HOW TO: Resolve case sensitive global users for OIA

Typically, OIA would use the global user import will use the Username as the authoritative information for that identity. Based on different scenarios, OIA will treat this in a different manner.
February 8, 2013
OIA-11g

Scenario One: Import 1 user
Scenario Two: Import 1 user though surname changes
Scenario Three: Import 2 users
Scenario Four: Import 1 user, then another user (non-case sensitive UN)
Scenario Five: Import 1 user, then another user (case sensitive UN)


Scenario One: Import 1 user

Username: C000020
Name: Daniel Redfern

You will find when you import the user, and the user does not exist within the globaluser table, it will create an identity as normal. If you import the same user and nothing has changes, OIA will acknowledge the existing user and will reframe from creating a new one


Scenario Two: Import 1 user though surname changes

You import the data feed, though the user gets married. (Daniel Redfern marries and is now called Daniel Rogers) If you import a new identity data feed this time, with the surname being the only data that changed, OIA will acknowledge that and simply update the surname, still with only 1 globaluser account.


Scenario Three: Import 2 users

Username: C000020
Name: Daniel Redfern

Username: c000020
Name: David Rogers

This is where the ruling changes, because if you import 2 users, both with the same username though different because it's case sensitive, OIA will treat the last user within the globaluser feed and only create one identity within globalusers table.


Scenario Four: Import 1 user, then another user (non-case sensitive UN)

Username: C000020
Name: Daniel Redfern

Username: C000020
Name: David Rogers

Same scenario as #3, though this time the globaluser data is separated into two file. If you import the file one first with Daniel Redfern in, it will create the globaluser. If you then import the second feed, which contains only David Rogers with the same username, it will simply update the 'Daniel Redfern' globaluser (thinking this person has changed personal information


Scenario Five: Import 1 user, then another user (case sensitive UN)

https://technicalconfessions.com/images/postimages/postimages/_143_6_globaluser case sentitive.png

Username: C000020
Name: Daniel Redfern

Username: c000020
Name: David Rogers

Same scenario as #4, though this time the username information is case sensitive. OIA will treat this as a separate user within the globalusers table with the idea that the globaluser import is taken from 2 separate identity repositories.


Conclusion

OIA is case sensitive on globalusers, though only if it's imported into two separate data feeds.

About the author

Daniel is a Technical Manager with over 10 years of consulting expertise in the Identity and Access Management space.
Daniel has built from scratch this blog as well as technicalconfessions.com
Follow Daniel on twitter @nervouswiggles

Comments

Other Posts

NameID element must be present as part of the Subject in the Response message

ShibbolethSAML

August 7, 2018
Created by: Daniel Redfern
NameID element must be present as part of the Subject in the Response message, please enable it in the IDP configuration.
Read More...

HOW TO provision AD group membership from OpenIDM

OpenIDMICFAD-connector

June 15, 2018
Created by: Daniel Redfern
For what I see, there's not too many supportive documentations out there that will demonstrate how provision AD group membership with the ICF connector using OpenIDM. The use of the special ldapGroups attribute is not explained anywhere in the Integrators guides to to the date of this blog. This quick blog identifies the tasks required to provision AD group membership from OpenIDM to AD using the LDAP ICF connector. However this doesn't really explain what ldapGroups actually does and there's no real worked example of how to go from an Assignment to ldapGroups to an assigned group in AD. I wrote up a wiki article for my own reference: AD group memberships automatically to users This is just my view, others may disagree, but I think the implementation experience could be improved with some more documentation and a more detailed example here.
Read More...

ForgeRock OpenIDM - InvalidCredentialException: Remote framework key is invalid

ICFIDMOpenIDMOpenICF

November 8, 2017
Created by: Daniel Redfern
In the past, the similar error occurred though for the Oracle Identity Management solution. invalidcredentialexception remote framework key is invalid Because they all share the ICF connector framework, the error/solution would be the same.
Read More...

org.forgerock.script.exception.ScriptCompilationException: missing ; before statement

IDMsync.confforgerockopenidm

November 8, 2017
Created by: Daniel Redfern
org.forgerock.script.exception.ScriptCompilationException: missing ; before statement
Read More...

ForgeRock IDM - org.forgerock.script.exception.ScriptCompilationException: missing ; before statemen

OpenIDMsync.confForgeRock

September 17, 2017
Created by: Daniel Redfern
ForgeRock IDM - org.forgerock.script.exception.ScriptCompilationException: missing ; before statement
Read More...

Caused by: org.forgerock.json.resource.BadRequestException: Target does not support attribute groups

OpenIDMForgeRockICFConnector

September 17, 2017
Created by: Daniel Redfern
When performing the attempt of a reconciliation from ForgeRock IDM to Active Directory, I would get the following error
Read More...

ForgeRock OpenIDM - InvalidCredentialException: Remote framework key is invalid

OpenIDMForgeRockICFConnectorAD

September 17, 2017
Created by: Daniel Redfern
In the past, the similar error occurred though for the Oracle Identity Management solution. invalidcredentialexception remote framework key is invalid Because they all share the ICF connector framework, the error/solution would be the same.
Read More...

ERROR Caused by com.google.api.client.auth.oauth2.TokenResponseException 400 Bad Request - invalid_g

OpenIDMIDMGoogleGoogle-AppsICFreconciliation

September 12, 2017
Created by: Daniel Redfern
During the reconcilation from OpenIDM to the ICF google apps connector, the following error response would occur. ERROR Caused by com.google.api.client.auth.oauth2.TokenResponseException 400 Bad Request - invalid_grant
Read More...

forgerock-openidm-encryptedjwt-error

OpenIDMIDMForgeRockJWTIAM

August 29, 2017
Created by: Daniel Redfern
Received the JWT error
Read More...

Unexpected character ('¾' (code 190)): expected a valid value

ForgeRock-OpenIDMOpenIDMIDMKeystore

June 25, 2017
Created by: Daniel Redfern
Unexpected character occurred when the IP addresses changes and the virtual instance was migrated into a separate network subnet.
Read More...