1 About the Generic SCIM Connector
The Generic SCIM connector integrates Oracle Identity Governance with SCIM-based target systems.
Note:
In this guide, the connector that is deployed using the Applications option on the Manage tab of Identity Self Service is referred to as an AOB application. The connector that is deployed using the Manage Connector option in Oracle Identity System Administration is referred to as a CI-based connector (Connector Installer-based connector).
From Oracle Identity Governance release 12.2.1.3.0 onward, connector deployment is handled using the application onboarding capability of Oracle Identity Self Service. This capability lets business users onboard applications with minimum details and effort. The connector installation package includes a collection of predefined templates (XML files) that contain all the information required for provisioning and reconciling data from a given application or target system. These templates also include basic connectivity and configuration details specific to your target system. The connector uses information from these predefined templates, allowing you to onboard your applications quickly and easily through a single, simplified UI.
Application onboarding is the process of registering or associating an application with Oracle Identity Governance and making that application available for provisioning and reconciliation of user information.
The following sections provide a high-level overview of the connector:
Introduction to the Connector
The Generic SCIM connector is a solution to integrate Oracle Identity Manager with SCIM-based identity-aware applications. A SCIM-based identity-aware application is any application that exposes its SCIM APIs or interfaces for identity management.
Note:
In this guide, a SCIM-based identity-aware application is referred to as the target system or SCIM-based target system.
The Generic SCIM connector provides a centralized system to streamline delivery of services and assets to your company’s consumers, and manage those services and assets in a simple, secure, and cost efficient manner by using automation. The Generic SCIM connector standardizes service processes and implements automation to replace manual tasks.
To connect with a SCIM-based target system, the Generic SCIM connector supports HTTP Basic Authentication and OAuth 2.0 authentication mechanisms. This connector also supports authenticating to the target system by using an access token and a refresh token supplied as input by the user. This authentication mechanism can be useful if your target system does not provide a programmatic approach to obtain access tokens.
The supported grant types for the OAuth 2.0 authentication mechanism are:
- JWT
- Client Credentials
- Resource Owner Password
If your target system does not support any of the authentication types supported by this connector, then you can implement the custom authentication that your target system supports. You can connect this custom implementation to the connector by using the plug-ins exposed by this connector.
The Generic SCIM connector synchronizes data between Oracle Identity Governance and SCIM-based target systems by performing reconciliation and provisioning operations that parse data in the JSON format. If your target system does not support request or response payload in JSON format, then you can create your own implementation for parsing data. You can connect this custom implementation to the connector by using the plug-ins exposed by this connector.
The Generic SCIM connector is a connector for a discovered target system. This is because the schema of the SCIM-based target system with which the connector integrates is not known in advance. The Generic SCIM connector is not shipped with any artifacts. Therefore, during application creation, you must specify the schema of your target system. This lets the connector understand the schema of the SCIM-based target system and then generate the artifacts.
Certified Components
These are the software components and their versions that are required for installing and using the connector.
Table 1-1 Certified Components
| Item | Requirement for AOB Application | Requirement for CI-Based Connector |
|---|---|---|
| Oracle Identity Governance or Oracle Identity Manager | You can use one of the following releases of Oracle Identity Governance: | You can use one of the following releases of Oracle Identity Governance or Oracle Identity Manager: |
| Target System | Any identity-aware application that supports SCIM service | Any identity-aware application that supports SCIM service |
| Connector Server | Note: The Connector Server is optional. If you have deployed the Generic SCIM connector in the Connector Server, then you can download the necessary Java Connector Server 12.2.1.3.1 or 12.2.1.3.0 from the Oracle Technology Network web page. | Note: The Connector Server is optional. If you have deployed the Generic SCIM connector in the Connector Server, then you can download the necessary Java Connector Server 12.2.1.3.1 or 12.2.1.3.0 from the Oracle Technology Network web page. |
| Connector Server JDK | | |
Certified Languages
The connector will support the languages that are supported by Oracle Identity Governance.
These are the languages that the connector supports.
- Arabic
- Chinese (Simplified)
- Chinese (Traditional)
- Czech
- Danish
- Dutch
- English (US)
- Finnish
- French
- French (Canadian)
- German
- Greek
- Hebrew
- Hungarian
- Italian
- Japanese
- Korean
- Norwegian
- Polish
- Portuguese
- Portuguese (Brazilian)
- Romanian
- Russian
- Slovak
- Spanish
- Swedish
- Thai
- Turkish
Resource bundles are not part of the connector installation package as the resource bundle entries vary depending on the target system being used.
Usage Recommendation
These are the recommendations for the Generic SCIM Connector versions that you can deploy and use depending on the Oracle Identity Governance version that you are using.
If you are using Oracle Identity Governance 12c (12.2.1.3.0) or Oracle Identity Governance 14c (14.1.2.1.0) or later, then use the latest 12.2.1.x version of this connector. Deploy the connector using the Applications option on the Manage tab of Identity Self Service.
Architecture of Generic SCIM Connector
The Generic SCIM connector is implemented using the Identity Connector Framework (ICF).
The ICF is a component that provides basic reconciliation and provisioning operations that are common to all Oracle Identity Manager connectors. In addition, ICF provides common features that developers would otherwise need to implement on their own, such as connection pooling, buffering, timeouts, and filtering. The ICF is shipped along with Oracle Identity Governance.
The following figure shows the architecture of the connector.
Figure 1-1 Connector Architecture

The primary function of the Generic SCIM connector is to connect to any target system that exposes its SCIM APIs and then synchronize user identity data between this target system and Oracle Identity Governance.
This connector is not shipped with any metadata because it is a connector for a target system that is not known in advance. Depending on the schema of your target system, the connector artifacts are generated after you create the application for your target system. After the connector artifacts are created, Oracle Identity Governance communicates with your target system through the connector bundle by using various provisioning and reconciliation operations.
The SCIM Common layer contains all the plug-ins and logic required by the connector to authenticate to the target system and parse data. Any custom implementation for authorization and data parsing can also be hooked as a plug-in in the SCIM Common layer.
During provisioning, adapters carry provisioning data submitted through the process form to the target system. The adapters establish a connection with the corresponding Create, Update, or Delete operations in the connector bundle which in turn establishes a connection with a target system by leveraging the SCIM Common layer. After the adapters establish a connection with the target system, SCIM calls are made to the endpoints, and the required provisioning operation is performed. Subsequently, the response from the target system is returned to the adapters.
During reconciliation, a scheduled task is run which calls the SearchOp operation of the connector bundle. The connector bundle establishes a connection with the target system by using the SCIM Common layer. Then, the connector retrieves all records that match the reconciliation criteria by calling the specific SCIM endpoint. This result is then passed to Oracle Identity Governance.
Connector Features
The features of the connector include support for full and incremental reconciliation, limited reconciliation, custom authentication, custom parsing, custom payload, handling multiple endpoint URLs, and SSL communication.
The following are the features of the connector:
Trusted Source and Target Resource Reconciliation
You can configure your SCIM-based application as a Target application or an Authoritative application for reconciliation of records into Oracle Identity Governance.
There are two versions of the connector available to provide support for trusted source (authoritative application) and target resource (Target application) reconciliation.
See Configuring Reconciliation Jobs for more information.
Full and Incremental Reconciliation
After you create the application, you can perform full reconciliation to bring all existing user data from the target system to Oracle Identity Governance. After the first full reconciliation run, you can configure your connector for incremental reconciliation. In incremental reconciliation, only records that are added or modified after the last reconciliation run are fetched into Oracle Identity Governance.
Note:
If the target system contains an attribute that holds the timestamp at which an object is created or modified, the connector supports incremental reconciliation.
You can perform a full reconciliation run at any time. See Performing Full Reconciliation and Incremental Reconciliation for more information.
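The following is an added example, not Oracle's code or the connector's implementation: a sketch of full versus incremental reconciliation over SCIM 2.0, assuming the target system exposes the standard `meta.lastModified` attribute and accepts a `gt` filter on it. The names `fake_target` and `reconcile` and the sample users are constructed for illustration.

```python
import json
import re
from urllib.parse import urlencode, parse_qs

# Constructed sample records in SCIM 2.0 User shape (not from any real system).
USERS = [
    {"id": "1", "userName": "alice", "meta": {"lastModified": "2024-05-01T08:00:00Z"}},
    {"id": "2", "userName": "bob", "meta": {"lastModified": "2024-05-03T09:30:00Z"}},
    {"id": "3", "userName": "carol", "meta": {"lastModified": "2024-05-04T11:15:00Z"}},
    {"id": "4", "userName": "dave", "meta": {"lastModified": "2024-05-05T16:45:00Z"}},
]

def fake_target(query_string):
    """Stand-in for GET /Users on a target system; returns a SCIM ListResponse as JSON text."""
    q = parse_qs(query_string)
    start, count = int(q["startIndex"][0]), int(q["count"][0])
    hits = USERS
    if "filter" in q:
        since = re.fullmatch(r'meta\.lastModified gt "([^"]+)"', q["filter"][0]).group(1)
        # ISO 8601 UTC timestamps of identical format compare correctly as strings.
        hits = [u for u in USERS if u["meta"]["lastModified"] > since]
    page = hits[start - 1:start - 1 + count]  # SCIM startIndex is 1-based
    return json.dumps({
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
        "totalResults": len(hits), "startIndex": start,
        "itemsPerPage": len(page), "Resources": page,
    })

def reconcile(fetch, last_run=None, page_size=2):
    """Full run when last_run is None, otherwise incremental. Returns (records, new_watermark)."""
    records, start = [], 1
    while True:
        params = {"startIndex": start, "count": page_size}
        if last_run:
            params["filter"] = f'meta.lastModified gt "{last_run}"'
        body = json.loads(fetch(urlencode(params)))
        records += body.get("Resources", [])
        start += body["itemsPerPage"]
        if body["itemsPerPage"] == 0 or start > body["totalResults"]:
            break
    # Advance the watermark only to a timestamp actually seen, never to "now".
    watermark = max((r["meta"]["lastModified"] for r in records), default=last_run)
    return records, watermark
```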
Limited (Filtered) Reconciliation
You can set a reconciliation filter as the value of the Filter Suffix attribute of the scheduled jobs. This filter specifies the subset of newly added and modified target system records that must be reconciled.
See Performing Limited (Filtered) Reconciliation for more information about performing limited reconciliation.
Custom Authentication
By default, the Generic SCIM connector supports HTTP Basic Authentication and OAuth 2.0 authentication mechanisms. The connector also supports an authentication mechanism in which the user provides an access token as input. The supported grant types for the OAuth 2.0 authentication mechanism are JWT, Client Credentials, and Resource Owner Password. If your target system uses an authentication mechanism that is not supported by the connector, then you can write your own implementation for custom authentication by using the plug-ins exposed by this connector.
See Implementing Custom Authentication for more information about creating your own implementation for the custom authentication.
Custom Parsing
By default, the Generic SCIM connector supports request and response payloads only in the JSON format. If your target system does not support request or response payload in JSON format, then you can implement a custom parsing logic by using plug-ins exposed by this connector.
See Implementing Custom Parsing for more information about custom parsing.
Custom Payload
The Generic SCIM connector provides support for handling custom formats for any attributes in the payload that do not adhere to the standard JSON format.
This can be achieved by specifying a value for the customPayload parameter of Advanced Settings. See Advanced Settings Parameters for more information about this parameter.
Support for Additional HTTP Headers
If your target system requires additional or custom HTTP headers in any SCIM call, then you can insert these HTTP headers as the value of the customAuthHeaders configuration parameter.
See Authentication Parameters for more information about this parameter.
Support for Handling Multiple Endpoint URLs
The Generic SCIM connector allows you to handle attributes of an object class (for example, a User object class) that can be managed only through endpoints other than the base endpoint URL of the object class. For example, in certain target systems, there are attributes of the User object class that can be managed using the base endpoint URL. However, some attributes (for example, email alias) can be managed only through a different endpoint URL. The connector provides support for handling all endpoint URLs associated with an object class.
This can be achieved by providing endpoint URL details of such attributes in the relURIs IT resource parameter. See Advanced Settings Parameters for more information about this parameter.
SSL Communication
You can configure SSL to secure data communication between Oracle Identity Governance and the SCIM-based target system.
See Configuring SSL for information about configuring secure communication.
Use Cases Supported by the Generic SCIM Connector
The Generic SCIM connector can be used to integrate OIM with any target system that supports SCIM services. This connector can be used to load identity data into OIM from a SCIM service and then efficiently manage identities in an integrated cycle with the rest of the identity-aware applications in your enterprise.
- Increased time and effort to identify and deploy a point-to-point connector for each application.
- Increased administration and maintenance overheads for managing connectors for each application.
- Unavailability of point-to-point connectors for all applications. In such a scenario, one needs to develop custom connectors, which increases the time and effort required to develop, deploy, and test the custom connector.

An alternative to this approach is to use the Generic SCIM connector, which can be used to integrate all the cloud applications with Oracle Identity Manager. The Generic SCIM connector provides the ability to manage accounts across all cloud applications without spending additional resources and time on building custom connectors for each cloud application.
The Generic SCIM connector is a hybrid approach that helps enterprises leverage an on-premise Oracle Identity Manager deployment to integrate with target systems for identity governance. These target systems include any application that exposes SCIM APIs, such as SaaS, PaaS, home-grown applications, and so on.
The following are some example scenarios in which the Generic SCIM connector is used:
- User Management

  The Generic SCIM Connector manages individuals who can access Cloud service by defining them as users in the system and assigning them to groups. This connector allows new users to self-provision on a Generic SCIM Cloud Service while the process remains controlled by IT. Users can request and provision from a catalog of cloud-based resources that is established by Oracle Identity Manager administrators. For example, to create a new user in the target system, fill in and submit the Oracle Identity Manager process form to trigger the provisioning operation. The connector executes the create operation against your target system and the user is created on successful execution of the operation. Similarly, operations such as delete and update can be performed.

- Entitlement Management

  The Generic SCIM Connector manages Cloud services objects (if exposed by the target system) as entitlements. Depending on the target system being used, this connector can be used to manage entitlements such as Groups, Roles, Licenses, Folders, Collaboration and so on. For example, you can use the Generic SCIM connector to automatically assign or revoke groups to users based on predefined access policies in Oracle Identity Manager. Similarly, you can use the Generic SCIM Connector to manage role memberships that provide selective access to certain Cloud Service functionality or groups. Therefore, as new users are added to a specific role, they automatically gain corresponding access in the applications.