Connector team, specialists in smart integrations
HelloID serves as a central hub across the applications in your network. Connecting applications to HelloID is easy thanks to our extensive catalog of connectors. Those connectors are developed by our 'connector team'. We spoke with the product owner of that team, Michiel.
What is your role as product owner?
First, I should explain what these connectors are. A connector is an integration between HelloID and a specific application. The strength of our connectors is that you can configure them relatively easily for a specific customer. What also makes us unique as an IAM provider is that we already have over 200 connectors in our catalog so all common applications can be connected easily. And if a customer wants to connect an application for which we do not yet have a connector, then we can usually develop and deliver it quickly. We develop such a new integration at no cost. There is usually a fee for implementation and support if we or a partner handle this for the customer.
'Our philosophy is to make HelloID integration transparent and easy to adopt.'
Our connector team develops these new connectors, and together with our consulting team we also handle maintenance and updates for existing connectors. We do this with several developers, and as product owner I act as the link between customers, vendors, and the development team. When a customer requests a new connector or an expansion of an existing one, I elaborate the request and assess whether it is technically feasible. I then create a functional design and a technical design that I hand over to the development team. They then build the integration.
So you build custom solutions?
Yes and no. Many applications that we connect to HelloID are generic business applications used by many customers. Think of widely used office suites, HR applications, healthcare systems, and IT Service Management systems. When we develop a connector for such an application it can usually be used by multiple customers. The connector therefore has a generic application, but its development is of course custom. We take a pragmatic, customer-driven approach. In the first development of an integration, we base it on the customer’s functional requirements. By keeping the scope small, exactly fit for purpose, we reduce the lead time and complexity of the integration. In subsequent customer intakes and implementations the integration may be expanded because there are additional requirements. This allows the connector to be further developed over time.
With HelloID we generally manage accounts and access rights, but because every application has a different structure, the interaction with HelloID will differ for each application. Even in comparable applications, vendors have usually made different technical choices for communication protocols, message types, and data formats. The API of every application therefore looks different, there is always significant research, and the development of each connector involves custom work. That also makes the work enjoyable.
Do you also distinguish different types of connectors?
Yes, we distinguish source systems and target systems. Connectors with source systems are relatively simpler because we mainly read data. In HR systems, for example, you register information about employees’ names, roles, departments, and work locations. HelloID reads that data but does not perform operations on the HR data in the source system. The challenge is mainly mapping the data formats of different source systems into HelloID to our own internal data structure.
'The difference is querying versus performing actions.'
Target systems are more complex for HelloID because we perform various actions in them. For example, we must be able to create, update, activate, deactivate, and delete accounts. You must also be able to assign or revoke specific permissions. That means we usually spend a bit more time developing such a target connector.
Depending on the complexity, the circumstances, and the parties involved, the development lead time can vary from two weeks to two months.
How does requesting a connector work? Is it easy?
Every customer can simply submit a request for a new connector through a TOPdesk form. In it, you provide all relevant details such as the type of application, functionality, number of users, API documentation, etc. Based on that, a colleague from our sales team makes an initial assessment, including checking whether a connector is already available. If that is not the case, then I determine the impact and feasibility. Often a standard API is available from the vendor and we can develop the integration quickly. If such an interface is missing, then more research is needed and I will, for example, talk to the vendor to make such an interface possible.
Do you spend much time on the security of a connector like that?
Absolutely! Many security measures are already standard parts of the HelloID platform, but there are items we always check. Some vendors provide integration partners like us by default with only one set of credentials to secure data exchange for all customers. We, however, want unique usernames, passwords, or tokens per customer so that every customer retains control of their own data. That first needs to be resolved.
We also use relatively innocuous source data such as a person’s name, role, and department. Some HR systems, however, use a standard API that directly shares many other personal data, such as salary data and the national identification number (BSN). We do not want to receive that sensitive data at all, and we need to address this first to remain compliant with the GDPR.
'We check security in three steps: product owner, developers, and consultants with the customer.'
In practice we work with a three-step check to cover all security risks. I check all relevant items during the initial assessment. If I overlook something, the developers will flag it. And the implementation consultants with the customer also review the exchanged data once more.
What tools do you use for development?
We build our connectors using PowerShell and Visual Studio. We publish the developed code in GitHub, which we also use for version control and further documentation. This is a deliberate choice. By using PowerShell, our consultants, partners, and customers’ IT staff can also develop and implement the connector if needed. This prevents a lock-in where the customer depends on the availability of our developers or consultants. Our entire development is organized to be as open and transparent as possible so that everyone can work with the connectors themselves as much as possible.
So your connector team does not install the connectors at the customer site?
Correct, we only build the integration. Once it is ready and tested, others roll it out at a customer. That can be one of our own HelloID consultants or a colleague at an implementation partner. And some connectors can be installed by the customer’s HelloID administrators themselves. That is less likely with complex healthcare applications, but with a simpler connector that can sometimes be an option.
It is important to plan that customer implementation in time. I am often asked how quickly a connector can be developed, but we are rarely the bottleneck. Our development times are relatively short; the preliminary phase usually takes more time and you mainly need to plan the rollout project well. You usually need an implementation consultant, the customer’s administrators must be available, and various items must still be prepared at the customer. So account for that in your planning.