Custom Connectors
Custom Connectors
Design
Choose Connector Features
Determine Object Types
Define Schemas
Implementing the openconnector
Create the Project, Package and Class
Write the Required Methods
Compile and Deploy
Integration with IdentityIQ
Define the ConnectorRegistry Entry
Define the Connection Parameters XHTML Page
Create the Application
Testing
Managing Third-Party Libraries for Custom Connectors
Connector Instantiation
Appendix A: Example Memory Connector
This document describes how to create a custom connector using SailPoint’s
openconnector framework.
Requirements
The writer of the connector should be proficient in Java, comfortable working within
the constraints of a software framework, and versed in the use of an IDE such as
Eclipse or Netbeans. The writer should have at least completed the SailPoint
Fundamentals of IdentityIQ Implementation training course.
Design
Connector design involves identifying the features the connector will support, the
object types it will read or provision, and the object schemas.
o GET: will the connector be able to read and return a map of a specific
resource object (by ID)
AUTHENTICATE AUTHENTICATE
CREATE PROVISIONING
DELETE PROVISIONING
DISCOVER_SCHEMA DISCOVER_SCHE
ENABLE ENABLE and PRO
opposite of NO_RA
GET
applications unless
ITERATE no specific feature:
PERMISSIONS DIRECT_PERMISS
SET_PASSWORD PASSWORD and P
UNLOCK UNLOCK and PRO
UPDATE PROVISIONING
Define Schemas
For each of the object types to be supported, the final step is to define the object
schemas and the datatypes of their attributes. The connector‘s schema can support
any of these data types:
Boolean
Date
Int
Long
Permission (SailPoint class with rights and targets)
Secret (an attribute that should not be logged or displayed to any end users)
String
Implementing the
openconnector
getSupportedFeatures() NOTE: This method is not currently used by IdentityIQ; instead, the
FeaturesString is used to determine the connector's supported fea
configure() * NOTE: The default behavior is helpful since it makes the connecto
other methods, so if this method is implemented in the custom con
its super method as well.
Should set the object type, which can influence the read, iterate, a
the connector when the methods supporting those functions conta
setObjectType() *
each object type; is called by the OpenConnectorAdapter to set the
before executing operations
close() Should perform any required steps to close the connection to the a
Should determine if the resource is accessible; e.g. connect to the
testConnection() *
credentials pulled from the connector configuration
discoverSchema() Should return the schema (attributes and data types) of the curren
Should connect to the application with the credentials provided in t
authenticate()
attempt to authenticate to the application with that user id and pass
Should refresh the account or group in IdentityIQ corresponding to
identity to match its current values in the application (i.e. targeted a
read()
This can also be used in preparation for an update operation to en
latest data from the application before performing any updates.
^ These methods each accept a hashmap of options which can influence the
operation. Any arguments passed in the request (within the provisioning plan) are
passed to the target method by the provision() method to be used as needed by the
connector.
The example ant build script below could manage that compilation and deployment.
(Replace directory names and project name with names appropriate to the specific
installation.)
The final step in the implementation process is integrating the connector class with
IdentityIQ. The class must be connected to an application type in IdentityIQ, and an
application must be defined with that application type so the class will be used for
interacting with the resource. This involves these steps:
<Application connector="sailpoint.connector.OpenConnectorAdapter"
featuresString="[LIST OF SUPPORTED FEATURES IN ALL CAPS IN A CSV
LIST]"
name="[CONNECTOR_NAME]" type="[CONNECTOR_TYPE_NAME]">
<Attributes>
<Map>
<entry key="connectorClass" value="[FULLY QUALIFIED CUSTOM
CONNECTOR NAME]"/>
...
</Map>
</Attributes>
<Schemas> (optional; one per object type, defining all the
attributes for each)
<Schema displayAttribute="UserID" groupAttribute="Groups"
identityAttribute="UserID" nativeObjectType="account"
objectType="account">
<AttributeDefinition name="UserID"
remediationModificationType="None" required="true" type="string"/>
...
</Schema>
...
</Schemas>
<ProvisioningForms> (optional; one form per provisioning
policy needed, naming all applicable fields)
<Form name="account" objectType="account" type="Create">
<Field displayName="User ID" name="UserID"
required="true" section="" type="string"/>
...
</Form>
</ProvisioningForms>
</Application>
<Templates>
<Template name="account" usage="Create">
<Field displayName="User Name" name="username" type="string">
<Script>
<Source>return identity.getName(); </Source>
</Script>
</Field>
<Field displayName="First Name" name="firstname" type="string">
<Script>
<Source>return identity.getFirstname(); </Source>
</Script>
</Field>
<Field displayName="Last Name" name="lastname" type="string">
<Script>
<Source>return identity.getLastname(); </Source>
</Script>
</Field>
<Field displayName="Email Address" name="email" type="string">
<Script>
<Source>return identity.getEmail(); </Source>
</Script>
</Field>
<Field name="disabled" type="boolean" value="false"/>
</Template>
<Template name="Group Creation" usage="CreateGroup">
<Field displayName="Group Name" name="name" type="string"/>
<Field displayName="Description" name="description"
type="string"/>
</Template>
</Templates>
The example below illustrates definition of two required fields: input1 and input2. The
CustomConnectorTest (described in Appendix A and attached to this document for
download) is a memory connector which actually requires no connection parameters,
so these two fields are defined just for illustration.
Alternatively, a copy of the same application definition XML that was added to the
connector registry could be independently imported as an application object with any
required connection parameters hard coded into its attributes map to avoid having to
define the .xhtml page at all. The name attribute specified in the application definition
is the name displayed in IdentityIQ to represent the specific application instance;
hence, unlike in the ConnectorRegistry, it value is often different from the type value
in the individual application definition.
Testing
The integration console (run iiq integration from the [IdentityIQ Install
Directory]/WEB-INF/bin directory) can be used to test the various features of your
connector including aggregation and provisioning. From within the console, use
the list command to view all configured integration connectors; the new application
should be listed. Type use <app name> to start testing the new adapter/connector.
Type ? at any point to list all available commands.
A couple of the IIQ console commands are also useful for testing connectors. Use
the connectorDebug command to test read operations; and use provision to test a
provisioning plan directly against your connector (NOTE: The provision command
fully executes provisioning of the provisioning plan - it is not a simulation).
Managing Third-Party
Libraries for Custom
Connectors
IdentityIQ version 7.3p3+ and 8.0+ includes a separate class loader for third party
libraries required by connectors. If your custom connector requires third-party
libraries, they should be included in the IdentityIQ deployment under a separate
folder: WEB-INF/lib-connector/[connectorName]. This prevents collisions with
IdentityIQ’s required versions of those libraries and with other custom connectors’
required versions as well.
Connector Instantiation
The proper way to instantiate a connector in your implementation-specific code is:
This is particularly important in 7.3p3 and later versions because of the separate
class loader support. ConnectorClassloader is plugged into the ConnectorFactory to
load the connector classes, and instantiation of a connector through some other
means will bypass this support.
Appendix A: Example
Memory Connector
To deploy the memory connector into one of these two training VMs, complete the
following steps:
To deploy the memory connector into an IdentityIQ instance unrelated to the training
instances, complete the following steps:
To use this example as a model for implementing other custom connectors, examine
the .java file for examples of how to implement each of the custom connector
methods. These, of course, will contain different logic in other custom connectors,
allowing them to work with the API for the target application or whatever other
infrastructure is available to connect to and communicate with the application.