Chatee ahora con Soporte
Chat con el soporte

Identity Manager 9.2 - Administration Guide for Integration with OneLogin Cloud Directory

Integration with OneLogin Cloud Directory Synchronizing a OneLogin domain
Setting up initial synchronization with a OneLogin domain Customizing the synchronization configuration Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing OneLogin user accounts and identities Managing memberships in OneLogin roles Login credentials for OneLogin user accounts Mapping OneLogin objects in One Identity Manager
OneLogin domains OneLogin user accounts OneLogin applications OneLogin roles OneLogin authentication methods OneLogin service providers OneLogin clients OneLogin scopes OneLogin policies OneLogin groups OneLogin privileges OneLogin custom user fields Reports about OneLogin objects
Handling of OneLogin objects in the Web Portal Base data for OneLogin domains Configuration parameters for managing OneLogin domains Default template for OneLogin domains Editing OneLogin system objects OneLogin connector settings

Creating an initial synchronization project for OneLogin domains

NOTE: The following sequence describes how to configure a synchronization project if the Synchronization Editor is both:

  • Run in default mode

  • Started from the Launchpad

If you run the project wizard in expert mode or directly from the Synchronization Editor, additional configuration settings can be made. Follow the project wizard instructions through these steps.

NOTE: Just one synchronization project can be created per target system and default project template used.

To set up an initial synchronization project for a OneLogin-based target system

  1. Start the Launchpad and log in on the One Identity Manager database.

    NOTE: If synchronization is run by an application server, connect the database through the application server.

  2. Select the Target system type OneLogin entry and click Start.

    This starts the Synchronization Editor's project wizard.

  1. On the wizard's start page, click Next.

  2. On the System access page, specify how One Identity Manager can access the target system.

    • If access is possible from the workstation on which you started the Synchronization Editor, do not change any settings.

    • If access is not possible from the workstation on which you started the Synchronization Editor, you can set up a remote connection.

      Enable the Connect using remote connection server option and select the server to be used for the connection under Job server.

  1. On the Connection data page, enter the connection data for logging in to the OneLogin domain.

    • OneLogin domain: Enter the full name of the OneLogin domain, for example <your domain>.onelogin.com.

    • URI of API without version: Enter the URI under which the API can be reached. Only the part of the URL used in common by all endpoints to be called, is required.

      If the complete URL is https://my-identities.onelogin.com/api/2, then enter api as the URI here. The version part and the object type part are given in the resource configuration.

    • Authentication endpoint/URL: Enter the URI under which authentication is possible. Only the part of the URL added to the common part, is required to reach the authentication endpoints. If authentication of another server or another root URL is used for authentication, the full URL must be entered here.

      If the complete URI is https://my-identities.onelogin.com/api/auth/oauth2/token, enter auth/oauth2/token here. If the base URL or the server is different to the resource URL, enter the full URL, for example https://api.us.onelogin.com/auth/oauth2/v2/token.

  2. On the OAuth authentication page, enter the login credentials and select a grant type.

    • Client secret: Secret security token for logging in. If the security token is not known, enter the user name and password.

    • User name and password: User name and password for logging in if the security token is not known.

    • Application/Client ID: Enter the client ID with which the application is registered in OneLogin.

    • Grant type: Select the type of access for the login. Enable Client credentials or Password credentials.

    • Scope: (Optional) Enter a scope parameter valid for target system login. If several parameter apply, separate them with spaces.

  3. On Verify connection settings page, you can test the connection. Click Test.

    One Identity Manager tries to connect to the OneLogin domain.

    TIP: One Identity Manager saves the test result. When you reopen the page and the connection data has not changed, the result of the test is displayed. You do not have to run the connection test again if it was successful.

  4. On the Optimizations page, you can configure additional settings for optimizing synchronization performance.

    • Use local cache: Specify whether to use the OneLogin connector's local cache.

      Local cache is used to speed up synchronization. Access to the cloud application is minimized during full synchronization. The option is ignored during provisioning.

      It does not make sense to use the cache during synchronization with revision filtering. If the target system supports revision filtering, disable the option after initial synchronization.

    • Max. number of parallel queries: Maximum number of target system queries that can be carried out simultaneously. Enter a value between 1 and 32.

    • Use HTTP Keep-Alive : Specifies whether HTTP connections are kept open. If the option is not set, connections are closed immediately and cannot be used for further queries.

  5. On the Display Name page, enter a unique display name.

    You can use the display names to differentiate between the various connection configurations for the OneLogin REST API.

  6. On the last page of the system connection wizard you can save the connection data locally and finish the system connection configuration.

    • Set the Save connection locally option to save the connection data. This can be reused when you set up other synchronization projects.

    • Click Finish, to end the system connection wizard and return to the project wizard.
  1. On the One Identity Manager Connection tab, test the data for connecting to the One Identity Manager database. The data is loaded from the connected database. Reenter the password.

    NOTE:

    • If you use an unencrypted One Identity Manager database and have not yet saved any synchronization projects to the database, you need to enter all connection data again.

    • This page is not shown if a synchronization project already exists.

  2. The wizard loads the target system schema. This may take a few minutes depending on the type of target system access and the size of the target system.

  1. On the Restrict target system access page, specify how system access should work. You have the following options: Read-only access to target system.
    Table 5: Specify target system access
    Option Meaning

    Specifies that a synchronization workflow is only to be set up for the initial loading of the target system into the One Identity Manager database.

    The synchronization workflow has the following characteristics:

    • Synchronization is in the direction of One Identity Manager.

    • Processing methods in the synchronization steps are only defined for synchronization in the direction of One Identity Manager.

    Read/write access to target system. Provisioning available.

    Specifies whether a provisioning workflow is set up in addition to the synchronization workflow for the initial loading of the target system.

    The provisioning workflow displays the following characteristics:

    • Synchronization is in the direction of the Target system.

    • Processing methods are only defined in the synchronization steps for synchronization in the direction of the Target system.

    • Synchronization steps are only created for such schema classes whose schema types have write access.

  1. On the Synchronization server page, select the synchronization server to run the synchronization.

    If the synchronization server is not declared as a Job server for this target system in the One Identity Manager database yet, you can add a new Job server.

    1. Click to add a new Job server.

    2. Enter a name for the Job server and the full server name conforming to DNS syntax.

      TIP: You can also implement an existing Job server as the synchronization server for this target system.

      • To select a Job server, click .

      This automatically assigns the server function matching this Job server.

    3. Click OK.

      The synchronization server is declared as Job server for the target system in the One Identity Manager database.

    4. NOTE: After you save the synchronization project, ensure that this server is set up as a synchronization server.

  1. To close the project wizard, click Finish.

    This sets up, saves and immediately activates the synchronization project.

    NOTE:

    • If enabled, a consistency check is carried out. If errors occur, a message appears. You can decide whether the synchronization project can remain activated or not.

      Check the errors before you use the synchronization project. To do this, in the General view on the Synchronization Editor‘s start page, click Verify project.

    • If you do not want the synchronization project to be activated immediately, disable the Activate and save the new synchronization project automatically option. In this case, save the synchronization project manually before closing the Synchronization Editor.

Related topics

Configuring the synchronization log

All the information, tips, warnings, and errors that occur during synchronization are recorded in the synchronization log. You can configure the type of information to record separately for each system connection and synchronization workflow.

To configure the content of the synchronization log for a system connection

  1. To configure the synchronization log for target system connection, in the Synchronization Editor, select the Configuration > Target system category.

    - OR -

    To configure the synchronization log for the database connection, in the Synchronization Editor, select the Configuration > One Identity Manager connection category.

  2. In the General section, click Setup.

  3. In the Synchronization log section, set Create synchronization log.

  4. Enable the data to be logged.

    NOTE: Some content generates a particularly large volume of log data. The synchronization log should only contain data required for error analysis and other analyzes.

  5. Click OK.

To configure the content of the synchronization log for a synchronization workflow

  1. In the Synchronization Editor, select the Workflows category.

  2. Select a workflow in the navigation view.

  3. In the General section, click Edit.

  4. Select the Synchronization log tab.

  5. Enable the data to be logged.

    NOTE: Some content generates a particularly large volume of log data. The synchronization log should only contain data required for error analysis and other analyzes.

  6. Click OK.

Synchronization logs are stored for a fixed length of time.

To modify the retention period for synchronization logs

  • In the Designer, enable the DPR | Journal | LifeTime configuration parameter and enter the maximum retention period.

Related topics

Customizing the synchronization configuration

Having used the Synchronization Editor to set up a synchronization project for initial synchronization of a OneLogin domain, you can use the synchronization project to load OneLogin objects into the One Identity Manager database. If you manage user accounts and their authorizations with One Identity Manager, changes are provisioned in the OneLogin domain.

You must customize the synchronization configuration in order to compare the database with the OneLogin domain regularly and to synchronize changes.

  • To use One Identity Manager as the primary system during synchronization, create a workflow with synchronization in the direction of the Target system.

  • You can use variables to create generally applicable synchronization configurations that contain the necessary information about the synchronization objects when synchronization starts. Variables can be implemented in base objects, schema classes, or processing method, for example.

  • Use variables to set up a synchronization project for synchronizing different domains. Store a connection parameter as a variable for logging in to the domain.

  • To specify which OneLogin objects and database objects are included in synchronization, edit the scope of the target system connection and the One Identity Manager database connection. To prevent data inconsistencies, define the same scope in both systems. If no scope is defined, all objects will be synchronized.

  • Update the schema in the synchronization project if the One Identity Manager schema or target system schema has changed. Then you can add the changes to the mapping.

  • To synchronize additional schema properties, update the schema in the synchronization project. Include the schema extensions in the mapping.

For more information about configuring synchronization, see the One Identity Manager Target System Synchronization Reference Guide.

Detailed information about this topic

Customizing synchronization projects for OneLogin privileges

OneLogin privileges synchronization is disabled by default. To synchronize privileges, the synchronization project must be customized.

  • In the Initial Synchronization workflow, enable the Privilege and UserPrivilege synchronization steps.

  • In the Provisioning workflow, enable the UserPrivilege synchronization step.

Related topics
Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación