Set up data pool in Identity Manager
This article includes updates for Smart ID 23.04.
This article describes how to create or edit a data pool in Identity Manager Admin.
User data in Smart ID Identity Manager is obtained from data sources that are connected to Identity Manager through data pool objects. Data pools are used regardless of data source and storage technology, whether the data source is the internal Identity Manager database, an external SQL database or an LDAP directory.
Prerequisites:
- Installed Identity Manager
See more prerequisites for the specific data sources below.
Add or edit data pool
- Log in to Identity Manager Admin as an admin user.
- Go to Home > Data pool.
- To add a new data pool, click +New. Enter a Name, for example DatapoolEmployee, and a Description. Click Save+Edit.
- To edit an existing data pool, double-click the data pool name.
The data fields in the Field List tab represent the data in the internal or external data source. For data pools connected to an internal database or lookup table, the data fields are taken directly from the database.
Passwords vs. Encrypted fields
Passwords are hashed automatically before they are stored and can never be restored. It is only possible to check whether another provided input produces the same hash; if it does, that input is considered equal to the original password.
Encrypted fields are stored separately in encrypted form. It is guaranteed that they can only be restored (decrypted) by an authorized user.
For external data sources, follow the steps below to create fields:
- Go to the Field List tab.
- To add a new field, click +.
- To edit a field, select the field in the list.
- In Field Details, enter the Field Name, Data Type, Field Size, and optionally a Description.
- If Binary Data is selected as Data Type, select Binary Data Definition, either Photo or Signature.
- To delete a field, click Delete.
- Use the arrow keys to change the order of the fields. This has no effect on the data pool function, with the exception of .csv sources without a header row.
- Click Save to save your settings.
Connect data source
In the Data sources tab, select one of the data sources listed below, and follow the steps to connect it to the data pool:
Internal Table (DAO)
Prerequisites: None
To connect to an internal database table:
- In Type, select Internal Table (DAO).
- Optionally, edit the Name and enter a Description.
- In DAO Bean Name, select the database table, for example personDAO.
- Click Field Selection. Check the fields to be assigned to the data pool, and then click Save. The selected fields will show up in the Field List tab.
- Save your settings by clicking on Save.
CSV File
Prerequisites: An available CSV file, in a known location.
To connect to a CSV file:
- In Type, select CSV File.
- Optionally, edit the Name and enter a Description.
- In File Name, enter the absolute path and file name.
- If the .csv file contains a header row with the field names, tick the Contains Header Row checkbox. During data access, the values are then assigned automatically to the fields of the same name in the data object. Otherwise, the Field List must define the data fields in the same order as they appear in the .csv file.
Limited to read operations
Only read operations from CSV files are supported in the current product version. That means the imported CSV files cannot be edited.
- Save your settings by clicking on Save.
Lookup Table
Prerequisites: None
To connect to a lookup table:
- In Type, select Lookup Table.
- Optionally, edit the Name and enter a Description.
- In DAO Bean Name, select the database table, for example personDAO.
- Click Field Selection. Check the fields to be assigned to the data pool, and then click Save. The selected fields will show up in the Field List tab.
- Save your settings by clicking on Save.
LDAP
Prerequisites: A working LDAP service, with known connection information such as its URL, and the required permission to connect to the service and fetch data from it.
To connect to an LDAP directory service:
- In Type, select LDAP.
- Optionally, edit the Name and enter a Description.
- In Connection string, enter the URL of the LDAP server and the base address in the directory service.
Example: ldap://localhost:389/ou=NexusEmployees,dc=nexus,dc=local
where
ou = organizationalUnitName
dc = domainComponent
For more information on LDAP string attributes, see RFC 2253, LDAP (v3): UTF-8 String Representation of Distinguished Names.
- In Username and Password, enter the Active Directory domain user name and password.
- In Initial Search Filter, enter a filter.
The Initial Search Filter is used to locate the LDAP data objects (nodes) that carry the user data of the data pool by searching the directory. The scope of the search (base, one-level or subtree), the object class sought and other search parameters can be specified.
Example: (objectclass=person)
Dates/datetimes need to be stored in the GeneralizedTime format. Read more here: https://ldapwiki.com/wiki/GeneralizedTime.
For more information on search filters, see RFC 2254, The String Representation of LDAP Search Filters.
- Click Test Connection to test the connection and entry address. If a schema description is stored in the directory, the available LDAP attributes are shown in the list underneath. Drag-and-drop the selected LDAP attributes that are to be assigned to the data pool fields.
- Save your settings by clicking on Save.
Limited to read operations
Only read operations from LDAP directories are supported in the current product version. That means the imported LDAP entries cannot be edited.
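As an added example (not part of the Nexus documentation or product), the following Python checks an LDAP connection string of the form used above before it is pasted into the Connection string field, and converts a GeneralizedTime attribute value into a Python datetime. It assumes the base DN uses only the attribute type keywords listed in RFC 2253 and that GeneralizedTime values are written in the full YYYYMMDDHHMMSS form.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote, urlsplit

# Attribute type keywords from RFC 2253 section 2.3 (the page's example uses ou and dc).
RFC2253_TYPES = {"cn", "l", "st", "o", "ou", "c", "street", "dc", "uid"}
# Full form of GeneralizedTime (RFC 4517): YYYYMMDDHHMMSS[.fff](Z|+hhmm|-hhmm).
GENERALIZED_TIME = re.compile(
    r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(?:[.,](\d{1,6}))?(Z|[+-]\d{4})$")


def parse_connection_string(conn):
    """Split an LDAP connection string of the form ldap://host:port/base-dn into its parts.

    Every RDN of the base DN must be type=value with an RFC 2253 keyword type, so a
    missing '=' or a stray suffix is caught before Test Connection is even clicked.
    Escaped commas inside values (RFC 2253 section 2.4) are not handled here.
    """
    parts = urlsplit(conn)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname or parts.port is None:  # urlsplit rejects non-numeric ports
        raise ValueError("host and port are both required")
    base_dn = unquote(parts.path.lstrip("/"))
    if not base_dn:
        raise ValueError("missing base DN")
    rdns = []
    for rdn in base_dn.split(","):
        attr, sep, value = rdn.partition("=")
        attr, value = attr.strip().lower(), value.strip()
        if not sep or attr not in RFC2253_TYPES or not value:
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append((attr, value))
    return {"scheme": parts.scheme, "host": parts.hostname, "port": parts.port,
            "base_dn": base_dn, "rdns": rdns}


def parse_generalized_time(value):
    """Convert an LDAP GeneralizedTime attribute value into a timezone-aware datetime."""
    m = GENERALIZED_TIME.match(value)
    if not m:
        raise ValueError(f"not a full-form GeneralizedTime: {value!r}")
    y, mo, d, h, mi, s = (int(x) for x in m.groups()[:6])
    frac, tz = m.group(7), m.group(8)
    micro = int(frac.ljust(6, "0")) if frac else 0  # fraction of a second
    if tz == "Z":
        tzinfo = timezone.utc
    else:
        sign = 1 if tz[0] == "+" else -1
        tzinfo = timezone(sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5])))
    return datetime(y, mo, d, h, mi, s, micro, tzinfo=tzinfo)
```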
JDBC
Prerequisites: An active, already running database, with known connection information such as its URL, and the required permission to connect to the service and fetch data from it.
To connect to a JDBC database:
- In Type, select JDBC.
- Optionally, edit the Name and enter a Description.
- In Database, either select the database type to automatically fill in JDBC Driver Class Name and Connection String, or select Configure manually to type in the information yourself.
- In JDBC Driver Class Name, insert your driver class name including its package name prefix. The driver class must be available on the classpath.
- In Connection String, insert the URL that should be used to establish a JDBC connection to the remote database. The URL may contain a postfixed port number, for example ':1433', and driver-specific attributes, for example ';AUTO_SERVER=TRUE'.
- Enter a valid Username and Password to establish a connection to the remote database.
- In Table Name, insert the name of the table in the remote database. The specified user must have insert and update rights on that table.
- In Unique Key, insert a comma-separated list of column names that belong to the primary key or to a unique index of the remote table.
This field decides whether an exported row is inserted or updated: if a unique key is specified and the target table contains a row with equal values for all unique key fields, the row is updated; otherwise it is inserted. All column names must have a mapping in the Mappings tab.
- Click Test Configuration to test whether a connection can be established to the remote database, using the properties JDBC Driver Class Name, Connection String, Username and Password. If a connection can be established, it is also tested whether the table specified in Table Name exists. If all tests succeed, a green icon is displayed on the right-hand side. Otherwise a red icon shows up.
- Save your settings by clicking on Save.
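The insert-or-update rule for the Unique Key field, shown as an added example that is not the product's own export code. It uses an in-memory SQLite table as a stand-in for the remote JDBC database; the table, the mappings and the records are constructed for the example. Column names come only from the configured mappings and are quoted as identifiers, while record values are always bound as parameters, which is the property a practitioner should expect from any exporter that builds statements from a user-configurable Unique Key.

```python
import sqlite3

# Stand-in for the remote JDBC database (hypothetical table; the page names none).
TARGET_DDL = "CREATE TABLE employees (employee_id TEXT UNIQUE, full_name TEXT, email TEXT)"
# Datapool field -> target column, as configured in the Mappings tab (constructed).
MAPPINGS = {"EmployeeId": "employee_id", "Name": "full_name", "Mail": "email"}
UNIQUE_KEY = ["employee_id"]   # the Unique Key property; an empty list means always insert


def quote_ident(name):
    """Double-quote an SQL identifier so a configured column name cannot alter the statement."""
    return '"' + name.replace('"', '""') + '"'


def export_row(conn, table, mappings, unique_key, record):
    """Insert or update one record; returns 'inserted' or 'updated'.

    Identifiers come only from configuration; values are always bound as parameters.
    """
    missing = [col for col in unique_key if col not in mappings.values()]
    if missing:  # the page requires every unique key column to have a mapping
        raise ValueError(f"unique key columns without a mapping: {missing}")
    by_column = {col: record[field] for field, col in mappings.items() if field in record}
    if any(col not in by_column for col in unique_key):
        raise ValueError("record lacks a value for a unique key column")
    where = " AND ".join(f"{quote_ident(c)} = ?" for c in unique_key)
    key_values = [by_column[c] for c in unique_key]
    if unique_key and conn.execute(
            f"SELECT 1 FROM {quote_ident(table)} WHERE {where}", key_values).fetchone():
        assignments = ", ".join(f"{quote_ident(c)} = ?" for c in by_column)
        conn.execute(f"UPDATE {quote_ident(table)} SET {assignments} WHERE {where}",
                     list(by_column.values()) + key_values)
        return "updated"
    cols = ", ".join(quote_ident(c) for c in by_column)
    marks = ", ".join("?" for _ in by_column)
    conn.execute(f"INSERT INTO {quote_ident(table)} ({cols}) VALUES ({marks})",
                 list(by_column.values()))
    return "inserted"


def demo():
    """Export the same employee twice: the second export matches on the unique key."""
    conn = sqlite3.connect(":memory:")
    conn.execute(TARGET_DDL)
    first = export_row(conn, "employees", MAPPINGS, UNIQUE_KEY,
                       {"EmployeeId": "1001", "Name": "Ada Lovelace", "Mail": "ada@example.com"})
    second = export_row(conn, "employees", MAPPINGS, UNIQUE_KEY,
                        {"EmployeeId": "1001", "Name": "Ada King", "Mail": "ada@example.com"})
    rows = conn.execute("SELECT employee_id, full_name FROM employees").fetchall()
    return first, second, rows
```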
SCIM
The SCIM data source enables using data provided by a SCIM service.
Prerequisites: An available SCIM service, with known connection information such as its URL, and the required permission to connect to the service and fetch data from it.
To connect to a SCIM service:
- In Type, select SCIM.
- Optionally, edit the Name and enter a Description.
- In Connection string, enter the URL of the SCIM server, in the following format: <protocol>://<host>:<port>/context. There is no default port.
- To enable transport layer security, if https is selected as protocol, upload a Server certificate (X.509). This is mandatory to be able to test the connection or save the data source. Using an encrypted protocol encrypts not only the content of the HTTP requests but also the URL, which typically already carries information that may be private and confidential.
When the server certificate is uploaded, its identifier is displayed.
- If the service requires client authentication, upload a Client Certificate (a PKCS#12 software token) and enter the Client Certificate Password.
The encrypted password is stored in the SecretFieldStore within Identity Manager. However, if a data pool configuration with such a password is exported, the exported configuration file contains the password unencrypted. It is encrypted again when imported into another Identity Manager instance.
- Click Test Configuration. Identity Manager Admin then tries to reach the SCIM server and retrieves information about the available resources. If the SCIM server can be reached, a green icon signals a working connection and the available resources are listed in the combo box. If the SCIM server cannot be reached, a red icon signals a connection problem. This might be due to an incorrect connection string, or the SCIM server might be down temporarily.
- In Resource, either select a resource from the combo box or enter the resource name, with or without a leading slash '/'.
- For each Datapool Field, define the External Field (source field) of the specified resource. Single components of fields can be accessed using brackets, for example name[givenName].
- Save your settings by clicking on Save.
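The bracket notation for External Fields, worked through as an added example (not the product's own resolver). It goes one step beyond the single-level name[givenName] form on the page by also accepting nested brackets and numeric list indices such as emails[0][value], and it returns None for a component that the resource does not carry, so one sparse record does not abort the whole export. The SCIM User resource and the field mappings are constructed for the example.

```python
import json
import re

# Constructed sample SCIM User resource (RFC 7643 core schema shape); not a real account.
SAMPLE_USER = json.loads("""{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "id": "user-0001",
  "userName": "alovelace",
  "name": {"givenName": "Ada", "familyName": "Lovelace"},
  "emails": [{"value": "ada@example.com", "type": "work", "primary": true}]
}""")

# Constructed Datapool Field -> External Field mapping as entered in the Data sources tab.
FIELD_MAPPINGS = {
    "FirstName": "name[givenName]",
    "LastName": "name[familyName]",
    "Login": "userName",
    "Mail": "emails[0][value]",          # list index, beyond the page's single-level example
    "Phone": "phoneNumbers[0][value]",   # absent in the sample: must not abort the export
}

EXTERNAL_FIELD = re.compile(r"([^\[\]]+)((?:\[[^\[\]]+\])*)")


def split_external_field(path):
    """'name[givenName]' -> ['name', 'givenName']; numeric components become list indices."""
    m = EXTERNAL_FIELD.fullmatch(path.strip())
    if not m:
        raise ValueError(f"malformed external field: {path!r}")
    parts = [m.group(1)] + re.findall(r"\[([^\[\]]+)\]", m.group(2))
    return [int(p) if p.isdigit() else p for p in parts]


def resolve_external_field(resource, path):
    """Walk the SCIM resource along the bracket path; None if any component is missing."""
    value = resource
    for part in split_external_field(path):
        if isinstance(value, list) and isinstance(part, int) and 0 <= part < len(value):
            value = value[part]
        elif isinstance(value, dict) and str(part) in value:
            value = value[str(part)]
        else:
            return None
    return value


def map_resource(resource, field_mappings):
    """Build the data pool record: {datapool_field: value} for every configured mapping."""
    return {field: resolve_external_field(resource, ext) for field, ext in field_mappings.items()}
```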
Map fields
For external data sources, a field mapping must be defined in the Data Sources tab:
- For each Datapool field, drag-and-drop the corresponding field from the External Fields list.
Set up search configuration
In the Search Configuration tab, you can configure one or more search masks and hit lists adapted to the intended purpose or role. These then appear in the Search tab in Identity Manager Operator. Search dialogs can also be integrated into processes.
- Go to the Search Configuration tab.
- Enter a Name.
- Add search criteria to the search mask and search results. For more information, see Set up search configuration in Identity Manager.
- To add another search mask, click +. Configure the new search mask, according to step 3.
- To delete a search mask, select it in the drop-down list and click Delete.
- Click Save to save the data pool.
- Go to Home > Search Configurations. Double-click the search configuration that was just created, to edit it. Go to the Permissions tab and add permissions for the intended roles and users.