Warning
This connector has been tested on a ChipSoft-HiX environment in combination with HelloID. Although it can be implemented, implementations differ per organisation. Also various fixes will be implemented by the supplier in the near future. Therefore, changes will have to be made accordingly.
Warning
At this point, the security configuration for ChipSoft-HiX is not clear. The API connection itself has no security settings apart from an EV certificate that appears to be a server certificate only. This will need to be addressed before implementing this connector.
Warning
When creating accounts in HIX, automatic logon is disabled. For now this should be activated manually. In ChipSoft HiX release HF86 this should be resolved and new accounts will be enabled for automatic logon.
Warning
When a usertype is set in HiX and has to be changed to an empty usertype during the employment (mostly used for default employees), this cannot be done through the HiX API. An empty value cannot be set on a usertype that already has a value.
Warning
The current SSO state of users can't be retrieved from the API. Therefore SSO can only be set for all users or for none of the users. Furthermore, when the SSO login name (AzureUPN) sent from HelloID to HiX does not correspond with the current value, the HiX API will remove the current SSO user and create a new one. The comparison between the values is performed in the HiX API and is case-sensitive (user@domain.com isn't the same as User@Domain.com). Be aware that deleting and recreating the SSO user can result in an error due to timing issues and can result in losing all current permissions in HiX.
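The case-sensitivity above matters in PowerShell because `-eq` compares strings case-insensitively while HiX does not. The following is an added example, not code from this repository: it classifies a login name change before it is sent. `Get-SsoLoginNameAction` and `$LastSent` are hypothetical, and `$LastSent` is assumed to be the value HelloID stored after its previous successful call, since HiX cannot be queried for it.

```powershell
# Added example, not connector code. $LastSent is an assumption: the login name
# HelloID stored from its previous successful call (HiX cannot return it).
function Get-SsoLoginNameAction {
    param(
        [AllowEmptyString()][string]$LastSent,
        [Parameter(Mandatory)][string]$Desired
    )
    if ([string]::IsNullOrEmpty($LastSent)) {
        # Nothing sent before: a plain create, no existing SSO user to lose.
        return [pscustomobject]@{ Action = 'Create'; Send = $Desired }
    }
    if ($LastSent -ceq $Desired) {
        # -ceq is case-sensitive, matching the comparison HiX performs.
        return [pscustomobject]@{ Action = 'NoChange'; Send = $LastSent }
    }
    if ($LastSent -eq $Desired) {
        # -eq ignores case, so PowerShell sees "equal" where HiX sees "different".
        # Re-sending the stored casing keeps HiX from removing the SSO user.
        return [pscustomobject]@{ Action = 'CaseOnlyDrift'; Send = $LastSent }
    }
    # A real change: HiX removes and recreates the SSO user, so flag it for review.
    return [pscustomobject]@{ Action = 'Recreate'; Send = $Desired }
}

# Constructed sample pairs (not real accounts).
$samples = @(
    @{ LastSent = 'user@domain.com'; Desired = 'user@domain.com' }
    @{ LastSent = 'user@domain.com'; Desired = 'User@Domain.com' }
    @{ LastSent = 'user@domain.com'; Desired = 'user2@domain.com' }
    @{ LastSent = '';                Desired = 'new@domain.com' }
)
foreach ($s in $samples) {
    $result = Get-SsoLoginNameAction @s
    '{0,-14} send: {1}' -f $result.Action, $result.Send
}
```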
Important
This repository contains the connector and configuration code only. The implementer is responsible for acquiring the connection details such as username, password, certificate, etc. You might even need to sign a contract or agreement with the supplier before implementing this connector. Please contact the client's application manager to coordinate the connector requirements.
Important
When no mapping is used to translate HR department codes or job title codes to the corresponding HiX codes, the connector will use the existing HR codes. These codes should then exist in HiX.
- HelloID-Conn-Prov-Target-ChipSoft-HiX
HelloID-Conn-Prov-Target-ChipSoft-HiX is a target connector. ChipSoft-HiX provides a SOAP WSDL interface that allows you to programmatically interact with its data. The HelloID connector uses the endpoints listed in the table below.
Message type | Description |
---|---|
/nieuwegebruiker.gegevens | Create a new user account. |
/wijzigengebruiker.gegevens | Modify a user account. |
/blokkerengebruiker.gegevens | Disable a user account. |
/deblokkerengebruiker.gegevens | Enable a user account. |
/aanvraag.zisgebruikers | Retrieve a user account. |
The following lifecycle actions are available:
Action | Description |
---|---|
create.ps1 | PowerShell create lifecycle action |
delete.ps1 | PowerShell delete lifecycle action |
disable.ps1 | PowerShell disable lifecycle action |
enable.ps1 | PowerShell enable lifecycle action |
update.ps1 | PowerShell update lifecycle action |
permissions/groups/grantPermission.ps1 | PowerShell groups grant lifecycle action |
permissions/groups/revokePermission.ps1 | PowerShell groups revoke lifecycle action |
permissions/groups/permissions.ps1 | PowerShell groups permissions lifecycle action |
permissions/groups/subpermissions.ps1 | PowerShell groups subpermissions lifecycle action |
permissions/logingroups/grantPermission.ps1 | PowerShell loginGroups grant lifecycle action |
permissions/logingroups/revokePermission.ps1 | PowerShell loginGroups revoke lifecycle action |
permissions/logingroups/permissions.ps1 | PowerShell loginGroups permissions lifecycle action |
permissions/logingroups/subpermissions.ps1 | PowerShell loginGroups subpermissions lifecycle action |
configuration.json | Default configuration.json |
fieldMapping.json | Default fieldMapping.json |
assets/hix_department_codes.csv | Example of HR department - HiX department translation mapping |
assets/hix_jobtitle_codes.csv | Example of HR jobtitle - HiX title translation mapping |
assets/hix_logingroups.csv | Example of mapped logingroups based on HR jobtitle and department |
assets/hix_groups_codes.csv | Example of mapped groups based on HR jobtitle and department |
The correlation configuration is used to specify which properties will be used to match an existing account within _ChipSoft-HiX_ to a person in _HelloID_.

To properly set up the correlation:

- Open the `Correlation` tab.
- Specify the following configuration:

Setting | Value |
---|---|
Enable correlation | True |
Person correlation field | PersonContext.Person.UserName |
Account correlation field | ldap |
> [!TIP]
> For more information on correlation, please refer to our correlation documentation pages.
The field mapping can be imported by using the fieldMapping.json file.
The following settings are required to connect to the API.
Setting | Description | Mandatory | Example |
---|---|---|---|
BaseUrl | The URL of the ChipSoft Gomez application server. (This address must also include a port number.) | Yes | http://127.0.0.1:12345 |
Because ChipSoft HiX is an application that runs on-premises, the HelloID agent is required in order to use this connector.
At this point, the security configuration for ChipSoft-HiX is not clear. The API connection itself has no security settings apart from an EV certificate that appears to be a server certificate only. This will need to be addressed before implementing this connector.
If a user is updated, the complete object must be sent to the API. The same applies to groups and loginGroups.
- The `title` field can only contain a maximum of 5 characters.
- The `department` field can only contain a maximum of 6 characters.
Tip
For both fields, this is being handled within the fieldMapping by using a complex mapping.
Currently we made the assumption that the `gebruikersnaam` and `ldap` properties will both be mapped to the same value. E.g. `$personContext.Person.UserName`.
Tip
The `ldap` field is being used by ChipSoft HiX to actually retrieve a user account. This is also the value that's being used for correlation.
To ensure that the grant for groups and the grant for login groups do not interfere with each other, it's necessary to set concurrent actions to 1 for the connector. Otherwise, permissions may be overwritten or not properly assigned. This also prevents actions in HiX from being executed while previous actions have not finished yet.
All requests sent to the ChipSoft-HiX Gomez application server must include a unique identifier. Currently, this identifier is a combination of a GUID and the current timestamp. This will guarantee the id is always unique. This unique identifier will be verified within ChipSoft-HiX. If the numbers match, a response will be sent back containing the same number. This number will be verified within the connector.
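A sketch of the identifier round trip described above, as an added example that is not the connector's own code. The function names, the identifier layout and the `RequestId` element are hypothetical stand-ins; the real SOAP schema comes from ChipSoft's WSDL.

```powershell
# Added example, not connector code. Identifier layout and the <RequestId>
# element name are hypothetical; take the real ones from the ChipSoft WSDL.
function New-HixRequestId {
    # GUID combined with a UTC timestamp, so two requests never share an id.
    '{0}-{1}' -f [guid]::NewGuid().ToString('N'), [DateTime]::UtcNow.ToString('yyyyMMddHHmmssfff')
}

function Test-HixResponseId {
    param(
        [Parameter(Mandatory)][string]$RequestId,
        [Parameter(Mandatory)][xml]$Response
    )
    # local-name() ignores whatever namespace prefix the SOAP envelope uses.
    $node = $Response.SelectSingleNode("//*[local-name()='RequestId']")
    if ($null -eq $node) {
        throw 'Response carries no request identifier; rejecting it.'
    }
    $echoed = $node.InnerText.Trim()
    # Ordinal comparison: the echoed id must be byte-for-byte what was sent.
    if (-not [string]::Equals($echoed, $RequestId, [StringComparison]::Ordinal)) {
        throw "Response identifier '$echoed' does not match request '$RequestId'."
    }
    $true
}

# Constructed responses: one echoing our id, one belonging to another request.
$id       = New-HixRequestId
$matching = [xml]"<Response><RequestId>$id</RequestId><Status>OK</Status></Response>"
$foreign  = [xml]"<Response><RequestId>$(New-HixRequestId)</RequestId><Status>OK</Status></Response>"

Test-HixResponseId -RequestId $id -Response $matching    # returns True
try {
    Test-HixResponseId -RequestId $id -Response $foreign
}
catch {
    # A mismatched or missing id is treated as a failed action, never as success.
    Write-Warning $_.Exception.Message
}
```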
> [!TIP]
> For more information on how to configure a HelloID PowerShell connector, please refer to our documentation pages.

> [!TIP]
> If you need help, feel free to ask questions on our forum.
The official HelloID documentation can be found at: https://docs.helloid.com/