Wednesday, April 18, 2012

Split profiles with AD and OID for Fusion Apps IDM

In this post I will walk you through on How to set up split profiles with AD and OID as backend directory server while Oracle Virtual Directory links them together to present a single consolidated view.

This is a very generic implementation scenario but is very important when setting up IDM for Fusion Applications, where clients would like to use their existing Enterprise Repository for the user base. Very common example is to provision users out of existing AD without replicating the user base to some other repository, that’s when split profile AD and OID comes into place, while OVD becomes the presenter of consolidated view.

Here are some of the FAQs:
  1. Why do we need OID  for Fusion Applications when existing Enterprise Repository can be used ?
    a.       All the Fusion Applications specific and Oracle specific attributes are created in OID
  2.  Can multiple directories still be used as Identity stores?
    a.       Yes. Multiple directories can still be used as Identity stores with oracle specific attributes present in OID and enterprise specific attributes and Fusion Application specific attributes present in say AD.I will discuss this scenario in upcoming blogs
  3. A re User Login Ids unique across directories?
    a.       Yes , this a pre requisite and other pre requisites and limitations are very well discussed in IDM Enterprise Deployment Guide for Fusion Applications for configuration of directories other than OID
  4. W hen is the good time to configure split directory mode, before or after FA provisioning?
    a.       I will stress this  and recommend to go with this configuration after FA provisioning is completed 
    b.      Since this can also be done prior to FA provisioning  , in that case the recommendation is to complete the IDM Environment with OVD and OID (ID Store,Policy Store) >>Validate IDM Environment >> Then proceed with split AD Configuration
    c.       Configuring AD and OID before IDM validation is prone to good number of user errors.

     
    For easy understanding and simple configuration I will stick to the scenario of split profile configuration where existing Enterprise Repository is not extended.In this scenario this is how the view is from OVD level (adapter plug-in view/ unified view).

    As you see in the image above even though the actual base of both OID and AD repositories are same ‘dc=us,dc=oracle,dc-com’ , OVD Adapters are configured to map uniquely and to consolidate to a unified view  of ‘dc=adidm,dc=oididm,dc=com’


    Now let’s get in to action on how to create above configuration. On a high level this can be split in to 5 tasks
    1. Setting up Shadow directory  in OID
    2. Create a shadow joiner
    3. Create user Adapters for AD and OID
    4. Create Changelog Adapters for AD and OID
    5. Create Join View Adapter and Global Change Log Plug-In




    1.Set up OID as shadow directory

    Since AD is not being extended, OID will be used as a shadow directory and use Oracle Virtual Directory to merge the entities from the directories and for this purpose we need to create a container in OID to store Fusion Apps specific attributes

    a. Create 'shadowentries' container in oid ( below is sample ShadowADContainer.ldif)

    dn: cn=shadowentries
    cn: shadowAD1
    objectclass: top
    objectclass: orclContainer

    b. Load the group with following command

    $ORACLE_HOME/bin/ldapadd -h <oid-host> -p <oid-port> -D cn=orcladmin -w <password> -c -v -f
    ShadowADContainer.ldif

    c. Create acis on the newly created group/container  to grant access to RealmAdministrators and OIMAdministrators(This is the group that does all ID Administration in OIM)

    dn: cn=shadowentries
    changetype: modify
    add: orclaci
    orclaci: access to entry by group="cn=RealmAdministrators,cn=groups,cn=OracleContext,dc=us,dc=oracle,dc=com" (browse,add,delete)
    orclaci: access to attr=(*) by group="cn=RealmAdministrators,cn=groups,cn=OracleContext,dc=us,dc=oracle,dc=com" (read,write,search,compare)
    orclaci: access to entry by group="cn=OIMAdministrators,cn=groups,dc=us,dc=oracle,dc=com" (browse,add,delete)
    orclaci: access to attr=(*) by group="cn=OIMAdministrators,cn=groups,dc=us,dc=oracle,dc=com" (search,read,compare,write)
    -
    changetype: modify
    add: orclentrylevelaci
    orclentrylevelaci: access to entry by * (browse,noadd,nodelete)
    orclentrylevelaci: access to attr=(*) by * (read,search,nowrite,nocompare)

    d. An image of how the shadow container looks after creation.




     Note: All the steps here after are to be performed by connecting to OVD via ODSM.You can use the screen shots as pointers for configuration.

     


    2.Create Shadow Joiner Adapter

    Shadow Joiner User Adapter settings 




     

    3.Create User Adapters for AD and OID

    you would need to create a User Adapter for AD and OID.Use these screen-shots as pointers

    3.1 User Adapter for AD
      


              AD User Adapter Parameters


    3.2   User Adapter for OID




          OID User Adapter Parameters


    4.Create Change Log Adapters for AD and OID

      4.1 Change Log Adapter for AD





    4.2 Change Log Adapter for OID





    5.Create a Join View Adapter and Global Change Log Plug-in

    5.1 Join View Adapter Settings



     5.2 Global Change Log Plug-in



    Finally this is how the summary of all the OVD Adapters is shown in HOME tab for OVD in ODSM


    Next Steps ? 
    Now that split profile is configured, what are the settings that need to change in OAM and OIM , I will discuss that in next blog.
Posted by at
Labels: , , ,

13 comments:

  1. Nice Post.

    This has got me thinking. Can you explain

    1)what is the role of cn=shadowentries

    2)what is the role of global change logs in this integration.

    ReplyDelete
    Replies

    1. Thanks Sanjay.

      Answer 1 ) Here is the background on shadowentries.A Shadow Joiner need to be used when you must store entries in a source such as an LDAP(in our Example AD)but the schema extension is not possible for business or technical reasons. In such cases Shadow Joiner enables you to the extended attributes in another store ( OID in our example)

      Net result is we are using cn=shadowentries to store Fusion Applications specific attributes and since we are not using AD( extending/modifying into AD) , and creating in OID.

      Answer 2)
      By definition, a Consolidated Changelog plugin provides a consolidated changenumber when OVD is providing a consolidated view of multiple directories.This plug-in also provides a consolidated, normalized view of the data from the different changelogs. You can only deploy this plug-in as a Global plug-in. What this means is you are able to track every request and response to all underlying adapters ( in our example AD and OID)

      Sorry for delayed reply.

      Delete

  2. Please correct the ldif syntax in step 1 :

    dn: cn=shadow
    changetype: modify
    replace: orclaci
    orclaci: access to entry by group="cn=RealmAdministrators,cn=Groups,cn=OracleContext,dc=us,dc=oracle,dc=com" (browse,add,delete)
    orclaci: access to attr=(*) by group="cn=RealmAdministrators,cn=Groups,cn=OracleContext,dc=us,dc=oracle,dc=com" (read,write,search,compare)
    orclaci: access to entry by group="cn=OIMAdministrators,cn=Groups,dc=us,dc=oracle,dc=com" (browse,add,delete)
    orclaci: access to attr=(*) by group="cn=OIMAdministrators,cn=Groups,dc=us,dc=oracle,dc=com" (search,read,compare,write)

    dn: cn=shadow
    changetype: modify
    replace: orclentrylevelaci
    orclentrylevelaci: access to entry by * (browse,noadd,nodelete)
    orclentrylevelaci: access to attr=(*) by * (read,search,nowrite,nocompare)

    ReplyDelete
    Replies

    1. Dinesh,
      Thank you, I have corrected few more typos.

      -Uday

      Delete

  3. Hi Experts,

    I wanted to write web service call where OIF will talk to OVD than OVD will have join adaptor which will pull few data like msisdn from Siebel and few data from oid like given name and generate SAML assertion.

    I wanted to know how to write join view adaptor for the same

    Help Appreciated.

    ReplyDelete
    Replies

    1. Hi Vimal,

      It's difficult to give you any meaningful guidance without more knowledge of your use case. The basics for constructing OVD adapters can be found here:

      http://docs.oracle.com/cd/E29505_01/oid.1111/e10046/basic_adapters.htm

      Is there a reason that you have for considering a web service call from OIF to OVD as opposed to just setting up OVD as the identity store for OIF? Following the web service route will add a lot of processing overhead that can be avoided by sticking to LDAP.

      Regards,

      Steve

      Delete

    2. Steve,
      I have a similar situation and looks like you might be able to help -
      I have identity in OID(username/email , password, some other stuff) and user profile in OVD(phone numbers(one user to multiple number),billing plan, active/inactive etc). Now I need to create a join view adapter to get a consolidated view of these so that OIF can query OVD to create SAML authn and attribute statements. My question to be precise is, how to create a join view adapter that encompasses both Siebel and OID

      Delete

    3. Steve,
      Please ignore the previous one (there was a typo), here's the problem statement.
      I have a similar situation and looks like you might be able to help -
      I have identity in OID(username/email , password, some other stuff) and user profile in SIEBEL(phone numbers(one user to multiple number),billing plan, active/inactive etc). Now I need to create a join view adapter to get a consolidated view of these so that OIF can query OVD to create SAML authn and attribute statements. My question to be precise is, how to create a join view adapter that encompasses both Siebel and OID

      Delete

    4. Hi, Anonymous:

      It sounds to me like you can use a simple joiner for this scenario. OID would be the primary adapter, and Siebel the secondary. In order for this to work, you need a data element (e.g., employee number) that is present in both places so that you can use this as a join criterion. The OVD documentation addresses this.

      Steve

      Delete

    5. Thanks very much Steve. My only concern is that there is no OOTB OVD adapter for SIEBEL (please correct me if I'm wrong). I see two possibilities -
      1) Use the standard FMW adapter for SIEBEL and expose as SOAP/Http web service --> use a OVD adapter to connect to the web service endpoint
      2) Use OVD adapter for database and directly hook into the SIEBEL database

      It would really help to know your thoughts on this. And thanks indeed for your response.

      Regards,

      Delete

  4. Hi Steve,

    After your last step, Once all adapter looks ok

    Is there any way one can test their Join view adapter/LDAP adapter/Databse adapter ?

    Help Appreciated.

    ReplyDelete
    Replies

    1. The easiest way to test it is to do an LDAP search for one or more representative entries.

      Steve

      Delete

  5. Thanks for this blog post. I have a LDAP adapter (primary - SunOne directory) which pulls in only user objects. I have a secondary LDAP adapter for the same directory which pulls in only their organization objects. I have a join view adapter which provides a flattened view of users and their organization attributes aggregated to user object.

    Example:
    uid=TESTUSER,ou=people,dc=myco has orgid=TESTORG, and
    orgid=TESTORG,ou=orgs,dc=myco has orgloc=TESTLOC.

    user and org objects are joined with simple join criteria: orgid=orgid. users will now have all of their attributes plus all of their org attributes.

    What I want to do is establish a single changelog in OVD which will show me changes for the user that happen because of modification on user attributes or their org's attributes. Is this possible? If so, do I -

    1. create changelog on primary adapter
    2. create changelog on secondary adapter
    3. create consolidated change log on join adapter?

    ReplyDelete

Subscribe to: Post Comments (Atom)