
Preface

CA IdentityMinder Volume II: Learn by Example Code guides you through advanced examples. You will learn provisioning and de-provisioning by API and advanced workflow generation.

My CA Identity Manager (formerly CA IdentityMinder) Programming is a series of three books:

CA Identity Manager Volume I: Java Developer's Guide, for beginning level.

CA Identity Manager Volume II: Learn by Example Code, for advanced level.

CA Identity Manager: Custom Connectors Guide, for the custom connector developer.

Please visit the book’s web site for more details.

About This Book

This book contains:

Example code: Provisioning API

Example code: Workflow and integration

Example code: De-provisioning API

Example code: Moving user and account

Example code: API and Policy Set

Example code: scheduling job and calling admin task

Example code: Modify account attributes directly

Example code: Advanced Workflow and Approval

Who This Book Is For

This book is intended for advanced developers who have some CA IdentityMinder programming experience and would like to learn how to implement complex requirements by API.

Convention

The following text conventions are used in this document:

Boldface: book titles.

Italic: emphasis, or placeholder variables.

monospace: language and syntax elements.

Customer Support

Feedback from our readers is always welcome. Let us know what you think about this book. Please visit the web site for more details:

The web site for the books:

Blog and updated contents:

To send us general feedback or any questions, simply send an e-mail. Please find my e-mail address on the web site.

Download Source Code

Please visit our web site: http://www.caidentitymanagerbook.com

Trademarks

CA IdentityMinder, CA Identity Manager and CA SiteMinder are registered trademarks of CA Technologies.


Please accept my apologies:

DELAY: I expected to release this book in September 2013, but I delayed it almost one year.

GRAMMAR: Please accept my apology for grammar mistakes. The reviewing process may require up to 3 months. Hopefully, my next release will fix this issue.

NO POLICY XPRESS: Policy Xpress is easy to learn. We may not need a beginning-level book.

EXAMPLES: I know some examples can be implemented by Policy Xpress, but I implemented all examples by programming because I want to show how to use the APIs.

NO BASIC LEVEL: I apologize; some readers may complain that this book is not for beginners. I will fix this by adding bonus chapters and video demos. Please visit my blog.

SUPPORT: I am a full-time programmer. I may not respond to your email immediately. Please allow 24 hours for a response. My time zone is New York EST.

Hopefully, my second edition will be better and fix all these issues.

Regards,

Kosakarika

About the Author

I am a Java developer and live in New York.

Experience:

Front End: ExtJS, JQuery, Content Management(WebSphere Portal), and Portlet (WebSphere/Weblogic/SUN Portal)

SOA: Rules (JBoss Drools/Guvnor), ESB (ServiceMix/Camel) and BPEL (WebSphere Process Server)

IDM and SSO: CA IdentityMinder, CA SiteMinder, and SUN Access Manager.

Implemented multi-threaded, high-transaction, real-time brokerage projects.

Certification:

Sun Certified Java Programmer 1.2

Sun Certified Business Component Developer 1.3

IBM Certified Developer - IBM WebSphere Portal Developer V6.1

IBM Certified Developer - Web Services Development for WebSphere V6.1

IBM System Administrator - WebSphere Application Server V6.1

IBM Enterprise Developer - IBM WebSphere Studio V5.0

Copyright © 2014 W. Kosakarika

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the author, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. The author will not be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

The author has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, the author cannot guarantee the accuracy of this information.

First published: September 2014

Contents

Chapter 1: Introduction

1.1 Requirements Overview

1.1.1 Provisioning Process: New hire and re-hire

1.1.2 De-provisioning Termination process

1.1.3 De-provisioning Pre-delete process

1.1.4 Lock AD account

1.1.5 Workflow

1.2 Utility Components

1.2.1 DisplayUtils.java

1.2.2 WorkpointHelper.java

1.2.3 TaskSessionUtils.java

1.2.4 EmailUtils.java

1.3 Conclusion

Chapter 2: Configuring Server and IDE

2.1 Configuring Server Environment

2.1.1 CA IdentityMinder User Store

2.1.2 Active Directory

2.1.3 IDM Configuration

2.1.4 Admin task and Listener

2.1.5 Code and email template

2.1.6 HR System and Ticket System

2.1.7 Email

2.2 Configuring IDE

2.2.1 Eclipse

2.2.2 Workpoint

2.3 Conclusions

Chapter 3: Example: Provisioning New Hire process

3.1 Requirement

3.2 Design

3.3 Code and configuration

3.3.1 Code

3.3.2 Configuration: Admin Task

3.3.3 Configuration: ProvUserListener

3.3.4 Configuration: EventErrorListener

3.4 How it works

3.4.1 Step 1: Put new employee

3.4.2 Step 2: Search employee number

3.4.3 Step 3: Start workflow and select routing path to new hire process

3.4.4 Step 4: Create User

3.4.5 Step 5: Send email to inform IDM admin

3.4.6 Step 6: Add provisioning Role

3.4.7 Step 7: Create account

3.4.8 Step 8: Call workflow for Ticket System and delay execution

3.4.9 Exception handling

3.5 Conclusions

Chapter 4: Example: Workflow and integration

4.1 Requirement

4.2 Design

4.3 Code and configuration

4.3.1 Code

4.3.2 Configuration

4.4 How it works

4.4.1 Step 1: Call Ticket System

4.4.2 Step 2: Wait until hire date

4.4.3 Step 3: Enable User and Account

4.4.4 Step 4: Email ticket id to IDM admin

4.4.5 Step 5: Check location

4.5 Conclusions

Chapter 5: Example: De-provisioning Termination process

5.1 Requirement

5.2 Design

5.3 Code and configuration

5.3.1 Code

5.3.2 Configuration

5.4 How it works

5.4.1 Step 1: Enter employee number

5.4.2 Step 2: Check user’s state

5.4.3 Step 3: Disable user

5.4.4 Step 4: Disable account

5.4.5 Step 5: Revoke provisioning role

5.4.6 Exception handling

5.5 Conclusions

Chapter 6: Example: De-provisioning Pre-delete process

6.1 Requirement

6.2 Design

6.3 Code and configuration

6.3.1 Code

6.3.2 Configuration: admin task

6.3.3 Configuration: PreDeleteListener

6.4 How it works

6.4.1 Step 1: Enter employee number

6.4.2 Step 2: Check user’s state

6.4.3 Step 3: Move user

6.4.4 Step 4: Move account

6.4.5 Exception handling

6.5 Conclusion

Chapter 7: Example: Provisioning Rehire process

7.1 Requirement

7.2 Design

7.3 Code and configuration

7.3.1 Code

7.3.2 Configuration

7.3.3 Configuration: Identity Policy

7.4 How it works

7.4.1 Step 1: Put the rehire employee

7.4.2 Step 2: Search employee number

7.4.3 Step 3: Start workflow and set routing path to re-hire process

7.4.4 Step 4: Set up User

7.4.5 Step 5: Call Identity Policy to add provisioning role

7.4.6 Step 6: Send email to inform IDM admin

7.4.7 Step 7: Update account attribute

7.4.8 Step 8: Call workflow for Ticket System and delay execution

7.5 Conclusion

Chapter 8: Example: Scheduling job and calling task

8.1 Requirement

8.2 Design

8.3 Code and configuration

8.3.1 Code

8.3.2 Configuration admin task: WS Configuration

8.3.3 Configuration admin task: WS Execution

8.4 How it works

8.4.1 Step 1: Configure web services properties for connecting to HR web services

8.4.2 Step 2: Run schedule

8.4.3 Step 3: Call web services to get employees’ information

8.4.4 Step 4: Call admin task: provisioning task

8.5 Conclusion

Chapter 9: Example: Modify account attributes

9.1 Requirement

9.2 Design

9.3 Code and configuration

9.3.1 Code

9.3.2 Configuration: admin task

9.4 How it works

9.4.1 Step 1: Enter employee number

9.4.2 Step 2: Account in AD is locked

9.5 Conclusion

Chapter 10: Example: Workflow and Approval

10.1 Requirement

10.2 Design

10.3 Code and configuration

10.3.1 Code

10.3.2 Configuration: Admin Task Request Application

10.3.3 Configuration: Admin Task Approve Request Application

10.3.4 Provisioning Role BookPrj.HR

10.3.5 Configuration: Approver

10.4 How it works

10.4.1 Enter employee number and check request

10.4.2 Generate workflow: request CRM application

10.4.3 Participant Resolver API

10.4.4 Request CRM Application workflow

10.4.5 Generate workflow: request HR application

10.4.6 Request HR Application workflow

10.4.7 Sending Email: Request waiting approval

10.4.8 Sending Email: Request rejected

10.4.9 Sending Email: Notification after 5 minutes

10.4.10 Time out

10.5 Conclusion

Chapter 1: Introduction

The goal of this book is to demonstrate how to solve complex requirements by programming. You will learn advanced techniques from examples. We do not explain the basic concepts. We assume you already have some experience with the CA IdentityMinder API and are able to customize workflow.

If you are not familiar with the CA IdentityMinder API or workflow, I suggest getting Volume I. Volume I, for beginners, explains the concepts and example code step by step.

This chapter covers 2 topics:

Overview of the requirements of this book.

Explanation of the utility components used in this book.

Technical Terms

To avoid confusion, we define some terms:

User means the user information maintained by the CA IdentityMinder Server. A User is stored in the CA IdentityMinder User Store.

Global User means the user information maintained by the Provisioning Server. It is stored in the Provisioning Directory.

Account means the user information in an endpoint, for example an account in Active Directory.

Endpoint is the destination of the user information after provisioning.

BLTH stands for Business Logic Task Handler.

Listener means the listener API.

1.1 Requirements Overview

Forward company wants to implement a new IDM system.

Existing System

Forward company has an HR system that provides a web services interface.

The HR system feeds new employees’ information. We do not know exactly when new employees arrive, so the IDM system needs to run a scheduled job to check for new data.

Forward company has a Ticket System. Some processes are required to call it by web services.

Forward company has one endpoint: Active Directory.

Figure 1-1 shows the existing system.

Employee States

There are 3 states of employee:

o Regular, for full-time employees. The attribute employeeType is Fulltime.

o Termination, the status of an employee who has quit. The attribute employeeType is Terminated.

o Pre-delete, a status for terminated employees. We want to store these users in the special OU “predelete”. For example, 90 days after termination we plan to delete the terminated user, so we move these users to OU “predelete”.

The status can convert:

o From regular state to termination state

o From termination state back to regular state

o From termination state to pre-delete state

Figure 1-2 shows the employee states.

The status cannot jump across states from regular to pre-delete.

We do not convert the pre-delete state back to the termination state.

Provisioning process

There are 2 types of provisioning process:

o New Hire is the process for provisioning a brand-new employee who has never been in our system before.

o Re-Hire is the process that converts the termination state back to regular.

De-provisioning process

There are 2 types of de-provisioning process:

o Terminated is the process that converts the regular state to the terminated state.

o Pre-delete is the process that converts the terminated state to the pre-delete state.

Figure 1-3 shows the relationship between the employee’s state and the processes.

Additional requirements

The IDM system has to:

Require the employee number as the key on all screens.

Provide a screen to configure web services properties.

Provide a schedule for calling web services.

Provide a screen for locking an AD account.

Provide a dynamic workflow for requesting access to the CRM and HR applications.

1.1.1 Provisioning Process: New hire and re-hire

The provisioning process starts from a scheduled task that gets new employees’ information from the HR System’s web services. When we get the data, we have to search for the user (excluding OU predelete):

If the user is not found, start the new hire process.

If the user is found and the status is terminated, start the re-hire process.

After the user/account has been created or set up, both processes go to the Ticket System and enable user process. We can write this as the flow chart below:

Figure 1-4 shows the high-level flow chart of the provisioning process.
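The state rules of Section 1.1 (regular, termination, pre-delete and the three permitted transitions) and the routing decision above can be written down as a small state machine before any IDM code is touched, so that the termination, pre-delete and re-hire tasks all share one guard. The following Python is an added illustration, not code from this book and not the CA IdentityMinder API: the states, the allowed edges and the routing rule are taken from the requirements text; the record layout (employee number, employeeType, ou) and the "skip" outcome for a user who is already regular are assumptions.

```python
"""Employee lifecycle rules of Section 1.1 as a small state machine.

Added illustration, not the book's code and not the CA IdentityMinder API:
states, allowed transitions and the routing rule come from the requirements
text; the record layout (employee number, employeeType, ou) and the "skip"
outcome for an already regular user are assumptions.
"""
from dataclasses import dataclass

# employeeType values named in the requirements
REGULAR = "Fulltime"
TERMINATED = "Terminated"
PREDELETE = "PreDelete"          # derived from the OU, not an employeeType value

# The only edges the requirements allow. Every other edge (regular -> pre-delete,
# pre-delete -> terminated, ...) is rejected rather than silently corrected,
# because each edge maps to a process that changes users and AD accounts.
ALLOWED_TRANSITIONS = {
    (REGULAR, TERMINATED): "termination",   # Section 1.1.2, Chapter 5
    (TERMINATED, REGULAR): "rehire",        # Section 1.1.1, Chapter 7
    (TERMINATED, PREDELETE): "predelete",   # Section 1.1.3, Chapter 6
}


class TransitionError(ValueError):
    """A request tried to move a user along a forbidden edge."""


@dataclass
class User:
    employee_number: str
    employee_type: str   # "Fulltime" or "Terminated"
    ou: str              # "predelete" once the pre-delete process has run


def state_of(user):
    """Derive the lifecycle state from the stored user record."""
    if user.ou.lower() == "predelete":
        return PREDELETE
    return user.employee_type


def process_for(user, target):
    """Name the process that moves the user from its current state to target.

    This is the check that Step 2 of the termination and pre-delete processes
    performs before touching anything: a wrong state aborts the task.
    """
    current = state_of(user)
    try:
        return ALLOWED_TRANSITIONS[(current, target)]
    except KeyError:
        raise TransitionError(
            "%s: %s -> %s is not allowed" % (user.employee_number, current, target)
        ) from None


def route_hr_record(employee_number, directory):
    """Section 1.1.1: pick the provisioning process for one HR feed record.

    The user search excludes OU predelete, so a pre-deleted user counts as
    never seen and gets a brand-new user and account (no old login is reused).
    """
    user = directory.get(employee_number)
    if user is None or state_of(user) == PREDELETE:
        return "newhire"
    if state_of(user) == TERMINATED:
        return "rehire"
    return "skip"   # assumption: an active regular user needs no provisioning


if __name__ == "__main__":
    # Constructed sample directory, keyed by employee number.
    directory = {
        "E1002": User("E1002", TERMINATED, "users"),
        "E1003": User("E1003", TERMINATED, "predelete"),
    }
    for emp in ("E1001", "E1002", "E1003"):
        print(emp, route_hr_record(emp, directory))
    print(process_for(User("E1004", REGULAR, "users"), TERMINATED))
```

Keeping the transition table in one place means a forbidden move such as regular to pre-delete fails the task instead of quietly moving an active account into the container that is scheduled for deletion.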

The requirement details of each process are shown in the steps below:

Scheduling task requirements

Step 1: Get the HR system endpoint from configuration.

Step 2: Call web services.

Step 3: Call the provisioning process.

Figure 1-5 shows how to implement the scheduling task.

We implement the scheduling task in Chapter 8, where you will learn how to:

Save admin task configuration.

Access other admin tasks’ configuration.

Create a scheduled task.

Call other admin tasks by internal API.

New hire process requirements

Step 1: Generate a unique NT login and user ID in the right format.

Step 2: Create the User in the right OU.

Step 3: Send email to the IDM Admin: a new user has been created.

Step 4: Add the provisioning role.

Step 5: Create the account in AD.

Step 6: Go to process: Ticket System.

We implement the new hire process in Chapter 3, where you will learn how to:

Initialize, validate and capture input by BLTH

Search users by API

Share session attributes between BLTH, workflow and listener

Create a routing path in workflow

Create a user and add a provisioning role by API

Develop a listener API to capture events

Add an account by API

Generate an event and embedded workflow by API

Exception handling

Re-hire process requirements

Step 1: Update the user’s attributes. We keep the old user ID and password.

Step 2: Send email to the IDM Admin: a user has started the re-hire process.

Step 3: Add the provisioning role.

Step 4: Update the account’s attributes in AD.

Step 5: Go to process: Ticket System.

We implement the re-hire process in Chapter 7, where you will learn how to:

Work with the Identity Policy API.

Update a global user’s attributes by generating the event SynchronizeAttributesWithAccountsEvent.

Figure 1-6 shows the new hire and re-hire workflow.

Ticket System and enable user/account process requirements

Step 1: Call the Ticket System; if there is an error, send the web services request to the IDM admin by email.

Step 2: Wait until the hire date.

o Enable the user and account.

Step 3: Send email to the IDM Admin: the user and account are enabled, with the ticket number.

Step 4: If office == US101, wait until 6 am on the hire date.

o Call the Ticket System again.

We implement the ticket process in Chapter 4, where you will learn how to:

Call web services (Ticket System)

Implement a delay to wait until the hire date

Enable user and account

Generate an event by the Advanced API (Task Session)

Share an attribute (ticket ID) inside the workflow

Figure 1-7 shows the workflow for calling the ticket system and enabling the user/account.

1.1.2 De-provisioning Termination process

The termination process handles employees who have quit. We can describe it in the steps below:

Step 1: Enter the employee number.

Step 2: Our system searches for the active user by employee number.

Step 3: Change the status to terminated and disable the user.

Step 4: Disable the account.

Step 5: Revoke the provisioning role.

Figure 1-8 shows the overall de-provisioning termination process.

All implementation is shown in Chapter 5. You will learn how to:

Disable user and account by API

Revoke provisioning role by API

1.1.3 De-provisioning Pre-delete process

The pre-delete process moves a terminated user and account to the special OU “predelete”. The pre-delete process can be described in the steps below:

Step 1: Enter the employee number of the terminated user.

Step 2: Check the user’s state. Only a terminated user can be moved.

Step 3: Move the user to OU predelete.

Step 4: Move the account to the AD container PreDelete.

Figure 1-9 shows the final result of the pre-delete process.

We implement this in Chapter 6: De-provisioning process: Pre-delete, and you will learn:

Moving user and account by API.

1.1.4 Lock AD account

This example demonstrates how to modify an AD account’s attributes directly. The administrator enters an employee number. The IDM system looks up the AD account to lock the account, hide the e-mail from Exchange and disable remote terminal logon.

Figure 1-10 shows the screen and the locked AD account.

We implement this in Chapter 9. You will learn how to modify an account’s attributes directly by API.

1.1.5 Workflow

The IDM system provides a form for requesting the CRM and HR applications.

If the request is for the CRM application:

o Requires approvers from web services (HR System).

o If the request has been approved, the IDM system will send a ticket.

If the request is for the HR application:

o Requires the first approver from an admin role. If the user’s office is US101, requires a second approver from a properties file.

o If the request has been approved, the IDM system will add a provisioning role to the user.

Figure 1-11 shows the workflow.

Additional requirements:

Send email to inform all approvers that a request is waiting.

Send an email alert while the request is still waiting. For testing, we set 5 minutes for the alert.

Send email to inform that the request has timed out. For testing, we set 10 minutes for the timeout.

Send email to the requester when the request is rejected.

You will learn how to:

Generate workflow by API.

Set approvers by API.

Use Velocity email templates in workflow.

Implement a timeout in workflow.
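The approver rules and the 5-minute alert / 10-minute timeout above are the part of this workflow most worth getting right, because a request that resolves to no approver must fail rather than complete unapproved. The following Python is an added illustration of those rules, not code from this book and not CA’s Participant Resolver API: the HR web-service answer, the admin-role membership and the properties file are constructed inline, and their shapes and key names are assumptions.

```python
"""Approval routing and waiting rules of Section 1.1.5.

Added illustration in plain Python, not the book's code and not CA's
Participant Resolver API. The HR web-service answer, the admin-role
membership and the properties file are constructed inline; their shapes
and key names are assumptions.
"""

ALERT_AFTER_SECONDS = 5 * 60      # "still waiting" alert (test setting)
TIMEOUT_AFTER_SECONDS = 10 * 60   # request times out (test setting)

# Constructed stand-ins for the three approver sources named in the text.
HR_WEBSERVICE_APPROVERS = {        # what the HR system web service would return
    "E1001": ["mgr.alice", "mgr.bob"],
}
ADMIN_ROLE_MEMBERS = ["idm.admin1", "idm.admin2"]
PROPERTIES = {                     # second-approver properties file
    "approver.second.US101": "hr.director",
}


def resolve_approvers(application, employee_number, office):
    """Return the approval steps for one request, in order.

    Each step is the list of users who may approve it; a later step only
    sees the request after the earlier one is approved. An empty or missing
    approver source is an error: a request nobody can approve must fail
    closed instead of completing without approval.
    """
    if application == "CRM":
        approvers = HR_WEBSERVICE_APPROVERS.get(employee_number, [])
        if not approvers:
            raise LookupError("HR system returned no approvers for " + employee_number)
        return [list(approvers)]
    if application == "HR":
        if not ADMIN_ROLE_MEMBERS:
            raise LookupError("admin role has no members")
        steps = [list(ADMIN_ROLE_MEMBERS)]
        if office == "US101":
            second = PROPERTIES.get("approver.second." + office)
            if second is None:
                raise LookupError("second approver for " + office + " is not configured")
            steps.append([second])
        return steps
    raise ValueError("unknown application: " + repr(application))


def on_approved(application):
    """Action the IDM system takes once the last step is approved."""
    return "send_ticket" if application == "CRM" else "add_provisioning_role"


def waiting_state(requested_at, now):
    """Classify a pending request by age (POSIX timestamps in seconds)."""
    age = now - requested_at
    if age >= TIMEOUT_AFTER_SECONDS:
        return "timeout"        # email: request timed out
    if age >= ALERT_AFTER_SECONDS:
        return "alert"          # email: request still waiting
    return "waiting"


if __name__ == "__main__":
    print(resolve_approvers("CRM", "E1001", "US101"))
    print(resolve_approvers("HR", "E1001", "US101"))
    print(resolve_approvers("HR", "E1001", "UK200"))
    print(waiting_state(0, 6 * 60), on_approved("HR"))
```

The same fail-closed rule applies when the real HR web service is unreachable: treat a transport error like an empty approver list and leave the request pending for the alert and timeout emails, rather than defaulting to a fixed approver.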
