Warning
Breaking Change — Field Renaming Required
Fields in the SaltoSpace connector have been updated.
Please see the Migration section for instructions on how to upgrade safely.
Warning
This script is for the new PowerShell connector. Make sure to use the mapping and correlation keys as described in this readme. For more information, please read our documentation.
Important
This repository contains only the connector and configuration code. The implementer is responsible for acquiring connection details such as the username, password, certificate, etc. You may also need to sign a contract or agreement with the supplier before implementing this connector. Please contact the client's application manager to coordinate the connector requirements.
- HelloID-Conn-Prov-Target-SaltoSpace
This connector provisions accounts and permissions from HelloID into Salto ProAccess Space through a staging SQL database.
The connector handles:
- Account lifecycle management (create, update, enable, disable, delete, import)
- Permission management (grant, revoke, import)
- Synchronization via a staging table, consumed by the Salto import process
The following features are available:
| Feature | Supported | Actions | Remarks |
|---|---|---|---|
| Account Lifecycle | ✅ | Create, Update, Enable, Disable, Delete | Enable and Disable are managed by setting dtActivation and dtExpiration. |
| Permissions | ✅ | Retrieve, Grant, Revoke | Importing permissions requires adding the Permission Grant script in the 'Update action script' section. |
| Resources | ❌ | - | |
| Entitlement Import: Accounts | ✅ | - | After importing account entitlements, run Update Account first to prevent errors and dependency issues. |
| Entitlement Import: Permissions | ✅ | - | Importing permissions requires adding the Permission Grant script in the 'Update action script' section. |
| Governance Reconciliation Resolutions | ✅ | - | Direct reconciliation actions in Salto are not supported because HelloID only manages the staging database and not the Salto Database. |
- Salto Staging SQL Database:
  - Create a dedicated SQL database (e.g. `Salto_STAGING`)
  - Run the included script `createStagingDBTable.sql` to generate the staging table
  - Grant read/write access to the HelloID service account
  - Windows Authentication recommended; SQL login possible if required.
- Salto Database Access:
  - Ensure HelloID has at least read access to the Salto database
  - Ideally via the HelloID service account with Windows Authentication
- Salto Import Job:
  - Configuration: The Salto import job needs to be set up. For detailed configuration steps, refer to the Salto Systems support guide: Salto Import Job Setup. In the mapping configuration, use the same column sequence as defined in `createStagingDBTable.sql`.
- HelloID Concurrent Sessions:
  - Session Limit: Set the maximum number of concurrent sessions in HelloID to 1. Exceeding this limit can cause unexpected issues, such as permissions being overwritten or not properly assigned.
- The `name` field in Salto must be unique and is built from the combination of `Title`, `FirstName`, and `LastName`.
- To ensure uniqueness, it is recommended to include the employee ID in one of these fields.
- Importing Account Access entitlements correctly may vary depending on your Salto configuration. For example, an empty `dtExpiration` value in Salto might be stored as `01/01/2000 00:00:00` in the Salto database. Please validate the result and adjust accordingly.

  ```powershell
  # This setting may differ depending on your Salto configuration. Please adjust accordingly.
  if ($account.dtExpiration -eq '01/01/2000 00:00:00') {
      $account.dtExpiration = $null
      $isActive = ($now -ge $dtActivation)
  }
  ```
- Do not manually change the values `dtExpiration` and `dtActivation`, as activation and deactivation are managed through the Account Access entitlement.
- The `MobileAppType` field is indexed starting at 0. This means the value in the staging table is always one less than the corresponding value in the Salto database. Make sure to account for this when mapping values.
- Since data is written to a staging database that Salto processes independently, HelloID is not informed of any errors that occur during Salto’s processing.
- Additionally, any manual changes made directly in the Salto database will be overwritten during the next synchronization with the staging database.
A Salto Staging database needs to be configured.
The Salto import job needs to be configured. For detailed setup instructions, please refer to the Salto Systems support guide: Salto Import Job Setup.
If you have any questions on this, please contact your Salto representative.
The correlation configuration specifies which properties are used to match accounts in Salto with users in HelloID.
To properly set up the correlation:
- Open the `Correlation` tab.
- Specify the following configuration:

| Setting | Value |
|---|---|
| Person Correlation Field | `ExternalId` |
| Account Correlation Field | `Dummy2` |
Important
The Account Correlation Field (Dummy2) is just an example. Make sure to change this accordingly.
Tip
For more information on correlation, please refer to our correlation documentation pages.
The field mapping can be imported by using the fieldMapping.json file.
| Setting | Description | Mandatory |
|---|---|---|
| Salto Database Connection string | The connection string used to connect to the Salto SQL database. | Yes |
| Salto Staging Database Connection string | The connection string used to connect to the Salto Staging SQL database. | Yes |
| Salto staging table name | The name of the Salto staging table. | Yes |
| Username | Optional: The username of the SQL user to use in the connection string. Note: Not compatible with Trusted_Connection=True in the connection string as it requires Windows Authentication. | No |
| Password | Optional: The password of the SQL user to use in the connection string. Note: Not compatible with Trusted_Connection=True in the connection string as it requires Windows Authentication. | No |
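One way to enforce the Username/Password restriction from the table before a connection is opened, as an added example that is not the connector's own code. The function and parameter names are hypothetical, and passing the SQL login through `SqlCredential` instead of appending it to the connection string is a choice made for this example.

```powershell
# Added example; New-SaltoSqlConnection and its parameters are hypothetical names.
function New-SaltoSqlConnection {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string] $ConnectionString,
        [string] $Username,
        [string] $Password
    )

    # Parse instead of string-matching: 'Trusted_Connection' and 'Integrated Security'
    # are synonyms, and 'True', 'yes' and 'SSPI' all switch on Windows Authentication.
    $builder = [System.Data.SqlClient.SqlConnectionStringBuilder]::new($ConnectionString)

    if ([string]::IsNullOrEmpty($Username)) {
        # No SQL login configured: use the connection string as supplied.
        return [System.Data.SqlClient.SqlConnection]::new($builder.ConnectionString)
    }

    if ($builder.IntegratedSecurity) {
        throw 'Username/Password cannot be combined with Trusted_Connection=True. Remove one of the two.'
    }
    if ($builder.UserID -or $builder.Password) {
        throw 'Credentials are set both in the connection string and in the Username/Password settings.'
    }
    if ([string]::IsNullOrEmpty($Password)) {
        throw 'A Username was supplied without a Password.'
    }

    # SqlCredential keeps the password out of the connection string, so it does not
    # show up when the string is logged. The SecureString must be read-only.
    $secure = ConvertTo-SecureString -String $Password -AsPlainText -Force
    $secure.MakeReadOnly()
    $credential = [System.Data.SqlClient.SqlCredential]::new($Username, $secure)

    return [System.Data.SqlClient.SqlConnection]::new($builder.ConnectionString, $credential)
}

# Constructed sample values; nothing is opened until .Open() is called.
$connection = New-SaltoSqlConnection `
    -ConnectionString 'Server=sql01.example.local;Database=Salto_STAGING' `
    -Username 'svc_helloid_example' -Password 'constructed-sample-only'
$connection.ConnectionString   # contains no password
```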
If you are upgrading from an older version of this connector, the staging table must be updated to match the new field naming convention.
| Old field name | New field name |
|---|---|
| `ExtUserID` | `ExtID` |
| `UserActivation` | `dtActivation` |
| `UserExpiration.ExpDate` | `dtExpiration` |
| `GPF1` | `Dummy1` |
| `GPF2` | `Dummy2` |
| `GPF3` | `Dummy3` |
| `GPF4` | `Dummy4` |
| `GPF5` | `Dummy5` |
| `Antipassback` | `AntipassbackEnabled` |
Adjust the Salto import definition so that it matches the renamed fields in the staging table.
Do not change the column order in SQL during migration; the order must remain the same as before.
If the column order is changed, the Salto import job definition must also be updated.
During the migration, disable the Salto import job in Salto to prevent data inconsistencies.
Re-enable the job once the staging table and import definition are fully updated.
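The rename step can be scripted so that columns are renamed in place, which keeps the column order unchanged. The following is an added example, not part of the connector: it assumes the staging database is Microsoft SQL Server, that the old columns are named exactly as in the table above, and that the table lives in the `dbo` schema. The function names are hypothetical and the table name is a placeholder.

```powershell
# Added example: builds T-SQL text only; it never connects to a database.
# Old -> new column names, copied from the migration table above.
$SaltoFieldRenames = [ordered]@{
    'ExtUserID'              = 'ExtID'
    'UserActivation'         = 'dtActivation'
    'UserExpiration.ExpDate' = 'dtExpiration'
    'GPF1'                   = 'Dummy1'
    'GPF2'                   = 'Dummy2'
    'GPF3'                   = 'Dummy3'
    'GPF4'                   = 'Dummy4'
    'GPF5'                   = 'Dummy5'
    'Antipassback'           = 'AntipassbackEnabled'
}

# Bracket-quote identifiers so a dot or bracket inside a name is not read as a
# separator, and escape single quotes in string literals.
function ConvertTo-SqlIdentifier([string] $Name) { '[' + $Name.Replace(']', ']]') + ']' }
function ConvertTo-SqlLiteral([string] $Text) { "N'" + $Text.Replace("'", "''") + "'" }

function New-SaltoStagingRenameScript {
    param(
        [Parameter(Mandatory)][string] $TableName,   # your configured staging table name
        [string] $Schema = 'dbo'                      # assumption: default schema
    )
    $table    = "$(ConvertTo-SqlIdentifier $Schema).$(ConvertTo-SqlIdentifier $TableName)"
    $tableLit = ConvertTo-SqlLiteral $table

    $statements = foreach ($old in $SaltoFieldRenames.Keys) {
        $new    = $SaltoFieldRenames[$old]
        $source = ConvertTo-SqlLiteral "$table.$(ConvertTo-SqlIdentifier $old)"
        @(
            # Guard makes the script safe to re-run: already-renamed columns are skipped.
            "IF EXISTS (SELECT 1 FROM sys.columns WHERE object_id = OBJECT_ID($tableLit) AND name = $(ConvertTo-SqlLiteral $old))"
            # The new name is passed unbracketed; brackets here would become part of the name.
            "    EXEC sp_rename $source, $(ConvertTo-SqlLiteral $new), N'COLUMN';"
        ) -join [Environment]::NewLine
    }
    $statements -join [Environment]::NewLine
}

# Placeholder table name: replace with the value from the connector configuration.
New-SaltoStagingRenameScript -TableName '<your staging table name>'
```

Review the generated statements and run them against the staging database while the Salto import job is disabled.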
Important
Migration to this new version requires both a staging table update and import definition update.
Failing to do so will break connector functionality.
Tip
For more information on how to configure a HelloID PowerShell connector, please refer to our documentation pages.
Tip
If you need help, feel free to ask questions on our forum.
The official HelloID documentation can be found at: https://docs.helloid.com/
