4 Integrating Oracle Identity Governance and Oracle Access Manager Using LDAP Connectors
Integrate Oracle Identity Governance (OIG) and Oracle Access Manager (OAM) using LDAP Connectors. You can run an automated integration script to complete OIG-OAM integration or perform configuration operations individually. The script utilizes user-supplied values from property files to perform various configurations.
Note:
The exact details in this chapter may differ depending on your specific deployment. Adapt the information as required for your environment. The integration instructions assume that Identity Governance components have been configured on separate Oracle WebLogic domains, as discussed in About the Basic Integration Topology. For prerequisite and detailed information on how the components were installed and configured in this example integration, see Preparing to Install and Configure Oracle Identity and Access Management in Fusion Middleware Installing and Configuring Oracle Identity and Access Management.
If you are deploying Oracle Identity Governance components in an enterprise integration topology, as discussed in About the Basic Integration Topology, see Understanding an Enterprise Deployment in Oracle Fusion Middleware Enterprise Deployment Guide for Oracle Identity and Access Management for implementation procedures.
This chapter contains these sections:
4.1 Overview of Oracle Identity Governance and Oracle Access Manager Integration
This integration scenario enables you to manage identities with Oracle Identity Governance and control access to resources with Oracle Access Manager. Oracle Identity Governance is a user provisioning and administration solution that automates user account management, whereas Access Manager provides a centralized and automated single sign-on (SSO) solution.
This section contains the following topics:
- About Integrating Oracle Identity Governance with Oracle Access Manager
- About Oracle Identity Governance and Oracle Access Manager Single-Node Integration Topology
- Prerequisites to Integrating Oracle Identity Governance and Oracle Access Manager
- Roadmap to Integrating Oracle Identity Governance and Oracle Access Manager
4.1.1 About Integrating Oracle Identity Governance with Oracle Access Manager
In the Oracle Access Manager (OAM) and Oracle Identity Governance (OIG) integration, users have the capability to:
- Create and reset the password without assistance for expired and forgotten passwords
- Recover passwords using challenge questions and answers
- Set up challenge questions and answers
- Perform self-service registration
- Perform self-service profile management
- Access multiple applications securely with one authentication step
4.1.2 About Oracle Identity Governance and Oracle Access Manager Single-Node Integration Topology
You must configure IdM components, Access Manager and Oracle Identity Governance, in separate WebLogic Server domains (split domain topology), as discussed in About the Basic Integration Topology, and separate Oracle Middleware homes. Otherwise, attempts to patch or upgrade one product may be blocked by a version dependency on a component shared with another. When you install Oracle Identity Governance components in a single WebLogic Server domain, there is a risk that the component (libraries, jars, utilities, and custom plug-ins) you are installing into the domain might not be compatible with other components, thereby resulting in problems across your entire domain.
Access Manager uses a database for policy data and a directory server for identity data. This integration scenario assumes a single directory server. The directory server must likewise be installed in a separate domain and a separate Middleware home.
Note:
The instructions in this chapter assume that you will use Oracle Unified Directory as the identity store.
4.1.3 Prerequisites to Integrating Oracle Identity Governance and Oracle Access Manager
Ensure the required environment is set and made available for the integration.
In the following sections it is assumed that the required components, as listed in Table 4-1, have already been installed, including any dependencies, and the environment is configured prior to the integration. See Understanding Oracle Identity Management Integration Topologies.
Note:
- Use 14.1.2.1.0 binaries for OAM and OIG.
- OUD must have the changelog enabled for incremental reconciliation from OIG to work; without it, incremental reconciliation fails. On a replicated OUD instance, cn=changelog is available by default, provided that the instance contains both the directory server and the replication server components (the default). The changelog has no additional cost there because replication is already running. On a non-replicated OUD instance, cn=changelog is not available by default, because it has a disk and CPU cost that should not be paid if it is not needed. It can be enabled with the following command:
$ dsreplication enable-changelog -h localhost -p 4444 -D "cn=directory manager" -r 8989 -b "dc=example,dc=com"
Table 4-1 Required Components for Integration Scenario
Component | Information
---|---
Oracle HTTP Server with OAM WebGate | Oracle HTTP Server with OAM WebGate is installed.
Oracle SOA Suite | Oracle Identity Governance requires Oracle SOA Suite 14.1.2.1.0, which is exclusive to Oracle Identity and Access Management. SOA Suite is a prerequisite for Oracle Identity Governance and must be installed in the same domain as Oracle Identity Governance. If you use SOA Suite for other purposes, a separate installation must be set up for running your own services, composites, BPEL processes, and so on. See Installing the Oracle Identity and Access Management Software in Installing and Configuring Oracle Identity and Access Management.
Oracle Unified Directory | Oracle Unified Directory is installed.
Access Manager | Access Manager is already installed. See Configuring Oracle Access Management Domain in Installing and Configuring Oracle Identity and Access Management.
Oracle Identity Governance | Oracle Identity Governance 14.1.2.1.0 is already installed. See Installing the Oracle Identity and Access Management Software and Configuring the Oracle Identity Governance Domain in Installing and Configuring Oracle Identity and Access Management.
Environmental Variables | Set the environment variables required for OIG-OAM integration. See Set Up Environment Variables for OIG-OAM Integration.
4.1.4 Roadmap to Integrating Oracle Identity Governance and Oracle Access Manager
Table 4-2 lists the high-level tasks for integrating Access Manager and Oracle Identity Governance with Oracle Unified Directory.
Depending on your installation path, you may already have performed some of the integration procedures listed in this table. For details on the installation roadmap, see Understanding the Installation Roadmap.
Table 4-2 Integration Flow for Access Manager and Oracle Identity Governance
No. | Task | Information
---|---|---
1 | Verify that all required components have been installed and configured prior to integration. | See Prerequisites to Integrating Oracle Identity Governance and Oracle Access Manager.
2 | Configure Oracle HTTP Server to front-end resources on Oracle Identity Governance. | See Configuring Oracle HTTP Server to Front-End Resources on Oracle Identity Governance.
3 | Integrate Access Manager and Oracle Identity Governance. | See Configuring Oracle Identity Governance and Oracle Access Manager Integration.
4 | Stop the Oracle WebLogic Server managed servers for Access Manager and Oracle Identity Governance. | See Starting and Stopping Admin Server in Administering Oracle Fusion Middleware.
5 | Test the integration. | See Validating the Access Manager and Oracle Identity Governance Integration.
4.2 Installing Oracle HTTP Server and Configuring the Oracle HTTP Server WebGate
For more information on installing Oracle HTTP Server, see Installing Oracle HTTP Server.
For more information on configuring Oracle HTTP Server WebGate, see Configuring Oracle HTTP Server WebGate for Oracle Access Manager.
To install Oracle HTTP Server and configure the Oracle HTTP Server WebGate:
- Install Oracle HTTP Server in collocated mode. For more information, see Installing the Oracle HTTP Server Software in Installing and Configuring Oracle HTTP Server.
- Configure Oracle HTTP Server WebGate for Oracle Access Manager. For more information, see Configuring Oracle HTTP Server WebGate for Oracle Access Manager in Installing WebGates for Oracle Access Manager.
4.3 Configuring Oracle Identity Governance and Oracle Access Manager Integration
The automated script for integration simplifies the process of a connector-based integration between Oracle Identity Governance (OIG) and Oracle Access Manager (OAM) or any third-party access product. You can integrate OIG and OAM with directories such as Oracle Unified Directory (OUD), Oracle Internet Directory (OID) and Active Directory (AD).
4.3.1 Prerequisites for the Connector-based Integration
Verifying the Environment
- Check that your operating system is up to date, with all necessary patches applied.
- Mount the binaries you will be using. The applicable Oracle software includes:
  - Oracle Database 19+
  - JRF 14.1.2.1.0
  - Oracle Identity and Access Management 14c (14.1.2.1.0)
  - Oracle Unified Directory 14c (14.1.2.1.0) / Oracle Internet Directory 14c (14.1.2.1.0)
Note:
- Use 14.1.2.1.0 binaries for OAM and OIG.
- Apply OAM bundle patch 12.2.1.4.191223 or the latest bundle patch available for your release before starting the integration process.
- If you are upgrading OAM-OIG integrated environments to the latest 14c (14.1.2.1.0) release, then apply the following bundle patches:
  - OAM bundle patch 12.2.1.4.200327
  - OIM bundle patch 12.2.1.4.200505
- The Oracle HTTP Server with 12c WebGate must be installed.
- Verify that Oracle Database is configured and running.
- Verify that the directory of your choice (OUD/OID/AD) is up and running.
- Verify that Oracle Access Manager is up and running.
- Verify that Oracle Access Manager is integrated with LDAP.
- Verify that Oracle Identity Governance is up and running.
- Verify that the environment variables are set, as described in Set Up Environment Variables for OIG-OAM Integration.
- Ensure that Oracle Access Manager and Oracle Identity Governance are installed in separate domains.
- Ensure that the screen package is installed on your server by running the following command:
  rpm -qa | grep screen
  The command returns a value such as the following:
  screen.x86_64 0:4.1.0-0.23.20120314git3c2946.el7_2
  If the command does not return information about the screen package version, install the package as follows:
  - Log on to your Linux server as root.
  - Run yum install screen to install the screen package. For example:
    [root@server]# yum install screen
    > Package screen.x86_64 0:4.1.0-0.23.20120314git3c2946.el7_2 will be installed
    Total download size: 552 k
    Installed size: 914 k
    Is this ok [y/d/N]:
    Enter y and press Enter.
    Downloading packages:
    screen-4.1.0-0.23.20120314git3c2946.el7_2.x86_64.rpm
    Installed:
    screen.x86_64 0:4.1.0-0.23.20120314git3c2946.el7_2
- Ensure that the OpenLDAP packages are installed:
  yum install openldap openldap-clients
  Verify that the LDAP client tools are on your system by entering the command which ldapsearch. The command returns a value such as the following:
  /usr/bin/ldapsearch
  Update your $PATH to include the LDAP directory server installation directory.
Updating Datasource Related to OIG Metadata Services (MDS) Configuration
- Log in to the WebLogic Administrative Console for OIG.
- In the left pane, under Domain Structure, expand Services, and then click Data Sources.
- Click mds-oim, and then click the Connection Pool tab.
- Update the following property values in the MDS-OIM connection pool:
  - Initial Capacity to 50
  - Maximum Capacity to 150
  - Minimum Capacity to 50
- To update the value for Inactive Connection Timeout: in the same datasource, click the Advanced link at the bottom of the page and set the Inactive Connection Timeout value to 10.
- Click Save.
- Click Activate Changes.
Downloading the Connector
- Download the Connector bundle from the artifactory: Download Connector Bundle
  - For OID or OUD, download the oid-12.2.1.3.0.zip Connector bundle corresponding to Oracle Internet Directory.
  - For AD, download the activedirectory-12.2.1.3.0.zip Connector bundle corresponding to Microsoft Active Directory User Management.
  Note:
  For all directory types, the required Connector version for OIG-OAM integration is 12.2.1.3.0.
- Unzip the Connector bundle to the desired connector path under the OIG Oracle home, $ORACLE_HOME/idm/server/ConnectorDefaultDirectory. For example:
  ORACLE_HOME/idm/server/ConnectorDefaultDirectory
- For AD, install the Active Directory User Management Connector on both OIG and the Connector server.
Note:
The application creation step performs the connector installation. No other install steps are necessary.
Important:
After OIG-OAM integration, if the LDAP Connector bundle or the Active Directory Connector bundle is used for creating target application instances for other IT resources, then the pre-config.xml corresponding to the directory type must be manually imported from the Sysadmin UI before proceeding to create the application instance.
- For OID: XML name: OID-pre-config.xml. Location (example): $ORACLE_HOME/idm/server/ConnectorDefaultDirectory/OID-12.2.1.3.0/xml/OID-pre-config.xml
- For OUD/ODSEE/LDAPV3: XML name: ODSEE-OUD-LDAPV3-pre-config.xml. Location (example): $ORACLE_HOME/idm/server/ConnectorDefaultDirectory/OID-12.2.1.3.0/xml/ODSEE-OUD-LDAPV3-pre-config.xml
- For AD: XML name: ad-pre-config.xml. Location (example): $ORACLE_HOME/idm/server/ConnectorDefaultDirectory/activedirectory-12.2.1.3.0/xml/ad-pre-config.xml
For importing pre-config.xml, see Importing Connector XML File.
Assigning Lockout Threshold in LDAP Directory and Oracle Access Manager
The maximum number of authentication failures a user may attempt before the account is locked should be the same in the LDAP directory and in Oracle Access Manager; if the two thresholds differ, one component locks the account before the other does and the lockout state becomes inconsistent between them.
To set the lockout threshold in Access Manager, open the oam-config.xml file in the OAM domain under DOMAIN_HOME/config/fmwconfig and update the LockoutAttempts parameter. To do so, export and import the oam-config.xml file by following the steps in Exporting and Importing the OAM Configuration File.
See Also:
- OID: Managing Password Policies in Administering Oracle Internet Directory.
- OUD: Managing Password Policies in Administering Oracle Unified Directory.
- AD: Configuring Account Lockout Policies in Windows 2000 Evaluated Configuration Administrators Guide.
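To confirm the two thresholds agree before going live, the following added example (not from the Oracle documentation) reads LockoutAttempts from an oam-config.xml export and compares it with the lockout failure count of an OUD password policy exported as LDIF. The XML element layout, the LDIF attribute name ds-cfg-lockout-failure-count and the meaning of a 0 value (lockout disabled) are assumptions of this example; adapt them to your own exported files.

```python
"""Compare the account-lockout threshold in Access Manager's oam-config.xml with
the one enforced by the OUD password policy.

Added example, not part of the Oracle documentation. Assumptions: the
threshold lives in a <Setting Name="LockoutAttempts"> element (the fragment
below is constructed, not copied from a real export), and the OUD policy is
exported as LDIF with the attribute ds-cfg-lockout-failure-count, where 0
means lockout disabled (assumed attribute name and semantics).
"""
import xml.etree.ElementTree as ET

# Constructed oam-config.xml fragment; only the Setting names matter here.
OAM_CONFIG_XML = """<Configuration>
  <Setting Name="PasswordPolicy" Type="htf:map">
    <Setting Name="LockoutAttempts" Type="xsd:integer">5</Setting>
    <Setting Name="LockoutDuration" Type="xsd:integer">30</Setting>
  </Setting>
</Configuration>"""

# Constructed LDIF export of an OUD password policy entry.
OUD_POLICY_LDIF = """dn: cn=Default Password Policy,cn=Password Policies,cn=config
objectClass: ds-cfg-password-policy
cn: Default Password Policy
ds-cfg-lockout-failure-count: 10
ds-cfg-lockout-duration: 30 minutes
"""


def oam_lockout_attempts(xml_text):
    """Return the integer LockoutAttempts value from an oam-config.xml text."""
    root = ET.fromstring(xml_text)
    for setting in root.iter("Setting"):
        if setting.get("Name") == "LockoutAttempts":
            return int((setting.text or "").strip())
    raise ValueError("LockoutAttempts not found in oam-config.xml")


def ldif_attribute(ldif_text, attr):
    """Return the first value of attr in a single-entry LDIF export."""
    prefix = attr.lower() + ":"
    for line in ldif_text.splitlines():
        if line.lower().startswith(prefix):
            return line.split(":", 1)[1].strip()
    raise ValueError(f"{attr} not found in LDIF")


def ldap_lockout_threshold(ldif_text):
    return int(ldif_attribute(ldif_text, "ds-cfg-lockout-failure-count"))


def lockout_thresholds_match(xml_text, ldif_text):
    return oam_lockout_attempts(xml_text) == ldap_lockout_threshold(ldif_text)


def describe(xml_text, ldif_text):
    """Human-readable verdict, naming which side locks first on a mismatch."""
    oam = oam_lockout_attempts(xml_text)
    ldap = ldap_lockout_threshold(ldif_text)
    if oam == ldap:
        return f"OK: both sides lock after {oam} failures"
    if 0 in (oam, ldap):
        side = "OAM" if oam == 0 else "the directory"
        return f"MISMATCH: lockout is disabled (0) in {side} but not on the other side"
    first = "OAM" if oam < ldap else "the directory"
    return (f"MISMATCH: OAM locks after {oam} failures, the directory after {ldap}; "
            f"{first} locks first, so the two lockout states will disagree")


if __name__ == "__main__":
    print(describe(OAM_CONFIG_XML, OUD_POLICY_LDIF))
```

Run it against the real files by replacing the two constructed strings with the contents of your exported oam-config.xml and the LDIF of the password policy that applies to the OIG user container.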
4.3.2 Step-by-step Procedure for OIG-OAM Integration Using Automated Script
OIGOAMIntegration.sh supports individual execution of OIG-OAM configuration operations. The properties file ssointg-config.properties, located at $ORACLE_HOME/idm/server/ssointg/config/, specifies which individual step is to be executed.
Note:
You must run the OIGOAMIntegration.sh command only on the OIG server.
Before you begin, ensure that all the components listed in Prerequisites for the Connector-based Integration are installed.
OIGOAMIntegration.sh is a top-level automated integration script that performs the operations required for OIG-OAM integration, described in the following sections. The ssointg-config.properties file (located at $ORACLE_HOME/idm/server/ssointg/config/) provides the configuration information required for OIG and OAM integration; the configuration operations executed by the automated integration script are managed by this file.
4.3.2.1 Populating OHS Rules Using Automated Script
If you need to create redirect rules in your Oracle HTTP Server configuration, follow the steps below. This step is optional, as the Oracle HTTP Server redirect rules are normally configured manually in the oim.conf file. See Configuring Oracle HTTP Server to Front-End Resources on Oracle Identity Governance.
To populate OHS rules:
- Update the populateOHSRedirectIdmConf.config file (located at ORACLE_HOME/idm/server/ssointg/config). It contains the following parameters:
  OIM_HOST
  OIM_PORT
  OAM_HOST
  OAM_PORT
  The following table describes the parameters in the populateOHSRedirectIdmConf.config file.
  Table 4-3 Parameters in populateOHSRedirectIdmConf.config file
  Property | Description | Sample Value
  ---|---|---
  OAM_HOST | Enter the URL for the OAM server. | oamhost.example.com
  OAM_PORT | Enter the port for the OAM server. | 14100
  OIM_HOST | Enter the host name for the OIG managed server. | oimhost.example.com
  OIM_PORT | Enter the port for the OIG server. | 14000
- Run the automated script for OIG-OAM integration to populate OHS rules:
  OIGOAMIntegration.sh -populateOHSRules
  You have successfully executed the automated script for populating OHS rules.
- Restart the OHS server.
4.3.2.2 Configuring WLS Authentication Providers Using Automated Script
Configure WLS Authentication Providers using the OIGOAMIntegration.sh automated script for OIG-OAM integration.
Configure SSO logout for OIM. The security providers in the OIM domain should be configured so that both SSO login and OIM client-based login work appropriately.
For example, after executing the OIGOAMIntegration.sh -configureWLSAuthnProviders script, the authenticator order for OID would be as follows:
- OAMIDAsserter
- OIMAuthenticationProvider
- OIDAuthenticator
- DefaultAuthenticator
- DefaultIdentityAsserter
- Trust Service Identity Asserter
To configure WLS Authentication Providers using the automated script:
- Update the configureWLSAuthnProviders.config file (located at ORACLE_HOME/idm/server/ssointg/config):
  OIM_WLSHOST: oighost1example.com
  OIM_WLSPORT: 9002
  OIM_WLSADMIN: weblogic
  OIM_WLSADMIN_PWD: password
  WLS_IS_SSLENABLED: true
  WLS_TRUSTSTORE: /u01/oracle/config/keystores/idmTrustStore.p12
  WLS_TRUSTSTORE_PASSWORD: password
  WLS_SSL_HOST_VERIFICATION: true
  IDSTORE_DIRECTORYTYPE: OUD
  IDSTORE_HOST: idstore.example.com
  IDSTORE_PORT: 1636
  IDSTORE_SSL_ENABLED: true
  IDSTORE_KEYSTORE_FILE: /u01/oracle/config/keystores/idmTrustStore.p12
  IDSTORE_KEYSTORE_PASSWORD: password
  IDSTORE_BINDDN: cn=oimLDAP,cn=systemids,dc=example,dc=com
  IDSTORE_BINDDN_PWD: password
  IDSTORE_USERSEARCHBASE: cn=Users,dc=example,dc=com
  IDSTORE_GROUPSEARCHBASE: cn=Groups,dc=example,dc=com
  The following table describes the parameters related to configuring WLS Authentication Providers.
  Table 4-4 Parameters in configureWLSAuthnProviders.config file
  Property | Description | Sample Value
  ---|---|---
  IDSTORE_BINDDN | An administrative user in Oracle Internet Directory, Oracle Unified Directory or Active Directory. | cn=oimLDAP,cn=systemids,dc=example,dc=com
  IDSTORE_BINDDN_PWD | Enter the password for the administrative user in Oracle Internet Directory or Oracle Unified Directory. | <password>
  IDSTORE_DIRECTORYTYPE | Enter the identity store directory type. Valid options are OID, OUD, and AD. | OUD
  IDSTORE_GROUPSEARCHBASE | Enter the location in the directory where groups are stored. | cn=groups,dc=example,dc=com
  IDSTORE_HOST | Enter the identity store host name. | idstore.example.com
  IDSTORE_PORT | Enter the identity store port. | 1636
  IDSTORE_USERSEARCHBASE | Enter the container under which Access Manager searches for users. | cn=users,dc=example,dc=com
  OIM_WLSADMIN | Enter the WebLogic administrator user in the OIM domain. | weblogic
  OIM_WLSADMIN_PWD | Enter the password for the WebLogic admin user in the OIM domain. | <password>
  OIM_WLSHOST | Enter the OIG admin server host name. | oighost1example.com
  OIM_WLSPORT | Enter the OIG admin server port. | 9002
- Run the automated script for OIG-OAM integration to configure WLS Authentication Providers:
  OIGOAMIntegration.sh -configureWLSAuthnProviders
  You have successfully executed the automated script for configuring WLS Authentication Providers.
- Restart the OIG domain servers. See Starting the Servers in Installing and Configuring Oracle Identity and Access Management.
4.3.2.3 Configuring LDAP Connector Using Automated Script
Configure the LDAP Connector using the automated integration script, OIGOAMIntegration.sh. The script performs the following operations:
- Copying the Application On-boarding LDAP templates into the downloaded Connector bundle.
- Obtaining application names and other property values, such as LDAP host and port, from the configuration file.
- Creating Application objects (target application and authoritative application) from the unmarshalled LDAP templates.
- Executing the create API method through the Application Manager to create the Application Instances from the Application objects.
- Updating the IT Resource instance with values obtained from the configuration file, as follows:
  - baseContexts
  - principal
  - credentials
  - host and port
  - SSL (true or false)
- Setting the SSO.DefaultCommonNamePolicyImpl system property.
- Setting properties in SSOIntegrationMXBean with values obtained from the configuration file:
  - targetAppInstanceName
  - targeITResourceNameForGroup
  - directorytype
- Updating the scheduled jobs with the SSO trusted and target parameters.
- Updating container rules by invoking the SSOIntegrationMXBean addContainerRules operation with values obtained from the configuration file:
  - Directory type
  - User search base
  - User search base description
  - Group search base
  - Group search base description
Note:
Executing the script for configuring the connector seeds only the default LDAP container rules into MDS. You can use custom container rules and manually upload them to MDS.
To configure the LDAP Connector:
- Update the configureLDAPConnector.config file (located at ORACLE_HOME/idm/server/ssointg/config):
  IDSTORE_DIRECTORYTYPE=OUD
  IDSTORE_HOST=idstore.example.com
  IDSTORE_PORT=1636
  IDSTORE_BINDDN=cn=oudadmin
  IDSTORE_BINDDN_PWD=password
  IDSTORE_SSL_ENABLED=true
  IDSTORE_KEYSTORE_FILE=/u01/oracle/config/keystores/idmTrustStore.p12
  IDSTORE_KEYSTORE_PASSWORD=password
  IDSTORE_OIMADMINUSERDN=cn=oimLDAP,cn=systemids,dc=example,dc=com
  IDSTORE_OIMADMINUSER_PWD=password
  IDSTORE_SEARCHBASE=dc=example,dc=com
  IDSTORE_USERSEARCHBASE=cn=Users,dc=example,dc=com
  IDSTORE_GROUPSEARCHBASE=cn=Groups,dc=edg,dc=com
  IDSTORE_USERSEARCHBASE_DESCRIPTION=Default user container
  IDSTORE_GROUPSEARCHBASE_DESCRIPTION=Default group container
  IDSTORE_EMAIL_DOMAIN=edg.com
  OIM_HOST=oighost1.example.com
  OIM_PORT=14000
  WLS_OIM_SYSADMIN_USER=xelsysadm
  WLS_OIM_SYSADMIN_USER_PWD=password
  OIM_WLSHOST=oighost1.example.com
  OIM_WLSPORT=9200
  WLS_IS_SSLENABLED: true
  WLS_TRUSTSTORE: /u01/oracle/config/keystores/idmTrustStore.p12
  WLS_TRUSTSTORE_PASSWORD: password
  OIM_WLSADMIN=weblogic
  OIM_SERVER_NAME=oim_server1
  CONNECTOR_MEDIA_PATH=/u01/oracle/products/idm/server/ConnectorDefaultDirectory/OID-12.2.1.3.0
  The following table describes the parameters in the configureLDAPConnector.config file example.
  Table 4-5 Parameters in configureLDAPConnector.config file
  Property | Description | Sample Value
  ---|---|---
  AD_CONNECTORSERVER_HOST | Enter the host name or IP address of the computer hosting the connector server. | 192.0.2.1
  AD_CONNECTORSERVER_KEY | Enter the key for the connector server. | <connectorserverkey>
  AD_CONNECTORSERVER_PORT | Enter the number of the port on which the connector server is listening. | 8759
  AD_CONNECTORSERVER_TIMEOUT | Enter an integer value that specifies the number of milliseconds after which the connection between the connector server and Oracle Identity Governance times out. A value of 0 means that the connection never times out. | 0
  AD_CONNECTORSERVER_USESSL | Enter true to specify that you will configure SSL between Oracle Identity Governance or Oracle Unified Directory and the Connector Server. Otherwise, enter false. For Active Directory, the value should be yes or no. The default value is false. Note: It is recommended that you configure SSL to secure communication with the connector server. | true (or false)
  AD_DOMAIN_NAME | Enter the domain name configured in Microsoft Active Directory. | example.com
  CONNECTOR_MEDIA_PATH | Enter the location of the Connector bundle downloaded and unzipped. Oracle Identity Governance uses this location to pick up the Connector bundle to be installed. | OID/OUD: /u01/oracle/products/identity/idm/server/ConnectorDefaultDirectory/OID-12.2.1.3.0; AD: /u01/oracle/products/identity/idm/server/ConnectorDefaultDirectory/activedirectory-12.2.1.3.0
  IDSTORE_BINDDN | An administrative user in Oracle Internet Directory, Oracle Unified Directory or Active Directory. | OID: cn=orcladmin; OUD: cn=oudadmin; AD: CN=Administrator, CN=Users, DC=example.com, DC=example, dc=com
  IDSTORE_BINDDN_PWD | Enter the password for the administrative user in Oracle Internet Directory or Oracle Unified Directory. | <password>
  IDSTORE_EMAIL_DOMAIN | Enter the domain used for e-mail, for example user@example.com. | edg.com
  IDSTORE_GROUPSEARCHBASE | Enter the location in the directory where groups are stored. | cn=Groups, dc=edg, dc=com
  IDSTORE_DIRECTORYTYPE | Enter the identity store directory type. Valid options are OID, OUD, and AD. | OUD
  IDSTORE_GROUPSEARCHBASE_DESCRIPTION | Enter the description for the directory group search base. | Default group container
  IDSTORE_HOST | Enter the identity store host name. | idstore.example.com
  IDSTORE_OIMADMINUSER_PWD | Enter the password for the user that Oracle Identity Governance uses to connect to the identity store. | <password>
  IDSTORE_OIMADMINUSERDN | Enter the location of a container in the directory where system-operations users are stored. There are only a few system-operations users, and they are kept separate from the enterprise users stored in the main user container. An example is the Oracle Identity Governance reconciliation user, which is also used as the bind DN user in Oracle Virtual Directory adapters. | cn=oimLDAP, cn=systemids, dc=example, dc=com
  IDSTORE_PORT | Enter the identity store port. | OUD: 1389 or 1636; OID: 3060
  IDSTORE_SEARCHBASE | Enter the location in the directory where users and groups are stored. | dc=example,dc=com
  IDSTORE_USERSEARCHBASE | Enter the container under which Access Manager searches for users. | cn=users,dc=example,dc=com
  IDSTORE_USERSEARCHBASE_DESCRIPTION | Enter the description for the directory user search base. | Default user container
  IS_LDAP_SECURE | Indicates whether SSL is used for LDAP communication. Use yes or no for Active Directory. | false
  OIM_HOST | Enter the host name for the OIM managed server. | oighost1.example.com
  OIM_PORT | Enter the port for the OIM server. | 14000
  OIM_SERVER_NAME | Enter the OIG server name. | oim_server1
  OIM_WLSADMIN | Enter the WebLogic administrator user in the OIM domain. | weblogic
  OIM_WLSADMIN_PWD | Enter the password for the WebLogic admin user in the OIM domain. | <password>
  OIM_WLSHOST | Enter the OIM admin server host name. | oighost1.example.com
  OIM_WLSPORT | Enter the OIM admin server port. | 9002 for domains with the administration port enabled; 7001 for non-secure mode deployments
  SSO_TARGET_APPINSTANCE_NAME | Enter the target application instance name used for provisioning accounts to the target LDAP. | SSOTarget
  WLS_OIM_SYSADMIN_USER | Enter the system admin user to be used to connect to OIG while configuring SSO. This user needs to have the system admin role. | xelsysadm
  WLS_OIM_SYSADMIN_USER_PWD | Enter the password for the OIG system administrator user. | <password>
  The following table describes the parameters applicable for Active Directory.
  Table 4-6 Parameters for Active Directory
  Property | Description | Sample Value
  ---|---|---
  AD_CONNECTORSERVER_HOST | Enter the host name or IP address of the computer hosting the connector server. | 192.0.2.1
  AD_CONNECTORSERVER_KEY | Enter the key for the connector server. | <connectorserverkey>
  AD_CONNECTORSERVER_PORT | Enter the number of the port on which the connector server is listening. | 8759
  AD_CONNECTORSERVER_TIMEOUT | Enter an integer value that specifies the number of milliseconds after which the connection between the connector server and Oracle Identity Governance times out. A value of 0 means that the connection never times out. | 0
  AD_CONNECTORSERVER_USESSL | Enter true to specify that you will configure SSL between Oracle Identity Governance or Oracle Unified Directory and the Connector Server. Otherwise, enter false. For Active Directory, the value should be yes or no. The default value is false. Note: It is recommended that you configure SSL to secure communication with the connector server. | true (or false)
  AD_DOMAIN_NAME | Enter the domain name configured in Microsoft Active Directory. | example.com
  IS_LDAP_SECURE | Indicates whether SSL is used for LDAP communication. Use yes or no for Active Directory. | false
- Run the automated script for OIG-OAM integration to configure the LDAP Connector:
  OIGOAMIntegration.sh -configureLDAPConnector
  You have successfully executed the automated script for configuring the LDAP Connector.
4.3.2.4 Configuring SSO Integration Using Automated Script
Configure SSO integration using the automated integration script, OIGOAMIntegration.sh. The script registers OIM as a TAP partner for OAM, adds the resource policies for OIG-OAM communication, and updates the SSOIntegrationMXBean values in MDS.
To configure SSO integration:
- Open the configureSSOIntegration.config file from the OIG Oracle home directory (located at ORACLE_HOME/idm/server/ssointg/config) in a text editor and update the parameters.
  Example configureSSOIntegration.config File
  NAP_VERSION: 4
  COOKIE_EXPIRY_INTERVAL: 120
  OAM_HOST: oamhost.example.com
  OAM_PORT: 14100
  ACCESS_SERVER_HOST: oamaccesshost.example.com
  ACCESS_SERVER_PORT: 5557
  OAM_SERVER_VERSION: 11g
  WEBGATE_TYPE: ohsWebgate11g
  ACCESS_GATE_ID: Webgate_IDM
  ACCESS_GATE_PWD: <password>
  COOKIE_DOMAIN: .example.com
  OAM_TRANSFER_MODE: Open
  SSO_ENABLED_FLAG: true
  SSO_INTEGRATION_MODE: CQR
  OIM_LOGINATTRIBUTE: User Login
  OAM11G_IDSTORE_NAME: OAMIDSTORE
  OAM11G_WLS_ADMIN_HOST: oamadminhost.example.com
  OAM11G_WLS_ADMIN_PORT: 7001
  OAM11G_WLS_ADMIN_USER: weblogic
  OAM11G_WLS_ADMIN_PASSWD: <password>
  ## Required if OAM_TRANSFER_MODE is not OPEN
  #SSO_KEYSTORE_JKS_PASSWORD: <password>
  #SSO_GLOBAL_PASSPHRASE: <passphrase>
  OIM_WLSHOST: oimadminhost.example.com
  OIM_WLSPORT: 7001
  OIM_WLSADMIN: weblogic
  OIM_WLSADMIN_PWD: <password>
  OIM_SERVER_NAME: oim_server1
  IDSTORE_OAMADMINUSER: oamAdmin
  IDSTORE_OAMADMINUSER_PWD: <password>
  ## Required in SSL mode
  #OIM_TRUST_LOC=/u01/oracle/products/identity/wlserver/server/lib/DemoTrust.jks
  #OIM_TRUST_PWD=<password>
  #OIM_TRUST_TYPE=JKS
  The following table describes the parameters that you can set in the configureSSOIntegration.config file.
  Table 4-7 Parameters in configureSSOIntegration.config File
  Property | Description | Sample Value
  ---|---|---
  NAP_VERSION | Enter the NAP protocol version (4 indicates 11g+). | 4
  OAM11G_IDSTORE_NAME | Enter the name of the identity store configured in OAM. This will be set as the default/System ID Store in OAM. | OAMIDStore
  COOKIE_EXPIRY_INTERVAL | Enter the cookie expiration period. | 120
  OAM_HOST | Enter the host name for the OAM server. | oamhost.example.com
  OAM_PORT | Enter the port for the OAM server. | 14100
  ACCESS_SERVER_HOST | Enter the Access Manager OAP host. | oamaccesshost.example.com
  ACCESS_SERVER_PORT | Enter the Access Manager OAP port. | 5575
  OAM_SERVER_VERSION | Only OAM 12c is supported. OAM 10g is not supported in 12c integration. | 11g
  WEBGATE_TYPE | Enter the WebGate agent type you want to create. 10g is no longer supported in 12c. | ohsWebgate12c or ohsWebgate11g
  ACCESS_GATE_ID | Name to be assigned to the WebGate. This is the value specified during OAM configuration. For more information, see Configuring OAM Using Automated Script. | Webgate_IDM
  ACCESS_GATE_PWD | Enter the password for the Access Gate ID. | <password>
  COOKIE_DOMAIN | Enter the domain in which the WebGate functions. | .example.com
  OAM_TRANSFER_MODE | Enter the security mode in which the access servers function. The supported value is OPEN. Note: Switching the integration to CERT mode can be done as a post-configuration step by changing the OAM Server and the WebGate, as described in Securing Communication Between OAM Servers and WebGates in Administering Oracle Access Manager. | OPEN
  SSO_ENABLED_FLAG | Set it to true if OIG-OAM integration is enabled, false otherwise. | true
  SSO_INTEGRATION_MODE | Enter the integration mode with OAM. With Challenge Question Response (CQR) mode, OIG handles the password policy and password operations. With One Time Password (OTP) mode, any password operations are handled by OAM itself and there is no password change or reset in OIG. | CQR
  OIM_LOGINATTRIBUTE | Enter the login attribute of the identity store that contains the user's login name. The user uses this attribute for logging in. For example, User Login. | User Login
  OAM11G_WLS_ADMIN_HOST | Enter the host for the Admin Server in the OAM domain. | oamadminhost.example.com
  OAM11G_WLS_ADMIN_PORT | Enter the port for the Admin Server in the OAM domain. | 7001
  OAM11G_WLS_ADMIN_USER | Enter the WebLogic administrator user in the OAM domain. | weblogic
  OAM11G_WLS_ADMIN_PASSWD | Enter the password for the WebLogic admin user in the OAM domain. Note: All password fields are optional. If you do not enter them in the file (for security reasons), you are prompted to enter them when the script runs. | password
  SSO_GLOBAL_PASSPHRASE | The random global passphrase for SIMPLE security mode communication with Access Manager. By default, Access Manager is configured to use the OPEN security mode. If you want to use the installation default of OPEN mode, you can skip this property. Note: The global passphrase is obtained from the value of the global_passphrase attribute in the saved connection configuration file. For information about this connection configuration file, see Saved Connection Configuration File. | password
  OIM_WLSHOST | Enter the OIG admin server host name. | oimadminhost.example.com
  OIM_WLSPORT | Enter the OIG admin server port. | 17001
  OIM_WLSADMIN | Enter the WebLogic administrator user in the OIM domain. | weblogic
  OIM_WLSADMIN_PWD | Enter the password for the WebLogic admin user in the OIM domain. | <password>
  OIM_SERVER_NAME | Enter the OIG server name. | oim_server1
  IDSTORE_OAMADMINUSER | Enter the user you use to access your Oracle Access Management Console. | oamAdmin
  IDSTORE_OAMADMINUSER_PWD | Enter the password for the user you use to access your Oracle Access Management Console. | <password>
  OIM_TRUST_LOC | Enter the location of the OIG trust store. | ORACLE_HOME/wlserver/server/lib/DemoTrust.jks
  OIM_TRUST_PWD | Enter the password to access the trust store. | <password>
  OIM_TRUST_TYPE | Enter the type of the trust store (JKS, by default). |
JKS
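A pre-flight check for the file described in the table above, added here as an example (it is not part of the Oracle documentation or the OIGOAMIntegration.sh tooling). It assumes the file holds KEY=value lines with # comments, as the shell-style property file the script sources suggests, and encodes the constraints the table states: OPEN is the only supported transfer mode, the integration mode is CQR or OTP, only the two listed WebGate types are accepted, ports are numeric, and password fields may be omitted so that the script prompts for them.

```python
"""Pre-flight check of configureSSOIntegration.config before running
OIGOAMIntegration.sh -configureSSOIntegration. Added example, not Oracle's
code. Assumes KEY=value lines with '#' comments (the shell-style property
file the script sources); the rules are taken from Table 4-7.
"""
import re

# Non-secret properties that must carry a value.
REQUIRED = (
    "NAP_VERSION", "OAM11G_IDSTORE_NAME", "COOKIE_EXPIRY_INTERVAL", "OAM_HOST",
    "OAM_PORT", "ACCESS_SERVER_HOST", "ACCESS_SERVER_PORT", "OAM_SERVER_VERSION",
    "WEBGATE_TYPE", "ACCESS_GATE_ID", "COOKIE_DOMAIN", "OAM_TRANSFER_MODE",
    "SSO_ENABLED_FLAG", "SSO_INTEGRATION_MODE", "OIM_LOGINATTRIBUTE",
    "OAM11G_WLS_ADMIN_HOST", "OAM11G_WLS_ADMIN_PORT", "OAM11G_WLS_ADMIN_USER",
    "OIM_WLSHOST", "OIM_WLSPORT", "OIM_WLSADMIN", "OIM_SERVER_NAME",
    "IDSTORE_OAMADMINUSER", "OIM_TRUST_LOC", "OIM_TRUST_TYPE",
)
# Secrets are optional in the file: the script prompts for any that are absent.
PASSWORD_KEYS = ("ACCESS_GATE_PWD", "OAM11G_WLS_ADMIN_PASSWD", "SSO_GLOBAL_PASSPHRASE",
                 "OIM_WLSADMIN_PWD", "IDSTORE_OAMADMINUSER_PWD", "OIM_TRUST_PWD")
# Allowed values stated in the table (SSO_ENABLED_FLAG is compared case-insensitively).
ALLOWED = {
    "NAP_VERSION": {"4"},
    "OAM_TRANSFER_MODE": {"OPEN"},
    "SSO_ENABLED_FLAG": {"true", "false"},
    "SSO_INTEGRATION_MODE": {"CQR", "OTP"},
    "WEBGATE_TYPE": {"ohsWebgate12c", "ohsWebgate11g"},
    "OIM_TRUST_TYPE": {"JKS"},
}
NUMERIC = ("OAM_PORT", "ACCESS_SERVER_PORT", "OAM11G_WLS_ADMIN_PORT",
           "OIM_WLSPORT", "COOKIE_EXPIRY_INTERVAL")
LINE_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_properties(text):
    """Return {KEY: value} from KEY=value lines; blanks and '#' comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            m = LINE_RE.match(line)
            if m:
                props[m.group(1)] = m.group(2)
    return props


def check_sso_config(text):
    """Return the list of problems found; an empty list means the file passes."""
    props = parse_properties(text)
    problems = [f"{k}: missing or empty" for k in REQUIRED if not props.get(k)]
    for key, allowed in ALLOWED.items():
        val = props.get(key, "")
        if key == "SSO_ENABLED_FLAG":
            val = val.lower()
        if val and val not in allowed:
            problems.append(f"{key}: '{props[key]}' is not one of {sorted(allowed)}")
    problems += [f"{k}: '{props[k]}' is not a number"
                 for k in NUMERIC if props.get(k) and not props[k].isdigit()]
    # KEY= with nothing after it is ambiguous: the script prompts only for keys
    # that are absent, so an empty secret is reported instead of accepted.
    problems += [f"{k}: present but empty; omit the line to be prompted"
                 for k in PASSWORD_KEYS if k in props and props[k] == ""]
    # The global passphrase serves SIMPLE mode only; under OPEN it is unused.
    if props.get("OAM_TRANSFER_MODE") == "OPEN" and props.get("SSO_GLOBAL_PASSPHRASE"):
        problems.append("SSO_GLOBAL_PASSPHRASE: set but unused in OPEN mode")
    return problems


# Constructed sample using the table's sample values (not a real deployment).
SAMPLE_CONFIG = """\
NAP_VERSION=4
OAM11G_IDSTORE_NAME=OAMIDStore
COOKIE_EXPIRY_INTERVAL=120
OAM_HOST=oamhost.example.com
OAM_PORT=14100
ACCESS_SERVER_HOST=oamaccesshost.example.com
ACCESS_SERVER_PORT=5575
OAM_SERVER_VERSION=11g
WEBGATE_TYPE=ohsWebgate12c
ACCESS_GATE_ID=Webgate_IDM
# ACCESS_GATE_PWD omitted on purpose: the script prompts for it
COOKIE_DOMAIN=.example.com
OAM_TRANSFER_MODE=OPEN
SSO_ENABLED_FLAG=true
SSO_INTEGRATION_MODE=CQR
OIM_LOGINATTRIBUTE=User Login
OAM11G_WLS_ADMIN_HOST=oamadminhost.example.com
OAM11G_WLS_ADMIN_PORT=7001
OAM11G_WLS_ADMIN_USER=weblogic
OIM_WLSHOST=oimadminhost.example.com
OIM_WLSPORT=17001
OIM_WLSADMIN=weblogic
OIM_SERVER_NAME=oim_server1
IDSTORE_OAMADMINUSER=oamAdmin
OIM_TRUST_LOC=ORACLE_HOME/wlserver/server/lib/DemoTrust.jks
OIM_TRUST_TYPE=JKS
"""
```

Running check_sso_config over the real file before invoking the script turns a mid-run WLST failure into a one-line report; an empty list means every rule in the table is satisfied.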
- Run the OIGOAMIntegration.sh script from the OIG Oracle home directory (located at ORACLE_HOME/idm/server/ssointg/bin) to configure SSO Integration:
OIGOAMIntegration.sh -configureSSOIntegration
Note:
When you run the OIGOAMIntegration.sh script with the configureSSOIntegration option, a "command not found" error is displayed. This is a benign error and the script continues to run, as shown:
[2020-09-11 08:26:05] -----------------------------------------------------------------
[2020-09-11 08:26:05]
[2020-09-11 08:26:05] ==================================================
[2020-09-11 08:26:05] Executing configureSSOIntegration
[2020-09-11 08:26:05] --------------------------------------------------
[2020-09-11 08:26:05] /scratch/username_folder/interopps4/oimmw/idm/server/ssointg/bin/_OIGOAMIntegration.sh : line 72: =OAM_IDSTORE_NAME: command not found
[2020-09-11 08:26:05] Now running wlst.sh updateOAMConfigIDStore.py
Initializing WebLogic Scripting Tool (WLST) ...
Welcome to WebLogic Server Administration Scripting Shell
The OIGOAMIntegration.sh script adds the following policy resources to OAM:
/FacadeWebApp/*
/OIGUI/*
/iam/governance/*
/soa/**
/ucs/**
/reqsvc/**
/workflowservice/**
/HTTPClnt/**
/callbackResponseService/**
/role-sod/**
/sysadmin/**
/oim/**
/admin/**
/spml-xsd/**
/spmlws/**
/sodcheck/**
/SchedulerService-web/**
/jmx-config-lifecycle/**
/integration/**
/identity/**
/provisioning-callback/**
/soa-infra/**
/CertificationCallbackService/**
/identity/faces/firstlogin
/admin/faces/pages/pwdmgmt.jspx
/sysadmin/
/xmlpserver
/sysadmin
/identity/faces/taskdetails
/identity/faces/trackregistrationrequests
/identity/faces/request
/identity/
/identity
/sysadmin/faces/home
/identity/faces/home
/oim/faces/pages/Admin.jspx
/oim/faces/pages/Self.jspx
/admin/faces/pages/Admin.jspx
- Add the following policies to OAM:
  - Log in to the Oracle Access Management Console:
http://oam_adminserver_host:oam_adminserver_port/oamconsole
  - From the Application Security Launch Pad, click Application Domains in the Access Manager section.
The Search Application Domains page is displayed.
  - Click Search on the Search page.
A list of Application domains appears.
  - Click the domain IAM Suite.
  - Click the Resources tab.
  - Click Create.
  - Select HTTP as the Resource Type and IAMSuiteAgent as the Host Identifier.
  - Enter the following Resource URLs:
Note:
Choose the Protection Level as Excluded.
/iam/governance/configmgmt/**
/iam/governance/scim/v1/**
/iam/governance/token/api/v1/**
/iam/governance/applicationmanagement/**
/iam/governance/adminservice/api/v1/**
/iam/governance/selfservice/api/v1/**
  - Click Apply.
- Seed the OIG Policy Resources by performing the following steps:
  - Run wlst.sh from $ORACLE_HOME <OIG_INSTALL_LOCATION>/oracle_common/common/bin
  - Type connect()
  - Provide the OAM domain Admin username. For example, weblogic
  - Provide the OAM domain Admin password.
  - Provide the OAM Admin Server URL. For example, t3://<OAM Host>:<OAM WLS Port>
  - Run the following command:
importPolicyDelta(pathTempOAMPolicyFile="ORACLE_HOME <OAM_INSTALL_LOCATION>/idm/oam/def_import_policies/oim-resource-policy.xml", isAppDomainUpdate="true")
- Verify the attribute version in SSOIntegrationMXBean:
  - Open a browser, and access Oracle Enterprise Manager Fusion Middleware Control for OIG using the following URL format:
http://ADMINISTRATION_SERVER:PORT/em
  - Expand Domain and open System MBean Browser.
  - Search for the MBean named SSOIntegrationMXBean.
  - Click SSOIntegrationMXBean.
  - Make sure that the attribute Version = 11g.
Note:
Perform the above steps to enable auto-login in a new 14.1.2.1.0 integrated environment.
You have successfully executed the automated script for configuring SSO Integration.
Verifying the SSO Integration Configuration
Perform the following steps:
- Verify the resources:
  - Log in to the Oracle Access Management Console:
http://oam_adminserver_host:oam_adminserver_port/oamconsole
  - From the Application Security Launch Pad, click Application Domains in the Access Manager section.
The Search Application Domains page is displayed.
  - Click Search on the Search page.
A list of Application domains appears.
  - Click the domain IAM Suite.
  - Click the Resources tab and verify that the following resources are created:
/soa/**
/jmx-config-lifecycle/**
/SchedulerService-web/**
/sodcheck/**
/spmlws/**
/spml-xsd/**
/XIMDD/**
/admin/**
/oim/**
/sysadmin/**
/role-sod/**
/callbackResponseService/**
/HTTPClnt/**
/iam/governance/*
/OIGUI/*
/FacadeWebApp/*
/provisioning-callback/**
/CertificationCallbackService/**
/iam/governance/configmgmt/**
/iam/governance/scim/v1/**
/iam/governance/token/api/v1/**
/iam/governance/applicationmanagement/**
/iam/governance/adminservice/api/v1/**
/iam/governance/selfservice/api/v1/**
Verify that the
proposed value
in theoig-oam-integration
log file and the values in theSSOIntegrationMXBean
are same.-
Open the
oig-oam-integration
log file (Located atORACLE_HOME/idm/server/ssointg/logs
) and search for theproposed value
.Example
oig-oam-integration
Log FileOIMIntegrationAutomationTool.connectToDomainRuntime... Connecting to t3://myhost.us.example.com:7002 OIMIntegrationAutomationTool.getJMXConnector... mserver: /jndi/weblogic.management.mbeanservers.domainruntime Connection to domain runtime mbean server established SSOIntegrationMXBean name: oracle.iam:Location=oim_server1,name=SSOIntegrationMXBean,type=IAMAppRuntimeMBean,Application=oim sak SSOIntegrationAutomationTool: got SSOIntegrationMXBean... sak current value of accessServerHost=myhost.us.example.com proposed value of accessServerHost=myhost.us.example.com sak new value of accessServerHost=myhost.us.example.com sak current value of oamAdminUser=oamAdminUser sak proposed value of oamAdminUser=oamAdminUser sak new value of oamAdminUser=oamAdminUser current value of tapEndpointUrl=http://myhost.us.example.com:14100/oam/server/dap/cred_submit sak proposed value of tapEndpointUrl=http://myhost.us.example.com:14100/oam/server/dap/cred_submit sak new value of tapEndpointUrl=http://myhost.us.example.com:14100/oam/server/dap/cred_submit current value of loginIdAttribute=User Login current value of version=12c proposed value of version=12c new value of version=12c current value of accessServerPort=5575 proposed value of accessServerPort=5575 new value of accessServerPort=5575 current value of oamServerPort=14100 proposed value of oamServerPort=14100 new value of oamServerPort=5575 current value of accessGateID=Webgate_IDM proposed value of accessGateID=Webgate_IDM new value of accessGateID=Webgate_IDM current value of napVersion=4 proposed value of napVersion=4 new value of napVersion=4 current value of cookieDomain=.us.example.com proposed value of cookieDomain=.us.example.com new value of cookieDomain=.us.example.com current value of cookieExpiryInterval=120 proposed value of cookieExpiryInterval=120 new value of cookieExpiryInterval=120 current value of transferMode=Open proposed value of transferMode=Open new value of transferMode=Open current value of 
webgateType=ohsWebgate11g proposed value of webgateType=ohsWebgate11g new value of webgateType=ohsWebgate11g proposed value of SSOEnabled=true new value of isSSOEnabled=true current value of integrationMode=CQR proposed value of integrationMode=CQR new value of integrationMode=CQR Connection closed sucessfully sak configure oam Connecting to OAM Domain MBean Server... looking for OAM domain credentials. JMX URL : service:jmx:t3://myhost.us.example.com:7001/jndi/weblogic.management.mbeanservers.domainruntime sak mbeanObjectNames size: 1 sak Registering OIM as a TAP partner with OAM... sak Registering OIM as a TAP partner with OAM was successful!! sak configure oam before strCipherKey=DEC40506366E926CACC9A0D666E94F85 sak mbeanObjectNames size: 1 Getting OAM/TAP Endpoint URL... Getting OAM/TAP Endpoint URL was successful!! MBean server connection closed sucessfully
-
Open a browser, and access the Oracle Enterprise Manager Fusion Middleware Control for the OIG using the following URL format:
http://ADMINSTRATION_SERVER:PORT/em
-
Expand Domain and open System MBean Browser.
-
Search the mbean with name
SSOIntegrationMXBean
. -
Ensure that all the required fields are updated as per the
proposed value
in theoig-oam-integration
log file.
-
-
Open the
oam-config.xml
in the OAM Domain underDOMAIN_HOME/config/fmwconfig
and verify thatUserStore
attribute points to the name of the identity store you specified in theconfigureSSOIntegration.config
file (For example,OAMIDSTORE
).
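The "proposed value" comparison in the verification steps above is easy to do by hand for two or three attributes and tedious for all of them. The following is an added example (not part of the Oracle documentation or of OIGOAMIntegration.sh) that parses the current/proposed/new entries from the log text in the format shown above, reports attributes where the applied value differs from the proposed one, and compares the proposed values with attribute values an operator has copied out of the System MBean Browser. The log excerpt and MBean values below are constructed for the example; the attribute names are those the page's log prints.

```python
"""Cross-check 'proposed value' entries in the oig-oam-integration log against
the 'new value' the script applied and against SSOIntegrationMXBean attributes.

Added example, not Oracle's code. The log text below is constructed in the
format shown on this page; attribute names are the ones the page's log prints.
"""
import re

# One entry looks like "proposed value of napVersion=4", optionally preceded by
# the "sak " debug prefix. Several entries may share one line, so a value runs
# until the next entry, the next "sak" token, or the end of the line.
ENTRY_RE = re.compile(
    r"(current|proposed|new) value of ([A-Za-z0-9_]+)=(.*?)"
    r"(?=\s+(?:sak\s+)?(?:current|proposed|new) value of |\s+sak\s|\s*$)",
    re.M,
)


def parse_integration_log(text):
    """Return {attribute: {"current": v, "proposed": v, "new": v}}.

    Only the kinds actually logged for an attribute appear as keys.
    """
    values = {}
    for kind, attr, val in ENTRY_RE.findall(text):
        values.setdefault(attr, {})[kind] = val
    return values


def find_mismatches(values):
    """Attributes whose applied value differs from the proposed one.

    Returns {attr: (proposed, new)}; 'new' is None when the log proposed a value
    but never logged a matching 'new value of <attr>' entry. In the page's log
    the enabled flag is proposed as SSOEnabled and applied as isSSOEnabled, so
    it surfaces here and has to be checked by name in the MBean browser.
    """
    return {
        attr: (v["proposed"], v.get("new"))
        for attr, v in values.items()
        if "proposed" in v and v.get("new") != v["proposed"]
    }


def compare_with_mbean(values, mbean_attrs):
    """Compare proposed values with attribute values read from SSOIntegrationMXBean.

    mbean_attrs is {attribute: value} as copied from the System MBean Browser.
    Returns {attr: (proposed, mbean_value)} for every difference or missing attribute.
    """
    return {
        attr: (v["proposed"], mbean_attrs.get(attr))
        for attr, v in values.items()
        if "proposed" in v and mbean_attrs.get(attr) != v["proposed"]
    }


# Constructed log excerpt in the page's layout, with one deliberate discrepancy
# (oamServerPort applied as 5575 although 14100 was proposed) to show what the
# check reports.
SAMPLE_LOG = """\
sak SSOIntegrationAutomationTool: got SSOIntegrationMXBean...
sak current value of accessServerHost=oamaccesshost.example.com proposed value of accessServerHost=oamaccesshost.example.com sak new value of accessServerHost=oamaccesshost.example.com
current value of loginIdAttribute=User Login proposed value of loginIdAttribute=User Login new value of loginIdAttribute=User Login
current value of oamServerPort=14100 proposed value of oamServerPort=14100 new value of oamServerPort=5575
current value of napVersion=4 proposed value of napVersion=4 new value of napVersion=4
proposed value of SSOEnabled=true new value of isSSOEnabled=true
current value of integrationMode=CQR proposed value of integrationMode=CQR new value of integrationMode=CQR
Connection closed successfully
"""

# Values as an operator would copy them from the MBean browser (constructed).
SAMPLE_MBEAN = {
    "accessServerHost": "oamaccesshost.example.com",
    "loginIdAttribute": "User Login",
    "oamServerPort": "5575",
    "napVersion": "4",
    "isSSOEnabled": "true",
    "integrationMode": "CQR",
}

if __name__ == "__main__":
    parsed = parse_integration_log(SAMPLE_LOG)
    print("applied != proposed:", find_mismatches(parsed))
    print("mbean != proposed:  ", compare_with_mbean(parsed, SAMPLE_MBEAN))
```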
4.3.2.5 Enabling OAM Notifications Using Automated Script
Enable OAM notifications using the automated script for OIG-OAM integration, OIGOAMIntegration.sh.
Event handlers are required to terminate user sessions. OAM notification handlers are not loaded by default. Run OIGOAMIntegration.sh -enableOAMsessionDeletion to import the OAM notification handlers and register the OIG System Administrator to use the OAM REST APIs.
To enable OAM notification:
- Update the enableOAMSessionDeletion.config file (located at ORACLE_HOME/idm/server/ssointg/config):
OIM_SERVER_NAME
OIM_WLSHOST
OIM_WLSPORT
OIM_WLSADMIN
OIM_WLSADMIN_PWD
IDSTORE_DIRECTORYTYPE
IDSTORE_HOST
IDSTORE_PORT
## Specify the IDStore admin credentials below
IDSTORE_BINDDN
IDSTORE_BINDDN_PWD
IDSTORE_USERSEARCHBASE
IDSTORE_GROUPSEARCHBASE
IDSTORE_SYSTEMIDBASE
IDSTORE_OAMADMINUSER
IDSTORE_OAMSOFTWAREUSER
The following table describes the parameters related to enabling OAM notifications in the enableOAMSessionDeletion.config file.

Table 4-8 Parameters in enableOAMSessionDeletion.config File

Property | Description | Sample Value |
---|---|---|
IDSTORE_BINDDN | An administrative user in Oracle Internet Directory, Oracle Unified Directory or Active Directory. | OID = cn=orcladmin; OUD = cn=oudadmin; AD = CN=Administrator,CN=Users,DC=example.com,DC=example,dc=com |
IDSTORE_BINDDN_PWD | Enter the password for the administrative user in Oracle Internet Directory or Oracle Unified Directory. | <password> |
IDSTORE_DIRECTORYTYPE | Enter the identity store directory type. Valid options are OID, OUD, and AD. | OID |
IDSTORE_GROUPSEARCHBASE | Enter the location in the directory where groups are stored. | cn=groups,dc=example,dc=com |
IDSTORE_HOST | Enter the identity store host name. | idstore.example.com |
IDSTORE_OAMADMINUSER | Enter the user you use to access your Oracle Access Management Console. | oamAdmin |
IDSTORE_OAMSOFTWAREUSER | Enter the user you use to interact with the LDAP server. | oamLDAP |
IDSTORE_PORT | Enter the identity store port. | 3060 |
IDSTORE_SYSTEMIDBASE | Enter the location of a container in the directory where system-operations users are stored. There are only a few system-operations users, and they are kept separate from the enterprise users stored in the main user container. An example is the Oracle Identity Governance reconciliation user, which is also used as the bind DN user in Oracle Virtual Directory adapters. | cn=systemids,dc=example,dc=com |
IDSTORE_USERSEARCHBASE | Enter the container under which Access Manager searches for users. | cn=users,dc=example,dc=com |
OIM_SERVER_NAME | Enter the OIG server name. | oim_server1 |
OIM_WLSADMIN | Enter the WebLogic administrator user in the OIM domain. | weblogic |
OIM_WLSADMIN_PWD | Enter the password for the WebLogic admin user in the OIM domain. | <password> |
OIM_WLSHOST | Enter the OIG Admin Server host name. | oimadminhost.example.com |
OIM_WLSPORT | Enter the OIG Admin Server port. | 7001 |
- Run the automated script for OIG-OAM integration to enable OAM notifications:
OIGOAMIntegration.sh -enableOAMSessionDeletion
- Update the Setting in the oam-config.xml file:
  - Export the oam-config.xml file from the dbstore. See Updating OAM Configuration in Administering Oracle Access Management for details.
  - Search for the section <Setting Name="SessionRuntime" Type="htf:map">
  - Update the Setting named UserStore so that its value equals the name of the User Identity Store created during OAM-OIG integration. For example, by default the Setting shows as:
<Setting Name="UserStore" Type="xsd:string">UserIdentityStore1</Setting>
Update the setting to the following:
<Setting Name="UserStore" Type="xsd:string">OAMIDStore</Setting>
where OAMIDStore is the name of the User Identity Store created during OAM-OIG integration.
  - Import the oam-config.xml file back into the dbstore. See Updating OAM Configuration in Administering Oracle Access Management for details.
You have successfully executed the automated script to enable OAM notifications.
4.3.2.6 Restarting Servers
After executing the automated script to complete the OIG-OAM integration process, restart all the servers.
- Copy the oim.conf file from ORACLE_HOME/server/ssointg/templates/oim.conf to OHS_DOMAIN_HOME/config/fmwconfig/components/OHS/ohs1/moduleconf.
- Restart the OHS server.
- Restart the OIG and OAM domains.
You have successfully executed the automated script and completed the OIG-OAM integration process.
Proceed with validation of your integration setup. See Validating OIG-OAM Integration.
4.3.2.7 Adding JDK Arguments
ADF_FACES-30200: For more information, please see the server's error log for an entry beginning with: The UIViewRoot is null. Fatal exception during PhaseId: RESTORE_VIEW 1.
However, this error disappears after multiple attempts.
-Dadf.security.clearCache.enabled=false
4.4 Validating the Access Manager and Oracle Identity Governance Integration
Performing the following sanity checks (validating the integrated environment) can help you avoid some common issues that could be encountered at runtime.
In this release, Oracle Identity Governance is integrated with Access Manager using the OIGOAMIntegration.sh script. After Oracle Identity Governance is integrated with Oracle Access Manager, the following configuration settings and files are updated:
- The SSOConfig section in the oim-config.xml file, stored in the OIG Metadata store.
- The realm security providers in OIM_DOMAIN_HOME/config.xml.
- The OIG domain credential store in OIM_DOMAIN_HOME/config/fmwconfig/cwallet.sso.
- The orchestration event handlers required for SSO integration in Eventhandler.xml, stored in the OIG Metadata store.
- The SSO logout configuration in OIM_DOMAIN_HOME/config/fmwconfig/jps-config.xml.
See Also:
- Validating the Oracle Identity Manager SSO Configuration Settings
- Validating the Oracle Identity Governance Security Provider Configuration
- Validating the Access Manager Security Provider Configuration
- Validating the Oracle Identity Governance Event Handlers Configured for SSO
- Validating the Oracle Identity Governance SSO Logout Configuration
- Functionally Testing the Access Manager and Oracle Identity Governance Integration
4.4.1 Validating the Oracle Identity Governance SSO Configuration Settings
This procedure explains how to validate the SSOConfig settings in oim-config.xml:
See Also:
Getting Started Using the Fusion Middleware Control MBean Browsers in Administering Oracle Fusion Middleware.
4.4.2 Validating the Oracle Identity Governance Security Provider Configuration
This procedure explains how to validate the Oracle Identity Governance Security Provider configuration.
4.4.3 Validating the Access Manager Security Provider Configuration
This procedure explains how to validate the Access Manager Security Provider configuration.
4.4.4 Validating the Oracle Identity Governance Domain Credential Store
All passwords and credentials used during communication between Oracle Identity Governance and Access Manager are stored in the domain credential store.
To validate the passwords and credentials used to communicate:
4.4.5 Validating the Oracle Identity Governance Event Handlers Configured for SSO
EventHandlers.xml file, located at /db/ssointg/EventHandlers.xml.
See Also:
- Getting Started Using the Fusion Middleware Control MBean Browsers in Administering Oracle Fusion Middleware.
- Deploying and Undeploying Customizations in Developing and Customizing Applications for Oracle Identity Governance.
To confirm all event handlers are configured correctly, export the EventHandlers.xml file using Oracle Enterprise Manager Fusion Middleware Control:
4.4.6 Validating the Oracle Identity Governance SSO Logout Configuration
Oracle Identity Governance logout is configured to use single logout after the integration is complete. After a user logs out from Oracle Identity Governance, they are logged out from all the Access Manager protected applications as well.
To verify the configuration of single logout, do the following:
4.4.7 Functionally Testing the Access Manager and Oracle Identity Governance Integration
The final task is to verify the Access Manager and Oracle Identity Governance integration.
Perform the steps shown in the following table in sequence.
Table 4-9 Verifying Access Manager and Oracle Identity Governance Integration
Step | Description | Expected Result |
---|---|---|
1 | Log in to the Oracle Access Management Console as the http://admin_server_host:admin_server_port/oamconsole | Provides access to the administration console. |
2 | Access the Oracle Identity Governance administration page with the URL: where hostname:port can be for either Oracle Identity Management or OHS, depending on whether a Domain Agent or WebGate is used. | The Oracle Access Management login page from the Access Manager managed server should display. Verify that the links for the "Forgot Password", "Register New Account" and "Track User Registration" features appear in the login page. Verify that each link works. For more information about these features, see About Password Management Scenarios. |
3 | Log in as | The Oracle Identity Governance Admin Page should be accessible. |
4 | Create a new user using Oracle Identity Self Service. Close the browser and try accessing the OIG Identity Page. When prompted for login, provide valid credentials for the newly created user. | You should be redirected to Oracle Identity Governance and be required to reset the password. After resetting the password and setting the challenge question, the user should be automatically logged into the application. Auto-login should work. |
5 | Close the browser and access Oracle Identity Self Service. | The Oracle Access Management login page from the Access Manager managed server should display. Verify that the links for the "Forgot Password", "Register New Account" and "Track User Registration" features appear in the login page. Verify that each link works. For more information about these features, see About Password Management Scenarios. |
6 | Verify that the lock/disable feature works by opening a browser and logging in as a test user. In another browser session, log in as an administrator, then lock or disable the test user account. | The user must be redirected back to the login page while accessing any of the links. |
7 | Verify that the SSO logout feature works by logging into Oracle Identity Self Service as a test user or system administrator. | Upon logout from the page, you are redirected to the SSO logout page. |
4.4.8 Validating Integration Configuration
Validate that the oam-config.xml in the OAM domain under DOMAIN_HOME/config/fmwconfig contains the IDStore provided during OAM configuration, say OAMIDSTORE. The XML node SessionRuntime>UserStore should not have UserIdentityStore1, but OAMIDSTORE.
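The SessionRuntime > UserStore check above, and the corresponding update step in Enabling OAM Notifications Using Automated Script, as an added example (not part of the Oracle documentation or of OIGOAMIntegration.sh). It works on an exported oam-config.xml only; exporting the file from and importing it back into the dbstore remain the documented procedure. The expected store name is the OAM11G_IDSTORE_NAME value from configureSSOIntegration.config (OAMIDStore in this chapter). The sample document below is constructed around the two Setting elements the page shows and is not a real oam-config.xml; a second UserStore setting outside SessionRuntime is included to show why the lookup is scoped to that map.

```python
"""Check, and if needed update, SessionRuntime > UserStore in an exported
oam-config.xml so it names the integration's identity store instead of the
default UserIdentityStore1.

Added example, not Oracle's code. The sample document is constructed from the
two Setting elements shown on this page and is not a real oam-config.xml.
"""
import xml.etree.ElementTree as ET

# The UserStore setting that lives inside the SessionRuntime map (the node the
# page calls SessionRuntime>UserStore); other UserStore settings are ignored.
USER_STORE_XPATH = ".//Setting[@Name='SessionRuntime']/Setting[@Name='UserStore']"


def find_user_store(root):
    """Return the UserStore element under SessionRuntime, or None if absent."""
    return root.find(USER_STORE_XPATH)


def check_user_store(xml_text, expected_store):
    """Return (ok, current_value); ok is True when UserStore already names expected_store."""
    el = find_user_store(ET.fromstring(xml_text))
    if el is None:
        return False, None
    current = (el.text or "").strip()
    return current == expected_store, current


def set_user_store(xml_text, new_store):
    """Return the document with SessionRuntime > UserStore set to new_store.

    Raises ValueError when the setting is missing: silently creating it would
    hide the fact that this is not the SessionRuntime section the page expects.
    """
    root = ET.fromstring(xml_text)
    el = find_user_store(root)
    if el is None:
        raise ValueError("SessionRuntime/UserStore setting not found")
    el.text = new_store
    return ET.tostring(root, encoding="unicode")


# Constructed sample: the default value the page shows before the update, plus
# a decoy UserStore in another map that must not be touched.
SAMPLE_OAM_CONFIG = """\
<Configuration>
  <Setting Name="DeployedComponents" Type="htf:map">
    <Setting Name="SessionRuntime" Type="htf:map">
      <Setting Name="UserStore" Type="xsd:string">UserIdentityStore1</Setting>
    </Setting>
    <Setting Name="OtherComponent" Type="htf:map">
      <Setting Name="UserStore" Type="xsd:string">OAMIDStore</Setting>
    </Setting>
  </Setting>
</Configuration>
"""

if __name__ == "__main__":
    print("before:", check_user_store(SAMPLE_OAM_CONFIG, "OAMIDStore"))
    fixed = set_user_store(SAMPLE_OAM_CONFIG, "OAMIDStore")
    print("after: ", check_user_store(fixed, "OAMIDStore"))
```

ET.tostring drops the XML declaration and rewrites namespace prefixes, so for a real file treat the returned text as the edit to apply, then import the file through the documented Updating OAM Configuration procedure.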
- Validate that the scheduled jobs exist:
  - SSO Group Create And Update Full Reconciliation
  - SSO Group Create And Update Incremental Reconciliation
  - SSO Group Delete Full Reconciliation
  - SSO Group Delete Incremental Reconciliation
  - SSO Group Hierarchy Sync Full Reconciliation
  - SSO Group Hierarchy Sync Incremental Reconciliation
  - SSO Group Membership Full Reconciliation
  - SSO Group Membership Incremental Reconciliation
  - SSO Post Enable Provision Role Hierarchy to LDAP
  - SSO Post Enable Provision Roles to LDAP
  - SSO Post Enable Provision Users to LDAP
  - SSO User Incremental Reconciliation
  - SSO User Full Reconciliation
  - SSO Post Enable Provision Role Membership to LDAP
- Validate that the IT Resources are updated or created appropriately:
  - Navigate to Provisioning Configuration > IT Resource.
  - Search for the IT resource type OID Connector.
  - Verify that IT Resources such as SSOTargetApp and SSOTrusted-for-SSOTargetApp have correct parameter values.
- Verify that the log at $ORACLE_HOME/idm/server/ssointg/logs/oig-oam-integration_*.log contains:
[2017-12-22 02:25:13] Seeding OIM Resource Policies into OAM
[2017-12-22 02:25:13] Loading xml... /scratch/userid/devtools/Middleware///idm/server/ssointg/templates/Resources.xml
[2017-12-22 02:25:14] Loading xml... /scratch/userid/devtools/Middleware///idm/server/ssointg/templates/AuthnPolicies.xml
[2017-12-22 02:25:14] Loading xml... /scratch/userid/devtools/Middleware///idm/server/ssointg/templates/AuthzPolicies.xml
[2017-12-22 02:25:14] Getting Application Domains...
[2017-12-22 02:25:14] WebResourceClient::getAppDomainResource(): http://host:port/oam/services/rest/11.1.2.0.0/ssa/policyadmin/appdomain
[2017-12-22 02:25:15] Authenticating using {oamAdmin:******}
[2017-12-22 02:25:15] Getting Resources from domain 'IAM Suite'
[2017-12-22 02:25:15] WebResourceClient::getResource(): http://host:port/oam/services/rest/11.1.2.0.0/ssa/policyadmin/resource
[2017-12-22 02:25:16] Getting Resources from domain 'Fusion Apps Integration'
[2017-12-22 02:25:16] WebResourceClient::getResource(): http://host:port/oam/services/rest/11.1.2.0.0/ssa/policyadmin/resource
[2017-12-22 02:25:16] Getting Authentication Policies from domain 'IAM Suite'
[2017-12-22 02:25:16] WebResourceClient::getAuthenticationPolicyResource(): http://host:port/oam/services/rest/11.1.2.0.0/ssa/policyadmin/authnpolicy
[2017-12-22 02:25:16] Getting Authorization Policies from domain 'IAM Suite'
[2017-12-22 02:25:16] WebResourceClient::getAuthorizationPolicyResource(): http://host:port/oam/services/rest/11.1.2.0.0/ssa/policyadmin/authzpolicy
[2017-12-22 02:25:16] Resources Seeded!!
4.4.9 Improving Reset Password Performance in Active Directory Integration
Note:
These steps are applicable only to AD. No separate process is required to improve Reset Password performance for OUD/OID.
- Create the SSO.RESETPASSWORDONTARGETBYPASSINGCONNECTOR system property and set it to true.
- Import the AD certificate into Oracle Identity Governance (OIG):
  - If the Demo identity and trust store is used, import the AD certificate into the Demo trust keystore:
$JAVA_HOME/jre/bin/keytool -import -alias ad_trusted_cert -file $CERT_FILE -keystore $MW_HOME/wlserver/server/lib/DemoTrust.jks -storepass DemoTrustKeyStorePassPhrase
  - If a custom identity and trust store is used, import the AD certificate into the custom trust keystore:
$JAVA_HOME/jre/bin/keytool -import -alias ad_trusted_cert -file $CERT_FILE -keystore $DOMAIN_HOME/config/fmwconfig/<CUSTOM_TRUST_STORE>.jks -storepass <CustomTrustKeyStorePassPhrase>
Note:
You must place the custom trust keystore under $DOMAIN_HOME/config/fmwconfig and it must be file-based.
4.5 Scheduled Jobs for OIG-OAM Integration
OIG offers two sets of scheduled jobs for synchronizing with LDAP: Reconciliation Jobs and SSO Post Enable Jobs.
Reconciliation Jobs
The following reconciliation jobs are provided:
- SSO User Full Reconciliation
- SSO User Incremental Reconciliation
- SSO Group Create and Update Full Reconciliation
- SSO Group Create and Update Incremental Reconciliation
- SSO Group Delete Full Reconciliation
- SSO Group Delete Incremental Reconciliation
- SSO Group Membership Full Reconciliation
- SSO Group Membership Incremental Reconciliation
- SSO Group Hierarchy Sync Full Reconciliation
- SSO Group Hierarchy Sync Incremental Reconciliation
Note:
SSO Group Hierarchy Sync Incremental Reconciliation is supported only for Oracle Internet Directory and Oracle Unified Directory.
Parameter Values for Reconciliation Jobs
Table 4-10 Parameter values for reconciliation jobs
Reconciliation job | Parameter Name | Parameter Value | Description |
---|---|---|---|
SSO User Full Reconciliation |
Resource Object Name |
SSOTarget |
Name of the target resource object against which reconciliation runs must be performed. This corresponds to the target account which has to be reconciled for the user. This value is equal to the target application instance name. |
SSO User Full Reconciliation |
IT Resource Name |
SSOTarget |
Name of the target IT resource instance that the connector must use to reconcile data.This corresponds to the target account which has to be reconciled for the user. This value is equal to the target application instance name. |
SSO User Full Reconciliation |
Object Type |
User |
This attribute holds the type of object you want to reconcile. This value is fixed. |
SSO User Full Reconciliation |
Trusted Resource Object Name |
SSOTrusted-for-SSOTarget |
Name of the trusted resource object against which reconciliation runs must be performed. This corresponds to the target account which has to be reconciled for the user. This value is equal to the trusted application instance name (auto-generated by OIGOAMIntegrationScript.sh). |
SSO User Full Reconciliation |
Trusted IT Resource Name |
SSOTrusted-for-SSOTarget |
Name of the trusted IT resource instance that the connector must use to reconcile data.This corresponds to the target account which has to be reconciled for the user. This value is equal to the trusted application instance name (auto-generated by OIGOAMIntegrationScript.sh). |
SSO User Full Reconciliation |
Scheduled Task Name |
SSO User Full Reconciliation |
This attribute holds the name of the scheduled job. This value is fixed. |
SSO User Full Reconciliation |
Incremental Recon Attribute |
NA |
This attribute should be left empty for SSO User Full Reconciliation job |
SSO User Full Reconciliation |
Latest Token |
NA |
This attribute should be left empty for SSO User Full Reconciliation job |
SSO User Full Reconciliation |
Sync Token |
NA |
This attribute should be left empty for SSO User Full Reconciliation job |
SSO User Full Reconciliation |
Filter |
NA |
Expression for filtering records that must be reconciled by the scheduled job. Sample value: startsWith('cn','Samrole1') Default value: None See Section 7.8 ICF Filter Syntax in Integrating ICF with Oracle Identity Governance documentation for the syntax of this expression. |
SSO User Incremental Reconciliation |
Resource Object Name |
SSOTarget |
Name of the target resource object against which reconciliation runs must be performed. This corresponds to the target account which has to be reconciled for the user. This value is equal to the target application instance name. |
SSO User Incremental Reconciliation |
IT Resource Name |
SSOTarget |
Name of the target IT resource instance that the connector must use to reconcile data.This corresponds to the target account which has to be reconciled for the user. This value is equal to the target application instance name. |
SSO User Incremental Reconciliation |
Object Type |
User |
This attribute holds the type of object you want to reconcile. This value is fixed. |
SSO User Incremental Reconciliation |
Trusted Resource Object Name |
SSOTrusted-for-SSOTarget |
Name of the trusted resource object against which reconciliation runs must be performed. This corresponds to the target account which has to be reconciled for the user. This value is equal to the trusted application instance name (auto-generated by OIGOAMIntegrationScript.sh). |
SSO User Incremental Reconciliation |
Trusted IT Resource Name |
SSOTrusted-for-SSOTarget |
Name of the trusted IT resource instance that the connector must use to reconcile data.This corresponds to the target account which has to be reconciled for the user. This value is equal to the trusted application instance name (auto-generated by OIGOAMIntegrationScript.sh). |
SSO User Incremental Reconciliation |
Scheduled Task Name |
SSO User Full Reconciliation |
This attribute holds the name of the scheduled job. This value is fixed. |
SSO User Incremental Reconciliation |
Incremental Recon Attribute |
Name of the target system attribute that holds the change number at which the last reconciliation run started. The value in this attribute is used during incremental reconciliation to determine the newest or latest record reconciled from the target system. This value is fixed. |
|
SSO User Incremental Reconciliation | Latest Token | | This attribute holds the value of the uSNChanged attribute of a domain controller that is used for reconciliation. Note: The reconciliation engine automatically enters a value for this attribute. It is recommended that you do not change the value of this attribute. If you manually specify a value for this attribute, then only groups whose uSNChanged value is greater than the Latest Token attribute value are reconciled. Default value: None |
SSO User Incremental Reconciliation | Sync Token | | This job parameter is present only if the target directory is Oracle Internet Directory or Oracle Unified Directory. You can manually enter the first Sync Token. To retrieve this token, query cn=changelog on the rootDSE of the target system. Then, every time sync reconciliation is run, Sync Token is updated. Browse the changelog attribute of the target system to determine a value from the changelog that must be used to resume a reconciliation run. From the next reconciliation run onward, only data about records that are created or modified since the last reconciliation run ended is fetched into Oracle Identity Governance. Alternatively, you can leave this field blank, which causes the entire changelog to be read. This attribute stores values in one of the following formats: if the standardChangelog entry in the Configuration lookup definition for the target system is set to true, the format is <Integer>VALUE</Integer> (sample value: <Integer>476</Integer>); if it is set to false (for example, for OUD), the format is <String>VALUE</String> (sample value: <String>dc=example,dc=com:0000013633e514427b6600000013;</String>). Default value: None |
SSO User Incremental Reconciliation | Filter | | Expression for filtering records that must be reconciled by the scheduled job. Sample value: startsWith('cn','Samrole1'). Default value: None. See Section 7.8 ICF Filter Syntax in Integrating ICF with Oracle Identity Governance for the syntax of this expression. |
SSO Group Create and Update Full Reconciliation | Resource Object Name | SSO Group | Name of the resource object against which reconciliation runs must be performed. This value is fixed. |
SSO Group Create and Update Full Reconciliation | Object Type | Group | This attribute holds the type of object you want to reconcile. This value is fixed. |
SSO Group Create and Update Full Reconciliation | IT Resource Name | SSO Server | Name of the IT resource instance that the connector must use to reconcile data. This value is fixed. |
SSO Group Create and Update Full Reconciliation | Scheduled Task Name | SSO Group Create And Update Full Reconciliation | This attribute holds the name of the scheduled job. This value is fixed. |
SSO Group Create and Update Full Reconciliation | Filter | | Expression for filtering records that must be reconciled by the scheduled job. Sample value: startsWith('cn','Samrole1'). Default value: None. See Section 7.8 ICF Filter Syntax in Integrating ICF with Oracle Identity Governance for the syntax of this expression. |
SSO Group Create and Update Full Reconciliation | Organization Name | Top | This job parameter is present only if the target directory is Active Directory. OIG organization to which the reconciled role should be provisioned. This value is fixed. |
SSO Group Create and Update Full Reconciliation | Organization Type | Company | This job parameter is present only if the target directory is Active Directory. Type of the organization to which the reconciled role is being provisioned. This attribute is used only within the connector reconciliation scope and has no significance in OIG. This value is fixed. |
SSO Group Create and Update Incremental Reconciliation | Resource Object Name | SSO Group | Name of the resource object against which reconciliation runs must be performed. This value is fixed. |
SSO Group Create and Update Incremental Reconciliation | Object Type | Group | This attribute holds the type of object you want to reconcile. This value is fixed. |
SSO Group Create and Update Incremental Reconciliation | IT Resource Name | SSO Server | Name of the IT resource instance that the connector must use to reconcile data. This value is fixed. |
SSO Group Create and Update Incremental Reconciliation | Scheduled Task Name | SSO Group Create And Update Incremental Reconciliation | This attribute holds the name of the scheduled job. This value is fixed. |
SSO Group Create and Update Incremental Reconciliation | Filter | | Expression for filtering records that must be reconciled by the scheduled job. Sample value: startsWith('cn','Samrole1'). Default value: None. See Section 7.8 ICF Filter Syntax in Integrating ICF with Oracle Identity Governance for the syntax of this expression. |
SSO Group Create and Update Incremental Reconciliation | Sync Token | | This job parameter is present only if the target directory is Oracle Internet Directory or Oracle Unified Directory. You can manually enter the first Sync Token. To retrieve this token, query cn=changelog on the rootDSE of the target system. Then, every time sync reconciliation is run, Sync Token is updated. Browse the changelog attribute of the target system to determine a value from the changelog that must be used to resume a reconciliation run. From the next reconciliation run onward, only data about records that are created or modified since the last reconciliation run ended is fetched into Oracle Identity Governance. Alternatively, you can leave this field blank, which causes the entire changelog to be read. This attribute stores values in one of the following formats: if the standardChangelog entry in the Configuration lookup definition for the target system is set to true, the format is <Integer>VALUE</Integer> (sample value: <Integer>476</Integer>); if it is set to false (for example, for OUD), the format is <String>VALUE</String> (sample value: <String>dc=example,dc=com:0000013633e514427b6600000013;</String>). Default value: None |
SSO Group Create and Update Incremental Reconciliation | Incremental Recon Attribute | uSNChanged | This job parameter is present only if the target directory is Active Directory. Name of the target system attribute that holds the change number at which the last reconciliation run started. The value in this attribute is used during incremental reconciliation to determine the newest or latest record reconciled from the target system. This value is fixed. |
SSO Group Create and Update Incremental Reconciliation | Latest Token | | This attribute holds the value of the uSNChanged attribute of a domain controller that is used for reconciliation. Note: The reconciliation engine automatically enters a value for this attribute. It is recommended that you do not change the value of this attribute. If you manually specify a value for this attribute, then only groups whose uSNChanged value is greater than the Latest Token attribute value are reconciled. Default value: None |
SSO Group Create and Update Incremental Reconciliation | Organization Name | Top | This job parameter is present only if the target directory is Active Directory. OIG organization to which the reconciled role should be provisioned. This value is fixed. |
SSO Group Create and Update Incremental Reconciliation | Organization Type | Company | This job parameter is present only if the target directory is Active Directory. Type of the organization to which the reconciled role is being provisioned. This attribute is used only within the connector reconciliation scope and has no significance in OIG. This value is fixed. |
SSO Group Delete Full Reconciliation | IT Resource Name | SSO Server | Name of the IT resource instance that the connector must use to reconcile data. This value is fixed. |
SSO Group Delete Full Reconciliation | Object Type | Group | This parameter holds the type of object you want to reconcile. This value is fixed. |
SSO Group Delete Full Reconciliation | Resource Object Name | SSO Group | Name of the group resource object against which reconciliation runs must be performed. This value is fixed. |
SSO Group Delete Full Reconciliation | Scheduled Task Name | SSO Group Delete Full Reconciliation | This attribute holds the name of the scheduled job. This value is fixed. |
SSO Group Delete Full Reconciliation | Delete Recon | yes | This parameter is present only in SSO Group Delete Reconciliation for Active Directory. This value is fixed. |
SSO Group Delete Full Reconciliation | Organization Name | | This parameter is present only in SSO Group Delete Reconciliation for Active Directory. This value can be left empty. |
SSO Group Delete Incremental Reconciliation | IT Resource Name | SSO Server | Name of the IT resource instance that the connector must use to reconcile data. This value is fixed. |
SSO Group Delete Incremental Reconciliation | Object Type | Group | This attribute holds the type of object you want to reconcile. This value is fixed. |
SSO Group Delete Incremental Reconciliation | Resource Object Name | SSO Group | Name of the group resource object against which reconciliation runs must be performed. This value is fixed. |
SSO Group Delete Incremental Reconciliation | Scheduled Task Name | SSO Group Delete Full Reconciliation | This attribute holds the name of the scheduled job. This value is fixed. |
SSO Group Delete Incremental Reconciliation | Sync Token | | This job parameter is present only if the target directory is Oracle Internet Directory or Oracle Unified Directory. You can manually enter the first Sync Token. To retrieve this token, query cn=changelog on the rootDSE of the target system. Then, every time sync reconciliation is run, Sync Token is updated. Browse the changelog attribute of the target system to determine a value from the changelog that must be used to resume a reconciliation run. From the next reconciliation run onward, only data about records that are created or modified since the last reconciliation run ended is fetched into Oracle Identity Governance. Alternatively, you can leave this field blank, which causes the entire changelog to be read. This attribute stores values in one of the following formats: if the standardChangelog entry in the Configuration lookup definition for the target system is set to true, the format is <Integer>VALUE</Integer> (sample value: <Integer>476</Integer>); if it is set to false (for example, for OUD), the format is <String>VALUE</String> (sample value: <String>dc=example,dc=com:0000013633e514427b6600000013;</String>). Default value: None |
SSO Group Delete Incremental Reconciliation | Delete Recon | yes | This parameter is present only in SSO Group Delete Reconciliation for Active Directory. This value is fixed. |
SSO Group Delete Incremental Reconciliation | Organization Name | | This parameter is present only in SSO Group Delete Reconciliation for Active Directory. This value can be empty. |
SSO Group Membership Full Reconciliation | Application Name | SSOTarget | Name of the target application from which you reconcile records. |
SSO Group Membership Full Reconciliation | Object Type | User | This attribute holds the type of object you want to reconcile. This value is fixed. |
SSO Group Membership Full Reconciliation | IT Resource Name | SSOTarget | Name of the IT resource used by the target application instance from which you reconcile records. |
SSO Group Membership Full Reconciliation | Scheduled Task Name | SSO Group Membership Full Reconciliation | This attribute holds the name of the scheduled job. This value is fixed. |
SSO Group Membership Full Reconciliation | Filter | <Empty> | Expression for filtering records that must be reconciled by the scheduled job. Sample value: startsWith('cn','Samrole1'). Default value: None. See Section 7.8 ICF Filter Syntax in Integrating ICF with Oracle Identity Governance for the syntax of this expression. |
SSO Group Membership Incremental Reconciliation | Application Name | SSOTarget | Name of the target application from which you reconcile records. |
SSO Group Membership Incremental Reconciliation | Resource Object Name | SSO Group | Name of the group resource object against which reconciliation runs must be performed. This value is fixed. |
SSO Group Membership Incremental Reconciliation | IT Resource Name | SSO Server | Name of the IT resource instance that the connector must use to reconcile data. This value is fixed. |
SSO Group Membership Incremental Reconciliation | User IT Resource Name | SSOTarget | Name of the IT resource used by the target application instance from which you reconcile records. This is the same as the target application instance. |
SSO Group Membership Incremental Reconciliation | User Resource Object Name | SSOTarget | Resource object name corresponding to the target application instance. This is the same as the target application instance. |
SSO Group Membership Incremental Reconciliation | Scheduled Task Name | SSO Group Membership Incremental Reconciliation | Fixed for this job; not changeable. |
SSO Group Membership Incremental Reconciliation | Object Type | Group | This attribute holds the type of object you want to reconcile. This value is fixed. |
SSO Group Membership Incremental Reconciliation | Sync Token | | This job parameter is present only if the target directory is Oracle Internet Directory or Oracle Unified Directory. You can manually enter the first Sync Token. To retrieve this token, query cn=changelog on the rootDSE of the target system. Then, every time sync reconciliation is run, Sync Token is updated. Browse the changelog attribute of the target system to determine a value from the changelog that must be used to resume a reconciliation run. From the next reconciliation run onward, only data about records that are created or modified since the last reconciliation run ended is fetched into Oracle Identity Governance. Alternatively, you can leave this field blank, which causes the entire changelog to be read. This attribute stores values in one of the following formats: if the standardChangelog entry in the Configuration lookup definition for the target system is set to true, the format is <Integer>VALUE</Integer> (sample value: <Integer>476</Integer>); if it is set to false (for example, for OUD), the format is <String>VALUE</String> (sample value: <String>dc=example,dc=com:0000013633e514427b6600000013;</String>). Default value: None |
SSO Group Membership Incremental Reconciliation | Incremental Recon Attribute | uSNChanged | This job parameter is present only if the target directory is Active Directory. Name of the target system attribute that holds the change number at which the last reconciliation run started. The value in this attribute is used during incremental reconciliation to determine the newest or latest record reconciled from the target system. This value is fixed. |
SSO Group Membership Incremental Reconciliation | Latest Token | | This attribute holds the value of the uSNChanged attribute of a domain controller that is used for reconciliation. Note: The reconciliation engine automatically enters a value for this attribute. It is recommended that you do not change the value of this attribute. If you manually specify a value for this attribute, then only groups whose uSNChanged value is greater than the Latest Token attribute value are reconciled. Default value: None |
SSO Group Membership Incremental Reconciliation | Filter | | Expression for filtering records that must be reconciled by the scheduled job. Sample value: startsWith('cn','Samrole1'). Default value: None. See Section 7.8 ICF Filter Syntax in Integrating ICF with Oracle Identity Governance for the syntax of this expression. |
SSO Group Hierarchy Full Reconciliation | Resource Object Name | SSO Group | Name of the resource object against which reconciliation runs must be performed. This value is fixed. |
SSO Group Hierarchy Full Reconciliation | Object Type | Group | This attribute holds the type of object you want to reconcile. This value is fixed. |
SSO Group Hierarchy Full Reconciliation | IT Resource Name | SSO Server | Name of the IT resource instance that the connector must use to reconcile data. This value is fixed. |
SSO Group Hierarchy Full Reconciliation | Scheduled Task Name | SSO Group Hierarchy Full Reconciliation | This attribute holds the name of the scheduled job. This value is fixed. |
SSO Group Hierarchy Full Reconciliation | Sync Token | | This value should always be empty for SSO Group Hierarchy Full Reconciliation. |
SSO Group Hierarchy Incremental Reconciliation | Resource Object Name | SSO Group | Name of the resource object against which reconciliation runs must be performed. This value is fixed. |
SSO Group Hierarchy Incremental Reconciliation | Object Type | Group | This attribute holds the type of object you want to reconcile. This value is fixed. |
SSO Group Hierarchy Incremental Reconciliation | IT Resource Name | SSO Server | Name of the IT resource instance that the connector must use to reconcile data. This value is fixed. |
SSO Group Hierarchy Incremental Reconciliation | Scheduled Task Name | SSO Group Hierarchy Full Reconciliation | This attribute holds the name of the scheduled job. This value is fixed. |
SSO Group Hierarchy Incremental Reconciliation | Sync Token | | This job parameter is present only if the target directory is Oracle Internet Directory or Oracle Unified Directory. You can manually enter the first Sync Token. To retrieve this token, query cn=changelog on the rootDSE of the target system. Then, every time sync reconciliation is run, Sync Token is updated. Browse the changelog attribute of the target system to determine a value from the changelog that must be used to resume a reconciliation run. From the next reconciliation run onward, only data about records that are created or modified since the last reconciliation run ended is fetched into Oracle Identity Governance. Alternatively, you can leave this field blank, which causes the entire changelog to be read. This attribute stores values in one of the following formats: if the standardChangelog entry in the Configuration lookup definition for the target system is set to true, the format is <Integer>VALUE</Integer> (sample value: <Integer>476</Integer>); if it is set to false (for example, for OUD), the format is <String>VALUE</String> (sample value: <String>dc=example,dc=com:0000013633e514427b6600000013;</String>). Default value: None |
SSO Post Enable Jobs
OIG offers post enable jobs to seed identities and their relations from OIG to LDAP.
The post enable jobs are meant for the following deployment scenario: OIG has already been deployed for some time and is now being integrated with OAM and LDAP. In that case, the existing users and roles in OIG, and the relations between them, need to be seeded into LDAP to synchronize it with the data in OIG. After the OIG-OAM integration configuration has been performed, run these jobs once to seed the users, roles and their relationships to LDAP.
The following post enable jobs are offered:
- SSO Post Enable Provision Users to LDAP: For each user in OIG, this job creates a user in LDAP and provisions the SSO target application instance to the user.
- SSO Post Enable Provision Roles to LDAP: For each role in OIG, this job creates a role in LDAP and subsequently creates a lookup, an entitlement and a catalog entry for the entitlement.
- SSO Post Enable Provision Role Membership to LDAP: For each role granted to a user, this job grants the entitlement corresponding to the role, which in turn grants the user's membership in LDAP.
- SSO Post Enable Provision Role Hierarchy to LDAP: For each role-role relation in OIG, this job adds the relationship between the corresponding groups in LDAP.
Reconciliation Behavior
User Reconciliation
The following object classes apply to user reconciliation:
- InetOrgPerson
- orclIDXPerson
- OblixOrgPerson
- OblixPersonPwdPolicy
- OIMPersonPwdPolicy
For user reconciliation, set the value for the two mandatory attributes: sn and uid.
User Matching rule:
<matchingRule>((UPPER(USR.usr_ldap_guid)=UPPER(RA_SSOTRUSTEDFORSSAEC4C34A.RA_LDAPGUID94FE1B62)) OR (UPPER(USR.usr_login)=UPPER(RA_SSOTRUSTEDFORSSAEC4C34A.RA_USERLOGIN7C7B96D4)))</matchingRule>
Account Matching rule:
<matchingRule>((UPPER(USR.usr_login)=UPPER(RA_SSOTARGE.RA_USERLOGIN7C7B96D4)) OR (UPPER(USR.usr_ldap_guid)=UPPER(RA_SSOTARGE.RA_ORCLGUID)))</matchingRule>
Group Reconciliation
The following object classes apply to group reconciliation:
- groupOfUniqueNames - in case of OID and OUD
- group - in case of AD
The group reconciliation job requires that group names are unique in OIG. That is, when the job reconciles a create changelog entry for a group named 'Business Administrator' and OIG already has a role named 'Business Administrator', the Business Administrator group is not created again in OIG and the reconciled role is skipped from further processing.
Alternatively, if a group exists in OIG whose GUID matches that of the group being reconciled from LDAP, the reconciliation engine performs an update of the existing group in OIG.
Group Matching Rule:
<matchingRule>(UD_SSO_GR.UD_SSO_GR_SERVER=RA_SSOGROUP4DF6ECEE.RA_ITRESOURCENAME70C9F928 and UD_SSO_GR.UD_SSO_GR_ORCLGUID=RA_SSOGROUP4DF6ECEE.RA_ORCLGUID)</matchingRule>
Group Membership Reconciliation
Group membership reconciliation reconciles the current role grants for users in LDAP. On successful reconciliation, for each role granted to a user, the entitlement corresponding to the role is assigned to the user's SSO account.
Entitlement assignment to the user during reconciliation is executed by a database trigger on the child form table. This child form table stores the membership grants for the user (that is, the account). In some circumstances the entitlement assignment trigger may not have executed, so the user may not yet have the entitlement assignment corresponding to the reconciled role grant. In such cases, run the 'Entitlement Assignment' job to assign the entitlements.
Group Hierarchy Reconciliation
The group hierarchy reconciliation job reconciles the current role relations from LDAP.
Reconciliation Job Errors and Remedial Actions
This section describes the errors reported by the following jobs and the corresponding remedial actions:
- Group membership reconciliation
- Group hierarchy reconciliation
Group membership reconciliation
Group membership Full reconciliation
- The reconciled user entry is looked up in OIG by its GUID. If no matching user is found, recon event creation for that user entry is skipped and an error message corresponding to the skipped user entry is added to the job error messages.
- If the user entry is present but one of its parent roles, matched by role DN, does not exist in OIG, then recon event creation for that user entry is skipped and an error message corresponding to the skipped user entry is added to the job error messages.
If there are no missing parent roles for a user entry, a recon event is created for the user entry and added to the batch recon service. Once the reconciliation job completes, the error message is set for the Job ID.
Group membership Incremental reconciliation
Group membership incremental reconciliation has the same behavior as group membership full reconciliation. In addition to reporting the error message, incremental reconciliation also does not update the latest incremental token. This ensures that when the job is re-run (after performing remedial actions such as running the user or group reconciliation jobs), the user entries that were skipped earlier are assigned a recon event during the next error-free execution.
If you decide to bypass the user entries that caused errors and want to run incremental reconciliation with the latest incremental token, check the scheduled job error message in the job UI: the latest token is printed at the end of the error message. See 'Example for Reconciliation Error due to Missing User or Role'.
Group hierarchy reconciliation
Group Hierarchy Full reconciliation
- The reconciled role entry is looked up in OIG by its GUID. If no matching role is found, recon event creation for that role entry is skipped and an error message corresponding to the skipped user entry is added to the job error messages.
- If the role entry is present but one of its child roles, matched by role DN, does not exist in OIG, then recon event creation for the parent role entry is skipped and an error message corresponding to the skipped user entry is added to the job error messages.
If there are no missing parent or child roles, a recon event is created for the parent role entry and added to the batch recon service.
Once the reconciliation job completes, the error message is set for the Job ID.
Group Hierarchy Incremental reconciliation
Group hierarchy incremental reconciliation has the same behavior as group hierarchy full reconciliation. In addition to reporting the error message if dataErrorDetected is true, incremental reconciliation also does not update the latest incremental token. This ensures that when the job is re-run (after performing remedial actions), the role entries that were skipped earlier are assigned a recon event during the next error-free execution.
If you decide to bypass the role entries that caused errors and want to run hierarchy incremental reconciliation with the latest incremental token, check the scheduled job error message in the job UI: the latest token is printed at the end of the error message.
Example for Reconciliation Error due to Missing User or Role
The scheduled job status is Failed, and the job error message looks like the following:
oracle.iam.connectors.icfcommon.exceptions.OIMException: Role with GUID 54A78A7F44E41C39E053211CF50A7639 does not exist in OIM. Skipping group membership incremental reconciliation for the role
Role with GUID 5E750AB0341F16D3E053211CF50A866D does not exist in OIM. Skipping group membership incremental reconciliation for the role
Role with GUID 5E750AB0342016D3E053211CF50A866D does not exist in OIM. Skipping group membership incremental reconciliation for the role
Role with GUID 5E750AB0346116D3E053211CF50A866D does not exist in OIM. Skipping group membership incremental reconciliation for the role
Role with GUID 5E750AB0346216D3E053211CF50A866D does not exist in OIM. Skipping group membership incremental reconciliation for the role
Role with DN cn=SYSTEM ADMINISTRATORS,cn=Groups,dc=us,dc=oracle,dc=com is not found in OIM - Skipping group membership reconciliation for the user with GUID: 5376289A3A766EE7E053211CF50A8B24.
Latest Token value: <Integer>4204</Integer>
Corrective Actions for Reconciliation Error
- Run the 'SSO Group Create or Update Reconciliation' job to fix the above errors and then re-run the group membership incremental reconciliation job. Similarly, run the 'SSO User Reconciliation' job if the error message relates to a user not existing in OIG.
- Alternatively, if you prefer to ignore the errors for these roles and want to proceed with incremental reconciliation in the future, set the Sync Token job parameter to the latest token value listed in the error message. For the sample message above, the Sync Token job parameter value would be: <Integer>4204</Integer>
- In the case of group membership full reconciliation or group hierarchy full reconciliation, if any of the reconciled users and/or groups does not exist in OIG, the job reports Failed status for the missing user and/or group in all subsequent runs.
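As an added example (not Oracle's code), the following Python script parses a job error message like the one above into the missing roles, the skipped users and the Latest Token value, validates that token against the two Sync Token formats from the job parameter table (Integer for targets with standardChangelog set to true, String otherwise), and maps the result onto the corrective actions listed here. The sample message is constructed from the example above, and the regular expressions assume the message wording shown on this page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the job error message from the example above, with
# the individual connector messages run together as the job UI concatenates them.
SAMPLE_ERROR = (
    "oracle.iam.connectors.icfcommon.exceptions.OIMException: "
    "Role with GUID 54A78A7F44E41C39E053211CF50A7639 does not exist in OIM. "
    "Skipping group membership incremental reconciliation for the role "
    "Role with GUID 5E750AB0341F16D3E053211CF50A866D does not exist in OIM. "
    "Skipping group membership incremental reconciliation for the role "
    "Role with DN cn=SYSTEM ADMINISTRATORS,cn=Groups,dc=us,dc=oracle,dc=com "
    "is not found in OIM - Skipping group membership reconciliation for the "
    "user with GUID: 5376289A3A766EE7E053211CF50A8B24. "
    "Latest Token value: <Integer>4204</Integer>"
)

# Sync Token formats from the job parameter table: targets whose
# standardChangelog entry is true store an integer change number, the others
# (for example OUD) store a string changelog cookie.
_INTEGER_TOKEN = re.compile(r"^<Integer>(\d+)</Integer>$")
_STRING_TOKEN = re.compile(r"^<String>(.+)</String>$")

# Message wording as shown on this page (assumed stable for parsing).
_MISSING_ROLE_GUID = re.compile(r"Role with GUID ([0-9A-Fa-f]+) does not exist in OIM")
_MISSING_ROLE_DN = re.compile(r"Role with DN (.+?) is not found in OIM")
_SKIPPED_USER_GUID = re.compile(r"for the user with GUID: ([0-9A-Fa-f]+)")
_LATEST_TOKEN = re.compile(r"Latest Token value: (<(Integer|String)>.*?</\2>)")


def parse_sync_token(token: str, standard_changelog: bool):
    """Check that a Sync Token matches the format the target expects and return
    the bare value (int for Integer tokens, str for String tokens). A mismatch,
    such as an Integer token for an OUD target, raises ValueError so the wrong
    value is never pasted into the job parameter."""
    pattern = _INTEGER_TOKEN if standard_changelog else _STRING_TOKEN
    match = pattern.match(token.strip())
    if not match:
        expected = "<Integer>N</Integer>" if standard_changelog else "<String>cookie</String>"
        raise ValueError(f"Sync Token {token!r} does not have the expected form {expected}")
    return int(match.group(1)) if standard_changelog else match.group(1)


def is_valid_sync_token(token: str, standard_changelog: bool) -> bool:
    """Boolean convenience wrapper around parse_sync_token."""
    try:
        parse_sync_token(token, standard_changelog)
        return True
    except ValueError:
        return False


@dataclass
class ReconErrorReport:
    missing_role_guids: List[str] = field(default_factory=list)
    missing_role_dns: List[str] = field(default_factory=list)
    skipped_user_guids: List[str] = field(default_factory=list)
    latest_token: Optional[str] = None


def parse_recon_error(message: str) -> ReconErrorReport:
    """Extract the missing roles, the skipped users and the Latest Token value
    that the connector appends to the end of the job error message."""
    report = ReconErrorReport(
        missing_role_guids=_MISSING_ROLE_GUID.findall(message),
        missing_role_dns=_MISSING_ROLE_DN.findall(message),
        skipped_user_guids=_SKIPPED_USER_GUID.findall(message),
    )
    token = _LATEST_TOKEN.search(message)
    if token:
        report.latest_token = token.group(1)
    return report


def corrective_actions(report: ReconErrorReport, standard_changelog: bool = True) -> dict:
    """Map a report onto the two remedies described above: run the role
    reconciliation job and re-run the incremental job, or bypass the skipped
    entries by setting Sync Token to the Latest Token from the message.
    Messages for missing users are not shown on this page, so only the
    missing-role case is recognised here."""
    jobs = []
    if report.missing_role_guids or report.missing_role_dns:
        jobs.append("SSO Group Create or Update Reconciliation")
    actions = {"run_jobs_then_rerun_incremental": jobs, "bypass_sync_token": None}
    # Only offer the bypass value if it is well-formed for this target type.
    if report.latest_token and is_valid_sync_token(report.latest_token, standard_changelog):
        actions["bypass_sync_token"] = report.latest_token
    return actions


if __name__ == "__main__":
    parsed = parse_recon_error(SAMPLE_ERROR)
    print(parsed)
    print(corrective_actions(parsed))
```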
Ensuring Identity Tables Data Synchronization With Child Form Tables
During group membership reconciliation and group hierarchy reconciliation, the reconciliation engine updates the child form table corresponding to each recon event in the reconciliation batch. When the reconciliation engine triggers post-process orchestration for each reconciliation batch, the post-process handlers fetch the child form entry corresponding to each recon event in the batch and update OIG's identity relation tables.
The following jobs synchronize the identity relation tables with the child form data:
- Sync Group Membership with SSO Form Table: For each user in the parent form, this job synchronizes the membership child form data with the USG table. This job accepts a 'Group Membership Child Form Table' name as an input parameter, which has a default value. If the membership child form table name is different in your deployment, set this parameter to the appropriate value.
- Sync Group Hierarchy with SSO Form Table: For each role in the parent form, this job synchronizes the role relationship data with the GPG table. The child form table name for role relationships is fixed for a deployment, so this job does not accept a child form table name as input.
4.6 Configuring User Defined Fields
This section contains the following topics:
4.6.1 Configuring User Defined Fields with SSO
You can configure custom attributes or user-defined fields (UDFs) with SSO.
To do so, complete the following steps:
- Create the UDFs for OIG. For more information, see Creating a Custom Attribute.
Note:
Do not specify any value for the LDAP Attribute in the Create Text Field page.
- Add the UDF to the Create User Form. For more information, see Adding a Custom Attribute Category into Create User Form in Administering Oracle Identity Governance.
- Add the UDF to the SSO target application instance. For more information, see Adding Attribute in Performing Self Service Tasks with Oracle Identity Governance.
- Add the UDF to the SSO trusted application instance. For more information, see Providing Schema Information for Authoritative Application in Performing Self Service Tasks with Oracle Identity Governance.
4.6.2 Configuring Role UDFs
- OIM-OAM integration setup created using Integrating OIG with OAM and LDAP Connectors.
- LDAP Connector Sync support for non-OAM installations using Doc ID 2833544.1 at https://support.oracle.com.
Note:
Before configuring role UDFs, apply the latest bundle patch available for your release.
To configure role UDFs, complete the following steps:
- Create UDFs for the OIG Role entity. For more information, see Configuring Custom Attributes.
- Define the reconciliation mapping for the created role UDFs. Table 4-11 lists the exact entity names to be used while defining the reconciliation mapping.
Note:
- For more information on defining reconciliation mapping for AD, see Adding Custom Fields for Target Resource Reconciliation of Groups and Organizational Units.
- For more information on defining reconciliation mapping for OUD/OID, see Adding the Custom Field to Resource Object Reconciliation Fields.
- Define the provisioning mapping for this role UDF. Table 4-11 lists the exact entity names to be used while defining the provisioning mapping.
Note:
- For more information on defining provisioning mapping for AD, see Adding Custom Fields for Provisioning Groups and Organizational Units.
- For more information on defining provisioning mapping for OUD/OID, see Adding the new Field to the Process Form.
- Log in to Oracle Identity System Administrator.
- Open the Lookup.RoleAttrFormField.Map file and set the Code and Meaning field values, where:
  - Code – Refers to the OIM Role entity's attribute, that is, the UDF.
  - Meaning – Refers to the process form field name defined in Design Console.
Note:
- The Code and Meaning in Lookup.RoleAttrFormField.Map must be the same as those created in the form and the Role UDF.
- If the lookup file does not exist, create a new lookup file and then update the values. For more information on creating and updating the lookup, see Managing Lookups.
All the required mappings are now done to map the Role UDF to the target field.
Table 4-11 Reconciliation and Provisioning Mapping
LDAP Directory | Resource Object Name | UAD Table Name | Provisioning Lookup | Reconciliation Lookup | Adapter |
---|---|---|---|---|---|
AD | SSO Group | UD_SSOGRP | Lookup.SSO.GM.ProvAttrMap | Lookup.SSO.GM.ReconAttrMap | adpSSOADIDCUPDATEATTRIBUTEVALUE |
OUD | SSO Group | UD_SSO_GR | Lookup.SSO.Group.ProvAttrMap | Lookup.SSO.Group.ReconAttrMap | adpSSOLDAPUPDATE |
OID | SSO Group | UD_SSO_GR | Lookup.SSO.Group.ProvAttrMap | Lookup.SSO.Group.ReconAttrMap | adpSSOOIDUPDATE |
- If you are creating a role UDF mapping for a check box type UDF field and the mapped attribute on the target LDAP stores the values of a Boolean field as 'True' or 'False', add a recon transformation script that converts 'True' to '1' and 'False' to '0' for successful reconciliation. For more information on the steps to create a transformation script, see Transformation Script.
- To support a Date type Role UDF that is mapped to a Date type target field:
  - Add the field flag [DATE] to the Provisioning and Recon attribute maps. For example, Joining Date[DATE].
  - For OID/OUD integration, update the attributes dateFormat and dateTypeAttrNames in the lookup Lookup.SSO.Configuration.
  - For AD integration, update the attribute CustomDateAttributes in the lookup Lookup.Configuration.SSO.
4.7 Known Limitations and Workarounds in OIG-OAM Integration
For Oracle Identity Governance Integration Issues and Workarounds, see Integration Issues and Workarounds in Release Notes for Oracle Identity Management.