Chat now with support
Chat with Support

Starling Connect Hosted - One Identity Manager Administration Guide

About this guide One Identity Starling Connect overview One Identity Starling Supported cloud applications Working with connectors Connector versions Salesforce Facebook Workplace SAP Cloud Platform JIRA Server RSA Archer SuccessFactors AWS IAM ServiceNow Dropbox Crowd Atlassian JIRA Confluence Trello Box Pipedrive SuccessFactors HR NutShell Insightly Egnyte SugarCRM Oracle IDCS Statuspage Zendesk Sell Workbooks DocuSign Citrix ShareFile Zendesk Azure AD Google Workspace Concur Tableau GoToMeeting Coupa AWS Cognito Okta DataDog Hideez Opsgenie Informatica Cloud Services AppDynamics Marketo Workday HR OneLogin PingOne Aha! SAP Litmos HackerRank Slack ActiveCampaign Webex Apigee Databricks Hive PagerDuty Dayforce Smartsheet Pingboard SAP Cloud for Customer Azure Infrastructure Oracle Fusion Cloud Majesco LuccaHR OpenText JFrog Artifactory xMatters Discourse Testrail ChipSoft PingOne Platform Azure DevOps UKG PRO Atlassian Cloud Appendix: Creating a service account in Google Workspace Appendix: Setting a trial account on Salesforce Registering the application, providing necessary permissions, retrieving Client Id and Client Secret from the Azure AD tenant Generating a private key for service account in GoToMeeting Configuring AWS IAM connector to support entitlements for User and Group Configuring Box connector to support additional email IDs for users One Identity Manager E2E integration needs for Hideez connector Configuring custom attributes for ServiceNow v.1.0 Configuring custom attributes for Coupa v.1.0 Configuring custom attributes in connectors Disabling attributes Configuring a connector that uses the consent feature Synchronization and integration of Roles object type with One Identity Manager Synchronization and integration of Workspaces object type with One Identity Manager Synchronization and integration of Products object type with One Identity Manager User centric membership Creating multi-valued custom fields in One Identity Manager Synchronization and assignment of PermissionSets to Users with One Identity Manager Connectors that support password attribute in User object Connectors that do not support special characters in the object ID Creating an app for using SCIM on Slack Enterprise Grid Organization Creating a Webex integration application, providing necessary scopes, retrieving Client Id and Client Secret Retrieving the API key from Facebook Workplace Outbound IP addresses Values for customer-specific configuration parameters in Workday HR connector Initiate an OAuth connection to SuccessFactors Creating custom editable/upsertable attributes in Successfactors employee central Custom Foundation Objects in Successfactors HR connector Configuring additional datetime offset in connectors How to Create custom attribute for Users in SuccessFactors portal SAP Cloud for Customer - Steps to add custom fields at One Identity Manager attributes Creating a Service Principal for the Azure Infrastructure Connector Workday permissions needed to integrate via the Starling Connector Configuring integration application in DocuSign Creating integration Connect Client in Coupa Retrieving Azure DevOps Personal Access Token (PAT) Setup integration system and field override service in Workday Retrieving Atlassian Cloud API Key and Directory ID

Connector limitations

The OneLogin connector allows you to connect OneLogin with One Identity Starling enabling you to take advantage of the features and products available with Starling Connect that complement and enhance the services provided by OneLogin.

OneLogin is a Unified Access Management (UAM) platform that provides several products and solutions, such as single sign-on, user provisioning and management and multi-factor authentication to manage identities.

OneLogin connectors are available for use with One Identity Safeguard for Privileged Passwords.

Supervisor configuration parameters

To configure the connector, following parameters are required:

  • Connector name

  • Client Id

  • Client secret

  • SCIM URL (The base URL of the REST API of the Cloud application.)

  • Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details)

  • Request Delay (in ms)

    NOTE: To handle the OneLogin rate limit issue, the OneLogin connector has been enabled with user configurable delay in milliseconds so that the each request to the target API would wait for the specific amount of time to help the connector to prevent the throttling of the OneLogin APIs. The default value for the configuration is 500(milliseconds) and OneIdentity recommends to keep the value below 2000 (milliseconds).

Supported objects and operations

Users

Table 274: Supported operations for Users
Operation VERB
Create User POST
Update User PUT
Delete User DELETE
Get User by id GET
Get All Users GET

Get All Users with pagination

GET

Groups

Table 275: Supported operations for Groups

Operation

VERB

Get Group by id GET
Get All Groups GET
Get All Groups with pagination GET

Roles

Table 276: Supported operations for Roles

Operation

VERB

Get Role by id GET
Get All Roles GET
Get All Roles with pagination GET

Update Role

PUT

Application

Table 277: Supported operations for Application

Operation

VERB

Get an App GET
List Apps GET
List Apps with pagination GET

Mandatory fields

This section lists the mandatory fields required to create a User or a Group:

Users - Create (in v.1.0)

  • userName

  • name.givenName

  • name.familyName

  • emails.value

Users - Create (in v.2.0)

  • userName

  • emails.value

Users - Update

userName or emails.value

Roles - Update

roleName

Set Role Apps - update

application id

Mappings

The user and group mappings are listed in the tables below.

Table 278: User mapping
SCIM Parameter OneLogin parameter
Id Id
UserName username
ExternalId external_id
Name.GivenName firstname
Name.FamilyName lastname
Name.Formatted firstname +" " + lastname
DisplayName firstname +" " + lastname
Emails[0].Value email
PhoneNumbers[0].Value phone
Title title
Roles[].Value role_id[]

Groups[0].value

group_id

Locale

locale_code(in v1),preferred_locale_code(in v2)

Password (only in v2.0)

password

Extension.Manager.Value

manager_user_id

Extension.Organization

company

Extension.Department

department

Extension.OpenIdName

openid_name

Extension.DistinguishedName

distinguished_name

Extension.SamAccountName

samaccountname

Extension.UserPrincipalName

userprincipalname

Extension.MemberOf

member_of

Extension.DirectoryId

directory_id

Extension.UserStatus

status

Extension.LastLogin

last_login

Meta.Created

created_at

Meta.LastModified

updated_at

Groups

Table 279: Group mapping
SCIM parameter OneLogin parameter
Id id
DisplayName name

Roles

Table 280: Role mapping
SCIM parameter OneLogin parameter
Id id
Name name

Applications[].value

apps[].id

Applications[].name

apps[].name

users[].value

users[].id

users[].name

users[].name

Application

Table 281: Role mapping
SCIM parameter OneLogin parameter
Id id
Name name

Description

description

Auth_Method

auth_method

Visible

visible

Meta.Created

created_at

Meta.LastModified

updated_at

NOTE: OneLogin API for Users accepts two letter values for locale, for example: "en", "es" and so on.

Connector SCIM configuration

You can configure custom attributes for the OneLogin SCIM connector in Starling Connect for Users in the Custom Attributes section in Schema Configuration.

NOTE:

  • For more information about how to configure custom attributes in OneLogin, see Configuring custom attributes in connectors.

  • As the OneLogin target system does not support disabling of attributes, the OneLogin connector is enhanced only to support the configuration of custom attributes in the SCIM connector.

  • The target supports only simple attributes that are grouped under the object custom_attributes in the target API response. Hence, the connector supports only simple custom attributes.
  • Target cloud application supports below given integer value for Status field. OneIdentity has created 'userStatus' integer type attribute in User extension schema and mapped with 'status' and it needs to be taken care in OneIM mapping:
    • (in v.1.0):

      • Can set through Api → Unactivated: 0, Active: 1, Suspended: 2, Locked: 3, Password expired: 4

      • Cannot set through Api → Awaiting password reset: 5, Pending password: 7, Security questions required: 8

    • (in v.2.0):

      • Can set through Api → Unactivated: 0, Active: 1, Suspended: 2, Locked: 3, Password expired: 4, Awaiting password reset: 5, Pending password: 7

      • Cannot set through Api → Security questions required: 8

  • Adding or removing a Group can be achieved by using the User update operation. Only one group can be assigned to a User.

  • For the User object, when NULL value is updated to openid_name, the cloud application considers the first part of the email Id as openid_name. For example, for the email id, email123@test.com , openIdname value will be email123.
  • API does not support the assignment of applications under users what it support is assigning application under roles and assigning roles under user.

  • In pagination, records are returned in multiples of 50 only.

Connector versions and features

The following subsections describe the different connector version(s) and features available with them.

Features available exclusively in OneLogin v.2.0

Following are the features that are available exclusively in OneLogin v.2.0:

  • Creation and updation of user password.
  • v.2.0 of OneLogin connector leverages v2 APIs of target system.

  • Support for filter condition

    • The filter is supported in Users, Roles and Applications.

    • The filter supported is eq.

    • For attributes meta.Created, meta.LastModified and lastLogin the filter supported is ge,le,gt and lt, but in lt and gt the response will be similar to ge and le.

    • The AND logical operator is supported in the target system.

    • The OR logical operator neither returns any data nor returns any error message.

    • In some cases of roles endpoint, the partial match of data is also working.

  • List of attributes supported for filter condition.

    Table 282: List of attributes supported for filter condition
    Users Applications Roles
    userName, emails.Value, givenName, familyName, directoryId, externalId, meta.LastModified, meta.Created, lastLogin, CustomAttributes name name
    auth_method applications.Value
    applications.name

 

OneLogin connector for Safeguard for Privileged Passwords

When creating a OneLogin connector for use with Safeguard for Privileged Passwords, you need to use the following OneLogin API credentials configuration:

  • Client Id
  • Client secret
  • SCIM URL (The base URL of the REST API of the Cloud application.)
  • Manage All type of client id/secret must be selected.

In addition, the default URL needs to be changed in order to support check/change/discover (for example, <domain>.onelogin.com).

For more information, see https://developers.onelogin.com/api-docs/1/getting-started/working-with-api-credentials.

User centric membership configuration for OneLogin

For more information, see only the following sections in User centric membership:

Connector versions and features

The OneLogin connector allows you to connect OneLogin with One Identity Starling enabling you to take advantage of the features and products available with Starling Connect that complement and enhance the services provided by OneLogin.

OneLogin is a Unified Access Management (UAM) platform that provides several products and solutions, such as single sign-on, user provisioning and management and multi-factor authentication to manage identities.

OneLogin connectors are available for use with One Identity Safeguard for Privileged Passwords.

Supervisor configuration parameters

To configure the connector, following parameters are required:

  • Connector name

  • Client Id

  • Client secret

  • SCIM URL (The base URL of the REST API of the Cloud application.)

  • Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details)

  • Request Delay (in ms)

    NOTE: To handle the OneLogin rate limit issue, the OneLogin connector has been enabled with user configurable delay in milliseconds so that the each request to the target API would wait for the specific amount of time to help the connector to prevent the throttling of the OneLogin APIs. The default value for the configuration is 500(milliseconds) and OneIdentity recommends to keep the value below 2000 (milliseconds).

Supported objects and operations

Users

Table 274: Supported operations for Users
Operation VERB
Create User POST
Update User PUT
Delete User DELETE
Get User by id GET
Get All Users GET

Get All Users with pagination

GET

Groups

Table 275: Supported operations for Groups

Operation

VERB

Get Group by id GET
Get All Groups GET
Get All Groups with pagination GET

Roles

Table 276: Supported operations for Roles

Operation

VERB

Get Role by id GET
Get All Roles GET
Get All Roles with pagination GET

Update Role

PUT

Application

Table 277: Supported operations for Application

Operation

VERB

Get an App GET
List Apps GET
List Apps with pagination GET

Mandatory fields

This section lists the mandatory fields required to create a User or a Group:

Users - Create (in v.1.0)

  • userName

  • name.givenName

  • name.familyName

  • emails.value

Users - Create (in v.2.0)

  • userName

  • emails.value

Users - Update

userName or emails.value

Roles - Update

roleName

Set Role Apps - update

application id

Mappings

The user and group mappings are listed in the tables below.

Table 278: User mapping
SCIM Parameter OneLogin parameter
Id Id
UserName username
ExternalId external_id
Name.GivenName firstname
Name.FamilyName lastname
Name.Formatted firstname +" " + lastname
DisplayName firstname +" " + lastname
Emails[0].Value email
PhoneNumbers[0].Value phone
Title title
Roles[].Value role_id[]

Groups[0].value

group_id

Locale

locale_code(in v1),preferred_locale_code(in v2)

Password (only in v2.0)

password

Extension.Manager.Value

manager_user_id

Extension.Organization

company

Extension.Department

department

Extension.OpenIdName

openid_name

Extension.DistinguishedName

distinguished_name

Extension.SamAccountName

samaccountname

Extension.UserPrincipalName

userprincipalname

Extension.MemberOf

member_of

Extension.DirectoryId

directory_id

Extension.UserStatus

status

Extension.LastLogin

last_login

Meta.Created

created_at

Meta.LastModified

updated_at

Groups

Table 279: Group mapping
SCIM parameter OneLogin parameter
Id id
DisplayName name

Roles

Table 280: Role mapping
SCIM parameter OneLogin parameter
Id id
Name name

Applications[].value

apps[].id

Applications[].name

apps[].name

users[].value

users[].id

users[].name

users[].name

Application

Table 281: Role mapping
SCIM parameter OneLogin parameter
Id id
Name name

Description

description

Auth_Method

auth_method

Visible

visible

Meta.Created

created_at

Meta.LastModified

updated_at

NOTE: OneLogin API for Users accepts two letter values for locale, for example: "en", "es" and so on.

Connector SCIM configuration

You can configure custom attributes for the OneLogin SCIM connector in Starling Connect for Users in the Custom Attributes section in Schema Configuration.

NOTE:

  • For more information about how to configure custom attributes in OneLogin, see Configuring custom attributes in connectors.

  • As the OneLogin target system does not support disabling of attributes, the OneLogin connector is enhanced only to support the configuration of custom attributes in the SCIM connector.

  • The target supports only simple attributes that are grouped under the object custom_attributes in the target API response. Hence, the connector supports only simple custom attributes.

Connector limitations

  • Target cloud application supports below given integer value for Status field. OneIdentity has created 'userStatus' integer type attribute in User extension schema and mapped with 'status' and it needs to be taken care in OneIM mapping:
    • (in v.1.0):

      • Can set through Api → Unactivated: 0, Active: 1, Suspended: 2, Locked: 3, Password expired: 4

      • Cannot set through Api → Awaiting password reset: 5, Pending password: 7, Security questions required: 8

    • (in v.2.0):

      • Can set through Api → Unactivated: 0, Active: 1, Suspended: 2, Locked: 3, Password expired: 4, Awaiting password reset: 5, Pending password: 7

      • Cannot set through Api → Security questions required: 8

  • Adding or removing a Group can be achieved by using the User update operation. Only one group can be assigned to a User.

  • For the User object, when NULL value is updated to openid_name, the cloud application considers the first part of the email Id as openid_name. For example, for the email id, email123@test.com , openIdname value will be email123.
  • API does not support the assignment of applications under users what it support is assigning application under roles and assigning roles under user.

  • In pagination, records are returned in multiples of 50 only.

The following subsections describe the different connector version(s) and features available with them.

Features available exclusively in OneLogin v.2.0

Following are the features that are available exclusively in OneLogin v.2.0:

  • Creation and updation of user password.
  • v.2.0 of OneLogin connector leverages v2 APIs of target system.

  • Support for filter condition

    • The filter is supported in Users, Roles and Applications.

    • The filter supported is eq.

    • For attributes meta.Created, meta.LastModified and lastLogin the filter supported is ge,le,gt and lt, but in lt and gt the response will be similar to ge and le.

    • The AND logical operator is supported in the target system.

    • The OR logical operator neither returns any data nor returns any error message.

    • In some cases of roles endpoint, the partial match of data is also working.

  • List of attributes supported for filter condition.

    Table 282: List of attributes supported for filter condition
    Users Applications Roles
    userName, emails.Value, givenName, familyName, directoryId, externalId, meta.LastModified, meta.Created, lastLogin, CustomAttributes name name
    auth_method applications.Value
    applications.name

 

OneLogin connector for Safeguard for Privileged Passwords

When creating a OneLogin connector for use with Safeguard for Privileged Passwords, you need to use the following OneLogin API credentials configuration:

  • Client Id
  • Client secret
  • SCIM URL (The base URL of the REST API of the Cloud application.)
  • Manage All type of client id/secret must be selected.

In addition, the default URL needs to be changed in order to support check/change/discover (for example, <domain>.onelogin.com).

For more information, see https://developers.onelogin.com/api-docs/1/getting-started/working-with-api-credentials.

User centric membership configuration for OneLogin

For more information, see only the following sections in User centric membership:

OneLogin connector for Safeguard for Privileged Passwords

The OneLogin connector allows you to connect OneLogin with One Identity Starling enabling you to take advantage of the features and products available with Starling Connect that complement and enhance the services provided by OneLogin.

OneLogin is a Unified Access Management (UAM) platform that provides several products and solutions, such as single sign-on, user provisioning and management and multi-factor authentication to manage identities.

OneLogin connectors are available for use with One Identity Safeguard for Privileged Passwords.

Supervisor configuration parameters

To configure the connector, following parameters are required:

  • Connector name

  • Client Id

  • Client secret

  • SCIM URL (The base URL of the REST API of the Cloud application.)

  • Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details)

  • Request Delay (in ms)

    NOTE: To handle the OneLogin rate limit issue, the OneLogin connector has been enabled with user configurable delay in milliseconds so that the each request to the target API would wait for the specific amount of time to help the connector to prevent the throttling of the OneLogin APIs. The default value for the configuration is 500(milliseconds) and OneIdentity recommends to keep the value below 2000 (milliseconds).

Supported objects and operations

Users

Table 274: Supported operations for Users
Operation VERB
Create User POST
Update User PUT
Delete User DELETE
Get User by id GET
Get All Users GET

Get All Users with pagination

GET

Groups

Table 275: Supported operations for Groups

Operation

VERB

Get Group by id GET
Get All Groups GET
Get All Groups with pagination GET

Roles

Table 276: Supported operations for Roles

Operation

VERB

Get Role by id GET
Get All Roles GET
Get All Roles with pagination GET

Update Role

PUT

Application

Table 277: Supported operations for Application

Operation

VERB

Get an App GET
List Apps GET
List Apps with pagination GET

Mandatory fields

This section lists the mandatory fields required to create a User or a Group:

Users - Create (in v.1.0)

  • userName

  • name.givenName

  • name.familyName

  • emails.value

Users - Create (in v.2.0)

  • userName

  • emails.value

Users - Update

userName or emails.value

Roles - Update

roleName

Set Role Apps - update

application id

Mappings

The user and group mappings are listed in the tables below.

Table 278: User mapping
SCIM Parameter OneLogin parameter
Id Id
UserName username
ExternalId external_id
Name.GivenName firstname
Name.FamilyName lastname
Name.Formatted firstname +" " + lastname
DisplayName firstname +" " + lastname
Emails[0].Value email
PhoneNumbers[0].Value phone
Title title
Roles[].Value role_id[]

Groups[0].value

group_id

Locale

locale_code(in v1),preferred_locale_code(in v2)

Password (only in v2.0)

password

Extension.Manager.Value

manager_user_id

Extension.Organization

company

Extension.Department

department

Extension.OpenIdName

openid_name

Extension.DistinguishedName

distinguished_name

Extension.SamAccountName

samaccountname

Extension.UserPrincipalName

userprincipalname

Extension.MemberOf

member_of

Extension.DirectoryId

directory_id

Extension.UserStatus

status

Extension.LastLogin

last_login

Meta.Created

created_at

Meta.LastModified

updated_at

Groups

Table 279: Group mapping
SCIM parameter OneLogin parameter
Id id
DisplayName name

Roles

Table 280: Role mapping
SCIM parameter OneLogin parameter
Id id
Name name

Applications[].value

apps[].id

Applications[].name

apps[].name

users[].value

users[].id

users[].name

users[].name

Application

Table 281: Role mapping
SCIM parameter OneLogin parameter
Id id
Name name

Description

description

Auth_Method

auth_method

Visible

visible

Meta.Created

created_at

Meta.LastModified

updated_at

NOTE: OneLogin API for Users accepts two letter values for locale, for example: "en", "es" and so on.

Connector SCIM configuration

You can configure custom attributes for the OneLogin SCIM connector in Starling Connect for Users in the Custom Attributes section in Schema Configuration.

NOTE:

  • For more information about how to configure custom attributes in OneLogin, see Configuring custom attributes in connectors.

  • As the OneLogin target system does not support disabling of attributes, the OneLogin connector is enhanced only to support the configuration of custom attributes in the SCIM connector.

  • The target supports only simple attributes that are grouped under the object custom_attributes in the target API response. Hence, the connector supports only simple custom attributes.

Connector limitations

  • Target cloud application supports below given integer value for Status field. OneIdentity has created 'userStatus' integer type attribute in User extension schema and mapped with 'status' and it needs to be taken care in OneIM mapping:
    • (in v.1.0):

      • Can set through Api → Unactivated: 0, Active: 1, Suspended: 2, Locked: 3, Password expired: 4

      • Cannot set through Api → Awaiting password reset: 5, Pending password: 7, Security questions required: 8

    • (in v.2.0):

      • Can set through Api → Unactivated: 0, Active: 1, Suspended: 2, Locked: 3, Password expired: 4, Awaiting password reset: 5, Pending password: 7

      • Cannot set through Api → Security questions required: 8

  • Adding or removing a Group can be achieved by using the User update operation. Only one group can be assigned to a User.

  • For the User object, when NULL value is updated to openid_name, the cloud application considers the first part of the email Id as openid_name. For example, for the email id, email123@test.com , openIdname value will be email123.
  • API does not support the assignment of applications under users what it support is assigning application under roles and assigning roles under user.

  • In pagination, records are returned in multiples of 50 only.

Connector versions and features

The following subsections describe the different connector version(s) and features available with them.

Features available exclusively in OneLogin v.2.0

Following are the features that are available exclusively in OneLogin v.2.0:

  • Creation and updation of user password.
  • v.2.0 of OneLogin connector leverages v2 APIs of target system.

  • Support for filter condition

    • The filter is supported in Users, Roles and Applications.

    • The filter supported is eq.

    • For attributes meta.Created, meta.LastModified and lastLogin the filter supported is ge,le,gt and lt, but in lt and gt the response will be similar to ge and le.

    • The AND logical operator is supported in the target system.

    • The OR logical operator neither returns any data nor returns any error message.

    • In some cases of roles endpoint, the partial match of data is also working.

  • List of attributes supported for filter condition.

    Table 282: List of attributes supported for filter condition
    Users Applications Roles
    userName, emails.Value, givenName, familyName, directoryId, externalId, meta.LastModified, meta.Created, lastLogin, CustomAttributes name name
    auth_method applications.Value
    applications.name

 

When creating a OneLogin connector for use with Safeguard for Privileged Passwords, you need to use the following OneLogin API credentials configuration:

  • Client Id
  • Client secret
  • SCIM URL (The base URL of the REST API of the Cloud application.)
  • Manage All type of client id/secret must be selected.

In addition, the default URL needs to be changed in order to support check/change/discover (for example, <domain>.onelogin.com).

For more information, see https://developers.onelogin.com/api-docs/1/getting-started/working-with-api-credentials.

User centric membership configuration for OneLogin

For more information, see only the following sections in User centric membership:

User centric membership configuration for OneLogin

The OneLogin connector allows you to connect OneLogin with One Identity Starling enabling you to take advantage of the features and products available with Starling Connect that complement and enhance the services provided by OneLogin.

OneLogin is a Unified Access Management (UAM) platform that provides several products and solutions, such as single sign-on, user provisioning and management and multi-factor authentication to manage identities.

OneLogin connectors are available for use with One Identity Safeguard for Privileged Passwords.

Supervisor configuration parameters

To configure the connector, following parameters are required:

  • Connector name

  • Client Id

  • Client secret

  • SCIM URL (The base URL of the REST API of the Cloud application.)

  • Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details)

  • Request Delay (in ms)

    NOTE: To handle the OneLogin rate limit issue, the OneLogin connector has been enabled with user configurable delay in milliseconds so that the each request to the target API would wait for the specific amount of time to help the connector to prevent the throttling of the OneLogin APIs. The default value for the configuration is 500(milliseconds) and OneIdentity recommends to keep the value below 2000 (milliseconds).

Supported objects and operations

Users

Table 274: Supported operations for Users
Operation VERB
Create User POST
Update User PUT
Delete User DELETE
Get User by id GET
Get All Users GET

Get All Users with pagination

GET

Groups

Table 275: Supported operations for Groups

Operation

VERB

Get Group by id GET
Get All Groups GET
Get All Groups with pagination GET

Roles

Table 276: Supported operations for Roles

Operation

VERB

Get Role by id GET
Get All Roles GET
Get All Roles with pagination GET

Update Role

PUT

Application

Table 277: Supported operations for Application

Operation

VERB

Get an App GET
List Apps GET
List Apps with pagination GET

Mandatory fields

This section lists the mandatory fields required to create a User or a Group:

Users - Create (in v.1.0)

  • userName

  • name.givenName

  • name.familyName

  • emails.value

Users - Create (in v.2.0)

  • userName

  • emails.value

Users - Update

userName or emails.value

Roles - Update

roleName

Set Role Apps - update

application id

Mappings

The user and group mappings are listed in the tables below.

Table 278: User mapping
SCIM Parameter OneLogin parameter
Id Id
UserName username
ExternalId external_id
Name.GivenName firstname
Name.FamilyName lastname
Name.Formatted firstname +" " + lastname
DisplayName firstname +" " + lastname
Emails[0].Value email
PhoneNumbers[0].Value phone
Title title
Roles[].Value role_id[]

Groups[0].value

group_id

Locale

locale_code(in v1),preferred_locale_code(in v2)

Password (only in v2.0)

password

Extension.Manager.Value

manager_user_id

Extension.Organization

company

Extension.Department

department

Extension.OpenIdName

openid_name

Extension.DistinguishedName

distinguished_name

Extension.SamAccountName

samaccountname

Extension.UserPrincipalName

userprincipalname

Extension.MemberOf

member_of

Extension.DirectoryId

directory_id

Extension.UserStatus

status

Extension.LastLogin

last_login

Meta.Created

created_at

Meta.LastModified

updated_at

Groups

Table 279: Group mapping
SCIM parameter OneLogin parameter
Id id
DisplayName name

Roles

Table 280: Role mapping
SCIM parameter OneLogin parameter
Id id
Name name

Applications[].value

apps[].id

Applications[].name

apps[].name

users[].value

users[].id

users[].name

users[].name

Application

Table 281: Role mapping
SCIM parameter OneLogin parameter
Id id
Name name

Description

description

Auth_Method

auth_method

Visible

visible

Meta.Created

created_at

Meta.LastModified

updated_at

NOTE: OneLogin API for Users accepts two letter values for locale, for example: "en", "es" and so on.

Connector SCIM configuration

You can configure custom attributes for the OneLogin SCIM connector in Starling Connect for Users in the Custom Attributes section in Schema Configuration.

NOTE:

  • For more information about how to configure custom attributes in OneLogin, see Configuring custom attributes in connectors.

  • As the OneLogin target system does not support disabling of attributes, the OneLogin connector is enhanced only to support the configuration of custom attributes in the SCIM connector.

  • The target supports only simple attributes that are grouped under the object custom_attributes in the target API response. Hence, the connector supports only simple custom attributes.

Connector limitations

  • Target cloud application supports below given integer value for Status field. OneIdentity has created 'userStatus' integer type attribute in User extension schema and mapped with 'status' and it needs to be taken care in OneIM mapping:
    • (in v.1.0):

      • Can set through Api → Unactivated: 0, Active: 1, Suspended: 2, Locked: 3, Password expired: 4

      • Cannot set through Api → Awaiting password reset: 5, Pending password: 7, Security questions required: 8

    • (in v.2.0):

      • Can set through Api → Unactivated: 0, Active: 1, Suspended: 2, Locked: 3, Password expired: 4, Awaiting password reset: 5, Pending password: 7

      • Cannot set through Api → Security questions required: 8

  • Adding or removing a Group can be achieved by using the User update operation. Only one group can be assigned to a User.

  • For the User object, when NULL value is updated to openid_name, the cloud application considers the first part of the email Id as openid_name. For example, for the email id, email123@test.com , openIdname value will be email123.
  • API does not support the assignment of applications under users what it support is assigning application under roles and assigning roles under user.

  • In pagination, records are returned in multiples of 50 only.

Connector versions and features

The following subsections describe the different connector version(s) and features available with them.

Features available exclusively in OneLogin v.2.0

Following are the features that are available exclusively in OneLogin v.2.0:

  • Creation and updation of user password.
  • v.2.0 of OneLogin connector leverages v2 APIs of target system.

  • Support for filter condition

    • The filter is supported in Users, Roles and Applications.

    • The filter supported is eq.

    • For attributes meta.Created, meta.LastModified and lastLogin the filter supported is ge,le,gt and lt, but in lt and gt the response will be similar to ge and le.

    • The AND logical operator is supported in the target system.

    • The OR logical operator neither returns any data nor returns any error message.

    • In some cases of roles endpoint, the partial match of data is also working.

  • List of attributes supported for filter condition.

    Table 282: List of attributes supported for filter condition
    Users Applications Roles
    userName, emails.Value, givenName, familyName, directoryId, externalId, meta.LastModified, meta.Created, lastLogin, CustomAttributes name name
    auth_method applications.Value
    applications.name

 

OneLogin connector for Safeguard for Privileged Passwords

When creating a OneLogin connector for use with Safeguard for Privileged Passwords, you need to use the following OneLogin API credentials configuration:

  • Client Id
  • Client secret
  • SCIM URL (The base URL of the REST API of the Cloud application.)
  • Manage All type of client id/secret must be selected.

In addition, the default URL needs to be changed in order to support check/change/discover (for example, <domain>.onelogin.com).

For more information, see https://developers.onelogin.com/api-docs/1/getting-started/working-with-api-credentials.

For more information, see only the following sections in User centric membership:

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating