5 Using the Identity Cloud Service Connector
You can use the connector for performing reconciliation and provisioning operations after configuring it to meet your requirements.
5.1 Configuring Reconciliation
You can configure the connector to specify the type of reconciliation and its schedule.
This section discusses the following topics related to configuring reconciliation:
5.1.1 Performing Full and Incremental Reconciliation
Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Governance. During incremental reconciliation, only records that are added or modified after the last reconciliation run are fetched into Oracle Identity Governance.
After you deploy the connector, you must first perform full reconciliation. In addition, you can switch from incremental reconciliation to full reconciliation whenever you want to ensure that all target system records are reconciled in Oracle Identity Governance.
To perform a full reconciliation run, ensure that a value is not specified for the Filter and Latest Token attributes of scheduled jobs for reconciling user and group records.
At the end of the reconciliation run, the Latest Token attribute of the scheduled jobs for user and group record reconciliation is automatically set to the time stamp at which the run ended. From the next reconciliation run onward, only records created or modified after this time stamp are considered for reconciliation. This is incremental reconciliation.
See IDCS Target Resource User Reconciliation Job and IDCS Group Reconciliation Job for information about these scheduled jobs.
You specify values for these attributes by following the instructions described in Configuring Reconciliation Jobs.
5.1.2 Performing Batched Reconciliation
You can perform batched reconciliation to reconcile a specific number of records from the target system into Oracle Identity Governance.
During a reconciliation run, all changes in the target system records are reconciled into Oracle Identity Governance. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete.
You can configure batched reconciliation to avoid these problems.
To configure batched reconciliation, you must specify a value for the Batch Size attribute of scheduled jobs for reconciling user and group records. The Batch Size attribute is used to specify the number of records that must be included in each batch. See IDCS Target Resource User Reconciliation Job, IDCS Target Resource User Delete Reconciliation Job, and IDCS Group Reconciliation Job for information about these scheduled jobs.
By default, the value of this attribute is empty, indicating that all records are included (no batched reconciliation).
You specify values for these attributes by following the instructions described in Configuring Reconciliation Jobs.
5.1.3 Performing Limited Reconciliation
You can perform limited reconciliation by creating filters for the reconciliation module, and reconcile records from the target system based on a specified filter criterion.
By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled.
This connector provides a Filter attribute (a scheduled job attribute) that allows you to use any of the Identity Cloud Service resource attributes to filter the target system records. See IDCS Target Resource User Reconciliation Job and IDCS Group Reconciliation Job.
Note:
If you are using filters in reconciliation as described in this section, be consistent and always use the same filters for all reconciliation jobs. By using the same filters, you maintain consistency of the data and ensure that you work with the same user base in all reconciliation operations.
For detailed information about ICF Filters, see ICF Filter Syntax in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.
You specify values for these attributes by following the instructions described in Configuring Reconciliation Jobs.
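The three job attributes described in this section (Filter, Latest Token and Batch Size) combine in one reconciliation run, and it helps to see how they interact on a concrete record set. The following Python model is an added example, not code from the connector or from Oracle; it assumes an ICF-style filter grammar of the form equalTo('attr','value'), startsWith(...), contains(...), endsWith(...) combined with and(...), or(...) and not(...), it assumes the record modification timestamp lives in an attribute named meta.lastModified, and the user records are constructed for illustration.

```python
"""Model of how Filter, Latest Token and Batch Size select target records.

Added example (not connector code). Assumptions: ICF-style filter strings
such as and(startsWith('department','eng'), not(equalTo('__NAME__','x'))),
and a per-record modification timestamp in the attribute meta.lastModified.
"""
from datetime import datetime

# Constructed sample of target-system user records (not real IDCS data).
TARGET_RECORDS = [
    {"__UID__": "u1", "__NAME__": "alice", "department": "eng",
     "meta.lastModified": "2024-01-10T08:00:00Z"},
    {"__UID__": "u2", "__NAME__": "bob", "department": "eng",
     "meta.lastModified": "2024-01-12T09:30:00Z"},
    {"__UID__": "u3", "__NAME__": "carol", "department": "sales",
     "meta.lastModified": "2024-01-15T10:00:00Z"},
    {"__UID__": "u4", "__NAME__": "dave", "department": "eng",
     "meta.lastModified": "2024-01-16T11:00:00Z"},
    {"__UID__": "u5", "__NAME__": "erin", "department": "eng-ops",
     "meta.lastModified": "2024-01-17T12:00:00Z"},
]

LEAF_OPS = {"equalTo", "contains", "startsWith", "endsWith"}
COMPOUND_OPS = {"and", "or", "not"}


def _tokenize(text):
    """Split a filter string into '(' / ')' and ('op', name) / ('str', value) tokens."""
    tokens, i = [], 0
    while i < len(text):
        c = text[i]
        if c.isspace() or c == ",":
            i += 1
        elif c in "()":
            tokens.append(c)
            i += 1
        elif c == "'":
            j = text.index("'", i + 1)
            tokens.append(("str", text[i + 1:j]))
            i = j + 1
        elif c.isalpha():
            j = i
            while j < len(text) and text[j].isalnum():
                j += 1
            tokens.append(("op", text[i:j]))
            i = j
        else:
            raise ValueError(f"unexpected character {c!r} at offset {i}")
    return tokens


def _parse(tokens, pos=0):
    """Recursive-descent parse of op(...) into a nested tuple tree."""
    kind, op = tokens[pos]
    if kind != "op" or tokens[pos + 1] != "(":
        raise ValueError(f"expected operator call at token {pos}")
    pos += 2
    if op in LEAF_OPS:
        attr, value = tokens[pos], tokens[pos + 1]
        if attr[0] != "str" or value[0] != "str":
            raise ValueError(f"{op} expects two quoted arguments")
        node, pos = (op, attr[1], value[1]), pos + 2
    elif op in COMPOUND_OPS:
        children = []
        while tokens[pos] != ")":
            child, pos = _parse(tokens, pos)
            children.append(child)
        node = (op, children)
    else:
        raise ValueError(f"unsupported filter operator {op!r}")
    if tokens[pos] != ")":
        raise ValueError(f"missing ')' after {op}")
    return node, pos + 1


def parse_filter(text):
    """Parse a complete filter string; reject trailing garbage."""
    tokens = _tokenize(text)
    node, pos = _parse(tokens)
    if pos != len(tokens):
        raise ValueError("trailing tokens after filter expression")
    return node


def _matches(node, record):
    """Evaluate a parsed filter tree against one record (missing attrs read as '')."""
    op = node[0]
    if op in LEAF_OPS:
        actual = str(record.get(node[1], ""))
        value = node[2]
        return {"equalTo": actual == value, "contains": value in actual,
                "startsWith": actual.startswith(value),
                "endsWith": actual.endswith(value)}[op]
    children = node[1]
    if op == "and":
        return all(_matches(c, record) for c in children)
    if op == "or":
        return any(_matches(c, record) for c in children)
    return not _matches(children[0], record)  # not(...)


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def run_reconciliation(records, filter_expr=None, latest_token=None,
                       batch_size=None, run_end="2024-01-18T00:00:00Z"):
    """Apply Filter, then Latest Token, then Batch Size; return batches and the new token."""
    selected = list(records)
    if filter_expr:                       # Filter set: limited reconciliation
        tree = parse_filter(filter_expr)
        selected = [r for r in selected if _matches(tree, r)]
    if latest_token:                      # Latest Token set: incremental reconciliation
        cutoff = _ts(latest_token)        # only records modified strictly after the token
        selected = [r for r in selected if _ts(r["meta.lastModified"]) > cutoff]
    size = batch_size or len(selected) or 1   # empty Batch Size: everything in one batch
    batches = [selected[i:i + size] for i in range(0, len(selected), size)]
    # At the end of the run the token becomes the run-end timestamp (assumed ISO format).
    return {"batches": batches, "latest_token": run_end}


def uids(result):
    """Flatten a run result to lists of __UID__ values per batch, for inspection."""
    return [[r["__UID__"] for r in batch] for batch in result["batches"]]


if __name__ == "__main__":
    print("full:       ", uids(run_reconciliation(TARGET_RECORDS)))
    print("incremental:", uids(run_reconciliation(
        TARGET_RECORDS, latest_token="2024-01-12T09:30:00Z")))
    print("filtered:   ", uids(run_reconciliation(
        TARGET_RECORDS,
        filter_expr="and(startsWith('department','eng'), not(equalTo('__NAME__','dave')))")))
    print("batched:    ", uids(run_reconciliation(TARGET_RECORDS, batch_size=2)))
```

Running the model makes the ordering of the three attributes visible: the filter narrows the candidate set first, the token then drops anything not modified after the previous run, and batching only splits what is left. It also shows why the note about using the same filter in every job matters: a record excluded by one job's filter is never fetched by that job, yet the token still advances past it, so a later run with a different filter will not pick it up either.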
5.2 Configuring Reconciliation Jobs
Configure reconciliation jobs to perform reconciliation runs that periodically check for new information on your target system and replicate the data in Oracle Identity Governance.
You can apply this procedure to configure the reconciliation jobs for users and entitlements.
5.3 Configuring Provisioning
Learn about performing provisioning operations in Oracle Identity Governance and the guidelines that you must apply while performing these operations.
5.3.1 Guidelines on Performing Provisioning Operations
These are the guidelines that you must apply while performing provisioning operations.
- During the Create User provisioning operation, if you do not want to send the account creation notification to users from the target system and do not want users to reset their password on first login, then you must enable hashing on the default password. To do so, set the hashPasswordEnabled advanced settings parameter to true. As a result, accounts are provisioned on Identity Cloud Service with the password that is assigned to the corresponding Oracle Identity Governance Users. Also, the e-mail notification is not sent from Identity Cloud Service and users do not need to reset their password on first login in Identity Cloud Service.
- During the Delete User provisioning operation, if you want to delete users that are associated with one or more entities (Groups or Applications) in Identity Cloud Service, then you must update the relURLs advanced settings parameter. To do so, add the "__ACCOUNT__.DeleteOp=/Users/$(__ACCOUNT__.__UID__)$?forceDelete=true" value at the end of the relURLs entry. The updated sample value is: "__ACCOUNT__.password.UpdateOp=/Users/$(__ACCOUNT__.__UID__)$","__ACCOUNT__.DeleteOp=/Users/$(__ACCOUNT__.__UID__)$?forceDelete=true".
For details on the hashPasswordEnabled and relURLs parameters, see Advanced Settings Parameters.
5.3.2 Performing Provisioning Operations
You create a new user in Identity Self Service by using the Create User page. You provision or request accounts on the Accounts tab of the User Details page.
To perform provisioning operations in Oracle Identity Governance:
- Log in to Identity Self Service.
- Create a user as follows:
- In Identity Self Service, click Manage. The Home tab displays the different Manage options. Click Users. The Manage Users page is displayed.
- From the Actions menu, select Create. Alternatively, you can click Create on the toolbar. The Create User page is displayed with input fields for user profile attributes.
- Enter details of the user in the Create User page.
- On the Account tab, click Request Accounts.
- In the Catalog page, search for and add to cart the application instance for the connector that you configured earlier, and then click Checkout.
- Specify values for the fields in the application form and then click Ready to Submit.
- Click Submit.
See Also:
Creating a User in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance for details about the fields on the Create User page.
5.4 Connector Objects Used For Group Management
Learn about the objects that are used by the connector to perform group management operations such as create, update, and delete.
This section provides information related to connector objects used during a provisioning or reconciliation operation:
5.4.1 Lookup Definitions for Group Management
These are the lookup definitions that map group resource object fields in Oracle Identity Governance and the target system attributes. The Lookup.IDCS.GM.ReconAttrMap lookup definition is used for performing target resource group reconciliation runs. The Lookup.IDCS.GM.ProvAttrMap lookup definition is used for performing group provisioning operations.
Table 5-1 lists the entries in the Lookup.IDCS.GM.ReconAttrMap and Lookup.IDCS.GM.ProvAttrMap lookup definitions.
Table 5-1 Entries in the Lookup Definitions for Group Management
Code Key | Decode |
---|---|
Description | description |
Group Id | __UID__ |
Group Name | __NAME__ |
OIG Organization Name | OIG Organization Name |
5.4.2 Reconciliation Scheduled Jobs for Group Management
After you create an application, reconciliation scheduled jobs are automatically created for group management operations in Oracle Identity Governance. You must configure these scheduled jobs to suit your requirements by specifying values for their attributes.
This topic provides information about the following scheduled jobs:
5.4.2.1 IDCS Group Reconciliation Job
You use the IDCS Group Reconciliation scheduled job to reconcile group data from the target system.
Table 5-2 Attributes of the IDCS Group Reconciliation Scheduled Job
Attribute | Description |
---|---|
Filter | Enter the search filter for fetching records from the target system during a reconciliation run. See Performing Limited Reconciliation for more information about filtered reconciliation. |
Incremental Recon Attribute | This attribute holds the value of the attribute that is specified as the value of the Incremental Recon Attribute. Default value: Note: Do not change the value of this attribute. |
IT Resource Name | Enter the name of the IT resource for the target system installation from which you want to reconcile group records. Default value: |
Latest Token | Attribute that holds the date on which the token record was modified. The Latest Token attribute is used for internal purposes. By default, this value is empty. Note: Do not enter a value for this attribute. The reconciliation engine automatically enters a value in this attribute. Sample value: |
Object Type | This attribute holds the name of the object type for the reconciliation run. Default value: Note: Group is the only object that is supported. Therefore, do not change the value of this attribute. |
OIM Organization Name | Name of the organization that is used for reconciliation. |
Resource Object Name | This attribute holds the name of the resource object used for reconciliation. Default value: |
5.4.2.2 IDCS Group Delete Reconciliation Job
You use the IDCS Group Delete Reconciliation scheduled job to reconcile deleted group data from the target system.
Table 5-3 Attributes of the IDCS Group Delete Reconciliation Scheduled Job
Attribute | Description |
---|---|
Batch Size | Enter the number of records that must be included in each batch fetched from the target system during reconciliation. By default, the value of this attribute is empty, indicating that all records are included for reconciliation. |
IT Resource Name | Enter the name of the IT resource for the target system installation from which you want to reconcile group records. Default value: |
Object Type | This attribute holds the name of the object type for the reconciliation run. Default value: Note: Group is the only object that is supported. Therefore, do not change the value of this attribute. |
OIM Organization Name | Name of the organization that is used for delete reconciliation. |
Resource Object Name | This attribute holds the name of the resource object used for reconciliation. Default value: |
5.4.3 Reconciliation Rules for Group Management
The reconciliation engine uses rules to determine the identity to which Oracle Identity Governance must assign a newly discovered account on the target system.
This section discusses the following topics related to the group reconciliation rule for target resource reconciliation:
5.4.3.1 Reconciliation Rule for Groups
The Identity Cloud Service connector can perform reconciliation of groups. Therefore, the connector has reconciliation rules defined specifically for groups.
Rule name: IDCS Groups Recon Rule
Rule element: Organization Name Equals OIG Org Name.
- Organization Name is the Organization Name field of the Oracle Identity Governance User form.
- OIG Org Name is the organization name of the groups in Oracle Identity Governance. OIG Org Name is the value specified in the Organization Name attribute of the IDCS Group Recon scheduled job.
5.4.3.2 Viewing Reconciliation Rules in the Design Console
You can view reconciliation rules for groups on the Reconciliation Rule Builder form in Oracle Identity Manager Design Console.
To view the reconciliation rule for groups:
- Log in to the Oracle Identity Manager Design Console.
- Expand Development Tool and then double-click Reconciliation Rules.
- Search for and open the IDCS Groups Recon Rule.
5.4.4 Reconciliation Action Rules for Group Management
Reconciliation action rules specify the actions that the connector must perform depending on whether or not matching Identity Cloud Service resources or Oracle Identity Governance Users are found when the reconciliation rule is applied.
Note:
No action is performed for rule conditions that are not predefined for this connector. You can define your own action rule for such rule conditions.
The following sections provide information about the action rules for this connector:
5.4.4.1 Reconciliation Action Rules for Groups
Reconciliation action rules specify the actions the connector must perform based on the result of the processing of a reconciliation event. These are the reconciliation action rules for groups.
Table 5-4 Reconciliation Action Rules for Groups
Rule Condition | Action |
---|---|
No matches found | None |
One entity match found | Establish link |
One process match found | Establish link |
5.5 Uninstalling the Connector
Uninstalling the Identity Cloud Service connector deletes all the account-related data associated with its resource objects.
If you want to uninstall the connector for any reason, then run the Uninstall Connector utility. Before you run this utility, ensure that you set values for the ObjectType and ObjectValues properties in the ConnectorUninstall.properties file. For example, if you want to delete resource objects, scheduled tasks, and scheduled jobs associated with the connector, then enter "ResourceObject", "ScheduleTask", "ScheduleJob" as the value of the ObjectType property and a semicolon-separated list of object values corresponding to your connector as the value of the ObjectValues property.
For example: IDCS User; IDCS Group
Note:
If you set values for the ConnectorName and Release properties along with the ObjectType and ObjectValues properties, then the utility deletes the objects listed in the ObjectValues property and skips the Connector information.
For more information, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Governance.