Set up integration with Salto

This article includes updates for Smart ID 23.04.

This article describes how to configure the Salto Service, to enable integration between Smart ID Identity Manager, Smart ID Physical Access component and Salto.

The Access Control System Salto is managed by a GUI. The Salto Service interacts with Salto through a web-based API. After integration, all administration of Users, Access Token and Entitlements (besides defining them) should be done in Identity Manager, never in Salto.

For details on which data can be imported and exported from Salto, see About import and export to Physical Access.

Prerequisites

The following prerequisites apply:

Physical Access and Salto Docker container/service are installed. See Deploy Smart ID.
Supported Salto client version must be installed. Check the supported versions in Supported PACS connectors in Identity Manager.
The message queue server must be running.
If MIFARE card technology is used, the PACS MIFARE number must be available as raw data (not encrypted, truncated, or similar).
A working network connection to the connected physical access control systems (PACS) must be in place.

Configure Salto Service data fields

The Salto data is configured in the configuration table in the Physical Access database. All configuration is cached when the service starts so any configuration changes will require the service to be restarted in order to take effect.

Configure database

For information about how to connect to a PACS system, see Connect to a PACS system in PACS admin panel.

For information about group: messagingqueue, see Physical Access database - common parameters.

group: general

key

Data type

Required or Optional

Description

updatesPerPoll

int

Optional

The maximum number of messages read from the message queue.

Default: 100

group: Salto.import

key	Data type	Required or Optional	Description
DbName	string	Required	The name of the database to be used by Salto.
connectionstring	string	Required	The connection string to the Salto database.
departmentFilter	string	Optional	Makes it possible to filter departments with the help of a department name available in Salto database, for example `"Admnistration"`. Default: NULL.
groupNameTemplate	string	Required	This string will separate the access group name and the department name if `useSaltoDepartment` is set to `true`. Default: “{DepartmentName} – {Name}”.
useUpgradedVersion	bool	Required	If set to `true`, the upgraded version of Salto (Salto Pro-Access Space) will be used. If set to `false`, the old version of Salto (Salto Pro-Access RW) will be used. The table that was called `tb_departments` in the old version changed name to `tb_partitions` in the upgraded version and added full supports for Zones, Rooms etc.
EntitlementType	string	Required	EntitlementType is used to set which type of access elements Physical Access should import and export in Salto Pro-Access Space. To have support for two types, add it like “ACCESSLEVEL,ZONE”. Default: “ACCESSLEVEL”. Salto Pro-Access RW supports only "ACCESSLEVEL". The system will automatically override types configured with other than "ACCESSLEVEL".

These EntitlementTypes are supported:

EntitlementType	Description
ACCESSLEVEL	If EntitlementType is set to ACCESSLEVEL, only User access levels type access element are imported to Physical Access.
ZONE	If EntitlementType is set to ZONE, only Zones type access element are imported to Physical Access.
STANDARD	If EntitlementType is set to STANDARD, only Doors type access element are imported to Physical Access.
ROOM	If EntitlementType is set to ROOM, only Rooms type access element are imported to Physical Access.
LOCKER	If EntitlementType is set to LOCKER, only Lockers type access element are imported to Physical Access.
SUBSUITE	If EntitlementType is set to SUBSUITE, only SUBSUITE type access element are imported to Physical Access.
ASSOCIATED	If EntitlementType is set to ASSOCIATED, only ASSOCIATED type access element are imported to Physical Access.
SUITE	If EntitlementType is set to SUITE, only SUITE type access element are imported to Physical Access.

group: Salto.export

key	Data type	Required or Optional	Description
inactiveCardPrefix	bool	Optional	This is a string prefix to append with card number in case of access token is Inactive. It is used only when removeInactiveCard is false. In that case the title of the user will be inactiveCardPrefix followed by unique card number in such a way that the Title length will be 10. If prefix length is more than 10 characters, then all inactive access tokens of same person will have same title. Default: "IN"
removeInactiveCard	bool	Optional	Set this to `true` if users should be deleted when the card becomes inactive. If it is `false`, the user will remain in the Salto system, and all the accesses and rom code will be removed, and Title will have the prefix followed by unique card number. Default: false
importPath	string	Required	The path to the import folder, that the Salto connector can write files to, so that the Salto system can read them. Default: “C:\Salto” For docker version, follow these steps: Mount the Salto Import directory on the host machine, see Mount Salto CIFS between Linux and Windows Update the same path in the docker-compose file by adding new volume mapping for the Salto service: CODE `volumes: - "<Mount path of host machine>:<Mount path for Docker container>:rw" example: - "./mnt/salto_share:/mnt/salto_share:rw"` Update the same path (/mnt/salto_share/) in the ‘importPath’ configuration setting for the Salto service using the Physical Access Admin Panel, see Log in to Physical Access admin panel. If Salto connector service(container) is in running condition then restart it to reload updated changes.
importFolder	string	Optional	The import folder, that the Salto connector can write files to, so that the Salto system can read them. Default: “General”
defaultValidationPeriod	uint	Optional	The default validation period in days for cards that do not have this property set. Default: 8
exportRowSuffix	string	Optional	This value will be added to the end of a row in the files exported, for example "," or ";". Default: “”
accessGroupSeparator	string	Required	This value defines the separator when printing out multiple access group IDs for a person. This value must be the same as the secondary separator in Salto when importing/syncing. Default: “\|”
allowMultipleDepartments	bool	Optional	If set to `true`, users are allowed to belong to multiple departments. For this scenario, the option Can insert external users into internal access levels in Salto Options > Departments must also be checked. Default: false
cardNumberLength	int	Optional	The required length of the card number. Default: 9
cardNumberIdentifierType	string	Required	This setting indicates which type of identifier can be used for the card number. Default: mifare
enableAuditOpenings	bool	Optional	Set this to true if users should be logged in Audit Openings. This means that whenever there is any ‘key swapping’ / ‘card swapping’, the system should log that in the audit log and shown it in the Audit trail. The flag Audit openings in the key in Salto PACS Users > Key Options must be checked if users can be part of Audit Openings. Default: true
layoutIdentifierType	string	Required	This setting indicates which type of identifier can be used for the card layout. Default: layout
ignoreCardsWithLayout	string	Optional	A “\|”-separated string of card layouts that will be ignored when exporting. Default: “”
useCardNumberAsTitle	bool	Optional	If set to `true`, the card number is exported into the title field in the user interface. Default: “true”
userfieldmappings	string	Optional	This setting is the combination of additional fields which can be transferred to Salto. Five general purpose fields can be configured. They can be found in Tools > Scheduled Job. These fields can be shown in the UI by enabling them, using either of the following options: In Salto Space: System > General > Users In Salto: Tools > Configuration > General Options > Users Set the value as follows: Value of userfieldmappings CODE `table_name.value_of_type_column, sequence number of General Purpose fields` where `table_name` can be: `user`, `email`, `phone`, `address` or `useradditionalfield`. Examples To send the value of a specific column from the user table: `user.column,sequence_number` To send the value of a specific column from the email table: `email.type, sequence_number` See configuration examples in the table below. The sequence number added in `userfieldmappings` must match the sequence number which is configured in the scheduled job in Salto.
useDummyFieldAsCardNumber	bool	Optional	This setting indicates whether to populate card number in dummy field or not. If you want to populate data in dummy field, you must add field mapping in Salto using mapping configuration settings in Salto (System > Tools > Scheduled Jobs > PACS Import > Mapping Configuration > General Purpose Field 1 [GPF1]) Default: false

Example

Example configuration for userfieldmappings:

Id	Group	Key	System	Value
1	salto.export	userfieldmappings	Salto	useradditionalfield.Department,1
2	salto.export	userfieldmappings	Salto	email.Work,2
3	salto.export	userfieldmappings	Salto	useradditionalfield.Description,3

Set up import fields in Salto

Make sure that the import fields in Salto(Salto System->Tools->Scheduled Jobs->PACS Import->Mapping Configuration) are configured in the following order. All bullets are static fields, except General Purpose fields which are dynamic and can be configured as user additional fields and tp populate card number data, as mentioned above.

(Action)
User ID
Title
First Name
Last name
Access Level ID List
ROM code
PIN code
User expiration date
Extended opening time
Enable auditor in the key[AuditOpenings]
Zone ID list[ExtZoneIDList] - Supported on Salto Pro-Access Space
Access point ID list[ExtDoorIDList] - Supported on Salto Pro-Access Space
General Purpose fields

Salto field mapping

The service mainly transfers user data including related access tokens and entitlement assignments. The tables below show the default field mapping.

If needed, additional fields can be configured, using the SCIM API and useradditionalfield in the database configuration.

User field mapping

By default, the following data is mapped between the USER table in the Physical Access and the Salto service:

SR No	Physical Access field (Web API)	Salto field (UI)
1	givenName	Cardholder > Users > First Name
2	familyName	Cardholder > Users > Last Name
3	Pin	Pin code

Access token field mapping

By default, the following data is mapped between the ACCESSTOKEN and ACCESSTOKENIDENTIFIER tables in the Physical Access and the Salto service:

SR No	Physical Access field (Web API)	Salto field (UI)
1	Card number of IDC See more details in group: Salto.export above.	Cardholder > Users > Title
2	Card number of IDC in hexadecimal format	Cardholder > Users > ROM code

Entitlement assignment field mapping

By default, the following data is mapped between the ENTITLEMENTASSIGNMENT table in the Physical Access and the Salto service:

SR No

Physical Access field (Web API)

Salto field (UI)

1

DisplayName (entitlement-DisplayName)

[EntitlementType : AccessLevel] Cardholder > Users > User Access Level

[EntitlementType : Zone] Cardholder > Users > Zones

[EntitlementType : STANDARD ,ROOM ,SUITE ,SUBSUITE ,ASSOCIATED ,LOCKER] Cardholder > Users > Access Point

Restart service

Restart the Salto connector service:

Restart Physical Access Salto connector

CODE

cd <SMARTIDHOME>/compose/physicalaccess
docker-compose restart smartid-pa-salto