CA IdentityMinder: Learn by Example Code

Upload: winnyko

Post on 10-Oct-2015


Category:

Documents



DESCRIPTION

CA IdentityMinder Volume II: Learn by Example Code guides you through advanced examples. You will learn provisioning and de-provisioning by API and advanced workflow generation.

Who this book is for: This book is intended for advanced developers who have some CA IdentityMinder programming experience and would like to learn how to implement complex requirements by API.

About this book: This book contains example code for the Provisioning API; Workflow and integration; the De-provisioning API; Moving user and account; API and Policy Set; Scheduling a job and calling an admin task; Modifying account attributes directly; Advanced Workflow and Approval.

TRANSCRIPT

  • 5/20/2018 CA IdentityMinder Learn by Example Code

    1/19

    i


    Preface

CA IdentityMinder Volume II: Learn by Example Code guides you through advanced examples. You will learn provisioning and de-provisioning by API and advanced workflow generation.

My CA Identity Manager (formerly CA IdentityMinder) programming series consists of three books:

CA Identity Manager Volume I: Java Developer's Guide, for the beginning level.

CA Identity Manager Volume II: Learn by Example Code, for the advanced level.

CA Identity Manager: Custom Connectors Guide, for the custom connector developer.

Please visit the book's web site for more details.

About This Book

This book contains:

Example code: Provisioning API

Example code: Workflow and integration

Example code: De-provisioning API

Example code: Moving user and account

Example code: API and Policy Set

Example code: Scheduling a job and calling an admin task

Example code: Modifying account attributes directly

Example code: Advanced Workflow and Approval

Who This Book Is For

This book is intended for advanced developers who have some CA IdentityMinder programming experience and would like to learn how to implement complex requirements by API.


Conventions

The following text conventions are used in this document:

Convention    Meaning
Boldface      Boldface type indicates book titles
Italic        Italic type indicates emphasis, or placeholder variables
monospace     Monospace type indicates language and syntax elements

Customer Support

Feedback from our readers is always welcome. Let us know what you think about this book.

Please visit the web site for more details:

The web site for the books: http://www.caidentitymanagerbook.com

Blog and updated contents: http://caidentitymanager.blogspot.com

To send us general feedback or any questions, simply send an e-mail. Please find my e-mail address on the web site.

Download Source Code

Please visit our web site: http://www.caidentitymanagerbook.com

Trademarks

CA IdentityMinder, CA Identity Manager and CA SiteMinder are registered trademarks of CA Technologies.


Please accept my apologies:

DELAY: I expected to release this book in September 2013, but I delayed it almost one year.

GRAMMAR: Please accept my apology for grammar mistakes. The reviewing process may require up to 3 months. Hopefully, my next release will fix this issue.

NO POLICY XPRESS: Policy Xpress is easy to learn. We may not need a beginning-level book.

EXAMPLES: I know some examples can be implemented by Policy Xpress, but I implement all examples by programming because I want to show how to use the APIs.

NO BASIC LEVEL: I apologize; some readers may complain that this book is not for beginners. I will fix this by adding bonus chapters and video demos. Please visit my blog.

SUPPORT: I am a full-time programmer. I may not respond to your e-mail immediately. Please allow 24 hours for a response. My time zone is New York EST.

Hopefully, my second edition will be better and fix all these issues.

Regards,

Kosakarika

About the Author

I am a Java developer and live in New York.

Experience:

Front End: ExtJS, jQuery, Content Management (WebSphere Portal), and Portlets (WebSphere/WebLogic/SUN Portal)

SOA: Rules with JBoss Drools/Guvnor, ESB (ServiceMix/Camel) and BPEL (WebSphere Process Server)

IDM and SSO: CA IdentityMinder, CA SiteMinder, and SUN Access Manager.

Implemented multi-threaded, high-transaction real-time brokerage projects.

Certifications:

Sun Certified Java Programmer 1.2

Sun Certified Business Component Developer 1.3

IBM Certified Developer - IBM WebSphere Portal Developer V6.1

IBM Certified Developer - Web Services Development for WebSphere V6.1

IBM System Administrator - WebSphere Application Server V6.1

IBM Enterprise Developer - IBM WebSphere Studio V5.0


Copyright 2014 W. Kosakarika

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the author, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. The author will not be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

The author has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, the author cannot guarantee the accuracy of this information.

First published: September 2014


Contents

Chapter 1: Introduction .... 1
1.1 Requirements Overview .... 1
1.1.1 Provisioning Process: New hire and re-hire .... 4
1.1.2 De-provisioning: Termination process .... 7
1.1.3 De-provisioning: Pre-delete process .... 7
1.1.4 Lock AD account .... 8
1.1.5 Workflow .... 9
1.2 Utility Components .... 10
1.2.1 DisplayUtils.java .... 10
1.2.2 WorkpointHelper.java .... 11
1.2.3 TaskSessionUtils.java .... 12
1.2.4 EmailUtils.java .... 12
1.3 Conclusion .... 13

Chapter 2: Configuring Server and IDE .... 14
2.1 Configuring Server Environment .... 14
2.1.1 CA IdentityMinder User Store .... 14
2.1.2 Active Directory .... 15
2.1.3 IDM Configuration .... 15
2.1.4 Admin task and Listener .... 19
2.1.5 Code and email template .... 19
2.1.6 HR System and Ticket System .... 19
2.1.7 Email .... 20
2.2 Configuring IDE .... 21
2.2.1 Eclipse .... 21
2.2.2 Workpoint .... 23
2.3 Conclusions .... 24

Chapter 3: Example: Provisioning new hire process .... 25
3.1 Requirement .... 25
3.2 Design .... 26
3.3 Code and configuration .... 27
3.3.1 Code .... 28
3.3.2 Configuration: Admin Task .... 28
3.3.3 Configuration: ProvUserListener .... 31
3.3.4 Configuration: EventErrorListener .... 32
3.4 How it works .... 32
3.4.1 Step 1: Put new employee information .... 34
3.4.2 Step 2: Search employee number .... 35
3.4.3 Step 3: Start workflow and select routing path to new hire process .... 37
3.4.4 Step 4: Create User .... 40
3.4.5 Step 5: Send email to inform IDM admin .... 44
3.4.6 Step 6: Add provisioning Role .... 44
3.4.7 Step 7: Create account .... 45
3.4.8 Step 8: Call workflow for Ticket System and delay execution .... 46
3.4.9 Exception handling .... 47
3.5 Conclusions .... 49

Chapter 4: Example: Workflow and integration .... 50
4.1 Requirement .... 50
4.2 Design .... 50
4.3 Code and configuration .... 51
4.3.1 Code .... 51
4.3.2 Configuration .... 51
4.4 How it works .... 52
4.4.1 Step 1: Call Ticket System .... 53
4.4.2 Step 2: Wait until hire date .... 57
4.4.3 Step 3: Enable User and Account .... 58
4.4.4 Step 4: Email ticket id to IDM admin .... 60
4.4.5 Step 5: Check location .... 61
4.5 Conclusions .... 63

Chapter 5: Example: De-provisioning Termination process .... 64
5.1 Requirement .... 64
5.2 Design .... 64
5.3 Code and configuration .... 65
5.3.1 Code .... 65
5.3.2 Configuration .... 65
5.4 How it works .... 68
5.4.1 Step 1: Enter employee number .... 68
5.4.2 Step 2: Check user's state .... 68
5.4.3 Step 3: Disable user .... 70
5.4.4 Step 4: Disable account .... 70
5.4.5 Step 5: Revoke provisioning user .... 71
5.4.6 Exception handling .... 72
5.5 Conclusions .... 72

Chapter 6: Example: De-provisioning Pre-delete process .... 73
6.1 Requirement .... 73
6.2 Design .... 73
6.3 Code and configuration .... 74
6.3.1 Code .... 74
6.3.2 Configuration: admin task .... 74
6.3.3 Configuration: PreDeleteListener .... 76
6.4 How it works .... 76
6.4.1 Step 1: Enter employee number .... 77
6.4.2 Step 2: Check user's state .... 77
6.4.3 Step 3: Move user .... 77
6.4.4 Step 4: Move account .... 79
6.4.5 Exception handling .... 82
6.5 Conclusion .... 82

Chapter 7: Example: Provisioning Rehire process .... 83
7.1 Requirement .... 83
7.2 Design .... 83
7.3 Code and configuration .... 85
7.3.1 Code .... 85
7.3.2 Configuration .... 85
7.3.3 Configuration: Identity Policy .... 85
7.4 How it works .... 86
7.4.1 Step 1: Put the rehire employee information .... 89
7.4.2 Step 2: Search employee number .... 89
7.4.3 Step 3: Start workflow and set routing path to re-hire process .... 90
7.4.4 Step 4: Set up User .... 90
7.4.5 Step 5: Call Identity Policy to add provisioning role .... 91
7.4.6 Step 6: Send email to inform IDM admin .... 91
7.4.7 Step 7: Update account attribute .... 92
7.4.8 Step 8: Call workflow for Ticket System and delay execution .... 94
7.5 Conclusion .... 95

Chapter 8: Example: Scheduling job and calling task .... 96
8.1 Requirement .... 96
8.2 Design .... 96
8.3 Code and configuration .... 97
8.3.1 Code .... 97
8.3.2 Configuration admin task: WS Configuration .... 98
8.3.3 Configuration admin task: WS Execution .... 99
8.4 How it works .... 101
8.4.1 Step 1: Configure web services properties for connecting to HR web services .... 103
8.4.2 Step 2: Run schedule .... 104
8.4.3 Step 3: Call web services to get employee list .... 104
8.4.4 Step 4: Call admin task: provisioning task .... 106
8.5 Conclusion .... 108

Chapter 9: Example: Modify account attributes .... 109
9.1 Requirement .... 109
9.2 Design .... 109
9.3 Code and configuration .... 110
9.3.1 Code .... 110
9.3.2 Configuration: admin task .... 110
9.4 How it works .... 111
9.4.1 Step 1: Enter employee number .... 111
9.4.2 Step 2: Account in AD is locked .... 111
9.5 Conclusion .... 113

Chapter 10: Example: Workflow and Approval .... 114
10.1 Requirement .... 114
10.2 Design .... 115
10.3 Code and configuration .... 118
10.3.1 Code .... 118
10.3.2 Configuration: Admin Task Request Application .... 118
10.3.3 Configuration: Admin Task Approve Request Application .... 120
10.3.4 Provisioning Role BookPrj.HR .... 121
10.3.5 Configuration: Approver .... 122
10.4 How it works .... 123
10.4.1 Enter employee number and check request .... 126
10.4.2 Generate workflow: request CRM application .... 127
10.4.3 Participant Resolver API .... 130
10.4.4 Request CRM Application workflow .... 131
10.4.5 Generate workflow: request HR application .... 133
10.4.6 Request HR Application workflow .... 137
10.4.7 Sending Email: Request waiting approval .... 138
10.4.8 Sending Email: Request rejected .... 141
10.4.9 Sending Email: Notification after 5 minutes .... 141
10.4.10 Time out .... 143
10.5 Conclusion .... 145


    Chapter 1: Introduction

The goal of this book is to demonstrate how to solve complex requirements by programming. You will learn advanced techniques from examples. We do not explain the basic concepts; we assume you already have some experience with the CA IdentityMinder API and are able to customize workflows.

If you are not familiar with the CA IdentityMinder API or workflow, I suggest getting Volume I. Volume I, for beginners, explains the concepts and example code step by step.

This chapter covers 2 topics:

An overview of the requirements used in this book.

An explanation of the utility components used in this book.

Technical Terms

To avoid confusion, we define some terms:

User means user information maintained by the CA IdentityMinder Server. A User is stored in the CA IdentityMinder User Store.

Global User means user information maintained by the Provisioning Server. It is stored in the Provisioning Directory.

Account means user information in an Endpoint, for example an account in Active Directory.

Endpoint is the destination of user information after provisioning.

BLTH stands for Business Logic Task Handler.

Listener means the listener API.

    1.1 Requirements Overview

Forward company wants to implement a new IDM system.

Existing System

Forward company has an HR system that provides a web services interface.

The HR system feeds new employee information. We do not know exactly when new employees arrive, so the IDM system needs to run a scheduled task to check for new data.

Forward company has a Ticket System. Some processes are required to call it by web services.

Forward company has one endpoint: Active Directory.


Figure 1-1 shows the existing system.

Employee States

There are 3 employee states:

o Regular: for a full-time employee. The attribute employeeType is Fulltime.

o Terminated: the status for an employee who has quit. The attribute employeeType is Terminated.

o Pre-delete: the status for a terminated employee whom we want to keep in a special OU, predelete. For example, 90 days after termination we plan to delete the terminated user, so we move these users to OU predelete first.

The status can convert:

o From regular state to terminated state

o From terminated state back to regular state

o From terminated state to pre-delete state

Figure 1-2 shows the employee states.

The status cannot jump across states from regular to pre-delete, and we do not convert pre-delete state back to terminated state.


Provisioning process

There are 2 types of provisioning process:

o New Hire is the process for provisioning a brand-new employee, one who has never been in our system before.

o Re-Hire is the process that converts terminated state back to regular.

De-provisioning process

There are 2 types of de-provisioning process:

o Terminate is the process that converts regular state to terminated state.

o Pre-delete is the process that converts terminated state to pre-delete state.

Figure 1-3 shows the relationship between employee states and processes.

Additional requirements

The IDM system has to:

Require the employee number as the key for all screens.

Provide a screen to configure web services properties.

Provide a schedule for calling web services.

Provide a screen for locking an AD account.

Provide a dynamic workflow for requesting access to the CRM and HR applications.


1.1.1 Provisioning Process: New hire and re-hire

The provisioning process starts from a scheduling task that gets new employee information through the web services of the HR System. When we get the data, we have to search for the user (excluding OU pre-delete):

o If the user is not found, start the new hire process.

o If the user is found and the status is terminated, start the re-hire process.

After creating or setting up the user/account is finished, both processes go to the Ticket System and enable user process. We can write this as the flow chart below:

Figure 1-4 shows the high level flow chart of the provisioning process.
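The state rules from the Employee States section and the new-hire / re-hire decision above, as an added example in Python (not code from the book, whose own implementation uses the CA IdentityMinder Java API). The in-memory directory dict, the PREDELETE_OU value and the function names are this example's assumptions.

```python
from enum import Enum


class EmployeeState(Enum):
    REGULAR = "regular"        # employeeType = Fulltime
    TERMINATED = "terminated"  # employeeType = Terminated
    PRE_DELETE = "pre-delete"  # user stored in the special OU predelete


# The only conversions the scenario permits. Regular -> pre-delete and
# pre-delete -> terminated are deliberately absent and therefore rejected.
ALLOWED_TRANSITIONS = {
    (EmployeeState.REGULAR, EmployeeState.TERMINATED),     # termination process
    (EmployeeState.TERMINATED, EmployeeState.REGULAR),     # re-hire process
    (EmployeeState.TERMINATED, EmployeeState.PRE_DELETE),  # pre-delete process
}

PREDELETE_OU = "ou=predelete"  # assumed name for the special OU


def is_allowed(current, target):
    """True when the scenario permits converting current -> target."""
    return (current, target) in ALLOWED_TRANSITIONS


def transition(current, target):
    """Return the new state, raising if the conversion jumps or reverses illegally."""
    if not is_allowed(current, target):
        raise ValueError(f"illegal conversion {current.name} -> {target.name}")
    return target


def classify_hr_record(employee_number, directory):
    """Decide which provisioning process an HR feed record starts.

    directory maps employee number -> {"ou": ..., "state": EmployeeState}.
    The search excludes OU pre-delete, so a user parked there counts as
    'not found' and a fresh new hire is started for that employee number.
    """
    user = directory.get(employee_number)
    if user is None or user["ou"] == PREDELETE_OU:
        return "new-hire"
    if user["state"] is EmployeeState.TERMINATED:
        return "re-hire"
    return "no-action"  # active regular employee: nothing to provision


# Constructed sample directory; employee number is the key, as required.
SAMPLE_DIRECTORY = {
    "E1001": {"ou": "ou=people", "state": EmployeeState.REGULAR},
    "E1002": {"ou": "ou=people", "state": EmployeeState.TERMINATED},
    "E1003": {"ou": PREDELETE_OU, "state": EmployeeState.PRE_DELETE},
}
```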

The requirement details of each process are shown in the steps below:

Scheduling task requirements

Step 1: Get the HR system endpoint from configuration.

Step 2: Call web services.

Step 3: Call the provisioning process.


Figure 1-5 shows how to implement the scheduling task.

We implement the scheduling task in chapter 8, where you will learn how to:

o Save admin task configuration.

o Access other admin tasks' configuration.

o Create a scheduled task.

o Call other admin tasks by internal API.

New hire process requirements

Step 1: Generate a unique NT Login and user id in the right format.

Step 2: Create the User in the right OU.

Step 3: Send email to IDM Admin: a new user has been created.

Step 4: Add provisioning role.

Step 5: Create account in AD.

Step 6: Go to process: Ticket System.

We implement the new hire process in chapter 3, where you will learn how to:

o Initialize, validate and capture input by BLTH

o Search user by API

o Share session attributes between BLTH, workflow and listener

o Create a routing path in workflow

o Create user and add provisioning role by API

o Develop a listener API to capture events

o Add account by API

o Generate event and embedded workflow by API

o Exception handling


Re-hire process requirements

Step 1: Update the user's attributes. We keep the old user id and password.

Step 2: Send email to IDM Admin: a user has started the re-hire process.

Step 3: Add provisioning role.

Step 4: Update account attributes in AD.

Step 5: Go to process: Ticket System.

We implement the re-hire process in chapter 7, where you will learn how to:

o Work with Identity Policy through the API.

o Update global user attributes by generating the event SynchronizeAttributesWithAccountsEvent.

Figure 1-6 shows the new hire and re-hire workflow.

Ticket System and enable user/account process requirements

Step 1: Call the Ticket System; if there is an error, send the web services request to the IDM admin by email.

Step 2: Wait until the hire date, then:

o Enable user and account

Step 3: Send email to IDM Admin: user and account are enabled, with the ticket number.

Step 4: If office == US101, wait until 6 am on the hire date, then:

o Call the Ticket System again

We implement the ticket process in chapter 4, where you will learn how to:

o Call web services (Ticket System)

o Implement a delay for waiting until the hire date.

o Enable user and account

o Generate events by the Advanced API (Task Session)

o Share an attribute (ticket ID) inside the workflow.


Figure 1-7 shows the workflow for calling the ticket system and enabling user/account.

1.1.2 De-provisioning Termination process

The terminated process is the process for an employee who has quit. We can describe it as the steps below:

Step 1: Enter the employee number.

Step 2: Our system searches for the active user by employee number.

Step 3: Change status to terminated and disable the user.

Step 4: Disable the account.

Step 5: Revoke the provisioning role.

Figure 1-8 shows the overall de-provisioning Termination process.

All implementation is shown in chapter 5. You will learn how to:

o Disable user and account by API

o Revoke provisioning role by API

1.1.3 De-provisioning Pre-delete process

The Pre-Deleted process is the process for moving a terminated user and account to the special OU predelete. The pre-delete process can be described as the steps below:

Step 1: Enter the employee number that they want to terminate.

Step 2: Check the user's state. Only a terminated user can be moved.


Step 3: Move the user to OU predelete.

Step 4: Move the account to AD container PreDelete.

Figure 1-9 shows the final result of the pre-delete process.

We implement this in Chapter 6: De-provisioning process: Pre-Deleted, where you will learn:

o Moving user and account by API.

1.1.4 Lock AD account

This example demonstrates how to modify an AD account's attributes directly. The administrator enters the employee number. The IDM system looks up the AD account to lock the account, hide the email from Exchange and disable log on to the remote terminal.

Figure 1-10 shows the screen and the locked AD account.

We implement this in Chapter 9. You will learn how to modify account attributes directly by API.


1.1.5 Workflow

IDM System provides a form for requesting the CRM and HR applications.

If requesting the CRM application:

o Requires approvers from web services (HR System).

o If the request has been approved, IDM system will send a ticket.

If requesting the HR application:

o Requires the first approver from the admin role.

o If the user's office is US101, requires a second approver from the properties file.

o If the request has been approved, IDM system will add the provisioning role to the user.

Figure 1-11 shows the workflow.

Additional requirements:

o Send email to inform all approvers that the request is waiting.

o Send email alert while the request is still waiting. For testing, we set 5 minutes for the alert.

o Send email to inform that the request has timed out. For testing, we set 10 minutes for the timeout.

o Send email to the requester when the request is rejected.
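The approval routing and notification rules of this section, as an added example in Python (not the book's code). The approver sources (the HR web service result, the admin role member and the properties-file approver) are passed in as plain values instead of being looked up, and the function names and email strings are this example's own.

```python
ALERT_AFTER_MINUTES = 5     # test values from the requirements above
TIMEOUT_AFTER_MINUTES = 10
SPECIAL_OFFICE = "US101"


def approver_chain(application, office, hr_service_approvers, admin_role_approver,
                   properties_approver):
    """Ordered approvers for a request, following the CRM / HR routing rules."""
    if application == "CRM":
        return list(hr_service_approvers)        # approvers come from the HR web service
    if application == "HR":
        chain = [admin_role_approver]            # first approver: member of the admin role
        if office == SPECIAL_OFFICE:
            chain.append(properties_approver)    # second approver only for office US101
        return chain
    raise ValueError(f"unknown application {application!r}")


def evaluate_request(application, approvers, decisions, elapsed_minutes):
    """Actions the workflow owes right now.

    decisions maps approver -> "approve" / "reject" for those who answered.
    A single rejection ends the request; all approvals trigger the completion
    action; otherwise the request waits and the timers decide which mail to send.
    """
    if any(decisions.get(a) == "reject" for a in approvers):
        return ["email requester: request rejected"]
    if all(decisions.get(a) == "approve" for a in approvers):
        return ["send ticket"] if application == "CRM" else ["add provisioning role"]
    if elapsed_minutes >= TIMEOUT_AFTER_MINUTES:
        return ["email: request timed out"]
    pending = [a for a in approvers if a not in decisions]
    actions = [f"email approver {a}: request is waiting" for a in pending]
    if elapsed_minutes >= ALERT_AFTER_MINUTES:
        actions.append("email: request still waiting (alert)")
    return actions


# Constructed example: HR application request from office US101; the first
# approver has approved, the second has not answered after 7 minutes.
SAMPLE_CHAIN = approver_chain("HR", "US101", [], "admin.role.member", "props.approver")
SAMPLE_ACTIONS = evaluate_request("HR", SAMPLE_CHAIN, {"admin.role.member": "approve"}, 7)
```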

You will learn how to:

o Generate workflow by API.

o Set approver by API.

o Use Velocity email templates in workflow.

o Implement time out in workflow.