Chat now with support
Chat with Support

Starling Connect Hosted - One Identity Manager Administration Guide

About this guide One Identity Starling Connect overview One Identity Starling Supported cloud applications Working with connectors Connector versions Salesforce Facebook Workplace SAP Cloud Platform JIRA Server RSA Archer SuccessFactors AWS IAM ServiceNow Dropbox Crowd Atlassian JIRA Confluence Trello Box Pipedrive SuccessFactors HR NutShell Insightly Egnyte SugarCRM Oracle IDCS Statuspage Zendesk Sell Workbooks DocuSign Citrix ShareFile Zendesk Microsoft Entra ID Google Workspace Concur Tableau GoToMeeting Coupa AWS Cognito Okta DataDog Hideez Opsgenie Informatica Cloud Services AppDynamics Marketo Workday HR OneLogin PingOne Aha! SAP Litmos HackerRank Slack ActiveCampaign Webex Apigee Databricks Hive PagerDuty Dayforce Smartsheet Pingboard SAP Cloud for Customer Azure Infrastructure Oracle Fusion Cloud Majesco LuccaHR OpenText JFrog Artifactory xMatters Discourse Testrail ChipSoft PingOne Platform Azure DevOps UKG PRO Atlassian Cloud Appendix: Creating a service account in Google Workspace Appendix: Setting a trial account on Salesforce Registering the application, providing necessary permissions, retrieving Client Id and Client Secret from the Microsoft Entra ID tenant Generating a private key for service account in GoToMeeting Configuring AWS IAM connector to support entitlements for User and Group Configuring Box connector to support additional email IDs for users One Identity Manager E2E integration needs for Hideez connector Configuring custom attributes for ServiceNow v.1.0 Configuring custom attributes for Coupa v.1.0 Configuring custom attributes in connectors Disabling attributes Configuring a connector that uses the consent feature Synchronization and integration of Roles object type with One Identity Manager Synchronization and integration of Workspaces object type with One Identity Manager Synchronization and integration of Products object type with One Identity Manager User centric membership Creating multi-valued custom fields in One Identity Manager Synchronization and assignment of PermissionSets to Users with One Identity Manager Connectors that support password attribute in User object Connectors that do not support special characters in the object ID Creating an app for using SCIM on Slack Enterprise Grid Organization Creating a Webex integration application, providing necessary scopes, retrieving Client Id and Client Secret Retrieving the API key from Facebook Workplace Outbound IP addresses Values for customer-specific configuration parameters in Workday HR connector Initiate an OAuth connection to SuccessFactors Creating custom editable/upsertable attributes in Successfactors employee central Custom Foundation Objects in Successfactors HR connector Configuring additional datetime offset in connectors How to Create custom attribute for Users in SuccessFactors portal SAP Cloud for Customer - Steps to add custom fields at One Identity Manager attributes Creating a Service Principal for the Azure Infrastructure Connector Workday permissions needed to integrate via the Starling Connector Configuring integration application in DocuSign Creating integration Connect Client in Coupa Retrieving Azure DevOps Personal Access Token (PAT) Setup integration system and field override service in Workday Retrieving Atlassian Cloud API Key and Directory ID Retrieving Tableau Personal Access Token (PAT)

Creating a Service Principal for the Azure Infrastructure Connector

Use Azure CLI by accessing https://shell.azure.com , select "Bash" console.

Use the command

az ad sp create-for-rbac -n "{sp_name}" --role Reader --scopes /

to create a Service Principal with reader role for Root Scope.

Collect the values for "appId", "password" and "tenant" from the Azure CLI command response for "Client Id", "Client Secret" and "Tenant Id" respectively.

NOTE: To support Write operations, the service principal needs to have 'owner' role.

Workday permissions needed to integrate via the Starling Connector

If the admin account credentials cannot be used in the SCIM integration setup through Starling Connector, the alternative approach is using the credentials of integration system user configured in the Workday tenant. This section describes how to create an integration system user in Workday and to provide the necessary permissions based on the business use-cases.

Creating an integration system user

To create an integration user:

  1. Sign in to your Workday tenant using an administrator account. In the Workday Application, enter create user in the search box, and then click Create Integration System User.
  2. Complete the Create Integration System User task by supplying a user name and password for a new Integration System User.
    • Leave the Require New Password at Next Sign In option unchecked, because this user will be log on through programmed steps.
    • Leave the Session Timeout Minutes with its default value of 0, which will prevent the user's sessions from timing out prematurely.
    • Select the option Do Not Allow UI Sessions as it provides an added layer of security that prevents a user with the password of the integration system from logging into Workday.

Creating an integration security group

In this step, you will create an unconstrained or constrained integration system security group in Workday and assign the integration system user created in the previous step to this group.

To create a security group:

  1. Enter create security group in the search box, and then click Create Security Group.

  2. Complete the Create Security Group task

    • There are two types of security groups in Workday:

      • Unconstrained: All members of the security group can access all data instances secured by the security group.
      • Constrained: All security group members have contextual access to a subset of data instances (rows) that the security group can access.
    • Please check with your Workday integration partner to select the appropriate security group type for the integration.
    • Once you know the group type, select Integration System Security Group (Unconstrained) or Integration System Security Group (Constrained) from the Type of Tenanted Security Group dropdown.
    • After the Security Group creation is successful, you will see a page where you can assign members to the Security Group.
    • Add the new integration system user created in the previous step to this security group. If you are using constrained security group, you will also need to select the appropriate organization scope.

Configuring domain security policy permissions

In this step, you'll grant "domain security" policy permissions for the worker data to the security group.

To configure domain security policy permissions:

  1. Enter Security Group Membership and Access (or Who are the Members of a Security Group) in the search box and click on the report link.

  2. Search and select the security group created in the previous step.

  3. Click on the ellipsis (...) next to the group name and from the menu, select Security Group > Maintain Domain Permissions for Security Group.

  4. Under Integration Permissions, add the following domains to the list Domain Security Policies permitting Put access:

    • External Account Provisioning
    • Worker Data: Public Worker Reports
    • Person Data: Work Contact Information
    • Workday Accounts

  5. Under Integration Permissions, add the following domains to the list Domain Security Policies permitting Get access:

    • Worker Data: Workers
    • Worker Data: All Positions
    • Worker Data: Current Staffing Information
    • Worker Data: Business Title on Worker Profile
    • Worker Data: Qualified Workers (Optional - add this to retrieve worker qualification data for provisioning)
    • Worker Data: Skills and Experience (Optional - add this to retrieve worker skills data for provisioning)
    • Job Information
    • Manage: Location
    • Manage: Location Hierarchy
    • Manage: Organization Integration
    • Manage: Supervisory Organization
    • Person Data: Date of Birth
    • Person Data: Gender
    • Person Data: ID Information

  6. After completing above steps, the permissions screen will appear summarizing the selected PUT and GET access permissions.

  7. Click OK and Done on the next screen to complete the configuration.

Edit business process security policies

To edit the Business Process Security Policies for Functional Area report:

  1. Access the Business Process Security Policies for Functional Area report.
  2. Provide the needed “Functional Area” and the “Business Process”, click Edit Permissions in the bottom of the screen.
  3. Scroll and find the “Initiating Action” which has “(Web Service)” in it.
  4. Add the Security Group created above.
  5. Click OK and Done on the next screen to complete the configuration.
  6. Following are the use-cases where permissions are needed when using with Starling Connect for Workday:
Table 476: Use cases for permissions

Use case in the connector

Functional Area

Business Process

Initiating Action
Edit Other / Custom IDs for Worker Personal Data

Edit Other IDs

Change Other IDs (Web Service)

Modify home contact information Contact Information

Home Contact Change

Change Home Contact Information (Web Service)

Modify work contact information

Contact Information

Work Contact Change

Change Work Contact Information (Web Service)

Modify contact information using maintain contact information API

Contact Information

Contact Change

Maintain Contact Information (Web Service)

Activating security policy changes

To activate security policy changes:

  1. Enter activate in the search box, and then click on the link Activate Pending Security Policy Changes.
  2. Begin the Activate Pending Security Policy Changes task by entering a comment for auditing purposes, and then click OK.
  3. Complete the task on the next screen by checking the checkbox Confirm, and then click OK.

Configuring integration application in DocuSign

Follow the below steps in order to configure an integration application and gather the required information for authentication.

  1. Log in to the DocuSign eSignature Admin Dashboard. If demo instance is used, the admin dashboard can be accessed at eSignature Admin | DocuSign
  2. From main menu “Settings”, under side menu “Integrations”, access “Apps and Keys”.
  3. Under “My Account Information”, collect “User ID”, “API Account ID” and “Account Base URI”.
  4. Click on “Add App and Integration Key” button to create an integration application, provide the App name.
  5. Under “Authentication” section

    1. Select “Yes” for “User Application”

    2. Click “Add Secret Key” under “Authentication Method for your App“ → “Authorization Code Grant“ to add a secret key

  6. Under “Service Integration” section

    1. Click “Generate RSA” to generate a RSA keypair

    2. Copy and save the “Private Key”

  7. Under “Additional settings” section

    1. Click “Add URI” under “Redirect URIs” to add a redirect URI. For example: http://localhost/

  8. “Save” the integration application and collect the “Integration Key” for thus created application under the “Apps and Integration Keys“ list. The integration key acts as the Client Id in the authentication workflow.

  9. Complete the admin (integration account) consent flow:

    1. Construct an URI in the format https://<authentication_server>/oauth/auth?response_type=code&scope=impersonation%20signature&client_id=<integration_app’s_integration_key>&redirect_uri=<integration_app’s_configured_redirect_uri> and access the URI in the browser by authenticating using the admin credentials. Example value for the consent URL would be https://account-d.docusign.com/oauth/auth?response_type=code&scope=impersonation signature&client_id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&redirect_uri=http://localhost/

    2. The authentication server would follow the values:

      1. account-d.docusign.com for developer environments

      2. account.docusign.com for production environments

    3. Provide the consent by clicking the “Allow Access" button in the browser page

    4. Based on the redirect URI provided, the browser will redirect to the page with access code. This code can be ignored.

Creating integration Connect Client in Coupa

Follow the below steps in order to configure an integration application and gather the required information for authentication.

  1. Login to Coupa as an integrations enabled administrator to create an OAuth2/OIDC Client with a grant type Client Credentials. After configuration, the values of Client ID and Client Secret are used to gain access to the Coupa API.

  2. To set up your Coupa test instance with a new connection, go to Setup > Oauth2/OpenID Connect Clients.

    NOTE: Type "OAuth" in search box to find the client name quickly.

  3. Click Create.

  4. For Grant Type select: Client credentials.

  5. Specify a name for the Client, Login, Contact info, and Contact Email.

  6. Select the scopes from:

    • core.user_group.read

    • core.user_group.write

    • core.user.read

    • core.user.write

    • core.accounting.read

    • core.common.read

  7. Click Save.

    Saving the client gives you values of the client Identifier and Secret that reqired to gain access to the API scopes you have defined for it.

    NOTE: Coupa instance addresses take the form of

    https://{organization_name}.coupahost.com (for customer instances) or

    https://{organization_name}.coupacloud.com (for partner and demo instances)

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating