Amazon S3 AWS
Amazon S3 AWS offers a suite of cloud-computing services that make up an on-demand computing platform. The most central and best-known of these are Amazon Elastic Compute Cloud (EC2) and Amazon Simple Storage Service (S3). AWS offers more than 70 services, including computing, storage, networking, database, analytics, application services, deployment, management, mobile, developer tools, and tools for the Internet of Things.
For more information about configuring Amazon S3 AWS connector with One Identity Manager, see Configuring Amazon S3 AWS connector to support entitlements for User and Group.
Supervisor configuration parameters
To configure the connector, following parameters are required:
-
Connector Name
- Client Id of the cloud account
-
Client Secret of the cloud account
-
Region of the cloud account
-
SCIM URL (Cloud application's REST API's base URL)
Supported objects and operations
Users
|
Operation |
VERB |
|---|---|
|
Create |
POST |
|
Update |
PUT |
| Delete | DELETE |
| Get all users | GET |
| Get (Id) | GET |
| Pagination | GET |
Groups
|
Operation |
VERB |
|---|---|
| Create | POST |
| Update | PUT |
| Delete | DELETE |
| Get all groups | GET |
| Get (Id) | GET |
NOTE: Currently, addition or removal of entitlements for Groups is not supported by One Identity Manager.
Profiles
|
Operation |
VERB |
|---|---|
|
Get All Profiles |
GET |
|
Get Profile |
GET |
Mandatory fields
Users
- User Name
- Password - This is applicable only for the Create operation.
Groups
-
Group Name
User and Group mapping
The user and group mappings are listed in the tables below.
| SCIM parameter | Amazon S3 AWS parameter |
|---|---|
| Id | UserName |
| UserName | UserName |
| Password | password |
| DisplayName | Arn |
|
Active |
(true) |
|
Groups |
(ListGroupsForUserResult)Group |
|
Entitlements |
(ListAttachedUserPoliciesResult)AttachedPolicies |
| Created | CreateDate |
| LastModified | PasswordLastUsed |
| SCIM parameter | Amazon S3 AWS parameter |
|---|---|
| Id | GroupName |
| displayName | UserName |
| Entitlements | (ListAttachedGroupPoliciesResult)AttachedPolicies |
| Members | (GetGroupResult)Users |
| Created | CreateDate |
| LastModified | PasswordLastUsed |
Connector limitations
-
Signature generation is embedded within a data process. Hence, the performance of the application is affected.
-
The Last Modified date is not available. Hence, the field contains the value of the recently used Password.
-
While performing Delete User or Delete Group operation, users or groups that are part of the deleted users or groups get detached from the below mentioned services. However, some services must be detached manually.
- AccessKey
- Roles
- Groups
-
The task of assigning entitlements to groups is available with the connector. For successful working, certain changes must be made in One Identity Manager.
ServiceNow
ServiceNow is a service management platform that can be used for many different business units, including IT, human resources, facilities, and field services.
Supervisor configuration parameters
To configure the connector, following parameters are required:
-
Connector name
-
Username for the cloud account
-
Password for the cloud account
-
Custom Properties (List of custom properties, if any, to be mapped)
-
SCIM URL (Cloud application's REST API's base URL)
Supported objects and operations
Users
|
Operation |
VERB |
|---|---|
|
Create |
POST |
|
Update |
PUT |
|
Delete |
DELETE |
|
Get all users |
GET |
|
Get (Id) |
GET |
| Pagination | GET |
Groups
|
Operation |
VERB |
|---|---|
|
Create |
POST |
|
Update |
PUT |
|
Delete |
DELETE |
|
Get all groups |
GET |
|
Get (id) |
GET |
|
Get |
GET |
| Pagination | GET |
Roles
|
Operation |
VERB |
|---|---|
|
Get All Roles |
GET |
|
Get Role (Id) |
GET |
Mandatory fields
Users
- Username
Groups
- Group Name
User and Group mapping
The user and group mapping is listed in the table below.
| SCIM parameter | ServiceNow parameter |
|---|---|
| userName | user_name |
| name.familyName | last_name |
| name.givenName | first_name |
| name.middleName | middle_name |
| displayName | name |
| emails[0].value | |
| addresses[0].streetAddress | street |
| addresses[0].locality | city |
| addresses[0].region | state |
| addresses[0].postalCode | zip |
| addresses[0].country | country |
| phoneNumbers[0].value | phone |
| title | title |
| preferredLanguage | preferred_language |
| timeZone | time_zone |
| active | active |
| password | user_password |
| roles.value | {resource}.role.value |
| extension.organization | company |
| extension.department | department |
| extension.manager.value | manager.value |
| extension.employeeNumber | employee_number |
| id | sys_id |
| groups.value | {resource}.group.value |
|
extension.lastLogon |
last_login_time |
| SCIM parameter | ServiceNow parameter |
|---|---|
| id | sys_id |
| displayName | name |
| members.value | {resource}.user.value |
| extension.description | description |
| extension.email | |
|
extension.groupType |
type |
|
extension.manager.value |
manager.value |
Configuring custom attributes in ServiceNow
This feature allows you to configure custom attributes in Starling Connector during connector subscription. You can provide the list of custom attributes in a defined format with the name, type and allowed values of the attributes. The custom mappings in the One Identity Manager provide the values for these custom attributes.
To configure custom attributes in ServiceNow:
-
Create a Custom Attribute in ServiceNow.
NOTE: The Starling Platform currently supports only the types String, dateTime, True/False and Choice in the ServiceNow sys_user table.
-
To configure the custom attributes in Starling UI, enter the Custom Properties in the specified format in the Starling Platform.
-
On the One Identity Manager, map the created custom attributes that were specified in the Starling Platform.
-
Perform a synchronization and verify if the custom attributes are available in the One Identity Manager.
NOTE:
-
The Starling UI for registering a ServiceNow connector has an input field to provide the custom attributes to be mapped in the connector's User resource type apart from the default mapped attributes.
-
The custom attributes in the User resource type must be in the following format:
{field_name}|{data_type}|{choice_value1,choice_value2,etc};{field_name}|{data_type}|{choice_value1,choice_value2,etc};etc.
Example:
u_employee_status|string;u_date_of_termination_of_employments|DateTime;u_test_field_with_canonical_values|string|Choice 1,Choice 2,Choice 3
field_name = Column name in ServiceNow
data_type = string (or) boolean (or) datetime
-
All custom attributes are mapped in the enterprise user extensions.
-
The supported data types in the Starling Connect ServiceNow connector are string, boolean and dataTime.
Choice type in the ServiceNow will become string type in OneIM with Canonical Values.
-
Only simple json attributes are supported. Complex json attributes are not supported.
-
All custom user attributes have 'mutability': 'readWrite', 'returned': 'default', 'caseExact': 'false', 'required': 'false', 'multiValued': 'false','uniqueness': 'none'.
-
Connector limitations
-
ServiceProviderAuthority contains only the Id field with the value being same as the instance id of the ServiceNow instance, as there are no APIs to fetch the tenant details in ServiceNow.
-
If the department name and organization name is provided during user create or update operations, the user gets assigned to the department and organization if the department and organization with the same name exists in ServiceNow cloud application.
-
If the invalid manager id is used for user's manager fields while performing user create or update operations, ServiceNow does not display any error. Instead, it invalid id is returned as the manager id.
- In the request, if there are invalid values for timezone, language, and so on, ServiceNow does not display any error. Instead, the fields with invalid values would be blank.
-
GET Roles operation might not fetch all the roles. Some roles must be retrieved based on ServiceNow Access Control List (ACL).
- If an invalid role id is used for user create or update operation, no error is displayed. Instead, the same invalid id in the role list is returned.
-
If an invalid member id is used for group create or update, no error is displayed. Instead, the same invalid id as the member id is returned.
-
Create User operation with existing user details shows the status code as 403 instead 409. The status code and the status message cannot be interpreted.
Dropbox
Dropbox offers secure file sharing and storage. It helps users manage sharing capabilities with groups and external collaborators through central folders with granular permissions.
Supervisor configuration parameters
To configure the connector, following parameters are required:
-
Connector name
-
API key (access token) for the cloud account
Supported objects and operations
Users
|
Operation |
VERB |
|---|---|
|
Create |
POST |
|
Update |
PUT |
|
Delete |
DELETE |
|
Get all users |
GET |
|
Get user by Id |
GET |
| Get users with pagination | GET |
Groups
|
Operation |
VERB |
|---|---|
|
Create |
POST |
|
Update |
PUT |
|
Delete |
DELETE |
|
Get all groups |
GET |
|
Get group by Id |
GET |
|
Get groups with pagination |
GET |
Roles
|
Operation |
VERB |
|---|---|
|
Get all roles |
GET |
|
Get role by Id |
GET |
Mandatory fields
Users
- emails.value
Groups
- displayName
User and Group mapping
The user and group mappings are listed in the tables below.
| SCIM parameter | Dropbox parameter |
|---|---|
| id | profile.team_member_id |
| externalId | profile.external_id |
| userName | profile.email |
| name.familyName | profile.name.surname |
|
name.givenName |
profile.name.given_name |
| name.formatted | profile.name.display_name |
| displayName | profile.name.display_name |
| emails[0].value | profile.email |
| active | profile.status[".tag"] |
| groups | profile.groups |
|
roles |
role[".tag"] |
|
meta.created |
profile.joined_on |
| SCIM parameter | Dropbox parameter |
|---|---|
| id | group_id |
| displayName | group_name |
| members[].value | members[].profile.team_member_id |
| members[].display | members[].profile.name.display_name |
| enterpriseExtension.externalId | group_external_id |
| meta.created | created |
Connector limitations
-
The LastModified date is not applicable for Groups.
- Both created and lastModified dates are not applicable for Users.
-
Invalid Target URL returns the below mentioned status code and error message.
- Status code: 500
- Error message: There was an issue processing this request error.
-
User's role cannot be updated.
-
The user cannot be set as active while performing create or update.
-
The information about groups will not be present in the Create user response.
-
The Dropbox user statuses active and invited are considered as active in the connector.
-
APIs are not available to retrieve roles from Dropbox. Hence, the endpoints of the connector's roles provide predefined set of roles.
-
Deleted members cannot be added to a group. In a request to add multiple members to a group, if any user is deleted (members_not_in_team), then the entire request is not executed.
-
The userName property for user is read-only. However, this can be updated by updating the emails → value. The emails → value has been mapped against userName.
-
Dropbox returns error 500 without any message being shown, on cursor pagination with cursor length equal to 1. The same is observed when trying to update a deleted group. In this case, the connector returns the following error code and message:
- Error Code: 400
- Error message: Error occurred.
Crowd
Crowd is a single sign-on software that lets your system administrator connect multiple applications to one user login and password. Users only need one user ID and password to access any connected platform.
Supervisor configuration parameters
To configure the connector, following parameters are required:
-
Connector Name
-
Username
-
Password
-
SCIM URL
Supported objects and operations
Users
|
Operation |
VERB |
|---|---|
|
Create |
POST |
|
Update |
PUT |
|
Delete |
DELETE |
|
Get All Users |
GET |
| Get User by Id |
GET |
| Get All Users with pagination | GET |
Groups
|
Operation |
VERB |
|---|---|
|
Create |
POST |
|
Update |
PUT |
|
Delete |
DELETE |
|
Get All Groups |
GET |
| Get Group by Id |
GET |
| Get All Groups with pagination | GET |
Mandatory fields
Users
- Username
- Password
Groups
- DisplayName
User and Group mapping
The user and group mapping is listed in the table below.
| SCIM parameter | Crowd parameter |
|---|---|
| Id | name |
| userName | name |
| password | password |
| active | active |
| givenName | first-name |
| familyName | last-name |
| displayName | display-name |
| Formatted | display-name |
| email.value | |
| Created | createdDate |
| LastModified | lastModified |
| SCIM parameter | Crowd parameter |
|---|---|
| Id | name |
| GroupName | name |
| Active | active |
| Description | description |
| members.value | members.name |
Connector limitations
-
Crowd application does not have the ID field for Users and Groups. User name is considered as the userId, and the group name is considered as groupId.
-
Crowd cloud application does not have a created date and modified date for Groups.
-
UserName and GroupName must be used as a single term as the usage is same for userId and groupId.
-
UserName cannot be updated because it is used as an Id in cloud application.
-
DisplayName of Groups cannot be updated as required by the cloud application.