Saturday, June 27, 2015

Send email to user from OAAM 11G

We came across an interesting requirement a few months back: when a user is either blocked or updates his/her self-profile in OAAM, the user should be notified by email about their status. Even though OAAM has the ability to send email to the user using the Java Mail API, it is hard to maintain the templates there. We chose instead to design and create the email templates in OIM, since all email templates are then centralized in one location and easy to maintain. OAAM makes a call to OIM to send the emails to the user.

Note: OIM, OAM, OAAM, OID and OVD were integrated together.

In this post, we are going to see how to read the OIM connection details and connect to OIM from OAAM. Since OIM and OAAM are integrated, the OIM connection details are maintained in the OAAM properties. If the Credential Store Factory (CSF) is enabled in OAAM, the OIM credentials are available in the WebLogic CSF; otherwise, they are in the OAAM properties.

Make sure you pass the OIM user login ID as well as the name of the email template you created in OIM to the method below.
You need to import the classes below in order to read credentials from the WebLogic CSF (the remaining imports are the OIM client/notification API, the OAAM property utilities and the JDK collections the method uses):
import java.util.HashMap;
import java.util.Hashtable;

// OAAM: CSF access and the OAAM property store (packages as shipped in the OAAM 11g shared libraries)
import oracle.oaam.common.util.CSFUtil;
import oracle.security.jps.service.credstore.PasswordCredential;
import com.bharosa.common.util.BharosaConfig;
import com.bharosa.common.util.StringUtil;

// OIM 11g client and notification API
import oracle.iam.platform.OIMClient;
import oracle.iam.notification.api.NotificationService;
import oracle.iam.notification.vo.NotificationEvent;

private void sendEmailFromOIM(String userLogin, String emailTemplate)
{
 OIMClient mOimClient = null;
 try {
  String oimUsername = null;
  String oimPassword = null;

  // When this flag is true the OIM credentials live in the WebLogic CSF, otherwise in OAAM properties.
  boolean isCSFEnabled = BharosaConfig.getBoolean("oaam.oim.csf.credentials.enabled", false);
  System.out.println("isCSFEnabled : " + isCSFEnabled);

  if (isCSFEnabled) {
   // Read OIM credentials from CSF: map "oaam", key "oim.credentials".
   PasswordCredential oimCredentials = (PasswordCredential) CSFUtil.getCredential("oaam", "oim.credentials");
   if (oimCredentials != null) {
    oimUsername = oimCredentials.getName();
    oimPassword = new String(oimCredentials.getPassword());
   } else {
    String message = "OIM CSF Credentials flag 'oaam.oim.csf.credentials.enabled' is set to true but there are no credentials under 'oim.credentials' alias";
    System.out.println("message : " + message);
   }
  } else {
   // Read OIM credentials from OAAM properties.
   oimUsername = BharosaConfig.get("oaam.oim.admin.loginid");
   oimPassword = BharosaConfig.get("oaam.oim.admin.password");
  }

  // Fail early instead of hitting a NullPointerException on login() below.
  if (oimUsername == null || oimPassword == null) {
   System.out.println("OIM credentials are not available; email not sent");
   return;
  }

  // Print OIM credentials :: TESTING PURPOSE ONLY, remove before deploying
  System.out.println("oimUserName : " + oimUsername);
  System.out.println("oimPassword : " + oimPassword);

  // Connection settings; the ${oracle.oaam.home} placeholders are expanded further down.
  String oimUrl = BharosaConfig.get("oaam.oim.url");
  System.out.println("oimUrl : " + oimUrl);

  String oimInitCtxFactory = BharosaConfig.get("oaam.oim.initial.context.factory", "weblogic.jndi.WLInitialContextFactory");
  System.out.println("oimInitCtxFactory : " + oimInitCtxFactory);

  String xlHomeDir = BharosaConfig.get("oaam.oim.xl.homedir", "${oracle.oaam.home}/../designconsole");
  System.out.println("xlHomeDir : " + xlHomeDir);

  String authCfg = BharosaConfig.get("oaam.oim.auth.login.config", "${oracle.oaam.home}/../designconsole/config/authwl.conf");
  System.out.println("authCfg : " + authCfg);

  oimUrl = StringUtil.expandProperties(oimUrl);
  oimInitCtxFactory = StringUtil.expandProperties(oimInitCtxFactory);
  xlHomeDir = StringUtil.expandProperties(xlHomeDir);
  authCfg = StringUtil.expandProperties(authCfg);

  // The OIM client reads these two system properties (design console home and JAAS login config).
  System.setProperty("XL.HomeDir", xlHomeDir);
  System.setProperty("java.security.auth.login.config", authCfg);

  Hashtable<String, String> env = new Hashtable<String, String>();
  env.put("java.naming.factory.initial", oimInitCtxFactory);
  env.put("java.naming.provider.url", oimUrl);

  System.out.println("connecting to oim....");
  // Instantiate OIMClient and log in with the OIM admin account
  mOimClient = new OIMClient(env);
  mOimClient.login(oimUsername, oimPassword.toCharArray());
  System.out.println("oim connection established");

  // Data substituted into the template; "Display_Name" must match the placeholder defined in the OIM template
  HashMap<String, Object> emailData = new HashMap<String, Object>();
  emailData.put("Display_Name", userLogin);

  // Instantiate the Notification Service and build the event for the given template and recipient
  NotificationService notifySrvc = mOimClient.getService(NotificationService.class);
  NotificationEvent emailEvent = new NotificationEvent();
  emailEvent.setTemplateName(emailTemplate);
  emailEvent.setSender("NOTIFICATIONADMIN");
  emailEvent.setUserIds(new String[] { userLogin });
  emailEvent.setParams(emailData);

  try {
   // Send email to user
   notifySrvc.notify(emailEvent);
  } catch (Exception e) {
   System.out.println("Error on sending email : " + e.getMessage());
   e.printStackTrace();
  }
 }
 catch (Exception e) {
  System.out.println("OIM Changes :" + e.getLocalizedMessage());
  e.printStackTrace();
 }
 finally {
  // Release the OIM session so the connection is not leaked
  if (mOimClient != null) {
   mOimClient.logout();
  }
 }
}

NOTE: In this example, I have printed all values, including the OIM credentials, for testing purposes. Make sure you do not print any of these values in your environment.

Wednesday, June 10, 2015

OIM 11GR2 Disconnected resource creation and provision

This post covers the detailed steps for creating and provisioning a disconnected resource. I hope this will help new learners who are interested in learning about connectors, and it will also be handy as a quick reference.

High Level Steps:
  1. Creation of IT Resource Type Definition
  2. Creation of Resource Object
  3. Creation of IT Resource
  4. Creation of User Form
  5. Creation of Process Definition
  6. Creation of Application Instance
  7. Provisioning Resource

Creation of IT Resource Type Definition for Virtual Resource

The IT Resource Type Definition represents the resource connection details. Since this is a virtual resource that is not going to interact with an external system, we can use dummy values.

Steps to create IT Resource Type Definition:
  1. Log in to the OIM Design Console.
  2. Click IT Resource Type Definition under Resource Management.
  3. Create a new IT Resource Type Definition with the Server Type defined as IT_SSU.
  4. Add a parameter with Field Name “Name” and Default Field Value “SSU”, as per the screenshot below:


Creation of Resource Object for Virtual Resource

The resource object is the OIM representation of the resource.

Steps to create Resource Object:
  1. Log in to the OIM Design Console.
  2. Click Resource Objects under Resource Management.
  3. Create a new resource object with the name RO_SSU and save it.

This Resource Object should have the values below:
· Type: Application
· In the Status Definition tab, “Enabled” and “Provisioned” should be checked



Creation of IT Resource for Virtual Resource

Log in to the OIM system admin console and create a new IT Resource with the name “ITR_SSU”. Since this is a dummy resource, we can give any dummy value to the IT Resource parameters. I have given the parameter “Name” the value “SSU”.



Creation of User Form for Virtual Resource

The process form contains the provisioning details that need to be passed to the target system. Since this is a virtual resource, I have set a default value for every field.

Steps to create the process form:
  1. Log in to the Oracle Identity Manager Design Console.
  2. Click Form Designer under Development Tools.
  3. Create a new form with the Table Name UD_SSU as per the screenshot below. Save it.
  4. Click on the Properties tab and add the properties Type as “IT_SSU”, Required as “true”, and IT Resource as “ITR_SSU” for the ITResource column, as per the screenshots below.
  5. Save it.

Creation of Process Definition for Virtual Resource

The process definition defines the behavior of the connector. Every operation has a corresponding task associated with it. In this post, we cover only provisioning and deprovisioning.

Steps to create the Process Definition:
  1. Log in to the Oracle Identity Manager Design Console.
  2. Click Process Definition under the Process Management tab.
  3. Create a new process definition and name it PD_SSU.
  4. Select Provisioning as the Type of process.
  5. For the resource Object Name of the identity connector, select RO_SSU.
  6. For the process form Table Name, select UD_SSU.
  7. Save it.
  8. Add a process task and name it “Delete User”. This task is triggered when the resource is deprovisioned for a user. Save it.

Make sure the Conditional box is checked and Allow Multiple Instances is unchecked. Optionally, you can set the retry count and retry period (in minutes) so that OIM retries a failed task.


In the Integration tab, choose the adapter “tcCompleteTask”, because this task is not going to interact with a real target system.

Add a response for Complete with status “R”.


In Task to Object Status Mapping, map the Complete response to the status that should be displayed in the Resource history.


  9. Add a process task and name it “Create User”. This task is triggered when the resource is provisioned for a user. Give it a description of your choice and save it.

Make sure both Conditional and Allow Multiple Instances are unchecked. Optionally, you can set the retry count and retry period (in minutes) so that OIM retries a failed task.


In the Integration tab, choose the adapter “tcCompleteTask”, because this task is not going to interact with a real target system either.


Add a response for Complete with status “C”.


In the Undo/Recovery tab, add the deprovisioning task, “Delete User”.

In Task to Object Status Mapping, map the Complete response to the status that should be displayed in the Resource history.


Save all process definition changes.

Creation of Application Instance

  1. Log in to the OIM system admin console with admin privileges.
  2. Create the sandbox “SSU” and activate it for the Application Instance.
  3. Create a new form “FORMSSU” for the resource object “RO_SSU”.
  4. Create the new application instance AppSSU1.
  5. Export the sandbox “SSU” if you are propagating it from one environment to another. Otherwise, you can publish it.

Note: Once you have created the Application Instance, you should run the “Catalog Synchronization” job in order to make the newly created app instance available to users.


Provision Resource to User

Testing provisioning of the resource to a user:

  1. Log in to the OIM identity console.
  2. Select any user and go to the Accounts tab, then click on “Request Accounts”; it will take you to the Catalog page.
  3. Select the application instance “AppSSU1” and then click on “Add to Cart”.
  4. Click on “Checkout” and then “Ready To Submit”.
  5. Finally, click on Submit and the resource will be provisioned to the user.

OAAM 11G Redirect User To Security Profile Setting Page

I came across an interesting requirement a few months back. Users were migrating from their existing legacy system to Oracle IAM. During the migration, a user should be authenticated against the legacy trusted system instead of the IAM directory service, and should then be redirected to the product's security profile settings in order to set up their profile.

Here we had two challenges in the requirements:
    1. Implementing custom authentication instead of the product's OOTB authentication.
    2. Redirecting to the product's security profile settings.


Note: Oracle won't provide any support, as we are customizing the product extensively.

1. Authentication Against Legacy System
Once the user enters their credentials, a custom servlet placed in the default flow intercepts the user request and validates the credentials against the legacy system.


2. Redirect to Security Profile Setting Page
Once the user has authenticated successfully, the user is redirected to the migration page. Upon successful migration, the user is redirected to the product's profile setting page to complete their security profile.

In order to redirect to the security profile page, we need to make the changes below in the custom servlet:

  i. Create the user object if it does not exist; otherwise, retrieve the user from OAAM using the OAAM API. In most cases user creation will not be needed, as OAAM maintains the user details in a persistent cookie in the browser.

        User exists in OAAM
        Retrieve the user from the session data:
UIOSessionData sessionData = UIOSessionData.instance(request);
VCryptAuthUser user = sessionData.getClientAuthUser();

        User does not exist in OAAM
        Whenever a user logs in, OAAM creates the user account and stores it in the vcrypt_user table. If the user does not exist, create the OAAM user object and set it in the session data:

// Set user attributes such as user id, customer id, group, status, preference
VCryptAuthUser user = new VCryptAuthUser();

// Create the user using the private API
user = getBharosaProxy().createUser(user);

// Retrieve the user object by login id and put it in the session data
user = BharosaProxyImpl.getInstance().getUserByLoginId("chella");
user.setCustomerGroupId("Default");
sessionData.setClientAuthUser(user);
sessionData.setCustomerId(user.getCustomerId());
sessionData.setLoginId(user.getLoginId());
sessionData.setUserEnteredLoginId(user.getLoginId());

 ii. Set the authentication result to success and set "user authenticated" to true, because this is what makes OAAM treat the user as successfully authenticated:
sessionData.setAuthResult(0); // Success
sessionData.setIsAuthenticated(true); // Authenticate True is success

iii. Update the authentication status before redirecting:
UIOUtil uioUtil = UIOUtil.instance();
uioUtil.updateAuthStatus(sessionData);

 iv. Redirect the user to the OAAM server's updateLoginStatus.do so that the user can set up their security profile.

  v. If the user's profile has not been set up yet, the user is prompted to choose an image and security profile questions. Otherwise, the user is prompted to answer the challenge questions.
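Steps i to iv above are fragments; the servlet below is an added example (not code from the original post) that puts them together in one request handler, with the legacy check gating everything else: the OAAM user lookup or creation, the success flags and the redirect only run after the legacy system has verified the credentials, and a failed check leaves the session untouched. It assumes the OAAM classes referenced in the post (UIOSessionData, UIOUtil, VCryptAuthUser, BharosaProxyImpl) are imported from the OAAM shared library, that BharosaProxyImpl is the proxy behind the post's getBharosaProxy() call, that VCryptAuthUser has a setLoginId setter, that the login form posts "userid" and "password" fields, and that a failure page exists at login.jsp; the LegacyAuthenticator interface is hypothetical and stands for whatever client talks to the legacy system.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// OAAM classes used below (UIOSessionData, UIOUtil, VCryptAuthUser, BharosaProxyImpl)
// come from the OAAM shared library on the server classpath; packages are not repeated here.

public class LegacyMigrationServlet extends HttpServlet {

    /** Hypothetical boundary to the legacy trusted system; not an OAAM API. */
    public interface LegacyAuthenticator {
        boolean verify(String loginId, char[] password);
    }

    private final LegacyAuthenticator legacy;

    public LegacyMigrationServlet(LegacyAuthenticator legacy) {
        this.legacy = legacy;
    }

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String loginId = request.getParameter("userid");     // assumed form field names
        String password = request.getParameter("password");
        UIOSessionData sessionData = UIOSessionData.instance(request);

        // Verify against the legacy system first. On failure nothing in the OAAM
        // session is changed, so the user stays unauthenticated (fail closed).
        boolean verified = loginId != null && password != null
                && legacy.verify(loginId, password.toCharArray());
        if (!verified) {
            response.sendRedirect(request.getContextPath() + "/login.jsp?error=1"); // assumed failure page
            return;
        }

        // Step i: reuse the OAAM user if it exists, otherwise create it.
        VCryptAuthUser user = BharosaProxyImpl.getInstance().getUserByLoginId(loginId);
        if (user == null) {
            VCryptAuthUser newUser = new VCryptAuthUser();
            newUser.setLoginId(loginId);              // assumed setter
            newUser.setCustomerGroupId("Default");
            BharosaProxyImpl.getInstance().createUser(newUser);
            user = BharosaProxyImpl.getInstance().getUserByLoginId(loginId);
        }
        sessionData.setClientAuthUser(user);
        sessionData.setCustomerId(user.getCustomerId());
        sessionData.setLoginId(user.getLoginId());
        sessionData.setUserEnteredLoginId(user.getLoginId());

        // Step ii: mark the authentication as successful, only now that the legacy check passed.
        sessionData.setAuthResult(0);        // 0 = success
        sessionData.setIsAuthenticated(true);

        // Step iii: persist the authentication status before leaving the servlet.
        UIOUtil.instance().updateAuthStatus(sessionData);

        // Step iv: hand over to OAAM's own flow, which shows the profile registration
        // or the challenge questions (step v) depending on the user's state.
        response.sendRedirect(request.getContextPath() + "/updateLoginStatus.do");
    }
}
```

The ordering is the point of the example: setAuthResult(0) and setIsAuthenticated(true) are what OAAM trusts, so any code path that reaches them without a prior successful legacy check is an authentication bypass, which is why the verification and the early return come before the user lookup.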