1 About the Microsoft Exchange Connector

The Microsoft Exchange connector integrates Oracle Identity Governance with the Microsoft Exchange target system.

The following topics provide a high-level overview of the Microsoft Exchange connector:

1.1 Introduction to the Connector

Oracle Identity Governance is a centralized identity management solution that provides self-service, compliance, provisioning, and password management services for applications residing on-premises or in the cloud. Oracle Identity Governance connectors are used to integrate Oracle Identity Governance with external identity-aware applications.

The Microsoft Exchange connector lets you create and onboard Exchange applications in Oracle Identity Governance.

Note:

In this guide, the connector that is deployed using the Applications option on the Manage tab of Identity Self Service is referred to as an AOB application. The connector that is deployed using the Manage Connector option in Oracle Identity System Administration is referred to as a CI-based connector (Connector Installer-based connector).
From Oracle Identity Governance release 12.2.1.3.0 onward, connector deployment is handled using the application onboarding capability of Oracle Identity Self Service. This capability lets business users onboard applications with minimum details and effort. The connector installation package includes a collection of predefined templates (XML files) that contain all the information required for provisioning and reconciling data from a given application or target system. These templates also include basic connectivity and configuration details specific to your target system. The connector uses information from these predefined templates so that you can onboard your applications quickly and easily through a single, simplified UI.

Application onboarding is the process of registering or associating an application with Oracle Identity Governance and making that application available for provisioning and reconciliation of user information.

In the account management mode of the connector, information about mailboxes created or modified directly on the target system can be reconciled into Oracle Identity Manager. In addition, you can use Oracle Identity Manager to perform mailbox provisioning operations on the target system.

Note:

In some places in this guide, Microsoft Exchange is referred to as the target system.

This connector supports two recipient types, UserMailbox and MailUser. The term recipients is used in this guide to refer to both recipient types. In other cases, the terms UserMailbox and MailUser are used in this guide to refer to specific recipient types.

1.2 Certified Components

These are the software components and their versions required for installing and using the connector.

Table 1-1 Certified Components

Item: Oracle Identity Governance or Oracle Identity Manager

  Requirement for AOB Application: You can use any one of the following releases:

    • Oracle Identity Governance release 12c PS4 (12.2.1.4.0)

    • Oracle Identity Governance release 12c (12.2.1.3.0)

  Requirement for CI-Based Connector: You can use one of the following releases of Oracle Identity Governance or Oracle Identity Manager:

    • Oracle Identity Governance release 12c PS4 (12.2.1.4.0)

    • Oracle Identity Governance release 12c (12.2.1.3.0)

    • Oracle Identity Manager 11g Release 2 PS3 (11.1.2.3.0)

Item: Target systems

  Requirement for AOB Application: Microsoft Exchange 2016, 2019

  Requirement for CI-Based Connector: The target system can be any one or a combination of the following:

    • Microsoft Exchange 2013, 2016, 2019

      For Exchange 2013, 2016, and 2019 support, patch 25467073 must be applied on Release 11.1.1.6.0 of the Exchange Connector. This patch can be obtained from My Oracle Support.

    • Microsoft Exchange 2010 RTM, SP1, SP2, SP3 (64-bit)

    • Microsoft Exchange 2007 SP1, SP2, SP3 (64-bit)

Item: Connector Server

  Requirement for AOB Application: 12.2.1.3.0

  Requirement for CI-Based Connector: 11.1.2.1.0 or 12.2.1.3.0

Item: Connector Server JDK

  Requirement for AOB Application: JDK 1.8 or later

  Requirement for CI-Based Connector: You can use one of the following versions:

    • For Connector Server 11.1.2.1.0, use JDK 1.6 or later

    • For Connector Server 12.2.1.3.0, use JDK 1.8 or later

Item: Other systems

  Requirement for AOB Application: You must ensure that the following software is installed in your operating environment:

    • Microsoft Active Directory

    • Microsoft Active Directory User Management connector 12.2.1.3.0 or later

      You must create the Microsoft Active Directory User Management application before you can create and use the Microsoft Exchange application.

      See Creating an Application By Using the Microsoft Active Directory User Management Connector in Oracle® Identity Governance Configuring the Microsoft Active Directory User Management Application for instructions to create and onboard the Microsoft Active Directory User Management Application.

    • .NET Connector Server

      The Microsoft Exchange connector operates in the context of the .NET Framework. You can download the .NET connector server from the Oracle Identity Manager Connector Downloads page.

  Requirement for CI-Based Connector: You must ensure that the following software is installed in your operating environment:

    • Microsoft Active Directory

    • Microsoft Active Directory User Management connector 11.1.1.5.0 or later

      You must deploy the Microsoft Active Directory User Management connector before you can deploy and use the Microsoft Exchange connector.

      See Deploying the Connector in Oracle Identity Manager Connector Guide for Microsoft Active Directory User Management for instructions to deploy the Microsoft Active Directory connector.

    • .NET Connector Server

      The Microsoft Exchange connector operates in the context of the .NET Framework. You can download the .NET connector server from the Oracle Identity Manager Connector Downloads page.

1.3 Usage Recommendation

These are the recommendations for the Microsoft Exchange connector versions that you can deploy and use depending on the Oracle Identity Governance or Oracle Identity Manager version that you are using.

  • If you are using Oracle Identity Governance release 12c (12.2.1.3.0) or later, then use the 12.2.1.3.0 version of this connector. Deploy the connector using the Applications option on the Manage tab of Identity Self Service for a fresh installation. Otherwise, continue to manage the connector using the CI mode and Oracle Identity Manager Design Console.

  • If you are using any of the Oracle Identity Manager releases listed in the “Requirement for CI-Based Connector” column of Table 1-1, then use the 11.1.1.x version of the Microsoft Exchange connector. If you want to use the 12.2.1.3.0 version of this connector, then you can install and use it only in the CI-based mode. If you want to use the AOB application, then you must upgrade to Oracle Identity Governance release 12c (12.2.1.3.0) or later.

    Note:

    If you are using the 12.2.1.3.0 version of the Microsoft Exchange connector in the CI-based mode, then see Oracle Identity Manager Connector Guide for Microsoft Exchange, Release 11.1.1 for complete details on connector deployment, usage, and customization.

1.4 Certified Languages

These are the languages that the connector supports.

  • Arabic

  • Chinese (Simplified)

  • Chinese (Traditional)

  • Czech

  • Danish

  • Dutch

  • English

  • Finnish

  • French

  • German

  • Greek

  • Hebrew

  • Hungarian

  • Italian

  • Japanese

  • Korean

  • Norwegian

  • Polish

  • Portuguese

  • Portuguese (Brazilian)

  • Romanian

  • Russian

  • Slovak

  • Spanish

  • Swedish

  • Thai

  • Turkish

1.5 Supported Connector Operations

This is the list of operations that the connector supports for your target system.

Table 1-2 Supported Connector Operations

Operation                         Supported?
User Management                   Yes
  Create User                     Yes
  Delete User                     Yes
  Update User                     Yes
  Enable User                     Yes
  Disable User                    Yes
Entitlement Grant Management      Yes
  Insert Distribution Group       Yes
  Delete Distribution Group       Yes
  Update Distribution Group       Yes

1.6 Connector Architecture

This section describes the architecture of the connector and how mailboxes are reconciled and provisioned across multiple domains.

This section discusses the following topics:

Note:

The connector requires the deployment of a Microsoft Active Directory User Management connector. The user account data is stored in Microsoft Active Directory. Before you can provision a Microsoft Exchange mailbox for a user, you must create an account for the user in Microsoft Active Directory.

The Microsoft Exchange connector uses the data in Microsoft Active Directory during the mailbox provisioning and reconciliation operations. This means that the connector only supports target resource reconciliation with Microsoft Exchange.

1.6.1 Architecture of the Microsoft Exchange Connector

The connector uses Exchange-related PowerShell cmdlets to perform recipient administration activities on the Exchange Server. The connector supports UserMailbox and MailUser recipient types. The .NET connector server is mandatory for the Exchange target system.

See Also:

http://technet.microsoft.com/en-us/library/bb201680%28v=exchg.141%29.aspx for more information about recipient types

Figure 1-1 shows the architecture of the connector supporting Exchange Server 2016. In this architecture diagram, the .NET connector server is installed on a different computer in the same domain as that of the Exchange Server computer. You can also install the connector server on the same computer hosting Exchange Server.

Figure 1-1 Architecture of the Connector Supporting Exchange Server 2016


Oracle Identity Governance (OIG) communicates with the Exchange Server through the connector bundle, using various adapters and scheduled jobs. The connector bundle is deployed on a Windows computer with the .NET connector server installed. To communicate with the Exchange Server, OIG uses a remote shell, which in turn uses Windows PowerShell 2.0 and Windows Remote Management (WinRM) 2.0 and does not need the Exchange Management Tools. Exchange Management Tools therefore do not need to be installed on the connector server for Exchange Server 2016. For more information, see the following topic on Remote Exchange Management at:

http://technet.microsoft.com/en-in/library/dd297932%28v=exchg.141%29.aspx

Run the Enable-PSRemoting cmdlet to configure the Exchange Server computer to receive Windows PowerShell remote commands that are sent by using the WS-Management technology. For more information about the Enable-PSRemoting cmdlet, see:

http://technet.microsoft.com/en-us/library/hh849694.aspx
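As an added example (not from the Oracle guide or the connector itself), the following PowerShell, run on the .NET connector server host, verifies the remote management path this section describes: that WinRM on the Exchange Server answers WS-Management requests, that a remote Exchange session can be opened through the Microsoft.Exchange session configuration without local Exchange Management Tools, and how many recipients of each type the connector supports exist. The server name is a placeholder assumption.

```powershell
# Added example, not part of the Oracle guide. Run on the connector server host.
$ExchangeServer = 'exch01.example.com'   # assumed FQDN of the Exchange Server (placeholder)

# 1. Confirm that the WinRM service on the Exchange Server answers WS-Management
#    requests. Enable-PSRemoting on that server is what makes this succeed.
try {
    $null = Test-WSMan -ComputerName $ExchangeServer -ErrorAction Stop
    Write-Host "WinRM reachable on $ExchangeServer"
} catch {
    Write-Warning "WinRM not reachable on $ExchangeServer : $($_.Exception.Message)"
    return
}

# 2. Open a remote Exchange session. Exchange publishes its cmdlets through the
#    Microsoft.Exchange session configuration, so no Exchange Management Tools
#    are needed on this host. Kerberos keeps the credential off the wire.
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri "http://$ExchangeServer/PowerShell/" `
    -Authentication Kerberos `
    -ErrorAction Stop

try {
    # Import only the read-only cmdlets needed for this check.
    Import-PSSession -Session $session `
        -CommandName Get-Recipient, Get-Mailbox, Get-MailUser `
        -DisableNameChecking -AllowClobber | Out-Null

    # 3. The connector manages the UserMailbox and MailUser recipient types;
    #    count each so the reconciliation scope can be sanity-checked.
    foreach ($type in 'UserMailbox', 'MailUser') {
        $count = @(Get-Recipient -RecipientTypeDetails $type -ResultSize Unlimited).Count
        Write-Host ("{0,-12} {1}" -f $type, $count)
    }
} finally {
    # Always tear the remote session down so no idle runspace is left open.
    Remove-PSSession -Session $session
}
```

The account running the script needs an Exchange management role that permits reading recipients; a failure at step 2 with an access-denied message points at role assignment rather than at WinRM.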

1.6.2 Reconciliation and Provisioning of Mailboxes Across Multiple Domains

The connector supports reconciliation and provisioning of mailboxes for users across multiple Microsoft Active Directory domains. The domains can be in a parent-child relationship or can be peer domains.

For example:

  • Users in Child Domain 1, Child Domain 2, and Parent Domain can have mailboxes on the same Exchange Server.

  • Users in Peer Domain 1 and Peer Domain 2 can have mailboxes on the same Exchange Server. In this case, Exchange Server can be configured against Peer Domain 1 or Peer Domain 2.

1.7 Supported Connector Features Matrix

This section lists the features supported by the AOB application and the CI-based connector.

Table 1-3 Supported Connector Features Matrix

Feature                                                                      AOB Application   CI-Based Connector
Full reconciliation                                                          Yes               Yes
Incremental reconciliation                                                   Yes               Yes
Limited reconciliation                                                       Yes               Yes
Reconcile deleted user records                                               Yes               Yes
Scheduled jobs for reconciliation of distribution groups and mailbox database  Yes             Yes
Perform reconciliation and provisioning operations across multiple domains   Yes               Yes
Run custom PowerShell scripts                                                Yes               Yes
Connection pooling                                                           Not applicable    Yes
Use connector server                                                         Yes               Yes
Clone applications or create new application instances                       Yes               Yes
Transformation and validation of account data                                Yes               Yes

1.8 Features of the Connector

The features of the connector include full and incremental reconciliation, limited reconciliation, transformation and validation of account data and so on.

1.8.1 Full and Incremental Reconciliation

After you deploy the connector, you can perform full reconciliation to bring all existing user data from the target system to Oracle Identity Manager. After the first full reconciliation run, incremental reconciliation is automatically enabled. In incremental reconciliation, user accounts that have been added or modified since the last reconciliation run are fetched into Oracle Identity Manager.

You can perform a full and incremental reconciliation against a single domain by providing a value for the DomainController parameter of the scheduled task. If the DomainController parameter is blank, reconciliation is performed against all domains in the forest.

See Performing Full Reconciliation and Incremental Reconciliation for more information.

1.8.2 Limited Reconciliation

You can set a reconciliation filter as the value of the Filter attribute of the user reconciliation scheduled task. This filter specifies the subset of added and modified target system records that must be reconciled.

For detailed information about limited reconciliation, see Performing Limited Reconciliation.

1.8.3 Reconciliation of Deleted User Records

You can configure the connector for reconciliation of deleted user records. In target resource mode, if a user record is deleted on the target system, then the corresponding Exchange User resource is revoked from the OIM User.

For information about the Delete User reconciliation job, see Reconciliation Jobs.

1.8.4 Reconciliation of Lookup Definitions

You can configure the connector to reconcile the distribution groups and mailbox databases in the target system so that they are populated as entitlements in the lookup definitions on Oracle Identity Governance.

For detailed information about the jobs that are available for reconciling these entitlements, see Reconciliation Jobs.

1.8.5 Support for Multiple Domains

The connector supports multiple domains in a forest with a single Exchange resource object.

For more information about performing reconciliation and provisioning operations on mailboxes across multiple domains, see Reconciliation and Provisioning of Mailboxes Across Multiple Domains.

1.8.6 Support for Running Custom PowerShell Scripts

You can run custom PowerShell scripts on a computer where the Microsoft Exchange connector is deployed. You can configure the scripts to run before or after the create, update, or delete account provisioning operations.

For example, you could configure a script to run before a user is created by the connector.

For more information about configuring these scripts, see Configuring Action Scripts.

1.8.7 Support for Connector Server

Connector Server is a component provided by ICF. By using one or more connector servers, the connector architecture permits your application to communicate with externally deployed bundles. In other words, a connector server enables remote execution of an Oracle Identity Governance connector.

The Microsoft Exchange connector is written using Microsoft .NET. A .NET environment is required for the execution of this connector code. Therefore, it is mandatory for this connector to be deployed on the .NET Connector Server. The Microsoft Exchange connector operates in the context of a .NET Connector Framework, which in turn requires an application to execute. Therefore, by default, Oracle provides the .NET Connector Server to run the Microsoft Exchange connector.

For information about installing, configuring, and running the Connector Server, and installing the connector in a Connector Server, see Using an Identity Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.

1.8.8 Support for Cloning Applications and Creating Instance Applications

You can configure this connector for multiple installations of the target system by cloning applications or by creating instance applications.

When you clone an application, all the configurations of the base application are copied into the cloned application. When you create an instance application, it shares all configurations with the base application.

For more information about these configurations, see Cloning Applications and Creating Instance Applications in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

1.8.9 Transformation and Validation of Account Data

You can configure transformation and validation of account data that is brought into or sent from Oracle Identity Governance during reconciliation and provisioning operations by writing Groovy scripts while creating your application.

For more information, see Validation and Transformation of Provisioning and Reconciliation Attributes in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.