Overview:

This document describes how to set up the connector configuration for a splice, i.e. the part of the connector that is specific to one connected target system.

Prerequisite:

  • The form attributes and their datatypes are known to the configurator.
  • Connection details for the target-system service account
  • Authentication type
  • A configurations folder must be present in the same directory where the connector application jar has been deployed/copied

Configuration Directory Structure

/<Deployable Directory>

          /<Deployable Directory>/configurations

                    /<Deployable Directory>/configurations/scim 

                    /<Deployable Directory>/configurations/schemas

Configuration Detail:

Every connector requires two types of configuration: the SCIM configuration, and one schema configuration per type of resource.

There are also two YAML files: one specific to the IDHUB connector application (application.yml) and one for the splice-related configuration (splice.yml).

Resource Configuration:

All resource-specific configuration is kept under the directory /<Deployable Directory>/configurations/schemas.

There is one file per resource type. For example, for the resource Account there is a file Account.json.

Each resource file holds a JSON object with the following attributes:

id:

id of the resource in a specific format "urn:sath:params:scim:schemas:core:<compatible core version number>:<Resource Name>"

e.g. urn:sath:params:scim:schemas:core:1.0:Account

name:

The resource name as a string, e.g. Account

description:

Description of the resource as a string

attributes:

An array of JSON objects, one per resource-specific attribute of the IDHUB system.

Each object has the following 3 attributes:

name

The name of the IDHUB form attribute, as a string.

type

The datatype of the IDHUB attribute, as a string. Optional; the default is string.

required

Whether the attribute is required. A boolean; optional, and the default is true.

meta

A JSON object with 2 attributes, resourceType and location. It does not need to change unless the service provider asks for it on a new IDHUB release.

resourceType

location

schemas

Same as the id attribute mentioned above (the key is spelled schemas in the sample below).

matching-attributes

A list of target-system attribute names that splice uses to identify the unique resource in the target system (the LDAP attributes uid and mail in the sample). The combination of these values must be unique in the directory; if two entries share the same values, reconciliation cannot tell which target entry belongs to an IDHUB account.

i.e.

"matching-attributes": [
"uid",
"mail"
]

attribute-map

A mapping from each target-system resource attribute to the corresponding IDHUB resource attribute. The key is the target-system attribute name; attribute names the IDHUB attribute and type its datatype. The sample below additionally uses a query expression (for example .emails[].value) to select the value from the incoming payload.

"attribute-map": {
             "<TargetSystem Attribute Name>": {
                                      "type": "string",
                                      "attribute": "<IDHUB Attribute Name>"
                                        },

......

}

Check the sample below.

scripts

A JSON object holding the LDIF scripts for the CRUD operations and the mapping of target-system entries back to the response.

It has the following attributes:

insert

List of insert scripts, each as one string in LDIF form. The attributes in the script must be LDAP attributes; the ${scim.<name>} and ${this.<name>} placeholders are substituted at run time. Every attribute must be on its own line, separated by \n. Lines with an empty value (for example audio:) are optional attributes left blank in the template; DirectoryString attributes do not accept an empty value (RFC 4517), so remove the lines you do not need rather than shipping them empty.

e.g.

"dn: cn=${this.uid},ou=${this.ou},dc=iamsath,dc=com\nobjectClass: top\n#person\nobjectClass: person\nsn: ${scim.givenName}\ncn: ${scim.uid}\ntelephoneNumber: ${scim.phone}\nseeAlso:\ndescription:\n#org person\nobjectClass: organizationalPerson\nx121Address:\nregisteredAddress:\ndestinationIndicator:\npreferredDeliveryMethod:\ntelexNumber:\nteletexTerminalIdentifier:\ninternationaliSDNNumber:\nfacsimileTelephoneNumber:\nphysicalDeliveryOfficeName:\nou: People\n# inet org person\nobjectClass: inetorgperson\naudio:\nbusinessCategory:\ncarLicense:\ndisplayName: ${scim.displayName}\ngivenName: ${scim.givenName}\nhomePhone: ${scim.phone}\ninitials:\nlabeledURI:\nmail: ${scim.email}\no: ${scim.organization}\npager:\nroomNumber:\nsecretary:\nuid: ${scim.uid}"

update

List of update scripts, each as a string. The attributes in the script must be LDAP attributes. (The sample below reuses the insert LDIF for update.)

delete

List of delete scripts, each as a string. Keep it an empty array [].

select

List of select/search scripts, each as a string. Keep it an empty array [].

mappingToExistingToResponse

A list of JSON objects that maps the attributes of an existing target-system entry, referenced as ${ldif.<LDAP attribute>}, onto the IDHUB response fields. LDAP attributes are multi-valued, so an attribute mapped to an array-typed IDHUB attribute (memberOf to entitlements in the sample) should carry all of its values. The format is shown below:
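Added example, written for this page and not taken from the splice or connector code: what a safe renderer of these scripts has to do before the LDIF reaches the directory. RDN values substituted into the dn line are escaped per RFC 4514 section 2.4, so a uid containing a comma cannot move the new entry into another subtree; attribute values that are not RFC 2849 safe strings (non-ASCII, leading space or colon, line breaks) are emitted base64-encoded with the "::" form; and empty-valued lines are dropped. The shortened template, the two placeholder contexts (this and scim) and the sample values are constructed. The page does not state how splice itself escapes substituted values, so treat this as the check to run against its output.

```python
import base64
import re

# Constructed: a shortened version of the page's insert script, same placeholder style.
INSERT_TEMPLATE = (
    "dn: cn=${this.uid},ou=${this.ou},dc=iamsath,dc=com\n"
    "objectClass: top\n"
    "#person\n"
    "objectClass: person\n"
    "sn: ${scim.givenName}\n"
    "cn: ${scim.uid}\n"
    "telephoneNumber: ${scim.phone}\n"
    "seeAlso:\n"
    "objectClass: inetorgperson\n"
    "carLicense:\n"
    "displayName: ${scim.displayName}\n"
    "mail: ${scim.email}\n"
    "uid: ${scim.uid}\n"
)

PLACEHOLDER = re.compile(r"\$\{(this|scim)\.([A-Za-z0-9_]+)\}")


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4).

    Without this, a uid such as 'jdoe,ou=admins' would place the entry in a
    different subtree than the template intended.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '"+,;<>\\' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_attr_line(attr, value):
    """'attr: value' when value is an RFC 2849 SAFE-STRING, else 'attr:: base64'."""
    safe = (
        value.isascii()
        and value[:1] not in (" ", ":", "<")
        and not value.endswith(" ")
        and not any(c in value for c in "\r\n\x00")
    )
    if safe:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def render_ldif(template, this, scim):
    """Render one script to LDIF; comments are skipped and empty-valued
    attributes are dropped, since DirectoryString values must be non-empty."""
    ctx = {"this": this, "scim": scim}
    lines = []
    for raw in template.split("\n"):
        if not raw.strip() or raw.startswith("#"):
            continue
        attr, sep, rest = raw.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % raw)
        rest = rest.strip()
        if attr == "dn":
            # Each substituted RDN value is escaped on its own; the fixed
            # parts of the DN come from the trusted template.
            dn = PLACEHOLDER.sub(lambda m: escape_rdn_value(str(ctx[m.group(1)][m.group(2)])), rest)
            lines.append("dn: " + dn)
            continue
        m = PLACEHOLDER.fullmatch(rest)
        value = ctx[m.group(1)].get(m.group(2), "") if m else rest
        if str(value) == "":
            continue
        lines.append(ldif_attr_line(attr, str(value)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_ldif(INSERT_TEMPLATE,
                      {"uid": "jdoe,ou=admins", "ou": "People"},
                      {"uid": "jdoe,ou=admins", "givenName": "John", "phone": "+1 555 0100",
                       "displayName": "Jöhn Doe", "email": "jdoe@iamsath.com"}))
```

With the hostile uid the rendered dn line reads cn=jdoe\,ou=admins,ou=People,dc=iamsath,dc=com, i.e. the comma stays part of the cn value, while the uid attribute line keeps it unescaped because LDIF only base64-encodes values, it does not escape DN specials.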

"mappingToExistingToResponse": [
      {
        "id": "cn=${ldif.cn}, ou=${ldif.ou}, dc=iamsath, dc=com",
        "externalId": "${ldif.dn}",
        "UserLogin": "${ldif.uid}",
        "givenName": "${ldif.givenName}",
        "DisplayName": "${ldif.displayName}",
        "email": "${ldif.mail}",
        "PhoneNumber": "${ldif.telephoneNumber}",
        "manager": "${ldif.manager}",
        "lastReconTimestamp": "${ldif.modifyTimestamp}",
        "entitlements": "${ldif.memberOf}"

      }
    ]


configs

A JSON object holding the LDAP configuration used when searching for resources of this type; it may differ between resource types. In the sample, OBJECT_CLASS_PRESENT is the LDAP search filter that selects the entries of this resource type.

e.g.

"configs": {
    "OBJECT_CLASS_PRESENT": "(objectClass=person)"
  }


Check the sample below for Account Resource schema reference. 

{
  "id": "urn:sath:params:scim:schemas:core:1.0:Account",
  "name": "Account",
  "description": "User Account",
  "schemas": "urn:sath:params:scim:schemas:core:1.0:Account",
  "attributes": [
    {
      "name": "DisplayName",
      "type": "string",
      "required": true
    },
    {
      "name": "UserLogin",
      "type": "string",
      "required": true
    },
    {
      "name": "PhoneNumber",
      "type": "string",
      "required": true
    },
    {
      "name": "email",
      "type": "string",
      "required": true
    },
    {
      "name": "entitlements",
      "type": "array",
      "required": true
    }
  ],
  "meta": {
    "resourceType": "Schema",
    "location": "/v2/Schemas/urn:sath:params:scim:schemas:core:1.0:Account"
  },
  "matching-attributes": [
    "uid",
    "mail"
  ],
  "attribute-map": {
    "givenName": {
      "attribute": "DisplayName",
      "type": ""
    },
    "sn": {
      "type": "",
      "query": ".displayName"
    },
    "displayName": {
      "attribute": "DisplayName"
    },
    "uid": {
      "attribute": "UserLogin"
    },
    "email": {
      "attribute": "email",
      "type": "",
      "query": "{mail: .emails[].value}"
    },
    "phone": {
      "attribute": "PhoneNumber",
      "type": ""
    },
    "memberOf": {
      "attribute": "entitlements",
      "type": "array"
    },
    "modifyTimestamp": {
      "attribute": "lastReconTimestamp",
      "type": ""
    },
    "manager": {
      "attribute": "manager",
      "type": ""
    }
  },
  "scripts": {
    "insert": [
      "dn: cn=${this.uid},ou=${this.ou},dc=iamsath,dc=com\nobjectClass: top\n#person\nobjectClass: person\nsn: ${scim.givenName}\ncn: ${scim.uid}\ntelephoneNumber: ${scim.phone}\nseeAlso:\ndescription:\n#org person\nobjectClass: organizationalPerson\nx121Address:\nregisteredAddress:\ndestinationIndicator:\npreferredDeliveryMethod:\ntelexNumber:\nteletexTerminalIdentifier:\ninternationaliSDNNumber:\nfacsimileTelephoneNumber:\nphysicalDeliveryOfficeName:\nou: People\n# inet org person\nobjectClass: inetorgperson\naudio:\nbusinessCategory:\ncarLicense:\ndisplayName: ${scim.displayName}\ngivenName: ${scim.givenName}\nhomePhone: ${scim.phone}\ninitials:\nlabeledURI:\nmail: ${scim.email}\no: ${scim.organization}\npager:\nroomNumber:\nsecretary:\nuid: ${scim.uid}"
    ],
    "update": [
      "dn: cn=${this.uid},ou=${this.ou},dc=iamsath,dc=com\nobjectClass: top\n#person\nobjectClass: person\nsn: ${scim.givenName}\ncn: ${scim.uid}\ntelephoneNumber: ${scim.phone}\nseeAlso:\ndescription:\n#org person\nobjectClass: organizationalPerson\nx121Address:\nregisteredAddress:\ndestinationIndicator:\npreferredDeliveryMethod:\ntelexNumber:\nteletexTerminalIdentifier:\ninternationaliSDNNumber:\nfacsimileTelephoneNumber:\nphysicalDeliveryOfficeName:\nou: People\n# inet org person\nobjectClass: inetorgperson\naudio:\nbusinessCategory:\ncarLicense:\ndisplayName: ${scim.displayName}\ngivenName: ${scim.givenName}\nhomePhone: ${scim.phone}\ninitials:\nlabeledURI:\nmail: ${scim.email}\no: ${scim.organization}\npager:\nroomNumber:\nsecretary:\nuid: ${scim.uid}"
    ],
    "delete": [],
    "select": [],
    "mappingToExistingToResponse": [
      {
        "id": "cn=${ldif.cn}, ou=${ldif.ou}, dc=iamsath, dc=com",
        "externalId": "${ldif.dn}",
        "UserLogin": "${ldif.uid}",
        "givenName": "${ldif.givenName}",
        "DisplayName": "${ldif.displayName}",
        "email": "${ldif.mail}",
        "PhoneNumber": "${ldif.telephoneNumber}",
        "manager": "${ldif.manager}",
        "lastReconTimestamp": "${ldif.modifyTimestamp}",
        "entitlements": "${ldif.memberOf}"

      }
    ]
  },
  "configs": {
    "OBJECT_CLASS_PRESENT": "(objectClass=person)"
  }
}
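Added example, written for this page rather than taken from the connector, covering the attribute-map, matching-attributes and mappingToExistingToResponse sections above: a lint for the schema file, the search filter the matching attributes imply (values escaped per RFC 4515 so a crafted uid cannot widen the search), the exactly-one-match check that reconciliation depends on, and the application of mappingToExistingToResponse to a directory entry, keeping every value of memberOf for the array-typed entitlements. The schema is a shortened copy of the sample; the directory entries, the AND combination of the matching attributes and the assumption that one response object is produced per entry are constructed. Run on the sample as written, the lint reports that matching-attributes names mail while the attribute-map key is email; the page does not say whether splice resolves that through the query field, so it is worth confirming.

```python
import json
import re

ID_RE = re.compile(r"^urn:sath:params:scim:schemas:core:\d+\.\d+:[A-Za-z]+$")
LDIF_PLACEHOLDER = re.compile(r"\$\{ldif\.([A-Za-z0-9_]+)\}")

# Constructed, shortened copy of the page's Account.json sample ("email" key and
# "mail" matching attribute kept as on the page).
ACCOUNT_SCHEMA = json.loads("""
{
  "id": "urn:sath:params:scim:schemas:core:1.0:Account",
  "name": "Account",
  "schemas": "urn:sath:params:scim:schemas:core:1.0:Account",
  "attributes": [
    {"name": "DisplayName", "type": "string", "required": true},
    {"name": "UserLogin", "type": "string", "required": true},
    {"name": "email", "type": "string", "required": true},
    {"name": "entitlements", "type": "array", "required": true}
  ],
  "matching-attributes": ["uid", "mail"],
  "attribute-map": {
    "displayName": {"attribute": "DisplayName"},
    "uid": {"attribute": "UserLogin"},
    "email": {"attribute": "email", "type": "", "query": "{mail: .emails[].value}"},
    "memberOf": {"attribute": "entitlements", "type": "array"}
  },
  "scripts": {"mappingToExistingToResponse": [{
    "id": "cn=${ldif.cn}, ou=${ldif.ou}, dc=iamsath, dc=com",
    "UserLogin": "${ldif.uid}",
    "DisplayName": "${ldif.displayName}",
    "email": "${ldif.mail}",
    "entitlements": "${ldif.memberOf}"
  }]},
  "configs": {"OBJECT_CLASS_PRESENT": "(objectClass=person)"}
}
""")

# Constructed directory entries as a search returns them: every attribute is a
# list, because LDAP attributes are multi-valued. The two share a uid on purpose.
ENTRIES = [
    {"cn": ["jdoe"], "ou": ["People"], "uid": ["jdoe"], "mail": ["jdoe@iamsath.com"],
     "displayName": ["John Doe"],
     "memberOf": ["cn=admins,ou=Groups,dc=iamsath,dc=com", "cn=devs,ou=Groups,dc=iamsath,dc=com"]},
    {"cn": ["jdoe2"], "ou": ["People"], "uid": ["jdoe"], "mail": ["other@iamsath.com"],
     "displayName": ["Jane Doe"], "memberOf": []},
]


def lint_schema(schema):
    """Consistency checks to run on a schema file before deploying it."""
    findings = []
    if not ID_RE.match(schema.get("id", "")):
        findings.append("id must be urn:sath:params:scim:schemas:core:<version>:<Resource>")
    if schema.get("schemas") != schema.get("id"):
        findings.append("schemas must equal id")
    attrs = {a["name"]: a for a in schema.get("attributes", [])}
    amap = schema.get("attribute-map", {})
    for target, spec in amap.items():
        ref = spec.get("attribute")
        if ref is not None and ref not in attrs:
            findings.append("attribute-map[%s] refers to unknown IDHUB attribute %s" % (target, ref))
        elif ref is not None and spec.get("type") and spec["type"] != attrs[ref].get("type", "string"):
            findings.append("attribute-map[%s] type differs from attribute %s" % (target, ref))
    for m in schema.get("matching-attributes", []):
        if m not in amap:
            findings.append("matching-attribute %s has no attribute-map entry" % m)
    response = schema.get("scripts", {}).get("mappingToExistingToResponse", [{}])[0]
    for name, a in attrs.items():
        if a.get("required", True) and name not in response:
            findings.append("required attribute %s is not produced by mappingToExistingToResponse" % name)
    return findings


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def matching_filter(schema, values):
    """Filter over the matching attributes; combining them with AND is an assumption."""
    clauses = "".join("(%s=%s)" % (a, escape_filter_value(values[a])) for a in schema["matching-attributes"])
    return "(&%s%s)" % (schema["configs"]["OBJECT_CLASS_PRESENT"], clauses)


def find_unique_match(schema, entries, values):
    """Local stand-in for the search: succeed only if exactly one entry matches."""
    keys = schema["matching-attributes"]
    hits = [e for e in entries if all(values.get(k) in e.get(k, []) for k in keys)]
    if len(hits) != 1:
        raise LookupError("expected exactly one match, found %d" % len(hits))
    return hits[0]


def map_entry_to_response(schema, entry):
    """Apply mappingToExistingToResponse to one entry; array-typed targets keep all values."""
    arrays = {s["attribute"] for s in schema["attribute-map"].values() if s.get("type") == "array" and "attribute" in s}
    response = {}
    for field, template in schema["scripts"]["mappingToExistingToResponse"][0].items():
        whole = LDIF_PLACEHOLDER.fullmatch(template)
        if whole and field in arrays:
            response[field] = list(entry.get(whole.group(1), []))
            continue

        def scalar(m):  # a multi-valued attribute cannot silently collapse into a scalar field
            vals = entry.get(m.group(1), [])
            if len(vals) > 1:
                raise ValueError("%s is multi-valued but %s is scalar" % (m.group(1), field))
            return vals[0] if vals else ""
        response[field] = LDIF_PLACEHOLDER.sub(scalar, template)
    return response
```

find_unique_match raises when only uid is supplied, because both constructed entries carry uid jdoe: that is the situation the matching-attributes list has to rule out, and a search that returns more than one entry should stop reconciliation rather than pick the first hit.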


SCIM Configuration

The SCIM configuration declares the scope of what the connector supports and some metadata about the connector; it is maintained by the service provider and kept under /<Deployable Directory>/configurations/scim. It follows the SCIM ServiceProviderConfig schema (RFC 7643, section 5). It is advertised capability metadata only: marking a feature such as filter or bulk as unsupported tells clients not to use it, it does not by itself disable it in the connector.

The ServiceProviderConfig.json file looks like this:

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"
  ],
  "documentationUri": "https://www.sath.com/idhub/documentation",
  "patch": {
    "supported": false
  },
  "bulk": {
    "supported": false,
    "maxOperations": 0,
    "maxPayloadSize": 0
  },
  "filter": {
    "supported": false,
    "maxResults": 0
  },
  "changePassword": {
    "supported": false
  },
  "sort": {
    "supported": false
  },
  "etag": {
    "supported": false
  },
  "authenticationSchemes": [
    {
      "name": "OAuth Bearer Token",
      "description": "Authentication scheme using the OAuth Bearer Token Standard",
      "specUri": "http://www.rfc-editor.org/info/rfc6750",
      "documentationUri": "no documentation",
      "type": "oauthbearertoken",
      "primary": true
    },
    {
      "name": "HTTP Basic",
      "description": "Authentication scheme using the HTTP Basic Standard",
      "specUri": "http://www.rfc-editor.org/info/rfc2617",
      "documentationUri": "no documentation",
      "type": "httpbasic"
    }
  ],
  "meta": {
    "location": "scim/v2/ServiceProviderConfig",
    "resourceType": "ServiceProviderConfig",
    "created": "2019-09-03T00:00:00Z",
    "lastModified": "2019-09-03T00:00:00Z",
    "version": "W\/\"3694e05e9dff594\""
  }
}


Application Configuration:

This YAML file holds the core compatibility version, the IDHUB service endpoints and the security configuration. It must be placed under /<Deployable Directory>.

The file contains the OAuth client secret and the connector's own service account password in clear, so restrict read access to the account that runs the connector and keep it out of version control.

application.yml

info:
  app:
    name: Connector API Application
    description: IDHUB Connector Application
    version: <IDHUB connector version>
    compatible-core-version: <Compatible version of Core service>
security:
  oauth2:
    client:
      client-id: <IDHUB Service Client Id>
      client-secret: <IDHUB service client secret>
      grant_type: client_credentials
      access-token-uri: https://<IDHUB Base URL>/auth/realms/IDHub/protocol/openid-connect/token
management:
  endpoints:
    web:
      exposure:
        include: info,health,httptrace
idhub-core:
  url: https://<IDHUB Base URL>/api/core
target-system:
  name: <Target System Name>
server:
  port: <Connector Application Running PORT>
spring:
  security:
    user:
      name: <Service Account ID>
      password: <Service Account Password>


splice.yml

This YAML file holds the connection details of the LDAP-based target system.

The sample binds as cn=Directory Manager over port 389. For anything beyond a test environment, bind with a dedicated service account that holds only the rights splice needs on the searchbase subtree, and use a TLS-protected connection; on plain port 389 the bind password and every provisioned attribute value cross the network in clear.

Sample content of splice.yml for an LDAP-based target system:

spring:
  profile: splice
  name: <Splice Display Name>
  environment: test
  version: <splice-version>
target-system:
  name: ldap
  host: <hostname/IP>
  port: 389
  username: cn=Directory Manager
  password: <Encrypted password>
  searchbase: dc=iamsath,dc=com
  


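Added example for the two YAML files above (written for this page, not part of the connector): a pre-deployment check that parses the key: value subset these files use and flags the settings a reviewer would refuse to ship, with the weak splice.yml beside a hardened one. The values are fictitious; the hardened file assumes a dedicated bind account and port 636, and since the page does not say how splice enables TLS, that part still has to be confirmed against the connector itself.

```python
# Constructed samples modelled on the page's application.yml and splice.yml.
APP_YML = """
info:
  app:
    name: Connector API Application
    version: 1.4.0
    compatible-core-version: 2.1
security:
  oauth2:
    client:
      client-id: idhub-ldap-connector
      client-secret: 0f3c9a7e-example-secret
      grant_type: client_credentials
      access-token-uri: https://idhub.example.com/auth/realms/IDHub/protocol/openid-connect/token
management:
  endpoints:
    web:
      exposure:
        include: info,health,httptrace
target-system:
  name: ldap
server:
  port: 8443
spring:
  security:
    user:
      name: connector-svc
      password: example-basic-auth-password
"""

SPLICE_YML_WEAK = """
spring:
  profile: splice
  name: Corporate LDAP
  environment: test
  version: 1.0
target-system:
  name: ldap
  host: ldap.example.com
  port: 389
  username: cn=Directory Manager
  password: <Encrypted password>
  searchbase: dc=iamsath,dc=com
"""

# Assumed hardening: dedicated bind account, LDAPS port, password actually filled in.
SPLICE_YML_HARDENED = (SPLICE_YML_WEAK
    .replace("port: 389", "port: 636")
    .replace("cn=Directory Manager", "cn=idhub-splice,ou=Services,dc=iamsath,dc=com")
    .replace("<Encrypted password>", "example-encrypted-value"))


def parse_simple_yaml(text):
    """Parse the indented key: value subset these files use (no lists, no quoting)."""
    root = {}
    stack = [(-1, root)]
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key.strip()] = value.strip()
        else:
            parent[key.strip()] = child = {}
            stack.append((indent, child))
    return root


def flatten(cfg, prefix=""):
    for key, val in cfg.items():
        path = prefix + "." + key if prefix else key
        if isinstance(val, dict):
            yield from flatten(val, path)
        else:
            yield path, val


def check_deployment(app_yml, splice_yml):
    """Return the weak settings found in the two files; an empty list means none."""
    app, splice = parse_simple_yaml(app_yml), parse_simple_yaml(splice_yml)
    findings = []
    for name, cfg in (("application.yml", app), ("splice.yml", splice)):
        for path, val in flatten(cfg):
            if val.startswith("<") and val.endswith(">"):
                findings.append("%s: %s still holds the template placeholder %s" % (name, path, val))
    ts = splice.get("target-system", {})
    if ts.get("port") == "389":
        findings.append("splice.yml: port 389 is plain LDAP; bind password and attributes cross the network in clear unless TLS is in use")
    if ts.get("username", "").lower().startswith("cn=directory manager"):
        findings.append("splice.yml: binds as the directory root account; use a dedicated least-privilege service account")
    include = app.get("management", {}).get("endpoints", {}).get("web", {}).get("exposure", {}).get("include", "")
    if "httptrace" in [p.strip() for p in include.split(",")]:
        findings.append("application.yml: httptrace actuator endpoint is exposed; it records recent request and response headers, restrict it to authenticated admins")
    return findings


if __name__ == "__main__":
    for f in check_deployment(APP_YML, SPLICE_YML_WEAK):
        print("-", f)
```

The weak pair yields four findings (the unfilled password placeholder, port 389, the Directory Manager bind, and the exposed httptrace endpoint); the hardened splice.yml with httptrace removed from application.yml yields none.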