1 About the Box Connector
Oracle Identity Governance is a centralized identity management solution that provides self service, compliance, provisioning and password management services for applications residing on-premises or on the Cloud. Oracle Identity Governance connectors are used to integrate Oracle identity Governance with the external identity-aware applications.
Note:
In this guide, the connector that is deployed using the Applications option on the Manage tab of Identity Self Service is referred to as an AOB application. The connector that is deployed using the Manage Connector option in Oracle Identity System Administration is referred to as a CI-based connector (Connector Installer-based connector).Application onboarding is the process of registering or associating an application with Oracle Identity Governance and making that application available for provisioning and reconciliation of user information.
The following topics provide a high-level overview of the Box connector:
1.1 Certified Components
These are the software components and their versions required for installing and using the Box connector.
Table 1-1 lists the certified components for this connector.
Table 1-1 Certified Components
| Component | Requirement for AOB Application | Requirement for CI-Based Connector |
|---|---|---|
|
Oracle Identity Governance or Oracle Identity Manager |
You can use any one of the following releases:
|
You can use one of the following releases of Oracle Identity Governance or Oracle Identity Manager:
|
|
Target System |
Box |
Box |
|
Connector Server |
11.1.2.1.0 and later |
11.1.2.1.0 and later |
|
Connector Server JDK |
JDK 1.8 and later |
JDK 1.8 and later |
1.2 Usage Recommendation
These are the recommendations for the Box connector version that you can deploy and use depending on the Oracle Identity Governance or Oracle Identity Manager version that you are using.
-
If you are using Oracle Identity Governance 12c (12.2.1.3.0), then use the latest 12.2.1.x version of this connector. Deploy the connector using the Applications option on the Manage tab of Identity Self Service.
-
If you are using any of the Oracle Identity Manager releases listed in the “Requirement for CI-Based Connector” column in Table 1-1, then use the 11.1.x version of the Box connector. If you want to use the 12.1.x version of this connector, then you can install and use it only in the CI-based mode. If you want to use the AOB application, then you must upgrade to Oracle Identity Governance release 12.2.1.3.0.
Note:
If you are using the latest 12.2.1.x version of the Box connector in the CI-based mode, then see Oracle Identity Manager Connector Guide for Box, Release 11.1.1 for complete details on connector deployment, usage, and customization.1.3 Certified Languages
These are the languages that the connector supports.
-
Arabic
-
Chinese (Simplified)
-
Chinese (Traditional)
-
Czech
-
Danish
-
Dutch
-
English
-
Finnish
-
French
-
French (Canadian)
-
German
-
Greek
-
Hebrew
-
Hungarian
-
Italian
-
Japanese
-
Korean
-
Norwegian
-
Polish
-
Portuguese
-
Portuguese (Brazilian)
-
Romanian
-
Russian
-
Slovak
-
Spanish
-
Swedish
-
Thai
-
Turkish
1.4 Supported Connector Operations
These are the list of operations that the connector supports for your target system.
Table 1-2 Supported Connector Operations
| Operation | Supported? |
|---|---|
|
User Management |
|
|
Create user |
Yes |
|
Update user |
Yes |
|
Delete User |
Yes |
|
Enable User |
Yes |
|
Disable User |
Yes |
Note:
All the connector artifacts required for managing groups as an object (for example groups attribute mappings, reconciliation rules, jobs, and so on) are not visible in the Applications UI in Identity Self Service. However, all the required information is available in the predefined application templates of the connector installation package.1.5 Connector Architecture
The Box connector is implemented by using the Identity Connector Framework (ICF).
The connector enables you to manage accounts on the target system. Managing accounts consists of the following processes:
-
Provisioning
Provisioning involves creating or updating users on the target system through Oracle Identity Governance. When you allocate (or provision) a Box resource to an OIG User, the operation results in the creation of an account on Box for that user. In the Oracle Identity Governance context, the term provisioning also covers updates made to the target system account through Oracle Identity Governance.
-
Target Resource Reconciliation
In target resource reconciliation, data related to newly created and modified target system accounts can be reconciled and linked with existing OIG Users and provisioned resources. A scheduled job is used for reconciliation.
As shown in this figure, Box is configured as a target resource of Oracle Identity Governance. Through provisioning operations performed on Oracle Identity Governance, accounts are created and updated on the target system for OIG Users. Through reconciliation, account data that is created and updated directly on the target system is fetched into Oracle Identity Governance and stored against the corresponding OIG Users. Identity Connector Framework (ICF) is a component that is required in order to use Identity Connectors. ICF is distributed together with Oracle Identity Governance.
You do not need to configure or modify ICF. During provisioning, the Adapters invoke ICF operation, ICF in turn invokes create operation on Box Identity Connector Bundle and then the bundle calls Box REST API for Provisioning operations. The Box REST API on the target system accepts provisioning data from the bundle, carries out the required operation on the target system, and returns the response from the target system back to the bundle, which passes it to the adapters. During reconciliation, a scheduled task invokes ICF operation, ICF inturn invokes search operation on Box Identity Connector Bundle and then the bundle calls Box REST API for Reconciliation operation. The API extracts user records that match the reconciliation criteria and hands them over through the bundle and ICF back to the scheduled task, which brings the records to Oracle Identity Governance.
Each record fetched from the target system is compared with Box resources that are already provisioned to OIG Users. If a match is found, then the update made to the Box record from the target system is copied to the Box resource in Oracle Identity Governance. If no match is found, then the user ID of the record is compared with the user ID of each OIG User. If a match is found, then data in the target system record is used to provision an Box resource to the OIG User.
The Box Identity Connector Bundle communicates with the Box REST API using the HTTPS protocol.
1.6 Supported Use Cases
Box is a cloud computing business which provides file-sharing, collaborating, and other tools for working with files that are uploaded to its servers. Box provides dynamic, flexible content management solution which empowers users to share and access content from anywhere, while providing IT enterprise-grade security and oversight into how content moves within their organizations.
The following are some of the most common scenarios in which this connector can be used:
-
Update Access Token
Today, security is one of the biggest concerns that organizations face while accessing cloud applications. Each cloud application has its own mechanism to ensure that a security breach does not take place. Box uses automated tokens to achieve this. The administrators of the Box Connector are assigned a security token which is required to authenticate and authorize the administrators in order to perform various operations on the application. This token also gets refreshed periodically to minimize risk.
Oracle Identity Manager Connector for Box provides automated admin token management to ensure that your administrator’s security tokens are up-to-date. This functionality ensures that only authenticated and authorized administrators can perform the operations without any delay due to stale or expired tokens.
-
Box User Management
Organizations across the globe are using Box for content sharing. They want their employees to be able to access and share the most up-to-date information across different geographical locations. To achieve this, a Box administrator has to create and grant login to the concerned employees. The Box administrator must also be sure of the complete life cycle of this particular user. It must be ensured that when an employee leaves the organization, they should no longer be able to access sensitive information or content or files using their Box account. Similarly, during an employee’s tenure, it has to be ensured that they have access towards files and content which they alone are entitled to use while access must be restricted towards classified files and content.
Doing this manually for every employee is very cumbersome thus resulting in errors sometimes. Oracle Identity Manager Connector for Box provides user management functionality which enables automation of provisioning and deprovisioning of the users (employees). Whenever a new employee joins the organization, a Box account will automatically be provisioned to them along with appropriate access rights. Likewise, when they leave the organization, the same account will automatically be deactivated. This not only saves time but provides robust security as manual intervention is minimal here.
-
Exempt Box User from 2-Step Login Verification
As the need for enhanced security increases, Box provides an extra layer of security through the use of 2-step verification. This process requires the user to present the following two authenticating pieces of evidence when they log in:
-
Something they know (their Box password)
-
Something they have (an OTP code that is sent to their mobile device)
The OTP code is sent to the users mobile device as a text message (SMS). In case the user loses their mobile device or cannot access the confirmation codes sent to the mobile device for reasons unknown, the Box Connector provides an option to exempt the user from the 2-Step Login Verification requirement. An exempted user would be able to log in successfully with only the Box password. If you would like to exempt a group of users or the administrator, you can enable the option Exempt this user from 2-Step login verification for that particular user.
-
-
User Email Alias Management
In an organization, a user may have multiple email addresses. For example, in case of acquisitions or mergers, there is a need to manage multiple email addresses for different domains. In such a situation, you may want to add a new email alias for a user who changed their name but left their primary email address the same.
Email alias allows users to link multiple email addresses to a single Box account for easy management of their important content. Now, any user type can add multiple email addresses to their account and designate one as the primary address, where collaboration invites and Box notifications will be sent. With Oracle Identity Manager Connector for Box, you can manage email aliases and mark any one of them as primary for the user account.
-
Box User’s Group Membership Management
Organizations are usually broken down into departments, project teams or other sub-units and with this systematic break-down, there comes a need to grant different teams different levels of access for different content. The group functionality of Box helps the organization to achieve this, thereby making it easy to replicate the work or resource breakdown easy in Box. It also helps in creating new teams along new lines. Groups make this division of labor easy to replicate in Box, and also give the opportunity to create new teams along new lines.
Oracle Identity Manager Connector for Box enables an organization to manage user’s group memberships. A user can be a member of one or more groups. Oracle Identity Manager Connector for Box has the capability to enable the IT group to retain visibility into how content is managed and accessed. With monitoring and granular access control capabilities, it can be ensured that only authorized users have access.
One other benefit of collaborating using the Box User’s Group Membership Management is that, as new users are added to any specific group, they are automatically eligible to gain access to the content already shared. This means that, such new users can log in and gain access to relevant content required by them to perform their job effectively.
-
User and Group Reconciliation
If a user with an existing Box application (which has other users and groups configured) wants to manage users and group membership, they must initially migrate the pre-existing Box groups into Oracle Identity Manager. The Box Connector facilitates User Reconciliation and Group Lookup Reconciliation to bulk load these users and their group memberships to Oracle Identity Manager respectively.
1.7 Supported Connector Features Matrix
Provides the list of features supported by the AOB application and CI-based connector.
Table 1-3 Supported Connector Features Matrix
| Feature | AOB Application | CI-Based Connector |
|---|---|---|
|
Full reconciliation |
Yes |
Yes |
|
Limited reconciliation |
Yes |
Yes |
|
Use connector server |
Yes |
Yes |
|
Transformation and validation of account data |
Yes |
Yes |
|
Perform connector operations in multiple domains |
Yes |
Yes |
|
Support for paging |
Yes |
Yes |
|
Test connection |
Yes |
No |
|
Reset password |
Yes |
Yes |
1.8 Connector Features
The features of the connector include support for connector server, full reconciliation, limited reconciliation, and reconciliation of deleted account data.
1.8.1 Full Reconciliation
After you create the application, you can perform full reconciliation to bring all existing user data from the target system to Oracle Identity Governance.
Note:
The connector cannot support incremental reconciliation because of the target system limitation. The target system does not provide a way to filter user records based on the attribute which stores the time at which the account data is created or modified.You can perform a full reconciliation run at any time. See Configuring Reconciliation.
1.8.2 Limited Reconciliation
You can set a reconciliation filter as the value of the Filter attribute of a reconciliation scheduled job. This filter specifies the subset of added and modified target system records that must be reconciled.
For more information, see Performing Limited Reconciliation.
1.8.3 Support for the Connector Server
Connector Server is one of the features provided by ICF. By using one or more connector servers, the connector architecture permits your application to communicate with externally deployed bundles.
A Java connector server is useful when you do not wish to execute a Java connector bundle in the same VM as your application. It can be beneficial to run a Java connector on a different host for performance improvements.
For information about installing, configuring, and running the Connector Server, and then installing the connector in a Connector Server, see Using an Identity Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.
1.8.4 Secure Communication to the Target System
To provide secure communication to the target system, SSL is required. You can configure SSL between Oracle Identity Governance and the Connector Server and between the Connector Server and the target system.
If you do not configure SSL, passwords can be transmitted over the network in clear text. For example, this problem can occur when you are creating a user or modifying a user's password.
For more information, see Configuring SSL.
1.8.5 Transformation and Validation of Account Data
You can configure transformation and validation of account data that is brought into or sent from Oracle Identity Governance during reconciliation and provisioning operations by writing Groovy scripts while creating your application.
For more information, see Validation and Transformation of Provisioning and Reconciliation Attributes in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.