ESS: Efecte Identity Management Connector
About this document
This document provides insight into the configuration of the Efecte Self-Service Efecte Identity connector, how Efecte Self-Service uses the data it gets from Efecte Identity Management, and in which ways end users can drive updates of their own data toward Efecte Identity Management.
This article describes the behavior of the Efecte Identity Management Connector in ESS version 2022.3 or newer.
Note
From Efecte Self-Service version 2018.3.0 onwards, Efecte Identity Management version 2018.3.1 or newer is required, due to changes introduced in the connector.
Efecte Identity Management connector
This connector handles the integration with the Efecte Identity Management system (hereinafter referred to as EIM or Efecte Identity). The connector configuration is stored in the file /etc/integration-hub/tenant-configs/<tenant_name>/connector-idm.xml. Changes to the configuration require a reload of the tenant by issuing the command "integration-hub-tenant reload <tenant_name>". Because the file holds the credentials of the technical user, keep its read permissions restricted to the account that runs the Integration Hub.
The common part of the configuration (used by the various functions of this connector) is the set of EIM connection properties in the bean with id="idmRemoteConfiguration".
Parameter | Description
accountType | Account type of the technical user for ESS in Efecte Identity
username | Username of the technical user for ESS in Efecte Identity
password | Password of the technical user for ESS in Efecte Identity
host | Efecte Identity host (name or IP)
port | Efecte Identity host port for remote calls; by default JBoss listens on port 4447
sslEnabled | Whether an SSL-encrypted connection is used between ESS and EIM
invocationTimeout | Timeout in milliseconds for EIM's EJB invocation request/response cycle, i.e. one method invocation. Defaults to 30000.
In order to use an SSL-encrypted connection, certificate configuration is also necessary besides switching the 'sslEnabled' flag on. The EIM admin should provide you with an appropriate certificate that is also supported on the EIM side. To import the certificate into the local keystore on the Integration Hub machine, issue:
yes yes | keytool -importcert -file "idm-remoting.crt" -alias "idm-remoting.crt" -keystore /etc/pki/java/cacerts -storepass changeit
Use your own certificate file name and keystore password ("changeit" is only the default password of the JDK cacerts keystore). The piped "yes" answers keytool's "Trust this certificate?" prompt non-interactively, so compare the fingerprint printed by "keytool -printcert -file idm-remoting.crt" with the one the EIM admin gave you before importing: everything in cacerts is trusted by every Java process on the machine that uses that keystore.
Organization connector
When configured properly, the Identity connector can be used as the source of organization data, thereby replacing the LDAP connector.
Organization information data is handled by the bean id="idmOrganizationInfoHandler", which has the following parameters:
Parameter | Description
efecteIdentityFacade | Instance of a configured bean of type com.efecte.integration.connector.idm.EfecteIdentityFacade (see below)
searchLimit | Maximum number of users fetched from Efecte Identity in one go
userFilter | A set of filters defining which users are imported from Efecte Identity. One filter can be e.g. "cn=Users,dc=host,dc=domain,dc=com". Can contain multiple filters in multiple <value> tags. If Site settings in the ESS admin view are empty, ESS picks the list of active OUs from the userFilter list.
Sample configuration:
<bean id="idmOrganizationInfoHandler" class="com.efecte.integration.connector.idm.handler.IdmOrganizationInformationHandler">
<property name="efecteIdentityFacade" ref="efecteIdentityFacade"/>
<property name="searchLimit" value="500"/>
<property name="userFilter">
<set>
<value>cn=Users,dc=host,dc=domain,dc=com</value>
</set>
</property>
</bean>
Communication between Efecte Identity Management and the connector is handled by the bean id="efecteIdentityFacade" with the following parameters:
Parameter | Description
accountTypeMethodNames | Set of account type methods of the accounts of the users imported from Efecte Identity Management
serviceAgreementNames | Set of service agreements of the users imported from Efecte Identity
roleTypeNames | Set of roles imported from Efecte Identity within the organization data
For the properties accountTypeMethodNames, roleTypeNames and/or serviceAgreementNames, add additional <value> tags inside the efecteIdentityFacade bean.
Note
All service agreement names defined in the connector must exist in Efecte Identity Management, or the organization data fetch will fail.
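The following is an added example, not code from Efecte or from this page: a small lint that reads the three beans described in this section (idmRemoteConfiguration, efecteIdentityFacade and idmOrganizationInfoHandler) from a connector-idm.xml and reports what a reviewer checks before reloading the tenant: sslEnabled switched on, a non-empty technical-user password, a sane invocationTimeout and searchLimit, the facade wired to the remote configuration, the handler wired to the facade, and at least one userFilter. The bean ids, property names and the 30000 ms default are taken from this page; the class name of the idmRemoteConfiguration bean and all sample values are assumptions, and the sample XML is constructed for the example.

```python
"""Lint for connector-idm.xml (added example; bean ids and property names
are the ones documented on this page, the sample values are made up)."""
import xml.etree.ElementTree as ET

# Constructed sample file, deliberately left with two weak settings
# (sslEnabled=false, empty password) so the lint has something to report.
# The class of idmRemoteConfiguration is an assumption, not a documented name.
SAMPLE_XML = """
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="idmRemoteConfiguration" class="ASSUMED.IdmRemoteConfiguration">
    <property name="accountType" value="Technical"/>
    <property name="username" value="ess-technical"/>
    <property name="password" value=""/>
    <property name="host" value="eim.example.internal"/>
    <property name="port" value="4447"/>
    <property name="sslEnabled" value="false"/>
    <property name="invocationTimeout" value="30000"/>
  </bean>
  <bean id="efecteIdentityFacade" class="com.efecte.integration.connector.idm.EfecteIdentityFacade">
    <constructor-arg ref="idmRemoteConfiguration"/>
    <property name="accountTypeMethodNames"><set><value>AD Password</value></set></property>
    <property name="serviceAgreementNames"><set><value>Customer - AD users</value></set></property>
    <property name="roleTypeNames"><set><value>AD group</value></set></property>
  </bean>
  <bean id="idmOrganizationInfoHandler"
        class="com.efecte.integration.connector.idm.handler.IdmOrganizationInformationHandler">
    <property name="efecteIdentityFacade" ref="efecteIdentityFacade"/>
    <property name="searchLimit" value="500"/>
    <property name="userFilter"><set><value>cn=Users,dc=host,dc=domain,dc=com</value></set></property>
  </bean>
</beans>
"""


def _local(tag):
    """Strip the Spring beans namespace so tags can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def _prop(bean, name):
    """The <property name="..."> child of a bean, or None."""
    for child in bean:
        if _local(child.tag) == "property" and child.get("name") == name:
            return child
    return None


def _value(bean, name):
    prop = _prop(bean, name)
    return None if prop is None else prop.get("value")


def _values(prop):
    """All non-blank <value> texts under a property (the <set> this connector uses)."""
    if prop is None:
        return []
    return [v.text.strip() for v in prop.iter()
            if _local(v.tag) == "value" and v.text and v.text.strip()]


def _positive_int(text):
    try:
        return int(text) > 0
    except (TypeError, ValueError):
        return False


def lint_connector_config(xml_text):
    """Return a list of findings; an empty list means the configuration passed."""
    root = ET.fromstring(xml_text)
    beans = {b.get("id"): b for b in root.iter() if _local(b.tag) == "bean" and b.get("id")}
    findings = []

    remote = beans.get("idmRemoteConfiguration")
    if remote is None:
        findings.append("idmRemoteConfiguration bean is missing")
    else:
        if _value(remote, "sslEnabled") != "true":
            findings.append("sslEnabled is not true: the remoting session to EIM is unencrypted")
        if not _value(remote, "password"):
            findings.append("password of the technical user is empty")
        timeout = _value(remote, "invocationTimeout") or "30000"  # documented default
        if not _positive_int(timeout):
            findings.append("invocationTimeout must be a positive number of milliseconds")

    facade = beans.get("efecteIdentityFacade")
    if facade is None:
        findings.append("efecteIdentityFacade bean is missing")
    elif "idmRemoteConfiguration" not in [c.get("ref") for c in facade if _local(c.tag) == "constructor-arg"]:
        findings.append("efecteIdentityFacade does not take idmRemoteConfiguration as constructor-arg")

    handler = beans.get("idmOrganizationInfoHandler")
    if handler is None:
        findings.append("idmOrganizationInfoHandler bean is missing")
    else:
        ref_prop = _prop(handler, "efecteIdentityFacade")
        if ref_prop is None or ref_prop.get("ref") not in beans:
            findings.append("idmOrganizationInfoHandler.efecteIdentityFacade does not reference a defined bean")
        if not _positive_int(_value(handler, "searchLimit")):
            findings.append("searchLimit must be a positive integer")
        if not _values(_prop(handler, "userFilter")):
            findings.append("userFilter has no values: nothing selects which users to import")
    return findings


if __name__ == "__main__":
    for finding in lint_connector_config(SAMPLE_XML) or ["no findings"]:
        print(finding)
```

Run it against the real file with ET.parse(path).getroot() in place of the embedded sample; the lint does not replace the "Show test data" check in the ESS admin view, which is still the only way to see whether the filters and service agreement names actually match what EIM holds.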
efecteIdentityFacade
<bean id="efecteIdentityFacade" class="com.efecte.integration.connector.idm.EfecteIdentityFacade">
<constructor-arg ref="idmRemoteConfiguration"/>
<property name="accountTypeMethodNames">
<set>
<value>AD Password</value>
<value>Some Other Password</value>
</set>
</property>
<property name="serviceAgreementNames">
<set>
<value>Customer - AD users</value>
</set>
</property>
<property name="roleTypeNames">
<set>
<value>AD group</value>
</set>
</property>
</bean>
Fetching performance
Performance statistics can be enabled to give a more detailed view of the execution flow. To do so, configure the metrics service in the connector configuration XML:
<!-- Performance Metrics -->
<bean class="com.efecte.integration.util.Metrics" id="metrics" init-method="init" destroy-method="destroy">
<property name="metricsEnabled" value="true"/>
<property name="metricsLogName" value="Metrics"/>
<property name="metricsLogMarker" value="METRICS"/>
<property name="reportTimeUnit" value="MINUTES"/>
<property name="reportPeriod" value="1"/>
</bean>
<bean id="idmOrganizationInfoHandler" class="com.efecte.integration.connector.idm.handler.IdmOrganizationInformationHandler">
... existing configuration ...
<property name="metrics" ref="metrics"/>
</bean>
and configure an appropriate logger in the log4j.xml file:
<appender name="agent-stats" class="org.apache.log4j.RollingFileAppender">
<!-- The active file to log to -->
<param name="file" value="/var/log/integration-agent/agent-stats.log"/>
<param name="append" value="true"/>
<param name="encoding" value="UTF-8"/>
<param name="MaxFileSize" value="100MB"/>
<param name="MaxBackupIndex" value="10"/>
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%c{1}|%p|%d|%t|%X{hostName}|%m%n"/>
</layout>
</appender>
<!-- Application performance metrics -->
<logger name="Metrics">
<level value="info"/>
<appender-ref ref="agent-stats"/>
</logger>
Data from Efecte Identity Management
The following are the key data fields of a user (an agent) in EIM that ESS uses when fetching and writing data.
EIM attribute | Definition | ESS use
Name | Mandatory, unique. The distinguished name of the agent. | Uniquely identifies users from each other. If two agents exist with exactly the same name, the organization data fetch will have errors and missing users.
E-mail | Mandatory, unique. The email address of the agent. | ESS relies on the email address of the agent for communicating with the ESM and for email notifications. ESS can only use the primary email address; no other email addresses can be used. Also used in the business card form.
Display name | Optional | Shown to the user as the user's name. The display name is used e.g. with the comment feature and in the business card form.
Last name | Optional | Used in the business card form and the commenting feature together with the forename; if both are absent, the display name is used.
Forename | Optional | Used in the business card form and the commenting feature together with the last name; if both are absent, the display name is used.
Account | Mandatory | The account user name is used together with the domain components (DC) to form the Authentication ID, which ties tickets and requests to users. This authentication ID is shown to the user when no display name is defined (account@dc.dc2.dc3) or the user is missing from the organization data. Agents with no account defined are not fetched into the organization cache. Note! The authentication ID is the key that associates a user with requests in ESS. A change to any of its components results in the request history not being visible and the user being handled as a new user: after changing the account ID, and thus the authentication ID, old tickets and approval requests are not shown to the user. The account ID is case sensitive.
Cost center | Optional | If a user is associated with a cost center, that cost center is used by default when making requests. If no cost centers are returned to ESS, the cost center selection is not shown on the confirmation page. The cost center is also used by the Employee form.
Supervisors | Optional | If the user has a valid supervisor set, the name of the superior is automatically selected for the agent in cases where approval is required. The list of supervisors is also used in the employee form.
Deputies | Optional | Used for approval delegations. Users with subordinates, dedicated approvers, and delegated approvers have this option visible. It can be set for any user in EIM and becomes visible to the user with the next fetch of organization data.
mobile | Optional, used for password reset | If the user has a mobile number set, it is visible in the end-user view. If no mobile number is defined, the end user can set their own mobile phone number, which is immediately updated to EIM.
agent.customString13 | Optional, used for password reset | Conveys the secondary email address from ESM to EIM and back. Does not map automatically to the agent's account "E-mail for password reset".
street address | Optional | Used in the business card form, combined with zip code, city and country into the Street Address field.
zip code | Optional | Used in the business card form, combined with street address, city and country into the Street Address field.
city | Optional | Used in the business card form, combined with street address, zip code and country into the Street Address field.
country | Optional | Used in the business card form, combined with street address, zip code and city into the Street Address field.
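The following is an added example, not code from Efecte or from this page: it applies the rules from the table above (Name, Account and the Authentication ID) to a batch of agent records and shows which agents end up in the organization cache, which are skipped, and which collide. The agent records are constructed; the way the Authentication ID is assembled (account name followed by the DC components of the agent's distinguished name, in the "account@dc.dc2.dc3" shape shown in the Account row) is an assumption modelled on that row, and the function names are the example's own.

```python
"""Organization-data rules from the EIM attribute table (added example).
Agent records are constructed; auth_id() is an assumed reconstruction of the
'account@dc.dc2.dc3' shape, not ESS's own code."""

# Constructed agents: one clean record, two agents sharing the same Name,
# and one with no Account.
SAMPLE_AGENTS = [
    {"name": "cn=John Doe,cn=Users,dc=host,dc=domain,dc=com", "account": "jdoe"},
    {"name": "cn=Jane Roe,cn=Users,dc=host,dc=domain,dc=com", "account": "jroe"},
    {"name": "cn=Jane Roe,cn=Users,dc=host,dc=domain,dc=com", "account": "jroe2"},
    {"name": "cn=Service Bot,cn=Users,dc=host,dc=domain,dc=com", "account": None},
]


def auth_id(account, dn):
    """Assumed derivation of the Authentication ID: account plus the DC
    components of the distinguished name, joined with dots."""
    dcs = []
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.lower() == "dc":
            dcs.append(value)
    return f"{account}@{'.'.join(dcs)}"


def build_org_cache(agents):
    """Return (cache, skipped, errors).

    cache   - Name -> Authentication ID for the agents ESS would fetch
    skipped - Names of agents without an Account (not fetched into the cache)
    errors  - Names shared by more than one agent (the fetch reports errors
              and these users go missing, so none of them is cached)
    """
    by_name = {}
    for agent in agents:
        by_name.setdefault(agent["name"], []).append(agent)
    cache, skipped, errors = {}, [], []
    for name, group in by_name.items():
        if len(group) > 1:
            errors.append(name)
            continue
        agent = group[0]
        if not agent.get("account"):
            skipped.append(name)
            continue
        cache[name] = auth_id(agent["account"], name)
    return cache, skipped, errors


def history_preserved(old_agent, new_agent):
    """True only if the Authentication ID is unchanged byte for byte.  Any
    change to the account or to a DC component, including letter case, makes
    ESS treat the agent as a new user with no visible request history."""
    return auth_id(old_agent["account"], old_agent["name"]) == \
        auth_id(new_agent["account"], new_agent["name"])


if __name__ == "__main__":
    cache, skipped, errors = build_org_cache(SAMPLE_AGENTS)
    print("cached :", cache)
    print("skipped:", skipped)
    print("errors :", errors)
```

Running history_preserved() over an export of agents before and after a planned rename or domain move tells you in advance which users will lose sight of their old tickets and approval requests.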
Efecte Self Service configuration
In order to select the Efecte Identity connector as the Organization connector, configure it on the Integration Suite side, then open the admin page of Efecte Self Service and select Integrations -> Organization -> Organization Connector.
Before changing the connector, change the administrator groups according to the new organization data. This can be done in two ways:
- in the admin UI, "Settings" tab: "Administrators' AD group" and "Service owners' AD group"
- in the webshop.properties file, parameter ldap.administrator.group (note that settings stored in the database take precedence)
Then choose the Efecte Identity connector from the "Organization Connector" dropdown (if not set as default). Keep in mind that after this the organization cache will be cleared and, if the user is not logged in as a global admin, they may be logged out. Log in again if needed and click the "Show test data" button to check the organization information data.
Note
It is highly recommended not to install more than one organization connector for one tenant.
Efecte Identity as organization data connector for global admin
In order to use the Efecte Identity Management system as the organization data provider for the global admin, configure the following in the /etc/webshop/webshop.properties file (ESS machine):
- globaladmin.organization.connector.type = com.efecte.integration.connector.idm.IdMConnector
- globaladmin.organization.connector.instanceName = defaultEfecteIdentity
and restart ESS. For users to have access to globaladmin, they must additionally belong to the AD group defined in webshop.properties as the global administrator group.
My Services
The Identity connector can act as a source of data for My Services fields.
My Services is a common name for a set of integration mechanisms that enable external systems to dynamically modify the content of the catalog that is visible to users.
Defining MyServices Fields
- Go to the ESS admin page -> Integrations -> External data fields -> External data fields
- Press the Add MyServices field button
- Enter the configuration:
- Field name – enter a name to be used as an alias for this MyServices field
- Data from – select the Efecte Identity connector
- Service from Efecte Identity mapped to the MyServices field (log in to Efecte Identity -> Administration -> Services -> Service Name)
- Data list id – this value should be the same as the name of the service
- Press the Update button. If there are no errors, the MyServices field elements table will show the names of the 'Roles' defined in Efecte Identity for the service (check 'Roles' on the selected Service).
The Efecte Identity connector is not only responsible for the synchronization of elements, but also for tracking associations between elements and users.
My Services & offering catalog
Using a MyServices entry as the source for Service Item IDs
- On the admin page Services tab, open a Service and select a Service Item
- In the Item properties, open the 'External data link' drop-down and select the name of the MyServices field you want to use
- From the 'Item ID' drop-down, select the element that will be used as the ItemId when placing an order
The ID of the selected element will be used as the ItemID when users place orders for the given item.
Associations between Users and DataCards
The connector is not only responsible for the retrieval of Identity Service information, but also for:
- tracking associations between Identity Services and users (Identity Agents)
- altering said associations
To use this functionality:
- On the admin page, open the Service and select the Service Item
- In the Service Item properties, open the 'MyServices Link' drop-down and select the name of the MyServices field
- From the Sub-items drop-down select:
- User using – the user is presented with the list of Services they are associated with
- User not using – the user is presented with the list of Services they are not associated with
Submitting an order for the Service Item results in removing or adding the association between the user (Agent) placing the order and the Efecte Identity Service.