You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.
Skip to end of banner
Go to start of banner

Connect to SCIM Applications

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

EmpowerID provides connectors for a wide range of user directories and resource systems. As an administrator, you can use these connectors to quickly connect EmpowerID to your organization's identity-aware systems and applications. When you do so, you create an account store for that application in the EmpowerID Identity Warehouse and use that account store to configure how you want EmpowerID to manage the identity information in that system.

Prerequisites

Before connecting EmpowerID to an external directory, please review the Getting Started with Directory Systems topic. The topic walks you through the prerequisites you need to complete before connecting to an external directory for the first time. These prerequisites include:

  • Configuring the appropriate server roles for your EmpowerID servers

  • Reviewing the Join and Provision Rules for your environment

  • Reviewing the Join and Provision Filters for your environment

If you have already connected EmpowerID to another external directory, you can skip the above prerequisites.

Step 1 – Create an account store in EmpowerID

  1. From the navbar of the EmpowerID Web interface, expand Admin > Applications and Directories and select Account Stores and Systems.

  2. Select the Actions tab and then click Create Account Store.


    This opens the System Types look up.

  3. Search for SCIM Connector.

  4. Click the SCIM Connector record to select it, and then click Submit.

     
    This opens the SCIM connector form.

  5. Enter the following information in the SCIM connector form:

    • Name – Name of the connector

    • Base URL – URL for the site hosting the SCIM microservice. For example, enter the URL for the app service if the microservice is hosted in an Azure app service.

    • Client Secret – If using OAuth authentication, enter the Client Secret for the app.

    • Client ID – If using OAuth authentication, enter the Client ID for the app.

    • Certificate – If using certificate-based authentication, enter the thumbprint of the certificate.

  6. When ready, click Submit.

Step 2 – Verify resource system parameters

  1. Navigate to the Find Account Store page (Admin > Applications and Directories > Account Stores and Systems) and search for the SCIM account store you just created.

  2. Click the Account Store link to navigate to the details page for the account store.

  3. Click the Resource System tab and then expand the Configuration Parameters accordion.

    The accordion contains the following parameters, some of which may not pertain to your specific implementation.

    Name

    Value

    Description

    AccessTokenUrl

    {Your Base SCIM Url}/oauth/v2/token

    Endpoint for retrieving an access token for the application after authorization

    AuthorizationUrl

    {Your Base SCIM Url}/oauth/v2/authorize

    Authorization endpoint for accessing the application

    certificateThumprint

    Thumbprint of the authentication certificate, if used

    Certificate thumbprint

    ClientKey

    OAuth Client Key

    Client key of the microservice when using OAuth

    ClientSecret

    OAuth Client Secret (value is encrypted and not visible in the UI)

    Client Secret of the microservice when using OAuth

    CreateUserUrl

    {Your Base SCIM Url}/users

    Endpoint of the microservice to create users

    EnableGroupInventory

    True if inventorying group data from the SCIM application; otherwise, false

    Specifies whether to inventory groups

    EnableOrgZonesInventory

    True if inventorying location data from the SCIM application; otherwise, false

    Specifies whether to inventory locations

    GetDeleteorUpdateGroupByIdURL

    {Your Base SCIM Url}/groups/{0}

    Endpoint of the microservice for executing group operations

    GetDeleteorUpdateUserByIdURL

    {Your Base SCIM Url}/users/{0}

    Endpoint of the microservice for executing user operations

    GetGroupMemberURL

    {Your Base SCIM Url}/groups/members

    Endpoint of the microservice for retrieving group membership

    IsIncrementalInventory

    True if running incremental inventory after the initial full inventory; false if always running full inventory

    Specifies whether to run incremental inventory of the SCIM application after the initial full inventory. When running incremental inventory, the system compares the delta from the last inventory and brings those changes in.

    QueryGroupsUrl

    {Your Base SCIM Url}/groups

    Endpoint of the microservice for querying groups

    QueryUsersUrl

    {Your Base SCIM Url}/url

    Endpoint of the microservice for querying users

    QueryZonesUrl

    {Your Base SCIM Url}/locations

    Endpoint of the microservice for querying locations

    ServiceURl

    Your Base SCIM URL

    Endpoint for accessing the microservice

  4. Edit the parameters as needed. To do so, click the Edit button for the parameter to be updated, as shown below.

     

  5. Enter the appropriate value for the parameter in the Value field and click Save

  6. Repeat for each parameter that needs to be updated.

Step 2 – Configure attribute flow

EmpowerID supports the configuration of attribute synchronization rules for flowing attribute changes between directories and the EmpowerID Identity Warehouse. Attribute Flow rules are visually configured and are always relative to the relationship between an attribute in a directory and the corresponding attribute in the EmpowerID Identity Warehouse. Attribute Flow rules define the specific fields and attributes that are synchronized between the EmpowerID Identity Warehouse person objects and the external user accounts to which they are linked. Additionally, Attribute Flow rules can be weighted by account store. For example, if you have connected EmpowerID to an HR system as well as Active Directory, and you want any changes made to an attribute in the HR system to take priority over changes made in Active Directory or EmpowerID (while allowing changes to be made in any system), you would give a higher score for each CRUD operation originating from the HR account store and correspondingly lower scores for the Active Directory account store.

The following flow rules are available:

  • No Sync 🔴 – When this option is selected, no information flows between EmpowerID and the native system.

  • Bidirectional Flow (blue star) – When this option is selected, changes made within EmpowerID update the native system and vice-versa. For most attributes, this is the default setting.

  • Account Store Changes Only (blue star) – When this option is selected, changes can only be made in the native system and are then passed to EmpowerID.

  • EmpowerID Changes Only (blue star) – When this option is selected, changes can only be made in EmpowerID and are then passed to the native system.

The following CRUD operations are available:

  • Create – This operation is used to create an attribute value for an existing attribute when the value of that attribute is null.

  • Update – This operation is used to update the value of an attribute.

  • Delete – This operation is used to delete the value of an attribute.

  1. On the Account Store Details page for the SCIM app account store, select the Attribute Flow Rules tab.

  2. To change the flow for an attribute, click the Attribute Flow drop-down located between the Person Attribute column and the External Directory Attribute column, and select the desired flow direction from the context menu.

  3. To change the score for any of the available CRUD operations (Create, Update and Delete), enter the new score in the appropriate field. By default, scores are weighted evenly, which means that a change to an attribute originating in one connected external directory has the same authority as a change to an attribute occurring in another connected external directory.

EmpowerID only considers scores for attribute CRUD operations when multiple account stores with the same user records are connected to EmpowerID, such as would be the case if an HR System and this account store were being inventoried by EmpowerID.

Now that the attribute flow has been set, the next steps include configuring the account store and enabling EmpowerID to inventory it.

Step 3 – Configure account store settings

  1. On the Account Store and Resource System page, click the Account Store tab and then click the pencil icon to put the account store in edit mode.


    This opens the edit page for the account store. This page allows you to specify how you want EmpowerID to handle the user information it discovers during inventory. Settings that can be edited are described in the below table.

    Account Store Settings

    Setting

    Description

    General Settings

    IT Environment Type

    Allows you to specify the type of environment in which you are creating the account store.

    Account Store Type

    Allows you to specify the type of account store you are creating.

    Option 1 Specify an Account Proxy

    Allows you to change the credentials for the account that EmpowerID uses to connect to and manage the account store.

    Option 2 Select a Vaulted Credential as Account Proxy

    Allows you to use a credential that you have vaulted in EmpowerID as the account that EmpowerID uses to connect to and manage the account store.

    Inventoried Directory Server

    Allows you to select a connected server as the directory server for the account store.

    Is Remote (Cloud Gateway Connection Required)

    This setting appears for account stores with local directories, such as Active Directory, LDAP, SAP, etc. When enabled, this tells EmpowerID to use the Cloud Gateway Connection for that account store. The Cloud Gateway Connection must be installed on an on-premise machine. For installation information, please see Installing the EmpowerID Cloud Gateway Client.

    Is Visible in IAM Shop

    Specifies whether the account store can be used to filter objects relative to the account store, such as groups, to users searching for resources in the IAM Shop.

    Authentication and Password Settings

    Allow Password Sync

    Enables or disables the synchronization of password changes to user accounts in the domain based on password changes for the owning person object or another account owned by the person. This setting does not prevent password changes by users running the reset user account password workflows.

    Queue Password Changes

    Specifies whether EmpowerID sends password changes to the Account Password Reset Inbox for batch processing.

    Password Manager Policy for Accounts without Person

    Specifies the Password Manager Policy to be used for user accounts not joined to an EmpowerID Person.

    Provisioning Settings

    Allow Person Provisioning (Joiner Source)

    Specifies whether EmpowerID Persons can be provisioned from user accounts in the account store.

    Allow Attribute Flow

    Specifies whether attribute changes should flow between EmpowerID and the account store.

    Allow Provisioning (By RET)

    Allows or disallows the Resource Entitlement (RET) Inbox process to auto-provision accounts for this domain for users who receive RET policy-assigned user accounts, but have not yet had them provisioned.

    Allow Deprovisioning (By RET)

    Allows or disallows the Resource Entitlement Inbox process to auto de-provision accounts for this domain for users who still have RET policy-assigned user accounts, but no longer receive a policy that grants them a user account in the domain. De-provisioning only occurs if the de-provision action on the Resource Entitlement policy is set to De-Provision.

    Max Accounts per Person

    This specifies the maximum number of user accounts from this domain that an EmpowerID Person can have linked to them. This prevents the possibility of a runaway error caused by a wrongly configured Join rule. It is recommended that this value be set to 1 unless users will have more than 1 account and you wish them to be joined to the same person.

    Business Role Settings

    Allow Business Role and Location Re-Evaluation

    Specifies whether Business Role and Location re-evaluation should occur for the account store

    Business Role and Location Re-Evaluation Order

    Specifies the order of the account store for re-evaluating Business Roles and locations

    Inventory Auto Provision OUs as IT System Locations

    Specifies whether EmpowerID should automatically provision external OUs as IT System locations

    Inventory Auto Provision External Roles as Business Roles

    Specifies whether EmpowerID should provision Business roles for external account store roles

    Default Person Business Role

    Specifies the default EmpowerID Business Role to be assigned to each EmpowerID Person provisioned from the user accounts in the account store.

    Default Person Location (leave blank to use account container)

    Specifies the default EmpowerID Location to be assigned to each EmpowerID Person provisioned from the user accounts in the account store.

    Group Settings

    Allow Account Creation on Membership Request

    Specifies whether EmpowerID creates user accounts in the account store when an EmpowerID Person without one requests membership within a group belonging to the account store.

    Recertify External Group Changes as Detected

    Specifies whether detected group changes should trigger recertification.

    SetGroup of Groups to Monitor for Real-Time Recertification

    Specifies the SetGroup or Query-Based Collection with groups that need to be recertified when changes to the membership of one or more of those groups occurs. The setting must be set to the GUID of the target SetGroup. If the GUID for a specific SetGroup is not set and Recertify External Group Changes as Detected is enabled for the account store, EmpowerID processes all security group memberships for recertification.

    Group recertification is processed by the Continuous Group Membership Recertification permanent workflow. This workflow must be enabled for recertification to occur.

    Directory Clean Up Enabled

    Directory Clean Up Enabled

    Specifies whether the SubmitAccountTermination permanent workflow should claim the account store for processing account terminations. When enabled, accounts in the account store that meet the qualifications to be marked for deletion are moved into a special OU within the external directory, disabled and finally deleted after going through an automated approval process. This process involves setting a number of system settings in EmpowerID and requires multiple approvals by designated personnel before an account is finally removed from the account store.

    Report Only Mode (No Changes)

    When enabled, a report of what the Directory Clean Up process would do is written to the log. The process itself is ignored and all accounts are set to Termination Pending,

    Special Use Settings

    Automatically Join Account to a Person on Inventory (Skip Account Inbox)

    Specifies whether EmpowerID should attempt to join user accounts in the account store to an existing EmpowerID Person during the inventory process. When enabled, the Account Inbox is bypassed.

    Automatically Create a Person on Inventory (Skip Account Inbox)

    Specifies whether EmpowerID should create new EmpowerID Persons from the user accounts discovered in the account store during the inventory process. When enabled, the Account Inbox is bypassed.

    Queue Password Changes on Failure

    Specifies whether EmpowerID should send password changes to the Account Password Reset Inbox only when the change fails.

    Inventory Settings

    Inventory Schedule Interval

    Specifies the time span that occurs before EmpowerID performs a complete inventory of the account store. The default value is 10 minutes.

    Inventory Enabled

    Allows EmpowerID to inventory the user information in the account store.

    Membership Settings

    Membership Schedule Interval

    Specifies the time span in minutes that occurs before EmpowerID runs the Group Membership Reconciliation job. The default value is 10 minutes.

    Enable Group Membership Reconciliation

    Allows EmpowerID to manage the membership of the account store’s groups, adding and removing user to and from groups based on policy-based assignment rules.


  2. Edit the account store as needed and then click Save to save your changes.

Next, enable the Account Inbox permanent workflow to allow the Account Inbox to provision or join the user accounts in ServiceNow to EmpowerID Persons as demonstrated below.

EmpowerID recommends using the Account Inbox for provisioning and joining.

Step 4 – Enable the Account Inbox Permanent Workflow

  1. On the navbar, expand Infrastructure Admin > EmpowerID Server and Settings and select Permanent Workflows.

  2. On the Permanent Workflows page, click the Display Name link for Account Inbox.


  3. On the Permanent Workflow Details page that appears, click the pencil icon to put the workflow in edit mode.

  4. Check Enabled.

  5. Click Save to save your changes.

Step 5 – Monitor Inventory

  1. On the navbar, expand Identity Lifecycle and select Account Inbox.

    The Account Inbox page appears. This page provides tabbed views of all information related to processing new user accounts discovered in a connected account store during inventory. An explanation of these tabs follows.

    • All – This tab displays a grid view of all user accounts and the status of those accounts in relation to the Account Inbox.

    • Proposed – This tab displays a grid view of how the system would process user accounts if person provisioning is enabled for the account store containing the user accounts.

    • Dashboard – This tab provides a quick summary of account inbox activity.

    • Orphans – This tab displays a grid view of all user accounts without an EmpowerID Person.

IN THIS ARTICLE

  • No labels