2 Creating an Application By Using the Microsoft Active Directory User Management Connector

Learn about onboarding applications using the connector and the prerequisites for doing so.

2.1 Process Flow for Creating an Application By Using the Connector

From Oracle Identity Governance release 12.2.1.3.0 onward, connector deployment is handled using the application onboarding capability of Identity Self Service.

Figure 2-1 is a flowchart depicting high-level steps for creating an application in Oracle Identity Governance by using the connector installation package.

Figure 2-1 Overall Flow of the Process for Creating an Application By Using the Connector


2.2 Prerequisites for Creating an Application By Using the Connector

Learn about the tasks that you must complete before you create the application.

2.2.1 Downloading the Connector Installation Package

You can obtain the installation package for your connector on the Oracle Technology Network (OTN) website.

To download the connector installation package:
  1. Navigate to the OTN website at http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/connectors-101674.html.
  2. Click OTN License Agreement and read the license agreement.
  3. Select the Accept License Agreement option.
    You must accept the license agreement before you can download the installation package.
  4. Download and save the installation package to any directory on the computer hosting Oracle Identity Governance.
  5. Extract the contents of the installation package to any directory on the computer hosting Oracle Identity Governance. This creates a directory named CONNECTOR_NAME-RELEASE_NUMBER. For example, for this connector, the directory name is activedirectory-12.2.1.3.0.
  6. Copy the CONNECTOR_NAME-RELEASE_NUMBER directory to the OIM_HOME/server/ConnectorDefaultDirectory directory.

2.2.2 Creating a Target System User Account for Connector Operations

Oracle Identity Governance requires a target system user account to access the target system during reconciliation and provisioning operations. You provide the credentials of this user account in the Basic Configuration section while creating an application.

Depending on the target system that you are using, perform the procedure described in one of the following sections:

2.2.2.1 Creating a User Account for Connector Operations in Microsoft Active Directory

You can use a Microsoft Windows 2008 Server (Domain Controller) administrator account for connector operations. Alternatively, you can create a user account and assign the minimum required rights to the user account.

To create the Microsoft Active Directory user account for connector operations:

See Also:

Microsoft Active Directory documentation for detailed information about performing this procedure

  1. Create a group (for example, OIMGroup) on the target system. While creating the group, select Security Group as the group type and Global or Universal as the group scope.

    Note:

    In a parent-child domain setup, create the group in the parent domain.

  2. Make this group a member of the Account Operators group.
  3. Assign all read permissions to this group. If there are multiple child domains in the forest, then log in to each child domain and add the above group to the Account Operators group of each child domain.

    Note:

    You assign read permissions on the Security tab of the Properties dialog box for the user account. This tab is displayed only in Advanced Features view. To switch to this view, select Advanced Features from the View menu on the Microsoft Active Directory console.

  4. Create a user (for example, OIMUser) on the target system. In a parent-child domain setup, create the user in the parent domain.
  5. Make the user a member of the group (for example, OIMGroup) created in Step 1.
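
The following PowerShell script is an added example, not part of the Oracle connector guide, that performs Steps 1 through 5 above with the ActiveDirectory module and then checks that the account holds no more than the membership the procedure calls for. The names OIMGroup and OIMUser are the examples used above; the OU path OU=ServiceAccounts and granting the read permissions of Step 3 at the domain root with dsacls are assumptions, so adjust them to your directory.

```powershell
# Added example (not from the Oracle connector guide): creates the group and the
# connector operations account from steps 1-5 with the ActiveDirectory module.
# Assumptions: OU=ServiceAccounts exists, and "read permissions" (step 3) are
# granted as Generic Read at the domain root, inherited by all objects.
Import-Module ActiveDirectory

$domain    = Get-ADDomain            # run this in the parent domain of a parent-child setup
$domainDN  = $domain.DistinguishedName
$groupName = 'OIMGroup'
$userName  = 'OIMUser'
$targetOU  = "OU=ServiceAccounts,$domainDN"    # assumed OU for the group and the account

# Step 1: security group with Global scope (Universal is also accepted by the guide)
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupCategory Security -GroupScope Global -Path $targetOU
}

# Step 2: nest the group in the built-in Account Operators group
Add-ADGroupMember -Identity 'Account Operators' -Members $groupName

# Step 3: read permissions for the group (assumption: GR = Generic Read, inherited)
$grantee = "$($domain.NetBIOSName)\$groupName"
dsacls $domainDN /I:T /G "${grantee}:GR" | Out-Null

# Step 4: the connector operations account; the password is prompted, never hard-coded
$password = Read-Host -AsSecureString -Prompt "Password for $userName"
New-ADUser -Name $userName -SamAccountName $userName -Path $targetOU `
           -AccountPassword $password -Enabled $true

# Step 5: membership in the group from step 1
Add-ADGroupMember -Identity $groupName -Members $userName

# Check: the account should reach Account Operators only through OIMGroup.
# A direct Account Operators or Domain Admins membership exceeds what the connector needs.
$groups = (Get-ADPrincipalGroupMembership $userName).Name
"Direct group memberships of ${userName}: $($groups -join ', ')"
if ($groups -contains 'Domain Admins' -or $groups -contains 'Account Operators') {
    Write-Warning "$userName holds more rights than the connector operations account needs"
}
```

Run the script from an elevated session in the parent domain. In a forest with child domains, repeat the Add-ADGroupMember call for Account Operators against each child domain, as Step 3 describes.
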

2.2.2.2 Creating a User Account for Connector Operations in Microsoft AD LDS

You must create and use a user account that belongs to the Administrators group for performing connector operations.

To create the Microsoft AD LDS user account for connector operations:

See Also:

Microsoft AD LDS documentation for detailed information about these steps

  1. Create a user account in Microsoft AD LDS.
  2. Set a password for the user account.
  3. Enable the user account by setting the msDS-UserAccountDisabled field to false.
  4. Enter a value in the userPrincipalName field.
    The value that you provide must be in the user_name@domain_name format, for example, OIMuser@example.com.
  5. Add the distinguished name of the user to the Administrators group.

    Note:

    To create the user account for connector operations in a standalone Microsoft ADLDS instance:

    1. Create a user account in the standalone computer.

    2. Add the newly created user to the ADLDS Administrators group [CN=Administrators,CN=Roles,DC=X].

2.2.3 Assigning Permissions to Perform Delete User Reconciliation Runs

In order to enable the user account that you created for performing connector operations to retrieve information about deleted user accounts during delete reconciliation runs, you must assign permissions to the deleted objects container (CN=DeletedObjects) in the target system.

Note:

In a forest environment, if you are performing reconciliation by using the Global Catalog Server, then perform the procedure described in this section on all child domains.

To do so:
  1. Log in to the target system as an administrator.
  2. In a terminal window, run the following command:
    dsacls DELETED_OBJ_DN /takeownership
    

    In this command, replace DELETED_OBJ_DN with the distinguished name of the deleted directory object.

    Sample value:

    dsacls "CN=Deleted Objects,DC=mydomain,dc=com" /takeownership
    
  3. In a terminal window, run the following command to grant a user or group permissions to perform successful runs of the delete user reconciliation scheduled job:
    dsacls DELETED_OBJ_DN /G USER_OR_GROUP:PERMISSION
    

    In this command, replace:

    • DELETED_OBJ_DN with the distinguished name of the deleted directory object.

    • USER_OR_GROUP with the name of the user or group to which you want to assign permissions.

    • PERMISSION with the permissions to grant.

    Sample value:

    dsacls "CN=Deleted Objects,DC=mydomain,dc=com" /G ROOT3\OIMUser:LCRP
    
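
The following PowerShell script is an added example, not part of the Oracle connector guide, that carries out Steps 2 and 3 above for the domain the host belongs to and then verifies the result in two ways: by reading the container's ACL back with dsacls, and by running the tombstone query that the delete user reconciliation job depends on. The grantee OIMUser and the LCRP permission set come from the sample values above; the domain name is read from the machine rather than assumed.

```powershell
# Added example (not from the Oracle connector guide): grants the connector operations
# account read access to the Deleted Objects container and verifies the grant.
# Run steps 2-3 as a domain administrator; run the final query as the connector account.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$deletedDN  = "CN=Deleted Objects,$($domain.DistinguishedName)"
$grantee    = "$($domain.NetBIOSName)\OIMUser"   # connector operations account from the guide
$permission = 'LCRP'                               # List Contents + Read Property, as in the guide

# Step 2: take ownership of the container; by default only its owner can change its ACL
dsacls $deletedDN /takeownership | Out-Null

# Step 3: grant only list and read rights, not write, on the container
dsacls $deletedDN /G "${grantee}:${permission}" | Out-Null

# Check 1: the ACL read back from the container must now list the grantee
$acl = dsacls $deletedDN
$ace = $acl | Select-String -SimpleMatch $grantee
if (-not $ace) { throw "No ACE for $grantee found on $deletedDN" }
"ACE for ${grantee}:"
$ace

# Check 2: the query the delete reconciliation job performs. Run this part in a session
# opened as OIMUser; it should return tombstones (or nothing, in a domain with no
# recent deletions) rather than an access error.
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties lastKnownParent |
    Select-Object -First 5 -Property Name, lastKnownParent
```

When reconciliation runs against the Global Catalog Server, repeat the script in each child domain of the forest, as the note at the start of this section requires; the grant on the parent domain's container does not carry over to the child domains.
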

2.2.4 Delegating Control for Organizational Units and Custom Object Classes

By default, user accounts that belong to the Account Operators group can manage only user and group objects. To manage organizational units or custom object classes, you must assign the necessary permissions to a user account. In other words, you must delegate complete control for an organizational unit or custom object class to a user or group object. In addition, you need these permissions to successfully perform provisioning of custom object classes.

You delegate control by using the Delegation of Control Wizard. Creating organizational units is one example of managing organizational units.

To delegate control for an organizational unit or custom object class to a user account:

Note:

In a parent-child deployment environment or forest topology, perform this procedure on all the child domains.

  1. In the Active Directory Users and Computers window, in the navigation tree, right-click the organizational unit whose control you want to delegate, and then click Delegate Control.
    The Delegation of Control Wizard appears.

    Note:

    If you want to delegate control for all organization units under the root context, then delegate control at the root context level.

  2. On the Welcome to the Delegation of Control Wizard page, click Next.
  3. On the Users or Groups page, to select either a user or group to whom you want to delegate control:
    1. Click Add.
    2. In the Select Users, Computers, or Groups dialog box, enter a user or group name. For example, enter OIMUser.
    3. Click Check Names.
    4. Click OK to close the dialog box.
  4. Click Next.
  5. On the Tasks to Delegate page, select the Create a custom task to delegate option, and then click Next.
  6. On the Active Directory Object Type page, select Only the following objects in the folder, and then select Organization Unit Objects. If you are delegating control for custom object classes, then select the custom object class for which you want to delegate control.
  7. Select the Create selected objects in the folder and Delete selected objects in the folder options, and then click Next.
  8. On the Permissions page:
    • For Organizational Units, select Full Control, click Next, and then click Finish.

    • For custom object classes, select the required permissions, click Next and then click Finish.
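
The following PowerShell script is an added example, not part of the Oracle connector guide, that reads back the ACL of the delegated organizational unit after the wizard finishes and checks that the ACEs Steps 6 through 8 should have produced are present for the account. It also reports whether the Full Control choice in Step 8 left a GenericAll entry, so that the breadth of the grant is visible in a review. The OU path OU=Departments is an assumption; OIMUser is the example name used in Step 3.

```powershell
# Added example (not from the Oracle connector guide): verifies the ACEs created by the
# Delegation of Control Wizard for organizational units. Assumed: the delegated OU is
# OU=Departments under the domain root and the grantee is OIMUser.
Import-Module ActiveDirectory

$domain      = Get-ADDomain
$delegatedOU = "OU=Departments,$($domain.DistinguishedName)"    # assumed delegated OU
$grantee     = "$($domain.NetBIOSName)\OIMUser"

# The wizard scopes the create/delete ACEs to the organizationalUnit class by its schemaIDGUID
$schemaDN = (Get-ADRootDSE).schemaNamingContext
$ouClass  = Get-ADObject -SearchBase $schemaDN -Filter "lDAPDisplayName -eq 'organizationalUnit'" -Properties schemaIDGUID
$ouGuid   = [guid]$ouClass.schemaIDGUID

# Read the OU's security descriptor through the AD: drive provided by the module
$acl  = Get-Acl -Path "AD:\$delegatedOU"
$aces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $grantee }

"ACEs for $grantee on ${delegatedOU}:"
$aces | Format-Table ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType -AutoSize

# Step 7 should have produced CreateChild and DeleteChild ACEs limited to organizationalUnit
$canCreate = $aces | Where-Object { $_.ActiveDirectoryRights -match 'CreateChild' -and $_.ObjectType -eq $ouGuid }
$canDelete = $aces | Where-Object { $_.ActiveDirectoryRights -match 'DeleteChild' -and $_.ObjectType -eq $ouGuid }
if (-not ($canCreate -and $canDelete)) {
    Write-Warning "$grantee cannot create and delete organizational units under $delegatedOU"
}

# Step 8 (Full Control for organizational units) appears as GenericAll; report it so the
# reviewer sees that the account holds full control over OUs in this subtree.
if ($aces | Where-Object { $_.ActiveDirectoryRights -match 'GenericAll' }) {
    "$grantee has Full Control (GenericAll) on organizational units under $delegatedOU"
}
```

If control was delegated at the root context rather than at a single OU, set the delegated path to the domain's distinguished name; the same ACEs should then appear on the domain object itself.
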

2.3 Installing the Microsoft Active Directory User Management Connector in the Connector Server

Installation in the Connector Server consists of copying and extracting the connector bundle to the Connector Server and configuring the IT resource.

To copy and extract the connector bundle to the Connector Server:

  1. Stop the Connector Server.

    Note:

    You can download the necessary Connector Server from the Oracle Technology Network web page.
  2. From the installation media, copy and extract contents of the bundle/ActiveDirectory.Connector-12.3.0.0.zip file to the CONNECTOR_SERVER_HOME directory.
  3. Rename Shell-ScriptExecutorFactory.dll file to Shell.ScriptExecutorFactory.dll.
  4. Start the Connector Server for the connector bundle to be picked up by the Connector Server.
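
The following PowerShell script is an added example, not part of the Oracle connector guide, that performs Steps 1 through 4 on a .NET Connector Server host and confirms that the renamed assembly is in place before the service is started again. The CONNECTOR_SERVER_HOME path, the location of the installation media and the Windows service name ConnectorServerService are assumptions; check them on your host before running it.

```powershell
# Added example (not from the Oracle connector guide): installs the connector bundle into
# the Connector Server home. Assumed values: CONNECTOR_SERVER_HOME, the media path and
# the Windows service name of the Connector Server.
$connectorServerHome = 'C:\Oracle\ConnectorServer'                                      # CONNECTOR_SERVER_HOME (assumed)
$bundleZip   = 'D:\activedirectory-12.2.1.3.0\bundle\ActiveDirectory.Connector-12.3.0.0.zip'  # media path (assumed)
$serviceName = 'ConnectorServerService'                                                   # service name (assumed)

# Step 1: stop the Connector Server so that it releases the assemblies in its home directory
Stop-Service -Name $serviceName
(Get-Service -Name $serviceName).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# Step 2: extract the bundle into CONNECTOR_SERVER_HOME, replacing any older copy
Expand-Archive -Path $bundleZip -DestinationPath $connectorServerHome -Force

# Step 3: the file ships as Shell-ScriptExecutorFactory.dll and must be renamed to the dotted form
$old = Get-ChildItem -Path $connectorServerHome -Recurse -Filter 'Shell-ScriptExecutorFactory.dll' | Select-Object -First 1
if ($old) {
    Move-Item -Path $old.FullName -Destination (Join-Path $old.DirectoryName 'Shell.ScriptExecutorFactory.dll') -Force
}
$renamed = Get-ChildItem -Path $connectorServerHome -Recurse -Filter 'Shell.ScriptExecutorFactory.dll'
if (-not $renamed) { throw "Shell.ScriptExecutorFactory.dll not found under $connectorServerHome; check the extracted bundle" }

# Step 4: start the server so that it picks up the new bundle
Start-Service -Name $serviceName
(Get-Service -Name $serviceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# Record what was deployed: assembly names, file versions and timestamps for the change log
Get-ChildItem -Path $connectorServerHome -Recurse -Filter '*ActiveDirectory*.dll' |
    Select-Object Name, @{ n = 'Version'; e = { $_.VersionInfo.FileVersion } }, LastWriteTime
```

Keep the listing from the final command with the change record; it is the quickest way to confirm later which bundle version a given Connector Server is running.
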

2.4 Creating an Application By Using the Connector

You can onboard an application into Oracle Identity Governance from the connector package by creating a Target application. To do so, you must log in to Identity Self Service and then choose the Applications box on the Manage tab.

The following is the high-level procedure to create an application by using the connector:

Note:

For detailed information on each of the steps in this procedure, see Creating Applications of Oracle Fusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

  1. Create an application in Identity Self Service. The high-level steps are as follows:
    1. Log in to Identity Self Service either by using the System Administration account or an account with the ApplicationInstanceAdministrator admin role.
    2. Ensure that the Connector Package option is selected when creating an application.
    3. Update the basic configuration parameters to include connectivity-related information.
    4. If required, update the advanced setting parameters to update configuration entries related to connector operations.
    5. Review the default user account attribute mappings. If required, add new attributes or you can edit or delete existing attributes.
    6. Review the provisioning, reconciliation, organization, and catalog settings for your application and customize them if required. For example, you can customize the default correlation rules for your application if required.
    7. Review the details of the application and click Finish to submit the application details.
      The application is created in Oracle Identity Governance.
    8. When you are prompted whether you want to create a default request form, click Yes or No.
      If you click Yes, then the default form is automatically created and is attached with the newly created application. The default form is created with the same name as the application. The default form cannot be modified later. Therefore, if you want to customize it, click No to manually create a new form and attach it with your application.
  2. Verify reconciliation and provisioning operations on the newly created application.

Note:

You can verify and test connectivity using the Test Connection option only after the following actions are complete:
  • AOB installation
  • Extracted bundle/ActiveDirectory.Connector-12.3.0.0.zip is copied to the Connector Server home directory
  • IT Resource for the Connector Server is configured
  • IT Resource for the Target System is configured
