Planning the Deployment Directory Information Tree in an Integration with a Third-Party Directory

Third-Party Directory Integration Concepts and Considerations 16-11

Figure 16–3 Interaction Among Components with Oracle Internet Directory as the Central Enterprise Directory

As Figure 16–3 on page 16-11 shows, when Oracle Internet Directory is the central enterprise directory, typical provisioning of a user or group follows this process:

1. The user or group entry is created in Oracle Internet Directory by using the Oracle Internet Directory Self-Service Console or command-line tools.

2. At the next scheduled interval, that entry creation event is read by the third-party directory connector in Oracle Directory Integration Platform.

3. Following the mapping information in the integration profile, the user or group attributes in Oracle Internet Directory are mapped to the corresponding user or group attributes as required by the schema in the third-party directory.

4. The user or group entry is created in the third-party directory.

A user entry is modified in Oracle Internet Directory when:

■ A new attribute is added to the entry.

■ The value of an existing attribute is modified.

■ An existing attribute is deleted.

When Oracle Internet Directory is the central enterprise directory, the sequence of events during modification of a user or group entry is as follows:

1. The entry is modified by using the Oracle Internet Directory Self-Service Console or Oracle Enterprise Manager Fusion Middleware Control.

2. At the next scheduled interval, that entry modification event is read by the third-party directory connector in Oracle Directory Integration Platform.

3. Following the mapping information in the integration profile, the attribute in Oracle Internet Directory is mapped to the corresponding attribute in the connected directory.

4. The user entry is modified in the third-party directory.
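The two procedures above (entry creation and entry modification, both driven by the third-party directory connector reading change events at a scheduled interval and applying the integration profile's mapping) can be modelled in a few dozen lines. The following is an added example written for this page, not code from Oracle Directory Integration Platform; the change-log records, the attribute mapping, the third-party schema names (including the hypothetical sourceGUID target attribute) and the change-number watermark are all constructed for the illustration. It shows one point the steps alone do not make explicit: attributes with no mapping in the profile are simply not propagated, and the three kinds of modification (attribute added, value replaced, attribute deleted) each become a distinct operation on the connected directory.

```python
"""Simulated change-log driven export from Oracle Internet Directory (OID) to a
third-party directory.  Added example for illustration; not Oracle code.
Mapping rules, change records and the watermark model are constructed."""

from dataclasses import dataclass, field

# Constructed stand-in for the mapping rules of an integration profile:
# OID attribute name -> attribute name required by the third-party schema.
# Attributes absent from this map are never sent to the third-party directory.
ATTRIBUTE_MAP = {
    "cn": "cn",
    "sn": "sn",
    "mail": "mail",
    "orclguid": "sourceGUID",   # hypothetical target attribute, assumed for the example
}


@dataclass
class ChangeEvent:
    """One change record as the connector reads it at a scheduled interval."""
    change_number: int
    change_type: str                                 # "add" or "modify"
    dn: str
    attributes: dict = field(default_factory=dict)   # full entry, for "add"
    mods: list = field(default_factory=list)         # (op, attr, values), for "modify"


class ThirdPartyDirectory:
    """Minimal in-memory connected directory (constructed for the example)."""

    def __init__(self):
        self.entries = {}

    def add(self, dn, attrs):
        if dn in self.entries:
            raise KeyError(f"entry already exists: {dn}")
        self.entries[dn] = {a: list(v) for a, v in attrs.items()}

    def modify(self, dn, op, attr, values):
        entry = self.entries[dn]
        if op == "add":                      # a new attribute or value is added
            current = entry.setdefault(attr, [])
            current.extend(v for v in values if v not in current)
        elif op == "replace":                # the value of an existing attribute changes
            entry[attr] = list(values)
        elif op == "delete":                 # an existing attribute is removed
            entry.pop(attr, None)
        else:
            raise ValueError(f"unknown modify op: {op}")


def map_attributes(oid_attrs):
    """Step 3: apply the profile mapping; unmapped attributes are dropped."""
    return {ATTRIBUTE_MAP[a]: v for a, v in oid_attrs.items() if a in ATTRIBUTE_MAP}


def apply_change(event, target):
    """Step 4: create or modify the entry in the third-party directory."""
    if event.change_type == "add":
        target.add(event.dn, map_attributes(event.attributes))
    elif event.change_type == "modify":
        for op, attr, values in event.mods:
            if attr not in ATTRIBUTE_MAP:    # no mapping rule: nothing to propagate
                continue
            target.modify(event.dn, op, ATTRIBUTE_MAP[attr], values)
    else:
        raise ValueError(f"unknown change type: {event.change_type}")


def run_sync_cycle(changelog, target, last_applied):
    """Step 2: one scheduled interval.  Applies every record newer than the
    watermark in change-number order and returns the new watermark."""
    pending = sorted((e for e in changelog if e.change_number > last_applied),
                     key=lambda e: e.change_number)
    for event in pending:
        apply_change(event, target)
        last_applied = event.change_number
    return last_applied


# Constructed change records: one creation, then two modifications.
DN = "cn=jdoe,cn=users,dc=example,dc=com"
CHANGELOG = [
    ChangeEvent(1, "add", DN, attributes={
        "cn": ["jdoe"], "sn": ["Doe"], "mail": ["jdoe@example.com"],
        "telephonenumber": ["555-0100"],      # not in the mapping: stays in OID only
    }),
    ChangeEvent(2, "modify", DN, mods=[
        ("add", "mail", ["j.doe@example.com"]),
        ("replace", "sn", ["Doe-Smith"]),
        ("delete", "telephonenumber", []),    # skipped: no mapping rule
    ]),
    ChangeEvent(3, "modify", DN, mods=[("delete", "mail", [])]),
]


def demo():
    """Two scheduled intervals: the first sees records 1-2, the second only record 3."""
    target = ThirdPartyDirectory()
    watermark = run_sync_cycle(CHANGELOG[:2], target, 0)
    watermark = run_sync_cycle(CHANGELOG, target, watermark)
    return target.entries, watermark


if __name__ == "__main__":
    print(demo())
```

Because the watermark is only advanced after a record is applied, re-running a cycle with the same change log is a no-op, which is the property a connector relies on when it is restarted between intervals.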

16.2.2.2 Third-Party Directory as the Central Enterprise Directory

If a third-party directory is the central enterprise directory, then, once the user, group, and realm objects are created, the third-party directory becomes the source of provisioning information for all Oracle components and other directories. In this case, Oracle Internet Directory is deployed to support Oracle components. To provide this support, Oracle Internet Directory stores a footprint that enables it to identify entries in the third-party directory. Table 16–2 describes the typical requirements in this deployment.

New users or groups created in the third-party directory are automatically synchronized into Oracle Internet Directory by the Oracle Directory Integration Platform. Before the provisioning can take place, a one-way synchronization between the third-party directory and Oracle Internet Directory must be established. Figure 16–4 shows a typical deployment where a third-party directory is the central enterprise directory.

[Figure 16–4: components shown are Oracle Internet Directory, Oracle Directory Integration Platform with its Third-Party Directory Connector, and the Third-Party Connected Directory; the flows are labelled User Administration and Sync and numbered 1 to 4.]

16-12 Oracle Fusion Middleware Administrator's Guide for Oracle Directory Integration Platform

Table 16–2 Typical Requirements with a Third-Party Directory as the Central Enterprise Directory

Requirement: Initial startup
Description: The syncProfileBootstrap command populates Oracle Internet Directory with users and groups stored in the third-party directory. You can choose to manage user information, including password credentials, in the third-party directory only. In such deployments, to enable single sign-on in the Oracle environment, the Oracle Directory Integration Platform can synchronize only those user entry attributes required by Oracle components. Passwords are not migrated from the third-party directory to Oracle Internet Directory.

Requirement: Synchronization
Description: The central directory for user and group information is a third-party directory. Changes to user and group information in the third-party directory are synchronized with Oracle Internet Directory by the Oracle Directory Integration Platform when an import profile has been configured. Synchronization from Oracle Internet Directory to the third-party directory is achieved by configuring an export profile.

Requirement: Passwords and password verifiers
Description: Passwords are managed in the third-party directory. The Oracle Directory Integration Platform does not synchronize password changes into Oracle Internet Directory.

Requirement: Oracle Application Server Single Sign-On
Description: Users log in to the Oracle environment only once by using the OracleAS Single Sign-On Server. Users with credentials only in the third-party directory are authenticated by the Oracle directory server invoking the external authentication plug-in. Users with credentials in Oracle Internet Directory are authenticated locally by the Oracle directory server.

Requirement: Third-party directory external authentication plug-in
Description: When user credentials are managed in the third-party directory, this plug-in is required. To authenticate a user, the OracleAS Single Sign-On Server calls upon the Oracle directory server. The plug-in then performs the authentication of the user against the user credentials stored in the third-party directory.
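Table 16–2 makes three connected points: the import profile copies only the attributes Oracle components need and never the password, Oracle Internet Directory keeps a footprint that identifies the source entry, and at login the Oracle directory server authenticates locally when it holds a credential and otherwise invokes the external authentication plug-in against the third-party directory. The following added example, written for this page and not code from Oracle Internet Directory or OracleAS Single Sign-On, simulates that arrangement end to end. The import profile attribute set, the footprint attribute name (sourceEntryId), the PBKDF2 verifier scheme and every user entry are constructed; Oracle's own verifier formats and plug-in interface are not reproduced.

```python
"""Simulation of the Table 16-2 deployment: one-way import without passwords,
footprint bookkeeping, and local-versus-external authentication routing.
Added example; not Oracle code.  All names, entries and the hashing scheme are
constructed for illustration."""

import hashlib
import hmac
import os

# Constructed import profile: the only attributes copied into OID.
# 'userpassword' is deliberately absent, so passwords stay in the third-party directory.
IMPORT_PROFILE_ATTRIBUTES = {"uid", "cn", "sn", "mail"}
FOOTPRINT_ATTR = "sourceEntryId"   # assumed name for the footprint OID keeps
ITERATIONS = 100_000


def make_verifier(password, salt=b""):
    """Salted PBKDF2 verifier (constructed scheme, not OID's verifier format)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def check_verifier(password, verifier):
    """Constant-time comparison of a candidate password against a stored verifier."""
    salt, digest = verifier
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class ThirdPartyDirectory:
    """Authoritative user store, including the credentials (constructed)."""

    def __init__(self):
        self.entries = {}              # source entry id -> attributes

    def add_user(self, entry_id, attrs, password):
        self.entries[entry_id] = dict(attrs, userpassword=make_verifier(password))

    def bind(self, entry_id, password):
        entry = self.entries.get(entry_id)
        return entry is not None and check_verifier(password, entry["userpassword"])


class ExternalAuthPlugin:
    """Stands in for the third-party directory external authentication plug-in:
    the Oracle directory server hands it the footprint and the password to check."""

    def __init__(self, third_party):
        self.third_party = third_party

    def authenticate(self, footprint, password):
        return self.third_party.bind(footprint, password)


def import_profile_sync(third_party, oid):
    """One-way import into OID: copy only profile attributes and record the
    footprint.  Returns the uids imported.  Passwords are never copied."""
    imported = []
    for entry_id, attrs in third_party.entries.items():
        oid_entry = {a: v for a, v in attrs.items() if a in IMPORT_PROFILE_ATTRIBUTES}
        oid_entry[FOOTPRINT_ATTR] = entry_id
        oid[attrs["uid"]] = oid_entry
        imported.append(attrs["uid"])
    return imported


def authenticate(oid, plugin, uid, password):
    """Routing the Oracle directory server performs for OracleAS Single Sign-On.
    Returns 'local', 'external' or 'denied'."""
    entry = oid.get(uid)
    if entry is None:
        return "denied"
    if "userpassword" in entry:                 # credential held in OID: verify locally
        return "local" if check_verifier(password, entry["userpassword"]) else "denied"
    if FOOTPRINT_ATTR in entry:                 # credential only in the third party: delegate
        return "external" if plugin.authenticate(entry[FOOTPRINT_ATTR], password) else "denied"
    return "denied"


def build_demo():
    """Constructed deployment: one imported user, one user administered in OID."""
    third_party = ThirdPartyDirectory()
    third_party.add_user("tp-0001", {
        "uid": "jdoe", "cn": "Jane Doe", "sn": "Doe",
        "mail": "jdoe@example.com", "telephonenumber": "555-0100",   # not in the profile
    }, "correct horse")
    oid = {}
    import_profile_sync(third_party, oid)
    oid["oidadmin"] = {"uid": "oidadmin", "cn": "OID Admin",
                       "userpassword": make_verifier("s3cret")}  # local credential
    return oid, ExternalAuthPlugin(third_party)


if __name__ == "__main__":
    oid, plugin = build_demo()
    for user, pw in [("jdoe", "correct horse"), ("oidadmin", "s3cret"), ("jdoe", "wrong")]:
        print(user, authenticate(oid, plugin, user, pw))
```

The routing order matters: an entry that somehow carried both a local verifier and a footprint would be authenticated locally and the third-party directory would never be consulted, which is why a deployment that keeps passwords only in the third-party directory must also keep the import profile from ever writing a password attribute into Oracle Internet Directory.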