Microsoft Active Directory connector

Request-Based Provisioning. When you install the connector on Oracle Identity Manager, the direct provisioning feature is automatically enabled. This means that the process form is enabled when you install the connector. If you configure the connector for request-based provisioning, then the process form is suppressed and the object form is displayed. In other words, direct provisioning is disabled when you configure the connector for request-based provisioning.

If you want to revert to direct provisioning, then perform the steps described in Switching Between Request-Based Provisioning and Direct Provisioning. Figure shows this page. From the list of users displayed in the search results, select the OIM User. The user details page is displayed on the right pane. From the Action menu, select Add Resource. The Provision Resource to User page is displayed in a new window. Figure shows the Step 1: Select a Resource page. Figure shows the Step 2: Verify Resource Selection page.

On the Step 5: Provide Process Data for Active Directory Users Form page, enter the details of the account that you want to create on the target system and then click Continue. Figure shows the user details added. If required, on the Step 5: Provide Process Data for Assigned Groups Form page, search for and select a group for the user on the target system and then click Continue. On the Step 6: Verify Process Data page, verify the data that you have provided and then click Continue.

Figure shows Step 6: Verify Process Data page. On the Resources tab, click Refresh to view the newly provisioned resource. A request-based provisioning operation involves both end users and approvers. Typically, these approvers are in the management chain of the requesters. The following sections discuss the steps to be performed by end users and approvers during a request-based provisioning operation:

The procedures described in these sections are built on an example in which the end user raises or creates a request for provisioning a target system account. This request is then approved by the approver. Approver's Role in Request-Based Provisioning. If you want to create a provisioning request for more than one user, then from the Available Users list, select users to whom you want to provision the account. A message confirming that your request has been sent successfully is displayed along with the Request ID.

If you have configured the connector for request-based provisioning, you can always switch to direct provisioning. Similarly, you can always switch back to request-based provisioning at any time. This section discusses the following topics: Expand Process Management, and then double-click Process Definition. Expand Resource Management, and then double-click Resource Objects.

Create a user. In the Catalog page, search for and add to cart the application instance created in Creating an Application Instance, and then click Checkout. Specify values for the fields in the application form and then click Ready to Submit. In the Catalog page, search for and add to cart the entitlement, and then click Checkout. Uninstalling the connector deletes all the account-related data associated with resource objects of the connector. If you want to uninstall the connector for any reason, see Uninstalling Connectors in Administering Oracle Identity Manager.

The connector cannot be uninstalled if a valid access policy is present in Oracle Identity Manager. As a workaround, create a dummy resource type by using the design console. Remove the dependent access policy by directing it to a dummy resource type and then remove the dependency from the resource type that must be deleted.

Uninstalling the connector removes only the IT resource definitions and their IT resources that are attached to the process form. The following topics discuss information related to using the connector for performing reconciliation and provisioning operations: Note: These sections provide both conceptual and procedural information about configuring the connector.

It is recommended that you read the conceptual information before you perform the procedures. You must apply the following guidelines while performing reconciliation and provisioning operations: Guidelines on Configuring Reconciliation Guidelines on Performing Provisioning Operations.

In the identity reconciliation mode, if you want to configure organization reconciliation, then note that: Organization reconciliation does not cover reconciliation of updates to existing organization names on the target system.

The following are the scheduled jobs for lookup field synchronization: Note: The procedure to configure these scheduled tasks is described later in the guide.

Table: Attributes of the Scheduled Tasks for Lookup Field Synchronization

Code Key Attribute: Name of the connector or target system attribute that is used to populate the Code Key column of the lookup definition specified as the value of the Lookup Name attribute.

Decode Attribute: Enter the name of the connector or target system attribute that is used to populate the Decode column of the lookup definition specified as the value of the Lookup Name attribute. Depending on the scheduled job you are using, the default values are as follows: for Active Directory Group Lookup Recon, distinguishedName; for Active Directory Organization Lookup Recon, distinguishedName.

Filter: Enter a filter to filter out records to be stored in the lookup definition.

IT Resource Name: Enter the name of the IT resource for the target system installation from which you want to reconcile records. Sample value: Active Directory

Lookup Name: Enter the name of the lookup definition in Oracle Identity Manager that must be populated with values fetched from the target system. OrganizationalUnits

Object Type: This attribute holds the name of the type of object you want to reconcile.

This section discusses the following topics related to configuring reconciliation: Full Reconciliation and Incremental Reconciliation; Limited Reconciliation; Batched Reconciliation. For performing a full reconciliation run, values for the following attributes of the scheduled jobs for reconciling user records must not be present: Batch Start, Filter, Latest Token. At the end of the reconciliation run, the Latest Token attribute of the scheduled job for user record reconciliation is automatically set to the highest value of the uSNChanged attribute of a domain controller that is used for reconciliation.

Note: Filters with wildcard characters are not supported. Example: endsWith 'sn','Doe' In this example, all records whose last name ends with 'Doe' are reconciled. Example: contains 'displayName','Smith' In this example, all records whose display name contains 'Smith' are reconciled.

Example: containsAllValues 'objectClass',['person','top'] In this example, all records whose objectClass contains both "top" and "person" are reconciled. Example 1: greaterThan 'cn','bob' In this example, all records whose common name is present after the common name 'bob' in the lexicographical order or alphabetical order are reconciled. Example 2: greaterThan 'employeeNumber','' In this example, all records whose employee number is greater than are reconciled.

Example 2: greaterThanOrEqualTo 'employeeNumber','' In this example, all records whose employee number is greater than or equal to are reconciled. Example 1: lessThan 'sn','Smith' In this example, all records whose last name is present after the last name 'Smith' in the lexicographical order or alphabetical order are reconciled. Example 2: lessThan 'employeeNumber','' In this example, all records whose employee number is less than are reconciled. Example 2: lessThanOrEqualTo 'employeeNumber','' In this example, all records whose employee number is less than or equal to are reconciled.

Example: not contains 'cn', 'Mark' In this example, all records whose common name does not contain 'Mark' are reconciled. To configure batched reconciliation, specify values for the following attributes: Batch Size: Use this attribute to specify the number of records that must be included in each batch.

Note: Sorting a large number of records on the target system fails during batched reconciliation. Batch Start Enter the number of the target system record from which a batched reconciliation run must begin. Filter Expression for filtering records. Default value: None Incremental Recon Attribute Enter the name of the target system attribute that holds a non-decreasing, last-update-related number.

Add the following code key and decode values in the configuration lookup Lookup. Default value: yes Note: Do not change the value of this attribute. Object Type This attribute holds the type of object you want to reconcile. Default value: User Resource Object Name Enter the name of the resource object against which reconciliation runs must be performed.

Scheduled Task Name This attribute holds the name of the scheduled task. Sync Token This attribute must be left blank when you run delete reconciliation for the first time.

Active Directory Organization Recon This scheduled job is used to reconcile organization data from the target system. See Also: The following sections for information about running group and organization reconciliation: Configuring and Running Group Reconciliation; Configuring and Running Organization Reconciliation. Default value: None Note: While creating filters, ensure that you use attributes specific to Groups or Organizational Units.

Incremental Recon Attribute Enter the name of the target system attribute that holds a non-decreasing, last-update-related number. IT Resource Name Enter the name of the IT resource for the target system installation from which you want to reconcile group or organization data.

Default value: Active Directory Latest Token This attribute holds the value of the uSNChanged attribute of a domain controller that is used for reconciliation. Sample value: 0 Note: The reconciliation engine automatically enters a value for this attribute. Object Type Type of object to be reconciled. Organization Name Enter the name of the organization to which all groups fetched from the target system are linked. Resource Object Name Name of the resource object that is used for reconciliation.

Scheduled Task Name Name of the scheduled task used for reconciliation. Search Base Enter the container in which the search for group or organization records must be performed during reconciliation. Search Scope Enter subtree if you want the scope of the search for records to be reconciled to include the container specified by the Search Base attribute and all of its child containers. Default value: Active Directory Object Type This attribute holds the type of object you want to reconcile.

Default value: Group Resource Object Name Enter the name of the resource object against which reconciliation runs must be performed. Organization Name Enter the name of the organization to which data about all deleted groups fetched from the target system is linked. Depending on the scenario in which you want to perform group reconciliation, perform one of the following procedures: See Reconciling Target System Groups into Individual Organizations to reconcile each target system group into an organization of its own.

To perform group reconciliation in this scenario: Clear the value in the Latest Token attribute of the scheduled job. Clear the value in the Latest Token attribute. The following is the procedure to run the scheduled job for organization reconciliation: To configure a scheduled job: If you are using Oracle Identity Manager release In the left pane, under System Management, click Scheduler. Search for and open the scheduled task as follows: On the left pane, in the Search field, enter the name of the scheduled job as the search criterion.

In the search results table on the left pane, click the scheduled job in the Job Name column. On the Job Details tab, you can modify the parameters of the scheduled task: Retries: Enter an integer value in this field.

Note: Attribute values are predefined in the connector XML file that you import. Add entries to the Lookup.Configuration lookup definition. For a custom shell script, enter Shell as the decode value. Enter Resource as the decode value. Note: If you are using a PowerShell script, then before running the script by using the connector or Oracle Identity Manager, verify the following on the computer running the connector server: You must be able to connect manually to the AD server with the values specified in the script using the PowerShell window without any issues.

During create operations, all attributes that are part of the process form are available to the script. During update operations, only the attribute that is being updated is available to the script. ProvAttrMap Lookup. You can call any VB script from a shell and pass the process form fields. Addition of child table attributes belongs to the 'Update' category and not 'Create'.

The following sections discuss the steps to be performed by end users and approvers during a request-based provisioning operation: Note: The procedures described in these sections are built on an example in which the end user raises or creates a request for provisioning a target system account. Effective Date Justification A message confirming that your request has been sent successfully is displayed along with the Request ID.

Search for and open the AD User process definition. Select the Auto Save Form check box. Click the Save icon. If you want to enable end users to raise requests for themselves, then: Expand Resource Management, and then double-click Resource Objects. Search for and open the AD User resource object. Select the Self Request Allowed check box. To perform provisioning operations in Oracle Identity Manager release On the Account tab, click Request Accounts.

Click Submit. If you want to provision entitlements, then: On the Entitlements tab, click Request Entitlements.

Note: The connector cannot be uninstalled if a valid access policy is present in Oracle Identity Manager. Enter a filter to filter out records to be stored in the lookup definition. Sample value: Active Directory. This attribute holds the name of the type of object you want to reconcile. String Filters. Records whose attribute value starts with the specified prefix are reconciled. Records whose attribute value ends with the specified suffix are reconciled.

Records where the specified string is contained in the attribute's value are reconciled. Records that contain all the specified strings for a given attribute are reconciled. Equality and Inequality Filters.

Records whose attribute value is equal to the value specified in the syntax are reconciled. Complex Filters.

Records that do not satisfy the given filter condition are reconciled. Enter the number of records that must be included in each batch fetched from the target system. Enter the number of the target system record from which a batched reconciliation run must begin.

Default value: None. Incremental Recon Attribute. Name of the IT resource instance that the connector must use to reconcile data. Enter the number of batches that must be reconciled. This attribute holds the type of object you want to reconcile. Default value: User Note: If you configure the connector to provision users to a custom class, for example InetOrgPerson, then enter the value of that object class here. The email attribute is autopopulated for any user with a valid Exchange license.

If the user is not email-enabled, this error will be received because the application needs to read this attribute to grant access. You can go to portal. Once the Microsoft license is assigned, it may take some minutes to be applied. After that, the user.

In the Azure portal, on the Google Cloud G Suite Connector application integration page, find the Manage section and select single sign-on. These values are not real. If you check the domain-specific issuer option it will be google. The following screenshot shows an example of this.

The default value of Unique User Identifier is user. For that you can use user. In this section, you'll enable B. Perform the following configuration changes in the Third-party SSO profile for your organization tab:

In Google Cloud G Suite Connector, for the Verification certificate, upload the certificate that you have downloaded from the Azure portal. After the user has been created manually in Google Cloud G Suite Connector, the user will be able to sign in using their Microsoft login credentials.

Google Cloud G Suite Connector also supports automatic user provisioning. When not provided, it defaults to the value provided for spec. This field is optional and defaults to 1 when not provided. When not provided, it defaults to true i. Make sure to replace the values with the ones for your AD domain.

The following command deploys the AD connector instance. Currently, only the kube-native approach to deployment is supported. After submitting the deployment of the AD Connector instance, you can check the status of the deployment using the following command.


