Connecting to External Systems

EmpowerID provides connectors for a wide range of user directories and resource systems. As an administrator, you can use these connectors to quickly connect EmpowerID to your organization's identity-aware systems and applications. When you do so, you create an account store for that application in the EmpowerID Identity Warehouse and use that account store to configure how you want EmpowerID to manage the identity information in that system.

The image and discussion below give a high-level view of the process and integration steps involved in connecting to external systems.

 

EmpowerID Process and Integration Solution Architecture

 

The steps below explain each stage of the process and integration capabilities.

  1. EmpowerID receives each person's authoritative identity and role assignments as attribute and role data from the source systems. This data triggers role changes, status changes, terminations, and policy changes.  Exception requests are recorded and processed based on access and approval policies that enforce governance rules.  Compliance rules and policies provide for risk mitigation and recertification processing.  Role-Based, Policy-Based, and Attribute-Based Access Control (RBAC, PBAC, ABAC) processes determine the target system group and role memberships that need to be provisioned or de-provisioned based on role assignments, whether they come from birthright, exception requests, or compliance processing.

  2. Provisioning policies within the EmpowerID system determine the target systems and scope of the identities to be provisioned or de-provisioned in target systems.  Membership reconciliation, projection, and enforcement jobs process group membership changes to target systems.  Dynamic Hierarchy policies create and populate dynamic groups and memberships based on policy definitions.

  3. Changes processed by the outbound processes are written to the target systems via the connector framework using the methods defined in the connector libraries.  Failed writes are retried on the next update cycle to ensure data remains up to date.

  4. Inventory jobs read current state data from the target systems and reconcile it with the data in the identity warehouse to maintain synchronization with the external system. 
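
The cycle in steps 2 to 4, sketched as an added toy model (not EmpowerID code or its connector API): every class, function and sample value below is hypothetical and constructed for illustration. It shows a failed write being picked up again on the next cycle, and a membership added directly on the target being detected by inventory and removed by enforcement.

```python
class Target:
    """Constructed stand-in for a target system reached through a connector."""
    def __init__(self, members, fail_writes=0):
        self.members = set(members)      # (group, user) pairs
        self.fail_writes = fail_writes   # number of writes to reject (simulated outage)

    def read(self):
        return set(self.members)

    def write(self, op, member):
        if self.fail_writes > 0:
            self.fail_writes -= 1
            raise ConnectionError("target unavailable")
        (self.members.add if op == "add" else self.members.discard)(member)

def plan(desired, actual):
    """Diff policy-derived memberships against the inventoried state."""
    return sorted([("add", m) for m in desired - actual] +
                  [("remove", m) for m in actual - desired])

def run_cycle(desired, warehouse, target):
    """One update cycle: inventory, detect drift, write changes, report failures."""
    actual = target.read()                    # inventory the current state
    drift = sorted(actual ^ warehouse)        # changes made outside this process
    warehouse.clear()
    warehouse.update(actual)
    applied, failed = [], []
    for op, member in plan(desired, actual):
        try:
            target.write(op, member)
        except ConnectionError:
            failed.append((op, member))       # still in the diff on the next cycle
            continue
        (warehouse.add if op == "add" else warehouse.discard)(member)
        applied.append((op, member))
    return drift, applied, failed

def demo():
    desired = {("vpn-users", "alice"), ("vpn-users", "bob")}    # constructed policy result
    target = Target({("vpn-users", "alice")}, fail_writes=1)
    warehouse = target.read()
    first = run_cycle(desired, warehouse, target)     # write for bob fails
    target.members.add(("vpn-users", "carol"))        # change made directly on the target
    second = run_cycle(desired, warehouse, target)    # retry succeeds, carol is removed
    return first, second, target.read() == desired

if __name__ == "__main__":
    for result in demo():
        print(result)
```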

There are various prerequisites you need to complete before connecting to an external directory for the first time.

1. Prerequisites for SaaS Customers Connecting to On-Premise Systems

If you are an EmpowerID SaaS customer and you plan to connect EmpowerID to on-premise systems, you must install the EmpowerID Cloud Gateway Client for SaaS on at least one on-premise server.

2. Prerequisites for connecting EmpowerID to an external directory

Setting the server role for each of your EmpowerID servers — Server roles determine what EmpowerID jobs (back-end processes) and Web services are enabled on a particular server.

Reviewing the Join and Provision Rules – When you connect EmpowerID to an external directory or other identity-aware application and turn on inventory, EmpowerID evaluates the accounts in those external systems to determine whether EmpowerID People should be provisioned from those accounts.

Key Takeaways:

  1. EmpowerID ships with a large number of connectors for connecting to external systems.

  2. These connectors can be used to connect EmpowerID to your organization's identity-aware systems and applications.

  3. When we connect EmpowerID to an external system using connectors, an account store is created for that application in the EmpowerID Identity Warehouse.

 

Related Docs Topics:

https://dotnetworkflow.jira.com/wiki/spaces/EAGV21/pages/1446545410