NetSuite Provisioning Connector Guide McAfee Cloud Identity Manager version 3.5 and later

Upload: vubao

Post on 28-Mar-2018


Page 1: NetSuite Provisioning Connector Guide - McAfeekc.mcafee.com/.../24000/PD24306/en_US/MCIM_NetSuite_Prov_Guide… · McAfee Cloud Identity Manager 3.5 NetSuite Provisioning Connector

NetSuite Provisioning Connector Guide

McAfee Cloud Identity Manager version 3.5 and later


2 McAfee Cloud Identity Manager 3.5 NetSuite Provisioning Connector Guide

COPYRIGHT

Copyright © 2013 McAfee, Inc. All Rights Reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.

TRADEMARK ATTRIBUTIONS

McAfee®, the McAfee logo, Avert, ePO, ePolicy Orchestrator, Foundstone, GroupShield, IntruShield, LinuxShield, MAX (McAfee SecurityAlliance Exchange), NetShield, PortalShield, Preventsys, SecureOS, SecurityAlliance, SiteAdvisor, SmartFilter, Total Protection, TrustedSource, Type Enforcement, VirusScan, and WebShield are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANTOR PURCHASE ORDER DOCUMENTS THAT ACCOMPANIES YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.


Contents

1.0 Introduction to McAfee Cloud Identity Manager
1.1 Supported environments
1.2 Supported browsers
1.2.1 Application portal
1.2.2 Management Console
1.3 Available documentation
1.4 Technical support
2.0 Provisioning users to a NetSuite application
2.1 Configure a connection to your data source: LDAP example
2.2 Create action: Create Password Value for NetSuite
2.3 Create Send Mail action and configure SMTP settings
2.4 Configure provisioning actions for the NetSuite application
2.4.1 Create an action
2.5 Configure provisioning policies for the NetSuite application
2.5.1 Create a policy


1.0 Introduction to McAfee Cloud Identity Manager

McAfee® Cloud Identity Manager (Cloud Identity Manager, formerly Intel® Expressway Cloud Access 360-SSO) simplifies the management and secures the use of cloud, Software as a Service (SaaS), and web applications for companies and large organizations. Service and application providers can also use Cloud Identity Manager to simplify and improve the authentication process for their customers.

Cloud Identity Manager provides support for the following features:
• Extensible framework
• Web single sign on (SSO)
• Multiple authentication methods
• Credential mapping and user provisioning
• Authorization policies and access control enforcement
• Event auditing and monitoring
• Connectors for popular cloud services and applications
• Web-based Management Console

Cloud Identity Manager runs as a stand-alone server and is configured by an administrator using a web-based Management Console accessible from a web browser. For information about installing Cloud Identity Manager as a standalone server or as a cluster of servers, see the McAfee Cloud Identity Manager Installation Guide. For information about configuring Cloud Identity Manager in the Management Console, see the McAfee Cloud Identity Manager Product Guide.

Cloud Identity Manager provides connectors for many popular cloud services and applications, including Google Apps and Salesforce.com. These connectors are built in to Cloud Identity Manager and simplify the deployment of the cloud service or application in an organization. Web SSO requires configuration in the Management Console and in the cloud application’s user interface. Instructions for configuring SSO on the cloud application side are included in the documentation set.

For customers who have Java-based or .NET web applications that do not support SAML2 authentication, Cloud Identity Manager provides a custom connector. For information about integrating Java-based and .NET web applications with Cloud Identity Manager, see the McAfee Cloud Identity Manager Integration Guide.

For software developers who want to write their own cloud service connectors or authentication modules, Cloud Identity Manager provides an SDK. For more information about the SDK, see the McAfee Cloud Identity Manager Developer’s Guide.


1.1 Supported environments

Cloud Identity Manager supports these environments.

1.2 Supported browsers

Cloud Identity Manager supports different browsers for the application portal and the Management Console.

1.2.1 Application portal

For end users who seek access to SaaS and web applications through a portal using Cloud Identity Manager identity services, Cloud Identity Manager supports the following desktop and mobile web browsers. Note that Cloud Identity Manager services are running in the background and are not visible to the end user.

• Desktop browsers
— Google Chrome 16
— Mozilla Firefox 9
— Microsoft Internet Explorer 7, 8, and 9
— Safari 5.1.2

• Mobile browsers
— Android 2.0 devices and WebKit browser
— iOS devices and Safari browser

1.2.2 Management Console

The Cloud Identity Manager Management Console is a web-based user interface that provides administrators with a single, central point of management and control through a web browser on a local computer. For Management Console administrators, Cloud Identity Manager supports the following desktop and mobile web browsers.

• Desktop browsers
— Firefox 9
— Internet Explorer 7, 8, and 9

• Mobile browsers
— None are currently supported.

Version | Architecture: IA-32 | Architecture: Intel® 64

Linux Operating System
Red Hat Enterprise Linux Server and Advanced Platform 5.0 | Yes | Yes

Windows Operating System
Windows Server 2003 Standard Edition | Yes | Yes
Windows Server 2003 DataCenter Edition | Yes | Yes
Windows Server 2003 Enterprise Edition | Yes | Yes
Windows Server 2008 | Yes | Yes


1.3 Available documentation

The Cloud Identity Manager documentation set includes the following guides:

• McAfee Cloud Identity Manager Product Guide — A complete guide to the Management Console and the configuration tasks needed to administer Cloud Identity Manager

• McAfee Cloud Identity Manager Developer’s Guide — Provides information for software developers who want to write custom Java code that extends Cloud Identity Manager functionality

• McAfee Cloud Identity Manager Installation Guide — Includes the tasks and procedures that you need to install and remove Cloud Identity Manager as a standalone server on Microsoft Windows and Linux operating system platforms

• McAfee Cloud Identity Manager Integration Guide — Provides instructions on how to integrate Java-based and .NET web applications that do not support SAML2 authentication with Cloud Identity Manager

Note: In addition to these guides, there are separate guides that document how to configure the different Cloud Connectors. For more information, see the McAfee Cloud Identity Manager Product Guide.

1.4 Technical support

For technical assistance, contact McAfee support by one of the following options:

Support portal: https://mysupport.mcafee.com

Phone number: 1-800-937-2237


2.0 Provisioning users to a NetSuite application

NetSuite offers an integrated business software suite as a SaaS (Software as a Service) application. The NetSuite application and Cloud Identity Manager service support Identity Provider (IdP)-initiated single sign-on (SSO) in addition to provisioning. For more information about configuring SSO for a NetSuite application, see the McAfee Cloud Identity Manager NetSuite Cloud Connector Guide.

The Cloud Identity Manager provisioning service synchronizes identity information in the NetSuite application with the identity information in your user store. In this document, the user store is referred to as the data source.

NetSuite supports the following provisioning operations:
• Create User — Creates accounts for users in your data source who do not exist in the NetSuite application
• Update User — Updates the user information in the NetSuite application when the information has changed in your data source
• Delete User — Deletes accounts in the NetSuite application for users who do not exist in your data source
• Change User Status — Sets the NetSuite user account status to inactive when the account is disabled in your data source and to active when the account is enabled in your data source
• Get User Details — Reads the data source and retrieves user information for all users
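The four write operations above amount to a reconciliation between the data source and the account list in the application. The Python below is an added example, not code from this guide or from Cloud Identity Manager: it works out which operation applies to each user from two constructed snapshots. The record layout, the function names and the `max_delete_fraction` guard are assumptions of the example, not product settings; the guard stops a run in which an empty or truncated data source read would otherwise become a mass Delete User.

```python
# Added example: reconciliation plan for the provisioning operations above.
# All names and sample records are constructed; none come from the product.


class DeleteGuardError(RuntimeError):
    """Raised when a run would delete more accounts than the guard allows."""


def acct(mail, enabled=True):
    """Build one account record: provisioned attributes plus enabled flag."""
    return {"attrs": {"mail": mail}, "enabled": enabled}


def plan_operations(source, app, max_delete_fraction=0.2):
    """Return an ordered list of (operation, user_id) tuples.

    source: accounts read from the data source (for example, LDAP).
    app:    accounts currently present in the application.
    max_delete_fraction: hypothetical safeguard; abort when the share of
        application accounts marked for deletion exceeds it.
    """
    plan = []

    # Create User: in the data source, missing from the application.
    for uid in sorted(source.keys() - app.keys()):
        plan.append(("Create User", uid))

    # Update User / Change User Status: present on both sides.
    for uid in sorted(source.keys() & app.keys()):
        if source[uid]["attrs"] != app[uid]["attrs"]:
            plan.append(("Update User", uid))
        if source[uid]["enabled"] != app[uid]["enabled"]:
            plan.append(("Change User Status", uid))

    # Delete User: in the application, missing from the data source.
    deletes = sorted(app.keys() - source.keys())
    if app and len(deletes) / len(app) > max_delete_fraction:
        raise DeleteGuardError(
            f"{len(deletes)} of {len(app)} accounts would be deleted; "
            "check the data source read before running Delete User"
        )
    plan.extend(("Delete User", uid) for uid in deletes)
    return plan


# Constructed sample snapshots.
SOURCE = {
    "alice": acct("alice@example.com"),
    "bob": acct("bob@example.com", enabled=False),  # disabled in the source
    "carol": acct("carol@example.com"),             # not yet provisioned
    "dave": acct("dave@example.com"),
    "erin": acct("erin@example.com"),
    "frank": acct("frank@example.com"),
}
APP = {
    "alice": acct("alice@old.example.com"),         # stale attribute
    "bob": acct("bob@example.com"),                 # still active in the app
    "dave": acct("dave@example.com"),
    "erin": acct("erin@example.com"),
    "frank": acct("frank@example.com"),
    "zed": acct("zed@example.com"),                 # gone from the source
}

if __name__ == "__main__":
    for op, uid in plan_operations(SOURCE, APP):
        print(f"{op:20} {uid}")
```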

Cloud Identity Manager comes with preconfigured policies and policy actions for provisioning to a NetSuite application. In the Provisioning Studio that comes with Cloud Identity Manager, you can review, modify, and test these policies and actions and configure a connection to your data source. You can also create new provisioning policies and actions as needed.

Provisioning policies consist of one or more provisioning actions. The overall process for configuring provisioning in the Provisioning Studio is as follows:
1. Open the Provisioning Studio: From the Start menu, select All Programs | McAfee | CIM | SSO | Provisioning Studio
2. Configure a connection to your data source, for example, Active Directory or an LDAP directory.
3. Review and update the provisioning actions for the NetSuite application as needed.
4. Review and update the provisioning policies for the NetSuite application as needed.

Note: For information about importing a custom provisioning plug-in, see the McAfee Cloud Identity Manager Provisioning Guide.


2.1 Configure a connection to your data source: LDAP example

When provisioning users, Cloud Identity Manager uses the information you provide in the Provisioning Studio to connect to your data source.

Note: For information about configuring other data source types, see the McAfee Cloud Identity Manager Provisioning Guide.

1. In the Provisioning Studio: In the navigation tree, expand General | Data Sources, then select LDAP.
LDAP settings open in the Data Source window.
2. In the Name field, type the name used by Cloud Identity Manager to identify your data source in the system.
Example: MyLDAP
3. Select the LDAP option for the data source type.
4. In the General tab, provide values for the settings in the following table.
Note: For information about configuring the Other and Usage tabs for an LDAP data source, see the McAfee Cloud Identity Manager Provisioning Guide.
5. From the File drop-down list, select Save Configuration.
The configured data source is added to the LDAP node in the navigation tree.

Table 1. Configuration settings for connecting to an LDAP data source

Setting | Description
Host IP/DNS | Specifies the IP address or DNS name of the computer hosting the LDAP directory.
Port | Specifies the port number of the computer hosting the LDAP directory.
  Note: Typical values are 389 and 636.
SSL | When selected, enables SSL communication with the LDAP host.
  Note: SSL is an acronym for Secure Socket Layer.
TLS | When selected, enables TLS communication with the LDAP host.
  Note: TLS is an acronym for Transport Layer Security.
Admin DN | Specifies the full DN of the administrative user account.
  Example: cn=administrator,cn=users,dc=YourDomain,dc=local
Password | Specifies the password of the administrative user account.
Test LDAP Connection | Tests the connection to the LDAP data source.
Use Paged Result | When selected, enables the paged results feature of the LDAP directory.


2.2 Create action: Create Password Value for NetSuite

NetSuite supports strong password policies through password configuration options. To configure these options for the NetSuite provisioning connector, you create an action in the Provisioning Studio and provide the values shown in the table below.

1. In the Provisioning Studio: In the navigation tree, expand Actions, then select Create Password Value.
2. In the configuration window, type the following name in the Action Name field: Create Password Value for NetSuite.
3. In the configuration window, click the General tab.
4. Specify the values shown in the following table for the Create Password Value for NetSuite action.
5. From the File drop-down list, select Save Configuration.

Table 2. Configuration values for action: Create Password Value for NetSuite

Label | Value
Attribute Name | password
Min Length | 12
Max Length | 20
Use These Characters | 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ
Copy to Other Attribute |
Nr of Uppercase Characters | 4
Nr of Lowercase Characters | 4
Nr of Digits | 4
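To show what the Table 2 values mean for a generated credential, the Python below (an added example, not code from this guide or from Cloud Identity Manager) draws a password from the operating system's CSPRNG under those values and checks any candidate against them. It assumes each "Nr of ..." value is a minimum count for its character class; the function and constant names are this example's own.

```python
import secrets
import string

# Values from Table 2 (Create Password Value for NetSuite).
MIN_LENGTH = 12
MAX_LENGTH = 20
ALLOWED = string.digits + string.ascii_lowercase + string.ascii_uppercase
# Assumption: each "Nr of ..." value is a minimum count for that class.
MIN_UPPER = 4
MIN_LOWER = 4
MIN_DIGITS = 4

_rng = secrets.SystemRandom()  # OS CSPRNG, used for the final shuffle


def generate_password():
    """Return a random password that satisfies the Table 2 values."""
    # Pick a length uniformly in [MIN_LENGTH, MAX_LENGTH].
    length = MIN_LENGTH + secrets.randbelow(MAX_LENGTH - MIN_LENGTH + 1)
    # Satisfy the per-class minimums first ...
    chars = [secrets.choice(string.ascii_uppercase) for _ in range(MIN_UPPER)]
    chars += [secrets.choice(string.ascii_lowercase) for _ in range(MIN_LOWER)]
    chars += [secrets.choice(string.digits) for _ in range(MIN_DIGITS)]
    # ... then fill the remainder from the whole allowed set.
    chars += [secrets.choice(ALLOWED) for _ in range(length - len(chars))]
    # Shuffle so the class of a character cannot be inferred from its position.
    _rng.shuffle(chars)
    return "".join(chars)


def policy_violations(candidate):
    """Return the list of Table 2 rules that candidate breaks (empty if none)."""
    problems = []
    if not MIN_LENGTH <= len(candidate) <= MAX_LENGTH:
        problems.append("length")
    if any(c not in ALLOWED for c in candidate):
        problems.append("characters")
    if sum(c in string.ascii_uppercase for c in candidate) < MIN_UPPER:
        problems.append("uppercase")
    if sum(c in string.ascii_lowercase for c in candidate) < MIN_LOWER:
        problems.append("lowercase")
    if sum(c in string.digits for c in candidate) < MIN_DIGITS:
        problems.append("digits")
    return problems


if __name__ == "__main__":
    pw = generate_password()
    print(len(pw), policy_violations(pw))
```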


2.3 Create Send Mail action and configure SMTP settings

You create an action of type Send Mail and configure SMTP settings, so that the provisioning service can send an email to the NetSuite application when a provisioning policy is complete.

1. In the Provisioning Studio: In the navigation tree, expand Actions, then select Send Mail.
2. In the configuration window, type the following name in the Action Name field: Send Mail to NetSuite.
3. In the configuration window, click the General tab.
4. In the General tab, provide values for the settings in the following table.

Table 3. Configuration settings for action: Send Mail to NetSuite

Label | Value
Mail To | Specifies a comma-separated list of recipients’ email addresses.
Subject | Specifies the subject of the email message.
Body | Specifies the body of the email message.
File Attachment 1 | (Optional) Specifies the name of a file to attach to the email message.
File Attachment 2 | (Optional) Specifies the name of a file to attach to the email message.
File Attachment 3 | (Optional) Specifies the name of a file to attach to the email message.
File Attachment 4 | (Optional) Specifies the name of a file to attach to the email message.
Mime Type | To specify the message content type as text or HTML, respectively, provide the following values. Text is the default content type.
  • text/html; charset=iso-8859-1
  • text/html; charset=iso-8859-1
Mail From | Specifies the sender’s email address if not using the default.


5. In the navigation tree, expand General, then select SMTP Settings.
6. Provide values for the settings in the following table.
7. From the File drop-down list, select Save Configuration.

Table 4. SMTP settings

Setting | Description
SMTP Host | Specifies the IP address or DNS name of the SMTP server.
  Example: smtp.domain.com
SMTP Port | Specifies the port number of the SMTP server.
  Value: 25
SSL | When selected, enables SSL communication with the SMTP server.
  Note: To support SSL or TLS, assign the port number the value of 587.
TLS | When selected, enables TLS communication with the SMTP server.
  Note: To support SSL or TLS, assign the port number the value of 587.
Mime Encode | Specifies the MIME encoding used by the SMTP server.
  Default: ISO-8859-1
Sender Email | Specifies the sender’s email address.
  Example: [email protected]
Sender Name | Specifies the sender’s name.
Master Email | Specifies the default email address to use when none is configured in the action.
  Example: [email protected]
Username | Specifies the user name to use when authenticating to the SMTP server.
  Example: cloudsso-service
Password | Specifies the password to use when authenticating to the SMTP server.
Test Mail | Tests the connection to the SMTP server.


2.4 Configure provisioning actions for the NetSuite application

The NetSuite provisioning service comes with actions that you can view, modify, and duplicate in the Provisioning Studio. Provisioning actions are grouped by type: NetSuite Get Users and NetSuite Provisioning.

Note: You can create and assign names to new actions and rename existing actions. Therefore, the action list and action names shown here might differ from what you see in the Provisioning Studio.

1. In the Provisioning Studio: In the navigation tree, expand Actions, then expand NetSuite Get Users and NetSuite Provisioning.
2. In the navigation tree, select the NetSuite Get All Users action.
Note: If the action does not exist, you can create it. See section 2.4.1 Create an action.
3. In the configuration window, click the General tab.
4. Using the following table as a guide, review the labels and corresponding values, and modify them as needed for the NetSuite Get All Users action.
5. For each action of type NetSuite Provisioning:
a. If the action does not exist, create it using one of the methods described in section 2.4.1 Create an action.
b. In the navigation tree, select the action.
c. In the configuration window, click the General tab.

Table 5. NetSuite provisioning action types and supported actions

Action Type | Supported Actions | Description
NetSuite Get Users | NetSuite Get All Users | This action reads the data source. You can then compare the information in the data source with the information in the application and output the results to Excel for compliance and reporting.
NetSuite Provisioning | NetSuite Create User, NetSuite Update User, NetSuite Delete User, NetSuite Change User Status | Actions of this type update identity information in the NetSuite application.

Table 6. Configuration settings for actions of type: NetSuite Get Users

Label | Description
NetSuite Administrator Username | Specifies the user name of the NetSuite administrator.
NetSuite Administrator Account ID | Specifies the ID of the NetSuite administrator account.
NetSuite Administrator Password | Specifies the password of the NetSuite administrator.
Get User Details (true/false) | When true, the provisioning service reads the data source and retrieves information for all users.
Session Attributes to Copy | Specifies a comma-separated list of attributes to copy from Cloud Identity Manager.
  Example: name,mail,mobile,telephoneNumber


d. Using the following table as a guide, review the labels and corresponding values, and modify them as needed for the selected action.

6. From the File drop-down list, select Save Configuration.

Table 7. Configuration settings for actions of type: NetSuite Provisioning

Label | Description
NetSuite Administrator Username | Specifies the user name of the NetSuite administrator.
NetSuite Administrator Account ID | Specifies the ID of the NetSuite administrator account.
NetSuite Administrator Password | Specifies the password of the NetSuite administrator.
Create User (true/false) | Set this value to true for the NetSuite Create User action only.
Delete User (true/false) | Set this value to true for the NetSuite Delete User action only.
Update User (true/false) | Set this value to true for the NetSuite Update User action only.
Change User Status (true/false) | Set this value to true for the following actions:
  • NetSuite Create User
  • NetSuite Update User
  • NetSuite Change User Status
Give Access to User (true/false) | Set this value to true for the following actions:
  • NetSuite Create User
  • NetSuite Update User
Enter Status of User (true/false) | Set this value to true for the NetSuite Create User action only.
Enter Internal ID of the Corresponding Role | Specifies the NetSuite ID that corresponds to the user’s role.
  Note: For more information, see your NetSuite administrator account.
Attribute with Password | Specifies the name of the attribute that stores the password.
Session Attributes to include | Specifies a comma-separated list of attributes to request from Cloud Identity Manager.
  Example: name,mail,mobile,telephoneNumber


2.4.1 Create an action

When an action group exists in the navigation tree, but is missing one or more required actions, you can create the required actions by one of the following methods.

1. In the navigation tree:

— Select the action group, and specify a name for the action you are creating in the Action Name field in the configuration window.

— Right-click an existing action in the action group, and select Duplicate Action. Select the new action, and change the name in the Action Name field in the configuration window to the name of the action that you are creating.

2. From the File drop-down list, select Save Configuration.

2.5 Configure provisioning policies for the NetSuite application

The NetSuite provisioning service comes with policies that you can view, modify, and duplicate in the Provisioning Studio. Policies consist of actions that are executed in the order that they are listed in the policy. You can add actions to, remove actions from, and change the order of the actions in each policy.

NetSuite supports the following provisioning policies:
• Provisioning to NetSuite
• NetSuite - Update User
• NetSuite - Delete User
• NetSuite - Change User Status

1. In the Provisioning Studio: In the navigation tree, expand Policies | NetSuite.
2. For each NetSuite policy:
a. If the policy does not exist, create it using one of the methods described in section 2.5.1 Create a policy.
b. In the navigation tree, select the policy.
c. In the configuration window, review the Policy Name and Category settings, and update them if needed.


d. In the configuration window: In the General tab, configure the following policy settings.

Table 8. Configuration settings for NetSuite policies

Setting | Description
Policy Type | Select an option from the drop-down list:
  • Manual — Manual policies are executed in the Provisioning Studio or triggered by an action configured in the Provisioning Studio.
  • Scheduled — Scheduled policies are configured in the Provisioning Studio and executed at the specified time or interval.
  • Persistent Search — Persistent Search policies are configured for an LDAP directory that supports Persistent Search or a Microsoft Active Directory with DirSync control. Policies of this type start a separate thread that listens to the directory. When the thread notifies the policy of specified events, the policy automatically creates and updates session objects and attributes according to rules defined in the policy.
  Note: Different settings open for each policy type.
Enabled | When selected, enables the NetSuite policy.
Data Source | Specifies the data source to which this policy applies.
  Note: The remaining settings depend on the data source selected.
Select | Opens the Select a Data Source dialog box, where you can select a new data source.
Search Type | (Manual and Scheduled policy types, LDAP data source) Select an option:
  • Manual — LDAP searches are initiated manually by the NetSuite administrator in the Provisioning Studio.
  • Timestamp — LDAP searches are run according to a timestamp attribute and a time interval configured in the LDAP Search Settings area.
Schedules | (Scheduled policy type) Specifies when this policy is run.
Select | (Scheduled policy type) Opens the Add or remove Schedule dialog box, where you can select schedules to add to or remove from the policy.
  Note: To configure another schedule: In the navigation pane, expand General, select Schedules, complete the settings in the tabs in the configuration window, and select Save Configuration from the File drop-down list.
Run on Startup | (Scheduled policy type) When this checkbox is selected, the policy is run on start-up.
Run on Reconfiguration | (Scheduled policy type) When this checkbox is selected, the policy is run each time its configuration is updated.
Run Once then Disable | (Scheduled policy type) When this checkbox is selected, the policy is run once and then disabled.
Persistent Options | (LDAP Persistent policy type) Opens the Persistent Search Options dialog box, where you can select the events that, when they occur, trigger the listening thread to notify the policy.


e. In the General tab: In the LDAP Search Settings area, configure the following settings.

Note: For information about configuring other data source types, see the McAfee Cloud Identity Manager Provisioning Guide.

Table 9. Configuration Settings for an LDAP Search

Setting | Description
Search Base | Specifies the Distinguished Name (DN) of the entry in the LDAP tree, where the search for users begins.
  Example: ou=users,dc=YourDomain,dc=local
  Note: To view the LDAP directory tree, click the ellipsis button.
Search Scope | Select an option from the drop-down list:
  • SUB — Search the Base DN and the entire subtree.
  • ONE — Search the entries one level below the Base DN only.
  • BASE — Search the Base DN only.
Max Search Results | Specifies the maximum number of results returned by the LDAP search.
  Default: A zero value returns all search results.
Timestamp Attribute | Specifies the attribute to use when storing the timestamp. To open the Schema Selector dialog box and select an attribute, click the ellipsis button. The timestamp value determines when LDAP searches are run.
Is Generalized Time | When this checkbox is selected, the timestamp is saved in the ISO time format known as GeneralizedTime.
Minimum Days | Specifies the minimum number of days on which to run the LDAP search.
Maximum Days | Specifies the maximum number of days on which to run the LDAP search.
Search Filter | (Optional) Specifies an LDAP filter that narrows a long list of search results.
  Note: To view and select attributes and objectclasses in the LDAP directory, click the ellipsis button.
Get Attributes | Specifies a comma-separated list of user attributes returned by the LDAP search.
  Example: name,mail,mobile,telephoneNumber
  Note: To view and select user attributes, click the ellipsis button.
Test Search Result | Displays the results of the LDAP search, allowing you to test the LDAP search that you configured.


f. In the configuration window, click the Actions tab.
g. In the Actions tab: In the Assigned Actions area, add, remove, or change the order of the actions assigned to each policy, as needed, using the following examples as a guide.

Policy example: Provisioning to NetSuite

Policy example: NetSuite - Update User

Policy example: NetSuite - Delete User

Policy example: NetSuite - Change User Status

h. To step through the actions in the policy, click Run Policy.
3. From the File drop-down list, select Save Configuration.

2.5.1 Create a policy

When a policy group exists in the navigation tree, but is missing one or more required policies, you can create the required policies by one of the following methods.

1. In the navigation tree:

— Select the policy group, and specify a name for the policy you are creating in the Policy Name field in the configuration window.

— Right-click an existing policy in the policy group, and select Duplicate Policy. Select the new policy, and change the name in the Policy Name field in the configuration window to the name of the policy that you are creating.

2. From the File drop-down list, select Save Configuration.

Table 10. Actions assigned to policy: Provisioning to NetSuite

Nr | Name | Description
1 | Create Password Value for NetSuite | Specifies configuration values for NetSuite password options.
2 | Create User | Creates accounts for users in the data source who do not exist in the NetSuite application.
3 | Send Mail to NetSuite | Sends an email message to NetSuite.

Table 11. Actions assigned to policy: NetSuite - Update User

Nr | Name | Description
1 | NetSuite Update User | Updates the user information in the NetSuite application when the information has changed in the data source.

Table 12. Actions assigned to policy: NetSuite - Delete User

Nr | Name | Description
1 | NetSuite Delete User | Deletes accounts in the NetSuite application for users who do not exist in the data source.

Table 13. Actions assigned to policy: NetSuite - Change User Status

Nr | Name | Description
1 | NetSuite Change User Status | Sets the NetSuite user account status to inactive when the account is disabled in the data source and to active when the account is enabled in the data source.


Order Number: 327036-001US[Revision A]