Chat now with support
Chat with Support

Starling Connect Hosted - Active Roles Administration Guide

OneLogin

OneLogin Inc. is a cloud-based identity and access management (IAM) provider that designs, develops, and sells a unified access management system (UAM) platform to enterprise-level businesses and organizations. Founded in 2009, by brothers Thomas Pedersen and Christian Pedersen, OneLogin is a late stage venture, privately held company. The OneLogin UAM platform is an access management system that uses single sign-on (SSO) and a cloud directory to enable organizations to manage user access to on-premises and cloud applications. The platform also includes user provisioning, lifecycle management, and multi-factor authentication (MFA).

Supervisor configuration parameters

To configure the connector, following parameters are required:

  • Connector name

  • Client Id

  • Client secret

  • SCIM URL (The base URL of the REST API of the Cloud application.)

Supported objects and operations

Users
Table 110: Supported operations for Users
Operation VERB
Create User POST
Update User PUT
Delete User DELETE
Get User by id GET
Get All Users GET

Get All Users with pagination

GET

Groups
Table 111: Supported operations for Groups

Operation

VERB
Get Group by id GET
Get All Groups GET
Get All Groups with pagination GET

Roles

Table 112: Supported operations for Roles

Operation

VERB
Get Role by id GET
Get All Roles GET
Get All Roles with pagination GET

Mandatory fields

This section lists the mandatory fields required to create a User or a Group:

Users - Create

  • userName

  • name.givenName

  • name.familyName

  • emails.value
Users - Update

userName or emails.value

Groups

Not Applicable

Mappings

The user and group mappings are listed in the tables below.

Table 113: User mapping
SCIM Parameter OneLogin parameter
Id Id
UserName username
ExternalId external_id
Name.GivenName firstname
Name.FamilyName lastname
Name.Formatted firstname +" " + lastname
DisplayName firstname +" " + lastname
Emails[0].Value email
PhoneNumbers[0].Value phone
Title title
Roles[].Value role_id[]

Groups[0].value

group_id

Active

status

Locale

locale_code

Extension.Manager.Value

manager_user_id

Extension.Organization

company

Extension.Department

department

Extension.OpenIdName

openid_name

Extension.DistinguishedName

distinguished_name

Extension.SamAccountName

samaccountname

Extension.UserPrincipalName

userprincipalname

Extension.MemberOf

member_of

Extension.DirectoryId

directory_id

Meta.Created

created_at

Meta.LastModified

updated_at

Groups
Table 114: Group mapping
SCIM parameter OneLogin parameter
Id id
DisplayName name
Roles
Table 115: Role mapping
SCIM parameter OneLogin parameter
Id id
Name name

Connector limitations

  • The target cloud application supports the below given integer values for Status field:

    • Unactivated: 0
    • Active: 1
    • Suspended: 2
    • Locked: 3
    • Password expired : 4
    • Awaiting password reset: 5
    • Pending password: 7
    • Security questions required: 8

    • NOTE: All these status cannot be considered in the connector.

  • Add Group and Remove Group can be achieved through the User update operation. Only one group can be assigned to a user.

Creating a service account in G Suite

You must obtain a JSON file with Private Key to authorize the APIs to access data on

G Suite domain. Create and enable the service account to obtain the private key (JSON file).

To create a project and enable the API

  1. Login to Google Cloud Platform.

  2. Click on the drop-down list next to the Google Cloud Platform label and select an organization.

    The Select a Project window is displayed.

  3. Click New Project.

    The New Project page is displayed.

  4. Enter the specific details in the relevant text field.

  5. Click Create.

  6. Click on the drop-down list next to the Google Cloud Platform label and select the project you created.

  7. Click APIs & Services tab.

  8. Click Library tab.

  9. Search for the phrase Admin SDK in the search bar and select Admin SDK from the results.

    The API Library page is displayed.

  10. Click Enable to enable the API.

To create a service account

  1. Click APIs & Services tab.

  2. Click Credentials.

  3. On the Credentials tab, click Manage Service Accounts available at the bottom right corner.

    The Service Accounts window is displayed.

  4. Click + CREATE SERVICE ACCOUNT.

    Create service account window is displayed.

  5. Enter the name of the service account in Service account name text field.

  6. Select Owner as the Role from the drop-down menu.

  7. Select the service JSON as an account Key type.

    IMPORTANT: A JSON file is required to generate an access token and it is downloaded automatically after selecting the above option.

  8. Click Create.

To select and authorize the API scopes

  1. Login to the G Suite admin console with your domain.

  2. On the Admin console home page, click Security.

  3. Click Advanced settings.

  4. Click Managed API client access.

  5. Enter the client name and the description in the Name and Description text field respectively.

  6. Enter the email in the Email text field.

  7. Add the preferred API scopes that you want to use.

    For example, API scopes can be https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.group, or https://www.googleapis.com/auth/admin.directory.group.member.

    For more information on API scopes, see https://developers.google.com/identity/protocols/googlescopes

  8. After adding the API scoes, click Authorize.

    The unique Id and the scopes added is displayed.

Setting a trial account on Salesforce

To login to the Saleforce application, you must create a trail account. The sections below briefs about the process to create a trial account .

To setup a trial account

  1. Login to the Salesforce developer edition link: https://developer.salesforce.com/signup?d=70130000000td6N.

  2. Provide the relevant details and click Sign me up.

    A trail account is created and an instance is assigned.

  3. Switch the view to Saleforce classic view by clicking Switch to Salesforce Classic.
  4. Click the Setup tab.
  5. Click Build | Create | Apps.
  6. In the Connected Apps section, click New.
  7. In the Basic Information section, enter the relevant details.
  8. In the API (Enable OAuth Settings) section, select Enable OAuth Settings checkbox.
  9. Provide the https://app.getpostman.com/oauth2/callback URL in the Callback URL text field.
  10. From the Selected OAuth Scopes drop-down menu, select Full Access (full).
  11. Click Save.
  12. From the API (Enabel OAuth Settings) section, retrieve the Consumer Key and Consumer Secret.

To generate a security token

A security token is sent to the registered email address. If not received, follow the below steps to generate a token.

  1. On the home page, click My Settings.

  2. Click Personal | Reset My Security Token.
  3. Review the information displayed on the screen and click Reset Security Token.
  4. Provide the relevant information such as:

IMPORTANT: Replace this text with a notation that requires the reader's attention.

Working with Azure Active Directory

The following procedure briefs about the steps to register application, provide appropriate permissions, retrieve client ID, and client secret.

Working with Azure AD

  1. Login to the Microsoft Azure portal and select Azure Active Directory from FAVORITES.

  2. From Manage section, select App Registrations (Preview).

    NOTE: For Safeguard for Privileged Passwords, the Azure AD application registration must be public.

  3. Click New registration and provide the necessary details.

    Provide the following details:

  4. Select the created application and click View API Permissions.
  5. Add the required permissions for Microsoft Graph API (delegated and application permissions).

    The registered application must have User.ReadBasic.All, User.Read, User.ReadWrite, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All, Directory.AccessAsUser.All, Group.Read.All, and Group.ReadWrite.All permissions.

  6. Click Grant admin consent for Default Directory checkbox to grant necessary permissions.
  7. From the created application, click App Registrations (Preview) and note the Application (client) ID and Directory (tenant) ID.
  8. Select Certificates & secrets and click New client secret to generate the secret.
  9. Paste the following URL in the browser, https://login.microsoftonline.com/common/adminconsent?client_id={Client ID}&state=12345&redirect_uri=http://localhost/myapp/permissions.
  10. Click Accept.

Providing permission to update or delete users password

  1. Install the Azure AD PowerShell v1 module (MSOnline).

  2. Connect to your Azure AD B2C tenant.

  3. Use the Application(client) ID in the PowerShell script to assign the application the user account administrator role.

For more details on Azure AD, refer the following links:

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating