1 About the Oracle Internet Directory Connector
Oracle Identity Governance is a centralized identity management solution that provides self-service, compliance, provisioning, and password management services for applications residing on-premises or in the cloud. Oracle Identity Governance connectors are used to integrate Oracle Identity Governance with external identity-aware applications.
Note:
In this guide, the connector that is deployed using the Applications option on the Manage tab of Identity Self Service is referred to as an AOB application. The connector that is deployed using the Manage Connector option in Oracle Identity System Administration is referred to as a CI-based connector (Connector Installer-based connector).
Application onboarding is the process of registering or associating an application with Oracle Identity Governance and making that application available for provisioning and reconciliation of user information.
The following sections provide a high-level overview of the connector:
Note:
At some places in this guide, ODSEE, OID, OUD, and an LDAPv3-compliant directory server are referred to as the target system.
1.1 Certified Components
These are the software components and their versions required for installing and using the connector.
Table 1-1 Certified Components

Component | Requirement for AOB Application | Requirement for CI-Based Connector
---|---|---
Oracle Identity Governance or Oracle Identity Manager | You can use one of the following releases: | You can use one of the following releases of Oracle Identity Governance or Oracle Identity Manager:
Target systems | The target system can be any one of the following: | The target system can be any one of the following:
Connector Server | 11.1.2.1.0 | 11.1.2.1.0
Connector Server JDK and JRE | JDK or JRE 1.6 and above | JDK or JRE 1.6 and above
1.2 Usage Recommendation
These are the recommendations for the OID connector versions that you can deploy and use depending on the Oracle Identity Governance or Oracle Identity Manager version that you are using.
Note:
If you are using Oracle Identity Manager release 11.1.x, then you can install and use the connector only in the CI-based mode. If you want to use the AOB application, then you must upgrade to Oracle Identity Governance release 12.2.1.3.0.
- If you are using Oracle Identity Governance 12c (12.2.1.3.0) and want to integrate it with any of the following target systems, then use the latest 12.2.1.x version of this connector and deploy it using the Applications option on the Manage tab of Identity Self Service:
  - Oracle Internet Directory release 9.x, 10.1.4.x, 11g release 1 (11.1.1.5.0, 11.1.1.6.0, 11.1.1.7.0 and 11.1.1.9.0), and 12c release (12.2.1.3.0, 12.2.1.4.0)
  - Oracle Unified Directory 11g release (11.1.1.5.0, 11.1.2.0.0, 11.1.2.2.0, and 11.1.2.3.0), and 12c release (12.2.1.3.0, 12.2.1.4.0)
  - Oracle Directory Server Enterprise Edition 11g release 1 (11.1.1.5.0 and 11.1.1.7.2)
  - An LDAPv3-compliant directory server
- If you are using Oracle Identity Governance 12c (12.2.1.3.0) and want to integrate it with any of the following target systems, then use the latest 12.2.1.x version of this connector and deploy it using the Manage Connector option in Oracle Identity System Administration:
  - Oracle Virtual Directory 10g and 11g release 1 (11.1.1.5.0)
  - Novell eDirectory 8.7.3 and 8.8
  - Sun Java System Directory Server Enterprise Edition 6.3 and 7.0
  - Sun ONE Directory Server 5.2
- If you are using any of the Oracle Identity Manager 11.1.x releases listed in the "Requirement for CI-Based Connector" column of Table 1-1, then use the 11.1.x version of the OID connector. If you want to use the 12.2.1.x version of this connector with Oracle Identity Manager 11.1.x releases, then you can install and use it only in the CI-based mode. If you want to use the AOB application, then you must upgrade to Oracle Identity Governance release 12.2.1.3.0.
  Note:
  If you are using the latest 12.2.1.x version of the Oracle Internet Directory connector in the CI-based mode, then see Oracle Identity Manager Connector Guide for Oracle Internet Directory, Release 11.1.1 for complete details on connector deployment, usage, and customization.
- If you are using an Oracle Identity Manager release that is earlier than Oracle Identity Manager 11g Release 1 (11.1.1), then depending on the target system that you are using, install and use one of the following connectors:
  - For Oracle Internet Directory, use the 9.0.4.x version of the Oracle Internet Directory connector.
  - For Sun ONE Directory Server and Sun Java System Directory Server Enterprise Edition, use the 9.0.4.x version of the Sun Java System Directory connector.
  - For Novell eDirectory, use the 9.0.4.x version of the Novell eDirectory connector.
1.3 Certified Languages
These are the languages that the connector supports.
- Arabic
- Chinese (Simplified)
- Chinese (Traditional)
- Czech
- Danish
- Dutch
- English
- Finnish
- French
- German
- Greek
- Hebrew
- Hungarian
- Italian
- Japanese
- Korean
- Norwegian
- Polish
- Portuguese (Brazilian)
- Romanian
- Russian
- Slovak
- Spanish
- Swedish
- Thai
- Turkish
1.4 Supported Connector Operations
This is the list of operations that the connector supports for your target system.
Table 1-2 Supported Connector Operations

Operation | Supported for OID? | Supported for OUD? | Supported for ODSEE? | Supported for LDAPv3-compliant directory server? | Supported for Novell eDirectory?
---|---|---|---|---|---
User Management | | | | |
Create user | Yes | Yes | Yes | Yes | Yes
Update user | Yes | Yes | Yes | Yes | Yes
Delete user | Yes | Yes | Yes | Yes | Yes
Enable user | Yes | Yes | Yes | Yes | Yes
Disable user | Yes | Yes | Yes | Yes | Yes
Reset password | Yes | Yes | Yes | Yes | No
Groups and Organization Units Management | | | | |
Create group or organization unit | Yes | Yes | Yes | Yes | Yes
Update group name or organization unit name | Yes | Yes | Yes | Yes | Yes
Delete group or organization unit | Yes | Yes | Yes | Yes | Yes
Update container DN | Yes | Yes | Yes | Yes | Yes
Roles Management | | | | |
Create role | Yes | No | Yes | Yes, if your target system supports creation of roles | Yes
Update role name | Yes | No | Yes | Yes | Yes
Delete role | Yes | No | Yes | Yes | Yes
Update container DN | Yes | No | Yes | Yes | Yes
Entitlement Grant Management | | | | |
Add groups | Yes | Yes | Yes | Not applicable | Yes
Revoke groups | Yes | Yes | Yes | Not applicable | Yes
Add roles | No | No | Yes | Not applicable | Yes
Revoke roles | No | No | Yes | Not applicable | Yes
Add organizations | No | No | No | Not applicable | Yes
Remove organizations | No | No | No | Not applicable | Yes
Add domain scope | Not applicable | Not applicable | Not applicable | Not applicable | Yes
Add profiles | Not applicable | Not applicable | Not applicable | Not applicable | Yes
Add role containers | Not applicable | Not applicable | Not applicable | Not applicable | Yes
1.5 Connector Architecture
The Oracle Internet Directory connector is implemented by using the Identity Connector Framework (ICF). The ICF is a component that provides basic reconciliation and provisioning operations that are common to all Oracle Identity Governance connectors. The ICF is shipped along with Oracle Identity Governance. Therefore, you need not configure or modify the ICF.
The OID connector uses JNDI to access the target system.
This connector can be configured to run in one of the following modes:
- Identity reconciliation
  Identity reconciliation is also known as authoritative or trusted source reconciliation. In this form of reconciliation, OIG Users are created or updated corresponding to the creation of and updates to users on the target system. Note that the identity reconciliation mode supports reconciliation of user objects only.
  See Reconciliation Scheduled Jobs for Groups and Organizational Units Management in OID for information about the LDAP Connector Trusted User Reconciliation scheduled job that is used in this mode.
- Account management
  Account management is also known as target resource management. This mode of the connector enables the following operations:
  - Provisioning
    Provisioning involves creating, updating, or deleting users, groups, roles, and organizational units (OUs) on the target system through Oracle Identity Governance.
    When you allocate (or provision) a target system resource to an OIG User, the operation results in the creation of an account on the target system for that user. In the Oracle Identity Governance context, the term "provisioning" is also used to mean updates (for example, enabling or disabling) made to the target system account through Oracle Identity Governance.
    Users and organizations are organized in a hierarchical format on the target system. Before you can provision users to (that is, create users in) the required organizational units (OUs) on the target system, you must fetch into Oracle Identity Governance the list of OUs used on the target system. This is achieved by using the LDAP Connector OU Lookup Reconciliation scheduled job for lookup synchronization.
    Similarly, before you can provision users to the required groups or roles on the target system, you must fetch into Oracle Identity Governance the list of all groups and roles used on the target system. This is achieved by using the LDAP Connector Group Lookup Reconciliation and LDAP Connector Role Lookup Recon scheduled jobs for lookup synchronization.
  - Target resource reconciliation
    To perform target resource reconciliation, the LDAP Connector User Search Reconciliation or LDAP Connector User Sync Reconciliation scheduled job is used. The connector applies filters to locate the users to be reconciled from the target system and then fetches the attribute values of these users.
    Depending on the data that you want to reconcile, you use different scheduled jobs. For example, you use the LDAP Connector User Search Reconciliation scheduled job to reconcile user data in the target resource mode. See Reconciliation Scheduled Jobs for Groups and Organizational Units Management in OID for more information about the scheduled jobs used in this mode.
1.6 Supported Connector Features Matrix
Provides the list of features supported by the AOB application and CI-based connector.
Table 1-3 Supported Connector Features Matrix

Feature | AOB Application | CI-Based Connector
---|---|---
Full reconciliation | Yes | Yes
Incremental reconciliation | Yes | Yes
Limited reconciliation | Yes | Yes
Connection pooling | Yes | Yes
Use connector server | Yes | Yes
Transformation and validation of account data | Yes | Yes
Compatibility with high-availability target system environments | Yes | Yes
SSL communication between the target system and Oracle Identity Governance | Yes | Yes
Reconcile deleted user records | Yes | Yes
Reconcile deleted groups, roles, and organizations | Yes | Yes
Test connection | Yes | No
1.7 Connector Features
The features of the connector include support for the Connector Server, support for high-availability configuration of the target system, connection pooling, reconciliation of deleted user records, support for Groovy scripts, and so on.
The following are the features of the connector:
1.7.1 Full and Incremental Reconciliation
Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Governance. In incremental reconciliation, only records that are added or modified after the last reconciliation run are fetched into Oracle Identity Governance.
After you create the application, you can perform full reconciliation to bring all existing user data from the target system into Oracle Identity Governance. After the first full reconciliation run, incremental reconciliation is automatically enabled, and only the user accounts that have been added or modified since the last reconciliation run are fetched into Oracle Identity Governance.
For more information, see Performing Full and Incremental Reconciliation.
1.7.2 Limited Reconciliation
You can set a reconciliation filter as the value of the Filter attribute of a reconciliation scheduled job. This filter specifies the subset of added and modified target system records that must be reconciled.
For more information, see Performing Limited Reconciliation.
1.7.3 Support for the Connector Server
Connector Server is one of the features provided by ICF. By using one or more connector servers, the connector architecture permits your application to communicate with externally deployed bundles.
A Java connector server is useful when you do not wish to execute a Java connector bundle in the same VM as your application. It can be beneficial to run a Java connector on a different host for performance improvements.
For information about installing, configuring, and running the Connector Server, and then installing the connector in a Connector Server, see Using an Identity Connector Server in Oracle Fusion Middleware Developing and Customizing Applications for Oracle Identity Governance.
1.7.4 Transformation and Validation of Account Data
You can configure transformation and validation of account data that is brought into or sent from Oracle Identity Governance during reconciliation and provisioning operations by writing Groovy scripts while creating your application.
For more information, see Validation and Transformation of Provisioning and Reconciliation Attributes in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
1.7.5 Support for High-Availability Configuration of the Target System
You can configure the connector for compatibility with high-availability target system environments.
The connector can read information about backup target system hosts from the Failover parameter of the Basic Configuration section and apply this information when it is unable to connect to the primary host.
For more information about the Failover parameter, see Basic Configuration Parameters for OID or Basic Configuration Parameters for OUD, ODSEE, and LDAPv3-Compliant Directory Server.
1.7.6 Reconciliation of Deleted User Records
You can use the connector to reconcile user records that are deleted on the target system into Oracle Identity Governance.
For more information about the reconciliation job used for reconciling these deleted records, see one of the following sections:
- For OID: Reconciliation Jobs for OID
- For OUD, ODSEE, or an LDAPv3-compliant directory server: Reconciliation Jobs for OUD, ODSEE, and LDAPv3-Compliant Directory Server
1.7.7 Reconciliation of Deleted Groups, Roles, and Organizations
You can use the connector to reconcile groups, roles, and organizations that are deleted on the target system into Oracle Identity Governance.
For more information about the reconciliation job used for reconciling these deleted records, see one of the following sections:
- For OID: Scheduled Jobs for Reconciliation of Deleted Groups and OUs in OID
- For OUD, ODSEE, or an LDAPv3-compliant directory server: Scheduled Jobs for Reconciliation of Deleted Groups, OUs, and Roles in OUD, ODSEE, and LDAPv3-Compliant Directory Server
1.7.8 Connection Pooling
A connection pool is a cache of objects that represent physical connections to the target. Oracle Identity Governance connectors can use these connections to communicate with target systems.
At run time, the application requests a connection from the pool. If a connection is available, then the connector uses it and then returns it to the pool. A connection returned to the pool can again be requested for and used by the connector for another operation. By enabling the reuse of connections, the connection pool helps reduce connection creation overheads like network latency, memory allocation, and authentication.
One connection pool is created for each set of basic configuration parameters that you provide while creating an application. For example, if you have three applications for three installations of the target system, then three connection pools will be created, one for each target system installation.
For more information about the connection pooling parameters, see one of the following sections:
- For OID: Advanced Settings Parameters for OID
- For OUD, ODSEE, or an LDAPv3-compliant directory server: Advanced Settings Parameters for OUD, ODSEE, and LDAPv3-Compliant Directory Server
1.7.9 Support for Running Pre and Post Action Scripts
You can run pre and post action scripts on a computer where the connector is deployed. These scripts can be of type SQL, StoredProc, or Groovy. You can configure the scripts to run before or after the create, update, or delete account provisioning operations.
For more information, see Updating the Provisioning Configuration in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.
1.7.10 Secure Communication to the Target System
To provide secure communication to the target system, SSL is required. You can configure SSL between Oracle Identity Governance and the Connector Server and between the Connector Server and the target system.
If you do not configure SSL, passwords can be transmitted over the network in clear text. For example, this problem can occur when you are creating a user or modifying a user's password.
For more information, see Configuring SSL for the Connector.
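As an added illustration (not the connector's own code), the following plain JNDI snippet shows the two cases this section describes: the same simple bind and userPassword replace that the connector performs over JNDI either cross the network readable (ldap://) or inside a TLS session (ldaps:// with java.naming.security.protocol set to ssl). Host names, ports, DNs and passwords are placeholders.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;

/** Added example (not the connector's code): JNDI simple bind plus userPassword
 *  replace, the operation 1.7.10 says leaks passwords without SSL. Placeholders only. */
public class LdapPasswordResetOverSsl {
    /** Builds the JNDI environment; useSsl=false reproduces the clear-text case. */
    static Hashtable<String, String> env(String host, int port, boolean useSsl,
                                          String bindDn, String bindPassword) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, (useSsl ? "ldaps://" : "ldap://") + host + ":" + port);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        if (useSsl) {
            // Requests TLS regardless of the URL scheme; the server certificate must
            // be trusted by the JVM truststore (javax.net.ssl.trustStore) or the bind fails.
            env.put(Context.SECURITY_PROTOCOL, "ssl");
        }
        return env;
    }

    /** Binds, replaces userPassword on one entry, and closes the connection. */
    static void resetPassword(Hashtable<String, String> env, String userDn, String newPassword)
            throws NamingException {
        DirContext ctx = new InitialDirContext(env);
        try {
            ModificationItem[] mods = {
                new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                                     new BasicAttribute("userPassword", newPassword))
            };
            ctx.modifyAttributes(userDn, mods);
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Hardened form: LDAPS on 636. The weak form is env(host, 389, false, ...):
        // the same calls succeed, but the bind and new passwords are readable on the wire.
        Hashtable<String, String> secure = env("oid.example.com", 636, true,
                "cn=BIND_DN_PLACEHOLDER", "BIND_PASSWORD_PLACEHOLDER");
        resetPassword(secure, "cn=USER_PLACEHOLDER,dc=example,dc=com", "NEW_PASSWORD_PLACEHOLDER");
    }
}
```

The Connector Server side of the SSL setup (OIG to Connector Server) is a separate configuration and is not covered by this snippet.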
1.7.11 Support for Cloning Applications and Creating Instance Applications
You can configure this connector for multiple installations of the target system by cloning applications or by creating instance applications.
When you clone an application, all the configurations of the base application are copied into the cloned application. When you create an instance application, it shares all configurations with the base application.
For more information about these configurations, see Cloning Applications and Creating Instance Applications in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.