1 About the SharePoint Connector
Oracle Identity Governance is a centralized identity management solution that provides self service, compliance, provisioning and password management services for applications residing on-premises or on the Cloud. Oracle Identity Governance connectors are used to integrate Oracle identity Governance with the external identity-aware applications.
Note:
In this guide, the connector that is deployed using the Applications option on the Manage tab of Identity Self Service is referred to as an AOB application.
The following topics provide a high-level overview of the SharePoint connector:
1.1 Connector Offerings
The SharePoint Online connector supports Azure AD features along with SharePoint Online features:
- Parent form attributes are supported for both provisioning and reconciliation through the Microsoft Graph API. These attribute values are maintained in Azure AD.
- Supports adding and removing SharePoint Online groups for an Azure AD user, and reconciliation of those group memberships.
- Microsoft Office365 groups that are part of a SharePoint Online group are supported only in user reconciliation.
- Supports lookup reconciliation of SharePoint Online groups and Microsoft Office365 groups.
- Supports SharePoint Online group management (CRUD operations).
- Does not support role grant management, license grant management, or security group management.
1.2 Certified Components for the Microsoft SharePoint Connector
These are the software components and their versions required for installing and using the SharePoint connector.
Table 1-1 Certified Components
Component | Requirement for AOB Application |
---|---|
Oracle Identity Governance or Oracle Identity Manager | You can use any one of the following releases: Note: Ensure that you download and apply patch 27861122 from My Oracle Support for 12c PS3. Failing to apply this patch prevents you from successfully testing the connection between Oracle Identity Governance and your target system. |
Oracle Identity Governance or Oracle Identity Manager JDK | JDK 1.8 and later |
Target systems | Microsoft SharePoint Online, Microsoft Azure AD |
Connector Server | 11.1.2.1.0 or 12.2.1.3.0 |
Connector Server JDK | JDK 1.8 and later |
Target API version | SharePoint REST API v1, Azure Active Directory (AD) Microsoft Graph API v1.0 |
1.3 Usage Recommendation
If you are using Oracle Identity Governance 12c (12.2.1.3.0) or later, then use the latest 12.2.1.x version of this connector. Deploy the connector using the Applications option on the Manage tab of Identity Self Service.
1.4 Certified Languages
These are the languages that the connector supports:
- Arabic
- Chinese (Simplified)
- Chinese (Traditional)
- Czech
- Danish
- Dutch
- English
- Finnish
- French
- French (Canadian)
- German
- Greek
- Hebrew
- Hungarian
- Italian
- Japanese
- Korean
- Norwegian
- Polish
- Portuguese
- Portuguese (Brazilian)
- Romanian
- Russian
- Slovak
- Spanish
- Swedish
- Thai
- Turkish
1.5 Supported Connector Operations
These are the operations that the connector supports for your target system.
Table 1-* Supported Connector Operations
Operation | Supported |
---|---|
User Management | |
Create user | Yes |
Update user | Yes |
Enable user | Yes |
Disable user | Yes |
Delete user | Yes |
Reset Password | Yes |
SharePoint Online Group Management | |
Create, Update, Revoke Group | Yes |
SharePoint Online Group Grant Management | |
Assign and Remove Groups | Yes |
Microsoft Office365 Groups Grant Management | |
Microsoft Office365 Group Reconciliation | Yes |
Note:
- Microsoft Office365 Groups that are part of the SharePoint Online Groups are supported only during user reconciliation.
- All the connector artifacts required for managing groups as an object (for example groups attribute mappings, reconciliation rules, jobs, and so on) are not visible in the Applications UI in Identity Self Service. However, all the required information is available in the predefined application templates of the connector installation package. For more information about the artifacts related to groups, see Connector Objects Used for Groups Management.
1.6 Connector Architecture
The SharePoint Online connector is implemented by using the Identity Connector Framework (ICF).
The ICF is a component that is required to use an identity connector. ICF provides the basic reconciliation and provisioning operations that are common to all Oracle Identity Governance connectors. In addition, ICF provides common features that developers would otherwise need to implement on their own, such as buffering, timeouts, and filtering. ICF is distributed together with Oracle Identity Governance, so you do not need to configure or modify ICF.
Figure 1-1 SharePoint Architecture
![This figure shows the architecture of the SharePoint connector. The description of the architecture is provided in the same section.](img/sharepoint_connector_architecture.png)
- Account management
  Account management is also known as target resource management. In this mode, the target system is used as a target resource and the connector enables the following operations:
  - Provisioning
    Provisioning involves creating, updating, and deleting users on the target system through Oracle Identity Governance. During provisioning, the adapters invoke an ICF operation; ICF in turn invokes the create operation on the SharePoint Online Identity Connector Bundle, and the bundle calls the target system APIs (the Microsoft Graph API for Azure AD and the SharePoint Online API). The API on the target system accepts the provisioning data from the bundle, carries out the required operation on the target system, and returns the response to the bundle, which passes it back to the adapters.
  - Target resource reconciliation
    During reconciliation, a scheduled task invokes an ICF operation. ICF in turn invokes a search operation on the SharePoint Online Identity Connector Bundle, and the bundle calls the Microsoft Graph API and the SharePoint Online API. The APIs return the user records that match the reconciliation criteria; the records are handed back through the bundle and ICF to the scheduled task, which brings them into Oracle Identity Governance.
    Each record fetched from the target system is compared with the SharePoint Online resources that are already provisioned to OIM Users. If a match is found, then the changes made to the record on the target system are copied to the SharePoint Online resource in Oracle Identity Governance. If no match is found, then the userPrincipalName of the record is compared with the User Login of each OIM User. If a match is found, then the data in the target system record is used to provision a SharePoint Online resource to that OIM User.
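The two-step matching rule described for target resource reconciliation, as an added example in Python. This is not Oracle's connector code. It assumes, hypothetically, that a target record is a dict shaped like a Microsoft Graph v1.0 user (id, userPrincipalName, displayName, accountEnabled), that already-provisioned resources are indexed by the target user's object id, and that OIM Users are identified by their User Login; the sample records are constructed.

```python
"""Target resource reconciliation matching, as an added example.

This is not Oracle's connector code. Assumptions (hypothetical):
- a target record is a dict shaped like a Microsoft Graph v1.0 user
  (id, userPrincipalName, displayName, accountEnabled);
- resources already provisioned are indexed by the target user's object id;
- OIM Users are identified by their User Login.
"""
from dataclasses import dataclass, field


@dataclass
class ReconResult:
    updates: list = field(default_factory=list)    # (oim_login, record): already linked
    creates: list = field(default_factory=list)    # (oim_login, record): UPN == User Login
    unmatched: list = field(default_factory=list)  # records that no OIM User owns


def reconcile(target_records, provisioned, oim_users):
    """Apply the two matching steps from the reconciliation description.

    provisioned: {target_object_id: oim_login} for resources already
                 provisioned to OIM Users (assumed index).
    oim_users:   iterable of OIM User Login values.
    """
    # Azure AD treats userPrincipalName as case-insensitive, so compare
    # UPN and User Login in lower case; otherwise 'Bob@...' would fall
    # through to unmatched and a duplicate resource could be created.
    logins = {login.lower(): login for login in oim_users}
    result = ReconResult()
    for rec in target_records:
        owner = provisioned.get(rec["id"])
        if owner is not None:
            # Step 1: resource already provisioned -> copy target-side
            # changes (display name, enabled flag, ...) to that resource.
            result.updates.append((owner, rec))
            continue
        # Step 2: no linked resource -> match userPrincipalName to User Login.
        upn = (rec.get("userPrincipalName") or "").lower()
        login = logins.get(upn)
        if login is not None:
            result.creates.append((login, rec))
        else:
            # Nobody in OIM owns this account. Keep it visible for review
            # instead of silently dropping it; these are the accounts an
            # access review would otherwise never see.
            result.unmatched.append(rec)
    return result


# Constructed sample data (not real tenant data).
SAMPLE_RECORDS = [
    {"id": "0a1b2c3d-0001", "userPrincipalName": "alice@contoso.example",
     "displayName": "Alice Liddell", "accountEnabled": True},
    {"id": "0a1b2c3d-0002", "userPrincipalName": "Bob@Contoso.example",
     "displayName": "Bob Stone", "accountEnabled": False},
    {"id": "0a1b2c3d-0003", "userPrincipalName": "svc-backup@contoso.example",
     "displayName": "Backup service", "accountEnabled": True},
]
SAMPLE_PROVISIONED = {"0a1b2c3d-0001": "alice@contoso.example"}
SAMPLE_OIM_LOGINS = ["alice@contoso.example", "bob@contoso.example"]


if __name__ == "__main__":
    res = reconcile(SAMPLE_RECORDS, SAMPLE_PROVISIONED, SAMPLE_OIM_LOGINS)
    for login, rec in res.updates:
        print("update", login, "<-", rec["displayName"])
    for login, rec in res.creates:
        print("create", login, "<-", rec["displayName"])
    for rec in res.unmatched:
        print("unmatched", rec["userPrincipalName"])
```

With the sample data, Alice's record is an update of her existing resource, Bob's record is provisioned to the OIM User whose login matches his UPN (despite the different case), and the service account ends up in the unmatched list, which is the list worth reviewing after each run.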
1.7 Use Cases Supported by the Connector
The SharePoint Online connector is used to integrate Oracle Identity Governance with SharePoint Online to ensure that all Azure AD accounts are created, updated, and deactivated on an integrated cycle with the rest of the identity-aware applications in your enterprise. The SharePoint Online connector supports management of identities for the Cloud Identity, Synchronized Identity, and Federated Identity models of Azure AD. In a typical IT scenario, an organization using Oracle Identity Governance wants to manage accounts and groups across the SharePoint Online cloud service.
The following are some of the most common scenarios in which this connector can be used:
- SharePoint Online User Management
An organization using SharePoint Online wants to integrate with Oracle Identity Governance to manage identities. The organization wants to manage its user identities by creating them in the target system using Oracle Identity Governance. The organization also wants to synchronize user identity changes performed directly in the target system with Oracle Identity Governance. In such a scenario, a quick and easy way is to install the SharePoint Online connector and configure it with your target system by providing connection information. To create a new user in the target system, fill in and submit the OIM process form to trigger the provisioning operation. The connector executes the `CreateOp` operation against your target system and the user is created on successful execution of the operation. Similarly, operations like delete and update can be performed. To search for or retrieve the user identities, you must run a scheduled task from Oracle Identity Governance. The connector runs the corresponding `SearchOp` against the user identities in the target system and fetches all the changes into Oracle Identity Governance.
- SharePoint Online Groups Management
An organization has a number of SharePoint Online groups and allows its users to set up new groups, update groups, and delete groups. The organization now wants to know the list of groups that have not been recently accessed or that have inactive members. In such a scenario, you can use the SharePoint Online connector to highlight the usage trend for groups. By using the SharePoint Online connector, you can leverage the reporting capabilities of Oracle Identity Governance to track any operations (such as create, update, and delete) performed on groups and changes made to their memberships.
1.8 Connector Features
The features of the connector include support for connector server, full reconciliation, limited reconciliation, and reconciliation of deleted account data.
Table 1-2 provides the list of features supported by the AOB application.
Table 1-2 Supported Connector Features Matrix
Feature | AOB Application |
---|---|
Full reconciliation | Yes |
Limited reconciliation | Yes |
Delete reconciliation | Yes |
Use connector server | Yes |
Transformation and validation of account data | Yes |
Perform connector operations in multiple domains | Yes |
Support for paging | Yes |
Test connection | Yes |
Reset password | Yes |
The following topics provide more information on the features of the AOB application:
1.8.1 Full Reconciliation and Incremental Reconciliation
You can perform full reconciliation to bring all existing user data from the target system to Oracle Identity Governance.
Note:
The connector supports incremental reconciliation if the target system contains an attribute that holds the time stamp at which an object is created or modified.
You can perform a full reconciliation run at any time. See Performing Full Reconciliation and Incremental Reconciliation for more information about performing full and incremental reconciliation.
1.8.2 Limited Reconciliation
You can reconcile records from the target system based on a specified filter criterion. To limit or filter the records that are fetched into Oracle Identity Governance during a reconciliation run, you can specify the subset of added or modified target system records that must be reconciled.
You can set a reconciliation filter as the value of the Filter Suffix attribute of the user reconciliation scheduled job. The Filter Suffix attribute helps you to assign filters to the API based on which you get a filtered response from the target system.
For more information, see Performing Limited Reconciliation.
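How the incremental time stamp (1.8.1) and the Filter Suffix (1.8.2) combine into one query to the target, as an added example in Python. This is not Oracle's connector code and the connector's real filter syntax is not documented on this page; the example assumes, hypothetically, that the time stamp attribute is the Microsoft Graph v1.0 user property createdDateTime and that the Filter Suffix is an OData $filter fragment ANDed onto the query. The sample records and the last-run time are constructed.

```python
"""Incremental and limited reconciliation, as an added example.

Not Oracle's connector code. Assumptions (hypothetical): the target
attribute holding the change time stamp is the Microsoft Graph v1.0 user
property createdDateTime, and the Filter Suffix is an OData $filter
fragment that is ANDed onto the query sent to the target.
"""
from datetime import datetime, timezone
from urllib.parse import urlencode

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"   # Graph v1.0 users endpoint
TS_ATTR = "createdDateTime"                               # assumed time stamp attribute
ISO_Z = "%Y-%m-%dT%H:%M:%SZ"


def build_filter(since=None, filter_suffix=None):
    """Compose the $filter value: time stamp predicate first, then the
    administrator-supplied suffix in its own parentheses, so that an 'or'
    inside the suffix cannot widen the time window."""
    clauses = []
    if since is not None:
        stamp = since.astimezone(timezone.utc).strftime(ISO_Z)
        clauses.append(f"{TS_ATTR} ge {stamp}")
    if filter_suffix and filter_suffix.strip():
        clauses.append(f"({filter_suffix.strip()})")
    return " and ".join(clauses)


def build_user_url(since=None, filter_suffix=None,
                   select=("id", "userPrincipalName", TS_ATTR)):
    """Full request URL for the user search; no filter at all is a full run."""
    params = {"$select": ",".join(select)}
    flt = build_filter(since, filter_suffix)
    if flt:
        params["$filter"] = flt
    return f"{GRAPH_USERS}?{urlencode(params)}"


def select_incremental(records, watermark):
    """Local equivalent of the time stamp predicate, to show what the
    target returns and how the watermark moves. watermark=None means a
    full reconciliation. 'ge' rather than 'gt': a record stamped in the
    same second as the previous run's newest record is returned again
    instead of being lost, so callers must treat re-seen records as
    updates, not as errors."""
    selected = []
    newest = watermark
    for rec in records:
        ts = datetime.strptime(rec[TS_ATTR], ISO_Z).replace(tzinfo=timezone.utc)
        if watermark is None or ts >= watermark:
            selected.append(rec)
            if newest is None or ts > newest:
                newest = ts
    return selected, newest


# Constructed sample records and last-run time (not real tenant data).
SAMPLE_RECORDS = [
    {"id": "u-001", "userPrincipalName": "alice@contoso.example",
     TS_ATTR: "2024-03-01T08:00:00Z"},
    {"id": "u-002", "userPrincipalName": "bob@contoso.example",
     TS_ATTR: "2024-03-05T12:30:00Z"},
    {"id": "u-003", "userPrincipalName": "carol@contoso.example",
     TS_ATTR: "2024-03-05T12:30:00Z"},
]
LAST_RUN = datetime(2024, 3, 5, 12, 30, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(build_user_url(LAST_RUN, "accountEnabled eq true"))
    picked, new_mark = select_incremental(SAMPLE_RECORDS, LAST_RUN)
    print([r["id"] for r in picked], new_mark.strftime(ISO_Z))
```

Run against the sample data, the incremental selection returns only the two records stamped at or after the last run, and the watermark stays where it was because nothing newer was seen; the suffix only narrows that set further, it never reaches outside the time window.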
1.8.3 Support for the Connector Server
Connector Server is one of the features provided by ICF. By using one or more connector servers, the connector architecture permits your application to communicate with externally deployed bundles.
A Java connector server is useful when you do not want to execute a Java connector bundle in the same VM as your application. It can be beneficial to run a Java connector on a different host for performance improvements if the bundle works faster when deployed on the same host as the native managed resource.
Note:
Refer to Using an Identity Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Manager, for more information about installing and configuring connector server and running the connector server.
1.8.4 Transformation and Validation of Account Data
You can configure transformation and validation of account data that is brought into or sent from Oracle Identity Governance during reconciliation and provisioning operations by writing Groovy scripts while creating your application.
For more information, see Validation and Transformation of Provisioning and Reconciliation Attributes in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.