Tuesday, December 24, 2013

Flat File Connector: Packaging the Connector

Description: Create a flat file connector installer package. The package should contain all the artifacts and metadata for the flat file connector (e.g. IT Resource, Process Form, Resource Object, Adapters). On a new OIM environment, you will then be able to install the flat file connector from the package. After connector installation, modify the IT Resources to point to your target system.

Monday, December 23, 2013

Flat File Connector: Scheduled Tasks and Jobs

Description: To create a scheduled task in Oracle Identity Manager, you need to write an XML definition of the task and push it into the metadata store (MDS) using either the WebLogic import utility or Deployment Manager. (The XML may need to be adjusted depending on which of the two you use.) After purging the cache, you will be able to create a scheduled job of that task type.

To import the metadata into MDS using the WebLogic import utility:

1. Modify the weblogic.properties file located in the "MW_HOME/Oracle_IDM1/server/bin" directory. An example is given below. The metadata_files parameter is not used for importing; it is mentioned for completeness (it is what weblogicDeleteMetadata.sh uses if you later need to remove the task). The absolute path of my XML file is "/home/oracle/importMetadata/flatfile/metadata/FFLookupRecon.xml", so metadata_from_loc is the directory above "metadata" and the file path under it becomes the MDS path.

# Weblogic Server Name on which OIM application is running 

wls_servername=oim_server1

# If you are importing or exporting any out of box event handlers, value is oim. 
# For rest of the out of box metadata, value is OIMMetadata. 
# If you are importing or exporting any custom data, always use application name as OIMMetadata.

application_name=OIMMetadata

# Directory location from which XML file should be imported.
# Lets say I want to import User.xml and it is in the location /scratc/asmaram/temp/oim/file/User.xml, 
# I should give from location value as /scratc/asmaram/temp/oim. Make sure no other files exist 
# in this folder or in its sub folders. Import utility tries to recursively import all the files under the 
# from location folder. This property is only used by weblogicImportMetadata.sh

metadata_from_loc=/home/oracle/importMetadata/flatfile

# Directory location to which XML file should be exported to

metadata_to_loc=

# For example /file/User.xml to export user entity definition. You can specify multiple xml files as comma separated values.
# This property is only used by weblogicExportMetadata.sh and weblogicDeleteMetadata.sh scripts

metadata_files=/metadata/FFLookupRecon.xml

2. Execute the weblogicImportMetadata.sh script located in the "MW_HOME/Oracle_IDM1/server/bin" directory. When running the script, you will be prompted to enter the WebLogic username, password, and Admin Server URL (a t3:// URL).

3. Purge the cache. You will be prompted to enter the OIM administrator credentials and the OIM service URL.

cd  /home/oracle/Oracle/Middleware/Oracle_IDM1/server/bin
./PurgeCache.sh ALL
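The three steps above, as an added example that is not part of the original post: a POSIX shell script that stages a scheduled-task XML, writes the matching weblogic.properties, and refuses to proceed if the staging directory contains anything other than the files to import (the utility imports the whole tree recursively, so a stray backup copy would be pushed into MDS too). The OIM_HOME and FROM_LOC defaults, the task name and the task class com.example.oim.flatfile.FlatFileLookupRecon in the constructed sample XML are assumptions; the XML layout follows the OIM 11g scheduled-task schema (scheduledTasks/task with name, class, retry and parameters).

```shell
#!/bin/sh
# Added example (not from the original post): stage a scheduled-task XML for
# weblogicImportMetadata.sh and check the staging directory before importing.
# Assumed values (change them for your environment): OIM_HOME, FROM_LOC, and
# the task name/class in the constructed sample XML below.

OIM_HOME="${OIM_HOME:-/home/oracle/Oracle/Middleware/Oracle_IDM1}"
FROM_LOC="${FROM_LOC:-/home/oracle/importMetadata/flatfile}"
TASK_XML="metadata/FFLookupRecon.xml"   # path relative to FROM_LOC = MDS path

# Write a minimal scheduled-task definition (constructed sample; the task
# class is hypothetical). The path under metadata_from_loc becomes the MDS
# path, so this file lands at /metadata/FFLookupRecon.xml.
write_task_xml() {   # write_task_xml OUTFILE
  mkdir -p "$(dirname "$1")"
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<scheduledTasks xmlns="http://xmlns.oracle.com/oim/scheduler">
  <task>
    <name>Flat File Lookup Reconciliation</name>
    <class>com.example.oim.flatfile.FlatFileLookupRecon</class>
    <description>Populates Lookup.FF.Roles from the flat file</description>
    <retry>0</retry>
    <parameters>
      <string-param required="true" helpText="Name of the Flat File IT Resource">IT Resource Name</string-param>
      <string-param required="true" helpText="Lookup to populate">Lookup Name</string-param>
    </parameters>
  </task>
</scheduledTasks>
EOF
}

# Write weblogic.properties for the import. metadata_files is ignored by the
# import script but is what weblogicDeleteMetadata.sh needs to roll the task
# back, so it is set to the same MDS path.
write_properties() {   # write_properties OUTFILE FROM_LOC MDS_PATH
  cat > "$1" <<EOF
wls_servername=oim_server1
application_name=OIMMetadata
metadata_from_loc=$2
metadata_to_loc=
metadata_files=$3
EOF
}

# The import utility pushes every file under metadata_from_loc into MDS, so a
# stray backup or editor swap file would be imported too. Succeeds only when
# the directory holds exactly the listed files and each one looks like a
# scheduled-task definition.
check_from_loc() {   # check_from_loc DIR FILE...
  dir="$1"; shift
  found=$(cd "$dir" && find . -type f | sed 's|^\./||' | sort)
  wanted=$(printf '%s\n' "$@" | sort)
  if [ "$found" != "$wanted" ]; then
    echo "refusing to import: $dir must contain only: $*" >&2
    echo "found:" >&2; printf '%s\n' "$found" >&2
    return 1
  fi
  for f in "$@"; do
    grep -q '<scheduledTasks' "$dir/$f" && grep -q '<class>' "$dir/$f" ||
      { echo "$dir/$f is not a scheduled task definition" >&2; return 1; }
  done
}

# Stage into a scratch copy so a failed check touches nothing under OIM_HOME.
WORK=$(mktemp -d)
write_task_xml "$WORK/from/$TASK_XML"
write_properties "$WORK/weblogic.properties" "$FROM_LOC" "/$TASK_XML"
check_from_loc "$WORK/from" "$TASK_XML" && echo "staging looks clean; next steps:"
cat <<EOF
  cp -r $WORK/from/. $FROM_LOC/
  cp $WORK/weblogic.properties $OIM_HOME/server/bin/weblogic.properties
  cd $OIM_HOME/server/bin && ./weblogicImportMetadata.sh   # WebLogic admin credentials, t3://<admin-host>:7001
  cd $OIM_HOME/server/bin && ./PurgeCache.sh ALL           # OIM admin credentials, t3://<oim-host>:14000
EOF
```

The script only prepares and checks; the import and purge commands it prints are the ones from the steps above and still prompt for credentials when you run them. Keeping the scratch copy separate from metadata_from_loc means a rejected staging directory never reaches the import utility.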

To import metadata into MDS using Deployment Manager:

1. Log in to the OIM console, go to the Advanced section, and click Import Deployment Manager File under System Management.

2. Select the XML file to import.


Friday, December 20, 2013

Flat File Connector: Creating Lookups

The lookups given here are needed for the ICF flat file connector demo. To create, modify, or delete a lookup, use the Design Console and navigate to Lookup Definition under Administration.


Main Configuration Lookup
This lookup contains information about the connector bundle (bundle name, bundle version, and connector class name). The ICF uses it to load the connector at run time.


Lookup Name: Lookup.FF.Configuration
Lookup Type
Group: FF

Code Key                  | Decode                                                     | Description
Bundle Name               | org.identityconnectors.flatfile                            | Bundle name which contains the connector SPI implementation
Bundle Version            | 1.0                                                        | Bundle version
Connector Name            | org.identityconnectors.flatfileconnector.FlatFileConnector | Fully qualified name of the connector implementation
User Configuration Lookup | Lookup.FF.UM.Configuration                                 | User configuration lookup naming the provisioning attribute map and reconciliation attribute map

User Configuration Lookup
This lookup names the provisioning attribute map and reconciliation attribute map lookups used by the connector.


Lookup Name: Lookup.FF.UM.Configuration
Lookup Type
Group: FF

Code Key                   | Decode                    | Description
Provisioning Attribute Map | Lookup.FF.UM.ProvAttrMap  | Maps OIM process form fields to target fields; used during provisioning operations.
Recon Attribute Map        | Lookup.FF.UM.ReconAttrMap | Maps OIM reconciliation fields to target fields; used during reconciliation operations.

Provisioning Attribute Map Lookup
This lookup is used by the ICF OIM glue during provisioning operations. It maps OIM process form attributes to target attributes.


Lookup Name: Lookup.FF.UM.ProvAttrMap
Lookup Type
Group: FF

Code Key         | Decode    | Description
ReturnValue      | __UID__   | UID returned by ICF
AccountID        | AccountId | Account ID as represented in flat file
FirstName        | firstName | First name as represented in flat file
LastName         | lastName  | Last name as represented in flat file
Email            | email     | Email as represented in flat file
UD_FLAT_CH~Roles | Role      | Role as represented in flat file (child table UD_FLAT_CH, field label Roles)

General Rule for Single-valued Attributes:
Code Key = <Field label on the Flat File parent process form>
Decode = <Target attribute name>; __UID__ is a special case handled by ICF.

General Rule for Multi-valued Attributes:
Code Key = <CHILD_TABLE_FORM>~<CHILD_FIELD_LABEL>
Decode = <TARGET_ATTRIBUTE>

Roles Lookup for Child Form
The values defined in this lookup are used by the flat file child form. A scheduled task is created to populate this lookup.


Lookup Name: Lookup.FF.Roles
Lookup Type
Group: FF

Reconciliation Attribute Map Lookup
This section covers creating the reconciliation attribute map. The OIM ICF glue refers to this map during reconciliation.



Lookup Name: Lookup.FF.UM.ReconAttrMap
Lookup Type
Group: FF

Code Key    | Decode
AccountId   | AccountId
FirstName   | firstName
LastName    | lastName
Email       | email
Roles~Roles | Role

The Decode values are the target attribute names and must match the Decode values used in Lookup.FF.UM.ProvAttrMap; a mismatch in spelling or case means the attribute is silently not reconciled.

General Rule for Single-valued Attributes: 
Code Key = <Recon Field Name>
Decode = <Target Attribute Name>

General Rule for Multi-valued Attributes:
Code Key = <Recon Multivalued Map Name>~<Recon Field Name>
Decode = <Target Attribute Name>

The reconciliation fields are defined in the reconciliation profile of the flat file resource object. In the Design Console, navigate to Resource Management -> Resource Object, search for FLATFILERESOURCE, and click Object Reconciliation to view the reconciliation profile.

Flat File Connector: Reconciliation Rule

Description: Reconciliation rules are used by the reconciliation engine for entity matching. During reconciliation, when a target system record is pulled into OIM, the reconciliation engine tries to match the target system record with existing OIM user records. The matching process typically compares a specific OIM User profile attribute to an attribute on the target system.

Flat File Connector: Target User Reconciliation Mappings (Recon Fields To Process Form Fields)

Description: Create the reconciliation mapping for the flat file connector for target user reconciliation. The mapping is an association between the reconciliation fields and the process form fields.

Process matching is determined by the key field of the reconciliation mapping. During a target reconciliation run, the process matching rule is applied to each process form of a resource object instance (account). If no match is found, entity matching is performed; it uses the reconciliation rule, which tries to match an attribute in the OIM User profile with a target system attribute.

Flat File Connector: Creating Reconciliation Profile

Description: You will be creating a reconciliation profile for the flat file connector. This consists of creating reconciliation fields and reconciliation action rules.

Reconciliation fields represent the actual fields of the target system. The association between the reconciliation fields and target system fields is defined by a lookup, namely Lookup.*.UM.ReconAttrMap.

Reconciliation action rules define the actions that must be performed based on the outcome of the reconciliation rules. These action rules determine how reconciliation events are processed (e.g. a new provisioned resource is created in Oracle Identity Manager and associated with the corresponding owner identity, or the matched provisioned resource in Oracle Identity Manager is updated to reflect the current state of the target account).

Thursday, December 19, 2013

Flat File Connector: Creating Adapter and Process Tasks for Child Form

Description: You will be creating an adapter that is responsible for performing provisioning operations on the flat file connector roles child form. Then you will create process tasks for insert, delete, and update that use this adapter.

Tuesday, December 17, 2013

Flat File Connector: Creating a Child Process Form

Description: This includes the steps to create a child form for the flat file connector. A target system may have attributes that can store more than one value; for example, a user on the target system can have multiple email addresses. A resource object instance consists of a parent form and one or more child forms. These forms store data about the user account on the target system and are also used during provisioning. Oracle Identity Manager handles the values of multivalued attributes via child forms.

Thursday, December 12, 2013

Flat File Connector: IT Resources

Here you will be creating a Flat File IT Resource and a Connector Server IT Resource for the Flat File Connector.

Follow the steps given below to create an IT Resource in general:
  1. Log in to the Oracle Identity Manager Administrative and User Console (e.g. http://localhost:14000/oim/).
  2. Navigate to the Advanced section and click Create IT Resource under Configuration.


Flat File Connector: Process Definition and Process Tasks

Here you are going to create a process definition for the Flat File connector. Then you will need to create several standard process tasks. To these process tasks you will attach the adapters you created in the Flat File Connector: Creating Adapters for Parent Form section.

The Create User process task is executed whenever you provision a Flat File account to an OIM User. The Delete User process task is called whenever you revoke a user's Flat File account in OIM. The Enable User process task is called whenever you manually enable a user's Flat File account in OIM. For each attribute on the Flat File parent process form, excluding the Server attribute, you will need to create an update process task.

In the Design Console, open Process Definition under Process Management.

Tuesday, December 3, 2013

Flat File Connector: Creating Adapters for Parent Form

To create an adapter, open Adapter Factory under Development Tools in the Design Console. Given here are the important adapters for the flat file connector parent form. These adapters are standard for ICF connectors.

Monday, December 2, 2013

Revoking OIM Accounts using OIM API

Version: Oracle Identity Manager 11g R2
Description: Given here is sample Java code that revokes all user accounts (resource object instances) in OIM. Modify the class variables to match your OIM environment.

Code Overview:
  1. Log in to OIM remotely using the OIM Client.
  2. Get the ProvisioningService service.
  3. Connect to the OIM schema and query the OIU (Object Instance User Mapping) table. This table contains the account ID needed for the revoke method in the ProvisioningService operations.