1 About the Concur Connector

Oracle Identity Governance is a centralized identity management solution that provides self service, compliance, provisioning and password management services for applications residing on-premises or on the Cloud. Oracle Identity Governance connectors are used to integrate Oracle Identity Governance with external identity-aware applications.

The Concur Connector lets you create and onboard Concur applications in Oracle Identity Governance.

Note:

In this guide, the connector that is deployed using the Applications option on the Manage tab of Identity Self Service is referred to as an AOB application. The connector that is deployed using the Manage Connector option in Oracle Identity System Administration is referred to as a CI-based connector (Connector Installer-based connector).
From Oracle Identity Governance release 12.2.1.3.0 onward, connector deployment is handled using the application onboarding capability of Oracle Identity Self Service. This capability lets business users onboard applications with minimum details and effort. The connector installation package includes a collection of predefined templates (XML files) that contain all the information required for provisioning and reconciling data from a given application or target system. These templates also include basic connectivity and configuration details specific to your target system. The connector uses information from these predefined templates, allowing you to onboard your applications quickly and easily using a single, simplified UI.

Application onboarding is the process of registering or associating an application with Oracle Identity Governance and making that application available for provisioning and reconciliation of user information.

Note:

In this guide, Concur is sometimes referred to as the target system.

The following topics provide a high-level overview of the Concur connector:

Note:

In this guide, the term Oracle Identity Governance server refers to the computer on which Oracle Identity Governance is installed.

1.1 Certified Components

These are the software components and their versions required for installing and using the Concur connector.

Note:

If you are using Oracle Identity Manager release 11.1.x, then you can install and use the connector only in the CI-based mode. If you want to use the AOB application, then you must upgrade to Oracle Identity Governance release 12.2.1.3.0.

Table 1-1 Certified Components

| Component | Requirement for AOB Application | Requirement for CI-Based Connector |
| --- | --- | --- |
| Oracle Identity Manager or Oracle Identity Governance | You can use one of the following releases of Oracle Identity Manager or Oracle Identity Governance: Oracle Identity Governance 12c (12.2.1.4.0); Oracle Identity Governance 12c (12.2.1.3.0). Note: If you are using Oracle Identity Governance 12c (12.2.1.3.0), then ensure that you download and apply patches 26616250 and 25323654 from My Oracle Support. | You can use one of the following releases of Oracle Identity Manager or Oracle Identity Governance: Oracle Identity Governance 12c (12.2.1.4.0); Oracle Identity Governance 12c (12.2.1.3.0); Oracle Identity Manager 11g Release 2 PS3 BP06 (11.1.2.3.6) |
| Target system | Concur | Concur |
| Connector Server | 11.1.2.1.0 or later | 11.1.2.1.0 or later |
| Connector Server JDK | JDK 1.8 or later | JDK 1.8 or later |

1.2 Usage Recommendation

These are the recommendations for the Concur connector versions that you can deploy and use depending on the Oracle Identity Governance or Oracle Identity Manager version that you are using.

  • If you are using Oracle Identity Governance release 12c (12.2.1.3.0) or later, then use the latest 12.2.1.x version of this connector. Deploy the connector using the Applications option on the Manage tab of Identity Self Service.

  • If you are using any of the Oracle Identity Manager releases listed in the “Requirement for CI-Based Connector” column of Table 1-1, then use the 11.1.1.x version of the Concur connector. If you want to use the 12.2.1.x version of this connector, then you can install and use it only in the CI-based mode. If you want to use the AOB application, then you must upgrade to Oracle Identity Governance release 12c (12.2.1.3.0) or later.

Note:

If you are using the latest 12.2.1.x version of the Concur connector in the CI-based mode, then see Oracle Identity Manager Connector Guide for Concur, Release 11.1.1 for complete details on connector deployment, usage, and customization.

1.3 Certified Languages

The connector supports the following languages:

  • Arabic

  • Chinese (Simplified)

  • Chinese (Traditional)

  • Czech

  • Danish

  • Dutch

  • English (US)

  • Finnish

  • French

  • French (Canadian)

  • German

  • Greek

  • Hebrew

  • Hungarian

  • Italian

  • Japanese

  • Korean

  • Norwegian

  • Polish

  • Portuguese

  • Portuguese (Brazilian)

  • Romanian

  • Russian

  • Slovak

  • Spanish

  • Swedish

  • Thai

  • Turkish

1.4 Supported Connector Operations

This is the list of operations that the connector supports for your target system.

Table 1-2 Supported Connector Operations

| Operation | Supported? |
| --- | --- |
| User Management | |
| Create User | Yes |
| Update User | Yes |
| Enable User | Yes |
| Disable User | Yes |
| Change or Reset Password | Yes |

1.5 Connector Architecture

The Concur connector can be configured to run in the Account Management (or target resource management) mode, and is implemented using the Integrated Common Framework (ICF) component.

The Concur connector uses the OAuth 2.0 security protocol (Native Flow) to connect to Concur and perform user authentication. You can configure the Concur connector to run in the Account Management (or target resource management) mode. In this mode of the connector, information about users that are created or modified directly on Concur can be reconciled into Oracle Identity Governance. This data is used to add or modify resources (that is, accounts) that are allocated to Oracle Identity Governance Users. In addition, you can use Oracle Identity Governance to provision or update Concur accounts that are assigned to Oracle Identity Governance Users.

This connector enables the following operations:

  • Provisioning

    Provisioning involves creating and updating users on Concur through Oracle Identity Governance. When you allocate (or provision) a Concur resource to an Oracle Identity Governance User, the operation results in the creation of an account on Concur for that user. In the Oracle Identity Governance context, the term "provisioning" is also used to mean updates (for example enabling or disabling) made to the Concur account through Oracle Identity Governance.

  • Target resource reconciliation

    To perform target resource reconciliation, the Concur Recon scheduled job is used. The connector then fetches the user attribute values from Concur.

Figure 1-1 Architecture of the Concur Connector


As shown in Figure 1-1, Concur is configured as a target resource of Oracle Identity Governance. Through the provisioning operations that are performed on Oracle Identity Governance, accounts are created and updated on Concur for Oracle Identity Governance Users.

Through reconciliation, account data that is created and updated directly on Concur is fetched into Oracle Identity Governance and stored against the corresponding Oracle Identity Governance Users.

The Concur connector is implemented using the ICF component. The ICF component provides basic reconciliation and provisioning operations that are common to all Oracle Identity Governance connectors. In addition, ICF provides common features that developers would otherwise need to implement on their own, such as connection pooling, buffering, time outs, and filtering. ICF is distributed together with Oracle Identity Governance. Therefore, you do not need to configure or modify ICF.

During provisioning, the adapters invoke the ICF operation, ICF invokes the Create operation on the Concur Connector Bundle, and then the bundle calls the OAuth API. The OAuth API uses the OAuth method (Native Flow) to connect to Concur. Concur accepts provisioning data from the bundle, carries out the operation, and returns the response to the bundle. The bundle then passes it to the adapters.

1.6 Supported Use Cases

The Concur connector provides user management functionality that helps in managing users and their accounts in Concur through Oracle Identity Governance.

The following is a scenario in which the Concur connector can be used:

Organizations use Concur for managing their travel and expense (T&E) information. The administrator needs to create and grant login access to the concerned employees in the Concur portal. When an employee leaves the organization, the administrator needs to ensure that the employee can no longer access the sensitive information using their Concur account. Doing these tasks manually for every employee is cumbersome and error-prone. The Concur connector enables automation of provisioning and deprovisioning of the user accounts in Concur. Whenever a new employee joins the organization, based on the access policies defined in Oracle Identity Governance, a Concur account is automatically provisioned to that employee with appropriate access rights. Similarly, when the employee leaves the organization, the same account is automatically deactivated. This saves time and provides robust security due to less manual intervention.
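The deprovisioning outcome described in this scenario can be checked independently of the connector. The following is an added example, not part of the connector or of this guide: it compares a constructed export of target-system accounts with a constructed HR feed and reports active accounts that belong to leavers or to nobody. All field names and records are hypothetical and are not the Concur or Oracle Identity Governance schema.

```python
# Added example: audit target-system accounts against HR leavers.
# Field names and records are constructed for illustration only; they are
# not the Concur or Oracle Identity Governance schema.
from datetime import date

# Constructed HR feed: login -> last working day (None = still employed).
HR = {
    "asmith@example.com": None,
    "bjones@example.com": date(2024, 3, 1),
    "cwu@example.com": date(2024, 12, 31),
}

# Constructed export of accounts as seen on the target system.
CONCUR_ACCOUNTS = [
    {"login": "ASmith@example.com", "active": True},   # employed, mixed case
    {"login": "bjones@example.com", "active": True},   # leaver, still enabled
    {"login": "cwu@example.com", "active": True},      # leaves in the future
    {"login": "temp01@example.com", "active": True},   # no HR record
    {"login": "dlee@example.com", "active": False},    # disabled, no HR record
]


def audit(accounts, hr, today):
    """Return (stale, orphaned) logins among the active accounts.

    stale    : the owner's last working day is before `today`
    orphaned : no matching HR record, so the account has no owner
    """
    hr_norm = {login.lower(): last_day for login, last_day in hr.items()}
    stale, orphaned = [], []
    for acct in accounts:
        if not acct["active"]:
            continue  # disabled accounts cannot be used to log in
        login = acct["login"].lower()  # compare logins case-insensitively
        if login not in hr_norm:
            orphaned.append(login)
        elif hr_norm[login] is not None and hr_norm[login] < today:
            stale.append(login)
    return sorted(stale), sorted(orphaned)


if __name__ == "__main__":
    stale, orphaned = audit(CONCUR_ACCOUNTS, HR, today=date(2024, 6, 1))
    print("Active accounts of leavers:", stale)
    print("Active accounts with no owner:", orphaned)
```

Any login in either list is an account that deprovisioning or reconciliation should have handled and is worth investigating.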

1.7 Supported Connector Features Matrix

This matrix lists the features supported by the AOB application and the CI-based connector.

Table 1-3 Supported Connector Features Matrix

| Feature | AOB Application | CI-Based Connector |
| --- | --- | --- |
| Perform full reconciliation | Yes | Yes |
| Support for connector server | Yes | Yes |
| Support for limited reconciliation of account based on filters | Yes | Yes |
| Transformation and validation of account data | Yes | Yes |
| Clone applications or create new application instances | Yes | Yes |
| Use connector server | Yes | Yes |
| Provide secure communication to the target system through SSL | Yes | Yes |
| Support for paging | Yes | Yes |
| Test connection | Yes | No |

1.8 Connector Features

The features of the connector include support for provisioning user accounts, target resource reconciliation, reconciliation of all existing or modified account data, limited reconciliation, transformation and validation of account data during reconciliation and provisioning, support for the connector server, multiple installations of the target system, secure communication to the target system through SSL, and so on.

1.8.1 Support for Full Reconciliation

After you create the application, you can perform full reconciliation to bring all existing user data from the target system to Oracle Identity Governance.

You can perform a full reconciliation run at any time. See Performing Full Reconciliation.

1.8.2 Support for Limited Reconciliation

You can reconcile records from the target system based on a specified filter criterion. To limit or filter the records that are fetched into Oracle Identity Governance during a reconciliation run, you can specify the subset of added or modified target system records that must be reconciled.

You can set a reconciliation filter as the value of the Filter Suffix attribute of the user reconciliation scheduled job. The Filter Suffix attribute helps you to assign filters to the API based on which you get a filtered response from the target system.

See Performing Limited Reconciliation.

1.8.3 Transformation and Validation of Account Data

You can configure transformation and validation of account data that is brought into or sent from Oracle Identity Governance during reconciliation and provisioning operations by writing Groovy scripts while creating your application.

For more information, see Validation and Transformation of Provisioning and Reconciliation Attributes in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

1.8.4 Support for the Connector Server

Connector Server is one of the features provided by ICF. By using one or more connector servers, the connector architecture permits your application to communicate with externally deployed bundles.

A Java connector server is useful when you do not wish to execute a Java connector bundle in the same VM as your application. It can be beneficial to run a Java connector on a different host for performance improvements.

For information about installing, configuring, and running the Connector Server, and then installing the connector in a Connector Server, see Using an Identity Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

1.8.5 Support for Cloning Applications and Creating Instance Applications

You can configure this connector for multiple installations of the target system by cloning applications or by creating instance applications.

When you clone an application, all the configurations of the base application are copied into the cloned application. When you create an instance application, it shares all the configurations of the base application.

For more information about these configurations, see Cloning Applications and Creating Instance Applications in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

1.8.6 Secure Communication to the Target System

To provide secure communication to the target system, SSL is required. You can configure SSL between Oracle Identity Governance and the Connector Server and between the Connector Server and the target system.

If you do not configure SSL, passwords can be transmitted over the network in clear text. For example, this problem can occur when you are creating a user or modifying a user's password.

See Configuring SSL.