Ways to Perform SailPoint Oracle Integration

The Sailpoint Oracle integration is achieved by deploying a small web application in the application server that hosts OIM. IdentityIQ communicates with the web services contained in this application to read and write account information. The configuration of the OIM integration requires the username and password of the OIM administrator or another user with sufficient permissions.

Salient Features of Sailpoint OIM Integration

The Oracle Identity Manager Provisioning Integration Module supports the following functions:

• Account Management
-Oracle Identity Manager user aggregation along with the connected child accounts and application
-Create, Update, Delete
-Enable, Disable, Unlock
-Add/Remove Entitlements operations for Oracle Identity Manager connected child accounts

• User Management
-Manages Oracle Identity Manager Users as Accounts
-Create, Update, Delete
-Enable, Disable, Unlock
-Add/Remove Entitlements operations for Oracle Identity Manager Users.

Supported Platforms

SailPoint Oracle Identity Manager Provisioning Integration Module supports the following versions of Oracle Identity Manager:
• Oracle Identity Manager 11g R2
• Oracle Identity Manager 11g R1

Installing the OIM Integration Web Application

You must first deploy the OIM Integration Servlet web application to the application server hosting the OIM application. The iiq.war file for this web application is contained in the IdentityIQ distribution as $INSTALLDIR/integration/OIM/iiqIntegration-OIM.jar or in the distribution for an IdentityIQ patch in a .jar file named Integration-oim-.jar.
The iiqIntegration-OIM.jar file contains iiq.war file. You can customize the iiq.war file in many ways before being deployed into the application server hosting OIM.

Note: Ensure that if you are deploying web application as a war file, it should be named as iiq.war. If you are deploying the web application from a directory, then directory should be named as iiq.

The following are the required customization steps:

1. Configure access to OIM by modifying WEB-INF/classes/xellerate.properties to set the following:

• XL.HomeDir: the full path to the directory where OIM is installed

• userName: the OIM administrator that has the appropriate permission to read and write user and account data

• password: the password for the OIM administrator

For more information on the other properties that need to be set in the xellerate.properties file, see “Properties that can be defined in xellerate.properties” below.

2. Copy OIM_ORACLE_HOME/designconsole/lib/oimclient.jar API implementation file from the OIM installation into the WEB-INF/lib directory of the integration application.

Testing the OIM Integration Web Application

Verify if the installation was successful using the following steps:

Note: For each test URL throughout this document, change the hostname and port to match your OIM Server instance.

1. From any browser, enter the following URL:

http://localhost:8080/iiq/resources/ping
The following response is displayed:
OIM integration ready
Failure to get a ping response indicates a problem with the deployment of the servlet.

2. Verify the integration servlet can communicate with OIM by entering the following URL:

http://localhost:8080/iiq/resources/users
You should see a response containing the names of all OIM users. This might take a while to assemble, depending on the number of users. To view details of a particular user, enter the following URL, where the final path segment is the name of a user in your OIM instance:

http://localhost:8080/iiq/resources/user/
To see additional diagnostic information for a particular user, enter the following URL, where the final path segment is the name of a user in your OIM instance:
http://localhost:8080/iiq/resources/debug/

If you are unable to request user information, there may be a problem with the credentials you entered in the xellerate.properties file. For more information, see “Properties that can be defined in xellerate.properties”.
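The two checks above can be scripted so that the guide's troubleshooting rule (no ping response means a deployment problem; ping works but the user listing does not means the credentials in xellerate.properties are suspect) is applied automatically. The following script is an added example and is not part of the SailPoint guide or of IdentityIQ; the base URL, the timeout and the assumption that the user listing is one name per line are its own. Because the guide says any browser can retrieve the full user list from these endpoints, run the check from the network position you intend to allow and use the same script to confirm the servlet port is not reachable from anywhere else.

```python
"""Smoke test for the OIM integration servlet, following the two checks above.
Added example, not code from the SailPoint guide or IdentityIQ itself."""
import sys
import urllib.error
import urllib.request

# Assumed default base URL; change host and port to match your OIM server instance.
BASE_URL = "http://localhost:8080/iiq/resources"
# Body the guide says the ping endpoint returns when the servlet is deployed.
PING_OK = "OIM integration ready"


def fetch(url, timeout=15):
    """GET url and return (status, body). Transport failures map to status 0."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:           # server answered with an error code
        return err.code, err.read().decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError) as err:  # refused, DNS failure, timeout
        return 0, str(err)


def diagnose(ping, users):
    """Apply the guide's troubleshooting logic to two (status, body) results.

    No ping response      -> servlet deployment problem.
    Ping ok, no user list -> credentials in xellerate.properties are suspect.
    """
    ping_status, ping_body = ping
    if ping_status != 200 or PING_OK not in ping_body:
        return "deployment: no ping response from the servlet; check the iiq.war deployment"
    users_status, users_body = users
    if users_status != 200 or not users_body.strip():
        return ("credentials: ping succeeded but the user listing failed; "
                "check userName/password in xellerate.properties")
    return "ok"


def user_count(users_body):
    """Rough size of the user listing. One name per non-empty line is an
    assumption; the guide does not specify the response format."""
    return sum(1 for line in users_body.splitlines() if line.strip())


def main(base_url=BASE_URL):
    ping = fetch(base_url + "/ping")
    users = fetch(base_url + "/users")
    verdict = diagnose(ping, users)
    print(f"ping  -> HTTP {ping[0]}: {ping[1].strip()[:60]}")
    print(f"users -> HTTP {users[0]}: about {user_count(users[1])} entries")
    print("verdict:", verdict)
    return 0 if verdict == "ok" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else BASE_URL))
```

Run it with the base URL of your deployment as the only argument; a non-zero exit status means one of the two checks failed, and the verdict line says which of the guide's two causes to look at first.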

Properties that can be defined in xellerate.properties

1. Add a ManagedResource definition in the ManagedResource list for each OIM resource. For each resource, define a property prefix by adding a property whose name is the prefix and whose value is the OIM resource name.
For example:
AD=AD User
Oracle=Oracle DB User
This declares that any property that begins with AD is related to the OIM resource named AD User, and any property that begins with Oracle is related to the OIM resource named Oracle DB User. In the same way, the prefix ERP used in step 5 declares that any property that begins with ERP is related to the OIM resource named ERP Central Component.

2. For each ManagedResource, define the account attribute that represents the unique account identifier. The names used here must be the resource names used by OIM. The identity attributes must have the internal form field name containing the account identifier. Use the OIM Design Console application to find the process form for each resource and view the field names. The example below gives two typical names, one used by the connector for Oracle database users and the other for the Active Directory connector.
AD.id=UD_ADUSER_UID
Oracle.id=UD_DB_ORA_U_USERNAME

3. Define the names of the child forms that support multiple attributes. The value is a CSV of the internal child form names:
AD.childForms=UD_ADUSRC
Oracle.childForms=UD_DB_ORA_R
In this example, UD_ADUSRC is the internal name for the child form AD User Group Details and UD_DB_ORA_R is the internal name for the child form DBUM Grant/Revoke Roles.

4. For each child form name listed in the childForms property, add another property whose name is the prefix followed by the child form name and whose value is a CSV of the child form fields to return, in the order in which they will appear in IdentityIQ.
Oracle.UD_DB_ORA_R=UD_DB_ORA_R_ROLE,UD_DB_ORA_R_ADMIN_OPTION
In the previous example, we will return two fields from the child form UD_DB_ORA_R. The first field has the Role name and the second has the Role Admin option.

5. Following is the configuration for the resource with child forms: ERP Central Component:
ERP=ERP Central Component
ERP.id=UD_ECC_USER_ID
ERP.childForms=UD_ECC_PRO,UD_ECCRL
ERP.UD_ECC_PRO=UD_ECC_PRO_SYSTEMNAME,UD_ECC_PRO_USERPR
ERP.UD_ECCRL=UD_ECCRL_SYSTEMNAME,UD_ECCRL_USERROLE


Note: Before IdentityIQ 6.0, the xellerate.properties file had a parameter, oldChildFormNames, that was used for resources with only one field in the child form (for example, the Active Directory resource). From IdentityIQ 6.0 onwards, set this value to true if you want to keep the oldChildFormNames behavior, in which the field returned is the form name plus the field name (for example, UD_ADUSRC: UD_ADUSRC_GROUPNAME for the Active Directory field).

6. To aggregate all the active and disabled OIM users in IdentityIQ, add a new parameter OIM_USER_TYPE to the xellerate.properties file with the value ALL. If the OIM_USER_TYPE parameter is removed from the xellerate.properties file, only the active OIM users are aggregated. By default, only active OIM users are aggregated.
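Steps 1 to 6 define a small structure (prefix, prefix.id, prefix.childForms, and one field-list property per child form) that is easy to get subtly wrong, and a mistyped form name only shows up later as missing entitlements in aggregation. The following validator is an added example, not SailPoint's code: it reads a xellerate.properties file in the key=value form shown above and reports definitions that do not fit the steps. The sample file is constructed from the page's own examples, with placeholder values for XL.HomeDir, userName and password. Since that file carries the OIM administrator password in clear text, keep the deployed WEB-INF/classes directory readable only by the account that runs the application server.

```python
"""Consistency check for the ManagedResource definitions in xellerate.properties.
Added example, not SailPoint's code; it checks the structure steps 1 to 6 describe."""

# Keys that belong to the integration itself rather than to a resource prefix.
GLOBAL_KEYS = {"XL.HomeDir", "userName", "password", "OIM_USER_TYPE",
               "oldChildFormNames", "java.naming.provider.url"}

# Constructed sample assembled from the examples in the steps above; the
# XL.HomeDir path and the credentials are placeholders, not real values.
SAMPLE = """\
XL.HomeDir=/path/to/oim/home
userName=oim-admin-placeholder
password=password-placeholder
OIM_USER_TYPE=ALL
# resource prefixes (step 1)
AD=AD User
Oracle=Oracle DB User
ERP=ERP Central Component
# account identifier fields (step 2)
AD.id=UD_ADUSER_UID
Oracle.id=UD_DB_ORA_U_USERNAME
ERP.id=UD_ECC_USER_ID
# child forms and their field lists (steps 3 and 4)
AD.childForms=UD_ADUSRC
AD.UD_ADUSRC=UD_ADUSRC_GROUPNAME
Oracle.childForms=UD_DB_ORA_R
Oracle.UD_DB_ORA_R=UD_DB_ORA_R_ROLE,UD_DB_ORA_R_ADMIN_OPTION
ERP.childForms=UD_ECC_PRO,UD_ECCRL
ERP.UD_ECC_PRO=UD_ECC_PRO_SYSTEMNAME,UD_ECC_PRO_USERPR
ERP.UD_ECCRL=UD_ECCRL_SYSTEMNAME,UD_ECCRL_USERROLE
"""


def parse_properties(text):
    """Minimal reader for the key=value form used on this page: '#' or '!'
    starts a comment, surrounding whitespace is dropped, no line continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def csv(value):
    """Split a comma-separated property value into its non-empty items."""
    return [item.strip() for item in value.split(",") if item.strip()]


def resource_prefixes(props):
    """Step 1: a prefix is a key without a dot whose value is the OIM resource name."""
    return sorted(k for k in props if "." not in k and k not in GLOBAL_KEYS)


def validate(props):
    """Return a list of problems; an empty list means the definitions are consistent."""
    problems = []
    for key in ("XL.HomeDir", "userName", "password"):
        if not props.get(key):
            problems.append(f"missing required property {key}")
    for prefix in resource_prefixes(props):
        if not props.get(f"{prefix}.id"):
            problems.append(f"{prefix}: missing {prefix}.id, the account identifier field (step 2)")
        forms = csv(props.get(f"{prefix}.childForms", ""))
        for form in forms:
            if not csv(props.get(f"{prefix}.{form}", "")):
                problems.append(f"{prefix}: child form {form} is listed but "
                                f"{prefix}.{form} has no field list (step 4)")
        # A per-form field list whose form is absent from childForms matches
        # nothing the steps describe, so flag it as a likely typo.
        declared = {f"{prefix}.id", f"{prefix}.childForms"} | {f"{prefix}.{f}" for f in forms}
        for key in props:
            if key.startswith(prefix + ".") and key not in declared:
                problems.append(f"{prefix}: {key} is defined but its form is not "
                                f"listed in {prefix}.childForms (step 3)")
    # Step 6: the documented choices are the value ALL or leaving the key out.
    user_type = props.get("OIM_USER_TYPE")
    if user_type is not None and user_type != "ALL":
        problems.append(f"OIM_USER_TYPE={user_type}: only ALL is documented (step 6)")
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for problem in validate(parse_properties(text)) or ["no problems found"]:
        print(problem)
```

Point it at the xellerate.properties file you are about to package into iiq.war; with no argument it checks the embedded sample, which is consistent and prints no problems.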

Configuration for OIM application

Perform the following steps to create an IdentityIQ application for OIM:

1. Navigate to the IdentityIQ Define=>Application page.
2. Create a new application of type Oracle Identity Manager.
3. On the Attributes tab, enter the Oracle Identity Manager Host and Oracle Identity Manager Port.
4. Click Test Connection to verify the connection to OIM.

Note: You can make use of the “OIM Application creator” task to discover all the resources present in the OIM environment. The input for this task is a newly created application of type “Oracle Identity Manager”, and executing this task results in the creation of all multiplexed resources.

Testing the OIM Integration Client

While any IdentityIQ feature that generates a provisioning request such as a certification remediation, a role assignment, or a Lifecycle Manager request can be used to test the integration, it is sometimes useful to test at the provisioning layer using the IdentityIQ integration console.
Launch the console by using the IdentityIQ script in the INSTALLDIR/WEB-INF/bin directory of the IdentityIQ installation to run iiq integration.
From the console command prompt, use the list command to display the names of all Application objects created in the system. Using the example in the previous section, verify that an Application object of type Oracle Identity Manager exists.
Use the following command:
use OIMApplicationName
Use the ping command to initiate a test connection message with OIM. A successful connection will return the following message:
Response: Connection test successful
If any problem occurs in the communication of this application with the OIM Integration Web Application, troubleshoot this application by viewing the application server logs for both the IdentityIQ and OIM application servers. You can enable log4j tracing on both sides by using the following:
log4j.logger.sailpoint.integration=debug
log4j.logger.sailpoint.connector=debug
This lets you see if the requests are transmitting over the network, and how they are processed.
If the OIM servlet is deployed on Weblogic 11g, tracing can be enabled on it by adding an entry to the logging file on the Weblogic server. Following is the logging file:
/config/fmwconfig/servers/oim_server1/logging.xml
Following is the entry that needs to be added:

More information on enabling system logging in OIM is included in the Oracle Identity Manager Administrator Guide.

Aggregating from OIM

To aggregate OIM users and resource accounts, create and execute an IdentityIQ Account Aggregation task. Include the OIM application in the applications to scan list.
When the aggregation is complete from the OIM application, a new application is created for every resource in OIM. The application schema includes attributes seen in the resource accounts. All users in OIM have an account created that is associated with the OIM application and includes all of the standard and extended user attributes of those users. Additionally, all of the resource accounts are aggregated and associated with the newly created applications.
Once the initial aggregation from the OIM application is completed, you can aggregate from it again to read in information for all managed systems.

Note: You can make use of the “OIM Application Creator” task to discover all of the Resources present in the OIM environment. The input for this task is an application of type Oracle Identity Manager. Executing this task results in the creation of all multiplexed Resource applications.

Known/Open issues

Following are the known/open issues of the Oracle Identity Manager integration:

• You cannot perform provisioning operations simultaneously on the OIM server from IdentityIQ and the OIM console. This is a class loading issue observed with OIM 11g after deploying the iiq servlet (iiq.war) on the Weblogic OIM Managed Server.
Workaround for this issue: Create another, empty WLS (Weblogic) Managed Server next to the OIM Managed Server and deploy only the IIQ servlet there. Also, update the xellerate.properties file by un-commenting the attribute java.naming.provider.url. This URL needs the host name of the host where the OIM Managed Server is deployed and the listening port of the OIM Managed Server.
• Create OIM user and Update OIM user operations are not working with Oracle Identity Manager 11g R2.

About the author: Devender

Devender is an enthusiastic independent blogger, consultant and freelance trainer whose main areas of interest are identity and access management related technologies, including OIM, SailPoint IdentityIQ and much more.
