Repository for HelloID Provisioning Target Connector to Zenya using the SCIM API
ℹ️ Information |
---|
This repository contains the connector and configuration code only. The implementer is responsible to acquire the connection details such as username, password, certificate, etc. You might even need to sign a contract or agreement with the supplier before implementing this connector. Please contact the client's application manager to coordinate the connector requirements. |
- SSO configured on Zenya environment
- A Registered Provider in Zenya. Please see the Zenya Documentation (step 3) for the "How To": Create Provider in Zenya.
- Service Address
- Client ID
- Client Secret
- Concurrent sessions in HelloID set to a maximum of 2! Exceeding this limit may result in timeout errors, as the Zenya SCIM API supports only a specific number of requests per minute.
For this connector we have the option to create and manage Zenya user accounts and groups.
SCIM stands for System for Cross-domain Identity Management. It is an open standard protocol that simplifies the management of user identities and related information across different systems and domains. For more information, please see: http://www.simplecloud.info
The HelloID connector uses the API endpoints listed in the table below.
Endpoint | Description |
---|---|
/scim/users | API docs for Get Request: https://identitymanagement.services.iprova.nl/swagger-ui/#!/scim/GetUsersRequest |
/scim/groups | API docs for Get Request: https://identitymanagement.services.iprova.nl/swagger-ui/#!/scim/GetgroupsRequest |
The HelloID connector consists of the template scripts shown in the following table.
Action | Action(s) Performed | Comment |
---|---|---|
create.ps1 | Create (or update) and correlate a user account. | |
enable.ps1 | Enable a user account | |
update.ps1 | Update a user account | |
disable.ps1 | Disable a user account | |
delete.ps1 | Delete a user account | Be careful when implementing this! There is no way to restore deleted users. |
permissions.ps1 | Retrieves all groups and provides them as entitlements | |
grantPermission.ps1 | Add a user account to a group | |
revokePermission.ps1 | Remove a user account from a group | |
dynamicPermissions.ps1 | Add/remove a user account to/from a group | |
resourceCreation.ps1 | Create a group for provided resource, e.g. department |
The mandatory and recommended field mapping is listed below.
Name | Type | Create | Enable | Update | Disable | Delete | Use in Notifications | Store in account data | Default mapping | Mandatory | Comment |
---|---|---|---|---|---|---|---|---|---|---|---|
Active | Text | X | X | X | No | Yes | For create: Fixed: False For enable: Fixed: True For disable: Fixed: False |
Yes | |||
Department | Text | X | X | No | Yes | Field: PrimaryContract.Department.DisplayName | No | Custom scripting in code to transform this to the corresponding scim object | |||
DisplayName | Text | X | X | No | Yes | Complex: displayName.js | Yes | ||||
Emails | Array | X | X | No | Yes | Complex: emails.js | Yes | Custom scripting in code to transform this to the corresponding scim object | |||
ExternalId | Text | X | X | No | Yes | Field: ExternalId | Yes | ||||
Manager | Text | X | X | No | Yes | None | No | Set within script, as the aRef of manager is used. Custom scripting in code to transform this to the corresponding scim object | |||
Title | Text | X | X | No | Yes | Field: PrimaryContract.Title.Name | No | ||||
Username | Text | X | X | No | Yes | Complex: username.js | Yes | Used for correlation |
Correlation field | Selection | Comment |
---|---|---|
Person Correlation field | None | No selection, as this isn't used. Only the Account correlation field is used. |
Account Correlation field | Username | ExternalId isn't available to query users on, therefore only username can be used as correlation field. |
Please follow the Zenya Documentation (step 3) to Create a Provider in Zenya
By default, ONLY groups and users created by the identity provider or linked to it are returned in the SCIM service. However, there is a setting that Infoland can enable per provider, allowing the users and groups created by Zenya to be returned as well. If users/groups come from multiple sources (ADs, created within Zenya itself), please contact Infoland to ensure that the SCIM service returns everything, not just the users/groups synchronized through this process. For more information, please see (step 7): https://webshare.zenya.work/DocumentResource/709a648d-6300-4e42-a2a6-54ae02201873/Document.pdf?webshareid=y491fqpfwxhoo0kd&showinlinepdf=1
The following settings are required to connect to the API.
Setting | Description | Mandatory |
---|---|---|
Service Address | The Service Address of the SCIM API | Yes |
Client ID | The OAuth2 Client ID to connect to the SCIM API | Yes |
Client Secret | The OAuth2 Client Secret to connect to the SCIM API | Yes |
Toggle debug logging | When toggled, extra logging is shown. Note that this is only meant for debugging, please switch this off when in production. | No |
- Infoland must define the current users within the synchronization scope. Failure to do so will result in every person being assigned a new user account.
- Since we use the SCIM API, we cannot create/set the password of users, so Single Sign-On (SSO) is required to manage the users using the SCIM API.
- Currently, we can only manage groups we actually created with HelloID. So only the groups we created through HelloID Resource Creation.
- Note that HelloID can only create groups. The groups will not be deleted by HelloID.
- Currently, we can only set a department that already exists in Zenya.
- For this, all departments must have a unique name (we can only match on name, so matching on code or any other field is not possible) within the entire tree (i.e., no duplicate names anywhere).
- In addition, maintenance of the departments (i.e., creating/deleting as well as setting the owner) will need to take place within Zenya.
- Currently, we can only set a manager that exists in Zenya and has been created by HelloID. For this, HelloID has to have granted the Account entitlement for the manager first.
For more information on how to configure a HelloID PowerShell connector, please refer to our documentation pages
If you need help, feel free to ask questions on our forum
The official HelloID documentation can be found at: https://docs.helloid.com/