Friday, May 20, 2016

OIM SCIM Java Client

OIM SCIM Java Client.

/*Jar needed - commons-codec-1.10.jar & json-20140107.jar

Steps to run the code below
      Update the host, port and password, then call the createUser method.
      Once the user is created in OIM, get the user key from the DB and pass it to the updateUser method.
*/

package com.test;

import java.io.OutputStreamWriter;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;

import org.apache.commons.codec.binary.Base64;
import org.json.JSONArray;
import org.json.JSONObject;

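public class SCIMClient {

    /** SCIM schema URNs used both in the {@code schemas} list and as extension keys. */
    private static final String OIG_USER_SCHEMA =
            "urn:ietf:params:scim:schemas:extension:oracle:2.0:OIG:User";
    private static final String CORE_USER_SCHEMA =
            "urn:ietf:params:scim:schemas:core:2.0:User";
    private static final String ENTERPRISE_USER_SCHEMA =
            "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User";
    private static final String IDM_USER_SCHEMA =
            "urn:ietf:params:scim:schemas:extension:oracle:2.0:IDM:User";

    /** Value sent in the HTTP {@code Authorization} header; filled in by {@link #main}. */
    static String authStringEnc = "";
    /** Base URL of the OIM SCIM service, without a trailing slash; filled in by {@link #main}. */
    static String scimURL = "";

    /**
     * Entry point: builds the Basic-auth header from the configured credentials and creates the
     * sample user. Edit the password, host and port below before running.
     *
     * @param args ignored
     * @throws Exception if the HTTP call fails
     */
    public static void main(String[] args) throws Exception {
        String name = "xelsysadm";
        String password = "password"; // Update Password
        scimURL = "http://host:port/idaas/im/scim/v1"; // Update Host, Port

        authStringEnc = basicAuthHeader(name, password);
        // Base64 is an encoding, not encryption: printing the header would put the password
        // into stdout/log files, so only the user name is echoed here.
        System.out.println("Basic auth header prepared for user: " + name);

        createUser();
        //updateUser("144"); // Change the user key '144' with actual one.
    }

    /**
     * Builds an HTTP Basic {@code Authorization} header value for the given credentials.
     *
     * @param name     user name
     * @param password password
     * @return {@code "Basic " + base64(name + ":" + password)}
     */
    private static String basicAuthHeader(String name, String password) {
        // Explicit charset: the platform default differs between hosts and can corrupt
        // non-ASCII passwords.
        byte[] raw = (name + ":" + password).getBytes(StandardCharsets.UTF_8);
        // Fully-qualified because the file also imports the commons-codec Base64 class.
        return "Basic " + java.util.Base64.getEncoder().encodeToString(raw);
    }

    /**
     * Creates the sample user from {@link #workerJSON()} via {@code POST {scimURL}/Users}.
     *
     * @throws Exception if the HTTP call fails
     */
    public static void createUser() throws Exception {
        JSONObject obj = workerJSON();
        if (processHTTPCall(scimURL + "/Users", "POST", obj)) {
            System.out.println("User created successfully!");
        }
    }

    /**
     * Replaces an existing user with the sample payload via {@code PUT {scimURL}/Users/{userKey}}.
     *
     * @param userKey key of the user to update (see the steps at the top of the file)
     * @throws IllegalArgumentException if {@code userKey} is null or blank, which would otherwise
     *                                  silently turn the request into {@code PUT /Users/}
     * @throws Exception                if the HTTP call fails
     */
    public static void updateUser(String userKey) throws Exception {
        if (userKey == null || userKey.trim().isEmpty()) {
            throw new IllegalArgumentException("userKey must not be empty");
        }
        JSONObject obj = workerJSON();
        if (processHTTPCall(scimURL + "/Users/" + userKey, "PUT", obj)) {
            System.out.println("User updated successfully!");
        }
    }

    /**
     * Sends {@code obj} as a SCIM JSON body to {@code httpUrl} and reports whether the server
     * answered with a status below 300.
     *
     * @param httpUrl absolute URL of the SCIM resource
     * @param method  HTTP method, e.g. {@code "POST"} or {@code "PUT"}
     * @param obj     JSON body to send
     * @return {@code true} if the response status is below 300, {@code false} otherwise
     * @throws IllegalStateException if {@link #authStringEnc} has not been set
     * @throws Exception             if the connection or the write fails
     */
    public static boolean processHTTPCall(String httpUrl, String method, JSONObject obj) throws Exception {
        if (authStringEnc.isEmpty()) {
            throw new IllegalStateException("authStringEnc is not set; run main() first");
        }

        URL url = new URL(httpUrl);
        HttpURLConnection connection = (HttpURLConnection) url.openConnection();
        try {
            connection.setRequestMethod(method);
            connection.setRequestProperty("Content-Type", "application/scim+json");
            connection.setRequestProperty("Authorization", authStringEnc);
            connection.setConnectTimeout(50000);
            connection.setReadTimeout(50000);
            connection.setDoOutput(true);

            // try-with-resources closes the request stream even if write() throws;
            // the explicit charset keeps the JSON bytes independent of the platform default.
            try (OutputStreamWriter out =
                         new OutputStreamWriter(connection.getOutputStream(), StandardCharsets.UTF_8)) {
                out.write(obj.toString());
            }

            // Read the status once; each call could otherwise re-evaluate the response.
            int responseCode = connection.getResponseCode();
            System.out.println("Response code from server is ::" + responseCode);
            System.out.println("Response Message from server is ::" + connection.getResponseMessage());

            if (responseCode < 300) {
                System.out.println("HTTP Call was successful!");
                return true;
            }
            System.out.println("Error Encountered during HTTP Call");
            return false;
        } finally {
            connection.disconnect();
        }
    }

    /**
     * Builds a SCIM multi-valued entry of the form {@code {"value": value, "type": type}}.
     *
     * @param value the attribute value
     * @param type  the SCIM sub-type, e.g. {@code "work"} or {@code "mobile"}
     * @return the populated entry
     */
    private static JSONObject typedValue(String value, String type) {
        JSONObject entry = new JSONObject();
        entry.put("value", value);
        entry.put("type", type);
        return entry;
    }

    /**
     * Builds the sample user payload used by both create and update.
     *
     * <p>Get a real JSON object by running the curl command at the bottom of the file and
     * shape this payload after it; single, multiple and full attribute updates are all
     * supported. Reads {@link #scimURL} for the home organization {@code $ref}.
     *
     * @return the populated JSON object
     */
    public static JSONObject workerJSON() {
        JSONObject workerObj = new JSONObject();

        JSONArray schemas = new JSONArray();
        schemas.put(OIG_USER_SCHEMA);
        schemas.put(CORE_USER_SCHEMA);
        schemas.put(ENTERPRISE_USER_SCHEMA);
        schemas.put(IDM_USER_SCHEMA);
        workerObj.put("schemas", schemas);

        // Oracle OIG extension: department plus a reference to organization "1".
        JSONObject userOIGObj = new JSONObject();
        userOIGObj.put("Department", "Security");
        JSONObject homeValue = new JSONObject();
        homeValue.put("value", "1");
        homeValue.put("$ref", scimURL + "/Organizations/1");
        userOIGObj.put("homeOrganization", homeValue);
        workerObj.put(OIG_USER_SCHEMA, userOIGObj);

        workerObj.put("displayName", "John peter");

        JSONArray email = new JSONArray();
        email.put(typedValue("john.peter3@test.com", "work"));
        workerObj.put("emails", email);

        workerObj.put("organization", "Xellerate Users");

        // Enterprise extension: employee number and a reference to manager "1".
        JSONObject userEntObj = new JSONObject();
        userEntObj.put("employeeNumber", "12345");
        JSONObject mgrObj = new JSONObject();
        mgrObj.put("value", "1");
        userEntObj.put("manager", mgrObj);
        workerObj.put(ENTERPRISE_USER_SCHEMA, userEntObj);

        JSONArray contactNumber = new JSONArray();
        contactNumber.put(typedValue("123-456-7999", "mobile"));
        contactNumber.put(typedValue("123-456-7888", "work"));
        workerObj.put("phoneNumbers", contactNumber);

        JSONObject nameObj = new JSONObject();
        nameObj.put("middleName", "M");
        nameObj.put("familyName", "John");
        nameObj.put("givenName", "Peter");
        workerObj.put("name", nameObj);

        JSONObject addrObj = new JSONObject();
        addrObj.put("region", "AMER");
        addrObj.put("country", "US");
        addrObj.put("type", "work");
        JSONArray homeAddr = new JSONArray();
        homeAddr.put(addrObj);
        workerObj.put("addresses", homeAddr);

        workerObj.put("title", "Lead Developer");

        System.out.println("Jason object is --->" + workerObj);
        return workerObj;
    }
}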

/*
To get sample JSON object using CURL [https://curl.haxx.se/] in CMD
      curl --user xelsysadm:password http://host:port/idaas/im/scim/v1/Users/1
*/

Sunday, May 15, 2016

OIM Terminology

-------- OIM Terminology
Reconciliations - Process to sync up OIM with other system
                  Trusted Recon - Sync up against HR system [Identity]
                   Target Recon - Sync up against target system [Access]
Resource Object - Symbolic representation of Target system
SOA Composite - Approval workflow logic deployed in SOA
IT Resource - Target system connection info
Adapter - Java method symbolic representation
Provisioning Workflow - Set of task flow to manage access in target system
Process Form - Place holder form used by provisioning task
Lookup - Place holder for any config used by OIM code
Catalog - As the name suggests, it contains all available targets so a user can pick and request one
Email Template - Contains email template used by OIM to send communication
Schedule Task - Job running on a periodic basis, like the recon process.
Policy
             Approval Policy - Contains Application vs SOA Composite mapping
             Access Policy - Contains rules for automatically giving target access to users


----------- Commonly used Configuration

OIM is used for managing Identity and Access. So we have to onboard users and target systems in OIM before managing access.

User On-boarding - The process is called Trusted Reconciliation. Typically we create a scheduled job to pull the delta from the HR system and sync OIM identities.

Application on-boarding - Multiple steps need to be followed to onboard a new target system in OIM.
                  Create Resource Object [Symbolic representation of target system]
                  Create IT Resource [target system connection parameter]
                  Configure Provisioning Workflow [Task flow to manage access]
                  Configure Process Form
                  Create Application Instance and publish it in the catalog

Application Recon - Also called Target Reconciliation. Typically we create a scheduled job to pull the delta from the target system and sync OIM access.


OIM Product Installation

--------------- High level steps for OIM Installation
 Install Java
 Install database
 Run the Repository Creation Utility (RCU)
 Install WebLogic
 Install SOA suite
 Install OIM suite
 Create domain
 Middleware configuration [Deploy ear files to servers]

----------- Product usage
OIM - Used for managing Identity and Access
SOA - Used for the approval process. A SOA composite contains the approval workflow and Java code. The JDeveloper tool is used to create a new composite.
BI Publisher - Used for viewing reports.

------------- Accessing the different products
OIM Access - 
           Browser - /identity
                             /sysadmin
           Design Console

SOA Access - Browser - /soa-infra
BI Publisher - Browser - /xmlpserver


-------- Folder Structure in unix box 
MW_Home
           - Java
           - Weblogic
           - OIM
           - SOA
            - Oracle Common

Weblogic_Domain
               - contains config file [ear file deployment configuration], Admin Server, Managed Servers [OIM, SOA, BI Publisher]

----------- DB Schema
            - OIM
            - SOAINFRA
            - BIPUBLISHER
            - MDS [Meta data, contains properties and config file]
            - OPSS [Platform Security]

System for Cross-domain Identity Management (SCIM)


These days enterprise applications are mushrooming on premise and in the cloud. All of them need to communicate with the IDM system to get basic user details or similar information. To facilitate this communication, application owners depend on the IDM system's libraries and expertise, which makes integration painful and slow.

To overcome this issue, SCIM (System for Cross-domain Identity Management) came into the picture as an open standard for exchanging user information between identity domains.

The SCIM standard uses JSON objects to exchange information and does not require IDM-system-specific libraries. Most IDM systems have implemented this feature in their product; Oracle has also included it in the PS3 product.


OIM SCIM Service URL in PS3 :- http://host:port/idaas/im/scim/v1/Users

To get sample JSON object using CURL in CMD
      curl --user xelsysadm:password http://host:port/idaas/im/scim/v1/Users/1

Method -
             POST [Create Resource eg - User, Group]
             GET [Get Resource]
             PUT [Update Resource]
             PATCH [Modify Particular field]
             DELETE [Delete Resource]


Java Client to get sample JSON obj ------------------

//lib - sun.misc.BASE64Decoder.jar or any BASE 64 encoder


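  /**
   * Looks up a user over SCIM ({@code GET /Users?filter=userName eq SMITHJ}) with HTTP Basic
   * authentication and prints the raw JSON response.
   *
   * <p>Host, port and credentials are hard-coded placeholders; replace them before running.
   *
   * @throws Exception if the connection fails or the response cannot be read
   */
  public static void getUser() throws Exception{
    // java.util.Base64 replaces the sun.misc encoder; the charset is given explicitly so the
    // header bytes do not depend on the platform default.
    String authStringEnc = "Basic " + java.util.Base64.getEncoder().encodeToString(
        "xelsysadm:password".getBytes(java.nio.charset.StandardCharsets.UTF_8));

    // A raw space in the query is not valid in an HTTP request line, so the filter value is
    // percent-encoded (URLEncoder's '+' for space is rewritten to %20 for a plain query).
    String filter = java.net.URLEncoder.encode("userName eq SMITHJ", "UTF-8").replace("+", "%20");
    URL url = new URL("http://host:port/idaas/im/scim/v1/Users?filter=" + filter);
    HttpURLConnection connection = (HttpURLConnection) url.openConnection();
    try {
      connection.setRequestMethod("GET");
      connection.setRequestProperty("Content-Type", "application/scim+json");
      connection.setRequestProperty("Authorization", authStringEnc);
      connection.setConnectTimeout(5000);
      connection.setReadTimeout(5000);
      // No setDoOutput(true): a GET carries no body, and enabling output lets
      // HttpURLConnection switch the method to POST if a body is ever written.

      int responseCode = connection.getResponseCode();
      System.out.println("Response Code : " + responseCode);

      // getInputStream() throws for 4xx/5xx; the error stream carries the server's SCIM
      // error document in that case, which is more useful than a bare exception.
      java.io.InputStream body =
          responseCode < 400 ? connection.getInputStream() : connection.getErrorStream();
      StringBuilder response = new StringBuilder();
      if (body != null) {
        try (BufferedReader in = new BufferedReader(
            new InputStreamReader(body, java.nio.charset.StandardCharsets.UTF_8))) {
          String inputLine;
          while ((inputLine = in.readLine()) != null) {
            response.append(inputLine);
          }
        }
      }

      // print JSON object
      System.out.println(response.toString());
    } finally {
      connection.disconnect();
    }
  }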

OIM 11gR2 PS3 Upgrade Steps

OIM 11gR2 PS3 Upgrade high level steps -

Single Server
             Upgrade JDK
             Patch WebLogic
             Upgrade SOA binary
             Upgrade OIM binary
             Upgrade RCU
             Create BI Publisher Schema
             Upgrade Existing Schema
             Run Middle Tier Upgrade Offline
             Run Middle Tier Upgrade Online
             Patch SOA
             Patch OIM



Multi Servers [High Availability]
             Upgrade JDK in all servers
             Patch WebLogic in all servers
             Upgrade SOA binary in all servers
             Upgrade OIM binary in all servers
             Upgrade RCU
             Create BI Publisher Schema
             Upgrade Existing Schema
             Run Middle Tier Upgrade Offline in Primary node
             Pack/Unpack domain config from Primary to other domain
             Run Middle Tier Upgrade Online in Primary node
             Patch SOA in all servers
             Patch OIM in all servers
             Extend BI Publisher Servers