Method to Perform SailPoint Sun Identity Manager Provisioning Integration

The integration between IdentityIQ and Sun Identity Manager is very straightforward and requires little configuration on either side to start the initial communication. This blog covers the important points for configuring an integration between these products.

Supported features

The Sun Identity Manager Provisioning Integration Module provides the ability to provision Sun Identity Manager users, Target Application accounts, groups and entitlements from IdentityIQ.
The Provisioning Integration Module supports the following functions:
• User Management
- Manages Sun Identity Manager Users as Accounts
- Aggregating Users
- Create, Update, Delete
- Enable, Disable, Unlock, Reset Password
- Add/Remove User Entitlements
• Target Application Accounts Management
- Manages Target Application Accounts as Accounts
- Target Accounts are aggregated as part of Sun IdM User aggregation
- Create, Update, Delete
- Enable, Disable, Reset Password
- Add/Remove Account Entitlements
• Group Management
- Manages Sun Identity Manager Groups as Account-Groups in IdentityIQ
- Groups are aggregated as part of the user aggregation task

Supported platforms

SailPoint Sun Identity Manager Provisioning Integration Module supports the following version of Oracle Waveset:
• Oracle Waveset 8.1.1

General configuration

IdentityIQ communicates with Sun Identity Manager using a Service Provisioning Markup Language (SPML) interface. To enable this communication, the SPML client library, openspml.jar, must be copied from the Sun IdM installation into the INSTALLDIR/WEB-INF/lib directory of the IdentityIQ installation and then the IdentityIQ application should be restarted. A system error will occur in IdentityIQ when defining a Sun Identity Manager application before this configuration step is completed.
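The jar copy above is the one step that, when skipped or done with a corrupt file, surfaces only later as a system error in IdentityIQ. The following helper is an added example (not SailPoint or Oracle code) that performs the copy as a verified operation and offers a pre-flight check to run before defining the Sun Identity Manager application. It assumes only the layout the text gives: openspml.jar somewhere under the Sun IdM installation, and INSTALLDIR/WEB-INF/lib as the IdentityIQ library directory. The demo() function builds a constructed, throw-away layout so the script runs offline.

```python
"""Verified copy of openspml.jar into IdentityIQ's WEB-INF/lib.
Added example, not SailPoint's or Oracle's code. Assumes the directory
layout described in the text (INSTALLDIR/WEB-INF/lib)."""
import hashlib
import shutil
import tempfile
import zipfile
from pathlib import Path

JAR_NAME = "openspml.jar"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_openspml(sun_idm_dir: Path) -> Path:
    """Locate exactly one openspml.jar under the Sun IdM installation."""
    matches = list(Path(sun_idm_dir).rglob(JAR_NAME))
    if not matches:
        raise FileNotFoundError(f"{JAR_NAME} not found under {sun_idm_dir}")
    if len(matches) > 1:
        raise RuntimeError(f"ambiguous: several {JAR_NAME} copies under {sun_idm_dir}")
    return matches[0]


def install_openspml(sun_idm_dir, iiq_installdir) -> str:
    """Copy openspml.jar into INSTALLDIR/WEB-INF/lib and verify the copy.

    Returns the SHA-256 of the installed jar so it can be recorded in the
    change ticket and compared against the source installation later."""
    src = find_openspml(Path(sun_idm_dir))
    if not zipfile.is_zipfile(src):  # a jar is a zip; reject truncated files
        raise ValueError(f"{src} is not a valid jar archive")
    lib = Path(iiq_installdir) / "WEB-INF" / "lib"
    if not lib.is_dir():
        raise FileNotFoundError(f"IdentityIQ library directory missing: {lib}")
    dst = lib / JAR_NAME
    shutil.copy2(src, dst)
    src_digest, dst_digest = sha256_of(src), sha256_of(dst)
    if src_digest != dst_digest:
        raise RuntimeError("copied jar does not match source jar")
    return dst_digest


def spml_client_ready(iiq_installdir) -> bool:
    """Pre-flight check: will IdentityIQ find a usable SPML client library?"""
    jar = Path(iiq_installdir) / "WEB-INF" / "lib" / JAR_NAME
    return jar.is_file() and zipfile.is_zipfile(jar)


def demo() -> dict:
    """Run the procedure against a constructed temporary layout."""
    tmp = Path(tempfile.mkdtemp())
    sun_lib = tmp / "sunidm" / "lib"
    sun_lib.mkdir(parents=True)
    # Constructed stand-in for the real jar: a minimal valid zip archive.
    with zipfile.ZipFile(sun_lib / JAR_NAME, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    iiq = tmp / "identityiq"
    (iiq / "WEB-INF" / "lib").mkdir(parents=True)

    before = spml_client_ready(iiq)
    digest = install_openspml(tmp / "sunidm", iiq)
    after = spml_client_ready(iiq)
    return {"before": before, "after": after, "digest": digest,
            "matches_source": digest == sha256_of(sun_lib / JAR_NAME)}


if __name__ == "__main__":
    print(demo())
```

Run the pre-flight check again after the IdentityIQ restart; if it returns False the application definition step will fail with the system error the text describes.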

Configuration for Aggregation

Configuring IdentityIQ to aggregate accounts from Sun Identity Manager is accomplished by creating an IdentityIQ application as outlined in the following steps:
Configure SPML in Sun Identity Manager
1. If you do not have a Configuration:SPML object in Sun Identity Manager, import sample/spml.xml from the Sun Identity Manager installation.
Note: SPML v1 requests are used only for Aggregation and Provisioning.
2. Add the following object into the SPML classes list:

Define IdentityIQ Application
1. The object name (in this case IIQUserView) should match the Native Object Type of the account schema of the IdentityIQ application that represents Sun Identity Manager.

2. When creating the Sun Identity Manager application in IdentityIQ, follow the default pattern for the rpcRouterURL to point to the Sun Identity Manager system.

To aggregate Sun Identity Manager users and resource accounts, create and execute an IdentityIQ Account Aggregation task for the Sun Identity Manager application.

When the aggregation task is complete, a new application is created for every managed resource in Sun Identity Manager. The application schema includes attributes from the resource accounts. All users in Sun Identity Manager have an account created that is associated with the Sun Identity Manager application and any administrative capabilities and assigned profiles are included as attributes or direct permissions of those accounts.

Once the initial aggregation from the Sun Identity Manager application is completed, you can aggregate from it again to read in information for all of the resource systems.

Configuration for Provisioning

No additional configuration is needed to enable provisioning to Sun Identity Manager. The Sun Identity Manager PIM is implemented using the latest IdentityIQ connector interface that provides read/write capability. If you wish to provision accounts for Sun Identity Manager applications using another method, then you must remove the PROVISIONING keyword from the feature string in the Sun Identity Manager application in IdentityIQ.
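Switching the Sun Identity Manager application to a different provisioning path means editing the feature string on the IdentityIQ application object. The script below is an added example, not SailPoint code, that removes one feature token from an exported Application XML without disturbing the other tokens. It assumes the feature string is carried in an attribute named featuresString and that tokens are comma separated; the sample XML, including the connector class name, is constructed for the example.

```python
"""Remove the PROVISIONING token from an IdentityIQ Application's feature string.
Added example, not SailPoint code. Assumes the attribute is named
featuresString and is a comma-separated token list."""
import xml.etree.ElementTree as ET

FEATURES_ATTR = "featuresString"  # assumed attribute name

# Constructed sample export; connector and name values are placeholders.
SAMPLE_APPLICATION_XML = """<?xml version='1.0' encoding='UTF-8'?>
<Application connector="example.connector.PLACEHOLDER"
             featuresString="PROVISIONING, ENABLE, UNLOCK"
             name="Sun IdM (example)" type="Sun Identity Manager">
  <Attributes>
    <Map>
      <entry key="rpcRouterURL" value="http://sunidm.example.invalid:8080/idm/servlet/rpcrouter2"/>
    </Map>
  </Attributes>
</Application>
"""


def features(xml_text: str) -> list:
    """Return the feature tokens declared on the Application element."""
    root = ET.fromstring(xml_text)
    raw = root.get(FEATURES_ATTR, "")
    return [tok.strip() for tok in raw.split(",") if tok.strip()]


def remove_feature(xml_text: str, feature: str = "PROVISIONING") -> str:
    """Return the XML with `feature` removed from the feature string.

    Other tokens keep their order; the document is returned unchanged
    (apart from serialisation) when the token is not present."""
    root = ET.fromstring(xml_text)
    if root.tag != "Application":
        raise ValueError(f"expected an Application element, got {root.tag}")
    tokens = [tok.strip() for tok in root.get(FEATURES_ATTR, "").split(",") if tok.strip()]
    kept = [tok for tok in tokens if tok.upper() != feature.upper()]
    if kept:
        root.set(FEATURES_ATTR, ", ".join(kept))
    else:
        # No features left: drop the attribute rather than leave it empty.
        root.attrib.pop(FEATURES_ATTR, None)
    return ET.tostring(root, encoding="unicode")


def is_provisioning_enabled(xml_text: str) -> bool:
    """True when IdentityIQ would provision through this application's connector."""
    return any(tok.upper() == "PROVISIONING" for tok in features(xml_text))


if __name__ == "__main__":
    print(features(SAMPLE_APPLICATION_XML))
    updated = remove_feature(SAMPLE_APPLICATION_XML)
    print(features(updated), is_provisioning_enabled(updated))
```

Re-import the edited object into IdentityIQ after the change; until then the application keeps its read/write feature set and IdentityIQ continues to route provisioning requests through the Sun Identity Manager connector.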

About the author: Devender

Devender is an enthusiastic independent blogger, consultant and freelance trainer whose main areas of interest are identity and access management related technologies, including OIM, SailPoint IdentityIQ and much more.
