
An Oracle blog about Access Management

Recent Posts

Custom Attributes in Access Token

In the 12CPS3 OAM-OAuth Server, custom attributes can be defined either at the Resource Server or at the Client. At run time, these attributes are evaluated and populated into the access token. The attributes are defined as name-value pairs. They are evaluated only for the following flows: JWT Bearer Grant, Resource Owner Password Credential, AuthZ Code Flow and Implicit Grant Flow.

There are 2 types of attributes:

- Static: the value is fixed at the time of attribute definition.
- Dynamic: these values are similar to policy responses and use the $user and $session namespaces to define the attributes. They are evaluated for the user and populated into the token.

Ideally the attribute names should be unique. If an attribute has the same name at the client and at the resource server, the client takes precedence and the attribute defined at the client is populated into the token.

Configuring Custom Attributes under the Resource Server: The POSTMAN scripts shared earlier can be used to create a Resource Server. In this example, I've outlined a few examples of static and dynamic attributes. The dynamic attributes use the $user and $session namespaces. The $session related attributes give meaningful responses during the 3-legged (AuthZ Code and Implicit) flows. The $user namespace can be used to fetch user information such as specific attributes (description in this example) and group information.

Configuring Custom Attributes under the Client: In this example, I've outlined how the attribute "ResServerConstAttr" is defined at both levels. In this case, "ResServerConstAttr" is evaluated at the Client level and populated into the token.

Sample Access Token with evaluated attributes: The custom attributes are evaluated and added alongside the set of standard claims in the access token. In this particular example, the values are obtained from a 2-legged Resource Owner Password Grant flow, hence there are no values for the SessionCreation and SessionCount attributes.
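The evaluation rules above (static vs dynamic attributes, the $user/$session namespaces, client precedence, and the empty session values in a 2-legged flow) as a small simulation; this is an added example and not OAM's own code. The "$user.<attr>" / "$session.<attr>" syntax, the user and session field names and the flow names are assumptions made for the simulation.

```python
"""Model of how custom attributes end up in an OAM access token (added example)."""
from __future__ import annotations

# Flows for which OAM evaluates custom attributes (from the post).
ATTRIBUTE_FLOWS = {"jwt_bearer", "password", "authorization_code", "implicit"}
# Only the 3-legged flows have a browser session, so $session lookups are
# empty for the 2-legged ones (as in the post's password-grant token).
SESSION_FLOWS = {"authorization_code", "implicit"}


def resolve(value: str, user: dict, session: dict | None):
    """Resolve one attribute value: a static value passes through unchanged,
    "$user.x" reads the user record, "$session.x" reads the session (if any).
    The "$user." / "$session." prefixes are an assumed syntax."""
    if value.startswith("$user."):
        return user.get(value[len("$user."):])
    if value.startswith("$session."):
        return session.get(value[len("$session."):]) if session else None
    return value  # static attribute


def evaluate_custom_attributes(flow: str, resource_server_attrs: dict,
                               client_attrs: dict, user: dict,
                               session: dict | None) -> dict:
    """Return the custom claims that would be added to the access token."""
    if flow not in ATTRIBUTE_FLOWS:
        return {}
    if flow not in SESSION_FLOWS:
        session = None
    # Resource-server definitions first, then client definitions: a name that
    # is defined at both levels keeps the client's value (client precedence).
    merged = dict(resource_server_attrs)
    merged.update(client_attrs)
    return {name: resolve(value, user, session) for name, value in merged.items()}


def build_token_claims(flow, resource_server_attrs, client_attrs, user, session) -> dict:
    """Constructed standard claims plus the evaluated custom attributes."""
    claims = {"iss": "DemoDomain", "sub": user["uid"], "client": "DemoClientId"}
    claims.update(evaluate_custom_attributes(flow, resource_server_attrs,
                                             client_attrs, user, session))
    return claims


# Constructed sample definitions mirroring the post's examples.
RES_SERVER_ATTRS = {
    "ResServerConstAttr": "from-resource-server",  # static, also defined at the client
    "UserDescription": "$user.description",        # dynamic, $user namespace
    "UserGroups": "$user.groups",
    "SessionCreation": "$session.creation",        # dynamic, $session namespace
    "SessionCount": "$session.count",
}
CLIENT_ATTRS = {
    "ResServerConstAttr": "from-client",           # same name: the client wins
    "ClientConstAttr": "client-only",
}
USER = {"uid": "jdoe", "description": "Demo user", "groups": ["Admins", "Auditors"]}
SESSION = {"creation": "2017-09-01T10:00:00Z", "count": 1}

if __name__ == "__main__":
    for flow in ("password", "authorization_code", "client_credentials"):
        print(flow, build_token_claims(flow, RES_SERVER_ATTRS, CLIENT_ATTRS, USER, SESSION))
```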


Integration with Facebook via OpenIDConnect Plugin

Apart from being a full-fledged OAuth/OIDC server, OAM can also delegate authentication to other OpenID (social) identity providers such as Google, Facebook, IDCS or even another OAM, thus behaving like a Relying Party (Service Provider). From 12CPS3BP02 onwards OAM provides an out-of-the-box authentication plug-in, "OpenIDConnectPlugin", that can redirect to any third-party Identity Provider using the OIDC protocol. After authenticating the user, the IDP redirects back to OAM, where the user is asserted by OAM and an OAM session is created.

In this post, we will see how the OpenIDConnectPlugin can be used to integrate with Facebook. First we need to register a client in Facebook and provide those credentials to the plugin.

Client creation in Facebook

1. Go to "developers.facebook.com" as shown in the picture below and select "MyApps".
2. Create a new App ID by providing a display name and email.
3. This will create a client_id and secret which need to be provided to the OpenIDConnectPlugin.
4. We also need to provide the "redirect_uri" for the client created. This needs to be the endpoint on the OAM server where credentials are submitted, e.g. http(s)://OAM Host:port/oam/server/auth_cred_submit.

This takes care of the settings on the Facebook side. Now let's configure an authentication module to use the OpenIDConnectPlugin.

Authentication Module changes in OAM

1. Create a new authentication module consisting of 2 steps: OpenIDConnectPlugin and UserIdentificationPlugin.
2. OpenIDConnectPlugin changes: For Facebook, we need to explicitly provide the token, authz and userinfo endpoints. Note: the "scope" parameter can be overridden with a suitable value if required; in the case of Facebook this needs to be set to "email". The "username_attr" indicates to the plugin which attribute is to be read from the identity token to get information about the user.
3. UserIdentificationPlugin changes: The user authenticated by the IDP needs to be present in the Identity Store of OAM.
   Note: there is no account linking at this point, hence the user needs to be created in the IDStore in OAM. The "name" attribute in the Identity Token obtained from Facebook contains the "display name" of the user. We need to assert the user whose "display name" attribute matches this value. For this we need to add the KEY_LDAP_FILTER. A sample of this filter is: "&(objectclass=inetorgperson)(DISPLAYNAME={KEY_USERNAME})"
4. Authentication Scheme changes: Create a new Authentication Scheme which uses the module created above. Importantly, we need to set the challenge parameter "initial_command=NONE" for this scheme.
5. Application Domain Policy changes: Modify the authentication policy in the application domain of the protected resource to use the scheme created above.

With these changes, when we access a protected resource, control is given to this module and you will be redirected to the Facebook login page. After authenticating at Facebook, when control is submitted back to the server, the UserIdentification plug-in asserts the user and the session is created in OAM.
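How the two settings from steps 2 and 3 fit together, as an added example that is not the OAM plugin's code: the claim named by "username_attr" is read from the ID token and substituted for {KEY_USERNAME} in KEY_LDAP_FILTER. The ID token is a constructed, unsigned sample (signature, issuer, audience and expiry checks are assumed to have been done by the plugin before this step), the filter is written as a complete RFC 4515 filter with outer parentheses, and the RFC 4515 escaping of the substituted value is this example's addition.

```python
"""username_attr -> KEY_LDAP_FILTER resolution for the asserted user (added example)."""
import base64
import json

# Plugin settings as described in the post.
USERNAME_ATTR = "name"
KEY_LDAP_FILTER = "(&(objectclass=inetorgperson)(DISPLAYNAME={KEY_USERNAME}))"

# RFC 4515 escaping of assertion values: a display name that happens to contain
# filter metacharacters must not change the structure of the search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def make_unsigned_id_token(claims: dict) -> str:
    """Construct a sample compact JWT (header.payload.) for offline use only."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}."


def decode_id_token_claims(id_token: str) -> dict:
    """Return the payload of a compact-serialised JWT (no signature check here)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def build_user_filter(id_token: str, username_attr: str = USERNAME_ATTR,
                      template: str = KEY_LDAP_FILTER) -> str:
    """Substitute the claim named by username_attr for {KEY_USERNAME}."""
    claims = decode_id_token_claims(id_token)
    if username_attr not in claims:
        raise ValueError(f"ID token has no '{username_attr}' claim")
    return template.replace("{KEY_USERNAME}", escape_filter_value(claims[username_attr]))


# Constructed sample of the claims Facebook returns for the "email" scope.
SAMPLE_TOKEN = make_unsigned_id_token({
    "iss": "https://www.facebook.com", "sub": "1001",
    "name": "John Doe", "email": "john@example.com",
})

if __name__ == "__main__":
    print(build_user_filter(SAMPLE_TOKEN))
    # A display name with metacharacters is escaped rather than interpreted.
    print(build_user_filter(make_unsigned_id_token({"name": "Eve*)"})))
```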


Customize the OAuth consent page in OAM12CPS3

In a 3-legged flow, the consent page needs to be protected by WebGate, as discussed in the series 3-Legged OAuth with OAM in 12c PS3. Let us look at how we can use a custom consent page in our environment:

1. Develop the custom WAR with the consent page

Write a custom consent page JSP and bundle it as part of a WAR file. This file can contain the custom logic for displaying the scopes and requesting the user's consent. The parts of the code below are required to read the scopes, send back the "state" and submit the necessary data to the specific endpoints on the OAM server.

    <%@ page import="java.net.URLDecoder" %>
    <%
        /* Read the data sent from OAM */
        String formState = request.getParameter("state");
        String clientName = request.getParameter("client_id");
        String user = request.getHeader("OAM_REMOTE_USER");

        // Code to retrieve each of the requested scopes.
        // OAM sends them as one "scopes" parameter separated by "+".
        String scope = request.getParameter("scopes");
        // String scopes[] = scope.split(OAuthConstants.SCOPES_URL_SEPARATOR);
        // split() takes a regular expression, so the "+" separator must be escaped.
        String scopes[] = scope.split("\\+"); // Convert to an array of scopes
        for (int i = 0; i < scopes.length; i++) {
            String scopeRequested = URLDecoder.decode(scopes[i], "UTF-8");
            // display scopeRequested to the user here
        }
    %>

    <%-- FORM endpoint to submit to OAM --%>
    <form action="http(s)://OAM-LBR-Host:Port/oauth2/rest/approval" method="post" name="consentform" id="consentform">
    <%-- Data that needs to be sent back to the OAM server.
         OAM expects 2 values to be sent back: state and act.
         The "act" holds the value of consent or deny: 0 = Deny, 1 = Consent --%>
    <input type="hidden" name="state" id="state" value="<%=formState%>">
    <input type="hidden" name="act" id="act" value="">
    </form>

    <%-- Sample code to set the value of the Consent/Deny action --%>
    <script type="text/javascript">
    function deny() {
        var frm = document.getElementById('consentform');
        var act = document.getElementById('act');
        act.value = "0";
        frm.submit();
    }
    function allow() {
        var frm = document.getElementById('consentform');
        var act = document.getElementById('act');
        act.value = "1";
        frm.submit();
    }
    </script>

Let us consider in this case that we have a custom WAR ready with the context root "/CustomConsent" and the page "/pages/CustomConsent.jsp".

2. Deploy the custom WAR on any application server (it is assumed here that it is an external server).

3. Update the OAuth Identity Domain profile: Modify the OAuth domain to set the consent page to "/CustomConsent/pages/CustomConsent.jsp". This needs to be a relative URL.

4. Update the policy to add the custom page: The new custom page, "/CustomConsent/*" in this case, needs to be added under the WebGate that had earlier been registered in 3-Legged OAuth with OAM in 12c PS3.

5. Update the mod_wl_ohs.conf settings: Make the following mod_wl_ohs.conf changes in the OHS that is proxying to the OAM managed server.

    <Location /CustomConsent>
        SetHandler weblogic-handler
        WebLogicHost HostWhereCustomAppIsDeployed
        WebLogicPort Port
    </Location>

6. Test the 3-legged flows. Sample code flow request:

    http://ohs-lbr-host.example.com:port/oauth2/rest/authorize?response_type=code&domain=DemoDomain&client_id=DemoClientID&scope=DemoResServer.scope1&state=code1234&redirect_uri=http://localhost:8080/Sample.jsp

The user is redirected to the custom consent page.

Note: Is there a way to ByPassUserConsent? At this point, in 12CPS3 and higher versions, there is no way to bypass user consent at the server level. If this needs to be done, it can be handled as custom logic in the custom consent page: the consent state "allow" can be persisted somewhere (such as a cookie) by this page. When the client initiates a 3-legged flow, there are 2 cases:

1. OAM_ID is not present
   a. When the flow is initiated for the first time, the user is prompted to log in before being shown the consent page (which is a protected page).
   b. After login, the user gives consent on the page and this consent state can be persisted (as a cookie, perhaps).
   c. On submitting back to the server, the AuthZ code is generated.
2. OAM_ID is present
   a. When the flow is initiated, we are directly redirected to the consent page.
   b. The custom logic can retrieve the persisted consent state and submit back to the OAM server with the necessary data.
   c. The code is generated by the OAM server.
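The logic the custom page has to get right, as an added example in Python rather than the post's JSP: splitting the "+"-separated "scopes" parameter, posting exactly state and act (0 = deny, 1 = consent) to /oauth2/rest/approval, and, for the consent-bypass note above, remembering an earlier "allow" in a cookie in a way the browser cannot forge or reuse for another client or a wider scope set. The cookie name, its JSON layout and the HMAC key are assumptions of this example.

```python
"""Custom consent page helpers and a bound, HMAC-protected remembered consent (added example)."""
import hashlib
import hmac
import json
from urllib.parse import unquote

REMEMBER_COOKIE = "OAM_CONSENT_REMEMBERED"      # assumed cookie name
SECRET = b"replace-with-a-server-side-secret"   # assumed key; stays on the server


def parse_scopes(scopes_param: str) -> list:
    """OAM sends the requested scopes as one '+'-separated, URL-encoded value."""
    if not scopes_param:
        return []
    return [unquote(s) for s in scopes_param.split("+") if s]


def approval_form(state: str, act: int) -> dict:
    """Body to POST to /oauth2/rest/approval; OAM expects exactly state and act."""
    if act not in (0, 1):
        raise ValueError("act must be 0 (deny) or 1 (consent)")
    if not state:
        raise ValueError("state from the authorize request must be echoed back")
    return {"state": state, "act": str(act)}


def _consent_key(user: str, client_id: str, scopes: list) -> str:
    # Bind the decision to this user, this client and exactly these scopes, so a
    # remembered "allow" cannot be replayed for another client or a wider scope.
    return json.dumps({"u": user, "c": client_id, "s": sorted(scopes)}, sort_keys=True)


def remember_consent(user: str, client_id: str, scopes: list) -> str:
    """Cookie value: the bound decision plus an HMAC so the browser cannot forge it."""
    payload = _consent_key(user, client_id, scopes)
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"p": payload, "m": mac})


def consent_remembered(cookie_value: str, user: str, client_id: str, scopes: list) -> bool:
    """True only if an untampered cookie records 'allow' for this exact request."""
    try:
        data = json.loads(cookie_value)
        expected = hmac.new(SECRET, data["p"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, data["m"]):
            return False
    except (ValueError, KeyError, TypeError, AttributeError):
        return False
    return data["p"] == _consent_key(user, client_id, scopes)


def decide(state, act, user, client_id, scopes_param, cookie_value=None):
    """The page's flow: auto-submit consent if it was remembered for exactly this
    request, otherwise use the user's click. Returns (form_to_post, cookie_to_set)."""
    scopes = parse_scopes(scopes_param)
    if cookie_value and consent_remembered(cookie_value, user, client_id, scopes):
        return approval_form(state, 1), None
    form = approval_form(state, act)
    cookie = remember_consent(user, client_id, scopes) if act == 1 else None
    return form, cookie


if __name__ == "__main__":
    # Constructed request values (the user comes from the OAM_REMOTE_USER header).
    form, cookie = decide("code1234", 1, "jdoe", "DemoClientID", "DemoResServer.scope1")
    print(form, cookie)
    print(decide("code5678", 0, "jdoe", "DemoClientID", "DemoResServer.scope1", cookie))
```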


3-Legged OAuth with OAM in 12CPS3 Series - Part II

In the previous part (Part I), we looked at the necessary artifacts and how they are created. In this part, we will look at how a Client Application (DemoClientId, which we created previously) can initiate a browser-based 3-legged OAuth flow (AuthZ Code or Implicit) against the OAM/OAuth Server. Before we get into how to set up OAM for the 3-legged flow, let us look at how the 3-legged flow works. As we see in the picture, the "consent.jsp" page needs to be protected. Let us have a look at what configuration is required to do this.

A: Front-end the OAM Server with an OHS / Register a WebGate to protect the consent page

1. In 12CPS3 BP02, the following resources for 3-legged flows are available under IAMSuite out of the box. Figure A.1: OOTB Resources for OAuth flows
2. Register a WebGate with the preferred host "IAMSuiteAgent", so that it protects "consent.jsp".
3. Front-end the OAM server with this OHS.
4. mod_wl_ohs.conf changes: Make the following mod_wl_ohs.conf changes in the OHS to proxy to the OAM managed server.

    <IfModule weblogic_module>
        WebLogicHost OAM Server Host
        WebLogicPort OAM Server Managed Port
    </IfModule>
    <Location /oauth2>
        SetHandler weblogic-handler
    </Location>
    <Location /oam>
        SetHandler weblogic-handler
    </Location>
    ## Add the below 2 sections to access the Discovery URLs.
    ## The URL is: http://ohs-lbr-host.example.com:port/.well-known/openid-configuration
    <Location /.well-known/openid-configuration>
        SetHandler weblogic-handler
        PathTrim /.well-known
        PathPrepend /oauth2/rest
    </Location>
    <Location /.well-known/oidc-configuration>
        SetHandler weblogic-handler
        PathTrim /.well-known
        PathPrepend /oauth2/rest
    </Location>

With this configuration done, we have an OHS, let's call it ohs-lbr-host.example.com, front-ending the OAM server. All the AuthZ Code flow requests are made against this endpoint: http://ohs-lbr-host.example.com:port/oauth2/rest/authorize.

Note: The above configuration is described for 12CPS3 BP02. If you are using an older version (12CPS3 or 12CPS3BP01), a few manual steps are required, which are described at the end.

B: Sample AuthZ Code Flow Request

1. AuthZ Code flow request: The client initiates a 3-legged browser flow against the "authorize" endpoint on the server:

    http://ohs-lbr-host.example.com:port/oauth2/rest/authorize?response_type=code&domain=DemoDomain&client_id=DemoClientID&scope=DemoResServer.scope1&state=code1234&redirect_uri=http://localhost:8080/Sample.jsp

   Note: redirect_uri is the URL registered during client registration. This is the landing page to which we are redirected at the end of the 3-legged flow. The server validates the request and redirects the user to "consent.jsp". Since the WebGate that we registered above protects this page, the OAM server presents the login page.
2. OAM authenticates the user with the submitted credentials and redirects to the consent page.
3. On giving approval, the user is redirected, with the authorization code, to the landing page defined in the "redirect_uri" that was passed in the request.
4. This code is passed to the server's "Token" endpoint to get the Access Token. The POSTMAN REST commands uploaded earlier can be used to get the access token.

Thus we saw how an OAuth client can be registered against the OAM-OAuth server and initiate a 3-legged flow.

NOTE: In case you are using 12CPS3 or 12CPS3BP01, there are some manual changes, listed below, that are needed on the OAM side to protect the consent page.

1. The 3 resources /oauth2/rest/approval, /oam/pages/consent.jsp and /oauth2/rest/** need to be manually defined. These can be defined under the IAMSuite application domain with IAMSuiteAgent as the host identifier. The rest of the steps, 2 to 4 under Section A, can be used as is.
   a) Create /oauth2/rest/approval as a protected resource.
   b) Create /oam/pages/consent.jsp as a protected resource.
   c) Create /oauth2/rest/** as an excluded resource.

With these manually created under the IAMSuite application domain, we will have the necessary resources as shown in Figure A.1. The remaining steps can be replicated as is. Note that Discovery URLs are not supported in versions prior to 12CPS3BP02.

In our next part we will talk about how an application protected by WebGate, which used to communicate with the OAM server using the proprietary OAP protocol, can now communicate with the OAM server using the standards-based OpenID Connect protocol.
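The client side of the AuthZ Code flow in Section B, as an added example that is not from the post or its POSTMAN collection: it builds the authorize request shown above, validates the redirect that comes back to redirect_uri (the state must be the one this client sent, and an OAuth error response is surfaced rather than ignored), and prepares the token-endpoint request for the returned code. The token endpoint path /oauth2/rest/token, HTTP Basic client authentication and the X-OAUTH-IDENTITY-DOMAIN-NAME header are assumptions; check them against the POSTMAN scripts for your OAM version.

```python
"""AuthZ Code flow client against the OHS-fronted OAM server (added example)."""
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

OHS_BASE = "http://ohs-lbr-host.example.com:port"
AUTHORIZE_ENDPOINT = OHS_BASE + "/oauth2/rest/authorize"
TOKEN_ENDPOINT = OHS_BASE + "/oauth2/rest/token"   # assumed path
REDIRECT_URI = "http://localhost:8080/Sample.jsp"  # as registered for the client


def new_state() -> str:
    """Unguessable per-request state; the post's fixed 'code1234' is illustrative only."""
    return secrets.token_urlsafe(16)


def build_authorize_url(client_id: str, domain: str, scope: str, state: str,
                        redirect_uri: str = REDIRECT_URI) -> str:
    params = {
        "response_type": "code",
        "domain": domain,           # OAM identity domain (tenant) of the client
        "client_id": client_id,
        "scope": scope,             # <ResServerName>.<scopeName>
        "state": state,
        "redirect_uri": redirect_uri,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code from the redirect to redirect_uri.

    Rejects a redirect whose state is missing or differs from the one this
    client generated, and raises on an OAuth error response instead of
    silently continuing without a code."""
    query = parse_qs(urlsplit(callback_url).query)
    state = query.get("state", [None])[0]
    if state is None or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: redirect was not initiated by this client")
    if "error" in query:
        raise RuntimeError(f"authorization failed: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("redirect carries neither code nor error")
    return code


def build_token_request(code: str, client_id: str, client_secret: str, domain: str) -> dict:
    """URL, headers and form body for exchanging the code for an access token."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "url": TOKEN_ENDPOINT,
        "headers": {
            "Authorization": f"Basic {creds}",              # confidential client
            "X-OAUTH-IDENTITY-DOMAIN-NAME": domain,         # assumed OAM header
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": REDIRECT_URI,   # must equal the one sent to /authorize
        },
    }


if __name__ == "__main__":
    st = new_state()
    print(build_authorize_url("DemoClientID", "DemoDomain", "DemoResServer.scope1", st))
    # Constructed sample of the redirect OAM sends the browser to after consent.
    callback = f"{REDIRECT_URI}?code=SAMPLE_CODE&state={st}"
    code = parse_callback(callback, st)
    print(build_token_request(code, "DemoClientID", "client-secret", "DemoDomain"))
```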


3-Legged OAuth with OAM in 12CPS3 Series - Part I

From 12CPS3 onward, OAM is a full-fledged OAuth server supporting 2-legged and 3-legged flows across Multi Data Centers (MDC). This 3-part series covers the following:

- What are the artifacts in OAM for OAuth/OIDC, and how do we create them?
- How do we set up the OAM/OAuth Server to support the 3-legged flows?
- How can we protect an on-premise application with WebGate against the OAM/OAuth server using the OIDC protocol?

In this article, I will talk about what artifacts need to be created and how we can do so. In 12CPS3, all the artifacts for OAuth flows have to be created via the newly exposed REST commands. There is no UI support for the creation of these artifacts. The important artifacts to get started are Identity Domain, Resource Server and Client. A sample set of REST commands to create/read/update or delete any of these artifacts is available via the POSTMAN script here. These can be executed via a REST client such as POSTMAN or via curl commands.

Set up your scripts first

1. Download the script and import it into the POSTMAN client. Once imported, you should see the list of REST commands under the collection called "Final OAuth Admin API".
2. Set up the following environment variables before executing any of the REST commands. The host name of the server, the passwords for the users and the client secret have been hidden for security.

Now the scripts can be executed to create the artifacts.

1. Create an Identity Domain: An identity domain corresponds to the notion of a tenant. All artifacts such as resource servers and clients need to be created under an identity domain. We have set a "domainname" variable to the value "DemoDomain". The script, when executed, will thus create an Identity Domain with this name. The same command executed via curl looks like this: We can retrieve the details of the created domain by executing the "GET" command on the domain.

2. Create a Resource Server: A resource server is the server hosting the protected resources. It must be capable of accepting and responding to resource requests using access tokens. We have set a "resservername" environment variable to the value "DemoResServer". The script, when executed, will create a Resource Server with this name. A set of "scopes" needs to be defined for the resource server. In this script we have seeded 3 scopes: scope1, scope2 and scope3. A set of static and dynamic custom attributes can also be defined by a resource server. NOTE: Notice that the resource server "DemoResServer" is created under the domain "DemoDomain". Once the scopes are defined under a resource server, they can be referred to as <ResServerName>.<scopeName>.

3. Create a Client: A client is an application making resource requests on behalf of the resource owner with the resource owner's authorization. We have set a "clientname" environment variable to the value "DemoClient". The script, when executed, will create a Client with this name. The client is also given a "clientid", "DemoClientId". This is the unique identifier for the client during all run-time requests. In this script, we have created a confidential client; hence it needs to be created with a "clientsecret". A set of "scopes", as well as a defaultScope, needs to be associated with the client. In this script we have associated the earlier created scope DemoResServer.scope1 with the client. A set of static and dynamic custom attributes can also be defined by a client. These will then be added as custom attributes to the access token generated for this client.

Once these artifacts are created, the OAuth flows can be executed. A sample set of run-time POSTMAN REST commands is available for the 2-legged flows. In the next part, we will talk about how the "DemoClient" that we created can initiate a 3-legged flow against the OAM/OAuth Server.


OIM11gR2PS3: Whats new?

OIM R2PS3 comes with a considerable number of improvements compared to its predecessor PS2. In this article let's review a few key features of OIM PS3:

1. Improved Self-service UI: OIM PS3 uses the new ADF Alta UI, which makes the UI rich. Be it the tiled icons on the landing page, guided catalog navigation or tabbed browsing, all these together make for a great user experience.

2. Access Catalog with Guided Navigation: Though one can notice some change in the look and feel of the access catalog and the request submission process, all of it boils down to improving usability.

3. Temporal Grants for New and Existing Access: For new requests, and for existing grants as well, start and end dates can be assigned. This way the user gets access at the right time and the access is revoked at the right time. Only empowered users can extend the access.

4. Self Capabilities: The 'Self Capabilities' feature gives the administrator control over which self-service capabilities are allowed. The admin no longer needs to deal with admin roles to control end users' self-service capabilities; it is now a set of simple rules declared using the admin UI.

5. Simplified Admin Roles: In this release OIM deprecates Authorization Policy Manager (APM) and Oracle Entitlement Server (OES). This means the existing admin roles from PS2 are also deprecated. OIM allows you to create new admin roles for granting various functional capabilities to users over organizations. Note: To make use of the new admin role functionality, the workflow policies feature must be enabled.

6. Role Lifecycle Management: Oracle Identity Manager allows empowered users to create, modify, approve, and certify business roles. Users composing new business roles or modifying existing roles can define business-friendly metadata, control membership, and specify which organizations have access to the role. They can also associate one or more access policies, which are collections of application entitlements, with the role. Access policies abstract the complexities associated with application entitlements away from business users, simplifying the role modeling and composition process. The application-specific access policy model also encourages reuse across roles, simplifying the overall process. As part of role composition or approval, users can see the impact of their actions, including potential compliance violations, in a simple graphical manner. They can see which users will be impacted, whether there are other roles similar to the one being worked on, and whether any compliance policies are violated. The use of this feature requires you to be licensed for it.

7. Identity Audit Policy Management: Ensuring compliance with security controls across applications, and enforcement of these controls, is a key part of regulatory compliance. This requires you to define access controls that span applications, and the ability to enforce them in real time when access is being granted or modified, but also in a detective manner for access that has already been granted. Oracle Identity Manager makes it possible for organizations to meet their compliance objectives by allowing business users to define audit policies. Audit policies specify what type of access a user may or may not have. For example, a user who has access to both Accounts Payable and Accounts Receivable is violating Sarbanes-Oxley guidelines. This is known as a Segregation of Duties (SoD) violation. Oracle Identity Manager allows organizations to define SoD policies that can be enforced during access requests and can also be used to scan existing access to identify toxic combinations of access privileges, known as policy violations. Oracle Identity Manager identifies the violations and initiates a workflow allowing remediators, who could be business managers or administrators, to fix these violations. This process is known as remediation. All actions taken by remediators are recorded and a comprehensive audit trail is maintained. The use of this feature requires you to be licensed for it.

8. Enhanced Auditing: This release of Oracle Identity Manager introduces a lightweight auditing engine which is used by user, role, and organization management, and other components excluding provisioning. Unlike the existing audit engine, it does not depend on audit snapshots and JMS, and is synchronous in operation. This audit engine is the strategic choice, and the current audit engine will be deprecated in the next release of the product.

9. Enhanced Password Policy Management: This release of Oracle Identity Manager provides a common password policy management framework between Oracle Identity Manager and Oracle Access Manager (OAM). It also introduces the concept of a challenge policy, which allows you to specify whether challenge questions are system-defined or end-user defined (or a combination of both). You can specify different password policies for different organizations, allowing granular control of passwords and challenge questions.

10. SCIM-Based REST Services: Representational State Transfer (REST) services are the standard approach for creating scalable web services over HTTP. System for Cross-Domain Identity Management (SCIM) is the standard used to represent users and groups, and provides a REST API for all necessary CRUD operations. This release of Oracle Identity Manager exposes several services as SCIM-based REST services. The SPML XSD-based SOAP web service is deprecated in favor of the SCIM-based REST services. It is recommended to move to the new REST services as soon as possible.

11. Simplified Workflow Policies: Approval policies are used in Oracle Identity Manager to determine the approval workflow to be launched for a particular action. This feature has been deprecated in favor of workflow policies. Functionally, workflow policies are equivalent to approval policies but perform better, expose additional configuration options, and conform to the UI of this release. You can continue using approval policies if you are upgrading to this release of Oracle Identity Manager; however, you cannot then leverage the simplified admin roles capabilities. You must work with workflow policies only for a fresh deployment of Oracle Identity Manager. If you are upgrading to Oracle Identity Manager 11g Release 2 (11.1.2.3), then it is recommended that you convert the approval policies to workflow policies as soon as possible.

12. Simplified SSO Integration: The recommended approach for Oracle Identity Manager Single Sign-On (SSO) is to use WebLogic plug-ins (Identity Asserters or Authenticators). These plug-ins are provided by Web Access Management solutions such as OAM or SiteMinder. This release of Oracle Identity Manager supports a simplified single sign-on integration using HTTP header variables. This approach requires you to configure an HTTP server such as Oracle HTTP Server or Apache HTTP Server as a reverse proxy for Oracle Identity Manager, and to install and configure the vendor-provided web server plug-in.

References: OTN Documentation


Event Handlers upon Resource Provisioning Activities

After the deprecation of entity adapters, everyone knows that Oracle has introduced event handlers to perform operations pre and post insert, update and delete activities. By now, almost all OIM developers will have written event handlers for the pre and post stages of creating and updating a user/identity profile; this is a very frequent requirement. One might also want to write an event handler that triggers on account provisioning activities. This blog post is intended to provide an example of how to trigger an event handler on successful provisioning of a resource.

Before getting to the details, one must understand that there are various operations supported by OIM, such as Create User, Update User, Provision Account, Disable Account, Create Role, Delete Role, Update Role, Provision Account by Access Policy, Revoke Account etc., and each operation is considered a different orchestration.

1. Entry in the EventHandlers XML file for access-policy-based provisioning:

    <action-handler
        class="com.xyz.oim.account.usermgmt.impl.handlers.OIMProvisionAccountPostProcessEmailHandler"
        entity-type="Resource"
        operation="ACCESS_POLICY_BASED_PROVISION"
        name="OIMProvisionAccountPostProcessEmailHandler"
        stage="postprocess"
        order="10000"
        sync="TRUE"/>

Notice the values for entity-type and operation. The values indicate that the event handler should trigger upon provisioning a resource. The operation value in particular indicates that the event handler should trigger only if a resource is provisioned using an Access Policy.

2. Entry in the EventHandlers XML file for direct provisioning:

    <action-handler
        class="com.xyz.oim.account.usermgmt.impl.handlers.OIMProvisionAccountPostProcessEmailHandler"
        entity-type="Resource"
        operation="PROVISION"
        name="OIMProvisionAccountPostProcessEmailHandler"
        stage="postprocess"
        order="10000"
        sync="TRUE"/>

In this case the value of operation is 'PROVISION'. One can similarly use REVOKE to trigger the event handler upon revoking an account. The OTN documentation provides the right values for 'operation' and 'entity-type' for certain frequently used operations. In order to find all possible values, register the following handler and perform the operation:

    <action-handler
        class="com.xyz.oim.account.usermgmt.impl.handlers.OIMHandler"
        entity-type="Any"
        operation="Any"
        name="OIMHandler"
        stage="postprocess"
        order="10000"
        sync="TRUE"/>

The handler code can print the values for operation and entity-type:

1. abstractGenericOrchestration.getOperation()
2. abstractGenericOrchestration.getTarget().getType()

The input parameters to the execute method of the event handler differ based on the operation. In the case of the 'Resource' type, use a conditional event handler and identify the resource being provisioned from the context. Based on the resource, decide whether the actual handler logic is required or not.

Important Note: Using Any/Any for these properties is not supported. It is for internal purposes only, and using it may have a high impact on product performance.


OIM11gR2: Side-effects of using EntityManager API on update Event Handlers

The main reason for using the EntityManager API to update a user profile in a post-update event handler is that the event handler shouldn't get into an infinite loop. This is very clear. Consider a scenario where there is a UDF 'Company Name' which is populated based on the user's Organization. Assume it is just a simple 1-1 mapping between the user's Company Name and Organization. The 'Company Name' attribute is read-only on the user profile and its value needs to be propagated to downstream applications and LDAP Sync. The 'Company Name' attribute is populated using a user post-update event handler. When the user's Organization changes, the event handler is responsible for updating the 'Company Name' value, and it works great.

Sample code in the event handler at this point:

    import java.util.HashMap;
    import oracle.iam.platform.Platform;
    import oracle.iam.platform.entitymgr.EntityManager;

    HashMap<String, Object> mapAttrs = new HashMap<String, Object>();
    mapAttrs.put(COMPANY_ATTR_NAME, companyCode);
    // User profile is updated here with a non-null company code.
    EntityManager entMgr = Platform.getService(EntityManager.class);
    entMgr.modifyEntity(targetType, usrKey, mapAttrs);

After changing the user's organization from the UI, the user profile is updated with the new Company Name value; however, neither the downstream applications nor the LDAP Sync directory is updated with the new value. This is because the EntityManager API does not initiate a new orchestration when an update happens. It is as good as a database insert/update. It is now clear that the EntityManager API is not suitable in the above scenario. Wondering which API to use? The obvious answer is the UserManager API. Yes, use the UserManager API. Instantiate and use this API as shown:

    import java.util.HashMap;
    import oracle.iam.platform.Platform;
    import oracle.iam.identity.usermgmt.api.UserManager;
    import oracle.iam.identity.usermgmt.vo.User;

    HashMap<String, Object> mapAttrs = new HashMap<String, Object>();
    mapAttrs.put(COMPANY_ATTR_NAME, companyCode);
    // Obtain the API the way event handlers are meant to, so the modify runs as a new orchestration.
    UserManager usrManagerAPI = Platform.getServiceForEventHandlers(UserManager.class, null, null, null, null);
    User userToModify = new User(usrKey, mapAttrs);
    usrManagerAPI.modify(userToModify);

This way a new orchestration is started and the rest of the operations, like LDAP Sync, user process triggers etc., take place accordingly.


OIM11gR2PS2: Disconnected System Resource status based on manual fulfillment outcome

When an OIM disconnected system application is provisioned to a user, a manual fulfillment activity is generated and can be viewed in the inbox. This task indicates the person has to complete the provisioning activity manually on the target system and mark the status in OIM. The task to outcomes possible: Complete Reject   When the activity is in pending for completion, the resource/account status is 'Provisioning'. Depending on the outcome from SOA, OIM account status is set. If the fulfillment person has completed the task and clicked 'Complete' in OIM, the resource status changes to 'Provisioned' from 'Provisioning'.  If the fulfillment person decides to reject and clicked 'Reject' in OIM, the resource status remains in 'Provisioning' status. This status at this point is not apt. A meaningful status at this point could be 'Cancelled' , 'Rejected' or 'Revoked'. [Note:For a full view, open the image in a new tab] While OIM supports custom object status, it is a bit tricky to induce the new status into the object life cycle. Hence, it is simpler to set the object status as 'Revoked' than any other. In the following section lets understand what has to be done to achieve this. Notice that OIM Provisioning process definition of a disconnected system is auto generated and has the following tasks(Has many other tasks, but list shows what we are interested in):  ManualProvisioningStart ManualProvisiongEnd  The ManualProvisioningStart process task is invoked when the resource is provisioned to the user as this is the process task marked as 'Required For Completion'. This will invoke a SOA composite 'DisconnectedProvisioning' and create a human task. The process task is completed successfully and a manual task is pending for approval. This doesn't have any impact on the resource/account status  When an action is taken on the pending human task, the process task ManualProvisiongEnd is triggered. This task is responsible for setting the object status. 
The OOB setting in the Responses of this process task is shown in the screenshot: on the 'Task to Object Status Mapping', the status 'X' is mapped to 'None' OOB. This has to be mapped to 'Revoked' for the object status to be set to 'Revoked' when the fulfillment person rejects the task. This is a very simple change and requires no downtime. Even if the manual fulfillment human task has an expiry setting, this approach works!


OIM11gR2: SOA composite for Request Approval Process

This thread discusses the detailed steps for creating SOA composites for the Application & Entitlement (in this case SAP Role) request approval process explained below.

Requirement: The Identity Management (OIM 11gR2) system is installed and configured with the SAP connector. SAP roles are reconciled into OIM using the lookup reconciliation scheduled task. For each SAP role reconciled, an equivalent OIM role with the suffix "_Approver" is created, and the users who need to approve access to that SAP role are added as its members. The following approval rules need to be considered while developing the SOA composites:

1) An SAP account or entitlement (role) request needs to be approved by the user's manager at the first level.
2) If the request contains SAP role access, it needs to be approved by the role approver at the second level; otherwise it is auto-approved.

At a high level this thread covers the following tasks for implementing the above requirement:

1) Designing SOA Composites
2) Deploying SOA Composites
3) Configuring Email Notification
4) Configuring OIM Approval Policy

1 Workflow Design

To accommodate the requirements described above, the following two SOA workflow composites will be developed, customized and deployed.

1) Beneficiary Manager Approval
- This is an OOB workflow composite available with the OIM 11g R2 installation, customized here to include a few additional requirement changes.
- This composite will be used for user manager approval.
- This composite will be used for both request types, i.e., requesting an account and requesting role access.

2) SAP Role Approval
- This is a custom-built workflow composite.
- This composite will be used for initiating the approval task for SAP role approvers.
- This composite will be configured to be used with SAP role access requests only.

The following matrix details the use and scope of the approval composites.
| Workflow Name | Request Type | Process Level | Scope |
|---|---|---|---|
| Beneficiary Manager Approval | Requesting Account (or Requesting an application instance) | Request Level | For any account creation request in OIM |
| SAP Role Approval | Requesting Role Access (or Requesting an Entitlement) | Operation Level | For SAP role/entitlement requests only |

1.1 Developing Beneficiary Manager Approval

This section details the steps to customize the OOB Beneficiary Manager Approval SOA composite to include the following additional functionality:

a) Renaming the approval task
b) Renaming the approval task stage name
c) Adding an approval notification on approval completion

1) Log in to the server where Oracle Identity Manager 11g R2 is installed.
2) Navigate to the following directory:
   cd ${ORACLE_Middleware_HOME}/Oracle_IDM1/server/workflows/composites
3) Copy the BeneficiaryManagerApproval.zip file to the server where the JDeveloper Studio 11g environment is set up and extract its content to the JDeveloper workspace.
4) Open the BeneficiaryManagerApproval application from JDeveloper Studio.
5) Expand the content of the BeneficiaryManagerApproval project.
6) Open the "ApprovalTask.task" file for editing.
7) On the "General" section of the approval task configuration, change the Task Title as follows:
   Task Title: Manager approval for Request ID <%/task:task/task:payload/task:RequestID%>
8) Navigate to the "Assignment" tab and switch to source view.
9) In the source view for the Approval Task, change the participant name value as highlighted below:

   <participants isAdhocRoutingSupported="false">
     <stage name="Stage1">
       <participant name="Manager Approval">
         <list>
           <resourceList>
             <ruleset>
               <name>BeneficiaryManagerRuleset</name>
             </ruleset>
           </resourceList>
         </list>
       </participant>
     </stage>
   </participants>

10) Switch back to the "Designer" view, navigate to the "Notification" tab and press the add button to create a new notification event.
11) Set the new notification event parameters as follows:
   Task Status: Complete
   Recipient: Initiator
   Notification Header: press the edit button and set the following value for the notification message.

   Email Template
   The <%/task:task/task:payload/task:RequestModel%> request has been <%translate(/task:task/task:systemAttributes/task:outcome, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')%>d by the approver.
   <BR><BR>
   Request ID: <%/task:task/task:payload/task:RequestID%>
   <BR>
   Request type: <%/task:task/task:payload/task:RequestModel%>
   <BR> <BR>
   Check your request in the <A style="text-decoration: none;" href=<%substring-before(/task:task/task:payload/task:url, "/workflowservice/CallbackService")%>/identity/faces/request?key<%/task:task/task:payload/task:RequestID%> > Identity Self Service </A>

12) Save the changes.
13) Create the deployment artifact for the BeneficiaryManagerApproval composite by following the steps below:
   a. Right-click on the project name, select the Deploy option and select "BeneficiaryManagerApproval".
   b. On the "Deployment Action" window, select "Deploy to SAR" and press "Next".
   c. Click the "Next" button on the "Deployment Configuration" screen.
   d. Press the "Finish" button on the "Summary" screen to generate the new SOA composite JAR deployment file.

1.2 Developing SAP Application Instance Approval

This section details the steps for developing the custom approval workflow for SAP Application Instance Approval.
1.2.1 Create New Composite

1) Log in to the server where Oracle Identity Manager 11g R2 is installed.
2) Navigate to the directory ${ORACLE_Middleware_HOME}/Oracle_IDM1/server/workflows/new-workflow:
   cd ${ORACLE_Middleware_HOME}/Oracle_IDM1/server/workflows/new-workflow
3) Run the following ANT script to generate the default workflow template, and provide the inputs as given below:
   ant -f new_project.xml
   Please enter application name: SAPAppInstanceApproval
   Please enter project name: SAPAppInstanceApproval
   Please enter the service name of the composite: SAPAppInstanceApproval
4) Navigate to the following directory:
   cd ${ORACLE_Middleware_HOME}/Oracle_IDM1/server/workflows/new-workflow/process-template
5) Compress the newly created SOA composite directory "SAPAppInstanceApproval" using a zip utility:
   zip -r SAPAppInstanceApproval SAPAppInstanceApproval
6) Move the "SAPAppInstanceApproval.zip" file to the server where the JDeveloper Studio 11g environment is set up and extract the content of the zip to the JDeveloper workspace.
7) Follow the steps below to copy the schema definition files (xsd) and the WSDL file for the Request Web Service to the SAPAppInstanceApproval project.

1.2.2 Copy WSDL and Schema Files

1) Copy the request web service EAR, reqsvc.ear, from <OIM_HOME>/webapp/optional/ to the location where you copied the SOA composite.
2) Rename the reqsvc.war file to reqsvc.zip and extract it.
3) In the extracted reqsvc.war, navigate to /reqsvc/reqsvc/WEB-INF/wsdl/.
4) Copy all the files under the "xsd" directory to the project directory "SAPAppInstanceApproval/SAPAppInstanceApproval/xsd".
5) Copy "requestdataservice.wsdl" to the project directory "SAPAppInstanceApproval/SAPAppInstanceApproval".

1.2.3 Configure Request Web Service Partner Links

1) Open the SAPAppInstanceApproval application from JDeveloper Studio.
2) Expand the content of the SAPAppInstanceApproval project.
3) Open the "ApprovalProcess.bpel" file for editing.
4) Right-click on the "Partner Links" section and choose the "Create Partner Link..." option from the pop-up menu.
5) In the Create Partner Link dialog box, enter RequestWSPartnerLink as the name.
6) To specify the WSDL URL, click the SOA Resource Browser icon.
7) Enter the following values to create the partner link, and then click Apply and OK.
   WSDL URL: requestdataservice.wsdl
   Partner Role: RequestDataServiceProvider
8) Switch to the Composite view by opening the "composite.xml" file. Right-click the newly created partner link and select Configure WS Policies. The Configure SOA WS Policies dialog box is displayed.
9) In the Security section, click the Add icon. The Select Client Security Policies dialog box is displayed.
10) Select oracle/wss_username_token_client_policy, and click OK.
11) Select the policy that you added to the Security section.
12) Click the Edit icon. The Configure Override Properties dialog box is displayed.
13) Select the CSF Key parameter, enter "RequestWSKey" as the value, and then click OK.

1.2.4 Configure Sequence for Getting Request Details from OIM

1) Add an assign activity next to the "receiveInput" activity and name it AssignRequestWSURL.
2) Select the activity and open the BPEL process in the Source view.
3) Replace the line <assign name="AssignRequestWSURL"/> with the following:

   <assign name="AssignRequestWSURL">
     <copy>
       <from>
         <EndpointReference xmlns="http://www.w3.org/2005/08/addressing"><Address/></EndpointReference>
       </from>
       <to variable="partnerLink"/>
     </copy>
     <copy>
       <from expression="concat(substring-before(bpws:getVariableData('inputVariable','payload','/ns3:process/ns4:url'),'workflowservice'),'reqsvc/reqsvc')"/>
       <to variable="partnerLink" query="/ns14:EndpointReference/ns14:Address"/>
     </copy>
     <copy>
       <from variable="partnerLink"/>
       <to partnerLink="RequestWSPartnerLink"/>
     </copy>
   </assign>

4) Switch back to the Design view.
5) Drag the Invoke activity from the Component Palette and drop it below the AssignRequestWSURL activity. Rename it to InvokeRequestDetailsOperation.
6) Right-click InvokeRequestDetailsOperation and select Edit.
7) Select the partner link RequestWSPartnerLink from the Partner Link Chooser, and the operation getRequestDetails.
8) Under the Variables section, click the plus (+) icon for the Input and Output fields to create the input and output variables. Name them requestDetails_InputVariable and requestDetails_OutputVariable respectively. Then click Apply and OK.
9) Drag and drop an assign activity, rename it to AssignRequestInput, and place it above the InvokeRequestDetailsOperation invoke activity.
10) Right-click AssignRequestInput to map the input of InvokeRequestDetailsOperation, as shown below:
   inputVariables/payload//ns3:process/ns4:RequestID -> requestDetails_InputVariable/RequestId//ns16:RequestId

1.2.5 Configure Workflow Selection

1) Add a switch activity next to "InvokeRequestDetailsOperation".
2) Select the first condition under the switch activity and enter the following details:
   Label: Has Child Data
   Condition: bpws:getVariableData('requestDetails_OutputVariable','RequestData','/ns16:RequestData/ns16:BeneficiaryData/ns16:Beneficiary/ns16:Entity/ns16:DataAttribute[@Name="UD_APPROLES"]')
3) Add an assign activity under the otherwise section of the newly created switch activity and name it "AutoApproval".
4) Select the "AutoApproval" activity and switch to the "Source" view.
5) Replace <assign name="AutoApproval"/> with the following block:

   <assign name="AutoApproval">
     <copy>
       <from expression="string('approved')"/>
       <to variable="outputVariable" part="payload" query="/ns3:processResponse/ns3:result"/>
     </copy>
     <copy>
       <from expression="ora:getConversationId()"/>
       <to variable="Invoke_1_callback_InputVariable_1" part="parameters" query="/ns1:callback/arg0"/>
     </copy>
     <copy>
       <from expression="string('approved')"/>
       <to variable="Invoke_1_callback_InputVariable_1" part="parameters" query="/ns1:callback/arg1"/>
     </copy>
   </assign>

6) Switch to the Design view.
7) Drag "ApprovalTask_1" and the switch activity below it into the "Has Child Data" switch case.

1.2.6 Configure Approval Task

1) Open the "ApprovalTask.task" file for editing.
2) On the "General" section of the "ApprovalTask" edit page, enter the following details:
   Task Title: SAP Role Approval for Request ID <%/task:task/task:payload/task:RequestID%>
   Description: Approval Task for SAP Role Request
3) On the "Data" section, add a new string parameter named "ApproverRole".
4) Now open "ApprovalProcess.bpel", right-click and edit the "ApprovalTask_1" activity, and map the "ApproverRole" parameter as follows:
   ApproverRole -> /ns16:RequestData/ns16:BeneficiaryData/ns16:Beneficiary/ns16:Entity/ns16:DataAttribute/ns16:ChildRow/ns16:ChildDataAttribute/@Value
5) Re-open the ApprovalTask.task file and, on the "Assignment" section, select the stage "Stage1.Participant1" and press the Edit button.
6) On the "Edit Participant Type" dialog enter the following details:
   Label: SAP Role Approvers
   Specify attributes using: select the "Rule-based" radio option
   List Ruleset: SAPRoleApproverRule
7) Save the participant type by pressing the "Ok" button, and wait for the Oracle Business Rule component to be rendered.
8) On the "ApprovalTaskRules.rules" page, press the "Create Rule" button.
9) On the Rule configuration section, set the details as follows:
   a. Select "Rule1" and name it "SAPApproverRule".
   b. Select "Description" and enter the value "Rule to get approver from OIM SAP Approval Role".
   c. Expand the "SAPApproverRule" Advanced setting and select the "Advanced Mode" option.
10) On the rule builder section, enter the variables and operands as follows for the "IF THEN ELSE" block:
   a. Select "Variable" on the IF section and enter the value "Task".
   b. Select "fact type" on the IF section and select "Task" from the drop-down.
   c. Select "<insert pattern>" on the IF section of the rule builder to add another condition.
   d. Set the new condition's variable and fact type as follows:
      Variable: Lists
      Fact Type: Lists
   e. Select the "<insert action>" button on the "THEN" section of the IF block and select the "call" action.
   f. Select the "<target>" placeholder on the call action and select the "CallResourceList" action from the drop-down.
   g. Set the "CreateResourceList" function parameters as follows:
      Users: null
      Groups: set the following value using the expression builder.
         If the role name is a String (without IT Resource Key prefix):
            Task.payload.approverRole + "_Approver"
         If the role name is a DN:
            RL.string.substring before(RL.string.substring after(Task.payload.approverRole, "cn="), ",ou=") + "_Approver"
         NOTE: The current assumption is that the naming convention used to create OIM approver roles for the equivalent SAP role/entitlement is <COMMONNAME_OF_SAP_ROLE>_Approver. E.g. if the SAP role is "cn=TestRole,ou=Role,dc=mydomain,dc=com" then the OIM approver role is "TestRole_Approver". If the naming convention used for OIM approver roles changes, the same change needs to be reflected in the value of the "Groups" parameter.
      Approles: null
      ResponseType: ResponseType.REQUIRED
      RuleName: enter the following text within the expression box and press enter: "SAPRoleApproverRule"
      Lists: Lists
11) Save the changes.
12) Review the updated "SAPRoleApproverRule".
13) Click the "Validate" button to check for errors.
14) Close the "ApprovalTaskRules.rules" window.
15) Open the "ApprovalTask.task" file for editing.
16) Navigate to the "Notification" tab.
17) Select the notification configured for the "Assign" task status and click the "Edit" button.
18) Copy and paste the content below into the "Edit Notification Message" text box.

   Email Template
   A <%/task:task/task:payload/task:RequestModel%> request has been assigned to you for approval.
   <BR><BR>
   Request ID: <%/task:task/task:payload/task:RequestID%>
   <BR>
   Request type: <%/task:task/task:payload/task:RequestModel%>
   <BR> <BR>
   Access this task in the <A style="text-decoration: none;" href=<%substring-before(/task:task/task:payload/task:url, "/workflowservice/CallbackService")%>/identity/faces/home?tf=approval_details > Identity Self Service </A> application or take direct action using the links below. Approvers are required to provide a justification when rejecting the request.

19) Click Ok and save the changes.
20) Select and edit the notification for the "Complete" task status, and set the following notification message.

   Email Template
   The <%/task:task/task:payload/task:RequestModel%> request has been <%translate(/task:task/task:systemAttributes/task:outcome, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')%>d by the approver.
   <BR><BR>
   Request ID: <%/task:task/task:payload/task:RequestID%>
   <BR>
   Request type: <%/task:task/task:payload/task:RequestModel%>
   <BR> <BR>
   Check your request in the <A style="text-decoration: none;" href=<%substring-before(/task:task/task:payload/task:url, "/workflowservice/CallbackService")%>/identity/faces/request?key<%/task:task/task:payload/task:RequestID%> > Identity Self Service </A>

21) Click Ok and save the changes.
22) Navigate to the "Advanced" tab of the Notification configuration and select the following option:
   - Make notification actionable

1.2.7 Make SOA Composite

1) Create the deployment artifact for the SAPAppInstanceApproval composite by following the steps below:
   a. Right-click on the project name, select the Deploy option and select "SAPAppInstanceApproval".
   b. On the "Deployment Action" window, select "Deploy to SAR" and press "Next".
   c. Click the "Next" button on the "Deployment Configuration" screen.
   d. Press the "Finish" button on the "Summary" screen to generate the new SOA composite JAR deployment file.

1.3 Developing SAP Role Approval

This section details the steps for developing the custom approval workflow for SAP Role Approval.
2) Log in to the server where Oracle Identity Manager 11g R2 is installed.
3) Navigate to the directory ${ORACLE_Middleware_HOME}/Oracle_IDM1/server/workflows/new-workflow:
   cd ${ORACLE_Middleware_HOME}/Oracle_IDM1/server/workflows/new-workflow
4) Run the following ANT script to generate the default workflow template for SAP Role Approval, and provide the inputs as given below:
   ant -f new_project.xml
   Please enter application name: SAPRoleApproval
   Please enter project name: SAPRoleApproval
   Please enter the service name of the composite: SAPRoleApproval
5) Navigate to the following directory:
   cd ${ORACLE_Middleware_HOME}/Oracle_IDM1/server/workflows/new-workflow/process-template
6) Compress the newly created SOA composite directory "SAPRoleApproval" using a zip utility:
   zip -r SAPRoleApproval SAPRoleApproval
7) Move the "SAPRoleApproval.zip" file to the server where the JDeveloper Studio 11g environment is set up and extract the content of the zip to the JDeveloper workspace.
8) Open the SAPRoleApproval application from JDeveloper Studio.
9) Expand the content of the SAPRoleApproval project.
10) Open the "ApprovalTask.task" file for editing.
11) On the "General" section of the "ApprovalTask" edit page, enter the following details:
   Task Title: SAP Role Approval for Request ID <%/task:task/task:payload/task:RequestID%>
   Description: Approval Task for SAP Role Request
12) On the "Assignment" section, select the stage "Stage1.Participant1" and press the Edit button.
13) On the "Edit Participant Type" dialog enter the following details:
   Label: SAP Role Approvers
   Specify attributes using: select the "Rule-based" radio option
   List Ruleset: SAPRoleApproverRule
14) Save the participant type by pressing the "Ok" button, and wait for the Oracle Business Rule component to be rendered.
15) On the "ApprovalTaskRules.rules" page, press the "Create Rule" button.
16) On the Rule configuration section, set the details as follows:
   a. Select "Rule1" and name it "SAPApproverRule".
   b. Select "Description" and enter the value "Rule to get approver from OIM SAP Approval Role".
   c. Expand the "SAPApproverRule" Advanced setting and select the "Advanced Mode" option.
17) On the rule builder section, enter the variables and operands as follows for the "IF THEN ELSE" block:
   a. Select "Variable" on the IF section and enter the value "Task".
   b. Select "fact type" on the IF section and select "Task" from the drop-down.
   c. Select "<insert pattern>" on the IF section of the rule builder to add another condition.
   d. Set the new condition's variable and fact type as follows:
      Variable: Lists
      Fact Type: Lists
   e. Select the "<insert action>" button on the "THEN" section of the IF block and select the "call" action.
   f. Select the "<target>" placeholder on the call action and select the "CallResourceList" action from the drop-down.
   g. Set the "CreateResourceList" function parameters as follows:
      Users: null
      Groups: set the following value using the expression builder.
         If the role name is a String (without IT Resource Key prefix):
            Task.payload.objectDetails.name + "_Approver"
         If the role name is a DN:
            RL.string.substring before(RL.string.substring after(Task.payload.objectDetails.name.toLowerCase(), "cn="), ",ou=") + "_Approver"
         NOTE: The current assumption is that the naming convention used to create OIM approver roles for the equivalent SAP role/entitlement is <COMMONNAME_OF_SAP_ROLE>_Approver. E.g. if the SAP role is "cn=TestRole,ou=Role,dc=mydomain,dc=com" then the OIM approver role is "TestRole_Approver". If the naming convention used for OIM approver roles changes, the same change needs to be reflected in the value of the "Groups" parameter.
      Approles: null
      ResponseType: ResponseType.REQUIRED
      RuleName: enter the following text within the expression box and press enter: "SAPRoleApproverRule"
      Lists: Lists
18) Save the changes.
19) Review the updated "SAPRoleApproverRule".
20) Click the "Validate" button to check for errors.
21) Close the "ApprovalTaskRules.rules" window.
22) Open the "ApprovalTask.task" file for editing.
23) Navigate to the "Notification" tab.
24) Select the notification configured for the "Assign" task status and click the "Edit" button.
25) Copy and paste the content below into the "Edit Notification Message" text box.

   Email Template
   A <%/task:task/task:payload/task:RequestModel%> request has been assigned to you for approval.
   <BR><BR>
   Request ID: <%/task:task/task:payload/task:RequestID%>
   <BR>
   Request type: <%/task:task/task:payload/task:RequestModel%>
   <BR> <BR>
   Access this task in the <A style="text-decoration: none;" href=<%substring-before(/task:task/task:payload/task:url, "/workflowservice/CallbackService")%>/identity/faces/home?tf=approval_details > Identity Self Service </A> application or take direct action using the links below. Approvers are required to provide a justification when rejecting the request.

26) Click Ok and save the changes.
27) Select and edit the notification for the "Complete" task status, and set the following notification message.

   Email Template
   The <%/task:task/task:payload/task:RequestModel%> request has been <%translate(/task:task/task:systemAttributes/task:outcome, 'ABCDEFGHIJKLMNOPQRSTUVWXYZ','abcdefghijklmnopqrstuvwxyz')%>d by the approver.
   <BR><BR>
   Request ID: <%/task:task/task:payload/task:RequestID%>
   <BR>
   Request type: <%/task:task/task:payload/task:RequestModel%>
   <BR> <BR>
   Check your request in the <A style="text-decoration: none;" href=<%substring-before(/task:task/task:payload/task:url, "/workflowservice/CallbackService")%>/identity/faces/request?key<%/task:task/task:payload/task:RequestID%> > Identity Self Service </A>

28) Click Ok and save the changes.
29) Navigate to the "Advanced" tab of the Notification configuration and select the following option:
   - Make notification actionable
30) Create the deployment artifact for the SAPRoleApproval composite by following the steps below:
   a. Right-click on the project name, select the Deploy option and select "SAPRoleApproval".
   b. On the "Deployment Action" window, select "Deploy to SAR" and press "Next".
   c. Click the "Next" button on the "Deployment Configuration" screen.
   d. Press the "Finish" button on the "Summary" screen to generate the new SOA composite JAR deployment file.

2 Deployment

This section details the steps for deploying or configuring the following components:

a) Deploying SOA Composites
b) Configuring SOA Email Notification
c) Configuring OIM Approval Policy

2.1 Deploying SOA Composites

As a prerequisite to deploying the SOA composites, prepare the SOA composite JAR files as explained above and make the following JAR files available on the host from which the administrator will perform the deployment:

a. sca_BeneficiaryManagerApproval_rev1.0.jar
b. sca_SAPAppInstanceApproval_rev1.0.jar
c. sca_SAPRoleApproval_rev1.0.jar

2.1.1 Un-deploying the OOB Manager Approval composite

1. Log in to the WebLogic Enterprise Manager web console as an administrative user:
   http://<Weblogic_Host>:<Weblogic_Admin_Server_Port>/em
2. Expand the WebLogic farm as shown below:
   Farm_<OIM_Domain_Name> -> SOA -> soa-infra (<soa_server_instance_name>) -> default
3. Select and right-click on the "BeneficiaryManagerApproval[1.0]" SOA composite, and select the "Undeploy" option from the drop-down.
4. On the confirmation screen, press the "Undeploy" button and wait for the composite to be un-deployed.

2.1.2 Deploying the custom-built SOA composites

Follow the instructions detailed below to deploy the listed composites:

a. sca_BeneficiaryManagerApproval_rev1.0.jar
b. sca_SAPAppInstanceApproval_rev1.0.jar
c. sca_SAPRoleApproval_rev1.0.jar

1) Expand the WebLogic farm from Enterprise Manager as an administrative user:
   Farm_<OIM_Domain_Name> -> SOA -> soa-infra (<soa_server_instance_name>)
2) Select and right-click on the "default" partition, and select the "Deploy To This Partition..." option from the drop-down menu to open the "Deploy SOA Composite" wizard:
   default -> SOA Deployment -> Deploy To This Partition...
3) On the "Select Archive" page, choose the "Archive is on the machine where this web browser is running" option, browse to the composite to upload and press the "Next" button.
4) Wait for the "Confirmation" page to load and press the "Deploy" button to initiate the composite upload.

2.2 Deploying the Request Web Service

To deploy the Request web service:

1. Log in to WebLogic Enterprise Manager as an administrative user:
   http://<Weblogic_Host>:<Weblogic_Admin_Server_Port>/em
2. Expand the WebLogic farm as shown below:
   Farm_<OIM_Domain_Name> -> Weblogic Domain -> <OIM Domain Name>
3. Select and right-click on "OIM Server", and choose "Application Deployment -> Deploy" from the pop-up menu.
4. On the "Select Archive" page, choose the "Archive or exploded directory is on the server where Enterprise Manager is running" option.
5. Click Browse to open a file browser pop-up, select the following web service and press the "Next" button:
   <OIM_HOME>/server/webapp/optional/reqsvc.ear
6. Ensure "OIM server" is selected on the "Select Target" page and press the "Next" button.
7. Press the "Deploy" button on the "Application Attributes" page to deploy the request web service.

2.3 Securing the Web Service

The Request web service is protected with the wss_username_token_service_policy security policy. Therefore, the composite that acts as a client to the web service must pass a username and password for authentication. As a result, you must store the credential of the System Administrator in the CSF.

To store credentials in the CSF:

1. Log in to WebLogic Enterprise Manager as an administrative user:
   http://<Weblogic_Host>:<Weblogic_Admin_Server_Port>/em
2. Expand the WebLogic farm as shown below:
   Farm_<OIM_Domain_Name> -> Weblogic Domain
3. Right-click the OIM domain and select the following options from the pop-up menu:
   Security -> Credentials
4. Select oracle.wsm.security, and click Create Key. The Create Key dialog box is displayed.
5. Enter the following details in the Create Key dialog box:
   - Select Map: oracle.wsm.security
   - Key: RequestWSKey
   - Type: Password
   - Username: Oracle Identity Manager system administrator login ID
   - Password: Oracle Identity Manager system administrator password
   - Description: Security token for Request Web Service
6. Click OK.

2.4 Configuring SOA Email Notification

2.4.3 Configure Email driver properties

1. Log in to the WebLogic Enterprise Manager web console as an administrative user:
   http://<Weblogic_Host>:<Weblogic_Admin_Server_Port>/em
2. Expand the WebLogic farm as shown below:
   Farm_<OIM_Domain_Name> -> User Message Service
3. Select and right-click on "usermessagingdriver-email (soa_server_name)", and select the "Email Driver Properties" option.
4. On the "Email Driver Properties" page, navigate to the "Driver-specific Configuration" section and set the following attribute values to send email from the SOA environment:

   | Attribute Name | Description |
   |---|---|
   | OutgoingMailServer | Hostname of the SMTP email server |
   | OutgoingMailServerPort | Port on which the SMTP email server is listening |
   | OutgoingMailServerSecurity | Set to SSL / TLS if the email server only accepts secure connections; otherwise "None" |
   | OutgoingUsername | Username used to connect to the SMTP server; can be blank if anonymous authentication is supported |
   | OutgoingPassword | Password used for the SMTP server connection |

   The following set of properties must be configured if notifications need to be actionable:
   - MessageAccessProtocol
   - IncomingMailServer
   - IncomingMailServerPort
   - IncomingMailServerSSL
   - IncomingMailIDs
   - IncomingUserIDs
   - IncomingUserPasswords
5. After updating the email driver properties, press the "Apply" button to save the changes.

2.4.4 Configure SOA Suite Workflow Notification property

1) Expand the WebLogic farm from Enterprise Manager as an administrative user:
   Farm_<OIM_Domain_Name> -> SOA -> soa-infra (<soa_server_instance_name>)
2) Select and right-click on "soa-infra", and select the "SOA Administration -> Workflow Config" option.
3) On the "Workflow Notification Properties" page, set values for the following properties:
   Notification Mode: Email
   From Address: <From address to be used for email sent from SOA>
   Actionable Address: <Mail address to which approval task action replies will be sent>
   Reply Address: <A default reply address to be used>
4) Press the "Apply" button to save the changes.

2.5 Configuring OIM Approval Policy

2.5.5 Application Instance Approval Policy

2.5.5.1 Request Level Policy

1) From the OIM sysadmin console, open the "Approval Policies" configuration wizard.
2) Create a new Approval Policy with the following details:
   Basic Information
   Policy Name: ApplicationAccountPolicy-RL
   Description: Approval policy for application account/instance request
   Request Type: Provisioning Application Instance
   Level: Request Level
   Approval Process Configuration
   Approval Process: default/BeneficiaryManagerApproval!1.0
   Leave the other parameters at their defaults.
3) Press the "Next" button to bring up "Set Approval Rule and Component" and fill in the details as below:
   Rule Name: AccountApprovalRule
   Add the simple rule to the Rule Components section.
4) Press the "Next" button followed by the "Finish" button on the "Review Approval Policy Summary" screen to create the new approval policy.

2.5.5.2 Operation Level Policy

1) Create another Approval Policy for the application account request at operation level, with the following details:
   Basic Information
   Policy Name: ApplicationAccountPolicy-OL
   Description: Approval policy for application account/instance request at operation level
   Request Type: Provisioning Application Instance
   Level: Operation Level
   Scope: Select the Application Instance configured for the SAP resource
   Approval Process Configuration
   Approval Process: default/SAPAppInstanceApproval!1.0
   Leave the other parameters at their defaults.
2) Press the "Next" button to bring up "Set Approval Rule and Component" and fill in the details as below:
   Rule Name: AccountApprovalRule
   Add the simple rule to the Rule Components section.
3) Press the "Next" button followed by the "Finish" button on the "Review Approval Policy Summary" screen to create the new approval policy.

2.5.6 Application Entitlement Approval Policy

2.5.6.1 Request Level Policy

1) From the OIM sysadmin console, open the "Approval Policies" configuration wizard.
2) Create a new Approval Policy with the following details:
   Basic Information
   Policy Name: ApplicationEntitlementPolicy-RL
   Description: Approval policy for application entitlement request
   Request Type: Provision Entitlement
   Level: Request Level
   Approval Process Configuration
   Approval Process: default/BeneficiaryManagerApproval!1.0
   Leave the other parameters at their defaults.
3) Press the "Next" button to bring up the "Set Approval Rule and Component" page and fill in the details as below:
   Rule Name: EntitlementApprovalRule
   Add the simple rule to the Rule Components section.
4) Press the "Next" button followed by the "Finish" button on the "Review Approval Policy Summary" screen to create the new approval policy.

2.5.6.2 Operation Level Policy

1) Create another Approval Policy for the application entitlement request at operation level, with the following details:
   Basic Information
   Policy Name: ApplicationEntitlementPolicy-OL
   Description: Approval policy for application entitlement request at operation level
   Request Type: Provision Entitlement
   Level: Operation Level
   Scope: Select the Application Instance configured for the SAP resource
   Approval Process Configuration
   Approval Process: default/SAPRoleApproval!1.0
   Leave the other parameters at their defaults.
2) Press the "Next" button to bring up "Set Approval Rule and Component" and fill in the details as below:
   Rule Name: AccountApprovalRule
   Add the simple rule to the Rule Components section.
3) Press the "Next" button followed by the "Finish" button on the "Review Approval Policy Summary" screen to create the new approval policy.
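The "Groups" expression of the SAPRoleApproverRule (sections 1.2.6 and 1.3) derives the approver role name from either a plain SAP role name or its DN. The following is an added example, not code from the post, that does the same derivation in plain Java so the mapping can be checked against sample inputs before it is wired into the rule; the class name, the known-role set and the sample values are constructed for the example.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Plain-Java counterpart (hypothetical, not the post's rule) of the "Groups"
 * expression in SAPRoleApproverRule: approver role = <CN of SAP role> + "_Approver".
 */
public final class ApproverRoleResolver {

    /** Suffix from the post's naming convention for OIM approver roles. */
    public static final String SUFFIX = "_Approver";

    /** OIM role names that exist (constructed sample set for the example). */
    private final Set<String> knownRoles;

    public ApproverRoleResolver(Set<String> knownRoles) {
        this.knownRoles = knownRoles;
    }

    /**
     * A plain role name gets the suffix as-is. A DN contributes only the value of its
     * first RDN. The rule's substring-after "cn=" / substring-before ",ou=" gives the
     * same result for the DN shape in the post, but yields an empty name (and so the
     * role "_Approver") when the RDN after the CN is not "ou"; this method rejects that.
     */
    public static String approverRoleFor(String sapRole) {
        if (sapRole == null || sapRole.trim().isEmpty()) {
            throw new IllegalArgumentException("empty SAP role name");
        }
        String role = sapRole.trim();
        // "CN=" is accepted as well, as the second composite lower-cases the name first.
        if (!role.regionMatches(true, 0, "cn=", 0, 3)) {
            return role + SUFFIX;                      // plain-name variant of the rule
        }
        String cn = firstRdnValue(role.substring(3));
        if (cn.isEmpty()) {
            throw new IllegalArgumentException("DN has no CN value: " + sapRole);
        }
        return cn + SUFFIX;
    }

    /** Value up to the first unescaped comma (RFC 4514 escapes a literal comma as "\,"). */
    private static String firstRdnValue(String afterCn) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < afterCn.length(); i++) {
            char ch = afterCn.charAt(i);
            if (ch == '\\' && i + 1 < afterCn.length()) {
                sb.append(afterCn.charAt(++i));        // keep the escaped character
            } else if (ch == ',') {
                break;
            } else {
                sb.append(ch);
            }
        }
        return sb.toString().trim();
    }

    /** Derive the approver role and fail loudly if no such OIM role exists. */
    public String resolve(String sapRole) {
        String approver = approverRoleFor(sapRole);
        if (!knownRoles.contains(approver)) {
            throw new IllegalStateException("no OIM role " + approver + " for SAP role " + sapRole);
        }
        return approver;
    }

    public static void main(String[] args) {
        ApproverRoleResolver r = new ApproverRoleResolver(
                new HashSet<String>(Arrays.asList("TestRole_Approver", "FI_VIEW_Approver")));
        // DN form from the post and plain-name form, both mapping to existing roles
        System.out.println(r.resolve("cn=TestRole,ou=Role,dc=mydomain,dc=com"));
        System.out.println(r.resolve("FI_VIEW"));
        // A CN with no matching approver role fails instead of producing a name that matches nothing
        try {
            r.resolve("cn=Orphan,ou=Role,dc=mydomain,dc=com");
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
    }
}
```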


OIM11gR2: How to handle child data in a custom ICF connector

This blog entry explains how to perform child table operations in custom ICF connector code. It does not explain in detail how to write ICF connectors; it only covers the APIs you need to set up and perform child table operations through ICF. The second section discusses a typical requirement: setting up reconciliation for a resource with a multi-column child table through a custom ICF connector.

SECTION 1 - Child table operation APIs in a custom ICF connector

We may want to perform different provisioning operations such as add, remove and update on a child table through our custom ICF code.

Add/remove operations on a child table: To perform child table operations in a custom ICF connector you need to implement the UpdateAttributeValuesOp interface in your connector code. Its methods addAttributeValues and removeAttributeValues deal with adding and removing child table data:

    addAttributeValues(objectClass, uid, attributes, operationOptions);
    removeAttributeValues(objectClass, uid, attributes, operationOptions);

Note that UpdateOp is used for updating parent form attributes only. To handle parent form updates as well as child form creation, update and deletion you have to implement both interfaces, UpdateOp and UpdateAttributeValuesOp.
UpdateOp interface: http://docs.oracle.com/cd/E37115_01/apirefs.1112/e28160/org/identityconnectors/framework/spi/operations/UpdateOp.html
UpdateAttributeValuesOp interface: http://docs.oracle.com/cd/E37115_01/apirefs.1112/e28160/org/identityconnectors/framework/spi/operations/UpdateAttributeValuesOp.html

Update operations on a child table:
1) You may ask how an update to child table data is handled in ICF. This is how it works: when a child table row is updated, OIM triggers removeAttributeValues(oldValue) followed by addAttributeValues(newValue) in the connector. Both calls must therefore be safe to replay (an add of a row that already exists, a remove of a row that is already gone), or a retried task will leave the target out of step with the process form.

Now, how do we pass values to the following process task adapter methods?

    public String addChildTableValue(String objectType, String childTableName, long childPrimaryKey)
    public String removeChildTableValue(String objectType, String childTableName, Integer taskInstanceKey)

Here objectType is User, childTableName is the name of the child process form in your implementation, and the childPrimaryKey and taskInstanceKey mappings are shown in the screenshots below:
childPrimaryKey mapping
taskInstanceKey mapping

Using the above information you can perform the different provisioning operations on a child table through custom ICF connector code.

SECTION 2: Setting up reconciliation for a multi-column child table in a custom ICF connector

We often see requirements where multi-column child data has to be processed using a custom ICF connector. We had a requirement to reconcile a resource with more than one column in its child form. We could not find enough information on how to achieve this in any of the blogs, product documentation or training material. The training guide does cover a flat-file custom ICF connector with a child table, but only for a child table with a single column.

Handling a multi-column child table in a custom ICF connector is different from the single-column case shown in the lab guides and product documentation (Developer Guide: http://docs.oracle.com/cd/E37115_01/dev.1112/e27150/icf_integration.htm). Below is what was done in our case.

Requirement: provision and reconcile multi-column child table data using a custom ICF connector. Below is how the parent and child form data looked in our case:
Child table data

Reconciliation implementation: the recon lookup for our implementation was set up as below:
Recon Lookup

2. Apart from implementing addAttributeValues and removeAttributeValues, your custom ICF code also needs executeQuery() and schema(), plus two helpers of our own, getEmbeddedObjAttributeInfo() and addAttrInObjClass(), that build the embedded-object schema for the child table.

Below are the code snippets of the different methods we implemented for the child table. Here APPS = 'apps' and APPLICATIONS = 'Applications' (from the lookup entry above). 'Applications' and 'UserName' in getEmbeddedObjAttributeInfo are the child table columns.

3. Below is the snippet from executeQuery that wraps the child table data. Here too, APPS = 'apps' and APPLICATIONS = 'Applications' (from the lookup entry above).

4. Below is how we set up the Reconciliation Field Mapping in the Process Definition:
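The snippets the post refers to were screenshots. As an added example (not the author's code), here is a complete minimal connector that ties Section 1 and Section 2 together: UpdateOp for the parent form, UpdateAttributeValuesOp for the child rows, a schema() that declares the child table as a multi-valued EmbeddedObject attribute named "apps" with the columns "Applications" and "UserName" from the lookup above, and an executeQuery() that wraps the child rows for reconciliation. The target system is an in-memory map, an assumption made so that the class is self-contained; the configuration class and connector key are placeholders.

```java
import java.util.*;

import org.identityconnectors.framework.common.objects.*;
import org.identityconnectors.framework.common.objects.filter.AbstractFilterTranslator;
import org.identityconnectors.framework.common.objects.filter.FilterTranslator;
import org.identityconnectors.framework.spi.*;
import org.identityconnectors.framework.spi.operations.*;

/**
 * Demo connector: child-table rows travel as EmbeddedObject values of the
 * multi-valued attribute "apps" (the recon lookup code), each carrying the
 * child columns "Applications" and "UserName". The "target system" is an
 * in-memory map (an assumption, so the class runs stand-alone).
 */
@ConnectorClass(displayNameKey = "demo.connector",
                configurationClass = DemoChildTableConnector.Config.class)
public class DemoChildTableConnector
        implements Connector, SchemaOp, UpdateOp, UpdateAttributeValuesOp, SearchOp<String> {

    static final String APPS = "apps", APPLICATIONS = "Applications", USER_NAME = "UserName";
    static final ObjectClass APPS_CLASS = new ObjectClass(APPS);
    // uid -> parent attributes; uid -> child rows (one column map per row)
    static final Map<String, Map<String, Object>> PARENTS = new HashMap<String, Map<String, Object>>();
    static final Map<String, List<Map<String, String>>> CHILD_ROWS = new HashMap<String, List<Map<String, String>>>();

    public static class Config extends AbstractConfiguration {
        @Override public void validate() { }
    }
    private Config config;
    public Configuration getConfiguration() { return config; }
    public void init(Configuration cfg) { config = (Config) cfg; }
    public void dispose() { }

    // UpdateOp: parent form only. OIM never routes child rows through update().
    public Uid update(ObjectClass oc, Uid uid, Set<Attribute> attrs, OperationOptions opts) {
        Map<String, Object> parent = PARENTS.get(uid.getUidValue());
        if (parent == null) { parent = new HashMap<String, Object>(); PARENTS.put(uid.getUidValue(), parent); }
        for (Attribute a : attrs) parent.put(a.getName(), AttributeUtil.getSingleValue(a));
        return uid;
    }

    // Child row inserted, or the "add new value" half of a child-row update.
    public Uid addAttributeValues(ObjectClass oc, Uid uid, Set<Attribute> valuesToAdd, OperationOptions opts) {
        List<Map<String, String>> rows = CHILD_ROWS.get(uid.getUidValue());
        if (rows == null) { rows = new ArrayList<Map<String, String>>(); CHILD_ROWS.put(uid.getUidValue(), rows); }
        for (Attribute a : valuesToAdd) {
            if (!APPS.equals(a.getName())) continue;
            for (Object v : a.getValue()) {
                Map<String, String> row = toRow((EmbeddedObject) v);
                if (!rows.contains(row)) rows.add(row);      // idempotent: OIM may retry the task
            }
        }
        return uid;
    }

    // Child row deleted, or the "remove old value" half of a child-row update.
    public Uid removeAttributeValues(ObjectClass oc, Uid uid, Set<Attribute> valuesToRemove, OperationOptions opts) {
        List<Map<String, String>> rows = CHILD_ROWS.get(uid.getUidValue());
        if (rows == null) return uid;                        // nothing to remove: also safe on retry
        for (Attribute a : valuesToRemove) {
            if (!APPS.equals(a.getName())) continue;
            for (Object v : a.getValue()) rows.remove(toRow((EmbeddedObject) v));
        }
        return uid;
    }

    // Schema: the child table is a multi-valued EmbeddedObject attribute whose
    // own object class lists the child columns (what the post's helpers built).
    public Schema schema() {
        SchemaBuilder sb = new SchemaBuilder(DemoChildTableConnector.class);
        ObjectClassInfoBuilder child = new ObjectClassInfoBuilder();
        child.setType(APPS);
        child.addAttributeInfo(AttributeInfoBuilder.build(APPLICATIONS));
        child.addAttributeInfo(AttributeInfoBuilder.build(USER_NAME));
        sb.defineObjectClass(child.build());

        ObjectClassInfoBuilder account = new ObjectClassInfoBuilder();
        account.setType(ObjectClass.ACCOUNT_NAME);
        account.addAttributeInfo(AttributeInfoBuilder.build(USER_NAME));
        AttributeInfoBuilder apps = new AttributeInfoBuilder(APPS, EmbeddedObject.class);
        apps.setMultiValued(true);
        account.addAttributeInfo(apps.build());
        sb.defineObjectClass(account.build());
        return sb.build();
    }

    public FilterTranslator<String> createFilterTranslator(ObjectClass oc, OperationOptions opts) {
        return new AbstractFilterTranslator<String>() { };  // no filter push-down in this demo
    }

    // Reconciliation: each child row is wrapped as an EmbeddedObject under "apps".
    public void executeQuery(ObjectClass oc, String query, ResultsHandler handler, OperationOptions opts) {
        for (Map.Entry<String, Map<String, Object>> e : PARENTS.entrySet()) {
            ConnectorObjectBuilder cob = new ConnectorObjectBuilder();
            cob.setUid(e.getKey());
            cob.setName(e.getKey());
            for (Map.Entry<String, Object> p : e.getValue().entrySet()) cob.addAttribute(p.getKey(), p.getValue());
            List<EmbeddedObject> children = new ArrayList<EmbeddedObject>();
            List<Map<String, String>> rows = CHILD_ROWS.get(e.getKey());
            if (rows != null) for (Map<String, String> row : rows) {
                EmbeddedObjectBuilder eob = new EmbeddedObjectBuilder();
                eob.setObjectClass(APPS_CLASS);
                eob.addAttribute(APPLICATIONS, row.get(APPLICATIONS));
                eob.addAttribute(USER_NAME, row.get(USER_NAME));
                children.add(eob.build());
            }
            cob.addAttribute(AttributeBuilder.build(APPS, children));
            if (!handler.handle(cob.build())) return;       // consumer asked us to stop
        }
    }

    private static Map<String, String> toRow(EmbeddedObject eo) {
        Map<String, String> row = new HashMap<String, String>();
        row.put(APPLICATIONS, AttributeUtil.getStringValue(eo.getAttributeByName(APPLICATIONS)));
        row.put(USER_NAME, AttributeUtil.getStringValue(eo.getAttributeByName(USER_NAME)));
        return row;
    }
}
```

The add and remove handlers are written to be idempotent on purpose: because a child-row edit arrives as a remove followed by an add, and because OIM retries failed tasks, a connector that throws on "row already present" or "row not found" will strand the process task in a rejected state.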


OIM11gR2: Uninstall connector utility

Unlike earlier versions of OIM, you can now uninstall a connector that was installed from a connector bundle or created directly in an environment. Note: before deleting a connector, open the Resource Object and click "Create Reconciliation Profile"; otherwise the connector delete reports failure. The steps involved in uninstalling a connector are:
1. Set up the properties file with the appropriate information. Location: $OIM_HOME/bin/ConnectorUninstall.properties
2. Execute the uninstall script. Location: $OIM_HOME/bin/uninstallConnector.bat or uninstallConnector.sh
Almost all of the properties in ConnectorUninstall.properties are explained in the out-of-the-box file. The focus here is on the ObjectType and ObjectValues properties. If the connector was installed from a connector bundle and you want to uninstall it, ignore these properties. If the connector was installed via Deployment Manager --> Import, these properties are what you use: with ObjectType=Resource and ObjectValues=<name of the RO>, the important connector components are deleted. When a connector is uninstalled by Resource Object name and value, the dependent objects such as Process Definition, Process Form, IT Resource and Application Instance are deleted. Note that the request dataset is not deleted.


OIM11gR2: ADF: Frequently used EL expressions

Category | Usage | EL (Expression Language)
User | Get the current user's attribute value by passing the attribute name | #{oimcontext.currentUser['ATTRIBUTE_NAME']}
User | Similarly, get the value of a UDF | #{oimcontext.currentUser['UDF_NAME']}
User | Roles assigned to the current user. Returns a list of RoleEntity objects, a Java bean with name, description, key and displayName properties | #{oimcontext.currentUser.roles}
User | True if the user is a system administrator | #{oimcontext.currentUser.roles['SYSTEM ADMINISTRATORS'] ne null}
User | True if the user holds the admin role 'OrclOIMSystemAdministrator' | #{oimcontext.currentUser.adminRoles['OrclOIMSystemAdministrator'] ne null}
User | User key | #{oimcontext.currentUser.usr_key}
User | User key (bracket form) | #{oimcontext.currentUser['usr_key']}
User | User login | #{oimcontext.currentUser['User Login']}
Request | Current operation. Possible values: CREATE / MODIFY | #{pageFlowScope.requestFormContext.operation}
Request | True if the current operation is Modify | #{pageFlowScope.requestFormContext.operation eq 'MODIFY'}
Request | Current action type. Possible values: APPROVAL / FULFILL / REQUEST / VIEW / SUMMARY. On all approval pages and in the approver view the value is APPROVAL; on the manual fulfillment page it is FULFILL | #{pageFlowScope.requestFormContext.actionType}
Request | True if the action type is REQUEST, i.e. the user is about to submit the request | #{pageFlowScope.requestFormContext.actionType eq 'REQUEST'}
Request | True if the request is a bulk request | #{pageFlowScope.requestFormContext.bulk}
Request | Beneficiary user IDs (user login values) | #{pageFlowScope.requestFormContext.beneficiaryIds}
Request | Keys of the cart items | #{pageFlowScope.requestFormContext.cartItemIds}
Request | Type of item added to the request. Possible values: ROLE / ENTITLEMENT / APP_INSTANCE / USER | #{pageFlowScope.requestFormContext.requestEntityType}
Request | True if the added item is an application instance | #{pageFlowScope.requestFormContext.requestEntityType eq 'APP_INSTANCE'}
Request | Application instance key of the added item | #{pageFlowScope.requestFormContext.requestEntitySubType}
Request | Provisioned instance key for a modify-type request | #{pageFlowScope.requestFormContext.instanceKey}
General | Invoke a method on a backing bean | #{backingBean.<Bean Name>.<bean method>}
General | Show a field disabled on all FULFILL and APPROVAL pages | disabled="#{pageFlowScope.requestFormContext.actionType ne 'REQUEST'}"
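As an added example (not from the original page), the fragment below puts several of these expressions to work in one request-form page: a field the requester may edit but approvers and fulfillers only see read-only, a line naming the requester and beneficiaries, a note rendered only when an existing application instance is being modified, and a button shown only to holders of the OrclOIMSystemAdministrator admin role. The binding name `bindings.AccountLogin` is an assumption.

```xml
<!-- Added example fragment of a request-form .jsff page; bindings.AccountLogin is assumed. -->
<af:inputText id="accountLogin" label="Account Login"
              value="#{bindings.AccountLogin.inputValue}"
              disabled="#{pageFlowScope.requestFormContext.actionType ne 'REQUEST'}"/>

<af:outputText id="who"
               value="Requested by #{oimcontext.currentUser['User Login']} for #{pageFlowScope.requestFormContext.beneficiaryIds}"/>

<af:outputText id="modifyNote"
               value="Modifying provisioned instance #{pageFlowScope.requestFormContext.instanceKey}"
               rendered="#{pageFlowScope.requestFormContext.operation eq 'MODIFY' and pageFlowScope.requestFormContext.requestEntityType eq 'APP_INSTANCE'}"/>

<af:commandButton id="adminOnly" text="Override"
                  actionListener="#{backingBean.requestFormBean.override}"
                  rendered="#{oimcontext.currentUser.adminRoles['OrclOIMSystemAdministrator'] ne null}"/>
```

Treat `rendered` and `disabled` as usability, not as access control: they only shape what the page sends to the browser, and anything the bean's action method does must still be authorized on the server by OIM's own checks.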


OIM11gR2: Issue with (request form prepop Vs process form prepop)

Background
Pre-populating known information on a request form during a provisioning operation is a very common need. OIM 11g R2 supports request form pre-population through a plug-in. The plug-in point is "oracle.iam.request.plugins.PrePopulationAdapter". A sample entry in plugin.xml:

    <plugin pluginclass="PrePopulateUserLogin" version="1.0" name="PrePopulateUserLogin">
      <metadata name="PrePopulationAdapater">
        <value>PrepopTestApp::User Login|FileTransfer::Account Login</value>
      </metadata>
    </plugin>

Issue
The class PrePopulateUserLogin holds the logic that fetches and returns the value of User Login. The returned value is populated into the attributes named in the <value> element of the snippet above: the 'User Login' field of the 'PrepopTestApp' application and 'Account Login' of the 'FileTransfer' application. Suppose the plug-in class cannot fetch a value for User Login and is written so that it returns a blank/empty string in that case. At first sight this looks smooth and robust enough. It becomes a problem, however, if you also pre-populate the same attribute with a pre-populate adapter attached to the process form.

Flow
The request form pre-populate code returns User Login as blank. The request is submitted with a blank User Login value and, say, goes through the required approvals. The process form pre-populate adapter is triggered because the 'User Name' attribute is blank. Any OIM developer will tell you that once the pre-populate adapter is triggered and returns a value, that value is populated onto the process form. Surprisingly, this does not happen here: the adapter is triggered and a value is returned, but the form is not populated. If your User Name attribute is mandatory on the process form, the account stays in Provisioning state and the Resource History shows 'System Validation' as pending. Try it out!

Solution
At least I felt that it was a good discovery. The solution is simple: in your request form pre-population logic, if you do not find a value to return, return null instead of a blank string.

Case 1: the process form pre-pop triggers but does not set a value. The weird part is that, since it is triggered, it should set the value it fetched, but it doesn't.

    if (attrValue != null)
        return attrValue;
    else
        return "";

Case 2: the process form pre-pop triggers and sets the value.

    if (attrValue != null)
        return attrValue;
    else
        return null;

Conclusion
For request form pre-population, return null whenever the source attribute value is blank or null; a blank string is treated as a value and blocks the process form pre-populate adapter.
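As an added example (not the author's code), here is a complete plug-in class matching the plugin.xml above that fetches the beneficiary's login through the UserManager API and applies the conclusion: anything blank is collapsed to null so the process form pre-populate adapter can still run. The bulk-request check and the decision to swallow lookup exceptions are my assumptions about the desired behaviour.

```java
import java.io.Serializable;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import oracle.iam.identity.exception.NoSuchUserException;
import oracle.iam.identity.exception.UserLookupException;
import oracle.iam.identity.usermgmt.api.UserManager;
import oracle.iam.identity.usermgmt.api.UserManagerConstants;
import oracle.iam.identity.usermgmt.vo.User;
import oracle.iam.platform.Platform;
import oracle.iam.request.exception.RequestServiceException;
import oracle.iam.request.plugins.PrePopulationAdapter;
import oracle.iam.request.vo.Beneficiary;
import oracle.iam.request.vo.RequestData;

/**
 * Request-form pre-population plug-in that fills "User Login" / "Account Login"
 * from the beneficiary's OIM user record. It returns null, never "", when it has
 * nothing to offer, so the process-form pre-populate adapter still fires later.
 */
public class PrePopulateUserLogin implements PrePopulationAdapter {

    public Serializable prepopulate(RequestData requestData) throws RequestServiceException {
        List<Beneficiary> beneficiaries = requestData.getBeneficiaries();
        // Bulk requests carry several beneficiaries; one pre-populated login makes no sense then (assumption).
        if (beneficiaries == null || beneficiaries.size() != 1) {
            return null;
        }
        String userKey = beneficiaries.get(0).getBeneficiaryKey();
        return normalize(lookupLogin(userKey));
    }

    /** Looks the beneficiary up by usr_key and returns the login, or null if the lookup fails. */
    static String lookupLogin(String userKey) {
        try {
            UserManager userManager = Platform.getService(UserManager.class);
            Set<String> attrs = new HashSet<String>();
            attrs.add(UserManagerConstants.AttributeName.USER_LOGIN.getId());
            User user = userManager.getDetails(userKey, attrs, false);   // false: the key is usr_key, not a login
            return user.getLogin();
        } catch (NoSuchUserException e) {
            return null;
        } catch (UserLookupException e) {
            return null;
        }
    }

    /** The post's finding: a blank string blocks the process-form pre-pop, null does not. */
    static Serializable normalize(String value) {
        return (value == null || value.trim().length() == 0) ? null : value;
    }
}
```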


OIM11g R2: Reconciling a Disconnected System Account

Reconciliation of a disconnected system account is the same as reconciling a connected system account; the main difference is the source of the reconciliation data. For a connected system, a connection is established with the actual target system and data is pulled into OIM, whereas for a disconnected system the data is made available to OIM as a CSV, a flat file or a database table. Reconciliation for both types looks the same in the case of an initial load; some implementations make data available externally during initial load for all types of target system.

For any type of system reconciliation, including the IT Resource attribute among the RO attributes and in the recon data is mandatory. If this information (the IT Resource value in the recon data) is missing when the reconciliation event is submitted, the event is still created and linked successfully and its status shows 'Creation Succeeded'. However, when you navigate to the 'Accounts' tab or the 'My Access' tab, the resource is not shown: the reconciliation rules are evaluated and the event is linked, but the resource never appears on the user's resource profile. Yes, you read that correctly. Likewise, when another recon event is created for the same account, the event shows 'Update Succeeded', but again no resource appears on the user's resource profile.

The code snippet for submitting a simple recon event (client is an already authenticated OIMClient, and RESOURCE_OBJECT holds the name of the resource object):

    ReconOperationsService reconOp = client.getService(ReconOperationsService.class);
    System.out.println("reconOp=" + reconOp);

    Map<String, Object> roDataMap = new HashMap<String, Object>();
    roDataMap.put("User Name", "name");
    roDataMap.put("Email", "name@xyz.com");
    roDataMap.put("IT Resource", "ITR");   // the most important entry: without it the linked event never reaches the account

    try {
        EventAttributes ea = new EventAttributes();
        ea.setEventFinished(true);
        long eventKey = reconOp.createReconciliationEvent(RESOURCE_OBJECT, roDataMap, ea);
        reconOp.processReconciliationEvent(eventKey);
        System.out.println("eventKey=" + eventKey);
    } catch (Exception e) {
        e.printStackTrace();
    }


OIM 11g R1 - Multi Valued attribute reconciliation of a child form

This topic gives a brief description of how to reconcile a child form attribute that is also multi-valued from a flat file. The flat file format is (an example):

    ManagementDomain1|Entitlement1|DIRECTORY SERVER,EMAIL
    ManagementDomain2|Entitlement2|EMAIL PROVIDER INSTANCE - UMS,EMAIL VERIFICATION

In OIM there is a parent form with the fields Management Domain and Entitlement. Reconciliation assigns Servers (which are multi-valued) to the corresponding Management Domain and Entitlement. In the flat file, multi-valued fields are separated by a comma (,).

In the Design Console, create a form with 'Server Name' as a field and make it a child form. Open the corresponding Resource Object and add this field for reconciliation; while adding it, select the 'Multivalued' check box (see the attached screenshot, Child Table.docx). Open the process definition and add the child form fields for reconciliation. Then click the 'Create Reconciliation Profile' button on the Resource Object tab.

The API methods used for child form reconciliation are:

1. reconEventKey = reconOpsIntf.createReconciliationEvent(resObjName, reconData, false);
   'false' here means the event is not finished on creation. That leaves it open so the child table data can be added before finishReconciliationEvent is called.
2. reconOpsIntf.providingAllMultiAttributeData(reconEventKey, RECON_FIELD_IN_RO, true);
   RECON_FIELD_IN_RO is the field we added to the Resource Object for reconciliation (see the screenshot); 'true' declares that this event carries the complete set of child values.
3. reconOpsIntf.addDirectBulkMultiAttributeData(reconEventKey, RECON_FIELD_IN_RO, bulkChildDataMapList);
   where bulkChildDataMapList is built as follows (stokens holds the comma-separated server names of one line):

    List<Map> bulkChildDataMapList = new ArrayList<Map>();
    for (int i = 0; i < stokens.length; i++) {
        Map<String, String> attributeMap = new HashMap<String, String>();
        String serverName = stokens[i].trim();
        attributeMap.put("Server Name", serverName);   // child form field
        bulkChildDataMapList.add(attributeMap);
    }

4. reconOpsIntf.finishReconciliationEvent(reconEventKey);
5. reconOpsIntf.processReconciliationEvent(reconEventKey);

Now register the plug-in, import the metadata into MDS and create a scheduled job that runs the reconciliation.
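As an added example (not the author's code), the scheduled task below carries the five calls above through end to end for the flat-file format shown, and also applies the point made in the disconnected-account post: every parent record carries the IT Resource value. The resource object, IT resource and recon field names are assumptions, the sample lines are constructed, and a real task would read the file path from the task parameters instead of an embedded string.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import oracle.iam.platform.Platform;
import oracle.iam.reconciliation.api.ReconOperationsService;
import oracle.iam.scheduler.vo.TaskSupport;

/**
 * Scheduled task that reconciles the flat-file layout parent|parent|child,child into a
 * resource object whose parent form holds Management Domain / Entitlement and whose
 * child form holds the multi-valued Server Name column. Names below are assumptions.
 */
public class FlatFileChildRecon extends TaskSupport {

    static final String RESOURCE_OBJECT = "Entitlement RO";    // assumed RO name
    static final String IT_RESOURCE = "Entitlement ITR";       // assumed IT resource name
    static final String RECON_FIELD_IN_RO = "Servers";         // assumed multivalued recon field on the RO

    /** Constructed sample input in the post's layout. */
    static final String SAMPLE =
        "ManagementDomain1|Entitlement1|DIRECTORY SERVER,EMAIL\n" +
        "ManagementDomain2|Entitlement2|EMAIL PROVIDER INSTANCE - UMS,EMAIL VERIFICATION\n";

    /** One parsed line: parent recon data plus the child rows to attach. */
    static class Record {
        final Map<String, Object> parent = new HashMap<String, Object>();
        final List<Map> children = new ArrayList<Map>();
    }

    static List<Record> parse(String text) throws IOException {
        List<Record> out = new ArrayList<Record>();
        BufferedReader reader = new BufferedReader(new StringReader(text));
        String line;
        while ((line = reader.readLine()) != null) {
            if (line.trim().length() == 0) continue;
            String[] cols = line.split("\\|", -1);
            if (cols.length != 3) continue;                // malformed line: skip rather than guess
            Record rec = new Record();
            rec.parent.put("Management Domain", cols[0].trim());
            rec.parent.put("Entitlement", cols[1].trim());
            rec.parent.put("IT Resource", IT_RESOURCE);    // mandatory, or the linked event never reaches the account
            for (String server : cols[2].split(",")) {
                String name = server.trim();
                if (name.length() == 0) continue;
                Map<String, String> row = new HashMap<String, String>();
                row.put("Server Name", name);              // child form field
                rec.children.add(row);
            }
            out.add(rec);
        }
        return out;
    }

    /** Creates one event per record, attaches all child rows, then finishes and processes it. */
    static long submit(ReconOperationsService recon, Record rec) throws Exception {
        // false = do not finish the event yet; the child data has to be added first
        long key = recon.createReconciliationEvent(RESOURCE_OBJECT, rec.parent, false);
        // true = this event carries the complete child set, so rows absent here are removed in OIM
        recon.providingAllMultiAttributeData(key, RECON_FIELD_IN_RO, true);
        recon.addDirectBulkMultiAttributeData(key, RECON_FIELD_IN_RO, rec.children);
        recon.finishReconciliationEvent(key);
        recon.processReconciliationEvent(key);
        return key;
    }

    @Override
    public void execute(HashMap params) throws Exception {
        ReconOperationsService recon = Platform.getService(ReconOperationsService.class);
        for (Record rec : parse(SAMPLE)) {                 // a real task reads the path from params
            submit(recon, rec);
        }
    }

    @Override public HashMap getAttributes() { return null; }
    @Override public void setAttributes() { }
}
```

Because providingAllMultiAttributeData is called with true, each event is authoritative for the child table: a server that disappears from the file is revoked from the account on the next run, which is what you want for a flat file that represents the full target state, and not what you want for a delta feed.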


Configuring Weblogic Server 10.3.6 from 32-bit mode to 64-bit mode

This post pertains to the configuration of WebLogic Server from 32-bit mode to 64-bit mode on Solaris OS, for the case where WLS 10.3.6 is running in 32-bit mode while the JDK in use is installed for 64-bit mode (on Solaris, a 64-bit JDK installation consists of installing the 32-bit JDK followed by the 64-bit patch).

Verification of the mode being used. One can verify the mode of WebLogic Server in the following ways:
1. Check the commonEnv.sh script located at $MIDDLEWARE_HOME/wlserver_10.3/common/bin, where $MIDDLEWARE_HOME is the Middleware install directory. Look for the patterns SUN_ARCH_DATA_MODEL and JAVA_USE_64BIT in the file. For 32-bit mode the parameters appear as:
    SUN_ARCH_DATA_MODEL="32"
    JAVA_USE_64BIT=false
2. Check the server console logs for which JDK is used during start-up.
3. Check which JDK the running WebLogic Server process uses. Before switching, also confirm that the 64-bit data model is really installed for that JDK with `java -d64 -version`; if the 64-bit patch is missing, the command fails and the server will not start in 64-bit mode.

Configuration steps:
1. Take a backup of the commonEnv.sh script located at $MIDDLEWARE_HOME/wlserver_10.3/common/bin.
2. Modify the following parameters in commonEnv.sh; for 64-bit mode the values should be 64 and true respectively:
    SUN_ARCH_DATA_MODEL="64"
    JAVA_USE_64BIT=true
3. Restart the WebLogic server. One can confirm that the JDK being used is 64-bit by looking at the WebLogic console logs during server start-up or by looking at the running process.


OAM OVD integration - Error Encounterd while performance test "LDAP response read timed out, timeout used:2000ms"

While working on OAM OVD integration for one of my clients, I was involved in the performance test of the products, during which I encountered OAM authentication failures while talking to OVD under heavy load. OAM logs revealed the following:

    oracle.security.am.common.policy.common.response.ResponseException: oracle.security.am.engines.common.identity.provider.exceptions.IdentityProviderException: OAMSSA-20012: Exception in getting user attributes for user : dummy_user1, idstore MyIdentityStore with exception javax.naming.NamingException: LDAP response read timed out, timeout used:2000ms.; remaining name 'ou=people,dc=oracle,dc=com'
        at oracle.security.am.common.policy.common.response.IdentityValueProvider.getUserAttribute(IdentityValueProvider.java:271)
        ...

During authentication and authorization, OAM complains that the LDAP repository takes too long to return user attributes. The default read timeout is 2 seconds, as the exception shows ("2000ms"). While troubleshooting, we found that the LDAP read timeout can be raised in oam-config.xml. For reference, the setting (value in milliseconds; 2000 is the default) is:

    <Setting Name="LdapReadTimeout" Type="xsd:string">2000</Setting>

However, raising the timeout is not recommended unless absolutely necessary: it only hides latency, and you should first make sure the back-end directory servers are healthy. Instead, I took the path of tuning OVD as follows:

1) Navigate to the ORACLE_INSTANCE/config/OPMN/opmn folder and edit opmn.xml. Search for <data id="java-options" ...> and edit the file as below; the items that were changed are the heap sizes, -Dvde.soTimeoutBackend=0, the GC logging options and the ping interval:

    <category id="start-options">
      <data id="java-bin" value="$ORACLE_HOME/jdk/bin/java"/>
      <data id="java-options" value="-server -Xms1024m -Xmx1024m -Dvde.soTimeoutBackend=0 -Didm.oracle.home=$ORACLE_HOME -Dcommon.components.home=$ORACLE_HOME/../oracle_common -XX:+PrintGCDetails -XX:+PrintGCDateStamps -Xloggc:/opt/bea/Middleware/asinst_1/diagnostics/logs/OVD/ovd1/ovdGClog.log -XX:+UseConcMarkSweepGC -Doracle.security.jps.config=$ORACLE_INSTANCE/config/JPS/jps-config-jse.xml"/>
      <data id="java-classpath" value="$ORACLE_HOME/ovd/jlib/vde.jar$:$ORACLE_HOME/jdbc/lib/ojdbc6.jar"/>
    </category>
    </module-data>
    <stop timeout="120"/>
    <ping interval="60"/>
    </process-type>

When the system is busy, a ping from Oracle Process Manager and Notification Server (OPMN) to Oracle Virtual Directory may fail. OPMN then restarts Oracle Virtual Directory after 20 seconds (the default ping interval). To avoid this, consider increasing the ping interval to 60 seconds or more, as shown above.

2) Navigate to the ORACLE_INSTANCE/config/OVD/ovd1 folder, open listeners.os_xml and make the following changes:
- Search for <ldap id="LDAP Endpoint" ...> and move to that line.
- Change the thread count to 200.
- Change anonymous bind to Deny, so that unauthenticated clients cannot consume the listener's threads.
- Change workQueueCapacity to 8096.
- Add a new parameter <useNIO> and set its value to false:

    <ldap version="8" id="LDAP Endpoint">
      .......
      .......
      <socketOptions>
        <backlog>128</backlog>
        <reuseAddress>false</reuseAddress>
        <keepAlive>false</keepAlive>
        <tcpNoDelay>true</tcpNoDelay>
        <readTimeout>0</readTimeout>
      </socketOptions>
      <useNIO>false</useNIO>
    </ldap>

Restart the OVD server. For more information on OVD tuning refer to http://docs.oracle.com/cd/E25054_01/core.1111/e10108/ovd.htm. Please note: a few patches were also released on the OAM side for performance tune-up.
Will provide the updates shortly !!!


WNA Configuration in OAM 11g

Pre-requisite: A Kerberos authentication scheme has to exist. This is usually a pre-configured OAM authentication scheme with Authentication Level "2", Challenge Method "WNA", Challenge Redirect URL "/oam/server" and Authentication Module "Kerberos". The default authentication scheme name is "KerberosScheme"; the name can be changed. The DNS name has to be resolvable on the OAM server, as do the DNS names of the AD servers it is referred to; ensure nslookup works for the referrals.

Pre-install: The AD team produces the keytab file on the AD server by running the ktpass command; give them the OAM hostname. Receive from the AD team the keytab file produced by ktpass, the ktpass user name and the ktpass password. Copy the keytab file to a convenient location in the OAM install tree and rename it if desired, for instance next to oam-policy.xml, i.e. /fa_gai2_d/idm/admin/domains/idm-admin/IDMDomain/config/fmwconfig/keytab.kt. The keytab contains the service principal's long-term key, so restrict it to the OS user WebLogic runs as (read-only for that user, nobody else).

Configure WNA authentication on the OAM server: Create the config file krb.conf and set the environment variable to the path of this file:

    KRB_CONFIG=/fa_gai2_d/idm/admin/domains/idm-admin/IDMDomain/config/fmwconfig/krb.conf

The variable KRB_CONFIG has to be set in the profile of the user that the OAM Java container (i.e. WebLogic Server) runs as, e.g. the "applmgr" user, so that the setting is available to the OAM server. In krb.conf specify:

    [libdefaults]
      default_realm = NOA.ABC.COM
      dns_lookup_realm = true
      dns_lookup_kdc = true
      ticket_lifetime = 24h
      forwardable = yes

    [realms]
      NOA.ABC.COM = {
        kdc = hub21.noa.abc.com:88
        admin_server = hub21.noa.abc.com:749
        default_domain = NOA.ABC.COM
      }

    [domain_realm]
      .abc.com = ABC.COM
      abc.com = ABC.COM
      .noa.abc.com = NOA.ABC.COM
      noa.abc.com = NOA.ABC.COM

where hub21.noa.abc.com is the load-balanced DNS VIP name for the AD servers and NOA.ABC.COM is the name of the domain.

Create an authentication policy to WNA-protect the resource (i.e. EBS R12) and choose "KerberosScheme" as the authentication scheme. Log in to the OAM Console => Policy Configuration tab => Browse tab => Shared Components => Application Domains => IAM Suite => Authentication Policies => Create
    Name: ABC WNA Auth Policy
    Authentication Scheme: KerberosScheme
    Failure URL: http://hcm.noa.abc.com/cgi-bin/welcome

Edit the system configuration for Kerberos: System Configuration tab => Access Manager Settings => expand Authentication Modules => expand Kerberos Authentication Module => double-click Kerberos
    Key Tab File: /fa_gai2_d/idm/admin/domains/idm-admin/IDMDomain/config/fmwconfig/keytab.kt
    Principal: HTTP/OAM_Host@NOA.ABC.COM (this must be exactly the SPN the keytab was generated for with ktpass, including the realm in upper case)
    KRB Config File: /fa_gai2_d/idm/admin/domains/idm-admin/IDMDomain/config/fmwconfig/krb.conf
Click "Apply".

In the script that sets the environment for the WLS server where OAM is deployed, set the variable:

    KRB_CONFIG=/fa_gai2_d/idm/admin/domains/idm-admin/IDMDomain/config/fmwconfig/krb.conf

Restart the OAM server and the OAM server container (WebLogic Server).


Using ant to register plugins and deploy metadata xmls

Ant can be used to register plug-ins directly in MDS. The following Ant target registers a plug-in zip:

    <target name="register_plugin" depends="compile_package">
        <echo>Register Plugin : ${plugin.base}/${project.name}.zip</echo>
        <java classname="oracle.iam.platformservice.utils.PluginUtility" classpathref="classpath" fork="true">
            <sysproperty key="XL.HomeDir" value="${oim.home.server}"/>
            <sysproperty key="OIM.Username" value="${oim.username}"/>
            <sysproperty key="OIM.UserPassword" value="${oim.password}"/>
            <sysproperty key="ServerURL" value="${oim.url}"/>
            <sysproperty key="PluginZipToRegister" value="${plugin.base}/${project.name}.zip"/>
            <sysproperty key="java.security.auth.login.config" value="${oim.home}/designconsole/config/authwl.conf"/>
            <arg value="REGISTER"/>
            <redirector error="redirector.err" errorproperty="redirector.err" output="redirector.out" outputproperty="redirector.out"/>
        </java>
        <copy file="${plugin.base}/${project.name}.zip" todir="${oim.home.server}/plugins"/>
    </target>

This target requires the following properties: plugin.base, project.name, oim.home, oim.home.server, oim.username, oim.password and oim.url. You can either define them in a properties file or define them directly in build.xml. Ant property names are case-sensitive, so the names used in build.properties must match the ${...} references in the targets exactly.

build.properties will look like this (plugin.base and oim.home.server were not in the original listing and are assumed locations):

    # Set the OIM home here
    oim.home=C:/Oracle/Middleware02/Oracle_IDM
    # OIM server home; holds the plugins directory
    oim.home.server=${oim.home}/server
    # Directory that holds the built plugin zip
    plugin.base=C:/Project/dist
    # Set the weblogic home here
    wls.home=C:/Oracle/Middleware02/wlserver_10.3
    oim.servername=oim_server1
    # Used in building the jar and zip files. Note: no spaces in the project name
    project.name=ScheduledTask_Sample
    # OIM credentials
    oim.username=xelsysadm
    oim.password=Welcome1
    # WebLogic credentials used by WLST
    wl.username=weblogic
    wl.password=weblogic1
    # OIM and WebLogic URLs
    oim.url=t3://localhost:14000
    wl.url=t3://localhost:7001
    # Location from where the metadata files are picked up for MDS import
    metadata.location=C:/Project/src/ScheduledTask_Sample/metaxml/

The passwords sit in this file in clear text and are copied into the generated WLST script below, so keep build.properties and the working directory out of version control, or pass the passwords on the command line with -Doim.password=... and -Dwl.password=... instead.

The following Ant target imports metadata XML into MDS:

    <target name="ImportMetadata">
        <echo>Preparing for MDS xmls upload...</echo>
        <copy file="${oim.home}/bin/weblogic.properties" todir="." overwrite="true"/>
        <replaceregexp file="weblogic.properties" match="wls_servername=(.*)" replace="wls_servername=${oim.servername}" byline="true"/>
        <replaceregexp file="weblogic.properties" match="application_name=(.*)" replace="application_name=OIMMetadata" byline="true"/>
        <replaceregexp file="weblogic.properties" match="metadata_from_loc=(.*)" replace="metadata_from_loc=${metadata.location}" byline="true"/>
        <copy file="${oim.home}/bin/weblogicImportMetadata.py" todir="." overwrite="true"/>
        <replace file="weblogicImportMetadata.py">
            <replacefilter token="connect()" value="connect('${wl.username}', '${wl.password}', '${wl.url}')"/>
        </replace>
        <echo>Importing metadata xmls to MDS...</echo>
        <exec dir="." vmlauncher="false" executable="${oim.home}/../common/bin/wlst.sh">
            <arg value="-loadProperties"/>
            <arg value="weblogic.properties"/>
            <arg value="weblogicImportMetadata.py"/>
            <redirector output="importmd_redirector.out" logerror="true" outputproperty="importmd_redirector.out"/>
        </exec>
        <echo>${importmd_redirector.out}</echo>
        <echo>Completed metadata xmls import to MDS</echo>
    </target>

The overwrite="true" on the two copies matters: Ant's copy skips files whose destination copy is newer, and without it a second run keeps the already edited local copies instead of starting again from the shipped templates.


OAM11gR2: Enabling SSL in the Data Store

Enabling SSL in the Data Store of OAM 11gR2 comprises the following steps:
1. Import the certificate(s) required to establish trust with the store (backend) into the keystore (cacerts) on the machine hosting OAM's WebLogic Admin server.
2. Restart the WebLogic Admin server.
3. Specify <Hostname>:<SSL port> in the "Location" field of the Data Store and select the "Enable SSL" checkbox.

Pre-requisites: the certificate(s) to be imported are available, and the Data Store has already been created in the OAM admin console with a successful connection on the non-SSL port (though one can always create a Data Store with SSL settings on the first go).

Steps for importing the certificate(s): one can use the keytool utility bundled with the JDK. The step is the same for self-signed and third-party (e.g. VeriSign) certificates:

    $JAVA_HOME/bin/keytool -import -v -noprompt -trustcacerts -alias <aliasname> -file <path to the certificate file> -keystore $JAVA_HOME/jre/lib/security/cacerts

Here $JAVA_HOME refers to the JDK install directory. Note: if multiple certificates are required to establish trust (for example an intermediate and a root CA), import each of them with the same keytool command under its own alias. Import only the CA certificates you actually need: everything in cacerts is trusted by every JVM that runs on this JDK.

One can verify the import with:

    $JAVA_HOME/bin/keytool -list -alias <aliasname> -v -keystore $JAVA_HOME/jre/lib/security/cacerts

Two checks before selecting "Enable SSL": confirm that the WebLogic servers really use the JDK cacerts as their trust store (a custom -Djavax.net.ssl.trustStore or a WebLogic custom trust keystore takes precedence, and the certificate then has to go there instead), and import on the OAM managed servers as well, since they make the same LDAPS connection at runtime. Once trust is established, specifying the SSL settings in the Data Store (via the OAM admin console) no longer produces the error seen before the certificates were imported, and "Test Connection" succeeds.


E-Business Integration with SSO using AccessGate

Moving away from the legacy Oracle SSO, Oracle E-Business Suite (EBS) came up with EBS AccessGate as the way forward to provide Single Sign On with Oracle Access Manager (OAM). As opposed to AccessGate in OAM terminology, EBS AccessGate has no specific connection with OAM with respect to configuration. Instead, EBS AccessGate uses the header variables sent from the SSO system to create the native user session, like any other SSO-enabled web application.

E-Business Suite Integration with Oracle Access Manager

It is a known fact that E-Business Suite requires Oracle Internet Directory (OID) as the user repository to enable Single Sign On. This is because E-Business Suite needs to be registered with OID for Single Sign On. Additionally, E-Business Suite uses "orclguid" in OID to map the Single Sign On user to the corresponding local user profile. During authentication, EBS AccessGate expects the SSO system to return the orclguid and the EBS username (stored as a user attribute in the SSO user store) in two header variables, USER_ORCLGUID and USER_NAME respectively. The following diagram depicts the authentication flow once the SSO system returns the EBS username and orclguid after successful authentication:

New Features in OIM11gR2

WEB CONSOLEs in OIM 11gR2

** In 11gR1 there were 3 Admin Web Consoles:
· Self Service Console
· Administration Console and
· Advanced Administration Console

Whereas in OIM 11gR2, the Self Service and Administration Consoles are now combined and called the Identity Self Service Console: http://host:port/identity

This console has 3 features in it: managing the self profile (My Profile), managing requests such as requesting App Instances and approving requests (Requests), and general administration tasks of creating/managing users, roles, organizations, attestation etc. (Administration).

** In OIM 11gR2 a new console, sysadmin, has been added for Administrators, which includes some of the Design Console functions apart from the general administration features: http://host:port/sysadmin

Application Instances

An application instance is the object that is provisioned to a user. Application Instances are checked out in the catalog and a user can request application instances via the catalog.
· In OIM 11gR2 resources and entitlements are bundled in an Application Instance which the user can select and request from the catalog.
· An application instance is a combination of an IT Resource and an RO (Resource Object). So, you cannot create another App Instance with the same RO & IT Resource if it already exists for some other App Instance. One of these (RO or IT Resource) must have a different name.
· If you want the users of a particular Organization to be able to request an Application Instance through the catalog, then the App Instance must be attached to that particular Organization.
· An application instance can be associated with multiple organizations.
· An application instance can also have entitlements associated with it. Entitlements can include Roles/Groups or Responsibilities.
· Application Instances are published to the catalog by a scheduled task, "Catalog Synchronization Job".
· An Application Instance can have a child/parent application instance, where the child application instance inherits all attributes of the parent application instance.

Important point to remember with Application Instances

If you delete an application instance in OIM 11gR2 and create a new one with the same name, OIM will not allow you to do so. It throws an error saying an Application Instance already exists with the same Resource Object and IT Resource. This is because there is still some reference that is not removed in OIM for the deleted application instance. So to completely delete your application instance from OIM, you must:
1. Delete the app instance from the sysadmin console.
2. Run the "App Instance Post Delete Processing Job" in Revoke/Delete mode.
3. Run the Catalog Synchronization job.
Once done, you should be able to create a new App Instance with the previous RO & IT Resource name.

Catalog

The Catalog allows users to request Roles, Application Instances, and Entitlements in an Application.

Catalog Items: Roles, Application Instances and Entitlements that can be requested via the catalog are called catalog items.

Detailed Information (attributes of a Catalog item)
· Category: Each catalog item is associated with one and only one category. Catalog Administrators can provide a value for a catalog item.
· Tags: search keywords helpful in searching the Catalog. When users search the Catalog, the search is performed against the tags. To define a tag, go to Catalog -> Search the resource -> select the resource -> update the tag field with a custom search keyword.
Tags are of three types:
a) Auto-generated Tags: The Catalog synchronization process auto-tags the Catalog Item using the Item Type, Item Name and Item Display Name.
b) User-defined Tags: User-defined Tags are additional keywords entered by the Catalog Administrator.
c) Arbitrary Tags: While defining metadata, if the user has marked that metadata as searchable, then it will also be part of the tags.

Sandbox

The Sandbox is a new feature introduced in OIM11gR2. It serves as a temporary development environment for UI customizations so that they don't affect other users before they are published and linked to the existing OIM UI. All UI customizations should be done inside a sandbox; this ensures that your changes/modifications don't affect other users until you have finalized the changes and the customization is complete. Once UI customization is completed, the Sandbox must be published for the customizations to be merged into the existing UI and made available to other users. Creating and activating a sandbox is mandatory for customizing the UI. Without an active sandbox, OIM does not allow you to customize any page.
a) Before you perform any activity in OIM (like Create/Modify Forms, Custom Attributes, creating application instances, adding roles/attributes to the catalog) you must create a Sandbox and activate it.
b) One can create multiple sandboxes in OIM but only one sandbox can be active at any given time.
c) You can export/import the sandbox to move the changes from one environment to the other.

Creating a Sandbox
To create a sandbox, log in to Identity Self Service (/identity) or System Administration (/sysadmin), click the "Sandboxes" link at the top right and then click Create Sandbox.

Publishing a Sandbox
Before you publish a sandbox, it is recommended to back up MDS. Use /EM to back up MDS by following the steps below:

Creating an MDS Backup
1. Log in to Oracle Enterprise Manager as the administrator.
2. On the landing page, click oracle.iam.console.identity.self-service.ear(V2.0).
3. From the Application Deployment menu at the top, select MDS configuration.
4. Under Export, select the "Export metadata documents to an archive on the machine where this web browser is running" option, and then click Export. All the metadata is exported in a ZIP file.

Creating a Password Policy through the Admin Console
In 11gR1 and previous versions password policies could be created & applied via the OIM Design Console only. From OIM11gR2 onwards, Password Policies can be created and assigned using the Admin Console as well.

OIM 11g notification framework

OIM 11g has introduced an improved, template-based Notifications framework. The new release has removed the limitation of sending text-based emails (out-of-the-box emails) and is enhanced to support HTML features. The new release provides built-in out-of-the-box templates for events like 'Reset Password', 'Create User Self Service', 'User Deleted' etc. It also provides new APIs to support custom templates to send notifications out of OIM.

The OIM notification framework supports a notification mechanism based on events, notification templates and template resolvers. They are defined as follows:

Ø Events are defined as an XML file and imported into the MDS database in order to make the notification event available for use.
Ø Notification templates are created using the OIM advanced administration console. The template contains the text and the substitution 'variables' which will be replaced with the data provided by the template resolver. Templates support internationalization and can be defined as HTML or in the form of simple text.
Ø The template resolver is a Java class that is responsible for providing attributes and data to be used at runtime and design time. It must be deployed following the OIM plug-in framework. Resolver data provided at design time is used by the end user to design the notification template with the available entity variables, and the resolver also provides data at runtime to replace the designed variables with the values to be displayed to recipients.

Steps to define custom notifications in OIM 11g are:
1. Define the Notification Event
2. Create the Custom Template Resolver class
3. Create the Template with the notification contents to be sent to recipients
4. Create Event triggering spots in OIM

1. Notification Event metadata

The Notification Event is defined as an XML file which needs to be imported into the MDS database. An event file must be compliant with the schema defined by the notification engine, which is NotificationEvent.xsd. The event file contains basic information about the event.

XSD location in the MDS database: "/metadata/iam-features-notification/NotificationEvent.xsd". The schema file can be viewed by exporting the file from MDS using the weblogicExportMetadata.sh script.

Sample Notification event metadata definition:

     1: <?xml version="1.0" encoding="UTF-8"?>
     2: <Events xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="../../../metadata/NotificationEvent.xsd">
     3:   <EventType name="Sample Notification">
     4:     <StaticData>
     5:       <Attribute DataType="X2-Entity" EntityName="User" Name="Granted User"/>
     6:     </StaticData>
     7:     <Resolver class="com.iam.oim.demo.notification.DemoNotificationResolver">
     8:       <Param DataType="91-Entity" EntityName="Resource" Name="ResourceInfo"/>
     9:     </Resolver>
    10:   </EventType>
    11: </Events>

Line# Description
1. XML file notation tag
2. Events is the root tag
3. The EventType tag declares a unique event name which will be available for template designing
4. The StaticData element lists a set of parameters which allow the user to add parameters that are not data dependent. In other words, this element defines the static data to be displayed when a notification is to be configured. An example of static data is the User entity, which is not dependent on any other data and has the same set of attributes for all event instances and notification templates. The available attributes are used as substitution tokens in the template.
5. The Attribute tag is a child tag of StaticData that declares the entity and its data type with a unique reference name. The User entity is the most commonly used entity as StaticData.
6. StaticData closing tag
7. The Resolver tag defines the resolver class. The Resolver class must be defined for each notification. It defines what parameters are available in the notification creation screen and how those parameters are replaced when the notification is to be sent. The Resolver class resolves the data dynamically at run time and displays the attributes in the UI.
8. The Param DataType element lists a set of parameters which allow the user to add parameters that are data dependent. An example of a data-dependent or dynamic entity is a resource object which the user can select at run time. A notification template is configured for the resource object. Corresponding to the resource object field, a lookup is displayed on the UI. When a user selects the event, the call goes to the Resolver class provided to fetch the fields that are displayed in the Available Data list, from which the user can select the attribute to be used on the template. The Param tag is a child tag that declares the entity and its data type with a unique reference name.
9. Resolver closing tag
10. EventType closing tag
11. Events closing tag

Note: DataType needs to be declared as "X2-Entity" for the User entity and "91-Entity" for Resource or Organization entities. The dynamic entities supported for lookup are user, resource, and organization.

Once the notification event metadata is defined, it needs to be imported into the MDS database. The fully qualified resolver class name needs to be defined in the XML, but the class does not need to be loaded into OIM yet (it can be loaded later).

2. Coding the notification resolver

All event owners have to provide a resolver class which resolves the data dynamically at run time. The custom resolver class must implement the interface oracle.iam.notification.impl.NotificationEventResolver and override the implemented methods with the actual implementation. It has 2 methods:

1. public List<NotificationAttribute> getAvailableData(String eventType, Map<String, Object> params);
This API returns the list of available data variables. These variables will be available on the UI while creating/modifying the Templates and let the user select the variables so that they can be embedded as tokens as part of the Messages on the template. These tokens are replaced by the value passed by the resolver class at run time. Available data is displayed in a list. The parameter "eventType" specifies the event name for which the template is to be read. The parameter "params" is the map which has the entity name and the corresponding value for which the available data is to be fetched.

Sample code snippet:

    List<NotificationAttribute> list = new ArrayList<NotificationAttribute>();
    long objKey = (Long) params.get("resource");
    // Form field details based on the Resource object key
    HashMap<String, Object> formFieldDetail = getObjectFormName(objKey);
    for (Iterator<?> itrd = formFieldDetail.entrySet().iterator(); itrd.hasNext(); ) {
        NotificationAttribute availableData = new NotificationAttribute();
        Map.Entry<?, ?> formDetailEntrySet = (Map.Entry<?, ?>) itrd.next();
        String fieldLabel = (String) formDetailEntrySet.getValue();
        availableData.setName(fieldLabel);
        list.add(availableData);
    }
    return list;

2. public HashMap<String, Object> getReplacedData(String eventType, Map<String, Object> params);
This API returns the resolved values of the variables present on the template at runtime when the notification is being sent. The parameter "eventType" specifies the event name for which the template is to be read. The parameter "params" is the map which has the base values such as usr_key, obj_key etc. required by the resolver implementation to resolve the rest of the variables in the template.

Sample code snippet:

    HashMap<String, Object> resolvedData = new HashMap<String, Object>();
    String firstName = getUserFirstname(params.get("usr_key"));
    resolvedData.put("fname", firstName);
    String lastName = getUserLastName(params.get("usr_key"));
    resolvedData.put("lname", lastName);
    resolvedData.put("count", "1 million");
    return resolvedData;

This code must be deployed as per the OIM 11g plug-in framework. The XML file defining the plug-in is as below:

    <?xml version="1.0" encoding="UTF-8"?>
    <oimplugins xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <plugins pluginpoint="oracle.iam.notification.impl.NotificationEventResolver">
        <plugin pluginclass="com.iam.oim.demo.notification.DemoNotificationResolver" version="1.0" name="Sample Notification Resolver"/>
      </plugins>
    </oimplugins>

3. Defining the template

To create a notification template:
· Log in to the Oracle Identity Administration.
· Click the System Management tab and then click the Notification tab.
· From the Actions list on the left pane, select Create.
· On the Create page, enter values for the following fields under the Template Information section:
  Template Name: Demo template
  Description Text: Demo template
· Under the Event Details section, perform the following:
  From the Available Event list, select the event for which the notification template is to be created from the list of available events. Depending on your selection, other fields are displayed in the Event Details section. Note that the "Sample Notification" event created in the previous step is being used as the notification event.
  The contents of the Available Data drop-down are based on the event XML's StaticData tag; the drop-down basically lists all the attributes of the entities defined in that tag. Once you select an element in the drop-down, it will show up in the Selected Data text field; you can then copy it and paste it into either the message subject or the message body field, prefixed with the $ symbol. For example, if the list has an attribute First_Name then the message body will contain it as $First_Name, which the resolver will parse and replace with the actual value at runtime.
  In the Resource field, select a resource from the lookup. This is the dynamic data defined by the Param DataType element in the XML definition. Based on the selected resource, the getAvailableData method of the resolver will be called to fetch the resource object attribute details, if the method is overridden with the required implementation. For the current scenario, Map<String, Object> params will be populated with the object key as the value and "resource" as the key. This is the only input provided to the resolver at design time. You need to implement the further logic to fetch the object attribute details to populate the Available Data list.
  The list strings should not contain spaces; if an object attribute name contains a space, then implement logic to replace the space with '_' before populating the list. For example, if the attribute name is "First Name" then make it "First_Name" and populate the list. Spaces are not supported when the token is parsed and replaced at run time with the real value.
  Note that the Available Data and Selected Data are used in the substitution token definition only; they do not define the final data that will be sent in the notification. OIM will invoke the resolver class to get the data and make the substitutions.
· Under the Locale Information section, enter values in the following fields:
  To specify a form of encoding, select either UTF-8 or ASCII.
  In the Message Subject field, enter a subject for the notification.
  From the Type options, select the data type in which you want to send the message. You can choose between HTML and Text/Plain.
  In the Short Message field, enter a gist of the message in very few words.
  In the Long Message field, enter the message that will be sent as the notification, with the Available Data tokens which need to be replaced by the resolver at runtime.
· After you have entered the required values in all the fields, click Save. A message is displayed confirming the creation of the notification template. Click OK.

4. Triggering the event

A notification event can be triggered from different places in OIM. The logic behind the triggering must be coded and plugged into OIM. Examples of triggering points for notifications:
· Event handlers: post-process notifications for specific data updates on OIM users
· Process tasks: to notify the users that a provisioning task was executed by OIM
· Scheduled tasks: to notify something related to the task

The scheduled job has two parameters:
· Template Name: defines the notification template to be sent
· User Login: defines the user record that will provide the data to be sent in the notification

Sample Code Snippet:

    // Methods of the scheduled job class (a TaskSupport subclass; the class header is not shown here)
    public void execute(String templateName, String userId) {
        try {
            NotificationService notService = Platform.getService(NotificationService.class);
            NotificationEvent eventToSend = this.createNotificationEvent(templateName, userId);
            notService.notify(eventToSend);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    private NotificationEvent createNotificationEvent(String poTemplateName, String poUserId) {
        NotificationEvent event = new NotificationEvent();
        String[] receiverUserIds = { poUserId };
        event.setUserIds(receiverUserIds);
        event.setTemplateName(poTemplateName);
        event.setSender(null);
        HashMap<String, Object> templateParams = new HashMap<String, Object>();
        templateParams.put("USER_LOGIN", poUserId);
        event.setParams(templateParams);
        return event;
    }

    public HashMap getAttributes() {
        return null;
    }

    public void setAttributes() {
    }
    } // end of the scheduled job class
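The two things a resolver has to get right, the space-free token names handed back from getAvailableData and the name-to-value map returned from getReplacedData, can be exercised offline. The Java class below, NotificationTokens, is an added example and not the post's or OIM's code; it needs no OIM jars. Its render() method is a stand-in for the engine's $token substitution, written only so the resolver's output can be checked against a template body here; the form-field labels and resolved values are constructed. One defensive choice is added beyond what the post describes: when the template type is HTML, the values are escaped, since attribute values such as a user's name are end-user controlled and would otherwise land unescaped in an HTML mail.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not from the post or the OIM product.
 *  1. availableData(): turns process-form labels into token names with no spaces
 *     ("First Name" -> "First_Name"), which is what getAvailableData should hand back.
 *  2. render(): a stand-in for the engine's $token substitution, so the map a
 *     getReplacedData implementation returns can be checked against a template body.
 */
public class NotificationTokens {

    // A token is '$' followed by letters, digits or underscores; whitespace ends it, which is why labels must not contain spaces.
    private static final Pattern TOKEN = Pattern.compile("\\$([A-Za-z0-9_]+)");

    /** Normalises one label the way the post requires: trim, then replace runs of whitespace with '_'. */
    public static String toTokenName(String label) {
        return label.trim().replaceAll("\\s+", "_");
    }

    /** Maps token name -> original label. Two different labels collapsing to one token is an error, not a silent merge. */
    public static LinkedHashMap<String, String> availableData(Iterable<String> formFieldLabels) {
        LinkedHashMap<String, String> tokens = new LinkedHashMap<String, String>();
        for (String label : formFieldLabels) {
            String name = toTokenName(label);
            String previous = tokens.put(name, label);
            if (previous != null && !previous.equals(label)) {
                throw new IllegalArgumentException("labels '" + previous + "' and '" + label + "' both map to token " + name);
            }
        }
        return tokens;
    }

    /**
     * Replaces $token occurrences with values from the resolved map. Unknown tokens are left in place so a
     * typo in the template is visible in the mail instead of vanishing. For HTML templates the values are escaped.
     */
    public static String render(String template, Map<String, Object> resolved, boolean html) {
        Matcher m = TOKEN.matcher(template);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            Object value = resolved.get(m.group(1));
            String replacement = value == null ? m.group(0) : String.valueOf(value);
            if (html && value != null) {
                replacement = escapeHtml(replacement);
            }
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    /** Minimal HTML escaping for text content and attribute values. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed form-field labels, as a getAvailableData implementation might read them from a resource's form.
        Map<String, String> tokens = availableData(Arrays.asList("First Name", "Last Name", "Employee  Type"));
        System.out.println("Available Data: " + tokens.keySet());

        // Constructed resolved values, as a getReplacedData implementation would return them; one token is left unresolved.
        Map<String, Object> resolved = new HashMap<String, Object>();
        resolved.put("First_Name", "Ada");
        resolved.put("Last_Name", "<b>Lovelace</b>");
        String body = "<p>Hello $First_Name $Last_Name, your $Employee_Type account is ready.</p>";
        System.out.println(render(body, resolved, true));
    }
}
```

In a real resolver, availableData() would be fed from the form fields looked up by object key in getAvailableData, and getReplacedData would build the map that render() consumes; the keys of both must agree exactly, which is the point of normalising in one place.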

OIM 11g : Multi-thread approach for writing custom scheduled job

In this post I have shared my experience of designing and developing an OIM scheduled job that uses a multi-threaded approach for updating data in OIM using APIs. I have used the thread pool (in particular, fixed thread pool) pattern in developing the OIM scheduled job. The thread pooling pattern has noted advantages compared to the thread-per-task approach. I have listed a few of the advantages here:
· Threads are reused
· Creation and tear-down cost of threads is reduced
· Task execution latency is reduced
· Improved performance
· Controlled and efficient management of memory and resources used by threads

More about Java thread pools: http://docs.oracle.com/javase/tutorial/essential/concurrency/pools.html

The following diagram depicts the high-level architecture of the scheduled job that processes input from a flat file to update OIM process form data using the fixed thread pool approach.

The custom scheduled job shared in this post is developed to meet the following requirements:
1) Need to process a CSV extract that contains the identity, the account identifying key and the list of data to be updated on an existing OIM resource account.
2) The CSV file can contain data for multiple resources configured in OIM.
3) The list of attributes to update and the mapping between CSV columns and OIM fields may vary between resources.

The following are the three Java classes developed for this requirement (I have given only a prototype of the code that explains how to use thread pools in a scheduled task).

CustomScheduler.java - Implementation of the TaskSupport class that reads and passes the parameters configured on the scheduled job to the Thread Executor class.

    package com.oracle.oim.scheduler;

    import java.util.HashMap;
    import com.oracle.oim.bo.MultiThreadDataRecon;
    import oracle.iam.scheduler.vo.TaskSupport;

    public class CustomScheduler extends TaskSupport {

        public void execute(HashMap options) throws Exception {
            /* Read Schedule Job Parameters */
            String param1 = (String) options.get("Parameter1");
            // ...
            int noOfThreads = (Integer) options.get("No of Threads");
            // ...
            String paramn = (String) options.get("ParameterN");

            /* Provide all the required input configured on the schedule job to the
               Thread Pool Executor implementation class, like
               1) Name of the file, 2) Delimiter, 3) Header Row Number, 4) Line Escape character,
               5) Config and resource map lookup, 6) Number of threads to create */
            new MultiThreadDataRecon(all_required_parameters, noOfThreads).reconcile();
        }

        public HashMap getAttributes() {
            return null;
        }

        public void setAttributes() {
        }
    }

MultiThreadDataRecon.java - Helper class that reads data from the input file, initializes the thread executor and builds the task queue.

    package com.oracle.oim.bo;

    import <required file IO classes>;
    import <required java.util classes>;
    import <required OIM API classes>;
    import <csv reader api>;

    public class MultiThreadDataRecon {

        private int noOfThreads;
        private ExecutorService threadExecutor = null;

        public MultiThreadDataRecon(<required params>, int noOfThreads) {
            // Store parameters locally
            // ...
            this.noOfThreads = noOfThreads;
        }

        /**
         * Initialize
         */
        private void init() throws Exception {
            try {
                // Initialize CSV file reader API objects
                // Initialize OIM API objects

                /* Initialize the Fixed Thread Pool Executor if the number of threads
                   configured is more than 1 */
                if (noOfThreads > 1) {
                    threadExecutor = Executors.newFixedThreadPool(noOfThreads);
                } else {
                    threadExecutor = Executors.newSingleThreadExecutor();
                }

                /* Initialize the TaskProcessor class which will be executing the tasks
                   from the queue */
                TaskProcessor.initializeConfig(params);
            } catch (***Exception e) {
                // TO DO
            }
        }

        /**
         * Method to reconcile data from CSV to OIM
         */
        public void reconcile() throws Exception {
            try {
                init();
                while (<csv file has line>) {
                    processRow(line);
                }
                /* Initiate thread shutdown */
                threadExecutor.shutdown();
                while (!threadExecutor.isTerminated()) {
                    // Wait for all tasks to complete.
                }
            } catch (Exception e) {
                // TO DO
            } finally {
                try {
                    // Close all the file handles
                } catch (IOException e) {
                    // TO DO
                }
            }
        }

        /**
         * Method to process a row
         */
        private void processRow(String row) {
            // Create a task processor instance with the row data.
            // The following code pushes the task to the work queue and waits for the next available thread to execute it.
            threadExecutor.execute(new TaskProcessor(rowData));
        }
    }

TaskProcessor.java - Implementation of the "Runnable" interface that executes the required business logic to update data in OIM.

    package com.oracle.oim.bo;

    import <required APIs>

    class TaskProcessor implements Runnable {

        // Initialize required member variables

        /**
         * Constructor
         */
        public TaskProcessor(<row data>) {
            // Initialize and parse the CSV row
        }

        /*
         * Method to initialize the required objects for task execution
         */
        public static void initializeConfig(<params>) {
            // Process the params and initialize the required configs and objects
        }

        /*
         * (non-Javadoc)
         *
         * @see java.lang.Runnable#run()
         */
        public void run() {
            if (<is csv data valid>) {
                processData();
            }
        }

        /**
         * Process the received CSV input
         */
        private void processData() {
            try {
                // Find the user in OIM using the identity matching key value from the CSV
                // Find the account to be updated from the user's accounts based on the account identifying key in the CSV
                // Update the account with data from the CSV
            } catch (***Exception e) {
                // TO DO
            }
        }
    }
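The prototype above leaves the OIM calls and the CSV parsing as placeholders. The class below, PooledCsvRecon, is an added example (not the post's code) with the same shape, fixed thread pool, one Runnable per row, submit-then-shutdown, but complete and runnable without OIM: the account update goes to a hypothetical FakeAccountStore and the extract is a constructed list of rows. Two details differ from the prototype on purpose: a malformed row is counted and skipped on the pool thread rather than escaping from run() (an uncaught exception would otherwise kill that worker and the row would silently vanish), and the wait for completion uses a blocking awaitTermination with a timeout instead of a busy while (!isTerminated()) loop.

```java
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

/**
 * Added example, not the post's code: fixed-thread-pool processing of a CSV extract,
 * with the OIM account update replaced by FakeAccountStore (hypothetical).
 */
public class PooledCsvRecon {

    /** Constructed sample extract: <login>,<account key>,<attr=value,...>. The third row is deliberately malformed. */
    static final List<String> SAMPLE_ROWS = Arrays.asList(
            "jdoe,AD-1001,Title=Engineer,Dept=R&D",
            "asmith,AD-2002,Title=Manager",
            "malformed-row-without-account-key",
            "mkhan,DB-3003,Dept=Finance");

    /** Stand-in for the OIM provisioning API; must be thread-safe because tasks call it concurrently. */
    static final class FakeAccountStore {
        final ConcurrentHashMap<String, String> updates = new ConcurrentHashMap<String, String>();

        void updateAccount(String login, String accountKey, String attributes) {
            updates.put(login + "/" + accountKey, attributes);
        }
    }

    /** Outcome counters shared by all tasks. */
    static final class Result {
        final AtomicInteger processed = new AtomicInteger();
        final AtomicInteger failed = new AtomicInteger();
    }

    /** One CSV row = one task; validation and the update both run on the pool thread. */
    static final class RowTask implements Runnable {
        private final String row;
        private final FakeAccountStore store;
        private final Result result;

        RowTask(String row, FakeAccountStore store, Result result) {
            this.row = row;
            this.store = store;
            this.result = result;
        }

        public void run() {
            try {
                String[] cols = row.split(",", 3);
                if (cols.length < 3 || cols[0].isEmpty() || cols[1].isEmpty()) {
                    throw new IllegalArgumentException("expected <login>,<account key>,<attributes>: " + row);
                }
                store.updateAccount(cols[0], cols[1], cols[2]);
                result.processed.incrementAndGet();
            } catch (RuntimeException e) {
                // A bad row must not take down the worker thread: record it and move on.
                result.failed.incrementAndGet();
                System.err.println("row skipped: " + e.getMessage());
            }
        }
    }

    /** Submits every row to the pool, then waits (bounded) for the queue to drain. */
    public static Result reconcile(List<String> rows, int noOfThreads, FakeAccountStore store) throws InterruptedException {
        ExecutorService pool = noOfThreads > 1
                ? Executors.newFixedThreadPool(noOfThreads)
                : Executors.newSingleThreadExecutor();
        Result result = new Result();
        try {
            for (String row : rows) {
                pool.execute(new RowTask(row, store, result));
            }
        } finally {
            pool.shutdown(); // accept no new tasks; queued ones still run
            if (!pool.awaitTermination(10, TimeUnit.MINUTES)) {
                pool.shutdownNow(); // give up on stragglers instead of hanging the scheduler
            }
        }
        return result;
    }

    public static void main(String[] args) throws InterruptedException {
        FakeAccountStore store = new FakeAccountStore();
        Result r = reconcile(SAMPLE_ROWS, 4, store);
        System.out.println("processed=" + r.processed + " failed=" + r.failed + " updates=" + store.updates);
    }
}
```

The timeout on awaitTermination is a constructed value; size it to the largest extract the job is expected to process, since the scheduler reports the job as running until reconcile() returns.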

Web Application Integration Steps in OAM 11gR2 (High Level)

1. Install OAM, Webtier (OHS) and WebGate as per the standard installation steps.

2. Create a WebGate instance (i.e. deploy WebGate)
A WebGate instance must be created that will copy the required bits of the agent from WEBGATE_HOME to the WebGate instance location that shares the same INSTANCE_HOME with OHS:

    ./deployWebGateInstance.sh -w /Oracle/Middleware/Oracle_WT1/instances/instance1/config/ohs1 -oh /Oracle/Middleware/Oracle_OAMWebGate1

Note: Here the -w flag indicates the OHS instance folder and -oh indicates the WebGate Oracle home.

3. Configure WebGate
In the WebGate configuration the EditHttpdConf utility copies the OUI-instantiated apache_webgate.template from WEBGATE_HOME to the WebGate instance location (renamed to webgate.conf), and updates httpd.conf with one additional line to include webgate.conf.

    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/Oracle/Middleware/Oracle_WT1/lib

Navigate to /Oracle/Middleware/Oracle_OAMWebGate1/webgate/ohs/tools/setup/InstallTools

    ./EditHttpdConf -w /Oracle/Middleware/Oracle_WT1/instances/instance1/config/OHS/ohs1 -oh /Oracle/Middleware/Oracle_OAMWebGate1 -o webgate.conf

4. Register WebGate
Use the RREG tool to register the OAM11G WebGate:
· Navigate to /Oracle/Middleware/Oracle_IDM1/oam/server/rreg/input
· Edit OAM11Grequest.xml. Change the specific XML content to include the WebLogic admin URL, agentBaseURL, host identifier etc.
· Navigate to /Oracle/Middleware/Oracle_IDM1/oam/server/rreg/bin
· Set permissions on oamreg.sh -> chmod 777 oamreg.sh
· Edit oamreg.sh and set OAM_REG_HOME=/Oracle/Middleware/Oracle_IDM1/oam/server/rreg
· ./oamreg.sh inband input/OAM11Grequest.xml
· Enter the WebLogic admin credentials when prompted.
After performing the above steps, there will be two artifacts created under Oracle/Middleware/Oracle_IDM1/oam/server/rreg/output, namely ObAccessClient.xml (storing the WebGate config parameters) and cwallet.sso (storing the agent key). These files must be copied to the WebGate instance config folder (/Oracle/Middleware/Oracle_WT1/instances/instance1/config/ohs1/webgate/config).

5. Restart OHS.

6. Deploy the web application (myApp) in the WebLogic application server.

7. Proxy Configuration in OHS
The mod_wl_ohs module enables requests to be proxied from Oracle HTTP Server 11g to Oracle WebLogic Server. Navigate to /Oracle/Middleware/Oracle_WT1/instances/instance1/config/OHS/ohs1 and edit the mod_wl_ohs.conf file to include the following:

    <IfModule weblogic_module>
        WebLogicHost <WEBLOGIC_HOST>
        WebLogicPort <WEBLOGIC_PORT>
        # Debug ON
        # WLLogFile /tmp/weblogic.log
        MatchExpression *.jsp
    </IfModule>
    <Location /myApp>
        SetHandler weblogic-handler
        # PathTrim /weblogic
        # ErrorPage http:/WEBLOGIC_HOME:WEBLOGIC_PORT/
    </Location>

Note: Here WEBLOGIC_HOST and WEBLOGIC_PORT are the WebLogic admin server host and port respectively.

Restart OHS. Now if we access the web application URL with the OHS host and port (Ex: http://OHS_HOST:<OHS_PORT>/myApp), the requests will be proxied to the WebLogic server.

8. Create a new application domain
· Login to the OAM Admin Console.
· Navigate to Shared Components -> Authentication Schemes -> Create Authentication Scheme (Ex: LDAP Auth Scheme. Here the scheme is associated with the LDAP Authentication Module).
· Navigate to Policy Configuration -> Application Domain -> Create Application Domain. Enter the Application Domain Name and click Apply.
· Navigate to the Resources tab and add the resource URLs (the Web Application URLs that need to be protected).
· Navigate to the Authentication Policy tab -> Create a new authentication policy by providing the Resource URLs (the sample Web Application URLs) and the Authentication Scheme.
· Navigate to the Authorization Policy tab -> Create a new authorization policy -> Enter the authorization policy name and navigate to the Resource tab -> Attach the Resource URL and Host Identifiers here.
· Navigate to the Conditions tab -> Add the conditions like whom to allow and whom to deny access.
· Navigate to the Rules tab -> Create the Allow Rule and Deny Rule with the available conditions from the previous step so that the Authorization Policy may authorize the logins.
· Navigate to the Resources tab and attach the Authentication and Authorization policies created in the above steps.

9. Test the Web Application Integration.

How do you test an ICF based connector using Connector Facade Standalone?

The following code helps in writing a standalone Java program to test an ICF based connector. The sample code in this example takes into account an ICF based flat file connector. It is possible to test various operations like create, update, delete, search etc. It is also possible to set values for the connector configuration parameters, and to add/remove attributes and their values.

    import java.io.File;
    import java.io.IOException;
    import java.net.URL;
    import java.util.HashSet;
    import java.util.List;
    import java.util.Set;

    import org.identityconnectors.common.IOUtil;
    import org.identityconnectors.framework.api.APIConfiguration;
    import org.identityconnectors.framework.api.ConfigurationProperties;
    import org.identityconnectors.framework.api.ConfigurationProperty;
    import org.identityconnectors.framework.api.ConnectorFacade;
    import org.identityconnectors.framework.api.ConnectorFacadeFactory;
    import org.identityconnectors.framework.api.ConnectorInfo;
    import org.identityconnectors.framework.api.ConnectorInfoManager;
    import org.identityconnectors.framework.api.ConnectorInfoManagerFactory;
    import org.identityconnectors.framework.api.ConnectorKey;
    import org.identityconnectors.framework.common.objects.Attribute;
    import org.identityconnectors.framework.common.objects.AttributeBuilder;
    import org.identityconnectors.framework.common.objects.Name;
    import org.identityconnectors.framework.common.objects.ObjectClass;
    import org.identityconnectors.framework.common.objects.Uid;

    public class FlatFile {

        private static final String BUNDLE_NAME = "<PACKAGE_NAME>"; // Ex: org.info.icf.flatfile
        private static final String BUNDLE_VERSION = "1.0.0";
        // Name of the connector class, i.e. the class implementing the connector SPI operations
        private static final String CONNECTOR_NAME = "org.info.icf.flatfile.FlatFileConnector";

        public ConnectorFacade getFacade() throws IOException {
            ConnectorInfoManagerFactory fact = ConnectorInfoManagerFactory.getInstance();
            File bundleDirectory = new File("<BUNDLE_LOCATION>"); // Ex: /usr/oracle/connector_bundles/
            URL url = IOUtil.makeURL(bundleDirectory, "org.info.icf.flatfile-1.0.0.jar");
            ConnectorInfoManager manager = fact.getLocalManager(url);
            ConnectorKey key = new ConnectorKey(BUNDLE_NAME, BUNDLE_VERSION, CONNECTOR_NAME);
            ConnectorInfo info = manager.findConnectorInfo(key);

            // From the ConnectorInfo object, create the default APIConfiguration.
            APIConfiguration apiConfig = info.createDefaultAPIConfiguration();

            // From the default APIConfiguration, retrieve the ConfigurationProperties.
            ConfigurationProperties properties = apiConfig.getConfigurationProperties();

            // Print out what the properties are (not necessary)
            List<String> propertyNames = properties.getPropertyNames();
            for (String propName : propertyNames) {
                ConfigurationProperty prop = properties.getProperty(propName);
                System.out.println("PropertyName: " + prop.getName() + "\tPropertyType: " + prop.getType());
            }

            // Set all of the ConfigurationProperties needed by the connector.
            properties.setPropertyValue("fileLocation", "/usr/oracle/accounts.csv");
            //properties.setPropertyValue("host", FOOBAR_HOST);
            //properties.setPropertyValue("adminName", FOOBAR_ADMIN);
            //properties.setPropertyValue("adminPassword", FOOBAR_PASSWORD);
            //properties.setPropertyValue("useSSL", false);

            // Use the ConnectorFacadeFactory's newInstance() method to get a new connector.
            ConnectorFacade connFacade = ConnectorFacadeFactory.getInstance().newInstance(apiConfig);

            // Make sure we have set up the Configuration properly
            connFacade.validate();
            return connFacade;
        }

        public static void main(String[] args) throws IOException {
            FlatFile file = new FlatFile();
            ConnectorFacade cfac = file.getFacade();

            Set<Attribute> attrSet = new HashSet<Attribute>();
            attrSet.add(AttributeBuilder.build(Name.NAME, "Test01"));
            attrSet.add(AttributeBuilder.build("FIRST_NAME", "Test_First"));
            attrSet.add(AttributeBuilder.build("LAST_NAME", "Test_Last"));

            // Create
            Uid uid = cfac.create(ObjectClass.ACCOUNT, attrSet, null);

            // Delete
            Uid uidP = new Uid("Test01");
            cfac.delete(ObjectClass.ACCOUNT, uidP, null);
        }
    }
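The program above only exercises create and delete. The class below, FacadeOps, is an added example (not the post's code) that covers the other operations the post mentions, search and update, through the same ConnectorFacade, and turns them into a self-checking round trip: create, search by name, update, re-read, and delete in a finally block so the test account is removed even when a check fails. It takes a facade obtained the way getFacade() above builds one, and assumes the connector under test implements the ICF search, update and get operations (a minimal flat file connector may not, in which case the facade throws UnsupportedOperationException for that call).

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import org.identityconnectors.framework.api.ConnectorFacade;
import org.identityconnectors.framework.common.objects.Attribute;
import org.identityconnectors.framework.common.objects.AttributeBuilder;
import org.identityconnectors.framework.common.objects.AttributeUtil;
import org.identityconnectors.framework.common.objects.ConnectorObject;
import org.identityconnectors.framework.common.objects.Name;
import org.identityconnectors.framework.common.objects.ObjectClass;
import org.identityconnectors.framework.common.objects.ResultsHandler;
import org.identityconnectors.framework.common.objects.Uid;
import org.identityconnectors.framework.common.objects.filter.FilterBuilder;

/**
 * Added example, not from the post: search/update/get round trip over an ICF ConnectorFacade.
 * Assumes the connector supports SearchOp, UpdateOp and GetApiOp.
 */
public class FacadeOps {

    /** Searches ACCOUNT objects whose __NAME__ equals the given login and collects every hit the connector reports. */
    public static List<ConnectorObject> findByName(ConnectorFacade facade, String login) {
        final List<ConnectorObject> found = new ArrayList<ConnectorObject>();
        facade.search(ObjectClass.ACCOUNT,
                FilterBuilder.equalTo(AttributeBuilder.build(Name.NAME, login)),
                new ResultsHandler() {
                    public boolean handle(ConnectorObject obj) {
                        found.add(obj);
                        return true; // keep iterating; returning false would stop the search early
                    }
                },
                null);
        return found;
    }

    /** Create -> search -> update -> re-read -> delete; throws if the connector's answers are inconsistent. */
    public static void roundTrip(ConnectorFacade facade, String login) {
        Set<Attribute> attrs = new HashSet<Attribute>();
        attrs.add(AttributeBuilder.build(Name.NAME, login));
        attrs.add(AttributeBuilder.build("FIRST_NAME", "Test_First"));
        attrs.add(AttributeBuilder.build("LAST_NAME", "Test_Last"));
        Uid uid = facade.create(ObjectClass.ACCOUNT, attrs, null);
        try {
            // A search by the name we just created must return exactly one object.
            List<ConnectorObject> hits = findByName(facade, login);
            if (hits.size() != 1) {
                throw new IllegalStateException("expected 1 hit after create, got " + hits.size());
            }

            // Replace one attribute; the connector may return a new Uid, so keep using the one it hands back.
            Set<Attribute> changes = new HashSet<Attribute>();
            changes.add(AttributeBuilder.build("LAST_NAME", "Updated_Last"));
            Uid after = facade.update(ObjectClass.ACCOUNT, uid, changes, null);

            // Re-read the object and confirm the update actually landed in the target.
            ConnectorObject reread = facade.getObject(ObjectClass.ACCOUNT, after, null);
            String last = AttributeUtil.getStringValue(reread.getAttributeByName("LAST_NAME"));
            if (!"Updated_Last".equals(last)) {
                throw new IllegalStateException("update not persisted, LAST_NAME is " + last);
            }
            uid = after;
        } finally {
            facade.delete(ObjectClass.ACCOUNT, uid, null); // always remove the test account
        }
    }

    public static void main(String[] args) throws Exception {
        ConnectorFacade facade = new FlatFile().getFacade(); // the post's FlatFile class
        roundTrip(facade, "Test01");
        System.out.println("round trip OK");
    }
}
```

Pointing this at a throwaway copy of the accounts file (the fileLocation property) rather than the real one is the sensible default, since the round trip writes to whatever target the facade is configured for.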
