Repository for HelloID Provisioning Target Connector to SQL Blacklist
Important
This repository contains the connector and configuration code only. The implementer is responsible for acquiring the connection details such as username, password, certificate, etc. You might even need to sign a contract or agreement with the supplier before implementing this connector. Please contact the client's application manager to coordinate the connector requirements.
This connector allows for the storage of attribute values that must remain unique, such as SamAccountName and/or UserPrincipalName, in a blacklist database. When a new account is created, this database is checked alongside the primary target system to verify the uniqueness of these account attributes.
- HelloID Provisioning agent (cloud or on-prem).
- Available MSSQL database (External server or local SQL(express) instance).
- SQL database setup containing a table created with the query in the createTableBlacklist.sql file.
- Rights to the database for the agent's service account, or use a SQL-authenticated account.
- (Optional) Database table is filled with the current AD data.
The HelloID connector consists of the template scripts shown in the following table.
Action | Action(s) Performed | Comment |
---|---|---|
create.ps1 | Write account data to SQL DB table | Uses account data from another system |
delete.ps1 | Write whenDeleted date to SQL DB table | Uses account data from another system. Can also be used as an update script |
configuration.json | Default configuration file | |
fieldMapping.json | Default field mapping file | |
checkOnExternalSystemsAd.ps1 | Check mapped fields against the SQL database | This is configured in the built-in Active Directory connector |
createTableBlacklist.sql | Script to create the SQL table in the SQL database | Run this within the SQL Management Studio |
/GenerateUniqueData/example.create.ps1 | Generate unique value and write to SQL DB table | Checks the current data in SQL and generates a value that doesn't exist yet. Use this when generating a random number to use as input for your AD or Azure AD system. Please be aware this is an example built for the legacy PowerShell connector. |
The following settings are required to connect to SQL DB.
Setting | Description | Mandatory |
---|---|---|
Connection string | String value of the connection string used to connect to the SQL database | Yes |
Table | String value of the table name in which the blacklist values reside | Yes |
Username | String value of the username of the SQL user to use in the connection string | No |
Password | String value of the password of the SQL user to use in the connection string | No |
The correlation configuration is not used or required in this connector.
The following settings can and should be set in the AD uniqueness script.
Setting | Description | Default value |
---|---|---|
$attributeNames | Array list of the attributes to check | @('SamAccountName', 'UserPrincipalName') |
$syncIterations | Raise iteration of all configured fields when one is not unique | $true |
$syncIterationsAttributeNames | Array list of the extra attributes to return when at least one attribute is not unique. Usually mirrors the AD field mapping configuration. Only active when $syncIterations = $true | @('SamAccountName', 'UserPrincipalName','commonName', 'mail',"proxyAddresses") |
$excludeSelf | Exclude the records bound to the externalId of the user from the query | $true |
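As an added illustration of how the uniqueness check and the `$syncIterations` and `$excludeSelf` settings interact (example code written for this page, not the connector's own checkOnExternalSystemsAd.ps1), assuming a blacklist table whose columns are named after the attributes plus an `externalId` column, and a `Test-BlacklistUniqueness` function name that is likewise an assumption:

```powershell
# Added example, not part of the connector. Column names ($attributeNames) and
# the 'externalId' column are assumptions about the blacklist table layout.
$attributeNames = @('SamAccountName', 'UserPrincipalName')
$syncIterations = $true
$excludeSelf    = $true

function Test-BlacklistUniqueness {
    param(
        [Parameter(Mandatory)][string]$ConnectionString,
        [Parameter(Mandatory)][string]$Table,
        [Parameter(Mandatory)][hashtable]$Account,   # e.g. @{ SamAccountName = 'jdoe'; UserPrincipalName = 'jdoe@example.com' }
        [Parameter(Mandatory)][string[]]$AttributeNames,
        [string]$ExternalId,
        [bool]$ExcludeSelf = $true
    )
    # Table and column names cannot be bound as SQL parameters, so only plain
    # identifiers are accepted; this keeps the 'Table' setting from being abused for injection.
    $identifier = '^[A-Za-z_][A-Za-z0-9_]*$'
    if ($Table -notmatch $identifier) { throw "Invalid table name '$Table'" }

    $connection = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $connection.Open()
    try {
        $notUnique = @()
        foreach ($name in $AttributeNames) {
            if ($name -notmatch $identifier) { throw "Invalid attribute name '$name'" }
            $command = $connection.CreateCommand()
            # The attribute value and externalId are bound as parameters, never concatenated.
            $sql = "SELECT COUNT(*) FROM [$Table] WHERE [$name] = @value"
            $skipSelf = $ExcludeSelf -and -not [string]::IsNullOrEmpty($ExternalId)
            if ($skipSelf) { $sql += " AND [externalId] <> @externalId" }   # $excludeSelf behaviour
            $command.CommandText = $sql
            [void]$command.Parameters.AddWithValue('@value', [string]$Account[$name])
            if ($skipSelf) { [void]$command.Parameters.AddWithValue('@externalId', $ExternalId) }
            if ([int]$command.ExecuteScalar() -gt 0) { $notUnique += $name }
        }
    } finally {
        $connection.Close()
    }
    # With $syncIterations enabled, a single conflict means every configured field
    # gets a new iteration; otherwise only the conflicting fields are reported.
    $fields = $(if ($syncIterations -and $notUnique.Count -gt 0) { $AttributeNames } else { $notUnique })
    return [PSCustomObject]@{
        IsUnique        = ($notUnique.Count -eq 0)
        NonUniqueFields = @($fields)
    }
}
```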
- This connector is designed to connect to an MS-SQL DB. Optionally you can also configure this to use another DB, such as SQLite or Oracle. However, the connector currently isn't designed for this and requires additional configuration.
- Make sure the attribute names in the mapping correspond with the attribute names in the primary source system.
- If updating the values is not required, the account update script can be omitted. Ensure that the mapping is updated accordingly.
- The mapping field employeeId should only be configured for the create and update events.
- The mapping field whenDeleted should only be mapped to the delete event.
Tip
For more information on how to configure a HelloID PowerShell connector, please refer to our documentation pages. If you need help, feel free to ask questions on our forum.
The official HelloID documentation can be found at: https://docs.helloid.com/.