3 Configuring the Microsoft Exchange Connector
While creating a target application, you must configure connection-related parameters that the connector uses to connect Oracle Identity Governance with your target system and perform connector operations. In addition, you can view and edit attribute mappings between the process form fields in Oracle Identity Governance and target system attributes, predefined correlation rules, situations and responses, and reconciliation jobs.
3.1 Basic Configuration Parameters
These are the connection-related parameters that Oracle Identity Governance requires to connect to Microsoft Exchange.
Table 3-1 Basic Configuration Parameters for Microsoft Exchange
Parameter | Mandatory? | Description |
---|---|---|
Exchange Server Type | Yes | Enter the type of Microsoft Exchange Server. For Exchange 2016, set the value to |
Connector Server Name | No | If you are using this connector with a .NET Connector Server, then enter the name of Connector Server IT resource. |
Exchange Server Host | Yes | Enter the hostname of the computer hosting the Exchange Server. |
Exchange User | Yes | User name of the service account having minimum privileges described in Creating a Target System User Account for Connector Operations. Enter the username in the following format: DOMAIN_NAME\USER_NAME |
Exchange User Password | Yes | Enter the valid password for user specified for the Exchange User parameter. |
3.2 Advanced Settings Parameters
These are the configuration-related entries that the connector uses during reconciliation and provisioning operations.
Table 3-2 Advanced Setting Parameters
Parameter | Mandatory? | Description |
---|---|---|
Directory Admin Name | Yes | This parameter is used internally by the connector. Do not modify this entry. Default value: |
Directory Admin Password | Yes | This parameter is used internally by the connector. Do not modify this entry. Default value: |
Container | Yes | This parameter is used internally by the connector. Do not modify this entry. Default value: |
Use SSL For Remote PowerShell | No | This entry is used when the connector is configured against Exchange 2010 to remotely connect to the connector. Default value: Do not modify this entry. |
Authentication Mechanism | No | This entry is used when the connector is configured against Exchange to remotely connect to the Exchange Server. Default value: Do not modify this entry. |
Bundle Name | No | This entry holds the name of the connector bundle package. Default value: |
Bundle Version | No | This entry holds the version of the connector bundle class. Default value: |
Default Incoming Message Size | No | During Enable operation, the connector first sets the IncomingMessageSize of the recipient to this value. After the operation completes, the connector updates the target system with the actual size in the process form. Enter the appropriate default value for your organization. Default value: |
Connector Name | No | This entry holds the name of the connector class. Default value: |
Mode | No | This parameter is used internally by the connector. Default value: |
Default Outgoing Message Size | | During Enable operation, the connector first sets the OutgoingMessageSize of the recipient to this value. After the operation completes, the connector updates the target system with the actual size in the process form. Enter the appropriate default value for your organization. Default value: |
Domain Name | No | This parameter is used internally by the connector. Do not modify this entry. Default value: |
3.3 Attribute Mappings
The Schema page for a target application displays the default schema (provided by the connector) that maps Oracle Identity Governance attributes to target system attributes. The connector uses these mappings during reconciliation and provisioning operations.
Exchange User Attributes
Table 3-3 lists the user-specific attribute mappings between the process form fields in Oracle Identity Governance and Exchange attributes. The table also lists whether a specific attribute is used during provisioning or reconciliation and whether it is a matching key field for fetching records during reconciliation.
If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-3 Default Attribute Mappings for a Microsoft Exchange User Account
Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Provision Field? | Recon Field? | Key Field? | Case Insensitive? |
---|---|---|---|---|---|---|---|
User Logon Name | __NAME__ | String | Yes | Yes | Yes | No | Not applicable |
Alias | Alias | String | No | Yes | Yes | No | Not applicable |
Display Name | DisplayName | String | No | Yes | Yes | No | Not applicable |
Simple Display Name | SimpleDisplayName | String | Yes | Yes | Yes | No | Not applicable |
Recipient Type | RecipientType | String | No | Yes | Yes | Yes | No |
External Email Address | ExternalEmailAddress | String | No | Yes | Yes | No | Not applicable |
Maximum Recipients | RecipientLimits | String | No | Yes | Yes | No | Not applicable |
Max Incoming Message Size | MaxReceiveSize | String | No | Yes | Yes | No | Not applicable |
Max Outgoing Message Size | MaxSendSize | String | No | Yes | Yes | No | Not applicable |
Use Storage Defaults | UseDatabaseQuotaDefaults | Boolean | No | Yes | Yes | No | Not applicable |
Mailbox Size Receipt Quota | ProhibitSendReceiveQuota | String | No | Yes | Yes | No | Not applicable |
Mailbox Size Transmit Quota | ProhibitSendQuota | String | No | Yes | Yes | No | Not applicable |
Mailbox Warning Size | IssueWarningQuota | String | No | Yes | Yes | No | Not applicable |
Archive Mailbox Size | ArchiveQuota | String | No | Yes | No | No | Not applicable |
Archive Mailbox Size Warning | ArchiveWarningQuota | String | No | Yes | No | No | Not applicable |
Retain Deleted Items Defaults | UseDatabaseRetentionDefaults | Boolean | No | Yes | Yes | No | Not applicable |
Retain Deleted Items For | RetainDeletedItemsFor | String | No | Yes | Yes | No | Not applicable |
Retain Deleted Items Until Backup | RetainDeletedItemsUntilBackup | Boolean | No | Yes | Yes | No | Not applicable |
Return Value | __UID__ | String | No | Yes | Yes | Yes | No |
Leave Start Date | | Date | No | No | No | No | Not applicable |
Leave End Date | | Date | No | No | No | No | Not applicable |
Hidden From Address Lists Enabled | HiddenFromAddressListsEnabled | Boolean | No | Yes | Yes | No | Not applicable |
Email Address Policy Enabled | EmailAddressPolicyEnabled | Boolean | No | Yes | Yes | No | Not applicable |
Primary SMTP Address | PrimarySmtpAddress | String | No | Yes | Yes | No | Not applicable |
Server | | Long | Yes | No | Yes | No | Not applicable |
Message Format | MessageFormat | String | No | Yes | No | No | Not applicable |
Message Body Format | MessageBodyFormat | String | No | Yes | No | No | Not applicable |
Use Prefer Message Format | UsePreferMessageFormat | String | No | Yes | No | No | Not applicable |
Status | __ENABLE__ | String | No | No | Yes | No | Not applicable |
Figure 3-1 shows some of the default User account attribute mappings.
Figure 3-1 Default Attribute Mappings for Exchange User Account
Distribution Groups Child Attributes
Table 3-4 lists the attribute mappings for distribution groups between the process form fields in Oracle Identity Governance and Exchange attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.
If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-4 Default Attribute Mappings for Exchange Distribution Groups
Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field | Key Field? | Case Insensitive? |
---|---|---|---|---|---|---|
Distribution Group | DistributionGroup | String | No | Yes | Yes | No |
Figure 3-2 shows the default Distribution Groups child attribute mapping.
Figure 3-2 Default Attribute Mappings for Distribution Groups
3.4 Correlation Rules
When you create a Target application, the connector uses correlation rules to determine the identity to which Oracle Identity Governance must assign a resource.
Predefined Identity Rules
By default, the Exchange connector provides a simple correlation rule when you create a Target application. The connector uses this correlation rule to compare the entries in Oracle Identity Governance repository and the target system repository, determine the difference between the two repositories, and apply the latest changes to Oracle Identity Governance.
If required, you can edit the default correlation rule or add new rules. You can create complex correlation rules also. For more information about adding or editing simple or complex correlation rules, see Updating Identity Correlation Rule in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-5 Predefined Identity Correlation Rule for an Exchange Target Application
Target Attribute | Element Operator | Identity Attribute | Case Sensitive? |
---|---|---|---|
SamAccountName | Equals | User Login | No |
- SamAccountName is a field on Microsoft Active Directory that represents the login name of the user account.
- User Login is a field on the OIM User form that holds the unique ID of the Exchange user.
- Rule operator is AND.
Predefined Situations and Responses
The Exchange connector provides a default set of situations and responses when you create a Target application. These situations and responses specify the action that Oracle Identity Governance must take based on the result of a reconciliation event.
Table 3-6 lists the default situations and responses for the Exchange application. If required, you can edit these default situations and responses or add new ones. For more information about adding or editing situations and responses, see Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-6 Predefined Situations and Responses for Exchange
Situation | Response |
---|---|
No Matches Found | None |
One Entity Match Found | Establish Link |
One Process Match Found | Establish Link |
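The following Python sketch is an added example, not Oracle's connector code. It models the Table 3-5 rule (SamAccountName Equals User Login, not case sensitive) and the Table 3-6 responses, and lists reconciled accounts that were not linked to exactly one identity, which is the set an administrator would review as possible orphaned mailboxes. The function names, the sample accounts, and the handling of more than one match (which Table 3-6 does not cover) are assumptions.

```python
# Added illustration of the predefined correlation rule and responses.
# All names and account data here are constructed, not taken from a real system.

# Responses copied from Table 3-6 for the entity-level situations.
RESPONSES = {
    "No Matches Found": "None",
    "One Entity Match Found": "Establish Link",
}

def correlate(sam_account_name, oig_user_logins):
    """Apply 'SamAccountName Equals User Login' without case sensitivity.

    Returns (situation, response, matching_logins).
    """
    key = sam_account_name.casefold()
    matches = [login for login in oig_user_logins if login.casefold() == key]
    if not matches:
        situation = "No Matches Found"
    elif len(matches) == 1:
        situation = "One Entity Match Found"
    else:
        # More than one identity matched. Table 3-6 defines no response for
        # this case, so the label is hypothetical and no link is made.
        return ("AMBIGUOUS (hypothetical label)", None, matches)
    return (situation, RESPONSES[situation], matches)

def review_queue(target_accounts, oig_user_logins):
    """Return target accounts that did not end in 'Establish Link'."""
    queue = []
    for account in target_accounts:
        situation, response, matches = correlate(account, oig_user_logins)
        if response != "Establish Link":
            queue.append((account, situation, matches))
    return queue

# Constructed sample data. The two service logins differ only by case and
# exist solely to exercise the ambiguity guard above.
OIG_USER_LOGINS = ["JDOE", "asmith", "Svc-Mail", "svc-mail"]
TARGET_ACCOUNTS = ["jdoe", "ASmith", "old.contractor", "svc-mail"]

if __name__ == "__main__":
    for account, situation, matches in review_queue(TARGET_ACCOUNTS, OIG_USER_LOGINS):
        print(f"{account}: {situation} {matches}")
```

Because the response to No Matches Found is None, such accounts stay unlinked after every run until someone acts on them.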
3.5 Reconciliation Jobs
These are the reconciliation jobs that are automatically created in Oracle Identity Governance after you create the application.
User Reconciliation Job
You can either use these predefined jobs or edit them to meet your requirements. Alternatively, you can create custom reconciliation jobs. For information about editing these predefined jobs or creating new ones, see Updating Reconciliation Jobs in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
The Exchange Target Resource User Reconciliation job is used to reconcile user data from a target application.
Table 3-7 Parameters of the Exchange Target Resource User Reconciliation Job
Parameter | Description |
---|---|
Application Name | Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value. |
DomainController | This attribute indicates if you want to reconcile from a particular domain. If no domain controller is provided, then a reconciliation run fetches users from all the domains in the forest. By default, this value is blank. |
Scheduled Task Name | This parameter holds the name of the scheduled job. Note: For the scheduled job included with this connector, you must not change the value of this parameter. However, if you create a new job or create a copy of the job, then enter the unique name for that scheduled job as the value of this parameter. Default value: APP_NAME Exchange Target Resource User Reconciliation |
OrganizationalUnit | Specifies the distinguished name of the OU from which you want to reconcile mailboxes. |
Incremental Recon Attribute | Default value: |
Latest Token | Time stamp at which the last reconciliation run started. Note: Do not enter a value for this attribute. The reconciliation engine automatically enters a value in this attribute. |
Filter | Enter the search filter for fetching user records from the target system during a reconciliation run. See Performing Limited Reconciliation for more information about this attribute. |
Object Type | This attribute holds the name of the object type for the reconciliation run. Default value: Do not change the default value. |
Delete User Reconciliation Job
The Exchange Target Resource Delete User Reconciliation job is used to reconcile deleted user data from a target application.
Table 3-8 Parameters of the Exchange Target Resource Delete User Reconciliation Job
Parameter | Description |
---|---|
Application Name | Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value. |
Object Type | This attribute holds the name of the object type for the reconciliation run. Default value: Do not change the default value. |
Reconciliation Jobs for Entitlements
- Exchange User Distribution Group Lookup Reconciliation
  Use this reconciliation job to fetch all mail-enabled universal distribution groups present in the forest into Oracle Identity Governance.
- Exchange User Mailbox Database Group Lookup Reconciliation
  Use this reconciliation job to synchronize mailbox database lookup fields in Oracle Identity Governance with mailbox databases in the target system.
The parameters for both the reconciliation jobs are the same.
Table 3-9 Parameters of the Reconciliation Jobs for Entitlements
Parameter | Description |
---|---|
Application Name | Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value. |
Code Key Attribute | Name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). Default value: Note: Do not change the value of this attribute. |
Decode Attribute | Name of the connector or target system attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute). Default value: Note: Do not change the value of this attribute. |
Lookup Name | This parameter holds the name of the lookup definition that maps each lookup definition with the data source from which values must be fetched. Depending on the reconciliation job you are using, the default values are as follows: |
Object Type | Enter the type of object whose values must be synchronized. Depending on the reconciliation job you are using, the default values are as follows: Note: Do not change the value of this attribute. |
Leave Of Absence Reconciliation Job
The Exchange Leave Of Absence Update Task reconciliation job sets the HiddenFromAddressListsEnabled attribute on Microsoft Exchange for a user.
Note:
This recon job is loaded into the system through the xml/Exchange-pre-config.xml file after you create your Exchange application. You can access and run this job only from the Identity System Administration console once the application is created.
To run this job, you must specify the name of the application against which reconciliation runs must be performed.
This job runs only if the Leave Start Date and Leave End Date values are provided on the process form. For example, if the date falls between the Leave Start Date and the Leave End Date, then this job runs and sets the HiddenFromAddressListsEnabled attribute on Microsoft Exchange for that user. Otherwise, this task resets the HiddenFromAddressListsEnabled attribute for that user.