Before connecting EmpowerID to an external directory, please review the Getting Started with Directory Systems topic. The topic walks you through the prerequisites you need to complete before connecting to an external directory for the first time. These prerequisites include: Configuring the appropriate server roles for your EmpowerID servers Reviewing the Join and Provision Rules for your environment Reviewing the Join and Provision Filters for your environment If you have already connected EmpowerID to another external directory, you can skip the above prerequisites. EmpowerID provides connectors for a wide range of user directories and resource systems. As an administrator, you can use these connectors to quickly connect EmpowerID to your organization's identity-aware systems and applications. When you do so, you create an account store for that application in the EmpowerID Identity Warehouse and use that account store to configure how you want EmpowerID to manage the identity information in that system.
Before connecting EmpowerID to an external directory, please review the Getting Started with Directory Systems topic. The topic walks you through the prerequisites you need to complete before connecting to an external directory for the first time. These prerequisites include:
configuring the appropriate server roles for your EmpowerID servers
Reviewing the Join and Provision Rules for your environment
Reviewin the Join and Provision Filters for your environment
Additionally, to connect EmpowerID to Azure AD, the following prerequisites need to be met:
Your organization must have an Azure subscription with Azure Active Directory.
You need to register an application for EmpowerID in Azure Active Directory in the Registering an application for EmpowerID in Azure AD topic.
You need to create an App Service in EmpowerID by following the instructions outlined in the Creating an App Service in Azure topic.
You need to publish the EmpowerID SCIM Microservice to your Azure tenant by following the instructions outlined in the Publishing the EmpowerID SCIM Microservice to Azure topic.
You need to give the connection account EmpowerID uses to manage your Azure tenant permissions outlined in the Post-publishing Steps topic.
EmpowerID “Proxy” or Connection Account Requirements
EmpowerID uses highly privileged user accounts when connecting to user directories such as Azure Active Directory, LDAP or database systems. These user "account stores" use saved proxy accounts for connecting to these systems and performing user account management operations. EmpowerID requires one privileged account per tenant, domain or directory. This account requires all of the privileges matching the functions that EmpowerID may perform (user creation, deletion, password reset, group creation, etc). For Azure permission details, see Post-publishing Steps.
To create an Azure AD SCIM account store in EmpowerID
On the navbar, expand Admin > Applications and Directories and then click Account Stores and Systems.
On the Account Stores page, click Create Account Store.
Under System Types, search for Azure AD SCIM.
Click Azure AD SCIM to select the type and then click Submit.
On the Azure AD SCIM settings page that appears, fill in the following information:
Account Store Name — Enter a name for the Azure AD SCIM account store.
App Service Url — Enter the URL for the Azure App Service. This is the base URL on the App service on the portal. EmpowerID uses this URL to make all calls to the EmpowerID SCIM microservice.
Name Format — This field is not required for Azure AD systems.
Friendly Name Format — This field is not required for Azure AD systems.
Group Logon Name Format — This field is not required for Azure AD systems.
ExternalSysSupportGetDeleted — Select this option to inventory deleted objects from the external system. This flag is used during inventory to get all deleted accounts and groups. If set to false (not selected), no deleted objects will be inventoried.
ExternalSystemSupportIncrementalMember — Select this option to allow EmpowerID to inventory incremental membership of groups.
Application ID — Enter the Application ID for the EmpowerID application you registered for EmpowerID in Azure AD.
Tenant ID — Enter the ID of your Tenant. EmpowerID uses this to get the context for the submitting the access token that is used to inventory the resources in Azure and perform authorized CRUD operations against those resources.
Auth Certificate Thumbprint — Enter the thumbprint of the certificate you uploaded for the application you registered for EmpowerID in Azure AD and added to the EmpowerID Identity Warehouse. The thumbprint ensures that whenever EmpowerID SCIM microservice calls are made for the account store, the handshake with Azure completes and an access token is granted.
When ready, click Submit to create the account store.
EmpowerID creates the account store and the associated resource system. The next step is to configure attribute flow between the account store and EmpowerID.
Now that the account store has been created, the next steps include configuring the account store and enabling EmpowerID to inventory it.
To configure account store settings
From the Account Stores tab of the Account Stores and Systems page, search for the account store you just created and click the Account Store link for it.
On the Account Store and Resource System page, click the Account Store tab and then click the pencil icon to put the account store in edit mode.
This opens the edit page for the account store. This page allows you to specify the account proxy used to connect EmpowerID to your Azure AD as well as how you want EmpowerID to handle the user information it discovers during inventory. Settings that can be edited are described in the table below the image.
Account Store Settings
Setting
Description
General Settings
Option 1 Specify an Account Proxy
Allows you to change the credentials for the account that EmpowerID uses to connect to and manage the account store.
Option 2 Select a Vaulted Credential as Account Proxy
Allows you to use a credential that you have vaulted in EmpowerID as the account that EmpowerID uses to connect to and manage the account store.
Inventoried Directory Server
Allows you to select a connected server as the directory server for the account store.
Authentication and Password Settings
Allow Password Sync
Enables or disables the synchronization of password changes to user accounts in the domain based on password changes for the owning person object or another account owned by the person. This setting does not prevent password changes by users running the reset user account password workflows.
Queue Password Changes
Specifies whether EmpowerID sends password changes to the Account Password Reset Inbox for batch processing.
Password Manager Policy for Accounts without Person
Specifies the Password Manager Policy to be used for user accounts not joined to an EmpowerID Person.
Provisioning Settings
Allow Person Provisioning (Joiner Source)
Specifies whether EmpowerID Persons can be provisioned from user accounts in the account store.
Allow Attribute Flow
Specifies whether attribute changes should flow between EmpowerID and the account store.
Allow Provisioning (By RET)
Allows or disallows the Resource Entitlement (RET) Inbox process to auto-provision accounts for this domain for users who receive RET policy-assigned user accounts, but have not yet had them provisioned.
Allow Deprovisioning (By RET)
Allows or disallows the Resource Entitlement Inbox process to auto de-provision accounts for this domain for users who still have RET policy-assigned user accounts, but no longer receive a policy that grants them a user account in the domain. De-provisioning only occurs if the de-provision action on the Resource Entitlement policy is set to De-Provision.
Max Accounts per Person
This specifies the maximum number of user accounts from this domain that an EmpowerID Person can have linked to them. This prevents the possibility of a runaway error caused by a wrongly configured Join rule. It is recommended that this value be set to 1 unless users will have more than 1 account and you wish them to be joined to the same person.
Allow Account Creation on Membership Request
Specifies whether EmpowerID creates user accounts in the account store when an EmpowerID Person without one requests membership within a group belonging to the account store.
Default Person Business Role
Specifies the default EmpowerID Business Role to be assigned to each EmpowerID Person provisioned from the user accounts in the account store.
Default Person Location (leave blank to use account container)
Specifies the default EmpowerID Location to be assigned to each EmpowerID Person provisioned from the user accounts in the account store.
Directory Clean Up Enabled
Directory Clean Up Enabled
Specifies whether the SubmitAccountTermination permanent workflow should claim the account store for processing account terminations. When enabled, accounts in the account store that meet the qualifications to be marked for deletion are moved into a special OU within the external directory, disabled and finally deleted after going through an automated approval process. This process involves setting a number of system settings in EmpowerID and requires multiple approvals by designated personnel before an account is finally removed from the account store.
Report Only Mode (No Changes)
When enabled, a report of what the Directory Clean Up process would do is written to the log. The process itself is ignored and all accounts are set to Termination Pending,
Special Use Settings
RBAC Assign Group Members On First Inventory
Converts each user account in an group to a Access Level assignment for the EmpowerID Person who owns the user account. Enabling this function is not recommended in most cases as it removes the ability to manage groups in the account store. A consequence of this is that if a user account is removed from a native system, EmpowerID puts the account back in the group.
Automatically Join Account to a Person on Inventory (Skip Account Inbox)
Specifies whether EmpowerID should attempt to join user accounts in the account store to an existing EmpowerID Person during the inventory process. When enabled, the Account Inbox is bypassed.
Automatically Create a Person on Inventory (Skip Account Inbox)
Specifies whether EmpowerID should create new EmpowerID Persons from the user accounts discovered in the account store during the inventory process. When enabled, the Account Inbox is bypassed.
Show in Location Tree
Specifies whether the account store shows in the Location Tree within the EmpowerID UI.
Queue Password Changes on Failure
Specifies whether EmpowerID should send password changes to the Account Password Reset Inbox only when the change fails.
Use Secure LDAPS Binding
Specifies whether to use secure LDAPS binding (for LDAP directories).
Inventory Settings
Inventory Schedule Interval
Specifies the time span that occurs before EmpowerID performs a complete inventory of the account store. The default value is 10 minutes.
Inventory Enabled
Allows EmpowerID to inventory the user information in the account store.
Membership Settings
Membership Schedule Interval
Specifies the time span that occurs before EmpowerID runs the Group Membership Reconciliation job. The default value is 10 minutes.
Enable Group Membership Reconciliation
Allows EmpowerID to manage the membership of the account store’s groups, adding and removing user to and from groups based on policy-based assignment rules.
Now that everything is configured, you can enable the Account Inbox Permanent Workflow and monitor inventory. Be sure inventory is enabled on the account store settings page.
|
|
Monitor inventory
On the navbar, expand System Logs > Policy Inbox Logs and click Account Inbox.
The Account Inbox page appears. This page provides tabbed views of all information related to processing new user accounts discovered in a connected account store during inventory. An explanation of these tabs follows.
Dashboard — This tab provides a quick summary of account inbox activity.
Not Processed — This tab displays a grid view of all inventoried user accounts not yet used to provision a new EmpowerID Person or joined to an existing Person. Any accounts that fail to meet the Join and Provision rules are displayed here as well.
Failed — This tab displays a grid view of any account joining or provisioning failures.
Ignored — This tab displays a grid view of all accounts ignored by the account inbox. Accounts are ignored if they do not qualify as user accounts.
Joined — This tab displays a grid view of all accounts joined to an EmpowerID Person. Joins occur based on the Join rules applied to the account store.
Processed — This tab displays a grid view of all accounts that have been used to either provision a new EmpowerID Person or joined to an existing EmpowerID Person.
Provisioned — This tab displays a grid view of all accounts that have been used to provision an EmpowerID Person. Provisioning occurs based on the Provision rules applied to the account store.
Orphans — This tab displays a grid view of all user accounts without an EmpowerID Person.
All — This tab displays a grid view of all user accounts and the status of those accounts in relation to the Account Inbox.
IN THIS ARTICLE