Skip to main content
Skip table of contents

Application Connector

Definition

An Application Connector holds the technical configuration required to access a remote application, such as a LDAP directory. A CSV file also falls into the "remote application" category.

An Application Connector is composed of 4 parts:

  • the usual fields of a configuration aggregate: id, name, description

  • meta information, identifying the Connector type (CSV or LDAP), and the connector version. This must be (for now) considered as a fixed configuration value, that must be copies "as is" in each Connector Definition. See the XML representation below to obtain the fixed value of the connector Metadata configuration field for the CSV case.

  • a list of generic key-value pairs, named Connector Properties. The keys and values are specific to the connector type. For a CSV connector, a property will typically located the CSV file on disk

  • whether the Connector instance is local to Synchronization service or externalized to a dedicated remote Connector Server (the support of a remote Connector Server is not implemented yet)

  • Retry Policy pertaining to the outbound provisioning case only, configuring whether and when to retry provisioning attempts that failed because of a network error, i.e. the target remote application was not reachable

ConnectorSync.png

Application Connector Configuration

Configuration

You can access the Application Connector Definition configuration :

  • by clicking on "Synchronization" â†’ "Application Connector"

  • by clicking on "System" â†’ "Configurations"->”Synchronization Service” and perform an import/export.

Properties

The technical settings enabling to communicate with a remote Application are :

Property Name

Type

Mandatory

Description

id

String

YES

The Connector identifier.

name

String

YES

The Connector name.

description

String

NO

The Connector description.

connectorProperties

-

YES

The list of Connector Properties specific to the Connector type (see CSV Connector Properties for the CSV Connector case).

connectorMetadata

-

YES

The Connector type; to be considered for now as a constant value that must be copies "as is" from examples.

connectorSystemConfiguration

-

NO

Technical settings required for example to setup a connection pool (not used yet, can be left empty).

objectSchema

-

NO

A meta description of the connector capabilities (not used yet, can be left empty).

provisioningGroup

Integer

NO

Pertains to outbound provisioning only. The "group" reflects the responsiveness of a target application, and helps compartmentalize applications into groups, namely to ensure that "slow" applications won't hinder fast ones.
The group defaults to "3", there are 4 groups:

  • 0: reserved for the OpenAM LDAP provisioning, to guarantee fast authentication-related operations, such as an account creation or a password update

  • 1: fast responding applications

  • 2: slow responding applications

  • 3: newly deployed applications whose response time is still uncertain/unproven

capabilitiesDefinition

-

NO

Capabilities Definition is the parent configuration of the connector "capabilities".

provisioningRetryPolicy

-

NO

Pertains to outbound provisioning Connectors only (not to inbound synchronization Connectors).
Whether to retry or not provisioning attempts that failed because the target remote application is unreachable.
If not configured (or if the RetryPolicy is "disabled"), then network provisioning failures won't be retried.

See table listing the properties of a RetryPolicy  below, along with the XML example.

provisioningQuotaPolicy

-

NO

Pertains to outbound provisioning Connectors only (not to inbound synchronization Connectors).

A quota policy defines how to slow down provisioning operations initiated by this connector, in order to comply with quota restrictions imposed by third-party remote applications.

See table listing the properties of a QuotaPolicy  below, along with the XML examples.

CSV Connector Properties

Headers are optional in the CSV file to import. If the CSV file has no header, then the following conventions apply: col0col1, etc. Those names are not configurable.

This section lists the Connector Properties specific to a CSV Connector.

Property Name

Type

Mandatory

Description

Values (default value in bold)

filePath

String

NO

The relative path to the CSV file on disk, appended to the root directory under which all CSV files must be located. The root directory is defined by the configuration property: domino.sync.input-data-root-dir.

When running in multi-tenancy mode, the tenant name is always appended to the root directory, such as: /{root-directory}/{tenant}.

-

encoding

String

NO

The CSV file encoding.

utf-8

fieldDelimiter

Single char

NO

The separator between CSV fields.

;

recordSeparator

String

YES

The separator between CSV lines.

\r\n

headerExists

Boolean

NO

Whether headers are present or not in the CSV file. If headers are not present, then the col0, col1... conventions apply.

true,false

uniqueAttribute

String

NO

The name of the CSV field holding the entry's unique identifier (the equivalent of a SQL table's primary key).

-

nameAttribute

String

NO

The name of the CSV field holding the "displayable name" of an entry.

-

referencingAttribute

-

NO

Useful to sort data to import. The name of the CSV field holding a reference to another CSV entry, e.g. "manager". Managers will be imported first. The value of such an attribute is a "uniqueAttribute".

This property may be specified multiple times, since multiple CSV headers may constitute sort criteria, e.g. "manager" and "hr_supervisor".

-

multivalueDelimiter

Single char

NO

The separator between multiple values within a field. Beware, special separators such as the pipe "|" must be escaped with a backslash, which gives: "\|".

-

multiValueAttributes

-

YES

The name of the fields that contain multiple values (see multivalueDelimiter). Those names must be separated with the same char used by multivalueDelimiter, which would give for example: attr1|attr2 if the attribute value delimiter is the pipe char.

-

quote

Single char

NO

The quote character, useful when fields contain separator characters, such as fieldDelimiter or recordSeparator.

"

escape

Single char

NO

Escape character.

\

ignoreEmptyLines

Boolean

NO

Whether empty lines are ignored or not.

true,false

ignoreMissingUid

Boolean

NO

Whether faulty lines with an empty “uid” column are reported as individual faulty records or generate a global error that stops the whole import.

true,false

ignoreWrongColumnCount

Boolean

NO

Whether faulty lines with wrong column count are reported as individual faulty records or generate a global error that stops the whole import.

false,true

maxNumberOfFilesMatchingPattern

Integer

NO

The maximum allowed number of files matching a file name containing wildcards. If not defined no check is performed.

-

Reporting Provisioning Connector Properties

This section lists the Connector Properties specific to a Reporting Provisioning Connector.

Property Name

Type

Mandatory

Description

Values (default value in bold)

connectionUri

String

YES

The Connection URI, not including the username:password/authDB authentication settings, because the password is stored separately as a Secret Setting. Any other standard connection option is allowed, as documented in https://mongodb.github.io/mongo-java-driver/4.0/apidocs/mongodb-driver-core/com/mongodb/ConnectionString.html

-

database

String

YES

The database name

-

username

String

NO

Optional (but strongly recommended): the connection user.

-

password

String

NO

Optional (but strongly recommended): the connection password.

-

authenticationDatabase

Boolean

NO

The authentication database name containing the connection user. Meaningful only if username is set. If authenticationDatabase is not set although username is set, then it is assumed that the connection user is located into the database configured above.

-

multiValuedAttributes

List<String>

NO

The list of the reporting array fields, as a comma-separated list of field names, such as orgChain,roles. It must be coherent with Domino's configuration of AttributesMappingDefinition.

Empty list

Capabilities Definition

When an application supports the principles of disabled or locked, the Capabilities definition allows to specifythe attribute that carries the disabled or locked information.

For now, this part is not configurable in the UI but can only be configurated by XML.

Property Name

Type

Mandatory

Description

emulatedActivationDefinition

EmulatedActivationDefinition

NO

Emulated Activation Definition is the configuration of the "emulated" activation/deactivation of a remote Connector Account

emulatedLockoutDefinition

EmulatedLockoutDefinition

NO

Emulated Lockout Definition is the configuration of the "emulated" lockout of a remote Connector Account

Emulated Activation Definition

Property Name

Type

Mandatory

Description

Values (default value in bold)

attributeName

String

YES

Name of the attribute that contains a value stating whether the object is enabled or not.

-

enabledValues

List<String>

NO

List of attribute values that represent the "enabled" state. If any of those values is present in the attribute then the object is considered "enabled".

-

disabledValues

List<String>

YES

List of attribute values that represent the "disabled" state. If any of those values is present in the attribute then the object is considered "disabled".

-

includedInObjectAttributes

Boolean

NO

If set to false then the attribute which is used for emulated activation will not be included in Shadow attributes list.

false, true

Emulated Lockout Definition

Property Name

Type

Mandatory

Description

Values (default value in bold)

attributeName

String

YES

Name of the attribute that contains a value stating whether the account is locked or not.

-

unlockedValues

List<String>

NO

List of attribute values that represent the "unlocked" (normal) state. If any of those values is present in the attribute then the object is considered in a normal state (unlocked).

-

lockedValues

List<String>

YES

List of attribute values that represent the "locked" state. If any of those values is present in the attribute then the object is considered "locked".

-

includedInObjectAttributes

Boolean

NO

If set to false (the default) then the attribute which is used for emulated activation will not be included in Shadow attributes list.

false, true

Retry Policy

When a provisioning target is unavailable, we don't wan't to lose IDM events that occurred during the downtime. Events should be securely stored and retried later.

To meet this need, it is possible to configure a retry policy allowing the retry of provisioning errors that have been stored. Below are the properties available to configure a retry policy:

Property Name

Type

Mandatory

Description

Values (default value in bold)

enabled

Boolean

NO

Whether retry is enabled or not.

false, true

maxRetryNb

Integer

NO

The he maximum number of retries, must be greater than or equal to 1.

10

initialIntervalMs

Integer

NO

The initial sleep interval, must be greater than or equal to 1.

60 000

maxIntervalMs

Integer

NO

The maximum value of the retry interval in milliseconds, must be greater than or equal to 1.

1 800 000

intervalMultiplier

Float

NO

Multiplier to increment the interval for each retry attempt, must be greater than or equal to 1.

2

Quota Policy

A quota policy defines how to slow down provisioning operations initiated by this connector, in order to comply with quota restrictions imposed by third-party remote applications.

There are two quota strategies available, they are not mutually exclusive, one or both can be applied, but at least one must be configured:

  • strategy to limit the provisioning operation rate, e.g. do not attempt more than 10 provisioning operations per second

  • strategy to wait some delay when a "quota exceeded exception" is returned by the remote REST application. This strategy makes sense for a REST Connector only, where “quota exceeded” error handling can be performed in Groovy scripts sending HTTP requests to remote applications (more on that below)

Property Name

Type

Mandatory

Description

Values (default value in bold)

rateLimitingStrategy

RateLimitingStrategy (see table below)

NO

Strategy applied to limit the provisioning operation rate (see table below).

null (if null then quotaExceededStrategy must be configured)

quotaExceededStrategy

QuotaExceededStrategy (see table below)

NO

Strategy applied when a "quota exceeded exception" is returned by the remote application (see table below).

null (if null then rateLimitingStrategy must be configured)

Rate Limiting Strategy

A “rate limiting strategy” essentially defines how many provisioning operations targeting a remote application can be attempted during a fixed period of time.

Its configuration properties properties are listed below:

Property Name

Type

Mandatory

Description

Values (default value in bold)

maxRequests

Integer

YES

The maximum number of provisioning operations that can be attempted during duration (see below).

-

duration

Duration

NO

The period of time during which maxRequests can ben sent.

Usual duration format. Default: PT1S (1 second)

burst

Integer

NO

the burst size of provisioning attempts, less than or equal to maxRequests. Default value: maxRequests.

A value of “1” means that one provisioning operation will be performed at a time, at the rate defined by maxRequests / duration.

A value “N” greater than 1 means that at most N operations will be performed in parallel, but it is still guaranteed that no more than maxRequests will be performed during duration.

If defined, must be comprised between 1 and maxRequests

XML example for a provisioning Connector with a QuotaPolicy based on a RateLimitingStrategy, which limits to 100 requests per minute with an allowed burst of 50 requests:

Provisioning Connector with QuotaPolicy
XML 
    <dmn:ConnectorDefinition id="some-rest-app-connector">
        <connectorProperties>...</connectorProperties>
        <provisioningQuotaPolicy>
           <rateLimitingStrategy>
              <maxRequests>100</maxRequests>
              <duration>PT1M</duration>
              <burst>50</burst>
           </rateLimitingStrategy>
        </provisioningQuotaPolicy>
    </ConnectorDefinition>
Quota Exceeded Strategy

A “quota exceeded strategy” essentially defines how to react when a "quota exceeded exception" is returned by the remote REST application. This strategy makes sense for a REST Connector only, where “quota exceeded” error handling is performed in Groovy scripts sending HTTP requests to remote applications (seeApplication Connector | Handling-Quota-Exceeded-Exceptions).

Its configuration properties properties are listed below:

Property Name

Type

Mandatory

Description

Values (default value in bold)

waitFor

Duration

NO

Wait for this duration before attempting to perform another provisioning operation.

This property is mutually exclusive with waitUntil below.

Usual duration format. Default value: null. If null then waitUntil must be configured.

waitUntil

LocalTime

NO

A "hard" time limit until which no request can be sent.

This property is mutually exclusive with waitFor above.

Usual localTime format. Default value: null. If null then waitFor must be configured.

ex: 16:00

timeZone

String

NO

The time zone corresponding to waitUntil. This property can be defined only if waitUntil is defined.

Timezone abbreviation. Default: UTC

XML example for a provisioning Connector with a QuotaPolicy based on a QuotaExceededStrategy, which waits for one minute when an application signals that the permitted quota has been reached:

Provisioning Connector with QuotaPolicy
XML 
    <dmn:ConnectorDefinition id="some-rest-app-connector">
        <connectorProperties>...</connectorProperties>
        <provisioningQuotaPolicy>
           <quotaExceededStrategy>
              <waitFor>PT1M</waitFor>
           </quotaExceededStrategy>
        </provisioningQuotaPolicy>
    </ConnectorDefinition>

Warning display message in Shadow widget

Handling Quota Exceeded Exceptions

In order to signal that a remote REST application refused to process an HTTP request because its quota has been reached, a Groovy script, upon receiving such a refusal from the REST application, must throw a QuotaExceededException as follows:

GROOVY 
// The application sent a '429' response code, meaning 'Too many requests'
Response response = REST.get(OBJECT_ID) {
    onStatusCode 429, { throw new QuotaExceededException('Too many requests sent to application my-rest-app, pausing for a while') }
}

Example

Here is a simple XML representation of a CSV Connector Definition:

CSV ConnectorDefinition
XML 
    <dmn:ConnectorDefinition id="connector-test-csv">
        <name>Name of connector-test-csv</name>
        <description>Description of connector-test-csv</description>
        <connectorMetadata>
            <connectorRef>
                <connectorName>com.evolveum.polygon.csvfile.CSVFileConnector</connectorName>
            </connectorRef>
        </connectorMetadata>
        <connectorProperties>
            <connectorProperty>
                <name>filePath</name>
                <value>/csv/test.csv</value>
            </connectorProperty>
            <connectorProperty>
                <name>uniqueAttribute</name>
                <value>uid</value>
            </connectorProperty>
            <connectorProperty>
                <name>referencingAttribute</name>
                <value>manager</value>
            </connectorProperty>
        </connectorProperties>
    </ConnectorDefinition>

Here is another example for a provisioning Connector with a RetryPolicy :

Provisioning Connector with RetryPolicy
XML 
    <dmn:ConnectorDefinition id="openam-ldap-provisioning">
        <name>Name of connector-test-csv</name>
        <connectorMetadata>...</connectorMetadata>
        <connectorProperties>...</connectorProperties>
       <provisioningRetryPolicy>
          <enabled>true</enabled>
          <initialIntervalMs>60000</initialIntervalMs>
          <intervalMultiplier>3.0</intervalMultiplier>
          <maxIntervalMs>1800000</maxIntervalMs>
          <maxRetryNb>10</maxRetryNb>
       </provisioningRetryPolicy>
    </ConnectorDefinition>

Read Next

AM Connector — This page describes the usage and the configuration of the Synchronization AM Connector aimed at provisioning the AM user store.
Reporting Connector — This page describes the usage and the configuration of the Synchronization Reporting Connector aimed at provisioning the Reporting database

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close