# Onboarding Technical Guide (OpenIAM 4.2.1.12)

This content originally appeared on DEV Community and was authored by hediyeh kianmehr

## 1. Overview

This guide describes the technical steps to onboard a new Managed System into OpenIAM. Onboarding ensures that user accounts, groups, and entitlements in the target system (e.g., Active Directory, LDAP, HRMS, or application database) are synchronized with OpenIAM.

Key objectives:

  • Establish a secure connection to the target system.
  • Define attribute mappings for users and groups.
  • Apply validation and transformation rules.
  • Test user creation and synchronization.
  • Verify expected results and troubleshoot common issues.

The audience is IAM administrators, system integrators, and support engineers.

## 2. Managed System Configuration

Steps to configure a managed system:

  1. Log in as IAM Administrator in the OpenIAM Web Console.
  2. Navigate to Administration → Provisioning → Managed Systems.
  3. Click New to create a managed system and fill in:
    • Name: Unique identifier (e.g., AD_Prod).
    • Connector Type: AD, LDAP, DB, etc.
    • Connection Details: Host/URL, Port, Protocol (LDAPS, JDBC, etc.), Credentials / Bind DN.
    • Synchronization Options: Enable reconciliation or scheduled sync.
  4. Save the configuration and test the connection.

**Best Practice:** Use a service account with the minimum privileges required for provisioning.

## 3. Attribute Mapping

Define how OpenIAM attributes map to target system attributes.

### Example – Active Directory Mapping

| OpenIAM Attribute | AD Attribute       | Rule / Note                    |
| ----------------- | ------------------ | ------------------------------ |
| firstName         | givenName          | Direct mapping                 |
| lastName          | sn                 | Direct mapping                 |
| displayName       | displayName        | First + Last Name              |
| email             | mail               | Must be unique                 |
| employeeId        | employeeID         | From HR feed                   |
| status            | userAccountControl | Controlled via enable/disable  |

**Configuration Steps:**

  1. Go to Administration → Provisioning → Policy Map.
  2. Select the managed system created earlier.
  3. Add or edit mappings.
  4. Save and validate.

## 4. Validation & Transformation Scripts

OpenIAM supports Groovy scripts to enforce business rules.

### Validation Example – Ensure Email Exists

```groovy
if (user.email == null || user.email.isEmpty()) {
   throw new Exception("Email cannot be empty")
}
```


### Transformation Example – Generate Login ID

```groovy
// Straight ASCII quotes are required; typographic quotes are a Groovy syntax error
user.login = (user.firstName + "." + user.lastName).toLowerCase()
```

**Steps:**

1. Go to Administration → Scripts → Transformation.
2. Create or edit the script.
3. Attach it to the policy map.
4. Test with sample input.
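A fuller policy-map script that combines both ideas, added here as an illustration and not taken from OpenIAM or the original post: it collects every validation error before failing, and derives a login ID that is safe for an AD sAMAccountName (ASCII only, no separators, at most 20 characters). The `user` object and its attribute names (`firstName`, `lastName`, `email`, `employeeId`, `login`) are assumed to match the mapping table above; the sample user is constructed.

```groovy
import java.text.Normalizer

// Constructed sample input. In a real OpenIAM script the platform supplies `user`;
// the attribute names used here are an assumption based on the mapping table.
def user = [firstName: "Zoë", lastName: "O'Brien-Smith",
            email: "zoe.obrien@example.com", employeeId: "E12345"]

// Validation: report all problems at once instead of stopping at the first.
List<String> validateUser(Map u) {
    def errors = []
    if (!u.firstName?.trim()) errors << "firstName is required"
    if (!u.lastName?.trim())  errors << "lastName is required"
    if (!u.email?.trim()) {
        errors << "Email cannot be empty"
    } else if (!(u.email ==~ /^[^@\s]+@[^@\s]+\.[^@\s]+$/)) {
        errors << "Email is not well-formed: ${u.email}"
    }
    if (!u.employeeId?.trim()) errors << "employeeId is required (HR feed)"
    return errors
}

// Transformation: build a login ID acceptable as an AD sAMAccountName
// (letters/digits only, no spaces or punctuation, max 20 characters).
String buildLogin(Map u) {
    def strip = { String s ->
        Normalizer.normalize(s ?: "", Normalizer.Form.NFD)
                  .replaceAll(/\p{M}/, "")          // drop accents (ë -> e)
                  .replaceAll(/[^A-Za-z0-9]/, "")   // drop spaces, apostrophes, hyphens
                  .toLowerCase()
    }
    def first = strip(u.firstName)
    def last  = strip(u.lastName)
    def login = (first && last) ? "${first}.${last}".toString() : (first ?: last)
    return login.size() > 20 ? login[0..19] : login
}

def errors = validateUser(user)
if (errors) {
    // Same failure mechanism as the page's validation example
    throw new IllegalArgumentException(errors.join("; "))
}
user.login = buildLogin(user)
println user.login   // zoe.obriensmith
```

Uniqueness of `email` and `login` cannot be decided inside the script alone; that check belongs to the policy map or a directory lookup before provisioning.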

---

## 5. Test User Creation

1.  Navigate to Administration → User Management → New User.
2.  Fill in required attributes (First Name, Last Name, Email, Login ID).
3.  Assign a role (e.g., Employee_Default).
4.  Save the user.
5.  Monitor provisioning logs:

- Audit Log Viewer → search for user events.
- Check connector response for success/failure.

---

## 6. Expected Results

- User is created in OpenIAM.
- User account is provisioned in the target system.
- Attributes match mapping rules.
- Business rules (scripts) are applied.
- Audit logs confirm provisioning success.

---

## 7. Troubleshooting

| Issue                             | Cause                             | Resolution                               |
| --------------------------------- | --------------------------------- | ---------------------------------------- |
| User not created in target system | Connector error / mapping missing | Check policy map, connector config, logs |
| Duplicate email error             | Validation script failure         | Correct input data or adjust script      |
| Account created but disabled      | Status attribute misconfigured    | Verify `status` mapping                  |
| Provisioning delayed              | Scheduler not triggered           | Restart scheduler service                |
| Script errors                     | Groovy syntax issue               | Review logs, fix, redeploy script        |

**Logs to Check:**

- Audit Log Viewer (Web Console).
- Connector logs (RabbitMQ messages).
- Application logs: `/opt/openiam/logs/`.


---

## Appendix

- [OpenIAM Documentation](https://docs.openiam.com/docs-4.2.1.12/getting-started/)  
- [OpenIAM Admin Guide](https://docs.openiam.com/docs-4.2.1.12/admin/)  
- [Provisioning Tutorial](https://docs.openiam.com/docs-4.2.1.12/getting-started/6-automatedprovisioning/2-tutorial)  