Falcon
Saviynt Employee

Disclaimer

The integration was either created by Saviynt or by Saviynt community users and verified by Saviynt. The integration is available "as is" and falls under standard connector support for REST, SOAP, JDBC, LDAP, PowerShell, Jar, and the Saviynt Connector Framework.


Preface

This guide describes the integration between Saviynt Enterprise Identity Cloud (EIC) and Confluent Cloud.

Audience

This guide is intended for administrators and target application integration teams responsible for implementing a secure integration service with Confluent Cloud.

Introduction

Confluent Cloud is a resilient, scalable, streaming data service based on Apache Kafka®, delivered as a fully managed service. Confluent Cloud has a web interface called the Confluent Cloud Console, a local command line interface, and REST APIs.

The Confluent Cloud connector enables you to seamlessly integrate with Confluent Cloud to manage the user lifecycle.

For more information about different connectors in EIC, see Saviynt Enterprise Identity Cloud Connectors.

Note: This guide provides information about using the Confluent Cloud (REST) connector for performing the operations listed in Supported Features.

 

The Confluent Cloud integration supports the following features:

  • Full Import

  • Incremental Import

  • Lifecycle Management

  • Add or Remove Access

Supported Software Versions

  Software: EIC
  Version: Release v4.5 and later

 

Understanding the Integration between EIC and Confluent Cloud

You must create an integration between EIC and the target application to perform import, provisioning, and de-provisioning tasks. The following components are involved in the integration:

  • Confluent Cloud is the target application for which EIC manages the identity lifecycle. Confluent Cloud integrates with EIC through the connector to manage accounts.

  • Objects are imported as entitlement types into EIC.

  • Security System represents the connection between EIC and the target application.

    • It comprises an endpoint, which is the target application for which you want EIC to manage the identity repository.

    • It provides application instance abstraction from connectivity including high-level metadata. For more information about creating a security system, see Creating a Security System.

  • Endpoint is an instance of an application within the context of a security system.

    • It is the target application or application from which the connector performs provisioning or de-provisioning of identity objects, such as users, accounts, and entitlements.

    • It is mandatory to create an endpoint after creating the security system.
      You can associate a single security system with multiple endpoints if the deployment involves modeling multiple isolated virtual applications (based on sets of specific entitlements according to certain categories) within a single application instance. For more information about creating an endpoint, see Creating an Endpoint for the Security System.

  • Connector is a software component that enables the communication between EIC and the target application. It provides a simplified integration mechanism where in some instances you only need to create a connection with minimal connectivity information for your target application. The (REST-based) Connector is used for provisioning accounts and access through the REST APIs. For more information about creating a connection, see Creating a Connection.

  • Job Scheduler is a software component that executes a job based on the configured schedule to perform provisioning operations from EIC.
    When a provisioning job is triggered, it creates provisioning tasks in EIC. When these tasks are completed, the provisioning action is performed on the target application through the configured connector. If you want to provision requests instantly, without waiting for the provisioning job, you must enable Instant Provisioning at the security system level and the Instant Provisioning Tasks global configuration. For more information about the jobs used by the connectors in the Confluent Cloud integration, see Configuring Import Operations and Configuring Provisioning and Deprovisioning in this guide.

Integration Architecture

EIC uses a REST connection for integrating with Confluent Cloud, both for importing data and for performing provisioning and de-provisioning tasks. The REST connection calls the Confluent Cloud REST API over HTTPS at https://api.confluent.cloud, authenticating every request with the Cloud API key described in Prerequisites.

The following diagram illustrates the integration architecture and communication with the target application.  

 
 
[Figure: integration architecture diagram (Confluent.png)]

Setting Up the Integration

Prerequisites

Confluent Cloud authenticates calls to its management REST API with Cloud API keys (an API key ID and a secret). Perform the following steps to generate a Cloud API key for the connector.

  1. Log in to the Confluent Cloud Console using administrator credentials.

  2. Select Administration > Cloud API Keys.

[Figure: Administration configuration (confluentapikey.png)]

  3. Click Add key and select the scopes on the next page.

  4. Copy the generated key and secret, then click Download and continue.

[Figure: download key (downloadkey.png)]

Before you create the key, decide who owns it. A key owned by a dedicated service account rather than a named administrator keeps the integration working when that administrator leaves and makes the connector's actions attributable; check in the Confluent RBAC documentation which organization-level role the owner needs to list users and create or delete service accounts, and grant no more than that. Treat the secret like a password: Confluent shows it only once, and it should be stored only in the EIC connection.

Note: To use your API key, send it in an Authorization header using HTTP Basic authentication: join the key ID and the secret with a colon, base64-encode the result, and prefix it with "Basic ". For example, if your API Key ID is ABCDEFGH123456789 and the corresponding API Key Secret is XNCIW93I2L1SQPJSJ823K1LSSDS902KLDFMCZPWEO, the authorization header is

Authorization: Basic QUJDREVGR0gxMjM0NTY3ODk6WE5DSVc5M0kyTDFTUVBKU0o4MjNLMUxTU0RTOTAyS0xERk1DWlBXRU8=

Base64 is an encoding, not encryption: anyone who can read this header value can recover the key ID and secret from it.

For more information, see the Confluent Cloud documentation.

Creating a Connection

Connection refers to the configuration setup for connecting EIC to target applications. For more information about the procedure to create a connection, see Creating Connections.

Understanding the Configuration Parameters

While creating a connection, you must specify connection parameters that the connector uses to connect with the target application, define the type of operations to perform, the target application objects against which those operations are performed, and the frequency of performing them. In addition, you can view and edit attribute mappings between EIC and the target application, predefined correlation rules, and provisioning jobs and import jobs.

Configuration Parameters for Account and Access Import

The connector uses the following parameters for creating a connection and for importing accounts and access from the target application:

Connection Parameters

Connection Name
  Description: Specify the name to identify the connection.
  Example configuration: -
  Mandatory: Yes

Connection Description
  Description: Specify the description for the connection.
  Example configuration: -
  Mandatory: No

Connection Type
  Description: Select the connection type as REST.
  Example configuration: -
  Mandatory: Yes

Default SAV Role
  Description: Specify this parameter to assign the SAV role for the connection. The SAV role is a role in EIC that assigns specific access to users. This parameter is valid only for importing users.
  Sample value: A user assigned the ROLE_ADMIN role has access to all sections of EIC.
  Mandatory: No

Email Template
  Description: Specify this parameter to select an email template for sending notifications. Email templates trigger an email to a user immediately after an action is performed; the email informs the user about the action and, if it is critical, asks the user to act.
  Example configuration: -
  Mandatory: No

ConnectionJSON
  Description: Specify this parameter to create a connection. Replace @@USERNAME@@ with the Cloud API key ID and @@PASSWORD@@ with the API key secret. The accessToken value is the same "Basic <base64(keyID:secret)>" header value described in Prerequisites and must be computed from the same key ID and secret; it is a working credential, so never paste a real value into a ticket, a community post, or this page.
  Use the following format to connect to the Confluent Cloud application:

  {
    "authentications": {
      "acctAuth": {
        "authType": "Basic",
        "url": "https://api.confluent.cloud",
        "httpMethod": "POST",
        "properties": {
          "userName": "@@USERNAME@@",
          "password": "@@PASSWORD@@"
        },
        "expiryError": "ExpiredAuthenticationToken",
        "authError": [
          "InvalidAuthenticationToken",
          "AuthenticationFailed"
        ],
        "timeOutError": "Read timed out",
        "errorPath": "error.code",
        "maxRefreshTryCount": 5,
        "tokenResponsePath": "access_token",
        "tokenType": "Basic",
        "accessToken": "Basic <base64(keyID:secret)>"
      }
    }
  }

  Mandatory: Yes
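The following is an added example for this page, not Saviynt's or Confluent's code. It builds the Authorization header value that the Prerequisites note describes from a Cloud API key ID and secret, generates the ConnectionJSON above with that key filled in, and checks a ConnectionJSON before it is saved: the accessToken must be exactly "Basic " plus base64 of userName:password, both auth types must be Basic, and the URL must be the Confluent Cloud API over HTTPS. The key ID and secret used in the test are the dummy values from the note; the header shape and the API host are the only assumptions.

```python
"""Pre-save consistency check for the Confluent Cloud ConnectionJSON.
Added example for this page, not Saviynt's or Confluent's code."""

import base64
import binascii

CONFLUENT_API = "https://api.confluent.cloud"


def basic_header(key_id, secret):
    """Authorization value for a Confluent Cloud API key: 'Basic ' + base64(keyID:secret)."""
    return "Basic " + base64.b64encode(f"{key_id}:{secret}".encode("ascii")).decode("ascii")


def decode_basic_header(value):
    """Recover (key_id, secret) from a Basic header, or None if it is malformed.
    That this works is the point: base64 is reversible, so the accessToken string
    in a saved ConnectionJSON is a credential and must be protected as one."""
    scheme, _, token = value.partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        key_id, sep, secret = base64.b64decode(token, validate=True).decode("ascii").partition(":")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return (key_id, secret) if sep else None


def example_connection_json(key_id, secret):
    """The page's ConnectionJSON with the Cloud API key filled in (same keys as the template)."""
    return {"authentications": {"acctAuth": {
        "authType": "Basic",
        "url": CONFLUENT_API,
        "httpMethod": "POST",
        "properties": {"userName": key_id, "password": secret},
        "expiryError": "ExpiredAuthenticationToken",
        "authError": ["InvalidAuthenticationToken", "AuthenticationFailed"],
        "timeOutError": "Read timed out",
        "errorPath": "error.code",
        "maxRefreshTryCount": 5,
        "tokenResponsePath": "access_token",
        "tokenType": "Basic",
        "accessToken": basic_header(key_id, secret),
    }}}


def check_connection_json(conn):
    """Return the list of problems in the acctAuth block; an empty list means it is consistent."""
    problems = []
    auth = conn["authentications"]["acctAuth"]
    props = auth.get("properties", {})
    if not auth.get("url", "").startswith(CONFLUENT_API):
        problems.append("url is not the Confluent Cloud API over HTTPS")
    if auth.get("authType") != "Basic" or auth.get("tokenType") != "Basic":
        problems.append("authType and tokenType must both be Basic for a Cloud API key")
    decoded = decode_basic_header(auth.get("accessToken", ""))
    if decoded is None:
        problems.append("accessToken is not a well-formed 'Basic <base64(keyID:secret)>' value")
    elif decoded != (props.get("userName"), props.get("password")):
        problems.append("accessToken does not match userName:password")
    return problems
```

Run check_connection_json on the JSON you are about to paste into EIC; a truncated or hand-edited accessToken, or a token computed from an old secret after rotation, shows up here rather than as an authentication failure in the import job.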

 
Import Parameters

ImportAccountEntJSON
  Description: Specify this parameter to reconcile accounts and entitlements. The template imports Confluent Cloud users (iam/v2/users) and service accounts (iam/v2/service-accounts) as EIC accounts, and organizations and environments (org/v2) as entitlement types. Two things to check before you use it: acctEntParams is left empty, so no account-to-entitlement association is imported and accounts appear in EIC without organization or environment membership until you add a call that returns that mapping; and the organization entTypeLabels name customproperty1 "Deleted" while its colsToPropsMap fills customproperty1 with kind, so align the label with the mapping you want.
  Use the following format to reconcile accounts and entitlements using the Confluent Cloud application:

  {
    "accountParams": {
      "connection": "acctAuth",
      "processingType": "SequentialAndIterative",
      "call": {
        "call1": {
          "callOrder": 0,
          "stageNumber": 0,
          "http": {
            "url": "https://api.confluent.cloud/iam/v2/users",
            "httpHeaders": {
              "Authorization": "${access_token}",
              "Accept": "application/json"
            },
            "httpContentType": "application/json",
            "httpMethod": "GET"
          },
          "listField": "data",
          "keyField": "accountID",
          "colsToPropsMap": {
            "accountID": "id~#~char",
            "name": "full_name~#~char",
            "displayName": "full_name~#~char",
            "customproperty2": "email~#~char",
            "customproperty3": "kind~#~char"
          }
        },
        "call2": {
          "callOrder": 1,
          "stageNumber": 1,
          "http": {
            "url": "https://api.confluent.cloud/iam/v2/service-accounts",
            "httpHeaders": {
              "Authorization": "${access_token}"
            },
            "httpContentType": "application/json",
            "httpMethod": "GET"
          },
          "inputParams": {
            "dependentCall": false
          },
          "listField": "data",
          "keyField": "accountID",
          "colsToPropsMap": {
            "accountID": "id~#~char",
            "name": "display_name~#~char",
            "displayName": "display_name~#~char",
            "customproperty1": "description~#~char",
            "customproperty3": "kind~#~char",
            "customproperty4": "description~#~char"
          }
        }
      }
    },
    "entitlementParams": {
      "connection": "acctAuth",
      "processingType": "SequentialAndIterative",
      "entTypes": {
        "organization": {
          "entTypeOrder": 0,
          "entTypeLabels": {
            "customproperty1": "Deleted",
            "customproperty2": "CreatedAt",
            "customproperty3": "UpdatedAt"
          },
          "call": {
            "call1": {
              "callOrder": 0,
              "stageNumber": 0,
              "http": {
                "url": "https://api.confluent.cloud/org/v2/organizations",
                "httpHeaders": {
                  "Authorization": "${access_token}",
                  "Accept": "application/json"
                },
                "httpContentType": "application/json",
                "httpMethod": "GET"
              },
              "listField": "data",
              "keyField": "entitlementID",
              "colsToPropsMap": {
                "entitlementID": "id~#~char",
                "entitlement_value": "display_name~#~char",
                "customproperty1": "kind~#~char"
              },
              "disableDeletedEntitlements": true
            }
          }
        },
        "environment": {
          "entTypeOrder": 1,
          "call": {
            "call1": {
              "callOrder": 0,
              "stageNumber": 0,
              "http": {
                "url": "https://api.confluent.cloud/org/v2/environments",
                "httpHeaders": {
                  "Authorization": "${access_token}",
                  "Accept": "application/json"
                },
                "httpContentType": "application/json",
                "httpMethod": "GET"
              },
              "listField": "data",
              "keyField": "entitlementID",
              "colsToPropsMap": {
                "entitlementID": "id~#~char",
                "entitlement_value": "display_name~#~char",
                "customproperty1": "kind~#~char"
              },
              "disableDeletedEntitlements": true
            }
          }
        }
      }
    },
    "acctEntParams": {}
  }

  Mandatory: Yes
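The following is an added example for this page, not Saviynt's connector code. It simulates offline what the import JSON above produces: it walks each call in callOrder, takes the elements of listField, applies colsToPropsMap (this example reads each value as "confluentAttribute~#~type" and copies the attribute on the left, which is its own model of the template, not Saviynt's implementation) and keys the rows by keyField. The HTTP responses are constructed to resemble iam/v2 and org/v2 payloads and are not real data; the users list is split over two pages so that the effect of ignoring metadata.next, which the page's template does not follow, is visible. Because acctEntParams is {} in the template, no account-to-entitlement rows are produced.

```python
"""Offline simulation of the Confluent Cloud account and entitlement import.
Added example for this page; responses are constructed, not real data."""

# Constructed responses keyed by URL (not real Confluent Cloud data).
FAKE_RESPONSES = {
    "https://api.confluent.cloud/iam/v2/users": {
        "metadata": {"next": "https://api.confluent.cloud/iam/v2/users?page_token=p2"},
        "data": [{"id": "u-1a2b3c", "kind": "User", "email": "alice@example.com",
                  "full_name": "Alice Example"}]},
    "https://api.confluent.cloud/iam/v2/users?page_token=p2": {
        "metadata": {"next": None},
        "data": [{"id": "u-4d5e6f", "kind": "User", "email": "bob@example.com",
                  "full_name": "Bob Example"}]},
    "https://api.confluent.cloud/iam/v2/service-accounts": {
        "metadata": {"next": None},
        "data": [{"id": "sa-7g8h9i", "kind": "ServiceAccount", "display_name": "svc-ingest",
                  "description": "Ingest pipeline"}]},
    "https://api.confluent.cloud/org/v2/organizations": {
        "metadata": {"next": None},
        "data": [{"id": "org-abc", "kind": "Organization", "display_name": "Example Org"}]},
}

# Trimmed copy of the page's template: same calls and field mappings, minus headers,
# stageNumber and the environment entitlement type.
IMPORT_JSON = {
    "accountParams": {"connection": "acctAuth", "call": {
        "call1": {"callOrder": 0, "http": {"url": "https://api.confluent.cloud/iam/v2/users"},
                  "listField": "data", "keyField": "accountID",
                  "colsToPropsMap": {"accountID": "id~#~char", "name": "full_name~#~char",
                                     "customproperty2": "email~#~char",
                                     "customproperty3": "kind~#~char"}},
        "call2": {"callOrder": 1,
                  "http": {"url": "https://api.confluent.cloud/iam/v2/service-accounts"},
                  "listField": "data", "keyField": "accountID",
                  "colsToPropsMap": {"accountID": "id~#~char", "name": "display_name~#~char",
                                     "customproperty1": "description~#~char",
                                     "customproperty3": "kind~#~char"}},
    }},
    "entitlementParams": {"connection": "acctAuth", "entTypes": {
        "organization": {"entTypeOrder": 0, "call": {"call1": {
            "callOrder": 0, "http": {"url": "https://api.confluent.cloud/org/v2/organizations"},
            "listField": "data", "keyField": "entitlementID",
            "colsToPropsMap": {"entitlementID": "id~#~char",
                               "entitlement_value": "display_name~#~char",
                               "customproperty1": "kind~#~char"}}}},
    }},
    "acctEntParams": {},  # empty on the page: no account-to-entitlement rows are imported
}


def fake_get(url):
    """Stand-in for the connector's authenticated HTTP GET."""
    return FAKE_RESPONSES[url]


def map_item(item, cols_to_props):
    """EIC column <- Confluent attribute named left of '~#~' in the colsToPropsMap value."""
    return {col: item.get(spec.split("~#~", 1)[0]) for col, spec in cols_to_props.items()}


def run_call(call, follow_pagination):
    """Fetch the call's URL, map every element of listField, key the rows by keyField."""
    rows, url = {}, call["http"]["url"]
    while url:
        payload = fake_get(url)
        for item in payload[call["listField"]]:
            row = map_item(item, call["colsToPropsMap"])
            rows[row[call["keyField"]]] = row
        # Confluent list endpoints page their results; the next page URL is metadata.next.
        url = payload.get("metadata", {}).get("next") if follow_pagination else None
    return rows


def import_accounts(spec, follow_pagination=True):
    """Run accountParams calls in callOrder; users and service accounts share one account set."""
    rows = {}
    for call in sorted(spec["accountParams"]["call"].values(), key=lambda c: c["callOrder"]):
        rows.update(run_call(call, follow_pagination))
    return rows


def import_entitlements(spec):
    """One keyed row set per entitlement type, processed in entTypeOrder."""
    types = sorted(spec["entitlementParams"]["entTypes"].items(),
                   key=lambda kv: kv[1]["entTypeOrder"])
    result = {}
    for ent_type, cfg in types:
        rows = {}
        for call in sorted(cfg["call"].values(), key=lambda c: c["callOrder"]):
            rows.update(run_call(call, True))
        result[ent_type] = rows
    return result
```

Compare the row count from import_accounts(IMPORT_JSON, follow_pagination=False) with the full run: that difference is what a page-limited import silently drops, and it is the check to run against your own tenant after the first Application Data Import.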

 
Configuration Parameters for Provisioning

Each parameter below supports binding variables and Java ternary operations. This guide provides templates for creating, updating and removing service accounts only; although Add or Remove Access is listed under Supported Features, no AddAccessJSON or RemoveAccessJSON template is included here, so membership in organizations and environments is not provisioned until you add those templates.
CreateAccountJSON
  Description: Specify this parameter to create a service account in the target application. The service account's display_name is taken from the EIC user name and its description from customproperty4; the id in the response becomes the EIC account ID (accountIdPath). A newly created service account has no role bindings and no API keys, so creating the account grants no access by itself.
  Use the following format to create accounts using the Confluent Cloud application:

  {
    "accountIdPath": "call1.message.id",
    "dateFormat": "yyyy-MM-dd'T'HH:mm:ssXXX",
    "responseColsToPropsMap": {
      "displayName": "call1.message.display_name~#~char",
      "customproperty3": "call1.message.kind~#~char"
    },
    "call": [
      {
        "name": "call1",
        "connection": "acctAuth",
        "url": "https://api.confluent.cloud/iam/v2/service-accounts",
        "httpMethod": "POST",
        "httpParams": "{\"display_name\": \"${user.username}\",\"description\": \"${user.customproperty4}\"}",
        "httpHeaders": {
          "Authorization": "${access_token}",
          "Accept": "application/json"
        },
        "httpContentType": "application/json",
        "successResponses": {
          "statusCode": [
            200,
            201
          ]
        }
      }
    ]
  }

  Supported bindings: ServiceAccountOwnerMap, endpoints, accountName, userManager, approvers, arsTasks/task, managerAccount, password, requestid, response, connection, userAccount, requestAccessAttributes/reqAttrs, businessJustification, user
  Supports binding variables and Java ternary operations: Yes

UpdateAccountJSON
  Description: Specify this parameter to update a service account. The template sends a PATCH that changes only the description (from customproperty4); display_name is left as it is.
  Use the following format to update a service account using the Confluent Cloud application:

  {
    "dateFormat": "yyyy-MM-dd'T'HH:mm:ssXXX",
    "responseColsToPropsMap": {
      "displayName": "call1.message.display_name~#~char"
    },
    "call": [
      {
        "name": "call1",
        "connection": "acctAuth",
        "url": "https://api.confluent.cloud/iam/v2/service-accounts/${account.accountID}",
        "httpMethod": "PATCH",
        "httpParams": "{\"description\": \"${user.customproperty4}\"}",
        "httpHeaders": {
          "Authorization": "${access_token}",
          "Accept": "application/json"
        },
        "httpContentType": "application/json",
        "successResponses": {
          "statusCode": [
            200,
            201
          ]
        }
      }
    ]
  }

  Supported bindings: ServiceAccountOwnerMap, endpoints, accountName, userManager, approvers, arsTasks/task, managerAccount, password, requestid, response, connection, userAccount, requestAccessAttributes/reqAttrs, businessJustification, user, Account
  Supports binding variables and Java ternary operations: Yes
RemoveAccountJSON
  Description: Specify this parameter to remove a service account. The DELETE cannot be undone; before you enable it in production, confirm in the Confluent Cloud documentation what happens to the API keys and role bindings of a deleted service account, because clients that authenticate with those keys stop working at that moment.
  Use the following format to remove an account using the Confluent Cloud application:

  {
    "call": [
      {
        "name": "call1",
        "connection": "acctAuth",
        "url": "https://api.confluent.cloud/iam/v2/service-accounts/${account.accountID}",
        "httpMethod": "DELETE",
        "httpHeaders": {
          "Authorization": "${access_token}",
          "Accept": "application/json"
        },
        "httpContentType": "application/json",
        "successResponses": {
          "statusCode": [
            200,
            201,
            204
          ]
        }
      }
    ]
  }

  Supported bindings: ServiceAccountOwnerMap, endpoints, accountName, userManager, approvers, arsTasks/task, managerAccount, password, requestid, response, connection, userAccount, requestAccessAttributes/reqAttrs, businessJustification, user
  Supports binding variables and Java ternary operations: Yes
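The following is an added example for this page, not Saviynt's implementation. It walks through one CreateAccountJSON call offline: substituting the ${...} bindings into httpParams, checking the status code against successResponses, and pulling the new account ID and mapped columns out of the response with accountIdPath and responseColsToPropsMap. The same substitution applies to the httpParams of UpdateAccountJSON and to the ${account.accountID} URLs of UpdateAccountJSON and RemoveAccountJSON. The example models binding substitution as plain text interpolation into the httpParams string, which is what the escaped-quote template suggests but is this example's assumption about the connector, and it resolves dotted paths into a {"call1": {"message": <response JSON>}} scope. The user record, token and service-account response are constructed, not real data. The point it adds to the page: an attribute such as customproperty4 that ends up inside a JSON string template can break the request or, if it contains a second "display_name" key, override the value the template meant to send, so constrain who can edit that attribute or build the body from a serializer.

```python
"""Offline walk-through of the CreateAccountJSON call.
Added example for this page; data is constructed and the substitution model is an assumption."""

import json
import re

# Trimmed copy of the page's CreateAccountJSON (dateFormat and httpContentType dropped).
CREATE_ACCOUNT_JSON = {
    "accountIdPath": "call1.message.id",
    "responseColsToPropsMap": {
        "displayName": "call1.message.display_name~#~char",
        "customproperty3": "call1.message.kind~#~char",
    },
    "call": [{
        "name": "call1",
        "connection": "acctAuth",
        "url": "https://api.confluent.cloud/iam/v2/service-accounts",
        "httpMethod": "POST",
        "httpParams": "{\"display_name\": \"${user.username}\",\"description\": \"${user.customproperty4}\"}",
        "httpHeaders": {"Authorization": "${access_token}", "Accept": "application/json"},
        "successResponses": {"statusCode": [200, 201]},
    }],
}

BINDING = re.compile(r"\$\{([A-Za-z0-9_.]+)\}")


def resolve(path, scope):
    """Walk a dotted path such as user.username or call1.message.id through nested dicts."""
    node = scope
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def interpolate(template, scope):
    """Replace every ${binding} with its value as text; nothing is JSON-escaped."""
    return BINDING.sub(lambda m: str(resolve(m.group(1), scope)), template)


def build_request(spec, scope):
    """Render the first call.  parsed_body is None when the interpolated body is not valid
    JSON, which happens as soon as a bound attribute contains a double quote."""
    call = spec["call"][0]
    body = interpolate(call["httpParams"], scope)
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        parsed = None
    return {"url": call["url"], "method": call["httpMethod"],
            "headers": {k: interpolate(v, scope) for k, v in call["httpHeaders"].items()},
            "body": body, "parsed_body": parsed}


def safe_body(user):
    """Hardened alternative: serialise the attributes instead of splicing them into a
    string, so a quote or an injected '", "display_name": "...' stays inside the value."""
    return json.dumps({"display_name": user["username"], "description": user["customproperty4"]})


def handle_response(spec, status, response_json):
    """Apply successResponses, then pull the account ID and mapped columns from the response."""
    if status not in spec["call"][0]["successResponses"]["statusCode"]:
        raise RuntimeError(f"create call failed with HTTP {status}")
    scope = {"call1": {"message": response_json}}
    account_id = resolve(spec["accountIdPath"], scope)
    columns = {col: resolve(path.split("~#~", 1)[0], scope)
               for col, path in spec["responseColsToPropsMap"].items()}
    return account_id, columns
```

Whether the real connector escapes bound values is not stated on this page; until you have verified it against your tenant, treat every attribute that flows into httpParams (here username and customproperty4) as data that must be validated at the EIC side, and prefer a template whose values cannot contain quotes.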

 

 

Importing Connection Package

The connection package lets you build the connection from the pre-defined JSONs; use it if your tenant does not already have the out-of-the-box connection template. To import the Confluent Cloud connection package:

  1. Download the connection package.

  2. Navigate to Admin → Transport and select Import Package.

  3. Browse to the downloaded package and import it.

  4. Navigate to Admin → Connections and select the "Confluent Cloud" connection.

  5. Edit the connection with your Confluent Cloud tenant details: the Cloud API key ID, the secret, and the matching accessToken value.

Creating a Security System

The security system represents the connection between EIC and the target application. For more information on creating a security system, see Creating a Security System.

Creating an Endpoint for the Security System

Endpoint refers to the target application used to provision accounts and entitlements (access). For more information on creating an endpoint, see Creating Endpoints.

Using the Confluent Cloud Integration

You can use the Confluent Cloud integration for performing import and provisioning operations after configuring it to meet your requirements. 

Guidelines for Using the Integration

You must apply the following guidelines for configuring import:

  • Run the account import before the access import.

  • Map every Confluent Cloud attribute you need in EIC to an account attribute in ImportAccountEntJSON.

  • Confluent Cloud list endpoints are paginated (page_size query parameter, metadata.next in the response). The template in this guide has no pagination configuration, so after the first import compare the number of imported users and service accounts with the Confluent Cloud Console, and add pagination to the import JSON (see the REST Connector guide) if accounts are missing.

You must apply the following guidelines for configuring provisioning:

  • Use Java ternary operators if you want to add conditions in the provisioning parameters. You can use Java operations to adjust any attribute with if-else conditions, substrings, or operators in the provisioning JSON.

Configuring Import Operations

  • Full account import: When configuring the connection for the first time, perform a full import to bring all existing accounts from the target application into EIC. The import calls the configured API, maps the attributes returned by the target application to attributes in EIC, and marks accounts that no longer exist in the target application as suspended from the import service.

  • Full access import: When configuring the connection for the first time, perform a full import to bring all existing access from the target application into EIC. The import calls the configured API, maps the attributes returned by the target application to attributes in EIC, and marks entitlements that no longer exist in the target application as inactive.

The import jobs are automatically created in EIC after you create a connection for the Confluent Cloud integration.

Importing Accounts and Access

You must import accounts after the users are available in EIC.

To import accounts: 

  1. Specify the connection and import parameters, see Configuration Parameters for Account and Access Import.
    Note: Ensure that the connection type is selected as REST.

  2. Configure the Application Data Import (Single Threaded) job to import accounts and access. For more information, see Data Jobs.

Configuring Provisioning and Deprovisioning

Provisioning is automatically enabled when a connection is configured. For detailed information about performing provisioning tasks, see Access Request System.

To provision objects to the target application:

  1. Specify the connection and provisioning parameters. 
    Note: Ensure that the connection type is selected as REST.

  2. Configure the Provisioning job (WSRETRY). For more information, see Provisioning Jobs.

When a provisioning job is triggered, it creates provisioning tasks in EIC. When these tasks are completed, the provisioning action is performed on the target application through the connector.

Troubleshooting

For common problems with connectors, answers to frequently asked questions, and solutions to issues you might encounter while configuring or working with connectors, see Common Troubleshooting Guide for Connectors.

For common problems and frequently asked questions specific to REST connectors, see the REST Connector guide.

Note: A Confluent Cloud API key has no built-in expiry, so the Basic credential in the ConnectionJSON keeps working until the key is deleted or rotated or its owner is removed from the organization. Record the key ID, its owner, and the creation date when you generate the key, and when you rotate it update userName, password, and accessToken in the ConnectionJSON in the same change; otherwise the connection fails with an authentication error.

 

Comments
Manu269
All-Star

@Falcon Can you please check the AccountEntImport JSON section.

We are unable to fetch the association between account and entitlement

Screenshot from my env:

[screenshot]

[screenshot]

Whereas upon using the JSONs, the account-entitlement status in Saviynt EIC:

[screenshot]

 

 

Manu269
All-Star

@Falcon Is there any update on this track?

Vedanth_BK
Saviynt Employee

Hi @Manu269 ,

As I could not find the API (to map accounts and entitlements) while integrating the application, the AccountEntparams are not added in the above JSON. As a result, there is no import of the mapping between the accounts and entitlements.

If you hold the API containing the valid response to map the accounts and entitlements, please share; I will construct the accountEntParams and update the above JSON.

Thank you
Vedanth B.K

Manu269
All-Star

Thanks @Vedanth_BK for the information.

I am also looking at the API guide for the product, If I make any breakthrough I will share. 🙂

Version history
Last update: 05/03/2023 04:38 AM