Before connecting EmpowerID to an external directory, please review the Getting Started with Directory Systems topic. The topic walks you through the prerequisites you need to complete before connecting to an external directory for the first time. These prerequisites include: Configuring the appropriate server roles for your EmpowerID servers Reviewing the Join and Provision Rules for your environment Reviewing the Join and Provision Filters for your environment If you have already connected EmpowerID to another external directory, you can skip the above prerequisites. EmpowerID provides connectors for a wide range of user directories and resource systems. As an administrator, you can use these connectors to quickly connect EmpowerID to your organization's identity-aware systems and applications. When you do so, you create an account store for that application in the EmpowerID Identity Warehouse and use that account store to configure how you want EmpowerID to manage the identity information in that system.
Step 1 – Create an IBM Security Verify Access account store
On the navbar, expand Admin > Applications and Directories and select Account Stores and Systems.
On the Account Stores page, select the Actions tab and then click Create Account Store.
Under System Types, search for IBM Security.
Click the IBM Security Verify Access record to select the type and then click Submit.
This opens the IBM Security Verify Access Settings form, which is where you enter information that allows EmpowerID to connect to the system.
On the IBM Security Verify Access Settings form, fill in the following information according to your authentication scenario:
EmpowerID creates the account store and the associated resource system. The next step is to verify the resource system parameters.
Step 2 – Verify Resource System Configuration Parameters
On the navbar, expand Admin > Applications and Directories and select Account Stores and Systems.
On the Find Account Store page, select the Account Stores tab and search for the IBM Security Verify Access account store you just created.
Click the Account Store link for the account store.
This directs you to the Account Store and Resource System page for the account store. This page contains several tabs related to the account store that you can access to view and manage the account store and resource system.
Select the Resource System tab and then expand the Configuration Parameters accordion on the page.
Verify the following parameters are correct for your system:
Please note that the values for
ApplicationIDandTenantIDare encrypted and that you will not see the values in the user interface.Name
Value
Description
AppServiceUrl
{Your Base SCIM Url}
URL for the SCIM app service. The base URL should include the version
AuthorizationProviderFullAssemblyName
SCIMConnector, Version=4.0.180.1, Culture=neutral, PublicKeyToken=2d2253f74d4496ef
The Provider assembly that will be used to retrieve EmpowerID token
AuthorizationProviderType
TheDotNetFactory.Framework.ClassLibrary.EmpowerIDAccessTokenProvider
The Provider type that will be used to retrieve EmpowerID token
BaseDn
dc=ibm,dc=com
The base distinguished name of LDAP
ChangeUserPasswordUrl
{Your Base SCIM Url}changepassword
The microservice url to change password of a user
CreateGroupUrl
{Your Base SCIM Url}groups
The microservice url to create a group
CreateHighestTokenAttributeName
createTimestamp
The attribute used by the incremental inventory to get objects create after a certain datetime
CreateOrUpdateGroupJsonTemplate
{ "secHasPolicy": "", "groupNativeId": "", "secAuthority": "Default", "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:Group" ], "members": [], "isSecEntity": "", "secDN": "", "objectClass": [], "description": "", "id": "", "cn": "", "secUUID": "" }
The template used to set the ou attributes when creating/updating a ou
CreateOrUpdateOUJsonTemplate
{ "st": "", "telephoneNumber": "", "physicalDeliveryOfficeName": "", "ou": "", "postalCode": "", "objectClass": ["top", "organizationalUnit"], "description": "", "dn": "", "facsimileTelephoneNumber": "", "l": "", "destinationIndicator": "", "telexNumber": "", "postOfficeBox": "", "registeredAddress": "", "postalAddress": "", "street": "", "businessCategory": "", "id": "" }
The template used to set the user attributes when creating/updating a user
CreateOrUpdateUserJsonTemplate
{ "schemas": [ "urn:ietf:params:scim:schemas:core:2.0:User", "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" ], "businessCategory": "", "carLicense": "", "cn": "", "departmentNumber": "", "description": "", "destinationIndicator": "", "displayName": "", "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": { "EmployeeNumber": "", "manager": { "value": "" }, "SchemaIdentifier": "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User" }, "meta": { "resourceType": "User", "created": "" }, "userType": "", "facsimileTelephoneNumber": "", "phoneNumbers": [ { "type": "home", "value": "" }, { "type": "fax", "value": "" }, { "type": "mobile", "value": "" }, { "type": "telephone", "value": "" }, { "type": "work", "value": "" } ], "name": { "familyName": "", "givenName": "" }, "homePostalAddress": "", "initials": "", "internationaliSDNNumber": "", "city": "", "labeledURI": "", "o": "", "ou": "", "pager": "", "addresses": [ { "streetAddress": "", "postalCode": "", "type": "work" } ], "postOfficeBox": "", "postalAddress": "", "preferredLanguage": "", "registeredAddress": "", "roomNumber": "", "state": "", "street": "", "title": "", "dn": "", "emails": [ { "type": "work", "value": "" } ], "groups": [], "password": "", "secDN": "", "isByPassPasswordPolicy": true }
The template used to set the group attributes when creating/updating a group
CreateOUUrl
{Your Base SCIM Url}ou
The microservice url to create an organisational unit
CreateUserUrl
{Your Base SCIM Url}users
The microservice url to create a user
DateTimeCulture
en-US
DateTime format used by the connector to store in EmpowerID
DeleteBatchSize
1000
Number of active objects returned per call when processing delete
DeleteGroupJsonTemplate
{ "schemas":["urn:ietf:params:scim:schemas:core:2.0:Group"], "deleteNativeGroup":true }
The template used to set the group attributes when deleting a group
DeleteUserJsonTemplate
{ "schemas":["urn:ietf:params:scim:schemas:core:2.0:User"], "userName":"", "deleteNativeUser":true }
The template used to set the group attributes when deleting a user
filter
-,.,/,0,1,2,3,4,5,6,7,8,9,:,;,<,=,>,?,@,A,B,C,D,E,F,G,H,I,J,K,L,M,N,O,P,Q,R,S,T,U,V,W,X,Y,Z,[,\,],^,_,`
filter used by full inventory
FilterParameterForAccount
uid
Ldap attribute name used to retrieve users
FilterParameterForGroup
cn
Ldap attribute name used to retrieve groups
FilterParameterForOU
Ou
Ldap attribute name used to retrieve ous
GetAllActiveObjectsUrl
{Your Base SCIM Url}entity
The microservice url to get all the active objects
GetDeleteorUpdateGroupByIdUrl
{Your Base SCIM Url}groups/{0}
The microservice url to get a group
GetDeleteorUpdateOUByIdUrl
{Your Base SCIM Url}ou/{0}
The microservice url to get an ou
GetDeleteorUpdateUserByIdUrl
{Your Base SCIM Url}users/{0}
The microservice url to get a user
GetNewOrUpdatedGroupsUrl
{Your Base SCIM Url}groups{0}
The microservice url to get groups
GetNewOrUpdatedUsersUrl
{Your Base SCIM Url}users{0}
The microservice url to get ous
GetNewOrUpdatedZonesUrl
{Your Base SCIM Url}ou{0}
The microservice url to get users
ModifyHighestTokenAttributeName
modifyTimestamp
The attribute used by the incremental inventory to get objects create after a certain datetime
NameFormat
{0}/FirstName
setting to derive how the Name attribute will be constructed, for eg "LastName FirstName" or "FirstName_LastName"
OAuthProviderApplicationID
{Your Oauth Application ID} - only when using EmpowerID authentication
OAuthProviderApplicationID used to retrieve ClientID and ClientSecret
PageSize
500
Number of objects returned per call when processing inventory
PasswordManagerPolicy
Default Password Manager Policy
Policy with specifications that the TAM system expects
ResetUserPasswordUrl
{Your Base SCIM Url}resetpassword
The microservice url to reset password of a user
RunFullInventoryAfterXRuns
20
Full inventory runs after X runs to sync data from external system
UrlForAccessToken
{Url} - only when using EmpowerID authentication
url used to retrieve access token
To edit the value of a parameter, click the Edit button for the parameter you want edit.
Enter the new value in the Value field and click Save.
Repeat as needed.
The next step is to configure attribute flow.
Step 3 – Configure Attribute Flow
EmpowerID supports the configuration of attribute synchronization rules for flowing attribute changes between directories and the EmpowerID Identity Warehouse. Attribute Flow rules are visually configured and are always relative to the relationship between an attribute in a directory and the corresponding attribute in the EmpowerID Identity Warehouse. Attribute Flow rules define the specific fields and attributes that are synchronized between the EmpowerID Identity Warehouse person objects and the external user accounts to which they are linked. Additionally, Attribute Flow rules can be weighted by account store. For example, if you have connected EmpowerID to an HR system as well as Active Directory, and you want any changes made to an attribute in the HR system to take priority over changes made in Active Directory or EmpowerID (while allowing changes to be made in any system), you would give a higher score for each CRUD operation originating from the HR account store and correspondingly lower scores for the Active Directory account store. The following flow rules are available: No Sync 🔴 – When this option is selected, no information flows between EmpowerID and the native system. Bidirectional Flow Account Store Changes Only EmpowerID Changes Only The following CRUD operations are available: Create – This operation is used to create an attribute value for an existing attribute when the value of that attribute is null. Update – This operation is used to update the value of an attribute. Delete – This operation is used to delete the value of an attribute. From the Account Stores tab of the Account Stores and Systems page, search for the account store you just created and click the Account Store link for it. Click the Attribute Flow Rules tab to view the current rules for the account store. Please note that the attributes available depend on the account store. To change the flow for an attribute, click the Attribute Flow drop-down located between the Person Attribute column and the External Directory Attribute column, and select the desired flow direction from the context menu. To change the score for any of the available CRUD operations (Create, Update and Delete), enter the new score in the appropriate field. By default, scores are weighted evenly, which means that a change to an attribute originating in one connected external directory has the same authority as a change to an attribute occurring in another connected external directory. EmpowerID only considers scores for attribute CRUD operations when multiple account stores with the same user records are connected to EmpowerID, such as would be the case if an HR System and this account store were being inventoried by EmpowerID.
– When this option is selected, changes made within EmpowerID update the native system and vice-versa. For most attributes, this is the default setting. – When this option is selected, changes can only be made in the native system and are then passed to EmpowerID. – When this option is selected, changes can only be made in EmpowerID and are then passed to the native system.
Now that the attribute flow has been set, you can configure the mapping between the SCIM microservice attribute and the EmpowerID account/group/OU table attribute if needed. Please follow the steps below if this is the case. the next steps include configuring the account store and enabling EmpowerID to inventory it.
Step 4 – Schema Mapping (Optional)
On the navbar, expand Admin > Applications and Directories and select Manage Schema.
Select the Security Boundary Object Attributes tab and search for user as Object Type ID and IBMTAMScim as Security Boundary Type.
Click the Edit button beside the Security Boundary Object Attribute you want to modify.
Change the RBACObject Attribute you want to use in the mapping and save your change.
Repeat for each mapping you want to change.
Step 4 – Configure account store settings
On the Account Store and Resource System page, select the Account Store tab and then click the pencil icon to put the account store in edit mode.
This opens the edit page for the account store. This page allows you to specify the account proxy used to connect EmpowerID to your IBM Security Verify Access system as well as how you want EmpowerID to handle the user information it discovers during inventory. Settings that can be edited are described in the table below the image.
Account Store Settings
Setting
Description
General Settings
IT Environment Type
Allows you to specify the type of environment in which you are creating the account store.
Account Store Type
Allows you to specify the type for the account store.
Option 1 Specify an Account Proxy
Allows you to change the credentials for the account that EmpowerID uses to connect to and manage the account store.
Option 2 Select a Vaulted Credential as Account Proxy
Allows you to use a credential that you have vaulted in EmpowerID as the account that EmpowerID uses to connect to and manage the account store.
Inventoried Directory Server
Allows you to select a connected server as the directory server for the account store.
Is Visible in ITShop
Specifies whether the account store can be used to filter IT Shop resources to show resources, such as groups, contained in the account store.
Authentication and Password Settings
Allow Password Sync
Enables or disables the synchronization of password changes to user accounts in the domain based on password changes for the owning person object or another account owned by the person. This setting does not prevent password changes by users running the reset user account password workflows.
Queue Password Changes
Specifies whether EmpowerID sends password changes to the Account Password Reset Inbox for batch processing.
Password Manager Policy for Accounts without Person
Specifies the Password Manager Policy to be used for user accounts not joined to an EmpowerID Person.
Provisioning Settings
Allow Person Provisioning (Joiner Source)
Specifies whether EmpowerID Persons can be provisioned from user accounts in the account store.
Allow Attribute Flow
Specifies whether attribute changes should flow between the account store and EmpowerID.
Allow Provisioning (By RET)
Allows or disallows the Resource Entitlement (RET) Inbox process to auto-provision accounts for this domain for users who receive RET policy-assigned user accounts, but have not yet had them provisioned.
Allow Deprovisioning (By RET)
Allows or disallows the Resource Entitlement Inbox process to auto de-provision accounts for this domain for users who still have RET policy-assigned user accounts, but no longer receive a policy that grants them a user account in the domain. De-provisioning only occurs if the de-provision action on the Resource Entitlement policy is set to De-Provision.
Business Role Settings
Allow Business Role and Location Re-Evaluation
Specifies whether Business Role and Location re-evaluation should occur for the account store
Business Role and Location Re-Evaluation Order
Specifies the order of the account store for re-evaluating Business Roles and locations
Inventory Auto Provision OUs as IT System Locations
Specifies whether EmpowerID should automatically provision external OUs as IT System locations
Inventory Auto Provision External Roles as Business Roles
Specifies whether EmpowerID should provision Business roles for external account store roles
Default Person Business Role
Specifies the default EmpowerID Business Role to be assigned to each EmpowerID Person provisioned from the user accounts in the account store.
Default Person Location (leave blank to use account container)
Specifies the default EmpowerID Location to be assigned to each EmpowerID Person provisioned from the user accounts in the account store.
Group Settings
Allow Account Creation on Membership Request
Specifies whether EmpowerID creates user accounts in the account store when an EmpowerID Person without one requests membership within a group belonging to the account store.
Recertify External Group Changes as Detected
Specifies whether detected group changes should trigger recertification.
SetGroup of Groups to Monitor for Real-Time Recertification
Specifies the SetGroup to be used for monitoring group membership changes.
Directory Clean Up Enabled
Directory Clean Up Enabled
Specifies whether the SubmitAccountTermination permanent workflow should claim the account store for processing account terminations. When enabled, accounts in the account store that meet the qualifications to be marked for deletion are moved into a special location within the external directory, disabled and finally deleted after going through an automated approval process. This process involves setting a number of system settings in EmpowerID and requires multiple approvals by designated personnel before an account is finally removed from the account store.
Report Only Mode (No Changes)
When enabled, a report of what the Directory Clean Up process would do is written to the log. The process itself is ignored and all accounts are set to Termination Pending,
Special Use Settings
Automatically Join Account to a Person on Inventory (Skip Account Inbox)
Specifies whether EmpowerID should attempt to join user accounts in the account store to an existing EmpowerID Person during the inventory process. When enabled, the Account Inbox is bypassed.
Automatically Create a Person on Inventory (Skip Account Inbox)
Specifies whether EmpowerID should create new EmpowerID Persons from the user accounts discovered in the account store during the inventory process. When enabled, the Account Inbox is bypassed.
Queue Password Changes on Failure
Specifies whether EmpowerID should send password changes to the Account Password Reset Inbox only when the change fails.
Inventory Settings
Inventory Enabled
Allows EmpowerID to inventory the user information in the account store.
Inventory Schedule Interval
Specifies the time span that occurs before EmpowerID performs a complete inventory of the account store. The default value is 10 minutes.
Membership Settings
Enable Group Membership Reconciliation
Allows EmpowerID to manage the membership of the account store’s groups, adding and removing user to and from groups based on policy-based assignment rules.
Membership Schedule Interval
Specifies the time span that occurs before EmpowerID runs the Group Membership Reconciliation job. The default value is 10 minutes.
Edit the account store as needed and then click Save to save your changes.
IN THIS ARTICLE