Refresh Token

  1. Select Refresh Token as the Grant Type.

  2. Enter the Token URL. The format is:

    https://{your domain}/token

    Web Services SaaS supports the replacement of attributes in the OAuth 2.0 token URL. For example, if you want to prepare a token URL with sensitive information such as client_secret, the $application.client_secret$ can be used. So, the corresponding value will be determined from the replaced location in the token URL.

  3. Enter the Client ID and the associated Client Secret for OAuth 2.0 authentication.

  4. Enter the Refresh Token used to generate the access token.

    Web Services supports OAuth 2.0 Refresh Tokens for the managed target system. The refresh tokens either don't expire or come with a long validity period.

  5. For OAuth Headers, set up the custom headers as part of the access token. The Web Services SaaS source adheres to the generalized specifications of the OAuth 2.0 grant types. For some managed target systems, however, custom headers may be required to be part of the access token generation request. You can add the custom headers as an attribute.

  6. In OAuth Headers to Exclude, enter the headers that you want to exclude. By default, an Authorization BASIC header with Base64-encoded client ID and client secret are a part of the access token generation request. Some managed target systems do not support this header. If there is no Authorization BASIC header required for such managed target systems, it can be excluded from the request.

  7. For OAuth Request Parameters, set up the custom parameters for an access token. For some managed target systems, custom request parameters may be required to be part of the access token generation request. You can add the custom request parameter as an attribute.

  8. For OAuth Body Attributes to Exclude, enter the attributes that you want to exclude. To remove any of the standard request parameters that are not supported by managed systems access token generation requests you must configure the request parameters to exclude them from the access token request.

  9. Enable Delta Aggregation to aggregate accounts that have changed since the last execution.

    Note

    Delta aggregation based on "account object type" is only applicable for managed systems that support the delta aggregation operation.

  10. Enter the Date Format to use for the date and time data sent for delta aggregation.

  11. Enter the Server Timezone for the source’s server.

  12. Enter the value for Connection Timeout (in seconds).

  13. Enter the valid details for Client Certificate and Client Private Key.Important

    Important

    The connector only supports the PEM format for the Client Certificate and the private key. Additionally, the Web Services connector expects the PEM private key to be an RSA PEM private key. The following process enables you to convert the private key to an RSA private key on a Windows computer:

    1. Download openssl-1.0.2q-x64_86-win64.zip and extract it.

    2. Open cmd to OpenSSL path.

    3. Copy the Private_ADP_Key.key file to the extracted/openSSL path.

    4. Run the following command:

    5. openssl rsa -in Private_ADP_Key.key -out rsa_private_key.pem

    6. Use this rsa_private_key.pem file in the connector.

  14. In the Account Enable Status Attribute field, enter the attribute name and value to set the account status while loading accounts. The status of accounts with the specified attribute and value will be marked as Enabled; the status for all other accounts will be Disabled.

    For example, if you enter status=Active, the status of all accounts with the status attribute set to the value Active will be enabled.

    Note

    The Account Enable Status Attribute field supports multiple values for status attribute.

    If you need to enter multiple values for the Account Enable Status Attribute, separate them by using a comma(,) as displayed in the following example:

    status=Active,Pending

  15. In the Account Lock Status Attribute field, provide the value required to check the account lock status. For example, if you enter status=inactive, the account schema status attribute will determine whether the account is locked or not. In this case, all accounts with their status attribute set to inactive will be considered locked by the connector, and they will not be included in provisioning.

    Note

    The Account Lock Status Attribute field supports multiple values for status attribute.

    If you need to enter multiple values for Account Lock Status Attribute, separate them by using a comma(,) as displayed in the following example:

    status=Locked,Inactive

  16. Select Save.