response |
---|---|
No Matches Found |
None |
One Entity Match Found |
Establish Link |
One Process Match Found |
Establish Link |
3.5 Reconciliation Jobs
These are the reconciliation jobs that are automatically created in Oracle Identity Governance after you create the application.
User Reconciliation Job
You can either use these predefined jobs or edit them to meet your requirements. Alternatively, you can create custom reconciliation jobs. For information about editing these predefined jobs or creating new ones, see Updating Reconciliation Jobs in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
The Amazon Webservice Target Resource User Reconciliation job is used to reconcile user data from a target application.
Table 3-10 Parameters of the Amazon Webservice Target Resource User Reconciliation Job
Parameter | Description |
---|---|
Application Name |
Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value. |
Scheduled Task Name |
This parameter holds the name of the scheduled job. Note: For the scheduled job included with this connector, you must not change the value of this parameter. However, if you create a new job or create a copy of the job, then enter the unique name for that scheduled job as the value of this parameter. Default value: APP_NAME AWS Target Resource User Reconciliation |
Filter Query |
Enter the search filter for fetching user records from the target system during a reconciliation run. See Performing Limited Reconciliation for more information about this attribute. |
Object Type |
This attribute holds the name of the object type for the reconciliation run. Default value: Do not change the default value. |
Sync Token |
This attribute holds the date and time stamp at when the last full or incremental reconciliation run started. Default value:
Note:
|
Delete User Reconciliation Job
The Amazon Web Services Target Resource Delete User Reconciliation job is used to reconcile deleted user data from a target application.
Table 3-11 Parameters of the Amazon Web Services Target Resource Delete User Reconciliation Job
Parameter | Description |
---|---|
Application Name |
Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value. |
Object Type |
This attribute holds the name of the object type for the reconciliation run. Default value: Do not change the default value. |
Reconciliation Jobs for Entitlements
-
Amazon Web Services Group Lookup Reconciliation
-
Amazon Web Services Policy Lookup Reconciliation
The parameters for both the reconciliation jobs are the same.
Table 3-12 Parameters of the Reconciliation Jobs for Entitlements
Parameter | Description |
---|---|
Application Name |
Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value. |
Code Key Attribute |
Name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). Default value: Note: Do not change the value of this attribute. |
Decode Attribute |
Name of the connector or target system attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute). Default value: Note: Do not change the value of this attribute. |
Lookup Name |
This parameter holds the name of the lookup definition that maps each lookup definition with the data source from which values must be fetched. Depending on the reconciliation job you are using, the default values are as follows:
|
Object Type |
Enter the type of object whose values must be synchronized. Depending on the reconciliation job you are using, the default values are as follows:
Note: Do not change the value of this attribute. |