Hybrid On-Premise Docker Agent¶
Your application, database, or identity server deployed within your data center cannot be accessed directly. Hire2Retire's “On-Premise Docker Agent” provides a secure way to access the identity management server located behind your firewall without the need to open ports in the firewall or establish a VPN tunnel. On-Premise Docker Agent can be installed easily behind the firewall after which it can communicate with the workflow deployed in secure and encrypted manner.
Hybrid On-Premise Service Connection¶
Hire2Retire requires the following details to create a OnPremise Service Connection
- Connection Name - A user defined nomenclature for your connection. By default, the connection name is "Connection-OnPremise Service", you can change the name as per your preferences.
- Host - The host name is the IP address of your Active Directory Server. If you are configuring a connection with a multi-domain controller setup, you can provide host values for each domain controller. You can also provide comma separated list of IP/host addresses for each domain controller.
- Port - The TCP/IP port on which the Active Directory server is listening. Hire2Retire will only establish the LDAP connection with the SSL port. (The default is 636)
- Base DN - It is a collection of objects that Hire2Retire will access within an Active Directory network.
- Public key of RSA key pair - RSA public key which will be used to encrypt the config file. To know the detailed steps to generate RSA key pair, click here.
- Entra ID sync interval - This setting defines the frequency at which synchronization occurs between Entra ID and your on-premises Active Directory. The sync interval dictates how often user data is updated between Entra ID and your on-premises Active Directory.
By checking the 'Use Global Catalog' checkbox, you can enable the Global Catalog (GC) for your Active Directory connection, which facilitates efficient searches for user and group information across multiple domains.
After filling in the credentials you need to clicks on the "link account" button. After account is successfully linked, follow the Instructions given below to setup Active Directory On-Prem Docker Agent.
The Hire2Retire platform further provides two connection types for Hybrid applications:
- Service Provider Application - In this option, you'll be require to sign-up and delegating the accesses to the RoboMQ application on your behalf
- Customer Owned Application - This option is recommended if you prefer employing your registered application for automation purposes.
Service Provider Application¶
Hybrid application on hire2retire uses OAuth authorization. By linking your Hybrid account with hire2retire, you can authorise the RoboMQ application to have delegated access on your behalf, for which you will be provided with a consent window whenever new resource access permission is required by hire2retire. RoboMQ needs the following permissions on your account to provide a seamless integration experience:
| Scopes | Explanation |
|---|---|
| User.ReadWrite.All | Read and write all user's full profiles |
| Group.ReadWrite.All | Read and write all groups |
| Directory.AccessAsUser.All | Application requires this scope to reset their password. |
| offline_access | Maintain access to data you have given it access to. When a user approves the offline_access scope, your app can receive refresh tokens from the Microsoft identity platform token endpoint. Refresh tokens are long-lived. Your app can get new access tokens as older ones expire. |
Customer Owned Application¶
Hire2Retire does not require the user to sign-in for this connection. Instead, for automation purposes, it will use your application service principal as a service account. Choosing this connection requires you to manage your service account's Application Permission in your Hybrid instance.
Create a Connection¶
You need to have application registered on your tenant & provide necessary permission required by Hire2Retire. Hire2Retire requires the following details to create a connection.
- Entra ID National cloud - Select the specific national or regional instance of a cloud service, such as Microsoft Entra ID National Cloud, tailored to meet local regulatory and compliance needs.
- Client ID - Application ID
- Tenant ID - Unique identifier of the Entra ID instance.
OnPremise Docker Agent Setup Guide¶
After following the above instruction. Read the Setup Guide for Hire2Retire OnPrem Docker Based Agent to Setup the Hire2Retire OnPrem Docker Based Agent..
How to stop the running On-Premise agent docker container¶
When the flow is paused or deleted, user can stop the docker container using command given below
$ docker ps
$ docker container stop CONTAINER ID [CONTAINER...]
Example: docker stop 733e33bfe48b
Delegate Control on Active Directory¶
You can set up the delegated controls (manage user or group) under a specific OU for the service account.
Set up the delegated control on Active Directory
Hybrid with Exchange Online¶
By linking your Hybrid and Exchange Online account with Hire2Retire, you can authorize RoboMQ to have a delegated access on your behalf to both applications.
Hybrid with Exchange Online Connection set up
Hybrid with Entra ID Services¶
By linking your Hybrid and Entra ID account with hire2retire, you can authorize RoboMQ to have a delegated access on your behalf to both applications.
Hybrid with Entra ID Connection set up
Hybrid with SharePoint Online¶
Hybrid with SharePoint Online application on Hire2Retire uses certificate based authorization for authenticating SharePoint Online.
By linking your Hybrid and SharePoint Online account with Hire2Retire, you can authorize RoboMQ to have a delegated access on your behalf to both applications.
Hybrid with SharePoint Online Connection set up
Application Permission¶
Set up application permissions for any application that needs to authenticate itself without the user's help or consent. To authorize a registered application to access the Microsoft Graph API, navigate to API permissions > Add a permission > Microsoft APIs > Microsoft Graph > Application permissions.
RoboMQ needs the following permissions on your registered application to provide a seamless integration eperience:
| Scopes | Explanation |
|---|---|
| User.ReadWrite.All | Allows the user to read and update the user profiles without a signed in user. |
| Group.ReadWrite.All | Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write conversations. All of these operations can be performed by the app without a signed-in user. |
| Directory.ReadWrite.All | Application requires this scope to reset their password. |
| User.EnableDisableAccount.All | Grants the ability to enable or disable any user account within the Entra ID tenant. |
After giving the User.EnableDisableAccount.All permission, you will be required to give your application a User Administrator role by navigating to Microsoft Entra ID > Roles and administrators and search for user administrator, then Add assignments and search for your application name.
