Chat now with support
Chat mit Support

Identity Manager 8.2.1 - Configuration Guide

About this guide One Identity Manager software architecture Customizing the One Identity Manager default configuration Customizing the One Identity Manager base configuration One Identity Manager schema basics Editing the user interface
Object definitions for the user interface User interface navigation Forms for the user interface Statistics in One Identity Manager Extending the Launchpad Task definitions for the user interface Applications for configuring the user interface Icons and images for configuring the user interface Using predefined database queries
Localization in One Identity Manager Process orchestration in One Identity Manager
Mapping processes in One Identity Manager Setting up Job servers
The One Identity Manager Service functionality Tracking changes with process monitoring Conditional compilation using preprocessor conditions Scripts in One Identity Manager
Visual Basic .NET scripts usage Notes on message output Notes on using date values Tips for using Windows PowerShell scripts Using dollar ($) notation Using base objects Calling functions Pre-scripts for use in processes and process steps Using session services Using #LD-notation Script library Support for processing scripts in the Script Editor Creating and editing scripts in the Script Editor Copying scripts in the Script Editor Testing scripts in the Script Editor Testing script compilation in the Script Editor Overriding scripts Permissions for running scripts Editing and testing script code with the System Debugger Extended debugging in the Object Browser
One Identity Manager query language Reports in One Identity Manager Adding custom tables or columns to the One Identity Manager schema Web service integration One Identity Manager as SCIM 2.0 service provider SOAP Web Service One Identity Manager as SPML provisioning service provider Processing DBQueue tasks One Identity Manager Service configuration files

Authenticating SCIM plugins in One Identity Manager

To access the One Identity Manager database, the SCIM plugin be authenticated. Authentication is carried out by the One Identity Manager authentication modules. For more information, see the One Identity Manager Authorization and Authentication Guide.

The authentication modules are checked in the following order and the first successful authentication module is used for logging in. Ensure sure that at least one authentication module is enabled and configured.

  1. Employee (Person)

  2. Active Directory user account (ADSAccount)

  3. Employee (role-based) (RoleBasedPerson)

  4. Active Directory user account (role-based) (RoleBasedADSAccount)

  5. HTTP Header (role-based) (RoleBasedHTTPHeader)

  6. HTTP Header (HTTPHeader)

  7. OAuth 2.0/OpenID Connect (role-based) (OAuthRoleBased)

Related topics

Special features of generating the SCIM schema

The SCIM 2.0 schema exported to the /Schemas endpoint is generated from the One Identity Manager schema. The table definitions to take into account are supplied as are the M:N figures to publish. A data object description with simple and complex properties is created for each table.

Columns in a table

The columns of a table are mapped to simple properties of integral types.

Foreign key relations

The foreign key relations of a table are only included in the schema if the reference's target table is also part of the schema. In this case, a complex property is published with the foreign key's column name. This complex property has the value, $ref, and displayName properties.

The complex property is marked in the schema with the "returned" : "request" attribute. To be able to read this data, the property must be explicitly requested by the SCIM client using the attributes URL parameter.

Example:

https://<servername>.<domainname>/ApiServer/scim/v2/Locality/0294ce3c-8286-4641-bc13-9bcd4a2fd714?attributes=cn,City,UID_PersonHead

M:N tables

M:N tables are published under the members complex property in the schema. This also applies if there are several M:N tables to take into account. This complex property defines an array of subelements that have the value, type, $ref, and display properties.

The members complex property is marked in the schema with the attribute "returned" : "request". To be able to read this data, the property must be explicitly requested by the SCIM client via the URL parameter attributes.

Example:

http://<servername>.<domainname>/ApiServer/scim/v2/UNSGroupB/94bbe614-0a6e-4659-8fe9-20da94d967c8?attributes=cn,members

If several M:N tables are grouped together, the distinction, from which table the respective element originates, is made on the basis of the value in the type property. Ensure that the value in the type property is also passed when writing to the property. The values accepted as correct are defined in the schema on the respective type subattribute as a list in canonicalValues.

If the value for type cannot be determined for the SCIM client, it can be left blank and is not transmitted with the PUT or PATCH request. The SCIM plugin tries to determine the correct type. The element's ID passed in the value property is used to search in all One Identity Manager tables that are part of the members definition. If the object is found in the process, the operation can be performed.

SCIM plugin requests

Base URL requests

The SCIM 2.0 specification provides optional requests for the SCIM service provider base URL. These requests can contain a filter expression if required. This is mainly used to search for objects when their endpoint is not known exactly and so the search must be across endpoints.

The SCIM plugin supports these requests. In the filter, only logical OR operations and the comparison operators eq, sw, ew as well as co are allowed, which must reference the Resourcetype metadata.

Example:

https://<servername>.<domainname>/ApiServer/scim/v2?filter=(meta.Resourcetype eq “Locality”) or (meta.Resourcetype sw “D”)

The result can contain a list of objects of different types, but the number of returned elements must not exceed 10,000 for load and performance reasons. Otherwise an error message of type tooMany is returned. The search condition should be refined and the result should be more restricted.

Endpoint URL requests

The SCIM 2.0 specification provides for optional filter, attributes, count, and startIndex parameters for requests to the endpoints defined by /ResourceTypes. Requests with the ID of a concrete object (the URL contains the id of the object) can have the excludedAttributes and attributes parameters. The SCIM plugin supports these parameters.

Endpoint requests return a list of all elements (or all elements matching the filter). This allows the SCIM client to initiate index-based paging by specifying the desired number of records per page ( count and startIndex parameters).

Example: Endpoint request

http://<servername>.<domainname>/ApiServer/scim/v2/Person

Example: Request the first 100 elements of an endpoint with paging

http://<servername>.<domainname>/ApiServer/scim/v2/Person?startindex=1&count=100

Example: Endpoint request with filter

http://<servername>.<domainname>/ApiServer/scim/v2/Person?filter=InternalName co "Y"

Example: Endpoint request with filter and output of two additional properties

http://<servername>.<domainname>/ApiServer/scim/v2/Person?filter=InternalName co "Y"&attributes=ExitDate,TechnicalEntryDate

Example: Endpoint request for an object

http://<servername>.<domainname>/ApiServer/scim/v2/UNSGroupB/94bbe614-0a6e-4659-8fe9-20da94d967c8

Example: Endpoint request for specific properties of an object

http://<servername>.<domainname>/ApiServer/scim/v2/UNSGroupB/94bbe614-0a6e-4659-8fe9-20da94d967c8?attributes=cn,members

SOAP Web Service

One Identity Manager's SOAP Web Service provides a SOAP interface for accessing the One Identity Manager object model. The SOAP Web Service manages a connection pool. Not every call opens a new connection. Not all object layer functions are support by the SOAP Web Service. The SOAP Web Service supplies methods for single objects, object lists, and function call.

Table 184: Methods for single objects
Method Description

CreateSingleObject

Adds a new single object.

GetCompleteSingleObject

Loads a single complete object from the database with all parameters.

GetCompleteSingleObjectEx

Functionality analog to GetCompleteSingleObject with support for a multi-column primary key.

GetSingleObject

Loads a single object from the database.

GetSingleObjectEx

Functionality analog to GetSingleObject with support for a multi-column primary key.

ChangeSingleObject

Saves changes to a single object.

ChangeSingleObjectEx

Functionality analog to ChangeSingleObject with support for a multi-column primary key.

DeleteSingleObject

Deletes a single object.

DeleteSingleObjectEx

Functionality analog to DeleteSingleObject with support for a multi-column primary key.

Exists

Does a specific single object exist?

ExistsEx

Functionality analog to Exists with support for a multi-column primary key.

GetSingleProperty

Gets a single value from an object.

GetSinglePropertyEx

Functionality analog to GetSingleProperty with support for a multi-column primary key.

Table 185: Methods for object lists
Method Description

GetListObject

Loads a list of objects.

GetListObjectWithDisplays

Loads a list of objects with data additional to the primary key about the columns to load.

Table 186: Methods for function calls
Function Description

InvokeCustomizer

Calls a customizer method for an object.

InvokeCustomizerEx

Functionality analog to InvokeCustomizer with support for a multi-column primary key.

InvokeDialogMethod

Calls a dialog method for a dialog object.

InvokeDialogMethodEx

Functionality analog to InvokeDialogMethod with support for a multi-column primary key.

FireGenEvent

Generates processes of a specific event.

FireGenEventEx

Functionality analog to FireGenEvent with support for a multi-column primary key.

Detailed information about this topic
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen