Release notes - IBM Security Verify Governance Adapter v10.0.11 for Microsoft Office 365

IBM Security Verify Governance Adapter v10.0.11 for Microsoft Office 365 is available. Compatibility, installation and other getting-started issues are addressed.

Copyright International Business Machines Corporation 2022, 2024. All rights reserved.

US Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

 

Preface

Welcome to the IBM Security Verify Governance Adapter for Microsoft Office 365.

 

Adapter Features and Purpose

 

The Microsoft Office 365 Adapter is designed to create and manage User Accounts on the Microsoft Office 365 domain. The adapter runs in "agentless" mode and communicates using the Graph API to the Microsoft Office 365 Domain being managed.

 

The IBM Security Verify Governance Adapters are powerful tools that require Administrator Level authority. Adapters operate much like a human system administrator, creating accounts, permissions, and home directories. Operations requested from the IBM Security Verify Governance Identity Manager server and the IBM Security Verify Governance server will fail if the Adapter is not given sufficient authority to perform the requested task.

 

License Agreement

Review and agree to the terms of the IBM Security Verify Governance Adapter License prior to using this product. The license can be viewed from the "license" folder included in the product package.

Contents of this Release

Refer to the Knowledge Center (KC) link: IBM Security Verify Governance Adapter Development and Customization Guide.

Adapter Version

Component                 Version
Build Date                2024 May 29 12.11.58
Adapter Version           10.0.11
Component Versions        Adapter build: 10.0.11.84
                          Profile: 10.0.11.84
                          Connector: 10.0.11.84
                          Dispatcher 7.1.39 or higher (packaged separately)

Documentation

The following guides will be made available in the IBM Verify Governance Adapters Knowledge Center:

·  Microsoft Office 365 Adapter Installation and Configuration Guide

New Features

Columns: Internal# | Enhancement # (RFE / IDEA) | Description

Items included in 10.0.11 current release

Internal#: SVGAD-2221
Enhancement #: ADAPT-160
Description: Add the role-assignable groups property to the O365Adapter Group. See Installation Guide > Reference > Default Group Attributes table for more details. For errors, refer to Troubleshooting > Error messages and problem solving.

Items included in 10.0.10 release

Internal#: SVGAD-1727
Enhancement #: ADAPT-149
Description: Certify the adapter for use with IBM Security Verify Directory Integrator version 10.0.0.

Internal#: SVGAD-2030
Enhancement #: ISIM-I-5036
Description: Office 365 Adapter should support custom and inactive roles.

Internal#: SVGAD-1881
Enhancement #: IDEA ADAPT-137
Description: Implemented the adapter so that it lets the user sync Groups from:
1) (Default) Only Azure Active Directory.
2) Groups from Azure Active Directory and Active Directory. (If ISVG and Identity Manager are in a hybrid AD/Azure AD environment with AD Sync synchronization enabled.)
With the default option the adapter ignores (does not sync) groups on the AAD account that are synchronized from AD, to avoid modifying Active Directory group objects, which are read-only objects.

Internal#: SVGAD-2106
Description: Properties file update for additional attributes. The additional attributes of the Office365 adapter need to be listed with the additionalAttributes key, as shown below:

additionalAttributes=createdDateTime,ageGroup,businessPhones,companyName,consentProvidedForMinor,creationType,employeeHireDate,employeeId,employeeType,legalAgeGroupClassification,lastPasswordChangeDateTime,onPremisesDistinguishedName,onPremisesDomainName,onPremisesLastSyncDateTime,onPremisesSamAccountName,onPremisesSecurityIdentifier,onPremisesSyncEnabled,onPremisesUserPrincipalName,passwordPolicies,preferredDataLocation,securityIdentifier,signInSessionsValidFromDateTime,manager,mailboxSettings,mailboxSettings_FULLSUPPORT,manager_FULLSUPPORT

Properties file location updated to: <SDI_Solution_Directory>\properties\Office365-Attributes.properties

Items included in 10.0.9 release

Internal#: SVGAD-117
Enhancement #: ADAPT-104 / ADAPT-I-167
Description: ISVG Office 365 Adapter - Roles as entitlements/permissions.

Internal#: SVGAD-495
Enhancement #: ADAPT-134 / ADAPT-128 / ADAPT-125 / ADAPT-98
Description: Refresh O365 adapter.
1. Added support for additional on-premises group attributes. See chapter Table 4, Supported On-premise Group Attributes.
2. Added support for the standard Azure user attributes as documented in the properties table (https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0#properties), with the exception of the attributes that require an SPO license: aboutMe, birthday, hireDate, interests, mySite, pastProjects, preferredName, responsibilities, schools, skills, showInAddressList. See chapter Table 2, Additional User Attributes.
3. Added support for Guest accounts. See chapter Adapter attributes by operations.
4. Added support for the MailboxSettings table. See chapter MailboxSettings Attributes.

Internal#: SVGAD-207
Enhancement #: ADAPT-104 / IGI-I-524
Description: ISVG Office 365 Adapter - Additional attributes provisioning: Employee ID, Manager, Company Name, OfficeLocation, Proxy Address.

Items included in release (10.0.8)

Internal#: SVGAD-342
Enhancement #: ADAPT-98 / ADAPT-I-1 / ADAPT-I-202
Description: ImmutableId should be editable.

Items included in release (10.0.7)

None

Items included in release (10.0.6)

None

Items included in release (10.0.5)

Internal#: Internal
Description: Internal O365 - Some attributes missing.

Items included in release (10.0.4)

Internal#: RTC – 188949
Description: Internal O365 - License not removed for user account in O365 admin centre.

Items included in release (10.0.3)

Internal#: RTC – 189673
Description: Internal O365 - Adapter refresh: Azure Graph API to MS Graph API changes.

Items included in release (10.0.2)

None

Items included in release (10.0.1)

None

Items included in release (7.1.17)

None

 

 

 

Items included in release (7.1.16)

Internal#: Bug 3052 / RTC 185476 / TS002767617
Enhancement #: RFE – 137533 (60119)
Description: IBM IGI - Office 365 Add-on License Support.

Items included in release (7.1.15)

None

Items included in release (7.1.14)

None

Items included in release (7.1.13)

None

Items included in release (7.1.12)

None

Items included in release (7.1.11)

None

 

 

 

 

Items included in 7.1.10 release

Internal#: 167912
Description: Office 365 Roles and Office 365 Licenses appear as Service Groups.

Items included in 7.1.9 release

Internal#: 154064
Description: Roles are dynamically populated for the given tenant via the API when creating or modifying a user.

Items included in 7.1.8 release

Description: Add support for IGI 5.2.2. This adapter is now designed for use with IBM Security Identity Manager, Privileged Identity Manager, and Identity Governance and Intelligence.

 

 

 

 

Items included in 7.0.7 release

Internal#: 43248 (143742)
Description: Support user provisioning in a Federated domain.

Internal#: 39329 (143742)
Description: Adapter should manage the ObjectGUID attribute - ImmutableID.

Items included in 7.0.6 release

Internal#: 137482
Description: Configurable Search Page size parameter added in the account form.

Items included in 7.0.5 release

Internal#: 131866
Description: Upgraded to Graph API version 1.6, supporting the latest version provided by Microsoft.

Items included in 7.0.4 release

Internal#: Internal
Description: Initial Release.

 

Closed Issues

Columns: Internal# | Known Issue# / CASE# | Description

Items closed in current release (10.0.11)

Internal#: SVGAD-2343
Known Issue# / CASE#: KI: DT378946 / TS015959071
Description: Issue with the Office365 filter reconcile being case sensitive from the service.def file setup.

Internal#: SVGAD-2441
Known Issue# / CASE#: KI: DT381609 / TS015220425
Description: Full Recon: some groups are not being synced with their associated members.

 

 

 

Items closed in release (10.0.10)

Internal#: SVGAD-2108
Description: Performance improvement of the Office365 Adapter.

Performance enhancement of Full Recon.

This fix adds support for endsWithFilter on eruid (User Principal Name) only, which is also part of the performance enhancement.

Microsoft document for filter: https://learn.microsoft.com/en-us/graph/filter-query-parameter?tabs=http

EndsWithFilter reconciliation supports filtered user data. (The * must be in the first position only, as in the examples given.)

EndsWithFilter examples: (eruid=*@ibm.com) or (eruid=*abc@ibm.com) or (eruid=*@consultant.ibm.com)

In the following cases endsWithFilter with eruid will not work on the API:

1. More than one * in the filter.

2. The * does not appear in the first position, for example (eruid=abc*@ibm.com).
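To make the two rules above concrete, here is an added Python example (not the adapter's own code) that checks an eruid filter against the endsWithFilter rules and, when it passes, builds the Microsoft Graph endsWith() query. The v1.0 users endpoint and the $count / ConsistencyLevel requirement are taken from Microsoft's filter documentation linked above and are assumptions of this example, not settings the adapter exposes.

```python
import re
from typing import Dict, Tuple
from urllib.parse import urlencode

# Added example, not the adapter's own code: check an LDAP-style eruid filter
# against the endsWithFilter rules stated in these release notes (exactly one
# '*', and it must be the first character of the value) and translate it into
# the Microsoft Graph endsWith() $filter that can be pushed down to the API.

# Assumption: the v1.0 users endpoint, as in Microsoft's filter documentation.
GRAPH_USERS_URL = "https://graph.microsoft.com/v1.0/users"

# A single (attribute=value) term; the value may not contain parentheses.
_SIMPLE_FILTER = re.compile(r"^\(\s*(?P<attr>[A-Za-z0-9_]+)\s*=\s*(?P<value>[^()]*?)\s*\)$")


class UnsupportedFilter(ValueError):
    """The filter cannot be evaluated by the API as endsWith()."""


def eruid_suffix(ldap_filter: str) -> str:
    """Return the text after the leading '*' in (eruid=*suffix).

    Raises UnsupportedFilter for each case the notes list as not working.
    """
    m = _SIMPLE_FILTER.match(ldap_filter.strip())
    if m is None:
        raise UnsupportedFilter(f"not a simple (attribute=value) filter: {ldap_filter!r}")
    attr, value = m.group("attr"), m.group("value")
    if attr != "eruid":
        raise UnsupportedFilter(f"endsWithFilter is supported on eruid only, not {attr!r}")
    if value.count("*") != 1:
        # Case 1: more than one '*' (a value with no '*' is not an endsWith filter either).
        raise UnsupportedFilter(f"exactly one '*' is required: {value!r}")
    if not value.startswith("*"):
        # Case 2: the '*' is not in the first position, e.g. (eruid=abc*@ibm.com).
        raise UnsupportedFilter(f"'*' must be the first character: {value!r}")
    suffix = value[1:]
    if not suffix:
        raise UnsupportedFilter("nothing follows the '*'")
    return suffix


def graph_filter(ldap_filter: str) -> str:
    """OData $filter expression; single quotes in the suffix are doubled per OData."""
    suffix = eruid_suffix(ldap_filter).replace("'", "''")
    return f"endsWith(userPrincipalName,'{suffix}')"


def graph_request(ldap_filter: str) -> Tuple[str, Dict[str, str]]:
    """URL and headers for the filtered users query.

    Assumption taken from Microsoft's filter documentation (linked above), not
    from the adapter: endsWith is an advanced query, so $count=true and the
    ConsistencyLevel: eventual header must accompany it.
    """
    query = urlencode({"$filter": graph_filter(ldap_filter), "$count": "true"})
    return f"{GRAPH_USERS_URL}?{query}", {"ConsistencyLevel": "eventual"}


def is_pushdown_supported(ldap_filter: str) -> bool:
    """True when the filter can be handed to the API as endsWith()."""
    try:
        eruid_suffix(ldap_filter)
    except UnsupportedFilter:
        return False
    return True


if __name__ == "__main__":
    # The examples from the notes plus the two unsupported shapes.
    for f in ["(eruid=*@ibm.com)", "(eruid=*abc@ibm.com)",
              "(eruid=abc*@ibm.com)", "(eruid=*abc*@ibm.com)"]:
        print(f, "->", graph_request(f)[0] if is_pushdown_supported(f) else "not supported by the API")
```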

 

 

 

 


Items closed in 10.0.9 release

Internal#: SVGAD-1104
Description: Resolve the "BrokerageDriver: unable to get group" error in IGI for the MS Office 365 adapter.

Items closed in release (10.0.8)

None

Items closed in release (10.0.7)

Internal#: Bug 3837 / RTC-190666
Known Issue# / CASE#: TS009134208
Description: O365 Password Not Changing.

Internal#: Bug 3977 / RTC-191075
Known Issue# / CASE#: TS010901559
Description: Office365 adapter doesn't gather all the resources.

Internal#: Bug 3920 / RTC-190849
Known Issue# / CASE#: TS010027977
Description: O365 service test connection.

Internal#: Bug 3971 / RTC-191048
Known Issue# / CASE#: TS010758200
Description: NullPointerException when attempting to modify accounts.

Internal#: RTC-191279
Description: Wrong OID used for an O365 attribute.

Internal#: Bug 3926 / RTC-190967
Known Issue# / CASE#: TS010174228
Description: Question on IBM Security Verify Adapter for Microsoft Office 365.

 

 

 

Items closed in release (10.0.6)

Internal#: Bug 3841 / RTC-190591
Known Issue# / CASE#: TS009094438
Description: Office365 Connector - Issue when creating an account.

Items closed in release (10.0.2)

Internal#: Bug 3413 / RTC-188098
Known Issue# / CASE#: IJ30255 / TS004733640
Description: O365 Reconciliation always returns the user dump.

Items closed in release (10.0.1)

Internal#: Bug 3205 / RTC-186971
Known Issue# / CASE#: IJ25857 / IJ28627 / TS003602420
Description: IGI - Office 365 Adapter - error when removing permissions and synchronizing.

Internal#: Bug 3341 / RTC-187888
Known Issue# / CASE#: IJ28185 / TS004141914
Description: Office 365 Adapter Connection Issues >> DOC update request.

 

 

 

Items closed in release (7.1.17)

Internal#: Bug 3192 / RTC-186987
Known Issue# / CASE#: TS003510180
Description: O365 addUser fails with "SourceAnchor is a required property for creation of a federated user."

Items closed in release (7.1.16)

Internal#: Bug 3101 / RTC-185443
Known Issue# / CASE#: IJ21229 / TS003018167
Description: Modify User Licenses fails.

Items closed in release (7.1.15)

Internal#: Bug 3025 / RTC-185101
Known Issue# / CASE#: IJ20971
Description: Documentation link to the Office 365 Community Blog is broken.

Internal#: Bug 3039 / RTC-185424
Known Issue# / CASE#: TS002696239
Description: O365 Adapter - Token Expired Error.

Internal#: Bug 3043 / RTC-185300
Known Issue# / CASE#: TS002717483
Description: Adapter for Office 365 - how to obtain certificates. Provided private proxy support for the adapter.

Internal#: Bug 3080 / RTC-185425
Known Issue# / CASE#: TS002930007
Description: O365 - Recon - Java out of memory error.

Items closed in release (7.1.14)

Internal#: Bug 2816 / RTC-184344
Known Issue# / CASE#: TS002203748
Description: Office 365 code clean-up and handling exceptions correctly, follow-up for Bug 2816.

Internal#: Bug 3002 / RTC-184668
Known Issue# / CASE#: TS002472132
Description: Group memberships are processed in full or filtered reconciliations. Supporting data reconciliations bring back group data.

 

 

 

 

Items closed in release (7.1.13)

Internal#: Bug 2866 / RTC-183802
Known Issue# / CASE#: TS001989647
Description: Office365 unable to provision license.

Internal#: Bug 2882 / RTC-183801
Known Issue# / CASE#: TS002106550
Description: Plan id is the same as the sku id when the number of plan ids is 1.

Internal#: Bug 2885 / RTC-183478
Known Issue# / CASE#: TS002117817
Description: Issues with immutableid attributes.

Internal#: Bug 2909 / RTC-183806
Known Issue# / CASE#: TS002193653
Description: O365 filtered recons.

Internal#: Bug 2916 / RTC-183805
Known Issue# / CASE#: TS002238367
Description: Adapter hangs when deleting an account that does not exist on O365.

Internal#: Bug 2816 / RTC-183242
Known Issue# / CASE#: TS001558340
Description: Office365 recon failure - adapter is unable to recon large data.

 

 

 

Items closed in release (7.1.12)

Internal#: 181613
Description: Facing an issue while performing the Change Password operation for the Office365 adapter on IGI 5.2.5.

Internal#: 180753
Known Issue# / CASE#: TS001074802 / IJ11132
Description: Modified the GetGroupMembership REST request. Added a parameter to fetch a defined number of entries from the resource.

Internal#: 181527
Description: Internal - As an Office 365 adapter, I must ensure that the dn target attribute is mapped to the dn governance attribute by default.

Items closed in release (7.1.11)

Internal#: 172672
Known Issue# / CASE#: TS000109852 / IJ04343
Description: The Recon doesn't terminate automatically in IGI 5.2.3.1.

 

 

 

 

Items closed in 7.1.10 release

None

Items closed in 7.1.9 release

Internal#: 154064
Description: The 'directoryRoles' segment is used to manage roles instead of 'roles', and objectId is used to reference roles. This is due to a change in the Microsoft API.

Internal#: 154151
Known Issue# / CASE#: 75579,082,000
Description: The license removal needs an explicit call to remove the SKU in case no service plans are enabled. This is due to a change in the Microsoft API.

Items closed in 7.1.8 release

Description: Initial Release compliant with IGI 5.2.2.

Items closed in 7.0.6 release

Internal#: 136441
Description: The list of available license service plans should return licenses that are enabled for provisioning and applicable at user level.

Internal#: 136435
Description: App Key is masked in the Debug log.

Items closed in 7.0.5 release

Internal#: 132680
Description: The App key is hidden in the service form. The attribute "ero365appkey" is added to the password.attributes list in enRole.properties in the <ISIM_HOME>/data directory.

Items closed in 7.0.4 release

Description: Initial release.

 

 

 

 

Known limitations

Columns: Internal# | APAR# / CASE# | Description (Internal# and APAR# / CASE# are N/A for every item below)

- Attributes that require a SharePoint Online (SPO) license are not supported in the current release of the adapter.

- Attributes and/or operations that are not supported in the production version of the Microsoft Graph API are not supported in the adapter.

- Currently, "Directory (Azure AD) extensions" attributes, also called custom attributes, are not supported; they are described in this document: https://learn.microsoft.com/en-us/graph/extensibility-overview?tabs=http

- The adapter doesn't support deletion of all mails in the otherMails attribute in the case of ISVG.

- The adapter supports enrolling each user in up to 999 groups and 999 roles.

- The adapter does not support a case-insensitive filter search with (eruid=username@domainname.com). This is a known issue with the Dispatcher, which does the filtering during reconciliation. The exact user name must be used during filter recon until this issue is fixed in the Dispatcher.

- User Principal Name is a ReadWrite attribute. Updating the User Principal Name from the target is not recommended: after reconciliation a new user will be created and you need to associate the user manually again. Always prefer to update the User Principal Name from ISIM/IGI to maintain consistency.

- The adapter supports user-level as well as companywide licenses. The adapter supports provisioning of both license types, but it doesn't support deprovisioning of a companywide license. This is a limitation of the Microsoft Graph API, which doesn't allow deleting a companywide license. If you want to remove a companywide service plan, you must do this on the O365 portal by removing the entire license in which the companywide service plan is included.

- The adapter does not support duplicated Group Display Names.

- The adapter does not support changing the Group Name. This is a limitation of the IBM Security Verify Manager. Attempting to change the Group Name will result in the following error: "CTGIMI046E You cannot change the value of the attribute that is mapped to ergroupname."

- The adapter does not support setting the group attribute 'mailNickName'. This is a limitation of the Windows Azure Active Directory Graph API. The API only accepts 'BposMailNickName' as the value for this attribute during group creation. Any other value will result in the following error: "Invalid value specified for property 'mailNickname' of resource 'Group'".

- The service principal that represents the adapter service must be in an administrator role that has permissions to modify role objects in order to send POST or DELETE requests, and in a role that has permissions to read role objects in order to send GET requests. For more information about administrator roles in Windows Azure AD Graph, see Windows Azure AD Graph and Role-Based Access Control: http://msdn.microsoft.com/en-us/library/azure/dn385717.aspx

- The adapter does not support setting the user account attribute 'mail'. This is a limitation of the Windows Azure Active Directory Graph API, which considers the 'mail' attribute read-only. Trying to set this attribute will result in the following error: "Property 'mail' is read-only and cannot be set."

- Microsoft has a limitation that user accounts cannot be added or modified in a federated domain from an on-premises DirSync Active Directory that is not the default domain. Provisioning of users in such a domain can be done by using the AD adapter and then syncing back to the Azure directory using the Microsoft DirSync tool.

- The "Enable detailed TDI debugging" option on the Service Form has been removed since the 7.0.2 release for security reasons. Instead, "DEBUG" in the ITDI log4j.properties file is to be used to enable extra debug logging.

 

 

Installation and Configuration Notes

See the IBM Security Verify Governance Adapter Installation and Configuration Guide for detailed instructions.

Corrections to Installation guide:

Chapter 1: Overview
   -> Features of the adapter
      (Modify the section by adding the points and the note below.)

      - Create, modify, suspend, restore, change password, and delete a user and guest user.
      - Sending guest account invitations.

      Note: See https://www.ibm.com/docs/en/svgaa?topic=reference-adapter-attributes-by-operations for more details on guest account creation and the operations related to it.

 

Chapter 2: Planning

             No updates for the current release

 

Chapter 3: Installing

   -> Installing ILMT-Tags File

      (Please add the new section "Installing ILMT-Tags File" under Installing > Installing ILMT-Tags in the install guide.)

      Before you begin:

      - The Dispatcher must be installed.

      Procedure:

         Copy the files in the ILMT-Tags folder to the specified location:

         1. Windows: <SDI-HOME>/swidtag
         2. Unix/Linux: <SDI-HOME>/swidtag



   -> Installing in the Verify Governance Virtual Appliance

      (Please add this new section in the Knowledge Center (under Installing > Installing in the Verify Governance Virtual Appliance) for the Azure AD Adapter to describe the installation procedure of the adapter in the Verify Governance Virtual Appliance: https://www.ibm.com/docs/en/svgaa?topic=ldap-installing-in-virtual-appliance. Please also add the note below after adding the description.)

      Note: While uploading the adapter package, you may receive "System Error: A file included in the SDI Adapter zip already exists on the system", and the Server Message log under the Appliance tab of the VA will have a reference to the error "com.ibm.identity.sdi.SDIManagementService E File ibm.com_IBM_Security_Verify_Governance_xxxx.swidtag found in the adapter zip at location ILMT-Tags/ already exists in system". This is because the same swidtags can be installed only once. So, if another adapter of the same type is installed, remove the swidtags.

      The ibm.com_IBM_Security_Verify_Governance_Enterprise-xxxx.swidtag file is common to all adapters. In addition to the common swidtag file, an application adapter needs the ibm.com_IBM_Security_Verify_Governance_Application_Adapters-xxxx.swidtag file, and an infra adapter needs the ibm.com_IBM_Security_Verify_Governance_Lifecycle-xxxx.swidtag and ibm.com_IBM_Security_Verify_Governance_Compliance-xxxx.swidtag files. So, if an application adapter is already installed and this is an infra adapter, install only the infra-specific swidtags, and the other way around. Please visit the IBM Security Verify Governance Adapters v10.x link to identify the adapter type of the installed adapters.

 

 

 

                    
   -> (Update the sub-section "Service/Target form details" of the "Installing" section and add the content below.)

      (In Installing > Service/Target form details > Complete the service/target form fields > Azure Active Directory Domain Details)

      Configuration File Path

      Specify the location of the .properties file containing the additional attributes that the adapter must support. (See "Configuration for additional attributes".)

      Select Groups to Sync

      Choose an option to sync Groups: (Default) Fetch Only Azure AD Groups or Fetch Azure AD and Active Directory Groups.
      (Default) Fetch Only Azure AD Groups: By default the adapter will only fetch Azure AD (Cloud) Groups.
      Fetch Azure AD and Active Directory Groups: To sync all Groups (Cloud Groups and On-premises Groups) from Azure AD. (Only if ISVG and Identity Manager are in a hybrid AD/Azure AD environment with AD Sync synchronization enabled.)

      Filter Group Type

      Choose an option to sync Groups: All, Security Group, or Microsoft 365 Group.

      All indicates no filter on Group Type. To get Security Groups only, select Security Group. To get Microsoft 365 Groups only, select Microsoft 365 Group.

      Filter Is Assignable To Role

      Choose an option to sync Groups: All, TRUE, or FALSE/UNSPECIFIED.

      All indicates no filter on "is assignable to role". To get only groups that are assignable to a role, select TRUE. To get groups that are not assignable to a role, select FALSE/UNSPECIFIED.

      Filter Visibility

      Choose an option to sync Groups: All, Public, Private, or Hidden Membership.

      All indicates no filter on visibility. Select Public to get groups with public visibility only. Select Private to get groups with private visibility only. Select Hidden Membership to get groups with hidden-membership visibility only.

      Note: Refer to chapter 7, Reference, which has a table that explains how the filters map to the group type.

   -> (Add the sub-section below under the Installing section: "Configuration for additional attributes")

      The Office365 adapter is configured to support all the standard user account attributes provided by Azure. Since collecting additional attributes during reconciliation might have a negative impact on performance, support for additional attributes can be activated using a configuration file. This file must include the additional attributes that are required by your organization.

      The additional attributes that are currently supported need to be added to the configuration file.

      ==> Follow the steps below to set up and configure the path of the additional attributes file:

      (A sample Office365-Attributes.properties file, in which all the supported additional attributes are specified, is available in the adapter package.)

      1) In the Adapter Connector/Service form details you can find Configuration File Path.

      2) Specify the file location in the Configuration File Path (e.g. C:\Program Files\IBM\TDI\V7.2\timsol\properties\Office365\Office365-Attributes.properties).

         - The file must be in .properties format (follow the steps for setting up the Office365-Attributes.properties file).
         - The file must be located on the same machine where the dispatcher is running (e.g. <ITDI_HOME>\timsol\properties\Office365\Office365-Attributes.properties).
         - You must provide the full path of the file in the "Configuration File Path" field of the service form. See "Service/Target form details".

      3) Restart the dispatcher service.

      4) Perform reconciliation.

      ==> Notes on the additional attributes configuration file:

      - The additional attributes configuration file (Office365-Attributes.properties) must be a list of comma-separated values.
      - Attribute names are case sensitive.
      - A warning message will be generated in the SDI log for attributes that can't be processed.
      - If you try to modify any additional attribute and the execution of the operation returns success, but the attribute is not actually modified at the target, verify that this attribute exists in the additional attributes configuration file and that the name matches the name given in the "Additional User Attributes" table.
      - If you update the contents of the configuration file, you must restart the dispatcher and perform a reconciliation.
      - Sample file data (you can provide the attributes in the file as shown below; attributes can be included or excluded as needed):

        additionalAttributes=createdDateTime,ageGroup,businessPhones,companyName,consentProvidedForMinor,creationType,employeeHireDate,employeeId,employeeType,legalAgeGroupClassification,lastPasswordChangeDateTime,onPremisesDistinguishedName,onPremisesDomainName,onPremisesLastSyncDateTime,onPremisesSamAccountName,onPremisesSecurityIdentifier,onPremisesSyncEnabled,onPremisesUserPrincipalName,passwordPolicies,preferredDataLocation,securityIdentifier,signInSessionsValidFromDateTime,manager,mailboxSettings,mailboxSettings_FULLSUPPORT,manager_FULLSUPPORT
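As an added example (not part of the adapter package or its code), the following Python script checks an Office365-Attributes.properties file against the rules above: the additionalAttributes key, comma-separated and case-sensitive names, and the SPO-license attributes that are not supported. It also warns when a _FULLSUPPORT entry is listed without its base attribute, which is an assumption of this example rather than a documented rule.

```python
import re
from typing import Dict, List, Tuple

# Added example, not the adapter's code: validate an Office365-Attributes.properties
# file the way an administrator would before restarting the dispatcher.
# The supported names are those in the sample file above; the SPO-license names
# are the ones these notes list as not included.

SUPPORTED_ADDITIONAL_ATTRIBUTES = frozenset({
    "createdDateTime", "ageGroup", "businessPhones", "companyName",
    "consentProvidedForMinor", "creationType", "employeeHireDate", "employeeId",
    "employeeType", "legalAgeGroupClassification", "lastPasswordChangeDateTime",
    "onPremisesDistinguishedName", "onPremisesDomainName",
    "onPremisesLastSyncDateTime", "onPremisesSamAccountName",
    "onPremisesSecurityIdentifier", "onPremisesSyncEnabled",
    "onPremisesUserPrincipalName", "passwordPolicies", "preferredDataLocation",
    "securityIdentifier", "signInSessionsValidFromDateTime", "manager",
    "mailboxSettings", "mailboxSettings_FULLSUPPORT", "manager_FULLSUPPORT",
})

SPO_LICENSE_ATTRIBUTES = frozenset({
    "aboutMe", "birthday", "hireDate", "interests", "mySite", "pastProjects",
    "preferredName", "responsibilities", "schools", "skills",
})

KEY = "additionalAttributes"
FULL_SUFFIX = "_FULLSUPPORT"


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, key=value or key:value,
    and trailing-backslash line continuation. Values keep their internal
    whitespace so stray spaces around commas remain visible to the caller."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def validate_additional_attributes(text: str) -> Tuple[List[str], List[str]]:
    """Return (accepted attribute names, warnings) for the additionalAttributes value."""
    props = parse_properties(text)
    if KEY not in props:
        return [], [f"missing '{KEY}' key"]
    lower_supported = {n.lower(): n for n in SUPPORTED_ADDITIONAL_ATTRIBUTES}
    lower_spo = {n.lower(): n for n in SPO_LICENSE_ATTRIBUTES}
    accepted: List[str] = []
    warnings: List[str] = []
    for name in (n.strip() for n in props[KEY].split(",")):
        if not name:                      # tolerate trailing or doubled commas
            continue
        if name in SUPPORTED_ADDITIONAL_ATTRIBUTES:
            if name in accepted:
                warnings.append(f"'{name}' is listed more than once")
            else:
                accepted.append(name)
        elif name.lower() in lower_spo:
            warnings.append(f"'{name}' requires an SPO license and is not supported")
        elif name.lower() in lower_supported:
            # Names are case sensitive: a near miss is silently ignored by the adapter.
            warnings.append(f"'{name}': names are case sensitive, did you mean "
                            f"'{lower_supported[name.lower()]}'?")
        else:
            warnings.append(f"'{name}' is not a supported additional attribute")
    # Assumption of this example: a *_FULLSUPPORT switch belongs with its base attribute.
    for name in accepted:
        if name.endswith(FULL_SUFFIX):
            base = name[: -len(FULL_SUFFIX)]
            if base not in accepted:
                warnings.append(f"'{name}' is set but '{base}' is not listed")
    return accepted, warnings


if __name__ == "__main__":
    # Constructed sample file with a stray space, a wrong-case name and an SPO attribute.
    sample = ("# constructed sample, not the shipped file\n"
              "additionalAttributes=companyName, employeeId,AboutMe,"
              "onpremisessamaccountname,mailboxSettings_FULLSUPPORT,\n")
    ok, warns = validate_additional_attributes(sample)
    print("accepted:", ok)
    for w in warns:
        print("warning:", w)
```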
 
      - On-premises attributes:
        1) onPremisesDistinguishedName: Contains the on-premises Active Directory distinguished name (DN).
        2) onPremisesDomainName: Contains the on-premises domain FQDN, also called dnsDomainName, synchronized from the on-premises directory.
        3) onPremisesLastSyncDateTime: Indicates the last time at which the object was synced with the on-premises directory.
        4) onPremisesSamAccountName: Contains the on-premises samAccountName synchronized from the on-premises directory.
        5) onPremisesSecurityIdentifier: Contains the on-premises security identifier (SID) for the user that was synchronized from on-premises to the cloud.
        6) onPremisesSyncEnabled: True if this user object is currently being synced from an on-premises Active Directory (AD). Otherwise the user isn't being synced and can be managed in Azure Active Directory.
        7) onPremisesUserPrincipalName: Contains the on-premises userPrincipalName synchronized from the on-premises directory.

      - ageGroup and consentProvidedForMinor are optional properties used by Azure AD administrators to help ensure that the use of an account is handled correctly based on the age-related regulatory rules governing the user's country or region.

      - The values of some attributes depend on other attributes, so after you update such attributes, perform a reconciliation to fetch the dependent attribute value.

        legalAgeGroupClassification: This property is read-only and is calculated from the ageGroup and consentProvidedForMinor properties.

        mailboxSettings cannot be created or deleted; it can only be read and modified.

        mailboxSettings: This property does not support full reconciliation.

        mailboxSettings_FULLSUPPORT: To enable full reconciliation of mailboxSettings, use this property in the additional attributes configuration file.

        manager: This property does not support full reconciliation.

        manager_FULLSUPPORT: To enable full reconciliation of manager, use this property in the additional attributes configuration file.

      - For the Sign-In Activity attributes (Last Interactive Sign In Date and Time, Request Identifier of the Last Interactive Sign In, Last Non Interactive Sign In Date and Time, Request Identifier of the Last Non Interactive Sign In): getting details for this property requires an Azure AD Premium P1/P2 license and the AuditLog.Read.All permission.

      - Note: In IBM Security Verify Identity Manager (ISIM), for the Employee Leave Date Time and Employee Hire Date Time attributes, if the date and time values are empty then by default the "never" check-box will be enabled.

      - The following attributes are not included because they require additional licenses, and a few are only in beta in the Graph API:

        aboutMe - requires an SPO license.
        birthday - requires an SPO license.
        hireDate - requires an SPO license.
        interests - requires an SPO license.
        mySite - requires an SPO license.
        pastProjects - requires an SPO license.
        preferredName - requires an SPO license.
        responsibilities - requires an SPO license.
        schools - requires an SPO license.
        skills - requires an SPO license.
        showInAddressList - Do not use in Microsoft Graph. Manage this property through the Microsoft 365 admin centre instead.

      ==> Steps to update the design form in IGI:

      - Select Access Governance Core > Manage > Account Configuration.
      - Select the Office365 adapter account you created.
      - Select Target Attributes > Action > Discover Attributes from Target, and select only the attributes you want to process (only those attributes will be processed; this applies to additional attributes only).
      - Set Editable to false for read-only attributes.
      - Click Save.
      - Make sure to include this list of attributes in the additional attributes file.

      ==> Steps to update the design form in ISIM:

      - Select Configure System > Design Forms.
      - Configure the form and include the additional attributes that you want, and/or remove unneeded attributes (Account > Office365 Account > $ero365additionaldetails).
      - Click Save.
      - Make sure to include this list of attributes in the additional attributes file.

Installing in an IBM Security Verify Directory Dispatcher Container

Before you begin

The steps to install the adapter and related files into the container can be performed using the adapterUtil.sh script, which is shipped with the dispatcher package. This script should be staged on the machine running the Kubernetes CLI. The adapterUtil.sh script is also available in the bin directory of the IBM Security Verify Governance Identity Manager (ISIM) Container Starter Kit installation directory (if ISVDI was selected for installation during the ISIM container installation steps).

If, for any reason, the adapterUtil.sh script cannot be executed or used, the manual instructions below must be followed to copy the files to the persistent volume.

Note: The container must be restarted after installing or uninstalling the adapter and after any change to the configuration yaml. To activate changes and restart the container, run the following commands:

·       <path_to_starterkit>/bin/createConfigs.sh isvdi

·       For an OpenShift container:   oc -n isvgim rollout restart deployment isvdi

·       For a Kubernetes container: kubectl -n isvgim rollout restart deployment isvdi

 

Note: This document only describes the adapterUtil.sh command options that are required to install this adapter. For other command options, such as listing installed connectors and 3rd party jars, please refer to the Dispatcher10 Installation and Configuration Guide.

Installing / Upgrading / Re-installing / Downgrading the adapter

Using Script

Use the command below to install / upgrade / re-install / downgrade the adapter:

/path/to/adapterUtil.sh -loadAdapter "/path/to/Adapter-Office365-*.zip" accept

Where /path/to/adapterUtil.sh is the location where the adapterUtil.sh script is installed and /path/to/Adapter-Office365-*.zip is the location where the adapter zip file is staged on the machine running the Kubernetes CLI.

Manually copying files to Persistent Volume

Copy the files to the persistent volume mapped to the /opt/IBM/svgadapters directory of the container image as per the given directory structure:

Microsoft365Connector.jar

Copy this file to the <Persistent_Volume>/jars/connectors directory. 

ILMT-Tags

Copy below files to the <Persistent_Volume>/swidtag directory:

 

ibm.com_IBM_Security_Verify_Governance_Application_Adapters-10.0.2.swidtag

ibm.com_IBM_Security_Verify_Governance_Enterprise-10.0.2.swidtag 

 

Office365-Attributes.properties

Copy this file to the <Persistent_Volume>/timsol/properties directory.

 

Copying 3rd party libraries:

Using Script

Use the below command to copy the 3rd party jars:

 

/path/to/adapterUtil.sh -copyToPatches "/path/to/httpclient-*.jar"

/path/to/adapterUtil.sh -copyToPatches "/path/to/httpcore-*.jar"

/path/to/adapterUtil.sh -copyToPatches "/path/to/commons-logging-*.jar"

 

This command will copy the 3rd party jars to the <Persistent_Volume>/jars/patches directory.

 

Manually copying files to the Persistent Volume

Copy the 3rd party jar files below to the <Persistent_Volume>/jars/patches directory (refer to the Supported Configurations section of these release notes for the supported jar versions):

 

httpclient-*.jar

httpcore-*.jar

commons-logging-*.jar 

Configuring the SSL connection between the IBM Security Verify Directory Integrator Container and the Office 365 Target

 

Refer to the https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#keyfile_trusted-certificates page of the SVDI documentation.

 

If the config.yaml file which is used as the YAML_CONFIG_FILE environment variable for the container doesn't have a trusted-certificates element, follow the instructions that are provided in https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#keyfile_trusted-certificates to add a trusted-certificates section to the config.yaml file.

 

To add a trusted-certificates element (if it does not exist in the current configuration) to the config.yaml file which is used as the parameter for the YAML_CONFIG_FILE environment variable of the container, download the DigiCert Global Root CA and DigiCert Global Root G2 certificates in DER/CRT format from https://www.digicert.com/kb/digicert-root-certificates.htm and place the certificates in the certs directory of the config volume which contains the config.yaml file. The default location for this config volume is /opt/IBM/dispatcher/config.

 

Provide this path of the certificate in config.yaml file as shown in the example below:

 

keyfile:
  trusted-certificates:
    - '@/opt/IBM/dispatcher/config/certs/DigiCertGlobalRootG2.crt'
    - '@/opt/IBM/dispatcher/config/certs/DigiCertGlobalRootCA.crt'

 

Enabling TLS 1.2

Refer to the https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#advanced page of the SVDI documentation to add an advanced configuration element (if it does not exist in the current configuration) to the config.yaml file which is used as the parameter for the YAML_CONFIG_FILE environment variable of the container.

 

If the config.yaml file which is used as the YAML_CONFIG_FILE environment variable for the container doesn't have an advanced configuration element, follow the instructions that are provided in https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#advanced to add an advanced configuration section to the config.yaml file.

 

To enable TLSv1.2, add the following two attr/value key pairs (as described in the SVDI guide):

 

- attr: com.ibm.di.SSLProtocols
  value: 'TLSv1.2'
- attr: com.ibm.di.SSLServerProtocols
  value: 'TLSv1.2'

 

Enabling debug logs and disabling json-logging

If the config.yaml file which is used as the YAML_CONFIG_FILE environment variable for the container doesn't have root-level and json-logging configuration elements, follow the instructions that are provided in https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#general_logging to add the root-level and json-logging configuration elements to the config.yaml file.

 

Refer to the https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#general_logging page of the SVDI documentation to add root-level and json-logging configuration elements (if they do not exist in the current configuration) to the config.yaml file which is used as the parameter for the YAML_CONFIG_FILE environment variable of the container.

To enable debug logs, set the value of root-level to debug. To disable JSON logging, set the value of the json-logging element to false.

 

Uninstalling the adapter

Using Script

Use the below command to remove the adapter:

 

/path/to/adapterUtil.sh -removeAdapter Adapter-Office365

 

Manually removing files from the Persistent Volume

Remove files from the given directory structure of the persistent volume mapped to the /opt/IBM/svgadapters directory of the container image.

Note: Some 3rd party jars and ILMT-Tags files might be common with other installed adapters, and hence should not be removed while uninstalling this adapter:

Microsoft365Connector.jar

Remove this file from <Persistent_Volume>/jars/connectors directory.

ILMT-Tags

Remove below files from <Persistent_Volume>/swidtag directory:

 

ibm.com_IBM_Security_Verify_Governance_Application_Adapters-10.0.2.swidtag

ibm.com_IBM_Security_Verify_Governance_Enterprise-10.0.2.swidtag

 

3rd party jars

Remove the appropriate version of the 3rd party jar files used by this adapter as listed below from the <Persistent_Volume>/jars/patches directory:

 

httpclient-*.jar

httpcore-*.jar

commons-logging-*.jar

 

Office365-Attributes.properties

Remove this file from the <Persistent_Volume>/timsol/properties directory.


Chapter 4: Upgrading

             Upgrading the adapter binaries or connector

                            Take a backup of the adapter binaries or connector

                                         Procedure:

                                         If O365Connector.jar exists, take a backup of it: <SDI-HOME>/jars/connectors/O365Connector.jar

                                         If Microsoft365Connector.jar exists, take a backup of it: <SDI-HOME>/jars/connectors/Microsoft365Connector.jar

                                         Only one of O365Connector.jar or Microsoft365Connector.jar will be present in the <SDI-HOME>/jars/connectors/ directory.

                          Note: Stop the dispatcher service before upgrading the connector and start it again after the upgrade is complete.

                            Upgrade the adapter binaries or connector

                                         Procedure:

                                         Delete O365Connector.jar and copy (or replace) Microsoft365Connector.jar from the adapter package into the <SDI-HOME>/jars/connectors directory.

             Upgrading the adapter profile

                          Read the adapter Release Notes for any specific instructions before you import a new adapter profile.

                          The Office365Profile.jar is included in the Microsoft Office 365 Adapter distribution package.

                           Upgrading the AzureAD-Attributes.properties file

           The properties file is updated for additional attributes. Additional attributes of the Azure Adapter must be listed under the additionalAttributes key as shown below:

additionalAttributes=createdDateTime,ageGroup,businessPhones,companyName,consentProvidedForMinor,creationType,employeeHireDate,employeeId,employeeType,legalAgeGroupClassification,lastPasswordChangeDateTime,onPremisesDistinguishedName,onPremisesDomainName,onPremisesLastSyncDateTime,onPremisesSamAccountName,onPremisesSecurityIdentifier,onPremisesSyncEnabled,onPremisesUserPrincipalName,passwordPolicies,preferredDataLocation,securityIdentifier,signInSessionsValidFromDateTime,manager,mailboxSettings,mailboxSettings_FULLSUPPORT,manager_FULLSUPPORT

         The properties file is located at: <SDI_Solution_Directory>\properties\Office365-Attributes.properties

            Note: Restart the Dispatcher service after importing the profile, connector jar or properties file. Restarting the Dispatcher clears the assembly lines cache and ensures that the dispatcher runs the assembly lines from the updated adapter profile.
The AzureAD (from v10.0.11) and O365 (from v10.0.9) adapters use a single combined Microsoft365Connector.jar implementation.

 

Chapter 5: Configuring

             No updates for the current release 

Chapter 6: Troubleshooting

             Enabling DEBUG Logs on SDI Server

                          Procedure:

1.     Stop the SDI Server process

                          Pre-7.2.0-ISS-SDI-FP0008

                          2. Edit <SDI_Solution_Directory>/etc/log4j.properties

                          3. Modify the following line:

                                      log4j.rootCategory=INFO, Default

                                      to

                                      log4j.rootCategory=DEBUG, Default

                          Post-7.2.0-ISS-SDI-FP0008

                          2. Edit <SDI_HOME_Directory>/etc/log4j2.xml

                          3. Modify the following line:

                                      <Root level="info">

                                      to

                                      <Root level="debug">

                          Post-7.2.0-ISS-SDI-FP0011

                          4. To enable the TCB block in the debug output:

                          5. Append the line com.ibm.di.logging.close=false to the <SDI_HOME_Directory>/etc/global.properties file.

                          6. Start the SDI Server process

                          7. Re-create the problem and collect <SDI_Solution_Dir>/logs/ibmdi.log

 

 

Error messages and problem solving

                        Table 2. Invalid group attribute value combinations and their error messages.

1.     The Mail Nick Name has to be unique for Microsoft 365 type groups.

2.     The adapter supports Distribution and Mail-Enabled Security groups as read-only.

groupType     | visibility       | isAssignableToRole | securityEnabled | ResponseCode | Error
--------------|------------------|--------------------|-----------------|--------------|------
Security      | Public           | true               | true            | 400          | Visibility can only be set to Private for groups assignable to role.
Security      | HiddenMembership | true               | true            | 400          | Visibility can only be set to Private for groups assignable to role.
Security      | HiddenMembership |                    | true            | 400          | HiddenMembership is only supported on Unified groups.
Security      | Private          | false              | false           | 400          | 'The service does not currently support writes of mail-enabled groups. Please ensure that the mail-enablement property is unset and the security-enablement property is set.'
Microsoft 365 | HiddenMembership | true               | true            | 400          | HiddenMembership cannot be set on security enabled groups.
Microsoft 365 | Public           | true               | true            | 400          | Visibility can only be set to Private for groups assignable to role.
Microsoft 365 | Private          |                    | false           | 400          | SecurityEnabled should be set to true for groups assignable to role.


Chapter 7: Reference
           (Please make the following updates to the tables in the section "Adapter Attributes and Object classes".)
            - Rename the table name "Table 1. Supported user attributes" to "Table 1. Default User Attributes".

            - Make a new table for the section "Adapter Attributes and Object classes" with the table name "Table 2. Additional User Attributes".
           

IBM Security Verify Governance Identity Manager name | Attribute name in schema | Attribute name in Target | Data Type | Attribute Type
-----------------------------------------------------|--------------------------|--------------------------|-----------|---------------
User Creation Date and Time | ero365createddatetime | createdDateTime | String | Read Only
Age Group | ero365agegroup | ageGroup | String | Read Write
Business Phone | ero365businessphones | businessPhones | String | Read Write
Company Name | ero365companyname | companyName | String | Read Write
Consent Provider for Minor | ero365consentproviderforminor | consentProvidedForMinor | String | Read Write
User Creation Type | ero365creationtype | creationType | String | Read Only
Employee Hire Date | ero365employeehiredate | employeeHireDate | String | Read Write
Employee Id | ero365employeeid | employeeId | String | Read Write
Employee Type | ero365employeetype | employeeType | String | Read Write
Legal Age Group Classification of User | ero365legalagegroupclassification | legalAgeGroupClassification | String | Read Only
Last Password Change Date Time Of User | ero365lastpasswordchangedatetime | lastPasswordChangeDateTime | String | Read Only
On Premises Active Directory Distinguished Name | ero365onpremisesdistiguishedname | onPremisesDistinguishedName | String | Read Only
On Premises DomainFQDN / DnsDomainName | ero365onpremisesdomainname | onPremisesDomainName | String | Read Only
On Premises Last Sync Date Time | ero365onpremiseslastsyncdatetime | onPremisesLastSyncDateTime | String | Read Only
samAccountName Synchronized From On Premises Directory | ero365onpremisessamaccountname | onPremisesSamAccountName | String | Read Only
On Premises Security Identifier (SID) | ero365onpremisessecurityidentifier | onPremisesSecurityIdentifier | String | Read Only
On Premises Sync Enabled | ero365onpremisessyncenabled | onPremisesSyncEnabled | String | Read Only
On Premises User Principal Name | ero365onpremisesuserprincipalname | onPremisesUserPrincipalName | String | Read Only
Security Identifier (Sid) Of The User | ero365securityidentifier | securityIdentifier | String | Read Only
Sessions Valid From Date and Time | ero365signinsessionvalidfromdate | signInSessionsValidFromDateTime | String | Read Only
Preferred Data Location | ero365preferreddatalocation | preferredDataLocation | String | Read Only
Password Policies | ero365passwordpolicies | passwordPolicies | String | Read Write
Proxy Addresses | ero365proxyaddresses | proxyAddresses | String | Read Only
IM Addresses | ero365imaddresses | imAddresses | String | Read Only
Provisioned Plans | ero365assignedplans | provisionedPlans | String | Read Only
License Assignment States | ero365licenseassignmentstates | licenseAssignmentStates | String | Read Only
Assigned Plans | ero365provisionedplans | assignedPlans | String | Read Only
Date Time Of User Deletion | ero365deleteddatetime | deletedDateTime | String | Read Only
On-Premises Provisioning Errors | ero365onpremisesprovisioningerrors | onPremisesProvisioningErrors | String | Read Only
Last Interactive Sign In Date and Time | ero365lastsignindatetime | lastSignInDateTime | String | Read Only
Request Identifier of the Last Interactive Sign In | ero365lastsigninrequestid | lastSignInRequestId | String | Read Only
Last Non Interactive Sign In Date and Time | ero365lastnoninteractivesignindatetime | lastNonInteractiveSignInDateTime | String | Read Only
Request Identifier of the Last Non Interactive Sign In | ero365lastnoninteractivesigninrequestid | lastNonInteractiveSignInRequestId | String | Read Only
Division | ero365division | division | String | Read Write
Cost Center | ero365costcenter | costCenter | String | Read Write
Refresh Tokens Valid From Date Time | ero365refreshtokensvalidfromdatetime | refreshTokensValidFromDateTime | String | Read Only
Employee Leave Date Time | ero365employeeleavedatetime | employeeLeaveDateTime | String | Read Write
Identities | ero365identities | identities | String | Read Write
Manager | ero365manager | manager | String | Read Write

 
          - Note: Any identity value in the identities attribute can be deleted except the userPrincipalName identity.
          - Note: To enter Identities in ISVG / ISVG Identity Manager, use the following syntax:

          `` a|b|c ``
          a = Issuer
          b = SignIn Type
          c = Issuer Assigned ID
          Example: contoso.onmicrosoft.com|federated|username@contoso.com
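The a|b|c syntax above and the rule that the userPrincipalName identity cannot be deleted are easy to get wrong when values are entered by hand. The following Python is an added example, not the adapter's own code: it parses and validates values in that syntax, renders them as Microsoft Graph objectIdentity objects (the signInType, issuer and issuerAssignedId field names are Graph's, not the page's) and refuses to drop the userPrincipalName identity. The sample values are constructed.

```python
"""Parse, validate and render Office 365 adapter 'identities' values.

Added example, not the adapter's own code. The a|b|c syntax and the
userPrincipalName deletion rule come from the release notes; the target-side
field names (signInType, issuer, issuerAssignedId) are those of the Microsoft
Graph objectIdentity resource.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    issuer: str              # a: Issuer, e.g. contoso.onmicrosoft.com
    sign_in_type: str        # b: SignIn Type, e.g. federated or userPrincipalName
    issuer_assigned_id: str  # c: Issuer Assigned ID, e.g. username@contoso.com

    def to_graph(self) -> dict:
        """Render as a Graph objectIdentity object for the PATCH body."""
        return {"signInType": self.sign_in_type, "issuer": self.issuer,
                "issuerAssignedId": self.issuer_assigned_id}

    def to_adapter(self) -> str:
        """Render back into the a|b|c form entered in ISVG Identity Manager."""
        return f"{self.issuer}|{self.sign_in_type}|{self.issuer_assigned_id}"


def parse_identity(value: str) -> Identity:
    """Parse 'Issuer|SignIn Type|Issuer Assigned ID'; reject anything else."""
    parts = [p.strip() for p in value.split("|")]
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected 'issuer|signInType|issuerAssignedId', got {value!r}")
    return Identity(*parts)


def is_valid_identity(value: str) -> bool:
    """True when the value follows the a|b|c syntax."""
    try:
        parse_identity(value)
        return True
    except ValueError:
        return False


def can_delete(identity: Identity) -> bool:
    """Every identity may be deleted except the userPrincipalName one."""
    return identity.sign_in_type != "userPrincipalName"


def remove_identity(identities: list, value: str) -> list:
    """Return the list without the identity written as a|b|c.

    Refuses the userPrincipalName identity and any value not present on the
    user, so a typo cannot silently turn into a no-op.
    """
    target = parse_identity(value)
    if not can_delete(target):
        raise ValueError("the userPrincipalName identity cannot be deleted")
    if target not in identities:
        raise ValueError(f"identity not present on the user: {value}")
    return [i for i in identities if i != target]


# Constructed sample values; the second one is the release notes' example.
SAMPLE_IDENTITIES = [
    "contoso.onmicrosoft.com|userPrincipalName|jdoe@contoso.onmicrosoft.com",
    "contoso.onmicrosoft.com|federated|username@contoso.com",
]


def main() -> None:
    ids = [parse_identity(v) for v in SAMPLE_IDENTITIES]
    print({"identities": [i.to_graph() for i in ids]})
    print([i.to_adapter() for i in remove_identity(ids, SAMPLE_IDENTITIES[1])])


if __name__ == "__main__":
    main()
```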


            - Make a new table for the section "Adapter Attributes and Object classes" with the table name "Table. MailboxSettings Attributes".

IBM Security Verify Governance Identity Manager name | Attribute name in schema | Attribute name in Target | Data Type | Attribute Type
-----------------------------------------------------|--------------------------|--------------------------|-----------|---------------
Archive Folder | ero365archivefolder | archivefolder | String | Read Only
Delegate Meeting Message Delivery Option | ero365delegatemeetmsgdelopt | delegateMeetingMessageDeliveryOptions | String | Read Write
Date Format | ero365dateformat | dateFormat | String | Read Write
Time Format | ero365timeformat | timeFormat | String | Read Write
Time Zone | ero365timezone | timeZone | String | Read Write
Status of Automatic Replies | ero365status | automaticRepliesSetting : status | String | Read Write
External Audience of Automatic Replies | ero365externalaudience | automaticRepliesSetting : externalAudience | String | Read Write
Internal Automatic Reply Message | ero365internalreplymsg | automaticRepliesSetting : internalReplyMessage | String | Read Write
External Automatic Reply Message | ero365externalreplymsg | automaticRepliesSetting : externalReplyMessage | String | Read Write
Scheduled Automatic Replies Start DateTime | ero365startdatetime | externalReplyMessage : scheduledStartDateTime : dateTime | String | Read Write
Scheduled Automatic Replies Start Date Time Zone | ero365starttimezone | externalReplyMessage : scheduledStartDateTime : timeZone | String | Read Write
Scheduled Automatic Replies End DateTime | ero365endtdatetime | externalReplyMessage : scheduledEndDateTime : dateTime | String | Read Write
Scheduled Automatic Replies End Date Time Zone | ero365endtimezone | externalReplyMessage : scheduledEndDateTime : timeZone | String | Read Write
User Purpose | ero365userpurpose | user : purpose | String | Read Only
Locale of Language | ero365locale | language : locale | String | Read Write
Days of Week of Working Hours | ero365daysofweek | workingHours : daysOfWeek | String | Read Write
Start Time of Working Hours | ero365starttime | workingHours : startTime | String | Read Write
End Time of Working Hours | ero365endtime | workingHours : endTime | String | Read Write
Time Zone of Working Hours | ero365workingname | workingHours : timeZone : name | String | Read Write

            - Note: In mailboxSettings, some attributes such as the time zone and the locale of language take time to be reflected from Azure after modification.

 

 

          

            - Rename the table name "Table 2. Supported group attributes" to "Table 3. Default Group Attributes" and update it as below. For more details about groups, refer to the group resource type.

           (Please make the updates to the tables below for the section "Adapter Attributes and Object classes".)

 

IBM Security Verify Governance Identity Manager name | Attribute name in schema | Attribute name in Target | Data Type
-----------------------------------------------------|--------------------------|--------------------------|----------
Group Id | ero365groupoid | id | String
Group Name | ero365groupdisplayname | displayName#id (combination of displayName and id) | String
Group Description | ero365groupdesc | description | String
Group Mail Nick Name | ero365grpmailnick | mailNickName | String
Group Security Enabled | ero365grpsecurityenabled | securityEnabled | String
Group Type | ero365grptype | (derived from the values of securityEnabled, mailEnabled and types) | String
Group Membership | ero365grpmembertype | (see note 1 below) | String
Group Visibility | ero365grpvisibility | visibility | String
Group Is Assignable to Role | ero365grpassgntorole | isAssignableToRole | String

 

          The adapter derives Group Type from the types, mailEnabled and securityEnabled attributes of the Graph API as shown below. Reference: Working with groups in Microsoft Graph.

 

Group Type | types | mailEnabled | securityEnabled | Created and managed via the groups APIs
-----------|-------|-------------|-----------------|----------------------------------------
Microsoft 365 Group [can also be called Unified] | ["Unified"] | True | True/False | Yes
Security Group | [] | False | True | Yes
Mail-Enabled Security Group | [] | True | True | No, read-only through the adapter
Distribution Group | [] | True | False | No, read-only through the adapter

 

1.     If the types collection includes DynamicMembership, Group Membership is displayed as Dynamic Membership; otherwise it is displayed as Static Membership. The adapter supports Static Membership only.

2.     HiddenMembership visibility is only supported for Microsoft 365 type groups with securityEnabled false.

3.     IsAssignableToRole = True only supports Private or HiddenMembership visibility.

4.     The adapter cannot assign a role to the group; it can only set the isAssignableToRole property.

5.     IsAssignableToRole: Only callers with at least the Privileged Role Administrator role can set this property. The caller must also be assigned the RoleManagement.ReadWrite.Directory permission to set this property or update the membership of such groups. Using this feature requires a Microsoft Entra ID P1 license.

6.     To manage groups, the adapter requires the Group.ReadWrite.All and Directory.ReadWrite.All permissions.

7.     The following conditions apply for apps to delete role-assignable groups:

·       For delegated scenarios, the app must be assigned the RoleManagement.ReadWrite.Directory delegated permission, and the calling user must be the creator of the group or be assigned at least the Privileged Role Administrator Microsoft Entra role.

·       For app-only scenarios, the calling app must be the owner of the group or be assigned the RoleManagement.ReadWrite.Directory application permission or be assigned at least the Privileged Role Administrator Microsoft Entra role.

 

 

      Table 4. Valid Group Create/Update values with properties in the adapter.

GroupType | IsAssignableToRole | SecurityEnabled | Visibility
----------|--------------------|-----------------|-----------
Security Group | True | True | Private
Security Group | False | True | Public
Microsoft 365 Group [can also be called Unified] | True | True | Private
Microsoft 365 Group [can also be called Unified] | True | False | Private / HiddenMembership
Microsoft 365 Group [can also be called Unified] | False | False | Public / Private / HiddenMembership
Microsoft 365 Group [can also be called Unified] | False | True | Public / Private
Mail-Enabled Security Group | - | - | -
Distribution Group | - | - | -

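The group-type table, note 1 on DynamicMembership, and Tables 2 and 4 together describe how the adapter classifies a Graph group and which attribute combinations the target rejects. The following Python is an added example, not the adapter's own code: it classifies constructed Graph group records (using Graph's groupTypes, mailEnabled, securityEnabled, displayName and id properties), builds the displayName#id value of ero365groupdisplayname, and reproduces the Table 2 responses as a pre-flight check before a create or update is sent. Because Table 2 reports an error for IsAssignableToRole true with SecurityEnabled false, that Table 4 row is rejected here as well; the group ids are placeholders.

```python
"""Classify Microsoft Graph groups and pre-check create/update combinations.

Added example, not the adapter's own code. It encodes the release notes'
group-type table (types / mailEnabled / securityEnabled), note 1 on
DynamicMembership, the displayName#id naming of ero365groupdisplayname and
the Table 2 error responses. Field names are Microsoft Graph group
properties (groupTypes, mailEnabled, securityEnabled, displayName, id).
"""
from typing import Optional

UNIFIED = "Unified"
DYNAMIC = "DynamicMembership"
WRITABLE_TYPES = ("Security Group", "Microsoft 365 Group")


def group_type(group: dict) -> str:
    """Map Graph fields to the adapter's Group Type names (group-type table)."""
    types = group.get("groupTypes", [])
    mail = bool(group.get("mailEnabled"))
    sec = bool(group.get("securityEnabled"))
    if UNIFIED in types:            # Unified: mailEnabled True, securityEnabled either
        return "Microsoft 365 Group"
    if sec and not mail:
        return "Security Group"
    if sec and mail:
        return "Mail-Enabled Security Group"
    if mail:
        return "Distribution Group"
    raise ValueError("group is neither mail-enabled nor security-enabled")


def membership(group: dict) -> str:
    """Note 1: DynamicMembership in the types collection means a dynamic group."""
    return "Dynamic Membership" if DYNAMIC in group.get("groupTypes", []) else "Static Membership"


def adapter_group_name(group: dict) -> str:
    """ero365groupdisplayname is the combination displayName#id."""
    return f"{group['displayName']}#{group['id']}"


def adapter_can_write(group: dict) -> bool:
    """Only static Security and Microsoft 365 groups are writable; mail-enabled
    security groups, distribution groups and dynamic groups are read-only."""
    return group_type(group) in WRITABLE_TYPES and membership(group) == "Static Membership"


def precheck(group_type_name: str, visibility: str,
             assignable_to_role: bool, security_enabled: bool) -> Optional[str]:
    """Return the Table 2 error text for an invalid combination, else None.

    group_type_name is "Security" or "Microsoft 365" as in Table 2. The checks
    are ordered so that every Table 2 row yields the message the target
    returned for it: for Microsoft 365 groups the HiddenMembership check runs
    before the role/visibility check, for Security groups after it.
    """
    if group_type_name == "Security" and not security_enabled:
        return ("The service does not currently support writes of mail-enabled groups. "
                "Please ensure that the mail-enablement property is unset and the "
                "security-enablement property is set.")
    if assignable_to_role and not security_enabled:
        return "SecurityEnabled should be set to true for groups assignable to role."
    if group_type_name == "Microsoft 365" and visibility == "HiddenMembership" and security_enabled:
        return "HiddenMembership cannot be set on security enabled groups."
    if assignable_to_role and visibility != "Private":
        return "Visibility can only be set to Private for groups assignable to role."
    if group_type_name == "Security" and visibility == "HiddenMembership":
        return "HiddenMembership is only supported on Unified groups."
    return None


# Constructed sample of the fields a Graph GET /groups/{id} returns; ids are placeholders.
SAMPLE_GROUPS = [
    {"id": "00000000-0000-0000-0000-000000000001", "displayName": "Finance",
     "groupTypes": ["Unified"], "mailEnabled": True, "securityEnabled": False},
    {"id": "00000000-0000-0000-0000-000000000002", "displayName": "VPN-Users",
     "groupTypes": [], "mailEnabled": False, "securityEnabled": True},
    {"id": "00000000-0000-0000-0000-000000000003", "displayName": "All-Staff",
     "groupTypes": ["Unified", "DynamicMembership"], "mailEnabled": True, "securityEnabled": False},
    {"id": "00000000-0000-0000-0000-000000000004", "displayName": "Announcements",
     "groupTypes": [], "mailEnabled": True, "securityEnabled": False},
]


def main() -> None:
    for g in SAMPLE_GROUPS:
        print(f"{adapter_group_name(g)}: {group_type(g)}, {membership(g)}, "
              f"writable={adapter_can_write(g)}")
    # Table 2 row: a role-assignable Security group cannot be Public.
    print(precheck("Security", "Public", True, True))


if __name__ == "__main__":
    main()
```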

 - Make a new table for the section "Adapter Attributes and Object classes" with the table name "Table 5. Supported On-premise Group Attributes".

IBM Security Verify Governance Identity Manager name | Attribute name in schema | Attribute name in Target | Data Type
-----------------------------------------------------|--------------------------|--------------------------|----------
On-premises Group Domain Name | ero365grponpremisesdomainname | onPremisesDomainName | String
On-premises Last Sync Date and Time | ero365grponpremiseslastsyncdatetime | onPremisesLastSyncDateTime | String
On-premises SamAccount Name | ero365grponpremisessamaccountname | onPremisesSamAccountName | String
On-premises Security Identifier | ero365grponpremisessecurityidentifier | onPremisesSecurityIdentifier | String
On-premises SyncEnabled Status | ero365grponpremisessyncenabled | onPremisesSyncEnabled | String
On-premises NetBiosName | ero365grponpremisesnetbiosname | onPremisesNetBiosName | String

 

            - Rename the table name "Table 3. Supported object classes" to "Table 6. Supported Object Classes".

            - Make a new table for the section "Adapter Attributes and Object classes" with the table name "Table 7. Default GuestUser Attributes".
            Also add the paragraph written below after the table.

IBM Security Verify Governance Identity Manager name | Attribute name in schema | Attribute name in Target | Data Type
-----------------------------------------------------|--------------------------|--------------------------|----------
User Type | ero365usertype | userType | String
External User State change Date and Time | ero365statechangedatetime | stateChangeDateTime | String
Guest Invitation Status | ero365gueststatus | guestStatus | String
Identities | ero365identities | identities | String

 For more information regarding the usage of attributes that are related to inviting and/or creating guest accounts, refer to "Adapter attributes by operations".

 

              

         - Adapter attributes by operations

           Add the following to the "Adapter attributes by operations" section:

           Guest User attributes

         The following tables show the attributes and object classes that are supported by the Azure Active Directory Adapter for creating a guest account.
        - Make a new table for the section "Guest User attributes" with the table name "Table 1. Additional GuestUser Attributes".
            Also add the paragraph written below after the table.

 

IBM Security Verify Governance Identity Manager name | Attribute name in schema | Attribute name in Target | Data Type | Required
-----------------------------------------------------|--------------------------|--------------------------|-----------|---------
User Type | ero365usertype | userType | String | Yes
External User State change Date and Time | ero365statechangedatetime | stateChangeDateTime | String | No (Read Only)
Guest Invitation Status | ero365gueststatus | guestStatus | String | No (Read Only)
Guest Redirect Url | ero365redirecturl | redirectUrl | String | Yes
Send Guest Invitation Mail | ero365sendinvitation | sendInvitation | Boolean | No
Reset Redemption | ero365resetredemption | resetRedemption | Boolean | No
Guest Redeem URL | ero365redeemurl | redeemUrl | Boolean | No
Redemption Email | ero365redemptionmail | redemptionMail | String | Yes (only in case of Reset Redemption)
Custom Message Body | ero365custommessage | customMessageBody | String | No
Mail | ero365mail | mail | String | Yes
CC Recipient Mail Address | ero365ccrecipientmail | ccRecipientMail | String | No
Preferred Message Language | ero365prefmessagelang | preferredMessageLanguage | String | No
Identities | ero365identities | identities | String | No

         

 
           Info: The following operations are supported by the adapter for guest accounts.
          - Creation of guest accounts through invitation.
          - Modify, suspend, restore and delete guest user accounts.
          - Resend the invitation to guest user accounts.
          - Reset the redemption of guest user accounts.

Note: In the case of Reset Redemption, the Redemption Email must match one of the e-mail addresses on the user object. If an e-mail address that does not yet exist in AzureAD for this user is specified as the redemption e-mail address in ISVG / ISVG Identity Manager for the reset redemption operation and the response shows "Account is modified, reset redemption is unsuccessful", retry after a few minutes, starting with a filter reconciliation, and recheck that the new redemption e-mail matches one of the addresses in the otherMails attribute.

For more details on requesting and maintaining guest accounts, see https://learn.microsoft.com/en-us/azure/active-directory/external-identities/user-properties and https://learn.microsoft.com/en-us/azure/active-directory/external-identities/reset-redemption-status

 

Supported Configurations

Installation Platform

The IBM Security Verify Governance Adapter for Office 365 was built and tested on the following product versions.

Adapter Installation Platform: 

Due to continuous Java security updates that may be applied to your IBM Security Verify Governance server and IBM Security Verify Governance Identity Manager server, the following SDI releases are the officially supported versions:

Note:  Earlier SDI supported versions may function properly, however to resolve any communication errors, you must upgrade your SDI releases to the officially supported versions.

 

Managed Resource: 

Office 365 supported HTTP Client component:

 -        Apache HTTP Component Client

3rd Party Client Libraries:

        httpclient-4.5.14.jar
        Download httpclient-4.5.14.jar from https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient/4.5.14

        httpcore-4.4.16.jar
        Download httpcore-4.4.16.jar from https://mvnrepository.com/artifact/org.apache.httpcomponents/httpcore/4.4.16

        commons-logging-1.2.jar
        Download commons-logging-1.2.jar from https://mvnrepository.com/artifact/commons-logging/commons-logging/1.2

Supported IBM Security Verify Governance servers

-         IBM Security Verify Governance Identity Manager v10.0*

-         IBM Security Verify Governance v10.0

* Unless this document specifies a specific fix pack version of ISVG Identity Manager v10, we expect the adapter to work with ISIM 6 as well. However, it will only be debugged and fixed from the perspective of ISVG-IM v10.

 

Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

 

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY  10504-1785 U.S.A.

 

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

 

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan

 

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:

IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.

 

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at
www.ibm.com/legal/copytrade.shtml.

Microsoft, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.