Chat now with support
Chat with Support

Starling Connect Hosted - One Identity Manager Administration Guide

About this guide One Identity Starling Connect overview One Identity Starling Supported cloud applications Working with connectors Connector versions Salesforce Facebook Workplace SAP Cloud Platform JIRA Server RSA Archer SuccessFactors AWS IAM ServiceNow Dropbox Crowd Atlassian JIRA Confluence Trello Box Pipedrive SuccessFactors HR NutShell Insightly Egnyte SugarCRM Oracle IDCS Statuspage Zendesk Sell Workbooks DocuSign Citrix ShareFile Zendesk Azure AD Google Workspace Concur Tableau GoToMeeting Coupa AWS Cognito Okta DataDog Hideez Opsgenie Informatica Cloud Services AppDynamics Marketo Workday HR OneLogin PingOne Aha! SAP Litmos HackerRank Slack ActiveCampaign Webex Apigee Databricks Hive PagerDuty Dayforce Smartsheet Pingboard SAP Cloud for Customer Azure Infrastructure Oracle Fusion Cloud Majesco LuccaHR OpenText JFrog Artifactory xMatters Discourse Testrail ChipSoft PingOne Platform Azure DevOps UKG PRO Atlassian Cloud Appendix: Creating a service account in Google Workspace Appendix: Setting a trial account on Salesforce Registering the application, providing necessary permissions, retrieving Client Id and Client Secret from the Azure AD tenant Generating a private key for service account in GoToMeeting Configuring AWS IAM connector to support entitlements for User and Group Configuring Box connector to support additional email IDs for users One Identity Manager E2E integration needs for Hideez connector Configuring custom attributes for ServiceNow v.1.0 Configuring custom attributes for Coupa v.1.0 Configuring custom attributes in connectors Disabling attributes Configuring a connector that uses the consent feature Synchronization and integration of Roles object type with One Identity Manager Synchronization and integration of Workspaces object type with One Identity Manager Synchronization and integration of Products object type with One Identity Manager User centric membership Creating multi-valued custom fields in One Identity Manager Synchronization and assignment of PermissionSets to Users with One Identity Manager Connectors that support password attribute in User object Connectors that do not support special characters in the object ID Creating an app for using SCIM on Slack Enterprise Grid Organization Creating a Webex integration application, providing necessary scopes, retrieving Client Id and Client Secret Retrieving the API key from Facebook Workplace Outbound IP addresses Values for customer-specific configuration parameters in Workday HR connector Initiate an OAuth connection to SuccessFactors Creating custom editable/upsertable attributes in Successfactors employee central Custom Foundation Objects in Successfactors HR connector Configuring additional datetime offset in connectors How to Create custom attribute for Users in SuccessFactors portal SAP Cloud for Customer - Steps to add custom fields at One Identity Manager attributes Creating a Service Principal for the Azure Infrastructure Connector Workday permissions needed to integrate via the Starling Connector Configuring integration application in DocuSign Creating integration Connect Client in Coupa Retrieving Azure DevOps Personal Access Token (PAT) Setup integration system and field override service in Workday Retrieving Atlassian Cloud API Key and Directory ID Retrieving Tableau Personal Access Token (PAT)

Connector versions and features

AWS IAM (formerly AWS IAM S3) offers a suite of cloud-computing services that make up an on-demand computing platform. The most central and best-known of these are Amazon Elastic Compute Cloud (EC2) and Amazon Simple Storage Service (S3). AWS offers more than 70 services, including computing, storage, networking, database, analytics, application services, deployment, management, mobile, developer tools, and tools for the Internet of Things.

AWS IAM connectors are available for use with One Identity Safeguard for Privileged Passwords.

For more information about configuring AWS IAM connector with One Identity Manager, see Configuring AWS IAM connector to support entitlements for User and Group.

Supervisor configuration parameters

To configure the connector, following parameters are required:

  • Connector Name

  • Client Id of the cloud account
  • Client Secret of the cloud account

  • Region of the cloud account

  • SCIM URL (Cloud application's REST API's base URL)

  • Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details).

Supported objects and operations

Users

Table 41: Supported operations and objects for Users

Operation

VERB

Create

POST

Update

PUT

Delete DELETE
Get all users GET
Get (Id) GET
Pagination GET

Groups

Table 42: Supported operations and objects for Groups

Operation

VERB

Create POST
Update PUT
Delete DELETE
Get all groups GET
Get (Id) GET

NOTE: Currently, addition or removal of entitlements for Groups is not supported by One Identity Manager.

Profiles

Table 43: Supported operations for Profiles

Operation

VERB

Get All Profiles

GET

Get Profile

GET

Roles

Table 44: Supported operations for Roles

Operation

VERB

Get Role

GET

Get All Roles

GET

Mandatory fields

Users

  • User Name
  • Password - This is applicable only for the Create operation.

Groups

  • Group Name

Mappings

The user and group mappings are listed in the tables below.

Table 45: User mapping
SCIM parameter AWS IAM parameter
Id UserName
UserName UserName
Password password
DisplayName Arn

Active

(true)

Groups

(ListGroupsForUserResult)Group

Entitlements

(ListAttachedUserPoliciesResult)AttachedPolicies

Created CreateDate
LastModified PasswordLastUsed

 

Table 46: Group mapping
SCIM parameter AWS IAM parameter
Id GroupName
displayName UserName
Entitlements (ListAttachedGroupPoliciesResult)AttachedPolicies
Members (GetGroupResult)Users
Created CreateDate
LastModified PasswordLastUsed
Table 47: Profile mapping
SCIM parameter AWS IAM parameter
Id Arn
displayName PolicyName
Created CreateDate
LastModified UpdateDate
Table 48: Roles mapping
SCIM parameter AWS IAM parameter
Id RoleName
Name RoleName
Entitlements (ListAttachedGroupPoliciesResult)AttachedPolicies
description Description
Created CreateDate
Table 49: Mappings for v2.0
SCIM parameter AWS IAM parameter
Id Base64encoded(id)
targetId id

NOTE:Applicable for all object types.

Connector limitations

  • Signature generation is embedded within a data process. Hence, the performance of the application is affected.

  • The Last Modified date is not available. Hence, the field contains the value of the recently used Password.

  • While performing Delete User or Delete Group operation, users or groups that are part of the deleted users or groups get detached from the below mentioned services. However, some services must be detached manually.

    • AccessKey
    • Roles
    • Groups
  • The task of assigning entitlements to groups is available with the connector. For successful working, certain changes must be made in One Identity Manager.

  • Roles has no assignment relations with Users and Groups object types. Entitlements is the only object type associated with Roles.

The following subsections describe the different connector version(s) and features available with them.

Features available exclusively in AWS IAM v.2.0

Following are the features that are available exclusively in AWS IAM v.2.0:

  • All the endpoints return one new attribute “targetId”.
  • The "id" in the SCIM response will be base64 encoded in all the endpoints.

AWS IAM connector for Safeguard for Privileged Passwords

  • The service account must have the following minimum IAM permissions:

    • GetUser

    • GetGroup

    • ListAttachedUserPolicies

    • ListEntitiesForPolicy

    • ListGroups

    • ListGroupsForUser

    • ListUsers

    • ListUserPolicies

    • SimulatePrincipalPolicy

    • UpdateLoginProfile

  • If manually adding an account to an AWS asset, the username to enter is the simple account username (not the ARN).

  • Users must have a manually set password in AWS prior to management by Safeguard for Privileged Passwords. You cannot call "ChangePassword" on an account that has never had a password set.

  • Safeguard for Privileged Password "Roles" are used for account discovery map to AWS Policies (not AWS "Roles").

  • When a "Roles" filter is used in account discovery it only captures accounts for which a matching policy is directly assigned to the user (not policies it inherits through a group).

AWS IAM connector for Safeguard for Privileged Passwords

AWS IAM (formerly AWS IAM S3) offers a suite of cloud-computing services that make up an on-demand computing platform. The most central and best-known of these are Amazon Elastic Compute Cloud (EC2) and Amazon Simple Storage Service (S3). AWS offers more than 70 services, including computing, storage, networking, database, analytics, application services, deployment, management, mobile, developer tools, and tools for the Internet of Things.

AWS IAM connectors are available for use with One Identity Safeguard for Privileged Passwords.

For more information about configuring AWS IAM connector with One Identity Manager, see Configuring AWS IAM connector to support entitlements for User and Group.

Supervisor configuration parameters

To configure the connector, following parameters are required:

  • Connector Name

  • Client Id of the cloud account
  • Client Secret of the cloud account

  • Region of the cloud account

  • SCIM URL (Cloud application's REST API's base URL)

  • Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details).

Supported objects and operations

Users

Table 41: Supported operations and objects for Users

Operation

VERB

Create

POST

Update

PUT

Delete DELETE
Get all users GET
Get (Id) GET
Pagination GET

Groups

Table 42: Supported operations and objects for Groups

Operation

VERB

Create POST
Update PUT
Delete DELETE
Get all groups GET
Get (Id) GET

NOTE: Currently, addition or removal of entitlements for Groups is not supported by One Identity Manager.

Profiles

Table 43: Supported operations for Profiles

Operation

VERB

Get All Profiles

GET

Get Profile

GET

Roles

Table 44: Supported operations for Roles

Operation

VERB

Get Role

GET

Get All Roles

GET

Mandatory fields

Users

  • User Name
  • Password - This is applicable only for the Create operation.

Groups

  • Group Name

Mappings

The user and group mappings are listed in the tables below.

Table 45: User mapping
SCIM parameter AWS IAM parameter
Id UserName
UserName UserName
Password password
DisplayName Arn

Active

(true)

Groups

(ListGroupsForUserResult)Group

Entitlements

(ListAttachedUserPoliciesResult)AttachedPolicies

Created CreateDate
LastModified PasswordLastUsed

 

Table 46: Group mapping
SCIM parameter AWS IAM parameter
Id GroupName
displayName UserName
Entitlements (ListAttachedGroupPoliciesResult)AttachedPolicies
Members (GetGroupResult)Users
Created CreateDate
LastModified PasswordLastUsed
Table 47: Profile mapping
SCIM parameter AWS IAM parameter
Id Arn
displayName PolicyName
Created CreateDate
LastModified UpdateDate
Table 48: Roles mapping
SCIM parameter AWS IAM parameter
Id RoleName
Name RoleName
Entitlements (ListAttachedGroupPoliciesResult)AttachedPolicies
description Description
Created CreateDate
Table 49: Mappings for v2.0
SCIM parameter AWS IAM parameter
Id Base64encoded(id)
targetId id

NOTE:Applicable for all object types.

Connector limitations

  • Signature generation is embedded within a data process. Hence, the performance of the application is affected.

  • The Last Modified date is not available. Hence, the field contains the value of the recently used Password.

  • While performing Delete User or Delete Group operation, users or groups that are part of the deleted users or groups get detached from the below mentioned services. However, some services must be detached manually.

    • AccessKey
    • Roles
    • Groups
  • The task of assigning entitlements to groups is available with the connector. For successful working, certain changes must be made in One Identity Manager.

  • Roles has no assignment relations with Users and Groups object types. Entitlements is the only object type associated with Roles.

Connector versions and features

The following subsections describe the different connector version(s) and features available with them.

Features available exclusively in AWS IAM v.2.0

Following are the features that are available exclusively in AWS IAM v.2.0:

  • All the endpoints return one new attribute “targetId”.
  • The "id" in the SCIM response will be base64 encoded in all the endpoints.
  • The service account must have the following minimum IAM permissions:

    • GetUser

    • GetGroup

    • ListAttachedUserPolicies

    • ListEntitiesForPolicy

    • ListGroups

    • ListGroupsForUser

    • ListUsers

    • ListUserPolicies

    • SimulatePrincipalPolicy

    • UpdateLoginProfile

  • If manually adding an account to an AWS asset, the username to enter is the simple account username (not the ARN).

  • Users must have a manually set password in AWS prior to management by Safeguard for Privileged Passwords. You cannot call "ChangePassword" on an account that has never had a password set.

  • Safeguard for Privileged Password "Roles" are used for account discovery map to AWS Policies (not AWS "Roles").

  • When a "Roles" filter is used in account discovery it only captures accounts for which a matching policy is directly assigned to the user (not policies it inherits through a group).

ServiceNow

ServiceNow is a service management platform that can be used for many different business units, including IT, human resources, facilities, and field services.

ServiceNow connectors are available for use with One Identity Safeguard for Privileged Passwords.

Supervisor configuration parameters for ServiceNow v.1.0

To configure the connector, following parameters are required:

  • Connector name

  • Username for the cloud account

  • Password for the cloud account

  • Custom Properties (List of custom properties, if any, to be mapped)
    For more information, see Configuring custom attributes for ServiceNow v.1.0.

  • SCIM URL (Cloud application's REST API's base URL)

Configuring custom attributes for ServiceNow v.1.0

You can configure custom attributes for the ServiceNow v.1.0 connector when you configure the connector in Starling Connect by adding the custom attributes in the Custom Properties field in the defined format.

NOTE:For more information about how to configure custom attributes in ServiceNow v.1.0 , see Configuring custom attributes for ServiceNow v.1.0.

Supervisor configuration parameters for ServiceNow v.2.0

To configure the connector, following parameters are required:

  • Connector name

  • Username for the cloud account

  • Password for the cloud account

  • SCIM URL (Cloud application's REST API's base URL)

Configuring custom attributes for ServiceNow v.2.0

You can configure custom attributes for the ServiceNow v.2.0 SCIM connector in Starling Connect for Users, Groups and Roles in the Custom Attributes section in Schema Configuration.

NOTE:

  • For more information about how to configure custom attributes in ServiceNowv.2.0, see Configuring custom attributes in connectors.
  • As the ServiceNow target system does not support disabling of attributes, the ServiceNow connector is enhanced only to support the configuration of custom attributes in the SCIM connector.
  • If a custom attribute is a complex attribute, then you must enter it in the following format in Starling Connect:

    <custom_attribute>$$<nested_attribute>.

    For example,

    "parent": {

    "link": "https://dev60043.service-now.com/api/now/table/sys_user_group/b85d44954a3623120004689b2d5dd60a",

    "value": "b85d44954a3623120004689b2d5dd60a"

    }

    you must enter as parent$$value in Starling Connect.

  • The connector supports single level of navigation only.

Supported objects and operations

Users
Table 50: Supported operations for Users

Operation

VERB

Create

POST

Update

PUT

Delete

DELETE

Get all users

GET

Get (Id)

GET

Pagination GET
Groups
Table 51: Supported operations for Groups

Operation

VERB

Create

POST

Update

PUT

Delete 

DELETE

Get all groups

GET

Get (id)

GET

Get

GET

Pagination GET
Roles
Table 52: Supported operations for Roles

Operation

VERB

Get All Roles

GET

Get Role (Id)

GET

Mandatory fields

Users

  • Username

Groups

  • Group Name

User and Group mapping

The user and group mapping is listed in the table below.

Table 53: User mapping
SCIM parameter ServiceNow parameter
userName user_name
name.familyName last_name
name.givenName first_name
name.middleName middle_name
displayName name
emails[0].value email
addresses[0].streetAddress street
addresses[0].locality city
addresses[0].region state
addresses[0].postalCode zip
addresses[0].country country
phoneNumbers[0].value(type=work) phone
title title
preferredLanguage preferred_language
timeZone time_zone
active active
password user_password
roles.value {resource}.role.value
extension.organization company
extension.department department
extension.manager.value manager.value
extension.employeeNumber employee_number
id sys_id
groups.value {resource}.group.value

extension.lastLogon

last_login_time

PhoneNumbers[0].value(type=mobile)

mobile_phone

Table 54: Group mapping
SCIM parameter ServiceNow parameter
id sys_id
displayName name
members.value {resource}.user.value
extension.description description
extension.email email

extension.groupType

type

extension.manager.value

manager.value

Connector versions and features

The following subsections describe the different connector version(s) and features available with them.

Supported Versions

The supported versions of ServiceNow connector are:

  • v.1.0
  • v.2.0

NOTE: For more information, see Connector versions.

Connector limitations

  • ServiceProviderAuthority contains only the Id field with the value being same as the instance id of the ServiceNow instance, as there are no APIs to fetch the tenant details in ServiceNow.

  • If the department name and organization name is provided during user create or update operations, the user gets assigned to the department and organization if the department and organization with the same name exists in ServiceNow cloud application.

  • If the invalid manager id is used for user's manager fields while performing user create or update operations, ServiceNow does not display any error. Instead, it invalid id is returned as the manager id.

  • In the request, if there are invalid values for timezone, language, and so on, ServiceNow does not display any error. Instead, the fields with invalid values would be blank.
  • GET Roles operation might not fetch all the roles. Some roles must be retrieved based on ServiceNow Access Control List (ACL).

  • If an invalid role id is used for user create or update operation, no error is displayed. Instead, the same invalid id in the role list is returned.
  • If an invalid member id is used for group create or update, no error is displayed. Instead, the same invalid id as the member id is returned.

  • Create User operation with existing user details shows the status code as 403 instead 409. The status code and the status message cannot be interpreted.

Supervisor configuration parameters for ServiceNow v.1.0

ServiceNow is a service management platform that can be used for many different business units, including IT, human resources, facilities, and field services.

ServiceNow connectors are available for use with One Identity Safeguard for Privileged Passwords.

To configure the connector, following parameters are required:

  • Connector name

  • Username for the cloud account

  • Password for the cloud account

  • Custom Properties (List of custom properties, if any, to be mapped)
    For more information, see Configuring custom attributes for ServiceNow v.1.0.

  • SCIM URL (Cloud application's REST API's base URL)

Configuring custom attributes for ServiceNow v.1.0

You can configure custom attributes for the ServiceNow v.1.0 connector when you configure the connector in Starling Connect by adding the custom attributes in the Custom Properties field in the defined format.

NOTE:For more information about how to configure custom attributes in ServiceNow v.1.0 , see Configuring custom attributes for ServiceNow v.1.0.

Supervisor configuration parameters for ServiceNow v.2.0

To configure the connector, following parameters are required:

  • Connector name

  • Username for the cloud account

  • Password for the cloud account

  • SCIM URL (Cloud application's REST API's base URL)

Configuring custom attributes for ServiceNow v.2.0

You can configure custom attributes for the ServiceNow v.2.0 SCIM connector in Starling Connect for Users, Groups and Roles in the Custom Attributes section in Schema Configuration.

NOTE:

  • For more information about how to configure custom attributes in ServiceNowv.2.0, see Configuring custom attributes in connectors.
  • As the ServiceNow target system does not support disabling of attributes, the ServiceNow connector is enhanced only to support the configuration of custom attributes in the SCIM connector.
  • If a custom attribute is a complex attribute, then you must enter it in the following format in Starling Connect:

    <custom_attribute>$$<nested_attribute>.

    For example,

    "parent": {

    "link": "https://dev60043.service-now.com/api/now/table/sys_user_group/b85d44954a3623120004689b2d5dd60a",

    "value": "b85d44954a3623120004689b2d5dd60a"

    }

    you must enter as parent$$value in Starling Connect.

  • The connector supports single level of navigation only.

Supported objects and operations

Users
Table 50: Supported operations for Users

Operation

VERB

Create

POST

Update

PUT

Delete

DELETE

Get all users

GET

Get (Id)

GET

Pagination GET
Groups
Table 51: Supported operations for Groups

Operation

VERB

Create

POST

Update

PUT

Delete 

DELETE

Get all groups

GET

Get (id)

GET

Get

GET

Pagination GET
Roles
Table 52: Supported operations for Roles

Operation

VERB

Get All Roles

GET

Get Role (Id)

GET

Mandatory fields

Users

  • Username

Groups

  • Group Name

User and Group mapping

The user and group mapping is listed in the table below.

Table 53: User mapping
SCIM parameter ServiceNow parameter
userName user_name
name.familyName last_name
name.givenName first_name
name.middleName middle_name
displayName name
emails[0].value email
addresses[0].streetAddress street
addresses[0].locality city
addresses[0].region state
addresses[0].postalCode zip
addresses[0].country country
phoneNumbers[0].value(type=work) phone
title title
preferredLanguage preferred_language
timeZone time_zone
active active
password user_password
roles.value {resource}.role.value
extension.organization company
extension.department department
extension.manager.value manager.value
extension.employeeNumber employee_number
id sys_id
groups.value {resource}.group.value

extension.lastLogon

last_login_time

PhoneNumbers[0].value(type=mobile)

mobile_phone

Table 54: Group mapping
SCIM parameter ServiceNow parameter
id sys_id
displayName name
members.value {resource}.user.value
extension.description description
extension.email email

extension.groupType

type

extension.manager.value

manager.value

Connector versions and features

The following subsections describe the different connector version(s) and features available with them.

Supported Versions

The supported versions of ServiceNow connector are:

  • v.1.0
  • v.2.0

NOTE: For more information, see Connector versions.

Connector limitations

  • ServiceProviderAuthority contains only the Id field with the value being same as the instance id of the ServiceNow instance, as there are no APIs to fetch the tenant details in ServiceNow.

  • If the department name and organization name is provided during user create or update operations, the user gets assigned to the department and organization if the department and organization with the same name exists in ServiceNow cloud application.

  • If the invalid manager id is used for user's manager fields while performing user create or update operations, ServiceNow does not display any error. Instead, it invalid id is returned as the manager id.

  • In the request, if there are invalid values for timezone, language, and so on, ServiceNow does not display any error. Instead, the fields with invalid values would be blank.
  • GET Roles operation might not fetch all the roles. Some roles must be retrieved based on ServiceNow Access Control List (ACL).

  • If an invalid role id is used for user create or update operation, no error is displayed. Instead, the same invalid id in the role list is returned.
  • If an invalid member id is used for group create or update, no error is displayed. Instead, the same invalid id as the member id is returned.

  • Create User operation with existing user details shows the status code as 403 instead 409. The status code and the status message cannot be interpreted.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating