
User Provisioning through Identity Management Framework

SafeNet Trusted Access IdM Connector


An Identity Management (IdM) connector connects a user data source (such as a CSV file or Active Directory) to an application. The Identity Management Framework hosts the connectors and acts as the bridge between them.

The SafeNet Trusted Access (STA) IdM Connector is an identity connector built on the ConnId framework. It runs alongside the other identity connectors to synchronize users and groups between STA and other systems.

Using the Identity Management Framework, you can configure the STA IdM Connector to synchronize users, and the groups they belong to, between SafeNet Trusted Access (STA) and third-party applications and directories (for example, Microsoft Entra ID or Active Directory).

Limitations

The following limitations apply when you synchronize users and groups from the Identity Management Framework to STA using the STA IdM Connector:

  • Groups synchronized from the Identity Management Framework to STA that contain a token provisioning rule set cannot be updated further. Refer to the SafeNet Trusted Access API definition for Groups.

  • STA does not support nested group synchronization.

  • The STA IdM Connector does not support live synchronization for groups.

Prerequisites

To configure the STA IdM connector, ensure the following:

  • An Identity Management Framework instance is installed and running on your machine.

  • Import the SafeNet_Trusted_Access.xml file. Perform the following steps:

    1. Navigate to the GitHub URL.

    2. Download the SafeNet_Trusted_Access.xml file.

    3. In the left pane, under Configuration, click the Import object icon to import an object into the Identity Management Framework.

    4. In the right pane, perform the following steps:

      1. Under Options, select the Keep OID option.

      2. Under Get objects from, click Choose File and select the SafeNet_Trusted_Access.xml file that you downloaded. This file adds the pre-configured STA IdM Connector resource to the Identity Management Framework; you can change its settings afterwards to suit your configuration.

      3. Click Import object.

    5. In the left pane, under ADMINISTRATION, click Resources > All resources to verify that the newly created resource object has been added.

  • Add the STA certificate to the Identity Management Framework keystore. Perform the following steps:

    1. Navigate to your STA login URL, click the lock icon in the address bar, export the STA certificate in .cer format, and save it to a local directory.

    2. Copy the STA certificate to the /<midpoint-installation-directory>/var directory.

    3. Open a terminal in the same directory and run the following command (keytool prompts for the keystore password):

      keytool -import -keystore keystore.jceks -storetype jceks -alias <alias_name> -file <downloaded_STA_certificate> -trustcacerts

      For example:

      keytool -import -keystore keystore.jceks -storetype jceks -alias stacert -file stademo.cer -trustcacerts

      Before importing, confirm the certificate's fingerprint against a value obtained from the STA administrator or another trusted channel; the browser export only shows which certificate your browser was presented. The exported file is the server's leaf certificate rather than its issuing CA, so the trust entry must be refreshed whenever STA rotates the certificate.
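
The keytool step above trusts whatever certificate the browser exported. As an added example (not part of the Thales documentation or of the connector), the following shell script imports the certificate only after its SHA-256 fingerprint matches a value you obtained out of band, refuses to overwrite an existing alias, and lists the entry afterwards for the change record. It assumes openssl and keytool are on PATH; the keystore path, alias, certificate file name and the KEYSTORE_PASS variable name are placeholders.

```shell
#!/bin/sh
# Added example: verified import of the STA server certificate into midPoint's
# keystore.jceks. Not part of the Thales page; openssl and keytool are assumed
# to be on PATH, and every path, alias and variable name below is a placeholder.
set -eu

# Normalise a fingerprint so that "sha256 Fingerprint=AB:CD:..." from openssl,
# "AB:CD:..." copied from a browser and "abcd..." from a ticket compare equal.
normalize_fp() {
  printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n\t' | tr 'a-f' 'A-F'
}

# Return 0 only when two fingerprints are identical after normalisation.
fingerprint_matches() {
  [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# SHA-256 fingerprint of a certificate file (PEM or DER), upper-case hex, no colons.
cert_fingerprint() {
  cert="$1"; form=PEM
  grep -q 'BEGIN CERTIFICATE' "$cert" 2>/dev/null || form=DER
  normalize_fp "$(openssl x509 -in "$cert" -inform "$form" -noout -fingerprint -sha256)"
}

# import_trusted_cert KEYSTORE ALIAS CERTFILE EXPECTED_FINGERPRINT
# The keystore password is read from $KEYSTORE_PASS through keytool's
# -storepass:env option, so it never appears in argv or shell history.
import_trusted_cert() {
  keystore="$1"; alias="$2"; cert="$3"; expected="$4"
  actual=$(cert_fingerprint "$cert")
  if ! fingerprint_matches "$actual" "$expected"; then
    echo "refusing import: $cert has fingerprint $actual, expected $(normalize_fp "$expected")" >&2
    return 1
  fi
  # keytool -list exits non-zero when the alias is absent, which is what we want.
  if keytool -list -keystore "$keystore" -storetype jceks -storepass:env KEYSTORE_PASS \
       -alias "$alias" >/dev/null 2>&1; then
    echo "alias '$alias' already exists in $keystore; delete it first when rotating" >&2
    return 1
  fi
  keytool -importcert -noprompt -trustcacerts -keystore "$keystore" -storetype jceks \
       -storepass:env KEYSTORE_PASS -alias "$alias" -file "$cert"
  # Show what was trusted (subject, validity, fingerprints).
  keytool -list -v -keystore "$keystore" -storetype jceks -storepass:env KEYSTORE_PASS \
       -alias "$alias"
}

# Usage, from /<midpoint-installation-directory>/var, with the keystore password
# exported first (KEYSTORE_PASS=...; export KEYSTORE_PASS):
#   import_trusted_cert keystore.jceks stacert stademo.cer 'SHA256 Fingerprint=11:22:33:...'
```

The expected fingerprint should come from a channel independent of the machine doing the import, for example the STA administrator or a second network path; if the two disagree, the import is refused and nothing is written to the keystore.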

Configuration

Configuring the STA IdM Connector involves two tasks: obtaining an API key and the REST API ENDPOINT URL for STA, and configuring the SafeNet Trusted Access connector resource in the Identity Management Framework.

Getting an API key and REST API ENDPOINT URL for STA

The IdM connector needs credentials to call the STA APIs: an API key and the REST API ENDPOINT URL, both of which you obtain from the STA Access Management console. Treat the API key as a privileged credential, because it lets the connector create, modify and delete users and groups in your STA tenant; store it only in the connector's protected Api Key field and rotate it if it is exposed.

Configuring SafeNet Trusted Access Connector in Identity Management Framework

Perform the following steps to configure the STA IdM Connector in Identity Management Framework:

  1. Log in to Identity Management Framework as an administrator.

  2. On the administrator console, in the left pane, click Resources > All resources.

  3. On the All resources window, click the SafeNet Trusted Access resource that you created as a prerequisite.

  4. On the SafeNet Trusted Access resource window, scroll down, and perform the following steps:

    1. In the left pane, click Basic and in the right pane, perform the following steps to configure the resource:

      1. In the Name field, modify the name of the resource as needed. This is for identification purposes only.
      2. [Optional] In the Description field, enter a description of the resource.
      3. In the connectorRef field, ensure that the STA IdM Connector is selected (for example, ConnId com.connid.sta.connector.STARestConnector v1.0.1: ConnectorType).

      Ignore the validation warnings at the top of the window. They disappear once you complete all the configuration steps.

    2. In the left pane, click Connector configuration and in the right pane, perform the following steps to configure the STA REST API endpoint and the API key used to connect to your STA tenant:

      1. [Optional] In the Page size field, modify the page size as needed.
      2. In the Api Key field, click Change and enter the API key that you obtained earlier under Getting an API key and REST API ENDPOINT URL for STA.
      3. In the Repeat Password field, re-enter the API key.
      4. In the REST API Endpoint URL field, replace the value with the REST API ENDPOINT URL that you obtained earlier under Getting an API key and REST API ENDPOINT URL for STA.
      5. Click Save.

    3. On the All resources window, click the SafeNet Trusted Access resource, click Test connection to verify the configuration, and then click OK.

      If the connection test fails, check your connector configuration. For a certificate-related error, ensure that you added the STA certificate to your Identity Management Framework keystore as described in the prerequisites.

    4. In the left pane, click Schema handling. Schema handling contains the STA attribute mappings for both accounts (users) and groups.

      The default values are case-sensitive.

      You can configure Schema handling for:
      - Accounts
      - Groups

      Accounts

      Perform the following steps to view or edit the attribute mappings for users:

      1. In the right pane, in the Display name column, click Account.
      2. On the Object type wizard window, select the Mappings tile.
      3. Go to the Outbound mappings (to Resources) tab, which displays the users' attribute mappings. Ensure that all the attributes are mapped.
      4. You can edit an attribute mapping as needed. Refer to the Adding or Modifying an Attribute Mapping section.

        Unlike the standard attributes, the isSynchronized attribute is mapped through a script. It determines how users are synchronized between the STA IdM Connector and other resources. The attribute's default mapped value is true, which marks users as synchronized from an external user repository and distinguishes them from internal users created within STA.

        Synchronized users:
        - Cannot be modified through the STA console.
        - Can be members of both synchronized and internal groups.
        - Can have a 24-hour synchronization delay after removal to prevent accidental deletion.

        You must not delete the isSynchronized attribute's mapping; without it, external users would be synchronized as STA internal users.

        The isSynchronized attribute's value can only be set once in a user's life cycle. By default, the Use Delayed Sync Removal option delays by 24 hours the removal from STA of synchronized Identity Management Framework user records that are flagged for deletion. If this option is disabled, users deleted in the Identity Management Framework are removed from STA immediately and permanently, together with all their token associations, at the next synchronization. On the SAS console, navigate to Comms > Authentication Processing > LDAP Sync Agent Settings to enable or disable this setting.

      5. Click Save mappings to save any changes, or click Exit wizard.
      6. On the Object type wizard window, select the Synchronization tile.
      7. The Synchronization window displays the synchronization properties (configuration) of a resource object (user or group). It specifies what action the Identity Management Framework takes when a new synchronization event is detected. For example, when an account creation or deletion event is detected, the Identity Management Framework can create a new user, delete or disable an existing user, ignore the event, and so on.
      8. On the Synchronization window, ensure that all the values are set, and then click Exit wizard.
      9. On the Object type wizard, click the Back to object type link to exit the window.

      Groups

      Perform the following steps to view or edit the attribute mappings for groups:

      1. In the right pane, in the Display name column, click Group.
      2. On the Object type wizard window, select the Mappings tile.
      3. Go to the Outbound mappings (to Resources) tab, which displays the groups' attribute mappings. Ensure that all the attributes are mapped.
      4. You can edit an attribute mapping as needed. Refer to the Adding or Modifying an Attribute Mapping section.
      5. Click Save mappings to save any changes, or click Exit wizard.
      6. On the Object type wizard window, select the Synchronization tile.
      7. The Synchronization window displays the synchronization properties (configuration) of the group object, as described for accounts above. Ensure that all the values are set, and then click Exit wizard.
      8. On the Object type wizard window, click the Back to object type link to exit the window.

Adding or Modifying an Attribute Mapping

Perform the following steps to add or modify an attribute mapping:

  1. In the right pane, in the Display name column, click Account.

  2. On the Object type wizard window, select the Mappings tile.

  3. Go to the Outbound mappings (to Resources) tab, which displays the attribute mappings. Next to Lifecycle state, click the edit icon to edit an existing attribute mapping or to add a new one.

  4. The Main configuration window is displayed. Perform the following steps:

    1. In the To resource attribute field, select the STA attribute.

    2. In the Source field, enter the name of the IdM attribute (for example, name) that you want to map to the selected STA attribute.

    Similarly, you can add or modify an attribute mapping for Groups.