Introduction
Unfortunately, IBM BAW on cloud does not offer the LDAP integration option that we had in the on-premises situation. So, if we would like to sync the IBM BAW on cloud LDAP with our internal LDAP, we have to create a custom solution. I will explain how to do this custom implementation.
In this custom implementation we need to call BAW and Azure services to get the users and groups. After we get the users and groups, we need to compute the difference between source and target. Then we need to create/drop users and groups and also add/remove group members.
Login to BAW And Azure Environment for Calling Services
Before we call the BAW and Azure services, we need to login (retrieve token) to BAW and Azure.
BAW Login:
First we need to do a POST request to the URL below:
https://HOSTNAME:443/bpm/services/csrf_token
Azure Login:
First we need to do a POST request to the URL below:
https://login.microsoftonline.com/SERVICE_NAME/oauth2/token
Getting Users From BAW
For getting users from BAW we need to do a GET request to the URL below:
https://HOSTNAME:443/instance/services/users?sort=user_id%3Aasc&type=regular_users&optional_parts=groups
The IBM-CSRF-TOKEN header is the token which we got from the BPM Login request.
Getting Users From Azure AD
For getting users from Azure we need to do a GET request to the URL below:
https://graph.microsoft.com/v1.0/groups/id/members
The Authorization header is the token which we got from the Azure Login request.
The ID parameter in the URL is the group id of the "BAW all users" group. We need to create a group which contains the users who have access to the BAW environment. We do this because we do not want to check every user in the organization for presence in BAW, since most of them (probably) are not related to BAW.
Note: This service pages its results. So if the NextLink variable in the response is not null, we have to call the NextLink URL until the NextLink parameter returns null.
Create Users in BAW
Now we have all the users (from Azure) who need to be present in BAW. We also have all the users who are already present in BAW. Now we have to take the difference from Azure to BPM (to find which users we need to create) and the difference from BPM to Azure (to find which users we need to delete).
Once we find the users to be added, we need to call the service below:
https://HOSTNAME:443/instance/services/bulk/users?activate_automatically=true&skip_email=true
Body:
{
  "users": [
    {
      "user_id": "string",
      "base_dn": "string",
      "email": "string",
      "given_name": "string",
      "family_name": "string",
      "groups": [
        {
          "name": "string",
          "base_dn": "string"
        }
      ],
      "details": {
        "preferred_language": "en"
      }
    }
  ]
}
Note: Before calling this API, you need to ask IBM to set the "activate_automatically" option to true. If you don't do that, you will get an error.
Delete Users From BAW
We can find the removed users by taking the difference from BPM to Azure described above (users present in BAW but not in the Azure group).
Once we find the users to be removed, we need to call the service below:
https://HOSTNAME:443/instance/services/users/USERID
The IBM-CSRF-TOKEN header is the token which we got from the BPM Login request.
Getting Groups From BAW
For getting groups we need to do a GET request to the URL below:
https://HOSTNAME:443/instance/services/groups?optional_parts=members&size=1000000
The IBM-CSRF-TOKEN header is the token which we got from the BPM Login request.
Getting Groups From Azure AD
For getting groups from Azure we need to do a GET request to the URL below:
https://graph.microsoft.com/v1.0/groups?$filter=startswith(displayName,'XXXX-BPM')
Note 1: The Authorization header is the token which we got from the Azure Login request.
Note 2: We send the filter parameter because we do not want to query all the groups in the organization. So before we begin, we need to create all BAW-specific groups with a special prefix in the display name.
Note 3: This service pages its results. So if the NextLink variable in the response is not null, we have to call the NextLink URL until the NextLink parameter returns null.
Note 4: Groups can be defined under other groups (nested groups), so we need to check whether a member is itself a group, and if so we need to make a recursive call.
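As an added example (not code from the article), the paging and nested-group handling from Notes 3 and 4, which applies equally to the member listings in the Getting Users From Azure AD and Add User to BAW Group sections: the loop follows @odata.nextLink (the NextLink variable above) until it is absent, recurses into members whose @odata.type is a group, and remembers visited groups so two groups that contain each other do not recurse forever. The fetch function and the sample pages are constructed for this example; a real fetch would send the Authorization header.

```python
# Added example, not from the article: walk a paged Microsoft Graph member
# listing, following @odata.nextLink, and flatten nested groups recursively.
# fetch(url) is injected so the sample runs offline on constructed pages.
from typing import Callable, Dict, List, Optional, Set

GRAPH = "https://graph.microsoft.com/v1.0"
USER_TYPE = "#microsoft.graph.user"     # @odata.type of a user member
GROUP_TYPE = "#microsoft.graph.group"   # @odata.type of a nested group


def collect_members(group_id: str, fetch: Callable[[str], dict],
                    seen: Optional[Set[str]] = None) -> List[dict]:
    """Return the user members of group_id, descending into nested groups.
    `seen` stops infinite recursion when groups contain each other."""
    seen = set() if seen is None else seen
    if group_id in seen:
        return []
    seen.add(group_id)
    users: Dict[str, dict] = {}          # keyed by id so a user is listed once
    url: Optional[str] = f"{GRAPH}/groups/{group_id}/members"
    while url:                           # keep calling until no nextLink is returned
        page = fetch(url)
        for m in page.get("value", []):
            if m.get("@odata.type") == USER_TYPE:
                users.setdefault(m["id"], m)
            elif m.get("@odata.type") == GROUP_TYPE:
                for u in collect_members(m["id"], fetch, seen):
                    users.setdefault(u["id"], u)
        url = page.get("@odata.nextLink")  # absent on the last page
    return list(users.values())


# Constructed sample: g1 spans two pages, nests g2, and g2 nests g1 (a cycle).
SAMPLE_PAGES = {
    f"{GRAPH}/groups/g1/members": {
        "value": [{"@odata.type": USER_TYPE, "id": "u1", "userPrincipalName": "alice@example.com"}],
        "@odata.nextLink": f"{GRAPH}/groups/g1/members?$skiptoken=page2",
    },
    f"{GRAPH}/groups/g1/members?$skiptoken=page2": {
        "value": [{"@odata.type": GROUP_TYPE, "id": "g2"},
                  {"@odata.type": USER_TYPE, "id": "u2", "userPrincipalName": "bob@example.com"}],
    },
    f"{GRAPH}/groups/g2/members": {
        "value": [{"@odata.type": USER_TYPE, "id": "u3", "userPrincipalName": "carol@example.com"},
                  {"@odata.type": GROUP_TYPE, "id": "g1"}],
    },
}


def sample_fetch(url: str) -> dict:
    return SAMPLE_PAGES[url]
```

Calling collect_members("g1", sample_fetch) yields alice, carol and bob once each, even though g1 and g2 reference each other.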
Create Group In BAW
Now we have all the groups (from Azure) which need to be present in BAW. We also have all the groups which are defined in BAW. Now we have to take the difference from Azure to BPM (to find which groups we need to create) and the difference from BPM to Azure (to find which groups we need to delete).
Once we find the groups to be added, we need to call the service below:
https://HOSTNAME:443/instance/services/groups?optional_parts=members
Body:
{
  "name": "string",
  "base_dn": "string",
  "members": [
    {
      "member_id": "string",
      "type": "user",
      "base_dn": "string"
    }
  ]
}
The IBM-CSRF-TOKEN header is the token which we got from the BPM Login request.
Delete Group From BAW
We can find the removed groups by taking the difference from BPM to Azure described above (groups present in BAW but not in Azure).
Once we find the groups to be removed, we need to call the service below:
https://HOSTNAME:443/instance/services/groups/GROUPID
The IBM-CSRF-TOKEN header is the token which we got from the BPM Login request.
Add User to BAW Group
In this case we need to get the users under each group. If we call the service with the parameter optional_parts=members, it returns the groups together with their users, so take a look at the Getting Groups From BAW section above.
For getting Azure group members we need to make a GET request to the service below:
https://graph.microsoft.com/v1.0/groups/GROUPID/members
Note: This service pages its results. So if the NextLink variable in the response is not null, we have to call the NextLink URL until the NextLink parameter returns null.
Once we have all the groups with their members for both BAW and Azure, we need to find the group members which we have to add in BAW.
We need to make a POST request to the URL below:
https://HOSTNAME:443/instance/services/groups/GROUPNAME/members?base_dn=BASEDN
Body:
{
  "group_members": [
    {
      "member_id": "string",
      "type": "user",
      "base_dn": "string"
    }
  ]
}
The IBM-CSRF-TOKEN header is the token which we got from the BPM Login request.
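As an added example (not code from the article), the difference calculation used in Create Users in BAW, Create Group In BAW and this section, in one place: Azure-to-BPM differences become creates and member additions, BPM-to-Azure differences become deletes and member removals. The Snapshot and Plan structures, the sample data and the mass-deletion guard (so that a failed or truncated Azure read is not turned into deleting every BAW user) are this example's own assumptions, not part of the BAW or Graph APIs.

```python
# Added example, not from the article: compute what the sync must create,
# delete, add and remove from an Azure snapshot (source) and a BAW snapshot (target).
from dataclasses import dataclass, field
from typing import Dict, Set


@dataclass
class Snapshot:
    users: Set[str]                                 # user ids
    groups: Set[str]                                # group names
    members: Dict[str, Set[str]] = field(default_factory=dict)  # group -> user ids


@dataclass
class Plan:
    create_users: Set[str]
    delete_users: Set[str]
    create_groups: Set[str]
    delete_groups: Set[str]
    add_members: Dict[str, Set[str]]
    remove_members: Dict[str, Set[str]]


def build_plan(azure: Snapshot, baw: Snapshot, max_delete_ratio: float = 0.5) -> Plan:
    """Azure-to-BAW difference gives creates, BAW-to-Azure difference gives deletes.
    Safety stop (this example's assumption, not an API feature): a failed or
    truncated Azure read looks like 'everyone left', so refuse mass deletions."""
    delete_users = baw.users - azure.users
    if baw.users and len(delete_users) / len(baw.users) > max_delete_ratio:
        raise RuntimeError(f"refusing to delete {len(delete_users)} of {len(baw.users)} BAW users")
    add, remove = {}, {}
    # Membership is reconciled only for groups present on both sides; a new
    # group carries its full member list in the create-group body instead.
    for g in azure.groups & baw.groups:
        want = azure.members.get(g, set())
        have = baw.members.get(g, set())
        if want - have:
            add[g] = want - have
        if have - want:
            remove[g] = have - want
    return Plan(azure.users - baw.users, delete_users,
                azure.groups - baw.groups, baw.groups - azure.groups, add, remove)


# Constructed sample snapshots, using the XXXX-BPM prefix convention from above.
AZURE = Snapshot({"alice", "bob", "carol"}, {"XXXX-BPM-Approvers", "XXXX-BPM-Auditors"},
                 {"XXXX-BPM-Approvers": {"alice", "bob"}, "XXXX-BPM-Auditors": {"carol"}})
BAW = Snapshot({"alice", "bob", "dave"}, {"XXXX-BPM-Approvers", "XXXX-BPM-Legacy"},
               {"XXXX-BPM-Approvers": {"alice", "dave"}})


def sample_plan() -> Plan:
    return build_plan(AZURE, BAW)
```

Each set in the returned Plan maps to one of the service calls above: create_users to the bulk users POST, delete_users to the users/USERID call, create_groups and delete_groups to the groups calls, and add_members and remove_members to the group members calls.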
Remove User From BAW Group
We can find the removed group members by taking, for each group, the difference between its members in BAW and its members in Azure (members present in BAW but not in Azure).
Once we find the users to be removed from a group, we need to call the service below:
https://HOSTNAME:443/instance/services/groups/GROUPNAME/members?base_dn=BASEDN
Body:
{
  "group_members": [
    {
      "member_id": "string",
      "type": "user",
      "base_dn": "string"
    }
  ]
}
The IBM-CSRF-TOKEN header is the token which we got from the BPM Login request.
Conclusion
As a result, we can integrate our internal LDAP with IBM BAW on cloud by using a custom solution. Once we have created this solution, we can schedule it to execute once (or more) a day to synchronize all the users, groups and also group members.