Notes covering Identity Connect prerequisites, fixes, and known issues. Last updated :
Chapter 1. What's New in Identity Connect 2.1.0
Identity Connect 2.1.0 provides support for Java 8 and removes support for Java 7. No additional new functionality is included in this release. For more information on supported Java versions, see Section 2.1, "Java Requirements".
Chapter 2. Before You Install Identity Connect 2.1.0
This chapter covers software and hardware prerequisites for installing and running the Identity Connect software.
2.1. Java Requirements
Make sure you have an appropriate version of Java installed. Identity Connect 2.1.0 requires a 64-bit version of Java 8. 32-bit Java versions are not supported.
To check the Java version on UNIX systems:
```
$ java -version
java version "1.8.0_74"
Java(TM) SE Runtime Environment (build 1.8.0_74-b02)
Java HotSpot(TM) 64-Bit Server VM (build 25.74-b02, mixed mode)
```
To check the Java version on Windows systems:
```
C:\>java -version
java version "1.8.0_74"
Java(TM) SE Runtime Environment (build 1.8.0_74-b02)
Java HotSpot(TM) 64-Bit Server VM (build 25.74-b02, mixed mode)
```
In addition, on Windows systems, you must set the JAVA_HOME environment variable to point to the root of a valid Java installation. The following steps indicate how to set the JAVA_HOME environment variable on Windows Server 2008 R2. Adjust the steps for your specific environment.
1. Locate your JRE Installation Directory. If you have not changed the installation path for the Java Runtime Environment during installation, it will be in a directory under C:\Program Files\Java\.
2. Select Start > Control Panel > System and Security > System.
3. Click Advanced System Settings.
4. Click Environment Variables.
5. Under System Variables, click New.
6. Enter the Variable name (JAVA_HOME) and set the Variable value to the JRE installation directory, for example C:\Program Files\Java\jre8.
7. Click OK.
Increasing the heap size available to the JVM can improve performance of the Identity Connect server. By default, Identity Connect runs with an initial heap and a maximum heap of 2 Gbytes. You can increase both the initial and maximum heap size available to the JVM by setting the OPENIDM_OPTS environment variable prior to startup.
The following command changes the initial and maximum heap to 3 Gbytes. Adjust the command according to your shell. To set the environment variable on Windows systems, see the Microsoft TechNet article at http://technet.microsoft.com/en-us/library/cc772047.aspx.
```
$ export OPENIDM_OPTS="-Xmx3g -Xms3g"
```
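The checks in this section, gathered into one preflight function as an added example (it is not part of the Identity Connect documentation). It takes the text printed by `java -version` as input so it behaves the same on UNIX and Windows; the names `preflight` and `heap_bytes` are hypothetical, and the heap comparison is an extra sanity check that the notes themselves do not list.

```python
import re

# Constructed sample: the `java -version` output quoted in this section.
SAMPLE = """java version "1.8.0_74"
Java(TM) SE Runtime Environment (build 1.8.0_74-b02)
Java HotSpot(TM) 64-Bit Server VM (build 25.74-b02, mixed mode)"""

UNITS = {"": 1, "k": 1 << 10, "m": 1 << 20, "g": 1 << 30}

def heap_bytes(opts, flag):
    """Size in bytes given by -Xms or -Xmx in an options string, or None if absent."""
    m = re.search(r"(?:^|\s)-" + flag + r"(\d+)([kKmMgG]?)(?=\s|$)", opts)
    return int(m.group(1)) * UNITS[m.group(2).lower()] if m else None

def preflight(version_output, opts="", java_home=None, windows=False):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    m = re.search(r'version "([^"]+)"', version_output)
    if not m:
        problems.append("cannot parse java -version output")
    elif not m.group(1).startswith("1.8."):  # Java 8 reports itself as 1.8.x
        problems.append("Java 8 required, found " + m.group(1))
    # Assumption: 64-bit HotSpot/OpenJDK builds print "64-Bit" in the VM line.
    if "64-Bit" not in version_output:
        problems.append("64-bit JVM required")
    if windows and not java_home:
        problems.append("JAVA_HOME must be set on Windows")
    xms, xmx = heap_bytes(opts, "Xms"), heap_bytes(opts, "Xmx")
    if xms is not None and xmx is not None and xms > xmx:
        problems.append("initial heap (-Xms) is larger than maximum heap (-Xmx)")
    return problems
```

On a real host, pass in the captured output of `java -version` (written to stderr) together with the values of `OPENIDM_OPTS` and `JAVA_HOME`.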
2.2. Supported Platforms
Identity Connect 2.1.0 has been tested primarily on the following platforms:
- CentOS 6.4 64-bit with Java 1.8.0 update 74
- Microsoft Windows 2008 R2 server and Microsoft Windows 2012 R2 server, with Java 1.8.0 update 74
Testing was performed with an Active Directory server and an Active Directory Lightweight Directory Services (AD LDS) instance, running on Microsoft Windows 2008 R2 server and on Microsoft Windows 2012 R2 server.
2.3. Supported Repositories
OrientDB is provided with Identity Connect as an internal (embedded) repository. The following JDBC repositories are also supported but require a separate download:
- MySQL 5.1 or 5.5 with Connector/J 5.1.18 or later
- MS SQL Server 2008 R2, or later
Note
Running Identity Connect 2.1.0 in a clustered deployment is supported only with a MySQL repository running on a CentOS/Red Hat Enterprise Linux system.
2.4. Supported Browsers
The following table lists the browsers with which the Identity Connect user (login) interface, and the Identity Connect administrative interface have been tested.
Browser | Version | Comments |
---|---|---|
Google Chrome | Most recent stable version | User and administrative interface |
Mozilla Firefox | Most recent stable version | User and administrative interface |
Microsoft Internet Explorer | Version 10 and 11 | User and administrative interface |
Microsoft Internet Explorer | Versions 8 and 9 | User interface only |
Safari | Version 5 and later | User and administrative interface |
For information about the browsers that are supported for the Salesforce UI, see the Salesforce documentation.
2.5. Hardware Requirements
You need at least 200 MB disk space and 2 GB memory for a minimal evaluation installation. For a production installation, disk space and memory requirements will depend on the number of Active Directory users, and on the size of the log files that Identity Connect writes.
Chapter 3. Known and Resolved Issues in Identity Connect 2.1.0
This chapter lists the main issues and limitations that are known to exist in this Identity Connect release, as well as major issues that have been fixed since the previous release.
3.1. Limitations
In Identity Connect 2.1.0, MySQL is the only supported repository for use in a clustered environment. There are known limitations with the use of the embedded OrientDB repository in a clustered Identity Connect deployment in this release.
Identity Connect does not support mapping and synchronization of Salesforce Permission Set License Assignments.
Identity Connect supports mapping between an Active Directory group and a Salesforce Permission Set but not if that Permission Set is available as the result of a Permission Set License Assignment being granted to the user.
For more information about Permission Set License Assignments, see PermissionSetLicense and PermissionSetLicenseAssign in the Salesforce Developer Documentation.
3.2. Known Issues in This Release
This section lists the known issues with Identity Connect 2.1.0.
- IB-1229
On a Windows 2012 R2 server, with Java 8, Identity Connect occasionally throws the following exceptions the first time it is started:
```
March 09, 2016 4:07:12 ODP. org.eclipse.jetty.util.log.JavaUtilLog warn
WARNING: 1 threads could not be stopped
March 09, 2016 4:07:12 ODP. org.forgerock.openidm.logging.LogServiceTracker logEntry
SEVERE: Bundle: org.forgerock.openidm.servlet [80] [org.forgerock.openidm.ui.context] Cannot create component instance due to failure to bind reference webContainer
March 09, 2016 4:07:12 ODP. org.forgerock.openidm.logging.LogServiceTracker logEntry
SEVERE: Bundle: org.forgerock.openidm.servlet [80] [org.forgerock.openidm.ui.context] Component instance could not be created, activation failed
...
```
Restarting Identity Connect resolves the problem.
- IB-1215
When mapping a custom Salesforce user attribute with multiple values, the group autocomplete window appears with the wrong focus.
- IB-1206
Occasionally, an updated Permission Set to AD group mapping or Salesforce group to AD group mapping does not display immediately. When the browser is refreshed, the updated configuration is displayed.
- IB-1197
When a public group is deleted in Salesforce, the deletion of that group is not reflected immediately in the Admin UI, and still displays in mappings until the browser is refreshed.
- IB-1195
The OrientDB database backup feature is not working as expected.
- IB-1191
Identity Connect throws exceptions the first time it is started.
- IB-1183
There are hard-coded references to database schema and table names in the JDBC configuration file for MySQL.
- IB-1165
For an Active Directory LDS server, the pwdLastSet attribute is not visible on the Mapping page, and is therefore not able to be mapped.
- IB-1157
When multiple Salesforce organizations are configured, updating the Salesforce Connector configuration incorrectly returns administrators to the Create / Clone Organization page.
- IB-1107
In certain situations, the LiveSync scheduler for Active Directory groups is not enabled during the Identity Connect configuration.
- IB-1106
Value Precedence for Profile mappings is not working correctly for LiveSync operations.
- IB-1104
The WARNING message "Unexpected failure during source reconciliation" should provide more information on what has caused the problem.
- IB-1096
During configuration, a large number of messages are logged at WARNING level, when in fact they are harmless and can be ignored.
- IB-1086
Starting Identity Connect as a Windows service occasionally fails on a Windows 2012 R2 server.
- IB-1073
The progress status for a reconciliation operation triggered by "Synch Now" is no longer displayed after a user logs out and logs back in.
- IB-1007
When Identity Connect is configured in a cluster with persisted schedules configured on multiple nodes, it is possible for one node to 'steal' the trigger from under another node. When this happens the exception is logged as SEVERE. In fact, this exception is harmless and should be logged at the INFO level or hidden.
- IB-1006
When the Salesforce access token expires and is silently refreshed by Identity Connect, the following messages are logged as SEVERE:
```
Jul 16, 2014 4:37:40 PM org.restlet.engine.security.AuthenticatorUtils parseRequest
WARNING: Couldn't find any helper support the HTTP_Token challenge scheme.
Jul 16, 2014 4:37:40 PM org.forgerock.openidm.salesforce.internal.SalesforceConnection getJsonResourceException
SEVERE: REST API error:[ {
  "message" : "Session expired or invalid",
  "errorCode" : "INVALID_SESSION_ID"
} ]
Jul 16, 2014 4:37:40 PM org.forgerock.openidm.salesforce.internal.SalesforceConnection getJsonResourceException
SEVERE: Remote REST error: {
  "error": 401,
  "reason": "Unauthorized",
  "message": "Unauthorized",
  "detail": {
    "message": "Session expired or invalid",
    "INVALID_SESSION_ID": {
      "message": "Session expired or invalid",
      "errorCode": "INVALID_SESSION_ID"
    }
  }
}
```
In addition, a number of WARNING level connection reset messages are also logged to the IC log:
```
Jul 16, 2014 4:37:41 PM org.restlet.engine.http.connector.Connection writeMessage
WARNING: Exception while writing the message headers.
java.net.SocketException: Connection reset
```
These messages should be hidden as they are harmless, and their inclusion in the logs is confusing.
- IB-999
When a CA-signed certificate is uploaded into Identity Connect by using the UI, Identity Connect must be restarted for the new certificate to be taken into account.
- IB-988
In a clustered environment, with an OrientDB repository, if the primary node is down, the user login screen is not available.
- IB-969
When Identity Connect was configured on a Windows Server, with Internet Explorer 11, a CA certificate added via the UI was not saved.
- IB-967
When a base context is changed in the Active Directory data source, Identity Connect does not update the mappings accordingly.
- IB-937
There is currently no way to refresh permission set license agreements from within the Identity Connect user interface. The current refresh rate is every hour.
- IB-875
If the data source type is changed from Active Directory to AD LDS, reconciliation fails.
- IB-802
The liveSync mechanism does not synchronize user changes in a subdomain after a change from domain controller (DC) mode to global catalog (GC) mode.
- IB-777
Identity Connect can be installed as a Windows service only as the administrator, rather than as any user with administrative privileges.
- IB-760
In a clustered environment, with an OrientDB repository, when the primary node is restarted login fails on the secondary nodes. Restarting the secondary nodes solves the problem.
- IB-658
When the connection to Salesforce.com is lost (due to a network outage, for example) the message that is displayed in the UI ("unknown error") does not indicate the problem.
- IB-602
Failure to synchronize when the maximum number of APIs is reached is not reported in the UI. Instead, a partial list of users is retrieved. The error messages are, however, output to the logs.
- IB-529
HTTP endpoints should automatically be redirected to https and root endpoints should be redirected to https://host.domain:8443/connect.
- IB-325
With Internet Explorer 9, an error in the Active Directory connector configuration can cause the browser to hang during the connector validation process, with no error displayed.
- IB-319
Certain attributes that are not replicated to the global catalog are still displayed by the UI when port 3268 or 3269 is used.
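IB-1006 describes SEVERE and WARNING records that are harmless but clutter the log. The following added example (not part of the Identity Connect documentation) parses java.util.logging output and tags records matching those signatures, so that remaining WARNING and SEVERE entries stand out for review; tagged records are kept rather than dropped. The function names, the `KNOWN` table and the sample text are constructed for illustration.

```python
import re

# Constructed sample: shortened IB-1006 records plus one made-up SEVERE record.
SAMPLE = """\
Jul 16, 2014 4:37:40 PM org.forgerock.openidm.salesforce.internal.SalesforceConnection getJsonResourceException
SEVERE: REST API error:[ {
  "errorCode" : "INVALID_SESSION_ID" } ]
Jul 16, 2014 4:37:41 PM org.restlet.engine.http.connector.Connection writeMessage
WARNING: Exception while writing the message headers.
java.net.SocketException: Connection reset
Jul 16, 2014 4:37:42 PM org.example.Hypothetical run
SEVERE: constructed record that matches no known issue
"""

HEADER = re.compile(r"^[A-Z][a-z]+ \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} \S+ (\S+) \S+$")
LEVEL = re.compile(r"^(SEVERE|WARNING|INFO|CONFIG|FINE|FINER|FINEST): ?(.*)$")
# (issue id, logger substring, message substring) for records the notes call harmless.
KNOWN = [
    ("IB-1006", "SalesforceConnection", "INVALID_SESSION_ID"),
    ("IB-1006", "AuthenticatorUtils", "HTTP_Token challenge scheme"),
    ("IB-1006", "connector.Connection", "Connection reset"),
]

def parse(text):
    """Split java.util.logging output into dicts with logger, level and message."""
    records, cur = [], None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            cur = {"logger": head.group(1), "level": None, "message": ""}
            records.append(cur)
        elif cur is not None:
            lvl = LEVEL.match(line) if cur["level"] is None else None
            if lvl:
                cur["level"], cur["message"] = lvl.groups()
            else:
                cur["message"] += "\n" + line  # continuation: JSON body or stack trace
    return records

def triage(text):
    """Return (known, review): tagged known-issue records, and other WARNING/SEVERE ones."""
    known, review = [], []
    for rec in parse(text):
        tag = next((i for i, lg, s in KNOWN if lg in rec["logger"] and s in rec["message"]), None)
        if tag:
            known.append((tag, rec))
        elif rec["level"] in ("SEVERE", "WARNING"):
            review.append(rec)
    return known, review
```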
3.3. Issues Fixed in This Release
No major issues have been fixed in this release.