Oracle® Identity Management Integration Guide
10g Release 2 (10.1.2) B14085-02
This section explains how applications are provisioned with the Oracle Provisioning Service. It contains these topics:
A provisioning-integrated application can maintain user information in Oracle Internet Directory or a third-party repository. Applications that maintain user information in Oracle Internet Directory can use the Data Access Java plug-in to create, modify, and delete user entries whenever the change occurs in Oracle Internet Directory.
See Also: Oracle Identity Management Application Developer's Guide for more information on the Data Access Java plug-in
The Data Access Java plug-in can be invoked directly from Oracle Identity Management, including the Provisioning Console, bulk provisioning with the Directory Integration and Provisioning Assistant, and command-line LDAP tools. For this reason, applications that can be provisioned with the Data Access Java plug-in are provisioned synchronously; no separate provisioning event needs to be sent to the application from the Oracle directory integration and provisioning server. The Data Access Java plug-in returns an execution status of SUCCESS or FAILURE to the Oracle directory integration and provisioning server. If an execution status of SUCCESS is returned for the Data Access Java plug-in, then a provisioning status is also returned, which is recorded in the user's provisioning status attribute in Oracle Internet Directory for the specific provisioning-integrated application. If an execution status of FAILURE is returned for a new user provisioning request, then the user's provisioning status is assigned a value of PROVISIONING_FAILURE. See "Provisioning Status in Oracle Internet Directory" for a list of provisioning statuses.
Figure 12-1 illustrates the process of how an application is synchronously provisioned from the Provisioning Console, bulk provisioning with the Directory Integration and Provisioning Assistant, and from third-party directories.
Figure 12-1 Synchronous Provisioning Process
As illustrated in Figure 12-1, synchronous provisioning with the Oracle Provisioning Service from the Provisioning Console, bulk provisioning with the Directory Integration and Provisioning Assistant, and from third-party directories follows this process:
1. A new user entry is created in Oracle Internet Directory from one of the following sources:
   - Oracle Internet Directory Provisioning Console
   - Bulk provisioning with the Directory Integration and Provisioning Assistant
   - Synchronization with third-party directories
2. The Oracle Identity Management component that created the new user entry invokes the Data Access Java plug-in.
3. The Data Access Java plug-in provisions the new user account in the application.
Figure 12-2 illustrates the process of how an application is synchronously provisioned using command-line LDAP tools.
Figure 12-2 Synchronous Provisioning from Command-Line LDAP Tools
As illustrated in Figure 12-2, synchronous provisioning from command-line LDAP tools follows this process:
1. A command-line LDAP tool creates a new user entry in Oracle Internet Directory.
2. At the next scheduled synchronization interval, the Oracle directory integration and provisioning server identifies new user entries in Oracle Internet Directory that require provisioning.
3. The Oracle directory integration and provisioning server invokes the Data Access Java plug-in.
4. The Data Access Java plug-in provisions the new user accounts in the application.
The Oracle directory integration and provisioning server propagates PL/SQL events to a provisioning-integrated application, which then executes a PL/SQL plug-in to process the events. Execution of a PL/SQL plug-in occurs within the application repository and not within the address space of any Oracle Identity Management component. Because provisioning is handled by a PL/SQL plug-in and not by any component of Oracle Identity Management, provisioning-integrated applications that implement a PL/SQL plug-in are provisioned asynchronously. The PL/SQL plug-in returns an execution status of SUCCESS or FAILURE to the Oracle directory integration and provisioning server. If an execution status of SUCCESS is returned for the PL/SQL plug-in, then a provisioning status is also returned, which is recorded in the user's provisioning status attribute in Oracle Internet Directory for the specific provisioning-integrated application. If an execution status of FAILURE is returned for a new user provisioning request, then the user's provisioning status is assigned a value of PROVISIONING_FAILURE. See "Provisioning Status in Oracle Internet Directory" for a list of provisioning statuses.
Figure 12-3 illustrates the process of how an application is asynchronously provisioned from the Provisioning Console, by using bulk provisioning with the Directory Integration and Provisioning Assistant, or from third-party directories.
Figure 12-3 Asynchronous Provisioning Process
As illustrated in Figure 12-3, asynchronous provisioning from the Provisioning Console, bulk provisioning with the Directory Integration and Provisioning Assistant, and third-party directories follows this process:
1. A new user entry and an associated entry containing application-specific user preferences are created in Oracle Internet Directory from one of the following sources:
   - Oracle Internet Directory Provisioning Console
   - Bulk provisioning with the Directory Integration and Provisioning Assistant
   - Synchronization with third-party directories
2. At the next scheduled synchronization interval, the Oracle directory integration and provisioning server identifies new user entries in Oracle Internet Directory that require provisioning.
3. Provisioning events are sent from the Oracle directory integration and provisioning server to the PL/SQL plug-in.
Figure 12-4 illustrates the process of how an application is asynchronously provisioned using command-line LDAP tools.
Figure 12-4 Asynchronous Provisioning using Command-Line LDAP Tools
As illustrated in Figure 12-4, asynchronous provisioning using command-line LDAP tools follows this process:
1. A command-line LDAP tool creates a new user entry in Oracle Internet Directory.
2. At the next scheduled synchronization interval, the Oracle directory integration and provisioning server identifies new user entries in Oracle Internet Directory that require provisioning and creates an associated entry containing application-specific user preferences.
3. Provisioning events are sent from the Oracle directory integration and provisioning server to the PL/SQL plug-in.
Regardless of whether it is provisioned synchronously or asynchronously, an application can invoke the Pre-Data Entry and Post-Data Entry plug-ins to enhance provisioning intelligence and implement business policies. Both plug-ins are invoked by Oracle Identity Management components such as the Oracle Internet Directory Provisioning Console and bulk provisioning with the Directory Integration and Provisioning Assistant.
The Pre-Data Entry plug-in populates fields according to provisioning policies. The primary purpose of this plug-in is to determine whether a user should be provisioned in a given application. For example, if an organization has a policy where only managers are provisioned for a financial application, the Pre-Data Entry plug-in can be used to identify which user entries to provision. Common user attributes are already populated when this plug-in is invoked, so it should have adequate information to make provisioning decisions.
The Post-Data Entry plug-in primarily validates data entered by users for common attributes and application-specific attributes. The validation for the plug-in must be successful in order for provisioning to continue.
Figure 12-5 illustrates the provisioning data flow using the Pre-Data Entry and Post-Data Entry plug-ins.
As illustrated in Figure 12-5, the provisioning data flow follows this process:
1. Base user information is created.
2. The Pre-Data Entry plug-in is invoked, which populates fields according to policies.
3. The Post-Data Entry plug-in is invoked, which validates data entered by the user.
4. Depending on the provisioning approach, either asynchronous or synchronous provisioning procedures are invoked.
If provisioning is performed with the Provisioning Console, then after the Pre-Data Entry plug-in is invoked, but before the Post-Data Entry plug-in is invoked, an administrator can modify the application attributes.
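The data flow above, together with the synchronous execution-status handling described earlier for the Data Access Java plug-in, as an added model that is not Oracle's code or the plug-in API: a Pre-Data Entry policy (managers only for the financial application), Post-Data Entry validation that must pass before provisioning continues, and a synchronous plug-in whose SUCCESS or FAILURE decides what is recorded in the user's per-application provisioning status. Every function, sample user, and backend is hypothetical, and the status names other than PROVISIONING_FAILURE are assumed rather than taken from the page.

```python
from dataclasses import dataclass, field

PROVISIONING_FAILURE = "PROVISIONING_FAILURE"            # status named on the page
PROVISIONING_SUCCESSFUL = "PROVISIONING_SUCCESSFUL"      # assumed status name
PROVISIONING_NOT_REQUIRED = "PROVISIONING_NOT_REQUIRED"  # assumed status name

@dataclass
class UserEntry:
    """Hypothetical stand-in for a directory user entry and its app-specific attributes."""
    uid: str
    title: str
    mail: str = ""
    app_attrs: dict = field(default_factory=dict)
    provisioning_status: dict = field(default_factory=dict)  # application -> status

def pre_data_entry(user, app):
    """Policy step: decide whether to provision and populate fields; True means provision."""
    if app == "financial" and user.title.lower() != "manager":
        return False
    user.app_attrs.setdefault("costCenter", "UNASSIGNED")  # admin may change this later
    return True

def post_data_entry(user, app):
    """Validation step: returns the list of attributes that fail; empty list means valid."""
    errors = []
    if "@" not in user.mail:
        errors.append("mail")
    if app == "financial" and user.app_attrs.get("costCenter") == "UNASSIGNED":
        errors.append("costCenter")
    return errors

def data_access_plugin(user, app, create_account):
    """Synchronous plug-in: returns (execution status, provisioning status or None)."""
    try:
        create_account(app, user.uid, dict(user.app_attrs))
        return "SUCCESS", PROVISIONING_SUCCESSFUL
    except Exception:  # plug-in reports FAILURE; no provisioning status comes back with it
        return "FAILURE", None

def provision(user, app, create_account):
    """Run one new-user request through the flow and record the per-application status."""
    if not pre_data_entry(user, app):
        user.provisioning_status[app] = PROVISIONING_NOT_REQUIRED
        return user.provisioning_status[app]
    if post_data_entry(user, app):
        return None  # validation must succeed for provisioning to continue
    exec_status, prov_status = data_access_plugin(user, app, create_account)
    user.provisioning_status[app] = prov_status if exec_status == "SUCCESS" else PROVISIONING_FAILURE
    return user.provisioning_status[app]

ACCOUNTS = {}  # constructed in-memory application repository
def create_ok(app, uid, attrs):
    ACCOUNTS[(app, uid)] = attrs
def create_down(app, uid, attrs):
    raise ConnectionError("application repository unreachable")  # constructed failure
```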