1.3 Support for Standard Driver Features

1.3.1 Supported Operations

The REST driver performs the following operations on the Publisher and Subscriber channels:

  • Publisher Channel: Add, Modify, Delete, and Query operations on User and Group objects, and password synchronization.

  • Subscriber Channel: Add, Modify, Delete, Migrate, and Query operations on User and Group objects, and Password Set/Reset operations on User objects only.

1.3.2 Local Platforms

A local installation is an installation of the driver on the Identity Manager server. The REST driver can be installed on the operating systems supported for the Identity Manager server.

For information about the operating systems supported for the Identity Manager server, see the NetIQ Identity Manager Technical Information website.

1.3.3 Remote Platforms

The REST driver can use the Remote Loader service to run on a server other than the Identity Manager server. The REST driver can be installed on the operating systems supported for the Remote Loader.

For information about the supported operating systems, see the NetIQ Identity Manager Technical Information website.

1.3.4 Supporting Driver Authentication

The REST driver supports the following authentication methods. By default the driver uses Basic authentication; you can change the method in the driver configuration.

  • Anonymous: The driver sends no credentials when it connects to a RESTful service. On the Subscriber channel, this allows connectivity to any RESTful service that accepts anonymous requests. On the Publisher channel, it means the driver accepts unauthenticated requests to the Identity Vault from any caller that can reach its endpoints.

    IMPORTANT: NetIQ recommends that you do not use the anonymous authentication method on the Publisher channel.

  • Basic: The driver uses the ID and password that you specify during driver configuration to authenticate to the RESTful service with HTTP Basic authentication. Basic authentication only base64-encodes the credentials, it does not encrypt them, so use it only over HTTPS. On the Publisher channel, the Publisher user credentials configured in the driver are the Basic credentials that callers of the exposed endpoints must present.

  • OAuth 2.0: OAuth 2.0 is an open authorization framework (RFC 6749) that lets a third-party application obtain limited access to an HTTP service on behalf of a resource owner. The driver supports OAuth 2.0 only on the Subscriber channel.

    The resource owner grants authorization to the client application through the authorization server associated with the resource server. When it requests authorization, the client receives an authorization grant from the resource owner: a credential that represents the owner's authorization, which the client exchanges at the authorization server for an access token. The REST driver supports two grant types: resource owner password credentials and client credentials.

    • Client Credentials: The driver authenticates with the client ID and secret it received when it was registered with the identity provider. This grant is for a client acting on its own behalf rather than for a particular user.

    • Resource Owner Password: The resource owner's user name and password are given to the client application, which sends them as the authorization grant to obtain an access token; for example, using your Twitter user name and password to log in to a client application. Because this grant exposes the user's password to the client, the OAuth 2.0 Security Best Current Practice (RFC 9700) says it must not be used; prefer client credentials where the connected service supports them.

    NOTE: Ensure that you set the appropriate query options when you configure the authorization query in the driver parameters. For more information, see Subscriber Settings.
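The token exchange behind the two grant types above, as an added example that is not part of the driver guide or the driver's own code: it builds the client-credentials and password-grant requests per RFC 6749, authenticates the client to the token endpoint with HTTP Basic, refuses a non-HTTPS token endpoint, and validates the token response before deriving the Bearer header used on later Subscriber requests. The token endpoint URL, the client ID and secret, the user credentials and the sample token response are constructed placeholders.

```python
"""OAuth 2.0 token acquisition for the Subscriber channel.

Builds the two grants the driver supports (client credentials, RFC 6749 s4.4;
resource owner password credentials, RFC 6749 s4.3), authenticates the client
to the token endpoint with HTTP Basic (RFC 6749 s2.3.1), and turns the token
response into the Bearer Authorization header used on later requests.
The token endpoint URL, client id/secret, user credentials and the sample
token response are constructed placeholders, not values from the driver guide.
"""
import base64
import json
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Dict, Optional


def basic_auth_header(user_id: str, password: str) -> str:
    """RFC 7617: 'Basic' + base64(user-id ':' password). Encoding, not encryption."""
    token = base64.b64encode(f"{user_id}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


@dataclass
class TokenRequest:
    url: str
    headers: Dict[str, str]
    body: bytes

    def send(self, timeout: float = 10.0) -> str:
        """POST the request and return the raw response body (network call)."""
        req = urllib.request.Request(self.url, data=self.body, headers=self.headers, method="POST")
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8")


def _token_request(token_url: str, client_id: str, client_secret: str,
                   params: Dict[str, str]) -> TokenRequest:
    # RFC 6749 s3.2 requires TLS for the token endpoint: the client secret, and in the
    # password grant the user's password, travel in this request.
    if urllib.parse.urlsplit(token_url).scheme != "https":
        raise ValueError(f"token endpoint must use https: {token_url}")
    return TokenRequest(
        url=token_url,
        headers={"Authorization": basic_auth_header(client_id, client_secret),
                 "Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
        body=urllib.parse.urlencode(params).encode("ascii"),
    )


def client_credentials_request(token_url: str, client_id: str, client_secret: str,
                               scope: Optional[str] = None) -> TokenRequest:
    """Client credentials grant: the driver acts on its own behalf (RFC 6749 s4.4)."""
    params = {"grant_type": "client_credentials"}
    if scope:
        params["scope"] = scope
    return _token_request(token_url, client_id, client_secret, params)


def password_grant_request(token_url: str, client_id: str, client_secret: str,
                           username: str, password: str, scope: Optional[str] = None) -> TokenRequest:
    """Resource owner password credentials grant (RFC 6749 s4.3). RFC 9700 says this
    grant MUST NOT be used; it is here only because the driver still offers it."""
    params = {"grant_type": "password", "username": username, "password": password}
    if scope:
        params["scope"] = scope
    return _token_request(token_url, client_id, client_secret, params)


@dataclass
class AccessToken:
    value: str
    expires_at: float  # epoch seconds; 0 when the server sent no expires_in
    scope: Optional[str] = None

    def authorization_header(self) -> str:
        return f"Bearer {self.value}"

    def expired(self, now: Optional[float] = None, skew: float = 30.0) -> bool:
        """Treat the token as expired `skew` seconds early to absorb clock drift."""
        if not self.expires_at:
            return False
        now = time.time() if now is None else now
        return now + skew >= self.expires_at


def parse_token_response(body: str, now: Optional[float] = None) -> AccessToken:
    """Validate a token response (RFC 6749 s5.1/s5.2); accept only bearer tokens."""
    data = json.loads(body)
    if "error" in data:
        raise PermissionError(f"token endpoint error: {data['error']}: {data.get('error_description', '')}")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError(f"unsupported token_type: {data.get('token_type')!r}")
    now = time.time() if now is None else now
    expires_in = int(data.get("expires_in", 0))
    return AccessToken(value=data["access_token"],
                       expires_at=now + expires_in if expires_in else 0,
                       scope=data.get("scope"))


# Constructed sample in the shape of RFC 6749 s5.1; not a real server's reply.
SAMPLE_TOKEN_RESPONSE = ('{"access_token":"2YotnFZFEjr1zCsicMWpAA","token_type":"Bearer",'
                         '"expires_in":3600,"scope":"users.write"}')

if __name__ == "__main__":
    req = client_credentials_request("https://idp.example.test/oauth2/token",
                                     "rest-driver", "s3cret", scope="users.write")
    print(req.headers["Authorization"], req.body.decode())
    tok = parse_token_response(SAMPLE_TOKEN_RESPONSE, now=1_700_000_000)
    print(tok.authorization_header(), tok.expired(now=1_700_000_000))
```

The skew in `expired()` is what keeps a long-running driver from sending a token that expires in transit; refreshing when the window closes is the caller's job.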

1.3.5 Supporting Publish Mode

The REST driver supports the Publish option on the Publisher channel.

When Publish is selected, the driver exposes REST endpoints that receive events from the connected RESTful service and pushes those events to the Identity Vault.

1.3.6 Supporting Identity Manager Engine as a REST EndPoint

The REST driver exposes REST endpoints in front of the Identity Manager engine, so that external applications and services can communicate with eDirectory and the Identity Manager engine through a REST API.

NOTE: The Authorization and Content-Type headers are mandatory on every request. The examples below use http:// URIs for brevity; because Basic credentials are only base64-encoded, run the driver's listener over HTTPS (see Synchronizing Information) outside a lab.

Table 1-2 shows an example POST request to the driver's User endpoint:

Table 1-2 POST Method

  Method         POST
  User URI       http://ipaddress:port/User
  Payload        {"association":"User2","Postal Code":["324324324"],"Surname":["User2"],"CN":["User2"]}
  Authorization  Basic c3lzdGVtL3N5c3RlbQ==
  Content-Type   application/json
  Response       201 Created

Table 1-3 shows an example DELETE request:

Table 1-3 DELETE Method

  Method         DELETE
  User URI       http://ipaddress:port/User/User2
  Payload        Not required
  Authorization  Basic c3lzdGVtL3N5c3RlbQ==
  Content-Type   application/json
  Response       200 OK

Table 1-4 shows an example PUT request that adds a value to a user's Title attribute:

Table 1-4 PUT Method

  Method         PUT
  User URI       http://ipaddress:port/User/User2
  Payload        {"Title":[{"add":["Manager"]}]}
  Authorization  Basic c3lzdGVtL3N5c3RlbQ==
  Content-Type   application/json
  Response       204 No Content

Table 1-5 shows an example GET request that searches for users with a search-attr filter and reads back a single attribute with read-attr:

Table 1-5 GET Method

  Method         GET
  User URI       http://ipaddress:port/User?search-attr=given name eq 'test*user' and cn eq 'test*'&read-attr=title
  Payload        Not applicable
  Authorization  Basic c3lzdGVtL3N5c3RlbQ==
  Content-Type   application/json
  Response       { "totalResults": 1, "results": [ { "src-dn": "\\GEN-REST1\\system\\servers\\TestUser", "class-name": "User", "Title": [ "SE" ] } ]}
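The four requests in Tables 1-2 to 1-5 as a small client, added here as an example that is not part of the driver guide or the driver's own code. It builds each request as inspectable data (method, URI, mandatory headers, JSON payload), percent-encodes the search filter and the association in the path, refuses to send Basic credentials over plain http unless told otherwise, and parses a GET response of the shape shown in Table 1-5. The base URL, credentials and attribute values are constructed placeholders; the `search_filter` helper refuses values containing a single quote because the guide documents no escaping rule for the filter grammar.

```python
"""Client for the REST endpoints the driver exposes on the Publisher channel.

Builds the four requests shown in Tables 1-2 to 1-5 (POST /User, DELETE
/User/<id>, PUT /User/<id>, GET /User?search-attr=...&read-attr=...) as
inspectable data and parses the GET response. The base URL, credentials and
attribute values are constructed placeholders, not values from the driver guide.
"""
import base64
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class DriverRequest:
    method: str
    url: str
    headers: Dict[str, str]
    body: Optional[bytes]

    def send(self, timeout: float = 10.0) -> Tuple[int, str]:
        """Perform the call (network); returns (status, body)."""
        req = urllib.request.Request(self.url, data=self.body, headers=self.headers, method=self.method)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8")


class RestDriverClient:
    def __init__(self, base_url: str, user_id: str, password: str, allow_http: bool = False):
        if urllib.parse.urlsplit(base_url).scheme != "https" and not allow_http:
            # Basic credentials are only base64-encoded; the guide's http:// URIs are lab examples.
            raise ValueError("refusing to send Basic credentials over plain http")
        self.base_url = base_url.rstrip("/")
        creds = base64.b64encode(f"{user_id}:{password}".encode("utf-8")).decode("ascii")
        # Both headers are mandatory on every request to the driver.
        self._headers = {"Authorization": f"Basic {creds}", "Content-Type": "application/json"}

    def _build(self, method: str, path: str, payload=None,
               query: Optional[Dict[str, str]] = None) -> DriverRequest:
        url = f"{self.base_url}/{path}"
        if query:
            # quote (not quote_plus) so spaces in the filter become %20, never '+'
            url += "?" + urllib.parse.urlencode(query, quote_via=urllib.parse.quote)
        body = None if payload is None else json.dumps(payload, separators=(",", ":")).encode("utf-8")
        return DriverRequest(method, url, dict(self._headers), body)

    def add_user(self, association: str, attrs: Dict[str, List[str]]) -> DriverRequest:
        """Table 1-2: every attribute value is a list, even for single-valued attributes."""
        payload: Dict[str, object] = {"association": association}
        payload.update(attrs)
        return self._build("POST", "User", payload)

    def delete_user(self, association: str) -> DriverRequest:
        """Table 1-3: the association is a path segment, so percent-encode it."""
        return self._build("DELETE", "User/" + urllib.parse.quote(association, safe=""))

    def modify_user(self, association: str, changes: Dict[str, Dict[str, List[str]]]) -> DriverRequest:
        """Table 1-4: {"Title": {"add": ["Manager"]}} becomes {"Title":[{"add":["Manager"]}]}."""
        payload = {attr: [ops] for attr, ops in changes.items()}
        return self._build("PUT", "User/" + urllib.parse.quote(association, safe=""), payload)

    def search_users(self, filter_expr: str, read_attr: str) -> DriverRequest:
        """Table 1-5: search-attr carries the filter, read-attr names the attribute to return."""
        return self._build("GET", "User", query={"search-attr": filter_expr, "read-attr": read_attr})


def search_filter(conditions: List[Tuple[str, str]]) -> str:
    """Join attr eq 'value' terms with 'and', as in Table 1-5. Values containing a
    single quote are refused: the guide gives no escaping rule, and interpolating
    them would let caller-supplied data rewrite the filter."""
    for attr, value in conditions:
        if "'" in value:
            raise ValueError(f"unescapable quote in filter value for {attr!r}")
    return " and ".join(f"{attr} eq '{value}'" for attr, value in conditions)


def parse_search_response(body: str) -> List[Dict[str, object]]:
    """Return the result entries of a GET response, checking the keys Table 1-5 shows."""
    data = json.loads(body)
    results = data.get("results")
    if not isinstance(results, list) or not isinstance(data.get("totalResults"), int):
        raise ValueError("malformed search response")
    for entry in results:
        if "src-dn" not in entry or "class-name" not in entry:
            raise ValueError(f"result entry without src-dn/class-name: {entry}")
    return results


# Constructed copy of the Table 1-5 response body (src-dn uses eDirectory backslash notation).
SAMPLE_SEARCH_RESPONSE = (r'{"totalResults":1,"results":[{"src-dn":"\\GEN-REST1\\system\\servers\\TestUser",'
                          r'"class-name":"User","Title":["SE"]}]}')

if __name__ == "__main__":
    client = RestDriverClient("https://idm.example.test:8443", "system", "system")
    print(client.add_user("User2", {"Postal Code": ["324324324"], "Surname": ["User2"], "CN": ["User2"]}))
    print(client.search_users(search_filter([("given name", "test*user"), ("cn", "test*")]), "title").url)
    for entry in parse_search_response(SAMPLE_SEARCH_RESPONSE):
        print(entry["src-dn"], entry.get("Title"))
```

Call `.send()` on any `DriverRequest` to perform the HTTP exchange; keeping request construction separate from sending is what makes the encoding and header handling testable without a running driver.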

1.3.7 Synchronizing Information

Unlike most other drivers, which synchronize objects, the REST driver synchronizes protocols: it moves HTTP requests and responses between the Identity Vault and a web service. The driver includes the following features:

  • HTTP transport of data between the Identity Vault and a Web service

  • SSL/TLS connections using the HTTPS protocol

  • Support for HTTP and HTTPS proxy servers on the Subscriber channel

  • Ability to act as an HTTP or HTTPS listener for incoming connections on the Publisher channel

  • Extensibility through custom Java code

    For more information, see Section B.0, Using Java Extensions.

1.3.8 Supporting Entitlements and Permission Collection and Reconciliation Service

The driver supports custom entitlements. In the Role-Based Services, assignments are made based on attributes of a user object. Entitlements standardize a method of recording this information on objects in the Identity Vault.

The REST driver supports the Permission Collection and Reconciliation Service (PCRS) to map entitlements to resources and to assign those entitlements to users automatically when permissions change in the connected system. The driver updates the Resource Catalog so that it reflects the exact state of user permissions in the connected system.

PCRS also creates and automatically manages the relationship between identities and resource assignments. To map entitlements to resources, the REST driver either reads a CSV file or queries the connected system for entitlement values.

For a REST driver enabled with PCRS, if an administrator assigns a resource to a user in the User Application or in iManager, the change is reflected in the connected system; similarly, if a connected system administrator changes a user's permissions, that change is reflected in the Identity Vault and the corresponding resource is updated with the permission assignment.

The PCRS package contains the content necessary for the Permission Collection and Reconciliation Service. If you want the driver to support PCRS, ensure that these packages are installed on the driver. You can turn this functionality on or off using the set of GCVs included with the driver.

To support only entitlements, turn off PCRS, create the entitlement objects using Designer, and then redeploy the driver. If PCRS is turned on, the driver supports custom entitlements on both the Subscriber and Publisher channels. If PCRS is turned off, the driver supports custom entitlements only on the Subscriber channel. For more information, refer to Permission Collection and Reconciliation.

NOTE: Enable entitlements for the driver only if you plan to use the User Application or Role-Based Entitlements with it.

Prerequisites for Permission Collection and Reconciliation Service

To support PCRS, you must have the following:

  • Identity Manager 4.5.1 Engine Patch or later

  • Designer for Identity Manager 4.5.1.1 or later

  • Managed System Gateway driver version 4.0.0.6 and later

  • Driver Set Package:

    • Common Settings Advanced Edition Package (NOVLACOMSET 2.0.0 and later)

  • Driver Package:

    • Driver-specific entitlements packages for REST driver.

    • Permission Collection and Reconciliation Service package (NOVLCOMPCRS 2.0.0 and later)

      This is the common PCRS package for defining custom entitlements on drivers such as REST, SOAP, and JDBC.

  • Set up administrative user accounts and configure a password policy. For more information, see Setting Up Administrative User Accounts and Setting Up Administrative Passwords in the NetIQ Identity Manager Driver Administration Guide.