Chat now with support
Chat with Support

Identity Manager 8.0 - Administration Guide for Connecting to Cloud Applications

Synchronizing Cloud Applications through the Universal Cloud Interface Setting up Synchronization with a Cloud Application Base Data for Managing Cloud Applications Cloud Applications Container Structures in a Cloud Application User Accounts in a Cloud Application Groups in a Cloud Application Permissions Controls in a Cloud Application Provisioning Object Changes Managing Provisioning Processes in the Web Portal Additional Information for Experts Appendix: Default Project Template for Cloud Applications

Users and Permissions for Synchronizing with a Cloud Application

Users and Permissions for Synchronizing with a Cloud Application

The following users are involved in synchronizing One Identity Manager with a cloud application.

Table 2: Users for synchronization
User Authorizations
One Identity Manager Service user account

The user account for the One Identity Manager Service requires access rights to carry out operations at file level (issuing user rights, adding directories and files to be edited).

The user account must belong to the group "Domain Users".

The user account must have the extended access right "Log on as a service".

The user account requires access rights to the internal web service.

NOTE: If the One Identity Manager Service runs under the network service (NT Authority\NetworkService), you can issue access rights for the internal web service with the following command line call:

netsh http add urlacl url=http://<IP address>:<port number>/ user="NT AUTHORITY\NETWORKSERVICE"

The user account needs full access to the One Identity Manager Service installation directory in order to automatically update the One Identity Manager.

In the default installation the One Identity Manager is installed under:

  • %ProgramFiles(x86)%\One Identity (on 32-bit operating systems)
  • %ProgramFiles%\One Identity (on 64-bit operating systems)
Security tokens or users for accessing the cloud application Security tokens or user name and password for use as authentication in the cloud application.

User for accessing the One Identity Manager database

The default system user "SynchronizationClosed" is available to run synchronization over an application server.

Setting Up a Synchronization Server

Setting Up a Synchronization Server

To setup synchronization with a cloud application, a server has to be available that has the following software installed on it:

  • Windows operating system

    Following versions are supported:

    • Windows Server 2008 (non-Itanium based 64-bit) Service Pack 2 or later
    • Windows Server 2008 R2 (non-Itanium based 64-bit) Service Pack 1 or later
    • Windows Server 2012
    • Windows Server 2012 R2
    • Windows Server 2016
  • Microsoft .NET Framework Version 4.5.2 or later

    NOTE: Microsoft .NET Framework version 4.6 is not supported.

    NOTE: Take the target system manufacturer's recommendations into account.
  • Windows Installer
  • One Identity Manager Service, Synchronization EditorClosed, SCIM connector
    • Install One Identity Manager components with the installation wizard.
      1. Select the option Select installation modules with existing database.
      2. Select the machine role Server | Job serverClosed | SCIM.

All One Identity Manager Service actions are executed against the target system environment on the synchronization server. Entries which are necessary for synchronization and administration with the One Identity Manager database are processed by the synchronization server. The synchronization server must be declared as a Job server in One Identity Manager.

Use the Server Installer to install the One Identity Manager Service. This program executes the following steps.

  • Setting up a Job server.
  • Specifying machine roles and server function for the Job server.
  • Remote installation of One Identity Manager Service components corresponding to the machine roles.
  • Configures the One Identity Manager Service.
  • Starts the One Identity Manager Service.

NOTE: The program executes remote installation of the One Identity Manager Service. Local installation of the service is not possible with this program. Remote installation is only supported within a domain or a trusted domain.

To install and configure the One Identity Manager Service remotely on a server

  1. Start the program Server Installer on your administrative workstation.
  2. Enter valid data for connecting to One Identity Manager on the Database connection page and click Next.
  3. Specify on which server you want to install the One Identity Manager Service on the Server properties page.
    1. Select a job server in the Server menu.

      - OR -

      Click Add to add a new job server.

    2. Enter the following data for the Job server.
      Table 3: Job Servers Properties
      Property Description
      Server Name of the Job servers.
      Queue

      Name of queue to handle the process steps. Each One Identity Manager Service within the network must have a unique queue identifier. The process steps are requested by the job queue using exactly this queue name. The queue identifier is entered in the One Identity Manager Service configuration file.

      Full server name

      Full name of the server in DNS syntax.

      Example:

      <name of server>.<fully qualified domain name>

      NOTE: Use the Advanced option to edit other Job server properties. You can use the Designer to change properties at a later date.
  4. Specify which job server roles to include in One Identity Manager on the Machine role page. Installation packages to be installed on the Job server are found depending on the selected machine role.
    • SCIM
  5. Specify the server's functions in One Identity Manager on the Server functions page. One Identity Manager processes are handled depending on the server function.

    The server's functions depend on which machine roles you have selected. You can limit the server's functionality further here.

    • SCIM connectorWindows PowerShell
  6. Check the One Identity Manager Service configuration on the Service settings page.

    NOTE: The initial service configuration is already predefined. If further changes need to be made to the configuration, you can do this later with the Designer. For more detailed information about configuring the service, see One Identity Manager Configuration Guide.
  7. To configure remote installations, click Next.
  8. Confirm the security prompt with Yes.
  9. Select the directory with the install files on the Select installation source page.
  10. Select the file with the private key on the page Select private key file.

    NOTE: This page is only displayed when the database is encrypted.
  11. Enter the service's installation data on the Service access page.
    Table 4: Installation Data
    Data Description
    Computer Server on which to install and start the service from.

    To select a server

    • Enter the server name.

      - OR -

    • Select a entry from the list.
    Service account One Identity Manager Service user account data.

    To enter a user account for the One Identity Manager Service

    • Set the option Local system account.

      This starts the One Identity Manager Service under the account "NT AUTHORITY\SYSTEM".

      - OR -

    • Enter user account, password and password confirmation.
    Installation account Data for the administrative user account to install the service.

    To enter an administrative user account for installation

      Enable Advanced
    • .
    • Enable the option Current user.

      This uses the user account of the current user.

      - OR -

    • Enter user account, password and password confirmation.
  12. Click Next to start installing the service.

    Installation of the service occurs automatically and may take some time.

  13. Click Finish on the last page of the Server Installer.

    NOTE: The is entered with the name "One Identity Manager Service" in the server's service administration.

Creating a Synchronization Project for Initial Synchronization of a Cloud Application

Creating a Synchronization Project for Initial Synchronization of a Cloud Application

Use the Synchronization EditorClosed to set up synchronization between the One Identity Manager database and cloud application. The following describes the steps for initial configuration of a synchronization project.

After the initial configuration, you can customize and configure workflows within the synchronization project. Use the workflow wizard in the SynchronizationClosed Editor for this. The Synchronization Editor also provides different configuration options for a synchronization project.

Have the following information available for setting up a synchronization project.

NOTE: Be aware of case sensitive parts of the URL during configuration.
Table 5: Information Required for Setting up a Synchronization Project
Data Explanation
Servers DNS name / URL DNS name of the server that provides the SCIM interface or URL for connecting to the server.
Port Port for accessing the cloud application.
URI service URL for reaching the SCIM service.
Authentication endpoint or URL URL available for authenticating. If authentication of another server or another root URL is used for authentication, the full URL must be entered here.
Authentication type Permitted type of authentication for logging into the cloud application.
User account and password User name and password for logging into the cloud application with the authentication types "Basic authentication", "OAuth authentication" and "Negotiated authentication".
Client secret Security token for logging into the cloud application with the authentication type "OAuth authentication".
SCIM endpoint Endpoint URIs or URLs for accessing the cloud application's schema, resource and service provider data.

Synchronization serverClosed

All One Identity Manager Service actions are executed against the target system environment on the synchronization server. Entries which are necessary for synchronization and administration with the One Identity Manager database are processed by the synchronization server.

The One Identity Manager Service with the SCIM connector must be installed on the synchronization server.

The synchronization server must be declared as a Job server in One Identity Manager. Use the following properties when you set up the Job server.

Table 6: Additional Properties for the Job Server
Property Value
Server Function SCIM connector
Machine role Server/Job server/SCIM

For more information, see Setting Up a Synchronization Server.

One Identity Manager Database ConnectionClosed Data

SQL Server:

  • Database server
  • Database
  • Database user and password
  • Specifies whether Windows authentication is used.

    This type of authentication is not recommended. If you decide to use it anyway, ensure that your environment supports Windows authentication.

Oracle:

  • Species whether access is direct or through the Oracle client

    Which connection data is required, depends on how this option is set.

  • Database server
  • Oracle instance port
  • Service name
  • Oracle database user and password
  • Data source (TNS alias name from TNSNames.ora)

Remote connection serverClosed

To configure synchronization with a target system, One Identity Manager must load the data from the target system. One Identity Manager communicates directly with target system to do this. If you do not have direct access on the workstation on which the Synchronization Editor is installed, because of the firewall configuration, for example, you can set up a remote connection.

The remote connection server and the workstation must be in the same Active Directory domain.

Remote connection server configuration:

  • One Identity Manager Service is started
  • RemoteConnectPlugin is installed
  • SCIM connector is installed

The remote connection server must be declared as a Job server in One Identity Manager. The Job server name is required.

For more detailed information about setting up a remote connection, see the One Identity Manager Target System Synchronization Reference Guide.

NOTE: The following sequence describes how you configure a synchronization project if the Synchronization Editor is both:
  • In default mode
  • Started from the launchpad

Additional settings can be made if the project wizard is run in expert mode or is started directly from the Synchronization Editor. Follow the project wizard instructions through these steps.

To set up initial synchronization project for a cloud application

  1. Start the Launchpad and log on to the One Identity Manager database.

    NOTE: If synchronization is executed by an application server, connect the database through the application server.
  2. Select the entry SCIM interface. Click Run.

    This starts the Synchronization Editor's project wizard.

  1. Specify how the One Identity Manager can access the target system on the System access page.
    • If you have access from the workstation from which you started the Synchronization Editor, do not set anything.
    • If you do not have access from the workstation from which you started the Synchronization Editor, you can set up a remote connection.

      In this case, set the option Connect using remote connection server and select, under Job server, the server you want to use for the connection.

  1. Enter the connection parameters required by the SCIM connector to log in on the cloud application on the Configuration data page.
    Table 7: Server parameters
    Property Description
    Servers DNS name / URL DNS of the server, which provided by the SCIM interface or the URL for connecting to the server.
    Port Port for accessing the cloud application.
    Service URI

    URI for reaching the SCIM service. Only the part of the URL used in common by all endpoints to be called, is required. The SCIM connector take the URL from the server URL, the port and URI together.

    For example, if the full URL is "https://identities.example.net:8080/scim/v2", then enter "scim/v2" as the URI.

    Table 8: Authentication type
    Property Description
    Basic authentication Authentication using user name and password.
    OAuth authentication Authentication using OAuth protocol 2.0.
    Negotiated authentication Authentication using Windows authentication methods like NTLM or Kerberos.
    Authentication endpoint/URL

    URI, under which authentication is possible. Only the part of the URL added to the common part, is required to reach the authentication endpoints. If authentication of another server or another root URL is used for authentication, the full URL must be entered here.

    Example: If the full URI is "https://identities.example.net:8080/scim/v2/auth/token", enter "auth/token" in this case. If the base URL or the server is different to the resource URL, enter the full URL, for example "https://authserver.example.net/token".

    • Enter the user name and password for the authentication type "Basic authentication" on the page Basic Authentication.
    • Enter the client secret for the authentication type "OAuth authentication" on the OAuth Authentication page.

      If the client secret is not known, enter the user name and password.

    • Enter the user name and password for the authentication type "Negotiated authentication (NTLM/Kerberos)" on the Negotiated authentication page.
  2. You can test the connection on Verify connection settings page. Click Test.

    One Identity Manager tries to connect to the cloud application.

    TIP: One Identity Manager saves the test result. When you reopen the page and the connection data has not changed, the result of the test is displayed. You do not have to run the connection test again if it was successful.

  3. Enter the URIs of the SCIM endpoints on the Endpoint Configuration page. The SCIM default is used there is no URI.
    Table 9: Endpoint Configuration
    Property Description
    SchemaClosed Endpoin for accessing the cloud application's schema information.
    Resources Endpoint for accessing cloud application resource data, for example, groups or user accounts.
    Supported service options Endpoint for accessing cloud application service provider data.
    • To test the endpoint connections, click Test.

      TIP: One Identity Manager saves the test result. When you reopen the page and the endpoint configuration has not changed, the result of the test is displayed.
  4. On the Target product selection page, you can customize how the SCIM connector behaves with the singularities of special target products, for example HTTP request formats.
    Table 10: Target Products
    Property Description
    SCIM Core V 2.0 Product for synchronizing a default SCIM environment.
    One Identity Connect For Cloud Product for synchronizing a One Identity Connect For Cloud system
  5. Enter a unique display name for the cloud application on the Display name page.

    You can use display names to differentiate between the cloud application in One Identity Manager tools. Display names cannot be changed later.

  6. On the last page of the system connection wizard you can save the connection data locally and finish the system connection configuration.
    • Set the option Save connection data on local computer to save the connection data. This can be reused when you set up other synchronization projects.
    • Click Finish, to end the system connection wizard and return to the project wizard.
  1. Verify the One Identity Manager database connection data on the One Identity Manager connection page. The data is loaded from the connected database. Reenter the password.

    NOTE: Reenter all the connection data if you are not working with an encrypted One Identity Manager database and no synchronization project has been saved yet in the database. This page is not shown if a synchronization project already exists.
  2. The wizard loads the target system schema. This may take a few minutes depending on the type of target system access and the size of the target system.
  1. Select a project template on the Select project template page to use for setting up the synchronization configuration.
    Table 11: Default Project Templates
    Project template Description
    SCIM synchronization

    Use this project template for initially setting up the synchronization project for synchronizing a System for Cross-domain Identity Management environment.

    Synchronizing a One Identity Connect For Cloud environment

    Use this project template for initially setting up the synchronization project for synchronizing a SCIM environment using the One Identity Connect For Cloud infrastructure.

    NOTE: A default project template ensures that all required information is added in the One Identity Manager. This includes mappings, workflows and the synchronization base object. If you do not use a default project template you must declare the synchronization base object in One Identity Manager yourself.Use a default project template for initially setting up the synchronization project. For custom implementations, you can extend the synchronization project with the .Synchronization Editor
  1. Specify how system access should work on the page Restrict target system access. You have the following options:
    Table 12: Specifying Target System Access
    Option Meaning

    Read-only access to target system.

    Specifies whether a synchronization workflow should be set up to initially load the target system into the One Identity Manager database.

    The synchronization workflow has the following characteristics:

    • Synchronization is in the direction of "One Identity Manager".
    • Processing methods in the synchronization steps are only defined in synchronization direction "One Identity Manager".

    Changes are also made to the target system.

    Specifies whether a provisioning workflow should be set up in addition to the synchronization workflow to initially load the target system.

    The provisioning workflow displays the following characteristics:

    • Synchronization in the direction of the "target system"
    • Processing methods are only defined in the synchronization steps in synchronization direction "target system".
    • Synchronization steps are only created for such schema classes whose schema types have write access.
  2. Select the synchronization server to execute synchronization on the Synchronization server page.

    If the synchronization server is not declare as a job server in the One Identity Manager database yet, you can add a new job server.

    • Click to add a new job server.
    • Enter a name for the job server and the full server name conforming to DNS syntax.
    • Click OK.

      The synchronization server is declared as job server for the target system in the One Identity Manager database.

      NOTE: Ensure that this server is set up as the synchronization server after saving the synchronization project.
  1. Click Finish to complete the project wizard.

    This creates and allocates a default schedule for regular synchronization. Enable the schedule for regular synchronization.

    The synchronization project is created, saved and enabled immediately.

    NOTE: If the synchronization project is not going to be executed immediately, disable the option Activate and save the new synchronization project automatically.

    In this case, save the synchronization project manually before closing the Synchronization Editor.

    NOTE: The target system connection data is saved in a variable set, which you can change in the Synchronization Editor under Configuration | Variables if necessary.

To configure the content of the synchronization log

  1. To configure the synchronization log for target system connection, select the category Configuration | Target system.
  2. To configure the synchronization log for the database connection, select the category Configuration | One Identity Manager connection.
  3. Select General view and click Configure....
  4. Select the Synchronization log view and set Create synchronization log.
  5. Enable the data to be logged.

    NOTE: Certain content create a lot of log data.

    The synchronization log should only contain the data necessary for error analysis and other evaluations.

  6. Click OK.

To synchronize on a regular basis

  1. Select the category Configuration | Start up configurations.
  2. Select a start up configuration in the document view and click Edit schedule....
  3. Edit the schedule properties.
  4. To enable the schedule, click Activate.
  5. Click OK.

To start initial synchronization manually

  1. Select the category Configuration | Start up configurations.
  2. Select a start up configuration in the document view and click Execute.
  3. Confirm the security prompt with Yes.
Detailed information about this topic
  • One Identity Manager Target System Synchronization Reference Guide
Related Topics

Show Synchronization Results

Show Synchronization Results

SynchronizationClosed results are summarized in the synchronization log. You can specify the extent of the synchronization log for each system connection individually. One Identity Manager provides several reports in which the synchronization results are organized under different criteria.

To display a synchronization log

  1. Select the category Logs.
  2. Click in the navigation view toolbar.

    Logs for all completed synchronization runs are displayed in the navigation view.

  3. Select a log by double-clicking on it.

    An analysis of the synchronization is shown as a report. You can save this report.

To display a provisioning log.

  1. Select the category Logs.
  2. Click in the navigation view toolbar.

    Logs for all completed provisioning processes are displayed in the navigation view.

  3. Select a log by double-clicking on it.

    An analysis of the provisioning is show as a report. You can save this report.

The log is marked in color in the navigation view. This mark shows you the execution status of the synchronization/provisioning.

Synchronization logs are stored for a fixed length of time. The retention period is set in the configuration parameter "DPR\Journal\LifeTime" and its sub parameters.

To modify the retention period for synchronization logs

  • Set the configuration parameter "Common\Journal\LifeTime" in the Designer and enter the maximum retention time for entries in the database journal. Use the configuration sub parameters to specify the retention period for each warning level.
  • If there is a large amount of data, you can specify the number of objects to delete per DBQueue Processor operation and run in order to improve performance. Use the configuration parameters "Common\Journal\Delete\BulkCount" and "Common\Journal\Delete\TotalCount" to do this.
  • Configure and set the schedule "Delete journal" in the Designer.
Related Documents