3 Using the RSA Authentication Manager Connector
3.1 Performing First-Time Reconciliation
First-time reconciliation involves synchronizing lookup definitions in Oracle Identity Manager with the lookup fields of the target system, and performing full reconciliation. In full reconciliation, all existing user records from the target system are brought into Oracle Identity Manager.
The following is the sequence of steps involved in reconciling all existing user records:
- Perform lookup field synchronization by running the scheduled jobs provided for this operation.
- Perform user and token reconciliation by running the scheduled jobs for user and token reconciliation.
After first-time reconciliation, the Last Execution Timestamp attribute of the scheduled job is automatically set to the time stamp at which the reconciliation run began.
From the next reconciliation run onward, only target system user records that are added or modified after the time stamp stored in the scheduled job are considered for incremental reconciliation. These records are brought to Oracle Identity Manager when you configure and run the user reconciliation scheduled job.
3.2 Scheduled Job for Lookup Field Synchronization
The following scheduled jobs are used for lookup field synchronization:
- RSAAM TokenSerial Lookup Reconciliation
- RSAAM SecurityDomain Lookup Reconciliation
- RSAAM RadiusProfile Lookup Reconciliation
- RSAAM IdentitySource Lookup Reconciliation
- RSAAM UserGroup Lookup Reconciliation
- RSAAM AdminRole Lookup Reconciliation
You must specify values for the attributes of these scheduled jobs. Table 3-1 describes the attributes of these scheduled jobs. See Scheduled Jobs for the procedure to configure scheduled jobs.
Table 3-1 Attributes of the Scheduled Jobs for Lookup Field Synchronization
Attribute | Description |
---|---|
Code Key Attribute | Name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition (specified as the value of the Lookup Name attribute). Default value: Note: Do not change the value of this attribute. |
Decode Attribute | Name of the connector or target system attribute that is used to populate the Decode column of the lookup definition (specified as the value of the Lookup Name attribute). Default value: Note: Do not change the value of this attribute. |
IT Resource Name | Enter the name of the IT resource for the target system installation from which you want to reconcile user records. Default value: |
Lookup Name | Enter the name of the lookup definition in Oracle Identity Manager that must be populated with values fetched from the target system. Depending on the scheduled job that you are using, the default values are as follows: |
Object Type | Enter the type of object you want to reconcile. Depending on the scheduled job that you are running, the default value is one of the following: |
Resource Object Name | Name of the resource object that is used for reconciliation. Default value: |
3.3 Configuring Reconciliation
Reconciliation involves duplicating in Oracle Identity Manager the creation of and modifications to user accounts on the target system. The following topics describe how to configure reconciliation.
3.3.1 Full Reconciliation
Full reconciliation involves reconciling all existing user records from the target system into Oracle Identity Manager. After you deploy the connector, you must first perform full reconciliation. In addition, you can switch from incremental reconciliation to full reconciliation whenever you want to ensure that all target system records are reconciled in Oracle Identity Manager.
For performing a full reconciliation run, values for the Latest Token and Filter attributes of the scheduled jobs for reconciling user records must not be present.
At the end of the reconciliation run, the Latest Token attribute of the scheduled job for user record reconciliation is automatically set to the time stamp at which the run ended. From the next reconciliation run onward, only records created or modified after this time stamp are considered for reconciliation. This is incremental reconciliation.
Note:
Incremental reconciliation picks up a change made in the target system only when that change also updates the incremental reconciliation attribute of the record. For example, during user reconciliation, changes such as updates to the fields on the Authentication Settings page (including RADIUS profiles) and group updates are not reconciled as part of incremental reconciliation; a full reconciliation has to be performed to reconcile these changes into Oracle Identity Manager.
3.3.2 Limited Reconciliation
By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. You can customize this process by specifying the subset of added or modified target system records that must be reconciled.
You can perform limited reconciliation by creating filters for the reconciliation module. The connector provides a Filter attribute (a scheduled job attribute) that allows you to use any of the RSA Authentication Manager resource attributes to filter the target system records.
The following RSA Authentication Manager attributes are supported for filtering:
- For User Reconciliation:
  - CERT_DN
  - EMAIL
  - FIRST_NAME
  - LAST_NAME
  - LOGINUID
  - MIDDLE_NAME
  - PASSWORD
  - ADMINISTRATOR_FLAG
  - PROXIED_AUTHENTICATORS
  - CHANGE_PASSWORD_DATE
  - CHANGE_PASSWORD_FLAG
  - DESCRIPTION
  - ENABLE_FLAG
  - EXPIRATION_DATE
  - EXPIRE_LOCKOUT_DATE
  - EXPIRE_EMERGENCY_LOCKOUT_DATE
  - FAIL_EMERGENCY_COUNT
  - FAIL_EMERGENCY_DATE
  - FAIL_PASSWORD_COUNT
  - FAIL_PASSWORD_DATE
  - IDENTITY_SRC_ID
  - IMPERSONATABLE_FLAG
  - IMPERSONATOR_FLAG
  - LAST_UPDATED_BY
  - LAST_UPDATED_ON
  - LOCKOUT_FLAG
  - EMERGENCY_LOCKOUT_FLAG
  - LOGIN_FAILURE_COUNT
  - OWNER_ID
  - SECURITY_QUES_ANSWERS
  - SECURITY_QUES_REQUIRED_AUTHN
  - SECURITY_QUES_REQUIRED_REG
  - SECURITY_QUES_LANGUAGE
  - SECURITY_QUES_COUNTRY
  - SECURITY_QUES_VARIANT
  - START_DATE
  In addition, all extended attributes that are added in the target system through customization are supported for filtering.
- For Token Reconciliation:
  - assignedBy
  - tokenAssignedDate
  - assignedToken
  - enabled
  - tokenShutdownDate
  - importedBy
  - importedOn
  - lastExportedBy
  - lastExportedOn
  - tokenRuntime.lastLoginDate
  - lastUpdatedBy
  - lastUpdatedOn
  - tokenLost
  - replacedByToken
  - pinType
  - serialNumber
  - softidDeployed
  - tokenType
Note:
While entering filters in the scheduled job for user and token reconciliation, the attribute name must use the same syntax as the decode value in the reconciliation attribute map.
See User Fields for Target Resource Reconciliation and Token Fields for Target Resource Reconciliation for the decode values that must be specified for user and token reconciliation.
In addition, during token reconciliation, use the token attributes from the ListTokenDTO target class, not from TokenDTO.
Following are a few examples:
- To reconcile all users whose login ID is like 'jo*', use the filter startsWith('__NAME__','jo')
- To reconcile all users whose email is like '*@company.com', use the filter endsWith('email;IMS;Core;String;EMAIL','@company.com')
- To reconcile all tokens whose serial number is like '0002219*', use the filter startsWith('__NAME__','0002219')
- To reconcile all tokens that are marked as lost, use the filter equalTo('tokenLost;ListTokenDTO;Core;boolean;tokenLost', true)
3.3.3 Batched Reconciliation
This section discusses the Batch Size, Batch Start, and Number of Batches attributes of the scheduled jobs for target resource reconciliation.
By default, all target system records that are added or modified after the last reconciliation run are reconciled during the current reconciliation run. Depending on the number of records to be reconciled, this process may require a large amount of time. In addition, if the connection breaks during reconciliation, then the process would take longer to complete.
You can configure batched reconciliation to avoid such problems.
The following are the attributes used to configure batched reconciliation:
- Batch Size: Use this attribute to specify the number of records that must be included in each batch. If you set the value of this attribute to 0, then the defaultbatchsize entry of the main configuration lookup (Lookup.RSAAM.Configuration) is used as the batch size for batched reconciliation. Any numeric value other than 0 takes precedence over the defaultbatchsize entry.
- Batch Start: Use this attribute to specify the record number from which batched reconciliation must begin. Set the value of this attribute to 0 to begin reconciliation from the first record in the target system. Similarly, set the value of this attribute to 1 to begin reconciliation from the second record in the target system, and so on.
- Number of Batches: Use this attribute to specify the total number of batches that must be reconciled. The default value of this attribute is 0. This implies that the connector fetches records in the maximum possible number of batches from the target system. In other words, all records starting from the record specified in the Batch Start attribute to the last record available in the target system are fetched. Any other valid number limits the number of batches to that specified value.
To configure batched reconciliation for tokens, specify values for all the above attributes of the RSAAM Token Target Reconciliation scheduled job.
To configure batched reconciliation for users, specify a value for the Batch Size attribute of the RSAAM User Target Reconciliation scheduled job.
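The Batch Size, Batch Start and Number of Batches semantics described above, as an added example that is not part of the original documentation or of the connector code: a Python planner that returns the record ranges a run would fetch and the records it would leave unreconciled. The function names are hypothetical, and DEFAULT_BATCH_SIZE is a constructed stand-in for the defaultbatchsize entry of Lookup.RSAAM.Configuration.

```python
"""Plan a batched reconciliation run from the Batch Size, Batch Start and
Number of Batches attributes (added illustration, not connector code)."""
from typing import List, Tuple

# Constructed stand-in for the defaultbatchsize entry of Lookup.RSAAM.Configuration.
DEFAULT_BATCH_SIZE = 100


def effective_batch_size(batch_size: int, default_batch_size: int = DEFAULT_BATCH_SIZE) -> int:
    """Batch Size 0 means 'use defaultbatchsize'; any other numeric value takes precedence."""
    if batch_size < 0 or default_batch_size <= 0:
        raise ValueError("Batch Size must be >= 0 and defaultbatchsize must be positive")
    return default_batch_size if batch_size == 0 else batch_size


def plan_batches(total_records: int, batch_size: int, batch_start: int = 0,
                 number_of_batches: int = 0,
                 default_batch_size: int = DEFAULT_BATCH_SIZE) -> List[Tuple[int, int]]:
    """Half-open record ranges [start, end) the run fetches, in order.
    Batch Start is a record index (0 = first record, 1 = second record, and so on);
    Number of Batches 0 means fetch every batch up to the last record."""
    size = effective_batch_size(batch_size, default_batch_size)
    ranges, pos = [], batch_start
    while pos < total_records and (number_of_batches == 0 or len(ranges) < number_of_batches):
        end = min(pos + size, total_records)
        ranges.append((pos, end))
        pos = end
    return ranges


def unfetched_records(total_records: int, ranges: List[Tuple[int, int]]) -> List[int]:
    """Record indexes no batch covers: these accounts are not reconciled by the run."""
    covered = {i for start, end in ranges for i in range(start, end)}
    return [i for i in range(total_records) if i not in covered]
```

Records outside the planned batches keep their stale state in Oracle Identity Manager until a later run covers them, so a non-zero Batch Start or Number of Batches is worth checking against the total before a scheduled run.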
See Also:
Scheduled Jobs for Reconciliation of Token and User Records for more information about the RSAAM Token Target Reconciliation and RSAAM User Target Reconciliation scheduled jobs.
3.3.4 Reconciliation Scheduled Jobs
When you run the Connector Installer, the scheduled tasks corresponding to the scheduled jobs described in the following sections are automatically created in Oracle Identity Manager.
3.3.4.1 Scheduled Jobs for Reconciliation of Token and User Records
Depending on whether you want to implement target resource reconciliation for tokens or users, you must specify values for the attributes of one of the following scheduled jobs:
- RSAAM Token Target Reconciliation
This scheduled job is used to reconcile token data for assigned tokens.
Table 3-2 describes the attributes of the scheduled job for reconciliation of token records.
Table 3-2 Attributes of the Scheduled Jobs for Reconciliation of Token Records
Attribute | Description |
---|---|
Batch Size | Enter the number of records that must be included in each batch fetched from the target system. Default value: 0. This attribute is used in conjunction with the Batch Start and Number of Batches attributes. All these attributes are discussed in Batched Reconciliation. |
Batch Start | Enter the number of the target system record from which a batched reconciliation run must begin. Default value: 0. This attribute is used in conjunction with the Batch Size and Number of Batches attributes. All these attributes are discussed in Batched Reconciliation. |
Filter | Expression for filtering records. Use the filter syntax given after this table. Default value: None |
Incremental Recon Attribute | Attribute that holds the date on which the token record was modified. Default value: lastUpdatedOn;TokenDTO;Core;Date;lastUpdatedOn (do not change the value of this attribute) |
IT Resource Name | Name of the IT resource instance that the connector must use to reconcile data. Sample value: RSA Server Instance |
Latest Token | This attribute holds the value of the attribute that is specified as the value of the Incremental Recon Attribute attribute. The Latest Token attribute is used for internal purposes. By default, this value is empty. Note: Do not enter a value for this attribute. The reconciliation engine automatically enters a value in this attribute. Sample value: 1354753427000 |
Number of Batches | Enter the number of batches that must be reconciled. Default value: 0. This attribute is used in conjunction with the Batch Size and Batch Start attributes. All these attributes are discussed in Batched Reconciliation. |
Object Type | This attribute holds the type of object you want to reconcile. Default value: Token |
Resource Object Name | Enter the name of the resource object against which reconciliation runs must be performed. Default value: RSA Auth Manager Token |
Scheduled Task Name | Name of the scheduled task used for reconciliation. Default value: RSAAM Token Target Reconciliation |
The Filter attribute uses the following syntax:
syntax = expression ( operator expression )*
operator = 'and' | 'or'
expression = ( 'not' )? filter
filter = ( 'equalTo' | 'contains' | 'containsAllValues' | 'startsWith' | 'endsWith' | 'greaterThan' | 'greaterThanOrEqualTo' | 'lessThan' | 'lessThanOrEqualTo' ) '(' 'attributeName' ',' attributeValue ')'
attributeValue = singleValue | multipleValues
singleValue = 'value'
multipleValues = '[' 'value_1' (',' 'value_n')* ']'
- RSAAM User Target Reconciliation
This scheduled job is used to reconcile user data in the target resource (account management) mode of the connector.
Table 3-3 describes the attributes of the scheduled job for reconciliation of user records.
Table 3-3 Attributes of the Scheduled Jobs for Reconciliation of User Records
Attribute | Description |
---|---|
Batch Size | Enter the number of records that must be included in each batch fetched from the target system. Default value: 0 |
Filter | Expression for filtering records. Use the filter syntax given after this table. Default value: None |
IT Resource Name | Name of the IT resource instance that the connector must use to reconcile data. Sample value: RSA Server Instance |
Object Type | This attribute holds the type of object you want to reconcile. Default value: User |
Resource Object Name | Enter the name of the resource object against which reconciliation runs must be performed. Default value: RSA Auth Manager User |
Incremental Recon Attribute | Attribute that holds the date on which the user record was modified. Default value: lastModifiedOn;IMS;Core;Date;LAST_UPDATED_ON (do not change the value of this attribute) |
Latest Token | This attribute holds the value of the attribute that is specified as the value of the Incremental Recon Attribute attribute. The Latest Token attribute is used for internal purposes. By default, this value is empty. Note: Do not enter a value for this attribute. The reconciliation engine automatically enters a value in this attribute. Sample value: 1354753427000 |
Scheduled Task Name | Name of the scheduled task used for reconciliation. Default value: RSAAM User Target Reconciliation |
The Filter attribute uses the following syntax:
syntax = expression ( operator expression )*
operator = 'and' | 'or'
expression = ( 'not' )? filter
filter = ( 'equalTo' | 'contains' | 'containsAllValues' | 'startsWith' | 'endsWith' | 'greaterThan' | 'greaterThanOrEqualTo' | 'lessThan' | 'lessThanOrEqualTo' ) '(' 'attributeName' ',' attributeValue ')'
attributeValue = singleValue | multipleValues
singleValue = 'value'
multipleValues = '[' 'value_1' (',' 'value_n')* ']'
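The Filter syntax given for the RSAAM Token Target Reconciliation and RSAAM User Target Reconciliation jobs, together with the example filters in Limited Reconciliation, as an added example that is not part of the original documentation or of the connector: a small Python parser and evaluator for that grammar, usable to check a filter before it is saved in a scheduled job and to see which records it would let through. The comparison semantics of each keyword, the acceptance of bare true/false (as in the tokenLost example), and the flat left-to-right evaluation of and/or are assumptions taken from the grammar as written; record keys are the decode-value attribute names the earlier Note requires.

```python
"""Parse and evaluate scheduled-job Filter expressions (added illustration)."""
import re
from typing import Any, Dict, List, Optional, Tuple
# Comparison semantics assumed for each filter keyword in the grammar.
OPS = {"equalTo": lambda a, v: a == v, "contains": lambda a, v: v in a,
       "containsAllValues": lambda a, v: all(x in a for x in v),
       "startsWith": lambda a, v: str(a).startswith(v),
       "endsWith": lambda a, v: str(a).endswith(v),
       "greaterThan": lambda a, v: a > v, "greaterThanOrEqualTo": lambda a, v: a >= v,
       "lessThan": lambda a, v: a < v, "lessThanOrEqualTo": lambda a, v: a <= v}
# One token per match: quoted string, bare word, integer, punctuation, or an illegal character.
TOKEN = re.compile(r"\s*(?:('(?:[^'\\]|\\.)*')|([A-Za-z_][\w.]*)|(-?\d+)|([(),\[\]])|(\S))")

def tokenize(text: str) -> List[Tuple[str, Any]]:
    toks = []
    for s, w, n, p, bad in TOKEN.findall(text):
        if bad:
            raise ValueError(f"unexpected character {bad!r}")
        toks.append(("str", s[1:-1]) if s else ("id", w) if w else ("num", int(n)) if n else ("punct", p))
    return toks

class Parser:  # recursive descent over: syntax = expression (('and' | 'or') expression)*
    def __init__(self, text: str) -> None:
        self.toks, self.i = tokenize(text), 0
    def peek(self) -> Tuple[Optional[str], Any]:
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self, kind: str, val: Any = None) -> Any:
        k, v = self.peek()
        if k != kind or (val is not None and v != val):
            raise ValueError(f"expected {val or kind} at token {self.i}, got {v!r}")
        self.i += 1
        return v
    def parse(self) -> tuple:
        node = self.expression()
        while self.peek() in (("id", "and"), ("id", "or")):  # flat list: no precedence, left to right
            node = (self.take("id"), node, self.expression())
        if self.peek()[0] is not None:
            raise ValueError(f"trailing input at token {self.i}")
        return node
    def expression(self) -> tuple:  # expression = ('not')? filter; filter = keyword '(' name ',' value ')'
        negate = self.peek() == ("id", "not") and self.take("id")
        name = self.take("id")
        if name not in OPS:
            raise ValueError(f"unknown filter {name!r}")
        self.take("punct", "(")
        attr = self.take("str")  # attributeName is always quoted
        self.take("punct", ",")
        node = ("filter", name, attr, self.value())
        self.take("punct", ")")
        return ("not", node) if negate else node
    def value(self) -> Any:  # attributeValue = singleValue | '[' value_1 (',' value_n)* ']'
        if self.peek() != ("punct", "["):
            return self.literal()
        self.take("punct")
        vals = [self.literal()]
        while self.peek() == ("punct", ",") and self.take("punct"):
            vals.append(self.literal())
        self.take("punct", "]")
        return vals
    def literal(self) -> Any:
        k, v = self.peek()
        if k == "id" and v in ("true", "false"):  # bare booleans, as in the page's examples
            return self.take("id") == "true"
        return self.take(k if k in ("str", "num") else "str")

def evaluate(node: tuple, record: Dict[str, Any]) -> bool:
    """Apply a parsed filter to one record keyed by decode-style attribute names."""
    if node[0] == "not":
        return not evaluate(node[1], record)
    if node[0] in ("and", "or"):
        left, right = evaluate(node[1], record), evaluate(node[2], record)
        return (left and right) if node[0] == "and" else (left or right)
    _, op, attr, value = node  # a missing attribute never matches
    return attr in record and bool(OPS[op](record[attr], value))

def validate_filter(text: str) -> Optional[str]:
    """None if the expression parses, else the error message: check before saving the job."""
    try:
        Parser(text).parse()
    except ValueError as exc:
        return str(exc)
    return None
```

Because the grammar is a flat list of expressions, this evaluator reads a or b and c as (a or b) and c; if the real connector applies operator precedence, the parenthesised form is the only portable way to write such a filter.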
3.3.4.2 Scheduled Jobs for Reconciliation of Deleted Token and User Records
Depending on whether you want to implement target resource delete reconciliation for tokens or users, you must specify values for the attributes of one of the following scheduled jobs:
- RSAAM Token Target Delete Reconciliation
This scheduled job is used to reconcile unassigned token data in the target source (identity management) mode of the connector. After the completion of this scheduled job, all the unassigned tokens are revoked in Oracle Identity Manager.
Table 3-4 describes the attributes of the scheduled job for reconciliation of deleted token records.
Table 3-4 Attributes of the Scheduled Jobs for Delete Token Reconciliation
Attribute | Description |
---|---|
IT Resource Name | Name of the IT resource instance that the connector must use to reconcile data. Sample value: RSA Server Instance |
Object Type | This attribute holds the type of object you want to reconcile. Default value: Token |
Resource Object Name | Enter the name of the resource object against which reconciliation runs must be performed. Default value: RSA Auth Manager Token |
- RSAAM User Target Delete Reconciliation
This scheduled job is used to reconcile deleted user data in the target source (identity management) mode of the connector.
Table 3-5 describes the attributes of the scheduled job for reconciliation of deleted user records.
Table 3-5 Attributes of the Scheduled Jobs for Delete User Reconciliation
Attribute | Description |
---|---|
IT Resource Name | Name of the IT resource instance that the connector must use to reconcile data. Sample value: RSA Server Instance |
Object Type | This attribute holds the type of object you want to reconcile. Default value: User |
Resource Object Name | Enter the name of the resource object against which reconciliation runs must be performed. Default value: RSA Auth Manager User |
3.4 Scheduled Jobs
The following sections provide detailed information about scheduled jobs that must be configured along with the procedure to configure them for lookup field synchronization and reconciliation:
3.4.1 Scheduled Jobs for Lookup Field Synchronization and Reconciliation
All scheduled jobs that must be configured are listed in Table 3-6.
Table 3-6 Scheduled Jobs for Lookup Field Synchronization and Reconciliation
Scheduled Task | Description |
---|---|
RSAAM Token Serial Lookup Reconciliation |
This scheduled job is used to synchronize values of the token serial lookup fields between Oracle Identity Manager and the target system. See Scheduled Job for Lookup Field Synchronization for information about this scheduled job. |
RSAAM Security Domain Lookup Reconciliation |
This scheduled job is used to synchronize values of the security domain lookup fields between Oracle Identity Manager and the target system. See Scheduled Job for Lookup Field Synchronization for information about this scheduled job. |
RSAAM Radius Profile Lookup Reconciliation |
This scheduled job is used to synchronize values of the radius profile lookup fields between Oracle Identity Manager and the target system. See Scheduled Job for Lookup Field Synchronization for information about this scheduled job. |
RSAAM Identity Source Lookup Reconciliation |
This scheduled job is used to synchronize values of the identity source lookup fields between Oracle Identity Manager and the target system. See Scheduled Job for Lookup Field Synchronization for information about this scheduled job. |
RSAAM User Group Lookup Reconciliation |
This scheduled job is used to synchronize values of the user group lookup fields between Oracle Identity Manager and the target system. See Scheduled Job for Lookup Field Synchronization for information about this scheduled job. |
RSAAM Admin Role Lookup Reconciliation |
This scheduled job is used to synchronize values of the admin role lookup fields between Oracle Identity Manager and the target system. See Scheduled Job for Lookup Field Synchronization for information about this scheduled job. |
RSAAM User Target Reconciliation |
This scheduled job is used to fetch user data during target resource reconciliation. See Reconciliation Scheduled Jobs for information about this scheduled job. |
RSAAM Token Target Reconciliation |
This scheduled job is used to fetch token data during target resource reconciliation. See Reconciliation Scheduled Jobs for information about this scheduled job. |
RSAAM User Target Delete Reconciliation |
This scheduled job is used to fetch data about deleted users during target resource reconciliation. During a reconciliation run, for each deleted user record on the target system, the RSA Authentication Manager user resource for the corresponding OIM User is revoked. See Reconciliation Scheduled Jobs for information about this scheduled job. |
RSAAM Token Target Delete Reconciliation |
This scheduled job is used to fetch data about deleted tokens during target resource reconciliation. During a reconciliation run, for each deleted token record on the target system, the token for the corresponding OIM User is revoked. See Reconciliation Scheduled Jobs for information about this scheduled job. |
3.4.2 Configuring Scheduled Jobs
This section describes the procedure to configure scheduled jobs. You can apply this procedure to configure the scheduled jobs for lookup field synchronization and reconciliation:
1. Log in to Oracle Identity System Administration.
2. In the left pane, under System Management, click Scheduler.
3. Search for and open the scheduled job as follows:
   1. In the Search field, enter the name of the scheduled job as the search criterion. Alternatively, you can click Advanced Search and specify the search criterion.
   2. In the search results table on the left pane, click the scheduled job in the Job Name column.
4. On the Job Details tab, you can modify the following parameters:
   - Retries: Enter an integer value in this field. This number represents the number of times the scheduler tries to start the job before assigning the Stopped status to the job.
   - Schedule Type: Depending on the frequency at which you want the job to run, select the appropriate schedule type.
   Note: See Creating Jobs in Oracle Fusion Middleware Administering Oracle Identity Manager for detailed information about schedule types.
   In addition to modifying the job details, you can enable or disable a job.
5. On the Job Details tab, in the Parameters region, specify values for the attributes of the scheduled job.
   Note:
   - Attribute values are predefined in the connector XML file that you import. Specify values only for those attributes that you want to change.
   - Values (either default or user-defined) must be assigned to all the attributes. If even a single attribute value is left empty, then reconciliation is not performed.
6. Click Apply to save the changes.
Note:
The Stop Execution option is available in the Administrative and User Console. You can use the Scheduler Status page to either start, stop, or reinitialize the scheduler.
3.5 Guidelines On Performing Provisioning Operations
The following is a guideline that you must apply while performing a provisioning operation:
During a provisioning operation, if you do not specify values or clear all the existing values for the Account Expire Date, Account Expire Hours, and Account Expire Minutes fields, then the corresponding account in the target system is set to Does Not Expire.
3.6 Performing Provisioning Operations
To perform provisioning operations in Oracle Identity Manager:
1. Log in to Oracle Identity Administrative and User Console.
2. Create a user. See Creating a User in Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Manager.
3. On the Account tab, click Request Accounts.
4. In the Catalog page, search for and add to cart the application instance created for the RSA Server Instance IT resource (in Creating an Application Instance), and then click Checkout.
5. Specify values for the fields in the application form.
   Note: Make sure that you select proper values for the lookup-type fields, because a few of them are dependent fields. Selecting a wrong value for such a field may result in provisioning failure.
6. Click Ready to Submit.
7. Click Submit.
8. If you want to provision entitlements, then:
   1. On the Entitlements tab, click Request Entitlements.
   2. In the Catalog page, search for and add to cart the entitlement, and then click Checkout.
   3. Click Submit.
3.7 Uninstalling the Connector
If you want to uninstall the connector for any reason, see Uninstalling Connectors in Oracle Fusion Middleware Administering Oracle Identity Manager.
After you uninstall the connector, perform the postuninstall procedure. See Postuninstall in Oracle Fusion Middleware Administering Oracle Identity Manager.