Split profiles with AD and OID for Fusion Apps IDM

Introduction

 

A split profile, or split directory configuration, is one where identity data is stored in multiple directories. A split profile is used to store the custom attributes required for a Fusion Applications deployment. This type of deployment is used when you do not want to modify the existing Identity Store by extending its schema. In that case, deploy a new Oracle Internet Directory instance to store the extended attributes.
Another multi-directory scenario is one where you have distinct user and group populations. In this configuration, Oracle-specific entries and attributes are stored in Oracle Internet Directory, and enterprise-specific entries that might carry Fusion Applications-specific attributes are stored in Active Directory.

In this post I will walk you through how to set up split profiles with AD and OID. Oracle Virtual Directory unifies AD and OID to present a single consolidated abstract view. This is a very generic implementation scenario, but it is very important when setting up IDM for Fusion Applications, where clients would like to use their existing Enterprise Repository for the user base but do not wish to modify the existing Enterprise Repository schema. A very common example is to provision users out of an existing AD without replicating the user base to some other repository. A split profile with AD and OID fits this scenario, and OVD is the presenter of the consolidated view.

Details

Commonly asked questions:

  Q1. Why do we need OID for Fusion Applications when the existing Enterprise Repository can be used?
  • All the Fusion Applications specific and Oracle specific attributes are created in OID.
  Q2. Can multiple directories still be used as Identity stores?
  • Yes. Multiple directories can still be used as Identity stores, with Oracle specific attributes present in OID and enterprise specific attributes and Fusion Application specific attributes present in, say, AD. I will discuss this scenario in upcoming blogs.
  Q3. Are user login IDs unique across directories?
  • Yes, this is a prerequisite. The other prerequisites and limitations are discussed in detail in the IDM Enterprise Deployment Guide for Fusion Applications, in the section on configuring directories other than OID.
  Q4. When is a good time to configure split directory mode, before or after FA provisioning?
  • I recommend doing this configuration post FA provisioning.
  • It can also be done prior to FA provisioning; in that case the recommendation is to complete the IDM environment with OVD and OID (ID Store, Policy Store) >> validate the IDM environment >> then proceed with the split AD configuration.
  • Configuring AD and OID before IDM validation is prone to a good number of user errors, which can cascade into FA provisioning if left unchecked.

 

For easy understanding and simple configuration I will stick to the split profile scenario where the existing Enterprise Repository is not extended. In this scenario, this is how the view looks from the OVD level (adapter plug-in view / unified view).

[Image: split-ovd-view, the unified view presented by OVD]

As you see in the image above, even though the actual base of both the OID and AD repositories is the same, 'dc=us,dc=oracle,dc=com', the OVD adapters are configured to map each one uniquely and to consolidate them into a unified view of 'dc=adidm,dc=oididm,dc=com'.

On a high level this configuration can be split into 5 tasks:

1. Set up the shadow directory in OID
2. Create a shadow joiner
3. Create user adapters for AD and OID
4. Create changelog adapters for AD and OID
5. Create the Join View Adapter and Global Change Log Plug-In

1. Set up OID as shadow directory

a. Since AD is not being extended, OID is used as a shadow directory, and Oracle Virtual Directory merges the entries from both directories. For this purpose we need a container in OID to store the Fusion Apps specific attributes. Create the 'shadowentries' container in OID (below is a sample ShadowADContainer.ldif; the cn value must match the RDN in the dn line):

dn: cn=shadowentries
cn: shadowentries
objectclass: top
objectclass: orclContainer

b. Load the container with the following command:

$ORACLE_HOME/bin/ldapadd -h <oid-host> -p <oid-port> -D cn=orcladmin -w <password> -c -v -f ShadowADContainer.ldif

c. Create ACIs on the newly created container to grant access to RealmAdministrators and OIMAdministrators (the latter is the group that does all identity administration in OIM). In LDIF, several change operations on one entry go into a single record, separated by a line containing only "-":

dn: cn=shadowentries
changetype: modify
add: orclaci
orclaci: access to entry by group="cn=RealmAdministrators,cn=groups,cn=OracleContext,dc=us,dc=oracle,dc=com" (browse,add,delete)
orclaci: access to attr=(*) by group="cn=RealmAdministrators,cn=groups,cn=OracleContext,dc=us,dc=oracle,dc=com" (read,write,search,compare)
orclaci: access to entry by group="cn=OIMAdministrators,cn=groups,dc=us,dc=oracle,dc=com" (browse,add,delete)
orclaci: access to attr=(*) by group="cn=OIMAdministrators,cn=groups,dc=us,dc=oracle,dc=com" (search,read,compare,write)
-
add: orclentrylevelaci
orclentrylevelaci: access to entry by * (browse,noadd,nodelete)
orclentrylevelaci: access to attr=(*) by * (read,search,nowrite,nocompare)

d. [Image: shadow_container, how the shadow container looks after creation]
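As an added example (not code from the original post), a small pre-flight script that generates the two step-1 LDIF files from the DNs used above and lints them for mistakes that are easy to make when hand-editing such files: a record without a leading dn: line, a naming attribute whose value does not match the RDN, and a modify record whose change operations are not separated by "-". Loading is still done with ldapadd as in step b; the linter only checks the files before they are handed to the server.

```python
"""Pre-flight generator and linter for the step-1 LDIF files (shadow container
and its ACIs). Constructed example, not code from the original post."""
import re

CONTAINER_DN = "cn=shadowentries"  # container DN used in the post
ADMIN_GROUPS = [  # groups granted on the container in step 1c of the post
    "cn=RealmAdministrators,cn=groups,cn=OracleContext,dc=us,dc=oracle,dc=com",
    "cn=OIMAdministrators,cn=groups,dc=us,dc=oracle,dc=com",
]


def container_ldif(dn):
    """Add record; the naming value is copied from the RDN so dn: and cn: agree."""
    rdn_attr, rdn_val = dn.split(",", 1)[0].split("=", 1)
    return f"dn: {dn}\n{rdn_attr}: {rdn_val}\nobjectclass: top\nobjectclass: orclContainer\n"


def aci_ldif(dn, admin_groups):
    """One modify record: admin-group ACIs, then the entry-level ACI, '-' separated."""
    lines = [f"dn: {dn}", "changetype: modify", "add: orclaci"]
    for grp in admin_groups:
        lines.append(f'orclaci: access to entry by group="{grp}" (browse,add,delete)')
        lines.append(f'orclaci: access to attr=(*) by group="{grp}" (read,write,search,compare)')
    lines += ["-", "add: orclentrylevelaci",
              "orclentrylevelaci: access to entry by * (browse,noadd,nodelete)",
              "orclentrylevelaci: access to attr=(*) by * (read,search,nowrite,nocompare)"]
    return "\n".join(lines) + "\n"


def lint_ldif(text):
    """Return problems found (empty list = safe for ldapadd): a record without a
    leading dn:, an add record missing its RDN value, or unseparated modify ops."""
    problems = []
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = [ln for ln in record.splitlines() if ln and not ln.startswith("#")]
        if not lines or not lines[0].startswith("dn: "):
            problems.append(f"record does not start with dn: {record[:30]!r}")
            continue
        dn = lines[0][4:]
        rdn_attr, rdn_val = dn.split(",", 1)[0].split("=", 1)
        attrs = {}
        for ln in lines[1:]:
            key, _, val = ln.partition(": ")
            attrs.setdefault(key.lower(), []).append(val)
        if attrs.get("changetype") == ["modify"]:
            ops = sum(len(attrs.get(op, [])) for op in ("add", "replace", "delete"))
            if ops > lines.count("-") + 1:
                problems.append(f"{dn}: {ops} change ops but {lines.count('-')} '-' separators")
        elif rdn_val not in attrs.get(rdn_attr.lower(), []):
            problems.append(f"{dn}: naming attribute {rdn_attr} lacks value {rdn_val!r}")
    return problems
```

Write container_ldif(CONTAINER_DN) to ShadowADContainer.ldif and aci_ldif(CONTAINER_DN, ADMIN_GROUPS) to a second file only after lint_ldif returns an empty list for both.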

Note: All the steps hereafter are performed by connecting to OVD via ODSM. You can use the screenshots as pointers for the configuration.

2. Create Shadow Joiner Adapter

[Screenshots Snap15, Snap16, Snap17: Shadow Joiner User Adapter settings]

3. Create User Adapters for AD and OID

You need to create a User Adapter for AD and one for OID. Use these screenshots as pointers.

3.1 User Adapter for AD

[Screenshots Snap2, Snap3: AD User Adapter; new1: AD User Adapter Parameters]

3.2 User Adapter for OID

[Screenshots Snap10, Snap11: OID User Adapter; parameters: OID User Adapter Parameters]

4. Create Change Log Adapters for AD and OID

4.1 Change Log Adapter for AD

[Screenshots Snap8, Snap9: AD Change Log Adapter; Snap20_changeLog_ad_params, Snap20_changeLog_ad_params_2: AD Change Log Adapter parameters]

4.2 Change Log Adapter for OID

[Screenshots Snap12, Snap13: OID Change Log Adapter; Snap22_changeLog_OID_params, Snap22_changeLog_OID_params_2: OID Change Log Adapter parameters]

5. Create a Join View Adapter and Global Change Log Plug-in

5.1 Join View Adapter Settings

[Screenshot Snap19: Join View Adapter settings]

5.2 Global Change Log Plug-in

[Screenshot: Global Plugin settings]

Finally, this is how the summary of all the OVD adapters is shown in the HOME tab for OVD in ODSM: [Image: summary_view_adapters]

Next steps? Now that the split profile is configured, which settings need to change in OAM and OIM? I will discuss that in the next blog, found here:

OAM and OIM Configuration Changes for Split Profile
