Evidian ESSO Connector
The Evidian Enterprise Single SignOn (ESSO) connector is a Java-based connector that is built with the Identity Java Connector Integration Framework and uses the Evidian Web API.
The Evidian ESSO connector implements the API methods "add(…)", "modify(…)", "delete(…)" and "search(…)". These methods represent the corresponding SPML requests "AddRequest", "ModifyRequest", "DeleteRequest" and "SearchRequest".
The connector currently only supports accounts in Evidian ESSO. One account represents the tuple user - application - role.
The SPML identifier consists of the user(DN), application and role: userDN,application=appname,role=rolename. The role part is optional; if it is omitted, the role “ ”(empty string) is assumed.
Every account has the fixed attributes login and secret. An account represents the possibility for the Active Directory user with the given userDN to log in to the given application automatically as the user specified in login with the password specified by secret. The role is necessary to specify access to the same application as a different login user.
The Evidian ESSO connector offers the following functionality:
- Add an account to Evidian ESSO
- Delete an account from Evidian ESSO
- Modify accounts and profiles
- Search for accounts in the Evidian ESSO system
Prerequisites and Limitations
The Evidian ESSO connector has the following limitations:
- You can only search for accounts of a given Active Directory user.
- Filters and scopes are not supported in searches.
Request and Response Handling
This section describes the supported requests and attributes for the Evidian ESSO connector.
Parameters are handled as extra attributes: every attribute that is not in the list of fixed attributes is treated as a parameter. Sample:
Id: userdn,application=SAPGUI Login=testuser Secret=test Mandant=1122
In this example, Login and Secret fill the fixed attributes, and Mandant is treated as a parameter named Mandant with the value 1122.
Add Request
The (account) add request creates a new account in Evidian ESSO. The following attributes are supported:
- The complete SPML identifier
- role
- login
- secret
All other attribute names are treated as parameters.
Here is an example request:
<spml:addRequest requestID="add-1">
  <spml:identifier type="urn:oasis:names:tc:SPML:1:0#DN">
    <spml:id>cn=Ben Hamm,cn=users,dc=esso,dc=iam,dc=my-it-solutions,dc=net,application=ANW ServerAdmin,role=DirXIdentity</spml:id>
  </spml:identifier>
  <spml:attributes>
    <dsml:attr name="role" xmlns="urn:oasis:names:tc:DSML:2:0:core">
      <dsml:value></dsml:value>
    </dsml:attr>
    <dsml:attr name="login" xmlns="urn:oasis:names:tc:DSML:2:0:core">
      <dsml:value>DomainAdmin</dsml:value>
    </dsml:attr>
    <dsml:attr name="secret" xmlns="urn:oasis:names:tc:DSML:2:0:core">
      <dsml:value>dirx</dsml:value>
    </dsml:attr>
  </spml:attributes>
</spml:addRequest>
Modify Request
The (account) modify request modifies an existing Evidian ESSO account. The same attributes as in the Add Request are supported.
Here is an example request:
<!-- Modify login name for user Ben Hamm, Role DirXIdentity and ServerAdmin application -->
<spml:modifyRequest requestID="mod-1">
  <spml:identifier type="urn:oasis:names:tc:SPML:1:0#DN">
    <spml:id>cn=Ben Hamm,cn=users,dc=esso,dc=iam,dc=my-it-solutions,dc=net,application=ANW ServerAdmin,role=DirXIdentity</spml:id>
  </spml:identifier>
  <spml:modifications>
    <spml:modification name="login" operation="replace">
      <dsml:value>Taspatch Nik</dsml:value>
    </spml:modification>
  </spml:modifications>
</spml:modifyRequest>
Delete Request
The delete request is used to delete an account. Here is an example request:
<!-- delete ServerAdmin for Ben Hamm with role DirXIdentity -->
<spml:deleteRequest requestID="del-1">
  <spml:identifier type="urn:oasis:names:tc:SPML:1:0#DN">
    <spml:id>cn=Ben Hamm,cn=users,dc=esso,dc=iam,dc=my-it-solutions,dc=net,application=ANW ServerAdmin,role=DirXIdentity</spml:id>
  </spml:identifier>
</spml:deleteRequest>
Search Request
The search request is used to retrieve account data (login, role, the encrypted secret and parameters). Only searches per user are supported.
The base node is either the user DN alone or the complete identifier as in the Add Request. The available attributes are:
- userDN
- application
- role
- login
- secret (returned as an encrypted value)
All other names are treated as parameter names.
The search filter is not evaluated. A base of just the userDN returns all accounts of this user; a complete identifier restricts the result to the given application and role of that user.
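The two conventions described above, the parameter handling (every attribute that is not login or secret becomes a parameter) and the search-base semantics (a bare userDN returns all of the user's accounts, a complete identifier filters by application and role), as an added Python helper. This is example code written for this page, not the connector's own code; the names EssoAccount, parse_identifier, account_from_request and is_user_wide_search are chosen here, and case-insensitive matching of attribute names is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# application= and role= are matched as the trailing parts of the id so that
# the commas inside the user DN (cn=...,cn=users,dc=...) stay intact.
_ID_RE = re.compile(
    r"^(?P<userdn>.+?),application=(?P<app>[^,]+)(?:,role=(?P<role>[^,]*))?$"
)

@dataclass
class EssoAccount:
    user_dn: str
    application: str
    role: str = ""                   # an omitted role means the empty string
    login: Optional[str] = None
    secret: Optional[str] = None
    parameters: Dict[str, str] = field(default_factory=dict)

def parse_identifier(spml_id: str) -> Tuple[str, str, str]:
    """Split 'userDN,application=app[,role=r]' into (userDN, application, role)."""
    m = _ID_RE.match(spml_id)
    if m is None:
        raise ValueError(f"not an ESSO account identifier: {spml_id!r}")
    return m["userdn"], m["app"], m["role"] or ""

def account_from_request(spml_id: str, attrs: Dict[str, str]) -> EssoAccount:
    """Map an add/modify request's id and attribute map onto an account.

    Names are compared case-insensitively (assumption: the page writes
    Login/Secret in one sample and login/secret in the XML). Anything other
    than login, secret or role is treated as a connector parameter.
    """
    acct = EssoAccount(*parse_identifier(spml_id))
    for name, value in attrs.items():
        key = name.lower()
        if key in ("login", "secret"):
            setattr(acct, key, value)
        elif key == "role":
            acct.role = value
        else:
            acct.parameters[name] = value
    return acct

def is_user_wide_search(search_base: str) -> bool:
    """True for a bare user DN (all accounts of that user), False when the base
    carries application[,role] and therefore filters the result."""
    return _ID_RE.match(search_base) is None
```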
Here is an example request:
<!-- search entry for ad user Ben Hamm app Web Center no role given -->
<spml:searchRequest xmlns="urn:oasis:names:tc:SPML:1:0" xmlns:spml="urn:oasis:names:tc:SPML:1:0" xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core" requestID="search_003">
  <spml:searchBase type="urn:oasis:names:tc:SPML:1:0#DN">
    <spml:id>cn=Ben Hamm,cn=users,dc=esso,dc=iam,dc=my-it-solutions,dc=net,application=ANW WebCenter</spml:id>
  </spml:searchBase>
  <spml:attributes>
    <dsml:attribute name="userDN"/>
    <dsml:attribute name="application"/>
    <dsml:attribute name="role"/>
    <dsml:attribute name="login"/>
    <dsml:attribute name="secret"/>
  </spml:attributes>
</spml:searchRequest>
Configuration
Here is a sample configuration snippet for the Evidian ESSO connector:
<connector name="ESSO connector"
           role="connector"
           version="1.02"
           className="net.atos.dirx.dxi.connector.evd.esso.EvidianEssoConnector">
  <connection name="ESSOconnector"
              url="https://<essohost>:9765/soap"
              user="<Administrator>"
              password="<pw>">
  </connection>
</connector>
The Evidian ESSO connector supports the following standard properties of the XML configuration file’s <connection> element:
- url (mandatory) - the URL for the Evidian User Access Web Service port - not used.
- user (mandatory) - the user name to access the Web service.
- password (mandatory) - the password.