Set up an Ironclad connector

Capabilities

Resource	Sync	Provision
Accounts
Groups

The Ironclad connector supports automatic account provisioning. When a new account is created by ConductorOne, the account’s password will be sent to a vault. This connector does not support account deprovisioning. You must deprovision accounts directly in Ironclad.

Gather Ironclad credentials

Configuring the connector requires you to pass in credentials generated in Ironclad. Gather these credentials before you move on.

A user with the Administrator role in Ironclad must perform this task.

Create an Ironclad OAuth client app

In Ironclad, navigate to your profile menu (located in the top right corner of the screen) > Company settings > API.

Select Create new app.

Give your OAuth client application a name, such as “ConductorOne” and click Create app.

Carefully copy and save the app’s client ID and client secret, then click Continue.

In the Grant Types area, select the grant type that matches your authentication preference:

Client Credentials (Recommended): The simplest setup. Does not require an interactive login. Required for self-hosted connectors.
Authorization Code: Requires logging in and authorizing. Only available for cloud-hosted connectors.

If you selected Authorization Code, enter https://accounts.conductor.one/oauth/callback in the Redirect URI field.

In the Scopes area, give the app the following scopes:

scim.users.readUsers
scim.groups.readGroups

If you want to use ConductorOne to provision Ironclad accounts and groups, add these scopes as well:

scim.groups.updateGroups
scim.users.createUsers
scim.users.deleteUsers

Click Save changes.

That’s it! Next, move on to the connector configuration instructions.

Configure the Ironclad connector

To complete this task, you’ll need:

The Connector Administrator or Super Administrator role in ConductorOne
Access to the set of Ironclad credentials generated by following the instructions above

Cloud-hosted
Self-hosted

Follow these instructions to use a built-in, no-code connector hosted by ConductorOne.

In ConductorOne, navigate to Admin > Connectors and click Add connector.

Search for Ironclad and click Add.

Choose how to set up the new Ironclad connector:

Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app

Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.

Click Next.

Find the Settings area of the page and click Edit.

Select your authentication method:

OAuth Client Credentials (Recommended): The simplest setup. Authenticate using client credentials without an interactive login.
OAuth Authorization Code: Authenticate by logging in and authorizing ConductorOne with your Ironclad instance.

Enter the client ID and client secret into their respective fields.

If using OAuth Client Credentials: Enter the email address of an Ironclad user in the As User Email field. API requests will be made on behalf of this user.

Optional. If you do not want the connector to provision access, click to enable Read only. When enabled, the connector requests a reduced set of OAuth permissions (read-only access to users and groups).

Click Save.

If using OAuth Authorization Code: Click Login with OAuth, then log in and authorize ConductorOne with your Ironclad instance. After authorizing, you’ll be redirected back to the ConductorOne integrations page, where an “Authorized as” message is now printed.

The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.

That’s it! Your Ironclad connector is now pulling access data into ConductorOne.

Follow these instructions to use the Ironclad connector, hosted and run in your own environment.When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with ConductorOne, automatically syncing and uploading data at regular intervals. This data is immediately available in the ConductorOne UI for access reviews and access requests.

Step 1: Set up a new Ironclad connector

In ConductorOne, navigate to Connectors > Add connector.

Search for Baton and click Add.

Choose how to set up the new Ironclad connector:

Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app

Click Next.

In the Settings area of the page, click Edit.

Click Rotate to generate a new Client ID and Secret.Carefully copy and save these credentials. We’ll use them in Step 2.

Step 2: Create Kubernetes configuration files

Create two Kubernetes manifest files for your Ironclad connector deployment:

Secrets configuration

# baton-ironclad-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: baton-ironclad-secrets
type: Opaque
stringData:
  # ConductorOne credentials
  BATON_CLIENT_ID: <ConductorOne client ID>
  BATON_CLIENT_SECRET: <ConductorOne client secret>
  
  # Ironclad credentials
  BATON_IC_CLIENT_ID: <Ironclad OAuth app client ID>
  BATON_IC_CLIENT_SECRET: <Ironclad OAuth app client secret>

  # Optional: include if you use an Ironclad environment other than "na1"
  BATON_ENVIRONMENT: eu1

  # Optional: include if you want ConductorOne to provision access using this connector
  BATON_PROVISIONING: true

See the connector’s README or run --help to see all available configuration flags and environment variables.

Deployment configuration

# baton-ironclad.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: baton-ironclad
  labels:
    app: baton-ironclad
spec:
  selector:
    matchLabels:
      app: baton-ironclad
  template:
    metadata:
      labels:
        app: baton-ironclad
        baton: true
        baton-app: ironclad
    spec:
      containers:
      - name: baton-ironclad
        image: ghcr.io/conductorone/baton-ironclad:latest
        imagePullPolicy: IfNotPresent
        env:
        - name: BATON_HOST_ID
          value: baton-ironclad
        envFrom:
        - secretRef:
            name: baton-ironclad-secrets

Step 3: Deploy the connector

Create a namespace in which to run ConductorOne connectors (if desired), then apply the secret config and deployment config files.

Check that the connector data uploaded correctly. In ConductorOne, click Applications. On the Managed apps tab, locate and click the name of the application you added the Ironclad connector to. Ironclad data should be found on the Entitlements and Accounts tabs.

That’s it! Your Ironclad connector is now pulling access data into ConductorOne.

Welcome

Build connectors

Configure connectors

Deploy connectors

Upload connector data

Connector library

Set up an Ironclad connector

Capabilities

Gather Ironclad credentials

Create an Ironclad OAuth client app

Configure the Ironclad connector

Step 1: Set up a new Ironclad connector

Step 2: Create Kubernetes configuration files

Secrets configuration

Deployment configuration

Step 3: Deploy the connector

Welcome

Build connectors

Configure connectors

Deploy connectors

Upload connector data

Connector library

​Capabilities

​Gather Ironclad credentials

​Create an Ironclad OAuth client app

​Configure the Ironclad connector

​Step 1: Set up a new Ironclad connector

​Step 2: Create Kubernetes configuration files

​Secrets configuration

​Deployment configuration

​Step 3: Deploy the connector

Capabilities

Gather Ironclad credentials

Create an Ironclad OAuth client app

Configure the Ironclad connector

Step 1: Set up a new Ironclad connector

Step 2: Create Kubernetes configuration files

Secrets configuration

Deployment configuration

Step 3: Deploy the connector