지금 지원 담당자와 채팅
지원 담당자와 채팅

Starling Connect Hosted - One Identity Manager Administration Guide

About this guide One Identity Starling Connect overview One Identity Starling Supported cloud applications Working with connectors Connector versions Salesforce Facebook Workplace SAP Cloud Platform JIRA Server RSA Archer SuccessFactors Amazon S3 AWS ServiceNow Dropbox Crowd Atlassian JIRA Confluence Trello Box Pipedrive SuccessFactors HR NutShell Insightly Egnyte SugarCRM Oracle IDCS Statuspage Zendesk Sell Workbooks DocuSign Citrix ShareFile Zendesk Azure AD Google Workspace Concur Tableau GoToMeeting Coupa AWS Cognito Okta DataDog Hideez Opsgenie Informatica Cloud Services AppDynamics Marketo Workday HR OneLogin PingOne Aha! SAP Litmos HackerRank Slack ActiveCampaign Webex Apigee Databricks Hive PagerDuty Dayforce Smartsheet Pingboard SAP Cloud for Customer Azure Infrastructure Oracle Fusion Cloud Majesco LuccaHR OpenText Appendix: Creating a service account in Google Workspace Appendix: Setting a trial account on Salesforce Registering the application, providing necessary permissions, retrieving Client Id and Client Secret from the Azure AD tenant Generating a private key for service account in GoToMeeting Configuring Amazon S3 AWS connector to support entitlements for User and Group Configuring Box connector to support additional email IDs for users One Identity Manager E2E integration needs for Hideez connector Configuring custom attributes for ServiceNow v.1.0 Configuring custom attributes for Coupa v.1.0 Configuring custom attributes in connectors Disabling attributes Configuring a connector that uses the consent feature Synchronization and integration of Roles object type with One Identity Manager Synchronization and integration of Workspaces object type with One Identity Manager Synchronization and integration of Products object type with One Identity Manager User centric membership Creating multi-valued custom fields in One Identity Manager Synchronization and assignment of PermissionSets to Users with One Identity Manager Connectors that support password attribute in User object Connectors that do not support special characters in the object ID Creating an app for using SCIM on Slack Enterprise Grid Organization Creating a Webex integration application, providing necessary scopes, retrieving Client Id and Client Secret Retrieving the API key from Facebook Workplace Outbound IP addresses Values for customer-specific configuration parameters in Workday HR connector Initiate an OAuth connection to SuccessFactors Creating custom editable/upsertable attributes in Successfactors employee central Custom Foundation Objects in Successfactors HR connector Configuring additional datetime offset in connectors How to Create custom attribute for Users in SuccessFactors portal SAP Cloud for Customer - Steps to add custom fields at One Identity Manager attributes Creating Service Principal to authenticate the Azure resource management REST APIs for Azure Infrastructure connector

OpenText

OpenText provides a complete and integrated Information Management platform, allowing companies to organize, integrate and protect data and content as it flows through business processes inside and outside the organization.

Supervisor configuration parameters

To configure the connector, following parameters are required:

Supported objects and operations

Users

Table 370: Supported operations for Users

Operation

VERB

Create User

POST

Get a user

GET

Update a user

PUT

Get all Users

GET

Delete a User

DELETE

Group

Table 371: Supported operations for Groups

Operation

VERB

Create Group

POST

Get a Group

DELETE

Get all Group

GET

Update a Group

PUT

Delete a Group

DELETE

Mandatory fields

Users

  • userName

Groups

  • displayName

User and Groups mapping

The user and Groups mappings are listed in the tables below.

Table 372: User mapping
SCIM User OpenText User
id id
externalId externalId
userName userName
name.givenName name.givenName
name.formatted name.formatted
name.familyName name.familyName
displayName displayName
title title
userType userType
locale locale
timezone timezone
preferredLanguage preferredLanguage
emails[].value emails[].value
emails[].type emails[].type
phoneNumbers[].value phoneNumbers[].value
phoneNumbers[].type phoneNumbers[].type
addresses[].formatted addresses[].formatted
addresses[].streetAddress addresses[].streetAddress
addresses[].locality addresses[].locality
addresses[].region addresses[].region
addresses[].postalCode addresses[].postalCode
addresses[].country addresses[].country
addresses[].type addresses[].type
userExtension.employeeNumber userExtension.employeeNumber
userExtension.costCenter userExtension.costCenter
userExtension.organization userExtension.organization
userExtension.division userExtension.division
userExtension.department userExtension.department
userExtension.manager.value userExtension.manager.value
userExtension.manager.location userExtension.manager.$ref
password password
active active
meta.created meta.created
meta.lastModified meta.lastModified
Table 373: Group mapping
SCIM Group OpenText Group
id id
displayName displayName
GroupExtension.externalId externalId
GroupExtension.emails[].value emails[].value
GroupExtension.emails[].type emails[].type
members[].value members[].value
members[].type members[].type
members[].display members[].display
meta.created meta.created
meta.lastModified meta.lastModified

Connector limitations

  • Most of the attributes like phoneNumber, addresses, preferredLanguage, timezone, locale takes any junk value due to target API behavior.

Appendix: Creating a service account in Google Workspace

You must obtain a JSON file with Private Key to authorize the APIs to access data on Google Workspace domain. Create and enable the service account to obtain the private key (JSON file).

To create a project and enable the API

  1. Login to Google Cloud Platform.

  2. Click on the drop-down list next to the Google Cloud Platform label and select an organization.

    The Select a Project window is displayed.

  3. Click New Project.

    The New Project page is displayed.

  4. Enter the specific details in the relevant text field.

  5. Click Create.
  6. Click on the drop-down list next to the Google Cloud Platform label and select the project you created.

  7. Click APIs & Services tab.

  8. Click Library tab.
  9. Search for the phrase Admin SDK in the search bar and select Admin SDK from the results.

    The API Library page is displayed.

  10. Click Enable to enable the API.

To create a service account

  1. Click APIs & Services tab.

  2. Click Credentials.
  3. On the Credentials tab, click Manage Service Accounts available at the bottom right corner.

    The Service Accounts window is displayed.

  4. Click + CREATE SERVICE ACCOUNT.

    Create service account window is displayed.

  5. Enter the name of the service account in Service account name text field.

  6. Select Owner as the Role from the drop-down menu.
  7. Select the service JSON as an account Key type.

    IMPORTANT: A JSON file is required to generate an access token and it is downloaded automatically after selecting the above option.

  8. Click Create.

To select and authorize the API scopes

  1. Login to the Google workspace admin console with your domain.

  2. On the Admin console home page, click Security.

  3. Click Advanced settings.

  4. Click Managed API client access.

  5. Enter the client name and the description in the Name and Description text field respectively.

  6. Enter the email in the Email text field.

  7. Add the preferred API scopes that you want to use.

    For example, API scopes can be

    • https://www.googleapis.com/auth/admin.directory.user

    • https://www.googleapis.com/auth/admin.directory.group

    • https://www.googleapis.com/auth/admin.directory.group.member

    • https://www.googleapis.com/auth/admin.directory.domain

    • https://www.googleapis.com/auth/admin.directory.domain.readonly

    • https://www.googleapis.com/auth/admin.directory.rolemanagement

    For more information on API scopes, see https://developers.google.com/identity/protocols/googlescopes

  8. After adding the API scoes, click Authorize.

    The unique Id and the scopes added is displayed.

Appendix: Setting a trial account on Salesforce

To login to the Saleforce application, you must create a trial account. The sections below briefs about the process to create a trial account .

To setup a trial account

  1. Login to the Salesforce developer edition link: https://developer.salesforce.com/signup?d=70130000000td6N.

  2. Provide the relevant details and click Sign me up.

    A trial account is created and an instance is assigned.

  3. Switch the view to Saleforce classic view by clicking Switch to Salesforce Classic.
  4. Click the Setup tab.
  5. Click Build | Create | Apps.
  6. In the Connected Apps section, click New.
  7. In the Basic Information section, enter the relevant details.
  8. In the API (Enable OAuth Settings) section, select Enable OAuth Settings checkbox.
  9. Provide the url text https://app.getpostman.com/oauth2/callback in the Callback URL text field.

    NOTE: This url must be used just to configure the trial account and not as a browsing link.

  10. From the Selected OAuth Scopes drop-down menu, select Access and manage your data(api).
  11. Click Save.
  12. From the API (Enabel OAuth Settings) section, retrieve the Consumer Key and Consumer Secret.

To generate a security token

A security token is sent to the registered email address. If not received, follow the below steps to generate a token.

  1. On the home page, click My Settings.

  2. Click Personal | Reset My Security Token.
  3. Review the information displayed on the screen and click Reset Security Token.
  4. Provide the relevant information such as:

IMPORTANT:

Registering the application, providing necessary permissions, retrieving Client Id and Client Secret from the Azure AD tenant

This section provides the details about registering the application, providing necessary permissions, retrieving Client Id and Client Secret from the Azure AD tenant, for both single tenant and multi-tenant connector configuration.

NOTE: Safeguard for Privileged Passwords only allows for a single tenant connector configuration..

To register application, provide appropriate permissions, retrieve client ID, and client secret from the Azure AD tenant

  1. Login to Azure portal and select Azure Active Directory.

  2. Select App registrations.

    NOTE: For Safeguard for Privileged Passwords, the Azure AD application registration must be public.

  3. Click New registration and provide the necessary details.

    Provide the following details:

    • Application name
    • Redirect URL: https://connect-supervisor.cloud.oneidentity.com/v1/consent.
  4. Select the created application and click View API Permissions.
  5. From API permission, add the required permissions for Microsoft Graph API (delegated and application permissions).

    The registered application must have the following permissions:

    • Directory.ReadWrite.All
    • Group.ReadWrite.All
    • User.ManageIdentities. All
    • User.ReadWrite.All
  6. Create a user under Azure Active Directory and assign Privileged role administrator role under the user's Assigned roles.

    NOTE: A Global administrator would also be able to provide consent.

  7. For the Azure Active Directory, assign User administrator role for the application created.

    NOTE: For Safeguard for Privileged Passwords, you must assign at least the Helpdesk Administrator role for the application created, but should assign a higher role if you want to manage special accounts (for example, Billing Administrator or Global Administrator).

    To assign User administrator role for the application created:

    1. Select Roles and administrators.
    2. Click + Add Assignments, and search the name of the application created.

  8. Gather the following details from the corresponding pages of the application given in the table below.

    Table 374: Application details
    Details Page

    Application (client) ID

    Azure Active Directory's Directory (tenant) ID

    Overview
    Client Secret Certificates & secrets

More details on Azure AD

For more details on Azure AD, refer the following links:

Table 375: More details on Azure AD

More details on Azure AD

Link

To register an application
  • https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
  • To configure an application to access web APIs
  • https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis
  • To configure an application to expose web APIs
  • https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-expose-web-apis
  • To modify the accounts supported by an application
  • https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-modify-supported-accounts
  • 관련 문서

    The document was helpful.

    평가 결과 선택

    I easily found the information I needed.

    평가 결과 선택