IBM Security Verify Access Connector

The EmpowerID IBM Security Verify Access connector allows organizations to bring user data (user accounts, groups, group memberships, and organizational units) from their IBM Security Verify Access system into EmpowerID, where it can be managed and synchronized with data in any connected back-end user directories.

Connector Architecture Overview

The connector is a bi-directional connector that uses the SCIM 2.0 protocol to communicate with a microservice known as the “TAM SCIM Microservice” for inventory and write-back of IBM Security Verify Access users, groups, group memberships, and organizational units. The connector authenticates to the microservice using one of the following options:

  • Azure Authentication – This option should be used when the SCIM Microservice is deployed to Azure.

  • EmpowerID Authentication

Communications model

The microservice first queries LDAP for the entries matching the filter supplied by the connector. Querying LDAP directly is what makes incremental inventory and custom LDAP filters possible. Once the LDAP entries are returned to the microservice, it uses the Registry Direct API to get the entries common to LDAP and the IBM system.

Inventory and CRUD operations for Users, Groups, Group Memberships, and Organizational Units


Inventory

The connector supports both full and incremental inventory. When inventory is first enabled, the connector completes a full inventory of IBM Security Verify Access to sync all accounts, groups, group memberships, and OUs. On subsequent runs, inventory brings in modified objects only.

Account Inventory

  • IBM Security Verify Access accounts are inventoried as EmpowerID accounts. All user accounts are added to the Account table in the EmpowerID Identity Warehouse.

  • The connector supports both full and incremental inventory for accounts.

  • Each time full inventory runs, the connector syncs all accounts in the external system to EmpowerID.

  • Full inventory uses an LDAP filter on the uid attribute to get all the accounts from IBM Security Verify Access. This attribute is configurable and can be changed through the 'FilterParameterForAccount' setting on the Configuration Parameters tab of the Resource System page.

  • Incremental inventory uses an LDAP filter on the createTimestamp and modifyTimestamp attributes to bring in only the accounts created or modified after the last run.

  • Any updates made to the user on the external system are synced to the corresponding EmpowerID account.

  • If a user is disabled on the external system, EmpowerID marks the account as deleted and sets the deleted date on the account. The account is only marked as deleted when the CheckForDeletedObjectsEnabled setting is turned on.

  • The ‘principalname’ attribute of the external system is used as the primary key and is synced to the SystemIdentifier column in the Account table.

  • The connector runs a full inventory of accounts after a configurable number of incremental runs. This keeps the connector in sync with the external system even if something was missed during an incremental inventory. The setting is named ‘RunFullInventoryAfterXRuns’ and can be found on the Configuration Parameters tab of the Resource System page. The default value is 20, meaning that after 20 incremental inventory runs the connector triggers a full inventory.
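The following is an added example, not the connector's or microservice's own code, showing how the full-versus-incremental decision and the two account filters described above fit together. The exact filter strings the TAM SCIM Microservice builds are not documented on this page, so the presence filter on the FilterParameterForAccount attribute, the `>=` comparison on createTimestamp/modifyTimestamp, and the function names are assumptions; the attribute-name check is a defensive addition, since the filter attribute is an admin-supplied setting.

```python
import re
from datetime import datetime, timezone

# Page default for the RunFullInventoryAfterXRuns setting.
RUN_FULL_INVENTORY_AFTER_X_RUNS = 20

# An LDAP attribute description is a bare name (letters, digits, hyphens); anything
# else is rejected so the configured setting can never change the filter's structure.
_ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def should_run_full(incremental_runs_since_full, first_run=False,
                    every=RUN_FULL_INVENTORY_AFTER_X_RUNS):
    """Full inventory on the first run, and again after `every` incremental runs."""
    return first_run or incremental_runs_since_full >= every


def ldap_time(dt):
    """LDAP GeneralizedTime (UTC), the syntax of createTimestamp/modifyTimestamp."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def build_account_filter(last_run, incremental_runs_since_full,
                         first_run=False, filter_attr="uid"):
    """Return (is_full, ldap_filter) for the next account inventory run.

    filter_attr plays the role of the FilterParameterForAccount setting (assumed
    shape: a presence filter on that attribute, default uid).
    """
    if not _ATTR_NAME.match(filter_attr):
        raise ValueError(f"invalid filter attribute: {filter_attr!r}")
    presence = f"({filter_attr}=*)"
    if should_run_full(incremental_runs_since_full, first_run):
        return True, presence
    # Incremental: same presence filter, narrowed to entries created or
    # modified since the last run (assumed comparison; see lead-in).
    since = ldap_time(last_run)
    return False, (f"(&{presence}(|(createTimestamp>={since})"
                   f"(modifyTimestamp>={since})))")


if __name__ == "__main__":
    last = datetime(2024, 5, 1, 8, 30, 0, tzinfo=timezone.utc)   # constructed value
    print(build_account_filter(last, 0, first_run=True))
    print(build_account_filter(last, 3))
    print(build_account_filter(last, 20))
```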

Inventoried User Account Attributes

The table below lists the LDAP/TAM attributes that are inventoried out of the box by the connector. Attributes in LDAP/TAM map to SCIM attributes, which then map to EmpowerID Person attributes.

LDAP/TAM Attributes        | SCIM Attributes                                                                     | EmpowerID Attributes
---------------------------|-------------------------------------------------------------------------------------|-------------------------
carLicense                 | carLicense                                                                          | carLicense
departmentNumber           | departmentNumber                                                                    | departmentNumber
description                | description                                                                         | description
displayName                | displayName                                                                         | Displayname
employeeNumber             | ['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].['EmployeeNumber']   | EmployeeId
employeeType               | userType                                                                            | Usertype
facsimileTelephoneNumber   | phoneNumbers [ Type : “fax”, value]                                                 | Fax
givenName                  | name.givenName                                                                      | First Name
homePhone                  | phoneNumbers [ Type : “home”, value]                                                | HomePhone
initials                   | initials                                                                            | initials
l                          | city                                                                                | City
mail                       | emails[?(@.type=='work')].value                                                     | Email
manager                    | ['urn:ietf:params:scim:schemas:extension:enterprise:2.0:User'].['manager'].['value'] | MANAGER DISTINGUISHED NAME
mobile                     | phoneNumbers [ Type : “mobile”, value]                                              | MobileNumber
pager                      | pager                                                                               | Pager
physicalDeliveryOfficeName | addresses[?(@.type=='other')].formatted [street address]                            | Street address
postalCode                 | addresses[?(@.type=='work')].postalCode                                             | PostalCode
preferredLanguage          | preferredLanguage                                                                   | preferredLanguage
roomNumber                 | roomNumber                                                                          | Room number
st                         | state                                                                               | State
street                     | street                                                                              | street address2
streetAddress              | addresses[?(@.type=='work')].streetAddress                                          | Street address
telephoneNumber            | phoneNumbers [ Type : “telephone”, value]                                           | telephoneNumber
title                      | title                                                                               | JobTitle
sn                         | name.familyName                                                                     | Lastname
principalName              | userName                                                                            | LogonName
ObjectClass                | ObjectClass                                                                         | ObjectClass
principalName              | Id                                                                                  | SystemIdentifier
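As an added example (not code from the connector or the TAM SCIM Microservice), the mapping below turns a dictionary of LDAP/TAM attributes into the SCIM 2.0 User shape the table describes, and `typed_value` resolves the multi-valued paths the table writes as `phoneNumbers[?(@.type=='telephone')].value`. It follows the table's key names (including the `EmployeeNumber` casing under the enterprise extension); the function names and the constructed sample entry are assumptions.

```python
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# One-to-one pairs from the table (LDAP/TAM name -> SCIM name).
SIMPLE = {"carLicense": "carLicense", "departmentNumber": "departmentNumber",
          "description": "description", "displayName": "displayName",
          "employeeType": "userType", "initials": "initials", "l": "city",
          "pager": "pager", "preferredLanguage": "preferredLanguage",
          "roomNumber": "roomNumber", "st": "state", "street": "street",
          "title": "title"}
# Multi-valued phoneNumbers, keyed by the SCIM "type" the table assigns.
PHONES = {"facsimileTelephoneNumber": "fax", "homePhone": "home",
          "mobile": "mobile", "telephoneNumber": "telephone"}


def ldap_to_scim_user(entry):
    """Map an LDAP entry (attribute -> list of values) to a SCIM 2.0 User dict."""
    def first(attr):                      # LDAP attributes are multi-valued lists
        return (entry.get(attr) or [None])[0]

    user = {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User", ENTERPRISE],
        "id": first("principalName"),               # -> SystemIdentifier
        "userName": first("principalName"),         # -> LogonName
        "name": {"givenName": first("givenName"), "familyName": first("sn")},
        "emails": [{"type": "work", "value": first("mail")}],
        "phoneNumbers": [{"type": t, "value": first(a)}
                         for a, t in PHONES.items() if a in entry],
        "addresses": [{"type": "work", "streetAddress": first("streetAddress"),
                       "postalCode": first("postalCode")},
                      {"type": "other",
                       "formatted": first("physicalDeliveryOfficeName")}],
        ENTERPRISE: {"EmployeeNumber": first("employeeNumber"),
                     "manager": {"value": first("manager")}},
    }
    user.update({scim: first(ldap) for ldap, scim in SIMPLE.items() if ldap in entry})
    return user


def typed_value(user, attr, typ, field="value"):
    """Resolve <attr>[?(@.type=='<typ>')].<field>; None when no such sub-attribute."""
    return next((m.get(field) for m in user.get(attr, []) if m.get("type") == typ), None)


if __name__ == "__main__":
    sample = {"principalName": ["jdoe"], "givenName": ["Jane"], "sn": ["Doe"],
              "mail": ["jane@example.test"], "telephoneNumber": ["+1 555 0100"]}
    u = ldap_to_scim_user(sample)                    # constructed sample entry
    print(u["userName"], typed_value(u, "phoneNumbers", "telephone"))
```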

Group Inventory

  • The IBM Security Verify Access groups are inventoried in the EmpowerID Group table by the inventory job.

  • The connector supports both full and incremental inventory for Groups.

  • Every time the full inventory runs, the connector syncs all the groups and group membership from the external system to EmpowerID.

  • Full inventory uses an LDAP filter on the ‘cn’ attribute to get all the groups and group memberships from IBM Security Verify Access. This attribute is configurable and can be changed through the ‘FilterParameterForGroup’ setting on the Configuration Parameters tab of the Resource System page.

  • Incremental inventory uses an LDAP filter on the ‘createTimestamp’ and ‘modifyTimestamp’ attributes to bring in only the groups created or modified after the last run, together with the memberships of those groups.

  • Any updates made to a group on the external system are synced to the corresponding EmpowerID group.

  • If a group is disabled on the external system, EmpowerID will mark the group as deleted and set the deleted date on the group. This group will only be marked as deleted if the CheckForDeletedObjectsEnabled setting is turned on.

  • The ‘principalname’ attribute of the external system is used as the primary key and is synced to the SystemIdentifier column in the Group table.

  • The members attribute of each group is inventoried into the EmpowerID GroupAccount table. Group membership is always a full inventory, i.e., all the members of a group are synced whenever that group is inventoried. To view the membership in the UI, navigate to Identity Administration -> Group, click the IBM group, then scroll down and open the Group Members tab.

Inventoried Group Attributes

The table below lists the group attributes that are inventoried out of the box by the connector. Attributes in LDAP/TAM map to SCIM attributes, which then map to EmpowerID group attributes.

LDAP/TAM Group Attributes | SCIM Attributes | EmpowerID Group Attributes
--------------------------|-----------------|---------------------------
groupNativeId             | groupNativeId   | DistinguishedName
groupId                   | Id              | SystemIdentifier
cn                        | cn              | FriendlyName
description               | description     | Description
ObjectClass               | ObjectClass     | ObjectClass
members                   | members         | Group Account Table

Organizational Unit Inventory

  • The IBM Security Verify Access OUs are inventoried into the EmpowerID ExternalOrgZone table by the inventory job.

  • The connector supports both full and incremental inventory for Organizational units.

  • Every time the full inventory runs, the connector syncs all the organizational units from the external system to EmpowerID. Internally, the connector creates corresponding EmpowerID org zones if the ‘InventoryAutoProvisionOrgZones’ setting on the resource system is turned on.

  • Full inventory uses an LDAP filter on the ‘cn’ attribute to get all the organizational units from IBM Security Verify Access. This attribute is configurable and can be changed through the ‘FilterParameterForOU’ setting on the Configuration Parameters tab of the Resource System page.

  • Incremental inventory uses an LDAP filter on the ‘createTimestamp’ and ‘modifyTimestamp’ attributes to bring in only the organizational units created or modified after the last run.

  • Any updates made to an OU on the external system are synced to the corresponding EmpowerID external org zone.

  • If an ou is disabled on the external system, EmpowerID will mark the external Org Zone as deleted and set the deleted date on the group. This ou will only be marked as deleted if the CheckForDeletedObjectsEnabled setting is turned on.

  • The full OU path in the external system is used as the primary key and is synced to the SystemIdentifier column in the ExternalOrgZone table.

Inventoried OU Attributes

The table below lists the OU attributes that are inventoried out of the box by the connector. Attributes in LDAP/TAM map to SCIM attributes, which then map to EmpowerID OU attributes.

LDAP/TAM Attributes      | SCIM Attributes                              | EmpowerID Attributes
-------------------------|----------------------------------------------|---------------------
OU Path                  | Id                                           | SystemIdentifier
ObjectClass              | ObjectClass                                  | ObjectClass
description              | description                                  | Description
l                        | city                                         | City
st                       | state                                        | StateProvince
postalCode               | addresses[?(@.type=='work')].postalCode      | PostalCode
postOfficeBox            | postOfficeBox                                | ExtensionAttribute2
facsimileTelephoneNumber | phoneNumbers [ Type : “fax”, value]          | ExtensionAttribute6
postalAddress            | postalAddress                                | ExtensionAttribute4
postalCode               | addresses[?(@.type=='work')].postalCode      | PostalCode
registeredAddress        | registeredAddress                            | ExtensionAttribute3
street                   | street                                       | AddressLine1
streetAddress            | addresses[?(@.type=='work')].streetAddress   | ExtensionAttribute1
telephoneNumber          | phoneNumbers[?(@.type=='telephone')].value   | PhoneNumber
telexNumber              | telexNumber                                  | ExtensionAttribute5
ou                       | ou                                           | Name
OU Path                  | dn                                           | Path

Next Steps

Connect to IBM Security Verify Access