Deployment Guide
Notice
We would like to note here that the IDSync support team (support@idsync.com) usually handles the installation of the IDSync® Security Gateway, our APS Package and its resources, as well as the APS-Controller scripts, upon a license agreement with a provider. It is highly recommended that you contact us before attempting to deploy the software yourself, as it differs from other APS Packages. With that said, we will provide cursory documentation below on how to get it to a usable point to shorten the amount of time it may take to implement our software in your systems.
Chapter 1
Preface
Documentation Conventions
Before you start using this guide, it is important to understand the documentation conventions used in it.
Typographical Conventions
The following kinds of formatting in the text identify special information.
Formatting convention | Type of Information | Example |
---|---|---|
Special Bold | Items you must select, such as menu options, command buttons, or items in a list. | Navigate to the QoS tab. |
Special Bold | Titles of modules, sections, and subsections. | Read the Basic Administration module. |
Italics | Used to emphasize the importance of a point, to introduce a term or to designate a command line placeholder, which is to be replaced with a real name or value. | These are the so-called shared VEs. |
Important | An important note provides information that is essential to the completion of a task. Users can disregard information in a note and still complete a task, but they should not disregard an important note. | Important: The device drivers installed automatically during Setup are required by your system. If you remove one of these drivers, your system may not work properly. |
Note | A note with the heading "Note" indicates neutral or positive information that emphasizes or supplements important points of the main text. A note supplies information that may apply only in special cases—for example, memory limitations, equipment configurations, or details that apply to specific versions of a program. | Note: If Windows prompts you for a network password at startup, your network is already set up and you can skip this section. |
Monospace | The names of commands, files, and directories. | Use vzctl start to start a VE. |
Preformatted | On-screen computer output in your command-line sessions; source code in XML, C++, or other programming languages. | Saved |
Preformatted Bold | What you type, contrasted with on-screen computer output. | |
CAPITALS | Names of keys on the keyboard. | SHIFT, CTRL, ALT |
KEY+KEY | Key combinations for which the user must press and hold down one key and then press another. | CTRL+P, ALT+F4 |
General Conventions
Be aware of the following conventions used in this book.
- Modules in this guide are divided into sections, which, in turn, are subdivided into subsections. For example, Documentation Conventions is a section, and General Conventions is a subsection.
- When following steps or using examples, be sure to type double-quotes ("), left single-quotes (`), and right single-quotes (') exactly as shown.
- The key referred to as RETURN is labeled ENTER on some keyboards.
Commands in the directories included in the PATH variable are used without absolute path names. Steps that use commands in other, less common, directories show the absolute paths in the examples.
Feedback
If you have found a mistake in this guide, or if you have suggestions or ideas on how to improve this guide, please send your feedback using www.idsync.com/aps/feedback/. Please include in your report the guide's title, chapter and section titles, and the fragment of text in which you have found an error.
Chapter 2
Introduction
About This Guide
This guide describes the integration of Odin Automation with IDSync®.
This document was developed by IDSync®. For additional information, please contact support@idsync.com.
Audience
This guide is intended for:
- Providers that use Odin Automation and want to sell IDSync® services to customers.
- Technical support engineers that configure IDSync® services.
Terms and Abbreviations
- APS ‒ Application Packaging Standard, an open standard that was designed to simplify the delivery of SaaS applications in the cloud-computing industry.
- OSA – Odin Service Automation, the combination of both Odin Billing (Billing) and Odin Operations (Operations).
- Odin Billing (also just called "Billing") – The Billing portion of the Odin Platform.
- Odin Operations ‒ The operations portion of the Odin platform.
- IDSync® – Contraction for Identity Syncronizer
- AD – Active Directory
Chapter 3
Business Model Overview
In our new APS 2.0 version of the IDSync® APS Package, we've given end-users the ability to access (read) the different entity types in their Active Directory (AD). Provided the IDSync® client application is installed, this new package will give the Odin APS Bus scope regarding an AD user-based client by providing key pieces of information on virtually all of the different entities in Active Directory.
Eventually we will extend these abilities beyond just reading the entity information to creating, updating and deleting it as well.
IDSync® Services Provided
IDSync® provides a way to synchronize the Odin Service users with their Active Directory counterparts, effectively keeping the metadata and permissions relevant to the other endpoint. While this service aids the end-user in extending their company's users into Odin, another benefit is what other packages will be able to do with the data.
As a part of that synchronization, the IDSync® client will enable Enterprise Administrators to make changes to Odin Packages from AD.
Below is a table of price offerings for IDSync®.
Attribute | Type | Period |
Seats | Item count | Per Active Directory User/Per Month |
Service Hierarchy Exposed by IDSync®
- IDSync® Global Settings
Set by the provider, contains Gateway and API information
- IDSync® Tenant/Application
Makes the IDSync® API endpoints available on the APS Bus
Contains Seat Count
- Users
Service Users that have been synced via their AD user counterpart, made available on the APS
- Groups
Synced Groups made available on the APS Bus
- Contacts
Synced Contacts made available on the APS Bus
Customer's Workflow
The integration workflow looks as follows:
- Log into PA Customer Control Panel
- Go to IDSync® tab
- View synchronized entities
(Next Steps are Optional)
- Go to Configuration tab
- Enable Advanced UI
- Click IDSync® on the main navigation
- View all entities from Active Directory
Customer's Life-cycle
IDSync® allows the customer to use the service after the initial setup workflow is complete. If the customer wishes to upgrade their seat counts, they can do so at any time in the billing cycle.
Service Hierarchy Subscription Modification Options
- Identity Syncronizer Application Service (main service)
- AD User/Service User
- User Registration/Provisioning
- Download Entry-point
- AD User/Service User
Chapter 4
Localization List
IDSync® has been localized in the following languages for each category:
Customer Interface
en_US
- PA task manager error logging
- en_US
- IDSync® API error messaging
- en_US
- IDSync® external communication to customer
- (Only in en_US/Linked to the customer's CCP locale)
Revision History
3.0 Build 1
- Initial release for the IDSync® APS 2.0 package
- Addition of resource types to support multiple integration points / features
Contractual contact information for IDSync®
Service Providers using Odin Automation should contact the following to initiate the reseller account creation process by executing the required contracts before Identity Syncronizer can be resold. Contact us using http://www.idsync.com/contact.
Support Expectations
Partners that have active commercial terms and are in need of general support on topics such as installation, service package configuration and/or general Q&A can contact IDSync® via their support form at http://www.idsync.com/contact.
For additional support on Odin products, please visit http://www.odin.com/support/.
For questions on the Application Package Standard (APS), please visit http://apsstandard.org/contact.
Technical Integration Overview
The integration workflow looks as follows:
IDSync® Services Provided
The purpose of the Identity Syncronizer Service is to count the seats used by a subscription, either for the end-user or so that the count can be used as a billable entity.
Integration Prerequisites
Before you start integrating IDSync® into PA, learn about necessary preparations to the process.
Prerequisites for the IDSync® Endpoint Host
Prerequisites | Notes |
Description | Specific node with Apache and PHP to install APS Package script files |
OS | |
Type of OS Installation | Basic server installation |
Software | |
RAM/CPU | |
Disk | |
Network | This endpoint will need to be able to communicate with the IDSync® Gateway on a configurable port (see below) |
Prerequisites for the IDSync® Gateway
General criteria:
Description | IDSync® Gateway is a secure way to transmit Odin Operations and PBA XML-RPC payloads, by Account ID (required) and/or Subscription ID (optional) |
Quantity | This service is a small stand-alone Windows Service. If you intend to have a lot of traffic, it is recommended that you use a load balancer. |
OS | |
CPU | At least quad-core @ ~3.0GHz+ (if Virtual Machine, should be set to 100% allocation) |
RAM | At least 4GB of statically allocated RAM on the [virtual] machine |
Disks | Logs take up some space; sub-routines are designed to remove excess log files. |
Network | |
Open Ports | |
Note: It is highly recommended to follow the recommendations of the PA Application Module (application hosting guide).
There are also some additional software requirements for your Provisioning Host.
After registering the host in Odin Operations, the software specified in the following table must be installed on it:
Software Name | |
Microsoft® .NET 4.6 | Required for the Gateway to function. |
Chapter 5
Deploying the IDSync® Application
The IDSync® application is deployed at the client level and the installation guide for that item can be found by clicking the document below.
Identity Syncronizer - AD Cloud Portal - Installation Guide - v2.1
Chapter 6
Deploying IDSync® APS Package
To deploy the IDSync® APS package on the Provisioning Host, you need to prepare the host and then import your IDSync® APS package in PA. Find information about how to do it in this section.
Preparing the Endpoint Host Server
The IDSync® APS Package requires an application host server to be set up before it can be successfully imported and used in OSA. This endpoint server can be provisioned as a Virtual Private Server or as a Virtual Machine via a hypervisor within the same infrastructure as the OSA systems.
Please make sure you have a full OSA (Odin Operations + PBA) instance set up properly before continuing.
Please verify that the endpoint machine is compliant with the prerequisites found above under Prerequisites for the IDSync® Endpoint Host.
These deployment instructions are based on a pre-existing installation of CentOS version 6 or 7, with all required web-daemon packages installed and managed via the "yum" package manager built into CentOS. While the PHP files we're aiming to deploy may work on other Linux distributions and Operating Systems, IDSync® currently officially supports CentOS/RHEL 6/7.
Please use the endpoint utilities found on the Odin Documentation site (found here: https://doc.apsstandard.org/7.4/api/rest/application/deployment/index.html).
Importing IDSync® Application
To import the IDSync® application to Odin Operations:
- In the control panel, go to Top > Service Director > Application Manager > Applications. The list of the applications appears.
- Click the Import Package button.
- Import the application from the local workstation, select the local file option, and specify the path to the application file using the Browse... button.
- Select the Enabled (available in subscriptions) checkbox.
- Click the Submit button.
Chapter 7
Configuring Services for Selling - Odin Operations
Learn about how to configure the service templates that are necessary to form IDSync® APS subscriptions for sale.
General Resource Creation
The IDSync® APS package requires that a base IDSync® service template be created and that any user who wishes to use IDSync® subscribe to that base IDSync® service template. The base IDSync® service template requires a number of resources. These general resources are as follows:
- IDSync® - App Reference
- IDSync® - Tenant
- [Optional] IDSync® - Users
- [Optional] IDSync® - Contacts
- [Optional] IDSync® - Groups
- Automatically generated features via the Gateway's Odin page.
- Open this document on the machine the Security Gateway is installed on, and navigate to https://localhost/odin (you may have to input the configured port if using something other than 443)
- Click here, to continue installing the additional Feature Resources.
After you've successfully imported the package, go to the Resource Types tab of the "IDSync®" application.
- Click the [+ Create] button to begin creating a new resource type.
- Proceed by clicking "Application Service"
- The name of the first resource should reflect the Tenant resource. (ex: IDSync® Tenant)
- Next you will be provided with a list of Resource types, select "IDSync® Tenant"
- If unsure, leave "Priority" blank.
- Make sure the "Automatically provision service" checkbox is checked, as this is the only resource that will provision.
- Continue, then press Finish after reviewing and approving the displayed values.
- Now you can progress by repeating steps 2 through 8 for IDSync® Users, IDSync® Groups, and IDSync® Contacts, with the only difference being that you do not check "Automatically provision service" on any resource other than the Tenant.
- After those resource types have been added, go to the Applications page, click the Instances tab.
- Click the [+ Install] button.
- Input the Application API endpoint URI (ex: http://endpoint.idsync.apsdemorg.org/)
- At this point you will be asked to provide the General Setup Global Setting.
- Provider Name – Your Company name, case and space sensitive to your IDSync® license
- Provider License – Your Provider IDSync® license. This license should have been provided during the license agreement process; however, should you not have one, or have misplaced it, feel free to contact IDSync® Support (support@idsync.com).
- IDSync® API Gateway URL – Leave blank if unsure. Acts as an override for testing.
- IDSync® Gateway URL – The URL configured in the Gateway Agent Configuration utility, under the "client" section. (Ex: https://10.3.3.2:8440/)
- IDSync® Provision URL – The URL to the API portion of the Gateway. Out-of-the-box it will be the same URL and port+1 that was configured in the Gateway Agent Configuration utility. (Example: If the Gateway URL is https://idsgateway:8448/ then the API Gateway is https://idsgateway:8449/)
- AD Tab Label – The label that will be applied to the tabs in the Windows Active Directory utility at the client level.
- IDSync® Plugin Name – This is ALWAYS Syncronizer.Target.Parallels; if not filled in, please use said value. Acts as an override should a custom plugin need to be created for a provider.
- IDSync® Gateway Subscription Auto-license Flag – By default, the automatic license generates a secure Gateway Username and Password tied to making transactions for the ACCOUNT ID it was created under. Checking this box will force both the Account ID and the Subscription ID, which in this case would always be the IDSync subscription. This is a legacy setting designed for APS 1.2 backward compatibility. Leave unchecked unless otherwise directed by an IDSync support representative.
- Review and Approve the settings displayed.
- Jump back to the Resource Types tab in the IDSync® Application page.
- Click the [+ Create] button, then click "Application Service Reference".
- Give it a name that reflects IDSync®, (ex: IDSync® App).
- Click "General Setup".
- Click the Resource UUID for the global settings you just configured.
- Review and Approve the settings displayed.
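A pre-flight check of the General Setup values listed above, as an added example (not IDSync® code). The dictionary keys and sample values are hypothetical; the plugin name, the port+1 rule and the guidance on the override and auto-license fields come from this guide. Treating a non-https Gateway URL as a finding is this example's own assumption.

```python
from urllib.parse import urlsplit

DEFAULT_PLUGIN = "Syncronizer.Target.Parallels"  # value given in this guide


def _endpoint(url):
    """Split an absolute http(s) URL into (scheme, host, effective port)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    # No explicit port means the scheme default (443 for https, 80 for http).
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.scheme, parts.hostname, port


def expected_provision_url(gateway_url):
    """Out-of-the-box Provision URL: same scheme and host, Gateway port + 1."""
    scheme, host, port = _endpoint(gateway_url)
    if ":" in host:  # IPv6 literal needs its brackets back
        host = f"[{host}]"
    return f"{scheme}://{host}:{port + 1}/"


def check_global_settings(s):
    """Return review findings for a settings dict (hypothetical key names)."""
    findings = []
    name = s.get("provider_name", "")
    if not name or name != name.strip():
        findings.append("provider_name: empty or padded with spaces")
    if not s.get("provider_license"):
        findings.append("provider_license: missing")
    try:
        scheme, _, _ = _endpoint(s.get("gateway_url", ""))
        if scheme != "https":  # assumption: the guide's Gateway examples are https
            findings.append("gateway_url: not https")
        want = expected_provision_url(s["gateway_url"])
        if _endpoint(s.get("provision_url", "")) != _endpoint(want):
            findings.append(f"provision_url: expected {want} (Gateway port + 1)")
    except ValueError as exc:
        findings.append(f"gateway_url/provision_url: {exc}")
    if s.get("api_gateway_url"):
        findings.append("api_gateway_url: set, but it is a testing override")
    if s.get("plugin_name") != DEFAULT_PLUGIN:
        findings.append(f"plugin_name: not {DEFAULT_PLUGIN}")
    if s.get("auto_license_flag"):
        findings.append("auto_license_flag: checked (legacy APS 1.2 setting)")
    return findings


# Constructed sample values, not taken from a real deployment.
GOOD = {
    "provider_name": "Example Hosting",
    "provider_license": "PLACEHOLDER-LICENSE",
    "gateway_url": "https://idsgateway:8448/",
    "provision_url": "https://idsgateway:8449/",
    "api_gateway_url": "",
    "plugin_name": DEFAULT_PLUGIN,
    "auto_license_flag": False,
}
BAD = dict(GOOD, provider_name="Example Hosting ",
           gateway_url="http://idsgateway:8448/",
           provision_url="https://idsgateway:8448/", auto_license_flag=True)

if __name__ == "__main__":
    for label, settings in (("good", GOOD), ("bad", BAD)):
        print(label, check_global_settings(settings) or "no findings")
```

A provision URL that differs from the port+1 value is not necessarily wrong, since the port is configurable; the finding is a prompt to confirm it against the Gateway Agent Configuration utility.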
Automatic Additional Resource Creation
In addition to the base package functionality of IDSync®, it is possible to extend IDSync® through separate subscriptions to enable users to synchronize identity information from their Active Directory environments to a number of other third party systems as well as to a number of APS packages hosted on the ODIN platform.
In order to expose these additional subscription options to the customer, the service provider must populate the Odin Operations system with additional resource types.
There are presently in excess of 15 unique resources types that extend the IDSync® platform. This number is expected to increase over time as IDSync® is extended to additional systems.
Due to the large number of resources and the time that it takes to manually create these resources in the Odin Operations system, IDSync® has provided an application for automatically generating these resources on an Odin Operations system.
The tool can be found on the service provider's gateway at the following address:
https://localhost:XXXX/odin where XXXX is the port number of the service provider's gateway service.
It will bring up a screen similar to the following:
While this system is a time saver, the system comes with a few important caveats:
- This process can only be run from the gateway machine itself for security reasons.
- This tool is primarily for onboarding new service provider environments to utilize the IDSync® APS package. The process automatically generates all of the "additional resources" that the IDSync® system knows about at the time of running the process. THIS PROCESS SHOULD NOT BE RUN MORE THAN ONCE in a given Odin Operations environment. If it is run multiple times, it will generate duplicate resource types in Odin Operations and that will lead to confusion when setting up service templates.
- NOTE: This process cannot be run until the IDSync® App Resource has been configured within the Odin Operations environment.
Manual Additional Resource Creation
In addition to, or instead of, using the automatic method for additional resource creation, you may create the additional resources as needed to enable IDSync® features as follows:
Go to the Resource Types tab of the "IDSync®" application.
- Click the [+ Create] button to begin creating a new resource type.
- Proceed by clicking "Application Service"
- Enter the name for the first resource you wish to add (ex: IDSync® Autotask Contacts)
- Next you will be provided with a list of Resource types, select the resource type that corresponds to the feature you are adding. For example: "IDSync® Autotask Contacts PID2001"
- Make sure the "Automatically provision service" checkbox is checked.
- Continue, then press Finish after reviewing and approving the displayed values.
- Return to the Resource Types tab of the "IDSync®" application
- Click the [+ Create] button to begin creating a new resource type.
- Proceed by clicking "Application Counter (unit)"
- The name of the resource counter should reflect the desired resource counter. (ex: IDSync® Autotask Contacts Counter)
- Next you will be provided with a list of Resource types, select the resource counter type that corresponds with the feature you wish to create. For example, for Autotask Contacts, the counter resource is "PID2001_COUNT", which is described as "A count of the usage of the Autotask Contacts feature."
- Make sure the "Automatically provision service" checkbox is checked.
- Continue, then press Finish after reviewing and approving the displayed values.
- Now you can progress by repeating steps 1 through 14 for any additional resources/features that you wish to enable in your Odin Operations system for IDSync®.
NOTE: As additional features / resource mappings become available for provisioning, IDSync® will publish the resource type information on its wiki pages at: Idsync.atlasian.com/wiki/ODIN.
Base Service Template Creation
- On the Odin Control Panel, click "Service Templates".
- On the Service Templates page, click [+ Add New Service Template].
- Name the service template IDSync® Base (or something that reflects the application).
- Make sure the "Auto-Provisioning" check is on, and Type set to "Custom", click Next.
- Using the search at the top of the page, type in the name of the resources you created in the Resource Creation walk-through. * is a wildcard (ex: idsync will return anything that contains the word idsync).
- Add IDSync® App, IDSync® Tenant, IDSync® Users, IDSync® Contacts, and IDSync® Groups by checking the corresponding box to the far left.
- Click Next.
- On this screen you will need to uncheck the Tenant resource's Unlimited checkbox, and set the limit to 1.
- You'll also need to uncheck the Unlimited checkbox on IDSync® "Users" resource and set the limit to the maximum number of IDSync seats you will be hosting through this service template, then check the Home Visibility check to ON for the IDSync® "Users" resource.
- After reviewing and approving, click Finish.
Feature Service Template Creation
For each and every IDSync® feature that the service provider wishes to offer through its ODIN platform, a service template will need to be configured. The following describes the steps for configuring a service template. This process may be repeated for each IDSync® feature:
- On the Odin Control Panel, click "Service Templates".
- On the Service Templates page, click [+ Add New Service Template].
- Name the IDSync® feature service template IDSync® Autotask Contact (or something that reflects the application).
- Make sure the "Autoprovisioning" check is on, and Type set to "Custom", click Next.
- Using the search at the top of the page, type in the name of the resources you created in the Resource Creation walk-through. * is a wildcard (ex: idsync will return anything that contains the word idsync).
- Add the Base IDSync® App resource type and add the resources that are specific to that feature. For instance: for IDSync® Autotask Contacts, select IDSync® Autotask Contacts and IDSync® Autotask Contacts Counter by checking the corresponding box to the far left.
- Click Next.
- You will want to set the limit to 1 on the feature resource (i.e. the Autotask Contact resource)
- You'll also need to uncheck the Unlimited checkbox on IDSync® counter resource to set the limit to the maximum number of seats you will be hosting through this service template, then check the Home Visibility check to ON for the IDSync® counter resource.
- After reviewing and approving, click Finish.
Branding Options
There are currently no branding options, outside of the Tab Label in the aforementioned Global settings.
Localization
- Meta file localization
- en_US
- Error handling localization
- en_US
- Localization limitations
- en_US
To request additional languages, please contact support@idsync.com.
Configuring Services for Selling - Billing
Learn about how to configure the service templates that are necessary to form IDSync® APS subscriptions for sale.
Service Plans
It is beyond the scope of this document to provide this information since it is part of the license agreement set between the provider and IDSync® on how billing should be achieved on their own system.