Connectors

Synchronization Server Connectors

⏰ Getting started

Introduction

Soffid provides the connectors needed to provision accounts on the most widely used systems. Setting up such a connection requires a specific connector addon, which you must install and configure in the Soffid console.

First of all, you must download the specific connector for your system, then install it in the Soffid console, and finally configure an agent in the Soffid console.

Download

The open-source connectors available for Soffid IAM can be found on the project website http://www.soffid.com/download in the Connectors section.

Downloading enterprise connectors from http://download.soffid.com/download/enterprise/ requires a Soffid user authorized to access this functionality.

Installation

1. Once the connector is downloaded, please log in to IAM Console.

You need to be an administrator user of the Soffid console or a user with permission to upload addons.

2. In the Soffid console, please go to:

Main Menu > Administration > Configure Soffid > Global Settings > Plugins

3. Then click the add button (+) and pick the file; Soffid will upload the addon file.

4. Finally, when the addon is installed, you must restart the Soffid Sync server.

5. Once the Sync server is restarted, you can check that the plugin was uploaded properly on the plugins page:

Main Menu > Administration > Configure Soffid > Global Settings > Plugins

6. Now, you can set up the connector.

Configure Agent

Once the plugin has been uploaded and installed, the next step is to set up the agent. This is the step where you establish a relation between Soffid and your managed system.

Main Menu > Administration > Configure Soffid > Integration engine > Agents

More information about how to configure agents can be found on the Agents page.

Connector List

Here you will find all the information needed about the available Soffid connectors to integrate external managed systems. If something important is missing, feel free to send suggestions to contact@soffid.com.

  1. AWS Connector
  2. CSV Connector
  3. Google Apps Connector
  4. JSON REST Web Services Connector
  5. LDAP Connector
  6. Oracle Connector
  7. Oracle EBS Connector
  8. SAP Connector
  9. SCIM Connector
  10. Shell Connector
  11. SQL Connector
  12. Windows Connector
  13. Zarafa Connector



AWS Connector

Introduction

Description

The AWS Connector allows you to manage Amazon AWS IAM (Identity and Access Management).

Managed Systems

This connector is specific for integration with Amazon AWS IAM (Identity and Access Management) through the AWS IAM CLI.

To check whether your system can be synchronized with this connector, do not hesitate to contact us through our Contact form.

Prerequisites

An AWS IAM user with access and privileges for the required operations is needed.

The connector cannot detect password changes to be propagated to other systems.

Download and install

This addon is located in the Connectors section and its name is AWS plugin.

For more information about the installation process you can visit the Addons Getting started page.

Agent Configuration

Basic

Generic parameters

After the installation of the addon, you may create and configure agent instances.

To configure this AWS connector you must select "Amazon WS" in the attribute "Type" of the generic parameters section in the agents page configuration.

For more information about how you may configure the generic parameters of the agent, see the following link: Agents configuration

Custom parameters

Below are the specific parameters for this agent implementation:

| Parameter | Description |
|---|---|
| Access Key | Access key provided by the AWS IAM account |
| Secret Key | Secret key provided by the AWS IAM account |
| AWS Endpoint | AWS endpoint provided by the AWS IAM account |
| Enable debug | Two options: [ Yes / No ]. When it is enabled, more log traces are printed in the Synchronization Server log |

Attribute mappings

This connector can manage users and roles.

Properties

The following properties are defined for each object type:

| Property | Meaning |
|---|---|
| preventDeletion (optional) | Two options: [ True / False ]. If true, it will prevent the deletion of any object that is no longer needed. |

Attributes

You can customize attribute mappings: you only need to select the system objects and the related Soffid objects, manage their attributes, and create inbound and outbound attribute mappings.

Users

The following attributes can be mapped on User objects

| Attribute | Value |
|---|---|
| userName | User name |
| path | User path |
| arn | AWS arn (read only) |
| createDate | Creation date (read only) |
| passwordLastUsed | Password last use (read only) |
| userId | Internal user id |

Groups

The following attributes can be mapped on Role (AWS Group) objects:

| Attribute | Value |
|---|---|
| groupName | Group name |
| path | Group path |
| arn | AWS arn (read only) |
| createDate | Creation date (read only) |
| groupId | Internal group id |

For more information about how you may configure attribute mapping, see the following link: Soffid Attribute Mapping Reference

Triggers

You can define BeanShell scripts that will be triggered when data is loaded into the target system (outgoing triggers). The trigger result will be a boolean value, true to continue or false to stop.

Triggers can be used to validate or perform a specific action just before performing an operation or just after performing an operation into target objects. 

To view some examples, visit the Outgoing triggers examples page.

Load triggers

You can define BeanShell scripts that will be triggered when data is loaded into Soffid (incoming triggers). The trigger result will be a boolean value, true to continue or false to stop.

Triggers can be used to validate or perform a specific action just before performing an operation or just after performing an operation into Soffid objects.

To view some examples, visit the Incoming triggers examples page.

Account metadata

Agents allow you to create additional data, on the "Account metadata" tab, to customize the accounts created for that agent. This additional information will be loaded with the agent's information, or calculated as defined in the mappings.
The additional data can be used in both mappings and triggers.

The attributes which you define here will be shown when you click on the proper account, on the Accounts Tabs at user page.

Operational

Monitoring

After the agent configuration you could check on the monitoring page if the service is running in the Synchronization Server, please go to:

Tasks

Authoritative

If you have checked "Authorized identity source", an automatic task to load identities from the managed system to Soffid is available, please go to:

And you will see something like "Import authoritative data from <AGENT_NAME>".

Reconcile

If you have configured the "Attribute Mapping" tab with some of our objects: "user or role", an automatic task to synchronize these objects from the managed system to Soffid is available, please go to:

And you will do something like "Reconcile all accounts from <AGENT_NAME>".

Synchronization

Regarding the synchronization of the objects, there are two possible options:

For more information about how you may configure the generic parameters of the agent, see the following link: Agents configuration


CSV Connector

Introduction

Description

The CSV Connector provides a way to load authoritative data from fixed record size files.

Managed System

This connector is designed to load authoritative data from CSV files or from files in other formats and with other extensions.

To check whether your system can be synchronized with this connector, do not hesitate to contact us through our Contact form.

Prerequisites

The file must be placed on the Synchronization Server host itself.

The file must have the correct permissions to be read by the Synchronization Server.

Download and Install

This addon is located in the Connectors section and its name is Flat file plugin.

For more information about the installation process you can visit the Addons Getting started page.

Agent Configuration

This connector can only be used as an identity source; it cannot generate output files yet.

Usually, this connector is used for the initial manual load of identity information from HR applications or databases.

As an example, the following flow shows how the "Customizable fixed-columns file v2.0" works.

[Image: CSV Connector flow]

Basic

Generic parameters

After the installation of the addon, you may create and configure agent instances.

This addon has 5 available types:

To configure this CSV plugin, select one of the previous agent types in the attribute "Type" of the generic parameters section in the agents page configuration.

For more information about how you may configure the generic parameters of the agent, see the following link: Agents configuration

Custom parameters

The main parameters for this connector are:

Customizable fixed-columns file v2.0

| Parameter | Description |
|---|---|
| Enable debug | Two options: [ Yes / No ]. When it is enabled, more log traces are printed in the Synchronization Server log |
| Character set (utf-8) | Charset used to load files. Although it is uncommon, multi-byte character sets such as UTF-8 are allowed. Nevertheless, single-byte character sets such as ISO-8859-1 are recommended |

Customizable CSV file

| Parameter | Description |
|---|---|
| Enable debug | Two options: [ Yes / No ]. When it is enabled, more log traces are printed in the Synchronization Server log |

CSV file test agent

| Parameter | Description |
|---|---|
| User's file | Directory where the CSV file is placed |

Dummy password agent

| Parameter | Description |
|---|---|
| Dummy Password | Dummy Password |

Test

| Parameter | Description |
|---|---|
| CSV file | Path of the CSV file |

Attribute mapping

Only the "Customizable fixed-columns file v2.0" and the "Customizable CSV file" agents have this functionality implemented.

Properties

Customizable fixed-columns file v2.0

This agent requires two properties:

| Property | Description |
|---|---|
| file | Path where the file is placed in the file system |
| recordSize | Total number of characters of the rows. This property must have a number value. The file will be split into records of this size in bytes. Mind that the record size must include any line terminator character such as "carriage return" or "line feed". |

After that, you must specify the column range of every field as follows:

| Property | Description |
|---|---|
| N-M | Where N is the position of the first character and M the position of the last character, both included. Column numbers start with 1 (not 0). |

For instance, if the property is defined as "1-10" with the value "NAME", Soffid will extract characters from columns 1 to 10 (both inclusive) into a field named NAME in Soffid.

For instance for this file:

abernal   Antonio        Bernal         world      YES
jwayne2   John           Wayne          world      YES

These are its properties:

[Image: CSV Connector properties]

Customizable CSV file

This agent only needs the following properties:

| Property | Description |
|---|---|
| file | Mandatory: Path where the file is placed in the file system |
| key | Mandatory: The field to be used as key |

Attributes

Customizable fixed-columns file v2.0

The mapping is only available for the USER object.

Now we can map the system attributes defined as property values against Soffid attributes, for instance:

| System attribute | Soffid attribute |
|---|---|
| USER | userName |
| FIRSTNAME | firstName |
| LASTNAME | lastName |
| GROUPNAME | primaryGroup |
| ACTIVE.equals("YES") | active |

For instance:

[Image: attribute mapping example]

For more information about how you may configure attribute mapping, see the following link: Soffid Attribute Mapping Reference
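The recordSize and N-M properties and the USER mapping described above can be followed end to end in this added Python example, which is not Soffid code. The column ranges, the record size of 55 and the sample records are assumptions constructed for the illustration (the properties screenshot is not reproduced here), and rejecting a file whose length is not a multiple of recordSize is this example's choice, not documented connector behaviour.

```python
# Added example (not Soffid code): splitting a fixed-record file the way the
# page describes. Layout values are assumptions; the sample data is constructed.
RECORD_SIZE = 55  # 54 data bytes + 1 line feed, as recordSize must include it
COLUMNS = {       # "N-M" property -> system attribute name (1-based, inclusive)
    "1-10": "USER", "11-25": "FIRSTNAME", "26-40": "LASTNAME",
    "41-51": "GROUPNAME", "52-54": "ACTIVE",
}


def parse_columns(columns, record_size):
    """Validate the "N-M" properties and return sorted (start, end, name) slices."""
    spans = []
    for rng, name in columns.items():
        first, last = (int(part) for part in rng.split("-"))
        if not 1 <= first <= last <= record_size:
            raise ValueError(f"range {rng!r} does not fit a {record_size}-byte record")
        spans.append((first - 1, last, name))  # 1-based inclusive -> Python slice
    spans.sort()
    for (_, end, name), (start, _, nxt) in zip(spans, spans[1:]):
        if start < end:
            raise ValueError(f"columns {name} and {nxt} overlap")
    return spans


def read_records(data, columns, record_size, charset="iso-8859-1"):
    """Split raw bytes into records of record_size bytes and extract each field."""
    if not data or len(data) % record_size:
        raise ValueError(f"{len(data)} bytes is not a whole number of "
                         f"{record_size}-byte records")
    spans = parse_columns(columns, record_size)
    rows = []
    for offset in range(0, len(data), record_size):
        record = data[offset:offset + record_size]
        rows.append({name: record[start:end].decode(charset).strip()
                     for start, end, name in spans})
    return rows


def to_soffid_user(row):
    """Apply the mapping table above, including ACTIVE.equals("YES")."""
    return {
        "userName": row["USER"], "firstName": row["FIRSTNAME"],
        "lastName": row["LASTNAME"], "primaryGroup": row["GROUPNAME"],
        "active": row["ACTIVE"] == "YES",
    }


def make_line(user, first, last, group, active):
    """Build one constructed sample record (character-padded, LF-terminated)."""
    return f"{user:<10}{first:<15}{last:<15}{group:<11}{active:<3}\n"


SAMPLE = (make_line("abernal", "Antonio", "Bernal", "world", "YES")
          + make_line("jwayne2", "John", "Wayne", "world", "YES"))

if __name__ == "__main__":
    for row in read_records(SAMPLE.encode("iso-8859-1"), COLUMNS, RECORD_SIZE):
        print(to_soffid_user(row))
    # The same text in UTF-8 breaks the byte arithmetic once a name has an accent.
    accented = make_line("jperez", "José", "Pérez", "world", "NO")
    print(len(accented.encode("iso-8859-1")), len(accented.encode("utf-8")))
```

Because records are cut by bytes, the accented record is 55 bytes in ISO-8859-1 but 57 in UTF-8, which is why the single-byte character set is the recommended one for this agent.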

Customizable CSV file

The mapping is only available for the USER object.

The first row of the file must include the name of the attribute.

USER,FIRSTNAME,LASTNAME,GROUPNAME,ACTIVE
abernal,Antonio,Bernal,world,YES
jwayne2,John,Wayne, world,YES

Now we can map the system attributes (file) to the Soffid attributes, for instance:

| System attribute | Soffid attribute |
|---|---|
| USER | userName |
| FIRSTNAME | firstName |
| LASTNAME | lastName |
| GROUPNAME | primaryGroup |
| ACTIVE.equals("YES") | active |

Load Triggers

You can define BeanShell scripts that will be triggered when data is loaded into Soffid (incoming triggers). The trigger result will be a boolean value, true to continue or false to stop.

Triggers can be used to validate or perform a specific action just before performing an operation or just after performing an operation into Soffid objects.

To view some examples, visit the Incoming triggers examples page.

Account metadata

Accounts are default objects in Soffid. Agents allow you to create additional custom data, on the "Account metadata" tab, to customize the accounts created only for that agent.

The attributes which you define here, will be shown when you click on the proper account, on the Accounts Tabs at user page.

At this tab you could add or delete custom attributes. You can visit the Metadata page for more information about the standard attributes.

Operational

Monitoring

After the agent configuration you could check in the monitoring page if the service is running in the Synchronization Server, please go to: 

Tasks

Authoritative

If you have checked "Authorized identity source", an automatic task to load identities from the managed system to Soffid is available, please go to:

And you will see something like "Import authoritative data from <AGENT_NAME>".

Reconcile

If you have configured the "Attribute Mapping" tab with some of our objects: "user", an automatic task to synchronize these objects from the managed system to Soffid is available, please go to:

And you will do something like "Reconcile all accounts from <AGENT_NAME>".

Synchronization

Regarding the synchronization of the objects, there are two possible options:

For more information about how you may configure the generic parameters of the agent, see the following link: Agents configuration


CSV Connector

Customizable CSV file (CSV Connector type)

Introduction

Description

The CSV connector type allows users to load a collection of data stored in a plain CSV file.

This page explains the process to complete the CSV connector setup.

To begin, go to the Quick start section.

Quick start

The core of the Customizable CSV file connector is located under the 'Attribute Mapping' tab.

There are two important sections:

Property

File information related configuration.

| Property | Description |
|---|---|
| file | Mandatory: Path where the file is placed in the directory system |
| key | Mandatory: The field to be used as key |

System attribute

Mapping between CSV fields and Soffid objects.

[Image: Customizable CSV file attribute mapping configuration]

Taking a look at the configuration used, we can see that:

To demonstrate Soffid's flexibility in terms of agent customization, notice that:

  • The USERNAME, NAME and LASTNAME fields correspond to default fields of the User object.
  • NDI is a custom field defined in the User object.
  • "I" is a 'char' literal that indicates the UserType.

Example

| Type | File |
|---|---|
| data (file used in this configuration guide) | file.csv |
| attribute-mapping (file used in this configuration guide) | csv-agent-config.xml |

Useful information

System objects
User
Account
Group
Role


Google Apps Connector

Introduction

Description

Google Apps Connector allows you to manage users and groups using the Google Directory API.

Managed System

This connector is specific for integration with the Google domain.

To check whether your system can be synchronized with this connector, do not hesitate to contact us through our Contact form.

Prerequisites

To get a service account and a private key, please follow this link: Creating a service account. You must:

Furthermore, you will need to follow this guide to enable the recently created account to use directory API services. The scopes to grant are:

Download and Install

This addon is located in the Connectors section and its name is Google Apps plugin.

For more information about the installation process you can visit the Addons Getting started page.

Agent Configuration

Basic

Generic parameters

After the installation of the addon, you may create and configure agent instances.

To configure this Google Apps Connector you must select "GoogleApps" in the attribute "Type" of the generic parameters section in the agents page configuration.

For more information about how you may configure the generic parameters of the agent, see the following link: Agents configuration

Custom parameters

Below are the specific parameters for this agent implementation:

| Parameter | Description |
|---|---|
| Admin user | Administrator account name |
| Service account client email | Extract it from the generated JSON file. It is tagged as client_email |
| Service account private key | Extract it from the generated JSON file. It is tagged as private_key. As the private key is JSON encoded, remember to replace Unicode escape characters with their ASCII equivalents |
| Google domain | Base Google domain |
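The note about Unicode escapes in the private key is easiest to see in code. The following Python example is added here and is not part of the Soffid or Google documentation; the key file content, the e-mail address and the helper names are constructed placeholders. It shows that a JSON parser resolves the escapes for you, and how to detect and repair a value that was copied verbatim from the file text.

```python
import base64
import json
import re

# Constructed stand-in for the downloaded key file: real field names,
# placeholder key material. "=" appears as \u003d, line breaks as \n.
_BODY = base64.b64encode(b"constructed-not-a-key!").decode().replace("=", "\\u003d")
ESCAPED_KEY = ("-----BEGIN PRIVATE KEY-----\\n" + _BODY
               + "\\n-----END PRIVATE KEY-----\\n")
KEY_FILE_TEXT = ('{"type": "service_account", '
                 '"client_email": "soffid-sync@example-project.iam.gserviceaccount.com", '
                 '"private_key": "' + ESCAPED_KEY + '"}')

PEM_RE = re.compile(r"-----BEGIN PRIVATE KEY-----\n"
                    r"(?:[A-Za-z0-9+/]+={0,2}\n)+"
                    r"-----END PRIVATE KEY-----\n?")


def is_clean_pem(value):
    """True only if the value is PEM text with real line breaks and no escapes."""
    return PEM_RE.fullmatch(value) is not None


def unescape_pasted_value(raw):
    """Decode a value copied verbatim from the JSON text (still holding escapes)."""
    if "\\" not in raw:
        return raw  # already decoded, nothing to do
    return json.loads('"' + raw + '"')


def load_service_account(text):
    """Return (client_email, private_key); the JSON parser resolves the escapes."""
    doc = json.loads(text)
    key = doc["private_key"]
    if not is_clean_pem(key):
        raise ValueError("private_key is not well-formed PEM after decoding")
    return doc["client_email"], key


if __name__ == "__main__":
    email, key = load_service_account(KEY_FILE_TEXT)
    print(email)
    print("raw copy usable as PEM:", is_clean_pem(ESCAPED_KEY))
    print("after unescaping:", is_clean_pem(unescape_pasted_value(ESCAPED_KEY)))
```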

Attribute mapping

This connector can manage users and groups.

Properties

Nothing to configure.

Attributes

Users

Users and shared accounts can be customized. The next attributes are required:

| Attribute | Value |
|---|---|
| suspended | "True" if the account is disabled. "False" otherwise |
| name{"givenName"} | User given name |
| name{"familyName"} | User last name |
| name{"fullName"} | User full name |
| primaryEmail | Account name |

To get an extensive list of attributes supported by Google, browse to Google User API

Soffid groups can be mapped as OrgUnits.

| Attribute | Value |
|---|---|
| name | Org Unit Name |

Groups

Mail aliases will be automatically bound to users without any further configuration.

Roles and Mail Lists will also be created and maintained as Google Apps groups.

For more information about how you may configure attribute mapping, see the following link: Soffid Attribute Mapping Reference

For instance:

[Image: attribute mapping example]

Triggers

Nothing to configure. This option is not available for the Google Apps connector.

Load Triggers

You can define BeanShell scripts that will be triggered when data is loaded into Soffid (incoming triggers). The trigger result will be a boolean value, true to continue or false to stop.

Triggers can be used to validate or perform a specific action just before performing an operation or just after performing an operation into Soffid objects.

To view some examples, visit the Incoming triggers examples page.

Account metadata

Agents allow you to create additional data, on the "Account metadata" tab, to customize the accounts created for that agent. This additional information will be loaded with the agent's information, or calculated as defined in the mappings.
The additional data can be used in both mappings and triggers.

The attributes which you define here will be shown when you click on the proper account, on the Accounts Tabs at user page.

Operational

Monitoring

After the agent configuration you could check in the monitoring page if the service is running in the Synchronization Server, please go to:

Tasks

Authoritative

If you have checked "Authorized identity source", an automatic task to load identities from the managed system to Soffid is available, please go to:

And you will see something like "Import authoritative data from <AGENT_NAME>".

Reconcile

If you have configured the "Attribute Mapping" tab with some of our objects: "user or group", an automatic task to synchronize these objects from the managed system to Soffid is available, please go to:

And you will do something like "Reconcile all accounts from <AGENT_NAME>".

Synchronization

Regarding the synchronization of the objects, there are two possible options:

For more information about how you may configure the generic parameters of the agent, see the following link: Agents configuration


JSON REST Web Services Connector

Introduction

Description

This connector allows the integration with any Web Service able to consume and generate JSON documents through REST communication.

Managed System

Any commercial product or custom web application that allows REST communication with JSON documents.

There are a lot of products that use this standard, for instance:

If your system is not in the previous list, it's possible to include it easily!

To check whether your system can be synchronized with this connector, do not hesitate to contact us through our Contact form.

Prerequisites

A user with access and permissions to the endpoints and operations required in the scope of the integration is needed.

Also, the documentation, specification, or tutorial of the implementation of the JSON REST Web Service is required to apply the mapping configuration.

Download and Install

This addon is located in the Connectors section and its name is REST (json) plugin.

You can visit the Addons Getting started page for more information about the installation process.

Agent Configuration

Basic

Generic parameters

After the installation of the addon, you may create and configure agent instances.

To configure this JSON REST Web Service Connector you must select "JSON Rest Webservice" in the attribute "Type" of the generic parameters section in the agents' page configuration.

For more information about how you may configure the generic parameters of the agent, see the following link: Agents configuration

Custom parameters

Below are the specific parameters for this agent implementation:

| Parameter | Description |
|---|---|
| Server URL | URL of the REST web service. Base URL for making calls. |
| Authentication method | One of the options listed below the table (*) |
| Enable debug | Two options: "Yes" or "No". Enables or disables additional log traces in the Synchronization Server log |
| Proxy host | Only when the proxy is needed. |
| Proxy port | Only when the proxy is needed. |
| XML Templates | Allows you to add new XML templates with SOAP requests and then configure them at attribute mappings. |

Available options for the authentication method:

  • None: no authentication (User and Password are not used).
  • Basic: it uses the User and Password to generate the authentication token.
  • Bearer token: it is provided by the application to which we are trying to connect.
  • Token: generate a token from a specific authentication URL. It is no longer used.
  • Token oAuth Client Credentials: authenticates based on a client ID and a client secret.
  • Token oAuth Password Grant: authenticates based on a client ID and a client secret plus a user name and a password.

(*) You can find more information in the Authentication method section.


Authentication method

None: no authentication is needed. There are no parameters to configure.

Basic: the username and password are sent with each request.

Bearer token

Token: calls the authentication URL with the POST method and with the username and password, and the response will be the token. It is no longer used.

Token oAuth Client Credentials

Token oAuth Password Grant