The Identity Center's identity store contains entries with attributes. Normally the attribute values are stored in the identity store, but there may be cases where the attributes are retrieved from an external data source when needed. The reasons for this may be:
Avoiding duplicate storage of data, for example for sensitivity reasons.
Dynamic data. The attribute value changes so often that it should be retrieved from the source every time it is accessed.
The size of the attribute value is so big that either it should not be stored in the identity store at all, or it should only be retrieved when needed.
The external source must be an LDAP server. You can define the server as a repository in the Identity Center. The Virtual Directory Server provides LDAP access to any kind of data source, so by combining the two products it will be possible to use for example a database as source for an external attribute.
When configuring an identity store attribute you can specify that the value should be retrieved from an external source. This is done by specifying an LDAP URL that can be used to retrieve the attribute value.
The identity store can act as a cache for external attributes. This is configured by specifying a time to live for the attribute. You can specify that the attribute should be deleted from the identity store after a certain period of time. As long as the attribute value is present in the identity store, this value will be used/returned for provisioning or when accessing the entry. After the attribute is removed from the identity store it will be retrieved from the external data source when accessed the next time. If Time to live is set to "Indefinite", the attribute is retrieved from the external source the first time it is accessed, and will never be deleted from the identity store.
Fail-safe means that it is possible to define a "backup" if the value for an attribute value cannot be found. In this case the fail-safe value is retrieved from the revisions (history). If the LDAP request to the external source fails, the Identity Center will try to retrieve the most recent value from the attribute's history.
The attribute must be configured to keep at least one revision of the attribute that can be used for the fail-safe. Additionally, you must configure the period for which the fail-safe is valid (Fail-safe time to live). This value can be set to "Indefinite", meaning that the fail-safe value is valid "forever". The fail-safe time to live can also be limited to a certain period of time. After this period, no old value will be returned.
If combining cache (Time to live) with fail-safe (Fail-safe time to live), the fail-safe time to live must be longer than the cache time to live for the fail-safe to have any effect.
Some error situations that may occur:
The LDAP request fails. This can happen if the directory server is not available. In this case fail-safe is used if defined. If fail-safe is not defined, or there is no fail-safe value is found, an error is returned.
The LDAP request returns no entries. In this case the selected method for "Empty value handling" is used.
The LDAP request returns more than one entry. This will return an error.
If an error is returned, the job will terminate and retried using the generic mechanisms in the Identity Center. When an external attribute is referenced from a task, the task will be displayed and the field contains a text that the value is temporarily unavailable.