Notes covering Identity Connect prerequisites, fixes, and known issues.

Chapter 1. What's New in Identity Connect 2.1.0

Identity Connect 2.1.0 provides support for Java 8 and removes support for Java 7. No additional new functionality is included in this release. For more information on supported Java versions, see Section 2.1, "Java Requirements".

Chapter 2. Before You Install Identity Connect 2.1.0

This chapter covers software and hardware prerequisites for installing and running the Identity Connect software.

2.1. Java Requirements

Make sure you have an appropriate version of Java installed. Identity Connect 2.1.0 requires a 64-bit version of Java 8. 32-bit Java versions are not supported.

To check the Java version on UNIX systems:

$ java -version
java version "1.8.0_74"
Java(TM) SE Runtime Environment (build 1.8.0_74-b02)
Java HotSpot(TM) 64-Bit Server VM (build 25.74-b02, mixed mode)
  

To check the Java version on Windows systems:

C:\>java -version
java version "1.8.0_74"
Java(TM) SE Runtime Environment (build 1.8.0_74-b02)
Java HotSpot(TM) 64-Bit Server VM (build 25.74-b02, mixed mode)
  

In addition, on Windows systems, you must set the JAVA_HOME environment variable to point to the root of a valid Java installation. The following steps indicate how to set the JAVA_HOME environment variable on Windows Server 2008 R2. Adjust the steps for your specific environment.

  • Locate your JRE Installation Directory. If you have not changed the installation path for the Java Runtime Environment during installation, it will be in a directory under C:\Program Files\Java\.

  • Select Start > Control Panel > System and Security > System.

  • Click Advanced System Settings.

  • Click Environment Variables.

  • Under System Variables, click New.

  • Enter the Variable name (JAVA_HOME) and set the Variable value to the JRE installation directory, for example C:\Program Files\Java\jre8.

  • Click OK.

Increasing the heap size available to the JVM can improve performance of the Identity Connect server. By default, Identity Connect runs with an initial heap and a maximum heap of 2 Gbytes. You can increase both the initial and maximum heap size available to the JVM by setting the OPENIDM_OPTS environment variable prior to startup.

The following command changes the initial and maximum heap to 3 Gbytes. Adjust the command according to your shell. To set the environment variable on Windows systems, see the Microsoft TechNet article at http://technet.microsoft.com/en-us/library/cc772047.aspx.

$ export OPENIDM_OPTS="-Xmx3g -Xms3g"
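The requirements in this section can be checked before startup. The following is an added example, not part of Identity Connect or its documentation: it validates `java -version` output against the 64-bit Java 8 requirement, checks that JAVA_HOME points at the root of an installation, and checks the heap flags in OPENIDM_OPTS. The function names are hypothetical.

```python
import os
import re
import subprocess

# Added example: helper names are illustrative, not part of Identity Connect.
_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def check_java(version_output):
    """Problems in `java -version` output ([] = OK); Java 8 reports itself as 1.8."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', version_output)
    if not m:
        return ["no version string found"]
    problems = []
    if (int(m.group(1)), int(m.group(2) or 0)) != (1, 8):
        problems.append("Java 8 required, found " + m.group(0).split('"')[1])
    if "64-Bit" not in version_output:
        problems.append("64-bit JVM required")
    return problems


def check_java_home(env, exe="java.exe"):
    """JAVA_HOME must be the root of an installation, so bin/<exe> must exist."""
    home = env.get("JAVA_HOME", "").strip('"')
    if not home:
        return ["JAVA_HOME is not set"]
    if not os.path.isfile(os.path.join(home, "bin", exe)):
        return ["no bin/" + exe + " under JAVA_HOME " + home]
    return []


def check_heap(opts):
    """-Xms above -Xmx stops the JVM from starting; catch it before startup."""
    heap = {}
    for flag, num, unit in re.findall(r"-(Xm[sx])(\d+)([kKmMgG]?)", opts):
        heap[flag] = int(num) * _UNITS[unit.lower()]
    if heap.get("Xms", 0) > heap.get("Xmx", float("inf")):
        return ["-Xms exceeds -Xmx in OPENIDM_OPTS"]
    return []


if __name__ == "__main__":
    # `java -version` writes its report to stderr, not stdout.
    out = subprocess.run(["java", "-version"], stderr=subprocess.PIPE,
                         universal_newlines=True).stderr
    found = check_java(out) + check_heap(os.environ.get("OPENIDM_OPTS", ""))
    if os.name == "nt":  # the notes require JAVA_HOME on Windows only
        found += check_java_home(os.environ)
    print("\n".join("FAIL: " + p for p in found) or "OK")
```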

2.2. Supported Platforms

Identity Connect 2.1.0 has been tested primarily on the following platforms:

  • CentOS 6.4 64-bit with Java 1.8.0 update 74

  • Microsoft Windows 2008 R2 server and Microsoft Windows 2012 R2 server, with Java 1.8.0 update 74

Testing was performed with an Active Directory server and an Active Directory Lightweight Directory Services (AD LDS) instance, running on Microsoft Windows 2008 R2 server and on Microsoft Windows 2012 R2 server.

2.3. Supported Repositories

OrientDB is provided with Identity Connect as an internal (embedded) repository. The following JDBC repositories are also supported but require a separate download:

  • MySQL 5.1 or 5.5 with Connector/J 5.1.18 or later

  • MS SQL Server 2008 R2, or later

Note

Running Identity Connect 2.1.0 in a clustered deployment is supported only with a MySQL repository running on a CentOS/Red Hat Enterprise Linux system.

2.4. Supported Browsers

The following table lists the browsers with which the Identity Connect user (login) interface and the Identity Connect administrative interface have been tested.

| Browser | Version | Comments |
|---|---|---|
| Google Chrome | Most recent stable version | User and administrative interface |
| Mozilla Firefox | Most recent stable version | User and administrative interface |
| Microsoft Internet Explorer | Version 10 and 11 | User and administrative interface |
| Microsoft Internet Explorer | Versions 8 and 9 | User interface only |
| Safari | Version 5 and later | User and administrative interface |

For information about the browsers that are supported for the Salesforce UI, see the Salesforce documentation.

2.5. Hardware Requirements

You need at least 200 MB disk space and 2 GB memory for a minimal evaluation installation. For a production installation, disk space and memory requirements will depend on the number of Active Directory users, and on the size of the log files that Identity Connect writes.

Chapter 3. Known and Resolved Issues in Identity Connect 2.1.0

This chapter lists the main issues and limitations that are known to exist in this Identity Connect release, as well as major issues that have been fixed since the previous release.

3.1. Limitations

  • In Identity Connect 2.1.0, MySQL is the only supported repository for use in a clustered environment. There are known limitations with the use of the embedded OrientDB repository in a clustered Identity Connect deployment in this release.

  • Identity Connect does not support mapping and synchronization of Salesforce Permission Set License Assignments.

    Identity Connect supports mapping between an Active Directory group and a Salesforce Permission Set but not if that Permission Set is available as the result of a Permission Set License Assignment being granted to the user.

    For more information about Permission Set License Assignments, see PermissionSetLicense and PermissionSetLicenseAssign in the Salesforce Developer Documentation.

3.2. Known Issues in This Release

This section lists the known issues with Identity Connect 2.1.0.

IB-1229

On a Windows 2012 R2 server, with Java 8, Identity Connect occasionally throws the following exceptions the first time it is started:

March 09, 2016 4:07:12 ODP. org.eclipse.jetty.util.log.JavaUtilLog warn
WARNING: 1 threads could not be stopped
March 09, 2016 4:07:12 ODP. org.forgerock.openidm.logging.LogServiceTracker logEntry
SEVERE: Bundle: org.forgerock.openidm.servlet [80] [org.forgerock.openidm.ui.context]
      Cannot create component instance due to failure to bind reference webContainer
March 09, 2016 4:07:12 ODP. org.forgerock.openidm.logging.LogServiceTracker logEntry
SEVERE: Bundle: org.forgerock.openidm.servlet [80] [org.forgerock.openidm.ui.context]
      Component instance could not be created, activation failed
...     

Restarting Identity Connect resolves the problem.

IB-1215

When mapping a custom Salesforce user attribute with multiple values, the group autocomplete window appears with the wrong focus.

IB-1206

Occasionally, an updated Permission Set to AD group mapping or Salesforce group to AD group mapping does not display immediately. When the browser is refreshed, the updated configuration is displayed.

IB-1197

When a public group is deleted in Salesforce, the deletion of that group is not reflected immediately in the Admin UI, and still displays in mappings until the browser is refreshed.

IB-1195

The OrientDB database backup feature is not working as expected.

IB-1191

Identity Connect throws exceptions the first time it is started.

IB-1183

There are hard-coded references to database schema and table names in the JDBC configuration file for MySQL.

IB-1165

For an Active Directory LDS server, the pwdLastSet attribute is not visible on the Mapping page, and is therefore not able to be mapped.

IB-1157

When multiple Salesforce organizations are configured, updating the Salesforce Connector configuration incorrectly returns administrators to the Create / Clone Organization page.

IB-1107

In certain situations, the LiveSync scheduler for Active Directory groups is not enabled during the Identity Connect configuration.

IB-1106

Value Precedence for Profile mappings is not working correctly for LiveSync operations.

IB-1104

The WARNING message Unexpected failure during source reconciliation should provide more information on what has caused the problem.

IB-1096

During configuration, a large number of messages are logged at WARNING level, when in fact they are harmless and can be ignored.

IB-1086

Starting Identity Connect as a Windows service occasionally fails on a Windows 2012 R2 server.

IB-1073

The progress status for a reconciliation operation triggered by "Synch Now" is no longer displayed after a user logs out and logs back in.

IB-1007

When Identity Connect is configured in a cluster with persisted schedules configured on multiple nodes, it is possible for one node to 'steal' the trigger from under another node. When this happens, the exception is logged as SEVERE. In fact, this exception is harmless and should be logged at the INFO level or hidden.

IB-1006

When the Salesforce access token expires and is silently refreshed by Identity Connect, the following messages are logged as SEVERE:


Jul 16, 2014 4:37:40 PM org.restlet.engine.security.AuthenticatorUtils parseRequest
  WARNING: Couldn't find any helper support the HTTP_Token challenge scheme.
Jul 16, 2014 4:37:40 PM org.forgerock.openidm.salesforce.internal.SalesforceConnection
  getJsonResourceException
  SEVERE: REST API error:[ { "message" : "Session expired or invalid", "errorCode" :
  "INVALID_SESSION_ID" } ]
Jul 16, 2014 4:37:40 PM org.forgerock.openidm.salesforce.internal.SalesforceConnection
  getJsonResourceException
  SEVERE: Remote REST error: { "error": 401, "reason": "Unauthorized", "message":
  "Unauthorized", "detail": { "message": "Session expired or invalid",
  "INVALID_SESSION_ID": { "message": "Session expired or invalid", "errorCode":
  "INVALID_SESSION_ID" } } }

In addition, a number of WARNING-level connection reset messages are also logged to the IC log:


Jul 16, 2014 4:37:41 PM org.restlet.engine.http.connector.Connection writeMessage
  WARNING: Exception while writing the message headers. java.net.SocketException:
  Connection reset

These messages should be hidden as they are harmless, and their inclusion in the logs is confusing.

IB-999

When a CA-signed certificate is uploaded into Identity Connect by using the UI, Identity Connect must be restarted for the new certificate to be taken into account.

IB-988

In a clustered environment, with an OrientDB repository, if the primary node is down, the user login screen is not available.

IB-969

When Identity Connect was configured on a Windows Server, with Internet Explorer 11, a CA certificate added via the UI was not saved.

IB-967

When a base context is changed in the Active Directory data source, Identity Connect does not update the mappings accordingly.

IB-937

There is currently no way to refresh permission set license agreements from within the Identity Connect user interface. The current refresh rate is every hour.

IB-875

If the data source type is changed from Active Directory to AD LDS, reconciliation fails.

IB-802

The liveSync mechanism does not synchronize user changes in a subdomain after a change from domain controller (DC) mode to global catalog (GC) mode.

IB-777

Identity Connect can be installed as a Windows service only as the administrator, rather than as any user with administrative privileges.

IB-760

In a clustered environment, with an OrientDB repository, when the primary node is restarted, login fails on the secondary nodes. Restarting the secondary nodes solves the problem.

IB-658

When the connection to Salesforce.com is lost (due to a network outage, for example) the message that is displayed in the UI ("unknown error") does not indicate the problem.

IB-602

Failure to synchronize when the maximum number of APIs is reached is not reported in the UI. Instead, a partial list of users is retrieved. The error messages are, however, output to the logs.

IB-529

HTTP endpoints should automatically be redirected to HTTPS and root endpoints should be redirected to https://host.domain:8443/connect.

IB-325

With Internet Explorer 9, an error in the Active Directory connector configuration can cause the browser to hang during the connector validation process, with no error displayed.

IB-319

Certain attributes that are not replicated to the global catalog are still displayed by the UI when port 3268 or 3269 is used.
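Added example, not part of Identity Connect: a log triage sketch for IB-1006 above. It tags the WARNING and SEVERE records that these notes document as harmless so that other SEVERE records stand out. The sample log is constructed from the messages quoted under IB-1006; the ExampleRepoService record and all function names are hypothetical.

```python
import re

# Constructed sample: messages quoted under IB-1006, plus one invented SEVERE
# record (hypothetical class and text) that must stay visible.
SAMPLE_LOG = """\
Jul 16, 2014 4:37:40 PM org.restlet.engine.security.AuthenticatorUtils parseRequest
WARNING: Couldn't find any helper support the HTTP_Token challenge scheme.
Jul 16, 2014 4:37:40 PM org.forgerock.openidm.salesforce.internal.SalesforceConnection getJsonResourceException
SEVERE: REST API error:[ { "message" : "Session expired or invalid", "errorCode" : "INVALID_SESSION_ID" } ]
Jul 16, 2014 4:37:41 PM org.restlet.engine.http.connector.Connection writeMessage
WARNING: Exception while writing the message headers. java.net.SocketException:
  Connection reset
Jul 16, 2014 4:38:02 PM org.example.repo.ExampleRepoService connect
SEVERE: Cannot reach repository
"""

# A record starts at a timestamp line; wrapped or continuation lines belong to it.
RECORD_BREAK = re.compile(r"\n(?=[A-Z][a-z]{2,8} \d{1,2}, \d{4} )")
LEVEL = re.compile(r"\b(SEVERE|WARNING): ")

# (level, logger substring, message substring) documented as harmless in IB-1006.
# Matching on logger and message keeps the same text from another component visible.
KNOWN_HARMLESS = [
    ("SEVERE", "salesforce.internal.SalesforceConnection", "INVALID_SESSION_ID"),
    ("WARNING", "restlet.engine.security.AuthenticatorUtils", "HTTP_Token challenge"),
    ("WARNING", "restlet.engine.http.connector.Connection", "Connection reset"),
]


def records(text):
    """One whitespace-normalised string per log record."""
    return [" ".join(c.split()) for c in RECORD_BREAK.split(text) if c.strip()]


def triage(text):
    """Split WARNING/SEVERE records into documented-harmless and actionable."""
    result = {"harmless": [], "actionable": []}
    for rec in records(text):
        m = LEVEL.search(rec)
        if not m:
            continue  # INFO and lower levels are not triaged
        head, body = rec[:m.start()], rec[m.end():]
        known = any(lvl == m.group(1) and src in head and msg in body
                    for lvl, src, msg in KNOWN_HARMLESS)
        result["harmless" if known else "actionable"].append(rec)
    return result
```

Tagging the records and keeping a count of them, rather than dropping them, preserves the ability to notice an unusual volume of session expiries.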

3.3. Issues Fixed in This Release

No major issues have been fixed in this release.
