IBM Support

How to configure the Office 365 Adapter with additional guide

Product Documentation


Abstract

Some users have questions regarding the Microsoft Office 365 Adapter configuration.

Here is the recommendation prior to the Office 365 Adapter installation and configuration.

You are expected to already have:
1. An understanding of how the IBM Identity Adapters operate in general
2. Some experience with the RMI adapters, including installing the IBM Security Identity Integrator
3. Experience with the adapter dispatcher
4. An understanding of the administration tasks in the Azure Office 365 management console, and of the membership and permissions related to the Office 365 APIs
5. Experience with API development
6. Familiarity with trial-and-error troubleshooting techniques for certain areas, and the ability to look up error codes in the IBM Knowledge Center
7. An understanding of general errors

Content

Summary of the prerequisites for adapter setup
You can expect:
  • That some areas of the Microsoft Azure Office 365 Admin console vary between versions.
  • That the Office 365 APIs most likely work the same way but have been extended in some areas. The permissions for IBM registrations -> Azure API permissions should be the same. However, the extended page in Azure Active Directory Graph might be challenging, since you must understand what those APIs do and what is allowed and disallowed.
  • That the location of the permission and role membership configuration in the Microsoft Office 365 Admin console also differs.
  • That the IBM Knowledge Center offers only generic information, and references can be limited for beginners.
  • That the IBM Knowledge Center readme states, "Creating accounts, permissions, and home directories. Operations requested from the IBM Security server will fail if the Adapter is not given sufficient authority to perform the requested task. IBM recommends that this Adapter run with administrative (root) permissions."
  • This article provides an overview of the Microsoft 365 Adapter configuration guide and its aspects, with a detailed explanation of it.
Recommended:
  1. Install the Office 365 adapter successfully by checking the Readme and understanding the known issues and requirements
  2. Install the correct SDI/Dispatcher/JRE/Adapter profile
  3. Place the correct Office 365 connector and library files
  4. Configure the ISIM Office 365 adapter in general
  5. Review the latest Adapter guide, which lists the supported hardware and software versions
  6. The IBM Knowledge Center is also available: the Office 365 adapters are supported for IGI, ISIM, and PIM, so all configuration settings are very similar. The URL is listed under the IBM Security product; for some references, the older version references are also very helpful
 
The API permission reference is below.
Permissions of the Office 365 APIs
7. The user should have an administrator role and be able to log in to portal.azure.com as a user administrator.
8. The App should have full directory access to read and write user and group data (add permissions in the Settings menu, API Access; grant full access in Application settings and Delegated Permissions).
       For example, for the reconcile operation the user should have at minimum "User.Read, User.Read.All, User.ReadBasic.All" in the permissions of Azure Active Directory Graph.
9. The latest SDI 7.2 and JRE 1.8 should be used; an outdated JRE will not work.
 
10. The libraries are downloadable; certain versions are no longer available, and you might need to try the latest one, an earlier one, or another relevant or older version. Running the test connection from the IBM service form can be a "trial and error" troubleshooting exercise, since those libraries are not owned by IBM. Please report the issue to IBM Technical Support, and Support will address it in detail.
The error
java.lang.NoClassDefFoundError: org/apache/http/params/SyncBasicHttpParams
typically means that the libs are missing, the JRE folder is misused, or the JRE version is wrong.
You can go to <SDI_HOME>/jre/bin and check your version of Java with java -version
 
11. The Azure Admin has to generate the application ID and password key for the IBM service form.

13. The rest of the general steps to configure are referenced here.

14. We also recommend testing the Adapter on the UAT or test machine first, before the real Production deployment.

15. Usually the connection test is a good indication that the Adapter/JRE/SDI and profile import are working. However, reconciliation uses the search API method, so for operations testing you have to run the recon, add, modify, and delete operations. Refer to the logs for those tests.
16. Trace.log/msg.log and IBMDI.log must be reviewed for any errors or success status after the Adapter components are installed. The reference URL for the logs configuration and setting.
Tips for SSL connection
keytool.exe -import -alias rootbase64 -file c:\rootbase64.cer -keystore "c:\Program Files\IBM\TDI\V7.2\timsol\serverapi\testadmin.jks" -storepass administrator
Owner: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Serial number: 20000b9
Valid from: 5/12/00 8:46 AM until: 5/12/25 1:59 PM
Certificate fingerprints:
         MD5:  AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
         SHA1: D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
         SHA256: 16:AF:57:A9:F6:76:B0:AB:12:60:95:AA:5E:BA:DE:F2:2A:B3:11:19:D6:44:AC:95:CD:4B:93:DB:F3:F2:6A:EB
         Signature algorithm name: SHA1withRSA
         Version: 3
Under the timsol folder, open solution.properties and locate the testadmin.jks entries:

## server authentication
javax.net.ssl.trustStore=serverapi/testadmin.jks
{protect}-javax.net.ssl.trustStorePassword={encr}slxU3JrLfEayRoGRxI+xVg4ypOnoDg1UT1p+KvkUB2LXagBc+Dx3Ow5TjqZM/JCyCrtcVUcdc0x3LQghPR4uAhtiNtlgXgDZ7BrEoT/8faYMlWhi7LLdM7UPi4yAs53Vd/1QQSv1rzhPO6SYVF2NxHfyyEyF1brMAALFHoAgLK8=
javax.net.ssl.trustStoreType=jks
## client authentication
javax.net.ssl.keyStore=serverapi/testadmin.jks
{protect}-javax.net.ssl.keyStorePassword={encr}sHyue4F4oGwJCYzC/eY1G8Zvm3I5w/1fpAyUDI1nuDHZUtWjG6X1GAxEbRg4BwMkh6hBdcmpW9e/53Qw4nv1Qg9EJI0S5kAVu+bE3S76cCYrCtAF0cIBgno4ty4MeJ5HiwVjGDHq5FIWqvGxWVn2Gp+nCsAuzkHSs6o854GU1tM=
javax.net.ssl.keyStoreType=jks
The default password is administrator.
Make sure the testadmin.jks is located properly; in some cases it is at a different location.
keytool.exe -list -v -keystore "C:\Program Files\IBM\TDI\V7.2\timsol\serverapi\testadmin.jks" -storepass administrator
Alias name: rootbase64
Creation date: Oct 24, 2019
Entry type: trustedCertEntry
Owner: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Serial number: 20000b9
Valid from: 5/12/00 8:46 AM until: 5/12/25 1:59 PM
Certificate fingerprints:
         MD5:  AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
         SHA1: D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
         SHA256: 16:AF:57:A9:F6:76:B0:AB:12:60:95:AA:5E:BA:DE:F2:2A:B3:11:19:D6:44:AC:95:CD:4B:93:DB:F3:F2:6A:EB
         Signature algorithm name: SHA1withRSA
         Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:3
]
Verify that the Baltimore certificate is the root certificate in the chain extracted by the procedure below.
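A script that checks the keytool listing above for the expected trust anchor, added here as an example (it is not part of the technote or of the IBM adapter). It parses "keytool -list -v" output, looks up the alias, and reports if the SHA256 fingerprint does not match, the entry is not a self-signed CA, or the certificate is expired or close to expiry (the Baltimore root listed above expires 5/12/25). The sample listing is the one from this page; English-locale keytool date format and the 90-day warning window are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the "keytool -list -v" entry for the Baltimore root shown
# in this technote, as keytool prints it (English locale assumed).
SAMPLE_KEYTOOL_OUTPUT = """\
Alias name: rootbase64
Creation date: Oct 24, 2019
Entry type: trustedCertEntry
Owner: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Serial number: 20000b9
Valid from: 5/12/00 8:46 AM until: 5/12/25 1:59 PM
Certificate fingerprints:
         MD5:  AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
         SHA1: D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
         SHA256: 16:AF:57:A9:F6:76:B0:AB:12:60:95:AA:5E:BA:DE:F2:2A:B3:11:19:D6:44:AC:95:CD:4B:93:DB:F3:F2:6A:EB
         Signature algorithm name: SHA1withRSA
         Version: 3
Extensions:
#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:3
]
"""

# SHA256 fingerprint of the Baltimore CyberTrust Root as listed in the technote.
BALTIMORE_SHA256 = ("16:AF:57:A9:F6:76:B0:AB:12:60:95:AA:5E:BA:DE:F2:"
                    "2A:B3:11:19:D6:44:AC:95:CD:4B:93:DB:F3:F2:6A:EB")


def _field(chunk, label):
    """Return the value after 'label:' on its own line, or None if absent."""
    m = re.search(r"^\s*" + re.escape(label) + r":\s*(.+?)\s*$", chunk, re.M)
    return m.group(1) if m else None


def _keytool_date(text):
    # keytool (English locale) prints dates like "5/12/25 1:59 PM".
    return datetime.strptime(text.strip(), "%m/%d/%y %I:%M %p")


def parse_keytool_entries(text):
    """Split 'keytool -list -v' output into one dict per keystore entry."""
    entries = []
    for chunk in re.split(r"(?m)^(?=Alias name:)", text):
        if not chunk.startswith("Alias name:"):
            continue  # header text before the first entry
        valid = _field(chunk, "Valid from") or ""
        not_before, _, not_after = valid.partition(" until: ")
        entries.append({
            "alias": _field(chunk, "Alias name"),
            "entry_type": _field(chunk, "Entry type"),
            "owner": _field(chunk, "Owner"),
            "issuer": _field(chunk, "Issuer"),
            "not_before": _keytool_date(not_before) if not_before else None,
            "not_after": _keytool_date(not_after) if not_after else None,
            "sha256": (_field(chunk, "SHA256") or "").upper(),
            "is_ca": (_field(chunk, "CA") or "").lower() == "true",
        })
    return entries


def check_truststore(text, expected_alias, expected_sha256, now, warn_days=90):
    """Return a list of findings; an empty list means the trust anchor looks right."""
    findings = []
    entry = next((e for e in parse_keytool_entries(text)
                  if e["alias"] == expected_alias), None)
    if entry is None:
        return ["alias '%s' not found: import the Base64 root certificate "
                "with keytool -import" % expected_alias]
    if entry["entry_type"] != "trustedCertEntry":
        findings.append("entry type is %s, expected trustedCertEntry" % entry["entry_type"])
    if entry["sha256"].replace(" ", "") != expected_sha256.upper().replace(" ", ""):
        findings.append("SHA256 fingerprint mismatch: got %s" % entry["sha256"])
    if not entry["is_ca"]:
        findings.append("certificate is not a CA (BasicConstraints CA:true missing)")
    if entry["owner"] != entry["issuer"]:
        findings.append("owner and issuer differ: this is an intermediate, not the root")
    if entry["not_after"] is None:
        findings.append("could not parse validity dates")
    elif now >= entry["not_after"]:
        findings.append("certificate expired on %s" % entry["not_after"].date())
    elif (entry["not_after"] - now).days < warn_days:
        findings.append("certificate expires in %d days (%s)"
                        % ((entry["not_after"] - now).days, entry["not_after"].date()))
    if entry["not_before"] is not None and now < entry["not_before"]:
        findings.append("certificate is not yet valid")
    return findings


if __name__ == "__main__":
    # Pipe real output in with: keytool -list -v -keystore testadmin.jks ... | python this.py
    result = check_truststore(SAMPLE_KEYTOOL_OUTPUT, "rootbase64",
                              BALTIMORE_SHA256, datetime.now())
    for line in result or ["truststore OK"]:
        print(line)
```

Run it against the real listing by replacing SAMPLE_KEYTOOL_OUTPUT with the output of the keytool -list command above; a "peer not authenticated" error at test connection time is what an empty truststore or a mismatched root produces, so this check is worth running before the test connection rather than after it fails.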

Procedure

  1. Open a browser.
  2. Go to https://accounts.accesscontrol.windows.net
    Note The Internet Explorer browser might return an HTTP 400 Bad Request message. You might be unable to view the SSL lock button. To correct this issue:
    1. On the browser, go to Tools > Internet Options and click the Advanced tab.
    2. In the Settings panel, locate the Show friendly HTTP error messages option under Browsing.
    3. Disable the Show friendly HTTP error messages option.
    4. Click Apply and then click OK to close the panel.
    5. Click the Refresh button to reload the link and display the SSL lock.
  3. View the certificate.
    • Click SSL lock.
    • If your browser reports that revocation information is not available, click View Certificate.
  4. Click Certification Path
  5. Select the MSIT Machine Auth CA 2 certificate.
  6. Export the certificate into a file that is encoded in the Base64 format.
Otherwise, the test connection fails with the error below.
CTGIMU107W
The connection to the specified service cannot be established. Verify the service information, and try again.
CTGIMT001E
The following error occurred. Error: Initialize Error: com.ibm.di.connector.o365.user.UserConnectorException: Failed to create token for connection. Office 365 message: 'peer not authenticated'
The ADD request failed:
2019-10-24 22:47:53,652 INFO  [ITIM_Dispatcher] - CTGDIS004I *** Finished dumping Entry
2019-10-24 22:47:53,655 ERROR [AssemblyLine.AssemblyLines/O365AddUser_Office 365 7.1.14 on SDI 7.2 JRE 1.8 on 9.199.139.106_8878396626655530593_a4e1cd84-2c1e-11b2-2095-000009c78b6a.6] - [addUser] CTGDIS181E Error while evaluating Hook 'Default On Error' in the Component 'addUser' (addUser.default_fail).
java.lang.Exception: 'gOperationType' not found
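A small log triage script for the errors quoted in this technote (the NoClassDefFoundError in item 10, and the CTGIMU107W / "peer not authenticated" test-connection failure above), added here as an example; it is not part of the technote or of IBM's tooling. It maps each known message to the check the technote gives for it and leaves everything else, including the CTGDIS181E hook error, as "unclassified" so that no cause is guessed. The sample log lines are constructed from the messages on this page, with the long AssemblyLine name shortened; the log prefix format is assumed from the lines shown.

```python
import re

# Constructed sample log lines, assembled from the error messages quoted in this
# technote (the AssemblyLine name is shortened).
SAMPLE_LOG = """\
java.lang.NoClassDefFoundError: org/apache/http/params/SyncBasicHttpParams
CTGIMU107W The connection to the specified service cannot be established. Verify the service information, and try again.
CTGIMT001E The following error occurred. Error: Initialize Error: com.ibm.di.connector.o365.user.UserConnectorException: Failed to create token for connection. Office 365 message: 'peer not authenticated'
2019-10-24 22:47:53,652 INFO  [ITIM_Dispatcher] - CTGDIS004I *** Finished dumping Entry
2019-10-24 22:47:53,655 ERROR [AssemblyLine.AssemblyLines/O365AddUser] - [addUser] CTGDIS181E Error while evaluating Hook 'Default On Error' in the Component 'addUser' (addUser.default_fail).
java.lang.Exception: 'gOperationType' not found
"""

# Known signatures -> (category, what the technote says to check). Only causes the
# technote itself gives are listed; anything else is reported as "unclassified".
SIGNATURES = [
    (re.compile(r"NoClassDefFoundError: org/apache/http/"), "missing-libraries",
     "HttpClient libraries missing, JRE folder misused or wrong JRE version: check the "
     "connector library files and run <SDI_HOME>/jre/bin/java -version (JRE 1.8 expected)"),
    (re.compile(r"peer not authenticated"), "ssl-trust",
     "root CA not trusted by SDI: import the Base64 root certificate into testadmin.jks "
     "with keytool -import and check the trustStore path in solution.properties"),
    (re.compile(r"\bCTGIMU107W\b"), "test-connection-failed",
     "verify the service form: rmi://<IP>:<port>/ITDIDispatcher, tenant domain, "
     "application ID and key, and that the dispatcher is running"),
]

# "2019-10-24 22:47:53,655 ERROR [AssemblyLine...]" prefix as seen in the technote's log.
_LOG_PREFIX = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+)\s+(\w+)\s+\[([^\]]*)\]")
# IBM message codes such as CTGIMU107W / CTGDIS181E (suffix I/W/E = info/warning/error).
_MSG_CODE = re.compile(r"\b(CTG[A-Z]{3}\d{3}[IWE])\b")


def triage(log_text):
    """Classify each noteworthy log line; INFO lines without a known signature are skipped."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        prefix = _LOG_PREFIX.match(line)
        level = prefix.group(2) if prefix else None
        code_m = _MSG_CODE.search(line)
        code = code_m.group(1) if code_m else None
        category = hint = None
        for pattern, cat, text in SIGNATURES:
            if pattern.search(line):
                category, hint = cat, text
                break
        if category is None:
            is_error = (level in ("ERROR", "WARN") or "Exception" in line
                        or (code is not None and code.endswith("E")))
            if not is_error:
                continue
            category = "unclassified"
            hint = "no known signature: review ibmdi.log, trace.log and msg.log around this line"
        findings.append({"line": lineno, "level": level, "code": code,
                         "category": category, "hint": hint})
    return findings


def summarize(findings):
    """Count findings per category, which is what to look at first."""
    counts = {}
    for f in findings:
        counts[f["category"]] = counts.get(f["category"], 0) + 1
    return counts


if __name__ == "__main__":
    # Replace SAMPLE_LOG with the contents of ibmdi.log to triage a real run.
    for f in triage(SAMPLE_LOG):
        print("line %d [%s] %s -> %s: %s"
              % (f["line"], f["level"] or "-", f["code"] or "-", f["category"], f["hint"]))
    print(summarize(triage(SAMPLE_LOG)))
```

The signature table is deliberately limited to what the technote explains; extend it only with causes you have confirmed, otherwise the "unclassified" bucket is the honest answer and the logs named in item 16 are the place to look.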
The Service form for the Office 365 adapter
Manage Services > Change a Service > Adapter Details
Required fields:
Service name  --->  any name
Tivoli Directory Integrator location  --->  rmi://<IP>:<port>/ITDIDispatcher
Office 365 Tenant Domain Name  --->  the domain where the users are located, such as domain.com
Application ID (required)  --->  obtain from the Azure server
Application Key (required)  --->  obtain from the Azure server

Document Location

Worldwide


Document Information

Modified date:
26 September 2022

UID

ibm11085721