ConductorOne Docs

Host a Baton connector in service mode

Connect your self-hosted connector to ConductorOne to run the connector as a service and automate data syncs.

How does service mode work and why should I use it?

Integrating your self-hosted connector with ConductorOne creates the most seamless and fully automated method of uploading your application’s data. Once the integration is set up, Baton runs as a service in your environment. The service maintains contact with ConductorOne, syncs and uploads data at regular intervals, and passes that data to the ConductorOne UI, where you and your colleagues can use it to run access reviews and facilitate access requests for the application.

Step 1: Locate or generate connector credentials

  1. Navigate to the GitHub repo for the Baton open-source connector you’re using. Go to Baton connectors for links to the GitHub repos for all available open-source connectors.

  2. In the Prerequisites section of the GitHub repo’s README file, find the list of credentials you’ll need to set up the Baton connector.

  3. Locate or create and save the necessary credentials. We’ll use them in Step 2.

    Need help locating the necessary credentials? See the Integrate your (application’s name) instance section of the corresponding ConductorOne-managed integration documentation.

Step 2: Install the connector

  1. Use the commands shown in the connector’s README file to install the connector, passing in the credentials generated in Step 1 as appropriate. Brew, Docker, and source command options are available.

    Run baton-<APP> --help to see the list of flags to be used when passing your credentials to the connector.

Step 3: Set up the Baton integration

  1. In ConductorOne, open Admin and click Integrations > Baton.

  2. Choose whether to add the Baton connector to an existing application in ConductorOne (and select the app of your choice) or to create a new application.

    Once configuration is complete, the application’s name will change from Baton to the name of the Baton connector you’ve integrated.

  3. Set the integration owner for this connector. You can manage the integration yourself, or choose someone else from the list of ConductorOne users. Setting multiple integration owners is allowed. You can change the integration owner later, if necessary.

  4. Click Create and add details.

    If you selected someone else as the integration owner, that person will be notified to take over this process from this point.

  5. Find the Settings area of the page and click Edit.

  6. Click Rotate to generate a new set of credentials. Carefully copy the Client ID and Secret. You’ll use them in Step 4.

Step 4: Add credentials to your self-hosted connector

In this section we’ll use the baton-okta connector as an example, but you can substitute the connector of your choice.

  1. On the server or VM where your self-hosted connector is running, pass in the Client ID and Secret generated in Step 3 by running the connector with the flags --client-id <CLIENT ID> --client-secret <SECRET>.

    Run baton-okta --help to see the list of flags to be used when passing your credentials to the connector.

  2. The connector syncs current data, uploads it to ConductorOne, and prints a Task complete! message when finished.

  3. Check that the connector data uploaded correctly. In ConductorOne, open Apps and click Applications, then locate and click the name of the application you added the Baton connector to. The data should be found on the Groups, Roles, Resources, and Accounts tabs, as appropriate.
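
An added example (not from the ConductorOne docs or the Baton project) of a launcher for Step 4 that reads the Client ID and Secret from a private file and refuses to start if the file is readable by other users. The file path, its KEY=VALUE layout, and the key names C1_CLIENT_ID / C1_CLIENT_SECRET are assumptions.

```shell
#!/bin/sh
# Added example: start a self-hosted Baton connector in service mode with the
# ConductorOne Client ID and Secret read from a private file.
# Assumptions (hypothetical, not from the docs): the file path, its KEY=VALUE
# layout, and the key names C1_CLIENT_ID / C1_CLIENT_SECRET.

# Succeed only for a regular, non-symlink file with mode 600 or 400.
cred_file_is_private() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    case $(ls -ld -- "$1" | cut -c1-10) in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the value stored for key $1 in file $2 (first KEY=VALUE match).
cred_value() {
    sed -n "s/^$1=//p" "$2" | head -n 1
}

# run_connector <cred-file> <connector> [connector flags...]
run_connector() {
    cred_file=$1
    shift
    if ! cred_file_is_private "$cred_file"; then
        echo "refusing to start: $cred_file must be mode 600 or 400" >&2
        return 1
    fi
    id=$(cred_value C1_CLIENT_ID "$cred_file")
    secret=$(cred_value C1_CLIENT_SECRET "$cred_file")
    if [ -z "$id" ] || [ -z "$secret" ]; then
        echo "refusing to start: Client ID or Secret missing in $cred_file" >&2
        return 1
    fi
    # exec so a service manager supervises the connector itself. The flags are
    # still visible in local process listings, so use a dedicated host/account.
    exec "$@" --client-id "$id" --client-secret "$secret"
}

# Example: sh run-baton.sh /etc/baton/c1.creds baton-okta   (path is hypothetical)
if [ "$#" -ge 2 ]; then
    run_connector "$@"
fi
```

Any flags the connector itself needs go after the connector name; the launcher appends --client-id and --client-secret last.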