For more information to check if your system may be synchronized with this connector, do not hesitate to contact us through our [Contact form](http://www.soffid.com/contactform/)
### Prerequisites It is needed a AWS IAM user with access and privileges to the required operations. It cannot detect password changes to be propagated to other systems. ## Download and install This addon is located in the Connectors section and its name is **AWS plugin**.For more information about the installation process you can visit the [Addons Getting started](https://bookstack.soffid.com/books/addons-getting-started/page/getting-started "Addons installation") page.
## Agent Configuration ### Basic #### Generic parameters After the installation of the addon, you may create and configure agent instances. To configure this AWS connector you must select "Amazon WS" in the attribute "Type" of the generic parameters section in the agents page configuration.For more information about how you may configure the generic parameters of the agent, see the following link: [Agents configuration](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/agents "Agents")
#### Custom parameters Below there are the specific parameters for this agent implementation:**Parameter** | **Description** |
|---|---|
| Access Key | Access key provided by the AWS IAM account |
Secret Key | Secret key provided by the AWS IAM account |
| AWS Endpoint | AWS endpoint provided by the AWS IAM account |
| Enable debug | Two options: \[ Yes / No \]. When it is enabled more log traces are printed in the Synchronization Server log |
**Property** | **Meaning** |
|---|---|
| preventDeletion (optional) | Two options: \[ True / False \]. If true, it will prevent the deletion of any object that is no longer needed. |
**Attribute** | **Value** |
|---|---|
| userName | User name |
| path | User path |
| arn | AWS arn (read only) |
| createDate | Creation date (read only) |
| passwordLastUsed | Passsword last use (read only) |
| userId | Internal user id |
**Attribute** | **Value** |
|---|---|
| groupName | Group name |
| path | Group path |
| arn | AWS arn (read only) |
| createDate | Creation date (read only) |
| groupId | Internal group id |
For more information about how you may configure attribute mapping, see the following link: [Soffid Attribute Mapping Reference](https://bookstack.soffid.com/link/72#bkmrk-soffid-attributes)
[](https://bookstack.soffid.com/uploads/images/gallery/2022-01/image-1641816933566.png) #### Triggers You can define BeanShell scripts that will be triggered when data is loaded into the target system (outgoing triggers). The trigger result will be a boolean value, true to continue or false to stop. Triggers can be used to validate or perform a specific action just before performing an operation or just after performing an operation into target objects.To view some examples, visit the [Outgoing triggers examples page](https://bookstack.soffid.com/books/connectors/page/outgoing-triggers-examples "Outgoing triggers examples").
### Load triggers You can define BeanShell scripts that will be triggered when data is loaded into Soffid (incoming triggers). The trigger result will be a boolean value, true to continue or false to stop. Triggers can be used to validate or perform a specific action just before performing an operation or just after performing an operation into Soffid objects.To view some examples, visit the [Incoming triggers examples page.](https://bookstack.soffid.com/books/connectors/page/incoming-triggers-examples "Incoming triggers examples")
### Account metadata Agents allow you to create additional data, on the "Account metadata" tab, to customize the accounts created for that agent. This additional information will be loaded with the agent's information, or calculated as defined in the mappings. The additional data can be used in both mappings and triggers. The attributes which you define here will be shown when you click on the proper account, on the Accounts Tabs at user page. ## Operational ### Monitoring After the agent configuration you could check on the monitoring page if the service is running in the Synchronization Server, please go to: - Start Menu > Administration > Monitoring and reporting > Syscserver monitoring ### Tasks #### Authoritative If you are checked "Authorized identity source", an automatic task to load identities from the managed system to Soffid is available, please go to: - Start Menu > Administration > Monitoring and reporting > Scheduled tasks And you will something like "Import authoritative data from <AGENT\_NAME>". #### Reconcile If you are configured the "Attribute Mapping" tab with some of our objects: "user or role", an automatic task to synchronize these objects from the managed system to Soffid is available, please go to: - Start Menu > Administration > Monitoring and reporting > Scheduled tasks And you will do something like "Reconcile all accounts from <AGENT\_NAME>". ### Synchronization Regarding the synchronization of the objects, there are two possible options: - If you are checked the generic attribute "Read Only" in the "Basics" tab, only the changes in the managed systems will be updated in Soffid. We recommend these options until the global configuration of Soffid will be tested. - If you are not checked the generic attribute "Read Only" in the "Basics" tab, all the changes in Soffid or the managed system will be updated in the other. Note that this synchronization must be configured in the "Attribute mapping" tab correctly.For more information about how you may configure the generic parameters of the agent, see the following link: [Agents configuration](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/agents "Agents")
# CSV Connector # CSV Connector ## Introduction ### Description The CSV Connector provides a way to load authoritative data from fixed record size files. ### Managed System This connector has been performed to charge authoritative data from files with CSV format or other format in other extension files.For more information to check if your system may be synchronized with this connector you do not hesitate to contact us through our [Contact form](http://www.soffid.com/contactform/)
### Prerequisites The file must be placed in the same Synchronization Server host. The file must has the correct permissions to be readed for the Synchronization Server. ## Download and Install This addon is located in the Connectors section and its name is **Flat file plugin**.For more information about the installation process you can visit the [Addons Getting started](https://bookstack.soffid.com/books/addons-getting-started/page/getting-started "Addons installation") page.
## Agent Configuration This connector could only be used as an identity source, no output file could be generated yet. Usually, this connector is used the first time to charge manually the user information of the identities from the HR applications o database. As example, this is the flow to shows how the "Customizable fixed-columns file v2.0" works. [](https://bookstack.soffid.com/uploads/images/gallery/2021-04/csv-connector.png) ### Basic #### Generic parameters After the installation of the addon, you may create and configure agent instances. This addon has 5 available types: - Customizable fixed-columns file v2.0: it is used to charge a table where each column has a fixed number of characters. - Customizable CSV file: it is used to charge a standard CSV file (comma-separated values), where all the columns are separated by a comma. - CSV file test agent. - Dummy password agent. - Test. To configure this CSV plugin, you could select one of the previous agent in the attribute "Type" of the generic parameters section in the agents page configuration.For more information about how you may configure the generic parameters of the agent, see the following link: [Agents configuration](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/agents "Agents")
#### Custom parameters The main parameters for this connectors are: ##### Customizable fixed-columns file v2.0**Parameter** | **Description** |
|---|---|
| Enable debug | Two options: \[ Yes / No \]. When it is enabled more log traces are printed in the Synchronization Server log |
Character set (utf-8) | Charset used to load files. Despite it in uncommon, multi-byte character sets, as UTF-8, are allowed. Nevertheless, single byte character sets as ISO-8859-1 are recommended |
**Parameter** | **Description** |
|---|---|
| Enable debug | Two options: \[ Yes / No \]. When it is enabled more log traces are printed in the Synchronization Server log |
**Parameter** | **Description** |
|---|---|
| User's file | Directory where the CSV file is placed |
**Parameter** | **Description** |
|---|---|
Dummy Password | Dummy Password |
**Parameter** | **Description** |
|---|---|
CSV file | Path of the CSV file |
**Property** | **Description** |
|---|---|
| file | Path where the file is placed in the directory system |
| recordSize | Total number of characters of the rows. This property must have a number value. The file will be split into records of this size in bytes. Mind the record size must include any line terminator character as "carriage return" or "line feed". |
**Property** | **Description** |
|---|---|
| N-M | Where N is the position of the first character and M the position of the last character, both included. Column numbers start with 1 (not 0). And for instance, if the property is defined as "1-10" with the value "NAME", Soffid will extract characters from columns 1 to 10 (both inclusive) into a field named NAME in Soffid. |
**Property** | **Description** |
|---|---|
| file | Mandatory: Path where the file is placed in the directory system |
| key | Mandatory: The field to be used as key |
**System attribute** | **Soffid attribute** |
|---|---|
| USER | userName |
| FIRSTNAME | firstName |
| LASTNAME | lastName |
| GROUPNAME | primaryGroup |
| ACTIVE.equals("YES") | active |
For more information about how you may configure attribute mapping, see the following link: [Soffid Attribute Mapping Reference](https://bookstack.soffid.com/link/72#bkmrk-soffid-attributes)
##### Customizable CSV file The mapping in only available for USER object. The first row of the file must include the name of the attribute. ``` USER,FIRSTNAME,LASTNAME,GROUPNAME,ACTIVE abernal,Antonio,Bernal,world,YES jwayne2,John,Wayne, world,YES ``` Now we could map the system attribute (file) with the Soffid attributes, for instance:**System attribute** | **Soffid attribute** |
|---|---|
| USER | userName |
| FIRSTNAME | firstName |
| LASTNAME | lastName |
| GROUPNAME | primaryGroup |
| ACTIVE.equals("YES") | active |
To view some examples, visit the [Incoming triggers examples page.](https://bookstack.soffid.com/books/connectors/page/incoming-triggers-examples "Incoming triggers examples")
### Account metadata Accounts are default objects in Soffid. Agents allow you to create additional custom data, on the "Account metadata" tab, to customize the accounts created only for that agent. The attributes which you define here, will be shown when you click on the proper account, on the Accounts Tabs at user page. At this tab you could add or delete custom attributes. You can visit the [Metadata page](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/metadata "Metadata") for more information about the standard attributes. ## Operational ### Monitoring After the agent configuration you could check in the monitoring page if the service is running in the Synchronization Server, please go to: - Start Menu > Administration > Monitoring and reporting > Syscserver monitoring ### Tasks #### Authoritative If you are checked "Authorized identity source", an automatic task to load identities from the managed system to Soffid is available, please go to - Start Menu > Administration > Monitoring and reporting > Scheduled tasks And you will something like "Import authoritative data from <AGENT\_NAME>". #### Reconcile If your are configured the "Attribute Mapping" tab with some of our objects: "user", an automatic task to synchronize these objects from the managed system to Soffid is available, please go to: - Start Menu > Administration > Monitoring and reporting > Scheduled tasks And you will do something like "Reconcile all accounts from <AGENT\_NAME>". ### Synchronization Regarding the synchronization of the objects, there are two possible options: - If you are checked the generic attribute "Read Only" in the "Basics" tab, only the changes in the managed systems will be updated in Soffid. We recommend these options until the global configuration of Soffid will be tested. - If you are not checked the generic attribute "Read Only" in the "Basics" tab, all the changes in Soffid or the managed system will be updated in the other. Note that this synchronization must be configured in the "Attribute mapping" tab correctly.For more information about how you may configure the generic parameters of the agent, see the following link: [Agents configuration](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/agents "Agents")
# Customizable CSV file (CSV Connector type) ## Introduction ### Description The CSV connector type allows users to load a collection of data stored into a plain CSV file. In the following page, the process to complete the CSV connector setup will be explained. To begin with, address to the quick start section. ### Quick start The core of Customizable CSV file connector is located under the 'Attribute Mapping' tab. There are two important sections: #### Property File information related configuration.Property | Description |
|---|---|
| file | Mandatory: Path where the file is placed in the directory system |
| key | Mandatory: The field to be used as key |
**Type** | **File** |
|---|---|
| data (file used in this configuration guide) | [file.csv](https://bookstack.soffid.com/attachments/5) |
| attribute-mapping (file used in this configuration guide) | [csv-agent-config.xml](https://bookstack.soffid.com/attachments/6) |
**System objects** |
|---|
| [User](http://www.soffid.org/doc/console/2.5.0/iam-common/apidocs/com/soffid/iam/api/User.html) |
| [Account](http://www.soffid.org/doc/console/2.5.0/iam-common/apidocs/com/soffid/iam/api/Account.html) |
| [Group](http://www.soffid.org/doc/console/2.5.0/iam-common/apidocs/com/soffid/iam/api/Group.html) |
| [Role](http://www.soffid.org/doc/console/2.5.0/iam-common/apidocs/com/soffid/iam/api/Role.html) |
For more information to check if your system may be synchronized with this connector do not hesitate to contact us through our [Contact form](http://www.soffid.com/contactform/)
### Prerequisites To get a service account and a private key, please follow this link: [Creating a service account](https://developers.google.com/identity/protocols/OAuth2ServiceAccount#creatinganaccount). You must: - Register a new project - Enable AdminSDK API - Register a new OAuth service account. Store the JSON generated file in a secure place. Furthermore, you will need to follow [this guide](https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority) to enable the recently created account to use directory API services. The scopes to grant are: - View and manage the provisioning of groups on your domain: [https://www.googleapis.com/auth/admin.directory.group](https://www.googleapis.com/auth/admin.directory.group) - View and manage group subscriptions on your domain: [https://www.googleapis.com/auth/admin.directory.group.member](https://www.googleapis.com/auth/admin.directory.group.member) - View and manage organization units on your domain: [https://www.googleapis.com/auth/admin.directory.orgunit](https://www.googleapis.com/auth/admin.directory.orgunit) - View and manage the provisioning of users on your domain: [https://www.googleapis.com/auth/admin.directory.user](https://www.googleapis.com/auth/admin.directory.user) ## Download and Install This addon is located in the Connectors section and its name is **Google Apps plugin**.For more information about the installation process you can visit the [Addons Getting started](https://bookstack.soffid.com/books/addons-getting-started/page/getting-started "Addons installation") page.
## Agent Configuration ### Basic #### Generic parameters After the installation of the addon, you may create and configure agent instances. To configure this Google Apps Connector you must select "GoogleApps" in the attribute "Type" of the generic parameters section in the agents page configuration.For more information about how you may configure the generic parameters of the agent, see the following link: [Agents configuration](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/agents "Agents")
#### Custom parameters Below there are the specific parameters for this agent implementation:**Parameter** | **Description** |
|---|---|
| Admin user | Administrator account name |
| Service account client email | Extract it from generated json file. It is tagged as client\_email |
| Service account private key | Extract it from generated json file. It is tagged as private\_key. As the private key is JSON encoded, mind to replace unicode escape chars by it's ASCII equivalents |
| Google domain | Base google domain |
**Attribute** | **Value** |
|---|---|
| suspended | "True" if the account is disabled. "False" otherwise |
| name{"givenName"} | User given name |
| name{"familyName"} | User last name |
| name{"fullName"} | User full name |
| primaryEmail | Account name |
**Attribute** | **Value** |
|---|---|
| name | Org Unit Name |
For more information about how you may configure attribute mapping, see the following link: [Soffid Attribute Mapping Reference](https://bookstack.soffid.com/link/72#bkmrk-soffid-attributes)
For instance: [](https://bookstack.soffid.com/uploads/images/gallery/2022-01/image-1641828269243.png) #### Triggers Nothing to configure. This option is not available to Google apps connector. ### Load Triggers You can define BeanShell scripts that will be triggered when data is loaded into Soffid (incoming triggers). The trigger result will be a boolean value, true to continue or false to stop. Triggers can be used to validate or perform a specific action just before performing an operation or just after performing an operation into Soffid objects.To view some examples, visit the [Incoming triggers examples page.](https://bookstack.soffid.com/books/connectors/page/incoming-triggers-examples "Incoming triggers examples")
### Account metadata Agents allow you to create additional data, on the "Account metadata" tab, to customize the accounts created for that agent. This additional information will be loaded with the agent's information, or calculated as defined in the mappings. The additional data can be used in both mappings and triggers. The attributes which you define here will be shown when you click on the proper account, on the Accounts Tabs at user page. ## Operational ### Monitoring After the agent configuration you could check in the monitoring page if the service is running in the Synchronization Server, please go to: - Start Menu > Administration > Monitoring and reporting > Syscserver monitoring ### Tasks #### Authoritative If you are checked "Authorized identity source", an automatic task to load identities from the managed system to Soffid is available, please go to: - Start Menu > Administration > Monitoring and reporting > Scheduled tasks And you will something like "Import authoritative data from <AGENT\_NAME>". #### Reconcile If you are configured the "Attribute Mapping" tab with some of our objects: "user or group", an automatic task to synchronize these objects from the managed system to Soffid is available, please go to: - Start Menu > Administration > Monitoring and reporting > Scheduled tasks And you will do something like "Reconcile all accounts from <AGENT\_NAME>". ### Synchronization Regarding the synchronization of the objects, there are two possible options: - If you are checked the generic attribute "Read Only" in the "Basics" tab, only the changes in the managed systems will be updated in Soffid. We recommend these options until the global configuration of Soffid will be tested. - If you are not checked the generic attribute "Read Only" in the "Basics" tab, all the changes in Soffid or the managed system will be updated in the other. Note that this synchronization must be configured in the "Attribute mapping" tab correctly.For more information about how you may configure the generic parameters of the agent, see the following link: [Agents configuration](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/agents "Agents")
# JSON REST Web Services Connector # JSON REST Web Services Connector ## Introduction ### Description This connector allows the integration with any Web Service able to consume and generate JSON documents through REST communication. ### Managed System Every commercial product or custom web application allows REST communication with JSON documents. There are a lot of products that use this standard, for instance: - JIRA. - Oracle Field Service Cloud (OFSC). - Office 365. - AWS. - Google Cloud.If your system is not in the previous list, it's possible to include it easily! For more information to check if your system may be synchronized with this connector you do not hesitate to contact us through our [Contact form](http://www.soffid.com/contactform/)
### Prerequisites It is needed a user with access and permissions to the endpoints and operations required in the scope of the integration. Also, the documentation, specification, or tutorial of the implementation of the JSON REST Web Service is required to apply the mapping configuration. ## Download and Install This addon is located in the Connectors section and its name is **REST (json) plugin**.You can visit the [Addons Getting started page](https://bookstack.soffid.com/books/addons-getting-started/page/getting-started) for more information about the installation process.
## Agent Configuration ### Basic #### Generic parameters After the installation of the addon, you may create and configure agent instances. To configure this JSON REST Web Service Connector you must select "JSON Rest Webservice" in the attribute "Type" of the generic parameters section in the agents' page configuration.For more information about how you may configure the generic parameters of the agent, see the following link: [Agents configuration](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/agents "Agents")
[](https://bookstack.soffid.com/uploads/images/gallery/2022-07/image-1658998971348.png) #### Custom parameters Below there are the specific parameters for this agent implementation:**Parameter** | **Description** |
|---|---|
| Server URL | URL of the REST web service. Base URL for making calls. |
| Authentication method | Available options: - **None**: no authentication (User and Password are not used). - **Basic**: it uses the User and Password to generate the authentication token. - **Bearer token**: it is provided by the application to which we are trying to connect. - **Token**: generate a token from a specific authentication URL. It is no longer used. - **Token oAuth Client Credentials**: authenticates based on a client ID and a client secret. - **Token oAuth Password Grant**: authenticates based on a client ID and a client secret plus a user name and a password. *(\*) You can find more information in the [Authentication method](#bkmrk-%28%2A%29-authentication-m) section.* |
| Enable debug | Two options: "Yes", "No": it enables or not more log traces in the Synchronization Server log |
| Proxy host | Only when the proxy is needed. |
| Proxy port | Only when the proxy is needed. |
| XML Templates | Allows you to add new XML templates with SOAP requests and then configure them at attribute mappings. |
Note that any changes made to the methods will affect the properties and vice versa.
#### Methods This agent allows you to define methods to be called using the defined properties. There are some default methods, but you can customize your own methods. Default methods: - load - delete - update - insert - select **For each method**, the properties to set up are as follows:**Properties** | **Description** |
|---|---|
| Path | A valid URL to call. This path must be the continuation of the Server URL for making calls. |
| Method | Available methods to call a Rest API (GET, POST, PUT, DELETE, PATCH) |
| Encoding | The specific type of encoded data that will be used. There are three supported types: - application/x-www-form-urlencoded - application/json - text/xml |
| XML Template | Applies only if it is *text/xml*. You need to write the name of the corresponding template defined on the XML Templates. |
| Parameters | Applies with *application/x-www-form-urlencoded* and *application/json* - You must type which attributes, defined on the System attributes, will be sent. - If none are to be sent, you must write the hyphen character "-". - If nothing is typed, all parameters are sent. |
| Success HTTP Codes | HTTP codes that should be interpreted as OK. If no code is entered, Soffid will take as valid codes the following: 200, 201, 204 and 404. If you type the Success HTTP codes, it will be not necessary to type the Failure HTTP codes. ```JavaScript 204 201 200 ``` ```JavaScript 200,212 ``` You can use blanks or commas to separate the codes. |
| Failure HTTP Codes | Soffid will take by default as failure all codes not indicated in Success HTTP Codes. If you type the Failure HTTP codes, it will be not necessary to type the Success HTTP codes. ```JavaScript 400 403 ``` ```JavaScript 403,405, 400 ``` You can use blanks or commas to separate the codes. |
| Results | Gets the object or object list from the response received. You need to indicate a JSON attribute name to check and get the data. If this element is not present, or empty, the connector will conclude the user does not exist yet. You can type simple attribute names or even complex scripts. |
| Pagination URL | Often, the response from the API Rest service does not contain all the data because the data is too large. In these cases, you can use the paging options to request the data in blocks. When the response gives us the URL of the next page to fetch, you must type the tag name of this attribute. ```JavaScript return links{"next"}; ``` You have to choose one of the paging methods, using both is not compatible. |
| Pagination script | Often, the response from the API Rest service does not contain all the data because the data is too large. In these cases, you can use the paging options to request the data in blocks. You can type a complex script to get the next call that has to be done. There are two available objects: - response: JSON response as received - request: allows you to update the attributes and return true if you want to make a new call or false in another case ```Java o = response{"paging"}; if (o{"has_next_page"}) { nextPage = o{"page_number"} + 1; request.put("page", nextPage); return true; } else { return false; } ``` You have to choose one of the paging methods, using both is not compatible. |
| Condition script | Return false if you want to prevent a call. |
| Optional header | Use this property to send HTTP header(s). More than one header can be sent by adding multiple properties Optional Header1. The value of the header is "HEADER:VALUE", for instance, "Accept:application/json". |
**Family** | **Description** |
|---|---|
| Load | Used to retrieve all the objects in the target system |
| Select | Used to retrieve an object in the target system |
| Insert | Used to create an object in the target system |
| Update | Used to update an object in the target system |
| Delete | Used to remove an object in the target system |
**Process** | **Families** |
|---|---|
| Reconcile automatic task | Load + select |
| Authoritative automatic task | Load + select |
| Sync new object | Select + Insert |
| Sync updated object | Select + Update |
| Sync deleted object | Select + Delete |
You can find more information by visiting the [Properties attributes page](https://bookstack.soffid.com/books/connectors/page/json-rest-web-services-connector-properties).
#### Attributes You can customize attribute mappings, you only need to select system objects and the Soffid objects related, manage their attributes, and make either inbound and outbound attribute mappings. You may map the attributes of the target system with the Soffid available attributes. - For the target system attributes is required to be access to its specification. - For the Soffid attributes, you may follow the next link.For more information about how you may configure attribute mapping, see the following link: [Soffid Attribute Mapping Reference](https://bookstack.soffid.com/link/72#bkmrk-soffid-attributes)
For instance: As an example, below is how JSON connector will look like in order to manage JIRA accounts: [](https://bookstack.soffid.com/uploads/images/gallery/2022-07/image-1658843268020.png) #### Triggers You can define BeanShell scripts that will be triggered when data is loaded into the target system (outgoing triggers). The trigger result will be a boolean value, true to continue or false to stop. Triggers can be used to validate or perform a specific action just before performing an operation or just after performing an operation on target objects.To view some examples, visit the [Outgoing triggers examples page](https://bookstack.soffid.com/books/connectors/page/outgoing-triggers-examples "Outgoing triggers examples").
# JSON REST Web Services Connector - Properties In this agent, the configuration of the properties attributes is very important due to they define the functionality of the integration: This agent has five families of properties:**Family** | **Description** |
|---|---|
| Load | Used to retrieve all the objects in the target system |
| Select | Used to retrieve an object in the target system |
| Insert | Used to create an object in the target system |
| Update | Used to update an object in the target system |
| Delete | Used to remove an object in the target system |
**Process** | **Families** |
|---|---|
| Reconcile automatic task | Load + select |
| Authoritative automatic task | Load + select |
| Sync new object | Select + Insert |
| Sync updated object | Select + Update |
| Sync deleted object | Select + Delete |
| **Property** | **Description** |
|---|---|
| **loadPath** (required) | Denotes the path (relative to webserver root) where the WebService is located. It can contain variable names in the form of **${variableName}**. JSON connector will replace that name for the actual value. Eventually, complex expressions can be written in, but it's discouraged |
| **loadMethod** (required) | Denotes the HTTP method to use: PUT, POST, GET and DELETE are allowed |
| **loadEncoding** (required) | Type of encoded data that will be used. |
| **loadParams** (optional) | Put the character '-' in case you would avoid its value |
| **loadTemplate** (optional) | Name of the corresponding template defined on the XML Templates. |
| **loadResults** (optional) | But highly recommended) denotes the JSON portion that contains current data for the object. If this element is not present, or empty, the connector will conclude the object does not exist yet. This property will contain a simple JSON attribute name, but complex scripts are also allowed. |
| **loadSuccessCodes** (optional) | The HTTP codes to be interpreted as OK. |
| **loadFailureCodes** (optional) | The HTTP codes to be interpreted as Error. |
| **loadNext** (optional) | Next page to fetch. When the response gives us the URL of the next page to fetch, you must type the tag name of this attribute. |
| **loadPagination** (optional) | Complex script to get the next call that has to be done. |
| **loadCondition** (optional) | Script to prevent a call. To prevent the call must return false. |
| **loadHeader** (optional) | Use this property to send HTTP header(s). More than one header can be sent by adding multiple properties loadHeader1, loadHeader2, and so on. The value of the header is "HEADER:VALUE", for example "Accept:application/json". |
| **Property** | **Description** |
|---|---|
| **selectPath** (required) | Denotes the path (relative to webserver root) where the WebService is located. It can contain variable names in the form of **${variableName}**. JSON connector will replace that name for the actual value. Eventually, complex expressions can be written in, but it's discouraged |
| **selectMethod** (required) | Denotes the HTTP method to use: PUT, POST, GET and DELETE are allowed |
| **selectEncoding** (required) | Denotes the encoding used to send to the target webservice. **application/json** and **application/x-www-form-urlencoded** are supported. The first one is used by default to POST and PUT requests. The second one is used by default for GET and DELETE requests |
| **selectParams** (optional) | Put the character '-' in case you would avoid its value |
| **selectTemplate** (optional) | Name of the corresponding template defined on the XML Templates. |
| **selectResults** (optional) | Denotes the JSON portion that contains current data for the object. If this element is not present, or empty, the connector will conclude the object does not exist yet. This property will contain a simple JSON attribute name, but complex scripts are also allowed |
| **selectSuccessCodes** (optional) | The HTTP codes to be interpreted as OK. |
| **selectFailureCodes** (optional) | The HTTP codes to be interpreted as Error. |
| **selectNext** (optional) | Next page to fetch. When the response gives us the URL of the next page to fetch, you must type the tag name of this attribute. |
| **selectPagination** (optional) | Complex script to get the next call that has to be done. |
| **selectCondition** (optional) | Script to prevent a call. To prevent the call must return false. |
| **selectHeader** (optional) | Use this property to send HTTP header(s). More than one header can be sent by adding multiple properties selectHeader1, selectHeader2, and so on. The value of the header is "HEADER:VALUE", for instance, "Accept:application/json". |
**Property** | **Description** |
|---|---|
| **insertPath** (required) | Denotes the path (relative to webserver root) where the webservice is located. |
| **insertMethod** (required) | Denotes the HTTP method to use: PUT, POST, GET and DELETE are allowed |
| **insertEncoding** (required) | Denotes the encoding used to send to the target webservice. **application/json** and **application/x-www-form-urlencoded** are supported. The first one is used by default to POST and PUT requests. The second one is used by default for GET and DELETE requests |
| **insertTemplate** (optional) | Name of the corresponding template defined on the XML Templates. |
| **insertParams** (optional) | Type in the attributes that will be sent to the rest server. If this property is not set, all attributes will be sent. |
| **insertResults** (optional) | Denotes the JSON portion that contains current data for the object. If this element is not present, or empty, the connector will conclude the object does not exist yet. This property will contain a simple JSON attribute name, but complex scripts are also allowed |
| **insertSuccessCodes** (optional) | The HTTP codes to be interpreted as OK. |
| **insertFailureCodes** (optional) | The HTTP codes to be interpreted as Error. |
| **insertCondition** (optional) | Script to prevent a call. To prevent the call must return false. |
| **insertHeader** (optional) | Use this property to send HTTP header(s). More than one header can be sent by adding multiple properties insertHeader1, insertHeader2, and so on. The value of the header is "HEADER:VALUE", for example "Accept:application/json". |
**Property** | **Description** |
|---|---|
| **updatePath** (required) | Denotes the path (relative to webserver root) where the webservice is located |
| **updateMethod** (required) | Denotes the HTTP method to use: PUT, POST, GET and DELETE are allowed |
| **updateEncoding** (required) | Denotes the encoding used to send to the target webservice. **application/json** and **application/x-www-form-urlencoded** are supported. The first one is used by default to POST and PUT requests. The second one is used by default for GET and DELETE requests |
| **updateParams** (optional) | Type in the attributes that will be sent to the rest server. If this property is not set, all attributes will be sent. |
| **updateResults** (optional) | Denotes the JSON portion that contains current data for the object. If this element is not present, or empty, the connector will conclude the object does not exist yet. This property will contain a simple JSON attribute name, but complex scripts are also allowed |
| **updateSuccessCodes** (optional) | The HTTP codes to be interpreted as OK. |
| **updateFailureCodes** (optional) | The HTTP codes to be interpreted as Error. |
| **updateCondition** (optional) | Script to prevent a call. To prevent the call must return false. |
| **updateHeader** (optional) | Use this property to send HTTP header(s). More than one header can be sent by adding multiple properties updateHeader1, updateHeader2, and so on. The value of the header is "HEADER:VALUE", for example "Accept:application/json". |
**Property** | **Description** |
|---|---|
| **deletePath** (required) | Denotes the path (relative to webserver root) where the webservice is located |
| **deleteMethod** (required) | Denotes the HTTP method to use: PUT, POST, GET and DELETE are allowed |
| **deleteEncoding** (required) | Denotes the encoding used to send to the target webservice. **application/json** and **application/x-www-form-urlencoded** are supported. The first one is used by default to POST and PUT requests. The second one is used by default for GET and DELETE requests |
| **deleteParams** (optional) | Type in the attributes that will be sent to the rest server. If this property is not set, all attributes will be sent. |
| **deleteResults** (optional) | Denotes the JSON portion that contains current data for the object. If this element is not present, or empty, the connector will conclude the object does not exist yet. This property will contain a simple JSON attribute name, but complex scripts are also allowed |
| **deleteSuccessCodes** (optional) | The HTTP codes to be interpreted as OK. |
| **deleteFailureCodes** (optional) | The HTTP codes to be interpreted as Error. |
| **deleteCondition** (optional) | Script to prevent a call. To prevent the call must return false. |
| **deleteHeader** (optional) | Use this property to send HTTP header(s). More than one header can be sent by adding multiple properties deleteHeader1, deleteHeader2, and so on. The value of the header is "HEADER:VALUE", for example "Accept:application/json". |
Soffid provides you versions of the attribute mappings to import into the agent configuration:
- *Basic* attribute mappings: [agent-config-Office365-Basic.xml](https://bookstack.soffid.com/attachments/52) - Attribute mappings with *immutable ID and Azure groups*: [agent-config-Office365-MoreComplex.xml](https://bookstack.soffid.com/attachments/53) # How to configure the Jira Atlassian agent? ## Jira integration ### Prerequisites - You need to install the last version of JSON Rest Connector. ### Configuration Configure the Basic data to establish the connection [](https://bookstack.soffid.com/uploads/images/gallery/2022-07/image-1658994257906.png) Then, configure the attribute mappings [](https://bookstack.soffid.com/uploads/images/gallery/2022-07/image-1658994301791.png)Soffid provides you an XML file with the basic attribute mappings to import into the agent configuration [JIRA Soffid agent-config.xml](https://bookstack.soffid.com/attachments/54)
# LDAP Connector # LDAP Connector ## Introduction ### Description This connector implements the [LDAP](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol) standard and it is used to connect the Sync-Server with every server that allows this communication protocol. ### Managed System There are a lot of servers and products that use this standard, for instance, the most known systems are: - 389 Directory Server. - Apache Directory Server. - OpenLDAP. - OpenDJ. - Active Directory. - Oracle Directory Server. For more information: [List of LDAP software.](https://en.wikipedia.org/wiki/List_of_LDAP_software)If your system is not in the previous list, it's possible to include it easily! For more information to check if your system may be synchronized with this connector you do not hesitate to contact us through our [Contact form](http://www.soffid.com/contactform/)
### Prerequisites It is needed a user with full administrator access. ## Download and Install This addon is located in the Connectors section and its name is **LDAP plugin.**For more information about the installation process you can visit the [Addons Getting started](https://bookstack.soffid.com/books/addons-getting-started/page/getting-started "Addons installation") page.
## Agent Configuration ### Basic #### Generic parameters After the installation of the addon, you may create and configure agent instances. To configure this LDAP Connector you must select "LDAP-Custom (with triggers)" in the attribute "Type" of the generic parameters section in the agent's page configuration.For more information about how you may configure the generic parameters of the agent, see the following link: [Agents configuration](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/agents "Agents")
[](https://bookstack.soffid.com/uploads/images/gallery/2024-05/image-1715077578477.png) #### Custom parameters Below there are the specific parameters for this agent implementation:| **Parameter** | **Description** |
|---|---|
| User name | User name in DN format, including base name if needed |
| Password | Password |
| Host name | Host name of the server |
| Enable SSL | |
| Base DN | LDAP Base name |
| PasswordAttribute | |
| Password hash algorithm | The algorithm is used to encrypt the password. For instance SHA-1, SHA-256, MD5, etc |
| Password hash prefix | |
| LDAP Query page size | |
| Enable debug | Two options: Yes, No. When it is enabled more log traces are printed in the Synchronization Server log |
As a limitation, it cannot detect password changes to be propagated to other systems.
#### Properties Some agents require to configure some custom attributes, you will use the properties section to do that.**Property** | **Value** |
|---|---|
| rename | true |
| key | LDAP attribute where Soffid account name is stored. If the property is not present, object will be searched by its distinguishedName |
| modificationTimestamp | LDAP attribute |
| removeDisabledAccounts | Set to true to remove disabled accounts from LDAP server |
**Property** | **Value** |
|---|---|
| rename | true |
**System attribute** | **Value** |
|---|---|
| objectClass | LDAP Object Class. It can evaluate to an array of objects |
| dn | Full qualified object name |
For more information about how you may configure attribute mapping, see the following link: [Soffid Attribute Mapping Reference](https://bookstack.soffid.com/link/72#bkmrk-soffid-attributes)
For instance: [](https://bookstack.soffid.com/uploads/images/gallery/2022-07/image-1659087931478.png) #### Triggers You can define BeanShell scripts that will be triggered when data is loaded into the target system (outgoing triggers). The trigger result will be a boolean value, true to continue or false to stop. Triggers can be used to validate or perform a specific action just before performing an operation or just after performing an operation on target objects.To view some examples, visit the [Outgoing triggers examples page](https://bookstack.soffid.com/books/connectors/page/outgoing-triggers-examples "Outgoing triggers examples").
# Oracle Connectors # Oracle Connector ## Introduction ### Description Oracle Connector could manage an Oracle database.Soffid's Oracle connector supports Profiles since version 2.2.6.14
### Managed System This connector is specific for integration with an Oracle database, if you want to connect a generic SQL database, please visit the following page: [SQL Connector](https://bookstack.soffid.com/books/connectors/page/sql-connector "SQL Connector").For more information to check if your system may be synchronized with this connector you do not hesitate to contact us through our [Contact form](http://www.soffid.com/contactform/)
### Prerequisites It is needed a user with sysdba access and permissions. ##### User management Criteria: - Any user or account created will be granted the CREATE SESSION privilege. - Default tablespace for each user will be the USERS tablespace. It won't be changed for existing users. - Soffid passwords expiration date will be managed by Soffid. So, Oracle won't be notified about when those passwords need to be expired. - Roles and groups are automatically created when a user belonging to it is updated. Exceptions: - Error SQL: ….There was an error executing an SQL statement. - Contact with the administrator of the database. It may be a problem of user authorizations, administrator password validity, availability of space in the database, or saturation of it. ## Download and Install This addon is located in the Connectors section and its name is **Oracle Connector**.For more information about the installation process you can visit the [Addons Getting started](https://bookstack.soffid.com/books/addons-getting-started/page/getting-started "Addons installation") page.
## Agent Configuration This connector could manage User and Role objects. ### Basic #### Generic parameters After the installation of the addon, you may create and configure agent instances. To configure this Oracle Connector you must select "OracleAgent" in the attribute "Type" of the generic parameters section in the agents' page configuration.For more information about how you may configure the generic parameters of the agent, see the following link: [Agents configuration](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/agents "Agents")
[](https://bookstack.soffid.com/uploads/images/gallery/2024-01/image-1704283498429.png) #### Custom parameters Below there are the specific parameters for this agent implementation:| **Parameter** | **Description** |
|---|---|
| User | Sysdba user name to authenticate |
| Oracle password | Password of the user to authenticate |
| Connection string to database | Database URL. Use something like [jdbc:oracle:thin:@host:port:sid](http://jdbcoraclethin@hostportsid/) |
| Password to protect roles | Optional password to use on password protected roles |
| Default user profile | Optional profile to set limits on the database resources and the user password |
| Default tablespace | Optional tablespace for user creation |
| Temporary tablespace | Optional temporary tablespace for user creation |
| Enable debug | Two options: \[ Yes / No \]. When it is enabled more log traces are printed in the Synchronization Server log |
To view some examples, visit the [Incoming triggers examples page.](https://bookstack.soffid.com/books/connectors/page/incoming-triggers-examples "Incoming triggers examples")
### Access Control Oracle connector can establish an access control for Oracle Users. If the access control checkbox is enabled, only the users and applications that are listed on the access control page will be allowed to log in. So, you can restrict the IP address and application a user can connect from. This restriction does not apply to DBA users. [](https://bookstack.soffid.com/uploads/images/gallery/2024-01/image-1706003656568.png)Check that the user/account is not unmanaged.
When the Enable access control to the database check box is checked, the UpdateAccessControl task will be launched. The following tables will be created on the SQL Server: - **SC\_OR\_ACCLOG**: access log - **SC\_OR\_CONACC**: rule access control - **SC\_OR\_ROLE**: user roles. - **SC\_OR\_VERSION**: connector versions. When you try to connect to SQL Server, the logon\_audit\_trigger is launched to check if you have access or not. You can check the Access Logs page for access controls. ### Account metadata Agents allow you to create additional data, on the "Account metadata" tab, to customize the accounts created for that agent. This additional information will be loaded with the agent's information, or calculated as defined in the mappings. The additional data can be used in both mappings and triggers. The attributes that you define here will be shown when you click on the proper account, on the Accounts Tabs at user page. Operational ### Monitoring After the agent configuration you can check on the monitoring page if the service is running in the Synchronization Server, please go to: - Start Menu > Administration > Monitoring and reporting > Syscserver monitoring ### Tasks #### Authoritative If you checked "Authorized identity source", an automatic task to load identities from the managed system to Soffid is available, please go to: - Start Menu > Administration > Monitoring and reporting > Scheduled tasks And you will do something like "Import authoritative data from <AGENT\_NAME>". #### Reconcile To manage an automatic task to synchronize user objects from the managed system to Soffid is available, please go to: - Start Menu > Administration > Monitoring and reporting > Scheduled tasks And you will do something like "Reconcile all accounts from <AGENT\_NAME>". ### Synchronization Regarding the synchronization of the objects, there are two possible options: - If you check the generic attribute "Read Only" in the "Basics" tab, only the changes in the managed systems will be updated in Soffid. We recommend these options until the global configuration of Soffid is tested. - If you do not check the generic attribute "Read Only" in the "Basics" tab, all the changes in Soffid or the managed system will be updated in the other. Note that this synchronization must be configured in the "Attribute mapping" tab correctly.For more information about how you may configure the generic parameters of the agent, see the following link: [Agents configuration](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/agents "Agents")
# Oracle EBS Connector ## Introduction ### Description Oracle Connector could manage an Oracle E-Business Suite. ### Managed System This connector is specific for integration with an Oracle E-Business Suite, if you want to connect a generic SQL database, please visit the following page: [SQL Connector](https://bookstack.soffid.com/books/connectors/page/sql-connector "SQL Connector"). For more information about the Oracle E-Business Suite, please visit the following page: [Oracle E-Business Suite](https://www.oracle.com/es/products/applications/ebusiness/overview/index.html)For more information to check if your system may be synchronized with this connector you do not hesitate to contact us through our [Contact form](http://www.soffid.com/contactform/)
### Prerequisites It is needed a user with access and permissions to the database. ## Download and Install This addon is located in the Connectors section and its name is **Oracle EBS Connector.**For more information about the installation process you can visit the [Addons Getting started](https://bookstack.soffid.com/books/addons-getting-started/page/getting-started "Addons installation") page.
## Agent Configuration This connector could manage only User objects. Users created on Soffid will be created on EBS, in the same way disabled users on Soffid will be disabled on EBS. The responsibilities that exist in EBS can be assigned to the users. They must be created like roles on Soffid System previously, with the same name that the responsibility has on EBS. For instance: FND\_RESP | CSF | CSF\_FS\_PDA\_REP | STANDARD. ### Basic #### Generic parameters After the installation of the addon, you may create and configure agent instances. To configure this Oracle EBS Connector you must select "OracleEBudsinessAgent" in the attribute "Type" of the generic parameters section in the agents' page configuration.For more information about how you may configure the generic parameters of the agent, see the following link: [Agents configuration](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/agents "Agents")
#### Custom parameters Below there are the specific parameters for this agent implementation:| **Parameter** | **Description** |
|---|---|
| User | User name to authenticate |
| Oracle password | Password of the user to authenticate |
| Connection string to database | Database URL. Use something like [jdbc:oracle:thin:@host:port:sid](http://jdbcoraclethin@hostportsid/) |
To view some examples, visit the [Incoming triggers examples page.](https://bookstack.soffid.com/books/connectors/page/incoming-triggers-examples "Incoming triggers examples")
### Account metadata Agents allow you to create additional data, on the "Account metadata" tab, to customize the accounts created for that agent. This additional information will be loaded with the agent's information, or calculated as defined in the mappings. The additional data can be used in both mappings and triggers. The attributes which you define here will be shown when you click on the proper account, on the Accounts Tabs at user page. Operational ### Monitoring After the agent configuration you could check on the monitoring page if the service is running in the Synchronization Server, please go to: - Start Menu > Administration > Monitoring and reporting > Syscserver monitoring ### Tasks #### Authoritative If you are checked "Authorized identity source", an automatic task to load identities from the managed system to Soffid is available, please go to: - Start Menu > Administration > Monitoring and reporting > Scheduled tasks And you will something like "Import authoritative data from <AGENT\_NAME>". #### Reconcile To manage an automatic task to synchronize user objects from the managed system to Soffid is available, please go to: - Start Menu > Administration > Monitoring and reporting > Scheduled tasks And you will do something like "Reconcile all accounts from <AGENT\_NAME>". ### Synchronization Regarding the synchronization of the objects, there are two possible options: - If you are checked the generic attribute "Read Only" in the "Basics" tab, only the changes in the managed systems will be updated in Soffid. We recommend these options until the global configuration of Soffid will be tested. - If you are not checked the generic attribute "Read Only" in the "Basics" tab, all the changes in Soffid or the managed system will be updated in the other. Note that this synchronization must be configured in the "Attribute mapping" tab correctly.For more information about how you may configure the generic parameters of the agent, see the following link: [Agents configuration](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/agents "Agents")
# SAP Connector # SAP Connector ## Introduction ### Description SAP Connector could manage an SAP system. ### Managed System This connector is specific for integration with a SAP system through its interface BAPIs under the RFC standard. For more information about SAP, please visit the following page: [SAP](https://www.sap.com/spain/index.html)For more information to check if your system may be synchronized with this connector you do not hesitate to contact us through our [Contact form](http://www.soffid.com/contactform/)
### Prerequisites 1. The SAP Java Connector (JCO) must be installed in the host where the syncserver is running. 2. A SAP account must be created with permission to execute user administration BAPIs using RFC. Additionally, the attached SAP Role definition [Y\_SOFFID.SAP](https://bookstack.soffid.com/attachments/2) can be used to assign permissions to SOFFID RFC user. 3. The following transport order should be applied in order to synchronize passwords: [K953376.de1](https://bookstack.soffid.com/attachments/3) [R953376.de1](https://bookstack.soffid.com/attachments/4) ## Download and Install This addon is located in the Connectors section and its name is **SAP Connector.**For more information about the installation process you can visit the [Addons Getting started](https://bookstack.soffid.com/books/addons-getting-started/page/getting-started "Addons installation") page.
## Agent Configuration This connector could manage User, Account and Role objects. - All active users included in agent configuration will be added to SAP. - All inactive users on Soffid will be deleted from SAP. - Roles granted to a user will be added to ACTIVITY GROUPS on SAP. ### Basic #### Generic parameters After the installation of the addon, you may create and configure agent instances. This addon has2 available agents: - SAP (Complete) - SAP (Light)For more information about how you may configure the generic parameters of the agent, see the following link: [Agents configuration](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/agents "Agents")
#### Custom parameters Below there are the specific parameters for this agent implementation:| **Parameter** | **Description** |
|---|---|
| User Name | User name to authenticate |
| Password | Password of the user to authenticate |
| Host | Host of the instance of the SAP |
| System Type | \- Standar SAP R/3 \- Central User Administration (CUA) |
| Systen Number | System number of the server |
| Message server name | |
| Message server port | |
| Message server logon group | |
| Message server system id | |
| SAP Router string | |
| Client number | Client number of the server |
Language | Language of the server |
Unlock users | Values \[ YES | NO \]. If "YES" allows to Soffid to unblock blocked users |
Method to set productive passwords | \- Z\_SOFFID\_UPDATE\_PASSWORD \- BAPI\_USER\_CHANGE \- SUSR\_USER\_CHANGE\_PASSWORD\_RFC \- Z\_SOFFID\_SET\_PWD\_CHILD\_SYSTEMS (CUA only) |
| Manage SAP roles | Values \[ YES | NO \]. If "YES" allows to Soffid manage Roles |
| SAP Payroll to get employee data | SAP payroll to get employee data |
| Enable debug | Values \[ YES | NO \]. |
For more information about how you may configure attribute mapping, see the following link: [Soffid Attribute Mapping Reference](https://bookstack.soffid.com/link/72#bkmrk-soffid-attributes)
### Load triggers You can define BeanShell scripts that will be triggered when data is loaded into Soffid (incoming triggers). The trigger result will be a boolean value, true to continue or false to stop. Triggers can be used to validate or perform a specific action just before performing an operation or just after performing an operation into Soffid objects.To view some examples, visit the [Incoming triggers examples page.](https://bookstack.soffid.com/books/connectors/page/incoming-triggers-examples "Incoming triggers examples")
### Account metadata Agents allow you to create additional data, on the "Account metadata" tab, to customize the accounts created for that agent. This additional information will be loaded with the agent's information, or calculated as defined in the mappings. The additional data can be used in both mappings and triggers. The attributes which you define here will be shown when you click on the proper account, on the Accounts Tabs at user page. ## Operational ### Monitoring After the agent configuration you could check in the monitoring page if the service is running in the Synchronization Server, please go to: - Start Menu > Administration > Monitoring and reporting > Syscserver monitoring ### Tasks #### Authoritative If you are checked "Authorized identity source", an automatic task to load identities from the managed system to Soffid is available, please go to: - Start Menu > Administration > Monitoring and reporting > Scheduled tasks And you will something like "Import authoritative data from <AGENT\_NAME>". #### Reconcile If you are configured the "Attribute Mapping" tab with some of our objects: "user, account or role,", an automatic task to synchronize these objects from the managed system to Soffid is available, please go to: - Start Menu > Administration > Monitoring and reporting > Scheduled tasks And you will do something like "Reconcile all accounts from <AGENT\_NAME>". ### Synchronization Regarding the synchronization of the objects, there are two possible options: - If you are checked the generic attribute "Read Only" in the "Basics" tab, only the changes in the managed systems will be updated in Soffid. We recommend these options until the global configuration of Soffid will be tested. - If you are not checked the generic attribute "Read Only" in the "Basics" tab, all the changes in Soffid or the managed system will be updated in the other. Note that this synchronization must be configured in the "Attribute mapping" tab correctly.For more information about how you may configure the generic parameters of the agent, see the following link: [Agents configuration](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/agents "Agents")
# SCIM Connector # SCIM Connector ## Introduction ### Description SCIM connector can manage every target system with a published API that allows the SCIM protocol for communication. SCIM is basically a REST JSON web service with specific HTTP requests and responses, and also a specific JSON format for attributes and values.For more information about SCIM protocol you could visit its home page: [SCIM protocol,](http://www.simplecloud.info/) or to visit the introduction page of our SCIM addon: [Introduction to SCIM](https://bookstack.soffid.com/books/addons/page/introduction-to-scim "Introduction to SCIM")
### Managed System The official web of SCIM shows all the possible target systems that allow SCIM protocol: [SCIM implementations](http://www.simplecloud.info/#Implementations2) Some of the most popular implementations: - Soffid IAM - Active Directory SCIM Provisioning - Oracle Identity Manager - WSO2 Charo - Salesforce - Trello - SlackFor more information to check if your system may be synchronized with this connector, you do not hesitate to contact us through our [Contact form](http://www.soffid.com/contactform/)
### Prerequisites t is needed a user with access and permissions to the endpoints and operations required in the scope of the integration. Also, the documentation, specification or tutorial of the web service, despite SCIM defining a schema for the objects, most applications or servers use to implement extended or customized versions of it. ## Download and Install This addon is located in the Connectors section and its name is **SICM connector.**For more information about the installation process, you can visit the [Addons Getting started](https://bookstack.soffid.com/books/addons-getting-started/page/getting-started "Addons installation") page.
## Agent Configuration ### Basic #### Generic parameters After the installation of the addon, you may create and configure agent instances. To configure this SCIM Connector you must select "SCIM" in the attribute "Type" of the generic parameters section in the agents page configuration.For more information about how you may configure the generic parameters of the agent, see the following link: [Agents configuration](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/agents "Agents")
#### Custom parameters Below there are the specific parameters for this agent implementation:| **Parameter** | **Description** |
|---|---|
| Server URL | URL of the SCIM web service. It is used as the basis of the URL mapped to call the operations. |
| Authentication method | Options: - "None": no authentication. - "Basic": it uses "User name" and "Password" parameters to generate a basic authentication token to connect with the "Server URL" - "Token": it uses a token bearer generated from a specific "Authentication URL" using "username" and "password" in a GET HTTP request. The token bearer is used in the next requests to connect with the "Server URL" - "TokenBasic": it uses a token bearer generated from a specific "Authentication URL" using "User name" and "Password" as a basic authentication token. The token bearer is used in the next requests to connect with the "Server URL" |
| User name | User to authenticate |
| Password | Password of the user to authenticate |
| Authentication URL | URL to retrieve the token bearer used to authenticate with the "Server URL" |
| Enable debug | Two options: "Yes", "No": it enables or not more log traces in the Synchronization Server log |
| **Property** | **Meaning** |
|---|---|
| path (required) | Path relative to main service URL where this type of object is to be managed |
| keyAttribute (required) | The SCIM attribute is used to find objects on SCIM repository |
| changeProperty (optional) | For authoritative identity sources that support delta changes, this property sets the SCIM attribute used to identify the change number of any object |
| preventDeletion (optional) | Set to true to prevent Soffid from removing objects |
For more information about how you may configure attribute mapping, see the following link: [Soffid Attribute Mapping Reference](https://bookstack.soffid.com/link/72#bkmrk-soffid-attributes)
If you are trying to connect to WSO2IS server, you must enable the WSO2 workaround setting, in order to bypass some WSO2 buggy implementations. You can get default mappings for WSO2IS here: [wso2is-config.xml](https://bookstack.soffid.com/attachments/1). Download it and import it into the Soffid agent attribute mappings form.
For example: [](https://bookstack.soffid.com/uploads/images/gallery/2021-04/scim-connector-example.png) #### Triggers ### Load triggers ### Account metadata Agents allow you to create additional data, on the "Account metadata" tab, to customize the accounts created for that agent. This additional information will be loaded with the agent's information, or calculated as defined in the mappings. The additional data can be used in both mappings and triggers. The attributes which you define here will be shown when you click on the proper account, on the Accounts Tabs on the users' page. ## Operational ### Monitoring After the agent configuration you could check on the monitoring page if the service is running in the Synchronization Server, please go to: - Start Menu > Administration > Monitoring and reporting > Syscserver monitoring ### Tasks #### Authoritative If you are checked "Authorized identity source", an automatic task to load identities from the managed system to Soffid is available, please go to: - Start Menu > Administration > Monitoring and reporting > Scheduled tasks And you will something like "Import authoritative data from <AGENT\_NAME>". #### Reconcile If you are configured the "Attribute Mapping" tab with some of our objects: "user, account, role, group or grant", an automatic task to synchronize these objects from the managed system to Soffid is available, please go to: - Start Menu > Administration > Monitoring and reporting > Scheduled tasks And you will do something like "Reconcile all accounts from <AGENT\_NAME>". ### Synchronization Regarding the synchronization of the objects, there are two possible options: - If you are checked the generic attribute "Read Only" in the "Basics" tab, only the changes in the managed systems will be updated in Soffid. We recommend these options until the global configuration of Soffid will be tested. - If you are not checked the generic attribute "Read Only" in the "Basics" tab, all the changes in Soffid or the managed system will be updated in the other. Note that this synchronization must be configured in the "Attribute mapping" tab correctly.For more information about how you may configure the generic parameters of the agent, see the following link: [Agents configuration](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/agents "Agents")
# Shell Connector # Shell Connector ## Introduction ### Description Linux Connector could manage a lot of services running on Linux systems (either 32 or 64 bits). ### Managed System This connector has implemented several ways to communicate with services on Linux, below, the list of those services: - Shell - SSH - Cisco ASA - Exchange - Power ShellIf your system is not in the previous list, it's possible to include it easily! For more information to check if your system may be synchronized with this connector you do not hesitate to contact us through our [Contact form](http://www.soffid.com/contactform/)
### Prerequisites A Soffid Synchronization Server must be installed on the managed Linux system. ## Download and Install This addon is located in the Connectors section and its name is **Shell Connector.**For more information about the installation process you can visit the [Addons Getting started](https://bookstack.soffid.com/books/addons-getting-started/page/getting-started "Addons installation") page.
## Agent Configuration ### Basic #### Generic parameters After the installation of the addon, you may create and configure agent instances. To configure this Shell Connector you could select one agent, from the next list of available agents, in the attribute "Type" of the generic parameters section in the agents' page configuration. - Shell Agent - SSH Agent - Cisco ASA Agent - Exchange Agent - Power Shell AgentFor more information about how you may configure the generic parameters of the agent, see the following link: [Agents configuration](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/agents "Agents")
#### Custom parameters Below, there are the specific parameters for each agent implementation. ##### Shell Agent| **Parameter** | **Description** |
|---|---|
| Shell | Shell to assign to new users |
| Persistent | Two options \[ Yes , No \]. |
| Prompt | |
| Password hash algorithm | For instance SHA1, SHA-256 |
| Password hash prefix | For instance SHA |
| Enable debug | Two options: \[ Yes / No \]. When it is enabled more log traces are printed in the Synchronization Server log |
| **Parameter** | **Description** |
|---|---|
| User name | User Linux for the SSH connection |
| SSH Key file (optional) | |
| SSH Key (optional) | |
| Password | The password of the user Linux |
| Server | Host or IP of the server for the SSH connection |
| Password hash algorithm | For instance SHA1, SHA-256 |
| Password hash prefix | For instance SHA |
| Charset | For instance: UTF-8 |
| Enable debug | Two options: \[ Yes / No \]. When it is enabled more log traces are printed in the Synchronization Server log |
| **Parameter** | **Description** |
|---|---|
| User name | User Linux |
| Key file (optional) | |
| Password | The password of the user Linux |
| Privileged password | |
| Server | Host or IP of the server |
| Charset | For instance: UTF-8 |
| Enable debug | Two options: \[ Yes / No \]. When it is enabled more log traces are printed in the Synchronization Server log |
| **Parameter** | **Description** |
|---|---|
| User name | Exchange user (with administrator permissions) |
| Password | The password of the exchange user |
| Exchange server PS script (RemoteExchange.ps1 / exshell.psc1) | For instance "E:\\Microsoft\\Exchange Server\\V15\\Bin\\exshell.psc1" |
| Enable debug | Two options: \[ Yes / No \]. When it is enabled more log traces are printed in the Synchronization Server log |
| Exchange version | Options: \[ 2007 | 2010+ \] |
| **Parameter** | **Description** |
|---|---|
| Startup script | |
| Password hash algorithm | For instance SHA1, SHA-256 |
| Password hash prefix | For instance SHA |
| Enable debug | Two options: \[ Yes / No \]. When it is enabled more log traces are printed in the Synchronization Server log |
| **Property** | **Description** |
|---|---|
| check | fgrep $user /etc/passwd |
| delete | userdel $user |
| insert | useradd $user |
| selectAll | cat /etc/passwd |
| selectAllParse | (\[^:\]\*):\[^\\n\]\* |
| selectByAccountName | fgrep $user /etc/passwd |
| selectByAccountNameParse | (\[^:\]\*):\[^\\n\]\* |
| update | usermod $user |
| updatePassword | - |
| validatePassword | - |
| **Property** | **Description** |
|---|---|
| check | show run user $user |
| checkAttributes | user level |
| checkParse | username (\[^ \]+) password.\*privilege (\\d+)\\r\\n |
| delete | no username $user |
| insert | username $user password $password encrypted privilege $level |
| selectAll | show run user |
| selectAllAttributes | user level |
| selectAllParse | username (\[^ \]+) password.\*privilege (\\d+)\\r\\n |
| selectByAccountName | show run user |
| selectByAccountNameParse | username (\[^ \]+) password.\*privilege (\\d+)\\r\\n |
| selectByAccountNamelAttributes | user level |
| update | username $user password $password encrypted privilege $level |
| updatePassword | username $user password $password encrypted privilege $level |
| **Property** | **Description** |
|---|---|
| check | fgrep $user /etc/passwd |
| delete | userdel $user |
| insert | New-Mailbox -UserPrincipalName "${UserPrincipalName}" -Name "Shell plugin" -Alias "${Alias}" -Room |
| selectAll | Get-Mailbox |
| selectByAccountName | Get-Mailbox "Shell plugin" |
| update | usermod $user |
| updatePassword | - |
| validatePassword | - |
| **System attribute** | **Description** |
|---|---|
| user | accountName |
| this{"1"} | accountName |
| **System attribute** | **Description** |
|---|---|
| level | attributes{"level"} |
| user | accountName |
| password | password |
For more information about how you may configure attribute mapping, see the following link: [Soffid Attribute Mapping Reference](https://bookstack.soffid.com/link/72#bkmrk-soffid-attributes)
For instance: [](https://bookstack.soffid.com/uploads/images/gallery/2021-04/shell-connector-example.png) #### Triggers You can define BeanShell scripts that will be triggered when data is loaded into the target system (outgoing triggers). The trigger result will be a boolean value, true to continue or false to stop. Triggers can be used to validate or perform a specific action just before performing an operation or just after performing an operation on target objects. "Cisco ASA Agent" has not implemented this feature.To view some examples, visit the [Outgoing triggers examples page](https://bookstack.soffid.com/books/connectors/page/outgoing-triggers-examples "Outgoing triggers examples").
### Load triggers You can define BeanShell scripts that will be triggered when data is loaded into Soffid (incoming triggers). The trigger result will be a boolean value, true to continue or false to stop. Triggers can be used to validate or perform a specific action just before performing an operation or just after performing an operation into Soffid objects.To view some examples, visit the [Incoming triggers examples page.](https://bookstack.soffid.com/books/connectors/page/incoming-triggers-examples "Incoming triggers examples")
### Account metadata Agents allow you to create additional data, on the "Account metadata" tab, to customize the accounts created for that agent. This additional information will be loaded with the agent's information, or calculated as defined in the mappings. The additional data can be used in both mappings and triggers. The attributes which you define here will be shown when you click on the proper account, on the Accounts Tabs at user page. ## Operational ### Monitoring After the agent configuration you could check in the monitoring page if the service is running in the Synchronization Server, please go to: - Start Menu > Administration > Monitoring and reporting > Syscserver monitoring ### Tasks #### Authoritative If you are checked "Authorized identity source", an automatic task to load identities from the managed system to Soffid is available, please go to: - Start Menu > Administration > Monitoring and reporting > Scheduled tasks And you will something like "Import authoritative data from <AGENT\_NAME>". #### Reconcile If you are configured the "Attribute Mapping" tab with some of our objects: "user, account, role, group or grant", an automatic task to synchronize these objects from the managed system to Soffid is available, please go to: - Start Menu > Administration > Monitoring and reporting > Scheduled tasks And you will do something like "Reconcile all accounts from <AGENT\_NAME>". ### Synchronization Regarding the synchronization of the objects, there are two possible options: - If you are checked the generic attribute "Read Only" in the "Basics" tab, only the changes in the managed systems will be updated in Soffid. We recommend these options until the global configuration of Soffid will be tested. - If you are not checked the generic attribute "Read Only" in the "Basics" tab, all the changes in Soffid or the managed system will be updated in the other. Note that this synchronization must be configured in the "Attribute mapping" tab correctly.For more information about how you may configure the generic parameters of the agent, see the following link: [Agents configuration](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/agents "Agents")
# Invoker interface Any agent, trigger or mapping can use the invoker method for the ActiveDirectory agent. The invoker method is available in the dispatcherService class as well as the in the serverService. The invoker method is not specific of the Shell agent. Many other connectors support this method. The expected arguments are: - Action - Object name - Parameters Here you have an example of a post-update trigger to create the home server for a user: ```Java map = new HashMap(); map.put("user", source{"accountName"}); // Create folder dispatcherService.invoke("invoke", "mkdir /home/${user}", map); dispatcherService.invoke("invoke", "mkdir /home/${user}/Desktop", map); ``` There is a chance to execute operation across agents. For instance, if the system has an ActiveDirectory agent and an Exchange agent, here is a post-insert trigger to place in the post-insert trigger of the ActiveDirectory agent to execute a command in the Exchange one. ```Java map = new HashMap(); map.put("user", source{"accountName"}); // Create folder serverService.invoke("Exchange", "invoke", "EnableMailbox ${user}", map); ``` The list of allowed commands are:| **Command** | **Object name** | **Parameters** | **Comments** |
|---|---|---|---|
| invoke | Sentence to execute | Sentence parameters | Executes the command and return the results |
If your system is not in the previous list, it's possible to include it easily! For more information to check if your system may be synchronized with this connector you do not hesitate to contact us through our [Contact form](http://www.soffid.com/contactform/)
### Prerequisites It is needed a user with access and permissions to the schemes and tables required in the scope of the integration. To configure DB2/400 or Sybase it is mandatory to install the drivers in the lib directory of the Sync Server. The Java-ODBC bridge is deprecated in Java, and the support will be removed shortly. ## Download and Install The SQL is part of the default connectors, you do not need to install it, but you can upgrade it from the download management section.You can visit the [Connector Getting started page](https://bookstack.soffid.com/books/connectors/page/getting-started) for more information about the installation process.
## Agent Configuration ### Basic #### Generic parameters After the installation of the addon, you may create and configure agent instances. To configure this SQL connector you must select "Customizable SQL agent" in the attribute "Type" of the generic parameters section in the agent's page configuration.For more information about how you may configure the generic parameters of the agent, see the following link: [Agents configuration](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/agents "Agents")
[](https://bookstack.soffid.com/uploads/images/gallery/2022-07/image-1658999019877.png) #### Custom parameters Below there are the specific parameters for this agent implementation:| **Parameter** | **Description** |
|---|---|
| User name | Database user name to authenticate |
| Password | The password of the database user |
| Driver | Identifies the driver of the relational database to use. Currently, these are the supported databases: MySQL (& MariaDB), PostgreSQL, Oracle, MS SQL Server, Informix, DB2/400, DB2 Universal, Sybase, ODBC |
| DB URL | URL that identifies the connection properties. Please refer to the specific database vendor documentation to build this URL.
```
jdbc:mariadb:// |
| SQL Sentence to execute at startup | Each time the connection to the agent is established, this SQL statement will be executed. |
| Password hash algorithm | The algorithm is used to encrypt the password. For instance SHA1, SHA256, MD5, etc |
| Password hash prefix | Prefix to add it to the password. ``` {SHA1}BzE/DjIPIsv6Nc/CIFCOs/9FfH4= ``` ``` {SHA256}AIEM+LlNb8ucXeSE077EGHYgs+KHblmquQ2FL+Dxj7Y= ``` |
| Enable debug | Two options: **Yes**, and **No**. It enables or not more log traces in the Synchronization Server log |
| Synchronization method | - **Full synchronization**: persists the changes made in Soffid, regardless of the possible changes made in the final system. - **Incremental synchronization**: this type of synchronization is used to avoid losing changes that have been made to the target system. First, Soffid's changes will be propagated to the target system, and then the changes on the target system will be made in the Soffid system. If the changes are in the same attribute, the Soffid value is the one that will persist. *(\*\*)* |
| **Property** | **Value** |
|---|---|
| selectAll | SQL sentence that needs to be executed to retrieve all the objects that currently exist on the database. - Applies to authoritative identity sources. - On non-authoritative identity sources, only the columns needed to calculate the **name** soffid attribute are needed. You can use this property with the following objects: **user**, **account**, **role**, and **authoritative change**. ```SQL SELECT * FROM USERS ``` ```SQL SELECT * FROM ROLES ``` |
| check | SQL sentence that will return when a single object already exists on the database. You can use this property with **all the Soffid objects**. ```SQL SELECT ID FROM USERS WHERE USER=:USER ``` ```SQL SELECT ID FROM ROLES WHERE ROLE=:ROLE ``` |
| insert | SQL sentence to create a new object. You can use this property with **all the Soffid objects**. ```SQL INSERT INTO USERS VALUES (:USER, :FIRST_NAME, :LAST_NAME, :MAIL, :GROUP) ``` ```SQL INSERT INTO USER_ROLES (USETNAME, ROLNAME) VALUES (:USERNAME, :ROLNAME) ``` |
| update | SQL sentence to update an existing object. You can use this property with **all the Soffid objects**. ```SQL UPDATE USERS SET FIRST_NAME=:FIRST_NAME, LAST_NAME=:LAST_NAME, MAIL=:MAIL, GROUP=:GROUP WHERE ID=:ID ``` ```SQL UPDATE ROLES SET DESCRIPTION=:DESCRIPTION WHERE ROLE=:ROLE ``` |
| delete | SQL sentence to remove (or disable) an existing object. You can use this property with **all the Soffid objects**. ```SQL DELETE FROM USERS WHERE ID=:ID ``` ```SQL DELETE FROM USER_ROLES WHERE ID=:ID ``` |
| selectByAccount | SQL sentence to retrieve all the role grants made to an account (for single account information). You can use this property with the following objects: **grant.** ```SQL SELECT * FROM USER_ROLES WHERE USERNAME=:USER ``` |
| selectByName | SQL sentence to fetch role information based on its name (for single role information). You can use this property with the following objects: **role.** ```SQL SELECT * FROM ROLES WHERE ROLE=:ROLE ``` |
| updatePassword | SQL sentence to update the user password. You can use this property with the following objects: **user** and **account.** ```SQL UPDATE USERS SET PASS=:PASS WHERE USER=:USER ``` |
| validatePassword | SQL sentence to check the user password. You can use this property with the following objects: **user** and **account.** ```shell SELET 1 FROM USERS WHERE PASS=:PASS AND USER=:USER ``` |
For more information about how you may configure attribute mapping, see the following link: [Soffid Attribute Mapping Reference](https://bookstack.soffid.com/link/72#bkmrk-soffid-attributes)
Example for roles: [](https://bookstack.soffid.com/uploads/images/gallery/2022-07/image-1659003794802.png) Example for accounts: [](https://bookstack.soffid.com/uploads/images/gallery/2022-07/image-1659003867652.png) #### Triggers You can define BeanShell scripts that will be triggered when data is loaded into the target system (outgoing triggers). The trigger result will be a boolean value, true to continue or false to stop. Triggers can be used to validate or perform a specific action just before performing an operation or just after performing an operation on target objects.To view some examples, visit the [Outgoing triggers examples page](https://bookstack.soffid.com/books/connectors/page/outgoing-triggers-examples "Outgoing triggers examples").
### Integration flows #### Update UserVisit the [Integration flows Update user page](https://bookstack.soffid.com/books/connectors/page/integration-flows-update-user) for more information
#### Update AccountVisit the [Integration flows Update account page](https://bookstack.soffid.com/books/connectors/page/integration-flows-update-account-XIv) for more information
--- *(\*)* [*https://mariadb.com/kb/en/about-mariadb-connector-j/*](https://mariadb.com/kb/en/about-mariadb-connector-j/) [*https://docs.microsoft.com/es-es/sql/connect/jdbc/building-the-connection-url?view=sql-server-ver16*](https://docs.microsoft.com/es-es/sql/connect/jdbc/building-the-connection-url?view=sql-server-ver16) --- *(\*\*) Soffid provides two synchronization types:* - *Full synchronization* - *Incremental synchronization* *The first type, the **full synchronization** method, persists the changes made in Soffid, regardless of the possible changes made in the target system.* *For the second type, the **incremental synchronization** method, Soffid has developed a synchronization system, using custom internal attributes, to check what changes have been made to the different attributes of an object. Thus, it tries to avoid losing the changes that have been made in the target system. First, Soffid's changes will be propagated to the target system, and then the changes on the target system will be made in the Soffid system. If the changes are in the same attribute, the Soffid value is the one that will persist.* # SQL Integration flows - Update user ## Update user ### Introduction Soffid provides a workflow to create, modify, and delete a user in the final system. One can see the steps of the process in the following diagram. This process only applies to account type single users. ### Diagram [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1659448091093.png) ### Step by Step In this document, we will explain the process that Soffid performs to modify a user for the SQL connector. #### 1. Initial step First of all, Soffid checks if the user exists in Soffid and then checks the operation to perform, update or delete. **1.1.** If the **user does not exist in Soffid**, then Soffid asks to delete the user in the target System.❓ Warning message
📌 By clicking on the User to remove? step,...
You can configure all the properties related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660224430017.png)❓ Warning message
📊 Diagram
📌 By clicking on the User exists? step,...
You can configure all the properties related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660294676813.png)📌 By clicking on the Pre-delete triggers step,...
You can configure all the pre-delete triggers related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660295438225.png)📌 By clicking on the Remove user step,...
You can configure the properties related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660297226512.png)📌 By clicking on the Post-delete triggers step,...
You can configure the post-delete triggers related to the user object for this step. 📌 By clicking on the generate column values step,...
You can configure the attributes related to the user object for this step. 📌 By clicking on the User exists? step,...
You can configure the properties related to the user object for this step. 📊 Diagram
📌 By clicking on the Create user step,...
You can configure the properties related to the user object for this step. 📌 By clicking on the Post-insert triggers step,...
You can configure the Post-insert triggers related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660290613568.png)📊 Diagram
📌 By clicking on the Pre-update triggers step,...
You can configure the Pre-update triggers related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660305125794.png)📌 By clicking on the update user step,...
You can configure the properties related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660305271649.png)📌 By clicking on the Post-update triggers step,...
You can configure the Post-update triggers related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660305556302.png)📌 By clicking on the generates account columns values step,...
You can configure the attribute mappings related to the grant object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660297529635.png)📌 By clicking on the fetch current grants step,...
You can configure the properties related to the grant object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660298601931.png)📌 By clicking on the parse grant rows step,...
You can configure the attribute mappings related to the grant object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660298660328.png)📊 Diagram
📌 By clicking on the generate grant column values step,...
You can configure the attribute mappings related to the grant object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660306333224.png)📌 By clicking on the Pre-insert triggers step,...
You can configure the Pre-insert triggers related to the grant object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660651106043.png)📌 By clicking on the create grant step,...
You can configure the properties related to the grant object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660306637374.png)📌 By clicking on the Post-insert triggers column values step,...
You can configure the Post-Update related to the grant object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660651171773.png)📊 Diagram
📌 By clicking on the pre-delete trigger step,...
You can configure the Pre-delete triggers related to the grant object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660651495130.png)📌 By clicking on the delete grant step,...
You can configure the properties related to the grant object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660651418301.png)📌 By clicking on the post-delete trigger step,...
You can configure the Post-delete triggers related to the grant object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660661955749.png)📑 Log detail
❓ Warning message
📌 By clicking on the User to remove? step,...
You can configure all the properties related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660224430017.png)❓ Warning message
📊 Diagram
📌 By clicking on the User exists? step,...
You can configure all the properties related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660294676813.png)📌 By clicking on the Pre-delete triggers step,...
You can configure all the pre-delete triggers related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660295438225.png)📌 By clicking on the Remove user step,...
You can configure the properties related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660297226512.png)📌 By clicking on the Post-delete triggers step,...
You can configure the post-delete triggers related to the user object for this step. 📌 By clicking on the generate column values step,...
You can configure the attributes related to the user object for this step. 📌 By clicking on the User exists? step,...
You can configure the properties related to the user object for this step. 📊 Diagram
📌 By clicking on the Create user step,...
You can configure the properties related to the user object for this step. 📌 By clicking on the Post-insert triggers step,...
You can configure the Post-insert triggers related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660290613568.png)📊 Diagram
📌 By clicking on the Pre-update triggers step,...
You can configure the Pre-update triggers related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660305125794.png)📌 By clicking on the update user step,...
You can configure the properties related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660305271649.png)📌 By clicking on the Post-update triggers step,...
You can configure the Post-update triggers related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660305556302.png)📌 By clicking on the generates account columns values step,...
You can configure the attribute mappings related to the grant object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660297529635.png)📌 By clicking on the fetch current grants step,...
You can configure the properties related to the grant object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660298601931.png)📌 By clicking on the parse grant rows step,...
You can configure the attribute mappings related to the grant object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660298660328.png)📊 Diagram
📌 By clicking on the generate grant column values step,...
You can configure the attribute mappings related to the grant object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660306333224.png)📌 By clicking on the Pre-insert triggers step,...
You can configure the Pre-insert triggers related to the grant object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660651106043.png)📌 By clicking on the create grant step,...
You can configure the properties related to the grant object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660306637374.png)📌 By clicking on the Post-insert triggers column values step,...
You can configure the Post-Update related to the grant object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660651171773.png)📊 Diagram
📌 By clicking on the pre-delete trigger step,...
You can configure the Pre-delete triggers related to the grant object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660651495130.png)📌 By clicking on the delete grant step,...
You can configure the properties related to the grant object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660651418301.png)📌 By clicking on the post-delete trigger step,...
You can configure the Post-delete triggers related to the grant object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660661955749.png)📑 Log detail
For more information to check if your system may be synchronized with this connector you do not hesitate to contact us through our [Contact form](http://www.soffid.com/contactform/)
### Prerequisites To enable LDAPS in your Active Directory, please read the following guide: [SSL access to Active Directory](https://bookstack.soffid.com/books/connectors/page/howto-ssl-access-to-active-directory "HOWTO SSL access to Active Directory"). It is needed an Active Directory user with full administrator access. ## Download and Install This addon is located in the Connectors section and its name is **Windows (including Active Directory)**.For more information about the installation process you can visit the [Addons Getting started](https://bookstack.soffid.com/books/addons-getting-started/page/getting-started "Addons installation") page.
## Agent Configuration ### Basic #### Generic parameters After the installation of the addon, you may create and configure agent instances. This addon has 5 available agents: - Active Directory - Active Directory Only Passwords - Simple Windows AgentFor more information about how you may configure the generic parameters of the agent, see the following link: [Agents configuration](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/agents "Agents")
#### Custom parameters Below there are the specific parameters for this agent implementation, "Active Directory" - Host name of the domain controller. - Active Directory distingished name in X500 format. e.g.: dc=soffid,dc=local - Administrator principal name in X500 format, relative to A.D name. e.g.: cn=Administrator,cn=Users - Administrator password| **Parameter** | **Description** |
|---|---|
| Hostname | Host name of the server |
| LDAP base DN | LDAP Base name |
| Principal name | User name in DN format, including base name if needed |
| Password | Password for the user to connect. |
| Enable debug | Two options: \[ Yes / No \]. When it is enabled more log traces are printed in the Synchronization Server log |
| Accepted certificates | Two options: \[ Only trusted certificates / Any (insecure) \] |
| Follow referrals | Two options: \[ Don't / Yes \] If you select the Yes option, Soffid could follow the references to other systems if Soffid has the proper permissions. |
| Manage child domains | Two options: \[ No / Yes \] If you select the Yes option, Soffid will manage the domain referrals. |
| Create OUs when needed | Two options: \[ No / Yes \] If you select the Yes option and the OUs do not exist, these OUs will be created in the Active Directory. |
| Real time load last login attribute | Two options: \[ No / Yes \] |
| Real time load identity changes | Two options: \[ No / Yes \] You can check this option to synchronize the identities when Soffid is the authoritative data source. You must enable periodic synchronization. |
| **Property** | **Description** |
|---|---|
| rename | AD agent will always map account and group names to the SAMAccount attribute. BaseDN and cn can be calculated based on user attributes. AD agent is able to move and rename AD objects. If you don't desire users or groups to be renamed or moved, an object property named "**rename**" with the value "**false**" can be added to some object mappings. |
| searchBase | You can configure it if you want the reconciliation process to search accounts on a directory subtree other than AD root, put a searchBase property with the relative tree to look for. |
| key | The AD attribute works as the primary key. Usually, it's the sAMAccountName and can be omitted. |
| createDisabledAccounts | Set to true if you want the connector to create disabled accounts in the active directory. By default, disabled accounts are not created until enabled. |
| **System attribute** | **Description** |
|---|---|
| objectClass | Active Directory object class. The following values mostly used "user", "group" or "organizationalUnit" |
| baseDn | Active Directory container where user or group should be created. Its value should be absolute, containing Active Directory DC parts |
| relativeBaseDn | Active Directory container where user or group should be created. Its value should be relative to Active Directory DC parts. |
| cn | Object name |
| **System attribute** | **Description** |
|---|---|
| sAMAccontName | Is automatically mapped. It is internally mapped to role name or account name, without further customization |
| accountExpires | Sets the last date (in nanoseconds since 1600) in which the account will be valid. A common mapping expression is: ```Java if ( attributes {"expirationDate"} == null) return 9223372036854775807L; else return attributes{"expirationDate"}.getTime() * 10000L + 116445528000000000L; ``` |
| samAccountType | Can be used to identify distribution lists. A value of 268435457 or 268435456 means the AD group is a distribution list group rather than a security group. |
| lastLogon | The attribute can be used to get the last time an account was used. Soffid attribute is named **lastLogin** and the right mapping could be the following one. Mind when you make a reference to lastLogon attribute, every domain controller is queried about this attribute, as its value is not replicated across AD controllers: ```Java if ( lastLogon == null || lastLogon == void) return null; Long v = Long.decode(lastLogon); v = v / 10000000L; v-=11644473600L; return new Date(v*1000); => lastLogin ``` |
| userCannotChangePassword | true/false This is a virtual attribute that can be used to indicate if a user can or cannot change the password. You can't assign this permission by directly modifying the UserAccountControl attribute. |
For more information about how you may configure attribute mapping, see the following link: [Soffid Attribute Mapping Reference](https://bookstack.soffid.com/link/72#bkmrk-soffid-attributes)
For instance: [](https://bookstack.soffid.com/uploads/images/gallery/2022-06/image-1654785419948.png) [](https://bookstack.soffid.com/uploads/images/gallery/2022-06/image-1654785472665.png) #### Triggers You can define BeanShell scripts that will be triggered when data is loaded into the target system (outgoing triggers). The trigger result will be a boolean value, true to continue or false to stop. Triggers can be used to validate or perform a specific action just before performing an operation or just after performing an operation on target objects.To view some examples, visit the [Outgoing triggers examples page](https://bookstack.soffid.com/books/connectors/page/outgoing-triggers-examples "Outgoing triggers examples").
## Avoid incremental load authoritative The Customizable Active Directory connector has an incremental load authoritative process. When this process is executed, it requests the changes to Active Directory after the **uSNChanged**. The value of this field is saved in Soffid in the parameter **soffid.sync.authoritative.change.NAME\_OF\_THE\_AGENT**If you want to launch a complete load authoritative process, remove this parameter first. At the end of the process, the parameter will be generated automatically.
For more information, go to the [Soffid Parameters page](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/soffid-parameters "Soffid parameters"). ## Password Rotation When you are configuring password rotation using Windows Connector, it could be necessary to make some changes in the local computar policies. The Local Computer Policies on the target Windows server mentioned below: - **User Account Control: Admin Approval Mode for Built-in Administrator Account** - **User Account Control: Run All Administrator in Admin Approval Mode** Need to be disabled for PAM application to connect target server and reset password of privilege accounts. If the Policies are originally in ‘Enabled’ mode, then after disabling them a system restart may required for the Policies to get applied on target servers properly. To check the User Access Policies on servers, follow below mentioned path: Open group policy editor **Run > gpedit.msc > Local Computer Policy > Windows Settings > Security Settings > Local Policies > Security Options > select policy ‘User Account Control: Run all administrators in Admin Approval Mode’ and ‘User Account Control: Run All Administrator in Admin Approval Mode’ and select Disabled and apply > OK**. # HOWTO SSL access to Active Directory Table of Contents - [Introduction](#bkmrk-introduction). - [Installing the Certificate Services](#bkmrk-installing-the-certi). - [Configuring Automatic Certificate Request for Domain Controllers.](#bkmrk-configuring-automati) - [Check for Issued Certificate](#bkmrk-check-for-issued-cer). - [Import certificate](#bkmrk-import-certificate). ## Introduction This howto will show you how to install the Certificate Services in Windows Acive Directory Servers. Before beginning, make sure the Internet Information Server (IIS) is installed in your server. ## Installing the Certificate Services 1\. Click Start, select Control Panel and click Add or Remove Programs. [](https://bookstack.soffid.com/uploads/images/gallery/2021-04/win-connector-installing-1.png) 2\. In the Add or Remove Programs window, click Add/Remove Windows Components, check the Certificate Services and click Next. [](https://bookstack.soffid.com/uploads/images/gallery/2021-04/win-connector-installing-2.png) 3\. Click Next in the CA Type page. [](https://bookstack.soffid.com/uploads/images/gallery/2021-04/win-connector-installing-3.png) 4\. Fill up the Common name for this CA and click Next. [](https://bookstack.soffid.com/uploads/images/gallery/2021-04/win-connector-installing-4.png) 5\. Click Next in the Certificate Database Settings page. [](https://bookstack.soffid.com/uploads/images/gallery/2021-04/win-connector-installing-5.png) 6\. The Certificate Services will now be installed. [](https://bookstack.soffid.com/uploads/images/gallery/2021-04/win-connector-installing-6.png) 7\. Click Finish and restart your server. [](https://bookstack.soffid.com/uploads/images/gallery/2021-04/win-connector-installing-7.png) ## Configuring Automatic Certificate Request for Domain Controllers 1\. Click Start, select Administrative Tools and click Domain Controller Security Policy. [](https://bookstack.soffid.com/uploads/images/gallery/2021-04/win-connector-configuring-1.png) 2\. In the Default Domain Controller Security Settings window, click the Public Key Policies folder. [](https://bookstack.soffid.com/uploads/images/gallery/2021-04/win-connector-configuring-2.png) 3\. Right click Automatic Certificate Request Settings, select New and click Automatic Certificate Request. [](https://bookstack.soffid.com/uploads/images/gallery/2021-04/win-connector-configuring-3.png) 4\. Click Next in the Automatic Certificate Request Setup Wizard [](https://bookstack.soffid.com/uploads/images/gallery/2021-04/win-connector-configuring-4.png) 5\. Select Domain Controller in the Certificate Template page and click Next [](https://bookstack.soffid.com/uploads/images/gallery/2021-04/win-connector-configuring-5.png) 6\. Click Finish and reboot your server. [](https://bookstack.soffid.com/uploads/images/gallery/2021-04/win-connector-configuring-6.png) ## Check for Issued Certificate 1\. Click Start, select Administrative Tools and click Certification Authority. This will launch the Certification Authority application. [](https://bookstack.soffid.com/uploads/images/gallery/2021-04/win-connector-check-1.png) 2\. In Certification Authority, click the + sign and check the Issued Certificates folder if your server has been issued a certificate. [](https://bookstack.soffid.com/uploads/images/gallery/2021-04/win-connector-check-2.png) ## Import certificate 1\. Select the certificate and open it. Select the "Certification Path" tab and select the root certificate. [](https://bookstack.soffid.com/uploads/images/gallery/2021-04/win-connector-import-1.png) 2\. Click on "View Certificate" button and navigate to "Details" tab. [](https://bookstack.soffid.com/uploads/images/gallery/2021-04/win-connector-import-2.png) 3\. Click on "Copy to File..." button and follow the export steps to obtain the certificate. [](https://bookstack.soffid.com/uploads/images/gallery/2021-04/win-connector-import-3.png) 4\. Open cmd and go to the soffid-iam-sync instalation directory and execute: ```shell jre\bin\keytool -import -file “file” -keystore conf\cacerts -alias AD_CERT ``` Afterwards, the console will ask you for a password. Type the default password: changeit and press enter. # Invoker interface for Active Directory Any agent, trigger or mapping can use the invoker method for the ActiveDirectory agent. The invoker method is available in the dispatcherService class. The invoker method is not specific of the Active Directory agent. Many other connectors support this method. The expected arguments are: - Action - Object name - Parameters Here you have an example of a post-update trigger to create the home server for a user: ```Java map = new HashMap(); String server = "//"+source{"homeServer"}+"/"+source{"accountName"}; // Create folder f = dispatcherService.invoke("smb:mkdir", server, map); // Add administrator ACL map.put("user", "soffid_admin"); map.put("permission", "GENERIC_ALL"); map.put("flags", "CONTAINER_INHERIT_ACE OBJECT_INHERIT_ACE"); f = dispatcherService.invoke("smb:addacl", path, map); // Add user ACL map.put("user", source{"accountName"}); f = dispatcherService.invoke("smb:addacl", path, map); // Change folder ownership using a domain admin account map.put("_auth_user", "user1"); map.put("_auth_domain", "domain1"); map.put("_auth_password", "SuperSecret"); f = dispatcherService.invoke("smb:setOwner", path, map); ``` The example above uses the smb:mkdir action to create the folder, the smb:addacl to add a new access control list entry. Other commands allow the query and modification of Active Directory objects like users and groups. The list of allowed commands are:| **Command** | **Object name** | **Parameters** | **Comments** |
|---|---|---|---|
| insert | Object distinguished name | Object attributes | Creates a new active directory object |
| update | Object distinguished name | Object attributes | Modifies an existing active directory object. Only the attributes present in the map will be updated |
| delete | Object distinguished name | - | Removes an existing active directory object. |
| select | Base distinguished name | Object criteria attribute | Search for any object with the values specified in the parameters map, starting in the specified base DN. The return value is a list of maps. Each element in the list is an Active Directory object |
| get | Object distinguished name | - | Returns the object with the specified object DN. The return value is a list containing one or no maps. The map, if exists, contain the object attributes |
| smb:mkdir | Shared file | Optionally: - \_auth\_user - \_auth\_password - \_auth\_domain | Creates the shared folder. The shared folder name should follow the syntax //server/sharedFolder/Path or \\\\server\\\\sharedFolder\\Path It is recommended to use the first syntax because the second one requires the script to escape any backslash character, leading to a harder to read script |
| smb:exist | Shared file | Optionally: - \_auth\_user - \_auth\_password - \_auth\_domain | Returns a list with a single map. The map has the attribute exist with a boolean value indicating whether the file exists or not |
| smb:rmdir | Shared file | Optionally: - \_auth\_user - \_auth\_password - \_auth\_domain | Removes the full directory and any file or directory within |
| smb:rm | Shared file | Optionally: - \_auth\_user - \_auth\_password - \_auth\_domain | Removes the file or directory. The command will fail if the directory is not empty. |
| smb:getacl | Shared file | Optionally: - \_auth\_user - \_auth\_password - \_auth\_domain | Returns a list of maps representing each access control list entry for that file or folder. Each map has three values: - user: The user or group name. When the user or group is unknown, the user or group SID is used. - permission: A text string with the permissions granted with that ACE. The string contains one or more of these values concatenated: - FILE\_READ\_DATA - FILE\_WRITE\_DATA - FILE\_APPEND\_DATA - FILE\_EXECUTE - FILE\_LIST\_DIRECTORY - FILE\_ADD\_FILE - FILE\_ADD\_SUBDIRECTORY - FILE\_TRAVERSE - FILE\_DELETE\_CHILD - FILE\_READ\_ATTRIBUTES - FILE\_WRITE\_ATTRIBUTES - FILE\_READ\_EA - FILE\_WRITE\_EA - DELETE - READ\_CONTROL - WRITE\_DAC - WRITE\_OWNER - SYNCHRONIZE - ACCESS\_SYSTEM\_SECURITY - MAXIMUM\_ALLOWED - GENERIC\_ALL - GENERIC\_EXECUTE - GENERIC\_WRITE - GENERIC\_READ - flags: A text string with the inheritance flags for that ACE. The string contains one or more of these values concatenated: - CONTAINER\_INHERIT\_ACE - FAILED\_ACCESS\_ACE\_FLAG - INHERIT\_ONLY\_ACE - INHERITED\_ACE - NO\_PROPAGATE\_INHERIT\_ACE - OBJECT\_INHERIT\_ACE - SUCCESSFUL\_ACCESS\_ACE\_FLAG |
| smb:addacl | Shared file | Map with these three values: - user - permission - flags And optionally, these ones: - \_auth\_user - \_auth\_password - \_auth\_domain | Adds an access control list with the specified permission and flags |
| smb:removeacl | Shared file | Map with these three values: - user - permission - flags And optionally, these ones: - \_auth\_user - \_auth\_password - \_auth\_domain | Remove the access control list entry that matches the map. If the permission or flag is missing, the connector will remove any access control list entry for the specified user |
| smb:setowner | Shared file | Map with the value: - user And optionally, these ones: - \_auth\_user - \_auth\_password - \_auth\_domain | Sets the directory owner to the one specified in the map |
💻 Image
[](https://bookstack.soffid.com/uploads/images/gallery/2024-09/1yGT7TjizrUrCvmT-image.png)💻 Image
[](https://bookstack.soffid.com/uploads/images/gallery/2024-09/aclMeSvWytJZzE76-image.png)💻 Image
[](https://bookstack.soffid.com/uploads/images/gallery/2024-09/gJVyMEX84ypmdODw-image.png) Generated Task in the AD agent [](https://bookstack.soffid.com/uploads/images/gallery/2024-09/6sSpHMs3QIR6QySu-image.png)❓ Warning message
📌 By clicking on the User to remove? step,...
You can configure all the properties related to the user object for this step [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661421084985.png)❓ Warning message
📊 Diagram
[](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661440073073.png)📌 By clicking on the Pre-delete triggers step,...
You can configure all the pre-delete triggers related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661427702845.png)📌 By clicking on the Post-delete triggers step,...
You can configure the post-delete triggers related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661427821300.png)📌 By clicking on the generate AD user step,...
You can configure the attributes related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661430867005.png)📊 Diagram
[](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661440189859.png)📌 By clicking on the Post-insert triggers step,...
You can configure the Post-insert triggers related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660290613568.png)📊 Diagram
[](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661440155417.png)📌 By clicking on the Pre-update triggers step,...
You can configure the Pre-update triggers related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660305125794.png)📌 By clicking on the update user step,...
You can configure the properties related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661431455021.png)📌 By clicking on the Post-update triggers step,...
You can configure the Post-update triggers related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661500966301.png)📊 Diagram
[](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661440287892.png)📌 By clicking on the Pre-delete triggers step,...
You can configure the Pre-delete triggers related to the grant object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661497389637.png)📌 By clicking on the Post-delete triggers column values step,...
You can configure the Post-Update related to the grant object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661497647604.png)📊 Diagram
[](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661440333930.png)📌 By clicking on the pre-delete trigger step,...
You can configure the Pre-delete triggers related to the grant object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660651495130.png)📌 By clicking on the post-insert trigger step,...
You can configure the Post-insert triggers related to the grant object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660661955749.png)📑 Log detail
[](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661500002798.png)❓ Warning message
📌 By clicking on the Account to remove? step,...
You can configure all the properties related to the account object for this step [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661507222061.png)❓ Warning message
📊 Diagram
[](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661508089980.png)📌 By clicking on the Pre-delete triggers step,...
You can configure all the pre-delete triggers related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661427702845.png)📌 By clicking on the Post-delete triggers step,...
You can configure the post-delete triggers related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661427821300.png)📌 By clicking on the generate AD user step,...
You can configure the attributes related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661430867005.png)📊 Diagram
[](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661508113071.png)📌 By clicking on the Post-insert triggers step,...
You can configure the Post-insert triggers related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660290613568.png)📊 Diagram
[](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661508149332.png)📌 By clicking on the Pre-update triggers step,...
You can configure the Pre-update triggers related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660305125794.png)📌 By clicking on the update user step,...
You can configure the properties related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661431455021.png)📌 By clicking on the Post-update triggers step,...
You can configure the Post-update triggers related to the user object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661500966301.png)📊 Diagram
[](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661508169038.png)📌 By clicking on the Pre-delete triggers step,...
You can configure the Pre-delete triggers related to the grant object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661497389637.png)📌 By clicking on the Post-delete triggers column values step,...
You can configure the Post-Update related to the grant object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661497647604.png)📊 Diagram
[](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661508179273.png)📌 By clicking on the pre-delete trigger step,...
You can configure the Pre-delete triggers related to the grant object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660651495130.png)📌 By clicking on the post-insert trigger step,...
You can configure the Post-insert triggers related to the grant object for this step. [](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1660661955749.png)📑 Log detail
[](https://bookstack.soffid.com/uploads/images/gallery/2022-08/image-1661508404245.png)For more information to check if your system may be synchronized with this connector you do not hesitate to contact us through our [Contact form](http://www.soffid.com/contactform/)
### Prerequisites A Soffid Synchronization Server must be installed on the Zarafa server. ## Download and Install This addon is located in the Connectors section and its name is **Zarafa Connector**.For more information about the installation process you can visit the [Addons Getting started](https://bookstack.soffid.com/books/addons-getting-started/page/getting-started "Addons installation") page.
## Agent Configuration ### Basic #### Generic parameters After the installation of the addon, you may create and configure agent instances. To configure this Zarafa Connector you could select "Zimbra Agent" or the "Customizable Zimbra Agent" in the attribute "Type" of the generic parameters section in the agent's page configuration. The difference between both agents is that "Customizable Zimbra Agent" allows "Attribute mapping" and includes "Account metadata".For more information about how you may configure the generic parameters of the agent, see the following link: [Agents configuration](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/agents "Agents")
#### Custom parameters Below there are the specific parameters for this agent implementation:| **Parameter** | **Description** |
|---|---|
| Zimbra admin tool (zmprov) | Zarafa command line tool (this uses to be zarafa-admin) |
| Zimbra mailbox tool (zmmailxbox) | Existing role in Soffid to be mapped with the Zarafa administrator role. Every user who has this role granted will be created in Zarafa with the administrator flag on |
| Create alias profile | Values \[ true , false \]. |
| Fullname expression (*only for Zimbra Agent*) | |
| Delete accounts (*only for Customizable Zimbra Agent*) | Values \[ true , false \]. If "true" it allows deleting account in Zarafa when the account is deleted in Soffid. |
| **System attribute** | **Description** |
|---|---|
| zimbraAccountStatus | accountDisabled ? "closed": "active" |
| givenName | firstName |
| displayName | fullName |
| sn | lastName |
| zimbraAccount | accountName |
For more information about how you may configure attribute mapping, see the following link: [Soffid Attribute Mapping Reference](https://bookstack.soffid.com/link/72#bkmrk-soffid-attributes)
For instance: [](https://bookstack.soffid.com/uploads/images/gallery/2021-04/zafara-connector-example.png) #### Triggers ### Load triggers ### Account metadata Accounts are default objects in Soffid. Agents allow you to create additional custom data, on the "Account metadata" tab, to customize the accounts created only for that agent. The attributes which you define here will be shown when you click on the proper account, on the Accounts Tabs on the users' page. At this tab, you could add or delete custom attributes. You can visit the [Metadata page](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/metadata "Metadata") for more information about the standard attributes. ## Operational ### Monitoring After the agent configuration you could check on the monitoring page if the service is running in the Synchronization Server, please go to: - Start Menu > Administration > Monitoring and reporting > Syscserver monitoring ### Tasks #### Authoritative If you are checked "Authorized identity source", an automatic task to load identities from the managed system to Soffid is available, please go to: - Start Menu > Administration > Monitoring and reporting > Scheduled tasks And you will something like "Import authoritative data from <AGENT\_NAME>". #### Reconcile If you are configured the "Attribute Mapping" tab with some of our objects: "user, account, role, group or grant", an automatic task to synchronize these objects from the managed system to Soffid is available, please go to: - Start Menu > Administration > Monitoring and reporting > Scheduled tasks And you will do something like "Reconcile all accounts from <AGENT\_NAME>". ### Synchronization Regarding the synchronization of the objects, there are two possible options: - If you are checked the generic attribute "Read Only" in the "Basics" tab, only the changes in the managed systems will be updated in Soffid. We recommend these options until the global configuration of Soffid will be tested. - If you are not checked the generic attribute "Read Only" in the "Basics" tab, all the changes in Soffid or the managed system will be updated in the other. Note that this synchronization must be configured in the "Attribute mapping" tab correctly.For more information about how you may configure the generic parameters of the agent, see the following link: [Agents configuration](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/agents "Agents")
# SQL Server # SQL Server Connector ## Introduction ### Description The SQL Server connector allows an easy way to configure and manage Microsoft SQL Server relational databases. ### Managed System This connector is specific for integration with the Microsoft SQL Server.For more information to check if your system may be synchronized with this connector, do not hesitate to contact us through our [Contact form](http://www.soffid.com/contactform/)
We can also manage more relational databases, for more information you can check the [List of relational databases](https://en.wikipedia.org/wiki/List_of_relational_database_management_systems). ### Prerequisites It is needed a user with access and permissions to the schemes and tables required in the scope of the integration. ## Download and Install This addon is located in the Connectors section and its name is **SQLServer**.For more information about the installation process, you can visit the [Addons Getting started](https://bookstack.soffid.com/books/addons-getting-started/page/getting-started "Addons installation") page.
## Agent Configuration This connector could manage User and Role objects. ### Basic #### Generic parameters After the installation of the addon, you may create and configure agent instances. To configure this SQL Server connector you must select "SQLServer agent" in the attribute "Type" of the generic parameters section in the agent's page configuration.For more information about how you may configure the generic parameters of the agent, see the following link: [Agents configuration](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/agents "Agents")
[](https://bookstack.soffid.com/uploads/images/gallery/2024-01/image-1704443217219.png) #### Custom parameters Below there are the specific parameters for this agent implementation:| **Parameter** | **Description** |
|---|---|
| User | Database user name to authenticate |
| Password | The password of the database user |
| Connection string to database | URL that identifies the connection properties. Please refer to the specific database vendor documentation to build this URL.
```
jdbc:sqlserver:// |
| Create agents for each database | Select the Yes value if you want to create an agent for each database found by the Reconcile process. |
| Enable debug | Two options: **Yes**, and **No**. It enables or not more log traces in the Synchronization Server log |
To view some examples, visit the [Incoming triggers examples page.](https://bookstack.soffid.com/books/connectors/page/incoming-triggers-examples "Incoming triggers examples")
### Access Control SQL Server connector can establish an access control for SQL Server Users. If the access control checkbox is enabled, only the users and applications that are listed on the access control page will be allowed to log in. So, you can restrict the IP address, the user roles, and the applications a user can connect from. This restriction does not apply to DBA users. [](https://bookstack.soffid.com/uploads/images/gallery/2024-01/image-1706004218812.png)Check that the user/account is not unmanaged.
When the Enable access control to the database check box is checked, the UpdateAccessControl task will be launched. The following tables will be created on the SQL Server: - **SC\_OR\_ACCLOG**: access log - **SC\_OR\_CONACC**: rule access control - **SC\_OR\_ROLE**: user roles. - **SC\_OR\_VERSION**: connector versions. When you try to connect to SQL Server, the logon\_audit\_trigger is launched to check if you have access or not. You can check the Access Logs page for access controls. ### Account metadata Agents allow you to create additional data, on the "Account metadata" tab, to customize the accounts created for that agent. This additional information will be loaded with the agent's information, or calculated as defined in the mappings. The additional data can be used in both mappings and triggers. The attributes that you define here will be shown when you click on the proper account, on the Accounts Tabs on the user page. Operational ### Monitoring After the agent configuration you can check on the monitoring page if the service is running in the Synchronization Server, please go to: - Start Menu > Administration > Monitoring and reporting > Syscserver monitoring ### Tasks #### Authoritative If you checked "Authorized identity source", an automatic task to load identities from the managed system to Soffid is available, please go to: - Start Menu > Administration > Monitoring and reporting > Scheduled tasks And you will do something like "Import authoritative data from <AGENT\_NAME>". #### Reconcile To manage an automatic task to synchronize user objects from the managed system to Soffid is available, please go to: - Start Menu > Administration > Monitoring and reporting > Scheduled tasks And you will do something like "Reconcile all accounts from <AGENT\_NAME>". ### Synchronization Regarding the synchronization of the objects, there are two possible options: - If you check the generic attribute "Read Only" in the "Basics" tab, only the changes in the managed systems will be updated in Soffid. We recommend these options until the global configuration of Soffid is tested. - If you do not check the generic attribute "Read Only" in the "Basics" tab, all the changes in Soffid or the managed system will be updated in the other. Note that this synchronization must be configured in the "Attribute mapping" tab correctly.For more information about how you may configure the generic parameters of the agent, see the following link: [Agents configuration](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/agents "Agents")