| Oracle® Fusion Middleware User's Guide for Oracle Identity Manager 11g Release 1 (11.1.1) Part Number E14316-04 |
|
|
View PDF |
| Oracle® Fusion Middleware User's Guide for Oracle Identity Manager 11g Release 1 (11.1.1) Part Number E14316-04 |
|
|
View PDF |
Oracle Identity Manager has a three-tier integration solutions strategy to provide connectors to various heterogeneous identity-aware IT systems. This three-tier strategy is designed to minimize custom development, maximize the reuse of code, and reduce deployment time. The three tiers are:
Out-of-the box integration using predefined connectors and predefined generic technology connector providers
Connectors based on custom generic technology connector providers
Custom connectors using the Adapter Factory
Figure 5-1 illustrates the three-tier integration solutions strategy of Oracle Identity Manager.
Figure 5-1 Three-Tier Integration Solutions Strategy of Oracle Identity Manager
This chapter discusses the following topics:
When a predefined connector is available for the target resource, this is the preferred integration method. Because a predefined connector is designed specifically for the target application, it offers the quickest integration method. These connectors support popular business applications such as Oracle eBusiness Suite, PeopleSoft, Siebel, JD Edward and SAP, as well as technology applications such as Active Directory, Java Directory Server, UNIX, databases, and RSA ClearTrust. Predefined connectors offer the quickest integration alternative because they are designed specifically for the target application. They use target recommended integration technologies and are preconfigured with application specific attributes.
See Also:
""Predefined Scheduled Tasks" for information about predefined connector installation in the Oracle Fusion Middleware System Administrator's Guide for Oracle Identity Manager.Similar to a predefined connector, a generic technology connector acts as the bridge for reconciliation and provisioning operations between Oracle Identity Manager and a target system. In terms of functionality, a generic technology connector can be divided into a reconciliation module and provisioning module. When you create a generic technology connector, you can specify whether you want to include both modules or only the reconciliation or provisioning module.
The GTC framework provides basic components that are used to rapidly assemble a custom connector. The reconciliation and provisioning modules of a generic technology connector are composed of these reusable components that you select. Each component performs a specific function during provisioning or reconciliation. The components are:
Reconciliation:
Reconciliation Transport Provider: This provider is responsible for moving the reconciled data from the target system to Oracle Identity Manager.
Reconciliation Format Provider: This provider parses the message received from the target system, which contains the reconciled data, into a data structure that can be interpreted by the reconciliation engine in Oracle identity Manager.
Validation Provider: This provider validates any data received before passing it on to the reconciliation engine.
Provisioning:
Provisioning Format Provider: This provider converts Oracle identity Manager provisioning data into a format that is supported by the target system.
Provisioning Transport Provider: This provider carries the provisioning message received from the Provisioning Format Provider to the target system.
Figure 5-2 shows the functional architecture of a generic technology connector.
Figure 5-2 Functional Architecture of a Generic Technology Connector
See Also:
"Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager" for detailed information about the functional architecture, configuration, and functionalities of the generic technology connectorGeneric technology connectors have the following features:
Features specific to the reconciliation module are:
Generic technology connector in trusted source reconciliation: A generic technology connector can be used for trusted source reconciliation. During reconciliation in trusted mode, if the reconciliation engine detects new target system accounts, then it creates corresponding OIM Users. If the reconciliation engine detects changes to existing target system accounts, then the same changes are made in the corresponding OIM Users.
Generic technology connector in account status reconciliation: User account status information is used to track whether or not the owner of a target system account is to be allowed to access and use the account. If the target system does not store account status information in the format in which it is stored in Oracle Identity Manager, then you can use the predefined Translation Transformation Provider to implement account status reconciliation.
Generic technology connector in full or incremental reconciliation: While creating a generic technology connector, you can specify that you want to use the connector for full or incremental reconciliation. In incremental reconciliation, only target system records that have changed after the last reconciliation run are reconciled (stored) into Oracle Identity Manager. In full reconciliation, all the reconciliation records are extracted from the target system.
Generic technology connector for batched reconciliation: To exercise more control over the reconciliation process, you can use the generic technology connector to specify a batch size for reconciliation. By doing this, you can break into batches the total number of records that the reconciliation engine fetches from the target system during each reconciliation run.
Generic technology connector in reconciliation of multivalued attribute data (child data) deletion: You can specify whether or not you want to reconcile into Oracle Identity Manager the deletion of multivalued attribute data on the target system.
Generic technology connector in failure threshold for stopping reconciliation: During reconciliation, Validation Providers can be used to run checks on target system data before it is stored in Oracle Identity Manager. You can set a failure threshold to automatically stop a reconciliation run if the percentage of records that fail the validation checks to the total number of records processed exceeds the specified threshold percentage.
Other features of generic technology connectors are:
Custom Providers: If the predefined providers shipped with Oracle Identity Manager do not address the transport, format change, validation, or transformation requirements of your operating environment, then you can create custom providers.
Multilanguage Support: Generic technology connectors can handle both ASCII and non-ASCII user data.
Custom Date Formats: While creating a generic technology connector, you can specify the format of date values in target system records that are extracted during reconciliation and the format in which date values must be sent to the target system during provisioning.
Propagation of Changes in OIM User Attributes to Target Systems: While creating a generic technology connector, you can enable the automatic propagation of changes in OIM User attributes to the target system.
If the target resource has no technology interface or accessible user repository, then the customer can develop a custom connector. The Adapter Factory tool in Oracle Identity Manager Design Console provides a definitional user interface that facilitates such custom development efforts without coding or scripting.
See Also:
"Adapters" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for details about how to define adapters by using the Adapter FactoryTable 5-1 lists the definitions of connector components contained in the connector XML file. These components are common to all connectors.
Table 5-1 Connector Components
| Components | Description |
|---|---|
|
This is a virtual representation of the target application on which you want to provision accounts. It is the parent record with which the provisioning process and process form are associated. |
|
|
Provisioning Process |
This process definition is used to create, maintain, and delete accounts on the target system. It consists of definitions of the individual tasks that are used to perform automated functions on the target system. Each connector is packaged with a single provisioning process. You can manually create additional provisioning processes. Note: For more information about provisioning process, see Table 5-2 and Table 5-3. |
|
This form is used to provide information about user accounts to be created, updated, or deleted on the target system. This form is also used to capture data that can be used by provisioning process tasks or to provide a mechanism for users to provide real-time data. This form is used extensively when conducting reconciliation. The table structure associated with this form supports the archiving and auditing of user accounts on the target system. Each process form consists of field definitions required by a standard connector. If you require additional fields, then you can create another version of the form and add the required fields. Each connector is shipped with certain default process forms. You can manually create additional process forms. |
|
|
This component is a template for all IT resource definitions associated with the connector. An IT resource type specifies the parameters that are common to all IT resource instances, such as host servers and computers, of that particular IT resource type. The parameters specified in this definition are inherited by all IT resource definitions of that type. For example, the Solaris 8 IT resource type can have a parameter called IP Address. The value of that parameter for the Target_Solaris IT resource instance can be set to 192.168.50.25. |
|
|
Adapters |
This includes all adapters that are required to perform common functions on the target application. Each adapter is predefined with certain mappings and functionality. These adapters are capable of interacting with the tasks in the provisioning process and the fields of the process form. Note: For more information about adapters, see Oracle Identity Manager Tools Reference. |
|
If the connector that you want to use is shipped with a predefined reconciliation module, then you are provided with a scheduled task definition. You use this component to control the frequency at which the target system is polled for changes to tracked data. |
Table 5-2 lists the predefined tasks (or their equivalents) that the Provisioning Process component contains.
Table 5-2 Provisioning Process Tasks
| Provisioning Process Task | Purpose |
|---|---|
|
Create User |
Creates a new user account in the target application (provisions the user with an account) |
|
Disable User |
Temporarily disables a user account in the target application |
|
Enable User |
Re-enables a disabled user account in the target application |
|
Delete User |
Deletes a user account in the target application (revokes the user's account) |
|
Update User |
Modifies the privileges or profile of a user account in the target application |
In addition to the tasks listed in the previous section, the Provisioning Process component also contains the reconciliation-related tasks. Table 5-3 lists these tasks.
Note:
When Oracle Identity Manager receives a reconciliation event, all provisioning-related tasks within the provisioning process are suppressed and the relevant reconciliation-related task is inserted.Table 5-3 Reconciliation-Related Provisioning Process Tasks
| Provisioning Process Task (Reconciliation-Related) | Purpose |
|---|---|
|
Reconciliation Insert Received |
This task is inserted into the Provisioning Process instance associated with the user or organization when Oracle Identity Manager determines that the reconciliation event received from the target system represents the creation of a user or organization account. In addition, the information in the reconciliation event record is stored in the process form according to the mappings set on the provisioning process. |
|
Reconciliation Update Received |
This task is inserted into the Provisioning Process instance associated with the user or organization when Oracle Identity Manager determines that the reconciliation event received from the target system represents the update of an existing user or organization account. In addition, the information in the reconciliation event record is stored in the process form according to the mappings set on the provisioning process. |
|
Reconciliation Delete Received |
This task is inserted into the Provisioning Process instance associated with the user or organization when Oracle Identity Manager determines that the reconciliation event received from the target system represents the deletion of an existing user or organization account. |
Oracle Identity Manager provides features to install connectors. The following are general considerations that you must address before installing connectors:
Some connectors require external libraries in the form of JAR files for normal functioning. You can purchase these JAR files from the respective vendors. After you obtain these JAR files, you must configure Oracle Identity Manager as required. For example, you can update the CLASSPATH environment variable.
Some connectors require external software to be installed on the target system. For example, if you are using the Bourne (sh) shell on Solaris, then you must install and start WBEM Services on the target Solaris computer. Otherwise, you cannot use Oracle Identity Manager to provision users on Solaris.
For optimal performance of the prepackaged connectors, you must configure the target systems separately. Where required, this step is explained in the connector deployment guides.
While installing Oracle Identity Manager in a clustered environment, you copy the contents of the installation directory to each node of the cluster. Similarly, all the JAR files that you copy to Oracle Identity Manager server during the connector deployment process must be copied to the corresponding directories on each node of the cluster.
|
 Copyright © 1991, 2010, Oracle and/or its affiliates. All rights reserved. Legal Notices |
|
