Showing posts with label OIM. Show all posts

Friday, September 26, 2014

Exposing User System Attributes in OIM 11gR2PS2 GUI Customization

Introduction


Recently while working with a customer to help with an upgrade from OIM 11gR1 to 11gR2PS2, one interesting request came up regarding OIM GUI customization.

The requirement was to expose some User System Attributes that in R1 were directly available in the GUI customization data but in R2 are not exposed in the GUI Customization options.

There is a way in R2 to easily expose the data using a custom Managed Bean along with some GUI tweaks.

The process for customizing the OIM UI is easy enough and well documented in the OIM Customization Guide.

The following content takes you through the steps for exposing the User System Attributes.

Thursday, June 5, 2014

Logging in OIM custom code

Proper logging is one of the main considerations during custom development. This is no different in OIM projects in which custom code is being developed and deployed to OIM. Proper logging is a fundamental part of development: it helps in finding issues, fixing them and also in reporting relevant runtime conditions.

This post shows how to leverage the Oracle Fusion Middleware infrastructure in which OIM runs in order to create proper logging information from custom code. It is not the intent of this post to cover all logging considerations; there are plenty of materials on the internet and book stores to cover the basics.

Tuesday, July 2, 2013

A checklist for OIM go-live

This post presents a list of configuration points in OIM that must be taken into account whenever a customer is planning an OIM go-live. This list is not intended to replace the OIM documentation, instead, the idea is to complement it. It provides tips on a few topics that are not part of the documentation.

Let's go through them:

Monday, June 17, 2013

Loading unique passwords with OIM bulk load

Using Oracle Identity Manager's bulk load tool is a great way to load large numbers of user records into OIM in an efficient and performant way. The standard and documented usage of the tool does not make provision for the loading of unique user passwords, though. This article describes an approach that can be used to achieve that requirement. This post is also part of the OIM 11g Academy Series.

Tuesday, May 7, 2013

OIM 11g R2 Self Registration with CAPTCHA

This post walks you through the fun of customizing OIM and adding a CAPTCHA solution to the self-registration page. CAPTCHA solutions are widely used on web sites to try to prevent automated bots from registering, filling in forms, sending messages and many other things.

The captcha solution used is Simple Captcha and it is available here. It is easy to use and easy to hook into applications.

This is another post of the Oracle Identity Manager Academy. To check other tricks, tips and examples you can find the academy post here.

Wednesday, May 1, 2013

Synchronization of Roles in Catalog OIM 11g R2


Introduction 

The Catalog is one of the most fundamental features of OIM 11g R2 request based provisioning. All requests for Resources/Accounts, Entitlements and Roles are accomplished through the Catalog. Roles in OIM 11g R2 can be defined within a given category. There are two main out-of-the-box categories: OIM Roles and Default. The category affects the visibility of the Role in the Catalog.

Sometimes, customers may need to change the category of an existing Role in order to make it possible to request the Role through the Catalog. If the Role was initially created within the OIM Roles category, it will not be visible in the Catalog because there is no entry in the Catalog's table for the Role.

Procedure

A Role is available in the Catalog when its category is set to 'Default'. This can be ensured by modifying the Role's attributes in the Self-Service User Interface and selecting the 'Default' category from the List of Values. The picture that follows shows where this is done and provides an example:




In the example above, the role MASSACHUSETTS ORG MEMBER was originally created with OIM Roles as the selected category. As a result, this role can't be requested through the Catalog. The role's category will need to be updated to 'Default'. The images below demonstrate the change:






Roles are published immediately after they are created; however, if a Role is updated after creation like in the previous example, the Catalog Synchronization Job has to be executed to reflect the changes in the Catalog.

To invoke the Catalog Synchronization Job, an Administrator needs to log in to the System Administration Console of OIM and open the Scheduler Window; then navigate to the Catalog Synchronization Job as shown in the following picture:



The Job must be executed with the following values in the Job's attributes: 
  • Mode = full
  • Process Roles set to Yes
  • Updated Date must be blank

After the execution of the Catalog Synchronization Job, searching for the Role in the Catalog should now display the role in the results as shown below:
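The same three settings can be applied and the job fired from code instead of the Scheduler window, which is handy when the category change is part of a scripted migration. The following is an added example and not code from the original post; it uses the public OIM 11g scheduler API (OIMClient, SchedulerService, JobDetails, JobParameter). The host name, port, authwl.conf path and the password argument are assumptions, and the job and parameter names are taken as they appear in the console ("Catalog Synchronization Job", "Mode", "Process Roles", "Updated Date"); the literal "Full" is assumed to match the Mode list of values in your release, so check the job definition if the job class rejects it.

```java
import java.util.HashMap;
import java.util.Hashtable;
import oracle.iam.platform.OIMClient;
import oracle.iam.scheduler.api.SchedulerService;
import oracle.iam.scheduler.vo.JobDetails;
import oracle.iam.scheduler.vo.JobParameter;

/**
 * Triggers a full Catalog Synchronization run for Roles through the OIM
 * scheduler API, with the same parameter values the post sets in the console.
 */
public class CatalogSyncRunner {

    // Out-of-the-box job name as it appears in the System Administration console.
    static final String JOB_NAME = "Catalog Synchronization Job";

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: CatalogSyncRunner <path-to-authwl.conf> <xelsysadm-password>");
            System.exit(1);
        }
        // JAAS config shipped with the OIM client (authwl.conf for WebLogic); the path is an assumption.
        System.setProperty("java.security.auth.login.config", args[0]);
        System.setProperty("APPSERVER_TYPE", "wls");

        // Host name and port are assumptions; 14000 is the default OIM managed-server port.
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(OIMClient.JAVA_NAMING_FACTORY_INITIAL, "weblogic.jndi.WLInitialContextFactory");
        env.put(OIMClient.JAVA_NAMING_PROVIDER_URL, "t3://oimhost.example.com:14000");

        OIMClient client = new OIMClient(env);
        client.login("xelsysadm", args[1].toCharArray());
        try {
            runFullRoleSync(client);
            System.out.println("Triggered '" + JOB_NAME + "' (Mode=Full, Process Roles=Yes, Updated Date blank)");
        } finally {
            client.logout();
        }
    }

    /** Sets the three parameters the post calls out, persists them, and fires the job once. */
    static void runFullRoleSync(OIMClient client) throws Exception {
        SchedulerService scheduler = client.getService(SchedulerService.class);
        JobDetails job = scheduler.getJobDetail(JOB_NAME);
        if (job == null) {
            throw new IllegalStateException("Job not found: " + JOB_NAME);
        }
        HashMap<String, JobParameter> params = job.getAttributes();
        setValue(params, "Mode", "Full");          // assumed LOV literal for a full run
        setValue(params, "Process Roles", "Yes");
        setValue(params, "Updated Date", "");      // blank, so the run is not limited to a date window
        job.setAttributes(params);
        scheduler.updateJob(job);        // persist the parameter values on the job definition
        scheduler.triggerNow(JOB_NAME);  // run once now, independent of the job's own schedule
    }

    /**
     * Updates an existing parameter in place so its declared data type is kept.
     * Failing on a missing name is deliberate: a silent put would create a
     * parameter the job class never reads, and the run would look successful
     * while still using the old values.
     */
    static void setValue(HashMap<String, JobParameter> params, String name, String value) {
        JobParameter p = params.get(name);
        if (p == null) {
            throw new IllegalStateException("Parameter '" + name + "' not defined on " + JOB_NAME
                    + "; check the job definition in the scheduler console");
        }
        p.setValue(value);
    }
}
```

triggerNow returns as soon as the job is queued, so the Role will only appear in Catalog searches once the run has finished; confirm it the same way the post does, by searching the Catalog, or by checking the job history in the Scheduler window before trusting the result.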



Summary

The Catalog is one of the main components of OIM 11g R2. The Request-Based provisioning functionality revolves around it. Any entity in OIM that can be requested by users needs to be visible in the Catalog. Roles that have OIM Roles as their category are not visible in the Catalog; only the ones in the 'Default' category will be displayed in Catalog Search Results.

If a Role was initially created with OIM Roles as its category and is then updated to the Default category, it will not be displayed in the results of a Catalog search until the Role is added to the CATALOG table in OIM's Database. This is accomplished by running the Catalog Synchronization Job through OIM's Scheduler. The job must be executed in Full mode, the 'Process Roles' option must be set to 'Yes' and the 'Updated Date' value must be blank.

Monday, January 28, 2013

Populating request attributes in OIM 11g R2 Part II - UI Customization

This is the second post of a two-post series about pre-populating requests in OIM 11g R2. The first post is available here. This post is also part of OIM 11g Academy Series.

The approach described in this post is more sophisticated than the pre-populate plug-in described in the previous post. The emphasis here is UI interaction. It is also important to mention that this approach does not work for requests created through the APIs; it works only for UI-based requests. Another difference is that while pre-populate plug-ins are specific to request attributes, this approach is application instance specific. In other words, each different application instance request form will require a different customization.

Wednesday, January 23, 2013

Populating request attributes in OIM 11g R2 Part I - Prepopulate Plug-in

This is the first of a two-post series about pre-populating requests in OIM 11g R2. This post is also part of the OIM 11g Academy Series.

With the introduction of the Catalog, the request creation process changed from a wizard to a shopping-cart style experience. But request pre-population is still a common requirement for OIM customers.

There are two different approaches to pre-populate a request:
  1. Pre-populate plug-ins
  2. UI customization

Thursday, January 3, 2013

Authenticating OIM APIs without end user's password

A common requirement in an OIM implementation is to not expose the OIM user interface to all types of end users. To address this requirement, a custom application using the OIM APIs is usually developed and deployed. Such an application exposes specific OIM functionalities to end users. In most cases, customers want the custom application/OIM APIs to act as the end user, and not as a service account; this approach leverages OIM's security model, and the actions will be correctly audited in OIM. Usually this custom application will be protected by an SSO solution, and asking the end user to provide his/her password is not an option. So the big question is: how to authenticate the OIM APIs against the OIM server and make them act as the end user?

This is another post in the OIM Academy series. To view the entire OIM 11g Academy series click here

In OIM 9.x, the APIs provide two different ways of authentication: through the OIM user's credentials (username and password) and through the so-called digital signature authentication. The digital signature authentication process allows authentication without a password, and because of that it is a widely used approach in custom applications based on the OIM APIs.

With the introduction of OIM 11g, the digital signature APIs are being deprecated. They will still work when correctly configured, but they may be discontinued in future OIM releases.

In R2 there is an easier way of using the OIM APIs without needing the end user's password. This post shows how this can be done.

Monday, December 17, 2012

OIM 11g Assets

Since the first 11g release, OIM engineering and product management teams have been working hard on field enablement. As part of this work, they created a wonderful set of reusable OIM customizations examples. Such components are called 'OIM assets'.

Among these great assets, you can find examples of approval workflow, event handler, scheduled task, UI customization, and others.  They can be used as learning assets; and they can be easily modified and deployed to your OIM environment to address some common use cases. Another nice thing is that there are examples for the three major releases of OIM 11g: 11.1.1.3, 11.1.1.5 and 11.1.2.0.

They can be found at Oracle Technology Network on this page. Have fun!


Friday, September 21, 2012

OIM-OAM-OAAM integration using TAP

I was going to make a test post just to test our RSS feed.  However, Atul Kumar published a good introductory post today on OAM-OAAM-OIM integration.  So I figured that I would share that with you today and suggest it as a little light weekend reading.

You can find Atul's post here.

Wednesday, September 19, 2012

OIM 11g R2 Catalog Customization Example


This post shows how the OIM catalog can be customized by using OIM UI capabilities such as managed beans and EL expressions. The post first describes the use case and the solution to address it; then it describes the solution details and provides links to the artifacts.

In order to have a better understanding of the customization described in this post, one should read the posts about the catalog and about the OIM UI customization.

Tuesday, September 18, 2012

OIM 11g R2 UI customization

OIM 11g R2's new user interface is probably one of the most anticipated new features of this release. The main reason for that is the great customization capability provided by the underlying technologies: Oracle ADF and Oracle WebCenter Composer.

OIM user interface customizations are easier now, and they 'survive' patch applications (there is no need to reapply them after patching). Adding new artifacts,  new skins, and 'plugging' code directly into the user interface components became an easier task.

This post introduces some of the customization related concepts provided by the new OIM user interface.

Tuesday, September 11, 2012

OIM 11g R2 Catalog

The Catalog is one of the most talked-about new features in OIM 11g R2. It introduces a new way to search items and to create access requests, and it also introduces the 'shopping cart' experience.

The request process was drastically simplified with the Catalog. Whereas in OIM 11g R1 users had to go through a multi-step wizard to create a request, in OIM 11g R2 the work is done in two pages: the catalog search and the shopping cart summary.

Wednesday, August 22, 2012

OIM 11g R2 & X.509 authentication

OIM 11g R2 is out! This release brings a lot of new features and also improvements to existing features.

OIM authentication providers are among the ones that were improved. The improvements make it easier to integrate OIM with SSO solutions (both SSO products and custom SSO solutions).

The integration with OpenSSO is documented here. The integration with OAM is still a powerful solution for SSO and password management and it is documented here.

The improvements also bring support for X.509-based user authentication. In the previous 11g release, one would need to leverage an SSO solution like OAM to do such authentication. In R2, X.509 authentication can be configured directly in WebLogic. This post describes how to configure this authentication.

Wednesday, May 23, 2012

Domain Architecture and Middleware Homes Revisited


Over a year ago I wrote a couple important posts about the domain architectures used in Oracle Identity Management deployments.  You can find these posts here and here.
These posts have been very popular.  I’ve received lots of positive feedback on them but also a fair number of questions.  So, I thought that it would be worth revisiting the topic now.

Tuesday, May 1, 2012

Split profile setup with AD and OID for Fusion Apps IDM

I have discussed the split-profile setup scenario for a Fusion Applications IDM Environment with AD and OID, the process of creating the Adapters needed in OVD for consolidating the two directory servers (AD and OID), and the configuration changes needed in OAM, OIM and WLS of the IDM Environment in these 2 blog posts:

Part 1, Part 2

This process is relevant to FA Release RUP1. From release RUP2 some of these manual steps have been automated, which I will discuss in a future blog.

Monday, April 23, 2012

Custom transformation provider for OIM GTC connector

A GTC-based connector is one of the most used approaches for reconciling data into OIM, especially through the use of flat files. A common issue is that some customers do not allow direct communication between OIM and the HR system (for different reasons, like an outsourced HR system, security constraints and others), hence a flat file is made available to OIM so that it can reconcile users.

Very often, there is a need to manipulate the data to be reconciled into OIM through the GTC connector. When that is the case, most customers end up creating event handlers to manipulate the reconciled data. The problem with this approach is that in OIM 11g, only 'post process' event handlers can be used to manipulate reconciliation data (and the data can only be manipulated after it has been reconciled into OIM), and this can make some manipulations really tricky and/or cumbersome.

Wednesday, March 28, 2012

Validating an Oracle IDM Environment (including a Fusion Apps build out)

In this post I walk you through how to validate an Oracle Identity Management build out containing OID, OVD, OIM, and OAM. This post was motivated by work I have done with Fusion Apps.

It is important to validate the IDM build out for Fusion Apps before you move on to the provisioning of Fusion Apps itself. Problems detected during the IDM build out are much easier to diagnose and fix than problems detected during FA provisioning, FA functional setup or FA operations themselves.

In addition, it is important to have documented validation steps for your Oracle IDM environment to use at other points as well. For instance, you will want to validate your IDM environment when you bring it back online following a backup.

Lastly, you will want to be able to go through validation steps for your IDM environment as a means of debugging IDM-related application issues. For example, let's say people come to you all of a sudden saying they can't log in to a Fusion HCM application. You'll want to be able to go through the IDM validation steps to see what, if anything, is wrong with the IDM infrastructure that could be causing this issue.

Tuesday, March 27, 2012

Live webcast (April 11th) with ING on their OIA-OIM implementation


Scale Up Without Getting Bogged Down

If your organization is like many, you’ve conducted access certification for a handful of applications. But what about the other thousand applications? Organizations are spending up to 40% of their IT budgets on compliance, yet many chief information security officers don’t feel any safer than they were before. With the large volume of systems, applications, users, and entitlements to review, the process is error-prone and difficult.

In this session, Mark Robison of ING shares his learning experiences on how to address these challenges. He will discuss how to:

  • Simplify the user experience and achieve better service levels
  • Reduce the help-desk workload with closed-loop remediation
  • Scale the process of certifying applications
  • Strike a balance between security risk and audit compliance
Register now for the Webcast. 

https://event.on24.com/eventRegistration/EventLobbyServlet?target=registration.jsp&eventid=389882&sessionid=1&key=DA263A8A48EC01E1F41904939FFC7C56&partnerref=evite_sec_idmmulti42012&sourcepage=register