In the IT resource of the connector, create the TopologyName parameter if it does

27-22 Oracle Fusion Middleware Developer's Guide for Oracle Identity Manager

b. Navigate to process-template/APPLICATION_NAME/PROJECT_NAME and open PROJECT_NAME.jpr from JDeveloper, where APPLICATION_NAME and PROJECT_NAME are the names of the application and project respectively. The PROJECT_NAME.jpr workflow is the same as the DefaultRequestApproval workflow. You can modify this workflow to call the SoDCheck Web Service. Figure 27–9 shows the default workflow modified to perform the SoD check after human approval.

Figure 27–9 Modified Workflow To Perform SoD Check

c. Extract OIM_HOME/workflows/composites/DefaultSODApproval.zip and copy asyncsod.wsdl from the extracted directory to OIM_HOME/workflows/process-template/APPLICATION_NAME/PROJECT_NAME. Add a Web service, such as SODCheckService1, in the composite.xml and provide asyncsod.wsdl as the WSDL file. The SoDCheck partner link is shown in Figure 27–10.

Note: BPEL connects to all external entities through a partner link.

Figure 27–10 SoD Check Partner Link

d. In the ApprovalProcess.bpel design, include the following BPEL activities:

– ASSIGN: An assign activity must be added before calling the SoD Check Web Service. This activity initializes the parameters required to call the Web Service. To create an assign activity:

i. Drag and drop the activity in the BPEL process opened in JDeveloper.

ii. After the activity is created, double-click the activity, and click the Copy Operation tab.

iii. Click Add, and then select Copy Operation. Provide the values for the variables, as shown in Table 27–1.

Table 27–1 Variables to Assign

Copy From: XML Fragment
  <EndpointReference xmlns="http://www.w3.org/2005/08/addressing"><Address/></EndpointReference>
Copy To: Variable partnerlink

Copy From: Expression
  concat(substring-before(bpws:getVariableData('inputVariable','payload','/client:process/ns1:url'),'workflowservice/CallbackService'),'sodcheck/SoDCheckInitiateService')
Copy To: Variable partnerlink, EndpointReference, Address

Copy From: Variable partnerlink
Copy To: Partner Link SODCheckService1

Copy From: Variable Payload, RequestId
Copy To: Variable SODInvoke_initiate_InputVariable, where SODInvoke_initiate_InputVariable is the variable defined in the Invoke BPEL activity

The second copy operation derives the SoD check endpoint from the Oracle Identity Manager callback URL carried in the request payload, so the composite calls back the same Oracle Identity Manager instance that sent the request. Figure 27–11 shows the final assign activity.

Figure 27–11 Final Assign Activity

– INVOKE: The details for this activity are:

Interaction Type: Partnerlink
Partnerlink: SODCheckService
Operation: Initiate
Input Variable: SODInvoke_initiate_InputVariable

Figure 27–12 shows the Invoke dialog box with sample values in the fields.

Figure 27–12 The Invoke Dialog Box

– RECEIVE: The details for this activity are:

Interaction Type: Partnerlink
Partnerlink: SODCheckService
Operation: Result
Variable: SODResultReceive_result_InputVariable

Figure 27–13 shows the Receive dialog box with sample values in the fields.

Figure 27–13 The Receive Dialog Box

– SWITCH: This activity switches between workflows based on the SoD check result.
The switch case is shown in Figure 27–14.

Figure 27–14 Switch Case

– New Human Tasks: A new human task may be created and assigned to an approver other than the system administrator. The new approval task is the same as the one already present in the workflow, except that the approver is different. This human task is used in the switch case. For example, if the SoD check passes, then the approval task can be assigned to a role. If the SoD check fails, then the approval task can be assigned to the SoD administrators role. DefaultSODApproval always assigns the approval task to the SoD administrators role.

e. Applying SAML policy for request and callback for the AsyncSoD Web service: The OWSM SAML token with Message Protection policy, which is based on Security Assertion Markup Language (SAML), is used as the security policy for message protection in asynchronous calls for SoD checks from the SOA composite to Oracle Identity Manager. In the asynchronous SoD check Web service, it is mandatory to use the SAML token with Message Protection Client Policy for the request and the SAML token with Message Protection Service Policy for the callback, as described in this section. The client policy protects the request the composite sends; the service policy on the callback is what authenticates and protects the SoD result coming back from Oracle Identity Manager, so without it the composite would accept a result from any caller able to reach the callback endpoint.

Note: The SoDCheck Web service can be called multiple times.

To apply the SAML token with Message Protection Client Policy for the request:

i. Right-click the AsynchSoD Web service, select Configure WS Policies, and then select For Request, as shown in Figure 27–15.

Figure 27–15 Configuring WS Policies for Request

ii. In the Configure SOA WS Policies dialog box, in the Security section, click the plus (+) icon to add a security policy.

iii. In the Select Client Security Policies dialog box, select wss11_saml_token_with_message_protection_client_policy as shown in Figure 27–16, and then click OK.

Figure 27–16 Select Client Security Policies

To apply the SAML or Username token with Message Protection Service Policy for the callback:

i. Right-click the AsynchSoD Web service, select Configure WS Policies, and then select For Callback.

ii. In the Configure SOA WS Policies dialog box, in the Security section, click the plus (+) icon to add a security policy.

iii. In the Select Server Security Policies dialog box, select wss11_saml_or_username_token_with_message_protection_service_policy as shown in Figure 27–17, and then click OK.

Figure 27–17 Select Server Security Policies

f. Compile the project to see if there are any errors. If there are no errors, then right-click the project, and select Deploy.
In the dialog box that is displayed, select any one of the following options:

– Deploy to Application Server: Select this option and then select the appropriate server. The workflow is directly deployed to the application server.

– Deploy to JAR: A JAR file is created under the JDeveloper deploy directory with the name sca_PROJECT_NAME_rev1.0.jar, where PROJECT_NAME is the name of the project.

g. From the SOA_HOME/bin directory, deploy the workflow on the SOA server by running the following command:

ant -f ant-sca-deploy.xml -DserverURL=http://SOA_SERVER_HOSTNAME:SOA_PORT -DsarLocation=JDeveloper/deploy/sca_PROJECT_NAME_rev1.0.jar -Duser=SOA_USER -Dpassword=SOA_PASSWORD

Note:
■ In this guide, SOA_HOME refers to the directory in which the SOA server is installed.
■ Before running this command, ensure that the SOA server is running.
■ The value given to -Dpassword is recorded in the shell history and is visible in the process list of the host while ant runs. Use an account that has only the rights needed to deploy composites, and avoid recording the command in the shell history.

This deploys a new composite on the SOA server. You can check that the composite is deployed by navigating to the following URL:

http://SOA_SERVER_HOSTNAME:SOA_PORT/soa-infra

In the URL, replace SOA_SERVER_HOSTNAME with the host name of the SOA server, and SOA_PORT with the port on which the SOA server is listening.

h. Restart the SOA server.

Registering the Workflow

a. In the OIM_HOME/workflows/registration directory, create a NEW_PROJECT_NAME.props file by copying DefaultRequestApproval.props. Modify NEW_PROJECT_NAME.props by changing the name attribute. Here, NEW_PROJECT_NAME is the name of the new project that you created. The NEW_PROJECT_NAME.props file has the following contents:

# This is the input file for registering the default workflow <new project name>
name=NEW_PROJECT_NAME
category=Approval
providerType=BPEL
serviceName=RequestApprovalService
domainName=default
version=1.0
payLoadID=payload
operationID=process
listOfTasks=ApprovalTask

Here:

– The version parameter is the version of the workflow deployed on BPEL.

– The listOfTasks parameter is the colon-separated list of approval tasks. For example, if you add a new approval task named ApprovalTask1, then you must provide ApprovalTask:ApprovalTask1 as the value for this parameter.

b. Run OIM_HOME/workflows/registration/registerworkflows-mp.xml as shown:

Note: You must replace the following with valid values:
■ SOA_SERVER_HOSTNAME
■ SOA_PORT
■ PROJECT_NAME
■ SOA_USER
■ SOA_PASSWORD

See Also: Chapter 25, "Developing SOA Composites", for the general procedure for creating a new workflow and registering it with Oracle Identity Manager.
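The deployment and registration steps above (step e's policy attachment, step g's deploy command, and steps a and b under Registering the Workflow) as a small POSIX shell helper. This is an added example and is not code from the Oracle guide or from Oracle Identity Manager. It creates NEW_PROJECT_NAME.props from the default file by changing only the name (and listOfTasks) line, as step a describes; checks the file before registration; checks that composite.xml references both OWSM policies from step e; and prints the ant-sca-deploy.xml command from step g. Only the names that appear on this page are taken from the guide (OIM_HOME, SOA_HOME, NEW_PROJECT_NAME, ant-sca-deploy.xml, the two policy names, the .props keys). The default .props contents and the composite.xml lines are constructed sample input; the `URI="oracle/..."` form of the policy reference is the form JDeveloper writes for an attached OWSM policy and should be confirmed against your composite.xml. Reading user and password through ant's standard -propertyfile option instead of -Duser/-Dpassword assumes that ant-sca-deploy.xml consumes them as ordinary ant properties, which is what the -D form in step g implies.

```shell
#!/bin/sh
# Added example (not from the Oracle guide). Helpers for the deploy and
# registration steps of a customized SoD approval composite.

# Constructed stand-in for OIM_HOME/workflows/registration/DefaultRequestApproval.props
write_default_props() {                      # $1 = output path
    cat > "$1" <<'EOF'
# This is the input file for registering the default workflow
name=DefaultRequestApproval
category=Approval
providerType=BPEL
serviceName=RequestApprovalService
domainName=default
version=1.0
payLoadID=payload
operationID=process
listOfTasks=ApprovalTask
EOF
}

# make_props SRC DST NAME [TASKS]: copy the default file and change only the
# name line (and listOfTasks, if extra human tasks were added in step d).
make_props() {
    sed -e "s/^name=.*/name=$3/" \
        -e "s/^listOfTasks=.*/listOfTasks=${4:-ApprovalTask}/" "$1" > "$2"
}

# check_props FILE: returns 0 if every key the registration needs occurs
# exactly once and listOfTasks is a non-empty colon-separated list
# (no spaces, commas, or empty entries).
check_props() {
    for k in name category providerType serviceName domainName version \
             payLoadID operationID listOfTasks; do
        n=$(grep -c "^$k=" "$1" || true)
        [ "$n" -eq 1 ] || { echo "check_props: key '$k' found $n times" >&2; return 1; }
    done
    tasks=$(sed -n 's/^listOfTasks=//p' "$1")
    case "$tasks" in
        ''|*' '*|*,*|:*|*:|*::*) echo "check_props: bad listOfTasks '$tasks'" >&2; return 1 ;;
    esac
    return 0
}

# check_policies COMPOSITE_XML: returns 0 only if the request (client) policy
# and the callback (service) policy from step e are both referenced. A
# composite deployed without them sends the SoD request, and accepts the
# result, with no WS-Security protection at all.
check_policies() {
    grep -q 'URI="oracle/wss11_saml_token_with_message_protection_client_policy"' "$1" &&
    grep -q 'URI="oracle/wss11_saml_or_username_token_with_message_protection_service_policy"' "$1"
}

# deploy_cmd HOST PORT JAR CREDFILE: print the step g command. CREDFILE holds
# user=... and password=... (mode 0600) and is passed with ant's -propertyfile
# option, so the SOA password is not typed on the command line.
deploy_cmd() {
    printf 'ant -f ant-sca-deploy.xml -propertyfile %s -DserverURL=http://%s:%s -DsarLocation=%s\n' \
        "$4" "$1" "$2" "$3"
}

# soa_infra_status HOST PORT: HTTP status of /soa-infra after the deploy;
# anything other than 200 (or a login redirect) means the composite is not up.
soa_infra_status() {
    curl -s -o /dev/null -w '%{http_code}' "http://$1:$2/soa-infra"
}

# Usage, with the guide's placeholders:
#   write_default_props DefaultRequestApproval.props   # or use the real file
#   make_props DefaultRequestApproval.props NEW_PROJECT_NAME.props NEW_PROJECT_NAME ApprovalTask:ApprovalTask1
#   check_props NEW_PROJECT_NAME.props && check_policies composite.xml \
#     && deploy_cmd SOA_SERVER_HOSTNAME SOA_PORT JDeveloper/deploy/sca_NEW_PROJECT_NAME_rev1.0.jar soa.creds
```

Run check_props and check_policies before the deploy rather than after: a wrong listOfTasks value only surfaces when the registration script rejects the file, and a missing callback policy does not stop the composite from deploying, it only leaves the SoD result unauthenticated.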