3 Configuring the Box Connector
While creating an application, you must configure connection-related parameters that the connector uses to connect Oracle Identity Governance with your target system and perform connector operations. In addition, you can view and edit attribute mappings between the process form fields in Oracle Identity Governance and target system columns, predefined correlation rules, situations and responses, and reconciliation jobs.
This section contains the following topics:
3.1 Basic Configuration Parameters
These are the connection-related parameters that Oracle Identity Governance requires to connect to the Box target application.
Note:
Unless specified, the parameters in the table are applicable to both target and authoritative applications.Table 3-1 Basic Configuration Parameters for the Box Connector
Parameter | Mandatory? | Description |
---|---|---|
authenticationType |
Yes |
Enter the type of authentication used by your target system. The Box target system uses manual input of access token and refresh token for OAuth2.0 authentication. Default value: Other |
Host |
Yes |
Enter the host name of the computer hosting your target system. Sample value: api.box.com/2.0 |
clientId |
Yes |
Enter the client identifier (a unique string) issued by the authorization server to your client application during the registration process. You would have obtained the client ID while configuring the newly registered application. Sample value: 83b-88onw9ddvgy9nnbworruf0x4nre9 |
clientSecret |
Yes |
Enter the secret key used to authenticate the identity of your client application. You obtained the secret key while performing the procedure described in Configuring the Newly Added Application. Sample value: 5Zi1PivsZDd00iHwK1GcZmvv5qNFCvuI |
customAuthHeaders |
Yes |
Takes access token and refresh token values.
Sample value: "access_token=fjvf0ghwpm3H1gSnWec3NcSVkgUFLIaQ","refresh_token=V1P163HMIC52RDxVE8rwlWHas0w71QWAJ2AXSivEpr6LluxGsQtDB34nxuKHhFJd"
|
sslEnabled |
Yes |
If the target system requires SSL connectivity, then set the value of this parameter to true. Otherwise set the value to false. Default value: |
Connector Server Name |
No |
If you are using Box Connector together with the Java Connector Server, then provide the name of Connector Server. |
Port |
No |
Enter the port number at which the target system is listening. Sample value: 443 |
proxyHost |
No |
Enter the name of the proxy host used to connect to an external target. |
proxyPassword |
No |
Password of the proxy user ID of the target system user account that Oracle Identity Governance uses to connect to the target system. |
proxyPort |
No |
Proxy port number. |
proxyUser |
No |
Proxy user name of the target system user account that Oracle Identity Manager uses to connect to the target system. |
3.2 Advanced Settings Parameters
The advanced settings parameters are the configuration-related entries that the connector uses during reconciliation and provisioning operations.
Note:
All parameters in the below table are mandatoryTable 3-2 Advanced Settings Parameters for the Box Connector
Parameter | Description |
---|---|
Bundle Name |
This entry holds the name of the connector bundle. Default value: org.identityconnectors.genericrest |
Bundle Version |
This entry holds the version of the connector bundle. Default value: 12.3.0 |
Connector Name |
This entry holds the name of the connector. Default value: org.identityconnectors.genericrest.GenericRESTConnector |
httpHeaderAccept |
This holds the accept-type expected from the target system in the header. Default value:application/json |
customPayload |
This entry lists the payloads for all operations that are not in the standard format. Default value:
|
nameAttributes |
This entry holds the name attribute for all the objects that are handled by this connector. Default value: |
jsonResourcesTagspecialAttributeHandling |
This entry holds the json tag value that is used during reconciliation for parsing multiple entries in a single payload. Default value: |
specialAttributeHandling |
Enter the list of special attributes whose values must be sent to the target system in separate calls, one at a time. If you do not specify a value for this parameter, then the connector will send all values for a given special attribute in a single call. Default value:"__ACCOUNT__.__GROUP__.CREATEOP=SINGLE","__ACCOUNT__.__GROUP__.UPDATEOP=SINGLE","__ACCOUNT__.email.CREATEOP=SINGLE","__ACCOUNT__.email.UPDATEOP=SINGLE","__ACCOUNT__.role.SEARCHOP=SINGLE","__ACCOUNT__.is_exempt_from_login_verification.SEARCHOP=SINGLE","__ACCOUNT__.is_sync_enabled.SEARCHOP=SINGLE" |
httpHeaderContentType |
This holds the content-type expected by the target system in the header. Default value: |
relURIs (Box) |
This entry holds the relative URL of every object class supported by this connector and the connector operations that can be performed on these object classes. Default value:"__ACCOUNT__.CREATEOP=/users","__ACCOUNT__.UPDATEOP=/users/$(__UID__)$","__ACCOUNT__.SEARCHOP=/users?$(Filter Suffix)$&limit=$(PAGE_SIZE)$&offset=$(PAGE_OFFSET)$","__ACCOUNT__.DELETEOP=/users/$(__UID__)$","__GROUP__.SEARCHOP=/groups?$(Filter Suffix)$&limit=$(PAGE_SIZE)$&offset=$(PAGE_OFFSET)$","__ACCOUNT__.__GROUP__.CREATEOP=/group_memberships","__ACCOUNT__.__GROUP__.UPDATEOP=/group_memberships","__ACCOUNT__.__GROUP__.SEARCHOP=/users/$(__UID__)$/memberships?limit=$(PAGE_SIZE)$&offset=$(PAGE_OFFSET)$","__ACCOUNT__.__GROUP__.DELETEOP=/group_memberships/$(__MEMBERSHIP__.id)$","__ACCOUNT__.__MEMBERSHIP__.__GROUP__.SEARCHOP=/users/$(__UID__)$/memberships","__ACCOUNT__.email.UPDATEOP=/users/$(__UID__)$/email_aliases","__ACCOUNT__.email.SEARCHOP=/users/$(__UID__)$/email_aliases?limit=$(PAGE_SIZE)$&offset=$(PAGE_OFFSET)$","__ACCOUNT__.email.DELETEOP=/users/$(__UID__)$/email_aliases/$(__MEMBERSHIP__.id)$","__ACCOUNT__.__MEMBERSHIP__.email.SEARCHOP=/users/$(__UID__)$/email_aliases?limit=$(PAGE_SIZE)$&offset=$(PAGE_OFFSET)$","__ACCOUNT__.role.SEARCHOP=/users/$(__UID__)$?fields=role","__ACCOUNT__.is_sync_enabled.SEARCHOP=/users/$(__UID__)$?fields=is_sync_enabled","__ACCOUNT__.is_exempt_from_login_verification.SEARCHOP=/users/$(__UID__)$?fields=is_exempt_from_login_verification" |
statusEnableValue |
This entry holds the value of the status attribute in the target system which represents the enable value. Default value:active |
enableEmptyString |
This entry holds the configuration value. If this configuration is set to true
|
specialAttributeTargetFormat |
This entry lists the format in which a special attribute is present in the target system endpoint. Default value: |
statusAttributes |
This entry lists the name of the target system attribute that holds the status of an account. For example, for the __ACCOUNT__ object class that it used for User accounts, the status attribute is accountEnabled. Default value: |
uidAttributes |
This entry holds the uid attribute for all the objects that are handled by this connector. Default value: |
opTypes |
This entry specifies the HTTP operation type for each object class supported by the connector. Default value:
|
statusDisableValue |
This entry holds the value of the status attribute in the target system which represents the disable value. Default value: |
3.3 Attribute Mappings
The Schema page for a target application displays the default schema (provided by the connector) that maps Oracle Identity Governance attributes to target system columns. The connector uses these mappings during reconciliation and provisioning operations.
Box User Account Attributes
Table 3-3 lists the user-specific attribute mappings between the process form fields in Oracle Identity Governance and Box application columns. The table also lists whether a specific attribute is used during provisioning or reconciliation and whether it is a matching key field for fetching records during reconciliation.
If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-3 Default Attribute Mappings for Box User Account
Identity Attribute | Target Attribute | Data Type | Mandatory Provisioning Property? | Provision Field? | Recon Field? | Key Field? | Case Insensitive? |
---|---|---|---|---|---|---|---|
Login |
__NAME__ |
String |
Yes |
Yes |
Yes |
No |
No |
Name |
name |
String |
Yes |
Yes |
Yes |
Yes |
No |
Role |
role |
String |
No |
Yes |
Yes |
No |
No |
Language |
language |
String |
No |
Yes |
Yes |
No |
No |
Enable Sync |
is_sync_enabled |
String |
No |
Yes |
Yes |
No |
No |
Job Title |
job_title |
String |
No |
Yes |
Yes |
No |
No |
Phone |
_ENABLE_ |
String |
No |
Yes |
Yes |
No |
No |
Address |
address |
String |
No |
Yes |
Yes |
No |
No |
Space Amount |
space_amount |
String |
No |
Yes |
Yes |
No |
No |
Timezone |
timezone |
String |
No |
Yes |
Yes |
No |
No |
Exempt From Login |
is_exempt_from_login |
String |
No |
Yes |
Yes |
No |
No |
Id |
_UID_ |
String |
No |
Yes |
Yes |
No |
No |
Status |
_ENABLE_ |
String |
No |
No |
Yes |
No |
No |
Figure 3-1 Default Attribute Mappings for Box User Account
![Description of Figure 3-1 follows Description of Figure 3-1 follows](img/attribute-mappings.png)
Description of "Figure 3-1 Default Attribute Mappings for Box User Account "
Groups Entitlement
Table 3-4 lists the group forms attribute mappings between the process form fields in Oracle Identity Governance and Box target application attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.
If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-4 Default Attribute Mappings for Groups Entitlement
Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field? | Key Field? | Case Insensitive? |
---|---|---|---|---|---|---|
Group Name |
__GROUP__~__GROUP__~id |
String | No | Yes | Yes | No |
Figure 3-1 shows the default attribute groups mapping.
Figure 3-2 Default Attribute Mappings for Groups Entitlement
![Description of Figure 3-2 follows Description of Figure 3-2 follows](img/defaultattrmappgrpsent.png)
Description of "Figure 3-2 Default Attribute Mappings for Groups Entitlement"
3.4 Correlation Rules
Learn about the predefined rules, responses and situations for a Target application. The connector use these rules and responses for performing reconciliation.
Predefined Identity Correlation Rules
By default, the Box connector provides a simple correlation rule when you create a target application. The connector uses this correlation rule to compare the entries in Oracle Identity Governance repository and the target system repository, determine the difference between the two repositories, and apply the latest changes to Oracle Identity Governance.
Table 3-5 lists the default simple correlation rule for Box connector. If required, you can edit the default correlation rule or add new rules. You can create complex correlation rules also. For more information about adding or editing simple or complex correlation rules, see Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-5 Predefined Identity Correlation Rule for a Box Target Application
Target Attribute | Element Operator | Identity Attribute | Case Sensitive? |
---|---|---|---|
__NAME__ |
Equals |
User Login |
No |
-
__NAME__ is a single-valued attribute on the target system that identifies the user account.
-
User Login is the field on the OIG User form.
Figure 3-3 shows the complex correlation rule for Box target application.
Figure 3-3 Complex Correlation Rule for a Box Target Application
![Description of Figure 3-3 follows Description of Figure 3-3 follows](img/correlationrules.png)
Description of "Figure 3-3 Complex Correlation Rule for a Box Target Application"
Predefined Situations and Responses
The Box connector provides a default set of situations and responses when you create a target application. These situations and responses specify the action that Oracle Identity Governance must take based on the result of a reconciliation event.
Table 3-5 lists the default situations and responses for Box target application. If required, you can edit these default situations and responses or add new ones. For more information about adding or editing situations and responses, see Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-6 Predefined Situations and Responses for a Box Target Application
Situation | Response |
---|---|
No Matches Found |
None |
One Entity Match Found |
Establish Link |
One Process Match Found |
Establish Link |
Figure 3-4 shows the situations and responses for Box that the connector provides by default.
Figure 3-4 Predefined Situations and Responses for a Box Target Application
![Description of Figure 3-4 follows Description of Figure 3-4 follows](img/situations-and-responses_target.png)
Description of "Figure 3-4 Predefined Situations and Responses for a Box Target Application"
3.5 Reconciliation Jobs
Learn about reconciliation jobs that are automatically created in Oracle Identity Governance after you create a target application for your target system.
User Reconciliation Job
You must specify values for the attributes of user reconciliation jobs.
The Box Target User Reconciliation job is used to fetch all user records from the target system.
Table 3-7 Parameters of the Box Target User Reconciliation Job
Attribute | Description |
---|---|
Application Name |
Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value. |
Filter Suffix |
Enter the search filter for fetching records from the target system during a reconciliation run. Sample value: See Configuring Reconciliation Jobs for more information about filtered reconciliation. |
Object Type |
Type of object you want to reconcile. Default value: |
Reconciliation Jobs for Lookup Field Synchronization
The lookup definitions are used as an input source for lookup fields in Oracle Identity Governance.
The Box Group Lookup Reconciliation Scheduled job is used for lookup fields synchronization.
Table 3-8 Parameters of the Box Group Lookup Reconciliation Scheduled Job
Attribute | Description |
---|---|
Application Name |
Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value. |
Lookup Name |
Enter the name of the lookup definition in Oracle Identity Governance that must be populated with values fetched from the target system. Default value: |
Object Type |
Type of object you want to reconcile. Default value: |
Code Key Attribute | Name of the connector attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute).
Default value: __UID__ |
Decode Attribute | Name of the connector attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute).
Default value :__NAME__ |
Box Update Access Token Job
Access token configured as part of IT resource will expire in 60 minutes and refresh token will expire in 60 days. Box Update Access Token Job is used to keep the value of the access token (in the IT resource) always valid. Every 50 minutes, this job is scheduled to run periodically.
Note:
If for some reason this scheduler is not run for more than 60 days, then the refresh token value in IT resource would have expired due to which if you run the Box Update Access Token Job after 60 days, it will fail. In such cases, a new access token and refresh token has to be generated manually.Table 3-9 Attributes of the Box Update Access Token Job
Attribute | Description |
---|---|
Access Token Endpoint |
This attribute holds the Box REST endpoint to get the new access token. Default value: |
IT Resource Name |
Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Default value: |
Task Name |
This attribute holds the name of the scheduled task. Default value: You must not change the default value. |
Start Date |
This attribute holds the Start Date and time of job. Select current time and date from the Calender drop-down. |