
Starling Connect Hosted - One Identity Manager Administration Guide


Synchronization and integration of Roles object type with One Identity Manager

Coupa connector allows users to move data in and out of Coupa. It lets you manage spend more efficiently by being able to integrate and access spend management and data for expenses, and integrate with other cloud applications.

Supervisor configuration parameters for Coupa v.1.0

To configure the connector, the following parameters are required:

Configuring custom attributes for Coupa v.1.0

You can configure custom attributes for the Coupa v.1.0 connector when you configure the connector in Starling Connect by adding the custom attributes in the Custom Properties field in the defined format.

NOTE: For more information about how to configure custom attributes in Coupa v.1.0, see Configuring custom attributes for Coupa v.1.0.

Supervisor configuration parameters for Coupa v.1.1

For more information, see Creating integration Connect Client in Coupa.

You can configure custom attributes for the Coupa v.1.1 connector in the same way as for Coupa v.1.0: in Starling Connect, add the custom attributes in the Custom Properties field in the defined format.

NOTE: For more information about how to configure custom attributes in Coupa v.1.1, see Configuring custom attributes for Coupa v.1.0.

Supervisor configuration parameters for Coupa v.2.0

To configure the connector, the following parameters are required:

Configuring custom attributes for Coupa v.2.0

You can configure custom attributes for the Coupa v.2.0 connector in Starling Connect for the User object in the Custom Attributes section in Schema Configuration.

NOTE:

  • The Coupa cloud application allows you to create custom attributes only for User objects.
  • For more information about how to configure custom attributes in Coupa v.2.0, see Configuring custom attributes in connectors.

Supported objects and operations

Users

Table 196: Supported operations for Users
Operation VERB
Create User POST
Update User PUT
Get User by id GET
Get All Users GET
Get All Users with Pagination GET
Update Role Membership PUT
Update Group Membership PUT
Update UserGroups Membership PUT
Update AccountGroups Membership PUT

NOTE: The membership operations are user-based operations, in line with the behavior of the Coupa target system.

Groups

Table 197: Supported operations for Groups
Operation VERB
Get Group by id GET
Get All Groups GET
Get All Groups with Pagination GET

Roles

Table 198: Supported operations for Roles
Operation VERB
Get Roles by id GET
Get All Roles GET
Get All Roles with Pagination GET

UserGroups

Table 199:
Operation VERB
Get UserGroups by id GET
Get All UserGroups GET
Get All UserGroups with pagination GET

AccountGroups

Table 200:
Operation VERB
Get AccountGroups by id GET
Get All AccountGroups GET
Get All AccountGroups with pagination GET

Mandatory fields

Users

  • Username
  • Email
  • FirstName
  • LastName

Groups

NA

User and Group mapping

The user and group mappings are listed in the tables below.

Table 201: User mapping
SCIM parameter Coupa parameter
Id id
UserName login
Name.GivenName firstname
Name.FamilyName lastname
Name.Formatted fullname
DisplayName fullname
Emails[0].value email
Photos avatar-thumb-url
Addresses.StreetAddress default-address[0].street1
Addresses.Locality default-address[0].city
Addresses.Region default-address[0].state
Addresses.PostalCode default-address[0].postal-code
Addresses.Country default-address[0].country[0].name
Groups.value content-groups[x].id
Groups.display content-groups[x].name
Roles.value roles.id
Roles.display roles.name
Active active
Locale default-locale
PreferredLanguage default-locale
Extension.Manager.value manager.id
Extension.EmployeeNumber employee-number
Extension.CostCenter custom-fields.default-user-cost-center
Extension.AuthenticationMethod authentication-method
Extension.SsoIdentifier sso-identifier
Extension.PurchasingUser purchasing-user
Extension.ExpenseUser expense-user
Extension.SourcingUser sourcing-user
Extension.InventoryUser inventory-user
Extension.ContractsUser contracts-user
Extension.AnalyticsUser analytics-user
Extension.invoiceApprovalLimit invoice-approval-limit
Extension.invoiceSelfApprovalLimit invoice-self-approval-limit
Extension.requisitionApprovalLimit Requisition-approval-limit
Extension.requisitionSelfApprovalLimit Requisition-self-approval-limit
Extension.contractApprovalLimit Contract-approval-limit
Extension.contractSelfApprovalLimit Contract-self-approval-limit
Extension.workConfirmationApprovalLimit work-confirmation-approval-limit
Extension.defaultChartOfAccountsName default-account.name
Extension.defaultAccountCode default-account.code
Extension.defaultAccountCodeSegment1 default-account.segment1
Extension.defaultAccountCodeSegment2 default-account.segment2
Extension.defaultCurrency default-currency
Extension.defaultAddressLocationCode default-address.location-code
Extension.accountSecurityType account-security-type
Extension.businessGroupSecurityType business-group-security-type
Extension.mentionName mention-name
Extension.AccountGroups account-groups[]
Extension.ApprovalGroups approval-groups[]
Created created-at
LastModified updated-at
Extension.expenseSelfApprovalLimit expense-self-approval-limit
Extension.expenseApprovalLimit expense-approval-limit

Groups

Table 202: Group mapping
SCIM parameter Coupa parameter
Id id
DisplayName name
Created created-at
LastModified updated-at

Roles

Table 203: Roles mapping
SCIM parameter Coupa parameter
Id id
DisplayName name
Created created-at
LastModified updated-at

UserGroups

Table 204: UserGroups (or ApprovalGroups) mapping
SCIM parameter Coupa parameter
Id id
DisplayName name
Created created-at
LastModified updated-at

AccountGroups

Table 205: AccountGroups mapping
SCIM parameter Coupa parameter
Id id
DisplayName name
Created created-at
LastModified updated-at

The Coupa connector can perform granular updates of the Users object type; this capability is available exclusively with version 3.0. It lets customers modify the User object by passing only the selected attribute and the value to be modified. It is implemented by enabling the PATCH operation recommended by the SCIM standard. The change can be observed in One Identity Manager by using any debug tool to capture the request sent. Prior versions of the connector continue to work with PUT without any change.

Connector versions and features

The following subsections describe the different connector version(s) and features available with them.

Supported Versions

The supported versions of Coupa connector are:

  • v.1.0
  • v.1.1
  • v.2.0

NOTE: For more information, see Connector versions.

Features available exclusively in Coupa v.1.1

  • Support for OAuth authentication, built on v.1.0.

Features available exclusively in Coupa v.2.0

  • Support for OAuth Authentication

  • Support for schema configuration by adding custom attributes

Connector limitations

  • The SCIM pagination parameter Total Results (RFC 7644, section 3.4.2.4: https://tools.ietf.org/html/rfc7644#section-3.4.2.4) is not returned because of a limitation in the GetAllUsers API of the COUPA target system, which returns only 50 objects per request. As a result, One Identity Manager SCIM synchronization uses index-based logic for pagination.

  • The COUPA target system supports only soft delete of the User object type. Because of this, the GET All Users API returns both active and inactive user objects.

  • The Starling COUPA connector provides two new SCIM endpoints, Account-Groups and User-Groups. These endpoints support GET and GETALL operations only. This is in line with the COUPA target API behavior, where the CREATE, UPDATE, and DELETE operations are not allowed.

  • To accommodate modification of the COUPA user object attributes default-account.segment-1 and default-account.segment-2, the User object type update operation is carried out in two steps:

    • Step 1: Updates values for all the attributes except default-account.segment-1 and default-account.segment-2.
    • Step 2: Updates values for the default-account.segment-1 and default-account.segment-2 attributes.

    NOTE: As per the COUPA documentation, to set the values of default-account.segment-1 and default-account.segment-2, the values of the account-security-type and default-account-type.name attributes should already be set.

  • While provisioning or updating a User object, the value of the account-security-type attribute of the User object is calculated from the values of the default-account-type.name and account-groups attributes. This is in line with the COUPA target system documentation and with customer requirements.

    For example:

    • account-security-type is set to 2 if default-account-type.name has a value and account-groups is not empty.
    • account-security-type is set to 1 if default-account-type.name has a value and account-groups is empty.
    • account-security-type is not modified if default-account-type.name does not have a value.
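The pagination and soft-delete limitations above matter most when checking deprovisioning, so the following added example (not One Identity or Coupa code) pages through a Users endpoint that returns no total and then checks the active flag for a list of leavers. The `get_page` callable, the helper names and all sample records are assumptions constructed for illustration.

```python
PAGE_SIZE = 50  # the page states Coupa returns only 50 objects per request


def fetch_all_users(get_page, page_size=PAGE_SIZE, max_pages=10_000):
    """Walk a SCIM Users endpoint that does not return a total.

    get_page(start_index, count) is a caller-supplied function (assumption)
    returning the parsed SCIM ListResponse as a dict. With no total to
    compare against, paging stops on the first short or empty page.
    """
    users, start_index = [], 1  # SCIM startIndex is 1-based (RFC 7644)
    for _ in range(max_pages):
        resources = get_page(start_index, page_size).get("Resources") or []
        users.extend(resources)
        if len(resources) < page_size:
            return users
        start_index += len(resources)
    raise RuntimeError("pagination did not terminate within max_pages")


def leavers_still_active(users, leavers):
    """Return userNames of leavers whose account is still active.

    Coupa only soft-deletes users, so a deprovisioned account still shows up
    in Get All Users. Presence proves nothing; the 'active' flag is the
    signal. Anything other than an explicit False counts as still active.
    """
    wanted = {name.lower() for name in leavers}
    return sorted(
        u["userName"] for u in users
        if u.get("userName", "").lower() in wanted
        and u.get("active") is not False
    )


def make_fake_endpoint(records):
    """Constructed stand-in for the connector: responses carry no total."""
    calls = []

    def get_page(start_index, count):
        calls.append((start_index, count))
        chunk = records[start_index - 1:start_index - 1 + count]
        return {"startIndex": start_index, "itemsPerPage": len(chunk),
                "Resources": chunk}

    return get_page, calls


def demo():
    # Constructed data: 100 users, every 10th one soft-deleted.
    records = [{"id": str(i), "userName": f"user{i:03d}",
                "active": i % 10 != 0} for i in range(1, 101)]
    get_page, calls = make_fake_endpoint(records)
    users = fetch_all_users(get_page)
    flagged = leavers_still_active(users, ["user010", "user011", "USER020"])
    return len(users), calls, flagged


if __name__ == "__main__":
    print(demo())
```

When the number of users is an exact multiple of the page size, the loop needs one extra request that comes back empty before it can stop.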
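To predict what the connector will write to account-security-type, the two-step update and the calculation rule above can be modelled as a small planner. This is an added example, not the connector's own code: the attribute names are the ones used on this page, while the flat dictionary layout and the function names are assumptions.

```python
SEGMENT_ATTRS = ("default-account.segment-1", "default-account.segment-2")
PREREQUISITES = ("account-security-type", "default-account-type.name")


def has_value(v):
    """Treat None, empty strings and empty sequences as 'no value'."""
    return v not in (None, "", [], ())


def derive_account_security_type(user):
    """Return 2, 1, or None (leave unchanged), following the rule above."""
    if not has_value(user.get("default-account-type.name")):
        return None
    return 2 if has_value(user.get("account-groups")) else 1


def plan_user_update(current, changes):
    """Split one logical update into the two writes described above.

    current: attributes already stored on the Coupa user (flat dict)
    changes: attributes the caller wants to set (flat dict)
    Returns a list of (step, payload) tuples. Raises ValueError when the
    segment attributes are requested without their prerequisites.
    """
    merged = {**current, **changes}

    # Step 1: everything except the two segment attributes.
    step1 = {k: v for k, v in changes.items() if k not in SEGMENT_ATTRS}
    derived = derive_account_security_type(merged)
    if derived is not None and merged.get("account-security-type") != derived:
        # The calculated value wins over a stored or requested one.
        step1["account-security-type"] = derived
        merged["account-security-type"] = derived

    # Step 2: only the segment attributes, and only if prerequisites are set.
    step2 = {k: v for k, v in changes.items() if k in SEGMENT_ATTRS}
    if step2:
        missing = [a for a in PREREQUISITES if not has_value(merged.get(a))]
        if missing:
            raise ValueError("segments need these set first: "
                             + ", ".join(missing))

    steps = []
    if step1:
        steps.append(("step-1", step1))
    if step2:
        steps.append(("step-2", step2))
    return steps


if __name__ == "__main__":
    # Constructed sample: adding an account group flips the type from 1 to 2.
    stored = {"default-account-type.name": "Corporate",
              "account-security-type": 1, "account-groups": []}
    wanted = {"account-groups": ["AG-10"], "firstname": "Ana",
              "default-account.segment-1": "100"}
    for step in plan_user_update(stored, wanted):
        print(step)
```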

For more information, see Synchronization and integration of Roles object type with One Identity Manager.

User centric membership configuration for Coupa

For more information, see User centric membership.


AWS Cognito

AWS Cognito is a connector from Amazon Web Services that helps developers build web and mobile apps that are more secure. It helps to better authenticate users. It also handles user data, including passwords, token-based authentication, scalability, permissions, and so on.

Supervisor configuration parameters

To configure the connector, the following parameters are required:

Supported objects and operations

Users

Table 206: Supported operations for Users
Operation VERB
Create User POST
Update User PUT
Delete User DELETE
Get User GET
Get All Users GET
Get All Users with Pagination GET

Groups

Table 207: Supported operations for Groups
Operation VERB
Create Group POST
Update Group PUT
Delete Group DELETE
Get Group GET
Get All Groups GET
Get All Users with Pagination GET
Update Membership PUT

Mandatory fields

Users

  • Username
  • Email

Groups

DisplayName

User and Group mapping

The user and group mappings are listed in the tables below.

Table 208: User mapping
SCIM parameter AWS Cognito parameter
Id Username
userName Username
Name.Formatted Username
DisplayName Username
Emails[0].value UserAttributes.email
Active UserStatus.CONFIRMED
PhoneNumbers[0].Value phone_number
Password Password
Extension.IsPasswordPermanent Permanent
Extension.DesiredDeliveryMediums DesiredDeliveryMediums
Extension.email_verified UserAttributes.email_verified
Extension.phone_number_verified UserAttributes.phone_number_verified
Created_at UserCreateDate
lastModified_at UserLastModifiedDate

Groups

Table 209: Group mapping
SCIM parameter AWS Cognito parameter
Id GroupName
displayName GroupName
members[].value Users[].Username
members[].display Users[].Username
Extension.Precedence Precedence
Extension.RoleArn RoleArn
Created_at CreationDate
lastModified_at LastModifiedDate

Connector limitations

  • Creating or updating a User or a Group happens in multiple steps. A failure in any step is reported as a complete failure of the operation. However, the changes made by the steps that succeeded are persisted.

  • Noncompliance with the password policy returns an error. However, the User is still created.

  • DesiredDeliveredMedium is a write-only property. SMS is the default option, and the property is not returned in the Get specific user response.

  • A User can be a member of a maximum of 25 groups.
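Because a failed create can still leave a user behind, a provisioning wrapper should look the user up after an error instead of assuming nothing was written. The following added example (not One Identity or AWS code) shows that check together with the mandatory-field and 25-group limits; the client interface, the `ProvisioningError` type and the fake connector with its password rule are assumptions constructed for illustration.

```python
MAX_GROUPS_PER_USER = 25  # limit stated on this page


class ProvisioningError(Exception):
    """Error raised by the (hypothetical) SCIM client for a failed request."""


def provision_user(client, user, groups=()):
    """Create a user and classify the outcome, checking for leftovers.

    client is a hypothetical SCIM client exposing create_user(user),
    add_to_group(user_name, group) and get_user(user_name) -> dict or None.
    """
    name = user.get("userName")
    emails = user.get("emails") or []
    if not name or not emails or not emails[0].get("value"):
        return {"status": "rejected",
                "reason": "Username and Email are mandatory"}
    if len(groups) > MAX_GROUPS_PER_USER:
        return {"status": "rejected",
                "reason": "more than 25 groups requested"}
    try:
        client.create_user(user)
        for group in groups:
            client.add_to_group(name, group)
    except ProvisioningError as exc:
        # An error does not mean nothing was written: look before retrying.
        leftover = client.get_user(name)
        if leftover is None:
            return {"status": "failed", "reason": str(exc)}
        return {"status": "partial", "reason": str(exc),
                "leftover": leftover}
    return {"status": "created"}


class FakeCognitoConnector:
    """Constructed stand-in reproducing the documented behaviour: the user
    record is written first, then the password step may fail."""

    def __init__(self, min_password_len=12):  # constructed policy
        self.users = {}
        self.min_password_len = min_password_len

    def create_user(self, user):
        self.users[user["userName"]] = {"userName": user["userName"],
                                        "groups": []}
        if len(user.get("password", "")) < self.min_password_len:
            raise ProvisioningError("password does not meet policy")

    def add_to_group(self, user_name, group):
        self.users[user_name]["groups"].append(group)

    def get_user(self, user_name):
        return self.users.get(user_name)


if __name__ == "__main__":
    connector = FakeCognitoConnector()
    weak = {"userName": "ana", "emails": [{"value": "ana@example.test"}],
            "password": "short"}
    print(provision_user(connector, weak))
```

A "partial" result identifies an account that exists without a compliant password or complete group membership, so it should be routed to cleanup or an update rather than a second create.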
