Data provisioning
The Entrust connector is an extended version of the generic SOAP connector. The following options are supplied and native to the Entrust connector:
- Authentication using session auth cookies.
- Possibility to call several services from one provisioning task.
When you select the Entrust Connector (Template), enter a unique name for the new connector. If you selected and configured a template connector, the configured template is stored in Omada Identity. When Omada rolls out changes to the template connectors, your configurations remain intact in your own version. To use default preconfigured Task mappings, select the Use default configuration option while enabling provisioning.
Provisioning configuration
| Parameter | Description |
|---|---|
| Endpoint address | Specify the endpoint address, for example: https://prod.yourcorp.com/IdentityGuardAdminService/services/AdminServiceV11 |
| Timeout in seconds | Specify the preferred connection timeout for one web service call. It is recommended that timeout is not lower than 100 seconds. |
| User | Type the username for the target system user used to authenticate connectivity. |
| Password | Type the password for the user to authenticate with the service.Each time you make a change to any of the settings in the Connection details dialog box, you must enter the password again. |
| Security protocol | Select the name of the security protocol supported by the external server.It should match the security protocol used in the Entrust system. |
| Test connection | This field is optional.You can check this field to force the connector to test the defined connection before moving froward. |
Data model
The data model for Entrust is extensible and consists of two sections: properties and objects.
Properties
The section serves as a repository of properties of all objects in the remote system that are subject to provisioning. Property names consist of a prefix that specifies the operation (add:, update:, or delete:), followed by the xPath to the element/attribute. Property names must match the ones used in task mappings.
A single property consists of the following attributes:
-
displayName: Unique name of the property.
-
name: Property names contain several elements separated by the ‘:’ character:
- (optional, in square brackets) – comma-separated list of service methods, where parameter should be added. If a specific OPS operation has only one method to call, you can skip this part.
- Operation – value from range: add/update/delete.
- Xpath in the request to set the value.
Here, you can see the XML configuration for properties:
<connectorDataModel xmlns="http://schemas.omada.net/ops/2015/ConnectorDataModelML" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" modelNamespace="Entrust">
<properties>
<property displayName="createUserIdKey" name="[userCreate]:add:/*[local-name() = 'Envelope']/*[local-name() = 'Body']/*[local-name() = 'userCreateCallParms']/*[local-name() = 'userid']" />
<property displayName="createUserId" name="[userCreate]:add:/*[local-name() = 'Envelope']/*[local-name() = 'Body']/*[local-name() = 'userCreateCallParms']/*[local-name() = 'parms']/*[local-name() = 'Userid']" />
<property displayName="createGroup" name="[userCreate]:add:/*[local-name() = 'Envelope']/*[local-name() = 'Body']/*[local-name() = 'userCreateCallParms']/*[local-name() = 'parms']/*[local-name() = 'Group']" />
<property displayName="createUserState" name="[userCreate]:add:/*[local-name() = 'Envelope']/*[local-name() = 'Body']/*[local-name() = 'userCreateCallParms']/*[local-name() = 'parms']/*[local-name() = 'UserState']" />
<property displayName="createFullName" name="[userCreate]:add:/*[local-name() = 'Envelope']/*[local-name() = 'Body']/*[local-name() = 'userCreateCallParms']/*[local-name() = 'parms']/*[local-name() = 'FullName']" />
<property displayName="createPassUserIdKey" name="[userPasswordCreate]:add:/*[local-name() = 'Envelope']/*[local-name() = 'Body']/*[local-name() = 'userPasswordCreateCallParms']/*[local-name() = 'userid']" />
<property displayName="createPassPassword" name="[userPasswordCreate]:add:/*[local-name() = 'Envelope']/*[local-name() = 'Body']/*[local-name() = 'userPasswordCreateCallParms']/*[local-name() = 'parms']/*[local-name() = 'Password']" dataType="secureStringType" />
<property displayName="createPassDaysToExpiry" name="[userPasswordCreate]:add:/*[local-name() = 'Envelope']/*[local-name() = 'Body']/*[local-name() = 'userPasswordCreateCallParms']/*[local-name() = 'parms']/*[local-name() = 'DaysToExpiry']" dataType="intType" />
<property displayName="createPassChangeRequired" name="[userPasswordCreate]:add:/*[local-name() = 'Envelope']/*[local-name() = 'Body']/*[local-name() = 'userPasswordCreateCallParms']/*[local-name() = 'parms']/*[local-name() = 'ChangeRequired']" dataType="booleanType" />
<property displayName="updateUserIdKey" name="[userSet]:update:/*[local-name() = 'Envelope']/*[local-name() = 'Body']/*[local-name() = 'userSetCallParms']/*[local-name() = 'userid']" />
<property displayName="updateUserId" name="[userSet]:update:/*[local-name() = 'Envelope']/*[local-name() = 'Body']/*[local-name() = 'userSetCallParms']/*[local-name() = 'parms']/*[local-name() = 'Userid']" />
<property displayName="updateGroup" name="[userSet]:update:/*[local-name() = 'Envelope']/*[local-name() = 'Body']/*[local-name() = 'userSetCallParms']/*[local-name() = 'parms']/*[local-name() = 'Group']" />
<property displayName="updateUserState" name="[userSet]:update:/*[local-name() = 'Envelope']/*[local-name() = 'Body']/*[local-name() = 'userSetCallParms']/*[local-name() = 'parms']/*[local-name() = 'UserState']" />
<property displayName="updateFullName" name="[userSet]:update:/*[local-name() = 'Envelope']/*[local-name() = 'Body']/*[local-name() = 'userSetCallParms']/*[local-name() = 'parms']/*[local-name() = 'FullName']" />
<property displayName="deleteUserIdKey" name="[userDelete]:delete:/*[local-name() = 'Envelope']/*[local-name() = 'Body']/*[local-name() = 'userDeleteCallParms']/*[local-name() = 'userid']" />
</properties>
Objects
Here, objects refers to a set of objects. Each object has a name property that must match one of the names in task mappings. For more about task mappings, see the Task mappings subchapter of the Omada Identity - Import and Onboarding Guide.
Inside an object, there are two sub nodes: objectDetails and objectProperties. For more information about each, see the following two subchapters.
objectDetails
ObjectDetails are used to provide details about how an object is treated.
In contrast to the generic SOAP collector, objectDetails for specific operations can store several methods. In addition, WSDL detail is optional – if not provided, the connectivity will use WSDL from the default endpoint. Detail names remain the same.
The** Entrust Connector** issues HTTP requests to the SOAP endpoints of the remote system.
If the remote system has a custom SOAP implementation, you can use the objectDetails to define the custom properties in the Entrust connector:
- nsPrefix: this property specifies the prefix for the names of the subfields.
- AddMethod: this property specifies the method for properties that add objects.
- UpdateMethod: this property specifies the method for properties that update objects.
- DeleteMethod: this property specifies the method for properties that delete objects.
objectProperty
The objectProperty element is used to determine a set of properties for an object.
Task mappings
The Omada Entrust Connectivity provides the following mappings out of the box:
| Parameter | Description |
|---|---|
| Entrust Account | Contains mappings of account assignments to Entrust user assignments |
Entrust users
| Destination | Operator | Source |
|---|---|---|
| Object Id | Map | ObjectId |
| Object type | Constant | Users |
| Operation | Map | Operation |
| createUserIdKey | Expression | string.Format("Omada/0", ROPE_AccountName) |
| createUserId | Expression | string.Format("Omada/0", ROPE_AccountName) |
| createGroup | Constant | Omada |
| createUserState | Expression | ROPE_Disabled ? "SUSPENDED" : "ACTIVE" |
| createFullName | Map | ROPE_Identity |
| createPassUserIdKey | Expression | string.Format("Omada/0", ROPE_AccountName) |
| createPassPassword | Constant | Omada12345 |
| createPassDaysToExpiry | Constant | 90 |
| createPassChangeRequired | Constant | true |
| updateUserIdKey | Map | ROPE_AccountName |
| updateUserId | Expression | string.Format("Omada/0", ROPE_AccountName) |
| updateGroup | Constant | Omada |
| updateUserState | Expression | ROPE_Disabled ? "SUSPENDED" : "ACTIVE" |
| updateFullName | Map | ROPE_Identity |
| deleteUserIdKey | Expression | string.Format("Omada/0", ROPE_AccountName) |
Entrust system only supports Suspended, Locked, and Active statuses. If an account is not needed anymore, it is deleted from Entrust.