Configuring the Salesforce Application - Oracle · List of Figures 1-1 Salesforce Connector Architecture 1-5 1-2 Manage Roles, Groups, and Profiles to Control Access by the User 1-7

Oracle® Identity GovernanceConfiguring the Salesforce Application

12c (12.2.1.3.0)F12377-03May 2020

Oracle Identity Governance Configuring the Salesforce Application, 12c (12.2.1.3.0)

F12377-03

Copyright © 2018, 2020, Oracle and/or its affiliates.

Primary Author: Gowri.G.R

Contributors: Azra Shakeel

This software and related documentation are provided under a license agreement containing restrictions onuse and disclosure and are protected by intellectual property laws. Except as expressly permitted in yourlicense agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify,license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means.Reverse engineering, disassembly, or decompilation of this software, unless required by law forinteroperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. Ifyou find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it onbehalf of the U.S. Government, then the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs (including any operating system, integrated software,any programs embedded, installed or activated on delivered hardware, and modifications of such programs)and Oracle computer documentation or other Oracle data delivered to or accessed by U.S. Government endusers are "commercial computer software" or “commercial computer software documentation” pursuant to theapplicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, the use,reproduction, duplication, release, display, disclosure, modification, preparation of derivative works, and/oradaptation of i) Oracle programs (including any operating system, integrated software, any programsembedded, installed or activated on delivered hardware, and modifications of such programs), ii) Oraclecomputer documentation and/or iii) other Oracle data, is subject to the rights and limitations specified in thelicense contained in the applicable contract. The terms governing the U.S. Government’s use of Oracle cloudservices are defined by the applicable contract for such services. No other rights are granted to the U.S.Government.

This software or hardware is developed for general use in a variety of information management applications.It is not developed or intended for use in any inherently dangerous applications, including applications thatmay create a risk of personal injury. If you use this software or hardware in dangerous applications, then youshall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure itssafe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of thissoftware or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks oftheir respective owners.

Intel and Intel Inside are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks areused under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Epyc,and the AMD logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registeredtrademark of The Open Group.

This software or hardware and documentation may provide access to or information about content, products,and services from third parties. Oracle Corporation and its affiliates are not responsible for and expresslydisclaim all warranties of any kind with respect to third-party content, products, and services unless otherwiseset forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not beresponsible for any loss, costs, or damages incurred due to your access to or use of third-party content,products, or services, except as set forth in an applicable agreement between you and Oracle.

Contents

Preface

Audience viii

Documentation Accessibility viii

Related Documents viii

Conventions ix

What’s New In This Guide?

Software Updates x

Documentation-Specific Updates x

1 About the Salesforce Connector

1.1 Certified Components 1-2

1.2 Usage Recommendation 1-2

1.3 Certified Languages 1-3

1.4 Supported Connector Operations 1-4

1.5 Connector Architecture 1-4

1.6 Supported Use Cases 1-6

1.7 Supported Connector Features Matrix 1-7

1.8 Connector Features 1-7

1.8.1 Support for Full Reconciliation 1-8

1.8.2 Support for Limited Reconciliation 1-8

1.8.3 Transformation and Validation of Account Data 1-8

1.8.4 Support for Cloning Applications and Creating Instance Applications 1-8

1.8.5 Secure Communication to the Target System 1-9

1.8.6 Support for the Connector Server 1-9

2 Creating an Application by Using the Salesforce Connector

2.1 Process Flow for Creating an Application By Using the Connector 2-1

2.2 Prerequisites for Creating an Application By Using the Connector 2-3

2.2.1 Downloading the Connector Installation Package 2-3

iii

2.2.2 Registering a Client Application 2-3

2.3 Creating an Application By Using the Connector 2-5

3 Configuring the Salesforce Connector

3.1 Basic Configuration Parameters 3-1

3.2 Advanced Settings Parameters 3-4

3.3 Attribute Mappings 3-6

3.3.1 Attribute Mappings for a Target Application 3-6

3.3.2 Attribute Mappings for an Authoritative Application 3-10

3.4 Rules, Situations, and Responses 3-12

3.4.1 Rules, Situations, and Responses for a Target Application 3-12

3.4.2 Rules, Situations, and Responses for an Authoritative Application 3-14

3.5 Reconciliation Jobs 3-16

4 Performing Postconfiguration Tasks for the Salesforce Connector

4.1 Configuring Oracle Identity Governance 4-1

4.1.1 Creating and Activating a Sandbox 4-1

4.1.2 Creating a New UI Form 4-2

4.1.3 Publishing a Sandbox 4-2

4.1.4 Creating an Application Instance 4-2

4.1.5 Updating an Existing Application Instance with a New Form 4-3

4.2 Harvesting Entitlements and Sync Catalog 4-3

4.3 Managing Logging 4-4

4.3.1 Understanding Log Levels 4-4

4.3.2 Enabling Logging 4-5

4.4 Configuring the IT Resource for the Connector Server 4-6

4.5 Localizing Field Labels in UI Forms 4-8

4.6 Configuring SSL for the Connector 4-10

4.7 Obtaining GUID of Roles 4-11

5 Using the Salesforce Connector

5.1 Configuring Reconciliation 5-1

5.1.1 Performing Full Reconciliation 5-1

5.1.2 Performing Limited Reconciliation 5-2

5.1.3 Reconciling Large Number of Records 5-2

5.2 Configuring Provisioning 5-3

5.2.1 Guidelines on Performing Provisioning Operations 5-3

5.2.2 Performing Provisioning Operations 5-3

5.3 Scheduled Job for Reconciliation of Groups 5-4

iv

5.4 Configuring Reconciliation Jobs 5-5

5.5 Uninstalling the Connector 5-6

6 Extending the Functionality of the Salesforce Connector

6.1 Configuring the Connector for Multiple Installations of the Target System 6-1

6.2 Configuring Transformation and Validation of Data 6-1

6.3 Configuring Action Scripts 6-2

6.4 Configuring the Connector Extension for Permission Sets 6-2

7 Upgrading the Salesforce Connector

7.1 Preupgrade Steps 7-1

7.2 Upgrade Steps 7-2

7.3 Postupgrade Steps 7-2

A Files and Directories in the Salesforce Connector Package

v

List of Figures

1-1 Salesforce Connector Architecture 1-5

1-2 Manage Roles, Groups, and Profiles to Control Access by the User 1-7

2-1 Overall Flow of the Process for Creating an Application By Using the Connector 2-2

3-1 Default Attribute Mappings for a Salesforce Target User Account 3-8

3-2 Default Attribute Mappings for Groups 3-9

3-3 Default Attributes for Phone Number Entitlement 3-10

3-4 Default Attributes for a Salesforce Authoritative Application 3-12

3-5 Simple Correlation Rule for a Salesforce Target Application 3-13

3-6 Predefined Situations and Responses for a Salesforce Target Application 3-14

3-7 Simple Correlation Rule for a Salesforce Authoritative Application 3-15

3-8 Predefined Situations and Responses for a Salesforce Authoritative Application 3-16

4-1 Manage IT Resource Page for Connector Server IT Resource 4-7

4-2 Edit IT Resource Details and Parameters Page for the Connector Server IT Resource 4-7

vi

List of Tables

1-1 Certified Components 1-2

1-2 Supported Connector Operations 1-4

1-3 Supported Connector Features Matrix 1-7

3-1 Parameters in the Basic Configuration 3-1

3-2 Advanced Settings Parameters for a Salesforce Target and Authoritative Application 3-4

3-3 Default Attributes Mappings for Salesforce User Account 3-7

3-4 Default Attribute Mappings for Groups 3-9

3-5 Default Attributes for Phone Number Entitlement 3-10

3-6 Default Attributes for a Salesforce Authoritative Application 3-11

3-7 Predefined Identity Correlation Rule for a Salesforce Target Application 3-13

3-8 Predefined Situations and Responses for a Salesforce Target Application 3-14

3-9 Predefined Identity Correlation Rule for a Salesforce Authoritative Application 3-15

3-10 Predefined Situations and Responses for a Salesforce Authoritative Application 3-16

3-11 Parameters of the Target User Reconciliation Job 3-17

3-12 Parameters of the Authoritative User Reconciliation Job 3-17

3-13 Parameters of the Reconciliation Jobs for Entitlements 3-18

4-1 Log Levels and ODL Message Type:Level Combinations 4-5

4-2 Parameters of the IT Resource for the Salesforce Connector Server 4-7

5-1 Attributes of the Salesforce Group Recon Scheduled Job 5-4

A-1 Files and Directories in the Connector Installation Package A-1

vii

Preface

This guide describes the connector that is used to onboard Salesforce applications toOracle Identity Governance.

AudienceThis guide is intended for resource administrators and target system integration teams.

Documentation AccessibilityFor information about Oracle's commitment to accessibility, visit the OracleAccessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.

Access to Oracle Support

Oracle customers that have purchased support have access to electronic supportthrough My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.

Related DocumentsFor information about installing and using Oracle Identity Governance 12.2.1.3.0, visitthe following Oracle Help Center page:

http://docs.oracle.com/middleware/12213/oig/index.html

For information about installing and using Oracle Identity Manager 11.1.2.3, visit thefollowing Oracle Help Center page:

http://docs.oracle.com/cd/E52734_01/index.html

For information about Oracle Identity Governance Connectors 12.2.1.3.0documentation, visit the following Oracle Help Center page:

http://docs.oracle.com/middleware/oig-connectors-12213/index.html

For information about Oracle Identity Manager Connectors 11.1.1 documentation, visitthe following Oracle Help Center page:

http://docs.oracle.com/cd/E22999_01/index.htm

Preface

viii

http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc

http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc

http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info

http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info

http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs

http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs

http://docs.oracle.com/middleware/12213/oig/index.html

http://docs.oracle.com/cd/E52734_01/index.html

http://docs.oracle.com/middleware/oig-connectors-12213/index.html

http://docs.oracle.com/cd/E22999_01/index.htm

ConventionsThe following text conventions are used in this document:

Convention Meaning

boldface Boldface type indicates graphical userinterface elements associated with an actionor terms defined in text or the glossary.

italic Italic type indicates book titles, emphasis, orplaceholder variables for which you supplyparticular values.

monospace Monospace type indicates commands within aparagraph, URLs, code in examples, text thatappears on the screen, or text that you enter.

Preface

ix


These are the updates made to the software and documentation for release 12.2.1.3.0of Configuring the Salesforce Application.

The updates discussed in this chapter are divided into the following categories:

• Software Updates

This section describes updates made to the connector software. This section alsopoints out the sections of this guide that have been changed in response to eachsoftware update.

• Documentation-Specific Updates

These include major changes made to this guide. For example, the relocation of asection from the second chapter to the third chapter is a documentation-specificupdate. These changes are not related to software updates.

Software UpdatesThese are the updates made to the connector software.

Software Updates in Release 12.2.1.3.0

The following is the software update in release 12.2.1.3.0:

Support for Onboarding Applications Using the Connector

From this release onward, the connector bundle includes application onboardingtemplates required for performing connector operations on the Salesforce targetsystem. This helps in quicker onboarding of the applications for Salesforce into OracleIdentity Governance by using an intuitive UI.

Documentation-Specific UpdatesThese are the updates made to the connector documentation.

Documentation-Specific Updates in Release 12.2.1.3.0

The following documentation-specific updates have been made in revision "3" of thisguide:

• A Note on using the Salesforce-12.2.1.3.0A patch has been added to BasicConfiguration Parameters and Attribute Mappings for a Target Application.

• Configuring the Connector Extension for Permission Sets has been added.

The following documentation-specific updates have been made in revision "2" of thisguide:


x

• The "Oracle Identity Governance or Oracle Identity Manager" row of CertifiedComponents has been updated to include support for Oracle Identity Governancerelease 12c PS4 (12.2.1.4.0).

• Some editorial corrections have been made.


xi

1About the Salesforce Connector

Oracle Identity Governance is a centralized identity management solution thatprovides self service, compliance, provisioning and password management servicesfor applications residing on-premises or on the Cloud. Oracle Identity Governanceconnectors are used to integrate Oracle identity Governance with the external identity-aware applications.

The Salesforce connector lets you create and onboard Salesforce applications inOracle Identity Governance.

Note:

In this guide, the connector that is deployed using the Applications optionon the Manage tab of Identity Self Service is referred to as an AOBapplication. The connector that is deployed using the Manage Connectoroption in Oracle Identity System Administration is referred to as a CI-basedconnector (Connector Installer-based connector).

From Oracle Identity Governance release 12.2.1.3.0 onward, connector deployment ishandled using the application onboarding capability of Oracle Identity Self Service.This capability lets business users to onboard applications with minimum details andeffort. The connector installation package includes a collection of predefined templates(XML files) that contain all the information required for provisioning and reconcilingdata from a given application or target system. These templates also include basicconnectivity and configuration details specific to your target system. The connectoruses information from these predefined templates allowing you to onboard yourapplications quickly and easily using only a single and simplified UI.

Application onboarding is the process of registering or associating an applicationwith Oracle Identity Governance and making that application available for provisioningand reconciliation of user information.

The following topics provide a high-level overview of the Salesforce connector:

• Certified Components

• Usage Recommendation

• Certified Languages

• Supported Connector Operations

• Connector Architecture

• Supported Use Cases

• Supported Connector Features Matrix

• Connector Features

1-1

1.1 Certified ComponentsThese are the software components and their versions required for installing and usingthe Salesforce connector.

Table 1-1 Certified Components

Component Requirement for AOBApplication

Requirement for CI-BasedConnector

Oracle Identity Governance orOracle Identity Manager

You can use any one of thefollowing releases:• Oracle Identity

Governance release 12cPS4 (12.2.1.4.0)

• Oracle IdentityGovernance 12c(12.2.1.3.0)

You can use one of thefollowing releases of OracleIdentity Manager or OracleIdentity Governance:

• Oracle IdentityGovernance release 12cPS4 (12.2.1.4.0)

• Oracle IdentityGovernance 12c(12.2.1.3.0)

• Oracle Identity Manager11g Release 2 PS3(11.1.2.3.0)

Target Systems Salesforce Winter 2012 andlater releases

Salesforce Winter 2012 andlater releases

Connector Server JDK JDK 1.8.0_131 and later, orJRockit JDK 1.8.0_131 andlater

JDK 1.8.0_131 and later

Connector Server 11.1.2.1.0 and later 11.1.2.1.0 and later

1.2 Usage RecommendationThese are the recommendations for the Salesforce connector version that you candeploy and use depending on the Oracle Identity Manager version that you are using.

• If you are using Oracle Identity Governance 12c (12.2.1.3.0) or later, then use thelatest 12.2.1.x version of this connector. Deploy the connector usingthe Applications option on the Manage tab of Identity Self Service.

• If you are using any of the Oracle Identity Manager releases listed in the“Requirement for CI-Based Connector” column in Table 1-1, then use the11.1.2.3.0 version of the connector. If you want to use the 12.2.1.x version of thisconnector, then you can install and use it only in the CI-based mode. If you want touse the AOB application, then you must upgrade to Oracle Identity Governance12c (12.2.1.3.0) or later.

Chapter 1Certified Components

1-2

Note:

If you are using the latest 12.2.1.x version of the Salesforce connector in theCI-based mode, then see Oracle Identity Manager Connector Guide forSalesforce, Release 11.1.1 for complete details on connector deployment,usage, and customization.

1.3 Certified LanguagesThese are the languages that the connector supports.

• Arabic

• Chinese (Simplified)

• Chinese (Traditional)

• Czech

• Danish

• Dutch

• English

• Finnish

• French

• French (Canadian)

• German

• Greek

• Hebrew

• Hungarian

• Italian

• Japanese

• Korean

• Norwegian

• Polish

• Portuguese

• Portuguese (Brazilian)

• Romanian

• Russian

• Slovak

• Spanish

• Swedish

• Thai

• Turkish

Chapter 1Certified Languages

1-3

1.4 Supported Connector OperationsThese are the list of operations that the connector supports for your target system.

Table 1-2 Supported Connector Operations

Operation Supported

User Management

Create user Yes

Update user Yes

Delete user

Note: The target does not support the Deleteoperation, and so the Delete operation fromOracle Identity Governance disables the useron the target.

Yes

License Grant Management

Add group Yes

Update group Yes

Remove group Yes

1.5 Connector ArchitectureYou can configure the Salesforce connector to run in the Target (or accountmanagement) and Authoritative (or trusted) mode, and is implemented using theIdentity Connector Framework (ICF) component.

The ICF is a component that is required in order to use Identity Connector. ICFprovides basic reconciliation and provisioning operations that are common to allOracle Identity Governance connectors. In addition, ICF provides common featuresthat developers would otherwise need to implement on their own, such as, buffering,time outs, and filtering. ICF is distributed together with Oracle Identity Governance.Therefore, you do not need to configure or modify ICF.

The connector is configured to run in one of the following modes:

• Identity reconciliation

Identity reconciliation is also known as authoritative or trusted sourcereconciliation. In this mode, the target system is used as the trusted source andusers are directly created and modified on it. During reconciliation, each userrecord fetched from the target system is compared with existing OIM Users. If amatch is found between the target system record and the OIM User, then the OIMUser attributes are updated with changes made to the target system record. If nomatch is found, then the target system record is used to create an OIM User.

• Account management

Account management is also known as target resource management. In thismode, the target system is used as a target resource and the connector enablesthe following operations:

– Provisioning

Chapter 1Supported Connector Operations

1-4

Provisioning involves creating or updating users on the target system throughOracle Identity Governance. When you allocate (or provision) a Salesforceresource to the OIM User, the operation results in the creation of an accounton Salesforce for that user. In the Oracle Identity Governancecontext, the termprovisioning also covers updates made to the target system account throughOracle Identity Governance.

– Target resource reconciliation

In target resource reconciliation, data related to the newly created andmodified target system accounts can be reconciled and linked with existingOIM Users and provisioned resources. A scheduled task is used forreconciliation. Salesforce.com provides the details of only the active useraccounts.

Figure 1-1 Salesforce Connector Architecture

As shown in Figure 1-1, Salesforce.com is configured as a target resource of OracleIdentity Governance. Through provisioning operations performed on Oracle IdentityGovernance, accounts are created and updated on the target system for OIG Users.

Through reconciliation, account data that is created and updated directly on the targetsystem is fetched into Oracle Identity Governance and stored against thecorresponding OIM Users.

Identity Connector Framework (ICF) is a component that is required in order to useIdentity Connectors. ICF is distributed together with Oracle Identity Governance. Youdo not need to configure or modify ICF.

During provisioning, the Adapters invoke ICF operation, ICF inturn invokes createoperation on Salesforce Identity Connector Bundle and then the bundle callsSalesforce Provisioning API. The Salesforce provisioning API on the target systemaccepts provisioning data from the bundle, carries out the required operation on thetarget system, and returns the response from the target system back to the bundle,which passes it to the adapters.

During reconciliation, a scheduled task invokes ICF operation, ICF inturn invokescreate operation on Salesforce Identity Connector Bundle and then the bundle callsSalesforce Reconciliation API. The API extracts user records that match the

Chapter 1Connector Architecture

1-5

reconciliation criteria and hands them over through the bundle and ICF back to thescheduled task, which brings the records to Oracle Identity Governance.

1.6 Supported Use CasesThese are common scenarios in which the connector can be used.

• Salesforce License Management

On Salesforce.com, Profiles are used to manage licences which are in turnassociated with user types. So for a particular user type, there is a fixed set ofprofiles. Using the Salesforce connector, you can reconcile all the profiles fromSalesforce and assign them to users without worrying about the user types. Thus,switching the user from one license type to another is accomplished easily with theuse of the Salesforce connector. This will arise if one Chatter Free user ispromoted to Standard user in Salesforce and can enjoy the privileges that comealong with those predefined licenses.

Salesforce Connector is also used to enable specific Salesforce.com profiles foryour users, you must choose one profile for each user. A profile is a template thatcontains a collection of predefined settings and can determine what a user cansee and do within the platform. The basic rule of Profiles is whether a given usercan see and use each application as well as each tab within the application.

• One Stop Identity Solution for Multiple Cloud Applications

Salesforce.com can act as a trusted source of identities which can be used to mapusers against various target cloud applications. In this case, a user fromSalesforce can be created in any and every cloud and non-cloud applications thatOracle Identity Governance supports.

Salesforce.com can be used as a trusted source and an organization can use thisfeature to provide the list of users and further provision the account of these usersto a third-party application that has been configured as target source.

• Evolve Identity and Data Security of Salesforce Beyond the Parameter

Identity management solutions must support more than the traditional parameter-based authentication, and offer a single, simple, and trusted way to manageauthentication and authorization of salesforce-based authentications. Enterprisesmaking use of various IT systems (servers, devices, applications etc.) facenumerous challenges due to the proliferation of passwords. Any vulnerability forpassword creates an opportunity for an attacker to acquire password values andconsequently impersonate users. Oracle Salesforce Connector helps reduceadministrative and help desk costs by enabling self-service password reset andpassword change.

This following image illustrates about controlling the access that the user has bymanaging Roles, Groups and Profiles.

Chapter 1Supported Use Cases

1-6

Figure 1-2 Manage Roles, Groups, and Profiles to Control Access by the User

1.7 Supported Connector Features MatrixProvides the list of features supported by the AOB application and CI-basedconnector.

Table 1-3 Supported Connector Features Matrix

Feature AOB Application CI-Based Connector

Perform Full Reconciliation Yes Yes

Perform Limited Reconciliation Yes Yes

Configure validation andtransformation of account data

Yes Yes

Support multiple instancesand multiple versions of thetarget system

Yes Yes

Use connector server Yes Yes

Provide securecommunication to the targetsystem through SSL

Yes Yes

1.8 Connector FeaturesThe features of the connector include support for connector server, full reconciliation,limited reconciliation, and transformation and validation of account data.

• Support for Full Reconciliation

• Support for Limited Reconciliation

Chapter 1Supported Connector Features Matrix

1-7

• Transformation and Validation of Account Data

• Support for Cloning Applications and Creating Instance Applications

• Secure Communication to the Target System

• Support for the Connector Server

1.8.1 Support for Full ReconciliationFull reconciliation involves reconciling all existing user records from the target systeminto Oracle Identity Governance. After you deploy the connector, you must firstperform full reconciliation. A default filter is present in the Full ReconciliationScheduled Job. This is the default filter which needs to be present while performing fulluser reconciliation.

Filter Value: greaterThan ('userType','AutomatedProcest') |lessThan('userType','AutomatedProcess')

Note:

Do not remove this filter value while performing full user reconciliation.

For more information, see Performing Full Reconciliation.

1.8.2 Support for Limited ReconciliationLimited or filtered reconciliation is the process of limiting the number of records beingreconciled based on a set filter criteria.

To limit or filter the records that are fetched into Oracle Identity Governance during areconciliation run, you can specify the subset of added or modified target systemrecords that must be reconciled. See Performing Limited Reconciliation.

1.8.3 Transformation and Validation of Account DataYou can configure transformation and validation of account data that is brought into orsent from Oracle Identity Governance during reconciliation and provisioning operationsby writing Groovy scripts while creating your application.

For more information, see Validation and Transformation of Provisioning andReconciliation Attributes in Oracle Fusion Middleware Performing Self Service Taskswith Oracle Identity Governance.

1.8.4 Support for Cloning Applications and Creating InstanceApplications

You can configure this connector for multiple installations of the target system bycloning applications or by creating instance applications.

When you clone an application, all the configurations of the base application arecopied into the cloned application. When you create an instance application, it sharesall configurations as the base application.

Chapter 1Connector Features

1-8

For more information about these configurations, see Cloning Applications and Creating Instance Applications in Oracle Fusion Middleware Performing Self ServiceTasks with Oracle Identity Governance.

1.8.5 Secure Communication to the Target SystemTo provide secure communication to the target system, SSL is required. You canconfigure SSL between Oracle Identity Governance and the Connector Server andbetween the Connector Server and the target system.

If you do not configure SSL, passwords can be transmitted over the network in cleartext. For example, this problem can occur when you are creating a user or modifying auser's password.

See Configuring SSL for the Connector.

1.8.6 Support for the Connector ServerConnector Server is one of the features provided by ICF. By using one or moreconnector servers, the connector architecture permits your application to communicatewith externally deployed bundles.

A Java connector server is useful when you do not wish to execute a Java connectorbundle in the same VM as your application. It can be beneficial to run a Javaconnector on a different host for performance improvements.

For information about installing, configuring, and running the Connector Server, andthen installing the connector in a Connector Server, see Using an Identity ConnectorServer in Oracle Fusion Middleware Developing and Customizing Applications forOracle Identity Governance.

Chapter 1Connector Features

1-9

2Creating an Application by Using theSalesforce Connector

Learn about onboarding applications using the connector and the prerequisites fordoing so.

• Process Flow for Creating an Application By Using the Connector

• Prerequisites for Creating an Application By Using the Connector

• Creating an Application By Using the Connector

2.1 Process Flow for Creating an Application By Using theConnector

From Oracle Identity Governance release 12.2.1.3.0 onward, connector deployment ishandled using the application onboarding capability of Identity Self Service.

Figure 2-1 is a flowchart depicting high-level steps for creating an application in OracleIdentity Governance by using the connector installation package.

2-1

Figure 2-1 Overall Flow of the Process for Creating an Application By Using the Connector

Chapter 2Process Flow for Creating an Application By Using the Connector

2-2

2.2 Prerequisites for Creating an Application By Using theConnector

Learn about the tasks that you must complete before you create the application.

• Downloading the Connector Installation Package

• Registering a Client Application

2.2.1 Downloading the Connector Installation PackageYou can obtain the installation package for your connector on the Oracle TechnologyNetwork (OTN) website.

To download the connector installation package:

1. Navigate to the OTN website at http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/connectors-101674.html.

2. Click OTN License Agreement and read the license agreement.

3. Select the Accept License Agreement option.

You must accept the license agreement before you can download the installationpackage.

4. Download and save the installation package to any directory on the computerhosting Oracle Identity Governance.

5. Extract the contents of the installation package to any directory on the computerhosting Oracle Identity Governance. This creates a directory namedCONNECTOR_NAME-RELEASE_NUMBER.

6. Copy the CONNECTOR_NAME-RELEASE_NUMBER directory to theOIG_HOME/server/ConnectorDefaultDirectory directory.

2.2.2 Registering a Client ApplicationRegistering a client application (that is, the Salesforce connector) with the targetsystem is a step that is performed to obtain the client ID and client secret forauthenticating to the target system. It also involves creating a custom profile and anaccount in the target system that the connector (or client) can use for performingconnector operations.

Registering a client application involves performing the following tasks on the targetsystem:

Note:

The detailed instructions for performing these preinstallation tasks areavailable in the Salesforce documentation.

1. Register your client application with the target system by creating a ConnectedApp in Salesforce. While creating the Connected App, ensure to select the OAuth

Chapter 2Prerequisites for Creating an Application By Using the Connector

2-3

http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/connectors-101674.html

http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/connectors-101674.html

scopes in the following table which represent the operations that can be performedthrough the Connected App you can configure. After the Connected App iscreated, note down the client ID and client secret values.

OAuth Scope Description

Access your basicinformation (id,profile, email,address, phone).

This scope allows access to the Identity URL service.

Access and manageyour data (api)

This scope allows access to the logged-in user’s account usingAPIs, such as SCIM API and REST API. This value also includeschatter_api, which allows access to Chatter REST API resources.

Full access (full) Allows access to all data accessible by the logged-in user, andencompasses all other scopes. full does not return a refresh token.You must explicitly request the refresh_token scope to get a refreshtoken.

The consumer key and consumer secret values for the Connected App aregenerated.

2. Note down the consumer key and consumer secret values as they are requiredwhile configuring the IT resource parameters. The consumer key corresponds tothe clientId parameter while the consumer secret corresponds to the clientSecretparameter.

3. Create a custom profile by cloning a standard user profile with the followingminimum set of administrative permissions:

• API Enabled

• API Only User

• Assign Permission Sets

• Chatter Internal User

• Manage Internal Users

• Manage IP Addresses

• Manage Login Access Policies

• Manage Package Licenses

• Manage Password Policies

• Manage Profiles and Permission Sets

• Manage Roles

• Manage Sharing

• Manage Unlisted Groups

• Manage Users

• Moderate Chatter

• Reset User Passwords and Unlock Users

• View All Users

• View Help Link

• View Setup and Configuration

Chapter 2Prerequisites for Creating an Application By Using the Connector

2-4

4. Create a target system user account to connect to the target system during eachconnector operation.

2.3 Creating an Application By Using the ConnectorYou can onboard an application into Oracle Identity Governance from the connectorpackage by creating a Target application. To do so, you must log in to Identity SelfService and then choose the Applications box on the Manage tab.

The following is the high-level procedure to create an application by using theconnector:

Note:

For detailed information on each of the steps in this procedure, see CreatingApplications of Oracle Fusion Middleware Performing Self Service Taskswith Oracle Identity Governance.

1. Create an application in Identity Self Service. The high-level steps are as follows:

a. Log in to Identity Self Service either by using the System Administrationaccount or an account with the ApplicationInstanceAdministrator adminrole.

b. Ensure that the Connector Package option is selected when creating anapplication.

c. Update the basic configuration parameters to include connectivity-relatedinformation.

d. If required, update the advanced setting parameters to update configurationentries related to connector operations.

e. Review the default user account attribute mappings. If required, add newattributes or you can edit or delete existing attributes.

f. Review the provisioning, reconciliation, organization, and catalog settings foryour application and customize them if required. For example, you cancustomize the default correlation rules for your application if required.

g. Review the details of the application and click Finish to submit the applicationdetails.

The application is created in Oracle Identity Governance.

h. When you are prompted whether you want to create a default request form,click Yes or No.

If you click Yes, then the default form is automatically created and is attachedwith the newly created application. The default form is created with the samename as the application. The default form cannot be modified later. Therefore,if you want to customize it, click No to manually create a new form and attachit with your application.

2. Verify reconciliation and provisioning operations on the newly created application.

Chapter 2Creating an Application By Using the Connector

2-5

See Also:

• Configuring the Salesforce Connector for details on basic configurationand advanced settings parameters, default user account attributemappings, default correlation rules, and reconciliation jobs that arepredefined for this connector

• Configuring Oracle Identity Governance for details on creating a newform and associating it with your application, if you chose not to createthe default form

Chapter 2Creating an Application By Using the Connector

2-6

3Configuring the Salesforce Connector

While creating an application, you must configure connection-related parameters thatthe connector uses to connect Oracle Identity Governance with your target system andperform connector operations. In addition, you can view and edit attribute mappingsbetween the process form fields in Oracle Identity Governance and target systemcolumns, predefined correlation rules, situations and responses, and reconciliationjobs.

• Basic Configuration Parameters

• Advanced Settings Parameters

• Attribute Mappings

• Rules, Situations, and Responses

• Reconciliation Jobs

3.1 Basic Configuration ParametersThese are the connection-related parameters that Oracle Identity Governance requiresto connect to a Target or an Authoritative application.

Note:

• The parameters in the table are applicable to both target andauthoritative applications.

• To use v2 SCIM, apply patch Salesforce-12.2.1.3.0A or later. Thissupports extra attributes and helps bring disabled users as well.

Table 3-1 Parameters in the Basic Configuration

Parameter Mandatory? Description

acceptType No Accept type for the headerthat denotes how the requestbody must be parsed. Therequest body should only beparsed as JSON ifthe Content-Type header isapplication/json.

3-1

Table 3-1 (Cont.) Parameters in the Basic Configuration


authenticationServerUrl No URL of the authenticationserver that validates the clientID and client secret.

Sample Value: https://login.windows.net/mydomain /oauth2/token?api-version=1.0

baseURI No Base relative URI of yourtarget system.

For example if the URL is /services/scim/v1.

clientId No The client identifier (a uniquestring) issued by theauthorization server to yourdomain during the registrationprocess described in Registering a ClientApplication .

SampleValue: 3MVG9Z8h6Bxz0zc6gU3lDg8zQflDLyyydUdH151g9VVT7O.ys_WFNz5q0EDkFWDAjDeavV5.XWVP6Hyhdg6zS

clientSecret No Value used to authenticate theidentity of your domain. Thisvalue is obtained whileperforming the proceduredescribed in Registering aClient Application .

SampleValue: 6551799938364196225

Configuration Lookup No Name of the lookup definitionthat stores configurationinformation used duringreconciliation andprovisioning.

DefaultValue: Lookup.Salesforce.Configuration

ConnectorServer Name No If you are using SalesforceConnector together with theJava Connector Server, thenprovide the name ofConnector Server IT Resourcehere.

Chapter 3Basic Configuration Parameters

3-2

Table 3-1 (Cont.) Parameters in the Basic Configuration


contentType No This entry holds the contenttype expected by the targetsystem in the header.

DefaultValue: application/json

grantType Yes Type of authentication used byyour target system.

Default Value: password

Host Yes Enter the host name or IPaddress of the computerhosting the target system.

Sample Value:www.example.com

Password No Enter the password of thetarget system user accountthat you create for connectoroperations.

sslEnabled No If the target system requiresSSL connectivity, set the valueof this parameter to true.Otherwise set the valueto false.

proxyHost No Enter the name of the proxyhost used to connect to anexternal target.

Sample Value:www.example.com.

proxyPassword No Enter the password of theproxy user ID of the targetsystem user account thatOracle Identity Governanceuses to connect to the targetsystem.

proxyPort No Enter the proxy port number.

Sample Value: 80

proxyUser No Enter the proxy user name ofthe target system useraccount that Oracle IdentityGovernance uses to connectto the target system.

Username No Enter the user name of thetarget system that you createfor performing connectoroperations.

Chapter 3Basic Configuration Parameters

3-3

3.2 Advanced Settings ParametersThese are the configuration-related entries that the connector uses duringreconciliation and provisioning operations.

Note:

Unless specified, the parameters in the table are applicable to both targetand authoritative applications.

Table 3-2 Advanced Settings Parameters for a Salesforce Target andAuthoritative Application

Parameter Mandatory Description

Bundle Name No This entry holds the name ofthe connector bundlepackage.Default Value:org.identityconnectors.genericscim

Do not modify this entry.

Bundle Version No This entry holds the version ofthe connector bundlepackage.Default Value: 12.3.0

Do not modify this entry.

Connector Name No This entry holds the name ofthe connector class.

Default Value:org.identityconnectors.genericscim.GenericSCIMConnector

defaultBatchSize No This entry holds the value ofthe number of records that canbe retrieved from the targetsystem in one go.Default Value: 200

Chapter 3Advanced Settings Parameters

3-4

Table 3-2 (Cont.) Advanced Settings Parameters for a Salesforce Target andAuthoritative Application


customPayload No This entry holds the payloadsfor all operations that are notin the standard format.

Default Value:"__ACCOUNT__.groups.AddOp={\"displayName\":\"$(__GROUP__.displayName)$\",\"members\":[{\"operation\":\"add\",\"value\":\"$(__ACCOUNT__.__UID__)$\"}]}","__ACCOUNT__.groups.RemoveOp={\"displayName\":\"$(__GROUP__.displayName)$\",\"members\":[{\"operation\":\"delete\",\"value\":\"$(__ACCOUNT__.__UID__)$\"}]}","__ACCOUNT__.phoneNumbers.RemoveOp={\"phoneNumbers\":[{\"type\":\"$(__ACCOUNT__.phoneNumbers.type)$\",\"value\":\"\"}]}"

nameAttributes Yes This is the __NAME__attribute mapping of OracleIdentity Governance to therelevant attribute on targetsystem.

Default Value:"Users=userName","Groups=displayName","Entitlement=displayName"

attrToOClassMapping No This is used to map anattribute present under oneobject class to another objectclass. For example "groups"under "__ACCOUNT__"Object Class should bemapped to "__GROUP__"object class.

Default Value:"__ACCOUNT__.groups=Groups"

Chapter 3Advanced Settings Parameters

3-5

Table 3-2 (Cont.) Advanced Settings Parameters for a Salesforce Target andAuthoritative Application


jsonResourcesTag No This entry holds the name ofthe JSON tag that holds userdetails in the responsepayload.Default Value: Resources

scimVersion Yes This entry specifies thesupported SCIM version of thetarget system.Default Value: 1

statusAttributes No This is the __ENABLE__attribute mapping of OracleIdentity Governance to theStatus attribute on targetsystem.Default Value:"Users=active"

uidAttributes Yes This is the __UID__ attributemapping of Oracle IdentityGovernance to the GUIDattribute on target system.

Default Value:"Users=id","Groups=id","Entitlement=id"

passwordAttributes No This entry holds the name ofthe target system attribute thatis mapped to the__PASSWORD__ attribute ofthe connector in OIG.Default Value:"Users=password"

3.3 Attribute MappingsThe attribute mappings on the Schema page vary depending on whether you arecreating a target application or a trusted application.

• Attribute Mappings for a Target Application

• Attribute Mappings for an Authoritative Application

3.3.1 Attribute Mappings for a Target ApplicationThe schema page for a Target application displays the default schema (provided bythe connector) that maps Oracle Identity Governance attributes to target system

Chapter 3Attribute Mappings

3-6

columns. The connector uses these mappings during reconciliation and provisioningoperations.

Default Attributes for Salesforce User Account

Table 3-3 lists the user-specific attribute mappings between the process form fields inOracle Identity Governance and the Salesforce Target application columns.

If required, you can edit the default attribute mappings by adding new attributes ordeleting existing attributes as described in Creating a Target Application in OracleFusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

Table 3-3 Default Attributes Mappings for Salesforce User Account

DisplayName

TargetAttribute

DataType

MandatoryProvisioningProperty?

ProvisionField?

ReconField

KeyField?

CaseInsensitive?

Profile __ACCOUNT__.entitlements.value,primary:true

String Yes Yes Yes No Notapplicable

UserName

__NAME__


LastName

name.familyName


Email __ACCOUNT__.emails.value,type:work


FirstName

name.givenName

String No Yes Yes No Notapplicable

NickName

nickname String No Yes Yes No Notapplicable

Id __UID__ String No Yes Yes Yes Notapplicable

Password __PASSWORD__

String No Yes No No Notapplicable

PreferredLanguage

preferredLanguage


Locale Locale String No Yes Yes No Notapplicable


3-7

Table 3-3 (Cont.) Default Attributes Mappings for Salesforce User Account

DisplayName

TargetAttribute

DataType

MandatoryProvisioningProperty?

ProvisionField?

ReconField

KeyField?

CaseInsensitive?

Role

Note: Fordynamicrolesupport,applypatchSalesforce-12.2.1.3.0A or later

__ACCOUNT__.roles.value


Title Title String No Yes Yes No Notapplicable

Status __ENABLE__

String No No Yes No Notapplicable

Figure 3-1 shows the default User account attribute mappings.

Figure 3-1 Default Attribute Mappings for a Salesforce Target User Account


3-8

Default Attribute Mappings for Groups

Table 3-4 lists the group attribute mappings between the process form fields in OracleIdentity Governance and the Salesforce Target application columns.


Table 3-4 Default Attribute Mappings for Groups

DisplayName

TargetAttribute

Data Type MandatoryProvisioningProperty?

ReconField

Key Field? CaseInsensitive?

GroupName

__ACCOUNT__.groups~__ACCOUNT__.groups~value

String No Yes Yes Notapplicable

Figure 3-2 shows the group attributes mapping.

Figure 3-2 Default Attribute Mappings for Groups

Default Attributes for Phone Number Entitlement

Table 3-5 lists the phone numbers attribute mappings between the process form fieldsin Oracle Identity Governance and the Salesforce Target application columns.



3-9

Table 3-5 Default Attributes for Phone Number Entitlement

DisplayName

TargetAttribute

Data Type MandatoryProvisioningProperty?

ReconField

Key Field? CaseInsensitive?

PhoneNumber

__ACCOUNT__.phoneNumbers~__ACCOUNT__.phoneNumbers~value

String No Yes Yes Notapplicable

Type __ACCOUNT__.phoneNumbers~__ACCOUNT__.phoneNumbers~type

String No Yes No Notapplicable

Figure 3-3 shows the default attributes for phone number entitlement.

Figure 3-3 Default Attributes for Phone Number Entitlement

3.3.2 Attribute Mappings for an Authoritative ApplicationThe Schema page for an Authoritative application displays the default schema(provided by the connector) that maps Oracle Identity Governance attributes to theAuthoritative application columns. The connector uses these mappings duringreconciliation and provisioning operations.

Default Attributes for a Salesforce Authoritative Application

Table 3-6 lists the user-specific attribute mappings between the process form fields inOracle Identity Governance and the Salesforce Authoritative application columns.


The Organization Name, Xellerate Type, and Role identity attributes are mandatoryfields on the OIG User form. They cannot be left blank during reconciliation. The targetattribute mappings for these identity attributes are empty by default because there are


3-10

no corresponding columns in the target system. Therefore, the connector providesdefault values (as listed in Table 3-6) that it can use during reconciliation. Forexample, the default target attribute value for the Organization Name attribute isXellerate Users. This implies that the connector reconciles all target system useraccounts into the Xellerate Users organization in Oracle Identity Governance.Similarly, the default attribute value for Xellerate Type attribute is End-User, whichimplies that all reconciled user records are marked as end users.

Table 3-6 Default Attributes for a Salesforce Authoritative Application

DisplayName

AuthoritativeAttribute

Data Type MandatoryReconProperty?

Recon Field CaseInsensitiv e?

Id __UID__ String No Yes Not applicable

User Login __NAME__ String No Yes Not applicable

First Name name.givenName

String No Yes Not applicable

Last Name name.familyName


Display Name String No No Not applicable

Xellerate Type String No Yes Not applicable

usr_locale preferredLanguage


Email __ACCOUNT__.emails.value,type:work


Status __ENABLE__ String No Yes Not applicable

OrganizationName


Role String No Yes Not applicable

Figure 3-4 shows the default User account attribute mappings.


3-11

Figure 3-4 Default Attributes for a Salesforce Authoritative Application

3.4 Rules, Situations, and ResponsesLearn about the predefined rules, responses and situations for Target andAuthoritative applications. The connector use these rules and responses forperforming reconciliation.

• Rules, Situations, and Responses for a Target Application

• Rules, Situations, and Responses for an Authoritative Application

3.4.1 Rules, Situations, and Responses for a Target ApplicationLearn about the predefined rules, responses, and situations for a Target application.The connector uses these rules and responses for performing reconciliation.

Predefined Identity Correlation Rules

By default, the Salesforce connector provides a simple correlation rule when youcreate a Target application. The connector uses this correlation rule to compare theentries in Oracle Identity Governance repository and the target system repository,determine the difference between the two repositories, and apply the latest changes toOracle Identity Governance.

Chapter 3Rules, Situations, and Responses

3-12

lists the default simple correlation rule for Salesforce connector. If required, you canedit the default correlation rule or add new rules. You can create complex correlationrules also. For more information about adding or editing simple or complex correlationrules, see Creating a Target Application in Oracle Fusion Middleware Performing SelfService Tasks with Oracle Identity Governance.

Table 3-7 Predefined Identity Correlation Rule for a Salesforce TargetApplication

Target Attribute Element Operator Identity Attribute Case Sensitive?

__NAME__ Equals User Login No

In this identity rule:

• __NAME__ is a single-valued attribute on the target system that identifies the useraccount.

• User Login is the field on the OIG User form.

Figure 3-5 shows the simple correlation rule for a Salesforce Target application.

Figure 3-5 Simple Correlation Rule for a Salesforce Target Application

Predefined Situations and Responses

The Salesforce connector provides a default set of situations and responses when youcreate a Target application. These situations and responses specify the action thatOracle Identity Governance must take based on the result of a reconciliation event.

Table 3-8 lists the default situations and responses for a Salesforce Target application.If required, you can edit these default situations and responses or add new ones. Formore information about adding or editing situations and responses, see Creating aTarget Application in Oracle Fusion Middleware Performing Self Service Tasks withOracle Identity Governance


3-13

Table 3-8 Predefined Situations and Responses for a Salesforce TargetApplication

Situation Response

No Matches Found Assign to Administrator With Least Load

One Entity Match Found Establish Link

One Process Match Found Establish Link

Figure 3-6 shows the situations and responses for Salesforce that the connectorprovides by default.

Figure 3-6 Predefined Situations and Responses for a Salesforce Target Application

3.4.2 Rules, Situations, and Responses for an AuthoritativeApplication

Learn about the predefined rules, responses, and situations for an Authoritativeapplication. The connector uses these rules and responses for performingreconciliation.

Predefined Identity Correlation Rules

By default, the Salesforce connector provides a simple correlation rule when youcreate a Authoritative application. The connector uses this correlation rule to comparethe entries in Oracle Identity Governance repository and the authoritative applicationrepository, determine the difference between the two repositories, and apply the latestchanges to Oracle Identity Governance.

Table 3-9 lists the default simple correlation rule for Salesforce connector. If required,you can edit the default correlation rule or add new rules. You can create complexcorrelation rules also. For more information about adding or editing simple or complexcorrelation rules, see Creating a Target Application in Oracle Fusion MiddlewarePerforming Self Service Tasks with Oracle Identity Governance.


3-14

Table 3-9 Predefined Identity Correlation Rule for a Salesforce AuthoritativeApplication

AuthoritativeAttribute

Element Operator Identity Attribute Case Sensitive?

__NAME__ Equals Salesforce GUID No

_UID_ Equals User Login No

Correlation Rule element: (__NAME__ Equals Salesforce GUID ) OR (_UID_ EqualsUser Login)

In the first correlation rule element:

• __NAME__ is a single-valued attribute on the target system that identifies the useraccount.

• Salesforce GUID is the unique login name of a user.

In the second correlation rule element:

• __UID__ is an attribute on the target system that uniquely identifies the useraccount.

• User Login is the field on the OIG User form.

• Rule operator: OR

Figure 3-7 shows the simple correlation rule for a Salesforce Authoritative application.

Figure 3-7 Simple Correlation Rule for a Salesforce Authoritative Application

Predefined Situations and Responses

The Salesforce connector provides a default set of situations and responses when youcreate a Authoritative application. These situations and responses specify the action


3-15

that Oracle Identity Governance must take based on the result of a reconciliationevent.

Table 3-10 lists the default situations and responses for a Salesforce AuthoritativeApplication. If required, you can edit these default situations and responses or addnew ones. For more information about adding or editing situations and responses, see Creating a Target Application in Oracle Fusion Middleware Performing Self ServiceTasks with Oracle Identity Governance.

Table 3-10 Predefined Situations and Responses for a Salesforce AuthoritativeApplication

Situation Response

No Matches Found Assign to Administrator With Least Load

One Entity Match Found Establish Link

One Process Match Found Establish Link

Figure 3-8 shows the situations and responses for Salesforce that the connectorprovides by default.

Figure 3-8 Predefined Situations and Responses for a Salesforce Authoritative Application

3.5 Reconciliation JobsLearn about reconciliation jobs that are automatically created in Oracle IdentityGovernance after you create a target or an authoritative application for your targetsystem.

You can either use these predefined jobs or edit them to meet your requirements.Alternatively, you can create custom reconciliation jobs. For information about editingthese predefined jobs or creating new ones, see Creating Applications in OracleFusion Middleware Performing Self Service Tasks with Oracle Identity Governance.

User Reconciliation Jobs

The following reconciliation jobs are available for reconciling user data:

• Target User Reconciliation: Use this reconciliation job to reconcile user data froma Target application.

Chapter 3Reconciliation Jobs

3-16

• Authoritative User Reconciliation: Use this reconciliation job to reconcile user datafrom an Authoritative application.

Table 3-11 Parameters of the Target User Reconciliation Job

Parameter Description

Application Name Name of the application you created for your targetsystem. This value is the same as the value that youprovided for the Application Name field while creatingyour target application.

Do not modify this value.

Filter Enter the expression for filtering records that thescheduled job must reconcile.

Sample value:equalTo('__UID__','SEPT12USER1')

Default value:greaterThan('userType','AutomatedProcest') |lessThan('userType','AutomatedProcess')

For information about the filters expressions that you cancreate and use, see ICF Filter Syntax in Oracle FusionMiddleware Developing and Customizing Applications forOracle Identity Governance.

Object Type Type of object you want to reconcile.

Default value: User

Scheduled Task Name Name of the scheduled job.

Note: For the scheduled job included with thisconnector, you must not change the value of thisattribute. However, if you create a new job or create acopy of the job, then enter the unique name for thatscheduled job as the value of this attribute.

The following table liste the parameters of the Authoritative User Reconciliation job.

Table 3-12 Parameters of the Authoritative User Reconciliation Job




Filter Enter the expression for filtering records that thescheduled job must reconcile.

Sample value:equalTo('__UID__','SEPT12USER1')

Default value:greaterThan('userType','AutomatedProcest') |lessThan('userType','AutomatedProcess')

For information about the filters expressions that you cancreate and use, see ICF Filter Syntax in Oracle FusionMiddleware Developing and Customizing Applications forOracle Identity Governance.


3-17

Table 3-12 (Cont.) Parameters of the Authoritative User Reconciliation Job


Object Type Type of object you want to reconcile.

Default value: User

No. of Batches This attribute specifies the total number of batches thatmust be reconciled.

Batch start index This attribute specifies the record number from whichbatched reconciliation needs to begin.

Scheduled Task Name Name of the scheduled job.

Note: For the scheduled job included with thisconnector, you must not change the value of thisattribute. However, if you create a new job or create acopy of the job, then enter the unique name for thatscheduled job as the value of this attribute.

OIG Employee Type Enter the employee type that must be set for OIG Userscreated through reconciliation.

OIG User Type Enter the role that must be set for OIG Users createdthrough reconciliation.

OIG Organization Name Enter the name of the Oracle Identity Governanceorganization in which reconciled users must be created.

Reconciliation Jobs for Entitlements

The following jobs are available for reconciling entitlements:

• Salesforce Group Lookup Reconciliation

• Salesforce Profile Lookup Reconciliation

These reconciliation jobs are available only for a Target application. The parametersfor all the reconciliation jobs are the same.

Table 3-13 Parameters of the Reconciliation Jobs for Entitlements




Lookup Name This parameter holds the name of the lookup definitionthat maps each lookup definition with the data sourcefrom which values must be fetched.

Depending on the reconciliation job you are using, thedefault values are as follows:

• For Salesforce Group Lookup Reconciliation -Lookup.Salesforce.Groups

• For Salesforce Profile Lookup Reconciliation-Lookup.Salesforce.Profiles


3-18

Table 3-13 (Cont.) Parameters of the Reconciliation Jobs for Entitlements


Object Type Enter the type of object whose values must besynchronized.

Depending on the scheduled job you are using, thedefault values are as follows:

• For Salesforce Profile Lookup Reconciliation -__Entitlement__

• For Salesforce Group Lookup Reconciliation -__GROUP__

Note: Do not change the value of this attribute.

Code Key Attribute Enter the name of the connector or target systemattribute that is used to populate the Code Key column ofthe lookup definition (specified as the value of theLookup Name attribute).

Default value: __UID__

Note: Do not change the value of this attribute.

Decode Attribute Enter the name of the connector or target systemattribute that is used to populate the Decode column ofthe lookup definition (specified as the value of theLookup Name attribute).

Default value: __NAME__


3-19

4Performing Postconfiguration Tasks for theSalesforce Connector

These are the tasks that you must perform after creating an application in OracleIdentity Governance.

• Configuring Oracle Identity Governance

• Harvesting Entitlements and Sync Catalog

• Managing Logging

• Configuring the IT Resource for the Connector Server

• Localizing Field Labels in UI Forms

• Configuring SSL for the Connector

• Obtaining GUID of Roles

4.1 Configuring Oracle Identity GovernanceDuring application creation, if you did not choose to create a default form, then youmust create a UI form for the application that you created by using the connector.

Note:

Perform the procedures described in this section only if you did not choose tocreate the default form during creating the application.

• Creating and Activating a Sandbox

• Creating a New UI Form

• Publishing a Sandbox

• Creating an Application Instance

• Updating an Existing Application Instance with a New Form

4.1.1 Creating and Activating a SandboxYou must create and activate a sandbox to begin using the customization and formmanagement features. You can then publish the sandbox to make the customizationsavailable to other users.

See Creating a Sandbox and Activating a Sandbox in Oracle Fusion MiddlewareDeveloping and Customizing Applications for Oracle Identity Governance.

4-1

4.1.2 Creating a New UI FormYou can use Form Designer in Oracle Identity System Administration to create andmanage application instance forms.

See Creating Forms By Using the Form Designer in Oracle Fusion MiddlewareAdministering Oracle Identity Governance.

While creating the UI form, ensure that you select the resource object correspondingto the newly created application that you want to associate the form with. In addition,select the Generate Entitlement Forms check box.

4.1.3 Publishing a SandboxBefore publishing a sandbox, perform this procedure as a best practice to validate allsandbox changes made till this stage as it is difficult to revert the changes after asandbox is published.

1. In Identity System Administration, deactivate the sandbox.

2. Log out of Identity System Administration.

3. Log in to Identity Self Service using the xelsysadm user credentials and thenactivate the sandbox that you deactivated in Step 1.

4. In the Catalog, ensure that the application instance form for your resource appearswith correct fields.

5. Publish the sandbox. See Publishing a Sandbox in Oracle Fusion MiddlewareDeveloping and Customizing Applications for Oracle Identity Governance.

4.1.4 Creating an Application InstanceCreate an application instance as follows:

See Managing Application Instances in Oracle Fusion Middleware AdministeringOracle Identity Governance.

1. In the left pane of the Identity System Administration, under Configuration, clickApplication Instances. The Application Instances page appears.

2. From the Actions menu, select Create. Alternatively, click Create on the toolbar.

The Create Application Instance page appears.

3. Specify values for the following fields:

• Name: The name of the application instance

• Display Name: The display name of the application instance.

• Description: A description of the application instance.

• Resource Object: The resource object name. Click the search icon next tothis field to search for and select Salesforce User.

• IT Resource Instance: The IT resource instance name. Click the search iconnext to this field to search for and select Salesforce.

• Form: Select the form name (created in Creating a New UI Form).

Chapter 4Configuring Oracle Identity Governance

4-2

4. Click Save.

The application instance is created.

5. Publish the application instance to an organization to make the applicationinstance available for requesting and subsequent provisioning to users. See Managing Organizations Associated With Application Instances in Oracle FusionMiddleware Administering Oracle Identity Governance.

4.1.5 Updating an Existing Application Instance with a New FormFor any changes that you do in the schema of your application in Identity Self Service,you must create a new UI form and update the changes in an application instance.

To update an existing application instance with a new form:

1. Create and activate a sandbox.

2. Create a new UI form for the resource.

3. Open the existing application instance.

4. In the Form field, select the new UI form that you created.

5. Save the application instance.

6. Publish the sandbox.

See Also:

• Creating a Sandbox and Activating a Sandbox in Oracle FusionMiddleware Developing and Customizing Applications for Oracle IdentityGovernance

• Creating Forms By Using the Form Designer in Oracle FusionMiddleware Administering Oracle Identity Governance

• Publishing a Sandbox in Oracle Fusion Middleware Developing andCustomizing Applications for Oracle Identity Governance

4.2 Harvesting Entitlements and Sync CatalogTo harvest entitlements and sync catalog:

1. Run the scheduled jobs for lookup field synchronization listed in ReconciliationJobs .

2. Run the Entitlement List scheduled job to populate Entitlement Assignmentschema from child process form table.

3. Run the Catalog Synchronization Job scheduled job.

Chapter 4Harvesting Entitlements and Sync Catalog

4-3

See Also:

Predefined Scheduled Tasks in Oracle Fusion Middleware AdministeringOracle Identity Governance for a description of the Entitlement List andCatalog Synchronization Job scheduled jobs

4.3 Managing LoggingOracle Identity Governance uses the Oracle Diagnostic Logging (ODL) logging servicefor recording all types of events pertaining to the connector.

The following topics provide detailed information about logging:

• Understanding Log Levels

• Enabling Logging

4.3.1 Understanding Log LevelsWhen you enable logging, Oracle Identity Governance automatically stores in a log fileinformation about events that occur during the course of provisioning andreconciliation operations.

ODL is the principle logging service used by Oracle Identity Governance and is basedon java.util.logger. To specify the type of event for which you want logging to takeplace, you can set the log level to one of the following:

• SEVERE.intValue()+100

This level enables logging of information about fatal errors.

• SEVERE

This level enables logging of information about errors that might allow OracleIdentity Governance to continue running.

• WARNING

This level enables logging of information about potentially harmful situations.

• INFO

This level enables logging of messages that highlight the progress of theapplication.

• CONFIG

This level enables logging of information about fine-grained events that are usefulfor debugging.

• FINE, FINER, FINEST

These levels enable logging of information about fine-grained events, whereFINEST logs information about all events.

These message types are mapped to ODL message type and level combinations asshown in Table 4-1.

Chapter 4Managing Logging

4-4

Table 4-1 Log Levels and ODL Message Type:Level Combinations

Java Level ODL Message Type:Level

SEVERE.intValue()+100 INCIDENT_ERROR:1

SEVERE ERROR:1

WARNING WARNING:1

INFO NOTIFICATION:1

CONFIG NOTIFICATION:16

FINE TRACE:1

FINER TRACE:16

FINEST TRACE:32

The configuration file for OJDL is logging.xml, which is located at the following path:

DOMAIN_HOME/config/fmwconfig/servers/OIM_SERVER/logging.xml

Here, DOMAIN_HOME and OIM_SERVER are the domain name and server namespecified during the installation of Oracle Identity Governance.

4.3.2 Enabling LoggingTo enable logging in the Oracle WebLogic Server:

1. Edit the logging.xml file as follows:

a. Add the following blocks in the file:

<log_handler name='Salesforce-handler' level='[LOG_LEVEL]' class='oracle.core.ojdl.logging.ODLHandlerFactory'><property name='logreader:' value='off'/> <property name='path' value='[FILE_NAME]'/> <property name='format' value='ODL-Text'/> <property name='useThreadName' value='true'/> <property name='locale' value='en'/> <property name='maxFileSize' value='5242880'/> <property name='maxLogSize' value='52428800'/> <property name='encoding' value='UTF-8'/></log_handler>

<logger name="ORG.IDENTITYCONNECTORS.GENERICSCIM" level="[LOG_LEVEL]" useParentHandlers="false"> <handler name="Salesforce-handler"/> <handler name="console-handler"/> </logger>

b. Replace both occurrences of [LOG_LEVEL] with the ODL message type andlevel combination that you require. Table 4-1 lists the supported message typeand level combinations.

Similarly, replace [FILE_NAME] with the full path and name of the log file inwhich you want log messages to be recorded.

The following blocks show sample values for [LOG_LEVEL] and[FILE_NAME]:

Chapter 4Managing Logging

4-5

<log_handler name='Salesforce-handler' level='NOTIFICATION:1' class='oracle.core.ojdl.logging.ODLHandlerFactory'> <property name='logreader:' value='off'/> <property name='path' value='F:\MyMachine\middleware\user_projects\domains\base_domain1\servers\oim_server1\logs\ oim_server1-diagnostic-1.log'/> <property name='format' value='ODL-Text'/> <property name='useThreadName' value='true'/> <property name='locale' value='en'/> <property name='maxFileSize' value='5242880'/> <property name='maxLogSize' value='52428800'/> <property name='encoding' value='UTF-8'/> </log_handler>

<logger name="ORG.IDENTITYCONNECTORS.GENERICSCIM" level="NOTIFICATION:1" useParentHandlers="false"> <handler name="Salesforce-handler"/> <handler name="console-handler"/> </logger>

With these sample values, when you use Oracle Identity Governance, allmessages generated for this connector that are of a log level equal to orhigher than the NOTIFICATION:1 level are recorded in the specified file.

2. Save and close the file.

3. Set the following environment variable to redirect the server logs to a file:

For Microsoft Windows: set WLS_REDIRECT_LOG=FILENAME

For UNIX: export WLS_REDIRECT_LOG=FILENAME

Replace FILENAME with the location and name of the file to which you want toredirect the output.

4. Restart the application server.

4.4 Configuring the IT Resource for the Connector ServerIf you have used the Connector Server, you must configure values for the parametersof the Connector Server IT resource.

Note:

This procedure is optional and is required only when the Connector Server isbeing used.

To configure or modify the IT resource for the Connector Server:

1. Log in to Oracle Identity System Administration.

2. Create and activate a sandbox. For detailed instructions on creating and activatinga sandbox, see Managing Sandboxes in Oracle Fusion Middleware Developingand Customizing Applications for Oracle Identity Governance.

3. In the left pane, under Configuration, click IT Resource.

Chapter 4Configuring the IT Resource for the Connector Server

4-6

4. In the IT Resource Name field on the Manage IT Resource page, enterSalesForce and then click Search. Figure 4-1 shows the Manage IT Resourcepage.

Figure 4-1 Manage IT Resource Page for Connector Server IT Resource

5. Click the edit icon corresponding to the Connector Server IT resource.

6. From the list at the top of the page, select Details and Parameters.

7. Specify values for the parameters of the Connector Server IT resource. Figure 4-2shows the Edit IT Resource Details and Parameters page.

Figure 4-2 Edit IT Resource Details and Parameters Page for the ConnectorServer IT Resource

Table 4-2 provides information about the parameters of the IT resource.

Table 4-2 Parameters of the IT Resource for the Salesforce Connector Server


Host Enter the host name or IP address of the computer hosting the Connector Server.

Sample value: HostName

Key Enter the key for the Connector Server.

Port Enter the number of the port at which the Connector Server is listening.

Default value: 8763

Chapter 4Configuring the IT Resource for the Connector Server

4-7

Table 4-2 (Cont.) Parameters of the IT Resource for the Salesforce Connector Server


Timeout Enter an integer value which specifies the number of milliseconds after which theconnection between the Connector Server and Oracle Identity Governance timesout.

If the value is zero or if no value is specified, the timeout is unlimited.

Sample value: 0 (recommended value)

UseSSL Enter true to specify that you will configure SSL between Oracle IdentityGovernance and the Connector Server. Otherwise, enter false.

Default value: false

8. To save the values, click Update.

4.5 Localizing Field Labels in UI FormsYou can localize UI form field labels by using the resource bundle corresponding to thelanguage you want to use. Resource bundles are available in the connector installationmedia.

To localize field label that is added to the UI forms:

1. Log in to Oracle Enterprise Manager.

2. In the left pane, expand Application Deployments and then selectoracle.iam.console.identity.sysadmin.ear.

3. In the right pane, from the Application Deployment list, select MDS Configuration.

4. On the MDS Configuration page, click Export and save the archive to the localcomputer.

5. Extract the contents of the archive, and open the following file in a text editor:

SAVED_LOCATION\xliffBundles\oracle\iam\ui\runtime\BizEditorBundle_en.xlf

6. Edit the BizEditorBundle.xlf file in the following manner:

a. Search for the following text:

<file source-language="en" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">

b. Replace with the following text:

<file source-language="en" target-language="LANG_CODE"original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">

Chapter 4Localizing Field Labels in UI Forms

4-8

In this text, replace LANG_CODE with the code of the language that you wantto localize the form field labels. The following is a sample value for localizingthe form field labels in Japanese:

<file source-language="en" target-language="ja" original="/xliffBundles/oracle/iam/ui/runtime/BizEditorBundle.xlf" datatype="x-oracle-adf">

c. Search for the application instance code. This procedure shows a sample editfor Oracle Database application instance. The original code is:

<trans-unit id="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.use rEO.UD_SF_USERNAME__c_description']}">

<source>Username</source>

</target> </trans-unit> <trans-unit

id="sessiondef.oracle.iam.ui.runtime.form.model.Salesforce.entity. sEO.UD_SF_USR_USERNAME__c">

<source>Username</source>

</target> </trans-unit>

d. Open the resource file from the connector package, for exampleSalesforce_ja.properties, and get the value of the attribute from the file, forexample, global.udf.UD_SF_USR_USERNAME=\u30A2\u30AB\u30A6\u30F3\u30C8\u540D.

e. Replace the original code shown in Step 6.c with the following:

<trans-unitid="${adfBundle['oracle.adf.businesseditor.model.util.BaseRuntimeResourceBundle']['persdef.sessiondef.oracle.iam.ui.runtime.form.model.user.entity.userEO.UD_SF_USR_USERNAME__c_description']}">

<source>User Name</source> <target>u30A2\u30AB\u30A6\u30F3\u30C8\u540D</target></trans-unit> <trans-unit id="sessiondef.oracle.iam.ui.runtime.form.model.Salesforce.entity sEO.UD_SF_USR_USERNAME__c_LABEL"><source>Account Name</source> <target>\u30A2\u30AB\u30A6\u30F3\u30C8\u540D</target> </trans-unit>

f. Repeat Steps 6.a through 6.d for all attributes of the process form.

Chapter 4Localizing Field Labels in UI Forms

4-9

g. Save the file as BizEditorBundle_LANG_CODE.xlf. In this file name, replaceLANG_CODE with the code of the language to which you are localizing.Sample file name: BizEditorBundle_ja.xlf

7. Repackage the ZIP file and import it into MDS.

See Also:

Deploying and Undeploying Customizations in Oracle Fusion MiddlewareDeveloping and Customizing Applications for Oracle Identity Governancefor information about exporting and importing metadata files.

8. Log out of and log in to Oracle Identity Governance.

4.6 Configuring SSL for the ConnectorConfigure SSL to secure data communication between Oracle Identity Governanceand Salesforce.

Note:

If you are using this connector along with a Connector Server, then there isno need to configure SSL. You can skip this section.

Salesforce validates the client system dates to be in sync with the SSL certificate (thecertificate issued by Salesforce application) date. If there is any deviation, then thetarget system might throw an error. The client machine date must be in sync with thecertificate timestamp range. Obtain SSL certificate from the target system.

Importing the Certificate

Use the keytool command to import the SSL certificate from the target system into theidentity keystore in Oracle Identity Governance.

keytool -import -alias alias -trustcacerts -file file-to-import -keystorekeystore-name -storepass keystore-password

In the following example, the certificate file supportcert.pem is imported to theidentity keystore client_store.jks with password example_password:

keytool -import -alias serverwl -trustcacerts -file supportcert.pem -keystore client_store.jks -storepass example_password

Note:

Change the parameter values passed to the keytool command according toyour requirements. Ensure that there is no line break in thekeytool arguments.

Chapter 4Configuring SSL for the Connector

4-10

4.7 Obtaining GUID of RolesYou must obtain the GUID of roles from the target system to populate the Code Keyvalues of the Lookup.Salesforce.Roles lookup definition.

The SCIM services exposed by Salesforce.com do not provide any endpoint to fetchthe Role GUIDs programatically. Therefore, to manage provision roles for users, youhave to populate the Lookup.Salesforce.Roles lookup manually.

To obtain GUID of roles, from your organization’s role hierarchy, click on any role forwhich you want to determine the GUID. The GUID is available as part of the URL. Forexample, in the following URL, 00E800000016mY is the GUID of the selected role:

https://cs40.salesforce.com.00E800000016mY.setupid=Roles

Chapter 4Obtaining GUID of Roles

4-11

5Using the Salesforce Connector

You can use the connector for performing reconciliation and provisioning operationsafter configuring it to meet your requirements.

• Configuring Reconciliation

• Configuring Provisioning

• Scheduled Job for Reconciliation of Groups

• Configuring Reconciliation Jobs

• Uninstalling the Connector

5.1 Configuring ReconciliationReconciliation involves duplicating in Oracle Identity Governance the creation of andmodifications to user accounts on the target system.

This section provides details on the following topics related to configuringreconciliation:

• Performing Full Reconciliation

• Performing Limited Reconciliation

• Reconciling Large Number of Records

5.1.1 Performing Full ReconciliationFull reconciliation involves reconciling all active user records from the target systeminto Oracle Identity Governance.

A default filter is present in the Full Reconciliation Scheduled Job. This is the defaultfilter that is required while performing full user reconciliation.

Filter Value: greaterThan('userType','AutomatedProcest') |lessThan('userType','AutomatedProcess')

Note:

This filter value must not be modified or removed during Full UserReconciliation.

The connector cannot support incremental reconciliation because the target systemdoes not provide a way for tracking the time at which account data is created ormodified.

5-1

If the target system contains more than 2200 records, then use the Flat File connectorto perform full reconciliation as Salesforce.com does not allow you to reconcile morethan 2200 users even after pagination. See Reconciling Large Number of Records.

5.1.2 Performing Limited ReconciliationLimited or filtered reconciliation is the process of limiting the number of records beingreconciled based on a set filter criteria.

By default, all target system records that are added or modified after the lastreconciliation run are reconciled during the current reconciliation run. You cancustomize this process by specifying the subset of added or modified target systemrecords that must be reconciled. You do this by creating filters for the reconciliationmodule.

You can perform limited reconciliation by creating filters for the reconciliation module.This connector provides a filter attribute that allows you to use any of the attributes ofthe target system to filter target system records.

You specify a value for the filter attribute while configuring the user reconciliationscheduled job.

Note:

If the target system contains more than 2200 records, then use the Flat Fileconnector to perform limited reconciliation as Salesforce does not allow youto reconcile more than 2200 users even after pagination. Otherwise, useappropriate filters to reduce the records count. See Reconciling LargeNumber of Records.

5.1.3 Reconciling Large Number of RecordsDuring a reconciliation run, if the target system contains more than 2200 records, thenyou must use the Flat File connector to fetch all the records into Oracle IdentityGovernance.

To reconcile a large number of records from the target system into Oracle IdentityGovernance:

1. Export all users in the target system to a flat file.

2. Copy the flat file to a location that is accessible from Oracle Identity Governance.

3. Create a schema file representing the structure of the flat file.

4. Install the Flat File connector.

5. Configure the Flat File IT resource.

6. If you want to perform trusted source reconciliation, then configure and run the FlatFile Users Loader scheduled job.

While configuring this scheduled job, ensure that you set the value of the TargetIT Resource Name attribute to Salesforce and Target Resource Object Nameto Salesforce User Trusted.

Chapter 5Configuring Reconciliation

5-2

7. If you want to perform target resource reconciliation, then configure and run theFlat File Accounts Loader scheduled job.

While configuring this scheduled job, ensure that you set the value of the TargetIT Resource Name attribute to Salesforce and Target Resource Object Nameto Salesforce User.

5.2 Configuring ProvisioningLearn about performing provisioning operations in Oracle Identity Governance and theguidelines that you must apply while performing these operations.

• Guidelines on Performing Provisioning Operations

• Performing Provisioning Operations

5.2.1 Guidelines on Performing Provisioning OperationsThese are the guidelines that you must apply while performing provisioning operations.

• For a Create User provisioning operation, you must specify a value for the UserName field along with the domain name. For example, [email protected].

• During a group provisioning operation you must give a value for DisplayName.

• While assigning multiple groups with the same name, the target system appends anumber to the group name. Therefore, you must execute Group targetreconciliation job every time multiple groups with the same name are provisionedon the target system to bring the target system and Oracle Identity Governance insynchronization.

5.2.2 Performing Provisioning OperationsYou create a new user in Identity Self Service by using the Create User page. Youprovision or request for accounts on the Accounts tab of the User Details page.

To perform provisioning operations in Oracle Identity Governance:

1. Log in to Identity Self Service.

2. Create a user as follows:

a. In Identity Self Service, click Manage. The Home tab displays the differentManage option. Click Users. The Manage Users page is displayed.

b. From the Actions menu, select Create. Alternatively, you can click Create onthe toolbar. The Create User page is displayed with input fields for user profileattributes.

c. Enter details of the user in the Create User page.

3. On the Account tab, click Request Accounts.

4. In the Catalog page, search for and add to cart the application instance for theconnector that you configured earlier, and then click Checkout.

5. Specify value for fields in the application form and then click Ready to Submit.

6. Click Submit.

Chapter 5Configuring Provisioning

5-3

See Also:

Creating a User in Oracle Fusion Middleware Performing Self Service Taskswith Oracle Identity Governance for details about the fields on the CreateUser page

5.3 Scheduled Job for Reconciliation of GroupsAfter you create an application, the Salesforce Group Recon scheduled job isautomatically created for Group Management in Oracle Identity Governance. You mustconfigure the scheduled job to suit your requirements by specifying values for itsattributes.

Table 5-1 Attributes of the Salesforce Group Recon Scheduled Job

Attribute Description

Application Name Name of the application you created for yourtarget system. This value is the same as thevalue that you provided for the ApplicationName field while creating your targetapplication.


Lookup Name This parameter holds the name of the lookupdefinition that maps each lookup definition withthe data source from which values must befetched.

Default Value: Lookup.Salesforce.Groups

Object Type Enter the type of object whose values must besynchronized.

Default Value: __GROUP__

Note: Do not change the value of thisattribute.

Code Key Attribute Enter the name of the connector or targetsystem attribute that is used to populate theCode Key column of the lookup definition(specified as the value of the Lookup Nameattribute).

Default Value: __UID__

Note: Do not change the value of thisattribute.

Decode Attribute Enter the name of the connector or targetsystem attribute that is used to populate theDecode column of the lookup definition(specified as the value of the Lookup Nameattribute).

Default Value: __NAME__

Chapter 5Scheduled Job for Reconciliation of Groups

5-4

5.4 Configuring Reconciliation JobsConfigure reconciliation jobs to perform reconciliation runs that check for newinformation on your target system periodically and replicates the data in Oracle IdentityGovernance.

You can apply this procedure to configure the reconciliation jobs for users andentitlements.

To configure a reconciliation job:

1. Log in to Identity System Administration.

2. In the left pane, under System Management, click Scheduler.

3. Search for and open the scheduled job as follows:

a. In the Search field, enter the name of the scheduled job as the searchcriterion. Alternatively, you can click Advanced Search and specify the searchcriterion.

b. In the search results table on the left pane, click the scheduled job in the JobName column.

4. On the Job Details tab, you can modify the parameters of the scheduled task:

• Retries: Enter an integer value in this field. This number represents thenumber of times the scheduler tries to start the job before assigning theStopped status to the job.

• Schedule Type: Depending on the frequency at which you want the job to run,select the appropriate schedule type. See Creating Jobs in Oracle FusionMiddleware Administering Oracle Identity Governance.

In addition to modifying the job details, you can enable or disable a job.

5. On the Job Details tab, in the Parameters region, specify values for the attributesof the scheduled task.

Note:

Values (either default or user-defined) must be assigned to all theattributes. If even a single attribute value is left empty, then reconciliationis not performed.

6. Click Apply to save the changes.

Note:

You can use the Scheduler Status page in Identity SystemAdministration to either start, stop, or reinitialize the scheduler.

Chapter 5Configuring Reconciliation Jobs

5-5

5.5 Uninstalling the ConnectorUninstalling the connector deletes all the account-related data associated with itsresource objects.

If you want to uninstall the connector for any reason, then run the Uninstall Connectorutility. Before you run this utility, ensure that you set valuesfor ObjectType and ObjectValues properties in the ConnectorUninstall.propertiesfile. For example, if you want to delete resource objects, scheduled tasks, andscheduled jobs associated with the connector, then enter "ResourceObject","ScheduleTask", "ScheduleJob" as the value of the ObjectType property and asemicolon-separated list of object values corresponding to your connector (forexample, Salesforce User; Salesforce Group) as the value of theObjectValues property.

Note:

If you set values for the ConnectorName and Release properties along withthe ObjectType and ObjectValue properties, then the deletion of objectslisted in the ObjectValues property is performed by the utility and theConnector information is skipped.

For more information, see Uninstalling Connectors in Oracle Fusion MiddlewareAdministering Oracle Identity Governance.

Chapter 5Uninstalling the Connector

5-6

6Extending the Functionality of theSalesforce Connector

You can extend the functionality of the connector to address your specific businessrequirements.

This section provides more information about the following topics:

• Configuring the Connector for Multiple Installations of the Target System

• Configuring Transformation and Validation of Data

• Configuring Action Scripts

• Configuring the Connector Extension for Permission Sets

6.1 Configuring the Connector for Multiple Installations ofthe Target System

You must create copies of configurations of your base application to configure it formultiple installations of the target system.

The following example illustrates this requirement:The London and New York offices of Example Multinational Inc. have their owninstallations of the target system, including independent schema for each. Thecompany has recently installed Oracle Identity Governance, and they want toconfigure it to link all the installations of the target system.

To meet the requirement posed by such a scenario, you must clone your applicationwhich copies all configurations of the base application into the cloned application. Formore information about cloning applications, see Cloning Applications in Oracle FusionMiddleware Performing Self Service Tasks with Oracle Identity Governance.

6.2 Configuring Transformation and Validation of DataConfigure transformation and validation of user account data by writing Groovy scriptlogic while creating your application.

You can configure transformation of reconciled single-valued user data according toyour requirements. For example, you can use First Name and Last Name values tocreate a value for the Full Name field in Oracle Identity Governance.

Similarly, you can configure validation of reconciled and provisioned single-valueddata according to your requirements. For example, you can validate data fetched fromthe First Name attribute to ensure that it does not contain the number sign (#). Inaddition, you can validate data entered in the First Name field on the process form sothat the number sign (#) is not sent to the target system during provisioningoperations.

6-1

To configure transformation or validation of user account data, you must write Groovyscripts while creating your application. For more information about writing Groovyscript-based validation and transformation logic, see Validation and Transformation ofProvisioning and Reconciliation Attributes of Oracle Fusion Middleware PerformingSelf Service Tasks with Oracle Identity Governance.

6.3 Configuring Action ScriptsYou can configure Action Scripts by writing your own Groovy scripts while creatingyour application.

These scripts can be configured to run before or after the create, update, or delete anaccount provisioning operations. For example, you can configure a script to run beforeevery user creation operation.

For information on adding or editing action scripts, see Updating the ProvisioningConfiguration in Oracle Fusion Middleware Performing Self Service Tasks with OracleIdentity Governance.

6.4 Configuring the Connector Extension for PermissionSets

You can configure the connector extension for permission sets by performing thefollowing steps:

1. Open the Identity Self Service Console.

2. Select the Schema tab.

3. Click Add Child Form. Enter Permission Sets in the Form Name field, and thenclick OK.

4. Select the Permission Sets child form, click Add Attribute, and enter thefollowing values:

• Display Name: Permission Sets

• Target Attribute:__ACCOUNT__.entitlements~__ACCOUNT__.entitlements~value as thevalue for Target Attribute

5. Ensure that the Reconciliation Field and Key Field checkboxes are selected.

6. Similarly ensure that the Advance Flag for Lookup and Entitlement is checked asfollows:

a. In the Permission Sets child form, navigate to Permission Sets attribute, andclick on the advance setting icon in the extreme right.

b. In the Advanced Flags dialog box, select the Lookup checkbox and click OK.

c. Verify and confirm that Data Type is set to String and click on the advancesetting icon in the extreme right once again.

d. Enter Lookup.Salesforce.PermissionSets in the List of values text box andclick OK.

7. Add an entitlement schedule job for Permission Sets as follows:

a. Select the Settings tab, and then the Reconciliation tab.

Chapter 6Configuring Action Scripts

6-2

b. Expand Reconciliation Jobs, and then Entitlement.

c. Click Add Job, enter the following details in the New Job dialog box, and clickOK:

• Job Name: Permission Sets

• Decode Attribute: __NAME__

• Lookup Name: Lookup.Salesforce.PermissionSets

• Object Type: Entitlement

• Code Key Attribute: __UID__

• Application Name: salesforceApp

d. Click Apply to apply changes.

Chapter 6Configuring the Connector Extension for Permission Sets

6-3

7Upgrading the Salesforce Connector

If you have already deployed the 11.1.1.5.0 version of the Salesforce connector, thenyou can upgrade the connector to version 12.2.1.3.0 by uploading the new connectorJAR files to the Oracle Identity Manager database.

Note:

Before you perform the upgrade procedure:

• It is strongly recommended that you create a backup of the OracleIdentity Manager database. Refer to the database documentation forinformation about creating a backup.

• As a best practice, perform the upgrade procedure in a test environmentinitially.

The following sections discuss the procedure to upgrade the connector:

• Preupgrade Steps

• Upgrade Steps

• Postupgrade Steps

7.1 Preupgrade StepsPreupgrade steps for the connector involves performing a reconciliation run to fetchrecords from the target system, defining the source connector in Oracle IdentityManager, creating copies of the connector if you want to configure it for multipleinstallations of the target system, and disabling all the scheduled jobs.

Perform the following preupgrade steps:

1. Perform a reconciliation run to fetch all latest updates to Oracle Identity Manager.

2. Perform the preupgrade procedure documented in Managing Connector Lifecyclein Oracle Fusion Middleware Administering Oracle Identity Manager.

3. Define the source connector (an earlier release of the connector that must beupgraded) in Oracle Identity Manager. You define the source connector to updatethe Deployment Manager XML file with all customization changes made to theconnector. See Managing Connector Lifecycle in Oracle Fusion MiddlewareAdministering Oracle Identity Manager for more information.

4. If required, create the connector XML file for a clone of the source connector.

5. Disable all the scheduled jobs.

7-1

7.2 Upgrade StepsThis is a summary of the procedure to upgrade the connector for both staging andproduction environments.

Depending on the environment in which you are upgrading the connector, perform oneof the following steps:

• Staging Environment

Perform the upgrade procedure by using the wizard mode.

Note:

Do not upgrade IT resource type definition. In order to retain the defaultsetting, you must map the IT resource definition to "None".

• Production Environment

Perform the upgrade procedure by using the silent mode.

See Managing Connector Lifecycle in Oracle Fusion Middleware Administering OracleIdentity Manager for detailed information about the wizard and silent modes.

7.3 Postupgrade StepsPostupgrade steps involve uploading new connector JAR to the Oracle IdentityManager database.

1. Delete the old Connector JARs. Run the Oracle Identity Manager Delete JARs($ORACLE_HOME/bin /DeleteJars.sh) utility to delete the existing ICFbundle org.identityconnectors.genericscim-1.0.11150.jar from theOracle Identity Manager database.

When you run the Delete JARs utility, you are prompted to enter the logincredentials of the Oracle Identity Manager administrator, URL of the OracleIdentity Manager host computer, context factory value, type of JAR file beingdeleted, and the name of the JAR file to be removed. Specify 4 as the value of theJAR type.

2. Upload the new connector JARs:

a. Run the Oracle Identity Manager Upload JARs ($ORACLE_HOME/bin/UploadJars.sh) utility to upload the connector JARs.

b. Upload the org.identityconnectors.genericscim-12.3.0.jarbundle as an ICF Bundle. Run the Oracle Identity Manager Upload JARs utilityto post the new ICF bundleorg.identityconnectors.genericscim-12.3.0.jar file to the OracleIdentity Manager database.

When you run the Upload JARs utility, you are prompted to enter the logincredentials of the Oracle Identity Manager administrator, URL of the OracleIdentity Manager host computer, context factory value, type of JAR file beinguploaded, and the location from which the JAR file is to be uploaded. Specify4 as the value of the JAR type.

Chapter 7Upgrade Steps

7-2

c. Delete the following Code Key and Decode entries in theLookup.Salesforce.Configuration lookup definition:

Code Key: Bundle Version; Decode: 1.0.1115

3. Restart Oracle Identity Manager.

4. If the connector is deployed on a Connector Server, then:

a. Stop the connector server.

b. Replace the existing bundle JAR fileorg.identityconnectors.genericscim-1.0.1115.jar with the newbundle JAR file org.identityconnectors.genericscim-12.3.0.jar.

c. Start the connector server.

Chapter 7Postupgrade Steps

7-3

AFiles and Directories in the SalesforceConnector Package

These are the files and directories on the connector installation package that comprisethe Salesforce connector.

Table A-1 Files and Directories in the Connector Installation Package

File in the Installation Media Directory Description

bundle/org.identityconnectors.genericscim-12.3.0.jar

This JAR is the ICF connector bundle.

configuration/Salesforce-CI.xml This file is used for installing a CI-basedconnector. This XML file contains configurationinformation that is used by the ConnectorInstaller during connector installation.

Files in the resources directory Each of these resource bundles containslanguage-specific information that is used bythe connector. During connector installation,these resource bundles are copied to theOracle Identity Governance database.

Note: A resource bundle is a file containinglocalized versions of the text strings that aredisplayed on the Administrative and UserConsole. These text strings include GUIelement labels and messages.

xml/Salesforce-ConnectorConfig.xml This XML file contains definitions for thefollowing connector objects:• IT resource definition• Process forms• Process tasks and adapters• Lookup definitions• Resource objects• Process definition• Scheduled tasks• Reconciliation rules

xml/Salesforce-auth-template.xml This file contains definitions for the connectorobjects required for creating an Authoritativeapplication. It includes certain details requiredto connect Oracle Identity Governance withthe target system. It also includesconfiguration details specific to your targetsystem, attribute mappings, correlation rules,and reconciliation jobs.

xml/Salesforce-pre-config.xml This XML file contains definitions for theconnector objects associated with any non-User object like Groups.

A-1

Table A-1 (Cont.) Files and Directories in the Connector Installation Package

File in the Installation Media Directory Description

xml/Salesforce-target-template.xml This file contains definitions for the connectorobjects required for creating a Targetapplication. It includes certain details requiredto connect Oracle Identity Governance withthe target system. It also includesconfiguration details specific to your targetsystem, attribute mappings, correlation rules,and reconciliation jobs.

Appendix A

A-2

Index

Symbols(target) resource of Oracle Identity Governance,

3-1

AApplication Instance, 4-2

Cconfigure

Configuring Reconciliation for SalesforceConnector, 5-1

connector architecture, 1-4connector features, 1-7

Ffeatures of the salesforce connector, 1-7flat file, 5-2Full Reconciliation, 5-1

GGUID of Roles, 4-11

Iidentity aware, 3-1

Llimited reconciliation, 5-2

Pprovisioning, 1-4

Ttarget resource reconciliation, 1-4trusted resource reconciliation, 1-4

Uuse cases, 1-6

Index-1