
Connecting to External Systems


EmpowerID provides connectors for a wide range of user directories and resource systems. As an administrator, you can use these connectors to quickly connect EmpowerID to your organization's identity-aware systems and applications. When you do so, you create an account store for that application in the EmpowerID Identity Warehouse and use that account store to configure how you want EmpowerID to manage the identity information in that system.

The image and discussion below give a high-level view of the process of connecting to and integrating with external systems.

The following steps explain each stage of the process and the integration capabilities involved.

  1. EmpowerID receives authoritative identity and attribute information for employees typically from one or more HR systems. Connections to these systems are facilitated through our connector framework utilizing the most effective access methods for the connected system.

  2. Automated processing jobs evaluate the incoming identity data. The Account Inbox process evaluates the accounts to either join to a person or create a new person identity in the system. Role/Location processes evaluate the attributes that are used to determine and set the business role and location that a person should be assigned to. Attribute sync processes reconcile attribute changes that have been discovered and flow these changes from the account to the person identity based on configured attribute flow rules.

  3. Various processes manipulate the person identity and set role assignments as attributes and role data from the source systems trigger role changes, status changes, terminations, and policy changes. Exception requests are recorded and processed based on access and approval policies that enforce governance rules. Compliance rules and policies provide for risk mitigation and recertification processing. Role-Based, Policy-Based, and Attribute-Based Access Control (RBAC, PBAC, ABAC) processes determine the target system group and role memberships that need to be provisioned or de-provisioned based on role assignments, whether birthright, exception requested, or compliance processing.

  4. Provisioning policies within the EmpowerID system determine the target systems and scope of the identities to be provisioned or de-provisioned in target systems. Membership reconciliation, projection, and enforcement jobs process group membership changes to target systems. Dynamic Hierarchy policies create and populate dynamic groups and memberships based on policy definitions.

  5. Changes processed by the outbound processes are written to the target systems via the connector framework using the methods defined in the connector libraries. Failed writes are retried on the next update cycle to ensure data remains up to date.

  6. Inventory jobs read current state data from the target systems and reconcile it with the data in the identity warehouse to maintain synchronization with the external system.

There are various prerequisites you need to complete before connecting to an external directory for the first time.

1. Prerequisites for SaaS Customers Connecting to On-Premise Systems

If you are an EmpowerID SaaS customer and you plan to connect EmpowerID to on-premise systems, you must install the EmpowerID Cloud Gateway Client for SaaS on at least one on-premise server.

2. Prerequisites for Connecting EmpowerID to an External Directory

Setting the server role for each of your EmpowerID servers — Server roles determine what EmpowerID jobs (back-end processes) and Web services are enabled on a particular server.

Reviewing the Join and Provision Rules – When you connect EmpowerID to an external directory or other identity-aware application and turn on inventory, EmpowerID evaluates the accounts in those external systems to determine whether EmpowerID People should be provisioned from those accounts.

Key Takeaways:

  1. EmpowerID ships with a large number of connectors for connecting to external systems.

  2. These connectors can be used to connect EmpowerID to your organization's identity-aware systems and applications.

  3. When we connect EmpowerID to an external system using connectors, an account store is created for that application in the EmpowerID Identity Warehouse.
