ISE Identity Manager Auth Source

This tutorial is part of the Identity Manager track within the Identity Suite Essentials program.



Description

This tutorial covers:

  • Loading users from an authoritative feed. The data is loaded from a flat file that represents the feed from an HR system.
  • Delegated administration in its simplest form.
  • The different event types: creating, updating and deleting a user and its accounts.
  • Demonstration of task results and simple Audit Log use.



Learning Objectives

After completing this tutorial, the following topics should be understood.

  1. The configuration of a flat file resource adapter
  2. Specifying a synchronization policy
  3. Extending the user attributes
  4. Defining a form that loads the user data and assigns the attribute values
  5. Defining and using User Member Rules
  6. Defining and using proxy users
  7. The use of Capabilities
  8. The use of Roles



Prerequisites

The following items must be completed before starting this tutorial.



Setup

The following steps need to be performed to enable the demonstration.

Section 1: Extending the user attributes

By default the IdM User object contains the following attributes: name (q,s), firstname, fullname, lastname, idmManager and email. The following steps extend the schema so that the IdM User additionally carries organization, department, division, employeeId, telephone, jobTitle, startDate, endDate and userType. Each attribute needs two entries: an IDMAttributeConfiguration that defines it and an IDMObjectClassAttributeConfiguration that adds it to the User object class (queryable='true' makes it searchable). Note that the two copy-and-paste fragments at the end of this section do not fully agree as given: organization has an object-class entry but no attribute configuration, and division has an attribute configuration but no object-class entry. Check both lists against each other before saving.

  1. Access the Admin Interface http://localhost:8080/idm and log in as: configurator / configurator
  2. Replace home/index.jsp in the URL with debug and press Enter
  3. Select Configuration in the drop-down list beside the List Objects button
  4. Press the List Objects button
  5. Scroll down to IDM Schema Configuration
  6. Click the Edit link
  7. Scroll down in the text area to the existing attribute configurations
  8. Enter the attribute configuration (see the end of the section for a copy-and-paste selection)
  9. Scroll further down to the object class attribute configurations of the User object class
  10. Enter the object class attribute definition (see the end of the section for a copy-and-paste selection)
  11. Save the object
Attribute Configuration:

  <IDMAttributeConfiguration name='department' syntax='STRING'/>
  <IDMAttributeConfiguration name='division' syntax='STRING'/>
  <IDMAttributeConfiguration name='employeeId' syntax='STRING'/>
  <IDMAttributeConfiguration name='telephone' syntax='STRING'/>
  <IDMAttributeConfiguration name='jobTitle' syntax='STRING'/>
  <IDMAttributeConfiguration name='startDate' syntax='STRING'/>
  <IDMAttributeConfiguration name='endDate' syntax='STRING'/>
  <IDMAttributeConfiguration name='userType' syntax='STRING'/>

Object Class Attribute Configuration:

  <IDMObjectClassAttributeConfiguration name='organization' queryable='true'/>
  <IDMObjectClassAttributeConfiguration name='department' queryable='true'/>
  <IDMObjectClassAttributeConfiguration name='employeeId' queryable='true'/>
  <IDMObjectClassAttributeConfiguration name='telephone'/>
  <IDMObjectClassAttributeConfiguration name='jobTitle'/>
  <IDMObjectClassAttributeConfiguration name='startDate' queryable='true'/>
  <IDMObjectClassAttributeConfiguration name='endDate' queryable='true'/>
  <IDMObjectClassAttributeConfiguration name='userType' queryable='true'/>
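A consistency check for the two fragments above, added here as an example (it is not code from the tutorial or from Identity Manager): each IDMObjectClassAttributeConfiguration entry must name an attribute that an IDMAttributeConfiguration defines, and an attribute that is defined but has no object-class entry is never added to the User object. The script embeds the fragments as pasted, reports both kinds of mismatch and lists the names marked queryable='true', which are the ones Find Accounts can search on. Run against the fragments as given it flags organization (object-class entry only) and division (attribute configuration only).

```python
"""Consistency check for an IDM Schema Configuration edit.

Added example, not part of the tutorial. The two fragments are the ones
pasted in Section 1; the check itself works on any pair of fragments.
"""
import xml.etree.ElementTree as ET

ATTRIBUTE_CONFIGURATION = """
<IDMAttributeConfiguration name='department' syntax='STRING'/>
<IDMAttributeConfiguration name='division' syntax='STRING'/>
<IDMAttributeConfiguration name='employeeId' syntax='STRING'/>
<IDMAttributeConfiguration name='telephone' syntax='STRING'/>
<IDMAttributeConfiguration name='jobTitle' syntax='STRING'/>
<IDMAttributeConfiguration name='startDate' syntax='STRING'/>
<IDMAttributeConfiguration name='endDate' syntax='STRING'/>
<IDMAttributeConfiguration name='userType' syntax='STRING'/>
"""

OBJECT_CLASS_CONFIGURATION = """
<IDMObjectClassAttributeConfiguration name='organization' queryable='true'/>
<IDMObjectClassAttributeConfiguration name='department' queryable='true'/>
<IDMObjectClassAttributeConfiguration name='employeeId' queryable='true'/>
<IDMObjectClassAttributeConfiguration name='telephone'/>
<IDMObjectClassAttributeConfiguration name='jobTitle'/>
<IDMObjectClassAttributeConfiguration name='startDate' queryable='true'/>
<IDMObjectClassAttributeConfiguration name='endDate' queryable='true'/>
<IDMObjectClassAttributeConfiguration name='userType' queryable='true'/>
"""


def parse_entries(fragment, tag):
    """Parse a run of sibling elements into {name: attributes}.

    The pasted fragments have no single root, so they are wrapped in one.
    An element of the wrong kind, a missing name or a duplicate name is an
    error: each would silently produce a different schema than intended.
    """
    entries = {}
    for el in ET.fromstring(f"<r>{fragment}</r>"):
        if el.tag != tag:
            raise ValueError(f"unexpected <{el.tag}> where <{tag}> was expected")
        name = el.get("name")
        if not name or name in entries:
            raise ValueError(f"missing or duplicate name on <{tag}>: {name!r}")
        entries[name] = dict(el.attrib)
    return entries


def check_schema(attribute_xml, object_class_xml):
    """Return the names that break the two-part definition and the searchable ones.

    undefined: object-class entry without an attribute configuration
    unexposed: attribute configuration without an object-class entry
    queryable: object-class entries with queryable='true'
    """
    defined = parse_entries(attribute_xml, "IDMAttributeConfiguration")
    exposed = parse_entries(object_class_xml, "IDMObjectClassAttributeConfiguration")
    return {
        "undefined": sorted(n for n in exposed if n not in defined),
        "unexposed": sorted(n for n in defined if n not in exposed),
        "queryable": sorted(n for n, a in exposed.items() if a.get("queryable") == "true"),
    }


if __name__ == "__main__":
    for kind, names in check_schema(ATTRIBUTE_CONFIGURATION, OBJECT_CLASS_CONFIGURATION).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Paste your own edited fragments into the two strings before applying them on the debug page; anything reported under undefined or unexposed will not behave as the prose of this section expects.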


Section 2: Creating an additional "simulated" Contractor Role

  1. Access the Admin Interface http://localhost:8080/idm and log in as: configurator / configurator
  2. Go to the Roles tab and there to the List Roles sub-tab
  3. Click the New button
  4. In the Identity sub-tab enter Contractor as Name
  5. Enter Just to show delegated administration as Description
  6. Click Save
  7. On the result screen click Ok


Section 3: Creating new Organizations for managed identities

  1. Access the Admin Interface http://localhost:8080/idm and log in as: configurator / configurator
  2. Go to the Accounts tab and there to the List Accounts sub-tab
  3. If the People organization is not already present (it is added automatically by the Netbeans project configuration from module 1), select New Organization in the --- New Actions --- drop-down list
  4. On the edit screen enter People in the name field
  5. Leave the other fields as they are
  6. Click Save
  7. On the main List Accounts screen click Reset View
  8. If the All organization is not already present under People (it is added automatically by the Netbeans project configuration from module 1), add it below People: select the box to the left of the People organization
  9. Select New Organization from the --- New Actions --- drop-down list
  10. Enter All in the name field, leave all other fields as they are and click Save
  11. Repeat this for Employee and Contractor
  12. The main List Accounts screen now shows the organizations All, Employee and Contractor below People


Section 4: Creating a new Organization and a System User Account

  1. Access the Admin Interface http://localhost:8080/idm and log in as: configurator / configurator
  2. Go to the Accounts tab and there to the List Accounts sub-tab
  3. If the System Accounts organization is not already present under People (it is added automatically by the Netbeans project configuration from module 1), select New Organization in the --- New Actions --- drop-down list
  4. On the edit screen enter System Accounts in the name field
  5. Leave the other fields as they are
  6. Click Save; System Accounts now appears in the organization tree
  7. Now add a new user below System Accounts: select the box to the left of the System Accounts organization
  8. Select New User from the --- New Actions --- drop-down list
  9. In the Identity tab enter HR Feed Proxy for Account ID
  10. HR Feed for First Name
  11. Proxy for Last Name
  12. password for Password and Confirm Password
  13. In the Security tab assign User Account Administrator for Capabilities
  14. Top for Controlled Organizations
  15. Empty Form for User Form
  16. Click Save
  17. On the result screen click Ok
  18. The List Accounts main screen now shows HR Feed Proxy below System Accounts

This user is the proxy administrator that the synchronization policy of Section 6 runs under: every create, update and delete triggered by the feed is executed with its capabilities and inside its controlled organizations, not those of the administrator who starts the ActiveSync process (Use Case 1 shows this in the task list). Outside a lab, give it only the capabilities and controlled organizations the feed needs rather than Top, and a password that is not the word password.


Section 5: Creating a FF Resource Adapter for the HR feed

NOTE: This step was performed in module 2. Verify that Flat File ActiveSync is configured as a Managed Resource.

  1. Access the Admin Interface http://localhost:8080/idm and log in as: configurator / configurator
  2. Go to the Resources tab and there to the Configure Types sub-tab
  3. Select Flat File ActiveSync
  4. Click the Save button
  5. Change to the List Resources sub-tab
  6. Select New Resource in the --- Resource Type Actions --- drop-down list
  7. On the following screen select Flat File Active Sync
  8. Press the New button
  9. On the succeeding screen just press Next (nothing to select there)
  10. First screen: fill in the parameters for the feed file (the original page shows them in a screenshot). Replace <BASE> with the location of your feed files: in the Netbeans project this is custom/WEB-INF/config/ISE/module3/users/users-1.csv, in the VirtualBox image the feed files are under /var/tmp
  11. You can test the connection by pressing Test Configuration. If everything is ok, the green text "Test connection succeeded for resource(s): HR Feed" shows at the top
  12. If something is wrong, a red message similar to the following shows up: "Test connection failed for resource(s): HR Feed: Parser (com.waveset.util.ConfigurableDelimitedFileParser) Error ==> java.io.FileNotFoundException: <BASE>\idmResources\HRfeed\users.csv (The filename, directory name, or volume label syntax is incorrect)"
  13. Click Next
  14. Second screen: select the tick box in front of the accountId line
  15. Click Remove Attribute
  16. No schema map entry remains; none is needed when the Identity Manager attribute name and the resource attribute name are identical
  17. Third screen: nothing to enter, press Next
  18. On the next screen enter HR Feed as the name of the resource adapter at the top
  19. Enter accountId in the second field
  20. Leave the remaining fields as they are
  21. Press the Save button; the resource overview screen now lists HR Feed


Section 6: Define Synchronization Policy

  1. Access the Admin Interface http://localhost:8080/idm and log in as: configurator / configurator
  2. Go to the Resources tab and there to the List Resources sub-tab
  3. Open the FlatFileActiveSync folder
  4. Select the box to the left of HR Feed
  5. Select Edit Synchronization Policy
  6. For Repeat Every set 30 Seconds
  7. For Unique Key for Diff set UNIQUE_ID
  8. For Proxy Administrator set HR Feed Proxy
  9. For Input Form set Custom HR Feed Form FF
  10. For Correlation Rule (optional) set Custom UNIQUE_ID Matches Name
  11. For Log File Path set <BASE>/ (replace <BASE> with /var/tmp or your preferred log file location)
  12. For Maximum Log File Size set 4096
  13. For Log Level set 4 (the most verbose level; fine for this lab)
  14. Press Save

The Unique Key for Diff is the column Identity Manager uses to tell a changed row from a new one between two polls, and the correlation rule matches that same column against existing user names. UNIQUE_ID therefore has to be stable and unique in the HR feed; a key that changes between two polls no longer matches the existing user.


Section 7: Extend the Contractor and Employee organizations with a user member rule

  1. Access the Admin Interface http://localhost:8080/idm and log in as: configurator / configurator
  2. Go to the Accounts tab and there to the List Accounts sub-tab
  3. Click on the Contractor folder/link
  4. On the edit form scroll down to User Members Rule and select Custom Contractor User Member Rule
  5. Select 1 Minutes for Cache Timeout
  6. Repeat this procedure for the Employee organization, selecting Custom Employee User Member Rule as the User Member Rule

Membership by rule is computed from the users' attributes (here the TYPE delivered by the feed, see Use Case 2), so a user is shown in Employee or Contractor without being moved out of All; the rule result is cached for the chosen timeout, so a change in the feed can take up to a minute to show in the organization view.



Demonstration

After completing the setup above, the following steps should be performed to complete this tutorial.

Use Case 1: Loading the first user

  1. Open a terminal and go to <Base>/idmResources/HRfeed
  2. Take a look at the file user-1.csv (vi user-1.csv); it contains only one user
  3. Copy user-1.csv to user.csv: cp user-1.csv user.csv
  4. Access the Admin Interface http://localhost:8080/idm and log in as: configurator / configurator
  5. Go to the Resources tab and there to the List Resources sub-tab
  6. Open the FlatFileActiveSync folder and select HR Feed
  7. Select Start for Identity Manager in the --- Resource Actions --- drop-down list
  8. The List Resources page now shows the time of the next run/poll
  9. Clicking on the Resources tab refreshes the displayed time of the next run
  10. Go to the Server Tasks tab and there to the All Tasks sub-tab
  11. The activity of creating the user jbaker is listed
  12. It also shows that the task was executed as the user HR Feed Proxy and NOT as configurator, the user who started the ActiveSync process
  13. Click on the Creating jbaker link
  14. The detailed overview appears with information about the task execution (Task Summary) and the data that was set
  15. The Audit Log (available under the Reports tab) contains similar information
  16. Go to the Accounts tab and there to the List Accounts sub-tab
  17. The user jbaker is shown twice:
    1. in the organization Top:People:All, where it "physically" resides
    2. in the organization Top:People:Employee, where it appears because of the user member rule for Employees; the user configurator controls this organization too
  18. Click on the green jbaker link and the edit user form appears
  19. Click on the Attributes tab; the attributes from the resources appear (in this case those from the Portal)


Use Case 2: Load 18 additional users

  1. Open a terminal and go to <Base>/idmResources/HRfeed
  2. Take a look at the file user-2.csv (vi user-2.csv); it contains 19 users
  3. Copy user-2.csv to user.csv: cp user-2.csv user.csv
  4. Access the Admin Interface http://localhost:8080/idm and log in as: configurator / configurator
  5. Go to the Resources tab and there to the List Resources sub-tab
  6. Open the FlatFileActiveSync folder and select HR Feed
  7. Select Start for Identity Manager in the --- Resource Actions --- drop-down list, or, if the FFAS is still running, wait until the next poll
  8. Go to the Reports tab and there to the Run Reports sub-tab
  9. Scroll down to Today's Activity and click Run
  10. The result page with all activities appears. This page may differ considerably from the original screenshot, but the last 36 entries should be similar
  11. Click the entry Create - Identity System Account - PLUSSO; this should be the 6th entry from the top
  12. The following page shows the create result/data, similar to the task result seen in Use Case 1
  13. After clicking Ok on that page the whole result page appears again
  14. This time click the entry Execute - ProvisioningTask - CREATE USER; it is just above the entry opened in the previous step, the 5th from the top
  15. The page shows the Audit Details
  16. Go to the Accounts tab and there to the List Accounts sub-tab
  17. Open all organization folders
  18. The user acooper appears in the organization All as well as in Employee, because the TYPE in the csv file is 1, 2, 3 or 4 (which makes her a "normal" Employee)
  19. The user bobama appears in the organization All as well as in Contractor, because the TYPE in the csv file is 5
  20. Open one of the users, for example pmoreno, and note the job title; it is compared against the modified value in the next use case


Use Case 3: Modify 5 users

  1. Open a terminal and go to <Base>/idmResources/HRfeed
  2. Take a look at the file user-3.csv (vi user-3.csv); it contains 19 users, 5 of which have modified job titles
  3. Copy user-3.csv to user.csv: cp user-3.csv user.csv
  4. Access the Admin Interface http://localhost:8080/idm and log in as: configurator / configurator
  5. Go to the Resources tab and there to the List Resources sub-tab
  6. Open the FlatFileActiveSync folder and select HR Feed
  7. Select Start for Identity Manager in the --- Resource Actions --- drop-down list, or, if the FFAS is still running, wait until the next poll
  8. Go to the Reports tab and there to the Run Reports sub-tab
  9. Scroll down to Today's Activity and click Run
  10. The result page contains all modification events
  11. Click on the Modify event for pmoreno
  12. The page that appears shows the details of the changes (old and new value)
  13. Click on the Execute event for pmoreno
  14. The page that appears shows the audit details
  15. Go to the Accounts tab and there to the Find Accounts sub-tab
  16. Click beside Name, use starts with and enter pmore in the text field
  17. Hit Search
  18. The result page of the search shows only the entry for pmoreno
  19. Click on the link for pmoreno and compare the job title with the one noted in the previous use case


Use Case 4: Delete 6 users

  1. Open a terminal and go to <Base>/idmResources/HRfeed
  2. Take a look at the file user-4.csv (vi user-4.csv); it contains 19 users, 6 of which have a status of 3, which means they are to be deleted
  3. Copy user-4.csv to user.csv: cp user-4.csv user.csv
  4. Access the Admin Interface http://localhost:8080/idm and log in as: configurator / configurator
  5. Go to the Resources tab and there to the List Resources sub-tab
  6. Open the FlatFileActiveSync folder and select HR Feed
  7. Select Start for Identity Manager in the --- Resource Actions --- drop-down list, or, if the FFAS is still running, wait until the next poll
  8. Go to the Reports tab and there to the Run Reports sub-tab
  9. Scroll down to Today's Activity and click Run
  10. The result page contains all delete events
  11. Click the Delete User event for user mkramer
  12. Click the Delete Identity System Account event for user mkramer
  13. Click the Execute event for user mkramer
  14. Go to the Accounts tab and there to the List Accounts sub-tab
  15. Click on Reset View
  16. Open all organization folders
  17. No users remain in Contractor, for example, because the four contractors are among the six deleted users


Use Case 5: Reload all users again for the next modules

  1. Open a terminal and go to <Base>/idmResources/HRfeed
  2. Copy user-2.csv to user.csv: cp user-2.csv user.csv
  3. Access the Admin Interface http://localhost:8080/idm and log in as: configurator / configurator
  4. Go to the Resources tab and there to the List Resources sub-tab
  5. Open the FlatFileActiveSync folder and select HR Feed
  6. Select Start for Identity Manager in the --- Resource Actions --- drop-down list, or, if the FFAS is still running, wait until the next poll
  7. Verify that the 6 users deleted in Use Case 4 are loaded again
  8. In particular verify the 4 Contractors bobama, jbiden, jmccain and spalin; they are used in later modules



Resources

The following links provide more information:


Copyright (c) 2008-2009, Sun Microsystems, Inc.
All rights reserved
