Set up an Ironclad connector

ConductorOne provides identity governance for Ironclad. Integrate your Ironclad instance with ConductorOne to run user access reviews (UARs) and enable just-in-time access requests.

Capabilities

Resource   Sync   Provision
Accounts   Yes    Yes
Groups     Yes    Yes

The Ironclad connector supports automatic account provisioning.

Gather Ironclad credentials

Configuring the connector requires you to pass in credentials generated in Ironclad. Gather these credentials before you move on.

A user with the Administrator role in Ironclad must perform this task.

Create an Ironclad OAuth client app

  1. In Ironclad, navigate to your profile menu (located in the top right corner of the screen) > Company Settings > API.

  2. Select Create new app.

  3. Give your OAuth client application a name, such as “ConductorOne” and click Create app.

  4. Carefully copy and save the app’s client ID and client secret, then click Continue.

  5. In the Grant Types area, select Authorization Code.

  6. Enter a Redirect URI such as http://localhost in the relevant field. The same value, character for character, must be sent as redirect_uri in both the authorization request and the token request below, or the token exchange will be rejected.

  7. In the Scopes area, give the app the following scopes:

    • scim.users.readUsers
    • scim.groups.readGroups

    If you want to use ConductorOne to provision Ironclad accounts and groups, add these scopes as well:

    • scim.groups.updateGroups
    • scim.users.createUsers
    • scim.users.deleteUsers
  8. Click Save Changes.

Generate a refresh token

  1. Open the authorize endpoint URL in a browser while signed in to Ironclad as an Administrator, filling in the values from the client app you created. scope lists the scopes you granted the app (space-separated, as in RFC 6749), and redirect_uri must match the Redirect URI configured on the app exactly:

    GET https://na1.ironcladapp.com/oauth/authorize?
      response_type=code
      &client_id=CLIENT_ID_HERE
      &redirect_uri=REDIRECT_URI_HERE
      &scope=SCOPES_HERE
    

    If you’re in Europe, make sure to swap in the eu1.ironcladapp.com environment in your request.

  2. After you approve the request, Ironclad redirects the browser to your Redirect URI with the authorization code in the code query parameter. With http://localhost nothing needs to be listening there: the browser shows a connection error, but the code is in the address bar. Authorization codes are short-lived, so exchange the code promptly with a form-encoded (application/x-www-form-urlencoded) token request:

    POST https://na1.ironcladapp.com/oauth/token
        grant_type=authorization_code
        code=AUTHORIZATION_CODE_HERE
        redirect_uri=REDIRECT_URI_HERE
        client_id=CLIENT_ID_HERE
        client_secret=CLIENT_SECRET_HERE
    
  3. The server responds with an access token and a refresh token. Carefully copy and save the refresh token. It is a long-lived credential carrying every scope you granted the app, so keep it in a secrets manager rather than in a ticket, chat message, or source repository.
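The three steps above, driven from a script. This is an added example, not ConductorOne's or Ironclad's own tooling. It assumes Ironclad follows RFC 6749 in echoing the state parameter back unchanged (the check that stops someone handing you a code from a different authorization) and in accepting a space-separated scope value; the hosts, endpoints and scope names are the ones listed on this page. Only exchange_code touches the network.

```python
"""Ironclad OAuth authorization-code flow: build the authorize URL, pull the code
out of the redirect, exchange it for a refresh token.  Added example, not the
page's or the vendor's code; assumes RFC 6749 behaviour for state and scope."""
import json
import secrets
import urllib.parse
import urllib.request

HOSTS = {
    "na1": "https://na1.ironcladapp.com",
    "eu1": "https://eu1.ironcladapp.com",
}
READ_SCOPES = ("scim.users.readUsers", "scim.groups.readGroups")
PROVISION_SCOPES = ("scim.groups.updateGroups", "scim.users.createUsers", "scim.users.deleteUsers")


def build_authorize_url(client_id, redirect_uri, scopes, env="na1", state=None):
    """Return (url, state). state is a random value you must compare on return."""
    if env not in HOSTS:
        raise ValueError(f"unknown Ironclad environment {env!r}; expected one of {sorted(HOSTS)}")
    state = state or secrets.token_urlsafe(24)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),   # space-delimited per RFC 6749 (assumption for Ironclad)
        "state": state,
    }
    return f"{HOSTS[env]}/oauth/authorize?{urllib.parse.urlencode(params)}", state


def extract_code(redirected_to, expected_state):
    """Pull the authorization code out of the URL the browser landed on."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(redirected_to).query)
    if "error" in query:
        detail = query.get("error_description", [""])[0]
        raise RuntimeError(f"authorization failed: {query['error'][0]} {detail}".strip())
    if query.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: this redirect is not the reply to our request")
    if "code" not in query:
        raise RuntimeError("redirect carried no authorization code")
    return query["code"][0]


def build_token_request(code, client_id, client_secret, redirect_uri, env="na1"):
    """Form-encoded POST from step 2; redirect_uri must equal the one used in step 1."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return urllib.request.Request(
        f"{HOSTS[env]}/oauth/token",
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"},
    )


def exchange_code(code, client_id, client_secret, redirect_uri, env="na1"):
    """Send the token request (network call) and return the refresh token."""
    req = build_token_request(code, client_id, client_secret, redirect_uri, env)
    with urllib.request.urlopen(req, timeout=30) as resp:
        tokens = json.load(resp)
    if "refresh_token" not in tokens:
        raise RuntimeError(f"token response had no refresh_token; keys: {sorted(tokens)}")
    return tokens["refresh_token"]


if __name__ == "__main__":
    import sys
    client_id, client_secret = sys.argv[1], sys.argv[2]
    redirect_uri = "http://localhost"
    url, state = build_authorize_url(client_id, redirect_uri, READ_SCOPES + PROVISION_SCOPES)
    print("Open this URL in a browser signed in as an Ironclad Administrator:\n", url)
    landed = input("Paste the full URL the browser was redirected to: ").strip()
    code = extract_code(landed, state)
    # Print once; the caller is expected to move it straight into a secrets manager.
    print("refresh token:", exchange_code(code, client_id, client_secret, redirect_uri))
```

Run it as `python3 ironclad_oauth.py CLIENT_ID CLIENT_SECRET`; drop PROVISION_SCOPES from the call if the app was only granted the read scopes, since the server may refuse a scope the app does not hold.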

That’s it! Next, move on to the connector configuration instructions.

Configure the Ironclad connector

To complete this task, you’ll need:

  • The Connector Administrator or Super Administrator role in ConductorOne
  • Access to the set of Ironclad credentials generated by following the instructions above

Follow these instructions to use a built-in, no-code connector hosted by ConductorOne.

  1. In ConductorOne, navigate to Admin > Connectors and click Add connector.

  2. Search for Ironclad and click Add.

  3. Choose how to set up the new Ironclad connector:

    • Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)

    • Add the connector to a managed app (select from the list of existing managed apps)

    • Create a new managed app

  4. Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.

    If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.

  5. Click Next.

  6. Find the Settings area of the page and click Login with OAuth.

  7. Log in and authorize ConductorOne with your Ironclad instance.

  8. After authorizing, you’ll be redirected back to the ConductorOne integrations page, where an “Authorized as” message is now printed.

  9. The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.

That’s it! Your Ironclad connector is now pulling access data into ConductorOne.

Follow these instructions to use the Ironclad connector, hosted and run in your own environment.

When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with ConductorOne, automatically syncing and uploading data at regular intervals. This data is immediately available in the ConductorOne UI for access reviews and access requests.

Step 1: Set up a new Ironclad connector

  1. In ConductorOne, navigate to Connectors > Add connector.

  2. Search for Baton and click Add.

  3. Choose how to set up the new Ironclad connector:

    • Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)

    • Add the connector to a managed app (select from the list of existing managed apps)

    • Create a new managed app

  4. Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.

    If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.

  5. Click Next.

  6. In the Settings area of the page, click Edit.

  7. Click Rotate to generate a new Client ID and Secret.

    Carefully copy and save these credentials. We’ll use them in Step 2.

Step 2: Create Kubernetes configuration files

Create two Kubernetes manifest files for your Ironclad connector deployment. The secrets manifest holds the Ironclad refresh token and both pairs of client credentials in plaintext, so keep it out of source control (or generate it from your secrets manager at deploy time) and restrict who can read Secrets in the namespace.

Secrets configuration

# baton-ironclad-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: baton-ironclad-secrets
type: Opaque
stringData:
  # ConductorOne credentials
  BATON_CLIENT_ID: <ConductorOne client ID>
  BATON_CLIENT_SECRET: <ConductorOne client secret>
  
  # Ironclad credentials
  BATON_REFRESH_TOKEN: <Ironclad refresh token>
  BATON_IC_CLIENT_ID: <Ironclad OAuth app client ID>
  BATON_IC_CLIENT_SECRET: <Ironclad OAuth app client secret>

  # Optional: if you use an Ironclad environment other than "na1", set the
  # connector's environment variable for it (find its name with --help) to eu1

  # Optional: include if you want ConductorOne to provision access using this connector.
  # Keep the quotes: stringData values must be strings, and a bare true is a YAML boolean
  BATON_PROVISIONING: "true"

See the connector’s README or run --help to see all available configuration flags and environment variables.

Deployment configuration

# baton-ironclad.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: baton-ironclad
  labels:
    app: baton-ironclad
spec:
  selector:
    matchLabels:
      app: baton-ironclad
  template:
    metadata:
      labels:
        app: baton-ironclad
        # Label values must be strings; an unquoted true fails validation
        baton: "true"
        baton-app: ironclad
    spec:
      containers:
      - name: baton-ironclad
        image: ghcr.io/conductorone/baton-ironclad:latest
        # With a :latest tag, IfNotPresent keeps whatever image a node already has;
        # pin a version tag or use Always to pick up connector updates
        imagePullPolicy: IfNotPresent
        envFrom:
        - secretRef:
            name: baton-ironclad-secrets
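Two YAML mistakes are easy to make in manifests like these: a value under stringData or labels that YAML reads as a boolean or number (kubectl rejects it as a type error), and a key repeated within one mapping, which most parsers silently resolve to the last value so the first setting vanishes. The checker below catches both before you apply anything. It is an added example, not part of this page or of the baton-ironclad project; it understands only the block-mapping subset of YAML used in the two manifests above (no PyYAML needed), and the list of map names whose values must be strings is its own assumption.

```python
"""Lint Kubernetes manifests for non-string values in string-only maps and for
duplicate keys.  Added example, not ConductorOne's tooling; handles only block
mappings, block sequences of mappings, comments and '---' separators."""
import re
import sys

# YAML 1.1 scalars that Kubernetes' parser turns into non-strings when unquoted.
NON_STRING = re.compile(r"^(true|false|yes|no|on|off|null|~|[-+]?\d+(\.\d+)?)$", re.IGNORECASE)
ENTRY = re.compile(r"^(\s*)([A-Za-z0-9_.\-/]+):(?:\s+(.*?))?\s*$")
LIST_ITEM = re.compile(r"^(\s*)-\s+(.*)$")
# Maps whose values the API server requires to be strings (assumed list).
STRING_MAPS = ("stringData", "labels", "annotations", "matchLabels")


def lint_manifest(text, string_maps=STRING_MAPS):
    """Return a list of problem descriptions; empty means the manifest is clean."""
    problems = []
    stack = []   # (indent, key) for each mapping that is still open
    seen = {}    # path of keys -> keys already seen under that mapping
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()   # drop comments
        if not line.strip():
            continue
        if line.strip() == "---":                        # next document
            stack.clear()
            seen.clear()
            continue
        new_item = False
        lm = LIST_ITEM.match(line)
        if lm:                                           # "- key: v" starts a new element
            line = " " * (len(lm.group(1)) + 2) + lm.group(2)
            new_item = True
        m = ENTRY.match(line)
        if not m:
            continue                                     # plain list scalars etc.
        indent, key, value = len(m.group(1)), m.group(2), m.group(3) or ""
        while stack and stack[-1][0] >= indent:          # close deeper/sibling mappings
            stack.pop()
        path = tuple(k for _, k in stack)
        if new_item or path not in seen:                 # each list element has its own key set
            seen[path] = set()
        if key in seen[path]:
            problems.append(f"line {lineno}: duplicate key '{key}' under {'/'.join(path) or 'root'}")
        seen[path].add(key)
        parent = path[-1] if path else None
        if parent in string_maps and NON_STRING.match(value):
            problems.append(f"line {lineno}: '{key}: {value}' under {parent} is not a string; quote it")
        stack.append((indent, key))
    return problems


if __name__ == "__main__":
    # Usage: python3 lint_manifests.py baton-ironclad-secrets.yaml baton-ironclad.yaml
    exit_code = 0
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            for problem in lint_manifest(fh.read()):
                print(f"{path}: {problem}")
                exit_code = 1
    sys.exit(exit_code)
```

Run it over both files before `kubectl apply`; a non-zero exit means at least one finding. It is deliberately strict about YAML 1.1 words such as yes/no/on/off, which some Kubernetes tooling still reads as booleans.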

Step 3: Deploy the connector

  1. Create a namespace in which to run ConductorOne connectors (if desired), then apply the secret config and deployment config files.

  2. Check that the connector data uploaded correctly. In ConductorOne, click Applications. On the Managed apps tab, locate and click the name of the application you added the Ironclad connector to. Ironclad data should be found on the Entitlements and Accounts tabs.

That’s it! Your Ironclad connector is now pulling access data into ConductorOne.