CA IdentityMinder Learn by Example Code
DESCRIPTION
CA IdentityMinder Volume II: Learn by Example Code will guide you through advanced examples. You will learn provisioning and de-provisioning by API and advanced workflow generation.
Who this book is for: this book is intended for advanced developers who have some CA IdentityMinder programming experience and would like to learn how to implement complex requirements by API.
About this book: it contains example code for the Provisioning API, workflow and integration, the De-provisioning API, moving users and accounts, API and Policy Set, scheduling jobs and calling admin tasks, modifying account attributes directly, and advanced workflow and approval.
5/20/2018 CA IdentityMinder Learn by Example Code
Preface
CA IdentityMinder Volume II: Learn by Example Code will guide you through advanced
examples. You will learn provisioning and de-provisioning by API and advanced workflow generation.
My CA Identity Manager (formerly CA IdentityMinder) Programming series consists of three books:
CA Identity Manager Volume I: Java Developer's Guide, for the beginning level.
CA Identity Manager Volume II: Learn by Example Code, for the advanced level.
CA Identity Manager: Custom Connectors Guide, for custom connector developers.
Please visit the book's web site for more details.
About This Book
This book contains:
Example code: Provisioning API
Example code: Workflow and integration
Example code: De-provisioning API
Example code: Moving user and account
Example code: API and Policy Set
Example code: scheduling job and calling admin task
Example code: Modify account attributes directly
Example code: Advanced Workflow and Approval
Who this book is for
This book is intended for advanced developers who have some CA IdentityMinder programming
experience and would like to learn how to implement complex requirements by API.
Convention
The following text conventions are used in this document:
Convention Meaning
Boldface Boldface type indicates book titles
Italic Italic type indicates emphasis, or placeholder variables
monospace Monospace type indicates language and syntax elements
Customer Support
Feedback from our readers is always welcome. Let us know what you think about this book.
Please visit the web site for more details:
The web site for the books: http://www.caidentitymanagerbook.com
Blog and updated content: http://caidentitymanager.blogspot.com
To send us general feedback or any questions, simply send an e-mail. Please find my e-mail
address on the web site.
Download Source Code
Please visit our web site: http://www.caidentitymanagerbook.com
Trademarks
CA IdentityMinder, CA Identity Manager and CA SiteMinder are registered trademarks of CA
Technologies.
Please accept my apologies:
DELAY: I expected to release this book in September 2013, but I delayed it almost one year.
GRAMMAR: Please accept my apology for grammar mistakes. The reviewing process may require up
to 3 months. Hopefully, my next release will fix this issue.
NO POLICY XPRESS: Policy Xpress is easy to learn. We may not need a beginning level book.
EXAMPLES: I knew some examples could be implemented by Policy Xpress, but I implemented all examples
by programming because I want to show how to use the APIs.
NO BASIC LEVEL: I apologize that some readers may complain this book is not for beginners. I will
fix this by adding bonus chapters and video demos. Please visit my blog.
SUPPORT: I am a full time programmer. I may not respond to your e-mail immediately. Please allow
24 hours for a response. My time zone is New York EST.
Hopefully, my second edition will be better and fix all these issues.
Regards,
Kosakarika
About the Author
I am a Java developer and live in New York.
Experience:
Front End: ExtJS, jQuery, Content Management (WebSphere Portal), and Portlets
(WebSphere/WebLogic/SUN Portal)
SOA: Rules (JBoss Drools/Guvnor), ESB (ServiceMix/Camel) and BPEL (WebSphere Process Server)
IDM and SSO: CA IdentityMinder, CA SiteMinder, and SUN Access Manager.
Implemented multi-threaded, high-transaction real-time brokerage projects.
Certifications:
Sun Certified Java Programmer 1.2
Sun Certified Business Component Developer 1.3
IBM Certified Developer - IBM WebSphere Portal Developer V6.1
IBM Certified Developer - Web Services Development for WebSphere V6.1
IBM System Administrator - WebSphere Application Server V6.1
IBM Enterprise Developer - IBM WebSphere Studio V5.0
Copyright 2014 W. Kosakarika
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted
in any form or by any means, without the prior written permission of the author, except in the case of
brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information
presented. However, the information contained in this book is sold without warranty, either express or
implied. The author will not be held liable for any damages caused or alleged to be caused directly or
indirectly by this book.
The author has endeavored to provide trademark information about all of the companies and products
mentioned in this book by the appropriate use of capitals. However, the author cannot guarantee the
accuracy of this information.
First published: September 2014
Contents
Chapter 1: Introduction ................................................................................................................................ 1
1.1 Requirements Overview ..................................................................................................................... 1
1.1.1 Provisioning Process: New hire and re-hire ................................................................................ 4
1.1.2 De-provisioning Termination process ......................................................................................... 7
1.1.3 De-provisioning Pre-delete process ............................................................................................ 7
1.1.4 Lock AD account .......................................................................................................................... 8
1.1.5 Workflow ..................................................................................................................................... 9
1.2 Utility Components .......................................................................................................................... 10
1.2.1 DisplayUtils.java ........................................................................................................................ 10
1.2.2 WorkpointHelper.java ............................................................................................................... 11
1.2.3 TaskSessionUtils.java ................................................................................................................. 12
1.2.4 EmailUtils.java ........................................................................................................................... 12
1.3 Conclusion ........................................................................................................................................ 13
Chapter 2 Configuring Server and IDE ........................................................................................................ 14
2.1 Configuring Server Environment ...................................................................................................... 14
2.1.1 CA IdentityMinder User Store ................................................................................................... 14
2.1.2 Active Directory ......................................................................................................................... 15
2.1.3 IDM Configuration ..................................................................................................................... 15
2.1.4 Admin task and Listener ............................................................................................................ 19
2.1.5 Code and email template .......................................................................................................... 19
2.1.6 HR System and Ticket System ................................................................................................... 19
2.1.7 Email .......................................................................................................................................... 20
2.2 Configuring IDE ................................................................................................................................. 21
2.2.1 Eclipse ........................................................................................................................................ 21
2.2.2 Workpoint ................................................................................................................................. 23
2.3 Conclusions ...................................................................................................................................... 24
Chapter 3 Example: Provisioning new Hire process ................................................................................... 25
3.1 Requirement..................................................................................................................................... 25
3.2 Design ............................................................................................................................................... 26
3.3 Code and configuration .................................................................................................................... 27
3.3.1 Code .......................................................................................................................................... 28
3.3.2 Configuration: Admin Task ........................................................................................................ 28
3.3.3 Configuration: ProvUserListener ............................................................................................... 31
3.3.4 Configuration: EventErrorListener ............................................................................................ 32
3.4 How it works ..................................................................................................................................... 32
3.4.1 Step1: Put new employee information. ................................................................................... 34
3.4.2 Step2: Search employee number .............................................................................................. 35
3.4.3 Step 3: Start workflow and select routing path to new hire process ........................................ 37
3.4.4 Step 4: Create User .................................................................................................................... 40
3.4.5 Step 5: Send email to inform IDM admin .................................................................................. 44
3.4.6 Step 6: Add provisioning Role ................................................................................................... 44
3.4.7 Step 7: Create account .............................................................................................................. 45
3.4.8 Step 8: Call workflow for Ticket System and delay execution ................................................... 46
3.4.9 Exception handling .................................................................................................................... 47
3.5 Conclusions ...................................................................................................................................... 49
Chapter 4 Example: Workflow and integration .......................................................................................... 50
4.1 Requirement..................................................................................................................................... 50
4.2 Design ............................................................................................................................................... 50
4.3 Code and configuration .................................................................................................................... 51
4.3.1 Code .......................................................................................................................................... 51
4.3.2 Configuration ............................................................................................................................. 51
4.4 How it works ..................................................................................................................... 52
4.4.1 Step 1: call Ticket System .......................................................................................... 53
4.4.2 Step 2: Wait until hire date ....................................................................................... 57
4.4.3 Step 3: enable User and Account .............................................................................. 58
4.4.4 Step 4: email ticket id to IDM admin ......................................................................... 60
4.4.5 Step 5: Check location ............................................................................................... 61
4.5 Conclusions ...................................................................................................................... 63
Chapter 5 Example: De-provisioning Termination process ........................................................................ 64
5.1 Requirement..................................................................................................................................... 64
5.2 Design ............................................................................................................................................... 64
5.3 Code and configuration .................................................................................................................... 65
5.3.1 Code .......................................................................................................................................... 65
5.3.2 Configuration ............................................................................................................................. 65
5.4 How it works ..................................................................................................................................... 68
5.4.1 Step1: Entry employee number ................................................................................................ 68
5.4.2 Step2: Check users state. ......................................................................................................... 68
5.4.3 Step3: disable user. ................................................................................................................... 70
5.4.4 Step4: disable account. ............................................................................................................. 70
5.4.5 Step5: revoke provisioning user. ............................................................................................... 71
5.4.6 Exception handling .................................................................................................... 72
5.5 Conclusions ...................................................................................................................................... 72
Chapter 6 Example: De-provisioning Pre-delete process ........................................................................... 73
6.1 Requirement..................................................................................................................................... 73
6.2 Design ............................................................................................................................................... 73
6.3 Code and configuration .................................................................................................................... 74
6.3.1 Code .......................................................................................................................................... 74
6.3.2 Configuration: admin task ......................................................................................................... 74
6.3.3 Configuration: PreDeleteListener .............................................................................. 76
6.4 How it works ..................................................................................................................................... 76
6.4.1 Step1: Entry employee number ................................................................................................ 77
6.4.2 Step2: Check users state. ......................................................................................................... 77
6.4.3 Step3: move user ....................................................................................................................... 77
6.4.4 Step4: move account ................................................................................................................. 79
6.4.5 Exception handling .................................................................................................................... 82
6.5 Conclusion ........................................................................................................................................ 82
Chapter 7 Example: Provisioning Rehire process ....................................................................................... 83
7.1 Requirement..................................................................................................................................... 83
7.2 Design ............................................................................................................................................... 83
7.3 Code and configuration .................................................................................................................... 85
7.3.1 Code .......................................................................................................................................... 85
7.3.2 Configuration ............................................................................................................................. 85
7.3.3 Configuration: Identity Policy .................................................................................................... 85
7.4 How it works ..................................................................................................................................... 86
7.4.1 Step1: Put the rehire employee information. ........................................................................... 89
7.4.2 Step2: Search employee number .............................................................................................. 89
7.4.3 Step 3: Start workflow and set routing path to re-hire process. ............................................... 90
7.4.4 Step 4: Setup User ..................................................................................................................... 90
7.4.5 Step 5: Call Identity Policy to add provisioning role .................................................................. 91
7.4.6 Step 6: Send email to inform IDM admin .................................................................................. 91
7.4.7 Step 7: Update account attribute .............................................................................................. 92
7.4.8 Step 8: Call workflow for Ticket System and delay execution. .................................. 94
7.5 Conclusion ........................................................................................................................................ 95
Chapter 8 Example: scheduling job and calling task .................................................................................. 96
8.1 Requirement..................................................................................................................................... 96
8.2 Design ............................................................................................................................................... 96
8.3 Code and configuration .................................................................................................................... 97
8.3.1 Code .......................................................................................................................................... 97
8.3.2 Configuration admin task: WS Configuration ............................................................................ 98
8.3.3 Configuration admin task: WS Execution .................................................................................. 99
8.4 How it works ................................................................................................................................... 101
8.4.1 Step 1: configure web services properties for connecting HR web services. .......................... 103
8.4.2 Step 2: run schedule. ............................................................................................................... 104
8.4.3 Step 3: calling web services to get employees list. ................................................................ 104
8.4.4 Step 4: calling admin task: provisioning task ........................................................................... 106
8.5 Conclusion ...................................................................................................................................... 108
Chapter 9 Example: Modify account attributes ....................................................................................... 109
9.1 Requirement................................................................................................................................... 109
9.2 Design ............................................................................................................................................. 109
9.3 Code and configuration .................................................................................................................. 110
9.3.1 Code ........................................................................................................................................ 110
9.3.2 Configuration: admin task ........................................................................................ 110
9.4 How it works ................................................................................................................................... 111
9.4.1 Step 1: Entry employee number.............................................................................. 111
9.4.2 Step 2: Account in AD is locked. .............................................................................................. 111
9.5 Conclusion ...................................................................................................................................... 113
Chapter 10 Example: Workflow and Approval ......................................................................................... 114
10.1 Requirement................................................................................................................................. 114
10.2 Design ........................................................................................................................................... 115
10.3 Code and configuration ................................................................................................................ 118
10.3.1 Code ...................................................................................................................................... 118
10.3.2 Configuration: Admin Task Request Application ................................................................... 118
10.3.3 Configuration: Admin Task Approve Request Application .................................................... 120
10.3.4 Provisioning Role BookPrj.HR ................................................................................................ 121
10.3.5 Configuration: Approver........................................................................................................ 122
10.4 How it works ................................................................................................................................. 123
10.4.1 Entry employee number and check request ......................................................................... 126
10.4.2 Generate workflow: request CRM application ...................................................................... 127
10.4.3 Participant Resolver API ........................................................................................................ 130
10.4.4 Request CRM Application workflow ...................................................................................... 131
10.4.5 Generate workflow: request HR application ......................................................................... 133
10.4.6 Request HR Application workflow ......................................................................................... 137
10.4.7 Sending Email: Request waiting approval ............................................................................. 138
10.4.8 Sending Email: Request rejected ........................................................................................... 141
10.4.9 Sending Email: Notification after 5 minutes.......................................................................... 141
10.4.10 Time out .............................................................................................................................. 143
10.5 Conclusion .................................................................................................................................... 145
Chapter 1: Introduction
The goal of this book is to demonstrate how to solve complex requirements by programming. You
will learn advanced techniques from examples. We do not explain the basic concepts; we assume
you already have some experience with the CA IdentityMinder API and are able to customize
workflows.
If you are not familiar with the CA IdentityMinder API or workflow, I suggest getting Volume I.
Volume I, for beginners, explains the concepts and example code step by step.
This chapter covers 2 topics:
An overview of the requirements used throughout this book.
An explanation of the utility components used by the examples in this book.
Technical Terms
To avoid confusion, we define some terms:
User means user information maintained by the CA IdentityMinder Server. A User is stored in the CA
IdentityMinder User Store.
Global User means user information maintained by the Provisioning Server. It is stored in the
Provisioning Directory.
Account means user information in an Endpoint, for example an account in Active Directory.
Endpoint is the destination of user information after provisioning.
BLTH stands for Business Logic Task Handler.
Listener means the listener API.
1.1 Requirements Overview
Forward company wants to implement a new IDM system.
Existing systems
Forward company has an HR system that provides a web services interface.
The HR system feeds new employee information. We do not know exactly when new
employees arrive, so the IDM system needs to run a scheduled job to check for new data.
Forward company has a Ticket System. Some processes are required to call it by web services.
Forward company has one endpoint: Active Directory.
Figure 1-1 shows the existing systems.
Employee States
There are 3 states of employee:
o Regular: a full-time employee. The attribute employeeType is Fulltime.
o Terminated: an employee who has quit. The attribute employeeType is Terminated.
o Pre-delete: a terminated employee whom we want to keep in a special OU, predelete. For example,
90 days after termination we plan to delete the terminated user, so we move these users to OU predelete.
The status can change:
o From the regular state to the terminated state
o From the terminated state back to the regular state
o From the terminated state to the pre-delete state
Figure 1-2 shows the employee states.
The status cannot skip a state: a user cannot go directly from regular to pre-delete.
We do not convert the pre-delete state back to the terminated state.
Provisioning processes
There are 2 types of provisioning process:
o New Hire is the process for provisioning a brand new employee, one who has never been in our
system before.
o Re-Hire is the process that converts the terminated state back to regular.
De-provisioning processes
There are 2 types of de-provisioning process:
o Terminate is the process that converts the regular state to the terminated state.
o Pre-delete is the process that converts the terminated state to the pre-delete state.
Figure 1-3 shows the relationship between employee states and processes.
Additional requirements
The IDM system has to:
Require the employee number as the key for all screens.
Provide a screen to configure web services properties.
Provide a schedule for calling web services.
Provide a screen to lock an AD account.
Provide a dynamic workflow for requesting access to the CRM and HR applications.
1.1.1 Provisioning Process: New hire and re-hire
The provisioning process starts from a scheduled task that gets new employee information from the web
services of the HR system. When we get the data, we search for the user (excluding OU predelete):
If the user is not found, start the new hire process.
If the user is found and the status is terminated, start the re-hire process.
After the user/account has been created or set up, both processes go to the Ticket System and
enable-user process. We can write this as the flow chart below:
Figure 1-4 shows the high-level flow chart of the provisioning process.
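The employee state rules of section 1.1 and the search-and-dispatch rule just described, written together as an added example. This is not code from the book and uses no CA API: the employeeType values "Fulltime" and "Terminated" and the OU name "predelete" come from the requirements above, while the class, enum and method names, the sample OU "people" and the decision that a user who is found and already regular starts no process are assumptions of this example.

```java
import java.util.EnumMap;
import java.util.EnumSet;
import java.util.Map;
import java.util.Optional;

/**
 * Employee lifecycle rules of section 1.1 and the dispatch rule of section 1.1.1,
 * written without the CA API. The employeeType values "Fulltime" and "Terminated"
 * and the OU name "predelete" come from the requirements; the class, enum and
 * method names and the "found regular user starts nothing" rule are assumptions.
 */
public final class EmployeeLifecycle {

    /** The three employee states. PRE_DELETE has no employeeType of its own: it is a terminated user moved to OU predelete. */
    public enum State { REGULAR, TERMINATED, PRE_DELETE }

    /** The four processes of figure 1-3. */
    public enum Process { NEW_HIRE, RE_HIRE, TERMINATE, PRE_DELETE }

    /** Allowed transitions. Anything not listed (regular -> pre-delete, pre-delete -> anything) is rejected. */
    private static final Map<State, EnumSet<State>> ALLOWED = new EnumMap<>(State.class);
    static {
        ALLOWED.put(State.REGULAR, EnumSet.of(State.TERMINATED));
        ALLOWED.put(State.TERMINATED, EnumSet.of(State.REGULAR, State.PRE_DELETE));
        ALLOWED.put(State.PRE_DELETE, EnumSet.noneOf(State.class));
    }

    /** The process that performs a transition; throws on a forbidden one so a workflow cannot silently skip a state. */
    public static Process transition(State from, State to) {
        if (!ALLOWED.get(from).contains(to)) {
            throw new IllegalStateException("forbidden transition " + from + " -> " + to);
        }
        if (from == State.REGULAR) {
            return Process.TERMINATE;
        }
        return to == State.REGULAR ? Process.RE_HIRE : Process.PRE_DELETE;
    }

    /** Derive the state from what is stored: the OU decides first, then employeeType. */
    public static State stateOf(String ou, String employeeType) {
        if ("predelete".equalsIgnoreCase(ou)) {
            return State.PRE_DELETE;
        }
        if ("Terminated".equalsIgnoreCase(employeeType)) {
            return State.TERMINATED;
        }
        if ("Fulltime".equalsIgnoreCase(employeeType)) {
            return State.REGULAR;
        }
        throw new IllegalArgumentException("unknown employeeType: " + employeeType);
    }

    /**
     * Section 1.1.1: the HR feed arrives and the user store is searched by employee number
     * with OU predelete excluded. Not found -> new hire; found and terminated -> re-hire.
     * A found regular user is already provisioned, so (assumption) no process starts.
     */
    public static Optional<Process> dispatch(Optional<State> found) {
        if (!found.isPresent()) {
            return Optional.of(Process.NEW_HIRE);
        }
        switch (found.get()) {
            case TERMINATED:
                return Optional.of(Process.RE_HIRE);
            case REGULAR:
                return Optional.empty();
            default:
                // a pre-delete user must never reach here: the search excludes OU predelete
                throw new IllegalStateException("search must exclude OU predelete");
        }
    }

    public static void main(String[] args) {
        // constructed sample records: (ou, employeeType) as they would come back from the user store
        System.out.println(dispatch(Optional.empty()));
        System.out.println(dispatch(Optional.of(stateOf("people", "Terminated"))));
        System.out.println(dispatch(Optional.of(stateOf("people", "Fulltime"))));
        System.out.println(transition(State.TERMINATED, State.PRE_DELETE));
        try {
            transition(State.REGULAR, State.PRE_DELETE);
        } catch (IllegalStateException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The point of the explicit ALLOWED table is that the forbidden paths (regular straight to pre-delete, anything out of pre-delete) fail loudly; a workflow that computes the next state ad hoc tends to let such a jump through when an HR record arrives out of order.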
The requirement details of each process are shown in the steps below:
Scheduling task requirements
Step 1: Get the HR system endpoint from configuration.
Step 2: Call the web services.
Step 3: Call the provisioning process.
Figure 1-5 shows how to implement the scheduling task.
We implement the scheduling task in chapter 8, where you will learn how to:
Save admin task configuration.
Access another admin task's configuration.
Create a scheduled task.
Call another admin task by the internal API.
New hire process requirements
Step 1: Generate a unique NT login and user ID in the right format.
Step 2: Create the User in the right OU.
Step 3: Send email to the IDM admin: a new user has been created.
Step 4: Add the provisioning role.
Step 5: Create the account in AD.
Step 6: Go to the process: Ticket System.
We implement the new hire process in chapter 3, where you will learn how to:
Initialize, validate and capture input by BLTH.
Search for a user by API.
Share session attributes between BLTH, workflow and listener.
Create a routing path in workflow.
Create a user and add a provisioning role by API.
Develop a listener API that captures events.
Add an account by API.
Generate an event and an embedded workflow by API.
Handle exceptions.
Re-hire process requirements
Step 1: Update the user's attributes. We keep the old user id and password.
Step 2: Send email to the IDM Admin: a user has started the re-hire process.
Step 3: Add provisioning role.
Step 4: Update account attributes in AD.
Step 5: Go to process: Ticket System.
We implement the re-hire process in chapter 7, where you will learn how to:
Work with Identity Policy by API.
Update global user attributes by generating the event SynchronizeAttributesWithAccountsEvent.
Figure 1-6 shows the new hire and re-hire workflow.
Ticket System and enable user/account process requirements
Step 1: Call the Ticket System; if there is an error, send the web services request to the IDM admin by email.
Step 2: Wait until hire date
o Enable user and account
Step 3: Send email to the IDM Admin: user and account are enabled, with the ticket number.
Step 4: If office == US101, wait until 6 am on hire date
o Call the Ticket System again
We implement the ticket process in chapter 4, where you will learn how to:
Call web services (Ticket System).
Implement a delay for waiting until hire date.
Enable user and account.
Generate event by Advanced API (Task Session).
Share attribute (ticket ID) inside workflow.
Figure 1-7 shows the workflow for calling the ticket system and enabling user/account.
1.1.2 De-provisioning Termination process
The termination process is the process for an employee who has quit. We can describe it in the steps below:
Step 1: Enter employee number.
Step 2: Our system searches for the active user by employee number.
Step 3: Change status to terminated and disable the user.
Step 4: Disable account.
Step 5: Revoke provisioning role.
Figure 1-8 shows the overall de-provisioning Termination process.
All implementation is shown in chapter 5. You will learn how to:
Disable user and account by API.
Revoke provisioning role by API.
1.1.3 De-provisioning Pre-delete process
The pre-delete process is the process for moving a terminated user and account to the special OU
predelete. The pre-delete process can be described in the steps below:
Step 1: Enter the employee number that they want to terminate.
Step 2: Check the user's state. Only a terminated user can be moved.
Step 3: Move user to OU predelete.
Step 4: Move account to AD container PreDelete.
Figure 1-9 shows the final result of the pre-delete process.
We implement this in Chapter 6: De-provisioning process: Pre-Deleted, and you will learn:
Moving user and account by API.
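The decision logic of 1.1.1 and the state guards of 1.1.2 and 1.1.3 (search that excludes the pre-delete OU, new hire versus re-hire, terminate only an active user, pre-delete only a terminated one) as a constructed Python model. This is an added example, not CA IdentityMinder code or its API; the in-memory directory, the OU names and the role name are assumptions.

```python
"""Constructed model of the employee lifecycle in 1.1.1-1.1.3: an added example,
not CA IdentityMinder code. 'ou' and 'state' stand in for OU and user status."""
from dataclasses import dataclass, field

REGULAR, TERMINATED, PRE_DELETE = "regular", "terminated", "pre-delete"
OU_PREDELETE = "predelete"          # the special OU named in 1.1.3
PROV_ROLE = "provisioning-role"     # placeholder role name

@dataclass
class User:
    employee_number: str            # the key required for every screen
    state: str = REGULAR
    ou: str = "users"               # assumed name of the regular OU
    enabled: bool = True
    account_enabled: bool = True    # the AD account
    roles: set = field(default_factory=set)

def find_user(directory, employee_number):
    """Search by employee number, excluding the pre-delete OU (1.1.1)."""
    for user in directory:
        if user.employee_number == employee_number and user.ou != OU_PREDELETE:
            return user
    return None

def provision(directory, employee_number):
    """Route one HR feed record to the new hire or re-hire process."""
    user = find_user(directory, employee_number)
    if user is None:                     # new hire: fresh user, role, account
        directory.append(User(employee_number, roles={PROV_ROLE}))
        return "new-hire"
    if user.state == TERMINATED:         # re-hire: keep user id, re-enable
        user.state, user.enabled, user.account_enabled = REGULAR, True, True
        user.roles.add(PROV_ROLE)
        return "re-hire"
    return "no-op"                       # already active (assumed behaviour)

def terminate(directory, employee_number):
    """1.1.2: disable user and account, revoke the provisioning role."""
    user = find_user(directory, employee_number)
    if user is None or user.state != REGULAR:
        raise ValueError("no active user for " + employee_number)
    user.state, user.enabled, user.account_enabled = TERMINATED, False, False
    user.roles.discard(PROV_ROLE)

def pre_delete(directory, employee_number):
    """1.1.3: only a terminated user may be moved to OU predelete."""
    user = find_user(directory, employee_number)
    if user is None or user.state != TERMINATED:
        raise ValueError("only terminated users can be moved")
    user.state, user.ou = PRE_DELETE, OU_PREDELETE
```

Because a pre-deleted record is excluded from the search, a later HR feed for the same employee number creates a fresh user rather than reviving the old one.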
1.1.4 Lock AD account
This example demonstrates how to modify AD account attributes directly. The administrator enters an
employee number. The IDM system looks up the AD account to lock the account, hide the email from Exchange and
disable logging on to a remote terminal.
Figure 1-10 shows the screen and the locked AD account.
We implement this in Chapter 9. You will learn how to modify account attributes directly by API.
1.1.5 Workflow
IDM System provides a form for requesting the CRM and HR applications.
If requesting the CRM application:
o Requires approvers from web services (HR System).
o If the request has been approved, the IDM system will send a ticket.
If requesting the HR application:
o Requires the first approver from admin role.
o If the user's office is US101, requires a second approver from a properties file.
o If the request has been approved, the IDM system will add the provisioning role to the user.
Figure 1-11 shows the workflow.
Additional requirements:
Send email informing all approvers that the request is waiting.
Send an email alert if the request is still waiting. For testing, we set 5 minutes for the alert.
Send email informing that the request has timed out. For testing, we set 10 minutes for the timeout.
Send email to the requester when the request is rejected.
You will learn how to:
Generate workflow by API.
Set approver by API.
Use Velocity email template in workflow.
Implement time out in workflow.
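The approver routing and the alert/timeout timers of this workflow as a constructed Python model. This is an added example, not CA IdentityMinder's workflow engine or API: the HR web service lookup, the admin-role approver and the properties file are passed in as a callable, a string and a dict, and the property key name is an assumption.

```python
"""Constructed model of the CRM/HR approval workflow in 1.1.5: an added example,
not CA IdentityMinder's workflow engine. Approver sources are injected."""
from datetime import timedelta

ALERT_AFTER = timedelta(minutes=5)      # test values from the requirements
TIMEOUT_AFTER = timedelta(minutes=10)
SPECIAL_OFFICE = "US101"

def approvers_for(request, hr_lookup, admin_role_approver, properties):
    """Ordered approver chain: CRM uses the HR web service lookup; HR uses the
    admin-role approver plus a properties-file approver when the office is US101."""
    if request["application"] == "CRM":
        return list(hr_lookup(request["employee_number"]))
    if request["application"] == "HR":
        chain = [admin_role_approver]
        if request["office"] == SPECIAL_OFFICE:
            chain.append(properties["second.approver"])   # assumed property name
        return chain
    raise ValueError("unknown application: " + request["application"])

class ApprovalRequest:
    def __init__(self, request, approvers, submitted_at):
        self.request, self.approvers = request, approvers
        self.submitted_at, self.approved_by = submitted_at, []
        self.status = "waiting"          # all approvers get the "waiting" email here

    def decide(self, approver, approved):
        """Record one decision; approvers act in chain order, any reject ends it."""
        if self.status != "waiting":
            raise ValueError("request already " + self.status)
        if approver != self.approvers[len(self.approved_by)]:
            raise ValueError("not the current approver: " + approver)
        if not approved:
            self.status = "rejected"
            return "email-requester"
        self.approved_by.append(approver)
        if len(self.approved_by) < len(self.approvers):
            return "waiting"
        self.status = "approved"
        return "send-ticket" if self.request["application"] == "CRM" else "add-provisioning-role"

    def check_timers(self, now):
        """Email due while still waiting: alert after 5 min, timeout after 10."""
        if self.status != "waiting":
            return None
        waited = now - self.submitted_at
        if waited >= TIMEOUT_AFTER:
            self.status = "timed-out"
            return "timeout"
        return "alert" if waited >= ALERT_AFTER else None
```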