
Identity Manager 9.2 - Administration Guide for Integration with OneLogin Cloud Directory


Configuration parameters for managing OneLogin domains

The following configuration parameters are available in One Identity Manager after the module has been installed.

Table 29: Configuration parameters

TargetSystem | OneLogin
    Preprocessor relevant configuration parameter for controlling the database model components for managing the OneLogin target system. If the parameter is set, the target system components are available. Changes to this parameter require the database to be recompiled.
    If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

TargetSystem | OneLogin | Accounts
    Allows configuration of user account data.

TargetSystem | OneLogin | Accounts | InitialRandomPassword
    Specifies whether a random password is generated when a new user account is added. The password must contain at least the character sets that are defined in the password policy.

TargetSystem | OneLogin | Accounts | InitialRandomPassword | SendTo
    Identity that receives an email with the randomly generated password (manager of the cost center, department, location, or role; the identity's manager; or XUserInserted). If no recipient can be found, the password is sent to the address stored in the TargetSystem | OneLogin | DefaultAddress configuration parameter.

TargetSystem | OneLogin | Accounts | InitialRandomPassword | SendTo | MailTemplateAccountName
    Name of the mail template that is sent to supply users with the login credentials for the user account. The Identity - new user account created mail template is used.

TargetSystem | OneLogin | Accounts | InitialRandomPassword | SendTo | MailTemplatePassword
    Name of the mail template that is sent to supply users with the initial password. The Identity - initial password for new user account mail template is used.

TargetSystem | OneLogin | Accounts | MailTemplateDefaultValues
    Mail template used to send notifications about whether default IT operating data mapping values are used when a user account is created automatically. The Identity - new user account with default properties created mail template is used.

TargetSystem | OneLogin | DefaultAddress
    Default email address of the recipient for notifications about actions in the target system.

TargetSystem | OneLogin | MaxFullsyncDuration
    Maximum runtime of a synchronization in minutes. During this time, the DBQueue Processor does not recalculate group memberships. If the maximum runtime is exceeded, group memberships are recalculated.

TargetSystem | OneLogin | PersonAutoDefault
    Mode for automatic identity assignment for user accounts added to the database outside synchronization.

TargetSystem | OneLogin | PersonAutoDisabledAccounts
    Specifies whether identities are automatically assigned to disabled user accounts. User accounts are not given an account definition.

TargetSystem | OneLogin | PersonAutoFullSync
    Mode for automatic identity assignment for user accounts that are added to or updated in the database by synchronization.

TargetSystem | OneLogin | PersonExcludeList
    List of all user accounts that are excluded from automatic identity assignment. Names are listed in a pipe (|) delimited list that is handled as a regular search pattern.
    Example:
    ADMINISTRATOR|GUEST|KRBTGT|TSINTERNETUSER|IUSR_.*|IWAM_.*|SUPPORT_.*|.* | $

QER | ITShop | AutoPublish | OLGRole
    Preprocessor relevant configuration parameter for automatically adding OneLogin roles to the IT Shop. If the parameter is set, all roles are automatically assigned as products to the IT Shop. Changes to this parameter require the database to be recompiled.
    If you disable the configuration parameter at a later date, model components and scripts that are no longer required are disabled. SQL procedures and triggers are still carried out. For more information about the behavior of preprocessor relevant configuration parameters and conditional compiling, see the One Identity Manager Configuration Guide.

QER | ITShop | AutoPublish | OLGRole | ExcludeList
    List of all OneLogin roles that must not be automatically assigned to the IT Shop. Each entry is part of a regular search pattern and supports regular expression notation.
    Example:
    .*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS
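The following Python script is an added illustration of how the two exclude lists above (PersonExcludeList and QER | ITShop | AutoPublish | OLGRole | ExcludeList) behave; it is not One Identity Manager code. It assumes that the pipe-delimited list is compiled as one regular expression (the pipes are the alternation operator), that a name is excluded when the pattern matches the entire name, and that matching is case-insensitive; confirm these assumptions against your installation before relying on the result. The function names, the sample account and role names, and the overly_broad_entries check are constructed for this example.

```python
"""Evaluate the pipe-delimited exclude lists of PersonExcludeList and
QER | ITShop | AutoPublish | OLGRole | ExcludeList.

Added example, not One Identity Manager code. Assumptions: the list is
compiled as one regular expression (pipes are alternation), a name is
excluded when the pattern matches the whole name, and matching is
case-insensitive. Confirm these against your installation.
"""
import re

# The two example lists from the page.
PERSON_EXCLUDE_LIST = "ADMINISTRATOR|GUEST|KRBTGT|TSINTERNETUSER|IUSR_.*|IWAM_.*|SUPPORT_.*|.* | $"
ROLE_EXCLUDE_LIST = ".*Administrator.*|Exchange.*|.*Admins|.*Operators|IIS_IUSRS"

# Constructed sample data (not from the page).
SAMPLE_ACCOUNTS = ["Administrator", "IUSR_WEB01", "jdoe", "support_tier2", "Administrator2", "jane doe "]
SAMPLE_ROLES = ["Domain Admins", "Sales", "Exchange Recipient Management",
                "Backup Operators", "Account Operators", "IIS_IUSRS", "Auditors"]


def compile_exclude_list(exclude_list: str) -> re.Pattern:
    """Compile the whole list as one case-insensitive pattern.

    Entries are kept exactly as written, spaces included: the page's own
    example ends in '.* ' and ' $', which only match names with a trailing space.
    """
    return re.compile(exclude_list, re.IGNORECASE)


def is_excluded(name: str, pattern: re.Pattern) -> bool:
    """True when the name must not be assigned automatically (whole-name match)."""
    return pattern.fullmatch(name) is not None


def partition(names, exclude_list: str):
    """Split names into (excluded, eligible) lists according to exclude_list."""
    pattern = compile_exclude_list(exclude_list)
    excluded = [n for n in names if is_excluded(n, pattern)]
    eligible = [n for n in names if not is_excluded(n, pattern)]
    return excluded, eligible


def overly_broad_entries(exclude_list: str, probe: str = "x9probe") -> list:
    """Entries that already match an ordinary name such as `probe`.

    A stray '.*' entry would silently exclude every account or role from
    automatic assignment; run this check after editing the parameter.
    """
    return [e for e in exclude_list.split("|") if re.fullmatch(e, probe, re.IGNORECASE)]


if __name__ == "__main__":
    print(partition(SAMPLE_ACCOUNTS, PERSON_EXCLUDE_LIST))
    print(partition(SAMPLE_ROLES, ROLE_EXCLUDE_LIST))
    print(overly_broad_entries("GUEST|.*"))
```

Note the difference between Administrator and Administrator2 in the sample: with whole-name matching, a plain entry excludes exactly that name, so an account that merely resembles a privileged one still receives an identity automatically unless the entry is written as a pattern (ADMINISTRATOR.*, for example). Conversely, the last two entries of the page's example, `.* ` and ` $`, only catch names with a trailing space; a bare `.*` entry would exclude everything, which overly_broad_entries flags.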

Default template for OneLogin domains

A default project template ensures that all required information is added in One Identity Manager. This includes mappings, workflows, and the synchronization base object. If you do not use a default project template you must declare the synchronization base object in One Identity Manager yourself.

Use a default project template for initially setting up the synchronization project. For custom implementations, you can extend the synchronization project with the Synchronization Editor.

The project template uses mappings for the following schema types.

Table 30: Mapping OneLogin schema types to tables in the One Identity Manager schema

Schema type in OneLogin     Table in the One Identity Manager schema
APIAuthorization            OLGAPIAuthorization
Application                 OLGApplication
AuthFactor                  OLGAuthFactor
Client                      OLGClient, OLGClientHasOLGScope
CustomAttribute             OLGCustomAttribute
Event                       OLGEvent
Group                       OLGGroup
Policy                      OLGPolicy
Privilege                   OLGPrivilege
Role                        OLGRole
RoleAdmin                   OLGUserInOLGRoleAdmin
RoleApplication             OLGRoleApplication
Scope                       OLGScope
User                        OLGUser
UserApplication             OLGUserHasOLGApplication
UserAuthFactor              OLGUserHasOLGAuthFactor
UserCustomAttribute         OLGUserHasOLGCustomAttribute
UserPrivilege               OLGUserHasOLGPrivilege

Editing OneLogin system objects

The following table describes the permitted editing methods for OneLogin schema types and the naming restrictions required by system object processing.

Table 31: Methods available for editing schema types

Type                                                                 Read  Add  Delete  Refresh
Service provider (APIAuthorization)                                  Yes   No   No      No
Applications (Application)                                           Yes   No   No      No
Authentication methods (AuthFactor)                                  Yes   No   No      No
Clients (Client)                                                     Yes   No   No      No
Custom user fields (CustomAttribute)                                 Yes   No   No      No
Change history (Event)                                               Yes   No   No      No
Groups (Group)                                                       Yes   No   No      No
Policies (Policy)                                                    Yes   No   No      No
Privileges (Privilege)                                               Yes   No   No      No
Roles (Role)                                                         Yes   No   No      No
Administrators for roles (RoleAdmin)                                 Yes   Yes  Yes     Yes
Role assignments to applications (RoleApplication)                   Yes   Yes  Yes     Yes
Scopes (Scope)                                                       Yes   No   No      No
User accounts (User)                                                 Yes   Yes  Yes     Yes
Application assignments to user accounts (UserApplication)           Yes   No   No      No
Authentication method assignments to user accounts (UserAuthFactor)  Yes   Yes  Yes     Yes
Custom field assignments to user accounts (UserCustomAttribute)      Yes   No   No      Yes
Privilege assignments to user accounts (UserPrivilege)               Yes   Yes  Yes     Yes

OneLogin connector settings

The following settings are configured for the system connection with the OneLogin connector.

Table 32: OneLogin connector settings

Setting    Description

Authentication URI

URL of the authentication endpoint. If the endpoint lives under the same root as the service URI, only the part of the URL that is appended to the common root is required. If another server or another root URL is used for authentication, enter the full URL.

Variable: olgauthendpoint

Client secret (OAuth)

Client secret used to authenticate the connector at login.

Variable: olgauthoauthclientsecret

Domain

Full OneLogin domain name, <your domain>.onelogin.com, for example.

Variable: olgrootdn

Grant type (OAuth)

Access type for login.

Variable: olgauthoauthgranttype

HTTP KeepAlive

Specifies whether HTTP connections are kept open. If the option is not set, connections are closed immediately and cannot be used for further queries.

Default: True

Variable: olgkeepalive

Max. parallel queries

Number of target system data queries that can be carried out simultaneously. Enter a value between 1 and 32.

Default: 0

Variable: olgparallelprocesses

Password (OAuth)

Login password, used if the client secret is not known and login is performed with a user name and password.

Variable: olgauthoauthpassword

Read events created since

Used for revision filtering.

Variable: olgeventsincefilter

Scope (OAuth)

Scope parameter valid for target system login. If several scopes apply, separate them with spaces.

Variable: olgauthoauthscope

Service URI

URI of the API, without the version.

Default: api

Variable: olgroot

Use client side cache

Specifies whether the OneLogin connector's local cache is used.

Local cache is used to speed up synchronization. Access to the cloud application is minimized during full synchronization. The option is ignored during provisioning. It does not make sense to use the cache during synchronization with revision filtering. If the target system supports revision filtering, disable the option after initial synchronization.

Default: True

Variable: olgusecache

User name (OAuth)

Login user name, used if the client secret is not known and login is performed with a user name and password.

Variable: olgauthoauthusername

Application/Client ID

Client ID for the application.
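To make the relationship between the settings in Table 32 concrete, the following Python script is an added example; it is not code from One Identity Manager or the OneLogin connector. It composes the OAuth token request from the table's variables: a relative Authentication URI is joined to the domain, an absolute one is used as-is, the client secret serves the client_credentials grant and user name/password the password grant, and secrets are refused over anything but https. The grant type values, the `client_id` key standing in for Application/Client ID (which has no variable name on the page), the sample settings, the form field names and the endpoint path `auth/token` are assumptions or placeholders for this example; the real connector's join rule and request format may differ.

```python
"""Compose an OAuth token request from OneLogin connector settings.

Added example, not One Identity Manager or OneLogin connector code.
Keys of the settings dict are the variable names from Table 32;
"client_id" stands in for Application/Client ID, which has no variable
name on the page. Grant type values, field names and the endpoint path
are assumptions for this illustration.
"""
from urllib.parse import urljoin, urlsplit

SECRET_FIELDS = {"client_secret", "password"}


def resolve_auth_endpoint(domain: str, auth_uri: str) -> str:
    """Return the absolute authentication URL.

    A relative auth_uri (no scheme) is appended to https://<domain>/;
    an absolute one is used unchanged. In both cases the result must be
    https with a host: the client secret or password is sent in this
    request and must never travel in plaintext.
    """
    url = auth_uri if urlsplit(auth_uri).scheme else urljoin(f"https://{domain}/", auth_uri)
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"refusing to send credentials to non-https endpoint: {url}")
    return url


def build_token_request(settings: dict) -> dict:
    """Build url, headers and form fields for the token request.

    Returns a dict with "url", "headers", "form" and "foreign_auth_host"
    (True when an absolute Authentication URI points at a host other
    than the configured domain, so operators can see where the secret goes).
    """
    domain = settings["olgrootdn"]
    url = resolve_auth_endpoint(domain, settings["olgauthendpoint"])
    grant = settings.get("olgauthoauthgranttype", "client_credentials")
    form = {"grant_type": grant}
    scope = settings.get("olgauthoauthscope")
    if scope:
        form["scope"] = scope  # several scopes are space separated, as the table states
    if grant == "client_credentials":
        if not settings.get("olgauthoauthclientsecret"):
            raise ValueError("client_credentials grant requires a client secret")
        form["client_id"] = settings["client_id"]
        form["client_secret"] = settings["olgauthoauthclientsecret"]
    elif grant == "password":
        # User name / password are used only when the client secret is not known.
        missing = [k for k in ("olgauthoauthusername", "olgauthoauthpassword") if not settings.get(k)]
        if missing:
            raise ValueError(f"password grant requires {', '.join(missing)}")
        form["client_id"] = settings["client_id"]
        form["username"] = settings["olgauthoauthusername"]
        form["password"] = settings["olgauthoauthpassword"]
    else:
        raise ValueError(f"unsupported grant type: {grant}")
    return {
        "url": url,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "form": form,
        "foreign_auth_host": urlsplit(url).hostname != domain.lower(),
    }


def redact(form: dict) -> dict:
    """Copy of the form with secret values masked, safe for log output."""
    return {k: ("***" if k in SECRET_FIELDS else v) for k, v in form.items()}


# Constructed sample settings (not from the page); "auth/token" is a placeholder path.
SAMPLE_SETTINGS = {
    "olgrootdn": "acme.onelogin.com",
    "olgauthendpoint": "auth/token",
    "olgauthoauthgranttype": "client_credentials",
    "olgauthoauthclientsecret": "example-secret",
    "olgauthoauthscope": "read write",
    "client_id": "example-client-id",
}

if __name__ == "__main__":
    request = build_token_request(SAMPLE_SETTINGS)
    print(request["url"], redact(request["form"]), request["foreign_auth_host"])
```

The foreign_auth_host flag exists because the table explicitly allows an absolute Authentication URI on another server: that is legitimate, but it is also exactly where a mistyped or tampered setting would send the client secret, so it is worth surfacing in the synchronization log (through redact, never with the raw form).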
