OrbisID
Description
The OrbisID connector lets one OrbisID instance scan another OrbisID instance's own application users. Organisations that run multiple OrbisID deployments (e.g. one per region, business unit, or environment) can use this connector to centrally track which application accounts hold the ADMINISTRATOR role across every instance they own — the same way any other target system's privileged accounts are tracked. Authentication uses an SDK API key created on the target instance (Administration → API Keys); no OrbisID SDK installation or extra software is required.
System Type Classification
| Field | Value |
|---|---|
| System Type | Application |
| Default Scan Priority | 500 |
Version Support
| OrbisID Edition | Supported |
|---|---|
| Community | No |
| Pro | Yes |
| Enterprise | Yes |
OrbisID-to-OrbisID scanning requires a Pro or Enterprise licence.
Supported Protocol
| Protocol | Port | Notes |
|---|---|---|
| OrbisID REST API (HTTPS + SDK API key) | 443 TCP | X-API-Key header authentication |
What OrbisID Discovers
| Data | Source |
|---|---|
| Application user accounts | GET {baseUrl}/api/v1/sdk/users |
| Account status (enabled/disabled) | enabled field, derived from the target user's status and lock state |
| Application role | role field — the user's effective role (resolves an OIDC-inherited role to its mapped value) |
Privileged Role Detection
Each distinct role returned is discovered as its own Entitlement (type ORBISID_ROLE). Only ADMINISTRATOR is flagged privileged, matching that role's full-access scope in OrbisID's own RBAC model — IAM_GOVERNANCE_MANAGER and IAM_GOVERNANCE_ANALYST are discovered as non-privileged entitlements.
Connection Requirements
SDK API Key on the Target Instance
- On the target OrbisID instance (the one being scanned), sign in as an Administrator
- Navigate to Administration → API Keys
- Click Create API Key, give it a descriptive name (e.g.
scan-from-eu-prod), and copy the key immediately — it is shown only once - No additional role or scope configuration is needed; the key only grants access to the read-only
/api/v1/sdk/*endpoints
Credential Mapping
| OrbisID Field | Value |
|---|---|
credential.password | The SDK API key created on the target instance |
credential.username | Not used — leave blank or use a reference label |
System Attributes
None required.
Network Requirements
| Requirement | Detail |
|---|---|
| Outbound HTTPS | The scanning OrbisID instance (or its On-Premise Agent) must reach the target instance's hostname on port 443 |
Configuration Steps
- Create an SDK API key on the target instance (see above)
- Create a Credential in OrbisID:
- Username: (optional, e.g.
eu-prod-scan-keyfor reference) - Password: The SDK API key value
- Username: (optional, e.g.
- Navigate to Systems → Add System
- Fill in the fields:
| Field | Value |
|---|---|
| System Name (General tab) | Descriptive name (e.g., OrbisID – EU Prod) — an identifier only, not used to connect |
| IP Address / Hostname (Connection tab) | Base URL of the target instance (e.g., https://orbisid-eu.example.com) |
| OS Type | OrbisID |
| System Type | Application |
| Credential | The SDK API key credential created above |
- Click Test Connection — this calls the target instance's
/api/v1/sdk/validate-keyendpoint - Click Save
Add one Target System per OrbisID instance you want to track, each with its own dedicated API key credential — this mirrors how every other connector in OrbisID is configured.
Troubleshooting
| Symptom | Likely Cause | Resolution |
|---|---|---|
401 / "Invalid or expired API key" | Wrong or revoked API key | Re-create the API key on the target instance and update the credential |
401 / "This API key is not authorised for SDK operations" | A non-SDK API key was used (e.g. a Scan Agent or Endpoint Sensor key) | Create a dedicated key of type SDK via Administration → API Keys |
| Connection refused / timeout | Network path to the target instance blocked | Confirm outbound HTTPS access to the target instance's hostname on port 443; use an On-Premise Agent if the target is on a segmented network |
| No accounts returned | Target instance has no users, or the wrong field has the base URL | Verify the base URL is set in IP Address / Hostname on the Connection tab, not System Name on the General tab — System Name is a display-only identifier and is never used to connect |
| "OrbisID base URL is required" error even though a value was entered | The base URL was entered in System Name (General tab) instead of IP Address / Hostname (Connection tab) | Move the base URL to the IP Address / Hostname field on the Connection tab |