Set up data export to external data source from Identity Manager
This article describes how to set up data export in Identity Manager Admin. Identity Manager data can be exported during process execution from the process data map to a .csv file, JDBC database, LDAP directory, or SCIM server.
For example, data export is used when activating or deactivating cards to update the access rights in the physical access control system (PACS).
Before setting up a connection to the external JDBC database, LDAP directory, or SCIM server, make sure that the following things apply:
- Connection information to the external JDBC database, LDAP directory, or SCIM server must be known.
- To test the connection or use it during process execution, the JDBC database, LDAP directory, or SCIM server must be available and you must have the rights to access the service and make updates in it.
For SCIM server export:
- Identity Manager provides implementations for the standardized SCIM resources User and Group. To export to another resource, it must be implemented on the client side as a new class implementing ISCIMResource.
- Log in to Identity Manager Admin as an admin user.
Set up export definition and fields
To create a new export configuration (for example, a JDBC export) in Identity Manager Admin:
- Go to Home > Export Definitions and then click +New.
- Insert a Name and a Description (optional) for your configuration.
- In Type, select the data source to export to and click Save + Edit.
An export inserts or updates one entry of the external database, directory, or SCIM server. For each attribute or table column, you can define a value that should be inserted or updated:
- In the Mappings tab, click + to add a new mapping.
- In Internal Field, enter the value to be inserted or updated, using either of these options:
- Constant value, for example TENANT = Identity Manager or TENANT_ID = 4711.
- Variable, expressed in Java Unified Expression Language (JUEL). You can also drag and drop from the data pools listed on the left. Variables are resolved using the process data map. Example: LAST_CHANGE = ${now}.
- In External Field, enter the table column or attribute name in the external data source.
Example mapping:
Internal Field | External Field |
${Person_PersonnelNumber} | ID |
${Person_FirstName} | GIVEN_NAME |
${Person_LastName} | NAME |
Identity Manager | TENANT |
4711 | TENANT_ID |
- For each column to be updated, repeat steps 2-3.
No need to configure datatype
There is no need to configure a datatype for each mapping, since the datatype of the external table column depends on the database type.
Examples for character-based data:
- Oracle uses datatypes CHAR, VARCHAR, VARCHAR2, NCHAR, or NVARCHAR2.
- MS SQL uses datatypes char, varchar, text, nchar, nvarchar, or ntext.
The mapping of a Java object to the individual column type is handled by the database driver. Current drivers support the usual Java types and know how to map a Java object to the column. All fields from data pools can be handled this way.
Each value to be inserted for a table column can be:
- a java.lang.Object, if taken from the process data map
- a java.lang.String, otherwise
Troubleshooting: Problems concerning datatypes
- Try another driver class. See the next section, Set up export properties.
- Convert the problematic Java object to another Java type in your process and add it to the process data map before the export. Use the converted object in the mapping instead.
- In the Spring configuration, you may replace the JuelExpressionResolver used by the JdbcExportHandler. By writing your own resolver, you can convert Java objects to a Java type that the driver knows.
Set up export properties
In the Properties tab, follow the steps for the data source type selected for the export definition:
CSV file
In the Properties tab, configure the path and .csv file name that define the target of the export. The CSV export only creates new output; existing data cannot be updated.
- Go to Properties.
- In External Path, specify where to store the file. Enter a File Name, with the extension .csv.
- Check or uncheck the boxes Extend file if existing and Write header row to CSV.
- Select a File Encoding.
- Select Value Separator and formats for Date and Time.
LDAP directory
In the Properties tab, configure the directory server and base directory that define the target of the export. All properties may use JUEL expressions, which are resolved using the process data map in the same way as the mapping values. The LDAP export only updates existing directory objects; new objects cannot be created.
- Go to Properties.
- In Connection String, insert the URL used to establish an LDAP connection to the LDAP directory server. The URL must contain a post-fixed port number, for example ':389', and may be followed by the path of the base directory, for example 'ou=DEV,dc=NexusMSCA2008,dc=NexusTestDomain'.
- Enter the Username (as a distinguished name) and Password used to connect to the LDAP directory server.
- In Unique Attributes, insert a comma-separated list of attribute names that uniquely identify the object to be updated, or that are declared unmodifiable by the directory schema. All mapped attributes not listed in this field are updated: their value is set to the Internal Field value specified in the Mappings tab, and attributes that do not yet exist are created. The LDAP export cannot delete existing attributes or insert new objects. If a single attribute identifies the object uniquely, a comma-separated list is not needed.
All attribute names must have a mapping in the Mappings tab.
- Click Test Configuration to test whether a connection can be established to the LDAP directory using the properties Connection String, Username and Password. If the test succeeds, a green icon is displayed at the right-hand side.
Troubleshooting: Username and password
If a red icon appears, try testing the connection with an empty Username and Password. If the LDAP directory server supports anonymous logins and can be reached, a green icon is displayed; in that case the red icon was caused by incorrect credentials (username or password).
JDBC database
In the Properties tab, configure the external database and table name that define the target of the export. All properties may use JUEL expressions, which are resolved using the process data map in the same way as the mapping values. The JDBC database export can both insert new and update existing database entries.
- Go to Properties.
- In Database, either select the database type, to automatically fill in JDBC Driver Class Name and Connection String, or select Configure manually to type in the information yourself.
- In JDBC Driver Class Name, insert your driver class name including its package name prefix. The driver class must be available on the classpath.
- In Connection String, insert the URL used to establish a JDBC connection to the external database. The URL may contain a post-fixed port number, for example ':1433', and driver-specific attributes, for example ';AUTO_SERVER=TRUE'.
- Enter a valid Username and Password used to connect to the external database.
- In Table Name, insert the table name in the external database. The specified user must have insert and update rights on that table.
- In Unique Key, insert a comma-separated list of column names that belong to the primary key or to a unique index of the external table. This field decides whether an exported row is inserted or updated: if a unique key is specified and the target table contains a row with equal values for all unique key columns, that row is updated; otherwise a new row is inserted. All column names must have a mapping in the Mappings tab.
- Click Test Configuration to test whether a connection can be established to the external database using the properties JDBC Driver Class Name, Connection String, Username and Password. If a connection can be established, it is also checked whether the table specified in Table Name exists. If all tests succeed, a green icon is displayed at the right-hand side; otherwise a red icon is shown.
Example properties for a JDBC export definition:
Property | Value |
Database | H2 |
JDBC Driver Class Name | org.h2.Driver |
Connection String | jdbc:h2:c:/dev/act3/distribution/jdbc_demo/db/demo;AUTO_SERVER=TRUE |
Username | sa |
Password | (empty) |
Table Name | DEMO_DATA |
Unique Key | PERSONNEL_NUMBER |
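Worked example of the Mappings tab and the JDBC Unique Key rule described above (added here; not Identity Manager's own code). Mappings are resolved against a constructed process data map and written to an in-memory SQLite table standing in for the external JDBC database; the simplified ${name} resolver, the sample data and the DEMO_DATA columns are assumptions.

```python
import re
import sqlite3

# Constructed sample process data map (values are made up); ${...} expressions
# in the mappings are resolved against it during process execution.
PROCESS_DATA = {"Person_PersonnelNumber": "100042",
                "Person_FirstName": "Ada", "Person_LastName": "Lovelace"}
# (Internal Field, External Field) pairs, as entered in the Mappings tab.
MAPPINGS = [("${Person_PersonnelNumber}", "ID"),
            ("${Person_FirstName}", "GIVEN_NAME"),
            ("${Person_LastName}", "NAME"),
            ("Identity Manager", "TENANT"),
            ("4711", "TENANT_ID")]
JUEL_VAR = re.compile(r"^\$\{(\w+)\}$")

def resolve(internal, data):
    """Constants stay strings; ${name} is read from the process data map.
    Simplified stand-in for JUEL that supports one bare variable only."""
    m = JUEL_VAR.match(internal)
    return data[m.group(1)] if m else internal  # KeyError = unresolved variable

def export_row(conn, table, mappings, unique_key, data):
    """Unique Key rule: if a row matches on every unique-key column it is
    updated, otherwise a new row is inserted. Table and column names come from
    the admin configuration; exported values are always bound as parameters."""
    row = {ext: resolve(internal, data) for internal, ext in mappings}
    key_cols = [c.strip() for c in unique_key.split(",") if c.strip()]
    where = " AND ".join(f"{c} = ?" for c in key_cols)
    key_vals = [row[c] for c in key_cols]
    if key_cols and conn.execute(f"SELECT 1 FROM {table} WHERE {where}", key_vals).fetchone():
        set_cols = [c for c in row if c not in key_cols]
        assignments = ", ".join(f"{c} = ?" for c in set_cols)
        conn.execute(f"UPDATE {table} SET {assignments} WHERE {where}",
                     [row[c] for c in set_cols] + key_vals)
        return "update"
    conn.execute(f"INSERT INTO {table} ({', '.join(row)}) VALUES ({', '.join('?' * len(row))})",
                 list(row.values()))
    return "insert"

def demo():
    """Export the same person twice with Unique Key 'ID', then once with no key."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE DEMO_DATA (ID, GIVEN_NAME, NAME, TENANT, TENANT_ID)")
    first = export_row(conn, "DEMO_DATA", MAPPINGS, "ID", PROCESS_DATA)
    renamed = dict(PROCESS_DATA, Person_LastName="King")  # same ID, new name
    second = export_row(conn, "DEMO_DATA", MAPPINGS, "ID", renamed)
    third = export_row(conn, "DEMO_DATA", MAPPINGS, "", PROCESS_DATA)  # no key: insert
    names = [r[0] for r in conn.execute("SELECT NAME FROM DEMO_DATA ORDER BY rowid")]
    return [first, second, third], names
```

With an empty Unique Key every export inserts a new row, so a missing or wrong key silently duplicates identities in the target table.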
SCIM server
In the Properties tab, configure the connection to the SCIM server that defines the target of the export. All properties may use JUEL expressions, which are resolved using the process data map in the same way as the mapping values. The SCIM server export can both insert new and update existing resources.
- Go to Properties.
- In Connection String, insert the URL used to establish a SCIM connection to the SCIM server. The URL must contain a port number, for example '18444'.
- In Resource, insert the endpoint of the resource type you want to export, or choose one from the drop-down list.
- To enable transport layer security (when https is selected as the protocol), upload a Server Certificate (X.509). This is mandatory to be able to test the connection or save the data source. Using an encrypted protocol is useful not only to encrypt the content of HTTP requests, but also the URL, which typically already holds information that may be private and confidential.
When the server certificate is uploaded, its identifier is displayed.
- If the service requires client authentication, upload a Client Certificate (a PKCS#12 software token) and enter the Client Certificate Password.
The encrypted password is stored in the SecretFieldStore within Identity Manager. However, if a data pool configuration with such a password is exported, the exported configuration file contains the password unencrypted. It is encrypted again when imported into another Identity Manager instance.
- Click Test Configuration to test whether a connection can be established to the SCIM server using the property Connection String. If the test succeeds, a green icon is displayed at the right-hand side and the Resource drop-down list is filled with the supported resource types. Otherwise, a red icon appears.