McAfee Cloud Identity Manager

Author: Dayna Grant
ServiceNow Provisioning Connector Guide

McAfee Cloud Identity Manager version 3.5 and later

COPYRIGHT Copyright © 2013 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies. TRADEMARK ATTRIBUTIONS McAfee®, the McAfee logo, Avert, ePO, ePolicy Orchestrator, Foundstone, GroupShield, IntruShield, LinuxShield, MAX (McAfee SecurityAlliance Exchange), NetShield, PortalShield, Preventsys, SecureOS, SecurityAlliance, SiteAdvisor, SmartFilter, Total Protection, TrustedSource, Type Enforcement, VirusScan, and WebShield are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries.

LICENSE INFORMATION License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANTOR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


McAfee Cloud Identity Manager 3.5 ServiceNow Provisioning Connector Guide

Contents

1.0 Introduction to McAfee Cloud Identity Manager
    1.1 Supported environments
    1.2 Supported browsers
        1.2.1 Application portal
        1.2.2 Management Console
    1.3 Available documentation
    1.4 Technical support

2.0 Provisioning users to a ServiceNow application
    2.1 Configure a connection to your data source: LDAP example
    2.2 Configure provisioning actions for the ServiceNow application
        2.2.1 Create an action
    2.3 Configure provisioning policies for the ServiceNow application
        2.3.1 Create a policy


1.0

Introduction to McAfee Cloud Identity Manager

McAfee® Cloud Identity Manager (Cloud Identity Manager, formerly Intel® Expressway Cloud Access 360-SSO) simplifies the management and secures the use of cloud, Software as a Service (SaaS), and web applications for companies and large organizations. Service and application providers can also use Cloud Identity Manager to simplify and improve the authentication process for their customers.

Cloud Identity Manager provides support for the following features:
• Extensible framework
• Web single sign on (SSO)
• Multiple authentication methods
• Credential mapping and user provisioning
• Authorization policies and access control enforcement
• Event auditing and monitoring
• Connectors for popular cloud services and applications
• Web-based Management Console

Cloud Identity Manager runs as a stand-alone server and is configured by an administrator using a web-based Management Console accessible from a web browser. For information about installing Cloud Identity Manager as a standalone server or as a cluster of servers, see the McAfee Cloud Identity Manager Installation Guide. For information about configuring Cloud Identity Manager in the Management Console, see the McAfee Cloud Identity Manager Product Guide.

Cloud Identity Manager provides connectors for many popular cloud services and applications, including Google Apps and Salesforce.com. These connectors are built in to Cloud Identity Manager and simplify the deployment of the cloud service or application in an organization. Web SSO requires configuration in the Management Console and in the cloud application's user interface. Instructions for configuring SSO on the cloud application side are included in the documentation set.

For customers who have Java-based or .NET web applications that do not support SAML2 authentication, Cloud Identity Manager provides a custom connector. For information about integrating Java-based and .NET web applications with Cloud Identity Manager, see the McAfee Cloud Identity Manager Integration Guide. For software developers who want to write their own cloud service connectors or authentication modules, Cloud Identity Manager provides an SDK. For more information about the SDK, see the McAfee Cloud Identity Manager Developer's Guide.


1.1

Supported environments

Cloud Identity Manager supports these environments.

Version                                                      IA-32   Intel® 64
Linux Operating System
  Red Hat Enterprise Linux Server and Advanced Platform 5.0  Yes     Yes
Windows Operating System
  Windows Server 2003 Standard Edition                       Yes     Yes
  Windows Server 2003 DataCenter Edition                     Yes     Yes
  Windows Server 2003 Enterprise Edition                     Yes     Yes
  Windows Server 2008                                        Yes     Yes

1.2

Supported browsers

Cloud Identity Manager supports different browsers for the application portal and the Management Console.

1.2.1

Application portal

For end users who seek access to SaaS and web applications through a portal using Cloud Identity Manager identity services, Cloud Identity Manager supports the following desktop and mobile web browsers. Note that Cloud Identity Manager services are running in the background and are not visible to the end user.

• Desktop browsers
  — Google Chrome 16
  — Mozilla Firefox 9
  — Microsoft Internet Explorer 7, 8, and 9
  — Safari 5.1.2
• Mobile browsers
  — Android 2.0 devices and WebKit browser
  — iOS devices and Safari browser

1.2.2

Management Console

The Cloud Identity Manager Management Console is a web-based user interface that provides administrators with a single, central point of management and control through a web browser on a local computer. For Management Console administrators, Cloud Identity Manager supports the following desktop and mobile web browsers.

• Desktop browsers
  — Firefox 9
  — Internet Explorer 7, 8, and 9
• Mobile browsers
  — None are currently supported.


1.3

Available documentation

The Cloud Identity Manager documentation set includes the following guides:

• McAfee Cloud Identity Manager Product Guide — A complete guide to the Management Console and the configuration tasks needed to administer Cloud Identity Manager
• McAfee Cloud Identity Manager Developer's Guide — Provides information for software developers who want to write custom Java code that extends Cloud Identity Manager functionality
• McAfee Cloud Identity Manager Installation Guide — Includes the tasks and procedures that you need to install and remove Cloud Identity Manager as a standalone server on Microsoft Windows and Linux operating system platforms
• McAfee Cloud Identity Manager Integration Guide — Provides instructions on how to integrate Java-based and .NET web applications that do not support SAML2 authentication with Cloud Identity Manager

Note: In addition to these guides, there are separate guides that document how to configure the different Cloud Connectors. For more information, see the McAfee Cloud Identity Manager Product Guide.

1.4

Technical support For technical assistance, contact McAfee support by one of the following options: Support portal: https://mysupport.mcafee.com Phone number: 1-800-937-2237


2.0

Provisioning users to a ServiceNow application

ServiceNow offers IT management software as a SaaS (Software as a Service) application. The ServiceNow application and Cloud Identity Manager service support Identity Provider (IdP)-initiated and Service Provider (SP)-initiated single sign-on (SSO) in addition to provisioning. For more information about configuring SSO for a ServiceNow application, see the McAfee Cloud Identity Manager ServiceNow Cloud Connector Guide.

The Cloud Identity Manager provisioning service synchronizes identity information in the ServiceNow application with the identity information in your user store. In this document, the user store is referred to as the data source. ServiceNow supports the following provisioning operations:

• Create user — Creates accounts for users in your data source who do not exist in the ServiceNow application
• Update user — Updates user information in the ServiceNow application when the information has changed in your data source
• Delete user — Deletes user accounts in the ServiceNow application for users who do not exist in your data source

Cloud Identity Manager comes with preconfigured policies and policy actions for provisioning to a ServiceNow application. In the Provisioning Studio that comes with Cloud Identity Manager, you can review, modify, and test these policies and actions and configure a connection to your data source. You can also create new provisioning policies and actions as needed. Provisioning policies consist of one or more provisioning actions.

The overall process for configuring provisioning in the Provisioning Studio is as follows:

1. Open the Provisioning Studio: From the Start menu, select All Programs | McAfee | CIM | SSO | Provisioning Studio
2. Configure a connection to your data source, for example, Active Directory or an LDAP directory.
3. Review and update the provisioning actions for the ServiceNow application as needed.
4. Review and update the provisioning policies for the ServiceNow application as needed.

Note: For information about importing a custom provisioning plug-in, see the McAfee Cloud Identity Manager Provisioning Guide.


2.1

Configure a connection to your data source: LDAP example

When provisioning users, Cloud Identity Manager uses the information you provide in the Provisioning Studio to connect to your data source.

Note: For information about configuring other data source types, see the McAfee Cloud Identity Manager Provisioning Guide.

1. In the Provisioning Studio: In the navigation tree, expand General | Data Sources, then select LDAP. LDAP settings open in the Data Source window.
2. In the Name field, type the name used by Cloud Identity Manager to identify your data source in the system. Example: MyLDAP
3. Select the LDAP option for the data source type.
4. In the General tab, provide values for the settings in the following table.
   Note: For information about configuring the Other and Usage tabs for an LDAP data source, see the McAfee Cloud Identity Manager Provisioning Guide.

Table 1. Configuration settings for connecting to an LDAP data source

Setting               Description
Host IP/DNS           Specifies the IP address or DNS name of the computer hosting the LDAP directory.
Port                  Specifies the port on which the LDAP directory listens. Note: Typical values are 389 (plain LDAP, or LDAP upgraded with StartTLS) and 636 (LDAP over SSL).
SSL                   When selected, enables SSL (Secure Socket Layer) communication with the LDAP host.
TLS                   When selected, enables TLS (Transport Layer Security) communication with the LDAP host.
Admin DN              Specifies the full DN of the account that Cloud Identity Manager binds to the directory with. Example: cn=administrator,cn=users,dc=YourDomain,dc=local Note: A dedicated service account with no more rights than the provisioning searches need is preferable to a directory administrator's account, because the bind password is saved with the configuration in step 5.
Password              Specifies the password of the account named in Admin DN.
Test LDAP Connection  Tests the connection to the LDAP data source.
Use Paged Result      When selected, enables the paged results feature of the LDAP directory. Note: Directories such as Active Directory cap the number of entries returned by a single search (1000 by default), so select this option when the search base holds more users than that cap; otherwise the search silently returns only the first page.

5. From the File drop-down list, select Save Configuration. The configured data source is added to the LDAP node in the navigation tree.


2.2

Configure provisioning actions for the ServiceNow application

The ServiceNow provisioning service comes with actions that you can view, modify, and duplicate in the Provisioning Studio. Provisioning actions are grouped by type: ServiceNow Get Users and ServiceNow.

Table 2. ServiceNow provisioning action types and supported actions

Action Type           Supported Actions          Description
ServiceNow Get Users  ServiceNow Get All Users   This action reads the data source. You can then compare the information in the data source with the information in the application and output the results to Excel for compliance and reporting.
ServiceNow            ServiceNow Provisioning    Actions of this type update identity information in the ServiceNow application.
                      ServiceNow Update User
                      ServiceNow Delete User

Note: You can create and assign names to new actions and rename existing actions. Therefore, the action list and action names shown here might differ from what you see in the Provisioning Studio.

1. In the Provisioning Studio: In the navigation tree, expand Actions, then expand ServiceNow Get Users and ServiceNow.
2. In the navigation tree, select the ServiceNow Get All Users action.
   Note: If the action does not exist, you can create it. See section 2.2.1 Create an action.
3. In the configuration window, click the General tab.
4. Using the following table as a guide, review the labels and corresponding values, and modify them as needed for the ServiceNow Get All Users action.

Table 3. Configuration settings for actions of type: ServiceNow Get Users

Label                                Description
ServiceNow Instance URL              Specifies the URL of the ServiceNow application instance.
ServiceNow Administrator username    Specifies the user name of the ServiceNow administrator.
ServiceNow Administrator password    Specifies the password of the ServiceNow administrator.
Include inactive users (true/false)  A true value enables provisioning of users who are disabled in Cloud Identity Manager.
Get User Details (true/false)        When true, the provisioning service reads the data source and retrieves information for all users.
Session Attributes to Copy           Specifies a comma-separated list of attributes to copy from Cloud Identity Manager. Example: name,mail,mobile,telephoneNumber

5. For each action of type ServiceNow:
   a. If the action does not exist, create it using one of the methods described in section 2.2.1 Create an action.
   b. In the navigation tree, select the action.
   c. In the configuration window, click the General tab.
   d. Using the following table as a guide, review the labels and corresponding values, and modify them as needed for the selected action.

Table 4. Configuration settings for actions of type: ServiceNow

Label                              Description
ServiceNow Instance URL            Specifies the URL of the ServiceNow application instance.
ServiceNow Administrator username  Specifies the user name of the ServiceNow administrator. Note: These credentials are saved with the configuration, so a dedicated integration account holding only the user-administration rights the actions need is preferable to a personal administrator login.
ServiceNow Administrator password  Specifies the password of the ServiceNow administrator.
Create Users (true/false)          Set this value to true for the ServiceNow Provisioning (create user) action only.
Enable User Password (true/false)  Set this value to true for the ServiceNow Provisioning (create user) action only. Note: If true, every account the action creates is given the same default password: password. Leave this false when users sign in to ServiceNow through Cloud Identity Manager SSO; if you must set a password, require the user to change it at first login, because a shared, documented default on newly created accounts is a well-known weakness.
Delete Users (true/false)          Set this value to true for the ServiceNow Delete User action only.
Update Users (true/false)          Set this value to true for the ServiceNow Update User action only.
Session Attributes to include      Specifies a comma-separated list of attributes to request from Cloud Identity Manager. Example: name,mail,mobile,telephoneNumber
SOAP URL                           (Optional) Specifies the URL of the ServiceNow SOAP web service.
Event types                        Specifies a comma-separated list of provisioning event types. Default: Create,Delete,Update

6. From the File drop-down list, select Save Configuration.

2.2.1

Create an action

When an action group exists in the navigation tree, but is missing one or more required actions, you can create the required actions by one of the following methods.

1. In the navigation tree:
   — Select the action group, and specify a name for the action you are creating in the Action Name field in the configuration window.
   — Right-click an existing action in the action group, and select Duplicate Action. Select the new action, and change the name in the Action Name field in the configuration window to the name of the action that you are creating.
2. From the File drop-down list, select Save Configuration.

2.3

Configure provisioning policies for the ServiceNow application

The ServiceNow provisioning service comes with policies that you can view, modify, and duplicate in the Provisioning Studio. Policies consist of actions that are executed in the order that they are listed in the policy. You can add actions to, remove actions from, and change the order of the actions in each policy. ServiceNow supports the following provisioning policies:

• Provisioning to ServiceNow
• ServiceNow - Update User
• ServiceNow - Delete User

1. In the Provisioning Studio: In the navigation tree, expand Policies | ServiceNow.
2. For each ServiceNow policy:
   a. If the policy does not exist, create it using one of the methods described in section 2.3.1 Create a policy.
   b. In the navigation tree, select the policy.
   c. In the configuration window, review the Policy Name and Category settings, and update them if needed.
   d. In the configuration window: In the General tab, configure the following policy settings.

Table 5. Configuration settings for ServiceNow policies

Setting                 Description
Policy Type             Select an option from the drop-down list:
                        • Manual — Manual policies are executed in the Provisioning Studio or triggered by an action configured in the Provisioning Studio.
                        • Scheduled — Scheduled policies are configured in the Provisioning Studio and executed at the specified time or interval.
                        • Persistent Search — Persistent Search policies are configured for an LDAP directory that supports Persistent Search or a Microsoft Active Directory with DirSync control. Policies of this type start a separate thread that listens to the directory. When the thread notifies the policy of specified events, the policy automatically creates and updates session objects and attributes according to rules defined in the policy.
                        Note: Different settings open for each policy type.
Enabled                 When selected, enables the ServiceNow policy.
Data Source             Specifies the data source to which this policy applies. Note: The remaining settings depend on the data source selected.
Select                  Opens the Select a Data Source dialog box, where you can select a new data source.
Search Type             (Manual and Scheduled policy types, LDAP data source) Select an option:
                        • Manual — LDAP searches are initiated manually by the ServiceNow administrator in the Provisioning Studio.
                        • Timestamp — LDAP searches are run according to a timestamp attribute and a time interval configured in the LDAP Search Settings area.
Schedules               (Scheduled policy type) Specifies when this policy is run.
Select                  (Scheduled policy type) Opens the Add or remove Schedule dialog box, where you can select schedules to add to or remove from the policy. Note: To configure another schedule: In the navigation pane, expand General, select Schedules, complete the settings in the tabs in the configuration window, and select Save Configuration from the File drop-down list.
Run on Startup          (Scheduled policy type) When this checkbox is selected, the policy is run on start-up.
Run on Reconfiguration  (Scheduled policy type) When this checkbox is selected, the policy is run each time its configuration is updated.
Run Once then Disable   (Scheduled policy type) When this checkbox is selected, the policy is run once and then disabled.
Persistent Options      (LDAP Persistent policy type) Opens the Persistent Search Options dialog box, where you can select the events that, when they occur, trigger the listening thread to notify the policy.


   e. In the General tab: In the LDAP Search Settings area, configure the following settings.
      Note: For information about configuring other data source types, see the McAfee Cloud Identity Manager Provisioning Guide.

Table 6. Configuration settings for an LDAP search

Setting              Description
Search Base          Specifies the Distinguished Name (DN) of the entry in the LDAP tree where the search for users begins. Example: ou=users,dc=YourDomain,dc=local Note: To view the LDAP directory tree, click the ellipsis button.
Search Scope         Select an option from the drop-down list:
                     • SUB — Search the Base DN and the entire subtree.
                     • ONE — Search the entries one level below the Base DN only.
                     • BASE — Search the Base DN only.
Max Search Results   Specifies the maximum number of results returned by the LDAP search. Default: 0, which returns all search results.
Timestamp Attribute  Specifies the attribute to use when storing the timestamp. To open the Schema Selector dialog box and select an attribute, click the ellipsis button. The timestamp value determines when LDAP searches are run.
Is Generalized Time  When this checkbox is selected, the timestamp is saved in the GeneralizedTime format that LDAP uses for time attributes such as modifyTimestamp (for example, 20130115093000Z). Leave it clear if the attribute you selected stores its value in another format.
Minimum Days         Specifies the minimum number of days on which to run the LDAP search.
Maximum Days         Specifies the maximum number of days on which to run the LDAP search.
Search Filter        (Optional) Specifies an LDAP filter that narrows a long list of search results. Note: To view and select attributes and objectclasses in the LDAP directory, click the ellipsis button.
Get Attributes       Specifies a comma-separated list of user attributes returned by the LDAP search. Example: name,mail,mobile,telephoneNumber Note: To view and select user attributes, click the ellipsis button.
Test Search Result   Displays the results of the LDAP search, allowing you to test the LDAP search that you configured.


   f. In the configuration window, click the Actions tab.
   g. In the Actions tab: In the Assigned Actions area, add, remove, or change the order of the actions assigned to each policy, as needed, using the following examples as a guide.

Policy example: Provisioning to ServiceNow

Table 7. Actions assigned to policy: Provisioning to ServiceNow

Nr  Name                     Description
1   ServiceNow Provisioning  Creates accounts for users in the data source who do not exist in the ServiceNow application.

Policy example: ServiceNow - Update User

Table 8. Actions assigned to policy: ServiceNow - Update User

Nr  Name                    Description
1   ServiceNow Update User  Updates user information in the ServiceNow application when the information has changed in the data source.

Policy example: ServiceNow - Delete User

Table 9. Actions assigned to policy: ServiceNow - Delete User

Nr  Name                    Description
1   ServiceNow Delete User  Deletes accounts in the ServiceNow application for users who do not exist in the data source.

Note: The Delete User policy removes every ServiceNow account whose user is absent from the LDAP search result, so check the result with Test Search Result before enabling it: a Search Base, Search Filter or Max Search Results value that returns only part of the directory would otherwise delete accounts for users who still exist.

   h. To step through the actions in the policy, click Run Policy.
3. From the File drop-down list, select Save Configuration.
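The three policies above are one comparison run three ways: the users returned by the LDAP search against the accounts held in ServiceNow. The Python script below is an added example written for this page, not code from the guide or from the Cloud Identity Manager product. It shows that comparison offline: it builds the incremental filter that a Timestamp search type with Is Generalized Time implies, then computes the create, update and delete sets from two constructed user lists. The `min_source_fraction` guard that withholds deletes when the data source returns far fewer users than the application holds is this example's own addition and has no counterpart in the Provisioning Studio settings; the `modifyTimestamp` attribute, the `(objectClass=inetOrgPerson)` base filter and all sample users are assumptions.

```python
"""Offline dry run of the ServiceNow provisioning comparison (added example).

Assumptions not taken from the guide: users are keyed by user name, the
timestamp attribute is modifyTimestamp, the base filter is
(objectClass=inetOrgPerson), and every sample user below is constructed.
"""
from datetime import datetime, timezone

# The attributes the guide's Get Attributes / Session Attributes examples list.
SYNC_ATTRS = ("name", "mail", "mobile", "telephoneNumber")


def to_generalized_time(ts: datetime) -> str:
    """Format a timezone-aware datetime as LDAP GeneralizedTime (RFC 4517),
    e.g. 20130115093000Z, the form the Is Generalized Time setting refers to."""
    return ts.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def build_incremental_filter(last_run: datetime,
                             timestamp_attr: str = "modifyTimestamp",
                             base_filter: str = "(objectClass=inetOrgPerson)") -> str:
    """AND the administrator's Search Filter with a >= clause on the timestamp
    attribute, so only entries changed at or after the stored value are read."""
    return f"(&{base_filter}({timestamp_attr}>={to_generalized_time(last_run)}))"


def reconcile(source_users: dict, app_users: dict,
              sync_attrs=SYNC_ATTRS, min_source_fraction: float = 0.5) -> dict:
    """Compute what the three ServiceNow policies would do.

    source_users / app_users map a user name to a dict of attribute values.
    create: in the data source, not in ServiceNow (Provisioning to ServiceNow)
    update: per user, only the attributes that differ (ServiceNow - Update User)
    delete: in ServiceNow, not in the data source (ServiceNow - Delete User)
    delete_allowed: False when the source returned fewer than min_source_fraction
        of the application's users, which usually means a wrong search base,
        filter or result cap rather than a real mass departure. This guard is
        the example's own addition, not a product setting.
    """
    create = {u: attrs for u, attrs in source_users.items() if u not in app_users}

    update = {}
    for user, src in source_users.items():
        if user not in app_users:
            continue
        changed = {k: src.get(k) for k in sync_attrs
                   if src.get(k) != app_users[user].get(k)}
        if changed:
            update[user] = changed

    delete = sorted(u for u in app_users if u not in source_users)
    delete_allowed = len(source_users) >= min_source_fraction * len(app_users)
    return {"create": create, "update": update,
            "delete": delete, "delete_allowed": delete_allowed}


def sample_source_users() -> dict:
    """Constructed LDAP search result; all values are made up."""
    return {
        "jdoe": {"name": "Jane Doe", "mail": "jdoe@example.com",
                 "mobile": "+1 555 0100", "telephoneNumber": "+1 555 0101"},
        "asmith": {"name": "Al Smith", "mail": "asmith@example.com",
                   "mobile": None, "telephoneNumber": "+1 555 0200"},
        "newhire": {"name": "New Hire", "mail": "newhire@example.com",
                    "mobile": None, "telephoneNumber": None},
    }


def sample_app_users() -> dict:
    """Constructed ServiceNow user list; all values are made up."""
    return {
        "jdoe": {"name": "Jane Doe", "mail": "jdoe@example.com",
                 "mobile": "+1 555 0100", "telephoneNumber": "+1 555 0101"},
        "asmith": {"name": "Al Smith", "mail": "a.smith@example.com",  # stale
                   "mobile": None, "telephoneNumber": "+1 555 0200"},
        "leaver": {"name": "Old Leaver", "mail": "leaver@example.com",
                   "mobile": None, "telephoneNumber": None},
    }


def demo_filter() -> str:
    """Filter for a run whose stored timestamp is 2013-01-15 09:30:00 UTC."""
    return build_incremental_filter(datetime(2013, 1, 15, 9, 30, tzinfo=timezone.utc))


if __name__ == "__main__":
    print("LDAP filter:", demo_filter())
    plan = reconcile(sample_source_users(), sample_app_users())
    for key in ("create", "update", "delete", "delete_allowed"):
        print(f"{key}: {plan[key]}")
    # An empty search result (for example, a mistyped Search Base) must not
    # become a mass delete: the guard trips and delete_allowed is False.
    print("empty source -> delete_allowed:",
          reconcile({}, sample_app_users())["delete_allowed"])
```

Run the script as-is to see the plan for the constructed data: one create (newhire), one update (asmith's mail address) and one delete (leaver), with deletes allowed. Feeding it an empty source list shows the failure mode the note under Table 9 warns about: every ServiceNow account lands in the delete set, and only the guard stops it.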

2.3.1

Create a policy

When a policy group exists in the navigation tree, but is missing one or more required policies, you can create the required policies by one of the following methods.

1. In the navigation tree:
   — Select the policy group, and specify a name for the policy you are creating in the Policy Name field in the configuration window.
   — Right-click an existing policy in the policy group, and select Duplicate Policy. Select the new policy, and change the name in the Policy Name field in the configuration window to the name of the policy that you are creating.
2. From the File drop-down list, select Save Configuration.


Order Number: 327037-001US [Revision A]