1 About the ServiceNow Connector
Oracle Identity Governance is a centralized identity management solution that provides self service, compliance, provisioning and password management services for applications residing on-premises or on the Cloud. Oracle Identity Governance connectors are used to integrate Oracle identity Governance with the external identity-aware applications.
Note:
In this guide, the connector that is deployed using the Applications option on the Manage tab of Identity Self Service is referred to as an AOB application. The connector that is deployed using the Manage Connector option in Oracle Identity System Administration is referred to as a CI-based connector (Connector Installer-based connector).Application onboarding is the process of registering or associating an application with Oracle Identity Governance and making that application available for provisioning and reconciliation of user information.
The following topics provide a high-level overview of the ServiceNow connector:
Note:
In this guide, the term Oracle Identity Governance server refers to the computer on which Oracle Identity Governance is installed.1.1 Certified Components
These are the software components and their versions required for installing and using ServiceNow connector.
Note:
If you are using Oracle Identity Manager release 11.1.x, then you can install and use the connector only in the CI-based mode. If you want to use the AOB application, then you must upgrade to Oracle Identity Governance release 12.2.1.3.0.Table 1-1 Certified Components
| Component | Requirement for AOB Application | Requirement for CI-Based Connector |
|---|---|---|
|
Oracle Identity Governance or Oracle Identity Manager |
You can use one of the following releases of Oracle Identity Governance:
|
You can use one of the following releases of Oracle Identity Governance or Oracle Identity Manager:
|
|
Target System |
ServiceNow release Eureka or later |
ServiceNow release Eureka or later |
|
Connector Server |
11.1.2.1.0 or later |
11.1.2.1.0 or later |
|
Connector Server JDK |
JDK 1.8 or later |
JDK 1.8 or later |
|
Connector Patch |
If you want to create and manage Authoritative applications for ServiceNow, then you must download and apply patch 29874542, to the ServiceNow connector bundle, from My Oracle Support. |
Not applicable |
1.2 Usage Recommendation
These are the recommendations for the ServiceNow connector versions that you can deploy and use depending on the Oracle Identity Governance or Oracle Identity Manager version that you are using.
-
If you are using Oracle Identity Governance release 12c (12.2.1.3.0) or later, then use the latest 12.2.1.x version of this connector. Deploy the connector using the Applications option on the Manage tab of Identity Self Service.
-
If you are using the Oracle Identity Manager release listed in the “Requirement for CI-Based Connector” column in Table 1-1, then use the 11.1.x version of this connector. If you want to use the 12.1.x version of this connector, then you can install and use it only in the CI-based mode. If you want to use the AOB application, then you must upgrade to Oracle Identity Governance release 12c (12.2.1.3.0) or later.
Note:
If you are using the latest 12.2.1.x version of the ServiceNow connector in the CI-based mode, then see Oracle Identity Manager Connector Guide for ServiceNow, Release 11.1.1 for complete details on connector deployment, usage, and customization.1.3 Certified Languages
These are the languages that the connector supports.
-
Arabic
-
Chinese (Simplified)
-
Chinese (Traditional)
-
Czech
-
Danish
-
Dutch
-
English
-
Finnish
-
French
-
French (Canadian)
-
German
-
Greek
-
Hebrew
-
Hungarian
-
Italian
-
Japanese
-
Korean
-
Norwegian
-
Polish
-
Portuguese
-
Portuguese (Brazilian)
-
Romanian
-
Russian
-
Slovak
-
Spanish
-
Swedish
-
Thai
-
Turkish
1.4 Supported Connector Operations
These are the list of operations that the connector supports for your target system.
Table 1-2 Supported Connector Operations
| Operation | Supported |
|---|---|
|
User Management |
|
|
Create user |
Yes |
|
Reconcile user |
Yes |
|
Update user |
Yes |
|
Delete user |
Yes |
|
Set password |
Yes |
|
Reset password |
Yes |
|
Enable user |
Yes |
|
Disable user |
Yes |
|
Role Grant Management |
|
|
Add role |
Yes |
|
Add multiple roles |
Yes |
|
Remove role |
Yes |
|
Remove multiple roles |
Yes |
|
Assign single or multiple roles |
Yes |
|
Remove single or multiple roles |
Yes |
|
Group Management |
|
|
Add group |
Yes |
|
Add multiple groups |
Yes |
|
Remove group |
Yes |
|
Remove multiple groups |
Yes |
|
Assign single or multiple groups |
Yes |
|
Remove single or multiple groups |
Yes |
1.5 Connector Architecture
The connector uses ServiceNow APIs to synchronize user attributes between Oracle Identity Governance and ServiceNow directory services, and is implemented using the Identity Connector Framework (ICF) component.
The ICF is a component that is required in order to use Identity Connector. ICF provides basic reconciliation and provisioning operations that are common to all Oracle Identity Governance connectors. In addition, ICF provides common features that developers would otherwise need to implement on their own, such as, buffering, time outs, and filtering. ICF is distributed together with Oracle Identity Governance. Therefore, you do not need to configure or modify ICF.
You can configure the connector to run in one of the following modes:
-
Identity reconciliation
Identity reconciliation is also known as authoritative or trusted source reconciliation. In this mode, the target system is used as the trusted source and users are directly created and modified on it. During reconciliation, each user record fetched from the target system is compared with existing OIM Users. If a match is found between the target system record and the OIM User, then the OIM User attributes are updated with changes made to the target system record. If no match is found, then the target system record is used to create an OIM User.
-
Account management
Account management is also known as target resource management. In this mode, the target system is used as a target resource and the connector enables the following operations:
-
Provisioning
Provisioning involves creating or updating users on the target system through Oracle Identity Governance. When you allocate (or provision) a ServiceNow resource to the OIM User, the operation results in the creation of an account on ServiceNow for that user. In the Oracle Identity Governancecontext, the term provisioning also covers updates made to the target system account through Oracle Identity Governance.
-
Target resource reconciliation
In target resource reconciliation, data related to the newly created and modified target system accounts can be reconciled and linked with existing OIM Users and provisioned resources. You use a scheduled job for performing reconciliation.
-
Figure 1-1 shows the architecture of the ServiceNow connector.
As shown in this figure, the ServiceNow connector enables you to use the target system as a managed resource (target) of identity data for Oracle Identity Governance.
Through the provisioning operations that are performed on Oracle Identity Governance, accounts are created and updated in the target system for Oracle Identity Governance Users. During provisioning, the Adapters invoke ICF operation, ICF inturn invokes create operation on the ServiceNow Identity Connector Bundle and then the bundle calls the target system API for provisioning operations. The ServiceNow Table API on the target system accepts provisioning data from the bundle, carries out the required operation on the target system, and returns the response from the target system back to the bundle, which passes it to the adapters.
During reconciliation, a scheduled task invokes an ICF operation. ICF inturn invokes a search operation on the ServiceNow Identity Connector Bundle and then the bundle calls ServiceNow API for reconciliation operation. The API extracts user records that match the reconciliation criteria and hands them over through the bundle and ICF back to the scheduled task, which brings the records to Oracle Identity Governance.
Each record fetched from the target system is compared with ServiceNow resources that are already provisioned to OIG Users. If a match is found, then the update made to the ServiceNow record from the target system is copied to the ServiceNow resource in Oracle Identity Governance. If no match is found, then the user ID of the record is compared with the user ID of each OIG User. If a match is found, then data in the target system record is used to provision an ServiceNow resource to the OIG User.
The ServiceNow Identity Connector Bundle communicates with the ServiceNow Table API using the HTTPS protocol. The ServiceNow Table API provides programmatic access through REST API endpoints. Apps can use the ServiceNow API to perform create, read, update, and delete (CRUD) operations on directory data and directory objects, such as users.
See Also:
Understanding the Identity Connector Framework in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance for more information about ICF
1.6 Supported Use Cases
ServiceNow connector is used to integrate OIG with a ServiceNow instance. ServiceNow connector ensures that all ServiceNow accounts are created, updated, deleted, and deactivated on an integrated cycle with the rest of the identity-aware applications in your enterprise. ServiceNow connector standardizes service processes and implements automation to replace manual tasks. In a typical IT scenario, an organization using OIG wants to manage accounts, user association with a role or with a department across a ServiceNow Cloud instance.
As a business use case, consider a leading logistics company in Australia which was using ServiceNow for the ticketing system solution and OIG for identity management. Before using ServiceNow connector, operations such as create, edit, and delete were performed manually and lacked a centralized streamlining operation. These operations can be easily automated using the ServiceNow REST APIs. By integrating ServiceNow connector with Oracle Identity Governance, the logistics company was able to achieve complete automation.
-
ServiceNow User Management
An organization using ServiceNow wants to integrate with OIG to manage identities. The organization wants to manage its user identities by creating them in the target system using OIG. The organization also wants to synchronize user identity changes performed directly in the target system with OIG. In such a scenario, a quick and an easy way is to install the ServiceNow connector and configure it with your target system by providing connection information in the IT resource.
ServiceNow connector allows new users to self-provision on a ServiceNow Cloud instance. New users can request and provision from a catalog of cloud-based resources.
To create a new user in the target system, fill in and submit the OIG process form to trigger the provisioning operation. The connector executes the create operation against your target system and the user is created on successful execution of the operation. Similarly, operations such as delete and update can be performed.
To search or retrieve the user identities, you must run a scheduled task from OIG. The connector will run the corresponding search operation against the user identities in the target system and fetch all the changes to OIG.
- Entitlement Grant Management
- ServiceNow Groups
In ServiceNow context, a group is a collection of users who share a common purpose. Generally, a group will perform tasks such as approving change requests and resolving incidents.
For example, consider a network outage scenario. A Network group with several team members will receive a group notification about the incident. The outage incident task can be assigned to any Network group member for a resolution. The ServiceNow connector integration with OIG provides a request-based policy option. Before using ServiceNow connector, the approver must be an user from the Network group. With ServiceNow integration, the said outage resolution can be automatically assigned to users or groups based on predefined polices. For administrators and users, the ServiceNow connector provides an option to facilitate a request-based group membership assignment or group membership revocation options.
-
ServiceNow Roles
In ServiceNow context, a role is an administrator who can create groups and provide access-based permissions to various groups.
ServiceNow connector manages role memberships. Role memberships provide selective access to ServiceNow functionalities. A user can be a member of one or more roles. Generally, new users are added to a specific role. Each role determines various tasks such as view, update, and delete operations that a ServiceNow user can perform.
As an example, a user with specific role has the rights to view a change request, however does not have access privileges to approve or reject a change request. A ServiceNow user without a role assignment can perform minimal read and write operations. A ServiceNow user needs to have role access privilege in order to create a group. In large organizations, it may be necessary for an administrator to designate other employees to act as administrators to serve different functions. For example, you can set admin roles for your IT staff that can act as support agents to other employees, partners, customers and vendors. With the ServiceNow connector, you can assign or revoke a ServiceNow admin role to users as an entitlement, thus facilitating you to leverage the delegated administration capability of ServiceNow.
- ServiceNow Groups
1.7 Supported Connector Features Matrix
Provides the list of features supported by the AOB application and CI-based connector.
Table 1-3 Supported Connector Features Matrix
| Feature | AOB Application | CI-Based Connector |
|---|---|---|
|
Perform full reconciliation |
Yes |
Yes |
|
Perform incremental reconciliation |
Yes, only for Authoritative applications |
No |
|
Perform limited reconciliation |
Yes |
Yes |
|
Use connector server |
Yes |
Yes |
|
Configure validation and transformation of account data |
Yes |
Yes |
|
Perform connector operations in multiple domains |
Yes |
Yes |
|
Support for paging |
Yes |
Yes |
|
Test connection |
Yes |
No |
|
Reset password |
Yes |
Yes |
|
Clone applications or create new application instances |
Yes |
Yes |
|
Provide secure communication to the target system through SSL |
Yes |
Yes |
1.8 Connector Features
The features of the connector include support for connector server, full reconciliation, limited reconciliation, reconciliation of deleted account data, support for cloning applications and creating instance applications, and secure communication to the target system.
1.8.1 Support for Both Target and Authoritative Applications
You can use the connector to create and manage Target applications and Authoritative applications.
Note:
To create and manage Authoritative applications, ensure that you have applied patch 29874542 from My Oracle Support.
1.8.2 Support for Full and Incremental Reconciliation
Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Governance. In incremental reconciliation, only records that are added or modified after the last reconciliation run are fetched into Oracle Identity Governance. You can perform incremental reconciliation only for an Authoritative application.
After you create the application, you can first perform full reconciliation. For an authoritative application, incremental reconciliation is automatically enabled after the first full reconciliation run, if you entered a value for the Incremental Recon Attribute parameter of the ServiceNow User Trusted Reconciliation job.
You can perform a full reconciliation run at any time. See Performing Full and Incremental Reconciliation
1.8.3 Support for Limited (Filtered) Reconciliation
You can reconcile records from the target system based on a specified filter criterion.
You can set a reconciliation filter as the value of the Filter Suffix attribute of the user reconciliation scheduled job. This filter specifies the subset of newly added and modified target system records that must be reconciled. The Filter Suffix attribute helps you to assign filters to the API based on which you will get a filtered response from the target system.
1.8.4 Support for the Connector Server
Connector Server is one of the features provided by ICF. By using one or more connector servers, the connector architecture permits your application to communicate with externally deployed bundles.
A Java connector server is useful when you do not wish to execute a Java connector bundle in the same VM as your application. It can be beneficial to run a Java connector on a different host for performance improvements.
For information about installing, configuring, and running the Connector Server, and then installing the connector in a Connector Server, see Using an Identity Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.
1.8.5 Transformation and Validation of Account Data
You can configure transformation and validation of account data that is brought into or sent from Oracle Identity Governance during reconciliation and provisioning operations by writing Groovy scripts while creating your application.
For more information, see Validation and Transformation of Provisioning and Reconciliation Attributes in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
1.8.6 Support for Cloning Applications and Creating Instance Applications
You can configure this connector for multiple installations of the target system by cloning applications or by creating instance applications.
When you clone an application, all the configurations of the base application are copied into the cloned application. When you create an instance application, it shares all configurations as the base application.
For more information about these configurations, see Cloning Applications and Creating Instance Applications in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
1.8.7 Secure Communication to the Target System
To provide secure communication to the target system, SSL is required. You can configure SSL between Oracle Identity Governance and the Connector Server and between the Connector Server and the target system.
If you do not configure SSL, passwords can be transmitted over the network in clear text. For example, this problem can occur when you are creating a user or modifying a user's password.