OpenSSO-Sun IDM integration

Hi All,
I have implemented the OpenSSO-Sun IDM integration based on the "OpenSSO Integration Guide.pdf". Now, users created in Sun IDM are provisioned to OpenSSO. Can anyone tell me whether users created in OpenSSO can be provisioned to Sun IDM?
Also, is there any way to have password sync between OpenSSO and Sun IDM users? That is, if the user's password is changed in OpenSSO, can it also be changed in Sun IDM?
Best Wishes,
Aruna

Hi Frank,
Thanks for the response,
1. This is user/pw from the AC system you need to send with the web service call from SUN to AC
So, we create and provide user credentials to the IDM team, and they need to incorporate the user credentials whenever they are calling the web services in AC5.3?
For this initial communication to happen, what needs to be done? Is setting up SAP JCo required in this case? Do we get involved with the configuration/development activity at the IDM end?
I could not find proper documentation on this, which leaves me unsure how much involvement I need to have as a SAP GRC AC5.3 consultant.
Regards......

Similar Messages

  • Movement of accounts in AD natively; How Sun IDM identity is affected

    Dear Reader,
    We are planning to integrate Windows Active Directory with Sun IDM 6.0 SP1. Even after integrating AD with Sun IDM there will be lots of changes to the native account, especially moving the account from one OU to another, etc.
    Since the Sun IDM identity has the distinguished name of the AD account for its reference, if someone moves the AD account natively, how will that affect the IDM identity?
    I heard from a couple of my friends that Sun IDM uses objectGUID to refer to the account in AD, so even if the account is moved from one OU to another there will be no issue. Is that right?
    Will Sun IDM 6.0 SP1 work that way, or was this fix introduced in a later release?
    Is there any other factor involved in this which will affect the way Sun IDM works when the account is moved natively?
    Any help is appreciated
    Thanks in advance

    We use IdM 7.1.1.11 and AD.
    Sun does use the GUID once it has it. And, if the dn changes and the GUID stays the same, IdM won't care. Although in examining logs I saw that Sun asks AD first based on the GUID, then if it can't find it, reverts to the dn. We manage what OU our accounts are in via IdM. So we don't allow AD admins to move accounts around. During our initial migration, we are syncing up GUIDs, and correcting any bad OU values. Don't know if that helps, but I have some experience looking at some of this and can offer my observations.
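
The GUID-first, DN-fallback lookup described in the reply above, as an added Python example that is not Sun IdM's code and not part of the original posts. The in-memory `DIRECTORY` list stands in for AD search results; the GUIDs, DNs, function names and status labels are constructed for illustration.

```python
import uuid

def guid_filter(guid_text):
    """Build an RFC 4515 search filter for an AD objectGUID display string."""
    # AD stores the first three GUID fields little-endian; each byte is escaped as \xx.
    raw = uuid.UUID(guid_text).bytes_le
    return "(objectGUID=" + "".join("\\%02x" % b for b in raw) + ")"

def resolve(directory, stored_guid, stored_dn):
    """Look up an account by GUID first, then by DN, and classify the result.

    Returns (status, entry):
      "match"    GUID found at the stored DN
      "moved"    GUID found under a different DN (native move or rename)
      "dn-only"  GUID not found, but an entry with a different GUID sits at the DN
      "missing"  neither lookup found anything
    """
    want = uuid.UUID(stored_guid).bytes_le
    dn_key = stored_dn.lower()  # simplified DN comparison, enough for this example
    for entry in directory:
        if entry["objectGUID"] == want:
            status = "match" if entry["dn"].lower() == dn_key else "moved"
            return status, entry
    for entry in directory:
        if entry["dn"].lower() == dn_key:
            # Same DN, different object: the account was deleted and recreated,
            # so linking by DN would attach the identity to a new account.
            return "dn-only", entry
    return "missing", None

def audit(stored_refs, directory):
    """Classify every stored (guid, dn) reference; returns {name: status}."""
    return {name: resolve(directory, guid, dn)[0]
            for name, (guid, dn) in stored_refs.items()}

# Constructed sample data (not taken from any real directory).
ALICE = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"
BOB_OLD = "7c9e6679-7425-40de-944b-e07fc1f90ae7"
BOB_NEW = "0e8f2c1a-5b7d-4c3e-9f10-2a6b4d8c1e35"
CAROL = "11111111-2222-4333-8444-555555555555"

DIRECTORY = [
    {"dn": "CN=Alice,OU=Sales,DC=example,DC=com",
     "objectGUID": uuid.UUID(ALICE).bytes_le},
    {"dn": "CN=Bob,OU=IT,DC=example,DC=com",
     "objectGUID": uuid.UUID(BOB_NEW).bytes_le},
]

STORED_REFS = {
    "alice": (ALICE, "CN=Alice,OU=Staff,DC=example,DC=com"),  # moved natively
    "bob": (BOB_OLD, "CN=Bob,OU=IT,DC=example,DC=com"),       # recreated at same DN
    "carol": (CAROL, "CN=Carol,OU=HR,DC=example,DC=com"),     # deleted
}

if __name__ == "__main__":
    print(guid_filter(ALICE))
    for name, status in audit(STORED_REFS, DIRECTORY).items():
        print(name, status)
```

A "dn-only" result is the case worth reviewing by hand before the identity is re-linked, since the entry at that DN is not the object the stored GUID referred to.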

  • Hierarchy Structure implementation in Sun IDM

    Hello Friends, I have an interesting topic to discuss which I am facing here at my work. In detail below:
    Sun IDM is integrated with e-Directory.
    The Org A has two sub-units, say PD and SD. PD and SD have virtual sub-orgs as per e-Dir: PD has GET and SET virtual sub-orgs, and SD has Regional, Division and Dealership virtual sub-orgs. Each sub-org has users who could be an admin or a user. So, a PD can have PD Admins, GET Admins, SET Admins, GET Users, SET Users. Similarly in SD... SD contains SD Admins, Regional Admins, Divisional Admins, Dealership Admins and respective users.
    The Org structure created in Sun IDM 5.0 here is Org A containing PD & SD. That's all.
    Now my requirement here is that the admins inside PD or SD shouldn't see other admins and can't change any attributes on other admins. If the logged-in user is a SET Admin, he should see only SET users below him, not GET Admins or PD Admins, though everyone has been assigned the same controlled organization, i.e. PD.....
    So similar with the SD sub-org too.... I want to know, is there any way I can customize the way the "List Accounts" applet shows when an Admin logs in??
    Thanks and Regards, Vagic.

    Change the SET Admin's controlled organization to only include the virtual org "SET Users". When that admin logs in they should only see that one organization and the users contained within.
    I'm assuming that the members rule for your "Set Users" virtual org should filter out any administrators.

  • SPML URL for Sun IdM Server

    How to find SPML URL for Sun IdM Server?
    I'm trying to configure 'New Provisioning Server Connection' from Sun Role Manager (Vaau's RBACx) Admin and this requires SPML URL.
    Please help me,
    Thanks

    Hi All,
    I'm working on the integration between Sun Identity Manager 7.1 and Sun Role Manager 4.1. When I import users from IDM to Role Manager, I had this error:
    15:04:51,093 ERROR [WavesetIAMSolution] SPML request returned a failure - com.waveset.exception.ItemNotFound: Configuration:listUsernames
    15:04:51,093 ERROR [IAMJobExecutor] Failed to execute iam job 'import_user':
    com.vaau.rbacx.iam.RbacxIAMException: com.waveset.exception.ItemNotFound: Configuration:listUsernames
         at com.vaau.rbacx.iam.sun.WavesetIAMSolution.listUsernames(WavesetIAMSolution.java:1474)
         at com.vaau.rbacx.iam.sun.WavesetIAMSolution.readUsers(WavesetIAMSolution.java:1049)
         at com.vaau.rbacx.iam.service.impl.RbacxIAMServiceImpl.importUsers(RbacxIAMServiceImpl.java:71)
         at sun.reflect.GeneratedMethodAccessor698.invoke(Unknown Source)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
         at java.lang.reflect.Method.invoke(Unknown Source)
         at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:182)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:149)
         at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:106)
         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
         at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
         at $Proxy25.importUsers(Unknown Source)
         at com.vaau.rbacx.scheduling.executor.iam.IAMJobExecutor.execute(IAMJobExecutor.java:78)
         at com.vaau.rbacx.scheduling.manager.providers.quartz.jobs.AbstractQuartzJob.execute(AbstractQuartzJob.java:68)
         at org.quartz.core.JobRunShell.run(JobRunShell.java:203)
         at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:520)
    Any help is greatly appreciated!
    Thanks.

  • Future of Sun IdM

    Hi,
    I heard that Oracle is going to wipe off Sun IdM. Actually, my team attended an Oracle webcast meeting (maybe some of you guys attended that meeting) and they revealed this information. I am wondering how true that statement is? Also heard that this will be done in the next 2 years, so SIM will die after 2 years?
    I don't have much knowledge of OIM... I have some questions, any experts please guide..
    1. Does OIM support Express language?
    2. What are all the basic technologies that we need to learn if we want to move to OIM from SIM?
    3. Which language will be used in OIM to develop forms/workflows?
    If anybody is having any additional info please share so that it will useful for us to go in a right direction.
    Thanks in advance.
    Edited by: idmus on Jan 28, 2010 9:55 AM

    MichaelSt wrote:
    > So, to put it all clearly in a nutshell: exactly WHAT is the fate of Sun IDM?
    Oracle has stated that Oracle IDM (not Sun IDM) is their going forward product. Usually that's corporate talk for "we're no longer working on this product". Sun IDM is going to be put on maintenance support for several years but there will likely be no further development on it. That is, you can expect to see bug fixes and patches for a few years, but no new features.
    > Is it going to be scrapped totally, or not?
    Yes. That's the impression I got from Oracle's announcement. Watch their web cast at http://oracle.com.edgesuite.net/ivt/4000/8104/9236/12628/lobby_external_flash_clean_480x360/default.htm . It's only 15 minutes long.
    > We just recently installed Sun IDM 8.1, and have only just begun to use it.
    > It would be a shame to have to scrap it after only a year or so, considering all the effort that went into it.
    > However, of course, if there's nothing to be done ---- if IDM is being scrapped ---- then it would be great to know this now, and not further down the road.
    Those of us who have had it installed for years are even worse off. The time and effort that needs to be reinvested into another competing IDM product is huge.
    > Does anybody know the verdict? Is IDM being exterminated? Or can we continue to use it for years to come?
    Yes it's being terminated. You can expect to see Sun IDM technology integrated into Oracle IDM, but in what fashion nobody knows. You can continue to use it for several years as Oracle has committed to providing regular support until 2014, extended support until 2017 and indefinite sustaining support. Personally, I wouldn't rely on anything past the standard support period.
    Do not get confused with the renaming of the Sun IDM product. It's being called Oracle Waveset but from what I can tell that doesn't change any of the plans to terminate the product. It's just a removal of the Sun branding.

  • SUN idM integrate with GRC AC

    There are documents available for best practice on provisioning using CUP by integrating SUN idM with GRC AC... I have not found any document on best practice for deprovisioning when someone leaves the organization...
    Is there anyone who has worked on the same, or is there any best practice guide on how it can be implemented... What should the architecture or data flow be?
    Regards,
    Milan

    Hi Milan,
    here is the document you need:
    http://www.sdn.sap.com/irj/scn/index?rid=/library/uuid/e0b2e5c5-fa62-2c10-9687-ff98bc0b99f8
    Best,
    Frank

  • How to delete the recon Taskresults in Sun IdM 7.1 thru automation

    How to delete the recon Taskresults in Sun IdM 7.1 thru automation either thru workflows or using java programs...
    We need to delete only recon Taskresults.

    Hi Dinesh,
    Try using waveset.adminRoles
    Thanks

  • Error while Reading Idocs from ECC 6.0 to Sun IDM .

    Hi Gurus,
    We have a scenario where we have to update the Sun IDM Server with all the changes in HR Data happening in ECC.
    For that... we have
    1. Created a Logical System for Sun IDM server, Port, RFC Connection (TCP/IP).
    2. Assigned Partner Profiles, Distribution Model etc. for msg. type HRMD_A ;
    3. We have created a Communications User used by the IDM server to connect to ECC.
    Idocs are created daily and are in status 03 - Data passed to Port OK !
    and in Sun Identity Manager 8.0 we have created an SAP resource adapter for ECC 6.0;
    after giving the resource parameters, our test connection is successful.
    We also changed edit synchronisation policy for the same, but when we start synchronisation in IDM, it is unable to read any IDocs, although IDocs are generated in SAP.
    Log file gives the message as "Incoming IDoc list request containing 0 documents"
    We also have one more error ;
    some times while doing a connection test : JCO.Server could not find server function '剆䍟偉乇'
    while most of the times the connection is successful.
    Please suggest .

    Hi Gurus,
    The error got resolved .
    The changes in the settings I did:
    SAP SIDE : Made the RFC Connection Unicode.
    IDM SIDE : Checked the "SAP Server Unicode" checkbox while doing the HR Active Sync settings.
    This Resolved the error.
    regards
    Vaibhav

  • SUN IDM with Windows Vista

    Hello,
    Has anybody tried installing SUN IDM with Windows Vista?
    I tried IDM 7.1 with Vista Home Premium and it doesn't seem to work. Curious to know if anybody has had success with Vista.
    Awaiting replies
    Thanks,

    What error message are you getting?
    Have you installed Java and an application server as requested?
    1) Set Up a Java Virtual Machine Software Development Kit and Java Compiler
    The application requires a Java compiler and a Java Virtual Machine (JVM) to run the Java classes that perform actions within Identity Manager. Both of these can be found in a Java SDK. Download from or http://java.sun.com/javase/downloads/index_jdk5.jsp *** You should add JAVA_HOME to your list of system environment variables and to your system path. To do this, add JAVA_HOME to your system environment and JAVA_HOME\bin to your path, making sure to list it before any other Java environment variables.
    2) Install Tomcat application server from official http://tomcat.apache.org/ to local hard drive. Configure Tomcat memory requirements and restart. Min: 256k

  • Looking for some one who can help me in SUN IDM

    Hi Friends,
    I am looking for someone who can help me to learn Sun IDM. Of course I will pay for your time.
    I can be reached at [email protected]
    Please let me know if you have some time
    Thx

    Hi Zebra,
    I really appreciate your reply. I would like to discuss outside of this forum so that no one here is annoyed with our newbie questions. Please send me email as I listed earlier to discuss best ways. I send email to Andy to join us.

  • Exploratory Programming of the Sun IDM API

    Exploratory Programming of the Sun IDM API using Rhino
    Sun IDM comes with a JavaScript interpreter (Rhino) that can be invoked from the command line. This gives developers an easy way to explore the large number of classes that comprise the product.
    Let's say for example that you need the approvers of a role object in order to display them on a form. (The role view provides this information, but let's ignore this for the purpose of this example.) The role javadoc mentions two methods to get the approvers, getApproverRefs() and getApprovers(). Unfortunately they are not described clearly, and the difference between the two is not clear either.
    In order to understand what these methods do and what they return, you can use the interpreter to invoke each one directly.
    First start the interpreter with the 'lh.bat js' command:

        lh.bat js

    You will be greeted with the JavaScript prompt "js>".
    Then the first thing to do is to log in to the application server. Copy-paste the following code into the shell interpreter.

        // Java packages are prepended with the word 'Packages'
        // and are imported using the 'importPackage' function
        importPackage(Packages.com.waveset.util);
        importPackage(Packages.com.waveset.object);
        importPackage(Packages.com.waveset.security.authn);
        importPackage(Packages.com.waveset.session);
        importPackage(Packages.com.waveset.ui);
        importPackage(Packages.java.util);
        // Use arguments[0] and arguments[1] if you want to pass credentials from the command line
        // Here we just use the built-in account "configurator"
        var epass = new EncryptedData("configurator");
        var session = SessionFactory.getSession("configurator", epass);
        print("Waveset session established");

    Alternatively, save the above code to a text file called "idm-init.js" and load the file from the interpreter.

        js> load("idm-init.js")
        Waveset session established

    Once a session has been established, objects can be loaded from the repository. Enter this line at the prompt to get the role object named "testrole3".

        js> var roleObject = session.getObject("Role", "testrole3");

    Enter the variable name at the prompt to cause the interpreter to invoke the object's 'toString' method.

        js> roleObject
        Role:testrole3

    Use a 'for' loop to print out all of the object's methods and fields.

        js> for (i in roleObject) { print(i) }

    Enter a method's name to invoke it. Let's call getApproverRefs().

        js> var approvers1 = roleObject.getApproverRefs();
        js> approvers1
        [User:role1approver(id=#ID#1CC1759638D9AF96:182C132:10F3E8040B5:-7FBE), User:role2approver(id=#ID#1CC1759638D9AF96:182C132:10F3E8040B5:-7FB8)]
        js> approvers1.get(0).getClass();
        class com.waveset.object.ObjectRef

    Now let's check out getApprovers().

        js> var approvers2 = roleObject.getApprovers();
        js> approvers2
        [Lcom.waveset.object.WSUser;@d3c69c
        js> approvers2[0].getClass()
        class com.waveset.object.WSUser

    So getApproverRefs() returns a list of ObjectRef objects, while getApprovers() returns an array of WSUser objects.
    In summary the Sun IDM JavaScript interpreter can be used to explore the product's vast API. This article used the role class and its getApprovers() and getApproverRefs() methods as an example for exploratory programming. Other applications include automated testing and administrative scripts.

    Yes, you can customise IDM; it is all available in courses, and the manuals also provide some info.
    As long as you can write the code you need in Java or JavaScript you can call it from IDM: that could be an interface to your naming app.
    Otherwise use the SPML interface if you want to use something other than the GUI. This is also described in the manuals.
    WilfredS

  • Expert pls help: Sun IDM with ldap active sync

    Hi all,
    Currently I am configuring Sun IDM 6.0 SP1 to active sync with Sun directory server. I have enabled Retro Change Log but I still can't find my changeNumber in the directory server. Could anyone show me a way (search?) to get what changeNumber the directory server is currently running?

    Check that the account used by IDM to access DS can search the cn=changelog branch. If it is not Directory Manager, you probably need to set an ACI on that branch.
    HTH

  • Managing LDAP groups and roles through SUN IDM

    Hi Guys,
    We have a requirement to build the following functionality in our Sun IDM tool.
    1.     Ability to create/manage Static LDAP group.
    2.     Ability to create/manage filtered LDAP group.
    3.     Ability to create/manage Static LDAP roles.
    4.     Ability to create/manage filtered LDAP roles.
    Can anyone let us know any pointers as to how to accomplish this or any ideas for the path to follow for this.
    Any reply will be appreciated.

    http://myidm.blogspot.com/2009/06/how-to-create-groups-in-ldap-or-active.html

  • SUN IDM Role removal does not remove the set atributes

    Hi,
    I am using SUN IDM Roles to set a multi-valued attribute on a resource using the merge with value property.
    But when I remove any of the assigned roles, the corresponding attribute value is not removed.
    Is there anything specific which needs to be done?
    eg: Role1 sets attribute PRIV on resource A to "ADMIN"
    Role2 sets attribute PRIV on resource A to "MANAGER"
    If I assign both Role1 and Role2 the PRIV will have "ADMIN" and "MANAGER"
    But if I remove Role1 still "ADMIN" is present under PRIV.
    Is there any workaround for this? Please advise.
    - Thanks, ARK

    Try using "Authoritative Merge with Value" instead of just "Merge with Value".

  • Getting Error IDM8.1patch11WebLogic Server com/sun/idm/idmx/txn/Transaction

    I installed IDM 8.1 Patch 11 on WebLogic server. When I start the server I am getting following error. The Login page never shows up. I will appreciate if you can give me the pointer.
    ] Root cause of ServletException.
    java.lang.NoClassDefFoundError: com/sun/idm/idmx/txn/TransactionManager
         at com.waveset.ui.LoginHelper.csrfGuardTokenEnabled(LoginHelper.java:2471)
         at com.waveset.ui.LoginHelper.handleCSRFGuardToken(LoginHelper.java:2186)
         at jsp_servlet.__login._jspService(__login.java:251)
         at weblogic.servlet.jsp.JspBase.service(JspBase.java:34)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
         at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at com.sun.idm.profiler.instrumentation.RequestTimingFilter.doFilter(RequestTimingFilter.java:76)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.doIt(WebAppServletContext.java:3684)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3650)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
         at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2268)
         at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
         at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1446)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    Edited by: 842717 on Mar 8, 2011 12:16 PM

    You are receiving this error because one of the fields being pulled from IdM exceeds the column limit defined in the GLOBALUSERS database table.
    I received this error before because the PRIMARYEMAIL column in the GLOBALUSERS table was defined as [PRIMARYEMAIL] [nvarchar](50).
    I went into Microsoft SQL Server Management Studio and updated the field to [PRIMARYEMAIL] [nvarchar](100), and then the import worked.
    Hope this helps,
    Larry L. Viars | Senior Consultant
    Logic Trends, Identity & Access Management Specialists
