OIM Connector for Identity Cloud Service

The IDCS Connector is an OIM REST-based connector for Oracle’s Identity Cloud Service (IDCS). In this blog post we will look at use case scenarios for hybrid cloud solutions that span both the Oracle Public Cloud and an on-premise Oracle identity management deployment. This blog post aims to cover the most common scenarios from an […]

Comparing the SCIM REST and OIG REST APIs

The objective of this post is to show the differences and similarities of the two REST APIs offered by OIM – the SCIM REST API and the OIG REST API. OIM Java APIs have been available in OIM for many versions now (since OIM 9.x or earlier), although each successive version has added new Java […]

Secure Access to Oracle Identity Manager 11g R2 PS3 REST APIs

REST APIs for Oracle Identity Manager (OIM) 11g R2 PS3 were released recently. The availability of REST APIs enables a variety of newer integrations with the product in addition to already available mechanisms using Java APIs. In this article, we discuss various ways of accessing these REST APIs in a secure manner. Please note that […]

Authenticating to the OIG REST API from an OAM-protected web app

The objective of this post is to describe how a web app protected by an OAM WebGate can authenticate to the OIG REST APIs. In a previous blog post, I provided detailed steps to do the same thing for the SCIM REST APIs; now in this blog post I will explain how the same approach […]

OIM 11g R2 Catalog

The Catalog is one of the most talked-about new features in OIM 11g R2. It introduces a new way to search for items and to create access requests, and it also introduces a ‘shopping cart’ experience.

The request process was drastically simplified with the Catalog. Whereas in OIM 11g R1 users had to go through a multi-step wizard to create a request, in OIM 11g R2 the work is done in two pages: the catalog search and the shopping cart summary.

End users use the catalog to create requests for the following OIM objects:

  • Roles
  • Application Instances
  • Entitlements

The catalog search result picture below shows all of the above-mentioned object types. Highlighted on the right is the ‘Refine Search’ area, where users can restrict the results to specific object types. On the center-left, the highlight shows how catalog items are identified by different icons (application instance, role and entitlement respectively).

The catalog content is built from the three object types mentioned above. The catalog information is stored in dedicated database tables to facilitate the indexing and searching of catalog items.

The task of keeping the catalog data up to date is performed by an OIM scheduled job called ‘Catalog Synchronization’. This job should be scheduled at a regular interval to guarantee that the catalog content is updated quickly whenever an object is created or updated in OIM. The job has different execution modes: “Incremental”, where only objects created or updated since the last execution date are pulled into the catalog, and “Full”, where all OIM objects are analyzed and pulled into the catalog. The job can be configured to work only on one specific object type (role, application instance or entitlement), and it can also load catalog data in bulk from a flat file. Note that until the job has run, a newly created role, application instance or entitlement is simply not visible in the catalog, so a synchronization interval that is too long shows up to end users as “missing” items.

The search experience in the catalog user interface leverages the features provided by Oracle Text, the Oracle database content indexing feature. Oracle Text improves performance and provides advanced search capabilities such as operators for building search expressions (AND, OR, etc.). Some ‘trickiness’ is also introduced: both ‘*’ and ‘&’ work as wildcards, but their behavior differs slightly, and ‘*’ is preferable; end users must provide at least one character along with the wildcard (a wildcard-only search does not return any results).

With the introduction of Oracle Text, there are two database scheduler jobs that must be running:

  • FAST_OPTIMIZE_CAT_TAGS
  • REBUILD_OPTIMIZE_CAT_TAGS

These are DATABASE JOBS (Oracle DBMS_SCHEDULER jobs owned by the OIM database schema), not OIM scheduler jobs, so any action on them (checking status, enabling, running them) is performed directly in the database, not from the OIM console. Both jobs keep the catalog text index optimized and prevent index fragmentation; if they are disabled or failing, catalog searches slowly degrade as the index fragments, which is easy to miss because nothing in OIM itself reports it.
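As an added example (not code from the original post), the checks below are what I would run, connected to the database as the OIM schema owner, to confirm the two jobs exist, are enabled and are succeeding, and to re-enable or kick one off by hand. Only the two job names come from the post; everything else uses standard Oracle data dictionary views and DBMS_SCHEDULER calls. The schema name is not assumed anywhere because the `user_` views are scoped to the connected user.

```sql
-- Added example: verify the catalog index maintenance jobs directly in the database.
-- Connect as the OIM schema owner so that the USER_ views show the OIM-owned objects.

-- 1. Are both jobs defined and enabled, and when did they last run / will they run next?
--    STATE should be SCHEDULED (or RUNNING); DISABLED or a growing FAILURE_COUNT is a problem.
SELECT job_name,
       enabled,
       state,
       repeat_interval,
       last_start_date,
       next_run_date,
       run_count,
       failure_count
  FROM user_scheduler_jobs
 WHERE job_name IN ('FAST_OPTIMIZE_CAT_TAGS', 'REBUILD_OPTIMIZE_CAT_TAGS');

-- 2. Recent run history for the last 7 days. Any STATUS other than SUCCEEDED means the
--    Oracle Text index has not been optimized on schedule; ERROR# gives the ORA error.
SELECT job_name, status, log_date, run_duration, error#
  FROM user_scheduler_job_run_details
 WHERE job_name IN ('FAST_OPTIMIZE_CAT_TAGS', 'REBUILD_OPTIMIZE_CAT_TAGS')
   AND log_date > SYSDATE - 7
 ORDER BY log_date DESC;

-- 3. Cross-check the Oracle Text (CONTEXT) indexes in the schema: DOMIDX_STATUS and
--    DOMIDX_OPSTATUS should both be VALID, otherwise catalog searches will fail or be incomplete.
SELECT index_name, table_name, status, domidx_status, domidx_opstatus
  FROM user_indexes
 WHERE ityp_name = 'CONTEXT';

-- 4. Re-enable the jobs if they were left disabled (for example after a database restore
--    or a schema import that did not bring the scheduler jobs back in an enabled state).
BEGIN
  DBMS_SCHEDULER.ENABLE('FAST_OPTIMIZE_CAT_TAGS');
  DBMS_SCHEDULER.ENABLE('REBUILD_OPTIMIZE_CAT_TAGS');
END;
/

-- 5. Run the fast optimization immediately in the current session instead of waiting for
--    its next scheduled run, e.g. right after a large Full catalog synchronization.
BEGIN
  DBMS_SCHEDULER.RUN_JOB(job_name            => 'FAST_OPTIMIZE_CAT_TAGS',
                         use_current_session => TRUE);
END;
/
```

Running step 5 with `use_current_session => TRUE` blocks until the optimization finishes, which makes any error surface directly in your SQL session rather than only in the run-details view. If you operate OIM with a separate DBA account, replace the `user_` views with the `dba_` equivalents and add an `owner = '<OIM schema>'` predicate.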

When creating OIM ‘requestable’ objects, it is important to fill in the description fields. This information, along with ‘name’ and ‘display name’, is used to build the catalog index. A good description makes it easier to search for and find specific catalog items and add them to the shopping cart.

There are two different ways of getting to the catalog search page:

  • Directly: an end user logs in to OIM and simply clicks on the catalog menu link. In this case the request beneficiary is the user her/himself.
  • Through another user’s profile: an administrator searches for a user in OIM, goes to the user’s details and clicks on a ‘Request’ action button (such as ‘Request Role’). In this case the request beneficiary is the searched user.

Another particularity of the catalog is that users can see, and add to the shopping cart, any object they are allowed to request, including those already provisioned to the beneficiary. It is only at shopping cart submission time that OIM rejects the submission if an already provisioned object is among the cart items.

Shopping cart submission creates the approval processes, if needed. The approvals are not that different from OIM 11g R1: a shopping cart submission creates a request, and when an approval is needed, the request goes through request-level and operation-level approvals (in the default configuration).

The picture below shows the shopping cart details page:

The security model in the catalog follows the organization-based scoping OIM security model. In this model, the catalog items (roles, application instances and entitlements) are published to specific organizations in OIM, with or without including the organization’s sub-organizations. End users are able to see only those catalog items that are published (directly or, through the hierarchy, indirectly) to the organization they belong to. Organization-based scoping does not apply to system or catalog administrators: these users have access to all catalog content. In practice this means that the published organizations, not the catalog itself, are the access control for what a user can even request, so publishing an item to the top-level organization with sub-organizations included exposes it to every user.

Catalog customization is also available in R2. The catalog can be extended by creating catalog ‘UDFs’ (user-defined fields), and the catalog user interface can be customized through sandboxes and the other WebCenter/ADF customization features. Custom catalog attribute data can also be indexed in the Oracle Text based catalog index.

Catalog APIs are also available and can be used in customizations or to perform searches (among other catalog functions) from custom applications. The API documentation is available here.

OIM 11g R2 documentation has a whole chapter dedicated to the catalog. Such documentation is available here.