Integrating Oracle Identity Manager with Microsoft Active Directory: Performing Reconciliation and Trusted Reconciliation
This OBE tutorial describes and shows you how to perform
reconciliation and trusted reconciliation with the Active Directory Adapter.
Approximately 1½ hours
This OBE tutorial covers the following topics:
The screenshots will not reflect the specific environment
you are using. They are provided to give you an idea of where to locate specific
functionality in Oracle Identity Manager.
All components that are used by Oracle Identity Manager to
communicate with a particular resource, for the purposes of performing either
provisioning or reconciliation with that resource, are placed into a container.
This container is known as an Oracle Identity Manager Connector. Provisioning
or reconciliation occurs as a result of the components of this connector working
with one another. The Active Directory connector can be used in the following
ways:
- Provisioning Only: In this mode,
users, organizations, groups, and group memberships are provisioned to Active
Directory. There is no return flow of information from Active Directory to
Oracle Identity Manager.
- Provisioning with Reconciliation:
In this mode, users, organizations, groups, and group memberships are provisioned
to Active Directory. Reconciliation detects changes to a user's profile
in Active Directory and updates the Oracle Identity Manager AD Resource profile
of the user who corresponds to that AD user. A reconciliation rule is defined
so that Oracle Identity Manager can match the AD user to the Oracle Identity
Manager user. If a match is found, the Oracle Identity Manager user's AD
account profile is updated.
- Provisioning with Trusted Reconciliation: When the
connector runs in this mode, users that exist in Active Directory but are
nonexistent in Oracle Identity Manager are created as Oracle Identity Manager
users. The provisioning functionality remains the same in this case.
Linda works as a network administrator for Mydo Main Corporation.
In Mydo Main, Linda is responsible for managing the access privileges for various
user groups to various resources within the organization. In addition to performing
provisioning, she needs to do reconciliation and trusted reconciliation tasks.
One of her tasks is to perform reconciliation and trusted reconciliation for
users, organizations, groups, and group memberships to an Active Directory instance
that needs to be connected to the Oracle Identity Manager Server.
You need to define reconciliation fields
to determine the reconciliation data that needs to be taken from Active
Directory and how that information is used in Oracle Identity Manager. You need
to define basic fields that are used to map the Oracle Identity Manager User
Resource object to the Active Directory data and also the rule used to associate
an Active Directory user record with an Oracle Identity Manager user record.
To define the basic fields, perform the following steps:
1. Navigate to E:\oracle\oim_designConsole\xlclient and double-click the xlclient.cmd
file. This launches the Oracle Identity Manager Design Console.
Note: Ensure that the Oracle database and the JBoss application server are already running.
2. Log in with the user ID xelsysadm and password abcd1234.
3. You will change the values for the AD Server IT Resource. To perform
this task, in the left pane, click Resource Management and then
double-click IT Resources.
4. Click the search icon to retrieve the record for the AD Server IT Resource.
For this AD Server IT Resource, modify the Root Context value to CN=Users,dc=mydomain,dc=com
and then click the Save icon.
Note: The remaining parameter values for the AD Server IT Resource
should not be modified.
5. After you have updated the Root Context, in the left pane, double-click
Resource Objects.
6. Click the search icon and then click the next arrow icon to load the
Xellerate User resource object, and then click the Object Reconciliation
tab.
7. Under the Reconciliation Fields section, click Add Field.
8. In the Add Reconciliation Field window, enter the field names
and field types from the following table:

| Field Name | Field Type |
|---|---|
| sAMAccountName | String |
| sn | String |
| givenName | String |
| Xellerate Type | String |
| Role | String |
| Organization Name | String |

Note: Save each field as you create it. Click the X icon in the Reconciliation Data Field
window to view all the added fields.
9. Notice that all the fields have been added to the Xellerate User. Next, click
Reconciliation Action Rules.
10. To create the rule condition and its relevant action, click Add.
11. Create two rules with the following conditions:

| Rule Condition | Rule Action |
|---|---|
| No Matches Found | Create User |
| One Entity Match Found | Establish Link |

Note: Click the Save icon to store each rule as you create it.
12. Click the Resource Object tab and then click the next record icon
to retrieve the AD User resource object.
13. Click the Object Reconciliation tab and then click the Reconciliation
Fields tab to view the list of attributes that will be reconciled
from the AD User.
14. Click the Reconciliation Action Rules tab.
15. Remove the two default rules listed in the Reconciliation Action Rules
section. Click Delete twice to remove both entries, and then
add the following reconciliation rules:

| Rule Condition | Rule Action |
|---|---|
| One Process Match Found | Establish Link |
| One Entity Match Found | Establish Link |

16. Click the Save icon to store the AD User resource object.
17. In the left pane, click Process Management and then double-click
Process Definition.
18. Click the search icon and then the next arrow icon to load the Xellerate
User process definition, and then click the Reconciliation Field
Mappings tab.
19. Click Add Field Map to link the field names to the user attributes.
20. Create the Reconciliation Field Mappings according to the following table:

| Field Name | User Attribute |
|---|---|
| sAMAccountName | User Login |
| sn | Last Name |
| givenName | First Name |
| Xellerate Type | Xellerate Type |
| Role | Role |
| Organization Name | Organization Name |

Note: Click the Save icon to store each of these field mappings.
21. Click the Save icon to store the Xellerate User process definition.
22. Next, you will create the rule for the Oracle Identity Manager user reconciliation
with Active Directory. In the left pane, click Development Tools
and then double-click Reconciliation Rules to open a new Reconciliation
Rule Builder form.
23. Enter OIM User Recon in the Name field and OIM/XL User Reconciliation in the Description field.
24. Double-click in the Object field to look up and then select Xellerate User.
25. Click the Save icon to store the rule so that a new Rule Definition, Rule:
OIM User Recon, is created.
26. Click Add Rule Element, and then create a new rule with the User
Profile Data as User Login, Operator as Equals, and Attribute
as sAMAccount.
27. Click the Save icon to store the reconciliation rule and then select
the Active option. The Active option enables the newly created
rule.
28. Click the Save icon to store the reconciliation rule.
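To make concrete what the configuration above does at run time, here is an added Python model of the trusted reconciliation just configured (example code, not Oracle's or the connector's): it applies the step 20 field mappings, the step 26 matching rule (User Login Equals sAMAccountName) and the step 11 action rules to constructed AD events, and also handles the case the rules leave unmatched, several matches for one event. The case-insensitive login comparison and the sample records are assumptions of this model.

```python
# Added example (not Oracle's code): minimal model of the trusted
# reconciliation configured above: field mappings, matching rule, action rules.

# Reconciliation field -> OIM user attribute (step 20). The last three
# are not LDAP attributes; the connector supplies them in each event.
FIELD_MAP = {
    "sAMAccountName": "User Login",
    "sn": "Last Name",
    "givenName": "First Name",
    "Xellerate Type": "Xellerate Type",
    "Role": "Role",
    "Organization Name": "Organization Name",
}

# Action rule by number of entity matches (step 11). Any other count gets
# no automatic action and stays in the Reconciliation Manager for review.
ACTION_RULES = {0: "Create User", 1: "Establish Link"}


def map_fields(recon_event):
    """Translate one reconciliation event into OIM user attributes."""
    return {oim: recon_event[f] for f, oim in FIELD_MAP.items() if f in recon_event}


def match_users(mapped, oim_users):
    """Step 26 rule element: User Login Equals sAMAccountName. Logins are
    compared case-insensitively (an assumption of this model, not a page fact)."""
    login = mapped["User Login"].casefold()
    return [u for u in oim_users if u["User Login"].casefold() == login]


def reconcile(recon_events, oim_users):
    """Return (login, action, match_count) per event; created users are added
    to a working copy so that later events for the same login link to them."""
    users, results = list(oim_users), []
    for event in recon_events:
        mapped = map_fields(event)
        matches = match_users(mapped, users)
        action = ACTION_RULES.get(len(matches), "No Action")
        if action == "Create User":
            users.append(mapped)
        results.append((mapped["User Login"], action, len(matches)))
    return results


# Constructed sample input, not taken from a real directory.
AD_EVENTS = [
    {"sAMAccountName": "jdoe", "sn": "Doe", "givenName": "Jane",
     "Xellerate Type": "End-User", "Role": "Full-Time", "Organization Name": "Xellerate Users"},
    {"sAMAccountName": "LINDA", "sn": "Lee", "givenName": "Linda",
     "Xellerate Type": "End-User", "Role": "Full-Time", "Organization Name": "Xellerate Users"},
]
OIM_USERS = [{"User Login": "linda", "First Name": "Linda", "Last Name": "Lee"}]
```

Running `reconcile(AD_EVENTS, OIM_USERS)` creates jdoe (no match) and links LINDA to the existing linda user (one match), which is exactly the create-or-link behaviour the two action rules define.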
After you have configured the resource objects, process definitions,
and reconciliation rules used during reconciliation, you will configure the
task scheduler to define when to perform the reconciliation and on which IT
resources this reconciliation will be implemented. To configure the task scheduler,
perform the following steps:
1. In the left pane, click Xellerate Administration
and then double-click Task Scheduler to open a blank Task Definition
form.
2. The task for the Active Directory Task Definition needs to be set for
this configuration. Click the Search icon to load the ActiveDirectoryReconTask
scheduled task and change the following values:

| Attribute Name | Attribute Value |
|---|---|
| Server | AD Server |
| Use Field Mapping | false |

Note: Click the Save icon to store the values.
3. In the Interval section, select Once.
4. Use the Delete key to clear the value of the "Start time" field.
Note: If the existing date is not removed, the field retains the old date even if you choose a new date.
5. Double-click in the Start time field to open the Date & Time scheduler
window.
6. Click OK to select the current date and time to start the task.
7. Select the Disabled option to enable the task definition.
8. Click the Save icon to store the task definition.
After activating the reconciliation for a one-time event,
you can monitor the reconciliation process. To monitor this task, perform the
following steps:
1. In the left pane, click User Management and then
click Reconciliation Manager.
2. Click the Search icon to open the Reconciliation Manager
Table tab.
3. The list of your reconciliation events will differ
from what is displayed on the screen. You can refresh the list by clicking
the Refresh (circling arrows) icon.
Note: This task may take several minutes to complete.
To search for the users created in the reconciliation process,
perform the following steps:
1. Open a browser window and enter the URL to access the
Oracle Identity Manager Admin Console in the following format:
http://<hostname>.<domainname>:<port>/xlWebApp
Note: Ensure that the Oracle database and the JBoss application server are already running.
2. Log in with the user ID xelsysadm and password abcd1234.
3. In the Oracle Identity Manager Administrative Console,
click Users and then click Manage.
4. Click Search User. You can view the new records that have been
created in Oracle Identity Manager using trusted reconciliation with Active
Directory.
After configuring the resource parameters, you need to back up
the Oracle Identity Manager Server database. To run this backup, perform the
following steps:
1. At the command prompt, enter the following command:
exp system/abcd1234 file=E:\OimDB_backups\Lab09_3_AD_TrustedRecon_Completed.dmp owner=oimuser
Press the Enter key to confirm the database backup.
Note: You can view the database export progress.
This backup may take a few minutes to run. Note the completion of the
database export.
You have now completed configuring the system for trusted
reconciliation, which has linked copies of the records from Active Directory
into Oracle Identity Manager. This process does not assign an IT Resource to
the user related to the system from which the users were reconciled. You can
switch from trusted reconciliation to reconciliation (also called untrusted
reconciliation) and perform a reconciliation event again for Active Directory
to assign all of the users the AD Server IT resource.
To alter the reconciliation configuration for performing untrusted
reconciliation and initiate a reconciliation in order to assign an AD Server
IT resource to each reconciled user record, perform the following tasks:
1. In the Oracle Identity Manager Design Console window,
navigate to Resource Management and then double-click IT Resources.
2. Click the Search icon to load the AD Server resource and change the following
parameters:

| Name | Value |
|---|---|
| Last Modified Time Stamp | 0 |
| Last Modified Time Stamp Group | 0 |
| Root Context | dc=mydomain,dc=com |

3. Click the Save icon to store the attribute values.
4. Navigate to Xellerate Administration and then double-click Task
Scheduler.
5. Click the Search icon to load the ActiveDirectoryReconTask task definition
and make the following changes:

| Attribute Name | Attribute Value |
|---|---|
| XellerateObject | false |
| UseFieldMapping | false |

Note: By default, the UseFieldMapping Attribute Name might already be
set to false.
6. Click the Save icon to store the changes.
7. Use the Delete key to clear the value of the "Start time" field.
8. Double-click in the "Start time" field to open the Date & Time scheduler
window and then click OK to select the current date and time.
Note: You can then again monitor the reconciliation (this may
take several minutes).
After configuring the resource parameters, you need to back up
the Oracle Identity Manager Server database. To run this backup, perform the
following steps:
1. At the command prompt, enter the following command:
exp system/abcd1234 file=E:\OimDB_backups\Lab09_4_AD_Resource_Recon_Completed.dmp owner=oimuser
Press the Enter key to confirm the database backup.
Note: You can view the database export progress.
This backup may take a few minutes to run. Note the completion of the
database export.
In this lesson, you learned how to:
- Configure resource objects and the reconciliation rule
- Configure scheduled tasks
- Monitor reconciliation
- Test reconciliation
- Back up the Oracle Identity Manager Server database
- Change to untrusted reconciliation
- Back up the Oracle Identity Manager Server database again
To ask a question about this OBE tutorial, post a query on the OBE Discussion Forum.