

This article describes how to configure the Salto Service, to enable integration between Smart ID Identity Manager, Physical Access and Salto. 

The Access Control System Salto is managed by a GUI. The Salto Service interacts with Salto through a web-based API. After integration, all administration of Users, Access Token and Entitlements (besides defining them) should be done in Identity Manager, never in Salto.

For details on which data can be imported and exported from Salto, see About import and export to Physical Access.



Prerequisites

The following prerequisites apply:

  • Physical Access and Salto Docker container/service are installed. See Deploy Smart ID.
  • Salto client version 4.1 is required.
  • The message queue server must be running.
  • If MIFARE card technology is used, the PACS MIFARE number must be available as raw data (not encrypted, truncated, or similar). 
  • A working network connection to the connected physical access control systems (PACS) must be in place. 

Configure Salto Service data fields

The Salto data is configured in the configuration table in the Physical Access database. All configuration is cached when the service starts so any configuration changes will require the service to be restarted in order to take effect.

To change the database configuration:

  1. Log in to Physical Access admin panel as an admin user.
    All configured PACS connector services are listed, as well as Generic configurations to define the messaging queue. 
  2. Click on a system to do updates.
    All database entries are listed. 
  3. To update an entry, click on the icon. Edit as needed and then click Update.
  4. To create an entry, click on +Create. Select Group, enter Key, Value and Index, and then click Create.

group: messagingqueue

key | Data type | Required or Optional | Description
server | string | Required

IP address of the message queue server. If it is installed on the local server, use localhost. If the server is accessed remotely, enter its IP address.

username | string | Required

Username of message queue server.

Default value: “guest”

password | string | Required

Password of message queue server.

Default value: “guest”

system | string | Required

Defines which messaging queue is used, either "rabbitmq" or "azureservicebus".

Default value: "rabbitmq"

group: general

key | Data type | Required or Optional | Description
deleteUserOnNoEntitlement | string | Optional

Defines if the user shall be deleted if no active entitlement assignments are present for that user.

Valid values: true or false.

Default: true

deleteUserOnNoAccessToken | string | Optional

Defines if the user shall be deleted if no active access tokens are present for that user.

Valid values: true or false.

Default: true 

heartbeatInterval | int | Optional

The heartbeat interval is the time between two successive heartbeats. It is used to determine whether the system is active (running) or inactive (stopped).

Default value and minimum value: 60 seconds. If it is set to less than 60 seconds, 60 seconds is used when updating the status.

group: general

key | Data type | Required or Optional | Description
updatesPerPoll | int | Optional

The maximum number of messages read from the message queue.

Default: 100

group: Salto.import

key | Data type | Required or Optional | Description
DbName | string | Required | The name of the database to be used by Salto.
connectionstring | string | Required | The connection string to the Salto database.
departmentFilter | string | Optional

Makes it possible to filter departments with the help of a department name available in the Salto database, for example "Administration".

Default: NULL.

groupNameTemplate | string | Required

This string will separate the access group name and the department name if useSaltoDepartment is set to true.

Default: “{DepartmentName} – {Name}”.

useUpgradedVersion | bool | Required

If set to true, the upgraded version of Salto will be used. If set to false, the old version of Salto will be used. 

The table that was called tb_departments in the old version changed name to tb_partitions in the upgraded version.

group: Salto.export

key | Data type | Required or Optional | Description
inactiveCardPrefix | bool | Optional

A string prefix that is combined with the card number when the access token is inactive. It is used only when removeInactiveCard is false. In that case, the title of the user is inactiveCardPrefix followed by the unique card number, such that the Title length is 10. If the prefix is longer than 10 characters, all inactive access tokens of the same person will have the same title.

Default: "IN"

removeInactiveCard | bool | Optional

Set this to true if users should be deleted when the card becomes inactive. If it is false, the user remains in the Salto system, all accesses and the ROM code are removed, and the Title holds the prefix followed by the unique card number.

Default: false

importPath | string | Required

The path to the import folder, that the Salto connector can write files to, so that the Salto system can read them. 

Default: “C:\Salto”

For the Docker version, follow these steps:

  1. Mount the Salto Import directory on the host machine:

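    # Install the CIFS client tools and create the mount point
    apt install -y cifs-utils
    mkdir -p /mnt/salto_share
    # Mount the Salto import share on the host
    mount -t cifs //<Salto_IP>/<import_path> /mnt/salto_share -o username=<Salto_Windows_Admin_User>,password=<Admin_User_Password>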
  2. Update the same path in the docker-compose file by adding new volume mapping for the Salto service:

    # Map the host mount point from step 1 to the same path in the container
    volumes:
    - "/mnt/salto_share:/mnt/salto_share:rw"
  3. Update the same path (/mnt/salto_share) in the ‘importPath’ configuration setting for the Salto service using the Physical Access Admin Panel, see Log in to Physical Access admin panel.
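
The mount command in step 1 passes the Windows admin password as a mount option, where it ends up in shell history and is visible in the process list while mount runs; mount.cifs also cannot parse a password that contains a comma when it is given this way. The following is an added example, not part of the original article or the product: it performs the same mount through the credentials= option of mount.cifs. The function names and the path /etc/salto-cifs.cred are assumptions.

```sh
#!/bin/sh
# Added example: mount the Salto import share with a root-only credentials
# file instead of password=... on the command line.
# Function names and /etc/salto-cifs.cred are assumptions for illustration.

# write_cifs_credentials FILE USER
# Reads the password from stdin, so it never appears in argv or shell history,
# and writes FILE in the format read by the mount.cifs credentials= option.
write_cifs_credentials() (
    file=$1
    user=$2
    umask 077                          # the file is created with mode 0600
    if [ -t 0 ]; then                  # interactive use: prompt without echo
        trap 'stty echo; echo >&2' EXIT
        stty -echo
        printf 'Password for %s: ' "$user" >&2
    fi
    IFS= read -r pass || true
    if [ -z "$pass" ]; then
        echo "write_cifs_credentials: no password given" >&2
        exit 1
    fi
    rm -f -- "$file"                   # never reuse a file with looser permissions
    printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$file"
)

# credentials_file_is_private FILE
# Succeeds only if FILE is a regular file with mode rw------- (owner only).
credentials_file_is_private() {
    [ -f "$1" ] && [ "$(ls -ld -- "$1" | cut -c1-10)" = "-rw-------" ]
}

# cifs_mount_options FILE
# Prints the -o string: credentials come from FILE, and setuid bits, device
# nodes and executables on the share are not honoured.
cifs_mount_options() {
    printf 'credentials=%s,nosuid,nodev,noexec\n' "$1"
}

# Usage on the Docker host, in place of the mount command in step 1:
#   write_cifs_credentials /etc/salto-cifs.cred '<Salto_Windows_Admin_User>'
#   credentials_file_is_private /etc/salto-cifs.cred || exit 1
#   mount -t cifs //<Salto_IP>/<import_path> /mnt/salto_share \
#         -o "$(cifs_mount_options /etc/salto-cifs.cred)"
```
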

importFolder | string | Optional

The import folder, that the Salto connector can write files to, so that the Salto system can read them. 

Default: “General”

defaultValidationPeriod | uint | Optional

The default validation period in days for cards that do not have this property set.

Default: 8

exportRowSuffix | string | Optional

This value will be added to the end of a row in the files exported, for example "," or ";". 

Default: “”

accessGroupSeparator | string | Required

This value defines the separator when printing out multiple access group IDs for a person. This value must be the same as the secondary separator in Salto when importing/syncing.

Default: “|”

allowMultipleDepartments | bool | Optional

If set to true, users are allowed to belong to multiple departments. For this scenario, the option Can insert external users into internal access levels in Salto Options > Departments must also be checked. 

Default: false

cardNumberLength | int | Optional

The required length of the card number.

Default: 9

cardNumberIdentifierType | string | Required

This setting indicates which type of identifier can be used for the card number.

Default: mifare

enableAuditOpenings | bool | Optional

Set this to true if users should be logged in Audit Openings. This means that whenever there is any ‘key swapping’ / ‘card swapping’, the system should log that in the audit log and show it in the Audit trail. The flag Audit openings in the key in Salto PACS Users > Key Options must be checked if users can be part of Audit Openings.

Default: true

layoutIdentifierType | string | Required

This setting indicates which type of identifier can be used for the card layout.

Default: layout

ignoreCardsWithLayout | string | Optional

A “|”-separated string of card layouts that will be ignored when exporting.

Default: “”

useCardNumberAsTitle | bool | Optional

If set to true, the card number is exported into the title field in the user interface.

Default: “true”

userfieldmappings | string | Optional

This setting is the combination of additional fields which can be transferred to Salto. Five general purpose fields can be configured. They can be found in Tools > Scheduled Job.

These fields can be shown in the UI by enabling them, using either of the following options:

  • In Salto Space: System > General > Users
  • In Salto: Tools > Configuration > General Options > Users

Set the value as follows: 

Value of userfieldmappings
table_name.value_of_type_column, sequence number of General Purpose fields

where table_name can be: user, email, phone, address or useradditionalfield.

Examples

  • To send the value of a specific column from the user table:
    • user.column,sequence_number
  • To send the value of a specific column from the email table:
    • email.type, sequence_number

See configuration examples in the table below. 

The sequence number added in userfieldmappings must match the sequence number which is configured in the scheduled job in Salto.

Example

Example configuration for userfieldmappings:

Id | Group | Index | Key | System | Value
1 | salto.export | 0 | userfieldmappings | Salto | useradditionalfield.Department,1
2 | salto.export | 0 | userfieldmappings | Salto | email.Work,2
3 | salto.export | 0 | userfieldmappings | Salto | useradditionalfield.Description,3
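
A lint for the userfieldmappings value format and the sequence-number rule described above, as an added example that is not part of the original article or the product. The function name is hypothetical; it assumes table names are matched exactly as listed on this page and that sequence numbers run from 1 to 5 because five General Purpose fields can be configured.

```sh
#!/bin/sh
# Added example: check userfieldmappings values before saving them in the
# Physical Access admin panel. The function name is hypothetical.
# Assumptions: table names are matched exactly as listed on this page, and
# sequence numbers are 1..5 because five General Purpose fields exist.

# validate_userfieldmappings: reads one Value per line on stdin, prints one
# finding per rejected line, and returns 0 only if every line is accepted.
validate_userfieldmappings() (
    seen=" "
    bad=0
    n=0
    while IFS= read -r value || [ -n "$value" ]; do
        n=$((n + 1))
        case $value in
            *,*) ;;
            *) echo "line $n: expected table.column,sequence_number"; bad=1; continue ;;
        esac
        src=${value%,*}                                  # text before the last comma
        seq=$(printf '%s' "${value##*,}" | tr -d ' ')    # tolerate "email.type, 2"
        table=${src%%.*}
        column=${src#*.}
        if [ "$table" = "$src" ] || [ -z "$column" ]; then
            echo "line $n: '$src' is not table.column"; bad=1; continue
        fi
        case $table in
            user|email|phone|address|useradditionalfield) ;;
            *) echo "line $n: unknown table '$table'"; bad=1; continue ;;
        esac
        case $seq in
            [1-5]) ;;
            *) echo "line $n: sequence number '$seq' is not 1..5"; bad=1; continue ;;
        esac
        # Two mappings on one sequence number would target the same Salto field.
        case $seen in
            *" $seq "*) echo "line $n: sequence number $seq already mapped"; bad=1 ;;
        esac
        seen="$seen$seq "
    done
    exit "$bad"
)
```

Feed it the Value column of the salto.export userfieldmappings rows, one per line; a non-zero return means at least one row needs correcting before the service is restarted.
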

Make sure that the import fields in Salto are configured in the following order. All bullets are static fields, except General Purpose fields which are dynamic and can be configured as user additional fields, as mentioned above.

  1. (Action)
  2. User ID
  3. Title
  4. First Name
  5. Last name
  6. Access Level ID List
  7. ROM code
  8. PIN code
  9. User expiration date
  10. Extended opening time
  11. General Purpose fields

The service mainly transfers user data including related access tokens and entitlement assignments. The tables below show the default field mapping.

If needed, additional fields can be configured, using the SCIM API and useradditionalfield in the database configuration. 

User field mapping

By default, the following data is mapped between the USER table in Physical Access and the Salto service:

SR No | Physical Access field (Web API) | Salto field (UI)
1 | givenName | Cardholder > Users > First Name
2 | familyName | Cardholder > Users > Last Name
3 | Pin | Pin code

Access token field mapping

By default, the following data is mapped between the ACCESSTOKEN and ACCESSTOKENIDENTIFIER tables in Physical Access and the Salto service:

SR No | Physical Access field (Web API) | Salto field (UI)
1 | Card number of IDC (see more details in group: Salto.export above) | Cardholder > Users > Title
2 | Card number of IDC in hexadecimal format | Cardholder > Users > ROM code

Entitlement assignment field mapping

By default, the following data is mapped between the ENTITLEMENTASSIGNMENT table in Physical Access and the Salto service:

SR No | Physical Access field (Web API) | Salto field (UI)
1 | DisplayName (entitlement-DisplayName) | Cardholder > Users > User Access Level

Restart service

  1. Restart the Salto connector service:

    # Restart the Physical Access Salto connector
    cd <SMARTIDHOME>/compose/physicalaccess
    docker-compose restart smartid-pa-salto

This article is valid for Smart ID 21.04.1 and later.
