Oracle® Fusion Middleware Developer's Guide for Oracle Identity Manager 11g Release 1 (11.1.1) Part Number E14309-05
The primary goal of any provisioning system is to manage requests submitted by users and provision resources to users. Request completion involves execution of associated approval processes. These approval processes are deployed as Service-Oriented Architecture (SOA) composites running on the SOA Server. The request service is responsible for executing and managing these approval processes. Figure 19-1, "Request Service and SOA Integration" shows the integration of the request service and SOA.
The interaction between Oracle Identity Manager and SOA Server is explained in the following steps:
The user creates a request by using the Oracle Identity Manager Self Service. The request can be for creating a user or provisioning a resource to a beneficiary.
The request engine evaluates the approval policy and selects the SOA composite to be instantiated.
Note:
The composites must be registered with Oracle Identity Manager so that they are started when the request is submitted. For information about registering workflows with Oracle Identity Manager, see "Registering a SOA Composite with Oracle Identity Manager".
The request engine contacts the SOA Server to instantiate the selected SOA composite.
The selected composite instance is instantiated on the SOA Server.
The SOA composite run starts, and a human approval task is assigned for approval.
The approver logs in to the Task List in the Oracle Identity Manager Self Service console, and approves the request.
After the approval, the composite instance run completes, and the request service is notified.
The request service informs the request engine about the approval, and the request moves to the next stage.
This chapter discusses the following topics:
To create a new SOA composite that can be used as an approval process, you must perform the following steps:
To use a SOA composite as an approval process, it must adhere to certain standards. These standards ensure that the request service is able to instantiate and manage such composites correctly. These standards are:
The following attributes are mandatory for BPEL process:
RequestID of type String
RequestModel of type String
RequestTarget of type String
URL of type String
RequesterDetails of XML Element
BeneficiaryDetails of XML Element
ObjectDetails of XML Element
OtherDetails of XML Element
The RequestID, RequestModel, RequestTarget, and URL attributes are always set with valid values for all types of requests.
RequesterDetails is an XML element. It is populated with valid values for all requests that require authentication. RequesterDetails is empty for requests of type Self-Register User because the requester is an anonymous user.
BeneficiaryDetails is an XML element. It is populated with valid values for all requests that have a beneficiary, for example, Provision Resource and Assign Roles. It is populated only if the request is associated with a single beneficiary. If the request is associated with multiple beneficiaries, then BeneficiaryDetails is empty. The BeneficiaryDetails element always has a valid value for simple requests and child requests that have a beneficiary. Therefore, it is recommended to use this XML element in SOA composites that are used as approval processes at the operational level of approval, because at that level the request is associated with only one beneficiary.
ObjectDetails is an XML element. It is populated with valid values for all requests that are associated with the Resource entity. It is populated only if the request is associated with a single resource. If the request is associated with multiple resources, then ObjectDetails is empty. The ObjectDetails element always has a valid value for simple and child requests that are associated with a resource. Therefore, it is recommended to use this XML element in SOA composites that are used as approval processes at the operational level of approval, because at that level the request is associated with only one resource.
All the attributes that are mandatory for the BPEL process are referred from RequestDetails.xsd and ApprovalProcess.xsd. These files are present in the template SOA composite and must not be modified or deleted.
Oracle Identity Manager provides a helper utility for creating custom SOA composites. This utility creates a template SOA project that adheres to all the necessary standards. This utility is located in the OIM_HOME/workflows/new-workflow directory.
Note:
The JAVA_HOME environment variable must be set before running this utility. The utility requires Apache Ant version 1.7 or later.
To create a custom SOA composite by running the helper utility:
Run the following commands:
cd OIM_HOME/workflows/new-workflow
ant -f new_project.xml
Enter the JDeveloper application name when the following prompt is displayed:
Please enter application name
Enter the JDeveloper project name when the following prompt is displayed:
Please enter project name
Enter the name of the ADF binding service for the composite when the following prompt is displayed:
Please enter the service name for the composite. This needs to be unique across applications
The new application is created in the OIM_HOME/workflows/new-workflow/process-template/ directory. You can open the new application in JDeveloper for modification.
The human task in the template SOA composite is configured to send notifications to the assignee of the human task. In the custom composite that is created, the notification message can be modified as required. All the notifications to be sent to the approver must be configured in the SOA composite. For configuring Oracle SOA server to send notifications, refer to "Configuring Oracle User Messaging Service" in the Oracle Fusion Middleware Administrator's Guide for Oracle SOA Suite and Oracle Business Process Management Suite.
For information about deploying the workflow composite in BPEL, see Oracle Fusion Middleware Developer's Guide for Oracle SOA Suite.
Note:
If a composite is redeployed in SOA, then all the pending approvals in Oracle Identity Manager initiated by the composite become stale and are removed from the user's TaskList. See "Deploying an Existing SOA Archive in Oracle JDeveloper" in the Oracle Fusion Middleware Developer's Guide for Oracle SOA Suite for information about deploying existing SOA composites.
If the communication to Oracle Identity Manager is through the SSL mode, then you must:
Note:
For a non-SSL connection, skip this section.
Set the TRUSTSTORE_LOCATION environment variable, where TRUSTSTORE_LOCATION is the trusted key store file location.
Use the t3s protocol instead of t3. For example, the URL for Oracle Identity Manager is:
t3s://HOST_NAME:PORT
The SOA composite must be registered with Oracle Identity Manager before it can be used as an approval process. To register a SOA composite with Oracle Identity Manager:
Create the COMPOSITE_NAME.props property file in the OIM_HOME/workflows/registration/ directory with the following content:
name=COMPOSITE_NAME
category=Approval
providerType=BPEL
serviceName=REQUEST_APPROVAL_SERVICE
domainName=DOMAIN
version=REVISION_ID
payLoadID=PAYLOAD
operationID=OPERATION_ID
listOfTasks=HUMAN_TASK_NAMES
Where:
Replace COMPOSITE_NAME with the name of the SOA composite as specified in the composite.xml file.
Replace REQUEST_APPROVAL_SERVICE with the name of the service exposed in the composite. This service is invoked while instantiating the composite for approval.
Replace OPERATION_ID with the name of the operation to be invoked on the service mentioned for the serviceName property.
Replace PAYLOAD with the part name of the operation specified as the value of the operationID property.
Replace REVISION_ID with the SOA composite revision as specified in the composite.xml file.
Replace DOMAIN with the name of the SOA partition in which the composite is deployed. By default, SOA has one partition named default.
Replace HUMAN_TASK_NAMES with the names of the approval tasks associated with the SOA composite. Separate the names with a colon (:).
Note:
Do not add any extra spaces in the properties file.
Run the following command from the OIM_HOME/workflows/registration/ directory:
Note:
The JAVA_HOME environment variable must be set before running this utility. The utility requires Apache Ant version 1.7 or later.
For a connection over SSL, you must meet the prerequisites mentioned in "Prerequisites for Communication to Oracle Identity Manager Through SSL Mode".
ant -f registerworkflows-mp.xml register
Enter the Oracle Identity Manager administrator username when prompted.
Enter the Oracle Identity Manager administrator password when prompted.
Note:
When you log in to the SOA server by using the Oracle Identity Manager administrator credentials, the login attempt fails if your challenge questions and answers and password are not reset in Oracle Identity Manager. You must reset the challenge questions and answers and password when you first log in to Oracle Identity Manager.
Enter the Oracle Identity Manager server t3 URL when prompted.
Enter the property file name that you created in step 1 when prompted.
Enter the complete path of the property file name that you created in step 1 when prompted.
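The property file rules and the SSL prerequisites described above can be checked before the registration utility is run. The following preflight script is an added example, not part of the Oracle utility; the function names check_props and check_transport are hypothetical, and the sample values it writes are constructed placeholders.

```shell
#!/bin/sh
# Added example: preflight checks to run before
#   ant -f registerworkflows-mp.xml register
# Function names are hypothetical; keys and rules are the ones the guide lists.

REQUIRED_KEYS="name category providerType serviceName domainName version payLoadID operationID listOfTasks"

# check_props FILE: returns 0 if FILE is a well-formed registration property file.
check_props() {
    f=$1
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    # The guide forbids extra spaces; this also catches tabs and CRLF endings.
    if grep -n '[[:space:]]' "$f" >&2; then
        echo "whitespace found in $f" >&2; return 1
    fi
    for k in $REQUIRED_KEYS; do
        # Each key must appear exactly once with a non-empty value.
        n=$(grep -c "^$k=." "$f" || true)
        [ "$n" -eq 1 ] || { echo "$k: expected 1 entry, found $n" >&2; return 1; }
    done
    # The guide's template fixes these two values.
    grep -qx 'category=Approval' "$f" || { echo "category must be Approval" >&2; return 1; }
    grep -qx 'providerType=BPEL' "$f" || { echo "providerType must be BPEL" >&2; return 1; }
    # Human task names are colon-separated; reject empty names.
    tasks=$(sed -n 's/^listOfTasks=//p' "$f")
    case ":$tasks:" in *::*) echo "empty task name in listOfTasks" >&2; return 1 ;; esac
    return 0
}

# check_transport URL: returns 0 if URL and environment meet the SSL prerequisites.
check_transport() {
    case $1 in
        t3s://*)
            [ -n "${TRUSTSTORE_LOCATION:-}" ] || { echo "TRUSTSTORE_LOCATION is not set" >&2; return 1; }
            [ -r "$TRUSTSTORE_LOCATION" ] || { echo "trust store is not readable" >&2; return 1; }
            ;;
        t3://*) echo "note: t3 is the non-SSL protocol; the administrator login is not SSL-protected" >&2 ;;
        *) echo "not a t3 or t3s URL: $1" >&2; return 1 ;;
    esac
}

# Constructed sample values, not taken from a real deployment.
sample=$(mktemp)
printf '%s\n' name=SampleApproval category=Approval providerType=BPEL \
    serviceName=SampleApprovalService domainName=default version=1.0 \
    payLoadID=payload operationID=process listOfTasks=ApprovalTask:ManagerTask > "$sample"
check_props "$sample" && check_transport t3://localhost:7001 && echo "preflight passed"
rm -f "$sample"
```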
To modify an existing SOA composite that can be used as an approval process, you must perform the following:
Note:
If the SOA composite modification involves adding or removing human tasks, then perform the following steps:
Modify the SOA composite in JDeveloper. While modifying the composite, make sure that the SOA composite version ID is changed. The existing SOA composite version ID, which is already registered with Oracle Identity Manager, cannot be used.
Disable the SOA composite in Oracle Identity Manager.
Deploy the SOA composite in Oracle SOA Server.
Register the SOA composite with Oracle Identity Manager.
You can modify SOA composites by using JDeveloper. If you want to modify the default SOA composites, then you can access the respective JDeveloper projects in the paths listed in Table 21-1:
Table 21-1 Location of Default SOA Composites
| SOA Composite | Path | 
|---|---|
| BeneficiaryManagerApproval | OIM_HOME/workflows/composites/BeneficiaryManagerApproval.zip | 
| DefaultOperationalApproval | OIM_HOME/workflows/composites/DefaultOperationalApproval.zip | 
| DefaultRequestApproval | OIM_HOME/workflows/composites/DefaultRequestApproval.zip | 
| DefaultRoleApproval | OIM_HOME/workflows/composites/DefaultRoleApproval.zip | 
| ResourceAuthorizerApproval | OIM_HOME/workflows/composites/ResourceAuthorizerApproval.zip | 
| ResourceAdministratorApproval | OIM_HOME/workflows/composites/ResourceAdministratorApproval.zip | 
| RequesterManagerApproval | OIM_HOME/workflows/composites/RequesterManagerApproval.zip | 
| DefaultSODApproval | OIM_HOME/workflows/composites/DefaultSODApproval.zip | 
For information about using JDeveloper to build applications with Oracle SOA Suite, see Oracle® Fusion Middleware Developer's Guide for Oracle SOA Suite.
You can disable a SOA composite on Oracle Identity Manager by using the registerworkflows-mp utility located in the OIM_HOME/workflows/new-workflow/ directory.
Note:
The JAVA_HOME environment variable must be set before running this utility. The utility requires Apache Ant version 1.7 or later.
For a connection over SSL, you must meet the prerequisites described in "Prerequisites for Communication to Oracle Identity Manager Through SSL Mode".
To disable a SOA composite on Oracle Identity Manager:
Using a command prompt, go to the OIM_HOME/workflows/registration/ directory.
Run the following command:
ant -f registerworkflows-mp.xml disable
When prompted to enter username, enter the Oracle Identity Manager administrator username.
When prompted to enter password, enter the Oracle Identity Manager administrator password.
When prompted to enter the server t3 URL, enter the Oracle Identity Manager server t3 URL, for example, t3://localhost:7001.
Specify the domain of the workflow. By default, this is set to the default domain.
When prompted for the name of the workflow, enter the SOA composite name.
When prompted for the version of the workflow, enter the SOA composite version.
For information about deploying the workflow composite in BPEL, see Oracle Fusion Middleware Developer's Guide for Oracle SOA Suite.
To enable a SOA Composite with Oracle Identity Manager:
Note:
The JAVA_HOME environment variable must be set before running this utility. The utility requires Apache Ant version 1.7 or later.
For a connection over SSL, you must meet the prerequisites described in "Prerequisites for Communication to Oracle Identity Manager Through SSL Mode".
Run the following command:
ant -f registerworkflows-mp.xml enable
Perform steps 3 through 8 listed in "Disabling a SOA Composite on Oracle Identity Manager".