API - Requirements for a system to be connected

This tutorial is intended as a guide for an administrator/architect planning to connect a system to CzechIdM. In order to connect a system to CzechIdM, there are some minimal requirements on the system's API.

CzechIdM supports many connectors and many others can be developed. Thus one can connect virtually any system to CzechIdM. In general, if a system's API supports operations described below, it can be connected to CzechIdM.

The requirements naturally differ for source systems (synchronization to CzechIdM) and managed systems (data provisioning from CzechIdM). These are the operations that a system's API must support in order to be able to connect it:

a) Source systems - Synchronization

Clearly, for fetching data into CzechIdM, the connected system must be able to provide it. As a minimum, it must provide the list of all items and one item by its ID:

Operation Description Operation parameters Output
List All Operation should provide list of all objects in your system, at least their IDs List of all objects, e.g. Identities
Get Object When CzechIdM want to load one specific user id - identifier of user needed One specific object

The following operation is not a must, but it's useful when synchronizing the Czech IdM data with outside data, but only the data that has changed since the last synchronization run. It is typically based on the value of some special attribute like LastUpdateTime. It is especially useful in cases when there are many objects to be synchronized (over thousands) and/or the connected system is somewhat slow.

Operation Description Operation parameters Output
Search objects When one needs to synchronize object only specific objects, e.g. only those that have been changed since the last synchronization run. List of objects filter parameter - the token which is compared to some object attribute value - typically last update time

b) Managed systems - Provisioning

To be able to provide data to a connected system, its API must support the CRUD operations:

Operation Description Operation parameters Output
Get Object When CzechIdM wants to load one specific object id of the object One specific object
Delete Object Delete object in a system id of the object we want to delete id of the deleted object
Update Object After changing some attribute of an identity in CzechIdM, we want to provide the change into the managed system. If you also want to update the user's permissions in the managed system (e.g. user's AD Groups), the operation should support it too or provide an operation that does the job on its own id of the user we want to update id - identifier of the updated object
Create Object Having created a new identity in CzechIdM, we want it in the managed system, too. This operation should work both with one input parameter (id) and without it id of the object id - if no input parameter has been given

If still in doubt, look at the example below. It might give you a better clue of what it should look like.

If you want to connect your system via REST, just prepare the endpoint as described and we can use our REST connector. It supports both provisioning and synchronization.

Endpoint Operation type Corresponding operation Input Parameters Description Output
/users Get List All This endpoints returns information about all identities in the system. list of all users
/users/{id} Delete Delete Object ID This endpoint is used for deleting the existing users.
/users/{id} Get Get Object ID This endpoint returns information about a user with a specific identifier. one specific user
/users/{id} Put Create/Update Object ID This endpoint is used for updating existing users and creating new users with a known identifier in the system. ID (TODO check)
/users Post Create Object This endpoint is used for creating new users in the system. ID (TODO check)

As you can see, the operations in this example fully correspond to the generic API description presented in the previous chapters.

If you want to connect one DB table to CzechIdM, your DBMS must support CRUD operations (which it does, naturally :-)). So your main concern is to set the appropriate rights for the user that CzechIdM will use for the connection to DB.

SQL operation Corresponding operation Input Parameters Output
SELECT * FROM <TABLE> List All list of all users
DELETE FROM <TABLE> WHERE <ID> = {userID} Delete userID
SELECT * FROM <TABLE> WHERE <ID> = {userID} Get Object userID one specific user
INSERT INTO <TABLE> VALUES «ID>={userID},…> Create userID
UPDATE <TABLE> SET {attributes} WHERE <ID>={userID} Update attributes with values, userID

<TABLE> - connected DB Table <ID> - the name of the column with the unique identifier - e.g. primary key

As you can see, the operations in this example fully correspond to the generic API description presented in the previous chapters.

Each source system must contain some information based on the type of the connected system no matter the way in which the system is connected (REST, DB, CSV…). There three basic types of connected source systems: source of identities, source of contracts, and source of organizations.

Source of identities

An identity is a set of information describing one person. In general, this information should be independent of the user's position within the organization so it shouldn't contain information about e. g. superiors or work positions.

Must contain:

  • ID - a unique identifier of the identity
  • User name - a user name (or login) used to log in to CzechIdM

Can contain (often contains):

  • Personal number
  • First name
  • Surname
  • Phone
  • Email
  • Title before name
  • Title after name

Cannot contain:

  • Information about the user's position (belongs to contracts)
  • Information about the user's superiors (belongs to contracts)

Source of contracts

A contract represents the relation of an identity to the company or organization. One identity can have multiple contracts and, as a result, different sets of permissions.

Must contain:

  • Contract ID - a unique identifier of the contract
  • Identity ID - an identifier of the identity to which to contract belongs

Can contain (often contains):

  • Valid from - the start of the validity of the contract
  • Valid till - the end of the validity of the contract
  • Name of the position
  • Department ID - the position within the organization, see below
  • Department name
  • Superior - either by Identity ID or Login

Source of organizations

IdM can use tree structures to represent the organizational structure of the company.

Must contain:

  • Code - a unique identifier of the tree node

Can contain:

  • Name of the tree node
  • Superior element - can be null in which case it is considered to be the root element by default