The SPML XSD Web Service uses Oracle Identity Manager as a back-end service to provide provisioning functionality to Fusion applications. A key building block of the SPML Web Service is the SPML Provisioning Service Object (PSO), which defines the object to be provisioned. Examples of PSOs are identity and role.
This appendix lists the supported PSO attributes and their LDAP mappings, explains the character restrictions on Oracle Identity Manager attributes, and describes the additional operational data that an application can pass to the SPML Web Service.
Table B-1 shows identity attributes supported by the SPML implementation in Oracle Identity Manager and how these attributes map to LDAP objects/attributes.
Note: The Syntax column lists the relevant properties of each attribute, such as its type, whether it is required, and whether it is single-valued.
Table B-1 Identity PSO Attributes

SPML Attribute Name | Syntax | Description | LDAP Mapping (Oracle Internet Directory) |
---|---|---|---|
ID | String, Read-Only, Required, Single | The identifier used to identify a user in a modify request. | orclUserV2: orclguid |
activeEndDate | Timestamp, Single | Termination date and time for the user. | orclUserV2: orclActiveEndDate |
activeStartDate | Timestamp, Single | Activation date and time for the user. | orclUserV2: orclActiveStartDate |
commonName | String, Required | The common names of the person, typically the person's full name and any variations of it. | person: cn |
countryName | String, Single | The business country of the person, expressed as a two-letter [ISO3166] country code. | orclUserV2: c |
departmentNumber | String, Single | Codes for the departments within an organization to which this person belongs. The code can be strictly numeric or alphanumeric. | inetOrgPerson: departmentNumber |
description | String, Single | Human-readable descriptive phrases about the person. | person: description |
displayName | String, Single, MLS | The preferred name to use when displaying an entry for the person. Provides MultiLingual Support (MLS) and also accepts language values for the locale, for example "en" and "fr". | inetOrgPerson: displayName |
employeeNumber | String, Single | Numeric or alphanumeric identifier assigned to a person, typically based on order of hire or association with an organization. | inetOrgPerson: employeeNumber |
employeeType | String, Single | Identifies the type of employee. For the list of valid values, see Table B-2. | inetOrgPerson: employeeType |
facsimileTelephoneNumber | String, Single | Telephone numbers for the person's business facsimile (FAX) terminals. | organizationalPerson: facsimileTelephoneNumber |
generationQualifier | String, Single | Name strings that are typically the suffix part of the person's name (for example, "III", "3rd", "Jr."). | N/A |
givenName | String, Single | Name strings that are part of a person's name but are not the surname (for example, the first name). | inetOrgPerson: givenName |
hireDate | Timestamp, Single | Date of hire. | orclUserV2: orclHireDate |
homePhone | String, Single | Home telephone numbers associated with the person. | inetOrgPerson: homePhone |
homePostalAddress | String, Single | The home postal addresses of the person. | inetOrgPerson: homePostalAddress |
initials | String, Single | Some or all of an individual's names, except the surname(s). | inetOrgPerson: initials |
localityName | String, Single | Names of a business locality or place, such as a city, county, or other geographic region. | N/A |
| | String, Single | Business Internet mail addresses of the person in Mailbox [RFC2821] form. | inetOrgPerson: mail |
manager | String, Single | The manager of the person. | N/A |
middleName | String, Single | The middle names of the person. | orclUserV2: middleName |
mobile | String, Single | Mobile telephone numbers associated with the person. | inetOrgPerson: mobile |
organization | String, Single | Name of an organization, for example, my_company. | organization |
organizationUnit | String, Single | Name of a unit within an organization, for example, IT Support. | organizationalUnitName |
pager | String, Single | The business pager telephone numbers of the person. | inetOrgPerson: pager |
password | String, Single | Password of the user. | person: userPassword |
postalAddress | String, Single | Business addresses used by a postal service to perform services for the person. | organizationalPerson: postalAddress |
postalCode | String, Single | Codes used by a postal service to identify postal service zones of the person's business. | organizationalPerson: postalCode |
postOfficeBox | String, Single | Postal box identifiers that a postal service uses when a customer arranges to receive mail at a box on the premises of the postal service. | organizationalPerson: postOfficeBox |
preferredLanguage | String, Single | The preferred written or spoken language for the person. This is useful for international correspondence or human-computer interaction. Values for this attribute type MUST conform to the definition of the Accept-Language header field defined in [RFC2068], with one exception: the sequence "Accept-Language" ":" should be omitted. | inetOrgPerson: preferredLanguage |
state | String, Single | Full names of business states or provinces of the person. | organizationalPerson: st |
street | String, Single | Site information from a business postal address (that is, the street name, place, avenue, and the house number) of the person. | organizationalPerson: street |
surname | String, Single | Name strings for the family names (last name) of the person. | person: sn |
telephoneNumber | String, Single | Business telephone number of the person. | organizationalPerson: telephoneNumber |
title | String, Single | Title of the person in their organizational context. | organizationalPerson: title |
username | String, Single | Computer system login names associated with the person. | uid |
userType | String, Single | The type of user. This attribute is used to grant Design Console access to end users. The allowed values are true and false. | |
Table B-2 shows the valid values for the employeeType attribute:

Table B-2 Valid Values of employeeType

Value | Meaning |
---|---|
Full-Time | Full-Time Employee |
Part-Time | Part-Time Employee |
Temp | Temp |
Intern | Intern |
Consultant | Consultant |
Contractor | Contractor |
EMP | Employee |
CWK | Contingent Worker |
NONW | Non Worker |
OTHER | Other Employee Type |
Note: Oracle Identity Manager passes only the codes shown in the Value column; the meaning of each code is shown for reference.
Custom attributes are provided to support Oracle Identity Manager functionality; these attributes are present in Oracle Identity Manager (such as when a user-defined field is added) but not in the PSO.
The custom attribute name must match the attribute name specified in the corresponding request dataset for the mapping to work end-to-end.
Here are some examples of custom attributes:
```xml
...
<data>
  <pso:identity>
    <pso:attributes>
      <pso:attr name="Number Format">
        <pso:value>#,##0.##[.,]</pso:value>
      </pso:attr>
      <pso:attr name="Currency">
        <pso:value>USD</pso:value>
      </pso:attr>
    </pso:attributes>
...
```
Table B-3 lists the role attributes supported by the SPML implementation in Oracle Identity Manager and how these attributes map to LDAP objects/attributes.
Table B-3 Role PSO Attributes

Attribute Name | Syntax | Description |
---|---|---|
ID | String, Read-Only, Required, Single | The PSO identifier that uniquely identifies a role. Usually the directory GUID. |
commonName | String, Required, MLS | The common name of the role. |
description | Single | Human-readable role description. |
displayName | String, Single, MLS | The preferred name to use when displaying an entry for the role. |
Custom attributes are provided to support Oracle Identity Manager functionality; these attributes are present in Oracle Identity Manager but not in the PSO.
The custom attribute name must match the attribute name specified in the corresponding request dataset for the mapping to work end-to-end.
Here is an example of a custom role attribute:
```xml
...
<pso:attributes>
  <pso:attr name="Role Category Name">
    <pso:value>Cat1</pso:value>
  </pso:attr>
...
```
Role Category Name is a special custom role attribute. It is the namespace for the roles. Each role belongs to a role category. This can be specified while creating a new role. If not specified, then the Default role category is selected. Each role category and role name uniquely identifies a role.
Table B-4 lists the preference attributes supported by the SPML implementation in Oracle Identity Manager:
Table B-4 Preference Attributes
Attribute Name | Syntax | Description | LDAP Mapping |
---|---|---|---|
Number Format | String | The format in which to display numbers. | orclNumberFormat. Values: `#,##0.##[.,]`, `#,##0.###[\u00A0,]`, `#,##0.###`, `#,##0.###;#,##0.###-`, `#,##0.###[.,]`, `#,##0.###;(#,##0.###)[.,]`, `#,##0.##[\u00A0,]`, `#,##0.###['.]`, `#,##0.###[',]` |
Currency | String | The symbol to use for currency. | orclCurrency. Sample values: `USD`, `YUN`, `NZD`, `INR` |
Date Format | String | The format in which to display the date. | orclDateFormat. Values: `MM-dd-yyyy`, `MM-dd-yy`, `MM.dd.yyyy`, `MM.dd.yy`, `MM/dd/yyyy`, `MM/dd/yy`, `M-d-yyyy`, `M-d-yy`, `M.d.yyyy`, `M.d.yy`, `M/d/yyyy`, `M/d/yy`, `dd-MM-yyyy`, `dd-MM-yy`, `d-M-yyyy`, `d-M-yy`, `dd.MM.yyyy`, `dd.MM.yy`, `d.M.yyyy`, `d.M.yy`, `dd/MM/yyyy`, `dd/MM/yy`, `d/M/yyyy`, `d/M/yy`, `yyyy-MM-dd`, `yy-MM-dd`, `yyyy-M-d`, `yy-M-d`, `yyyy.MM.dd`, `yy.MM.dd`, `yyyy.M.d`, `yy.M.d`, `yy. M. d`, `yyyy/MM/dd`, `yy/MM/dd`, `yyyy/M/d`, `yy/M/d` |
Time Format | String | The format in which to display the time. | orclTimeFormat. Values: `HH.mm`, `HH.mm.ss`, `HH:mm`, `HH:mm:ss`, `H:mm`, `H:mm:ss`, `H.mm`, `H.mm.ss`, `a hh.mm`, `a hh.mm.ss`, `a hh:mm`, `a hh:mm:ss`, `ah:mm`, `ah:mm:ss`, `hh.mm a`, `hh.mm.ss a`, `hh:mm a`, `hh:mm:ss a` |
Embedded Help | String | Whether or not to show embedded help. | orclEmbeddedHelp. Values: `true`, `false` |
Font Size | String | The size of the font. | orclFontSize. Values: `LARGE`, `MEDIUM` |
Color Contrast | String | Contrast of the color scheme. | orclColorContrast. Values: `STANDARD`, `HIGH` |
Accessibility Mode | String | Accessibility mode for the user. | orclAccessibilityMode. Values: `screenReader`, `inaccessible`, `default` |
FA Language | String | The default preferred language. | orclFALanguage |
User Name Preferred Language | String | The preferred language of the user, used only to show the display name of the user in that language. Note: The value set for this attribute is not used in Oracle Identity Manager. | orclDisplayNameLanguagePreference |
This section lists the character restrictions that apply to Oracle Identity Manager attributes. Failure to observe these restrictions causes errors when performing operations with those attributes.
Alphanumeric characters (a through z, A through Z, and 0 through 9) and the underscore character (_) can be used in all Oracle Identity Manager attributes.
The following special characters can be used in the Password field:

- Percent sign ( % )
- Plus sign ( + )
- Equal sign ( = )
- Comma ( , )
- Backslash ( \ )
- Single quotation mark ( ' )
- Slash ( / )
- Vertical bar ( | )
The single quotation mark ( ' ) can be used only in the following attributes:

- Login
- Manager ID
- First Name
- Last Name
- Middle Name
- Group Name
- Organization Name
- Resource Name
The semicolon ( ; ) can be used only in access policy names.
Apart from the exceptions listed above, the following special characters are not supported in any Oracle Identity Manager attribute:

- Period ( . )
- Number sign ( # )
- Slash ( / )
- Percent sign ( % )
- Equal sign ( = )
- Vertical bar ( | )
- Plus sign ( + )
- Comma ( , )
- Backslash ( \ )
- Double quotation mark ( " )
- Less than symbol ( < )
- Greater than symbol ( > )
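The rules above are easy to get wrong when an application pre-validates values before sending an SPML request, because the exceptions depend on which attribute the value is for. The following checker, an added example rather than Oracle code, encodes the page's character groups and exceptions; the label "Access Policy Name" and the function names are this example's own assumptions.

```python
"""Check an attribute value against the Oracle Identity Manager character rules.
Added example, not Oracle code: the character groups and attribute names come
from the page; "Access Policy Name" and the function names are assumptions."""

# Attributes in which the single quotation mark is permitted.
QUOTE_ALLOWED = {"Login", "Manager ID", "First Name", "Last Name",
                 "Middle Name", "Group Name", "Organization Name", "Resource Name"}
# Special characters permitted only in the Password field.
PASSWORD_SPECIALS = set("%+=,\\'/|")
# Special characters listed as unsupported in any attribute.
DISALLOWED = set(".#/%=|+,\\\"<>")
ACCESS_POLICY_NAME = "Access Policy Name"  # assumed label for access policy names

def allowed_specials(attribute):
    """Non-alphanumeric characters the rules permit for this attribute."""
    allowed = {"_"}
    if attribute == "Password":
        allowed |= PASSWORD_SPECIALS
    if attribute in QUOTE_ALLOWED:
        allowed.add("'")
    if attribute == ACCESS_POLICY_NAME:
        allowed.add(";")
    return allowed

def check_value(attribute, value):
    """Return {'rejected': [...], 'unlisted': [...]} for the given value.

    rejected: characters the rules forbid for this attribute (the general
              unsupported list, plus ' and ; outside their exceptions).
    unlisted: other non-alphanumerics the rules do not mention; treat them
              as suspect rather than silently accepting them.
    """
    allowed = allowed_specials(attribute)
    restricted = DISALLOWED | {"'", ";"}
    rejected, unlisted = [], []
    for ch in value:
        if (ch.isascii() and ch.isalnum()) or ch in allowed:
            continue
        (rejected if ch in restricted else unlisted).append(ch)
    # De-duplicate while preserving first-seen order.
    return {"rejected": list(dict.fromkeys(rejected)),
            "unlisted": list(dict.fromkeys(unlisted))}

def is_valid(attribute, value):
    """True when the value contains no rejected character."""
    return not check_value(attribute, value)["rejected"]
```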
A requesting application, such as the HCM Fusion application, acts as the SPML requestor. In addition to PSO data, the application can also pass operational data to the SPML Web Service. This section describes how applications pass that operational data.
A requestor ID can be passed for each operation. The credentials that the Fusion application supplies in a request identify an application ID. For auditing purposes, a requestor ID can also be passed; Oracle Identity Manager then audits this ID, instead of the application ID, as the actual requestor of the operation.
Along with the requestor ID, a justification for the request can also be specified.
The following is an example of the operation data:
```xml
...
    </pso:identity>
  </data>
  <capabilityData capabilityURI="http://xmlns.oracle.com/idm/identity/OperationData" mustUnderstand="true">
    <operationData xmlns="http://xmlns.oracle.com/idm/identity/OperationData"
                   requestorGUID="1" justification="i need this account"/>
  </capabilityData>
</addRequest>
```
The application is also required to pass some reference data to SPML so that, when a callback is received, the callback can be matched to the request that caused it. This is pass-through data: Oracle Identity Manager ignores it but returns it in the callback.
The following is an example that contains the `LdapRequestId` reference data:
```xml
...
    </pso:identity>
  </data>
  <capabilityData capabilityURI="http://xmlns.oracle.com/idm/identity/OperationData" mustUnderstand="true">
    <operationData xmlns="http://xmlns.oracle.com/idm/identity/OperationData"
                   requestorGUID="1" justification="i need this account">
      <LdapRequestId xmlns="http://xmlns.oracle.com/apps/hcm/users/ldapRequestService/">102329090340</LdapRequestId>
    </operationData>
  </capabilityData>
</addRequest>
```
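To show how the custom attributes, the operation data and the pass-through reference data from the examples above sit together in one request, here is a small parser, added for this appendix and not part of Oracle's code. It uses the OASIS SPMLv2 core namespace and the two namespaces shown on this page; the namespace bound to the `pso` prefix, the sample values and the function names are this example's assumptions.

```python
"""Parse an SPML addRequest carrying custom PSO attributes and operation data.
Added example, not Oracle's code. SPML_NS is the OASIS SPMLv2 core namespace;
PSO_NS is an assumption; the other two namespaces are the ones on this page."""
import xml.etree.ElementTree as ET

SPML_NS = "urn:oasis:names:tc:SPML:2:0"
PSO_NS = "http://xmlns.oracle.com/idm/identity/PSO"  # assumption
OPDATA_NS = "http://xmlns.oracle.com/idm/identity/OperationData"
LDAPREQ_NS = "http://xmlns.oracle.com/apps/hcm/users/ldapRequestService/"
KNOWN_CAPABILITIES = {OPDATA_NS}  # capabilityURIs this parser understands

# Constructed sample request; all values are made up for the example.
SAMPLE_REQUEST = f"""<addRequest xmlns="{SPML_NS}" xmlns:pso="{PSO_NS}">
  <data><pso:identity><pso:attributes>
    <pso:attr name="Number Format"><pso:value>#,##0.##[.,]</pso:value></pso:attr>
    <pso:attr name="Currency"><pso:value>USD</pso:value></pso:attr>
  </pso:attributes></pso:identity></data>
  <capabilityData capabilityURI="{OPDATA_NS}" mustUnderstand="true">
    <operationData xmlns="{OPDATA_NS}" requestorGUID="1" justification="i need this account">
      <LdapRequestId xmlns="{LDAPREQ_NS}">102329090340</LdapRequestId>
    </operationData>
  </capabilityData>
</addRequest>"""

def parse_request(xml_text):
    """Return custom attributes, requestor ID, justification and pass-through data."""
    root = ET.fromstring(xml_text)
    # SPML semantics: capability data the provider does not understand must be
    # rejected when mustUnderstand="true", not silently ignored.
    for cap in root.findall(f"{{{SPML_NS}}}capabilityData"):
        uri = cap.get("capabilityURI")
        if cap.get("mustUnderstand") == "true" and uri not in KNOWN_CAPABILITIES:
            raise ValueError(f"unsupported mustUnderstand capability: {uri}")
    attrs = {a.get("name"): a.findtext(f"{{{PSO_NS}}}value")
             for a in root.iter(f"{{{PSO_NS}}}attr")}
    result = {"attributes": attrs, "requestorGUID": None,
              "justification": None, "reference": {}}
    op = root.find(f"{{{SPML_NS}}}capabilityData/{{{OPDATA_NS}}}operationData")
    if op is not None:
        result["requestorGUID"] = op.get("requestorGUID")  # audited as the requestor
        result["justification"] = op.get("justification")
        # Child elements of operationData (for example LdapRequestId) are
        # pass-through reference data: keep them verbatim to echo in the callback.
        result["reference"] = {c.tag: (c.text or "").strip() for c in op}
    return result
```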