3 Configuring the Office 365 Connector
While creating a target or an authoritative application, you must configure connection-related parameters that the connector uses to connect to Oracle Identity Governance with your target system and perform connector operations. In addition, you can view and edit attribute mappings between the process form fields in Oracle Identity Governance and target system columns, predefined correlation rules, situations and responses, and reconciliation jobs.
3.1 Basic Configuration Parameters
These are the connection-related parameters that Oracle Identity Governance requires to connect to an Office 365 application. These parameters are common for both target applications and authoritative applications.
Note:
Unless specified, do not modify entries in the below table.Table 3-1 Parameters in the Basic Configuration
| Parameter | Mandatory ? | Description |
|---|---|---|
|
authenticationType |
Yes |
Enter the type of authentication used by your target system. For this connector, the target system OAuth2.0 client credentials. This is a mandatory attribute while creating an application. Do not modify the value of the parameter. Default value: |
|
host |
Yes |
Enter the host name of the machine hosting your target system. This is a mandatory attribute while creating an application. Sample value: |
|
authenticationServerUrl |
Yes |
Enter the URL of the authentication server that validates the client ID and client secret for your target system. Sample value: |
|
clientId |
Yes |
Enter the client identifier (a unique string) issued by the authorization server to your client application during the registration process. You obtained the client ID while performing the procedure described in Configuring the Newly Added Application. |
|
clientSecret |
Yes |
Enter the secret key used to authenticate the identity of your client application. You obtained the secret key while performing the procedure described in Configuring the Newly Added Application. |
|
uriPlaceHolder |
Yes |
Enter the key-value pair for replacing place holders in the relURIs. The URI place holder consists of values which are repeated in every relative URL. Values must be comma separated. For example, tenant ID and API version values are a part of every request URL. Therefore, we replace it with a key-value pair. Sample value: |
|
Connector Server Name |
No |
If you have deployed the Office 365 connector in the Connector Server, then enter the name of the IT resource for the Connector Server. Sample value: Connector Server |
|
port |
No |
Enter the port number at which the target system is listening. Sample value: |
|
proxyHost |
No |
Enter the name of the proxy host used to connect to an external target. |
|
proxyPassword |
No |
Enter the password of the proxy user ID of the target system user account that Oracle Identity Governance uses to connect to the target system. |
|
proxyPort |
No |
Enter the proxy port number. |
|
proxyUser |
No |
Enter the proxy user name of the target system user account that Oracle Identity Governance uses to connect to the target system. Sample value: |
|
sslEnabled |
No |
If the target system requires SSL connectivity, then set the value of this parameter to Default value: |
3.2 Advanced Settings Parameters
These are the configuration-related entries that the connector uses during reconciliation and provisioning operations.
Note:
-
Unless specified, do not modify entries in the below table.
-
All parameters in the below table are mandatory.
Table 3-2 Advanced Settings Parameters
| Parameter | Description |
|---|---|
|
relURIs |
This entry holds the relative URL of every object class supported by this connector and the connector operations that can be performed on these object classes. This is a mandatory attribute while creating an application. Default value: |
|
nameAttributes |
This entry holds the name attribute for all the objects that are handled by this connector. For example, for the Default value: "__ACCOUNT__.userPrincipalName","__GROUP__.displayName","__ROLE__.displayName","__LICENSE__.skuPartNumber" |
|
uidAttributes |
This entry holds the uid attribute for all the objects that are handled by this connector. For example, for __ACCOUNT__.objectId in decode implies that the __UID__ attribute (that is, GUID) of the connector for __ACCOUNT__ object class is mapped to objectId which is the corresponding uid attribute for user accounts in the target system.
Default value: |
|
Bundle Name |
This entry holds the name of the connector bundle. Default value: |
|
Bundle Version |
This entry holds the version of the connector bundle. Default value: |
|
Connector Name |
This entry holds the name of the connector class. Default value: |
|
opTypes |
This entry specifies the HTTP operation type for each object class supported by the connector. Values are comma separated and are in the following format: OBJ_CLASS.OP=HTTP_OP In this format, Default value: |
|
pageSize |
The number of resources/users that appears on a page for a search operation. Default value: 100 |
|
pageTokenAttribute |
The attribute in response payload that denotes the next page token. Default value: odata.nextLink |
|
pageTokenRegex |
This attribute is used in the URL while reconciliation to support pagination. Default value: (?<=skiptoken=).* |
|
Any Incremental Recon Attribute Type |
By default, during incremental reconciliation, Oracle Identity Governance accepts timestamp information sent from the target system only in Long datatype format. Setting the value of this parameter to Default value: |
|
jsonResourcesTag |
This entry holds the json tag value that is used during reconciliation for parsing multiple entries in a single payload. Default value: |
|
httpHeaderContentType |
This entry holds the content type expected by the target system in the header. Default value: |
|
httpHeaderAccept |
This entry holds the accept type expected from the target system in the header. Default value: |
|
specialAttributeTargetFormat |
This entry lists the format in which an attribute is present in the target system endpoint. For example, the alias attribute will be present as Default value |
|
specialAttributeHandling |
This entry lists the special attributes whose values should be sent to the target system one by one ("SINGLE"). Values are comma separated and are in the following format: OBJ_CLASS.ATTR_NAME.PROV_OP=SINGLE For example, the Default value |
|
customPayload |
This entry lists the payloads for all operations that are not in the standard format. Default value: |
|
statusAttributes |
This entry lists the name of the target system attribute that holds the status of an account. For example, for the Default value: |
|
passwordAttribute |
This entry holds the name of the target system attribute that is mapped to the __PASSWORD__ attribute of the connector in OIM. Default value: |
|
targetObjectIdentifier |
This entry specifies the key-value pair for replacing place holders in the relURIs. Values are comma separated and in the KEY;VALUE format. Default value: |
3.3 Attribute Mappings
The attribute mappings on the Schema page vary depending on whether you are creating a target application or an authoritative application.
3.3.1 Attribute Mappings for the Target Application
The Schema page for a target application displays the default schema (provided by the connector) that maps Oracle Identity Governance attributes to target system attributes. The connector uses these mappings during reconciliation and provisioning operations.
Default Attributes for Office 365 Target Application
Table 3-3 lists the user-specific attribute mappings between the process form fields in Oracle Identity Governance and Office 365 target application attributes. The table also lists whether a specific attribute is used during provisioning or reconciliation and whether it is a matching key field for fetching records during reconciliation.
If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-3 Default Attributes for Office 365 Target Application
| Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Provision Field? | Recon Field? | Key Field? | Case Insensitive? | Advanced Flag Settings |
|---|---|---|---|---|---|---|---|---|
|
Object Id |
__UID__ |
String |
No |
Yes |
Yes |
Yes |
Yes |
Yes |
|
User Principal Name |
__NAME__ |
String |
Yes |
Yes |
Yes |
No |
Not applicable |
Yes |
|
First Name |
givenName |
String |
No |
Yes |
Yes |
No |
Not applicable |
Yes |
|
Last Name |
surname |
String |
No |
Yes |
Yes |
No |
Not applicable |
Yes |
|
Display Name |
displayName |
String |
Yes |
Yes |
Yes |
No |
Not applicable |
Yes |
|
Usage Location |
usageLocation |
String |
No |
Yes |
Yes |
No |
Not applicable |
Yes |
|
City |
city |
String |
No |
Yes |
Yes |
No |
Not applicable |
Yes |
|
Country |
country |
String |
No |
Yes |
Yes |
No |
Not applicable |
Yes |
|
Manager |
manager |
String |
No |
Yes |
Yes |
No |
Not applicable |
Yes |
|
Preferred Language |
preferredLanguage |
String |
No |
Yes |
Yes |
No |
Not applicable |
Yes |
|
Mail NickName |
mailNickname |
String |
Yes |
Yes |
Yes |
No |
Not applicable |
Yes |
|
Account Enabled |
accountEnabled |
String |
No |
Yes |
Yes |
No |
Not applicable |
Yes |
|
Office365 Server |
Long |
Yes |
No |
Yes |
Yes |
Not applicable |
Yes |
|
|
Status |
__ENABLE__ |
String |
No |
No |
Yes |
No |
Not applicable |
Yes |
|
Password |
__PASSWORD__ |
String |
Yes |
Yes |
No |
No |
Not applicable |
Yes |
|
Change Password On Next Logon |
passwordProfile.forceChangePasswordNextLogin |
String |
No |
Yes |
No |
No |
Not applicable |
Yes |
Figure 3-1 shows the default User account attribute mappings.
Figure 3-1 Default Attribute Mappings for Office 365 User Account
Description of "Figure 3-1 Default Attribute Mappings for Office 365 User Account"
Roles Entitlement
Table 3-4 lists the roles-specific attribute mappings between the process form fields in Oracle Identity Governance and Office 365 target application attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.
If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-4 Default Attribute Mappings for Roles
| Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field? | Key Field? | Case Insensitive? |
|---|---|---|---|---|---|---|
|
Role Name |
__ROLE__~__ROLE__~objectId |
String | No | Yes | Yes | No |
Figure 3-2 shows the default roles entitlement mapping.
Figure 3-2 Default Attribute Mappings for Role
Description of "Figure 3-2 Default Attribute Mappings for Role"
Groups Entitlement
Table 3-5 lists the group forms attribute mappings between the process form fields in Oracle Identity Governance and Office 365 target application attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.
If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-5 Default Attribute Mappings for Groups Forms
| Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field? | Key Field? | Case Insensitive? |
|---|---|---|---|---|---|---|
|
Group Name |
__GROUP__~__GROUP__~objectId |
String | No | Yes | Yes | No |
Figure 3-3 shows the default attribute groups mapping.
Figure 3-3 Default Attribute Mappings for Groups
Description of "Figure 3-3 Default Attribute Mappings for Groups"
Licenses Entitlement
Table 3-6 lists the license attribute mappings between the process form fields in Oracle Identity Governance and Office 365 target application attributes. The table lists whether a given attribute is mandatory during provisioning. It also lists whether a given attribute is used during reconciliation and whether it is a matching key field for fetching records during reconciliation.
If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating a Target Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-6 Default Attribute Mappings for Licenses
| Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field? | Key Field? | Case Insensitive? |
|---|---|---|---|---|---|---|
|
License Name |
__LICENSE__~__LICENSE__~skuId |
String | No | No | Yes | No |
Figure 3-4 shows the default attribute licenses mapping.
Figure 3-4 Default Attribute Mappings for Licenses
Description of "Figure 3-4 Default Attribute Mappings for Licenses"
3.3.2 Attribute Mappings for the Authoritative Application
The Schema page for an authoritative application displays the default schema (provided by the connector) that maps Oracle Identity Governance attributes to authoritative system attributes. The connector uses these mappings during reconciliation and provisioning operations.
Table 3-7 lists the user-specific attribute mappings between the process form fields in Oracle Identity Governance and Office 365 Authoritative application attributes. The table also lists the data type for a given attribute and specified whether it is a mandatory attribute for reconciliation.
If required, you can edit the default attribute mappings by adding new attributes or deleting existing attributes as described in Creating an Authoritative Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
You may use the default schema that has been set for you or update and change it before continuing to the next step.
The Organization Name, Xellerate Type, and Role identity attributes are mandatory fields on the OIG User form. They cannot be left blank during reconciliation. The target attribute mappings for these identity attributes are empty by default because there are no corresponding columns in the target system. Therefore, the connector provides default values (as listed in the Table 3-7 ) that it can use during reconciliation. For example, the default target attribute value for the Organization Name attribute is Xellerate Users. This implies that the connector reconciles all target system user accounts into the Xellerate Users organization in Oracle Identity Governance. Similarly, the default attribute value for Xellerate Type attribute is End-User, which implies that all reconciled user records are marked as end users.
Table 3-7 Default Attributes for Office 365 Authoritative Application
| Display Name | Target Attribute | Data Type | Mandatory Provisioning Property? | Recon Field? | Advanced Flag Settings | Default Value for Identity Display Name |
|---|---|---|---|---|---|---|
|
User Login |
__NAME__ |
String | No | Yes |
Yes |
NA |
|
Office365 GUID |
__UID__ |
String | No | Yes | Yes |
NA |
|
First Name |
givenName |
String | No | Yes | Yes |
NA |
|
Last Name |
surname |
String | No | Yes | Yes |
NA |
|
Display Name |
displayName |
String | No | Yes | Yes |
NA |
|
Locality Name |
usageLocation |
String | No | Yes | Yes |
NA |
|
Country |
country |
String | No | Yes | Yes |
NA |
|
Manager Login |
manager |
String | No | Yes | Yes |
NA |
|
usr_locale |
preferredLanguage |
String | No | Yes | Yes |
NA |
|
Xellerate Type |
String | No | Yes | Yes |
End-User |
|
|
Role |
String | No | Yes | Yes |
Full-Time |
|
|
Organization Name |
String | No | Yes | Yes |
Xellerate Users |
|
|
Status |
__ENABLE__ |
String | No | Yes | Yes |
NA |
Figure 3-5 shows the default User account attribute mappings.
Figure 3-5 Default Attributes for Office 365 Authoritative Application
Description of "Figure 3-5 Default Attributes for Office 365 Authoritative Application"
3.4 Correlation Rules
Learn about the predefined rules, responses and situations for Target and Authoritative applications. The connector uses these rules and responses for performing reconciliation.
3.4.1 Correlation Rules for the Target Application
When you create a target application, the connector uses correlation rules to determine the identity to which Oracle Identity Governance must assign a resource.
Predefined Identity Correlation Rules
By default, the Office 365 connector provides a simple correlation rule when you create a target application. The connector uses this correlation rule to compare the entries in Oracle Identity Governance repository and the target system repository, determine the difference between the two repositories, and apply the latest changes to Oracle Identity Governance.
Table 3-8 lists the default simple correlation rule for an Office 365 connector. If required, you can edit the default correlation rule or add new rules. You can create complex correlation rules also. For more information about adding or editing simple or complex correlation rules, see Updating Identity Correlation Rule in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-8 Predefined Identity Correlation Rule for an Office 365 Connector
| Target Attribute | Element Operator | Identity Attribute | Case Sensitive? |
|---|---|---|---|
|
__NAME__ |
Equals |
User Login |
No |
-
__NAME__ is a single-valued attribute on the target system that identifies the user account.
-
User Login is the field on the OIG User form.
Figure 3-6 shows the simple correlation rule for an Office 365 target application.
Figure 3-6 Simple Correlation Rule for an Office 365 Target Application
Description of "Figure 3-6 Simple Correlation Rule for an Office 365 Target Application"
Predefined Situations and Responses
The Office 365 connector provides a default set of situations and responses when you create a target application. These situations and responses specify the action that Oracle Identity Governance must take based on the result of a reconciliation event.
Table 3-9 lists the default situations and responses for an Office 365 Target application. If required, you can edit these default situations and responses or add new ones. For more information about adding or editing situations and responses, see Updating Situations and Responses in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance
Table 3-9 Predefined Situations and Responses for an Office 365 Target Application
| Situation | Response |
|---|---|
|
No Matches Found |
None |
|
One Entity Match Found |
Establish Link |
|
One Process Match Found |
Establish Link |
Figure 3-7 shows the situations and responses for an Office 365 that the connector provides by default.
Figure 3-7 Predefined Situations and Responses for an Office 365 Target Application
Description of "Figure 3-7 Predefined Situations and Responses for an Office 365 Target Application"
3.4.2 Correlation Rules for the Authoritative Application
When you create an authoritative application, the connector uses correlation rules to determine the identity that must be reconciled into Oracle Identity Governance.
Predefined Identity Correlation Rules
By default, the Office 365 connector provides a simple correlation rule when you create an authoritative application. The connector uses this correlation rule to compare the entries in Oracle Identity Governance repository and the target system repository, determine the difference between the two repositories, and apply the latest changes to Oracle Identity Governance.
Table 3-10 lists the default simple correlation rule for an Office 365 connector. If required, you can edit the default correlation rule or add new rules. You can create complex correlation rules also. For more information about adding or editing simple or complex correlation rules, see Updating Identity Correlation Rule in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-10 Predefined Identity Correlation Rule for an Office 365 Authoritative Application
| Authoritative Attribute | Element Operator | Identity Attribute | Case Sensitive? |
|---|---|---|---|
|
__NAME__ |
Equals |
User Login |
No |
| _UID_ | Equals | Office365 GUID | No |
Correlation Rule element: (__NAME__Equals __User Login) OR (_UID_Equals Office365 GUID)
-
User Login is the User ID field of the OIM User form.
-
__NAME__ is the unique login name of a user.
-
Office365 GUID is a UDF (user defined field) for mapping target object ID with an OIM user.
-
_UID_ is the Object Id for an Office365 user.
Rule operator: OR
Figure 3-8 shows the simple correlation rule for an Office 365 Authoritative application.
Figure 3-8 Simple Correlation Rule for an Office 365 Authoritative Application
Description of "Figure 3-8 Simple Correlation Rule for an Office 365 Authoritative Application"
Predefined Situations and Responses
The Office 365 connector provides a default set of situations and responses when you create an Authoritative application. These situations and responses specify the action that Oracle Identity Governance must take based on the result of a reconciliation event.
Table 3-9 lists the default situations and responses for an Office 365 Authoritative Application. If required, you can edit these default situations and responses or add new ones. For more information about adding or editing situations and responses, see Updating Situations and Responses in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
Table 3-11 Predefined Situations and Responses for an Office 365 Authoritative Application
| Situation | Response |
|---|---|
|
No Matches Found |
Create User |
|
One Entity Match Found |
Establish Link |
|
One Process Match Found |
Establish Link |
Figure 3-9 shows the situations and responses for an Office 365 that the connector provides by default.
Figure 3-9 Predefined Situations and Responses for an Office 365 Authoritative Application
Description of "Figure 3-9 Predefined Situations and Responses for an Office 365 Authoritative Application"
3.5 Reconciliation Jobs
These are the reconciliation jobs that are automatically created in Oracle Identity Governance after you create the application.
User Reconciliation Jobs
You can either use these predefined jobs or edit them to meet your requirements. Alternatively, you can create custom reconciliation jobs. For information about editing these predefined jobs or creating new ones, see Updating Reconciliation Jobs in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
The following reconciliation jobs are available for reconciling user data:
- Office365 Full User Reconciliation: Use this reconciliation job to reconcile user data from a target application.
- Office365 User Trusted Reconciliation: Use this reconciliation job to reconcile user data from an authoritative application.
Table 3-12 describes the parameters of the Office365 Full User Reconciliation job.
Table 3-12 Parameters of the Office365 Full User Reconciliation Job
| Parameter | Description |
|---|---|
|
Application name |
Name of the AOB application with which the reconciliation job is associated. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not change the default value. |
|
Latest Token |
This parameter holds the value of the target system attribute that is specified as the value of the Incremental Recon Attribute parameter. The Latest Token parameter is used for internal purposes. By default, this value is empty. Note: Do not enter a value for this parameter. The reconciliation engine automatically enters a value in this parameter. Sample value: <String>2017-09-19T14:16:24Z</String> |
|
Object Type |
This parameter holds the name of the object type for the reconciliation run. Default value: User Do not change the default value. |
|
Filter Suffix |
Enter the search filter for fetching user records from the target system during a reconciliation run. Sample value when incremental recon is enabled: %20and%20startswith(displayName,'user1') Sample value when incremental recon is not enabled: For more information about creating filters, see Performing Limited Reconciliation. |
|
Scheduled Task Name |
Name of the scheduled task used for reconciliation. Do not modify the value of this parameter. |
|
Incremental Recon Attribute |
Enter the name of the attribute that holds the timestamp at which the token record was modified. Sample value: lastDirSyncTime |
Table 3-13 Parameters of the Office365 User Trusted Reconciliation Job
| Parameter | Description |
|---|---|
|
Application name |
Name of the AOB Application with which the job is associated. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value. |
|
Filter Suffix |
Enter the search filter for fetching user records from the target system during a reconciliation run. Sample value: %20and%20startswith(displayName,'tap') For more information about creating filters, see Performing Limited Reconciliation. |
|
Incremental Recon Attribute |
Attribute that holds the timestamp at which the token record was modified. |
|
Latest Token |
This parameter holds the value of the attribute that is specified as the value of the Incremental Recon Attribute attribute. The Latest Token parameter is used for internal purposes. By default, this value is empty. Note: If an appropriate Increment Recon attribute has been specified, then do not enter a value for this parameter. Sample value: <String>2017-11-30T04:44:29Z</String> |
|
Object Type |
This parameter holds the name of the object type for the reconciliation run. Default value: User Note: Do not change the default value. |
|
Scheduled Task Name |
Name of the scheduled task used for reconciliation. Do not modify the value of this parameter. |
Reconciliation Jobs for Entitlements
-
Office365 Group Lookup Reconciliation
-
Office365 Licenses Lookup Reconciliation
-
Office365 Roles Lookup Reconciliation
-
Office365 Manager Lookup Reconciliation
Table 3-14 Parameters of the Reconciliation Jobs for Entitlements
| Parameter | Description |
|---|---|
|
Application Name |
Current AOB application name with which the reconciliation job is associated. Default value: Office365 Do not modify this value. |
|
Code Key Attribute |
Name of the connector attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). Default value: Do not modify this value. |
|
Decode Attribute |
Name of the connector attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute). Default value: |
|
Lookup Name |
Enter the name of the lookup definition in Oracle Identity Governance that must be populated with values fetched from the target system. Depending on the Reconciliation job that you are using, the default values are as follows:
If you create a copy of any of these lookup definitions, then enter the name of that new lookup definition as the value of the Lookup Name attribute. |
|
Object Type |
Enter the type of object you want to reconcile. Depending on the reconciliation job that you are using, the default values are as follows:
Note: Do not change the value of this parameter. |