立即与支持人员聊天
与支持团队交流

Starling Connect Hosted - One Identity Manager Administration Guide

About this guide One Identity Starling Connect overview One Identity Starling Supported cloud applications Working with connectors Connector versions Salesforce Facebook Workplace SAP Cloud Platform JIRA Server RSA Archer SuccessFactors AWS IAM ServiceNow Dropbox Crowd Atlassian JIRA Confluence Trello Box Pipedrive SuccessFactors HR NutShell Insightly Egnyte SugarCRM Oracle IDCS Statuspage Zendesk Sell Workbooks DocuSign Citrix ShareFile Zendesk Azure AD Google Workspace Concur Tableau GoToMeeting Coupa AWS Cognito Okta DataDog Hideez Opsgenie Informatica Cloud Services AppDynamics Marketo Workday HR OneLogin PingOne Aha! SAP Litmos HackerRank Slack ActiveCampaign Webex Apigee Databricks Hive PagerDuty Dayforce Smartsheet Pingboard SAP Cloud for Customer Azure Infrastructure Oracle Fusion Cloud Majesco LuccaHR OpenText JFrog Artifactory xMatters Discourse Testrail ChipSoft PingOne Platform Azure DevOps UKG PRO Atlassian Cloud Appendix: Creating a service account in Google Workspace Appendix: Setting a trial account on Salesforce Registering the application, providing necessary permissions, retrieving Client Id and Client Secret from the Azure AD tenant Generating a private key for service account in GoToMeeting Configuring AWS IAM connector to support entitlements for User and Group Configuring Box connector to support additional email IDs for users One Identity Manager E2E integration needs for Hideez connector Configuring custom attributes for ServiceNow v.1.0 Configuring custom attributes for Coupa v.1.0 Configuring custom attributes in connectors Disabling attributes Configuring a connector that uses the consent feature Synchronization and integration of Roles object type with One Identity Manager Synchronization and integration of Workspaces object type with One Identity Manager Synchronization and integration of Products object type with One Identity Manager User centric membership Creating multi-valued custom fields in One Identity Manager Synchronization and assignment of PermissionSets to Users with One Identity Manager Connectors that support password attribute in User object Connectors that do not support special characters in the object ID Creating an app for using SCIM on Slack Enterprise Grid Organization Creating a Webex integration application, providing necessary scopes, retrieving Client Id and Client Secret Retrieving the API key from Facebook Workplace Outbound IP addresses Values for customer-specific configuration parameters in Workday HR connector Initiate an OAuth connection to SuccessFactors Creating custom editable/upsertable attributes in Successfactors employee central Custom Foundation Objects in Successfactors HR connector Configuring additional datetime offset in connectors How to Create custom attribute for Users in SuccessFactors portal SAP Cloud for Customer - Steps to add custom fields at One Identity Manager attributes Creating a Service Principal for the Azure Infrastructure Connector Workday permissions needed to integrate via the Starling Connector Configuring integration application in DocuSign Creating integration Connect Client in Coupa Retrieving Azure DevOps Personal Access Token (PAT) Setup integration system and field override service in Workday Retrieving Atlassian Cloud API Key and Directory ID Retrieving Tableau Personal Access Token (PAT)

Supported objects and operations

Azure AD is a connector that gives users a cloud-based platform for their on-premises resources. Using single sign-on, companies have access to any number of network or web-based applications along with hosting access and identity management resources.

Azure AD connectors are available for use with One Identity Safeguard for Privileged Passwords.

NOTE: Update the synchronization shell or create a new synchronization shell in One Identity Manager as changes are introduced in the schema.

Connector Configuration

Azure AD connector requires customer consent to retrieve resource details using the REST APIs. The Azure AD connector supports the configuration of both single tenant and multi tenant connectors. You can switch from a single tenant connector to a multi tenant connector while configuring the connector in Starling Connect UI.

NOTE:

Supervisor configuration parameters for single tenant connector

To configure the single tenant connector, following parameters are required:

  • Connector name

  • Client Id for the app

  • Client Secret of the app

  • Directory Id of the Active Directory

  • Target URL (Cloud application's instance URL used as target URI in payload - For example, https://graph.microsoft.com/v1.0).

  • Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details).

Supervisor configuration parameters for multi tenant connector

To configure the multi tenant connector, following parameters are required:

  • Directory Id of the Active Directory
  • Target URL (Cloud application's instance URL used as target URI in payload - For example, https://graph.microsoft.com/v1.0).

  • Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details).

Users

Table 174: Supported operations for Users

Operation

VERB

Create User

POST

Update User

PATCH

Delete User

DELETE

Get User

GET

Get All Users

GET

Groups

Table 175: Supported operations for Groups

Operation

VERB

Create Group

POST

Update Group

PATCH

Delete Group

DELETE

Get Group

GET

Get All Groups

GET

Application

Table 176: Supported operations for Application

Operation

VERB

Get Application

GET

Get All Applications

GET

Mandatory fields

Create/Update User

  • email.value
  • userType
  • nickName

  • displayName

  • password

  • active

Groups

  • displayName
  • mailEnabled (value needs to be 'false')

  • mailNickname

  • securityEnabled (value needs to be 'true')

Invite User

  • redirectUrl
  • emails[].value
  • userType

User Group and Application mapping

The user, group and application mappings are listed in the tables below:

Table 177: User mapping
SCIM parameter Azure AD parameter

active

accountEnabled

addresses[0].country

country

addresses[0].locality city
addresses[0].postalCode postalcode
addresses[0].region state
addresses[0].streetAddress streetAddress
displayName displayName
emails[0].value userPrincipalName

groups[].display

memberOf[].displayName

groups[].value

memberOf[].id

Id id

meta.created

createdDateTime

name.familyName surname
name.givenName givenName
nickName mailNickname

phoneNumbers[0].value

businessPhones[0]

preferredLanguage

preferredLanguage

redemptionUrl

inviteRedeemUrl

redirectUrl

inviteRedirectUrl

title

jobTitle

userExtension.applications[].display

applications[].displayName

userExtension.applications[].principalId

applications[].principalId

userExtension.applications[].principalType

applications[].principalType

userExtension.applications[].value

applications[].appId

userExtension.department

department

userExtension.employeeNumber

employeeId

userExtension.manager.displayName

manager.displayName

userExtension.manager.value

manager.id

userExtension.organization

companyName

userName userPrincipalName

userType

userType

Groups

Table 178: Group mapping
SCIM parameter Azure AD parameter

enterpriseExtension.applications[].value

applications[].appId

enterpriseExtension.applications[].display

applications[].displayName

enterpriseExtension.applications[].principalId

applications[].principalId

enterpriseExtension.applications[].principalType

applications[].principalType

displayName displayName

enterpriseExtension.description

description

enterpriseExtension.mailNickname

mailNickname

Id id
members[].display members[].displayName
members[].value members[].id

meta.created

createdDateTime

Application

Table 179: Application Mapping
SCIM parameter Azure AD parameter
appId appId
displayName displayName
Id id

meta.created

createdDateTime

publisherDomain publisherDomain

Connector limitations

  • lastModified is not provided along with the Users, Groups and Applications.

  • Groups are of two types: Security groups and Office 365 groups. Azure AD supports users and groups as the members of groups. Security groups can have users and other Security groups as members. However, only users can be added as members for Office 365 groups.

  • With the trial Azure AD account, it is possible to create only Security groups through APIs. For information on mapping the appropriate properties, see User and Group section.

  • If an appRole is assigned to a group, then only the direct user members of that group will also have these appRoles assigned to them, but not group members of that group.

  • Azure AD resource Id's follow GUID formats. When trying to edit, retrieve, or delete a group by Id with an invalid GUID format, the connector displays 400 as the response code. However with invalid id and a proper GUID format, connector displays 404 as the response code.

  • Email value for the user should have only those domains which are verified in the selected Active Directory. To find out the verified domain, go to the Azure Active Directory in the Azure portal and in the Overview page above the directory name, the verified domain names are displayed.

  • You can create multiple groups with the same name.
  • For more information on password policy settings applied to user accounts that are created and managed in Azure AD, see, Password policies that only apply to cloud user accounts.

Azure AD connector for Safeguard for Privileged Passwords

  • For Safeguard for Privileged Passwords, you must assign at least the Helpdesk Administrator role for the application created, but should assign a higher role if you want to manage special accounts (for example, Billing Administrator or Global Administrator).

  • For Safeguard for Privileged Passwords, the Azure AD application registration must be public.

  • Safeguard for Privileged Passwords only allows for a single tenant connector configuration.

Mandatory fields

Azure AD is a connector that gives users a cloud-based platform for their on-premises resources. Using single sign-on, companies have access to any number of network or web-based applications along with hosting access and identity management resources.

Azure AD connectors are available for use with One Identity Safeguard for Privileged Passwords.

NOTE: Update the synchronization shell or create a new synchronization shell in One Identity Manager as changes are introduced in the schema.

Connector Configuration

Azure AD connector requires customer consent to retrieve resource details using the REST APIs. The Azure AD connector supports the configuration of both single tenant and multi tenant connectors. You can switch from a single tenant connector to a multi tenant connector while configuring the connector in Starling Connect UI.

NOTE:

Supervisor configuration parameters for single tenant connector

To configure the single tenant connector, following parameters are required:

  • Connector name

  • Client Id for the app

  • Client Secret of the app

  • Directory Id of the Active Directory

  • Target URL (Cloud application's instance URL used as target URI in payload - For example, https://graph.microsoft.com/v1.0).

  • Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details).

Supervisor configuration parameters for multi tenant connector

To configure the multi tenant connector, following parameters are required:

  • Directory Id of the Active Directory
  • Target URL (Cloud application's instance URL used as target URI in payload - For example, https://graph.microsoft.com/v1.0).

  • Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details).

Supported objects and operations

Users

Table 174: Supported operations for Users

Operation

VERB

Create User

POST

Update User

PATCH

Delete User

DELETE

Get User

GET

Get All Users

GET

Groups

Table 175: Supported operations for Groups

Operation

VERB

Create Group

POST

Update Group

PATCH

Delete Group

DELETE

Get Group

GET

Get All Groups

GET

Application

Table 176: Supported operations for Application

Operation

VERB

Get Application

GET

Get All Applications

GET

Create/Update User

  • email.value
  • userType
  • nickName

  • displayName

  • password

  • active

Groups

  • displayName
  • mailEnabled (value needs to be 'false')

  • mailNickname

  • securityEnabled (value needs to be 'true')

Invite User

  • redirectUrl
  • emails[].value
  • userType

User Group and Application mapping

The user, group and application mappings are listed in the tables below:

Table 177: User mapping
SCIM parameter Azure AD parameter

active

accountEnabled

addresses[0].country

country

addresses[0].locality city
addresses[0].postalCode postalcode
addresses[0].region state
addresses[0].streetAddress streetAddress
displayName displayName
emails[0].value userPrincipalName

groups[].display

memberOf[].displayName

groups[].value

memberOf[].id

Id id

meta.created

createdDateTime

name.familyName surname
name.givenName givenName
nickName mailNickname

phoneNumbers[0].value

businessPhones[0]

preferredLanguage

preferredLanguage

redemptionUrl

inviteRedeemUrl

redirectUrl

inviteRedirectUrl

title

jobTitle

userExtension.applications[].display

applications[].displayName

userExtension.applications[].principalId

applications[].principalId

userExtension.applications[].principalType

applications[].principalType

userExtension.applications[].value

applications[].appId

userExtension.department

department

userExtension.employeeNumber

employeeId

userExtension.manager.displayName

manager.displayName

userExtension.manager.value

manager.id

userExtension.organization

companyName

userName userPrincipalName

userType

userType

Groups

Table 178: Group mapping
SCIM parameter Azure AD parameter

enterpriseExtension.applications[].value

applications[].appId

enterpriseExtension.applications[].display

applications[].displayName

enterpriseExtension.applications[].principalId

applications[].principalId

enterpriseExtension.applications[].principalType

applications[].principalType

displayName displayName

enterpriseExtension.description

description

enterpriseExtension.mailNickname

mailNickname

Id id
members[].display members[].displayName
members[].value members[].id

meta.created

createdDateTime

Application

Table 179: Application Mapping
SCIM parameter Azure AD parameter
appId appId
displayName displayName
Id id

meta.created

createdDateTime

publisherDomain publisherDomain

Connector limitations

  • lastModified is not provided along with the Users, Groups and Applications.

  • Groups are of two types: Security groups and Office 365 groups. Azure AD supports users and groups as the members of groups. Security groups can have users and other Security groups as members. However, only users can be added as members for Office 365 groups.

  • With the trial Azure AD account, it is possible to create only Security groups through APIs. For information on mapping the appropriate properties, see User and Group section.

  • If an appRole is assigned to a group, then only the direct user members of that group will also have these appRoles assigned to them, but not group members of that group.

  • Azure AD resource Id's follow GUID formats. When trying to edit, retrieve, or delete a group by Id with an invalid GUID format, the connector displays 400 as the response code. However with invalid id and a proper GUID format, connector displays 404 as the response code.

  • Email value for the user should have only those domains which are verified in the selected Active Directory. To find out the verified domain, go to the Azure Active Directory in the Azure portal and in the Overview page above the directory name, the verified domain names are displayed.

  • You can create multiple groups with the same name.
  • For more information on password policy settings applied to user accounts that are created and managed in Azure AD, see, Password policies that only apply to cloud user accounts.

Azure AD connector for Safeguard for Privileged Passwords

  • For Safeguard for Privileged Passwords, you must assign at least the Helpdesk Administrator role for the application created, but should assign a higher role if you want to manage special accounts (for example, Billing Administrator or Global Administrator).

  • For Safeguard for Privileged Passwords, the Azure AD application registration must be public.

  • Safeguard for Privileged Passwords only allows for a single tenant connector configuration.

User Group and Application mapping

Azure AD is a connector that gives users a cloud-based platform for their on-premises resources. Using single sign-on, companies have access to any number of network or web-based applications along with hosting access and identity management resources.

Azure AD connectors are available for use with One Identity Safeguard for Privileged Passwords.

NOTE: Update the synchronization shell or create a new synchronization shell in One Identity Manager as changes are introduced in the schema.

Connector Configuration

Azure AD connector requires customer consent to retrieve resource details using the REST APIs. The Azure AD connector supports the configuration of both single tenant and multi tenant connectors. You can switch from a single tenant connector to a multi tenant connector while configuring the connector in Starling Connect UI.

NOTE:

Supervisor configuration parameters for single tenant connector

To configure the single tenant connector, following parameters are required:

  • Connector name

  • Client Id for the app

  • Client Secret of the app

  • Directory Id of the Active Directory

  • Target URL (Cloud application's instance URL used as target URI in payload - For example, https://graph.microsoft.com/v1.0).

  • Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details).

Supervisor configuration parameters for multi tenant connector

To configure the multi tenant connector, following parameters are required:

  • Directory Id of the Active Directory
  • Target URL (Cloud application's instance URL used as target URI in payload - For example, https://graph.microsoft.com/v1.0).

  • Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details).

Supported objects and operations

Users

Table 174: Supported operations for Users

Operation

VERB

Create User

POST

Update User

PATCH

Delete User

DELETE

Get User

GET

Get All Users

GET

Groups

Table 175: Supported operations for Groups

Operation

VERB

Create Group

POST

Update Group

PATCH

Delete Group

DELETE

Get Group

GET

Get All Groups

GET

Application

Table 176: Supported operations for Application

Operation

VERB

Get Application

GET

Get All Applications

GET

Mandatory fields

Create/Update User

  • email.value
  • userType
  • nickName

  • displayName

  • password

  • active

Groups

  • displayName
  • mailEnabled (value needs to be 'false')

  • mailNickname

  • securityEnabled (value needs to be 'true')

Invite User

  • redirectUrl
  • emails[].value
  • userType

The user, group and application mappings are listed in the tables below:

Table 177: User mapping
SCIM parameter Azure AD parameter

active

accountEnabled

addresses[0].country

country

addresses[0].locality city
addresses[0].postalCode postalcode
addresses[0].region state
addresses[0].streetAddress streetAddress
displayName displayName
emails[0].value userPrincipalName

groups[].display

memberOf[].displayName

groups[].value

memberOf[].id

Id id

meta.created

createdDateTime

name.familyName surname
name.givenName givenName
nickName mailNickname

phoneNumbers[0].value

businessPhones[0]

preferredLanguage

preferredLanguage

redemptionUrl

inviteRedeemUrl

redirectUrl

inviteRedirectUrl

title

jobTitle

userExtension.applications[].display

applications[].displayName

userExtension.applications[].principalId

applications[].principalId

userExtension.applications[].principalType

applications[].principalType

userExtension.applications[].value

applications[].appId

userExtension.department

department

userExtension.employeeNumber

employeeId

userExtension.manager.displayName

manager.displayName

userExtension.manager.value

manager.id

userExtension.organization

companyName

userName userPrincipalName

userType

userType

Groups

Table 178: Group mapping
SCIM parameter Azure AD parameter

enterpriseExtension.applications[].value

applications[].appId

enterpriseExtension.applications[].display

applications[].displayName

enterpriseExtension.applications[].principalId

applications[].principalId

enterpriseExtension.applications[].principalType

applications[].principalType

displayName displayName

enterpriseExtension.description

description

enterpriseExtension.mailNickname

mailNickname

Id id
members[].display members[].displayName
members[].value members[].id

meta.created

createdDateTime

Application

Table 179: Application Mapping
SCIM parameter Azure AD parameter
appId appId
displayName displayName
Id id

meta.created

createdDateTime

publisherDomain publisherDomain

Connector limitations

  • lastModified is not provided along with the Users, Groups and Applications.

  • Groups are of two types: Security groups and Office 365 groups. Azure AD supports users and groups as the members of groups. Security groups can have users and other Security groups as members. However, only users can be added as members for Office 365 groups.

  • With the trial Azure AD account, it is possible to create only Security groups through APIs. For information on mapping the appropriate properties, see User and Group section.

  • If an appRole is assigned to a group, then only the direct user members of that group will also have these appRoles assigned to them, but not group members of that group.

  • Azure AD resource Id's follow GUID formats. When trying to edit, retrieve, or delete a group by Id with an invalid GUID format, the connector displays 400 as the response code. However with invalid id and a proper GUID format, connector displays 404 as the response code.

  • Email value for the user should have only those domains which are verified in the selected Active Directory. To find out the verified domain, go to the Azure Active Directory in the Azure portal and in the Overview page above the directory name, the verified domain names are displayed.

  • You can create multiple groups with the same name.
  • For more information on password policy settings applied to user accounts that are created and managed in Azure AD, see, Password policies that only apply to cloud user accounts.

Azure AD connector for Safeguard for Privileged Passwords

  • For Safeguard for Privileged Passwords, you must assign at least the Helpdesk Administrator role for the application created, but should assign a higher role if you want to manage special accounts (for example, Billing Administrator or Global Administrator).

  • For Safeguard for Privileged Passwords, the Azure AD application registration must be public.

  • Safeguard for Privileged Passwords only allows for a single tenant connector configuration.

Connector limitations

Azure AD is a connector that gives users a cloud-based platform for their on-premises resources. Using single sign-on, companies have access to any number of network or web-based applications along with hosting access and identity management resources.

Azure AD connectors are available for use with One Identity Safeguard for Privileged Passwords.

NOTE: Update the synchronization shell or create a new synchronization shell in One Identity Manager as changes are introduced in the schema.

Connector Configuration

Azure AD connector requires customer consent to retrieve resource details using the REST APIs. The Azure AD connector supports the configuration of both single tenant and multi tenant connectors. You can switch from a single tenant connector to a multi tenant connector while configuring the connector in Starling Connect UI.

NOTE:

Supervisor configuration parameters for single tenant connector

To configure the single tenant connector, following parameters are required:

  • Connector name

  • Client Id for the app

  • Client Secret of the app

  • Directory Id of the Active Directory

  • Target URL (Cloud application's instance URL used as target URI in payload - For example, https://graph.microsoft.com/v1.0).

  • Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details).

Supervisor configuration parameters for multi tenant connector

To configure the multi tenant connector, following parameters are required:

  • Directory Id of the Active Directory
  • Target URL (Cloud application's instance URL used as target URI in payload - For example, https://graph.microsoft.com/v1.0).

  • Instance DateTime Offset (refer Configuring additional datetime offset in connectors for more details).

Supported objects and operations

Users

Table 174: Supported operations for Users

Operation

VERB

Create User

POST

Update User

PATCH

Delete User

DELETE

Get User

GET

Get All Users

GET

Groups

Table 175: Supported operations for Groups

Operation

VERB

Create Group

POST

Update Group

PATCH

Delete Group

DELETE

Get Group

GET

Get All Groups

GET

Application

Table 176: Supported operations for Application

Operation

VERB

Get Application

GET

Get All Applications

GET

Mandatory fields

Create/Update User

  • email.value
  • userType
  • nickName

  • displayName

  • password

  • active

Groups

  • displayName
  • mailEnabled (value needs to be 'false')

  • mailNickname

  • securityEnabled (value needs to be 'true')

Invite User

  • redirectUrl
  • emails[].value
  • userType

User Group and Application mapping

The user, group and application mappings are listed in the tables below:

Table 177: User mapping
SCIM parameter Azure AD parameter

active

accountEnabled

addresses[0].country

country

addresses[0].locality city
addresses[0].postalCode postalcode
addresses[0].region state
addresses[0].streetAddress streetAddress
displayName displayName
emails[0].value userPrincipalName

groups[].display

memberOf[].displayName

groups[].value

memberOf[].id

Id id

meta.created

createdDateTime

name.familyName surname
name.givenName givenName
nickName mailNickname

phoneNumbers[0].value

businessPhones[0]

preferredLanguage

preferredLanguage

redemptionUrl

inviteRedeemUrl

redirectUrl

inviteRedirectUrl

title

jobTitle

userExtension.applications[].display

applications[].displayName

userExtension.applications[].principalId

applications[].principalId

userExtension.applications[].principalType

applications[].principalType

userExtension.applications[].value

applications[].appId

userExtension.department

department

userExtension.employeeNumber

employeeId

userExtension.manager.displayName

manager.displayName

userExtension.manager.value

manager.id

userExtension.organization

companyName

userName userPrincipalName

userType

userType

Groups

Table 178: Group mapping
SCIM parameter Azure AD parameter

enterpriseExtension.applications[].value

applications[].appId

enterpriseExtension.applications[].display

applications[].displayName

enterpriseExtension.applications[].principalId

applications[].principalId

enterpriseExtension.applications[].principalType

applications[].principalType

displayName displayName

enterpriseExtension.description

description

enterpriseExtension.mailNickname

mailNickname

Id id
members[].display members[].displayName
members[].value members[].id

meta.created

createdDateTime

Application

Table 179: Application Mapping
SCIM parameter Azure AD parameter
appId appId
displayName displayName
Id id

meta.created

createdDateTime

publisherDomain publisherDomain
  • lastModified is not provided along with the Users, Groups and Applications.

  • Groups are of two types: Security groups and Office 365 groups. Azure AD supports users and groups as the members of groups. Security groups can have users and other Security groups as members. However, only users can be added as members for Office 365 groups.

  • With the trial Azure AD account, it is possible to create only Security groups through APIs. For information on mapping the appropriate properties, see User and Group section.

  • If an appRole is assigned to a group, then only the direct user members of that group will also have these appRoles assigned to them, but not group members of that group.

  • Azure AD resource Id's follow GUID formats. When trying to edit, retrieve, or delete a group by Id with an invalid GUID format, the connector displays 400 as the response code. However with invalid id and a proper GUID format, connector displays 404 as the response code.

  • Email value for the user should have only those domains which are verified in the selected Active Directory. To find out the verified domain, go to the Azure Active Directory in the Azure portal and in the Overview page above the directory name, the verified domain names are displayed.

  • You can create multiple groups with the same name.
  • For more information on password policy settings applied to user accounts that are created and managed in Azure AD, see, Password policies that only apply to cloud user accounts.

Azure AD connector for Safeguard for Privileged Passwords

  • For Safeguard for Privileged Passwords, you must assign at least the Helpdesk Administrator role for the application created, but should assign a higher role if you want to manage special accounts (for example, Billing Administrator or Global Administrator).

  • For Safeguard for Privileged Passwords, the Azure AD application registration must be public.

  • Safeguard for Privileged Passwords only allows for a single tenant connector configuration.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级