IBM® Security Verify Governance Adapter v10.0.7 for Salesforce.com - Release notes
IBM Security Verify Governance Adapter for Salesforce.com 10.0.7 is available. Compatibility, installation, and other getting-started issues are addressed.
Copyright International Business Machines Corporation 2003, 2025. All rights reserved.
US Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
· Preface
· Adapter Features and Purpose
· Installation and Configuration Notes
· Updates to the Installation and Configuration Guide
· Customizing or Extending Adapter Features
· Notices
Welcome to the IBM Security Verify Governance Adapter Salesforce.com Adapter.
These Release Notes contain information for the following products that was not available when the IBM Security Verify Governance Adapter manuals were printed:
· IBM Security Verify Governance Adapter Salesforce.com Adapter Installation and Configuration Guide
The Salesforce.com Adapter is designed to create and manage User Accounts on the Salesforce.com platform. The adapter runs in "agentless" mode and communicates using HTTPS and LDAP protocol.
The IBM Security Verify Governance Adapters are powerful tools that require Administrator Level authority. Adapters operate much like a human system administrator, creating accounts, permissions and home directories. Operations requested from the IBM Security Verify Governance and IBM Security Verify Governance Identity Manager servers will fail if the Adapter is not given sufficient authority to perform the requested task. IBM recommends that this Adapter run with administrative (root) permissions.
Service Groups Management
Managing service groups implies the following:
· Create service groups on the managed resource.
· Modify attribute of a service group.
· Delete a service group.
The Salesforce.com adapter does not support service groups management.
Review and agree to the terms of the IBM Security Verify Governance License prior to using this product. The license can be viewed from the "license" folder included in the product package.
Adapter Version
|
Component |
Version |
|
Build Date |
2025 December 15 23.19.33 |
|
Adapter Version |
10.0.7 |
|
Component Versions |
Adapter build: 10.0.7.3 Profile: 10.0.7.3 Connector: 10.0.7.3 Dispatcher 7.0.39 or higher (packaged separately) |
|
Documentation |
The following guides are available in the IBM Security Verify Governance Adapters Knowledge Center SalesForce Adapter Installation and Configuration Guide |
New Features
|
Internal# |
Enhancement # (RFE/Idea) |
Description |
|
|
|
Items included in current release (10.0.7) |
|
SVGAD-5323 |
ADAPT-236 |
Certify the adapter for use with IBM Verify Identity Governance version 11.x |
|
Items included in release (10.0.6) |
||
|
SVGAD-684 |
Certify the adapter with SDI 7.2 FP0012 and SDI 10.0.0. |
|
|
SVGAD-413 |
Test the adapter on API 60.0.0 (Spring 2024) |
|
|
|
|
Items included in release (10.0.5) |
|
|
|
None |
|
Items included in release (10.0.4) |
||
|
None |
||
|
|
|
Items included in release (10.0.3) |
|
|
|
None |
|
|
|
Items included in release (10.0.2) |
|
|
|
None |
|
|
|
Items included in release version 10.0.1 |
|
|
|
None |
|
|
|
Items included in release version 7.1.16 |
|
RTC 186979 |
RFE 139258 (60731) |
ISIM salesforce adapter should support permissionset groups |
|
RTC 186991 |
|
Internal - Test salesforce
adapter on API 48/49 |
|
|
|
Items included in release version 7.1.15 |
|
|
|
None |
|
|
|
Items included in release version 7.1.14 |
|
RTC 184347 |
|
Add proxy support |
|
RTC 184348 |
RFE 134014 (59106) |
IGI Salesforce adaptor manage resource for API v46 |
|
RTC 184349 |
RFE 120778 (54386) |
Ability to customize Salesforce adapter to manage 'isFrozen' attribute from userLogin Object class |
|
|
|
Items included in release version 7.1.13 |
|
|
RTC 182747 |
US - As a Salesforce adapter developer, I must ensure that the adapter supports attribute value lookup for IGI 5.2.5 Note :- Attribute value lookup is not enabled for Manager (ersfmanagerid) and Delegated Approver ID (ersfdelegatedapproverid) attributes |
|
|
|
Release v7.1.12 |
|
|
Internal |
Role and Permission information are reconciled and displayed in IGI. |
|
|
|
Release v7.1.11 |
|
|
Internal |
Upgrade SOAP WSDL to Salesforce.com API v38.0 |
|
|
|
Release v7.1.10 |
|
|
|
Add support for IGI 5.2.2. This adapter is now designed for use with IBM Security Identity Manager, Privileged Identity Manager, and Identity Governance and Intelligence. |
|
|
|
Release v7.0.9 |
|
|
|
None |
|
|
|
Release v7.0.8 |
|
|
|
None |
|
|
|
Release v7.0.7 |
|
|
Internal |
CreatedDate and LastLoginDate added to default Account Form |
|
|
Release v6.0.6 |
|
|
|
Internal |
All Salesforce user attributes are available in Design Form |
|
|
Release v6.0.5 |
|
|
|
RFE 54943,Internal |
Support for Permission Sets assignment |
|
|
Release v6.0.4 |
|
|
|
Initial Release |
Closed Issues
|
Internal# |
APAR# / CASE# / Known Issue # |
Description |
|
Items closed in current release 10.0.7 |
||
|
SVGAD-4877Â / Bug 4581 |
DT425777/ TS019882647 |
Adapter: Salesforce adapter v10.0.6 reconciliations fail when using API 60.0. |
|
|
Items closed in Release version 10.0.6 |
|
|
SVGAD-1807 / Bug 4270 |
DT259559/TS015105660 |
Adapter: Salesforce adapter should return a failure if part of the reconciliation request fails. |
|
|
Items closed in Release version 10.0.5 |
|
|
Bug 4098/SVGAD-295 |
TS012780277 |
CTGDIS802I Getting reconnect choice for connector class = class com.ibm.di.connector.salesforce.SalesforceConnector, connector name = Recon, error = java.util.ConcurrentModificationException. No matching rule found. Using default action - error. |
|
|
Items closed in Release version 10.0.4 |
|
|
RTC 191037 / Bug 3968 |
TS010697783 / IJ45887 |
Salesforce adapter only returns 2000 groups |
|
Bug 3945 /RTC 191037 |
TS010697783 |
Add description to supporting data in targetProfile.json |
|
RTC 191246 |
Filtered reconciliation does not return groups, only memberships |
|
|
|
|
Items closed in Release version 10.0.3 |
|
Bug 3477 / RTC - 189278 |
IJ32921 |
TS004754931 / Public group assignment to a user is not working in some cases |
|
Bug 3332 / RTC - 189276 |
IJ32771 |
TS004117322 / Issue with Salesforce Adapter "Error reconciling permission set assignment: Error queryMore" |
|
|
|
Items closed in Release version 10.0.2 |
|
Bug 3332 RTC - 188424 |
Internal |
TS004117322 / Salesforce Adapter performance issue |
|
Bug 3421 / RTC - 188263 |
IJ30256 |
TS004754931 / ISIM 6.0.2 - Salesforce Public Groups management failure - Salesforce adapter gives incorrect status if the group assignment for a user fails |
|
|
|
Items closed in Release version 10.0.1 |
|
Bugz 3332 / Bugz 3336 /Bugz 3378 /RTC 187863 |
IJ29078 |
Issue with Salesforce Adapter "Error reconciling permission set assignment: Error queryMore" |
|
|
|
Items closed in Release version 7.1.16 |
|
Bugz 3249 |
IJ25606 |
Duplicate PermissionSetAssignment error when attempting to provision SalesForce account |
|
RTC 187122 |
Internal |
Fix bad syntax issues in the canonicalValuesMapping.json file in profile for SalesForce |
|
Bug 3258 RTC 187123 |
|
add/modify for custom SF boolean attributes fails with: "value not of required type" |
|
|
|
Items closed in Release version 7.1.15 |
|
RTC 185242 |
|
Use encrypted attribute for SalesForce API Password on service form From 7.1.15 release onwards, the password on the service form is stored in a different encrypted attribute. New services - no issues. Existing services - Enter password and save the service again. Password will be saved on isim ldap in encrypted format in the new attribute. Note: the password saved in the old attribute will still be present on isim ldap in clear text. If you want to completely remove the password in clear text, then delete the existing SalesForce service and remove the old profile. Import the new profile and recreate the service |
|
RTC 185774 |
|
Internal - Fix issues caused by adding/deleting password attribute in SalesForce adapter 7.1.14 |
|
|
|
Items closed in Release version 7.1.14 |
|
Bugz 3065, RTC 185301 |
IJ20897 |
Duplicate PermissionSetAssignment during account re-add |
|
|
|
Items included in release version 7.1.13 |
|
RTC 182694 |
|
As a Salesforce adapter developer, I must ensure that the mapping for dn is correct in attributemapping.def file |
|
RTC 183065, Bug 2813 |
TS001582670 |
As a Salesforce adapter developer, I must ensure that on IGI, the user can set the profileID during account creation |
|
|
|
Release v7.1.12 |
|
|
|
None |
|
|
|
Release v7.1.11 |
|
|
68728,442,000 |
Add user failed for SSO enabled user. |
|
|
|
Release v7.1.10 |
|
|
|
none |
|
|
|
Release v7.0.9 |
|
|
IV86576/32145,122,000 |
Semicolon delimited string attribute value will be partially removed |
|
|
|
Release v7.0.8 |
|
141251 |
91706,003,756 |
Salesforce Adapter recon does not return all attributes |
|
N/A |
IV81916/ 45519,442,000 |
Removed Manager attribute value through ITIM does not remove the value from managed target |
|
|
|
Release v7.0.7 |
|
N/A |
IV72393 |
Salesforce filtered recon does not bring back groups,permissions, Data.com User Type, Monthly Data.com Monthly Addition |
|
|
|
Release v6.0.6 |
|
N/A |
80703,L6Q,000 |
Add all Salesforce user attributes to Objectclass and modify assembly lines to cope with them. |
|
N/A |
82729,L6Q,000 |
Add User group membership to the Account Form. |
|
|
|
Release v6.0.5 |
|
110377 |
N/A |
Upgrade SOAP WSDL to version v31.0 |
|
N/A |
77491,379,000 |
Modify operation handles both group and user attribute modification together. |
|
|
|
Release v6.0.4 |
|
|
|
Initial Release |
Known Limitations
|
Internal# |
APAR# |
Description |
|
Attribute value lookup is not enabled for Manager (ersfmanagerid) and Delegated Approver ID (ersfdelegatedapproverid) attributes |
||
|
N/A |
N/A |
Maximum length of attributes specified on Salesforce.com may not correspond to the schema in Identity Manager which may cause those entries in violation of the schema to be skipped during reconciliation. |
|
N/A |
N/A |
From 7.1.15 release onwards, the password on the service form is stored in a different encrypted attribute. New services - no issues. Existing services - Enter password and save the service again. Password will be saved on isim ldap in encrypted format in the new attribute. Note: the password saved in the old attribute will still be present on isim ldap in clear text. If you want to completely remove the password in clear text, then delete the existing SalesForce service and remove the old profile. Import the new profile and recreate the service |
See the IBM Security Verify Governance Adapter Installation Guide for detailed instructions.
The following corrections to the Installation Guide apply to this release:
No updates for the current release
No updates for the current release
Installing Service/Target form details Connection:
         Proxy Server Host
            Specify the proxy server Host.
         Proxy Server Port
           Specify the proxy server Port.
  User Fields for Reconciliation:
    Optionally, specify the fields that are reconciled for users on Salesforce.com. The fields in the list are separated by commas.when there are spaces observed after each ',' in "User Fields to Reconcile" parameter.
    Set the fields without space. You must specify the fields as in this example:
    User Fields to Reconcile : Email,Username,LastName,Alias,TimeZoneSidKey,LocaleSidKey,EmailEncodingKey,ProfileId,LanguageLocaleKey,IsActive,Id.
    You can specify more fields. However, the reconciliation performance might be affected. If you leave this field blank, all fields are reconciled by default. .
Installing the adapter binaries or connector
  Download these 3rd party jars and copy them to the ITDI_HOME/jars/patches folder
  Force-wsc-*.jar
  common-beanutils-*.jar
  Note: Refer to the release notes for exact version of the jars.
Installing ILMT-Tags File
 Before you begin:
 The Dispatcher must be installed
 Procedure:
 Copy the files from ILMT-Tags folder to the specified location:
 1. Windows: <SDI-HOME>\swidtag
 2. Unix/Linux: <SDI-HOME>/swidtag
Installing in the Verify Governance Virtual Appliance
For Verify Governance target management, you can install an IBM Security Verify Governance Adapters or a custom adapter on the built-in Security Directory Integrator in the virtual appliance instead of installing the adapter externally. As such, there is no need to manage a separate virtual machine or system.
About this task
This procedure is applicable to install this adapter on the virtual appliance.
Procedure
1. Download the adapter package from the
IBM Passport Advantage.
For example, Adapter-<Adaptername>.zip.
The adapter package includes the following files:
|
Table 1. Adapter package contents |
|
|
Files |
Descriptions |
|
bundledefinition.json |
The adapter definition file. It specifies the content of the package, and the adapter installation and configuration properties that are required to install and update the adapter. |
|
Adapter JAR profile |
A Security Directory Integrator adapter always include a JAR profile which contains: targetProfile.json o Service provider configuration o Resource type configuration o List of assembly lines A set of assembly lines in XML files A set of forms in XML files Custom properties that include labels and messages for supported languages.
Use the Target Administration module to import the target profile. |
|
Additional adapter specific files |
Examples of adapter specific files: Connector jar files Configuration files Script files Properties files
The file names are specified in the adapter definition file along with the destination directory in the virtual appliance. |
|
|
|
2. From the top-level menu of the Appliance Dashboard, click Configure > SDI Management.
3. Select
the instance of the Security Directory Integrator for which you want to manage
the adapters and click Manage > SDI Adapters
The SDI Adapters window is displayed with a table that list the name,
version, and any comments about the installed adapters.
4. On the SDI Adapters window, click Install.
5. On the
File Upload window, click Browse to locate the adapter package
and then click OK.
For example, Adapter-<Adaptername>.zip.
6. Provide the missing 3rd party libraries when prompted.
a. On the File
Upload for Pre-requisite files window, click Select Files.
A new File Upload window is
displayed.
b. Browse and select all the missing libraries and files. For example, httpclient-4.0.1.jar
c. Click Open.
The selected files are listed in the
File Upload for Pre-requisite files window.
d. Click OK.
The missing files are uploaded and the adapter package is updated with the 3rd
party libraries.
7. Enable secure communication.
a. Select the instance of the Security Directory Integrator for which you want to manage the adapter.
b. Click Edit.
c. Click the Enable SSL check box.
d. Click Save Configuration.
8. Import the SSL certificate to the IBM Security Directory Integrator server.
a. Select the instance of the Security Directory Integrator for which you want to manage the adapter.
b. Click Manage > Certificates.
c. Click the Signer tab.
d. Click Import.
The Import Certificate window is displayed.
e. Browse for the certificate file.
f. Specify a label for the certificate. It can be any name.
g. Click Save.
Note: While uploading the Adapter package, you may receive System Error: A file included in the SDI Adapter zip already exists on the system and the Server Message log under Appliance tab of VA will have a reference to error com.ibm.identity.sdi.SDIManagementService File ibm.com_ IBM _Verify_Identity_Governance_xxxx.swidtag found in the adapter zip at location ILMT-Tags/ already exists in system. This is because, you can install the same swidtags only once. So, if another adapter of the same type is installed, remove the swidtags.
The ibm.com_IBM _Verify_Identity_Governance_Enterprise-xxxx.swidtag file is common to all adapters. In addition to the common swidtag file, an application adapter needs ibm.com_IBM_ IBM _Verify_Identity_Governance_Application_Adapters-xxxx.swidtag file and an infra adapter needs ibm.com_ IBM _Verify_Identity_Governance_Lifecycle-xxxx.swidtag and ibm.com_ IBM _Verify_Identity_Governance_Compliance-xxxx.swidtag files. So, if an application adapter is already installed and this is an infra adapter, then only install the infra-specific swidtags and the other way around. Please visit Security Verify Governance Adapters v10.x link to identify the adapter type of the installed adapters.
Installing in an IBM Security Verify Directory Dispatcher Container
Before you begin
The steps to install adapter and related files into the container can be performed using the adapterUtil.sh script, which is shipped with the dispatcher package. This script should be staged on the machine running Kubernetes cli. The adapterUtil.sh script is also readily available in the bin directory of IBM Security Verify Governance Identity Manager Container Starter Kit installation directory, if ISVDI was selected for installation during the ISVG-IM container installation steps.
If, for any reason, the adapter util script cannot be executed or used, the below manual instructions must be followed to copy the files to the persistent volume.
Note: The container must be restarted after installing or uninstalling the adapter and any changes to the configuration yaml. To active changes and restart the container run the following commands:
· <path_to_starterkit>/bin/createConfigs.sh isvdi
· For OpenShift container: oc -n isvgim rollout restart deployment isvdi
· For Kubernetes container: kubectl -n isvgim rollout restart deployment isvdi
Note: This document only describes the adapterUtil.sh command options that are required to install this adapter. For other command options, such as listing installed connectors and 3rd party jars, please refer to the Dispatcher10 Installation and Configuration Guide.
Installing / Upgrading / Re-installing / Downgrading the adapter
Using Script
Use the below command to install / upgrade/ re-install / downgrade the adapter:
/path/to/adapterUtil.sh -loadAdapter "/path/to/Adapter-Salesforce-*.zip" accept
Where /path/to/adapterUtil.sh is the location where the adapterUtil.sh script could be found is installed and /path/to/Adapter-UnixLinux-*.zip is the location where the Adapter zip file is staged on the machine running Kubernetes cli.
After doing so, follow the given instructions for manually uploading the 3rdparty jars.
Manually copying files to Persistent Volume
Copy files from the given directory structure of the persistent volume mapped to the /opt/IBM/svgadapters directory of the container image.
                       Copy this file to the <Persistent_Volume>/jars/connectors directory:
                                SalesforceConnector.jar
                        Copy these files to the <Persistent_Volume>/jars/patches directory:
                             sforce_partner.jar.jar
                             force-wsc-xx.x.x.jar
                             commons-beanutils-x.x.x.jar
ILMT-Tags
Copy the below files to the <Persistent_Volume>/swidtag directory:
ibm.com_IBM_Verify_Identity_Governance_Enterprise-xx.x.x.swidtag
                     ibm.com_IBM_Verify_Identity_Governance_Application-xx.x.x.swidtag
Updating the container
Using Script
To update the dispatcher container with the using the ISVG-IM starter kit , run the following commands:
<path_to_starterkit>/bin/createConfigs.sh isvdi
for OpenShift container: oc -n isvgim rollout restart deployment isvdi
for kubernetes container: kubectl -n isvgim rollout restart deployment isvdi
Manually
To update the dispatcher container on Kubernetes/OpenShift, now run the following commands to create a config map and update the dispatcher specific yaml :
<kubectl or oc > create configmap <namespace> --from-file=<path to main isvdi config yaml> --from-file=<directory where certificates are stored> --dry-run=client -o yaml –namespace=<namespace where dispatcher container resides> > <path_to_dispatcher_container_that_runs_this_adapter_yaml>
e.g.
kubectl create configmap isvgimsdi --from-file=/root/isvg/config/adapters/isvdi_config.yaml --from-file=/root/isvg/config/certs --dry-run=client -o yaml --namespace=isvgim > /root/isvg/yaml/045-config-adapters.yaml
Then apply the updated dispatcher that runs this adapter yaml .
<kubectl or oc> appply -f <path_to_dispatcher_container_that_runs_this_adapter_yaml>
e.g.
oc apply -f /root/isvg/yaml/045-config-adapters.yaml
Finally restart the container
<kubectl or oc> rollout restart deployment <isvdi container deployment>
e.g.
oc -n isvgim rollout restart deployment isvdi
Configuring the SSL connection between the IBM Security Verify Directory Integrator container and the Salesforce target
Uploading the certificates
Copy the below files to the machine that runs the adapter in the <path_to_starterkit>/config/certs directory:
cp <path_to_certificate_that_was_downloaded_from_salesforce> <path_to_starterkit>/config/certs
e.g.
cp /home/ibmuser/ap24-salesforce-com-chain.pem /root/isvg/config/certs
Refer https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#keyfile_trusted-certificates page from SVDI
If the config.yaml file which is used as the YAML_CONFIG_FILE environment variable for the container doesn't have a trusted-certificates element, follow the instructions that are provided in https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#keyfile_trusted-certificates to add a trusted-certificates section to the config.yaml file.
To add a trusted-certificates element (if it doesn’t exist in current configuration) to the config.yaml file which is used as parameter for YAML_CONFIG_FILE environment variable of the container, download the DigiCert Global Root CA and DigiCert Global Root G2 certificates in DER/CRT format from https://www.digicert.com/kb/digicert-root-certificates.htm and place the certificate in the certs directory of the config volume which contains the config.yaml file. The default location for this config volume is /opt/IBM/dispatcher/config.
Provide this path of the certificate in config.yaml file as shown in the example below:
keyfile:
 trusted-certificates:
 - '@/opt/IBM/dispatcher/config/certs/ap24-salesforce-com-chain.pem'
Follow the steps in “Updating the container� to active the changes
Enabling TLS 1.2
Refer https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#advanced page from SDI to add advanced configuration element (if it don’t exist in current configuration) to the config.yaml file which is used as parameter for YAML_CONFIG_FILE environment variable of the container.
If the config.yaml file which is used as the YAML_CONFIG_FILE environment variable for the container doesn't have an advanced configuration element, follow the instructions that are provided in https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#advanced to add an advanced configuration section to the config.yaml file.
To enable TLSv1.2, add 2 attr and value key pair (as mentioned in the SDI guide) as below:
- attr: com.ibm.di.SSLProtocols
 value: 'TLSv1.2'
- attr: com.ibm.di.SSLServerProtocols
 value: 'TLSv1.2'
Follow the steps in “Updating the container� to active the changes
Enabling debug logs and disabling json-logging
If the config.yaml file which is used as the YAML_CONFIG_FILE environment variable for the container doesn't have root-level and json-logging configuration elements, follow the instructions that are provided in https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#general_logging to the add root-level and json-logging configuration elements section to the config.yaml file.
Refer https://www.ibm.com/docs/api/v1/content/SSCQGF_10.0.0/container/html/verify-directory-integrator.html#general_logging page from SDI to add root-level and json-logging configuration elements (if they don’t exist in current configuration) to the config.yaml file which is used as parameter for YAML_CONFIG_FILE environment variable of the container.
To enable debug logs, set the value for root-level to debug. To and to disable json logging, set the value for json-logging element to false.
           Follow the steps in “Updating the container� to active the changes
Uninstalling the adapter
Using Script
Use the below command to remove the adapter:
/path/to/adapterUtil.sh -removeAdapter Adapter-Salesforce
Manually removing files from the Persistent Volume
Remove files from the given directory structure of the persistent volume that is mapped to the /opt/IBM/svgadapters directory of the container image.
Note: Some 3rd party jars and ILMT-Tags files might be common with other installed adapters, and hence should not be removed while uninstalling this adapter:
Remove this file from the <Persistent_Volume>/jars/connectors directory:
SalesforceConnector.jar
Remove these files from the <Persistent_Volume>/jars/patches directory:
sforce_partner.jar.jar
force-wsc-xx.x.x.jar
commons-beanutils-x.x.x.jar
ILMT-Tags
Remove the below files from the <Persistent_Volume>/swidtag directory:
ibm.com_IBM_Verify_Identity_Governance_Enterprise-xx.x.x.swidtag
                     ibm.com_IBM_Verify_Identity_Governance_Application-xx.x.x.swidtag
No updates for the current release
Enabling TLSv1.2 in Security Directory Integrator
Procedure:
1. Apply recommended fix packs and limited availability (LA) versions on the Security Directory Integrator. See Recommended fixes for IBM Tivoli Directory Integrator (TDI) & IBM Security Directory Integrator (SDI).
2. After applying the appropriate updates, modify the /solution.properties file by appending the following text to the bottom of the file:
#####################
# # Protocols to enforce SSL protocols in a SDI Server
# # Optional values for com.ibm.di.SSL* property (TLSv1, TLSv1.1, TLSv1.2). # # This can be a multi-valued comma separated property
# # Optional values for com.ibm.jsse2.overrideDefaultProtocol property (SSL_TLSv2, TLSv1,TLSv11,TLSv12).
# # This is a single value property.
#####################
com.ibm.di.SSLProtocols=TLSv1,TLSv1.1,TLSv1.2
com.ibm.di.SSLServerProtocols=TLSv1,TLSv1.1,TLSv1.2
com.ibm.jsse2.overrideDefaultProtocol=TLSv1
com.ibm.jsse2.overrideDefaultTLS=true
#####################
Enabling DEBUG Logs on SDI Server
Procedure:
1. Stop the SDI Server process
Pre-7.2.0-ISS-SDI-FP0008
2. Edit the <SDI_Solution_Directory>/etc/log4j.properties
3. Modify the following line:
log4j.rootCategory=INFO, Default
to
log4j.rootCategory=DEBUG, Default
Post-7.2.0-ISS-SDI-FP0008
2. Edit the <SDI_HOME_Directory>/etc/log4j2.xml
3. Modify the following line:
<Root level="info">
To
<Root level="debug">
Post-7.2.0-ISS-SDI-FP0011
4. To enable TCB block in debug
5. Append the line com.ibm.di.logging.close=false in the <SDI_HOME_Directory>/etc/global.properties file
6. Start the SDI Server process
7. Re-create the problem and collect the <SDI_Solution_Dir>/logs/ibmdi.log
Logs are not getting printed in FP13 in Windows OS
Procedure:
1. Copy log4j2.xml file from <SDI_Home_Dir>/etc and add to the <SDI_Solution_Dir>/etc (which was missing there).
2. Configure <SDI_Solution_Dir>/ibmdiservice.props with below parameter:
jvmcmdoptions=-Dlog4j2.configurationFile=etc\log4j2.xml
3. Restart SDI Server process
Known Issues and Limitations
Reconciliation of permissions with non-unique names fail in ISVG
If groups of different types (role, queue , collaboration, see https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_group.htm for an overview of types) are defined with the same name, this will result in an error in ISVG as the adapter currently doesn’t distinguish between the different group types. In ISVG the index ENTITLEMENT_FULL_UNIQUE_INDX checks if the fields LOWER(NAME),INT_TYPE,EXT_TYPE,APPLICATION and PROFILE_TYPE . As there will be multiple entitlements with the same name and profile_type, this will result in an error.
Attribute descriptions-> Table 1. Attributes for the erSFAccount object class
Add following entry
|
Attribute name and definition |
Data type |
Single-valued |
Permissions |
Required |
Description |
|
erSFpermissionSetGroupAssignments |
String |
No |
RW |
No |
|
Add IsFrozen attribute to account form
Update the Attribute table under Reference Attribute Description with below content.
|
Attribute name and definition |
Data type |
Single-valued |
Permissions |
Required |
Description |
|
erisfrozen |
String |
Yes |
RW |
No |
Displays if the current user is frozen or not. |
IBM Security Verify Governance Adapter adapters can be customized and/or extended. The type and method of this customization may vary from adapter to adapter. For more information please see:
IBM Security Verify Governance Adapter Development and Customization Guide
However, IBM does not support the customizations, scripts, or other modifications. If you experience a problem with a customized adapter, IBM Support may require the problem to be demonstrated on the GA version of the adapter before a Case is opened.
Installation Platform
The IBM Security Verify Governance was built and tested on the following product versions.
Adapter Installation Platform:
This adapter installs into Security Directory Integrator (SDI) and may be installed on any platform supported by the SDI product and supported by the target system libraries or client, where applicable. IBM recommends installing SDI on each node of the IBM Security Identity Server WAS Cluster and then installing this adapter on each instance of SDI. Supported SDI versions include:
Due to continuous Java security updates that may be applied to your ISIM or IGI or IVIG servers, the following SDI releases are the officially supported versions:
Security Directory Integrator 7.2 + FP14
Security Verify Directory Integrator 10.0 FP5
Note: Earlier SDI supported versions may function properly, however to resolve any communication errors, you must upgrade your SDI releases to the officially supported versions.
Supported thirdparty jars :
Force-wsc
https://repo1.maven.org/maven2/com/force/api/force-wsc/48.0.0/force-wsc-48.0.0.jar
https://repo1.maven.org/maven2/com/force/api/force-wsc/49.0.0/force-wsc-49.0.0.jar
https://repo1.maven.org/maven2/com/force/api/force-wsc/60.0.0/force-wsc-60.0.0.jar
common-beanutils
https://repo1.maven.org/maven2/commons-beanutils/commons-beanutils/1.9.4/commons-beanutils-1.9.4.jar
Managed Resource:
Salesforce.com API v48.0 - url extension /services/Soap/u/48
Salesforce.com API v49.0 - url extension /services/Soap/u/49
Salesforce.com API v60.0 - url extension services/Soap/u/60.0
Verify Governance
IBM Verify Identity Governance 11.x
IBM Security Verify Governance Identity Manager
10.x
IBM Security Verify Governance 10.x*
*Unless this document
specifies a specific fix pack version of ISVG Identity Manager v10, we expect
the adapter to work with ISIM 6 as well. However, it will only be debugged and
fixed from the perspective of ISVG-IM v10
Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan, Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged should contact:
IBM Corporation
2ZA4/101
11400 Burnet Road
Austin, TX 78758 U.S.A.
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
Trademarks
IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
Microsoft, Windows, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates