1.2 Creating SCIM Driver Object for Connecting to Keeper Password Manager and Digital Vault in Designer

To begin the configuration, set up the SCIM driver object in Designer and configure it with the parameters specific to connecting to the Keeper application.

The procedure for setting up the SCIM driver object in Designer is the same for any connected application. The generic steps are steps 1 through 21, and the configuration parameters specific to the Keeper application start at step 22. If you are already familiar with setting up a driver object, you can skip to step 22.

  1. Open Designer.

  2. In the toolbar, click Help > Check for Package Updates.

  3. Select the required packages to download and click OK. Designer is updated with the selected packages. For the packages that must be selected for Keeper, see Installing the Driver Packages in Designer.

  4. In the Outline view, right-click the Package Catalog.

  5. Click Import Package and install the SCIM KeeperSecurity Configuration Package.

  6. By default, only the base packages are displayed. Deselect Show Base Packages Only to display all packages.

  7. Scroll to find the required package and select it.

  8. Click OK to import the selected packages, then click OK in the successfully imported packages message.

  9. In the Designer Outline view, open your project.

  10. Right-click the project and select New > Identity Vault, or drag Identity Vault from the Palette to the Modeler window.

  11. In the Add Server Association screen, select values for the following fields and click OK:

    • Server DN

    • Identity Manager Version

    • Identity Manager Edition

    The Identity Vault Credentials window appears.

  12. In the Identity Vault Credentials window, enter:

    • Host: The IP address of the machine hosting the Identity Vault.

    • Username: The name of the user, for example, Admin, if the user is an administrator.

    • Password: The password that user uses to log in to the Identity Vault.

  13. Select Save Password if you want Designer to keep the password for easier logins later. Leave it cleared on a shared or unmanaged workstation: the saved password is an administrative credential for the Identity Vault and is stored on that machine.

  14. Click OK.

    The Identity Vault with the Driver Set appears in the Modeler window.

  15. In the right pane, drag and drop the SCIM driver icon from Palette > Tool tab to the Modeler window.

  16. In the Driver Configuration Wizard, select SCIM Base (Contains the base functionality for a driver. You must install a driver base configuration package first).

    NOTE: You can only select one base package.

  17. Click Next.

  18. In the Select Mandatory Features page, select the SCIM Default Package, and click Next.

  19. In the Select Optional Features page, select the SCIM KeeperSecurity Configuration Package and, if required, the SCIM JSON Package, and click Next.

    IMPORTANT: Although the SCIM KeeperSecurity Configuration Package appears on the Select Optional Features page, you must select it to configure the SCIM driver for Keeper.

  20. Verify that the items listed under Important Note are met, and click Next.

  21. On the Driver Information page, specify a name for the driver, then click Next. The Connection Parameters page appears.

  22. In the Authentication Method field, select OAuth 2.0. OAuth 2.0 is recommended because it is the most secure of the authentication methods the driver offers.

  23. In the OAuth2.0 Token Management field, select Manual. The other options, JWT and Bearer, are not supported by the Keeper application.

    The following fields appear:

    • Token: Specify the provisioning token generated in the Keeper application. To generate the token:

      1. Log in to the Keeper application and navigate to the Root node.

      2. Select the User Defined node.

      3. Click the Provisioning tab.

      4. Click Add Method and, from the options that appear, select SCIM.

      5. Click Next. The SCIM URL appears.

      6. Click Create Provisioning Token. The token is generated, for example:

         <9xdQQZzVwvmfe+gIGab0z8VnqlejRDgPgxYtR3bPW7o=>

      Treat the token as a secret: the driver presents it on every request to Keeper, and anyone who holds it can provision users and groups into that Keeper node over SCIM.

    • Query Options: Not applicable for the Keeper application. You can add query options to suit your environment, but they apply only when a new bearer token must be generated, and generating a new bearer token is not supported by the Keeper application.

    • Secret Query Options: Not applicable for the Keeper application, for the same reason. The values specified in these options are hidden for security purposes.

    • Application Truststore File: The path and name of the keystore file that contains the trusted certificates (the CA chain that issued the Keeper SCIM endpoint's server certificate) used to complete the TLS handshake with the connected system. For example:

      </root/scim_configuration/trustKeeperSec/KeeperSec>

      For more information on how to create the truststore file, see Configuring the Subscriber Channel in the NetIQ Identity Manager Driver Administration Guide.

    • Mutual Authentication: Not supported by the Keeper application.

    • Proxy Authentication: Defaults to Hide. Select Show if the driver must reach Keeper through a proxy, and specify:

      • Proxy host name and port: <192.168.0.0:port>, the address of the proxy and the port on which it listens.

      • Username: <user name for proxy authentication>

      • Enter Password: <password for proxy authentication>

      • Re-enter Password: <password for proxy authentication>

    • HTTPS Connection Timeout: Specify the HTTPS connection timeout, in minutes. The value must be greater than 0.

      NOTE: The driver waits for the specified time, then terminates the HTTPS connection and reports one of the error codes configured in the Subscriber Options > HTTPS error codes for retry field.

    • SCIM 2.0 URL: Enter the base URL of the SCIM application. SCIM resource paths such as Users and Groups are appended to this URL. For example:

      <https://keepersecurity.com/api/rest/scim/v2/345074852429829/>

  24. In the Install SCIM Base page, specify the Subscriber Options and Publisher Options, and click Next.

    Subscriber Options

    • HTTPS error codes for retry: Specify the HTTPS status codes for which the operation must return a retry status, as a list of integers separated by spaces. For example: <307 408 503 504>

      NOTE: The operation is retried when one of these codes is returned.

    Publisher Options

    • Enable Publisher Channel: Select Yes to enable the Publisher channel.

    • Polling interval in minutes: Specify how often, in minutes, the Publisher channel polls Keeper. For example: <10>

    • Heartbeat interval in minutes: Configures the driver shim to send a periodic status message on the Publisher channel. By default, this is set to 10 minutes.

    IMPORTANT: Polling Resource Options: This field does not appear when you set up the driver for the first time. Specify these options after the driver is configured: double-click the connector line in the Modeler window and navigate to Driver Configuration > Publisher Options.

    • Select Configured Resources to poll all resources that are configured in the schema settings.

    • Select Custom Resources to configure a customized polling Resource ID and Resource URL for each resource:

      • For User:

        • Resource ID: Example, urn:ietf:params:scim:schemas:core:2.0:User

        • Resource URL: Example, https://keepersecurity.com/api/rest/scim/v2/345074852429829/Users?startIndex=1&count=100

      • For Group:

        • Resource ID: Example, urn:ietf:params:scim:schemas:core:2.0:Group

        • Resource URL: Example, https://keepersecurity.com/api/rest/scim/v2/345074852429829/Groups?startIndex=1&count=100

      NOTE: In the URLs above, startIndex is the 1-based position of the first resource to return and count is the maximum number of resources to return from that position in one poll.
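How the Publisher poll and the Subscriber retry setting behave on the wire, as an added example that is not part of the NetIQ SCIM driver or of Keeper: a small Python client that sends the provisioning token as a bearer credential, walks the Users endpoint page by page using startIndex and count exactly as in the polling URL above, and re-issues a request only when the response status is one of the configured retry codes. The transport is a constructed stand-in for the Keeper SCIM endpoint so the code runs offline; the tenant id in the URL is the page's sample value and the token is a placeholder.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit

SCIM_LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Sample values from the driver configuration above.  The tenant id and the
# token are placeholders, not real Keeper credentials.
BASE_URL = "https://keepersecurity.com/api/rest/scim/v2/345074852429829/"
TOKEN = "EXAMPLE_PROVISIONING_TOKEN"
RETRY_CODES = {307, 408, 503, 504}        # "HTTPS error codes for retry"


def auth_headers(token):
    """OAuth 2.0 'Manual' token management: the static provisioning token is
    presented as a bearer token (RFC 6750) on every request."""
    return {"Authorization": "Bearer " + token, "Accept": "application/scim+json"}


def polling_url(base_url, endpoint, start_index, count):
    """Build e.g. .../Users?startIndex=1&count=100 (SCIM startIndex is 1-based)."""
    return base_url + endpoint + "?" + urlencode({"startIndex": start_index, "count": count})


def fetch_with_retry(transport, url, headers, retry_codes, max_attempts=3):
    """transport(url, headers) -> (status, body_text).  Re-issue the request only
    when the status is a configured retry code; any other non-200 status fails
    immediately, so a bad token (401) is reported rather than hammered."""
    last = None
    for _ in range(max_attempts):
        status, body = transport(url, headers)
        if status == 200:
            return json.loads(body)
        last = status
        if status not in retry_codes:
            break
    raise RuntimeError("SCIM request to %s failed with HTTP %s" % (url, last))


def poll_resources(transport, base_url, endpoint, count=100, token=TOKEN, retry_codes=RETRY_CODES):
    """Walk a SCIM ListResponse page by page until totalResults is reached."""
    headers = auth_headers(token)
    start_index, resources = 1, []
    while True:
        url = polling_url(base_url, endpoint, start_index, count)
        page = fetch_with_retry(transport, url, headers, retry_codes)
        if SCIM_LIST_RESPONSE not in page.get("schemas", []):
            raise ValueError("not a SCIM ListResponse")
        items = page.get("Resources", [])
        resources.extend(items)
        # Stop on the last page, or on an empty page (guards against looping
        # forever on an endpoint that ignores startIndex).
        if not items or start_index + len(items) > page["totalResults"]:
            return resources
        start_index += len(items)


class FakeKeeperScim:
    """Constructed stand-in for the Keeper SCIM endpoint (hypothetical, offline):
    serves a fixed user list as ListResponse pages, requires the bearer token,
    and can fail the first call with a transient status to exercise the retry."""

    def __init__(self, users, fail_first_with=503):
        self.users, self.fail_first_with, self.calls = users, fail_first_with, 0

    def __call__(self, url, headers):
        self.calls += 1
        if headers.get("Authorization") != "Bearer " + TOKEN:
            return 401, json.dumps({"status": "401", "detail": "bad token"})
        if self.calls == 1 and self.fail_first_with:
            return self.fail_first_with, ""
        parts = urlsplit(url)
        if not parts.path.endswith("/Users"):
            return 404, ""
        query = parse_qs(parts.query)
        start = int(query.get("startIndex", ["1"])[0])
        count = int(query.get("count", ["100"])[0])
        page = self.users[start - 1:start - 1 + count]
        body = {"schemas": [SCIM_LIST_RESPONSE], "totalResults": len(self.users),
                "startIndex": start, "itemsPerPage": len(page), "Resources": page}
        return 200, json.dumps(body)


# Constructed sample users, not data from Keeper.
SAMPLE_USERS = [{"schemas": [USER_SCHEMA], "id": str(i), "userName": "user%d@example.com" % i,
                 "active": i % 2 == 1} for i in range(1, 6)]


def demo():
    """Poll five users two at a time through one injected 503: returns the
    user names and the number of HTTP calls made (4 = 1 retried + 3 pages)."""
    keeper = FakeKeeperScim(SAMPLE_USERS)
    users = poll_resources(keeper, BASE_URL, "Users", count=2)
    return [u["userName"] for u in users], keeper.calls


def bad_token_attempts():
    """A 401 is not in the retry set, so exactly one request is made."""
    keeper = FakeKeeperScim(SAMPLE_USERS, fail_first_with=0)
    try:
        poll_resources(keeper, BASE_URL, "Users", token="wrong-token")
    except RuntimeError:
        return keeper.calls
    return -1


if __name__ == "__main__":
    names, calls = demo()
    print("polled %d users in %d HTTP calls: %s" % (len(names), calls, names))
    print("attempts with a bad token:", bad_token_attempts())
```

The retry set is deliberately narrow: 503 and 504 are the statuses a transient outage or overloaded endpoint produces, whereas 401 and 403 mean the token is wrong or revoked and retrying only delays the alert you want.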

  25. In the Schema Settings page, enter the values as shown in the following table:

    Table 1-1 Schema Settings

    • Refresh Schema on Driver Startup: Specify Yes to refresh the schema.

      IMPORTANT: Select Yes only the first time, to load the application schema, or when the application schema has changed. Change it to No after the schema is loaded and the schema mappings are complete. For more information, see Refreshing the Fetched Connected Application's Schema in the NetIQ SCIM Driver Implementation Guide.

    • Schema Options: The available options are:

      • SCIM 2.0: The SCIM 2.0 schema for User and Group as defined in RFC 7643.

      • Application URL: The application's SCIM endpoint that serves the SCIM JSON schema for resources such as User, Group and Role. For example, https://keepersecurity.com/api/rest/scim/v2/345074852429829/Schemas.

      • Import JSON File: Import a user-defined schema JSON file from the local file system. The file must comply with the SCIM JSON format defined in RFC 7643. Example, NIdM_Driver_SCIM\schema\scim_default_schemas

    • Resource Type: Specify the Resource ID and Resource Endpoint for each resource (Users, Groups, Roles, Entitlements and so on), with the Resource ID in Uniform Resource Name (URN) format. For Users:

      • Resource ID: The resource ID in URN format. For example, urn:ietf:params:scim:schemas:core:2.0:User

      • Resource Endpoint: The endpoint for the Resource ID. For example, Users.

      • Modify Method Operation: Select PATCH. PATCH sends only the changed attributes to Keeper as a partial update instead of replacing the whole resource.

      Similarly for Groups:

      • Resource ID: For example, urn:ietf:params:scim:schemas:core:2.0:Group

      • Resource Endpoint: Groups

      • Modify Method Operation: Select PATCH.

    Table 1-2 Modifier Settings

    • Custom Java Class: The custom Java class used to extend the driver's functionality. Defaults to Hide; select Show to configure modifiers.

      • Document Handling: Defaults to No; select Yes. The Class and Init Parameter fields appear.

        • Class: Specify the class using its full package identifier, for example com.novell.docmodifier.KeeperSecurityDocumentModifiers.

          NOTE: Ensure the KSDocMod.jar file is available in /opt/novell/eDirectory/lib/dirxml/classes on the Identity Manager server.

        • Init Parameter: Specify the parameters to pass to the init() method of your class, as a string. The init() method of your class is responsible for parsing that string. Leave this field blank if your class does not require a configuration string.
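What selecting PATCH as the Modify Method Operation means for the requests the driver sends, as an added example that is not part of the NetIQ driver or of Keeper: Python code that builds a SCIM 2.0 PatchOp message (RFC 7644 section 3.5.2) and applies it to a local copy of a resource, so you can see that only the attributes named in the operations change. The sample user and group, and the helper names, are constructed for this example.

```python
import copy
import json
import re

PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
GROUP_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:Group"

# Matches a value filter on a multi-valued attribute, e.g. members[value eq "1002"].
_VALUE_FILTER = re.compile(r'^(\w+)\[value eq "([^"]+)"\]$')


def patch_request(operations):
    """Body of a SCIM 2.0 PATCH request.  With Modify Method Operation set to
    PATCH, the driver sends a message of this shape to <SCIM 2.0 URL>Users/<id>
    or <SCIM 2.0 URL>Groups/<id>."""
    return {"schemas": [PATCH_OP], "Operations": operations}


def apply_patch(resource, body):
    """Apply a PatchOp body to a copy of resource and return the copy.

    Covers what a User or Group modify needs: replace/add on a simple attribute,
    add to a multi-valued attribute (union by 'value'), add without a path
    (merge), remove of a simple attribute, and remove with a value filter.
    Anything else raises instead of being silently dropped, the safer failure
    mode for provisioning data."""
    if PATCH_OP not in body.get("schemas", []):
        raise ValueError("not a SCIM PatchOp message")
    out = copy.deepcopy(resource)
    for op in body["Operations"]:
        kind, path, value = op["op"].lower(), op.get("path"), op.get("value")
        match = _VALUE_FILTER.match(path or "")
        if kind == "add" and path is None and isinstance(value, dict):
            out.update(value)
        elif kind in ("add", "replace") and path and not match:
            if kind == "add" and isinstance(out.get(path), list):
                present = {e["value"] for e in out[path]}
                out[path].extend(e for e in value if e["value"] not in present)
            else:
                out[path] = value
        elif kind == "remove" and match:
            attr, target = match.groups()
            out[attr] = [e for e in out.get(attr, []) if e["value"] != target]
        elif kind == "remove" and path:
            out.pop(path, None)
        else:
            raise ValueError("unsupported PATCH operation: " + json.dumps(op))
    return out


# Constructed sample resources, not data from Keeper.
SAMPLE_USER = {"schemas": [USER_SCHEMA], "id": "1001", "userName": "alice@example.com",
               "displayName": "Alice Example", "active": True}
SAMPLE_GROUP = {"schemas": [GROUP_SCHEMA], "id": "2001", "displayName": "Engineering",
                "members": [{"value": "1001"}, {"value": "1002"}]}


def deactivate_user(user):
    """Disable an account by changing only 'active'.  userName and displayName
    are untouched; with PUT the whole resource would be re-sent and any
    attribute left out may be cleared on the Keeper side."""
    return apply_patch(user, patch_request([{"op": "replace", "path": "active", "value": False}]))


def swap_member(group, old_id, new_id):
    """Remove one member and add another in a single PATCH round trip."""
    return apply_patch(group, patch_request([
        {"op": "remove", "path": 'members[value eq "%s"]' % old_id},
        {"op": "add", "path": "members", "value": [{"value": new_id}]},
    ]))


def member_ids(group):
    return [m["value"] for m in group.get("members", [])]


def is_rejected(resource, body):
    """True when apply_patch refuses the message (the fail-closed path)."""
    try:
        apply_patch(resource, body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(patch_request([{"op": "replace", "path": "active", "value": False}])))
    print(deactivate_user(SAMPLE_USER))
    print(member_ids(swap_member(SAMPLE_GROUP, "1002", "1003")))
```

The fail-closed choice matters for a provisioning connector: an operation the receiver does not understand should surface as an error in the driver log, not be skipped, because a skipped remove on a group membership leaves an access grant in place.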

  26. Review the summary of tasks that will be completed to create the driver, then click Finish. The configured driver appears in Designer.