Creating the IntegrationConfig Object
The first step in configuring an integration is designing an instance of the IntegrationConfig object. There is currently no user interface for editing these objects, you must write them in XML and import them. The IntegrationConfig defines the following things:
- Java class that handles communication with the IDM system
- Connection parameters such as host name, user name, and password
- IdentityIQ Application object that represents the IDM system in aggregations
- List of the applications that are managed by the IDM system
- Resource and attribute name mappings
Here is an example of an IntegrationConfig file that has all of the options:
<IntegrationConfig name='Example Integration'
                   executor='.integration.ExampleIntegration'
                   roleSyncStyle='it'>
  <!--
    Application representing the IDM system in
  -->
  <ApplicationRef>
    <Reference class='Application' name='Example Integration'/>
  </ApplicationRef>
  <!--
    Connection parameters needed by the executor.
  -->
  <Attributes>
    <Map>
      <entry key='url' value='http://somehost:8080/rest/'/>
      <entry key='username' value='jlarson'/>
      <entry key='password' value='1:987zxd9872970293874'/>
    </Map>
  </Attributes>
  <!--
    Definitions of managed resources and name mappings.
  -->
  <ManagedResources>
    <ManagedResource name='LDAP 42'>
      <ApplicationRef>
        <Reference class='Application' name='Corporate Directory'/>
      </ApplicationRef>
      <ResourceAttributes>
        <ResourceAttribute name='memberOf' localName='groups'/>
      </ResourceAttributes>
    </ManagedResource>
  </ManagedResources>
</IntegrationConfig>
The executor attribute has the name of a class that implements the sailpoint.object.IntegrationExecutor interface. This class is conceptually similar to a Connector class in that it does the work specific to a particular integration. Each integration package will come with an example IntegrationConfig that contains the executor class name.
ApplicationRef
Some integrations support identity aggregation. In these cases there is a sailpoint.object.Application object defined to represent the IDM system and an implementation of the sailpoint.connector.Connector interface that handles communication with the IDM system. This is normally a multiplexed connector that returns objects representing the IDM system account as well as accounts on managed resources. Links in the identity cube are created for the managed resource accounts as well as the IDM system account.
<ApplicationRef>
  <Reference class='Application' name='Example Integration'/>
</ApplicationRef>
The documentation of each integration must describe the supported configuration attributes.
The following attribute is reserved and can only be used for the purposes defined here.
- universalManager: enables the integration as a manager of all applications
The universalManager attribute is set to the string true to enable this integration as a manager for all IdentityIQ applications without a ManagedResources list. This can be helpful in test environments to validate deployment configuration as well as environments where all provisioning must be fulfilled by a single integration.
ManagedResources
If the integration supports provisioning, it must define a list of managed resources that correspond to applications defined in IdentityIQ. This list determines how provisioning plans created during certification or role assignment are divided and sent to each integration.
<!--
  Definitions of managed resources and name mappings.
-->
<ManagedResources>
  <ManagedResource name='LDAP 42'>
    <ApplicationRef>
      <Reference class='Application' name='Corporate Directory'/>
    </ApplicationRef>
    <ResourceAttributes>
      <ResourceAttribute name='memberOf' localName='groups'/>
    </ResourceAttributes>
  </ManagedResource>
</ManagedResources>
The ManagedResources element contains a list of ManagedResource elements. A ManagedResource element must contain an ApplicationRef that identifies the associated IdentityIQ application. The ManagedResource element may have an optional name attribute that gives the name of the resource within the IDM system. If the name is not specified, the resource name is assumed to be the same as the IdentityIQ application name.
The ManagedResource element may also contain a ResourceAttributes element that holds one or more ResourceAttribute elements. ResourceAttribute defines mappings between attribute names in the IDM system and in IdentityIQ. ResourceAttribute has the following XML attributes:
- name: attribute name in the IDM system
- localName: attribute name in the IdentityIQ application schema
If a provisioning plan is sent to this integration with attributes that are not in the ResourceAttributes list it is assumed that the name in IdentityIQ is the same as the name in the IDM system.
The ResourceAttributes list does not define a filter for the attributes sent to the IDM system; it only defines name mappings. When an integration lists an IdentityIQ application in ManagedResources, all attribute requests for that application are assumed to be sent to that integration. You cannot have more than one integration managing different sets of attributes for the same application.
There is a special attribute, universalManager, that can be defined in Attributes to declare the integration as the manager of all applications in IdentityIQ regardless of the content of the ManagedResources element. You can still use ManagedResources to define name mappings for certain applications when necessary.
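The routing rules above (ManagedResource name defaulting to the application name, localName-to-name attribute mapping with pass-through for unmapped attributes, and the universalManager override) can be checked against a real file before import. The following is an added example, not IdentityIQ's own code: it parses a constructed IntegrationConfig (the executor class name is a placeholder) and answers the questions a deployer would ask, including whether any ManagedResource is missing its required ApplicationRef.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the document's example; executor class is a placeholder.
SAMPLE_CONFIG = """
<IntegrationConfig name='Example Integration'
                   executor='example.ExampleIntegration' roleSyncStyle='it'>
  <ApplicationRef><Reference class='Application' name='Example Integration'/></ApplicationRef>
  <Attributes><Map>
    <entry key='url' value='http://somehost:8080/rest/'/>
    <entry key='username' value='jlarson'/>
  </Map></Attributes>
  <ManagedResources>
    <ManagedResource name='LDAP 42'>
      <ApplicationRef><Reference class='Application' name='Corporate Directory'/></ApplicationRef>
      <ResourceAttributes><ResourceAttribute name='memberOf' localName='groups'/></ResourceAttributes>
    </ManagedResource>
    <ManagedResource>
      <ApplicationRef><Reference class='Application' name='HR System'/></ApplicationRef>
    </ManagedResource>
  </ManagedResources>
</IntegrationConfig>
"""

def parse_integration_config(xml_text):
    """Return the parts of an IntegrationConfig that provisioning routing depends on."""
    root = ET.fromstring(xml_text)
    if not root.get("executor"):
        raise ValueError("IntegrationConfig has no executor class")
    attrs = {e.get("key"): e.get("value") for e in root.findall("./Attributes/Map/entry")}
    resources = {}
    for mr in root.findall("./ManagedResources/ManagedResource"):
        ref = mr.find("./ApplicationRef/Reference")
        if ref is None or not ref.get("name"):
            raise ValueError("ManagedResource without a required ApplicationRef")
        app = ref.get("name")
        resources[app] = {
            "resource_name": mr.get("name") or app,   # defaults to the IdentityIQ app name
            # localName (IdentityIQ schema) -> name (IDM system)
            "mappings": {ra.get("localName"): ra.get("name")
                         for ra in mr.findall("./ResourceAttributes/ResourceAttribute")},
        }
    return {"name": root.get("name"), "executor": root.get("executor"), "attributes": attrs,
            "universal_manager": attrs.get("universalManager") == "true", "resources": resources}

def manages(config, app_name):
    """True if provisioning requests for app_name are routed to this integration."""
    return config["universal_manager"] or app_name in config["resources"]

def to_idm_attribute(config, app_name, local_name):
    """Translate an IdentityIQ attribute name to the IDM name; unmapped names pass through unchanged."""
    return config["resources"].get(app_name, {"mappings": {}})["mappings"].get(local_name, local_name)
```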
Aggregation
Some integrations support feeds of identity information through the normal aggregation process. In these cases the integration package will include a sailpoint.connector.Connector implementation class and an example sailpoint.object.Application object in XML.
IDM connectors are usually multiplexed connectors that return objects representing the IDM system account as well as accounts on all managed resources.
When an aggregation application is defined, a reference to it should be placed in the IntegrationConfig. This lets provisioning operations look up the account name in the IDM system that corresponds to an identity in IdentityIQ.