立即与支持人员聊天
与支持团队交流

Starling Connect Hosted - One Identity Manager Administration Guide

About this guide One Identity Starling Connect overview One Identity Starling Supported cloud applications Working with connectors Connector versions Salesforce Facebook Workplace SAP Cloud Platform JIRA Server RSA Archer SuccessFactors AWS IAM ServiceNow Dropbox Crowd Atlassian JIRA Confluence Trello Box Pipedrive SuccessFactors HR NutShell Insightly Egnyte SugarCRM Oracle IDCS Statuspage Zendesk Sell Workbooks DocuSign Citrix ShareFile Zendesk Azure AD Google Workspace Concur Tableau GoToMeeting Coupa AWS Cognito Okta DataDog Hideez Opsgenie Informatica Cloud Services AppDynamics Marketo Workday HR OneLogin PingOne Aha! SAP Litmos HackerRank Slack ActiveCampaign Webex Apigee Databricks Hive PagerDuty Dayforce Smartsheet Pingboard SAP Cloud for Customer Azure Infrastructure Oracle Fusion Cloud Majesco LuccaHR OpenText JFrog Artifactory xMatters Discourse Testrail ChipSoft PingOne Platform Azure DevOps UKG PRO Atlassian Cloud Appendix: Creating a service account in Google Workspace Appendix: Setting a trial account on Salesforce Registering the application, providing necessary permissions, retrieving Client Id and Client Secret from the Azure AD tenant Generating a private key for service account in GoToMeeting Configuring AWS IAM connector to support entitlements for User and Group Configuring Box connector to support additional email IDs for users One Identity Manager E2E integration needs for Hideez connector Configuring custom attributes for ServiceNow v.1.0 Configuring custom attributes for Coupa v.1.0 Configuring custom attributes in connectors Disabling attributes Configuring a connector that uses the consent feature Synchronization and integration of Roles object type with One Identity Manager Synchronization and integration of Workspaces object type with One Identity Manager Synchronization and integration of Products object type with One Identity Manager User centric membership Creating multi-valued custom fields in One Identity Manager Synchronization and assignment of PermissionSets to Users with One Identity Manager Connectors that support password attribute in User object Connectors that do not support special characters in the object ID Creating an app for using SCIM on Slack Enterprise Grid Organization Creating a Webex integration application, providing necessary scopes, retrieving Client Id and Client Secret Retrieving the API key from Facebook Workplace Outbound IP addresses Values for customer-specific configuration parameters in Workday HR connector Initiate an OAuth connection to SuccessFactors Creating custom editable/upsertable attributes in Successfactors employee central Custom Foundation Objects in Successfactors HR connector Configuring additional datetime offset in connectors How to Create custom attribute for Users in SuccessFactors portal SAP Cloud for Customer - Steps to add custom fields at One Identity Manager attributes Creating a Service Principal for the Azure Infrastructure Connector Workday permissions needed to integrate via the Starling Connector Configuring integration application in DocuSign Creating integration Connect Client in Coupa Retrieving Azure DevOps Personal Access Token (PAT) Setup integration system and field override service in Workday Retrieving Atlassian Cloud API Key and Directory ID Retrieving Tableau Personal Access Token (PAT)

Supervisor configuration parameters

AWS IAM (formerly AWS IAM S3) offers a suite of cloud-computing services that make up an on-demand computing platform. The most central and best-known of these are Amazon Elastic Compute Cloud (EC2) and Amazon Simple Storage Service (S3). AWS offers more than 70 services, including computing, storage, networking, database, analytics, application services, deployment, management, mobile, developer tools, and tools for the Internet of Things.

AWS IAM connectors are available for use with One Identity Safeguard for Privileged Passwords.

For more information about configuring AWS IAM connector with One Identity Manager, see Configuring AWS IAM connector to support entitlements for User and Group.

To configure the connector, following parameters are required:

  • Connector Name

  • Client Id of the cloud account
  • Client Secret of the cloud account

  • Region of the cloud account

  • SCIM URL (Cloud application's REST API's base URL)

  • Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details).

Supported objects and operations

Users

Table 41: Supported operations and objects for Users

Operation

VERB

Create

POST

Update

PUT

Delete DELETE
Get all users GET
Get (Id) GET
Pagination GET

Groups

Table 42: Supported operations and objects for Groups

Operation

VERB

Create POST
Update PUT
Delete DELETE
Get all groups GET
Get (Id) GET

NOTE: Currently, addition or removal of entitlements for Groups is not supported by One Identity Manager.

Profiles

Table 43: Supported operations for Profiles

Operation

VERB

Get All Profiles

GET

Get Profile

GET

Roles

Table 44: Supported operations for Roles

Operation

VERB

Get Role

GET

Get All Roles

GET

Mandatory fields

Users

  • User Name
  • Password - This is applicable only for the Create operation.

Groups

  • Group Name

Mappings

The user and group mappings are listed in the tables below.

Table 45: User mapping
SCIM parameter AWS IAM parameter
Id UserName
UserName UserName
Password password
DisplayName Arn

Active

(true)

Groups

(ListGroupsForUserResult)Group

Entitlements

(ListAttachedUserPoliciesResult)AttachedPolicies

Created CreateDate
LastModified PasswordLastUsed

 

Table 46: Group mapping
SCIM parameter AWS IAM parameter
Id GroupName
displayName UserName
Entitlements (ListAttachedGroupPoliciesResult)AttachedPolicies
Members (GetGroupResult)Users
Created CreateDate
LastModified PasswordLastUsed
Table 47: Profile mapping
SCIM parameter AWS IAM parameter
Id Arn
displayName PolicyName
Created CreateDate
LastModified UpdateDate
Table 48: Roles mapping
SCIM parameter AWS IAM parameter
Id RoleName
Name RoleName
Entitlements (ListAttachedGroupPoliciesResult)AttachedPolicies
description Description
Created CreateDate
Table 49: Mappings for v2.0
SCIM parameter AWS IAM parameter
Id Base64encoded(id)
targetId id

NOTE:Applicable for all object types.

Connector limitations

  • Signature generation is embedded within a data process. Hence, the performance of the application is affected.

  • The Last Modified date is not available. Hence, the field contains the value of the recently used Password.

  • While performing Delete User or Delete Group operation, users or groups that are part of the deleted users or groups get detached from the below mentioned services. However, some services must be detached manually.

    • AccessKey
    • Roles
    • Groups
  • The task of assigning entitlements to groups is available with the connector. For successful working, certain changes must be made in One Identity Manager.

  • Roles has no assignment relations with Users and Groups object types. Entitlements is the only object type associated with Roles.

Connector versions and features

The following subsections describe the different connector version(s) and features available with them.

Features available exclusively in AWS IAM v.2.0

Following are the features that are available exclusively in AWS IAM v.2.0:

  • All the endpoints return one new attribute “targetId”.
  • The "id" in the SCIM response will be base64 encoded in all the endpoints.

AWS IAM connector for Safeguard for Privileged Passwords

  • The service account must have the following minimum IAM permissions:

    • GetUser

    • GetGroup

    • ListAttachedUserPolicies

    • ListEntitiesForPolicy

    • ListGroups

    • ListGroupsForUser

    • ListUsers

    • ListUserPolicies

    • SimulatePrincipalPolicy

    • UpdateLoginProfile

  • If manually adding an account to an AWS asset, the username to enter is the simple account username (not the ARN).

  • Users must have a manually set password in AWS prior to management by Safeguard for Privileged Passwords. You cannot call "ChangePassword" on an account that has never had a password set.

  • Safeguard for Privileged Password "Roles" are used for account discovery map to AWS Policies (not AWS "Roles").

  • When a "Roles" filter is used in account discovery it only captures accounts for which a matching policy is directly assigned to the user (not policies it inherits through a group).

Supported objects and operations

AWS IAM (formerly AWS IAM S3) offers a suite of cloud-computing services that make up an on-demand computing platform. The most central and best-known of these are Amazon Elastic Compute Cloud (EC2) and Amazon Simple Storage Service (S3). AWS offers more than 70 services, including computing, storage, networking, database, analytics, application services, deployment, management, mobile, developer tools, and tools for the Internet of Things.

AWS IAM connectors are available for use with One Identity Safeguard for Privileged Passwords.

For more information about configuring AWS IAM connector with One Identity Manager, see Configuring AWS IAM connector to support entitlements for User and Group.

Supervisor configuration parameters

To configure the connector, following parameters are required:

  • Connector Name

  • Client Id of the cloud account
  • Client Secret of the cloud account

  • Region of the cloud account

  • SCIM URL (Cloud application's REST API's base URL)

  • Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details).

Users

Table 41: Supported operations and objects for Users

Operation

VERB

Create

POST

Update

PUT

Delete DELETE
Get all users GET
Get (Id) GET
Pagination GET

Groups

Table 42: Supported operations and objects for Groups

Operation

VERB

Create POST
Update PUT
Delete DELETE
Get all groups GET
Get (Id) GET

NOTE: Currently, addition or removal of entitlements for Groups is not supported by One Identity Manager.

Profiles

Table 43: Supported operations for Profiles

Operation

VERB

Get All Profiles

GET

Get Profile

GET

Roles

Table 44: Supported operations for Roles

Operation

VERB

Get Role

GET

Get All Roles

GET

Mandatory fields

Users

  • User Name
  • Password - This is applicable only for the Create operation.

Groups

  • Group Name

Mappings

The user and group mappings are listed in the tables below.

Table 45: User mapping
SCIM parameter AWS IAM parameter
Id UserName
UserName UserName
Password password
DisplayName Arn

Active

(true)

Groups

(ListGroupsForUserResult)Group

Entitlements

(ListAttachedUserPoliciesResult)AttachedPolicies

Created CreateDate
LastModified PasswordLastUsed

 

Table 46: Group mapping
SCIM parameter AWS IAM parameter
Id GroupName
displayName UserName
Entitlements (ListAttachedGroupPoliciesResult)AttachedPolicies
Members (GetGroupResult)Users
Created CreateDate
LastModified PasswordLastUsed
Table 47: Profile mapping
SCIM parameter AWS IAM parameter
Id Arn
displayName PolicyName
Created CreateDate
LastModified UpdateDate
Table 48: Roles mapping
SCIM parameter AWS IAM parameter
Id RoleName
Name RoleName
Entitlements (ListAttachedGroupPoliciesResult)AttachedPolicies
description Description
Created CreateDate
Table 49: Mappings for v2.0
SCIM parameter AWS IAM parameter
Id Base64encoded(id)
targetId id

NOTE:Applicable for all object types.

Connector limitations

  • Signature generation is embedded within a data process. Hence, the performance of the application is affected.

  • The Last Modified date is not available. Hence, the field contains the value of the recently used Password.

  • While performing Delete User or Delete Group operation, users or groups that are part of the deleted users or groups get detached from the below mentioned services. However, some services must be detached manually.

    • AccessKey
    • Roles
    • Groups
  • The task of assigning entitlements to groups is available with the connector. For successful working, certain changes must be made in One Identity Manager.

  • Roles has no assignment relations with Users and Groups object types. Entitlements is the only object type associated with Roles.

Connector versions and features

The following subsections describe the different connector version(s) and features available with them.

Features available exclusively in AWS IAM v.2.0

Following are the features that are available exclusively in AWS IAM v.2.0:

  • All the endpoints return one new attribute “targetId”.
  • The "id" in the SCIM response will be base64 encoded in all the endpoints.

AWS IAM connector for Safeguard for Privileged Passwords

  • The service account must have the following minimum IAM permissions:

    • GetUser

    • GetGroup

    • ListAttachedUserPolicies

    • ListEntitiesForPolicy

    • ListGroups

    • ListGroupsForUser

    • ListUsers

    • ListUserPolicies

    • SimulatePrincipalPolicy

    • UpdateLoginProfile

  • If manually adding an account to an AWS asset, the username to enter is the simple account username (not the ARN).

  • Users must have a manually set password in AWS prior to management by Safeguard for Privileged Passwords. You cannot call "ChangePassword" on an account that has never had a password set.

  • Safeguard for Privileged Password "Roles" are used for account discovery map to AWS Policies (not AWS "Roles").

  • When a "Roles" filter is used in account discovery it only captures accounts for which a matching policy is directly assigned to the user (not policies it inherits through a group).

Mandatory fields

AWS IAM (formerly AWS IAM S3) offers a suite of cloud-computing services that make up an on-demand computing platform. The most central and best-known of these are Amazon Elastic Compute Cloud (EC2) and Amazon Simple Storage Service (S3). AWS offers more than 70 services, including computing, storage, networking, database, analytics, application services, deployment, management, mobile, developer tools, and tools for the Internet of Things.

AWS IAM connectors are available for use with One Identity Safeguard for Privileged Passwords.

For more information about configuring AWS IAM connector with One Identity Manager, see Configuring AWS IAM connector to support entitlements for User and Group.

Supervisor configuration parameters

To configure the connector, following parameters are required:

  • Connector Name

  • Client Id of the cloud account
  • Client Secret of the cloud account

  • Region of the cloud account

  • SCIM URL (Cloud application's REST API's base URL)

  • Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details).

Supported objects and operations

Users

Table 41: Supported operations and objects for Users

Operation

VERB

Create

POST

Update

PUT

Delete DELETE
Get all users GET
Get (Id) GET
Pagination GET

Groups

Table 42: Supported operations and objects for Groups

Operation

VERB

Create POST
Update PUT
Delete DELETE
Get all groups GET
Get (Id) GET

NOTE: Currently, addition or removal of entitlements for Groups is not supported by One Identity Manager.

Profiles

Table 43: Supported operations for Profiles

Operation

VERB

Get All Profiles

GET

Get Profile

GET

Roles

Table 44: Supported operations for Roles

Operation

VERB

Get Role

GET

Get All Roles

GET

Users

  • User Name
  • Password - This is applicable only for the Create operation.

Groups

  • Group Name

Mappings

The user and group mappings are listed in the tables below.

Table 45: User mapping
SCIM parameter AWS IAM parameter
Id UserName
UserName UserName
Password password
DisplayName Arn

Active

(true)

Groups

(ListGroupsForUserResult)Group

Entitlements

(ListAttachedUserPoliciesResult)AttachedPolicies

Created CreateDate
LastModified PasswordLastUsed

 

Table 46: Group mapping
SCIM parameter AWS IAM parameter
Id GroupName
displayName UserName
Entitlements (ListAttachedGroupPoliciesResult)AttachedPolicies
Members (GetGroupResult)Users
Created CreateDate
LastModified PasswordLastUsed
Table 47: Profile mapping
SCIM parameter AWS IAM parameter
Id Arn
displayName PolicyName
Created CreateDate
LastModified UpdateDate
Table 48: Roles mapping
SCIM parameter AWS IAM parameter
Id RoleName
Name RoleName
Entitlements (ListAttachedGroupPoliciesResult)AttachedPolicies
description Description
Created CreateDate
Table 49: Mappings for v2.0
SCIM parameter AWS IAM parameter
Id Base64encoded(id)
targetId id

NOTE:Applicable for all object types.

Connector limitations

  • Signature generation is embedded within a data process. Hence, the performance of the application is affected.

  • The Last Modified date is not available. Hence, the field contains the value of the recently used Password.

  • While performing Delete User or Delete Group operation, users or groups that are part of the deleted users or groups get detached from the below mentioned services. However, some services must be detached manually.

    • AccessKey
    • Roles
    • Groups
  • The task of assigning entitlements to groups is available with the connector. For successful working, certain changes must be made in One Identity Manager.

  • Roles has no assignment relations with Users and Groups object types. Entitlements is the only object type associated with Roles.

Connector versions and features

The following subsections describe the different connector version(s) and features available with them.

Features available exclusively in AWS IAM v.2.0

Following are the features that are available exclusively in AWS IAM v.2.0:

  • All the endpoints return one new attribute “targetId”.
  • The "id" in the SCIM response will be base64 encoded in all the endpoints.

AWS IAM connector for Safeguard for Privileged Passwords

  • The service account must have the following minimum IAM permissions:

    • GetUser

    • GetGroup

    • ListAttachedUserPolicies

    • ListEntitiesForPolicy

    • ListGroups

    • ListGroupsForUser

    • ListUsers

    • ListUserPolicies

    • SimulatePrincipalPolicy

    • UpdateLoginProfile

  • If manually adding an account to an AWS asset, the username to enter is the simple account username (not the ARN).

  • Users must have a manually set password in AWS prior to management by Safeguard for Privileged Passwords. You cannot call "ChangePassword" on an account that has never had a password set.

  • Safeguard for Privileged Password "Roles" are used for account discovery map to AWS Policies (not AWS "Roles").

  • When a "Roles" filter is used in account discovery it only captures accounts for which a matching policy is directly assigned to the user (not policies it inherits through a group).

Connector limitations

AWS IAM (formerly AWS IAM S3) offers a suite of cloud-computing services that make up an on-demand computing platform. The most central and best-known of these are Amazon Elastic Compute Cloud (EC2) and Amazon Simple Storage Service (S3). AWS offers more than 70 services, including computing, storage, networking, database, analytics, application services, deployment, management, mobile, developer tools, and tools for the Internet of Things.

AWS IAM connectors are available for use with One Identity Safeguard for Privileged Passwords.

For more information about configuring AWS IAM connector with One Identity Manager, see Configuring AWS IAM connector to support entitlements for User and Group.

Supervisor configuration parameters

To configure the connector, following parameters are required:

  • Connector Name

  • Client Id of the cloud account
  • Client Secret of the cloud account

  • Region of the cloud account

  • SCIM URL (Cloud application's REST API's base URL)

  • Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details).

Supported objects and operations

Users

Table 41: Supported operations and objects for Users

Operation

VERB

Create

POST

Update

PUT

Delete DELETE
Get all users GET
Get (Id) GET
Pagination GET

Groups

Table 42: Supported operations and objects for Groups

Operation

VERB

Create POST
Update PUT
Delete DELETE
Get all groups GET
Get (Id) GET

NOTE: Currently, addition or removal of entitlements for Groups is not supported by One Identity Manager.

Profiles

Table 43: Supported operations for Profiles

Operation

VERB

Get All Profiles

GET

Get Profile

GET

Roles

Table 44: Supported operations for Roles

Operation

VERB

Get Role

GET

Get All Roles

GET

Mandatory fields

Users

  • User Name
  • Password - This is applicable only for the Create operation.

Groups

  • Group Name

Mappings

The user and group mappings are listed in the tables below.

Table 45: User mapping
SCIM parameter AWS IAM parameter
Id UserName
UserName UserName
Password password
DisplayName Arn

Active

(true)

Groups

(ListGroupsForUserResult)Group

Entitlements

(ListAttachedUserPoliciesResult)AttachedPolicies

Created CreateDate
LastModified PasswordLastUsed

 

Table 46: Group mapping
SCIM parameter AWS IAM parameter
Id GroupName
displayName UserName
Entitlements (ListAttachedGroupPoliciesResult)AttachedPolicies
Members (GetGroupResult)Users
Created CreateDate
LastModified PasswordLastUsed
Table 47: Profile mapping
SCIM parameter AWS IAM parameter
Id Arn
displayName PolicyName
Created CreateDate
LastModified UpdateDate
Table 48: Roles mapping
SCIM parameter AWS IAM parameter
Id RoleName
Name RoleName
Entitlements (ListAttachedGroupPoliciesResult)AttachedPolicies
description Description
Created CreateDate
Table 49: Mappings for v2.0
SCIM parameter AWS IAM parameter
Id Base64encoded(id)
targetId id

NOTE:Applicable for all object types.

  • Signature generation is embedded within a data process. Hence, the performance of the application is affected.

  • The Last Modified date is not available. Hence, the field contains the value of the recently used Password.

  • While performing Delete User or Delete Group operation, users or groups that are part of the deleted users or groups get detached from the below mentioned services. However, some services must be detached manually.

    • AccessKey
    • Roles
    • Groups
  • The task of assigning entitlements to groups is available with the connector. For successful working, certain changes must be made in One Identity Manager.

  • Roles has no assignment relations with Users and Groups object types. Entitlements is the only object type associated with Roles.

Connector versions and features

The following subsections describe the different connector version(s) and features available with them.

Features available exclusively in AWS IAM v.2.0

Following are the features that are available exclusively in AWS IAM v.2.0:

  • All the endpoints return one new attribute “targetId”.
  • The "id" in the SCIM response will be base64 encoded in all the endpoints.

AWS IAM connector for Safeguard for Privileged Passwords

  • The service account must have the following minimum IAM permissions:

    • GetUser

    • GetGroup

    • ListAttachedUserPolicies

    • ListEntitiesForPolicy

    • ListGroups

    • ListGroupsForUser

    • ListUsers

    • ListUserPolicies

    • SimulatePrincipalPolicy

    • UpdateLoginProfile

  • If manually adding an account to an AWS asset, the username to enter is the simple account username (not the ARN).

  • Users must have a manually set password in AWS prior to management by Safeguard for Privileged Passwords. You cannot call "ChangePassword" on an account that has never had a password set.

  • Safeguard for Privileged Password "Roles" are used for account discovery map to AWS Policies (not AWS "Roles").

  • When a "Roles" filter is used in account discovery it only captures accounts for which a matching policy is directly assigned to the user (not policies it inherits through a group).

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级