Creating an Application By Using the Generic REST Connector

2 Creating an Application By Using the Generic REST Connector

Learn about onboarding applications using the connector.

You can onboard an application for your target system into Oracle Identity Governance from the connector package by creating a Target application or an Authoritative application. To do so, you must log in to Identity Self Service and then choose the Applications box on the Manage tab.

2.1 Prerequisites for Creating an Application

Learn about process flow for onboarding applications using the connector and the prerequisites for doing so.

2.1.1 Process Flow for Creating an Application By Using the Connector

From Oracle Identity Governance release 12.2.1.3.0 onward, connector deployment is handled using the application onboarding capability of Identity Self Service.

Figure 2-1 is a flowchart depicting high-level steps for creating an application in Oracle Identity Governance by using the connector installation package.

Figure 2-1 Overall Flow of the Process for Creating an Application By Using the Connector

This image is a flowchart that is depicting the overall flow of the process for creating an application using the connector.

2.1.2 Downloading the Connector Installation Package

You can obtain the installation package for your connector on the Oracle Technology Network (OTN) website.

To download the connector installation package:

Navigate to the OTN website at http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/connectors-101674.html.
Click OTN License Agreement and read the license agreement.
Select the Accept License Agreement option.
You must accept the license agreement before you can download the installation package.
Download and save the installation package to any directory on the computer hosting Oracle Identity Governance.
Extract the contents of the installation package to any directory on the computer hosting Oracle Identity Governance. This creates a directory named CONNECTOR_NAME-RELEASE_NUMBER.
Copy the CONNECTOR_NAME-RELEASE_NUMBER directory to the OIG_HOME/server/ConnectorDefaultDirectory directory.

2.2 Navigating to the Create Application Screen

To navigate to the Create Application screen, you must log in to Identity Self Service and then choose the Applications box on the Manage tab.

Log in to Identity Self Service either by using the System Administration account or an account with the ApplicationInstanceAdministrator admin role.
On the Applications page, click the Create menu on the toolbar, and then select one of the following options:
- Target - to create a Target application.
- Authoritative - to create an Authoritative application.

The Create Application screen with the Basic Information page is displayed.

2.3 Understanding and Updating the Basic Information

Learn about the configuration-related details that you must enter on the Basic Information page. The connector uses these details to establish a connection with the target system and while performing reconciliation or provisioning operations.

Creating an application (whether Target or Authoritative) involves providing relevant details of the application such as connectivity information, schema details, and so on. On the Basic Information page, you provide various details of application that you wish to onboard. For example, you select the connector bundle, enter the name of the application to be created, and enter connection-related parameters that the connector uses to connect Oracle Identity Governance with your target system and perform connector operations.

This following topic discuss parameters on the various sections of the Basic Information page in detail and the process for specifying values for these parameters:

2.3.1 Basic Configuration Parameters

These are the connection-related parameters that Oracle Identity Governance requires to connect to the REST-based target system.

Table 2-1 Basic Configuration Parameters

Parameter	Mandatory?	Description
authenticationType	Yes	Enter the type of authentication used by your target system. The following are the possible values for this parameter: For HTTP Basic Authentication: `basic` For OAuth 2.0 JWT: `jwt` For OAuth 2.0 Client Credentials: `client_credentials` For OAuth 2.0 Resource Owner Password: `password` For manual input of access token and refresh token: `other` For custom authentication implementation: `custom` Default value: `client_credentials` Note: If you are using a value other than the default value, client_credentials, then ensure to add the parameters corresponding to the authentication type that your target system is using.
host	Yes	Host name or IP address of the computer hosting the target system. Sample value: `www.example.com`
port	Yes	Port number at which the target system is listening. Sample value: `80`
authenticationServerUrl	No	Enter the URL of the authorization server that authenticates the client (by validating the client ID and client secret), and if valid, issues an access token. Sample value: `https://api.example.com/oauth2/token`
clientId	No	Enter the client identifier (a unique string) issued by the authorization server to the client during the registration process. Sample value: `XDWTh0r2eWuULCDVt`
clientSecret	No	Enter the value used to authenticate the identity of your client application. Sample value: `clZsdZisTOoYN5NITirarIDepDkiJTGHdzNFT0m`
Connector Server Name	No	If you have deployed the Generic REST connector in the Connector Server, then enter the name of the IT resource for the Connector Server.
proxyHost	No	Name of the proxy host used to connect to an external target system. Sample value: `www.example.com`
proxyPort	No	Proxy port number Sample value: `80`
proxyUser	No	Proxy user name of the target system user account that Oracle Identity Manager uses to connect to the target system.
proxyScheme	No
proxyPassword	No	Password of the proxy user ID of the target system user account that Oracle Identity Governance uses to connect to the target system.
sslEnabled	No	If the target system requires SSL connectivity, then set the value of this parameter to `true`. Otherwise set the value to `false`. Default value: `true`
uriPlaceHolder	No	Enter the key-value pair for replacing place holders in the relURIs. The URI place holder consists of values which are repeated in every relative URL. Values must be comma separated. For example, tenant ID and API version values are a part of every request URL. Therefore, we replace it with a key-value pair. Sample value: `"tenant_id;<domain name>","api_version;api-version=1.6"`

2.3.2 Advanced Settings Parameters

These are the configuration-related entries that the connector uses during reconciliation and provisioning operations.

Table 2-2 Advanced Settings Parameters

Parameter	Mandatory?	Description
Bundle Name	Yes	This parameter holds the name of the connector class. Default value: `org.identityconnectors.genericrest`
Bundle Version	Yes	This parameter holds the version of the connector bundle class. Default value: `12.3.0`
Connector Name	Yes	This parameter holds the name of the connector bundle package. Default value: `org.identityconnectors.genericrest.GenericRESTConnector`
relURIs	Yes	Enter the relative URLs for all operations of each object class. Enter a value for this parameter in one of the following formats: For attributes: OBJ_CLASS.OP=REL_URL For special attributes: OBJ_CLASS.ATTR_NAME.OP=REL_URL For attributes that have the same relative URL for multiple operations: OBJ_CLASS=REL_URL or OBJ_CLASS.ATTR_NAME=REL_URL If you want to filter records based on a filter criteria during reconciliation, then use $(Filter Suffix)$ . Here, replace $(Filter Suffix)$ with the filter criteria that you specify as part of the Filter Suffix attribute of the scheduled job. If you have to pass the unique ID of the user as part of endpoint URL, use $(__UID__)$ . Here, replace $(__UID__)$ with the unique ID of the user. If you have to pass any attribute other than the unique ID of the user, then represent it in one of the following formats: For a single-valued attribute: $(attr_name)$ Here, replace $(attr_name)$ with the name of the attribute in the target system. For an embedded object: $(OBJ_CLASS.ATTR_NAME)$ For example, $(__GROUP__.id)$ . End point specified in relURI's should be without a host name. Host name should be specified in basic configuration and it will be appended through the code in run time. Sample value: "__ACCOUNT__.CREATEOP=/admin/directory/v1/users","__ACCOUNT__.SEARCHOP=/admin/directory/v1/users/$(Filter Suffix)$"&page=$(PAGE_OFFSET)$&pagesize=$(PAGE_SIZE)$","__ACCOUNT__=/admin/directory/v1/users/$(__UID__)$","__GROUP__.CREATEOP=/admin/directory/v1/groups","__GROUP__=/admin/directory/v1/groups/$(__UID__)$","__GROUP__.SEARCHOP=/admin/directory/v1/groups/$(Filter Suffix)$&page=$(PAGE_OFFSET)$&pagesize=$(PAGE_SIZE)$","__ACCOUNT__.alias=/admin/directory/v1/users/$(__UID__)$/aliases","__ACCOUNT__.alias.DELETEOP=/admin/directory/v1/users/$(__UID__)$/aliases/$(alias)$","__GROUP__.alias.DELETEOP=/admin/directory/v1/groups/$(__UID__)$/aliases/$(alias)$","__ACCOUNT__.__GROUP__=/admin/directory/v1/groups/$(__GROUP__.id)$/members","__ACCOUNT__.__GROUP__.DELETEOP=/admin/directory/v1/groups/$(__GROUP__.id)$/members/$(__UID__)$","__ACCOUNT__.__GROUP__.SEARCHOP=/admin/directory/v1/groups?userKey=$(__UID__)$" Note: Depending on the target system, you can perform pagination by using either offset value or page count. Below are sample values for both options. Sample value for offset value: `"__ACCOUNT__.SEARCHOP=/admin/directory/v1/users/?$(Filter Suffix)$&pagesize=$(PAGE_SIZE)$&offset=$(PAGE_OFFSET)$"` Sample value for page count: `"__ACCOUNT__.SEARCHOP=/admin/directory/v1/users/?$(Filter Suffix)$&page=$(PAGE_INCREMENT)$&pagesize=$(PAGE_SIZE)$"` To support pagination using page size we have introduced one configurable attribute page increment as same as page offset. It should we specified in rel URI as $(PAGE_INCREMENT)$ . Page increment attribute count starts from 1 and increment by one till it reaches last page. For example,`relURI:/API/REST/2.0/system/users?page=$(PAGE_INCREMENT)$&pagesize=$(PAGE_SIZE)$` Since PAGE_SIZE is a configurable parameter, let’s consider it to be 100. Then the request URI looks as below: 1st request : /API/REST/2.0/system/users?page=1&pagesize=100 2nd request : /API/REST/2.0/system/users?page=2&pagesize=100 3rd request : /API/REST/2.0/system/users?page=3&pagesize=100 4th request : /API/REST/2.0/system/users?page=4&pagesize=100 and so on Here every page has 100 users and it continues to bring the data till the last page. If the target system has 1000 accounts, then 10 calls will be triggered. To support pagination using OFFSET Is configurable attribute page offset. It should we specified in rel URI as $(PAGE_OFFSET)$ . Page offset attribute count starts from 0 and increment by page size till it reaches last page. For example, `relURI:/API/REST/2.0/system/users?page=$(PAGE_OFFSET)$&pagesize=$(PAGE_SIZE)$` Since PAGE_SIZE is a configurable parameter, let’s consider it to be 100. Then the request URI looks as below: 1st request : /API/REST/2.0/system/users?offset=0&pagesize=100 2nd request : /API/REST/2.0/system/users?offset=101&pagesize=100 3rd request : /API/REST/2.0/system/users?offset=201&pagesize=100 4th request : /API/REST/2.0/system/users?offset=301&pagesize=100 and so on Here every page has 100 users and it continues to bring the data till the last page. If the target system has 1000 accounts, then 10 calls will be triggered.
opTypes	No	Enter the HTTP operation type for each object class that is to be managed by the connector. Values must be comma separated and in the following format: `“OBJ_CLASS.OPERATION=HTTP_OPERATION”` In this format, OBJ_CLASS is the connector object class, OPERATION is the connector operation (for example, CreateOp, UpdateOp, or SearchOp), and HTTP_OPERATION is the HTTP operation (for example, GET, PUT, or POST). Sample value: `"__ACCOUNT__.CREATEOP=POST","__ACCOUNT__.DELETEOP=DELETE","__GROUP__.CREATEOP=POST","__ACCOUNT__.alias.CREATEOP=POST","__ACCOUNT__.alias.UPDATEOP=POST","__ACCOUNT__.alias.DELETEOP=DELETE","__GROUP__.alias.CREATEOP=POST","__GROUP__.alias.UPDATEOP=POST","__GROUP__.alias.DELETEOP=DELETE","__ACCOUNT__.__GROUP__.CREATEOP=POST","__ACCOUNT__.__GROUP__.UPDATEOP=POST","__ACCOUNT__.__GROUP__.DELETEOP=DELETE"`
nameAttributes	Yes	Enter the name attribute for all object classes that are handled by the connector. This value specifies the mapping between the _NAME_ connector attribute and the corresponding target system attribute for each object class that the connector handles. Format: `OBJ_CLASS.ATTR_NAME` Sample value: `"__ACCOUNT__.userName"` Note: All values in this parameter must be comma separated.
uidAttributes	Yes	Enter the __UID__ attribute for each object class that the connector handles. A __UID__ attribute is a target system attribute that uniquely identifies an account in the target system. This target system attribute name must be unique and need not be autogenerated. Format: `OBJ_CLASS.ATTR_NAME` Sample value: `"__ACCOUNT__.id"` In this format, OBJ_CLASS is the connector object class and ATTR_NAME is the name of the attribute that uniquely identifies an account in the target system. Note: All values in this parameter must be comma separated.
statusAttributes	No	Enter the name of the target system attribute that holds the status for each object class this connector handles. Format: `OBJ_CLASS.ATTR_NAME` Sample value: `"__ACCOUNT__.suspended"` Note: All values in this parameter must be comma separated.
passwordAttribute	No	Enter the name of the target system attribute that is mapped to the __PASSWORD__ attribute of the connector in OIM.
pageSize	No	The number of resources/users that appears on a page for a search operation. Deafult value: 100
pageTokenAttribute	No	The attribute in response payload that denotes the next page token. Deafult value: `odata.nextLink`
pageTokenRegex	No	This attribute is used in the URL while reconciliation to support pagination. Deafult value: `(?<=skiptoken=).*`
Any Incremental Recon Attribute Type	No	By default, during incremental reconciliation, Oracle Identity Governance accepts timestamp information sent from the target system only in Long datatype format. Setting the value of this parameter to `True` indicates that Oracle Identity Governance will accept timestamp information in any datatype format. Deafult value: `True`
jsonResourcesTag	Yes, if you are implementing custom parsers	Enter the JSON tag value that is used for parsing a response payload. The connector will consider the value that you enter in this parameter as an unwanted outer tag while parsing responses. You can skip entering a value for this parameter if there is no unwanted outer tag in your response payload. Enter a value for this parameter in the following format: OBJ_CLASS=OUTER_ATTR_NAME In this format, OBJ_CLASS is the name of the object class for which a response payload is being parsed. OUTER_ATTR_NAME is the name of the outer tag in the response payload. For example, consider the following JSON value for a User object: `"Resources":"{ "user1":"{value1}", "user2":"{value2}" }` Because the name of the object class for a User object is __ACCOUNT__, for the given example, the value of the jsonResourcesTag parameter is `__ACCOUNT__=Resources`. Note: You must enter a value for this parameter only if the data from your target system is in JSON format. For more than one JSON tag, the values must be comma separated.
httpHeaderContentType	Yes	This parameter holds the content type expected by the target system in the header. Default value: `application/json`.
httpHeaderAccept	Yes	This parameter holds the accept type expected by the target system in the header. Default value: `application/json`.
specialAttributeTargetFormat	No	Enter the format in which a special attribute is present in the target system. Attributes in an object class that can be managed only through a separate rest endpoint rather than the same endpoint of the base object class are referred to as special attributes. Format: `OBJ_CLASS.ATTR_NAME= TARGET_FORMAT` In this example, TARGET_FORMAT is the format in the format of the special attribute in the target system. For example, consider the following target endpoint value: `{ "kind": "admin#directory#aliases", "etag": etag, "aliases": [ "kind": "admin#directory#alias", "id": string, "etag": etag, "primaryEmail": string, "alias": string ] }` In this example, the alias attribute is present as aliases.alias in the target system endpoint. Therefore, you must set the value of this parameter to `__ACCOUNT__.alias=aliases.alias`. Sample value: `"__ACCOUNT__.alias=aliases.alias","__GROUP__.alias=aliases.alias","__ACCOUNT__.__GROUP__=groups"`
specialAttributeHandling	No	Enter the list of special attributes whose values must be sent to the target system in separate calls, one at a time. If you do not specify a value for this parameter, then the connector will send all values for a given special attribute in a single call. Format: `OBJ_CLASS.ATTR_NAME.OP=SINGLE` Note: All values in this parameter must be comma separated. Sample value: `"__ACCOUNT__.alias.CREATEOP=SINGLE","__GROUP__.alias.CREATEOP=SINGLE","__ACCOUNT__.alias.UPDATEOP=SINGLE","__GROUP__.alias.UPDATEOP=SINGLE","__ACCOUNT__.__GROUP__.CREATEOP=SINGLE","__ACCOUNT__.__GROUP__.UPDATEOP=SINGLE"`
customPayload	No	Enter a comma-separated list of request payload formats for target system attributes that do not adhere to the standard JSON format. Format: `OBJ_CLASS.ATTRNAME.OP=PAYLOAD_FORMAT` Note: If you must pass the unique ID or Name attribute of the user as part of a custom payload, then represent it as $(__UID__)$ or $(__NAME__)$ respectively" Sample value: `"__ACCOUNT__.__GROUP__.UPDATEOP={ \"user\": { \"id\": \"$(__UID__)$\"}, \"group\": { \"id\": \"$(id)$\" } }"`
targetObjectIdentifier	No	Enter the name of the attribute used for identifying the required target object during reconciliation. Format: `OBJ_CLASS.ATTR_NAME=TARGET_OBJ_ATTR_NAME;VAL`
statusEnableValue	No	This entry holds the name attribute for all target values indicating the status as `enabled`.
statusDisableValue	No	This entry holds the name attribute for all target values indicating the status as `disabled`.

2.3.3 Authentication Parameters

Authentication parameters are used by the target system to authenticate an application. The set of parameters for which you must specify values depends on the value that you enter for the authenticationType parameter of the Basic Configuration section.

The authenticationType parameter holds the type of authentication used by your target system. The connector supports the following types of authentication:

HTTP Basic Authentication
OAuth 2.0 JWT
OAuth 2.0 Client Credentials
OAuth 2.0 Resource Owner Password
Manually input access token

If your target system uses an authentication type other than the ones listed above, then you must write your own implementation which requires development effort. By default, the UI includes parameters for the OAuth 2.0 Client Credentials authentication type. For any other authentication type, you must create and add the corresponding parameters in the Advanced Settings section.

The following are the possible values for the authenticationType parameter:

For HTTP Basic Authentication: basic
For OAuth 2.0 JWT: jwt
For OAuth 2.0 Client Credentials: client_credentials
For OAuth 2.0 Resource Owner Password: password
For manual input of access token: other
For custom authentication implementation: custom

Note:

This section provides information about parameters for all authentication types. Enter values only for parameters corresponding to the authentication type you specify.

HTTP Basic Authentication

Table 2-3 lists the set of parameters for which you must enter values when the authenticationType parameter is set to basic.

Table 2-3 HTTP Basic Authentication Parameters

Parameter Description

Parameter	Description
username	Enter the user name or user ID of the account that Oracle Identity Governance must use to connect to and access the target system during reconciliation and provisioning operations. Sample value: `johnsmith`
password	Enter the password of the account that Oracle Identity Governance must use to connect to and access the target system during reconciliation and provisioning operations. Sample value: `password`

username

Enter the user name or user ID of the account that Oracle Identity Governance must use to connect to and access the target system during reconciliation and provisioning operations.

Sample value: johnsmith

password

Enter the password of the account that Oracle Identity Governance must use to connect to and access the target system during reconciliation and provisioning operations.

Sample value: password

OAuth 2.0 JWT

Table 2-4 lists the set of parameters for which you must enter values when the authenticationType parameter is set to jwt.

Table 2-4 OAuth 2.0 JWT Parameters

Parameter	Description
aud	Enter the intended audience of the JWT. The value can either be a URI or token endpoint URL of the authorization server. Sample value: `https://www.example.com/oauth2/v3/token`
iss	Enter a value that uniquely identifies the entity that issued the JWT. Sample value: `527901474-ugnvd5uh21p598cf9h6cd@developer.example.com`
scope	Enter the scope of the access token being issued. Sample value: `https://www.example.com/auth/adm.direct.group`, `https://www.example.com/auth/adm.direct.user`
sub	Enter a value that identifies the principal to which the JWT is being issued. Sample value: `admin@example.com`
privateKeyLocation	Enter the absolute path to the private key used to sign the access token. Sample value: `C:\Users\jdoe\Desktop\Connector_Server_111210\connector_server_java-1.4.0\bundles\googleapps.p12`
privateKeySecret	Enter the secret key for the private key that is being used to sign the access token.
tokenLifespan	Enter the life span of the access token in milliseconds. Sample value: `3600`
signatureAlgorithm	Enter the algorithm used for signing the access token. Sample value: `RS265`
privateKeyFormat	Enter the format of the private key used to sign the access token. Sample value: `PKCS12`

OAuth 2.0 Client Credentials

Table 2-5 lists the set of parameters for which you must enter values when the authenticationType parameter is set to client_credentials.

Note:

B default, these parameters are available in the Basic Configuration section. Therefore, there is no need to add them manually.

Table 2-5 OAuth2.0 Client Credentials Parameters

Parameter Description

Parameter	Description
clientId	Enter the client identifier (a unique string) issued by the authorization server to the client during the registration process. Sample value: `XDWTh0r2eWuULCDVt`
clientSecret	Enter the value used to authenticate the identity of your client application. Sample value: `clZsdZisTOoYN5NITirarIDepDkiJTGHdzNFT0m`
authenticationServerURL	Enter the URL of the authorization server that authenticates the client (by validating the client ID and client secret), and if valid, issues an access token. Sample value: `https://api.example.com/oauth2/token`

clientId

Enter the client identifier (a unique string) issued by the authorization server to the client during the registration process.

Sample value: XDWTh0r2eWuULCDVt

clientSecret

Enter the value used to authenticate the identity of your client application.

Sample value: clZsdZisTOoYN5NITirarIDepDkiJTGHdzNFT0m

authenticationServerURL

Enter the URL of the authorization server that authenticates the client (by validating the client ID and client secret), and if valid, issues an access token.

Sample value: https://api.example.com/oauth2/token

OAuth 2.0 Resource Owner Password

Table 2-6 lists the set of parameters for which you must enter values when the authenticationType parameter is set to password.

Table 2-6 OAuth 2.0 Resource Owner Password Parameters

Parameter	Description
username	Enter the user name or user ID of the resource owner. Sample value: `johnsmith`
password	Enter the password of the resource owner. Sample value: `password`
clientId	Enter the client identifier issued to the client during the registration process. Sample value: `XDWTh0r2eWuULCDVt` Note: This is an optional parameter.
clientSecret	Enter the client secret used to authenticate the identity of the client application. Sample value: `clZsdZisTOoYN5NITirarIDepDkiJTGHdzNFT0m` Note: This is an optional parameter.
authenticationServerUrl	Enter the URL of the authorization server (token endpoint) that authenticates the client (by validating client ID and client secret) and the resource owner credentials, if valid, issues an access token. Sample value: `https://api.example.com/oauth2/token`

Manual Input of Access Tokens

This section discusses the parameter for which you must enter a value when the authenticationType parameter is set to other.

In this authentication mechanism, the connector expects the value of the access token to be directly passed through the customAuthHeaders parameter. The customAuthHeaders parameter must hold the access token value that must be passed through an HTTP authorization header, for example, access_token=<value>.

Custom Authentication

This section discusses the parameter for which you must enter a value when the authenticationType parameter is set to custom.

If you have implemented custom authentication, then you must enter a value for the customAuthClassName parameter. The customAuthClassName parameter must hold the name of the class implementing the custom authentication logic that you created while performing the procedure described in Implementing Custom Authentication.

2.3.4 Providing Basic Information

You must provide configuration-related details on the Basic Information page. The connector uses these details while performing reconciliation.

On the Basic Information page, you provide the application details and configuration info that the connector uses during reconciliation. Depending on the authentication type that your target system uses, you may need to manually add the corresponding attributes for providing authentication details.

On the Basic Information page, ensure that the Connector Package option is selected.
From the Select Bundle drop-down list, select Generic REST Connector 12.2.1.3.0.
Enter the Application Name, Display Name, and Description for the application.
In the Basic Configuration section, enter values for parameters as required. If you set the value of the authenticationType parameter to a value other than the default value (client_credentials), then you must add and enter values for the corresponding authentication attributes in the Advanced Settings section. For example, if you set the value of the authenticationType parameter to basic (for basic HTTP authentication), then this type of authentication requires a username and password. As there are no such attributes available in the UI, you must manually add them as follows:
1. In the Advanced Settings section, click Add Attribute.
2. In the New Attribute dialog box, enter values for the Name and Value fields. Optionally, enter a value for the Display Name field.
  For example, in the Name field, enter username as the attribute name. In the Value field, enter jdoe.
3. Click OK.
  The attribute is displayed under the Custom section.
4. Repeat Steps 4.a through 4.c for each attribute that you need to add for your authentication type.
In the Advanced Settings section, enter values for the parameters as required.
Click Next to proceed to the Schema page.

2.4 Understanding and Updating the Schema Page

Use the Schema page to add or update attributes to help the connector understand the underlying structure of your target system.

2.4.1 Understanding the Schema Page for a Target Application

The Schema page for a Target application displays the default schema that maps Oracle Identity Governance attributes with corresponding target system attributes. The connector uses these mappings during reconciliation and provisioning operations.

The table under the REST User section displays a basic set of user-specific attribute mappings between Oracle Identity Governance and the target system. The table also lists the data type for a given attribute and specifies whether it is mandatory for reconciliation and whether it is a matching key field for fetching records during reconciliation. By default, the Schema page displays mappings for the __UID__, __NAME__, and __ENABLE__ connector attributes with the corresponding Oracle Identity Governance attributes. If required, you can edit the default attribute mappings.

The Schema page also provides a child form for the Group object class by default. Similar to the table in the REST User section, you can use this table to specify Group attribute mappings, data type for a given attribute, whether it is a key field for reconciliation, and so on. You can

As the connector is unaware of the target system schema, you must manually add and map your target system attributes with corresponding Oracle Identity Governance attributes. as described in Creating a Target Application of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

2.4.2 Understanding the Schema Page for an Authoritative Application

The Schema page for an Authoritative application displays the default schema that maps Oracle Identity Governance attributes with corresponding target system attributes. The connector uses these mappings during reconciliation runs.

The table under the REST Trusted section displays a basic set of user-specific attribute mappings between Oracle Identity Governance and the target system. The table also lists the data type for a given attribute and specifies whether it is mandatory for reconciliation and whether it is a matching key field for fetching records during reconciliation. By default, the Schema page displays mappings for the __UID__, __NAME__, and __ENABLE__ connector attributes with the corresponding Oracle Identity Governance attributes. If required, you can edit the default attribute mappings.

The schema page lists the default set of user-specific attribute mappings between the reconciliation fields in Oracle Identity Governance and target system attributes. The table also lists the data type for a given attribute and specifies whether it is a mandatory attribute for reconciliation.

If required, you can edit these attributes mappings by adding new attributes or deleting existing attributes on the Schema page as described in Creating an Authoritative Application in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

The Organization Name, Xellerate Type, and Role identity attributes are mandatory fields on the OIG User form that cannot be left blank during reconciliation. As your target system might not contain corresponding attributes for the Organization Name, Xellerate Type, and Role identity attributes, they have been mapped to attributes in Oracle identity Governance. In addition, the connector provides default values (as listed in the “Default Value for Identity Display Name” column of Table 2-7) that it can use during reconciliation. For example, the default target attribute value for the Organization Name attribute is Xellerate Users. This implies that the connector reconciles all target system user accounts into the Xellerate Users organization in Oracle Identity Governance. Similarly, the default attribute value for Xellerate Type attribute is End-User, which implies that all reconciled user records are marked as end users.

Table 2-7 REST Trusted User Account Schema Attributes for an Authoritative Application

Identity Display Name	Target Attribute	Data Type	Mandatory Reconciliation Property?	Recon Field?	Default Value for Identity Display Name
User Login	__NAME__	String	No	Yes	NA
REST User GUID	__UID__	String	No	Yes	NA
Status	__ENABLE__	String	No	Yes	NA
Last Name		String	No	Yes	NA
Xellerate Type		String	No	Yes	End-User
Role		String	No	Yes	Full-Time
Organization Name		String	No	Yes	Xellerate Users

The following is EloquaAppsUserSchema.properties, a sample schema file propery used in the Eloqua target system:

#Schema file for Eloqua
#List of fields
FieldNames=id,login,name,firstName,Active,lastName,senderDisplayName,emailAddress

#Unique ID Attribute
UidAttribute=id
#Account Name attribute
NameAttribute=login

#Account Status Attribute and Mapping
StatusAttribute=Active
Active.True=Enabled
Active.False=Disabled

The following is GenericRestConfiguration.groovy, a sample groovy file:

/*
 * Run like:
 * In Windows: GenericRestGenerator.cmd ..\resources\GenericRestConfiguration.groovy trusted
 * In Linux/Unix: sh GenericRestGenerator.sh ../resources/GenericRestConfiguration.groovy trusted
 */
trusted {
    /* 
     * ITResource name
     */
    itResourceDefName='resttrust2' // This will be used as a base name for all metadata across the connector
    //  itResourceName="$itResourceDefName" //the same as itResourceDefName by default

    /*
     * Output files
     */
    //  connectorDir="../$itResourceDefName"                    // output dir of the connector, is the same as it resource name by default
    //  xmlFile='GenericRest-ConnectorConfig.xml'               // name of the dm xml of the connector
    //  configFile='GenericRest-CI.xml'                         // name of the config xml
    //  propertiesFile='GenericRest-generator.properties'       // name of the resources/properties file
    //  version='11.1.1.6.0'                                    // connector version


    /*
     * Trusted/Target mode
     * For trusted, we will not create forms, dataobjects and event handlers
     * For target, we will create all above metadata
     */
    trusted=true                                                // Flag to denote if the mode is trusted or not

    /*
     * Location of the generic rest bundle jar
     */
    bundleJar='../lib/org.identityconnectors.genericrest-12.3.0.jar'

    /*
     * The Configuration used to run the generic rest bundle mentioned above, get the schema from below mentioned schemaFile, which is required for generating metadata 
     */
    config = [
  		'schemaFile' : '../schema/EloquaAppsUserSchema.properties',
		'authenticationType' : '',
		'username' : '',
		'password' : '',
		'host' : '',
		'port' : '',
		'proxyHost' : '',
		'proxyPort' : '',
		'proxyUser' : '',
		'proxyPassword' : '',
		'sslEnabled' : '',
		'relURIs' : '',
		'nameAttributes' : '',
		'uidAttributes' : '',
		'opTypes' : '',
		'jsonResourcesTag' : '',
		'httpHeaderContentType' : '',
		'httpHeaderAccept' : '',
		'customPayload' : '',
		'statusAttributes' : '',
		'specialAttributeTargetFormat' : '',
		'specialAttributeHandling' : '',
		'statusEnableValue' : '',
		'statusDisableValue' : '',
		'passwordAttribute' : ''
    ]

    
    /**
      *  Provide the attribute list that need to be handled as Date on process form
      *  Make sure these fields datatype in schema should be long
      *  dateAttributeList is not a mandatory field
      **/

    //dateAttributeList = ["JoiningDate"]


    /**
     *   Alias are used to map the OIM User Form attributes with the Connector Attributes. 
     *   The Format is of 'Connector Attribute':'OIM User Form Attribute'
     *   Mandatory alias shouldn't be removed. Customer can update these mandatory attributes but should not be removed
     *   Customer can add other aliases to the OIM User form fields
     **/
    // Mapping is mandatory for attributes User Login, Last Name,Organization, Xellerate Type and Role. One can modify the required mappings but shouldn't delete them. 
    //UID field is not required in trusted but if customer wanted to add UID field then one can map it to a valid OIM User Form Label
    alias = ['__NAME__':'User Login', 'lastName':'Last Name','Organization':'Organization Name', 'Employee Type':'Xellerate Type', 'Role':'Role']
    //Extend the aliases to include more connector attributes for trusted by mapping
    alias += ['__ENABLE__':'Status', 'emailAddress':'Email']
}


/*
 * Run like:
 * In Windows: GenericRestGenerator.cmd ..\resources\GenericRestConfiguration.groovy target
 * In Linux/Unix: sh GenericRestGenerator.sh ../resources/GenericRestConfiguration.groovy target
 */
target {
    /*
     * ITResource name
     */
    itResourceDefName='restci2' // This will be used as a base name for all metadata across the connector
    //  itResourceName="$itResourceDefName" //the same as itResourceDefName by default

    /**
     * Give the name of the Application Instance that need to be generated. By default Application Instance name is taken as itResourceDefName
     * Application Instance is not a mandatory field
     **/
    //applicationInstanceName="$itResourceDefName"

    /*
     * Output files
     */
    //  connectorDir="../$itResourceDefName"                    // output dir of the connector, is the same as it resource name by default
    //  xmlFile='GenericRest-ConnectorConfig.xml'         	// name of the dm xml of the connector
    //  configFile='GenericRest-CI.xml'                   	// name of the config xml
    //  propertiesFile='GenericRest-generator.properties'   	// name of the resources/properties file
    //  version='11.1.1.6.0'                                    // connector version

    /*
     * Location of the generic rest bundle jar
     */
    bundleJar='../lib/org.identityconnectors.genericrest-12.3.0.jar'

    /*
     * The Configuration used to run the generic rest bundle mentioned above, and get the schema from the below mentioned schemaFile, which is required for generating metadata
     */
    config = [
  		'schemaFile' : '../schema/GoogleAppsUserSchema.properties',
		'authenticationType' : '',
		'username' : '',
		'password' : '',
		'host' : '',
		'port' : '',
		'proxyHost' : '',
		'proxyPort' : '',
		'proxyUser' : '',
		'proxyPassword' : '',
		'sslEnabled' : '',
		'relURIs' : '',
		'nameAttributes' : '',
		'uidAttributes' : '',
		'opTypes' : '',
		'jsonResourcesTag' : '',
		'httpHeaderContentType' : '',
		'httpHeaderAccept' : '',
		'customPayload' : '',
		'statusAttributes' : '',
		'specialAttributeTargetFormat' : '',
		'specialAttributeHandling' : '',
		'statusEnableValue' : '',
		'statusDisableValue' : '',
		'passwordAttribute' : ''
    ]

    /**
      *  Lookup List is the list of attributes for which we need to create lookups and map those fields as lookup in form. 
      *  For Main Process Form Fields and a Multivalued field the format is 
      *     	lookupAttributeList=["FieldName"]
      *  For Embedded Multi Valued field the format is
      *		lookupAttributeList=["ObjectClassName.SubFieldName"]
      *  lookups will be generated with the FieldNames in format Lookup.${ITResource}.${FieldName}
      *
      *  lookupList is not a mandatory field
      */	
	
     //lookupAttributeList=['Currency']

     /* entitlementAttributeList is the list of fully Qualified field names to which entitlements need to be tagged. 
      * If you require entitlements for a multi valued attribute which is embedded then the format should be as 
      *		entitlementAttributeList=["${ObjectClass}.SubFieldName"]
      *	If the attribute is just a MultiValued then the format is
      *		entitlementAttributeList=["MultiValuedFieldName"]
      *
      * entitlementAttributeList is not a mandatory attribute
      */
    
       entitlementAttributeList=['__GROUPS__.id']

    /**
      *  Provide the attribute list that need to be handled as Date on process form
      *  Make sure these fields datatype in schema should be long
      *  dateAttributeList is not a mandatory field
      **/

     //dateAttributeList = ["JoiningDate"]

    /*
     * Target attribute to user fields alias
     */
    //Mandatory alias
    alias = ['__UID__':'id', '__NAME__':'login']
    //Optional aliases if any (Can also be used to give short names for lengthy attribute names)
    //alias += ['Generic Rest Target':'GENREST', 'Family Name':'Last name']

    /*
     * Generate prepopulate adapters
     */
    prepopulate = ['__UID__':'User Login']
}

2.4.3 Updating the Schema Page

Update the Schema page to review and update the attribute mappings between Oracle Identity Governance and target system.

To update the schema:

On the Schema page, review the default mapping provided by the connector.
If you are creating a Target application, then:
1. In the REST User section, click Add Attribute to add a new row and enter a target system user-specific attribute and its mapping with the corresponding Oracle Identity Governance attribute. Then, select the checkboxes for the Mandatory, Provision Field, Recon Field, Key Field, and Case Insensitive fields to specify the provisioning and reconciliation properties for the newly added user-specific attribute as required.
  For example, if you are using Eloqua as the target system, and you want to add the emailAddress attribute, then click Add Attribute. In the newly added row, enter Email and emailAddress in the Display Name and Target Attribute columns, respectively. Then select the Provision Field, Recon Field, and Key Field checkboxes.
2. Repeat Step 2.a for add all the user-specific attribute mappings.
3. Expand the Groups section, and review the default child form details.
4. If your target system uses Groups as a child form, then update the table to match the attributes in your target system. Otherwise, delete the child form by clicking Delete Form.
5. (Optional) Click Add Child Form and enter the required details to add any other child forms that your target system uses. For example, if you are using Eloqua as the target system, then add a child form for Licenses.
6. If you
If you are creating an Authoritative application, then for the Last Name attribute in the Identity Display Name column, enter the corresponding target system attribute name in the Target Attribute column. Then, specify the reconciliation properties in columns such as Mandatory, Recon Field, and so on. Repeat this for any other attributes that you need to update. If required, add new attributes by clicking Add Attribute.
Click Next to proceed to the Settings page.

2.5 Updating Settings

Review the default provisioning and reconciliation settings for the application being created, and customize it if required.

2.5.1 Correlation Rules, Responses, and Situations

Learn about the predefined rules, responses and situations for Target and Authoritative applications. The connector uses these rules and responses for performing reconciliation.

2.5.1.1 Correlation Rules, Responses, and Situations for a Target Application

When you create a Target application, the connector uses correlation rules to determine the identity to which Oracle Identity Governance must assign a resource.

Predefined Identity Correlation Rules

By default, the Generic REST connector provides a simple correlation rule when you create a Target application. The connector uses this correlation rule to compare the entries in Oracle Identity Governance repository and the target system repository, determine the difference between the two repositories, and apply the latest changes to Oracle Identity Governance.

Table 2-8 lists the default simple correlation rule for a REST-based target system. If required, you can edit the default correlation rule or add new rules. You can create complex correlation rules also. For more information about adding or editing simple or complex correlation rules, see Updating Identity Correlation Rule in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 2-8 Predefined Identity Correlation Rule for a Target Application

Target Attribute	Element Operator	Identity Attribute	Case Sensitive?
__NAME__	Equals	User Login	No

In this identity rule:

__NAME__ is a single-valued attribute on the target system that identifies the user account.
User Login is the field on the OIM User form.

Predefined Situations and Responses

The connector provides a default set of situations and responses when you create a Target application. These situations and responses specify the action that Oracle Identity Governance must take based on the result of a reconciliation event.

Table 2-9 lists the default situations and responses for this connector. If required, you can edit these default situations and responses or add new ones. For more information about adding or editing situations and responses, see Updating Situations and Responses in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 2-9 Predefined Situations and Responses for a Target Application

Situation	Response
No Matches Found	None
One Entity Match Found	Establish Link
One Process Match Found	Establish Link

2.5.1.2 Correlation Rules, Responses, and Situations for an Authoritative Application

When you create an Authoritative application, the connector uses correlation rules to determine the identity that must be reconciled into Oracle Identity Governance.

Predefined Identity Correlation Rules

By default, the Generic REST connector provides a simple correlation rule when you create an Authoritative application. The connector uses this correlation rule to compare the entries in Oracle Identity Governance repository and the target system repository, determine the difference between the two repositories, and apply the latest changes to Oracle Identity Governance.

Table 2-10 lists the default simple correlation rule for an authoritative application. If required, you can edit the default correlation rule or add new rules. You can create complex correlation rules also. For more information about adding or editing simple or complex correlation rules, see Updating Identity Correlation Rule in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 2-10 Predefined Identity Correlation Rule for an Authoritative Application

Target Attribute	Element Operator	Identity Attribute	Case Sensitive?
__UID__	Equals	REST User GUID	No
__NAME__	Equals	User Login	No

The identity correlation rule for an Authoritative application is as follows:

(__UID__ Equals REST User GUID) OR (__NAME__ Equals User Login)

In the first identity rule component:

__UID__ is an attribute on the target system that uniquely identifies the user account.
REST User GUID is the unique identifier of the resource assigned to the OIG User.

In the second identity rule component:

__NAME__ is a single-valued attribute on the target system that identifies the user account.
User Login is the field on the OIG User form.

Both the rule components are joined using the OR logical operator.

Predefined Situations and Responses

The connector provides a default set of situations and responses when you create an Authoritative application. These situations and responses specify the action that Oracle Identity Governance must take based on the result of a reconciliation event.

Table 2-11 lists the default situations and responses for an authoritative application. If required, you can edit these default situations and responses or add new ones. For more information about adding or editing situations and responses, see Updating Situations and Responses in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 2-11 Predefined Situations and Responses for an Authoritative Application

Situation	Response
No Matches Found	Create User
One Entity Match Found	Establish Link
One Process Match Found	Establish Link

2.5.2 Reconciliation Jobs

Apart from reviewing the provisioning, reconciliation, and organization settings for your application and customizing them if required, you must specify values for the mandatory parameters of the reconciliation jobs.

The Settings page provides a preview of all settings related to provisioning, reconciliation, and organizations. You can review these settings and customize them if required. On the Reconciliation tab of the Settings page, expand the Reconciliation Jobs section to view the reconciliation jobs that the connector automatically creates after you create a Target or an Authoritative application. At this point, you can delete any reconciliation job that you do not want to use. If required, you can also edit the reconciliation jobs or create custom reconciliation jobs to meet your requirements. For information about editing these predefined jobs or creating new ones, see Updating Reconciliation Jobs in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Note:

Ensure that you enter values for the mandatory parameters (marked by the asterisk (*) symbol) of all the reconciliation jobs and then click Apply.

By default, jobs for user, delete user, and entitlement reconciliation are available for use after you create your application.

User Reconciliation Jobs

The following reconciliation jobs are available for reconciling user data:

REST Application Target User Reconciliation: Use this reconciliation job to reconcile user data from a Target application.
REST Application Trusted User Reconciliation: Use this reconciliation job to reconcile user data from an Authoritative application.

The parameters for both these jobs are the same.

Table 2-12 Parameters of the User Reconciliation Jobs

Parameter	Description
Application Name	Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your application. Do not modify this value.
Filter	Enter the expression for filtering records that the scheduled job must reconcile. Sample value: `search=loginName=<uid_name>`
Incremental Recon Attribute	Name of the target system attribute that holds the timestamp at which the user record was modified.
Object Type	Type of object you want to reconcile. Default value: `User`
Latest Token	The parameter holds the value of the target system attribute that is specified as the value of the Incremental Recon Attribute parameter. The Latest Token parameter is used for internal purposes. By default, this value is empty. Note: Do not enter a value for this attribute. The reconciliation engine automatically enters a value in this attribute.
Scheduled Task Name	Name of the scheduled job. Note: For the scheduled job included with this connector, you must not change the value of this attribute. However, if you create a new job or create a copy of the job, then enter the unique name for that scheduled job as the value of this attribute.

Delete User Reconciliation Jobs

The following reconciliation jobs are available for reconciling data about deleted user accounts:

REST Application Target User Delete Reconciliation: Use this reconciliation job to reconcile data about deleted user accounts from a Target application.
REST Application Trusted User Delete Reconciliation: Use this reconciliation job to reconcile data about deleted user accounts from an Authoritative application.

The parameters for both these jobs are the same.

Table 2-13 Parameters of the Delete User Reconciliation Jobs

Parameter Description

Application Name

Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application.

Do not modify this value.

Object Type

Type of object you want to reconcile.

Default value: User

Scheduled Task Name

Name of the scheduled job.

Note: For the scheduled job included with this connector, you must not change the value of this attribute. However, if you create a new job or create a copy of the job, then enter the unique name for that scheduled job as the value of this attribute.

Reconciliation Jobs for Entitlements

Depending on the child forms (of Lookup type) that you use or added on the Schema page, the corresponding reconciliation jobs for entitlements are displayed. For example, if you use the Groups child form on the Schema page, then the REST Application Group Lookup Reconciliation job is available for reconciling entitlements.

These reconciliation jobs are available only for a Target application. The parameters for all such reconciliation jobs are the same.

Table 2-14 Parameters of the Reconciliation Jobs for Entitlements

Parameter	Description
Application Name	Name of the application you created for your target system. This value is the same as the value that you provided for the Application Name field while creating your target application. Do not modify this value.
Lookup Name	This parameter holds the name of the lookup definition that maps each lookup definition with the data source from which values must be fetched. Depending on the reconciliation job you are using, the default values is as follows: `Lookup.GenericREST.`ENTITLEMENT_NAME For example, for the Groups entitlement job, the default value is `Lookup.GenericREST.Groups`.
Object Type	Enter the type of object whose values must be synchronized. For example, for reconciling Groups entitlement, enter `__GROUPS__`. Note: Do not change the value of this attribute.
Code Key Attribute	Enter the name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). Default value: `__NAME__` Note: Do not change the value of this attribute.
Decode Attribute	Enter the name of the connector or target system attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute). Default value: `__NAME__`