Configuring automatic ITIM Account creation for ISIM AD Authentication


Author(s): Adam Bulla | Created: 10 November 2008 | Last modified: 26 April 2024
Tested on: -

Adding the extension to ISIM

Before ISIM can use the workflow extension, its jar must be placed on the application server classpath and the extension must be registered with ISIM.

  • Copy the attached createITIMAccountExtension.jar to $ISIM_HOME/lib

  • Add the copied jar to the WAS classpath

    • In the WebSphere administrative console: Environment / Shared libraries / ITIM_LIB
    • In the classpath field, add the path to the copied jar, e.g. ${ITIM_HOME}/lib/createITIMAccountExtension.jar
  • Register the new extension with ISIM

    • Open the $ISIM_HOME/data/workflowextensions.xml file

    • Add a new ACTIVITY element inside the <WORKFLOWEXTENSIONS> section, with the following content:

       <ACTIVITY ACTIVITYID="createITIMAccountForPerson" LIMIT="0">
           <IMPLEMENTATION_TYPE>
               <APPLICATION CLASS_NAME="com.ti.ch.itim.extensions.workflow.accountExtension.CreateAccountExtension" METHOD_NAME="createITIMAccount"/>
           </IMPLEMENTATION_TYPE>
           <TRANSITION_RESTRICTION SPLIT="XOR"/>
           <PARAMETERS>
               <IN_PARAMETERS PARAM_ID="owner" TYPE="Person"/>
               <IN_PARAMETERS PARAM_ID="username" TYPE="String"/>
               <IN_PARAMETERS PARAM_ID="password" TYPE="String"/>
           </PARAMETERS>
       </ACTIVITY>
    • The end result should look like the following:

        <WORKFLOWEXTENSIONS>
            <ACTIVITY ACTIVITYID="createITIMAccountForPerson" LIMIT="0">
            ...
            </ACTIVITY>
            <ACTIVITY ...>
            ...
        </WORKFLOWEXTENSIONS>

Handling new accounts

For every newly created AD account, an ISIM account must also be created so that the user can log in to ISIM with AD authentication.

This can be accomplished by modifying the AD Account Add operation:

  • Open Configure System / Manage Operations

  • Choose Entity level, Windows AD Account

  • Modify the add operation.

  • Add relevant Data to the operation

    • Open the properties panel of the workflow (upper right corner)
    • Add new relevant data, named accountName and accountPassword, both String type.
  • Add a new Script node to the workflow

    • The script node should contain the following script:

        // Relevant data for the extension: the uid of the AD account being created
        // and its password, decrypted from the request. accountPassword holds the
        // cleartext password for the rest of the workflow; do not pass it to auditEvent.
        var uid = account.get().getPropertyAsString("eruid");
        accountName.set(uid);
        accountPassword.set(account.get().getAndDecryptPassword());
  • Add a new Extension node to the workflow

    • For the Extension Name, choose the custom extension configured, createITIMAccountForPerson
    • For each Input parameter, set the corresponding Relevant Data.
  • Set up the newly created nodes

    • Connect the output of the Script node to the input of the Extension node.
    • Insert these after the CREATEACCOUNT node, but before the fork.
  • The workflow should look something like the following:

(image: addAccount workflow diagram)

Creating a new operation, and a Lifecycle rule

Reconciled accounts are not created through the Add operation, so they must be handled by a new operation that a Lifecycle rule invokes.

  • Open Configure System / Manage Operations

  • Choose Entity level, Windows AD Account

  • Create a new operation, e.g. addISIMAccount

  • In the Properties menu, add new relevant data:

    • Owner: Person type
    • accountName: String type
    • accountPassword: String type
  • In the Properties menu, set the workflow type to Non-Static.

  • Add a new Script node to the workflow

    • The Script node should contain the following script:

        // Entity is the reconciled AD account this non-static operation runs on.
        var acc = Entity.get();
        activity.auditEvent(acc);
        var account_owner = acc.getProperty('owner');
        var account_name = acc.getPropertyAsString('eruid');
        // Default: no ITIM account is needed. The transition conditions test Owner.get().
        Owner.set(null);

        if (account_owner != null) {
            var person = new Person(account_owner[0]);
            // AccountSearch is instantiated first; searchByOwner takes the owner DN.
            var search = new AccountSearch();
            var accounts = search.searchByOwner(account_owner[0]);

            if (accounts != null && accounts.length > 0) {
                var tim_account_found = false;
                for (var i = 0; i < accounts.length; i++) {
                    // Use a separate variable here: reusing 'acc' would overwrite the AD
                    // account, and the password read below would come from the wrong account.
                    var owned = accounts[i];
                    if (owned.getPropertyAsString("eruid") == account_name && owned.profileName == "ITIMAccount") {
                        tim_account_found = true;
                    }
                }
                if (!tim_account_found) {
                    // Hand the person, the uid and the decrypted AD password to the extension.
                    // accountPassword holds cleartext from here on; never log it.
                    Owner.set(person);
                    accountName.set(account_name);
                    accountPassword.set(acc.getAndDecryptPassword());
                }
            } else {
                activity.auditEvent("No accounts found for person, this should never happen");
            }
        } else {
            activity.auditEvent("No person found for the account");
        }
  • Add a new Extension node to the workflow

    • For the Extension Name, choose the custom extension configured, createITIMAccountForPerson
    • For each Input parameter, set the corresponding Relevant Data.
  • Set up the newly created nodes

    • Connect the output of the Script node to the input of the Extension node.
      • Set the condition of the connection to Owner.get()!=null
    • Connect the Script node to the Start node.
    • Connect the Extension node to the End node.
    • Connect the Script node to the End node, and set the condition of the connection to Owner.get()==null
    • The workflow should look similar to the following:
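The decision the Script node of the addISIMAccount operation makes, as an added example that is not part of the original page: it is a pure function that runs outside the ISIM engine, with constructed sample accounts (placeholder DN, uids and a made-up AD profile name) standing in for what AccountSearch.searchByOwner would return.

```javascript
// Added example (not from the original page): the decision made by the Script
// node of the addISIMAccount operation, as a pure function that runs outside the
// ISIM engine. Accounts are plain objects with the fields the script reads.
// adAccount:     { eruid, owner }  owner = array of person DNs, or null
// ownerAccounts: [{ eruid, profileName }]  what searchByOwner(ownerDn) returns
// Returns the relevant-data values the workflow would set: create (run the
// createITIMAccountForPerson node?), ownerDn, accountName, and the branch reason.
function decideItimAccount(adAccount, ownerAccounts) {
  if (!adAccount.owner || adAccount.owner.length === 0) {
    return { create: false, ownerDn: null, accountName: null, reason: 'no person found for the account' };
  }
  var ownerDn = adAccount.owner[0];
  if (!ownerAccounts || ownerAccounts.length === 0) {
    // The owner owns at least the AD account itself, so this branch is unexpected.
    return { create: false, ownerDn: null, accountName: null, reason: 'no accounts found for person' };
  }
  for (var i = 0; i < ownerAccounts.length; i++) {
    var owned = ownerAccounts[i]; // separate name so adAccount is never overwritten
    if (owned.profileName === 'ITIMAccount' && owned.eruid === adAccount.eruid) {
      return { create: false, ownerDn: null, accountName: null, reason: 'ITIM account already exists' };
    }
  }
  // No ITIM account with the AD uid yet: the extension node must create one. The
  // password is not part of this value; the workflow reads it from the AD account
  // with getAndDecryptPassword() only on this branch, and never logs it.
  return { create: true, ownerDn: ownerDn, accountName: adAccount.eruid, reason: 'ITIM account missing' };
}

// Constructed sample data: placeholder DN and uids, and an illustrative profile
// name for the AD account (only the ITIMAccount profile name is significant).
var SAMPLE_OWNER_DN = 'erglobalid=PLACEHOLDER,ou=0,ou=people,erglobalid=PLACEHOLDER,ou=org,dc=example';
var SAMPLE_AD_ACCOUNT = { eruid: 'jdoe', owner: [SAMPLE_OWNER_DN] };

// Runs the four cases the Script node distinguishes and returns their decisions.
function sampleDecisions() {
  return {
    orphan: decideItimAccount({ eruid: 'jdoe', owner: null }, []),
    noAccounts: decideItimAccount(SAMPLE_AD_ACCOUNT, []),
    alreadyExists: decideItimAccount(SAMPLE_AD_ACCOUNT, [
      { eruid: 'jdoe', profileName: 'ADAccountProfile' },
      { eruid: 'jdoe', profileName: 'ITIMAccount' }
    ]),
    differentUid: decideItimAccount(SAMPLE_AD_ACCOUNT, [
      { eruid: 'jdoe', profileName: 'ADAccountProfile' },
      { eruid: 'john.doe', profileName: 'ITIMAccount' }
    ])
  };
}
```

Only the differentUid case yields create: true, which is the branch on which the workflow sets Owner, accountName and accountPassword and follows the Owner.get()!=null transition.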