Chat now with support
Chat con el soporte

Starling Connect Identity Manager Integrated - Administration Guide

About this guide One Identity Starling Connect overview One Identity Starling Supported cloud applications Configuring connectors Connector versions Salesforce Facebook Workplace SAP Cloud Platform JIRA Server RSA Archer SuccessFactors Amazon S3 AWS ServiceNow Dropbox Crowd Atlassian JIRA Confluence Trello Box Pipedrive SuccessFactors HR NutShell Insightly Egnyte SugarCRM Oracle IDCS Statuspage Zendesk Sell Workbooks DocuSign Citrix ShareFile Zendesk Azure AD GSuite Concur Tableau GoToMeeting Coupa AWS Cognito Okta Creating a service account in GSuite Setting a trial account on Salesforce Working with Azure AD Generating a private key for service account in GoToMeeting OneIM limitations Configuring Amazon S3 AWS connector to support entitlements for User and Group Outbound IP addresses

Amazon S3 AWS

Amazon S3 AWS offers a suite of cloud-computing services that make up an on-demand computing platform. The most central and best-known of these are Amazon Elastic Compute Cloud (EC2) and Amazon Simple Storage Service (S3). AWS offers more than 70 services, including computing, storage, networking, database, analytics, application services, deployment, management, mobile, developer tools, and tools for the Internet of Things.

For more information about configuring Amazon S3 AWS connector with One Identity Manager, see Configuring Amazon S3 AWS connector to support entitlements for User and Group.

 

Supervisor configuration parameters

To configure the connector, following parameters are required:

  • Connector Name

  • Client Id of the cloud account
  • Client Secret of the cloud account

  • Region of the cloud account

  • SCIM URL (Cloud application's REST API's base URL)

Supported objects and operations

Users
Table 35: Supported operations and objects for Users

Operation

VERB

Create

POST

Update

PUT

Delete DELETE
Get all users GET
Get (Id) GET
Pagination GET
Groups
Table 36: Supported operations and objects for Groups

Operation

VERB

Create POST
Update PUT
Delete DELETE
Get all groups GET
Get (Id) GET

NOTE: Currently, addition or removal of entitlements for Groups is not supported by One Identity Manager.

Profiles
Table 37: Supported operations for Profiles

Operation

VERB

Get All Profiles

GET

Get Profile

GET

Mandatory fields

Users
  • User Name
  • Password - This is applicable only for the Create operation.
Groups
  • Group Name

User and Group mapping

The user and group mappings are listed in the tables below.

Table 38: User mapping
SCIM parameter Amazon S3 AWS parameter
Id UserName
UserName UserName
Password password
DisplayName Arn

Active

(true)

Groups

(ListGroupsForUserResult)Group

Entitlements

(ListAttachedUserPoliciesResult)AttachedPolicies

Created CreateDate
LastModified PasswordLastUsed

 

Table 39: Group mapping
SCIM parameter Amazon S3 AWS parameter
Id GroupName
displayName UserName
Entitlements (ListAttachedGroupPoliciesResult)AttachedPolicies
Members (GetGroupResult)Users
Created CreateDate
LastModified PasswordLastUsed

Connector limitations

  • Signature generation is embedded within a data process. Hence, the performance of the application is affected.

  • The Last Modified date is not available. Hence, the field contains the value of the recently used Password.

  • While performing Delete User or Delete Group operation, users or groups that are part of the deleted users or groups get detached from the below mentioned services. However, some services must be detached manually.

    • AccessKey
    • Roles
    • Groups
  • The task of assigning entitlements to groups is available with the connector. For successful working, certain changes must be made in One Identity Manager.

ServiceNow

ServiceNow is a service management platform that can be used for many different business units, including IT, human resources, facilities, and field services.

Supervisor configuration parameters

To configure the connector, following parameters are required:

  • Connector name

  • Username for the cloud account

  • Password for the cloud account

  • Custom Properties (List of custom properties, if any, to be mapped)

  • SCIM URL (Cloud application's REST API's base URL)

Supported objects and operations

Users
Table 40: Supported operations for Users

Operation

VERB

Create

POST

Update

PUT

Delete

DELETE

Get all users

GET

Get (Id)

GET

Pagination GET
Groups
Table 41: Supported operations for Groups

Operation

VERB

Create

POST

Update

PUT

Delete 

DELETE

Get all groups

GET

Get (id)

GET

Get

GET

Pagination GET
Roles
Table 42: Supported operations for Roles

Operation

VERB

Get All Roles

GET

Get Role (Id)

GET

Mandatory fields

Users
  • Username
Groups
  • Group Name

User and Group mapping

The user and group mapping is listed in the table below.

Table 43: User mapping
SCIM parameter ServiceNow parameter
userName user_name
name.familyName last_name
name.givenName first_name
name.middleName middle_name
displayName name
emails[0].value email
addresses[0].streetAddress street
addresses[0].locality city
addresses[0].region state
addresses[0].postalCode zip
addresses[0].country country
phoneNumbers[0].value phone
title title
preferredLanguage preferred_language
timeZone time_zone
active active
password user_password
roles.value {resource}.role.value
extension.organization company
extension.department department
extension.manager.value manager.value
extension.employeeNumber employee_number
id sys_id
groups.value {resource}.group.value

extension.lastLogon

last_login_time

Table 44: Group mapping
SCIM parameter ServiceNow parameter
id sys_id
displayName name
members.value {resource}.user.value
extension.description description
extension.email email

extension.groupType

type

extension.manager.value

manager.value

Configuring custom attributes in ServiceNow

This feature allows you to configure custom attributes in Starling Connector during connector subscription. You can provide the list of custom attributes in a defined format with the name, type and allowed values of the attributes. The custom mappings in the One Identity Manager provide the values for these custom attributes.

To configure custom attributes in ServiceNow:

  1. Create a Custom Attribute in ServiceNow.

    NOTE: The Starling Platform currently supports only the types String, dateTime, True/False and Choice in the ServiceNow sys_user table.

  2. To configure the custom attributes in Starling UI, enter the Custom Properties in the specified format in the Starling Platform.

  3. On the One Identity Manager, map the created custom attributes that were specified in the Starling Platform.

  4. Perform a synchronization and verify if the custom attributes are available in the One Identity Manager.

    NOTE:

    • The Starling UI for registering a ServiceNow connector has an input field to provide the custom attributes to be mapped in the connector's User resource type apart from the default mapped attributes.

    • The custom attributes in the User resource type must be in the following format:

      {field_name}|{data_type}|{choice_value1,choice_value2,etc};{field_name}|{data_type}|{choice_value1,choice_value2,etc};etc.

      Example:

      u_employee_status|string;u_date_of_termination_of_employments|DateTime;u_test_field_with_canonical_values|string|Choice 1,Choice 2,Choice 3

      field_name = Column name in ServiceNow

      data_type = string (or) boolean (or) datetime

    • All custom attributes are mapped in the enterprise user extensions.

    • The supported data types in the Starling Connect ServiceNow connector are string, boolean and dataTime.

      Choice type in the ServiceNow will become string type in OneIM with Canonical Values.

    • Only simple json attributes are supported. Complex json attributes are not supported.

    • All custom user attributes have 'mutability': 'readWrite', 'returned': 'default', 'caseExact': 'false', 'required': 'false', 'multiValued': 'false','uniqueness': 'none'.

Connector limitations

  • ServiceProviderAuthority contains only the Id field with the value being same as the instance id of the ServiceNow instance, as there are no APIs to fetch the tenant details in ServiceNow.

  • If the department name and organization name is provided during user create or update operations, the user gets assigned to the department and organization if the department and organization with the same name exists in ServiceNow cloud application.

  • If the invalid manager id is used for user's manager fields while performing user create or update operations, ServiceNow does not display any error. Instead, it invalid id is returned as the manager id.

  • In the request, if there are invalid values for timezone, language, and so on, ServiceNow does not display any error. Instead, the fields with invalid values would be blank.
  • GET Roles operation might not fetch all the roles. Some roles must be retrieved based on ServiceNow Access Control List (ACL).

  • If an invalid role id is used for user create or update operation, no error is displayed. Instead, the same invalid id in the role list is returned.
  • If an invalid member id is used for group create or update, no error is displayed. Instead, the same invalid id as the member id is returned.

  • Create User operation with existing user details shows the status code as 403 instead 409. The status code and the status message cannot be interpreted.

Dropbox

Dropbox offers secure file sharing and storage. It helps users manage sharing capabilities with groups and external collaborators through central folders with granular permissions.

Supervisor configuration parameters

To configure the connector, following parameters are required:

  • Connector name

  • API key (access token) for the cloud account

Supported objects and operations

Users
Table 45: Supported operations for Users

Operation

VERB

Create

POST

Update

PUT

Delete

DELETE

Get all users

GET

Get user by Id

GET

Get users with pagination GET
Groups
Table 46: Supported operations for Groups

Operation

VERB

Create

POST

Update

PUT

Delete 

DELETE

Get all groups

GET

Get group by Id

GET

Get groups with pagination

GET

Roles
Table 47: Supported operations for Roles

Operation

VERB

Get all roles

GET

Get role by Id

GET

Mandatory fields

Users
  • emails.value
Groups
  • displayName

User and Group mapping

The user and group mappings are listed in the tables below.

Table 48: User mapping
SCIM parameter Dropbox parameter
id profile.team_member_id
externalId profile.external_id
userName profile.email
name.familyName profile.name.surname

name.givenName

profile.name.given_name
name.formatted profile.name.display_name
displayName profile.name.display_name
emails[0].value profile.email
active profile.status[".tag"]
groups profile.groups

roles

role[".tag"]

meta.created

profile.joined_on

 

Table 49: Group mapping
SCIM parameter Dropbox parameter
id group_id
displayName group_name
members[].value members[].profile.team_member_id
members[].display members[].profile.name.display_name
enterpriseExtension.externalId group_external_id
meta.created created

Connector limitations

  • The LastModified date is not applicable for Groups.

  • Both created and lastModified dates are not applicable for Users.
  • Invalid Target URL returns the below mentioned status code and error message.

    • Status code: 500
    • Error message: There was an issue processing this request error.
  • User's role cannot be updated.

  • The user cannot be set as active while performing create or update.

  • The information about groups will not be present in the Create user response.

  • The Dropbox user statuses active and invited are considered as active in the connector.

  • APIs are not available to retrieve roles from Dropbox. Hence, the endpoints of the connector's roles provide predefined set of roles.

  • Deleted members cannot be added to a group. In a request to add multiple members to a group, if any user is deleted (members_not_in_team), then the entire request is not executed.

  • The userName property for user is read-only. However, this can be updated by updating the emails → value. The emails → value has been mapped against userName.

  • Dropbox returns error 500 without any message being shown, on cursor pagination with cursor length equal to 1. The same is observed when trying to update a deleted group. In this case, the connector returns the following error code and message:

    • Error Code: 400
    • Error message: Error occurred.

Crowd

Crowd is a single sign-on software that lets your system administrator connect multiple applications to one user login and password. Users only need one user ID and password to access any connected platform.

Supervisor configuration parameters

To configure the connector, following parameters are required:

  • Connector Name

  • Username

  • Password

  • SCIM URL

Supported objects and operations

Users
Table 50: Supported operations for Users

Operation

VERB

Create

POST

Update

PUT

Delete

DELETE

Get All Users

GET

Get User by Id

GET

Get All Users with pagination GET
Groups
Table 51: Supported operations for Groups

Operation

VERB

Create

POST

Update

PUT

Delete

DELETE

Get All Groups

GET

Get Group by Id

GET

Get All Groups with pagination GET

Mandatory fields

Users
  • Username
  • Password
Groups
  • DisplayName

User and Group mapping

The user and group mapping is listed in the table below.

Table 52: User mapping
SCIM parameter Crowd parameter
Id name
userName name
password password
active active
givenName first-name
familyName last-name
displayName display-name
Formatted display-name
email.value email
Created createdDate
LastModified lastModified
Table 53: Group mapping
SCIM parameter Crowd parameter
Id name
GroupName name
Active active
Description description
members.value members.name

Connector limitations

  • Crowd application does not have the ID field for Users and Groups. User name is considered as the userId, and the group name is considered as groupId.

  • Crowd cloud application does not have a created date and modified date for Groups.

  • UserName and GroupName must be used as a single term as the usage is same for userId and groupId.

  • UserName cannot be updated because it is used as an Id in cloud application.

  • DisplayName of Groups cannot be updated as required by the cloud application.

Documentos relacionados