Chat now with support
Chat with Support

Starling Connect Hosted - One Identity Manager Administration Guide

About this guide One Identity Starling Connect overview One Identity Starling Supported cloud applications Working with connectors Connector versions Salesforce Facebook Workplace SAP Cloud Platform JIRA Server RSA Archer SuccessFactors AWS IAM S3 ServiceNow Dropbox Crowd Atlassian JIRA Confluence Trello Box Pipedrive SuccessFactors HR NutShell Insightly Egnyte SugarCRM Oracle IDCS Statuspage Zendesk Sell Workbooks DocuSign Citrix ShareFile Zendesk Azure AD Google Workspace Concur Tableau GoToMeeting Coupa AWS Cognito Okta DataDog Hideez Opsgenie Informatica Cloud Services AppDynamics Marketo Workday HR OneLogin PingOne Aha! SAP Litmos HackerRank Slack ActiveCampaign Webex Apigee Databricks Hive PagerDuty Dayforce Smartsheet Pingboard SAP Cloud for Customer Azure Infrastructure Oracle Fusion Cloud Majesco LuccaHR OpenText JFrog Artifactory xMatters Discourse Testrail ChipSoft PingOne Platform Azure DevOps UKG PRO Atlassian Cloud Appendix: Creating a service account in Google Workspace Appendix: Setting a trial account on Salesforce Registering the application, providing necessary permissions, retrieving Client Id and Client Secret from the Azure AD tenant Generating a private key for service account in GoToMeeting Configuring Amazon S3 AWS connector to support entitlements for User and Group Configuring Box connector to support additional email IDs for users One Identity Manager E2E integration needs for Hideez connector Configuring custom attributes for ServiceNow v.1.0 Configuring custom attributes for Coupa v.1.0 Configuring custom attributes in connectors Disabling attributes Configuring a connector that uses the consent feature Synchronization and integration of Roles object type with One Identity Manager Synchronization and integration of Workspaces object type with One Identity Manager Synchronization and integration of Products object type with One Identity Manager User centric membership Creating multi-valued custom fields in One Identity Manager Synchronization and assignment of PermissionSets to Users with One Identity Manager Connectors that support password attribute in User object Connectors that do not support special characters in the object ID Creating an app for using SCIM on Slack Enterprise Grid Organization Creating a Webex integration application, providing necessary scopes, retrieving Client Id and Client Secret Retrieving the API key from Facebook Workplace Outbound IP addresses Values for customer-specific configuration parameters in Workday HR connector Initiate an OAuth connection to SuccessFactors Creating custom editable/upsertable attributes in Successfactors employee central Custom Foundation Objects in Successfactors HR connector Configuring additional datetime offset in connectors How to Create custom attribute for Users in SuccessFactors portal SAP Cloud for Customer - Steps to add custom fields at One Identity Manager attributes Creating a Service Principal for the Azure Infrastructure Connector Workday permissions needed to integrate via the Starling Connector Configuring integration application in DocuSign Creating integration Connect Client in Coupa Retrieving Azure DevOps Personal Access Token (PAT) Setup integration system and field override service in Workday Retrieving Atlassian Cloud API Key and Directory ID

Connector limitations

Google Workspace (formerly GSuite) is a cloud computing, productivity, and collaboration tool. It includes the Google web applications Gmail, Drive, Hangouts, Calendar, and Docs. It also includes an interactive whiteboard. The enterprise version offers custom-domain email addresses, additional storage, and 24/7 phone and email support.

You must create a service account to access the Google Workspace services. For information on creating a service account, see Creating a service account in Google Workspace.

Supervisor configuration parameters

To configure the connector, following parameters are required:

  • Connector name

  • UserName

  • Private Key (Whole JSON content of private key file created for service account)

  • Target URL (Cloud application's instance URL used as targetURI in payload, for example: https://www.googleapis.com/admin/directory/v1)

  • Customer Id

  • Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details).

Supported objects and operations

Users

Table 178: Supported operations for Users

Operation

VERB

Create User

POST

Update User

PUT

Delete User

DELETE

Get User

GET

Get All Users

GET

Get All Users with Pagination

GET

Groups

Table 179: Supported operations for Groups

Operation

VERB

Create Group

POST

Update Group

PUT

Delete Group

DELETE

Get Group

GET

Get All Groups

GET

Get All Groups with Pagination

GET

Mandatory fields

Users

  • FirstName

  • LastName

  • Password

Groups

Email

User and Group mapping

The user and group mappings are listed in the tables below.

Table 180: User mapping
SCIM parameter

Google Workspace parameter

Id id
userName primaryEmail
Name.GivenName name.givenName
Name.FamilyName name.familyName
Name.Formatted name.fullName
DisplayName name.fullName
Emails[0].value primaryEmail
Addresses[0].StreetAddress streetAddress
Addresses[0].Locality locality
Addresses[0].Region region
Addresses[0].PostalCode postalcode
PhoneNumbers[0].Value

phones[0].value

PhoneNumbers[0].Type phones[0].type
Active suspended
ExternalId externalIds.value
Extension.Organization organizations.name
Extension.Department organizations.department
Extension.Division organizations.location
Created creationTime

Groups

Table 181: User mapping
SCIM parameter

Google Workspace parameter

Id id
displayName name
members.value groupMembers.id
members.type groupMembers.type
groupExtension.Email

email

groupExtension.Description

description

  • Connector supports cursor based pagination even with any change at count in subsequent requests.

  • Created date is displayed for Users. Created date and Modified date are not displayed for Groups.

  • Group information of user is not displayed in user details.

  • The Email ID of Users and Groups to be created should be provided along with the domain name of target instance.

Google Workspace connector for Safeguard for Privileged Passwords

Google Workspace connector for Safeguard for Privileged Passwords

Google Workspace (formerly GSuite) is a cloud computing, productivity, and collaboration tool. It includes the Google web applications Gmail, Drive, Hangouts, Calendar, and Docs. It also includes an interactive whiteboard. The enterprise version offers custom-domain email addresses, additional storage, and 24/7 phone and email support.

You must create a service account to access the Google Workspace services. For information on creating a service account, see Creating a service account in Google Workspace.

Supervisor configuration parameters

To configure the connector, following parameters are required:

  • Connector name

  • UserName

  • Private Key (Whole JSON content of private key file created for service account)

  • Target URL (Cloud application's instance URL used as targetURI in payload, for example: https://www.googleapis.com/admin/directory/v1)

  • Customer Id

  • Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details).

Supported objects and operations

Users

Table 178: Supported operations for Users

Operation

VERB

Create User

POST

Update User

PUT

Delete User

DELETE

Get User

GET

Get All Users

GET

Get All Users with Pagination

GET

Groups

Table 179: Supported operations for Groups

Operation

VERB

Create Group

POST

Update Group

PUT

Delete Group

DELETE

Get Group

GET

Get All Groups

GET

Get All Groups with Pagination

GET

Mandatory fields

Users

  • FirstName

  • LastName

  • Password

Groups

Email

User and Group mapping

The user and group mappings are listed in the tables below.

Table 180: User mapping
SCIM parameter

Google Workspace parameter

Id id
userName primaryEmail
Name.GivenName name.givenName
Name.FamilyName name.familyName
Name.Formatted name.fullName
DisplayName name.fullName
Emails[0].value primaryEmail
Addresses[0].StreetAddress streetAddress
Addresses[0].Locality locality
Addresses[0].Region region
Addresses[0].PostalCode postalcode
PhoneNumbers[0].Value

phones[0].value

PhoneNumbers[0].Type phones[0].type
Active suspended
ExternalId externalIds.value
Extension.Organization organizations.name
Extension.Department organizations.department
Extension.Division organizations.location
Created creationTime

Groups

Table 181: User mapping
SCIM parameter

Google Workspace parameter

Id id
displayName name
members.value groupMembers.id
members.type groupMembers.type
groupExtension.Email

email

groupExtension.Description

description

Connector limitations

  • Connector supports cursor based pagination even with any change at count in subsequent requests.

  • Created date is displayed for Users. Created date and Modified date are not displayed for Groups.

  • Group information of user is not displayed in user details.

  • The Email ID of Users and Groups to be created should be provided along with the domain name of target instance.

Concur

Concur offers two on-demand Software as a Service (SaaS) products to help manage travel. Concur Travel & Expense gives you web and mobile solutions for travel and expense management, and TripIt is a mobile travel organizer for individuals.

Supervisor configuration parameters

To configure the connector, following parameters are required:

  • Connector name

  • Client Id

  • Client Secret

  • Username (in v.1.0)

  • Password (in v.1.0)

  • Geolocation (in v.1.0)

  • RefreshToken (in v.2.0)

  • Target URL (Cloud application's instance URL used as targetURI in payload)

  • Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details).

Supported objects and operations

Users

Table 182: Supported operations for Users (for v1.0)

Operation

VERB

Create User

POST

Update User

POST

Delete User

DELETE

Get User

GET

Get All Users

GET

Get All Users with Pagination

GET

Table 183: Supported operations for Users (for v2.0)

Operation

VERB

Get User

GET

Get All Users

GET

Get All Users with Pagination

GET

Create User

POST

Update User

PUT

Groups

NA

Mandatory fields

Users (v1.0)

  • userName

  • name.givenName

  • name.familyName

  • enterpriseUserExtension.empId

  • emails.value

  • password

  • scimUser.locale

  • enterpriseUserExtension.ctryCode

  • enterpriseUserExtension.crnKey

  • enterpriseUserExtension.ledgerKey

Users (v2.0)

  • userName

  • name.givenName

  • name.familyName

  • emails[].value

  • emails[].type

  • active

  • enterpriseUserExtension.companyId

  • enterpriseUserExtension.startDate

  • entitlements[].value

  • roles[].value

  • enterpriseUserExtension.employeeNumber

Groups

NA

User and Group mapping

The user and group mappings are listed in the tables below.

Table 184: User mapping
SCIM parameter Concur parameter
Id LoginId
userName LoginId
Name.GivenName FirstName
name.MiddleName Mi
Name.FamilyName LastName
DisplayName FirstName+LastName
Emails[0].value EmailAddress
Active Active
Locale LocaleName
Extension.EmpId EmpId
Extension.LedgerKe LedgerName
Extension.CtryCode CtryCode
Extension.CrnKey CrnKey
Extension.ExpenseApprover ExpenseApprover
Extension.Custom1 Custom1
Extension.Custom2

Custom2

Extension.Custom3

 Custom3

Extension.Custom4

 Custom4

Extension.Custom5

 Custom5

Extension.Custom6

 Custom6

Extension.Custom7

 Custom7

Extension.Custom8

 Custom8

Extension.Custom9

 Custom9

Extension.Custom10

 Custom10

Extension.Custom11

 Custom11

Extension.Custom12

 Custom12

Extension.Custom13

 Custom13

Extension.Custom14

 Custom14

Extension.Custom15

 Custom15

Extension.Custom16

 Custom16

Extension.Custom17

 Custom17

Extension.Custom18

 Custom18

Extension.Custom19

 Custom19

Extension.Custom20

 Custom20

Extension.Custom21

 Custom21

Extension.OrgUnit1

 OrgUnit1

Extension.OrgUnit2

 OrgUnit2
Extension.OrgUnit3 OrgUnit3
Extension.OrgUnit4 OrgUnit4
Extension.OrgUnit5 OrgUnit5
Extension.OrgUnit6 OrgUnit6
Table 185: User v2 mapping
SCIM parameter Concur parameter
Active active
Addresses addresses
DisplayName displayName
Emails[].value emails[].value
Extension.CompanyId extension.companyId
Extension.CostCenter extension.costCenter
Extension.Department extension.department
Extension.Division extension.division
Extension.EmployeeNumber extension.employeeNumber
Extension.Manager.value extension.manager.value
Extension.Organization extension.organization
Extension.StartDate extension.startDate
Extension.TerminationDate extension.terminationDate

externalId

externalId

Id id
Meta.Created meta.created
Meta.LastModified meta.lastModified
Name.FamilyName name.familyName
Name.GivenName name.givenName
name.MiddleName name.middleName

NickName

nickName

PhoneNumbers phoneNumbers
PreferredLanguage preferredLanguage
TimeZone timezone
Title title
UserName userName

Roles[].value

spendExtensionRole.roles[].roleName

Roles[].display

spendExtensionRole.roles[].roleName

Entitlements[].value

entitlements[]

Entitlements[].display

entitlements[]

Extension.SpendReimbursementCurrency

spendExtensionUser.reimbursementCurrency

Extension.SpendLocale

spendExtensionUser.locale

Extension.SpendCountry

spendExtensionUser.country

Extension.SpendLedgerCode

spendExtensionUser.ledgerCode

extension.primaryApprover.id

SpendApprover.report[].approver.value

extension.primaryApprover.userName

UserName

extension.primaryApprover.employeeNumber

Extension.EmployeeNumber

NOTE: Attributes extension.primaryApprover.userName and extension.primaryApprover.employeeNumber are mapped from a different Get API.

Groups

NA

Connector limitations

  • Connector will not return inactive users in the Get All Users response and return 404 Not Found for Get User by Id. (returned in version v.2.0)

  • Meta data information with created and lastModified dates are not supported. (Supported in version v.2.0)

  • Create User with the details of an existing User will return the same User details with ‘201 Created’. (returns 409 conflict in version v.2.0)

  • Update of givenName and familyName are not supported. (Supported in version v.2.0)

  • It is required to pass the values in specific format for the custom fields which depends on the target instance.

  • To perform a successful integration, the enabled mandatory custom attributes need to be configured in One IM and all the values should be passed accordingly.

NOTE:

  • As the connector does not support PATCH, it will accept all the write-able attributes in update request. If attributes are not specified in the request, system default values will be provisioned.

  • Default values for some attributes used in connectors are: Under "urn:ietf:params:scim:schemas:extension:spend:2.0:User" :

    • reimbursement Currency: USD

    • country: US

    • locale: en-US

Connector versions and features

The following subsections describe the different connector version(s) and features available with them.

Features available exclusively in Concur v.2.0

Following are the features that are available exclusively in Concur v.2.0:

  • v.2.0 of Concur connector leverages v4 APIs of target system.

Connector SCIM configuration

  • The Concur connector is enhanced to support the configuration of SCIM connector with custom attributes.

  • Disabling the attributes is not supported as this feature is not available in Concur.

  • The supported custom attributes are custom 1 through 21 and orgUnit 1 through 6, which are string types.

  • Only the "Users" resource type has support for configuring custom attributes via SCIM configuration.

NOTE: Supported only for v.2.0.

Support for filter condition

  • The connector supports filter condition on externalId, companyId, employeeNumber and userName.
  • The only filter operator supported is eq.
  • Supports AND logical operator only with the attribute combination employeeNumber + companyId and externalId + companyId.
  • For OR logical operator, and for any other combination of attributes, the target API returns error message.
  • The connector supports only the double quotes in the filter value (ex. userName eq "testUser").

NOTE: Filter is supported only for v.2.0.

Supervisor configuration parameters

Concur offers two on-demand Software as a Service (SaaS) products to help manage travel. Concur Travel & Expense gives you web and mobile solutions for travel and expense management, and TripIt is a mobile travel organizer for individuals.

To configure the connector, following parameters are required:

  • Connector name

  • Client Id

  • Client Secret

  • Username (in v.1.0)

  • Password (in v.1.0)

  • Geolocation (in v.1.0)

  • RefreshToken (in v.2.0)

  • Target URL (Cloud application's instance URL used as targetURI in payload)

  • Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details).

Supported objects and operations

Users

Table 182: Supported operations for Users (for v1.0)

Operation

VERB

Create User

POST

Update User

POST

Delete User

DELETE

Get User

GET

Get All Users

GET

Get All Users with Pagination

GET

Table 183: Supported operations for Users (for v2.0)

Operation

VERB

Get User

GET

Get All Users

GET

Get All Users with Pagination

GET

Create User

POST

Update User

PUT

Groups

NA

Mandatory fields

Users (v1.0)

  • userName

  • name.givenName

  • name.familyName

  • enterpriseUserExtension.empId

  • emails.value

  • password

  • scimUser.locale

  • enterpriseUserExtension.ctryCode

  • enterpriseUserExtension.crnKey

  • enterpriseUserExtension.ledgerKey

Users (v2.0)

  • userName

  • name.givenName

  • name.familyName

  • emails[].value

  • emails[].type

  • active

  • enterpriseUserExtension.companyId

  • enterpriseUserExtension.startDate

  • entitlements[].value

  • roles[].value

  • enterpriseUserExtension.employeeNumber

Groups

NA

User and Group mapping

The user and group mappings are listed in the tables below.

Table 184: User mapping
SCIM parameter Concur parameter
Id LoginId
userName LoginId
Name.GivenName FirstName
name.MiddleName Mi
Name.FamilyName LastName
DisplayName FirstName+LastName
Emails[0].value EmailAddress
Active Active
Locale LocaleName
Extension.EmpId EmpId
Extension.LedgerKe LedgerName
Extension.CtryCode CtryCode
Extension.CrnKey CrnKey
Extension.ExpenseApprover ExpenseApprover
Extension.Custom1 Custom1
Extension.Custom2

Custom2

Extension.Custom3

 Custom3

Extension.Custom4

 Custom4

Extension.Custom5

 Custom5

Extension.Custom6

 Custom6

Extension.Custom7

 Custom7

Extension.Custom8

 Custom8

Extension.Custom9

 Custom9

Extension.Custom10

 Custom10

Extension.Custom11

 Custom11

Extension.Custom12

 Custom12

Extension.Custom13

 Custom13

Extension.Custom14

 Custom14

Extension.Custom15

 Custom15

Extension.Custom16

 Custom16

Extension.Custom17

 Custom17

Extension.Custom18

 Custom18

Extension.Custom19

 Custom19

Extension.Custom20

 Custom20

Extension.Custom21

 Custom21

Extension.OrgUnit1

 OrgUnit1

Extension.OrgUnit2

 OrgUnit2
Extension.OrgUnit3 OrgUnit3
Extension.OrgUnit4 OrgUnit4
Extension.OrgUnit5 OrgUnit5
Extension.OrgUnit6 OrgUnit6
Table 185: User v2 mapping
SCIM parameter Concur parameter
Active active
Addresses addresses
DisplayName displayName
Emails[].value emails[].value
Extension.CompanyId extension.companyId
Extension.CostCenter extension.costCenter
Extension.Department extension.department
Extension.Division extension.division
Extension.EmployeeNumber extension.employeeNumber
Extension.Manager.value extension.manager.value
Extension.Organization extension.organization
Extension.StartDate extension.startDate
Extension.TerminationDate extension.terminationDate

externalId

externalId

Id id
Meta.Created meta.created
Meta.LastModified meta.lastModified
Name.FamilyName name.familyName
Name.GivenName name.givenName
name.MiddleName name.middleName

NickName

nickName

PhoneNumbers phoneNumbers
PreferredLanguage preferredLanguage
TimeZone timezone
Title title
UserName userName

Roles[].value

spendExtensionRole.roles[].roleName

Roles[].display

spendExtensionRole.roles[].roleName

Entitlements[].value

entitlements[]

Entitlements[].display

entitlements[]

Extension.SpendReimbursementCurrency

spendExtensionUser.reimbursementCurrency

Extension.SpendLocale

spendExtensionUser.locale

Extension.SpendCountry

spendExtensionUser.country

Extension.SpendLedgerCode

spendExtensionUser.ledgerCode

extension.primaryApprover.id

SpendApprover.report[].approver.value

extension.primaryApprover.userName

UserName

extension.primaryApprover.employeeNumber

Extension.EmployeeNumber

NOTE: Attributes extension.primaryApprover.userName and extension.primaryApprover.employeeNumber are mapped from a different Get API.

Groups

NA

Connector limitations

  • Connector will not return inactive users in the Get All Users response and return 404 Not Found for Get User by Id. (returned in version v.2.0)

  • Meta data information with created and lastModified dates are not supported. (Supported in version v.2.0)

  • Create User with the details of an existing User will return the same User details with ‘201 Created’. (returns 409 conflict in version v.2.0)

  • Update of givenName and familyName are not supported. (Supported in version v.2.0)

  • It is required to pass the values in specific format for the custom fields which depends on the target instance.

  • To perform a successful integration, the enabled mandatory custom attributes need to be configured in One IM and all the values should be passed accordingly.

NOTE:

  • As the connector does not support PATCH, it will accept all the write-able attributes in update request. If attributes are not specified in the request, system default values will be provisioned.

  • Default values for some attributes used in connectors are: Under "urn:ietf:params:scim:schemas:extension:spend:2.0:User" :

    • reimbursement Currency: USD

    • country: US

    • locale: en-US

Connector versions and features

The following subsections describe the different connector version(s) and features available with them.

Features available exclusively in Concur v.2.0

Following are the features that are available exclusively in Concur v.2.0:

  • v.2.0 of Concur connector leverages v4 APIs of target system.

Connector SCIM configuration

  • The Concur connector is enhanced to support the configuration of SCIM connector with custom attributes.

  • Disabling the attributes is not supported as this feature is not available in Concur.

  • The supported custom attributes are custom 1 through 21 and orgUnit 1 through 6, which are string types.

  • Only the "Users" resource type has support for configuring custom attributes via SCIM configuration.

NOTE: Supported only for v.2.0.

Support for filter condition

  • The connector supports filter condition on externalId, companyId, employeeNumber and userName.
  • The only filter operator supported is eq.
  • Supports AND logical operator only with the attribute combination employeeNumber + companyId and externalId + companyId.
  • For OR logical operator, and for any other combination of attributes, the target API returns error message.
  • The connector supports only the double quotes in the filter value (ex. userName eq "testUser").

NOTE: Filter is supported only for v.2.0.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating