Provisioning Guide McAfee Cloud Identity Manager version 3.5

2 McAfee Cloud Identity Manager Provisioning Guide

COPYRIGHT
Copyright © 2013 McAfee, Inc. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS
McAfee®, the McAfee logo, Avert, ePO, ePolicy Orchestrator, Foundstone, GroupShield, IntruShield, LinuxShield, MAX (McAfee SecurityAlliance Exchange), NetShield, PortalShield, Preventsys, SecureOS, SecurityAlliance, SiteAdvisor, SmartFilter, Total Protection, TrustedSource, Type Enforcement, VirusScan, and WebShield are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries.

LICENSE INFORMATION

License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANTOR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

1.0 Introduction to McAfee Cloud Identity Manager
    1.1 Identity Management Architecture
    1.2 Useful Terms and Acronyms

2.0 Provisioning Overview
    2.1 Policy Components
    2.2 Session Objects and Attributes
    2.3 Policy Configuration
        2.3.1 Data Sources
        2.3.2 Scheduler
        2.3.3 Actions

3.0 The Provisioning Studio
    3.1 The Navigation Tree
        3.1.1 General Configuration Category
        3.1.2 Actions Configuration Category
        3.1.3 Policies Configuration Category
        3.1.4 Logs Configuration Category
    3.2 The Configuration Window
    3.3 Menu Bar
    3.4 Mouse Operations
    3.5 Exit Button

4.0 Policy Configuration
    4.1 Data Sources
        4.1.1 Create an LDAP Database Object
        4.1.2 Create a SQL Database Object
        4.1.3 Create a CSV File Database Object
        4.1.4 Create an LDIF File Database Object
        4.1.5 Web Services Database Objects
    4.2 SMTP Settings
    4.3 Schedules
        4.3.1 Basic Schedule Settings
        4.3.2 Advanced Schedule Settings
    4.4 Actions
        4.4.1 Getters
        4.4.2 Modifiers
        4.4.3 Setters
    4.5 Log Settings
    4.6 Alerts

5.0 Policy Administration
    5.1 Create a Microsoft Active Directory Database for the Policy
    5.2 Create a SQL Database for the Policy
    5.3 Create a Schedule for the Policy
    5.4 Create the Policy
        5.4.1 Configure General Policy Settings
        5.4.2 Configure LDAP Search Settings
        5.4.3 Configure Policy Settings in the Actions Tab
        5.4.4 Configure Policy Settings in the Other Tab
        5.4.5 Configure Policy Settings in the Log Tab
    5.5 Creating Actions for the Policy
        5.5.1 Configure Action: Rename Attribute for SQL
        5.5.2 Configure Action: Create a Random Password
        5.5.3 Configure Action: Create or Update SQL Database
    5.6 Add Actions to the Policy and Save the Configuration
    5.7 Test the Policy Configuration

6.0 Exporting and Importing Policies
    6.1 Export a Policy
    6.2 Import a Policy

7.0 How the Provisioning Service Is Started and Stopped
    7.1 Manually Start and Stop the Provisioning Service on Windows
    7.2 Back Up and Restore Data

8.0 Automatic User Provisioning to Google and Salesforce
    8.1 Configuring a Connection to an LDAP Server
    8.2 Configuring the SMTP Settings
    8.3 Configuring Alerts
    8.4 Configuring Policies for Google Apps
        8.4.1 (DELETE) Group from GoogleApps
        8.4.2 (ADD-MODIFY) Group Synchronization to GoogleApps
        8.4.3 (ADD-MODIFY) Provision to GoogleApps-MailUsers
        8.4.4 (DELETE) Deprovision from GoogleApps-MailUsers
    8.5 Configuring the Policy: Provisioning to Salesforce
        8.5.1 Configure the Search Base
        8.5.2 Configure the Policy Action: Create random password value
        8.5.3 Configure Policy Actions for Provisioning User Attributes in Salesforce
        8.5.4 Configure the Policy Action: Salesforce Provisioning
        8.5.5 Configure the Policy Action: Salesforce New User Report - Excel
    8.6 Save the Google Apps and Salesforce Policies
    8.7 Manually Start and Stop the Provisioning Service on Windows


1.0 Introduction to McAfee Cloud Identity Manager

McAfee® Cloud Identity Manager (Cloud Identity Manager, formerly Intel® Expressway Cloud Access 360-SSO) includes a policy-based provisioning service (formerly Nordic Edge® Automatic Account Manager) that lets you configure and apply corporate rules and policies about how electronic identity information is stored in databases. The provisioning service has functions that allow you to manage the distribution, synchronization, compilation, modification, and quality control of identity attributes and information. Two-way provisioning is supported, which means that a connected system can be both the source and target of identity information.

The provisioning service can communicate by a web service or directly with all modern databases and LDAP directories. The provisioning service works by constructing a virtual image of identity information integrated from one or more data sources. This virtual image can be configured and the information processed by one or more operations before it is distributed and stored in data repositories.

By using the provisioning service, companies and organizations can ensure the quality of the data flowing between systems that are essential to business processes. Data quality is especially important whenever you are planning to carry out extensive migration of information between systems.

Data migration often has a pre-defined workflow, which you can automate using the provisioning service. The powerful reporting features, included with the provisioning service, can increase the visibility of assets held by an organization. Assets can include everything from licensing information to access to corporate systems.

The provisioning service, which includes predefined reports that can be customized, can control and report whether information from different corporate data sources is consistent. The provisioning service supports systems and processes that follow best practices, including the Information Technology Infrastructure Library (ITIL) and Microsoft Operations Framework (MOF) frameworks.

The provisioning service is a powerful and flexible solution that works with existing infrastructure and resources. Thus, an investment in Cloud Identity Manager does not require additional investments or unanticipated costs.


1.1 Identity Management Architecture
The provisioning service consists of a server engine and components, such as policies, databases, actions, and a scheduler. The provisioning service is developed in Java and can be started as a service on Windows or as a daemon process on other operating systems. In addition, an internal database stores configuration information and handles transaction lines and time stamps.

The following diagram shows the provisioning service components and the Identity Manager (IDM) Engine in the Server Tier.


1.2 Useful Terms and Acronyms
The following terms and acronyms are referenced in the provisioning guide:

API
Application Programming Interface

Authentication
Verifying the identity of an individual user or other entity.

Authorization
Applying policy rules to determine whether an individual user or other entity is authorized to access a resource.

CSV
Comma Separated Values — A file format in which the fields are separated by a character, such as a comma.

JDBC
Java Database Connectivity — An API specification for connecting programs written in Java to data in popular databases.

LDAP
Lightweight Directory Access Protocol — A protocol for locating organizations, individuals, and resources on a network. The network can be the Internet or a corporate intranet. Network resources include files and devices.

LDIF
LDAP Data Interchange Format — File format used to represent LDAP directory content and update requests.

ODBC
Open Database Connectivity — An open standard API for accessing a database.

SMS
Short Message Service — The service used for short text messages.

SMTP
Simple Mail Transfer Protocol

SSL
Secure Sockets Layer

TLS
Transport Layer Security

Web Service
A software system that supports machine-to-machine interaction over a network, with an interface described in WSDL.

WSDD
Web Services Deployment Descriptor — XML file that describes how a web service is deployed.

WSDL
Web Services Description Language


2.0 Provisioning Overview

The provisioning service includes the following features:

• Provisioning and Synchronization — Automatic updates in multiple data repositories can be performed simultaneously.

• Quality Control — You can verify that the syntax of user information, such as user IDs and cell phone numbers, conforms to corporate and international standards.

• Reports — You can create reports from one or more data sources, convert stored attributes to meaningful values, and present the output in common formats, such as Microsoft Excel. You can save reports to a file or distribute them by email.

• Alerts — For an LDAP directory that supports Persistent Search or Microsoft Active Directory (AD) with DirSync control, the provisioning service can instantaneously notify an administrator when specified changes occur, such as:
  — Changes in high-security groups
  — Password changes in sensitive accounts
  — Account lockout after a specified number of failed log-in attempts

2.1 Policy Components
Provisioning policies contain all the business logic needed to determine how data is gathered and treated. Each policy is independent of all other policies.

Policies include the following components:
• Database connectors
• Rules specifying how to gather, modify, and save data
• Actions to be performed
• Scheduler (not shown)
• Output to documents or email messages


2.2 Session Objects and Attributes
All data entering the provisioning service from a data source is converted to session objects. Session objects are created when LDAP and SQL databases are searched or LDIF and CSV text files are parsed. Session objects can be created and updated automatically by the provisioning service when a change occurs in an LDAP directory that supports Persistent Search or Microsoft Active Directory with DirSync control.

A provisioning session object contains information, such as the name of the database entry, the event type, and the data source. Session objects have one or more session attributes. Attributes also contain information, such as a name, a value, an event type, and boolean flags.


2.3 Policy Configuration
When you configure a provisioning policy, you specify the following policy components.

• Where to collect the data — Each policy must include a data source.
• When to run the policy — Each policy must include a scheduler.
• What to do with the data — Each policy must include an action.


2.3.1 Data Sources

To gather data from a source, configure a database connector in the Provisioning Studio. Connectors are supported for the following databases and file formats:

• LDAP directory
• ODBC or JDBC database connection
• Imported LDIF or comma-separated file
• Web services interface

Note: Supported LDAP directories include LDAP v3 Directory Services, Microsoft AD and ADLDS, Novell eDirectory, Siemens DirX, and OpenDS.

2.3.2 Scheduler

The scheduler defines when and how a policy is started. There are three types of schedulers. The type of scheduler determines the type of policy.

• Manual — Manual policies can only be executed in the administrative user interface or triggered by an action configured in the administrative user interface.

• Scheduled — Scheduled policies are configured in the administrative user interface to be executed at a specified time or interval.

• Persistent Search — Persistent Search policies can be configured for an LDAP directory that supports Persistent Search or a Microsoft Active Directory with DirSync control. Policies of this type start a separate thread that listens to the directory. When the thread notifies the policy of specified events, the policy automatically creates and updates session objects and attributes according to rules defined in the policy.

2.3.3 Actions

The provisioning service includes a menu of actions that can be used when building the logic to be applied to the information in the data source. In addition, the provisioning service includes an API that lets you develop custom actions as needed. There are three types of actions:

• Getters — Getters are actions that add data from one or more data sources to the virtual image of an object by creating new session objects and attributes.

• Modifiers — Modifiers are actions that update existing objects and their attributes.

• Setters — Setters are actions that save data from existing objects and their attributes by writing to one or more data repositories.
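The following is an added illustration of the pipeline described in 2.2 and 2.3.3 (session objects built by a getter, reshaped and quality-checked by modifiers, written out by a setter). It is example code written for this page, not the product's Java action API, which is documented in the Developer's Guide. The in-memory record list standing in for an LDAP or SQL search, the E.164 phone rule, the default country code and all sample data are assumptions of the example. It also shows the two-way-sync edge case a practitioner cares about: a record that fails quality control is reported and left alone, so it is neither written with bad data nor deleted from the target.

```python
"""Illustrative model of the provisioning pipeline: getter -> modifiers -> setter.
Added example; not the product's Java action API."""
from dataclasses import dataclass, field
import re


@dataclass
class SessionObject:
    name: str                        # name of the database entry (DN or primary key)
    source: str                      # data source the object was gathered from
    event: str = "ADD"               # event type: ADD, MODIFY or DELETE
    attrs: dict = field(default_factory=dict)


# Getter: converts raw records from a source into session objects.
# The in-memory record list stands in for an LDAP search or SQL query (assumption).
def get_from_records(source, records, key):
    return [SessionObject(name=r[key], source=source, attrs=dict(r)) for r in records]


# Modifier: rename an attribute.
def rename_attribute(obj, old, new):
    if old in obj.attrs:
        obj.attrs[new] = obj.attrs.pop(old)
    return obj


# Modifier: normalise a phone number towards E.164 ("+" then 7-15 digits).
def normalize_phone(obj, attr="mobile", default_cc="+46"):
    raw = obj.attrs.get(attr)
    if raw is None:
        return obj
    digits = re.sub(r"[\s\-()]", "", raw)
    if digits.startswith("00"):          # international prefix written as 00
        digits = "+" + digits[2:]
    elif digits.startswith("0"):         # national number: prepend the default country code
        digits = default_cc + digits[1:]
    obj.attrs[attr] = digits
    return obj


E164_RE = re.compile(r"^\+[1-9]\d{6,14}$")


# Modifier (quality control): record a syntax error instead of propagating bad data.
def check_syntax(obj, attr="mobile"):
    val = obj.attrs.get(attr)
    if val is not None and not E164_RE.match(val):
        obj.attrs.setdefault("_errors", []).append(f"{attr}: invalid {val!r}")
    return obj


# Setter: diff the session objects against the target's current state and plan
# ADD / MODIFY / DELETE operations. target_state maps entry name -> {attribute: value}.
def plan_sync(objects, target_state, watched):
    ops, seen = [], set()
    for obj in objects:
        seen.add(obj.name)               # counted as seen even when skipped: a bad record must never cause a DELETE
        if obj.attrs.get("_errors"):
            ops.append(("SKIP", obj.name, obj.attrs["_errors"]))
            continue
        wanted = {a: obj.attrs.get(a) for a in watched}
        current = target_state.get(obj.name)
        if current is None:
            ops.append(("ADD", obj.name, wanted))
        else:
            delta = {a: v for a, v in wanted.items() if current.get(a) != v}
            if delta:
                ops.append(("MODIFY", obj.name, delta))
    for name in target_state:
        if name not in seen:             # present in the target but gone from the source
            ops.append(("DELETE", name, None))
    return ops


def run_pipeline(records, target_state):
    objs = get_from_records("hr-export", records, key="employeeNumber")
    objs = [check_syntax(normalize_phone(rename_attribute(o, "cell", "mobile"))) for o in objs]
    return plan_sync(objs, target_state, watched=["mail", "mobile"])


# Constructed sample input: an HR extract and the target directory's current contents.
HR_RECORDS = [
    {"employeeNumber": "1001", "mail": "ann@example.com", "cell": "070-123 45 67"},
    {"employeeNumber": "1002", "mail": "bob@example.com", "cell": "+1 555 0100"},
    {"employeeNumber": "1003", "mail": "cyd@example.com", "cell": "12345"},
]
TARGET_STATE = {
    "1001": {"mail": "ann@example.com", "mobile": "+46701234567"},
    "1002": {"mail": "bob@old.example.com", "mobile": "+15550100"},
    "1003": {"mail": "cyd@example.com", "mobile": "+46709999999"},
    "1004": {"mail": "dan@example.com", "mobile": "+46700000000"},
}

if __name__ == "__main__":
    for op in run_pipeline(HR_RECORDS, TARGET_STATE):
        print(op)
```

Running it yields one MODIFY (1002's changed mail), one SKIP (1003's malformed number is reported, and the existing target entry is left untouched) and one DELETE (1004 no longer exists in the source); 1001 is already consistent and produces nothing.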


3.0 The Provisioning Studio

To start the Provisioning Studio, click the product icon created during installation. The console opens and consists of a navigation tree, a configuration window, and a menu bar. To perform administrative tasks, select a configuration category from the navigation tree. Configuration options corresponding to the selected category open in the configuration window. Some configuration categories include subcategories. To view these, expand the category by clicking the plus symbol.

3.1 The Navigation Tree
The navigation tree contains four configuration categories:

• General
• Actions
• Policies
• Logs


3.1.1 General Configuration Category

The General configuration category consists of five subcategories:

• Databases — To configure a database object, click the Databases category. Database objects contain configuration information about how the provisioning server connects to user stores, including the user credentials required to authenticate to the user stores.

• SMTP Settings — To configure and enable the SMTP options, click the SMTP Settings category. Several actions can use the SMTP functionality when sending information. (SMTP is an acronym for Simple Mail Transfer Protocol.)

• Schedules — To configure a schedule for a policy, click the Schedules category. Multiple schedules can be defined, and each policy can be associated with more than one schedule.

• Log Settings — To configure a Log Settings object, click the Log Settings category. Configuration options include logging severity level and log file name.

• Alerts — To configure an alert, click the Alerts category. Alerts can be sent to administrators by SMS or email at the same time as the errors are occurring. (SMS is an acronym for Short Message Service, the service used for short text messages.)


3.1.2 Actions Configuration Category

The Provisioning Studio offers a large selection of actions. New actions are created and existing actions are updated on an ongoing basis. Each action is a small plug-in that only requires configuration parameters, which are set by an administrator. Developers can write custom actions by consulting the McAfee Cloud Identity Manager Developer’s Guide.

Note: We recommend that you check regularly for updates to the provisioning action plug-ins and core functionality.

3.1.3 Policies Configuration Category

When you click the Policies category in the navigation tree, it expands to include the subcategories, as shown in the following example. You can use the subcategories to group and sort policies.

3.1.4 Logs Configuration Category

To configure the name and size of the log file and the logging severity level, click the Logs configuration category. You can view and search existing log files in the Provisioning Studio, as shown in the following screenshot.

Note: On Microsoft Windows, log files are saved at the following default location:
C:\Program Files\McAfee\CIM\SSO\current\provisioning\logs


3.2 The Configuration Window
The configuration window shows the configuration options available for the category or sub-category selected in the navigation tree.

3.3 Menu Bar
The menu bar includes shortcuts for creating configuration objects as well as shortcuts to the Help and Update functions.

3.4 Mouse Operations
The following mouse operations are available in the Provisioning Studio. You can:

• Mouse over — View tool tips by holding the mouse over locations where you need more information.
• Left click — View and select options from the menu bar and the navigation tree.
• Right click — View options available for selected configuration objects in the navigation tree. View and select options from the menu bar.

3.5 Exit Button
The Exit button closes the Provisioning Studio. Before closing, the provisioning service checks for changes to the configuration. If there are unsaved changes, you are prompted to Save them or Cancel the close.


4.0 Policy Configuration

When you create and configure provisioning policies, you can use the following steps as a guideline.
1. Create and configure a data source.
2. Configure SMTP settings.
3. Create one or more schedules.
4. Create a policy and configure the actions used by the policy.
5. Configure log settings.
6. Configure alerts.

Note: Quick Start guides that show how to configure the provisioning service for different uses are available online.

4.1 Data Sources
The provisioning service supports the following data sources.

• LDAP Databases
• SQL Databases
• CSV Files
• LDIF Files
• Web Services

Note: To configure a data source, you click the Databases category in the navigation tree, then select the database type in the configuration window.


4.1.1 Create an LDAP Database Object

You create and configure an LDAP database object in the Provisioning Studio, so that the provisioning service can connect to your LDAP data source.

To create an LDAP database object
1. In the Provisioning Studio, click the Databases category in the navigation tree, then select the LDAP Database type in the configuration window. The Database Configuration dialog box opens with the General tab selected.

2. Above the General tab, specify the following fields:
   Name
   Specifies a name for the database object.
   Example: Microsoft Active Directory

   Type
   Specifies the type of database.
   Value: LDAP

3. In the General tab, specify the following fields:
   Host IP/DNS
   Specifies the IP address or DNS name of the computer hosting the LDAP directory.
   Example: localhost

   Portnr
   Specifies the port number on which the LDAP directory listens.
   Note: Typical values are 389 and 636; 636 is the conventional port for LDAP over SSL.

   SSL
   Selecting this checkbox enables SSL when communicating with the LDAP host.
   Note: SSL is an acronym for Secure Sockets Layer.

   TLS
   Selecting this checkbox enables TLS when communicating with the LDAP host.
   Note: TLS is an acronym for Transport Layer Security.

   Admin DN
   Specifies the full DN of the account the provisioning service binds with.
   Example: cn=Administrator,cn=users,DC=YourDomain,DC=local
   Note: The service stores this account's password, and the account's rights apply to every policy that uses the database object. Use a dedicated account that holds only the directory rights the policies need rather than a built-in administrator, and select SSL or TLS so that the bind password is not sent in cleartext.

   Password
   Specifies the password of the account given in Admin DN.


4. In the Other tab, type a description of the LDAP database in the Description field.

5. In the Usage tab, you can view associated policies.
   Note: You can double-click an associated policy to jump to the policy object.

6. To test the LDAP database configuration, click Test LDAP Connection. The following information is displayed: whether the LDAP directory supports Persistent Search and Paged Result, and whether the LDAP directory connection is configured correctly.

7. (Optional) If the LDAP directory supports the Paged Result feature, you can select the Use Paged Result checkbox.


4.1.2 Create a SQL Database Object

You create and configure a SQL database object in the Provisioning Studio, so that the provisioning service can connect to your SQL data source.

To create a SQL database object
1. In the Provisioning Studio, click the Databases category in the navigation tree, then select the SQL Database type in the configuration window. The Database Configuration dialog box opens with the General tab selected.

2. Above the General tab, specify the following fields:
   Name
   Specifies a name for the database object.
   Example: Microsoft SQL Express 2005

   Type
   Specifies the type of database.
   Value: JDBC/ODBC

3. In the General tab, specify the following fields:
   JDBC Driver
   Specifies the driver class used to connect to the SQL database.
   Example: com.microsoft.sqlserver.jdbc.SQLServerDriver

   Database URL
   Specifies the JDBC connection URL of the SQL database.
   Example: jdbc:sqlserver://192.168.100.200:1433;DatabaseName=Employee

   Admin name
   Specifies the login name of the database account the provisioning service connects with. (This is a database login, not an LDAP DN.)
   Example: sa
   Note: sa is the built-in SQL Server system administrator login. For anything beyond a test setup, create a dedicated login that is granted only the rights the policies need on the tables they read and write, and keep the password in this field rather than in the URL.

   Password
   Specifies the password of the account given in Admin name.


4. (Optional) To verify that data can be retrieved from the SQL database, run a test query by clicking View SQL.
The SQL Query dialog box opens.
Example: Type select * from person in the Enter SQL Query field, then click OK. The Database Viewer opens and shows all rows of the person table in the Employee database.
Note: The query runs with the account configured above, so keep test queries read-only.

5. In the Other tab, type a description of the SQL database in the Description field.

6. In the Usage tab, you can view associated policies.
Note: You can double-click an associated policy to jump to the policy object.

7. To test the SQL database configuration, click Test JDBC/ODBC Connection.
When the SQL connection is correctly configured, a success message is displayed.
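As an added example (not code from this guide or from McAfee Cloud Identity Manager), the following Python script parses a Database URL of the form shown above and reports the settings a security reviewer would ask to change before the database object is saved. The property names encrypt, trustServerCertificate and hostNameInCertificate are Microsoft JDBC driver properties; the review rules, the function names and the prov_sync login are this example's own assumptions.

```python
"""Review the connection settings of a SQL database object before saving it.

Added example, not code from McAfee Cloud Identity Manager. It parses a SQL
Server JDBC URL and flags settings a reviewer would want changed. The
property names encrypt, trustServerCertificate and hostNameInCertificate are
real Microsoft JDBC driver properties; the rules below are this example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, List

PREFIX = "jdbc:sqlserver://"
DEFAULT_PORT = 1433


@dataclass
class JdbcTarget:
    host: str
    port: int
    database: str
    # keys are lower-cased because the driver treats property names case-insensitively
    props: Dict[str, str] = field(default_factory=dict)


def parse_sqlserver_url(url: str) -> JdbcTarget:
    """Split 'jdbc:sqlserver://host[:port];DatabaseName=db;prop=value;...' into parts."""
    if not url.startswith(PREFIX):
        raise ValueError("not a SQL Server JDBC URL: " + url)
    hostport, _, proptext = url[len(PREFIX):].partition(";")
    host, _, port = hostport.partition(":")
    if not host:
        raise ValueError("JDBC URL has no host")
    props: Dict[str, str] = {}
    for item in proptext.split(";"):
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError("malformed property: " + item)
        props[key.strip().lower()] = value.strip()
    database = props.pop("databasename", "")
    return JdbcTarget(host, int(port) if port else DEFAULT_PORT, database, props)


def review_sql_database(url: str, admin_name: str) -> List[str]:
    """Findings for this Database URL and Admin name; an empty list means none."""
    target = parse_sqlserver_url(url)
    findings = []
    # Without encryption the admin password and every provisioned attribute
    # cross the network in clear text between the service and SQL Server.
    if target.props.get("encrypt", "").lower() not in ("true", "strict"):
        findings.append("encrypt is not enabled: add encrypt=true to the Database URL")
    # trustServerCertificate=true accepts any certificate, so encryption no
    # longer protects against a host impersonating the database server.
    if target.props.get("trustservercertificate", "false").lower() == "true":
        findings.append("trustServerCertificate=true disables certificate validation; "
                        "import the server certificate instead")
    if not target.database:
        findings.append("no DatabaseName: the login lands in its default database")
    # sa is the built-in sysadmin login; a synchronization policy needs far less.
    if admin_name.strip().lower() == "sa":
        findings.append("Admin name is sa: create a dedicated login with only the "
                        "SELECT/INSERT/UPDATE rights the policy needs")
    return findings


if __name__ == "__main__":
    example = "jdbc:sqlserver://192.168.100.200:1433;DatabaseName=Employee"
    for finding in review_sql_database(example, "sa"):
        print("-", finding)
```

Run against the guide's own example URL and the sa login, the script reports two findings: encryption is not enabled and the sysadmin login is in use. Adding encrypt=true and a dedicated login clears them.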


4.1.3 Create a CSV File Database Object

You create and configure a CSV file database object in the Provisioning Studio, so that the provisioning service can connect to your CSV file data source.

To create a CSV file database object

1. In the Provisioning Studio, click the Databases category in the navigation tree, then select the File Database type in the configuration window.
The Database Configuration dialog box opens with the General tab selected.

2. Above the General tab, specify the following fields:

Name
Specifies a name for the database object.
Example: Import from Text File

Type
Specifies the type of database.
Value: CSV File

3. In the General tab, select one of the following options to specify the Filename field:
— Specific file — Select this option to type the name of the CSV file in the Filename field.
— Scan file directory — Select this option to browse for the file and select the file name in a file directory.


4. Specify the following fields and settings:
a. Select the character that separates the fields in the CSV file from the Separator drop-down list.
Example: ;
b. (Optional) Select the character that encloses text values from the Text separator drop-down list. It is needed when a value can itself contain the separator.
c. In the Start record field, specify the record in the CSV file at which reading starts.
Example: Use the setting 1 when the first row (row 0) holds the field names.
d. Select the CSV file encoding from the Encoding drop-down list.
Example: ISO-8859-1

5. Use the following option buttons to specify the names in the Field names table:
+
Click this option button to add a field name to the table.
-
Click this option button to remove a field name from the table.
i
Click this option button to populate the table with the names of the fields in the first record of the CSV file.

6. (Optional) To view the data in the CSV file, click View File.

7. Select an option from the Post Process drop-down list.
Example: Do Nothing

8. In the Other tab, type a description of the CSV file database in the Description field.

9. In the Usage tab, you can view associated policies.
Note: You can double-click an associated policy to jump to the policy object.
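As an added example (not code from this guide or from McAfee Cloud Identity Manager), the following Python function reads a CSV file the way the settings above describe it: the Separator, Text separator, Start record, Encoding and Field names settings map onto its parameters, and passing no field names does what the i button does. The sample file and the function name are constructed for this example.

```python
"""Read a CSV file database as the Provisioning Studio settings describe it.

Added example, not code from McAfee Cloud Identity Manager. The sample file
is constructed here so the example runs offline.
"""
import csv
import io
from typing import Dict, List, Optional

# Constructed sample, encoded as ISO-8859-1 to match the Encoding example.
# Row 0 holds the field names, so the start record is 1. The first data
# record shows why the text separator matters: its cn value contains ';'.
SAMPLE_CSV = (
    "uid;cn;mail\n"
    "jdoe;\"Doe; John\";jdoe@example.com\n"
    "rroux;Renée Roux;rroux@example.com\n"
).encode("iso-8859-1")

BAD_CSV = b"uid;cn;mail\nx;y\n"   # constructed: the data record is one field short


def read_csv_database(data: bytes, separator: str = ";", text_separator: Optional[str] = '"',
                      start_record: int = 1, encoding: str = "iso-8859-1",
                      field_names: Optional[List[str]] = None) -> List[Dict[str, str]]:
    """Return one dict per record, keyed by field name.

    field_names=None takes the names from the first record of the file, as
    the i button does. start_record is the index of the first record that is
    treated as data, so with a header row it must be at least 1.
    """
    text = data.decode(encoding)   # a wrong Encoding setting fails here, not silently
    if text_separator is None:
        reader = csv.reader(io.StringIO(text), delimiter=separator, quoting=csv.QUOTE_NONE)
    else:
        reader = csv.reader(io.StringIO(text), delimiter=separator, quotechar=text_separator)
    rows = [row for row in reader if row]   # skip blank lines
    if not rows:
        return []
    if field_names is None:
        if start_record < 1:
            raise ValueError("start record must be at least 1 when field names come from the file")
        field_names = rows[0]
    records = []
    for number, row in enumerate(rows[start_record:], start=start_record):
        if len(row) != len(field_names):
            # A short or long row usually means a wrong separator or an
            # unquoted separator inside a value; refuse rather than mis-map columns.
            raise ValueError(f"record {number}: expected {len(field_names)} fields, got {len(row)}")
        records.append(dict(zip(field_names, row)))
    return records


if __name__ == "__main__":
    for record in read_csv_database(SAMPLE_CSV):
        print(record)
```

The record-length check is the part worth keeping in any importer: a row with the wrong number of fields is refused instead of being mapped onto the wrong columns, which is how a stray separator in one value ends up in another user's attribute.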


4.1.4 Create an LDIF File Database Object

You create and configure an LDIF file database object in the Provisioning Studio, so that the provisioning service can connect to your LDIF file data source.

To create an LDIF file database object

1. In the Provisioning Studio, click the Databases category in the navigation tree, then select the File Database type in the configuration window.
The Database Configuration dialog box opens with the General tab selected.

2. Above the General tab, specify the following fields:

Name
Specifies a name for the database object.
Example: Import from LDIF File

Type
Specifies the type of database.
Value: LDIF File

3. In the General tab, select one of the following options to specify the Filename field:
— Specific file — Select this option to type the name of the LDIF file in the Filename field.
— Scan file directory — Select this option to browse for the file, then select the file name in a file directory.

4. (Optional) To view the data in the LDIF file, click View File.

5. Select an option from the Post Process drop-down list.
Example: Do Nothing

6. In the Other tab, type a description of the LDIF file database in the Description field.

7. In the Usage tab, you can view associated policies.
Note: You can double-click an associated policy to jump to the policy object.


4.1.5 Web Services Database Objects

The provisioning service includes two web services packages.

• Two provisioning instances option — This package is for two provisioning instances, one acting as a web service client and the other acting as a web service receiver. One instance runs the Session Object Transmitter action, and the other is the Web Service Receiver.
• Generic option — This package is for handling LDAP directory requests, including CREATE, MODIFY, MOVE, DELETE, and SEARCH object requests.

API support for custom web services is also available.

In the Provisioning Studio, configuring a web service as a data source is a three-step process:
1. Configure a connection to the web service
2. Create a receiver database object for the web service
3. Enable the web service as a database

4.1.5.1 Configure a Connection to the Web Service

When you configure a web service as a data source, you first configure a connection to the web service.

To configure a connection to the web service

1. In the Provisioning Studio, click Tools | Options.
The Options dialog box opens.

2. Specify a value in the PortNr field in the Web Service Listener area.

3. (Optional) Select the Use SSL checkbox.
Note: If you are using SSL, specify HTTPS port 443 in the PortNr field.

4. (Optional) If you are using SSL, click the Configure SSL button.
The SSL Keystore dialog box opens.


5. In the SSL Keystore dialog box, select an existing certificate or create a new self-signed certificate to use for SSL communication:
— To select an existing certificate — Browse for an existing keystore file, type the keystore's password in the Keystore password field, and click Test to verify the configuration.
— To create a new self-signed certificate — Select the Create new Keystore (self signed) checkbox, specify the fields that become active in the SSL Keystore dialog box, and click Save.
Note: A self-signed certificate is not trusted by the transmitting instance until that instance is configured to trust it; a certificate from your own CA avoids this step.

4.1.5.2 Create a Receiver Database Object for the Web Service

After you configure a connection to the web service, you need to configure a receiver database object.

To create a receiver database object for the web service

1. In the Provisioning Studio, click the Databases category in the navigation tree, then select the Webservices Database type in the configuration window.
The Database Configuration dialog box opens with the General tab selected.

2. Above the Web Services tab, specify the following fields:

Name
Specifies a name for the database object.
Example: AAM Receiver

Type
Specifies the type of database.
Value: Web services

3. In the Web Services tab, specify the location of the deploy.wsdd file in the WSDD Package field. The WSDD (web service deployment descriptor) file is the XML descriptor that tells the web service engine how to deploy the service: the service name, the Java class that implements it, and the operations it exposes.

4. In the Other tab, type a description of the web service receiver database in the Description field.

5. In the Usage tab, you can view associated policies.
Note: You can double-click an associated policy to jump to the policy object.


4.1.5.3 Enable the Web Service as a Database

Using a web service as a database requires additional configuration. For each incoming web service client, you need to configure an administrative user account and password in the web service policy; these are the credentials that the client must present to the receiver.


4.2 SMTP Settings

The provisioning service supports many actions, including sending email. To send email, configure the SMTP settings. In the Provisioning Studio, click the SMTP Settings category in the navigation tree, then configure the SMTP settings in the configuration window.

SMTP Host
Specifies the IP address or DNS name of the SMTP server.
Example: smtp.domain.com

SMTP Port
Specifies the port number of the SMTP server.
Value: 25

SSL/TLS
Select this checkbox when the SMTP server requires SSL/TLS.
Note: When the SMTP server requires SSL/TLS, set the port number to 587 (the mail submission port, on which the session is upgraded with STARTTLS).

Mime Encode
Specifies the MIME character encoding used for outgoing messages.
Default: ISO-8859-1

Sender
Specifies the sender's email address.
Example: [email protected]

Master email
Specifies the email address to use when none is configured in the action.
Example: [email protected]

User name
Specifies the user name to use when authenticating to the SMTP server.
Example: eca360-service

Password
Specifies the password to use when authenticating to the SMTP server.


4.3 Schedules

Policies use schedules to determine when to run. One policy can be associated with multiple schedules. To create a schedule, you configure basic or advanced schedule settings and provide a description of the schedule. For a basic schedule, you can also specify hours and dates to exclude.

4.3.1 Basic Schedule Settings

In the Provisioning Studio, click the Schedules category in the navigation tree, then configure the basic schedule settings in the configuration window.

Name
Specifies the name of the schedule.

Type
Specifies the type of schedule that is being configured.
Value: Basic

Days
Specifies one or more days of the week on which the schedule is run.

Time
To specify the time, select one of the following options:

Fixed Hour
To specify a fixed hour, select this option and type the hour in the At field.
Format: 24-hour
Example: 18:00

Interval
To specify a time interval, select this option and type the interval in the Every field.
Unit: Minutes
Note: To specify the interval in seconds, append an s to the value in the Every field.
Example: To specify 10 seconds for the time interval, type 10s in the Every field.

Run Once
Select this option to run the schedule once and then exit.

Shutdown on Next Schedule
Select this checkbox to shut down the provisioning service the next time the schedule is run.

Exclude Hours
Click this tab to configure one or more ranges of time during which the schedule is not run.
Format: 24-hour
Example: 01:00-05:00

Exclude Dates
Click this tab to configure one or more dates on which the schedule is not run.

Description
Click this tab to provide a description of the schedule.


4.3.2 Advanced Schedule Settings

In the Provisioning Studio, you have the option of configuring the following advanced schedule settings:

Run at time
Specifies a time at which the schedule is run.
Format: 24-hour
Example: 15:00

Repeated days every month
Specifies one or more days of the month on which to run the schedule.

Specific dates
Specifies one or more dates on which to run the schedule.


4.4 Actions

To configure a policy, specify the policy's actions and the order in which the actions are applied. Actions are applied to session objects and can be one of three types:

• Getters — Create new session objects and their attributes.
• Modifiers — Update existing session objects and their attributes.
• Setters — Save data from session objects and their attributes to one or more targets, such as a database, a file, or a web service.

Note: An API is available for developing custom actions.

4.4.1 Getters

Getters are policy actions that create new session objects and their attributes. Getters can also add information from a data source to an existing session object in the form of new session attributes. To view the actions in the Getters category, click Actions | Getters in the navigation tree.

Available actions include both built-in and user-configured actions. To view all actions in the Getters category, click the sub-categories marked by the + symbol. The categories expand to show all actions of that type. The following table lists some, but not all, of the available Getters actions.

Table 1. Examples of Actions in the Getters Category

Action Name              | Action Description
Add Data from SQL        | Adds data from a JDBC/ODBC database.
Add Static Attribute     | Adds a static attribute and attribute value. If the attribute is unicodePwd, the value is automatically converted to Microsoft Active Directory format.
Get Attributes from LDAP | Gets one or more attribute values from an LDAP object.
Search LDAP              | Searches an LDAP database and creates session objects from the results of the search.


4.4.2 Modifiers

Modifiers are policy actions that update existing session objects and their attributes. Modifiers allow you to correct the format of session attributes or reformat attributes for export to an application. For example, you can correct the format of the mail attribute or reformat a time stamp for export to a Microsoft Excel spreadsheet. To view the actions in the Modifiers category, click Actions | Modifiers in the navigation tree.

Available actions include both built-in and user-configured actions. To view all actions in the Modifiers category, click the sub-categories marked by the + symbol. The categories expand to show all actions of that type. The following table lists some, but not all, of the available Modifiers actions.


Table 2. Examples of Actions in the Modifiers Category

Action Name                                 | Action Description
Certificate Handler                         | Manages certificate information.
Check Group Membership                      | Checks whether a user belongs to a specified LDAP group. Nested groups are supported.
Convert Session Attribute to Session Object | Converts a session attribute to a session object. For example, all values in the members session attribute can be converted to session objects.
Create Password Value                       | Generates a password attribute.
Date Handler                                | Converts a date value from one format to another. Session objects that are older or younger than a specified date can be deleted.
Format Attribute Value                      | Formats a session attribute value. If the attribute is unicodePwd, the value is automatically converted to Microsoft Active Directory format.
Match to LDAP Object                        | Matches a session object to an LDAP object.
Nested Group Extract                        | Checks the members session attribute for group membership and extracts all members of a group.
String Replacer                             | Replaces or removes characters in a string.
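Two entries in the tables above deserve a concrete illustration: Create Password Value, and the note on Add Static Attribute (Table 1) and Format Attribute Value (Table 2) that a unicodePwd value is converted to Microsoft Active Directory format. As an added example (not code from this guide or from McAfee Cloud Identity Manager), the following Python module generates a password attribute from a cryptographic random source and performs the conversion Active Directory requires for unicodePwd: the password enclosed in double quotes, encoded as UTF-16LE. The LDIF helpers at the end, the function names and the symbol set are this example's own.

```python
"""Generate a password attribute and convert it to Active Directory format.

Added example, not code from McAfee Cloud Identity Manager. Active Directory
accepts a unicodePwd value only as the quoted password encoded in UTF-16LE;
that conversion is what the guide's tables refer to.
"""
import base64
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!#$%&*+-=?@^_"          # assumed symbol set; adjust to the target's password policy
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def create_password_value(length: int = 16) -> str:
    """Random password drawn with the secrets module (never random.choice),
    redrawn until each of the four character classes appears at least once."""
    if length < 4:
        raise ValueError("a password covering all four classes needs at least 4 characters")
    while True:
        pwd = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pwd) for cls in (LOWER, UPPER, DIGITS, SYMBOLS)):
            return pwd


def to_unicode_pwd(password: str) -> bytes:
    """The Active Directory format: the password in double quotes, as UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def from_unicode_pwd(value: bytes) -> str:
    """Reverse of to_unicode_pwd; rejects values Active Directory would reject too."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a quoted password")
    return text[1:-1]


def ldif_unicode_pwd(password: str) -> str:
    """An LDIF attribute line for the value; binary values use the '::' base64 form."""
    return "unicodePwd:: " + base64.b64encode(to_unicode_pwd(password)).decode("ascii")


def parse_ldif_unicode_pwd(line: str) -> str:
    name, sep, value = line.partition(":: ")
    if name != "unicodePwd" or not sep:
        raise ValueError("not a base64 unicodePwd line")
    return from_unicode_pwd(base64.b64decode(value))


if __name__ == "__main__":
    generated = create_password_value()
    print(ldif_unicode_pwd(generated))
    print(parse_ldif_unicode_pwd(ldif_unicode_pwd(generated)) == generated)
```

Active Directory also accepts a unicodePwd write only over an encrypted connection (LDAPS or a signed and sealed session), which is one reason the LDAP database object in this guide is configured with SSL on port 636.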


4.4.3 Setters

Setters are policy actions that save data from session objects and their attributes by writing the data to one or more targets, such as a database, a file, or a web service. For example, you can:

• Create a report in Microsoft Excel or PDF format and send it to a specified email address.
• Synchronize session objects that are collected from an LDAP database and modified by actions, and save the objects to a SQL database.
• Write modified session objects back to the database of origin.

To view the actions in the Setters category, click Actions | Setters in the navigation tree. Available actions include both built-in and user-configured actions. To view all actions in the Setters category, click the sub-categories marked by the + symbol. The categories expand to show all actions of that type. The following table lists some, but not all, of the available Setters actions.


Table 3. Examples of Actions in the Setters Category

Action Name                  | Action Description
Auto Attribute Populator     | Parses attribute values and creates a new or updates an existing session attribute. This action can be used to update group memberships and synchronize group memberships with another database.
Create LDAP Object           | Creates an LDAP object based on session objects and their attributes.
Excel Export                 | Creates reports in Microsoft Excel format.
Google Apps User Integration | Provisions Google Apps user accounts, including creating, modifying, and deleting accounts.
Launch Application           | Launches an external application or script.
Send Mail                    | Sends emails with information about one or more session objects. File attachments are supported.
Session Object Transmitter   | Sends session objects to another instance of the provisioning service through a web service.
Write to LDAP                | Writes session attribute values to an LDAP directory.
Write to SQL                 | Writes session attribute values to a SQL database.


4.5 Log Settings

Configure the following log settings:

Log to Console
Specifies whether all logging is also displayed in the Java Console.
Value: Enabled

Level
Specifies the log level.
Default: Info

Max log file size
Specifies the maximum log file size in kilobytes. When this size is reached, the file is rolled over to a backup and a new log file is created.
Value: 5000 KB

Max backup index
Specifies the maximum number of backup log files to keep. When the number is exceeded, the oldest backup file is removed.
Value: 500


4.6 Alerts

You can create an alert that notifies you when an unusual event occurs. To create an alert, configure the following settings:

Enable alerts
Enables alerts.
Value: Enabled

Notify recipients
Adds recipients to or removes them from the email address list.
Example: [email protected]

Policy failure
Sends an alert if a policy fails.
Value: Enabled

Preflight check failure
Sends an alert if a prerun check on a policy fails.
Value: Enabled

Schedule failure
Sends an alert if a schedule does not complete in the specified number of minutes.
Value: Enabled

Max minutes for schedules
Specifies the maximum number of minutes a schedule may run before a Schedule failure alert is sent.
Value: 720

Mail
Sends an alert by SMTP.
Value: Enabled

Run policy
Specifies a policy to run when an alert is generated. The policy creates a session object for each alert recipient. The session object contains two attributes: the recipient's email address and the alert message.


5.0 Policy Administration

After you create a policy and its components, you can run the policy in test mode. In the following example, user information in a Microsoft Active Directory (AD) database is synchronized with information in a SQL database. Policy actions convert Active Directory user attributes to a form that matches the table layout of a SQL database.

To create and test the policy, you complete the following steps:
1. Create a Microsoft Active Directory Database
2. Create a SQL Database
3. Create a Schedule
4. Create the Policy
5. Create Three Actions for the Policy
6. Add the Actions to the Policy
7. Save the Policy Configuration
8. Run the Policy in Test Mode


5.1 Create a Microsoft Active Directory Database for the Policy

To create an Active Directory database object, open the Provisioning Studio. In the General category in the navigation tree, click Databases. Database options open in the configuration window. Click LDAP Database.

The Database Configuration dialog box opens and shows three tabs:
• General
• Other
• Usage


To create a Microsoft Active Directory database for the policy

1. Above the tabs, configure the following fields and settings for an Active Directory database:

Name
Specifies a name for the database object.
Example: Microsoft Active Directory

Type
Specifies the type of database.
Value: LDAP

2. In the General tab, configure the following fields and settings for an Active Directory database:

Host IP/DNS
Specifies the IP address or DNS name of the computer hosting the LDAP directory.
Value: localhost

Portnr
Specifies the port number on which the LDAP directory listens.
Value: 636
Note: 636 is the LDAPS port and goes together with the SSL option below; plain LDAP listens on 389.

SSL
Selecting this checkbox enables SSL when communicating with the LDAP host.
Value: Enabled

TLS
Selecting this checkbox enables TLS when communicating with the LDAP host.
Value: Disabled

Admin DN
Specifies the full DN of the account that the provisioning service binds with. Grant this account only the directory rights the policies need.
Example: cn=Administrator,cn=users,DC=YourDomain,DC=local

Password
Specifies the password of that account.

3. In the Other tab, you can type a description of the Active Directory database in the Description field.

4. In the Usage tab, you can view the associated policies and double-click a policy to jump to the policy object.

5. To test the configuration, click Test LDAP Connection.
Testing the LDAP connection returns a success or failure result and information about whether the LDAP directory supports Persistent Search and Paged Result.

Note: For more information about how to configure an LDAP database, see section 4.1.1 Create an LDAP Database Object.


5.2 Create a SQL Database for the Policy

To create a SQL database object, open the Provisioning Studio. In the General category in the navigation tree, click Databases. Database options open in the configuration window. Click ODBC or JDBC (SQL) Database.

The Database Configuration dialog box opens and shows three tabs:
• General
• Other
• Usage


To create a SQL database for the policy

1. Above the tabs, configure the following fields and settings for a SQL database:

Name
Specifies the name of the database object.
Example: Microsoft SQL Express 2005

Type
Specifies the type of database.
Value: JDBC/ODBC

2. In the General tab, configure the following fields and settings for a SQL database:

JDBC Driver
Specifies the JDBC driver class to load when connecting to the SQL database.
Example: com.microsoft.sqlserver.jdbc.SQLServerDriver

Database URL
Specifies the JDBC URL of the SQL database.
Example: jdbc:sqlserver://192.168.100.200:1433;DatabaseName=Employee

Admin name
Specifies the login name of the database account that the provisioning service uses (a SQL login, not an LDAP DN).
Example: sa

Password
Specifies the password of that database account.

3. In the Other tab, you can type a description of the SQL database in the Description field.

4. In the Usage tab, you can view the associated policies and double-click a policy to jump to the policy object.

5. To verify that data can be retrieved from the SQL database, you can run a test query by clicking View SQL.

6. To test the configuration, click Test JDBC/ODBC Connection.
Testing the SQL connection returns a success or failure result.

Note: For more information about how to configure a SQL database, see section 4.1.2 Create a SQL Database Object.


5.3 Create a Schedule for the Policy

Create a schedule that runs the policy every 60 minutes, every day of the week. To create the schedule, open the Provisioning Studio. In the General category in the navigation tree, click Schedules, then select Run every 60 minutes. Configuration options open in the configuration window.

Note: For more information about how to create a schedule, see section 4.3 Schedules.

5.4 Create the Policy

To create the policy, open the Provisioning Studio. In the navigation tree, click Policies. Configuration options open in the configuration window and include the following tabs:

• General
• Actions
• Other
• Log


5.4.1 Configure General Policy Settings

The policy settings in the General tab include the policy’s name, category and type, the database, and the schedule.

To configure general policy settings

1. Type a name for the policy in the Policy Name field.
Example: Synchronize Active Directory to SQL db

2. Select a category for the policy from the Category drop-down list.
Value: Active Directory to SQL

3. Select one of the following options from the Policy Type drop-down list:
— Manual
— Scheduled
— Persistent Search
Note: The policy type is based on the type of policy scheduler.

4. To enable the policy, select the Enabled checkbox.

5. To select a database, click Select.
The Select a database dialog box opens.

6. Select Microsoft Active Directory, then click OK.


7. To select a schedule, click Select.
The Add or remove Schedule dialog box opens.

8. Select Run every 60 minutes, then click Add.


5.4.2 Configure LDAP Search Settings

You configure LDAP search settings for the policy in the General tab.

To configure LDAP search settings

1. To configure the LDAP search settings, specify the following fields:

Search Base
Specifies where to start searching in the LDAP tree.
Example: OU=InternalUsers,DC=mcafee,DC=local

Search Scope
Specifies how many levels to search in the LDAP tree. Select one of three values:
• SUB — Search the Base and the entire subtree.
• ONE — Search the entries one level below the Base only.
• BASE — Search the Base only.

Max Search Results
Specifies the maximum number of search results to return.
Note: To return all results, specify 0.

Search Filter
Specifies an LDAP search filter. Type a filter in the field, or click the browse button to select an object class or attribute from the LDAP schema.
Example: objectclass=user

Get Attributes
Specifies the attributes to fetch for each object. Use commas to separate attributes.
Example: cn,sn,givenName,title,telephoneNumber,mail


2. (Optional) To verify that a search result is returned from the LDAP directory, click Test Search Result.
The Matched Objects dialog box opens.

3. Click Execute LDAP Search.
The Matched Objects dialog box expands to show the search result.

4. Click Close.
The Matched Objects dialog box closes.
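As an added example (not code from this guide or from McAfee Cloud Identity Manager), the following Python module covers the three parts of the LDAP search settings above that are easy to get wrong: escaping a value before it is placed into a Search Filter (RFC 4515, so that a value such as *)(objectClass=* cannot rewrite the filter), deciding which entries a Search Scope of BASE, ONE or SUB covers relative to the Search Base, and splitting the comma-separated Get Attributes list. The sample DNs and function names are constructed for this example, and DN handling is simplified: RDN values containing escaped commas are not supported.

```python
"""Build and check the LDAP search settings a policy is configured with.

Added example, not code from McAfee Cloud Identity Manager. Filter escaping
follows RFC 4515; scope semantics follow the LDAP protocol; DN parsing is a
simplified split on commas.
"""
from typing import Dict, List, Tuple

# RFC 4515 requires these characters to be escaped inside a filter assertion
# value. Mapping per character avoids double-escaping the backslash.
_FILTER_ESCAPES: Dict[str, str] = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

SCOPES = {"BASE": 0, "ONE": 1, "SUB": 2}   # the LDAP protocol's scope codes

# Constructed sample DNs standing in for directory entries.
SAMPLE_DNS = [
    "OU=InternalUsers,DC=mcafee,DC=local",
    "CN=jdoe,OU=InternalUsers,DC=mcafee,DC=local",
    "CN=rroux,OU=Sales,OU=InternalUsers,DC=mcafee,DC=local",
    "CN=svc,OU=ServiceAccounts,DC=mcafee,DC=local",
]


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter assertion."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(object_class: str, attribute: str, value: str) -> str:
    """AND the guide's objectclass=user style filter with one attribute match,
    escaping both values; the attribute name is a constant chosen by the admin."""
    return (f"(&(objectClass={escape_filter_value(object_class)})"
            f"({attribute}={escape_filter_value(value)}))")


def parse_get_attributes(text: str) -> Tuple[str, ...]:
    """Split the Get Attributes field, tolerating spaces and a trailing comma."""
    return tuple(a.strip() for a in text.split(",") if a.strip())


def _rdns(dn: str) -> List[str]:
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def dn_in_scope(search_base: str, dn: str, scope: str) -> bool:
    """Would an entry at dn be returned by a search with this base and scope?"""
    if scope not in SCOPES:
        raise ValueError("scope must be one of BASE, ONE, SUB")
    base, entry = _rdns(search_base), _rdns(dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                 # not under the search base at all
    depth = len(entry) - len(base)   # 0 = the base itself, 1 = direct child, ...
    return {"BASE": depth == 0, "ONE": depth == 1, "SUB": True}[scope]


def entries_in_scope(search_base: str, scope: str, dns: List[str], max_results: int = 0) -> List[str]:
    """Apply Search Scope and Max Search Results (0 = all) to a list of entry DNs."""
    hits = [dn for dn in dns if dn_in_scope(search_base, dn, scope)]
    return hits if max_results <= 0 else hits[:max_results]


if __name__ == "__main__":
    base = "OU=InternalUsers,DC=mcafee,DC=local"
    for scope in ("BASE", "ONE", "SUB"):
        print(scope, entries_in_scope(base, scope, SAMPLE_DNS))
    print(user_filter("user", "sAMAccountName", "*)(objectClass=*"))
```

A scope of ONE is the common surprise: with the guide's Search Base, users in a sub-OU such as OU=Sales are not returned, so a policy that is meant to cover the whole organizational unit needs SUB.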

5.4.3 Configure Policy Settings in the Actions Tab

You configure settings for the policy in the Actions tab.

To configure policy settings in the Actions tab

1. Select the Stop Policy if no session objects checkbox to enable this option.
Note: When this option is enabled, the policy is stopped if there are no session objects to process.

2. Select the Stop policy if an action fails checkbox to enable this option.
Note: When this option is enabled, the policy is stopped when an action fails, so the actions that follow do not write partially processed session objects to the target.


5.4.4 Configure Policy Settings in the Other Tab

You configure settings for the policy in the Other tab. The settings include a description field and prerun checks.

To configure policy settings in the Other tab

1. Type a description of the policy in the Description field.

2. Configure the following Prerun checks:

Verify primary database connection
Selecting this checkbox enables checking the database connection before the policy is run.
Value: Enabled

Verify SMTP connection
Selecting this checkbox enables checking the mail server connection before the policy is run.
Value: Disabled

Verify other database connections
To check other database connections for the policy, add the database names to this field.
Example: Microsoft SQL Express 2005

3. Configure the following settings. The settings apply after the policy completes:

Run Garbage Collector after completion
Selecting this checkbox frees memory after the policy completes.
Value: Disabled

Clear Objects from memory after completion
Selecting this checkbox clears session objects from memory after the policy completes.
Value: Disabled
Note: Session objects can hold sensitive attributes, such as the random passwords this example policy generates; clearing them limits how long those values stay in memory.


5.4.5 Configure Policy Settings in the Log Tab

Select the Enable Logging checkbox to create an execution log when the policy is run. You can query the log to collect information about the run.


5.5 Creating Actions for the Policy

For the policy named Synchronize Active Directory to SQL db, three actions are needed:

• Rename attribute for SQL: Renames Active Directory attributes to match the corresponding SQL table fields.

• Create a random password: Creates a random password and stores the value in a new attribute for each session object.

• Create or update SQL database: Updates the matching row in the SQL database, or creates a row if no match exists.

To create the actions, open the Provisioning Studio. In the navigation tree, right-click Actions. A list of sort options opens. For this exercise, select Sorted Actiontypes.

5.5.1 Configure Action: Rename Attribute for SQL

In the navigation tree, locate and select the action type Rename Attribute. In the configuration window, the Rename Attribute configuration dialog box opens with the General tab selected. There are three tabs altogether:

• General
• Other
• Usage

To configure action: Rename Attribute for SQL

1. Type a name for the action in the Action Name field.
Example: Rename attribute for SQL

2. In the General tab, specify a one-to-one correspondence between the Active Directory attribute names and the SQL attribute names. Type the attribute names in the Value column of the following rows. Optionally, use the Browse buttons to select and search a database for attribute names.

Org Attribute
Type a comma-separated list of Active Directory attributes to rename for the SQL database.
Example: cn,sn,givenName

New Attribute
Type a comma-separated list of SQL attribute names that corresponds position by position to the Active Directory list. The two lists must have the same number of entries.
Example: Userid,LastName,FirstName
Note: The names you enter here are the session attribute names that the SQL queries in section 5.5.3 reference as SESSION(name). Spell them identically in both places.

3. In the Other tab, type a general description of the action in the Action description field.

4. In the Usage tab, type a specific description of how this action is used in the Configuration notes field.


5.5.2 Configure Action: Create a Random Password

In the navigation tree, locate and click the action type Create Password Value. In the configuration window, the Create Password Value configuration dialog box opens with the General tab selected. There are three tabs altogether:

• General
• Other
• Usage

To configure action: Create a Random Password

1. Type a name for the action in the Action Name field.
Example: Create a random password

2. In the General tab, configure the random password and a name for the new attribute created to hold the password.

Attribute Name
Specifies a name for the new attribute created to hold the random password.
Example: password

Min Length
Specifies the minimum password length.
Example: 6

Max Length
Specifies the maximum password length.
Example: 10

Use these characters
Specifies the set of characters from which the password is built.
Example: 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ

Copy to other attribute
(Optional) Specifies whether to copy the generated random password to another session attribute.

Nr of Uppercase Chars
Specifies the number of uppercase characters required in the password.
Example: 2

Nr of Lowercase Chars
Specifies the number of lowercase characters required in the password.
Example: 2

Nr of Digits
Specifies the number of digits required in the password.
Example: 2

Note: The required character counts must be satisfiable from the character set and must not exceed Max Length (with the example values, 2 + 2 + 2 = 6 fits within 6 to 10). A 6-character alphanumeric password is suitable only as an initial password that the user is required to change at first login.

3. In the Other tab, type a general description of the action in the Action description field.

4. In the Usage tab, type a specific description of how this action is used in the Configuration notes field.
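The following Python script is an added example, not code from the guide or from the product, that reproduces the Create Password Value settings above (Min Length 6, Max Length 10, the alphanumeric character set, and two required characters of each class) with a cryptographically secure generator, validates the result against the same settings, checks whether a given configuration can be satisfied at all, and reports an upper bound on the entropy the settings allow. The function and constant names are the example's own.

```python
import math
import secrets
import string

# Parameters of the Create Password Value action as shown on this page.
MIN_LENGTH = 6
MAX_LENGTH = 10
ALLOWED_CHARS = string.digits + string.ascii_lowercase + string.ascii_uppercase
MIN_UPPER = 2
MIN_LOWER = 2
MIN_DIGITS = 2


def meets_policy(pw, min_len=MIN_LENGTH, max_len=MAX_LENGTH, allowed=ALLOWED_CHARS,
                 min_upper=MIN_UPPER, min_lower=MIN_LOWER, min_digits=MIN_DIGITS):
    """Return True if pw satisfies every constraint of the action's settings."""
    if not min_len <= len(pw) <= max_len:
        return False
    if any(c not in allowed for c in pw):
        return False
    return (sum(c.isupper() for c in pw) >= min_upper
            and sum(c.islower() for c in pw) >= min_lower
            and sum(c.isdigit() for c in pw) >= min_digits)


def policy_is_satisfiable(min_len=MIN_LENGTH, max_len=MAX_LENGTH, allowed=ALLOWED_CHARS,
                          min_upper=MIN_UPPER, min_lower=MIN_LOWER, min_digits=MIN_DIGITS):
    """Catch settings that can never be met: quotas exceeding Max Length, or a
    character class that is required but absent from 'Use these characters'."""
    if min_len > max_len or min_upper + min_lower + min_digits > max_len:
        return False
    pools = [(min_upper, any(c.isupper() for c in allowed)),
             (min_lower, any(c.islower() for c in allowed)),
             (min_digits, any(c.isdigit() for c in allowed))]
    return all(available for need, available in pools if need > 0)


def generate_password(min_len=MIN_LENGTH, max_len=MAX_LENGTH, allowed=ALLOWED_CHARS,
                      min_upper=MIN_UPPER, min_lower=MIN_LOWER, min_digits=MIN_DIGITS):
    """Pick the required class characters first, fill the rest from the whole
    set, then shuffle so the quota characters do not sit in fixed positions.
    Every random choice comes from the OS CSPRNG via the secrets module."""
    if not policy_is_satisfiable(min_len, max_len, allowed, min_upper, min_lower, min_digits):
        raise ValueError("password settings cannot be satisfied")
    rng = secrets.SystemRandom()
    length = rng.randint(max(min_len, min_upper + min_lower + min_digits), max_len)
    upper = [c for c in allowed if c.isupper()]
    lower = [c for c in allowed if c.islower()]
    digits = [c for c in allowed if c.isdigit()]
    chars = ([secrets.choice(upper) for _ in range(min_upper)]
             + [secrets.choice(lower) for _ in range(min_lower)]
             + [secrets.choice(digits) for _ in range(min_digits)])
    chars += [secrets.choice(allowed) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)


def max_entropy_bits(length, alphabet=ALLOWED_CHARS):
    """Upper bound on the guessing entropy of a password of this length drawn
    from the alphabet; the class quotas reduce the real figure slightly."""
    return length * math.log2(len(set(alphabet)))


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw))
    print("6 chars: %.1f bits, 10 chars: %.1f bits"
          % (max_entropy_bits(6), max_entropy_bits(10)))
```

With the page's settings the shortest allowed password carries under 36 bits of entropy and the longest under 60, which is why the note above limits such passwords to first-login use.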


5.5.3 Configure Action: Create or Update SQL Database

In the navigation tree, locate and click the action type Write and Match to SQL. In the configuration window, the Write and Match to SQL configuration dialog box opens with the General tab selected. There are three tabs altogether:

• General
• Other
• Usage

To configure action: Create or Update SQL Database

1. Type a name for the action in the Action Name field.
Example: Create or update SQL database entity

2. In the General tab, configure the following action parameters:

Force user database
Specifies the name of the SQL database.
Example: Microsoft SQL Express 2005

SQL Match query
Specifies the SQL query that searches the SQL database for the session object. Session attribute values are referenced in the query using the format SESSION(attributeName).
Example: SELECT * FROM Person WHERE Userid='SESSION(Userid)'

SQL Update query
Specifies the SQL query that updates an entry in the SQL database. The SQL Update query is executed when the SQL Match query finds a match. When the query is blank, no update occurs.
Example: UPDATE Person SET LastName='SESSION(LastName)',FirstName='SESSION(FirstName)' WHERE Userid='SESSION(Userid)'

SQL Create query
Specifies the SQL query that creates an entry in the SQL database. The SQL Create query is executed when the SQL Match query does not find a match.
Example: INSERT INTO Person (Userid, LastName, FirstName, Password) VALUES ('SESSION(Userid)', 'SESSION(LastName)', 'SESSION(FirstName)', 'SESSION(password)')
Note: SESSION(name) references must use the attribute names exactly as they exist on the session object: the names set in the Rename Attribute action (section 5.5.1) and the Attribute Name of the Create Password Value action (section 5.5.2), here password.

Set isNew flag (true/false)
This flag is set to true by the system when the SQL Create query is executed.

Note: The SESSION(attributeName) values are taken from directory attributes and placed inside quoted SQL literals. Before running the policy against production data, use test mode (section 5.7) on a session object whose attribute values contain a single quote (for example, a surname such as O'Brien) and confirm in the Log tab that the row is written correctly.

3. In the Other tab, type a general description of the action in the Action description field.

4. In the Usage tab, type a specific description of how this action is used in the Configuration notes field.
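The following Python script is an added example, not code from the guide or from the product, that runs the three actions of sections 5.5.1 to 5.5.3 over constructed session objects: it applies the Org Attribute / New Attribute rename lists, then performs the match / update / create logic against an in-memory SQLite table named Person with the same columns as the page's queries, setting the isNew flag as described. The page does not state how the product escapes quote characters when it substitutes SESSION(name), so the example also shows what a purely textual substitution produces for a surname containing an apostrophe, which is the case the note above asks you to test; the write path itself uses bound parameters. The constants, the sample objects and the passwords they carry are the example's own.

```python
import re
import sqlite3

# Org Attribute / New Attribute lists from the Rename Attribute action above.
ORG_ATTRIBUTES = "cn,sn,givenName"
NEW_ATTRIBUTES = "Userid,LastName,FirstName"

# The guide's update query with SESSION(name) placeholders, used only to show
# what textual substitution yields.
UPDATE_QUERY = ("UPDATE Person SET LastName='SESSION(LastName)',"
                "FirstName='SESSION(FirstName)' WHERE Userid='SESSION(Userid)'")

SCHEMA = ("CREATE TABLE Person (Userid TEXT PRIMARY KEY, LastName TEXT, "
          "FirstName TEXT, Password TEXT)")

# Constructed session objects standing in for Active Directory search results;
# the password attribute is what the Create Password Value action would add.
SAMPLE_OBJECTS = [
    {"cn": "alias", "sn": "Example", "givenName": "Alice", "password": "xK7q2Wm9"},
    {"cn": "obrien", "sn": "O'Brien", "givenName": "Owen", "password": "pR4t8Zy1"},
]


def parse_rename_map(org, new):
    """Build the one-to-one mapping the action requires; unequal lists are an error."""
    src = [a.strip() for a in org.split(",")]
    dst = [a.strip() for a in new.split(",")]
    if len(src) != len(dst):
        raise ValueError("Org Attribute and New Attribute lists differ in length")
    return dict(zip(src, dst))


def rename_attributes(session_obj, mapping):
    """Rename Attribute: mapped names change, all other attributes pass through."""
    return {mapping.get(name, name): value for name, value in session_obj.items()}


def substitute_session(query, session_obj):
    """Textual SESSION(name) replacement, as the query syntax on this page reads."""
    return re.sub(r"SESSION\((\w+)\)",
                  lambda m: str(session_obj.get(m.group(1), "")), query)


def query_executes(query):
    """True if a substituted query is still valid SQL (run on a scratch table)."""
    scratch = sqlite3.connect(":memory:")
    scratch.execute(SCHEMA)
    try:
        scratch.execute(query)
        return True
    except sqlite3.Error:
        return False
    finally:
        scratch.close()


def new_connection():
    """In-memory stand-in for the Person table in the target SQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def write_and_match(conn, obj):
    """Write and Match to SQL with bound parameters: update when the match query
    finds the Userid, otherwise create the row and set isNew. Returns isNew."""
    found = conn.execute("SELECT 1 FROM Person WHERE Userid = ?",
                         (obj["Userid"],)).fetchone()
    if found is None:
        conn.execute("INSERT INTO Person (Userid, LastName, FirstName, Password) "
                     "VALUES (?, ?, ?, ?)",
                     (obj["Userid"], obj["LastName"], obj["FirstName"], obj["password"]))
        obj["isNew"] = True
    else:
        conn.execute("UPDATE Person SET LastName = ?, FirstName = ? WHERE Userid = ?",
                     (obj["LastName"], obj["FirstName"], obj["Userid"]))
        obj["isNew"] = False
    conn.commit()
    return obj["isNew"]


def run_policy(session_objects, conn):
    """Rename, then write-and-match each object. Returns [(Userid, isNew), ...]."""
    mapping = parse_rename_map(ORG_ATTRIBUTES, NEW_ATTRIBUTES)
    results = []
    for obj in session_objects:
        renamed = rename_attributes(obj, mapping)
        results.append((renamed["Userid"], write_and_match(conn, renamed)))
    return results


def stored_last_name(conn, userid):
    row = conn.execute("SELECT LastName FROM Person WHERE Userid = ?", (userid,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = new_connection()
    print("first run :", run_policy(SAMPLE_OBJECTS, conn))   # both rows created
    print("second run:", run_policy(SAMPLE_OBJECTS, conn))   # both rows updated
    mapping = parse_rename_map(ORG_ATTRIBUTES, NEW_ATTRIBUTES)
    for obj in SAMPLE_OBJECTS:
        q = substitute_session(UPDATE_QUERY, rename_attributes(obj, mapping))
        print(query_executes(q), q)
```

Running the policy twice against the same table exercises both branches: the first pass creates every row with isNew set, the second pass matches and updates. The textually substituted update for the O'Brien object is not valid SQL, which is exactly the symptom to look for in the Log tab during the test-mode check.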


5.6 Add Actions to the Policy and Save the Configuration

To add the actions to the policy, open the Provisioning Studio. In the navigation tree, expand the Policies category, then click the name of the policy that you created. Configuration options open in the configuration window and include the following tabs:

• General
• Actions
• Other
• Log

1. Click the Actions tab.

2. In the Available Actions list, expand each of the following action types:

• Rename Attribute
• Create Password Value
• Write and Match to SQL

3. For each action type, select the action created for the policy, then click the right-facing arrow to add it to the Assigned Actions list:

• Rename Attribute: Select and add the action named Rename attribute for SQL.
• Create Password Value: Select and add the action named Create a random password.
• Write and Match to SQL: Select and add the action named Create or update SQL database entity.

4. In the menu bar, click File | Save Configuration. The actions are added to the policy, and the policy configuration is saved.


5.7 Test the Policy Configuration

In the Provisioning Studio, you can run policies in test mode. In this mode, you can step through each session object and each action and verify that the actions run as expected.

To test the policy configuration

1. In the navigation tree, right-click Policies, then select the policy Synchronize Active Directory to SQL db. The Run Policy dialog box opens for the specified policy in the configuration window.

2. To run the policy in test mode, verify that the following checkboxes in the Options area are selected:

• Confirm each object
• Confirm each action

3. Click Start. The Rename attribute for SQL action runs and locates 94 matching session objects in the Active Directory database.


4. To view the matching session objects, click the Objects tab. The green arrow points to the session object on which the actions run next.
Example: CN=alias,OU=InternalUsers,DC=mcafee,DC=local

5. In the Objects tab, select one of the matching session objects. The session attributes corresponding to the selected session object are displayed in the Attributes tab.
Example: givenName, sn, mail, cn, telephoneNumber, title


6. Click the Actions tab to view the actions to be performed next, then click Next Step twice. The Rename attribute for SQL and Create a random password actions are performed on the next session object: session attribute names are changed from the Active Directory names to the SQL names, and a password attribute holding a random value is added to the session object.

7. Click Next Step to run the action Create or update SQL database entity on the current session object.


8. To view the results, click the Log tab. The SQL Match query finds the session object in the database, and the SQL Update query updates it with the values from the Active Directory database.

9. When testing is complete, you can deselect the checkboxes in the Options area and run the policy.


6.0 Exporting and Importing Policies

Using the export and import functions of the provisioning service, you can build policies in a test environment, export them to a file, and import them from the file into a production environment. Exported and imported policies contain all policy components, including databases, schedules, and actions. Because the export includes the database connection definitions the policy uses, store and transfer export files with the same access restrictions as the configuration itself.

6.1 Export a Policy

You can export a policy to an export file.

To export a policy

1. Open the Provisioning Studio, expand the Policies category, then expand a policy sub-category in the navigation tree.

2. Right-click a policy name, then select Export to file from the drop-down list.

3. Specify a file name with the .aax extension for the exported policy.


6.2 Import a Policy

You can import a policy from an export file into an import database. The default import database is the database that originally generated the export file. You can also change the import database. This option is useful when moving data from a test database to a production database.

To import a policy

1. Open the Provisioning Studio.

2. In the menu bar, click File | Import AAM Objects, then select an exported policy. The Import AAM Objects dialog box opens.

3. (Optional) To change the default import database, select a different database from the drop-down list.

4. (Optional) For each import object, specify one of the following actions to take if the object already exists in the import database:

• Keep current (skip import)
• Import and overwrite current

5. Click Import Objects. If an object exists and no action is specified in the Object exists? column, an Overwrite Warning message is displayed.


7.0 How the Provisioning Service Is Started and Stopped

In addition to the configuration tasks in the Provisioning Studio, you need to know how to start and stop the provisioning service and how to back up and restore its data.

7.1 Manually Start and Stop the Provisioning Service on Windows

You can start and stop the provisioning service on Windows manually by starting and stopping Cloud Identity Manager. You can also open the Cloud Identity Manager Properties dialog box, where you can view and modify the Startup type.

1. Go to Start | All Programs | McAfee | CIM | SSO.

2. Click an option:

• Start Service: Starts Cloud Identity Manager
• Stop Service: Stops Cloud Identity Manager
• Provisioning Studio: Opens the provisioning administrative interface

3. To view and modify the Startup type, go to Start | Control Panel | Administrative Tools | Services, right-click McAfeeCIM-SSO Service, then click Properties. From the Startup type drop-down list, select one of the following options, then click OK to save:

• Automatic (Delayed Start)
• Automatic
• Manual
• Disabled

7.2 Back Up and Restore Data

The provisioning service stores its data in files. We recommend that you back up the files in the following location regularly:

C:\Program Files\McAfee

Configuration data is saved in the following file and location:

C:\Program Files\McAfee\CIM\SSO\current\configuration\template\config.aam

This file holds the complete provisioning configuration, including the database and directory connection settings the policies use, so restrict access to the backups in the same way as to the installation directory itself.


8.0 Automatic User Provisioning to Google and Salesforce

The steps for configuring user provisioning to Google and Salesforce in the Provisioning Studio provide a template for configuring provisioning to other cloud applications.

8.1 Configuring a Connection to an LDAP Server

When configuring a connection to an LDAP server, set up the account as a service account with rights to create, modify, and delete objects.

1. Open the Provisioning Studio.

2. In the navigation tree, click General | Databases | LDAP, then click Microsoft Active Directory.


The Database dialog box opens.

3. In the General tab, modify the fields for the Active Directory service. The following settings are recommended:

Host IP/DNS
Specifies the IP address or domain name of the Active Directory domain controller.
Example: YourDomainController.YourDomain.com

Portnr
Specifies the port number of the Active Directory domain controller.
Value: 636 (LDAPS)

SSL | TLS
Select one of the following checkboxes:
• SSL: Specifies the Secure Sockets Layer protocol. Select this option when connecting to the LDAPS port (636).
• TLS: Specifies the Transport Layer Security protocol.
Note: If neither option is selected, the bind DN and password are sent to the domain controller in cleartext.

Admin DN
Specifies the distinguished name (DN) of the account the provisioning service binds as. Use the service account described above, which holds only the create, modify, and delete rights the policies need, rather than a domain administrator account.

Password
Specifies the password of that account.


8.2 Configuring the SMTP Settings

Modify the SMTP settings so that the provisioning service can send email through your SMTP host from your email address.

1. Open the Provisioning Studio.

2. In the navigation tree, click General | SMTP Settings. The SMTP Settings dialog box opens.

3. Modify the SMTP Host and SMTP Port fields for your email server.

4. Modify the Sender field to your email address.

8.3 Configuring Alerts

You can configure alerts that notify specified recipients when an unexpected or unusual event occurs.

1. Open the Provisioning Studio.

2. In the navigation tree, click General | Alerts.


The Alerts dialog box opens.

3. Modify the following fields and settings:

Enable Alerts
Selecting this checkbox enables alerts.

Notify Recipients
Specifies the email addresses of alert recipients.
Note: We recommend that you use a distribution list.

Policy failure
Selecting this checkbox sends an alert in the event a policy fails.

Preflight check failure
Selecting this checkbox sends an alert in the event a policy's preflight check fails.

Schedule failure
Selecting this checkbox sends an alert in the event a scheduled process does not complete in the specified time.

Max minutes for Schedules
Specifies the maximum number of minutes a scheduled process can run before triggering an alert.

Mail
Selecting this checkbox enables email alerts.

Run Policy
Specifies the policy to run when an alert occurs.
Note: For each alert recipient, a session object containing the recipient's address and the alert message is created.


8.4 Configuring Policies for Google Apps

For each of the following Google Apps policies, configure the policy actions. For more information about the policies, see the following sections.

• (DELETE) Group from GoogleApps: See section 8.4.1 (DELETE) Group from GoogleApps.
• (ADD-MODIFY) Group synchronization to GoogleApps: See section 8.4.2 (ADD-MODIFY) Group Synchronization to GoogleApps.
• (ADD-MODIFY) Provision to GoogleApps-MailUsers: See section 8.4.3 (ADD-MODIFY) Provision to GoogleApps-MailUsers.
• (DELETE) Deprovision from GoogleApps-MailUsers: See section 8.4.4 (DELETE) Deprovision from GoogleApps-MailUsers.


8.4.1 (DELETE) Group from GoogleApps

Configure the Google Apps policy: (DELETE) Group from GoogleApps.

1. Open the Provisioning Studio.

2. In the navigation tree, click Policies | GoogleApps | Groups | (DELETE) Group from GoogleApps. The Policy dialog box opens.

3. In the General tab, specify the Search Base for groups.


4. In the Assigned Actions area in the Actions tab, right-click (DELETE) Group from GoogleApps, then click Edit this Action. The Action dialog box opens for the selected action.

5. In the Action dialog box, configure the following settings for a Google Apps domain:

GoogleApps Domain
Specifies the name of the Google Apps domain.

GoogleApps Administrator mailid
Specifies the email address of the Google Apps administrator.

GoogleApps Administrator password
Specifies the password of the Google Apps administrator.


8.4.2 (ADD-MODIFY) Group Synchronization to GoogleApps

Configure the Google Apps policy: (ADD-MODIFY) Group synchronization to GoogleApps.

1. Open the Provisioning Studio.

2. In the navigation tree, click Policies | GoogleApps | Groups | (ADD-MODIFY) Group synchronization to GoogleApps. The Policy dialog box opens.

3. In the General tab, specify the Search Base for groups.

4. In the Assigned Actions area in the Actions tab, right-click (ADD-MODIFY) Group synchronization to GoogleApps, then click Edit this Action. The Action dialog box opens for the selected action.

5. In the Action dialog box, configure the settings.


8.4.3 (ADD-MODIFY) Provision to GoogleApps-MailUsers

Configure the Google Apps policy: (ADD-MODIFY) Provision to GoogleApps-MailUsers.

1. Open the Provisioning Studio.

2. In the navigation tree, click Policies | GoogleApps | Users | (ADD-MODIFY) Provision to GoogleApps-MailUsers. The Policy dialog box opens.

3. In the General tab, specify the Search Base for users.

4. In the Assigned Actions area in the Actions tab, right-click (ADD-MODIFY) Provision-Deprovision users from AD to GoogleApps, then click Edit this Action. The Action dialog box opens for the selected action.


5. In the Action dialog box, configure the settings.

6. In the Assigned Actions area in the Actions tab, right-click Google Apps New User Report - Excel, then click Edit this Action. The Action dialog box opens for the selected action.

Mail(s)
Specifies the email addresses of one or more email message recipients.

Select Attributes
Specifies the user attributes to include in the Excel spreadsheet.
Example: givenName|First Name,sn|Last Name,password|Password
Note: User attributes are separated by commas. Each user attribute is a pair of values separated by a vertical bar. The first value in the pair is the name of the user attribute in the user directory. The second value in the pair is the name assigned to the corresponding column in Excel.
Note: With the example above, the report contains each new user's initial password in cleartext. Limit the recipients to the people who hand out those credentials, treat the spreadsheet and the email as a credential store, and require users to change the password at first login.

Mail Options - Subject
Specifies the subject of the email message.

Mail Options - Message
Specifies the body of the email message.

Alternatively, you can save the Excel report to a file without sending the email notification.


8.4.4 (DELETE) Deprovision from GoogleApps-MailUsers

Configure the Google Apps policy: (DELETE) Deprovision from GoogleApps-MailUsers.

1. Open the Provisioning Studio.

2. In the navigation tree, click Policies | GoogleApps | Users | (DELETE) Deprovision from GoogleApps-MailUsers. The Policy dialog box opens.

3. In the General tab, specify the Search Base for users.

4. In the Assigned Actions area in the Actions tab, right-click (DELETE) Deprovision from GoogleApps-MailUsers, then click Edit this Action. The Action dialog box opens for the selected action.

5. In the Action dialog box, configure the settings.

6. In the Assigned Actions area in the Actions tab, right-click Deprovision users from AD to GoogleApps, then click Edit this Action. The Action dialog box opens for the selected action.

7. In the Action dialog box, configure the settings.

CAUTION: Deleting an account in Google Apps deletes the user's mailbox and all of the user's documents. Verify the Search Base and the matched session objects in test mode before running this policy.


8.5 Configuring the Policy: Provisioning to Salesforce

To configure the policy Provisioning to Salesforce, configure the search base in the General tab and the following policy actions in the Actions tab. For more information about the actions, see the following sections:

• Create random password value: See section 8.5.2 Configure the Policy Action: Create random password value.
• Copy attributes: See section 8.5.3 Configure Policy Actions for Provisioning User Attributes in Salesforce.
• Copy mail to username: See section 8.5.3.
• Create alias: See section 8.5.3.
• SF-TimeZoneSidKey: See section 8.5.3.
• SF-LocaleSidKey: See section 8.5.3.
• SF-EmailEncodingKey: See section 8.5.3.
• SF-ProfileId: See section 8.5.3.
• SF-LanguageLocaleKey: See section 8.5.3.
• Salesforce Provisioning: See section 8.5.4 Configure the Policy Action: Salesforce Provisioning.
• Salesforce New User Report - Excel: See section 8.5.5 Configure the Policy Action: Salesforce New User Report - Excel.


8.5.1 Configure the Search Base

You configure the DN to use as the base for searching the LDAP directory.

1. Open the Provisioning Studio.

2. In the navigation tree, click Policies | Salesforce | Provisioning to Salesforce. The Policy dialog box opens.

3. In the General tab, specify the Search Base for the users to be provisioned.


8.5.2 Configure the Policy Action: Create random password value

You configure the password action to match the password requirements of Salesforce.

1. In the Assigned Actions area in the Actions tab, right-click Create random password value, then click Edit this Action. The Action dialog box opens for the selected action.


2. Configure the settings to match Salesforce.com.Note: To view the Salesforce settings, go to Administration Setup | Security Controls | Password Policies on Salesforce.com.


8.5.3 Configure Policy Actions for Provisioning User Attributes in Salesforce

The following assigned actions and associated user attributes are required when creating a user in Salesforce.com:

• Copy attributes
• Copy mail to username
• Create Alias
• SF-TimeZoneSidKey
• SF-LocaleSidKey
• SF-EmailEncodingKey
• SF-ProfileId
• SF-LanguageLocaleKey

To configure these actions, right-click each one in the Assigned Actions area in the Actions tab, then click Edit this Action:

Copy attributes
(Action) Copies the following user attributes from the user directory to Salesforce.com:

UserName
Specifies the user's login name.

FirstName
Specifies the user's first name.

LastName
Specifies the user's last name.

Email
Specifies the user's email address.

Note: In this configuration the user name is the user's email address. Salesforce.com requires the user name to be in email-address format and to be unique across all Salesforce organizations.

Copy mail to username
(Action) Copies the user's email address to the UserName field in Salesforce.com.

Create Alias
(Action) Specifies an alternative short name for the user.
Limit: 8-character maximum


SF-TimeZoneSidKey
(Action) Specifies the user's time zone as a time zone identifier.
Example: America/Los_Angeles (Pacific time, displayed in Salesforce with its GMT offset)
Note: For a list of supported time zones and identifiers, visit: https://login.salesforce.com/help/doc/en/admin_supported_timezone.htm.

SF-LocaleSidKey
(Action) Specifies the user's locale. Salesforce.com uses this setting when formatting dates and times, user names, addresses, numbers, and optionally a default currency.
Note: For a list of supported locales, visit: https://login.salesforce.com/help/doc/en/admin_supported_locales.htm.

SF-EmailEncodingKey
(Action) Specifies the character encoding used for email.
Value: ISO-8859-1

SF-ProfileId
(Action) Specifies the user's profile, which determines the user's permissions in Salesforce.
Value: Standard User

SF-LanguageLocaleKey
(Action) Specifies the user's language in one of two formats: a two-character language code or a five-character locale code.
Example language code: en
Example locale code: en_US
Note: For a list of supported languages, visit: https://login.salesforce.com/help/doc/en/faq_getstart_what_languages_does.htm.


8.5.4 Configure the Policy Action: Salesforce Provisioning

Edit the Salesforce Provisioning policy action to configure the Salesforce domain administrative user account settings, as follows:

Salesforce.com Administrator usernameSpecifies the administrator’s login name.Note: The administrator’s user name and email address are the same.

Salesforce.com Administrator passwordSpecifies the administrator’s password.Note: The administrator’s password must be the combination of a password value and a Salesforce Security Token. To obtain a Security Token value, log in to the administrative user account, and go to Personal Setup | My Personal Information | Reset My Security Token. The Reset Security Token page opens. Click Reset Security Token. A new Security Token value is emailed to the address associated with the administrative user account.

Create UsersSpecifies whether to create users in Salesforce. When this parameter is set to FALSE, the provisioning service checks whether user names exist in Salesforce.Required: UserName attributeDefault: TRUE

SessionAttributes to includeSpecifies the session attributes to include when creating users in Salesforce. The following session attributes are required: UserName, FirstName, LastName, Email, Alias, TimeZoneSidKey, LocaleSidKey, EmailEncodingKey, ProfileID, and LangaugeLocaleKey.Note: Rename session attributes to Salesforce attribute names.

SessionAttributes to exclude
Specifies the session attributes to exclude when creating users in Salesforce.
Note: Use this parameter only when SessionAttributes to include is not specified.

Attribute to set if sync or check has occurred
Specifies the name of the attribute to set when the user exists in Salesforce, or does not exist and can be added to Salesforce.
Example: SF_STATUS

Set Password attribute
Specifies a new password setting for the password attribute. To keep the existing password setting, set this parameter to a null value.
Note: Before updating the existing password setting, verify that the list of attributes to exclude includes the password attribute when SessionAttributes to exclude is used.


Disable User
Specifies whether to disable users in session objects. When this parameter is set to TRUE, the setting overrides any create or check operation.
Required: UserName attribute
Default: FALSE

Enable User
Specifies whether to enable users in session objects. When this parameter is set to TRUE, the setting overrides any create or check operation.
Required: UserName attribute
Default: FALSE

Update User
Specifies whether to update users in session objects. When this parameter is set to TRUE, the setting overrides any create or check operation. The update operation uses the SessionAttributes to include or SessionAttributes to exclude setting.
Required: UserName attribute
Default: FALSE

SOAP URL (Optional)
Specifies an alternative URL for the web services call.
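As an added example (not code from the guide or the product), the following Python check applies the rules stated for the Salesforce Provisioning parameters above to a configuration before it is saved. The configuration is a constructed dict whose key names (include, exclude, set_password, password_attribute, disable_user, enable_user, update_user, attributes) are assumptions made for this example:

```python
import re

# Session attributes the guide lists as required when creating Salesforce users.
REQUIRED_SESSION_ATTRIBUTES = (
    "UserName", "FirstName", "LastName", "Email", "Alias", "TimeZoneSidKey",
    "LocaleSidKey", "EmailEncodingKey", "ProfileId", "LanguageLocaleKey",
)
# LanguageLocaleKey is a two-character language code ("en") or a five-character locale code ("en_US").
LANGUAGE_LOCALE_RE = re.compile(r"^[a-z]{2}(?:_[A-Z]{2})?$")


def check_salesforce_action(config: dict) -> list[str]:
    """Return findings for a Salesforce Provisioning action configuration.

    ``config`` is a constructed dict whose keys mirror the guide's parameters:
    include, exclude, set_password, password_attribute, disable_user,
    enable_user, update_user and attributes (the session attribute values).
    These key names are assumptions made for this example, not product identifiers.
    """
    findings = []
    include = config.get("include") or []
    exclude = config.get("exclude") or []
    attrs = config.get("attributes") or {}
    # The exclude list is meant for use only when no include list is given.
    if include and exclude:
        findings.append("both include and exclude lists are set; use only one")
    if include:
        missing = [a for a in REQUIRED_SESSION_ATTRIBUTES if a not in include]
        if missing:
            findings.append("include list lacks required attributes: " + ", ".join(missing))
    # Set Password with an exclude list requires the password attribute to be excluded first.
    pw_attr = config.get("password_attribute", "password")
    if config.get("set_password") and exclude and pw_attr not in exclude:
        findings.append(f"exclude list must contain {pw_attr!r} before Set Password is used")
    # Disable, Enable and Update each override any create or check operation.
    overrides = [k for k in ("disable_user", "enable_user", "update_user") if config.get(k)]
    if overrides:
        findings.append("create/check operation is overridden by: " + ", ".join(overrides))
    # Create, check, disable, enable and update all require the UserName attribute.
    if "UserName" not in attrs:
        findings.append("UserName attribute is required for create, check, disable, enable and update")
    # Value format of LanguageLocaleKey, when it is present.
    lang = attrs.get("LanguageLocaleKey")
    if lang is not None and not LANGUAGE_LOCALE_RE.match(lang):
        findings.append(f"LanguageLocaleKey {lang!r} is neither a language code nor a locale code")
    return findings
```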


8.5.5 Configure the Policy Action: Salesforce New User Report - Excel

The Salesforce New User Report - Excel action allows you to configure the email message and the attached Excel report of newly created users and their user information, including Salesforce passwords, as follows:

Mail(s)
Specifies the email addresses of one or more email message recipients.

Select Attributes
Specifies the user attributes to include in the Excel spreadsheet.
Example: givenName|First Name,sn|Last Name,password|Password
Note: User attributes are separated by commas. Each user attribute is a pair of values separated by a vertical bar. The first value in the pair is the name of the user attribute in the user directory. The second value in the pair is the name assigned to the corresponding column in Excel.

Mail Options - Subject
Specifies the subject of the email message.

Mail Options - Message
Specifies the body of the email message.

Alternatively, you can save the Excel report in a file without the email notification.
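As an added example (not code from the guide or the product), the following Python parser reads a Select Attributes value in the comma-and-vertical-bar format described above, builds the spreadsheet rows from constructed sample directory records, and reports which Excel columns will carry a password so that the recipient list and file location can be reviewed accordingly. The SAMPLE_USERS records and the SECRET_ATTRIBUTES list are assumptions made for this example:

```python
# Constructed sample directory records for the example; not real user data.
SAMPLE_USERS = [
    {"givenName": "Ada", "sn": "Example", "password": "generated-1"},
    {"givenName": "Bob", "sn": "Sample", "password": "generated-2"},
]
# Directory attribute names treated as secrets when they appear in the report (assumption).
SECRET_ATTRIBUTES = ("password",)


def parse_select_attributes(spec: str) -> list[tuple[str, str]]:
    """Parse a Select Attributes value such as "givenName|First Name,sn|Last Name".

    Pairs are comma-separated; within a pair, a vertical bar separates the
    directory attribute name from the Excel column name.
    """
    pairs = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing comma
        if item.count("|") != 1:
            raise ValueError(f"malformed attribute pair: {item!r}")
        attr, column = (part.strip() for part in item.split("|"))
        if not attr or not column:
            raise ValueError(f"empty name in attribute pair: {item!r}")
        pairs.append((attr, column))
    if not pairs:
        raise ValueError("Select Attributes contains no attribute pairs")
    return pairs


def build_report_rows(spec: str, users: list[dict]) -> list[list[str]]:
    """Return the header row followed by one row per user, in spreadsheet column order."""
    pairs = parse_select_attributes(spec)
    rows = [[column for _, column in pairs]]
    for user in users:
        rows.append([str(user.get(attr, "")) for attr, _ in pairs])
    return rows


def secret_columns(spec: str) -> list[str]:
    """Excel column names that will carry a secret attribute, such as the Salesforce password."""
    return [column for attr, column in parse_select_attributes(spec) if attr in SECRET_ATTRIBUTES]


if __name__ == "__main__":
    spec = "givenName|First Name,sn|Last Name,password|Password"
    for row in build_report_rows(spec, SAMPLE_USERS):
        print(row)
    print("columns carrying secrets:", secret_columns(spec))
```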


8.6 Save the Google Apps and Salesforce Policies

To save the Google Apps and Salesforce policies you configured, click File | Save Configuration.

8.7 Manually Start and Stop the Provisioning Service on Windows

You can manually start and stop the provisioning service on Windows.

To manually start and stop the provisioning service on Windows

1. In the Windows Start menu, click Administrative Tools | Services.

2. In the Services dialog box, locate the provisioning service.

3. Right-click the service, then click Properties.

The Properties dialog box opens.

4. In the Log On tab in the Properties dialog box, select This account, and specify the name of an administrative user in the corresponding field.
Note: We recommend that you not select the setting Local System account.

5. To manually start the provisioning service, select it, then click Start the service in the Services dialog box.

6. To manually stop the provisioning service, select it, then click Stop the service in the Services dialog box.

7. Close the Services dialog box.


Order Number: 325379-003US [Revision A]