ICF 1.5.20.25

Marketo connector

The Marketo connector lets you synchronize between IDM managed users and a Marketo leads database. You can synchronize any managed user to Marketo—those who have been added directly to the IDM repository, and those who have registered themselves through a Social Identity Provider.

The Marketo connector is an implementation of the Scripted Groovy Connector, and lets you interact with leads in a Marketo database, using Groovy scripts for the ICF operations.

To use the Marketo connector, you need:

  • A Marketo account

  • A client ID and client secret

  • The REST API URL for your IDM service

  • A custom list created in your Marketo leads database

To obtain these details from Marketo, refer to the Marketo documentation.

Install the Marketo connector

If you are looking for the Advanced Identity Cloud application for this connector, refer to:

You can download any connector from Backstage, but some are included in the default deployment for Advanced Identity Cloud, IDM, or RCS. When using an included connector, you can skip installing it and move directly to configuration.

Connector included in default deployment
Connector IDM RCS

Yes

No

Download the connector .jar file from Backstage.

  • If you are running the connector locally, place it in the /path/to/openidm/connectors directory, for example:

    mv ~/Downloads/marketo-connector-1.5.20.23.jar /path/to/openidm/connectors/
  • If you are using a remote connector server (RCS), place it in the /path/to/openicf/connectors directory on the RCS.

Configure the Marketo connector

Create a connector configuration using the IDM admin UI:

  1. From the navigation bar, click Configure > Connectors.

  2. On the Connectors page, click New Connector.

  3. On the New Connector page, type a Connector Name.

  4. From the Connector Type drop-down list, select Marketo Connector - 1.5.20.23.

  5. Complete the Base Connector Details.

    For a list of all configuration properties, refer to Marketo Connector Configuration
  6. Click Save.

When your connector is configured correctly, the connector displays as Active in the admin UI.

Refer to this procedure to create a connector configuration over REST.

Alternatively, configure the connector with a configuration file.

A sample connector configuration file is bundled with IDM, provided at /path/to/openidm/samples/example-configurations/provisioners/provisioner.openicf-marketo.json. Copy the sample connector configuration file to your project’s conf/ directory.

This sample connector configuration shows the mandatory properties:

Sample Marketo connector configuration
{
    "displayName" : "MarketoConnector",
    "description" : "Connector used to sync users to Marketo leads",
    "author" : "ForgeRock",
    "enabled" : true,
    "connectorRef" : {
        "bundleName" : "org.forgerock.openicf.connectors.marketo-connector",
        "bundleVersion" : "[1.5.0.0,1.6.0.0)",
        "connectorName" : "org.forgerock.openicf.connectors.marketo.MarketoConnector"
    },
    ...
    "configurationProperties" : {
        "instance" : "<INSTANCE_FQDN>",
        "clientId" : "<CLIENT_ID>",
        "clientSecret" : "<CLIENT_SECRET>",
        "leadFields" : null,
        "partitionName" : null,
        "listName" : "<LEAD_LIST_NAME>",
        "scriptRoots" : [
            "jar:file:connectors/marketo-connector-1.5.20.23.jar!/scripts/marketo/"
        ],
        ...
    },
    ...
}
instance

To locate the REST API endpoint URL in Marketo, select Admin > Web Services, scroll down to REST API, and find the endpoint. Use that REST endpoint as the value of the instance property in your connector configuration. Remove the protocol and /rest from the URL. For example, if the endpoint is https://some-number.mktorest.com/rest, the value of the instance property must be some-number.mktorest.com.

clientId

Locate the client ID in the details of your Marketo service LaunchPoint.

clientSecret

Locate the client secret in the details of your Marketo service LaunchPoint.

listName

The name of the custom list created in your Marketo Leads database.

scriptRoots

The path to the Groovy scripts that perform the ICF operations, relative to your installation directory. For the Marketo connector, the scripts are bundled in the connector .jar file, so the sample connector configuration uses the path jar:file:connectors/marketo-connector-1.5.20.23.jar!/scripts/marketo/.

For a complete list of configuration properties, refer to Marketo Connector Configuration.

Test the Marketo connector

When the connector is configured correctly, you can test its status by running the following command:

curl \
--header "X-OpenIDM-Username: openidm-admin" \
--header "X-OpenIDM-Password: openidm-admin" \
--header "Accept-API-Version: resource=1.0" \
--request POST \
"http://localhost:8080/openidm/system?_action=test"
[
  {
    "name": "marketo",
    "enabled": true,
    "config": "config/provisioner.openicf/marketo",
    "objectTypes": [
      "__ALL__",
      "account"
    ],
    "connectorRef": {
      "bundleName": "org.forgerock.openicf.connectors.marketo-connector",
      "connectorName": "org.forgerock.openicf.connectors.marketo.MarketoConnector",
      "bundleVersion": "[1.5.0.0,1.6.0.0)"
    },
    "displayName": "Marketo Connector",
    "ok": true
  }
]

A status of "ok": true indicates that the connector can reach your Marketo database.

Marketo remote connector

If you want to run this connector outside of PingOne Advanced Identity Cloud or IDM, you can configure the Marketo connector as a remote connector. Java Connectors installed remotely on a Java Connector Server function identically to those bundled locally within PingOne Advanced Identity Cloud or installed locally on IDM.

You can download the Marketo connector from here.

Refer to Remote connectors for configuring the Marketo remote connector.

Reconcile users with a Marketo leads database

The Marketo connector lets you reconcile IDM users (including managed users and users who have registered through a social identity provider) with a Marketo leads database. To set up reconciliation to a Marketo database, copy the following sample mapping file to your project’s conf directory:

/path/to/openidm/samples/example-configurations/marketo/sync.json

This file sets up a mapping from the managed user repository to Marketo user accounts. The file includes transformations for user accounts registered through Facebook and LinkedIn. You can use these transformations as a basis for transformations from other social identity providers.

If you have an existing mapping configuration, add the content of this sample sync.json to your existing mapping.

The sample mapping restricts reconciliation to users who have accepted the marketing preferences with the following validSource script:

"validSource" : {
    "type" : "text/javascript",
    "globals" : {
        "preferences" : [
            "marketing"
        ]
    },
    "file" : "ui/preferenceCheck.js"
}

When a user registers with IDM, they can choose to accept this condition. As a regular user, they can also select (or deselect) the condition in the End User UI by logging into IDM at http://localhost:8080/, and selecting Preferences.

If a user deselects the marketing preference after their account has been reconciled to Marketo, the next reconciliation run will remove the account from the Marketo database.

For more information on how preferences work in a mapping, refer to User preferences.

Implementation specifics

For PATCH requests, a connector can potentially add, remove, or replace an attribute value. The Marketo connector does not implement the add or remove operations, so a PATCH request always replaces the entire attribute value with the new value.

OpenICF Interfaces Implemented by the Marketo Connector

The Marketo Connector implements the following OpenICF interfaces. For additional details, see ICF interfaces:

Authenticate

Provides simple authentication with two parameters, presumed to be a user name and password.

Create

Creates an object and its uid.

Delete

Deletes an object, referenced by its uid.

Resolve Username

Resolves an object by its username and returns the uid of the object.

Schema

Describes the object types, operations, and options that the connector supports.

Script on Connector

Enables an application to run a script in the context of the connector.

Any script that runs on the connector has the following characteristics:

  • The script runs in the same execution environment as the connector and has access to all the classes to which the connector has access.

  • The script has access to a connector variable that is equivalent to an initialized instance of the connector. At a minimum, the script can access the connector configuration.

  • The script has access to any script arguments passed in by the application.

Script on Resource

Runs a script on the target resource that is managed by this connector.

Search

Searches the target resource for all objects that match the specified object class and filter.

Sync

Polls the target resource for synchronization events, that is, native changes to objects on the target resource.

Test

Tests the connector configuration.

Testing a configuration checks all elements of the environment that are referred to by the configuration are available. For example, the connector might make a physical connection to a host that is specified in the configuration to verify that it exists and that the credentials that are specified in the configuration are valid.

This operation might need to connect to a resource, and, as such, might take some time. Do not invoke this operation too often, such as before every provisioning operation. The test operation is not intended to check that the connector is alive (that is, that its physical connection to the resource has not timed out).

You can invoke the test operation before a connector configuration has been validated.

Update

Updates (modifies or replaces) objects on a target resource.

Marketo Connector Configuration

The Marketo Connector has the following configurable properties:

Configuration properties

Property Type Default Encrypted(1) Required(2)

instance

String

null

Yes

The Marketo-assigned FQDN for your instance.

clientId

String

null

Yes

Your OAuth2 client ID.

clientSecret

GuardedString

null

Yes

Yes

Your OAuth2 client secret.

leadFields

String

null

No

Comma-delimited list of lead fields to fetch; Leave empty for default set.

partitionName

String

null

No

Name of the partition in which to create and update leads; May be left empty.

listName

String

null

Yes

Name of the Marketo static list the connector will use to manage leads.

accessToken

String

null

Yes

The access token for the application.

tokenExpiration

Long

null

Yes

The expiration token for the application.

(1) Whether the property value is considered confidential, and is therefore encrypted in IDM.

(2) A list of operations in this column indicates that the property is required for those operations.

Groovy Engine configuration

Property Type Default Encrypted(1) Required(2)

scriptRoots

String[]

['bundle-file-path!/scripts/marketo/']

Yes

The root folder to load the scripts from. If the value is null or empty the classpath value is used.

classpath

String[]

[]

No

Classpath for use during compilation.

debug

boolean

false

No

If true, debugging code should be activated.

disabledGlobalASTTransformations

String[]

null

No

Sets a list of global AST transformations which should not be loaded even if they are defined in META-INF/org.codehaus.groovy.transform.ASTTransformation files. By default, none is disabled.

minimumRecompilationInterval

int

100

No

Sets the minimum of time after a script can be recompiled.

recompileGroovySource

boolean

false

No

If set to true recompilation is enabled.

scriptBaseClass

String

null

No

Base class name for scripts (must derive from Script).

scriptExtensions

String[]

['groovy']

No

Gets the extensions used to find groovy files.

sourceEncoding

String

UTF-8

No

Encoding for source files.

targetDirectory

File

null

No

Directory into which to write classes.

tolerance

int

10

No

The error tolerance, which is the number of non-fatal errors (per unit) that should be tolerated before compilation is aborted.

verbose

boolean

false

No

If true, the compiler should produce action information.

warningLevel

int

1

No

Warning Level of the compiler.

customConfiguration

String

null

No

Custom Configuration script for Groovy ConfigSlurper.

customSensitiveConfiguration

GuardedString

null

Yes

No

Custom Sensitive Configuration script for Groovy ConfigSlurper.

(1) Whether the property value is considered confidential, and is therefore encrypted in IDM.

(2) A list of operations in this column indicates that the property is required for those operations.

Operation Script Files

Property Type Default Encrypted(1) Required(2)

authenticateScriptFileName

String

null

The name of the file used to perform the AUTHENTICATE operation.

createScriptFileName

String

CreateMarketo.groovy

The name of the file used to perform the CREATE operation.

customizerScriptFileName

String

null

No

The script used to customize some function of the connector. Read the documentation for more details.

deleteScriptFileName

String

DeleteMarketo.groovy

The name of the file used to perform the DELETE operation.

resolveUsernameScriptFileName

String

null

The name of the file used to perform the RESOLVE_USERNAME operation.

schemaScriptFileName

String

SchemaMarketo.groovy

The name of the file used to perform the SCHEMA operation.

scriptOnResourceScriptFileName

String

null

The name of the file used to perform the RUNSCRIPTONRESOURCE operation.

searchScriptFileName

String

SearchMarketo.groovy

The name of the file used to perform the SEARCH operation.

syncScriptFileName

String

null

The name of the file used to perform the SYNC operation.

testScriptFileName

String

TestMarketo.groovy

The name of the file used to perform the TEST operation.

updateScriptFileName

String

UpdateMarketo.groovy

The name of the file used to perform the UPDATE operation.

(1) Whether the property value is considered confidential, and is therefore encrypted in IDM.

(2) A list of operations in this column indicates that the property is required for those operations.