1 About the SAP SuccessFactors Connector
Oracle Identity Governance is a centralized identity management solution that provides self service, compliance, provisioning and password management services for applications residing on-premise or on the Cloud. Oracle Identity Governance connectors are used to integrate Oracle identity Governance with the external identity-aware applications.
Note:
In this guide, the connector that is deployed using the Applications option on the Manage tab of Identity Self Service is referred to as an AOB application. The connector that is deployed using the Manage Connector option in Oracle Identity System Administration is referred to as a CI-based connector (Connector Installer-based connector).Application onboarding is the process of registering or associating an application with Oracle Identity Governance and making that application available for provisioning and reconciliation of user information.
The following topics provide a high-level overview of the SAP SuccessFactors connector:
1.1 Certified Components
These are the software components and their versions required for installing and using the SuccessFactors connector.
Table 1-1 Certified Components
| Component | Requirement for AOB Application | Requirement for CI-Based Connector |
|---|---|---|
|
Oracle Identity Manager or Oracle Identity Governance |
You can use any one of the following releases:
|
You can use one of the following releases:
|
|
Oracle Identity Governance or Oracle Identity Manager JDK |
JDK 1.8 or later |
JDK 1.8 or later |
|
Target systems |
SAP SuccessFactors |
SAP SuccessFactors |
|
Connector Server |
11.1.2.1.0 or later |
11.1.2.1.0 or later |
|
Connector Server JDK |
JDK 1.8 or later |
JDK 1.8 or later |
1.2 Usage Recommendation
These are the recommendations for the SAP SuccessFactors connector version that you can deploy and use depending on the Oracle Identity Governance or Oracle Identity Manager version that you are using.
-
If you are using Oracle Identity Governance 12c (12.2.1.3.0), then use the latest 12.2.1.x version of this connector. Deploy the connector using the Applications option on the Manage tab of Identity Self Service.
-
If you are using any of the Oracle Identity Manager releases listed in the “Requirement for CI-Based Connector” column in Table 1-1, then use the 11.1.x version of the SAP SuccessFactors connector. If you want to use the 12.1.x version of this connector, then you can install and use it only in the CI-based mode. If you want to use the AOB application, then you must upgrade to Oracle Identity Governance release 12.2.1.3.0.
1.3 Certified Languages
These are the languages that the connector supports.
-
Arabic
-
Chinese (Simplified)
-
Chinese (Traditional)
-
Czech
-
Danish
-
Dutch
-
English
-
Finnish
-
French
-
French (Canadian)
-
German
-
Greek
-
Hebrew
-
Hungarian
-
Italian
-
Japanese
-
Korean
-
Norwegian
-
Polish
-
Portuguese
-
Portuguese (Brazilian)
-
Romanian
-
Russian
-
Slovak
-
Spanish
-
Swedish
-
Thai
-
Turkish
1.4 Supported Connector Operations
These are the list of operations that the connector supports for your target system.
Table 1-2 Supported Connector Operations
| Operation | Supported |
|---|---|
|
User Management |
|
|
Create user |
Yes |
|
Update user |
Yes |
|
Delete User |
Yes Note: In the current release, delete operation is not supported by the target application. When you execute a user-delete operation from the connector application, the deleted user gets disabled on the target application. |
|
Enable User |
Yes |
|
Disable User |
Yes |
|
Test Connection |
Yes |
|
Group Management |
Note: To obtain support for group management, apply patch SuccessFactors-12.2.1.3.0B or later. |
|
Add group |
Yes |
|
Add multiple groups |
Yes |
|
Remove group |
Yes |
|
Remove multiple groups |
Yes |
|
Assign single or multiple groups |
Yes |
|
Remove single or multiple groups |
Yes |
1.5 Connector Architecture
The SuccessFactors connector is implemented by using the Identity Connector Framework (ICF).
The ICF is a component that is required in order to use Identity Connector. ICF provides basic reconciliation and provisioning operations that are common to all Oracle Identity Governance connectors. In addition, ICF provides common features that developers would otherwise need to implement on their own, such as, buffering, time outs, and filtering. ICF is distributed together with Oracle Identity Governance. Therefore, you do not need to configure or modify ICF.
Figure 1-1 shows the architecture of the SuccessFactors connector.
Figure 1-1 Architecture of the SuccessFactors Connector
Description of "Figure 1-1 Architecture of the SuccessFactors Connector"
-
Identity reconciliation
Identity reconciliation is also known as authoritative. In this mode, the target system is used as an authoritative source and users are directly created and modified on Oracle Identity Governance by reconciliation jobs. During reconciliation, a scheduled task invokes an ICF operation. ICF inturn invokes a search operation on the SuccessFactors Connector Bundle and then the bundle calls the OData API for reconciliation operation. The API extracts user records that match the reconciliation criteria and hands them over through the bundle and ICF back to the scheduled task, which brings the records to Oracle Identity Governance.
Each user record fetched from the target system is compared with existing Oracle Identity Governance Users. If a match is found between the target system record and the Oracle Identity Governance User, then the Oracle Identity Governance User attributes are updated with changes made to the target system record. If no match is found, then the target system record is used to create an Oracle Identity Governance User.
-
Account management
Account management is also known as target resource management. In this mode, the target system is used as a target resource and the connector enables the following operations:
-
Provisioning
Provisioning involves creating and updating users on the target system through Oracle Identity Governance. During provisioning, the adapters invoke ICF operation, ICF inturn invokes create operation on the SuccessFactors Identity Connector Bundle and then the bundle calls the target system API for provisioning operations. The API on the target system accepts provisioning data from the bundle, carries out the required operation on the target system, and returns the response from the target system back to the bundle, which passes it to the adapters.
-
Target resource reconciliation
During reconciliation, a scheduled task invokes an ICF operation. ICF inturn invokes a search operation on the SuccessFactors Identity Connector Bundle and then the bundle calls the target system API for reconciliation operation. The API extracts user records that match the reconciliation criteria and hands them over through the bundle and ICF back to the scheduled task, which brings the records to Oracle Identity Governance.
Each record fetched from the target system is compared with SuccessFactors resources that are already provisioned to Oracle Identity Governance Users. If a match is found, then the update made to the SuccessFactors record from the target system is copied to the SuccessFactors resource in Oracle Identity Governance. If no match is found, then the user ID of the record is compared with the user ID of each Oracle Identity Governance User. If a match is found, then data in the target system record is used to provision a SuccessFactors resource to the Oracle Identity Governance User.
-
1.6 Use Cases Supported by the Connector
The SAP SuccessFactors application uses the Software as a Service (SaaS) model and supports full human resource lifecycle functions on a single platform. The SAP SuccessFactors application allows an organization to make various data-driven people management decisions. The SAP SuccessFactors connector integrates Oracle Identity Governance with SuccessFactors application.
The SAP SuccessFactors connector standardizes service processes and implements automation to replace manual tasks. The SuccessFactors connector enables you to use SuccessFactors either as a managed (target) resource or as an authoritative (trusted) source of identity data for Oracle Identity Governance. Multiple instances of SuccessFactors solution can use a single connector bundle.
User Management and Entitlement Grant Management are example scenarios which the SuccessFactors connector facilitates:
User Management
An organization using SAP SuccessFactors wants to integrate with Oracle Identity Governance to manage the employee provisioning operations. The organization wants to manage its employee information (add and update functions) by creating them in the target system using Oracle Identity Governance. The organization also wants to synchronize employee updates performed directly in the target system with Oracle Identity Governance. In such a scenario, a quick and an easy way is to install the SuccessFactors connector and configure it with your target system by providing connection information in the IT resource.
The SuccessFactors connector is used to manage various employee attributes such as email id, hire-date, and job-level.
Entitlement Grant Management
In SuccessFactors context, static permission groups are created and modified by adding individual user names to a group using an excel spreadsheet. They store a static list of users instead of a list based on dynamically generated criteria. Changing user information does not modify group members. However, you must redefine group members by importing an updated spreadsheet.
The SAP SuccessFactors Connector enables an organization to add and remove users from a static group. It also helps fetch static group memberships through reconciliation for a user. If a user with an existing SuccessFactors application wants to manage group membership, they must initially migrate the pre-existing SuccessFactors static groups into Oracle Identity Governance.
In terms of operational capability, the connector facilitates user reconciliation and group lookup reconciliation. From Oracle Identity Governance, however, connector group membership is limited to SAP SuccessFactors Static groups only. Dynamic groups are managed by SuccessFactors but READ-ONLY reconciliation of dynamic groups are possible with a change in the connector configuration.
1.7 Connector Features
The features of the connector include support for connector server, full reconciliation, incremental reconciliation, limited reconciliation, and reconciliation of updates to account data.
Table 1-3 Supported Connector Features Matrix
| Feature | AOB Application | CI-Based Connector |
|---|---|---|
|
Full reconciliation |
Yes |
Yes |
|
Incremental reconciliation |
Yes |
Yes |
| Support for Trusted Source Reconciliation |
Yes |
Yes |
| Limited reconciliation |
Yes |
Yes |
|
Use connector server |
Yes |
Yes |
|
Clone applications or create new application instances |
Yes |
Yes |
|
Transformation and validation of account data |
Yes |
Yes |
|
Reconcile user account status |
Yes |
Yes |
|
Test Connection |
Yes |
No |
|
Perform connector operations in multiple domains |
Yes |
Yes |
| Support for paging from Release 12.2.1.3.0J | Yes | Yes |
The following topics provide more information on the features of the AOB application:
1.7.1 Full and Incremental Reconciliation
After you create the connector, you can perform full reconciliation to bring all existing user data from the target system to Oracle Identity Governance. After the first full reconciliation run, you can configure your connector for incremental reconciliation. In incremental reconciliation, only records that are added or modified after the last reconciliation run are fetched into Oracle Identity Governance.
Note:
The connector supports incremental reconciliation if the target system contains an attribute that holds the timestamp at which an object is created or modified.1.7.2 Support for Trusted Source Reconciliation
The SuccessFactors connector can be configured as a trusted source for reconciliation of records into Oracle Identity Governance.
1.7.3 Limited Reconciliation
To limit or filter the records that are fetched into Oracle Identity Governance during a reconciliation run, you can specify the subset of added or modified target system records that must be reconciled.
You can set a reconciliation filter as the value of the Filter Suffix attribute of the user reconciliation scheduled job. The Filter Suffix attribute helps you to assign filters to the API based on which you get a filtered response from the target system.
1.7.4 Support for the Connector Server
Connector Server is one of the features provided by ICF. By using one or more connector servers, the connector architecture permits your application to communicate with externally deployed bundles.
A Java connector server is useful when you do not wish to execute a Java connector bundle in the same VM as your application. It can be beneficial to run a Java connector on a different host for performance improvements.
For information about installing, configuring, and running the Connector Server, and then installing the connector in a Connector Server, see Using an Identity Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.
1.7.5 Transformation and Validation of Account Data
You can configure transformation and validation of account data that is brought into or sent from Oracle Identity Governance during reconciliation and provisioning operations by writing Groovy scripts while creating your application.
For more information, see Validation and Transformation of Provisioning and Reconciliation Attributes in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.