Configuring the Integration with LDAP Reconciliation From LDAP Identity Store to Oracle Identity Manager

Deployment Configurations 4-25

To synchronize data from Oracle Identity Manager to LDAP, the location of the LDAP must be known to Oracle Identity Manager. The information about the LDAP location is stored in Oracle Identity Manager as the DirectoryServer IT resource. This is a default IT resource provided by Oracle Identity Manager. The various parameters of this IT resource, which you can specify while installing Oracle Identity Manager, allow the connection between Oracle Identity Manager and LDAP.

In order to identify the same entry in Oracle Identity Manager and LDAP, the Distinguished Name (DN) and GUID attributes are used. Each entry in LDAP has the DN attribute, which indicates the unique location of the entry in LDAP. The GUID attribute is a unique ID that identifies the entry. The DN and GUID for users and roles are stored in columns in the user and role tables in the Oracle Identity Manager database.

For information about how to synchronize user-defined fields between Oracle Identity Manager and LDAP, see "Synchronizing User-Defined Fields Between Oracle Identity Manager and LDAP" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

This section describes the following topics:
■ Managing Users
■ Managing Roles
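As an added example (not code from the Oracle documentation), the following Python models how the stored DN and GUID columns let a reconciliation recognise the same entry on both sides: the GUID is matched first because it survives a rename or move, and the DN is only a fallback. The record layouts, action names and sample values are assumptions.

```python
"""Matching LDAP entries to OIM user rows by GUID and DN (added example, not Oracle code).

OIM stores each user's DN (location in the tree) and GUID (a stable identifier); the GUID is
tried first so an entry is still recognised after a rename or move. All records are constructed.
"""
from collections import namedtuple

OimUser = namedtuple("OimUser", "login dn guid")   # login, DN column, GUID column (may be "")
LdapEntry = namedtuple("LdapEntry", "dn guid")

def normalize_dn(dn: str) -> str:
    """Compare DNs case-insensitively, ignoring blanks around ',' and '='."""
    rdns = [[x.strip() for x in rdn.split("=", 1)] for rdn in dn.split(",")]
    return ",".join("=".join(parts) for parts in rdns).lower()

def match_entries(oim_users, ldap_entries):
    """Return {ldap_dn: (action, oim_login)} for each LDAP entry."""
    by_guid = {u.guid: u for u in oim_users if u.guid}
    by_dn = {normalize_dn(u.dn): u for u in oim_users if u.dn}
    actions = {}
    for e in ldap_entries:
        user = by_guid.get(e.guid) or by_dn.get(normalize_dn(e.dn))
        if user is None:
            actions[e.dn] = ("create", None)               # identity not yet in OIM
        elif user.guid and user.guid != e.guid:
            actions[e.dn] = ("guid-conflict", user.login)  # DN reused by a different entry
        elif normalize_dn(user.dn) != normalize_dn(e.dn):
            actions[e.dn] = ("update-dn", user.login)      # same GUID, entry moved or renamed
        elif not user.guid:
            actions[e.dn] = ("set-guid", user.login)       # matched by DN only; fill the GUID
        else:
            actions[e.dn] = ("unchanged", user.login)
    return actions

SAMPLE_USERS = [  # constructed OIM user rows
    OimUser("jdoe", "cn=jdoe,ou=people,dc=example,dc=com", "guid-1"),
    OimUser("asmith", "cn=asmith,ou=people,dc=example,dc=com", ""),
    OimUser("old", "cn=old,ou=people,dc=example,dc=com", "guid-3"),
]
SAMPLE_ENTRIES = [  # constructed LDAP entries
    LdapEntry("cn=jdoe,ou=staff,dc=example,dc=com", "guid-1"),         # entry moved
    LdapEntry("CN=asmith, OU=people, DC=example, DC=com", "guid-2"),   # only DN formatting differs
    LdapEntry("cn=new,ou=people,dc=example,dc=com", "guid-4"),         # not in OIM yet
    LdapEntry("cn=old,ou=people,dc=example,dc=com", "guid-9"),         # DN reused, other GUID
]
```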

4.3.2.1 Managing Users

The following user operations can be performed to synchronize data from Oracle Identity Manager to LDAP:
■ Create user
■ Update user
■ Delete user
■ Enable user
■ Disable user
■ Lock user
■ Unlock user
■ Add role member
■ Delete role member
■ Change password

4.3.2.2 Managing Roles

The following role operations can be performed to synchronize data from Oracle Identity Manager to LDAP:
■ Create role
■ Update role
■ Delete role
■ Add role to a member
■ Add and Update role
■ Remove role from a member
■ Add role hierarchy
■ Remove role hierarchy

Note: Each handler has predefined execute and compensate methods. The execute method runs an operation, such as creating a user. The compensate method is called when an error occurs, to revert the operation performed by the execute method.

4-26 Oracle Fusion Middleware Users Guide for Oracle Identity Manager

4.3.3 Reconciliation From LDAP Identity Store to Oracle Identity Manager

When changes in the identities are made directly in the LDAP identity store, the changes must be replicated to Oracle Identity Manager through authoritative source reconciliation. The identities include users and roles. Reconciling users from LDAP to Oracle Identity Manager works with the general configuration of reconciliation, which includes the scheduled tasks for reconciliation. Role reconciliation works only with LDAP groups. Role reconciliation supports creation, update, and deletion of roles. Role membership reconciliation supports creation and deletion of role memberships driven by changes in an external LDAP directory.

Without roles and users being present in Oracle Identity Manager, role membership reconciliation will fail. Therefore, configure the LDAP synchronization scheduled jobs to run in the following order:
1. Fusion Applications Role Category Seeding
2. LDAP Role Create and Update Reconciliation
3. LDAP Role Hierarchy Reconciliation
4. LDAP User Create and Update Reconciliation
5. LDAP Role Membership Reconciliation

See Also:
■ Reconciliation Configuration on page 4-2 for detailed information about reconciliation
■ Managing Scheduled Tasks in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager for information about the scheduler and scheduled tasks

Note: Instead of using the LDAP synchronization reconciliation jobs to reconcile users from LDAP to Oracle Identity Manager, if the Bulk Load utility is used, then subsequent operations on these users might fail if LDAP synchronization is enabled. To avoid this, all the users that are loaded into Oracle Identity Manager must be updated with correct GUID and DN values, and all these users in LDAP must be updated with the object class orclIDXPerson. For detailed information about the Bulk Load utility, see "Bulk Load Utility" in the Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager.

See Also: Chapter 12, "Managing Roles" for information about roles, role memberships, and role hierarchies

For each of these jobs, except Fusion Applications Role Category Seeding, there is a parallel job that performs full reconciliation. All these jobs, except Fusion Applications Role Category Seeding, perform reconciliation based on change logs, whereas the full reconciliation jobs use the search base to do the reconciliation.

Note: Fusion Applications Role Category Seeding is a predefined scheduled task that is generated only when LDAP synchronization is enabled, along with the other LDAP synchronization scheduled jobs. This job gets all distinct business categories in LDAP and creates them as OIM role categories. For a list of the predefined scheduled jobs, see "Predefined Scheduled Tasks" in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.

5 Integration Solutions

Oracle Identity Manager has a three-tier integration solutions strategy to provide connectors to various heterogeneous identity-aware IT systems. This three-tier strategy is designed to minimize custom development, maximize the reuse of code, and reduce deployment time. The three tiers are:
■ Out-of-the-box integration using predefined connectors and predefined generic technology connector providers
■ Connectors based on custom generic technology connector providers
■ Custom connectors using the Adapter Factory

Figure 5–1 illustrates the three-tier integration solutions strategy of Oracle Identity Manager.
Figure 5–1 Three-Tier Integration Solutions Strategy of Oracle Identity Manager
(Labels recovered from the figure: Predefined Connectors Based on Adapter Factory, for example IBM and Microsoft Active Directory; Predefined Generic Technology Connector Providers, for example SPML Format Provider and Shared Drive Transport Provider; Generic Technology Connector Providers: GUI-Driven Connector Development and Configuration, Registration of Custom Providers; Adapter Factory: Visual Integration Development Environment, GUI-Driven Java Code Generator.)

This chapter discusses the following topics:
■ Predefined Connectors
■ Generic Technology Connectors
■ Custom Connectors
■ Components Common to All Connectors
■ Connector Installation

5.1 Predefined Connectors

When a predefined connector is available for the target resource, this is the preferred integration method. Because a predefined connector is designed specifically for the target application, it offers the quickest integration method. These connectors support popular business applications such as Oracle E-Business Suite, PeopleSoft, Siebel, JD Edwards and SAP, as well as technology applications such as Active Directory, Java Directory Server, UNIX, databases, and RSA ClearTrust. Predefined connectors use target-recommended integration technologies and are preconfigured with application-specific attributes.

5.2 Generic Technology Connectors

Similar to a predefined connector, a generic technology connector acts as the bridge for reconciliation and provisioning operations between Oracle Identity Manager and a target system. In terms of functionality, a generic technology connector can be divided into a reconciliation module and a provisioning module. When you create a generic technology connector, you can specify whether you want to include both modules or only the reconciliation or the provisioning module.

The GTC framework provides basic components that are used to rapidly assemble a custom connector. The reconciliation and provisioning modules of a generic technology connector are composed of the reusable components that you select. Each component performs a specific function during provisioning or reconciliation. The components are:
■ Reconciliation:
– Reconciliation Transport Provider: This provider is responsible for moving the reconciled data from the target system to Oracle Identity Manager.
– Reconciliation Format Provider: This provider parses the message received from the target system, which contains the reconciled data, into a data structure that can be interpreted by the reconciliation engine in Oracle Identity Manager.
– Validation Provider: This provider validates any data received before passing it on to the reconciliation engine.
■ Provisioning:
– Provisioning Format Provider: This provider converts Oracle Identity Manager provisioning data into a format that is supported by the target system.
– Provisioning Transport Provider: This provider carries the provisioning message received from the Provisioning Format Provider to the target system.

Figure 5–2 shows the functional architecture of a generic technology connector.

See Also: Predefined Scheduled Tasks for information about predefined connector installation in the Oracle Fusion Middleware Administrator's Guide for Oracle Identity Manager.
Figure 5–2 Functional Architecture of a Generic Technology Connector

Generic technology connectors have the following features:
■ Features specific to the reconciliation module are:
– Generic technology connector in trusted source reconciliation: A generic technology connector can be used for trusted source reconciliation. During reconciliation in trusted mode, if the reconciliation engine detects new target system accounts, then it creates corresponding OIM Users. If the reconciliation engine detects changes to existing target system accounts, then the same changes are made in the corresponding OIM Users.
– Generic technology connector in account status reconciliation: User account status information is used to track whether or not the owner of a target system account is to be allowed to access and use the account. If the target system does not store account status information in the format in which it is stored in Oracle Identity Manager, then you can use the predefined Translation Transformation Provider to implement account status reconciliation.
– Generic technology connector in full or incremental reconciliation: While creating a generic technology connector, you can specify whether you want to use the connector for full or incremental reconciliation. In incremental reconciliation, only target system records that have changed after the last reconciliation run are reconciled into Oracle Identity Manager. In full reconciliation, all the reconciliation records are extracted from the target system.
– Generic technology connector for batched reconciliation: To exercise more control over the reconciliation process, you can use the generic technology connector to specify a batch size for reconciliation. By doing this, you can break into batches the total number of records that the reconciliation engine fetches from the target system during each reconciliation run.
– Generic technology connector in reconciliation of multivalued attribute data (child data) deletion: You can specify whether or not you want to reconcile

See Also: Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager for detailed information about the functional architecture, configuration, and functionalities of the generic technology connector

(Figure 5–2 labels recovered from the diagram: Generic Technology Connector; Oracle Identity Manager; Target System; OIM Data Sets; Reconciliation Module: Source Data Sets, Reconciliation Transport Provider, Reconciliation Format Provider, Validation Providers, Transformation Providers, Reconciliation Staging Data Sets; Provisioning Module: Provisioning Format Provider, Transformation Providers, Provisioning Staging Data Sets, Provisioning Transport Provider.)
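As an added example that is not Oracle's GTC code, this Python sketch chains the reconciliation-module roles described above (transport, format and validation providers plus a status translation) together with the incremental and batched reconciliation features; the message layout, field names, status codes and function names are constructed assumptions.

```python
"""A miniature GTC reconciliation module (added example, not Oracle's GTC code).

It chains the provider roles the text lists (transport -> format -> validation),
applies a status translation, and implements incremental and batched
reconciliation in plain Python. The message, field names and codes are constructed.
"""
import csv
import io

SAMPLE_MESSAGE = (  # constructed target-system export, as a transport provider would fetch it
    "user_id,email,status,modified\n"
    "u100,ann@example.com,A,2024-03-01T10:00:00\n"
    "u101,bob@example.com,I,2024-03-02T09:30:00\n"
    "u102,,A,2024-03-03T08:15:00\n"
    "u103,dan@example.com,X,2024-03-04T11:45:00\n"
)
STATUS_MAP = {"A": "Active", "I": "Disabled"}  # translation table: target code -> OIM status

def transport_provider():
    """Reconciliation Transport Provider: move the raw message from the target to OIM."""
    return SAMPLE_MESSAGE

def format_provider(message):
    """Reconciliation Format Provider: parse the message into record dicts."""
    return list(csv.DictReader(io.StringIO(message)))

def validation_provider(record):
    """Validation Provider: reject records the reconciliation engine must not see."""
    return bool(record["user_id"]) and "@" in record["email"] and record["status"] in STATUS_MAP

def translate_status(record):
    """Translation Transformation Provider: map target status codes to OIM values."""
    return {**record, "status": STATUS_MAP[record["status"]]}

def reconcile(last_run=None, batch_size=2):
    """Return (batches, rejected_ids). last_run=None is a full run over every record;
    a timestamp makes the run incremental: only records modified after it are reconciled."""
    records = format_provider(transport_provider())
    if last_run is not None:
        records = [r for r in records if r["modified"] > last_run]  # ISO-8601 sorts as text
    accepted, rejected = [], []
    for r in records:
        (accepted if validation_provider(r) else rejected).append(r)
    accepted = [translate_status(r) for r in accepted]
    batches = [accepted[i:i + batch_size] for i in range(0, len(accepted), batch_size)]
    return batches, [r["user_id"] for r in rejected]
```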