
Starling Connect Hosted - One Identity Manager Administration Guide


Initiate an OAuth connection to SuccessFactors

Detailed steps to configure an OAuth client are described in this SAP Blog.

In brief, the steps are:

  1. Create an interface User ID

  2. Grant the necessary permissions to the User ID

    1. Create Permission Role

    2. Create Permission Group

    • If the necessary access rights are not available for steps 1 and/or 2, the alternative steps are:

      • Use the default admin account "sfadmin" to configure the OAuth authentication.

      • Find the permission role "sfapi". By default, "sfadmin" would already have the needed permission mapped to this role.

      • Add "sfadmin" to the permission group "sfapi", following step 2 (refer to the SAP Blog).

      • Similarly, link the permission role "sfapi" to the permission group "sfapi" and vice versa, following the detailed information provided under step 2 (refer to the SAP Blog).

  3. Register the OAuth2 Client

    1. Go to "Admin Center" and, under Company Settings, click the link "Manage OAuth2 Client Applications".

    2. Click "Register Client Application".

    3. Generate an X.509 certificate and download a copy of it to your machine.

    4. Open the certificate file in a text editor. The X.509 certificate file has two parts: the private key and the certificate. Copy the characters between -----BEGIN ENCRYPTED PRIVATE KEY----- and -----END ENCRYPTED PRIVATE KEY----- obtained in the step for registering the OAuth client.

    5. Go to the OAuth application and take the API key.

    6. Use the API Key (for the Client Id configuration parameter) and the Private Key from the X.509 certificate (for the Client Secret configuration parameter) while configuring the Starling Connector.

 

Creating custom editable/upsertable attributes in SuccessFactors Employee Central

NOTE: As a prerequisite, the SuccessFactors instance should be enabled for the Employee Central module, which is part of the HCM suite for SAP SuccessFactors.

  1. Go to Admin Center on the SuccessFactors Portal and select Manage Business Configuration under Tools, as follows:

    Portal | Admin Center | Tools | Manage Business Configuration

  2. Select any of the object tables on the left side and add a new custom attribute to it.

    Make sure the visibility of the newly added custom attribute is set to "Edit"; only then will it be upsertable.

    "Visibility": "Edit"

Making the custom attribute upsertable

  1. To check the upsertable status of any attribute, follow this path:

    Portal | Admin Center | Tools | OData API Data Dictionary

  2. Filter the entity by name.

    The names to use for filtering some of the entity types are:

    • employmentInfo → EmpEmployment

    • jobInfo → EmpJob

    • personalInfo → PerPersonal

    • personRelationshipInfo → PerPersonRelationship

  3. Find the custom attribute and set "sap:upsertable" to True.
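
The same upsertable check can be run offline against an exported copy of the OData metadata. The following is an added example, not part of the original guide or of the connector; the metadata fragment, its namespace URIs and the "cust" name prefix are constructed assumptions, so confirm them against your own tenant's metadata.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed metadata fragment for one entity. The namespace
# URIs and property names are illustrative assumptions, not tenant data.
SAMPLE_METADATA = """<Schema xmlns="http://schemas.microsoft.com/ado/2008/09/edm"
        xmlns:sap="http://www.successfactors.com/edm/sap" Namespace="SFOData">
  <EntityType Name="EmpJob">
    <Property Name="userId" Type="Edm.String" sap:upsertable="false"/>
    <Property Name="customString1" Type="Edm.String" sap:upsertable="true"/>
    <Property Name="customString2" Type="Edm.String" sap:upsertable="false"/>
    <Property Name="customDate1" Type="Edm.DateTime"/>
    <NavigationProperty Name="userNav" Relationship="SFOData.rel"
                        FromRole="a" ToRole="b"/>
  </EntityType>
</Schema>"""

def local(name):
    """Strip the '{namespace}' part so matching does not depend on the URI."""
    return name.rsplit("}", 1)[-1]

def upsertable_report(metadata_xml, entity_name, prefix="cust"):
    """Map each custom property of one entity to True, False or None.
    None means the upsertable annotation is missing from the metadata."""
    # Input is a trusted export from your own tenant; for XML from an
    # untrusted source use a hardened parser such as defusedxml instead.
    root = ET.fromstring(metadata_xml)
    report = {}
    for entity in root.iter():
        if local(entity.tag) != "EntityType" or entity.get("Name") != entity_name:
            continue
        for prop in entity:
            name = prop.get("Name", "")
            # NavigationProperty elements are skipped: only simple properties count.
            if local(prop.tag) != "Property" or not name.startswith(prefix):
                continue
            flags = [v for k, v in prop.attrib.items() if local(k) == "upsertable"]
            report[name] = flags[0].lower() == "true" if flags else None
    return report

def not_upsertable(report):
    """Custom attributes that still need "sap:upsertable" set to True."""
    return sorted(name for name, ok in report.items() if ok is not True)

if __name__ == "__main__":
    print(not_upsertable(upsertable_report(SAMPLE_METADATA, "EmpJob")))
```

Running the report before and after a configuration change gives a reviewable record of which custom attributes became writable through the API.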

 

Managing the custom attribute's visibility in the Employee Data

  1. Go to Admin Center | Manage Security | Manage Permission Roles.

  2. Select the role Employee Self Service, click on Permission under "Permission settings".

  3. Scroll down to Employee Data, find the newly added custom attributes and provide the needed access levels (View / Edit).

  4. Save the changes.

Custom Foundation Objects in SuccessFactors HR connector

Employee Central delivers a predefined set of Foundation Objects, such as Legal Entity, Business Unit, Cost Center, etc. There may be a business requirement to use more Foundation Objects in the Organization, Pay or Jobs Structure in the system. Using the Metadata Framework, you can create Custom Foundation Objects, which can be used in Employee Central > Job Information, to accommodate specific requirements that the pre-delivered set of Foundation Objects may not cover.

Example Custom FO Configuration

  1. Log into the Test/Sandbox instance as a System Administrator, one that has access to Configure Object Definitions, Manage Business Configuration (BCUI), Manage Data and Test Users.

  2. Navigate to Admin Center | Configure Object Definitions | Create New | Object Definition.

  3. Complete all the required fields.

    For example, you will need to provide a unique Code value, which you will need later on. Also specify whether the Object should use Effective Dating, and what Status the object should have.

    1. Code: Typically the Code is entirely up to you, but you should try to use a Code that identifies the object easily (as the Code will be used in other areas of the EC configuration, which we will touch on later in this article).

    2. Effective Dating: It is a good idea to select Basic as Effective Dating (in line with the MDF Foundation Objects configuration). Please do not use the Multiple Changes per Day option.

    3. Status: This should always be set to Active.

  4. Once these options have been set, click Save at the bottom of the page.

    The Security, Business Rules and adding new fields can be done later.

  5. The "Take Action" button in the top right can be used to edit the values if required.

Custom attributes with the needed data types can be added.

If Security is set to Yes, the necessary role-based permissions must be granted to access this object, because it is a role-based permission secured object.

Implementation in the Starling Connect Connector

New version

The SuccessFactors HR connector has been enhanced with a new version, v9.0, to support custom object types dynamically. The customer can enter the names of the custom objects to be supported by the connector in the configuration parameter "Custom Object Types", separating each type name with a semicolon (;).

NOTE: All schema attributes are considered to be read-only, single valued, non-mandatory, not case-exact and not unique.

Mapping

Table 403: Employee mapping

| SCIM properties | SuccessFactors properties |
| --- | --- |
| id | Base 64 encoded Composite Key or Simple Key of the object |
| meta.created | createdDateTime |
| meta.lastModified | lastModifiedDateTime |

All other non-navigational attributes have the same names on both sides.

Limitations

  • The connector implementation does not support navigation attributes for custom object types. Only simple valued attributes are considered in the mappings and schemas under a custom type object.

    NOTE:

    While parsing the schemas for a custom object entity, new entity metadata has to be requested to get the schemas of the custom object's navigation attributes.

    For example: "cust_ObjectA" has a navigational attribute, which is listed under "navigationProperties" in the metadata. Under "toRole" of the navigational attribute information there is a property called "EntitySet", which indicates the entity it navigates to. However, there are some entities for which the schemas / metadata cannot be retrieved. For example, if the custom object has an association to "Employee Profile User Info", then the entity set as per the "navigationProperties/toRole/EntitySet" value is "EPUserInfoConfig". The error "Entity Entity with the given key is not found." is returned if the Entity API is triggered to get the schemas of this object type. Even though it is possible to expand the navigation attributes under custom object types using the OData API, it is not possible to expand the metadata or schemas for the navigation attributes using the Entity API.

    Hence the connector does not support the navigational attributes under custom object types.

  • The connector does not support multi-valued attributes under the custom object types.

    NOTE: The only attributes that can have multiple values (one-to-many) are "Associations" under the custom objects. Associations come under navigation attributes, and in some scenarios it is not possible to get the metadata / schemas for navigation attributes.

  • Even though the Starling Connector for SuccessFactors HR supports disabling attributes and adding custom attributes across all resource types, these features are not supported in custom object types, as the schemas and mappings are always constructed dynamically.

  • The connector currently supports only READ operations on the custom objects.

Configuring additional datetime offset in connectors

  • The customer can configure additional datetime offset values for the connectors to help synchronize objects in the Identity Manager where objects are found missing due to time zone differences between the target and the Identity Manager.

  • If the data returned by the target includes an offset with its datetime values and the customer configures any valid offset value in the connector, then the offset returned by the target is replaced with the configured offset value.

  • The connector returns the datetimes in UTC format (yyyy-MM-ddTHH:mm:ssZ).

  • The datetime offset takes the format +/- HH:mm, and the valid range of offset values is -14:00 to +14:00, both inclusive.

  • The default value for the offset is 'Z' which is the UTC offset of 00:00.
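
The offset rules above can be checked before a value is entered in the connector configuration. The following is an added example, not the connector's own code; the function names are hypothetical, and how offset replacement combines with UTC output (wall-clock time kept, offset swapped, result rendered in UTC) is an assumption made for this sketch.

```python
import re
from datetime import datetime, timedelta, timezone

OFFSET_RE = re.compile(r"([+-])(\d{2}):([0-5]\d)")
MAX_OFFSET = timedelta(hours=14)  # documented range: -14:00 to +14:00 inclusive

def parse_offset(value):
    """Validate a configured offset ('Z' or +/-HH:mm) and return a tzinfo."""
    if value == "Z":  # documented default, the UTC offset of 00:00
        return timezone.utc
    m = OFFSET_RE.fullmatch(value)
    if not m:
        raise ValueError(f"offset {value!r} is not 'Z' or +/-HH:mm")
    delta = timedelta(hours=int(m.group(2)), minutes=int(m.group(3)))
    if delta > MAX_OFFSET:
        raise ValueError(f"offset {value!r} is outside -14:00..+14:00")
    return timezone(delta if m.group(1) == "+" else -delta)

def is_valid_offset(value):
    """True when the value would be accepted by parse_offset."""
    try:
        parse_offset(value)
        return True
    except ValueError:
        return False

def apply_configured_offset(target_value, configured_offset):
    """Swap the target's offset for the configured one, then render as UTC.
    Assumption: the wall-clock time is kept and only the offset is replaced."""
    tz = parse_offset(configured_offset)
    if target_value.endswith("Z"):  # fromisoformat rejects 'Z' before Python 3.11
        target_value = target_value[:-1] + "+00:00"
    wall_clock = datetime.fromisoformat(target_value).replace(tzinfo=tz)
    return wall_clock.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

if __name__ == "__main__":
    # Constructed sample values, not taken from a real target system.
    for raw, cfg in [("2024-03-01T09:00:00+05:30", "-08:00"),
                     ("2024-03-01T09:00:00Z", "+14:00")]:
        print(raw, cfg, "->", apply_configured_offset(raw, cfg))
```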
