Chat now with support
Chat with Support

Starling Connect Identity Manager Integrated - Starling Connect for Active Roles Administration Guide

Amazon (S3 and AWS)

Amazon (S3 and AWS) offers a suite of cloud-computing services that make up an on-demand computing platform. The most central and best-known of these are Amazon Elastic Compute Cloud (EC2) and Amazon Simple Storage Service (S3). AWS offers more than 70 services, including computing, storage, networking, database, analytics, application services, deployment, management, mobile, developer tools, and tools for the Internet of Things.

Supervisor Configuration Parameters

To configure the connector, following parameters are required:

  • Connector Name

  • Client Id of the cloud account

  • Client Secret of the cloud account

  • Region of the cloud account

  • SCIM URL (Cloud application's REST API's base URL)

Supported Objects and Operations

Users
Table 15: Supported operations and objects for Users

Operation

VERB

Create

POST

Update

PUT

Delete DELETE
Deprovision PUT
Undo Deprovision PUT
Groups
Table 16: Supported operations and objects for Groups

Operation

VERB
Create POST
Update PUT
Delete DELETE
Deprovision PUT
Undo Deprovision PUT

Group Membership

PUT

Mandatory Fields

Users
  • User Name
  • Password - This is applicable only for the Create operation.
Groups

  • Group Name

User and Group Mapping

The user and group mappings are listed in the tables below.

Table 17: User Mapping
SCIM Parameter Amazon Web Services (AWS) Parameter
Id UserName
UserName UserName
Password password
DisplayName Arn

Active

(true)

Groups

(ListGroupsForUserResult)Group

Entitlements

(ListAttachedUserPoliciesResult)AttachedPolicies

Created CreateDate
LastModified PasswordLastUsed

 

Table 18: Group Mapping
SCIM Parameter Amazon Web Services (AWS) Parameter
Id GroupName
displayName UserName
Entitlements (ListAttachedGroupPoliciesResult)AttachedPolicies
Members (GetGroupResult)Users
Created CreateDate
LastModified PasswordLastUsed

Connector Limitations

  • Signature generation is embedded within a data process. Hence, the application performance is affected.

  • The Last Modified date is not available. Hence, the field contains the value of recently used Password.

  • While performing Delete User or Delete Group operation, users or groups that are part of the deleted users or groups get detached from the below mentioned services. However, some services must be detached manually.

    • AccessKey
    • Roles
    • Groups

  • The task of assigning entitlements to groups is available with the connector. For successful working, certain changes must be made in Active Roles.

ServiceNow

ServiceNow is a service management platform that can be used for many different business units, including IT, human resources, facilities, and field services.

Supervisor Configuration Parameters

To configure the connector, following parameters are required:

  • Connector Name

  • Username

  • Password

  • SCIM URL (cloud application's REST API's base URL)

Supported Objects and Operations

Users
Table 19: Supported operations for Users

Operation

VERB

Create

POST

Update

PUT

Delete

DELETE

Deprovision PUT
Undo Deprovision PUT
Groups
Table 20: Supported operations for Groups

Operation

VERB

Create

POST

Update

PUT

Delete 

DELETE

Deprovision PUT
Undo Deprovision PUT

Group Membership

PUT

Mandatory Fields

Users
  • Username
Groups
  • Group Name

Configuring custom attributes in ServiceNow

This feature allows you to configure custom attributes in Starling Connector during connector subscription. You can provide the list of custom attributes in a defined format with the name, type and allowed values of the attributes. The custom mappings in Active Roles provides the values for these custom attributes.

To configure custom attributes in ServiceNow:

  1. Create a Custom Attribute in ServiceNow.

    NOTE: The Starling Platform currently supports only the string types dateTime, True/False and Choice.

  2. To configure the custom attributes in Starling UI, enter the Custom Properties in the specified format in the Starling Platform.

  3. Map the created custom attributes that were specified in the Starling Platform.

  4. Perform a synchronization and verify if the custom attributes are available.

    NOTE:

    • The Starling UI for registering a ServiceNow connector has an input field to provide the custom attributes to be mapped in the connector's User resource type apart from the default mapped attributes.

    • The custom attributes in the User resource type must be in the following format:

      {field_name}|{data_type}|{choice_value1,choice_value2,etc};{field_name}|{data_type}|{choice_value1,choice_value2,etc};etc.

      Example:

      u_employee_status|string;u_date_of_termination_of_employments|DateTime;u_test_field_with_canonical_values|string|Choice 1,Choice 2,Choice 3

    • All custom attributes are mapped in the enterprise user extensions.

    • The supported data types are string, boolean and dateTime.

      Choice type in the ServiceNow will become string type in OneIM with Canonical Values.

    • Only simple attributes are supported.

    • All custom user attributes have 'mutability': 'readWrite', 'returned': 'default', 'caseExact': 'false', 'required': 'false', 'multiValued': 'false', 'uniqueness': 'none'.

    • The Starling Platform currently supports only the string types dateTime, True/False and Choice.

User and Group Mapping

The user and group mapping is listed in the table below.

Table 21: User Mapping
SCIM Parameter ServiceNow Parameter
userName user_name
name.familyName last_name
name.givenName first_name
name.middleName middle_name
displayName name
emails[0].value email
addresses[0].streetAddress street
addresses[0].locality city
addresses[0].region state
addresses[0].postalCode zip
addresses[0].country country
phoneNumbers[0].value phone
title title
preferredLanguage preferred_language
timeZone time_zone
active active
password user_password
roles.value {resource}.role.value
extension.organization company
extension.department department
extension.manager.value manager.value
extension.employeeNumber employee_number
id sys_id
groups.value {resource}.group.value

extension.lastLogon

last_login_time

Table 22: Group Mapping
SCIM Parameter ServiceNow Parameter
id sys_id
displayName name
members.value {resource}.user.value
extension.description description
extension.email email

extension.groupType

type

extension.manager.value

manager.value

Connector Limitations

  • ServiceProviderAuthority contains only the Id field with the value being same as the instance id of the ServiceNow instance, as there are no APIs to fetch the tenant details in ServiceNow.

  • If the department name and organization name is provided during user create or update operations, the user gets assigned to the department and organization if the department and organization with the same name exists in ServiceNow cloud application.

  • If the invalid manager id is used for user's manager fields while performing user create or update operations, ServiceNow does not display any error. Instead, it invalid id is returned as the manager id.

  • In the request, if there are invalid values for timezone, language, and so on, ServiceNow does not display any error. Instead, the fields with invalid values would be blank.

  • GET Roles operation might not fetch all the roles. Some roles must be retrieved based on ServiceNow Access Control List (ACL).

  • If an invalid role id is used for user create or update operation, no error is displayed. Instead, the same invalid id in the role list is returned.

  • If an invalid member id is used for group create or update, no error is displayed. Instead, the same invalid id as the member id is returned.

  • Create User operation with existing user details shows the status code as 403 instead 409. The status code and the status message cannot be interpreted.

Azure Active Directory

Azure Active Directory is a connector that gives users a cloud-based platform for their on-premises resources. Using single sign-on, companies have access to any number of network or web-based applications along with hosting access and identity management resources.

For more information on registering the application, providing permissions, retrieving client ID or client secret, see Working with Azure Active Directory.

Supervisor Configuration Parameters

To configure the connector, following parameters are required:

  • Connector name

  • Client Id for the app

  • Client Secret of the app

  • Directory Id of the Active Directory

  • Target URL (Cloud application's instance URL used as target URI in payload - For example, https://graph.microsoft.com/v1.0).

Supported Objects and Operations

Users
Table 23: Supported operations for Users

Operation

VERB

Create User

POST

Update User

PATCH

Deprovision PUT
Undo Deprovision PUT

Mandatory Fields

Users
  • email.value

  • nickName

  • displayName

  • password

  • active
Groups
  • displayName

  • mailEnabled (value needs to be 'false')

  • mailNickname

  • securityEnabled (value needs to be 'true')

User and Group Mapping

The user and group mappings are listed in the tables below.

Table 24: User Mapping
SCIM Parameter Azure AD Parameter
Id id
userName userPrincipalName
name.familyName surname
name.givenName givenName
displayName displayName
nickName mailNickname
emails[0].value userPrincipalName
addresses[0].streetAddress streetAddress
addresses[0].locality city
addresses[0].region state
addresses[0].postalCode postalcode

addresses[0].country

couontry

phoneNumbers[0].value

businessPhones[0]

title

jobTitle

active

accountEnabled

preferredLanguage

preferredLanguage

userType

userType

groups[].value

memberOf[].id

groups[].display

memberOf[].displayName

userExtension.organization

companyName

userExtension.department

department

userExtension.employeeNumber

employeeId

userExtension.manager.value

manager.id

userExtension.manager.displayName

manager.displayName

meta.created

createdDateTime

Groups
Table 25: User Mapping
SCIM Parameter Azure AD Parameter
Id id
displayName displayName
members[].value members[].id
members[].display members[].displayName

enterpriseExtension.description

description

enterpriseExtension.mailNickname

mailNickname

meta.created

createdDateTime

Connector Limitations

  • lastModified is not provided along with the Users and Groups.

  • Groups are of two types: Security groups and Office 365 groups. Azure AD supports users and groups as the members of groups. Security groups can have users and other Security groups as members. However, only users can be added as members for Office 365 groups.

  • With the trial Azure AD account, it is possible to create only Security groups through APIs. For information on mapping the appropriate properties, see User and Group section.

  • Azure AD resource Id's follow GUID formats. When trying to edit, retrieve, or delete a group by Id with an invalid GUID format, the connector displays 400 as the response code. However with invalid id and a proper GUID format, connector displays 404 as the response code.

  • Email value for the user should have only those domains which are verified in the selected Active Directory. To find out the verified domain, go to the Azure Active Directory in the Azure portal and in the Overview page above the directory name, the verified domain names are displayed.

  • You can create multiple groups with the same name.

  • For more information on password policy settings applied to user accounts that are created and managed in Azure AD, see, Password policies that only apply to cloud user accounts.

Box

Box lets users securely store, access, share, and collaboratively work on files across devices. It is accessible through web and mobile applications and REST APIs. It features functions such as search, metadata, granular permission models, enterprise-grade security, retention policies, and preview capabilities.

Supervisor Configuration Parameters

To configure the connector, following parameters are required:

  • Connector name

  • Client Id

  • Client Secret

  • Public Key

  • Private Key
  • Pass Phrase
  • Enterprise Id

To get the Box credentials

  1. Create an account in Box.

  2. Log in to the Box account . The URL will be similar to https://{Business_Name}.app.box.com/folder/0.

  3. Navigate to the Developer console.

  4. Create a new custom application.

  5. Select OAuth 2.0 with JWT (server authentication) as the authentication method.

  6. Enter a relevant name for the application that is to be created.

  7. Click View App and navigate to the Configuration section.

  8. Set the value of Application Access to Enterprise.

  9. Enable the advanced features by selecting the following options:

    • Perform action as Users
    • Generate User access token

  10. In the Add and manage public keys section, click generate Public/Private Key pair button. A config JSON file gets downloaded and it includes the credentials, that are required to get the access token for authentication.

Supported Objects and Operations

Users
Table 26: Supported operations for Users

Operation

VERB

Create

POST

Update

PUT

Delete

DELETE

Deprovision  
Undo Deprovision  
Groups
Table 27: Supported operations for Groups

Operation

VERB
Create POST

Mandatory Fields

Users
  • DisplayName
  • Email ID
Groups

  • DisplayName

User and Group Mapping

The user and group mappings are listed in the tables below.

Table 28: User Mapping
SCIM Parameter Box Parameter
id id
email[0].value login

userName

 login
name.formatted name
displayName name
active status
address[0].formatted address
userType type
PhoneNumbers[0].Value phone
active status
title job_title

preferredLanguage

 language

timezone

 timezone

meta.created

created_at

meta.astModified

modified_at

 

Table 29: Group Mapping
SCIM Parameter Box Parameter
id id
name displayName
created created_at
lastModified modified_at

members[].value

user[].id

members[].display

user[].name

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating