IBM Tivoli Identity Manager Salesforce.com Adapter 5.1.9 is available. Compatibility, installation, and other getting-started issues are addressed.
Welcome to the IBM Tivoli Identity Manager Salesforce.com Adapter.
These Release Notes contain information for the following products that was not available when the IBM Tivoli Identity Manager manuals were printed:
IBM Tivoli Identity Manager Salesforce.com Adapter Installation and Configuration Guide
The Salesforce.com Adapter is designed to create and manage User Accounts on the Salesforce.com platform. The adapter runs in "agentless" mode and communicates using HTTPS and LDAP protocol.
IBM recommends the installation of this Adapter (and the prerequisite Tivoli Directory Integrator) on each node of an Identity Manager WAS cluster. A single copy of the adapter can handle multiple Identity Manager Services. The optimum deployment configuration is based, in part, on the topology of your network domain, but the primary factor is the planned structure of your Identity Manager Provisioning Policies and Approval Workflow process. Please refer to the Identity Manager Information Center for a discussion of these topics.
The Identity Manager Adapters are powerful tools that require Administrator Level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from the Identity Manager server will fail if the Adapter is not given sufficient authority to perform the requested task. IBM recommends that this Adapter run with administrative (root) permissions.
Service Groups Management
The ability to manage service groups is a new feature introduced in Tivoli Identity Manager 5.1. By service groups, Identity Manager is referring to any logical entity that can group accounts together on the managed resource.
Managing service groups implies the following:
Create service groups on the managed resource.
Modify attribute of a service group.
Delete a service group.
Note that service group name change is not supported in Tivoli Identity Manager 5.1 release.
The Salesforce.com adapter does not support service groups management.
Adapter Version
|
Component |
Version |
|
Build Date |
2016 September 07 04.15.51 |
|
Adapter Version |
5.1.9 |
|
Component Versions |
Adapter build: 5.1.9.26 Profile: 5.1.9.26 Connector: 5.1.9.26 Dispatcher 5.722 or higher (packaged separately) |
|
Documentation |
Directory Integrator-Based Salesforce.com Adapter Installation and Configuration Guide (SC22-5422-00) |
New Features
|
Enhancement # (RFE) |
Description |
|
|
Items included in Current Release |
|
none |
|
|
Release v5.1.8 |
|
none |
|
|
Release v5.1.7 |
Internal |
All Salesforce user attributes are available on Design Form |
|
Release v5.1.6 |
|
RFE 54943 Internal |
Support for Permission Sets assignment |
|
Release v5.1.5 |
|
|
RFE 56668 |
Support for multivalue custom attribute |
|
Internal |
Optimized lookup and filtered recon capability |
| Release v5.1.4 |
|
|
RFE 34685 |
Option to restore deleted user, enhanced suspend and restore operation process. |
|
Internal |
Public Groups included as supporting data |
|
Internal |
Added support for logging into Salesforce.com without security token. |
|
|
Release v5.1.3 |
|
RFE14407 |
Support for Suspend and Restore operations. |
|
Internal |
New field in Service Form allows optimized reconciliation operation by specifying only the attributes required for reconciliation. |
|
Internal |
HTTP Compression is enabled to reduce bandwidth usage. |
|
Internal |
Auto-recovery of Session timeout error. |
|
Internal |
Account form user interface changes. |
|
|
Release v5.1.2 |
|
Internal |
Reconciliation operation dynamically retrieves user schema |
|
|
Release v5.1.1 |
|
|
Initial release for IBM Tivoli Identity Manager v5.1 |
Closed Issues
|
Internal# |
APAR/PMR |
Description |
|
|
|
Items included in Current Release |
|
|
IV86576/32145,122,000 |
Semicolon delimited string attribute value will be partially removed |
|
|
|
Release v5.1.8 |
|
141251 |
91706,003,756 |
Salesforce Adapter recon does not return all attributes |
|
N/A |
IV81916/ 45519,442,000 |
Removed Manager attribute value through ITIM does not remove the value from managed target |
|
|
|
Release v5.1.7 |
|
N/A |
80703,L6Q,000 |
Add all Salesforce user attributes to Objectclass and modify assembly lines to cope with them. |
|
N/A |
82729,L6Q,000 |
Add User group membership to the Account Form. |
|
|
|
Release v5.1.6 |
|
110377 |
N/A |
Upgrade SOAP WSDL to version v31.0 |
|
N/A |
77491,379,000 |
Modify operation handles both group and user attribute modification together. |
|
|
|
Release v5.1.5 |
|
112196 |
66876,379,000 |
Remove Default mapping on all assemblylines |
|
108366 |
IV60093 |
Salesforce adapter issue with "Salesforce API Security Token" value |
|
|
|
Release v5.1.4 |
|
76609 |
N/A |
AboutMe attribute increased to 1024 characters. |
|
87477 |
N/A |
HTTP Connection Manager waits for threads to free up. |
|
|
|
Release v5.1.3 |
|
N/A |
IV34810 |
Reconciliation of large data set caused an error in Connector. |
|
74003 |
N/A |
Slow connectivity to Salesforce.com server may cause a timeout error |
|
|
|
Release v5.1.2 |
|
50224 |
N/A |
Expired password for the API Account will not result in an error during reconciliation operation |
Known Issues
|
Internal# |
APAR# |
Description |
|
N/A |
N/A |
Maximum length of attributes specified on Salesforce.com may not correspond to the schema in Identity Manager which may cause those entries in violation of the schema to be skipped during reconciliation. |
Profile for Suspended Users
The Profile for Suspended Users setting on the service form for assigning a profile when suspending users is deprecated. This setting will be removed in a future version of Salesforce.com Adapter.
New Features
All Salesforce user attributes are added to the account Objectclass. They are available on the Salesforce account attribute list and customers can add them to the account form.
User Permission Set Assignment in Salesforce.com is now supported in the adapter. The permission set is included as supporting data.
Please change the Salesforce API Login URL from https://login.salesforce.com/services/Soap/u/23.0 to https://login.salesforce.com/services/Soap/u/31.0
See the IBM Tivoli Identity Manager Adapter Installation Guide for detailed instructions.
The Salesforce.com Adapter Installation and Configuration Guide can be obtained from IBM Knowledge Center at http://www-01.ibm.com/support/knowledgecenter/SSRMWJ/welcome
Corrections to Installation Guide
The following corrections to the Installation Guide apply to this release:
The Salesforce.com Adapter ships with a Salesforce.com connector. Install the connector as follows:
Update the enRole.properties file located under the server home data directory by appending attribute "erSFloginPassword" to the list of attributes of the "password.attribute" property. For example:
###########################################################
## Schema information
###########################################################
# specifies which attribute will be encrypted by the dataservices component.
password.attributes=ersynchpassword erServicePassword erServicePwd1 erServicePwd2 erServicePwd3 erServicePwd4 erADDomainPassword erPersonPassword erNotesPasswdAddCert eritamcred erep6umds erposixpassphrase erSFloginPassword
Configuration Notes
Salesforce no longer supports SSL or TLS 1.0 connections. Salesforce Adapter depends on JVM used by ITDI to handle the connection, and Java 1.6 SR10 is the minimum level that provides TLS 1.1/1.2 support. To configure the adapter to use the higher TLS versions, make sure ITDI is using Java 1.6 SR10 or later, and update the following entry in solution.properties:
com.ibm.di.SSLProtocols=TLSv1.1,TLSv1.2
The Salesforce adapter profile might takes some time to import. The complete import is indicated by Service Type Description displayed as "Salesforce Service Profile", on ISIM's Manage Service Types page. Creating service before complete import might cause problem.
By default the URL for logging in to Salesforce.com API Webservices is https://login.salesforce.com/services/Soap/u/[version_number]. For example, a valid Salesforce.com Login URL to specify when creating a Salesforce.com Service in Tivoli Identity Manager is https://login.salesforce.com/services/Soap/u/23.0 which uses the API v23.0. See the Salesforce.com API Developer's Guide under the topic Implementation Considerations for more details.
A unique security token can be generated for the Salesforce.com account configured in the adapter. To generate a new security token, see "Resetting Your Security Token" in the Salesforce online help.
To login without a security token in the adapter, specify NONE in the Security Token field on the service form.
If password generator is used when creating user or changing passwords, then Tivoli Identity Manager must generate a password with enough complexity to meet Salesforce.com requirements. A new password policy should be created for the random password generated by Tivoli Identity Manager to meet Salesforce.com requirements. For details on creating a new password policy in Tivoli Identity Manager, see the topic Password Administration under the Tivoli Identity Manager Administration Guide.
Additionally, the Salesforce.com minimum password complexity policy can be modified via the Salesforce.com Administration User Interface. For more details, see the topic Setting Password Policies in Salesforce.com Help.
Salesforce.com requires users to verify the email address change request at the new email's inbox. Thus when a Tivoli Identity Manager request to change an email address for a Salesforce.com account is submitted, the change is not immediately reflected in Salesforce.com. However, Tivoli Identity Manager will update the email address in its directory store as soon as the request is successfully sent to Salesforce.com. This will result in a period where Tivoli Identity Manager will contain the updated email address while Salesforce.com will still contain the old email address. During this time one of the following 3 outcomes are expected:
Email address is verified by the user. This results in the email address being in sync between Salesforce.com and Tivoli Identity Manager. No further action is necessary.
Email address is not verified by the user. In this case, the email address in Tivoli Identity Manager should reflect the old address. The email will revert to the old address upon the next reconciliation operation.
Reconciliation happens before the user has verified the email address. The old email address will be reconciled into the account in TIM. As such, the email address in Salesforce.com and Tivoli Identity Manager are now synchronized. There will be 2 outcomes from this state:
Email address is verified by the user. The email in Tivoli Identity Manager will be updated with the new address on the next reconciliation operation with Salesforce.com.
Email address is not verified by the user. The email address is already synchronized, so no further action is necessary.
As long as the reconciliation policy is setup with a determined frequency, then the email address for the Salesforce.com accounts in Tivoli Identity Manager will be eventually consistent.
Salesforce.com does not allow users to be deleted. Instead, a user should be marked as “Inactive� if access to the account is to be terminated. Therefore, the Salesforce.com Adapter marks a user account as “Inactive� when it receives a request to delete the account from Tivoli Identity Manager. If a Salesforce.com administrator reactivates a user from the Salesforce.com user interface, then the user will be returned as an orphan account on the next reconciliation.
Note that the option selected in Account Operations Settings will affect how inactive accounts behave in Tivoli Identity Manager.
The following 2 fields has been added to the Service Form:
User Fields for Reconciliation
Optional: Specify the fields that are reconciled for users on Salesforce.com. The fields in the list are separated by commas. You must specify Email, Username, LastName, Alias, TimeZoneSidKey, LocaleSidKey, EmailEncodingKey, ProfileId,LanguageLocaleKey, IsActive, Id. You can specify more fields, however, the reconciliation performance might be affected. It is also recommended to modify the Account Form and Assembly Lines to correspond with the fields specified here. See “Taking the first steps after installation� in the Adapter Installation and Configuration Guide for instructions. If you leave this field blank all fields are reconciled by default.
Account Operations Settings
Define the behavior of account deletion and enable or disable the Suspend Account and Restore Account operations:
Enable Suspend/Restore (Deleted accounts are reconciled as orphan accounts.) Select this option to enable the Suspend and Restore account operations. Suspended users are marked as “Inactive� on Salesforce. At account deletion, the user is marked “Inactive� on Salesforce; however, the adapter reconciles the user back as an Orphan Account.
Disable Suspend/Restore (Accounts can be reactivated) Select this option to disable Suspend and Restore account operations. An error is returned when an account under the Salesforce.com Service is submitted for restoration or suspension. Deleted accounts are not reconciled. If the account was deleted and is later re-created in IBM Tivoli Identity Manager, it is restored from Salesforce.com by marking it as “Active� again.
Disable Suspend/Restore (Accounts cannot be reactivated) This default option has behavior that is compatible with previous versions of the adapter. Accounts that are deleted cannot be restored. If the account is re-created later, it fails.
Salesforce.com custom user attributes, such as multi-select picklists, can be configured to store multiple values in a single field. The adapter supports multivalue custom attributes. To configure the adapter to support fields with multiple values, perform the following steps:
Add the custom attribute as per the Installation and Configuration Guide, First steps after installation -> Adapter configuration -> Customized attributes
When updating the schema.dsml file, ensure that attribute-type single-value="false"
In the service.def file, locate the section <operation cn="sfModify">. Add a child element to the operation with the following format <replaceMultiValue name="custom_mutlivalue_attribute_name" /> and replace the text custom_multivalue_attribute_name inside the quotes with the name of the custom attribute specified in schema.dsml.
To add the field into the Service's Account Form, edit the form in the Form Designer. Typically, the attribute type to handle a multi-select picklist in the Form Designer would be a ListBox. However, you may choose any controls that support multiple values. For more information about modifying the adapter form, see the IBM Security Identity Manager product documentation.
Note: It is recommended to populate the values of the control in the Form Designer to correspond to those specified in the custom field on Salesforce.com.
The IBM Tivoli Identity Manager adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter.
Getting Started
Customizing and extending adapters requires a number of additional skills. The developer must be familiar with the following concepts and skills prior to beginning the modifications:
IBM Tivoli Identity Manager administration
IBM Tivoli Directory Integrator management
IBM Tivoli Directory Integrator assemblyline development
LDAP schema management
Working knowledge of Java scripting language
Working knowledge of LDAP object classes and attributes
Working knowledge of XML document structure
Note: If the customization requires a new IBM Tivoli Directory Integrator connector, the developer must also be familiar with IBM Tivoli Directory Integrator connector development and working knowledge of Java programming language.
IBM Tivoli Identity Manager Resources:
Check the "Training" section of the IBM Tivoli Identity Manager Support web site for links to training, publications, and demos.
IBM Tivoli Directory Integrator Resources:
Check the "Training" section of the IBM Tivoli Directory Integrator Support web site for links to training, publications, and demos.
Support for Customized Adapters
The integration to the IBM Tivoli Identity Manager server "the adapter framework" is supported. However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a PMR is opened.
Installation Platform
The IBM Tivoli Identity Manager Adapter was built and tested on the following product versions.
Adapter Installation Platform:
IBM Tivoli Directory Integrator 7.1.1 + 7.1.1-TIV-TDI-FP0005 + 7.2.0-ISS-SDI-LA0008
Security Directory Integrator 7.2
Earlier versions of TDI that are still supported may function properly, however to resolve any communication errors, you must upgrade your TDI/SDI releases to the officially supported versions by the adapter.
Please refer to the adapters installation and configuration guides for the latest update on IBM Tivoli Directory Integrator versions and fix packs
Managed Resource:
Salesforce.com API v31.0
IBM Tivoli Identity Manager:
Tivoli Identity Manager v5.1
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106-0032, Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
Trademarks
IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.
IT Infrastructure Library is a registered trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.
Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Linux is a trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.
Cell Broadband Engine is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.
Linear Tape-Open, LTO, the LTO Logo, Ultrium, and the Ultrium logo are trademarks of HP, IBM Corp. and Quantum in the U.S. and other countries.
Other company, product, and service names may be trademarks or service marks of others.