Zendesk
Zendesk is a unified customer service platform. It features a common user interface, single login, and a platform for sharing customer data.
Supervisor configuration parameters
To configure the connector, the following parameters are required:
Supported objects and operations
Users
Table 170: Supported operations for Users
Operation | HTTP method
Create User | POST
Update User | PUT
Delete User | DELETE
Get User | GET
Get All Users | GET
Get All Users with Pagination | GET
Groups
Table 171: Supported operations for Groups
Operation | HTTP method
Create Group | POST
Update Group | PUT
Delete Group | DELETE
Get Groups | GET
Get All Groups | GET
Get All Users with Pagination | GET
Update Membership | PUT
Mandatory fields
Users
Groups
- DisplayName
NOTE: Additional features supported: the Zendesk connector supports attribute selection for the response, based on the attributes specified in the ?attributes= query parameter.
User and Group mapping
The user and group mappings are listed in the tables below.
Table 172: User mapping
SCIM attribute | Zendesk attribute
Id | id
UserName | email
DisplayName | name
Timezone | time_zone
Locale | locale
PhoneNumbers[].Value | phone
Emails[].Value | email
Active | active
Meta.Created | created_at
Meta.LastModified | updated_at
Groups
Table 173: Group mapping
SCIM attribute | Zendesk attribute
Id | id
DisplayName | name
Meta.Created | created_at
Meta.LastModified | updated_at
Connector limitations
- Only users with the Agent role can be added to a group membership.
- Get resource by pagination always returns resources in multiples of one hundred. For example, if the count is specified as 126, 200 records are returned.
- If any value for startIndex is passed when using the get resources by pagination parameter, the connector always returns the nearest 100 records from the requested number.
- Users can be deleted multiple times, as the cloud application supports soft delete.
- APIs are rate limited; for more details, refer to Usage limits.
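The attribute mapping in Table 172 and Table 173 and the rules listed under Connector limitations are easy to get subtly wrong when writing a SCIM client against this connector (for example, sending the read-only Meta fields on a PUT, or sizing a page for 126 records and receiving 200). The following Python is an added illustration, not the connector's or One Identity's code: it applies the two mapping tables in both directions, encodes the Agent-role membership rule and the multiple-of-100 pagination behaviour, and runs on a constructed sample user and group. The round-up in `records_returned` is an assumption that generalises the page's single example (126 to 200) to every count; the Zendesk role values used in `can_be_group_member` are those of Zendesk's user API.

```python
"""SCIM <-> Zendesk attribute mapping (Table 172 / Table 173) and the pagination and
membership rules from Connector limitations, as runnable checks.
Added illustration; not the connector's own code. The sample records are constructed."""
import math

PAGE_MULTIPLE = 100  # the connector returns paginated results in multiples of 100

# Constructed sample Zendesk user; field names follow the Zendesk side of Table 172.
SAMPLE_ZENDESK_USER = {
    "id": 35436,
    "name": "Jane Doe",
    "email": "jane@example.com",
    "time_zone": "Europe/London",
    "locale": "en-GB",
    "phone": "+44 20 7946 0000",
    "active": True,
    "role": "agent",
    "created_at": "2023-01-15T10:00:00Z",
    "updated_at": "2023-03-02T08:30:00Z",
}

# Constructed sample Zendesk group; field names follow the Zendesk side of Table 173.
SAMPLE_ZENDESK_GROUP = {"id": 901, "name": "Tier 1 Support",
                        "created_at": "2023-01-10T09:00:00Z", "updated_at": "2023-02-01T12:00:00Z"}


def zendesk_user_to_scim(user: dict) -> dict:
    """Apply Table 172 in the read (GET) direction."""
    return {
        "Id": str(user["id"]),
        "UserName": user.get("email"),
        "DisplayName": user.get("name"),
        "Timezone": user.get("time_zone"),
        "Locale": user.get("locale"),
        "Active": bool(user.get("active", False)),
        "PhoneNumbers": [{"Value": user["phone"]}] if user.get("phone") else [],
        "Emails": [{"Value": user["email"]}] if user.get("email") else [],
        "Meta": {"Created": user.get("created_at"), "LastModified": user.get("updated_at")},
    }


def scim_user_to_zendesk(scim: dict) -> dict:
    """Apply Table 172 in the write (POST/PUT) direction; Id and Meta are read-only and not sent."""
    body = {}
    # UserName and Emails[].Value both map to 'email'; prefer UserName, fall back to the first email.
    email = scim.get("UserName") or next((e.get("Value") for e in scim.get("Emails", [])), None)
    if email:
        body["email"] = email
    for scim_key, zd_key in (("DisplayName", "name"), ("Timezone", "time_zone"), ("Locale", "locale")):
        if scim.get(scim_key) is not None:
            body[zd_key] = scim[scim_key]
    phones = scim.get("PhoneNumbers") or []
    if phones:
        body["phone"] = phones[0]["Value"]
    if "Active" in scim:
        body["active"] = bool(scim["Active"])
    return body


def zendesk_group_to_scim(group: dict) -> dict:
    """Apply Table 173 in the read direction."""
    return {"Id": str(group["id"]), "DisplayName": group.get("name"),
            "Meta": {"Created": group.get("created_at"), "LastModified": group.get("updated_at")}}


def can_be_group_member(user: dict) -> bool:
    """Limitation: only users with the Agent role can be added to a group membership.
    Role values follow Zendesk's user API ('end-user', 'agent', 'admin')."""
    return user.get("role") == "agent"


def records_returned(count: int) -> int:
    """Limitation: paginated GETs return multiples of 100; the page's example is count=126 -> 200.
    Assumption: the same round-up applies to every count, not only the stated example."""
    if count <= 0:
        raise ValueError("count must be positive")
    return math.ceil(count / PAGE_MULTIPLE) * PAGE_MULTIPLE
```

When sizing pages, call `records_returned` with the count you intend to request and allocate for that number; a client that assumes exactly `count` records will silently drop the tail of each page.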
Azure AD
Azure AD is a connector that gives users a cloud-based platform for their on-premises resources. Using single sign-on, companies have access to any number of network or web-based applications along with hosting access and identity management resources.
Azure AD connectors are available for use with One Identity Safeguard for Privileged Passwords.
NOTE: Update the synchronization shell or create a new synchronization shell in One Identity Manager as changes are introduced in the schema.
Connector Configuration
Azure AD connector requires customer consent to retrieve resource details using the REST APIs. The Azure AD connector supports the configuration of both single tenant and multi tenant connectors. You can switch from a single tenant connector to a multi tenant connector while configuring the connector in Starling Connect UI.
Supervisor configuration parameters for single tenant connector
To configure the single tenant connector, the following parameters are required:
- Connector name
- Client Id for the app
- Client Secret of the app
- Directory Id of the Active Directory
- Target URL (the cloud application's instance URL, used as the target URI in the payload; for example, https://graph.microsoft.com/v1.0).
- Instance DateTime Offset (refer to Configuring additional datetime offset in connectors for more details).
Supervisor configuration parameters for multi tenant connector
To configure the multi tenant connector, the following parameters are required:
- Directory Id of the Active Directory
- Target URL (the cloud application's instance URL, used as the target URI in the payload; for example, https://graph.microsoft.com/v1.0).
- Instance DateTime Offset (refer to Configuring additional datetime offset in connectors for more details).
Supported objects and operations
Users
Table 174: Supported operations for Users
Operation | HTTP method
Create User | POST
Update User | PATCH
Delete User | DELETE
Get User | GET
Get All Users | GET
Groups
Table 175: Supported operations for Groups
Operation | HTTP method
Create Group | POST
Update Group | PATCH
Delete Group | DELETE
Get Group | GET
Get All Groups | GET
Application
Table 176: Supported operations for Application
Operation | HTTP method
Get Application | GET
Get All Applications | GET
Mandatory fields
Create/Update User
- email.value
- userType
- nickName
- displayName
- password
- active
Groups
Invite User
- redirectUrl
- emails[].value
- userType
User, Group and Application mapping
The user, group and application mappings are listed in the tables below:
Table 177: User mapping
SCIM attribute | Azure AD attribute
active | accountEnabled
addresses[0].country | country
addresses[0].locality | city
addresses[0].postalCode | postalcode
addresses[0].region | state
addresses[0].streetAddress | streetAddress
displayName | displayName
emails[0].value | userPrincipalName
groups[].display | memberOf[].displayName
groups[].value | memberOf[].id
Id | id
meta.created | createdDateTime
name.familyName | surname
name.givenName | givenName
nickName | mailNickname
phoneNumbers[0].value | businessPhones[0]
preferredLanguage | preferredLanguage
redemptionUrl | inviteRedeemUrl
redirectUrl | inviteRedirectUrl
title | jobTitle
userExtension.applications[].display | applications[].displayName
userExtension.applications[].principalId | applications[].principalId
userExtension.applications[].principalType | applications[].principalType
userExtension.applications[].value | applications[].appId
userExtension.department | department
userExtension.employeeNumber | employeeId
userExtension.manager.displayName | manager.displayName
userExtension.manager.value | manager.id
userExtension.organization | companyName
userName | userPrincipalName
userType | userType
Groups
Table 178: Group mapping
SCIM attribute | Azure AD attribute
enterpriseExtension.applications[].value | applications[].appId
enterpriseExtension.applications[].display | applications[].displayName
enterpriseExtension.applications[].principalId | applications[].principalId
enterpriseExtension.applications[].principalType | applications[].principalType
displayName | displayName
enterpriseExtension.description | description
enterpriseExtension.mailNickname | mailNickname
Id | id
members[].display | members[].displayName
members[].value | members[].id
meta.created | createdDateTime
Application
Table 179: Application mapping
SCIM attribute | Azure AD attribute
appId | appId
displayName | displayName
Id | id
meta.created | createdDateTime
publisherDomain | publisherDomain
Connector limitations
- lastModified is not provided for Users, Groups and Applications.
- Groups are of two types: Security groups and Office 365 groups. Azure AD supports users and groups as members of groups. Security groups can have users and other Security groups as members; however, only users can be added as members of Office 365 groups.
- With a trial Azure AD account, only Security groups can be created through the APIs. For information on mapping the appropriate properties, see the User and Group section.
- If an appRole is assigned to a group, only the direct user members of that group also have that appRole assigned; members of nested groups do not.
- Azure AD resource Ids follow the GUID format. When you try to edit, retrieve, or delete a group by an Id that is not in a valid GUID format, the connector returns response code 400. With an Id that is in a valid GUID format but does not exist, the connector returns response code 404.
- The email value for a user must use a domain that is verified in the selected Active Directory. To find the verified domains, go to Azure Active Directory in the Azure portal; on the Overview page, the verified domain names are displayed above the directory name.
- You can create multiple groups with the same name.
- For more information on password policy settings applied to user accounts that are created and managed in Azure AD, see Password policies that only apply to cloud user accounts.
Azure AD connector for Safeguard for Privileged Passwords
- For Safeguard for Privileged Passwords, you must assign at least the Helpdesk Administrator role for the application created, but should assign a higher role if you want to manage special accounts (for example, Billing Administrator or Global Administrator).
- For Safeguard for Privileged Passwords, the Azure AD application registration must be public.
- Safeguard for Privileged Passwords only allows for a single tenant connector configuration.