Integration with Powershell

1. For the powershell connector we need a windows server machine with a connId server on it.

2. Configure powershell connector with following properties
3. Must configure powershell script with valid data using the reference below

Reference: https://drive.google.com/drive/folders/1XHt6aNmPzs7V7OKesk31FwqLxGf3u2ST?usp=sharing

Configuration on Cymmetri Identity Platform for Active Directory

For active directory configuration we need AD server with 636 port (ldaps protocol should be enabled).

Ensure that all your object classes are included here in the Entry object classes.

Configure the root suffix, which is the base DC and configure the Principal password.

Base Contexts for group entry searches is the base DN for searching for groups in the AD. Change the server hostname and use the domain name instead of IP address.

Enter the principal as the manager’s principal name, the principal is the user account that will be used for making LDAP queries to the Active Directory. SSL must always be true.

Test AD configuration before assigning an application to any user.

After testing AD configuration, Active Directory account will created for the user being provisioned into the Active Directory.

1. The Cymmetri Identity platform Active Directory provisioning supports the following functions -

   1. Create user

   2. Update user

   3. Delete user

Server hostname needs to be configured for public access

Cymmetri Platform allows for pre-configured provisioning settings for Azure Portal.

For Azure integration we need an azure enterprise account with its own domain configured in the Azure AD.

1. Refer following document to configure azure application

2. Azure Document https://connid.atlassian.net/wiki/spaces/BASE/pages/308674561/Azure [ConnID]
3. Create a new OAuth2 Application and provide the following configuration in Azure OAuth2 application.

4. Application will be created and now we will be able to configure.
5. Let us now click on Authentication tab on the left-hand side menu. We can choose account either in a single Organization Directory or multiple directory.
6. Click on Add a platform and we can add a new Redirect URI as “http://localhost”.
7. Further we can allow the Public Client flows.
8. Create a new Secret by first, clicking on Certificate and Secrets on the left-hand side menu, and then click on the “+ New Client secret” link, Enter Description and select the Expires option.
9. Provide the right permissions for the Connector to work by clicking on API Permissions tab on the left-hand side menu, then click on Add, then click on Microsoft Graph and then click on Application Permission and Delegated.
10. Search and select the following permissions/scopes in OpenID

    1. APIConnectors.Read.All

    2. Directory.ReadWrite.All

    3. OpenID

    4. PrivilegedAccess.Read.AzureAD

    5. User.ReadWrite.All

11. We need to take consent from admin for getting access to Microsoft Graph API, Click on add permission, Click on “Grant Admin content for Unotech Software”, and finally Click on Yes.
12. Click on Expose an API and Click on Set to expose the API to be used by the Azure API client on the connector.

Configuration on Cymmetri Identity Platform for Azure provisioning

1. Configure Azure user and server config as follows:
2. Configure the User Configurations

   1. Copy the application authority from the User Configure.

   2. Configure the Client ID.

   3. Configure the Client Secret.

   4. Configure the Domain from Azure Active Directory.
   5. Configure the Redirect URI exposed from the Azure AD.

   6. Graph API base endpoint (User Config Resource URI)

   7. Add the Azure Tenant ID

   8. Choose the base username.

Click on Save, and test the connection.

1. Any application which supports SCIM v2.0 with bearer token is workable for application.
2. Following are configuration which is used for SCIM with bearer.

   1. Base address - It is the endpoint of the target system which supports SCIM v2 API’s.

   2. Username - Username to authenticate SCIM API endpoint.

   3. Password - Password to authenticate SCIM API endpoint.

   4. Security Token - It is a token which is used to authenticate.

   5. Grant Type - It is grant type which is used to grant access for API’s.

   6. Client Id - client id for authentication

   7. Client Secret - client secret for authentication

   8. Authentication type - It is Fixed Bearer compulsory.

   9. Update method - Patch or Put method.

   10. Accept - Http header which accepts (application/json etc).

   11. Content Type - Http header which accepts (application/json etc).

   12. Access Token Base Address - base address for access token

   13. Access Token Node Id - node id for access token

   14. Access Token Content Type - content type for access token.

Integration SCIM v2.0 with Basic

1. Any application which supports SCIM v2.0 with basic authentication is workable for application.

2. Following are configuration which is used for SCIM with basic authenticator.

1. Base address - It is the endpoint of the target system which supports SCIM v2 API’s.

2. Username - Username to authenticate SCIM API endpoint.

3. Password - Password to authenticate SCIM API endpoint.

4. Authentication type - It is Fixed Bearer compulsory.

5. Update method - Patch or Put method.

6. Accept - Http header which accepts (application/json etc).

7. Content Type - Http header which accepts (application/json etc).

Integration with LDAP

1. For LDAP connector integration we need an LDAP server with the following detail sample.

   Host/IP

   LDAP Base Context

   service user (Manager Username)

   password (Manager User password)

2. After configure LDAP server we need to configure the Ldap application into the Cymmetri.
3. Check policy map to add proper attributes as needed by LDAP schema.

1. Any application which supports SCIM v2.0 with fixed bearer is workable for application.

2. Following are configuration which is used for SCIM with fixed bearer

1. Base address - It is the endpoint of the target system which supports SCIM v2 API’s.

2. Username - Username to authenticate SCIM API endpoint.

3. Password - Password to authenticate SCIM API endpoint.

4. Authentication type - It is Fixed Bearer compulsory.

5. Fixed Bearer Value - The value for fixed bearer.

6. Update method - Patch or Put method.

7. Accept - Http header which accepts (application/json etc).

8. Content Type - Http header which accepts (application/json etc).

Github Enterprise provides provisioning using SCIM 2.0

Pre-requisites

1. Create an account in Github (Enterprise).

2. Enable SAML for the Github tenant to be used with Cymmetri.

Step 1. Configure SSO in Cymmetri

Note the application URL received from the Git SAML configuration

Continue the configuration by logging into Cymmetri using at least Application Administrator role

Note: Public certificate gets from SSO metadata(cymmetri) and format it using following

Note: Make sure when you test SAML then in cymmetri login with github admin users loginid which is added in cymmetri.

Configure Profile Mapping

Create User in Cymmetri and make sure login id of Cymmetri is same as gitHub Admin user login id.

Test SSO with the Cymmetri user.

1. Configure SCIM v2.0 (Github) application from master (cymmetri).

2. Basic provisioning policy attribute and policy map already aaded in default schema.

3. Github Application is run using Fixed Bearer token.

4. To get Fixed bearer token following steps used.

Step 1: Go to user settings in github

Step 2: Go to developer settings

Step 3: Go to personal access token and generate new token

Step4: Click on Configure SSO

Step 5: Click on Authorize

1. Use following cymmetri provision configuration and change according to github account.

2. Fixed Bearer Value copy from personal access token

3. Click on save

4. Click on Test Configuration with success message.

5. Check Policy map

6. Disable default for the respective attribute

Integration REST Application

1. The REST connector is designed to manage provisioning by relying on RESTful service.

2. For REST applications we need target applications which support REST API’s.

3. Following configuration is tested for felicity application.

4. We need REST API’s to integrate with cymmetri.

5. Following are the cymmetri configuration which need to configure in user configuration in cymmetri.

6. It is Basic REST configuration which need to configure in application.

1. We need to provide Groovy code to run create user, update user, delete user and also recon pull and push (for recon pull we need to add sync script and for recon push we need to add search script)

2. For sample script please validate following link

Note: Please Configure script step by step

1. Configure test script at initial step and then test configuration for provided script (If configure successfully then only go for step b).

2. Configure create script and test configuration (If successfully configured then only go for step c).

3. Configure update script and test configuration (If successfully configured then only go for step d).

4. Configure delete script and test configuration (If successfully configured then only go for step e).

5. Configure sync(pull) script and test configuration (If successfully configured then only go for step f).

6. Configure search(push) script and test configuration (If successfully configured then only go to the next step).

Google Apps is a software-as-a-service platform (SAAS) that provides email, calendar, documents and other services. This connector uses the Google Apps provisioning APIs to create, add, delete and modify user accounts and email aliases.

Note: 1. Only the Premium (paid) or Educational versions of Google Apps provide access to the provisioning APIs. 2. Connector will not work on the free Google Apps Domain

Configuration

1. First obtain the client_secret.json file from your Google Apps instance -

   1. Log in to your Google Apps Admin Console (at ) and verify that Security > Enable API access is checked (For more information on these APIs, navigate to the Google Developers interface, and search for these APIs).

   2. In the OAuth 2.0 application of choice (at ), create credential of type Oauth Client ID / Other, then download the related client_secrets.json file.

Enter

1. Create New Project
2. Click on Enabled API & Services
3. Search for Admin SDK API
4. Click on Admin SDK API and then click on the Enable button
5. Once enabled, Click on CREDENTIALS tab
6. Now click on Create Credentials
7. And select OAuth client ID option
8. Select Desktop app as Application type, provide a name for the OAuth 2.0 client and then click on the CREATE button
9. A response screen is visible that shows that the "OAuth client created" It also displays Your Client ID and Your Client Secret. You may download the JSON here using the DOWNLOAD JSON option.
10. Click on OAuth consent screen and then Click on edit app

11. Enter the required details and Click on save and update

1. Select Internal as User Type if you want to restrict access only to the users of your organization.

   Click on SAVE AND CONTINUE button on the Scopes screen
2. Search for Admin SDK API and select
3. Select for group
4. Click on credential

5. Download OAuth client

6. Change to the directory where you have downloaded the bundle and run the following command on the client_secrets.json file that you obtained earlier in this procedure:

This command opens the default browser, and loads a screen on which you authorize consent to access the Google Apps account.

When you have authorized consent, the browser returns a code. Copy and paste the code into the terminal from which you ran the original command

A response similar to the following is returned.

Once the above information is obtained we need to configure the Google App in Cymmetri with Server Configuration and User Configuration as shown below: