> ## Documentation Index
> Fetch the complete documentation index at: https://www.c1.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.
# Set up an Ironclad connector
> C1 provides identity governance for Ironclad. Integrate your Ironclad instance with C1 to run user access reviews (UARs) and enable just-in-time access requests.
## Capabilities
| Resource | Sync | Provision |
| :------- | :------------------------------------------------------------ | :------------------------------------------------------------ |
| Accounts | | |
| Groups | | |
The Ironclad connector supports [automatic account provisioning](/product/admin/account-provisioning).
When a new account is created by C1, the account's password will be sent to a [vault](/product/admin/vaults).
This connector does not support account deprovisioning. You must deprovision accounts directly in Ironclad.
## Gather Ironclad credentials
Configuring the connector requires you to pass in credentials generated in Ironclad. Gather these credentials before you move on.
A user with the **Administrator** role in Ironclad must perform this task.
### Create an Ironclad OAuth client app
In Ironclad, navigate to your profile menu (located in the top right corner of the screen) > **Company settings** > **API**.
Select **Create new app**.
Give your OAuth client application a name, such as "C1" and click **Create app**.
Carefully copy and save the app's client ID and client secret, then click **Continue**.
In the **Grant Types** area, select the grant type that matches your authentication preference:
* **Client Credentials** (Recommended): The simplest setup. Does not require an interactive login. Required for self-hosted connectors.
* **Authorization Code**: Requires logging in and authorizing. Only available for cloud-hosted connectors.
If you selected **Authorization Code**, enter `https://accounts.conductor.one/oauth/callback` in the **Redirect URI** field.
In the **Scopes** area, give the app the following scopes:
* scim.users.readUsers
* scim.groups.readGroups
If you want to use C1 to provision Ironclad accounts and groups, add these scopes as well:
* scim.groups.updateGroups
* scim.users.createUsers
* scim.users.deleteUsers
Click **Save changes**.
**Done.** Next, move on to the connector configuration instructions.
## Configure the Ironclad connector
To complete this task, you'll need:
* The **Connector Administrator** or **Super Administrator** role in C1
* Access to the set of Ironclad credentials generated by following the instructions above
**Follow these instructions to use a built-in, no-code connector hosted by C1.**
In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
Search for **Ironclad** and click **Add**.
Choose how to set up the new Ironclad connector:
* Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
* Add the connector to a managed app (select from the list of existing managed apps)
* Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
Click **Next**.
Find the **Settings** area of the page and click **Edit**.
Select your authentication method:
* **OAuth Client Credentials** (Recommended): The simplest setup. Authenticate using client credentials without an interactive login.
* **OAuth Authorization Code**: Authenticate by logging in and authorizing C1 with your Ironclad instance.
Enter the client ID and client secret into their respective fields.
**If using OAuth Client Credentials:** Enter the email address of an Ironclad user in the **As User Email** field. API requests will be made on behalf of this user.
**Optional.** If you do not want the connector to provision access, click to enable **Read only**. When enabled, the connector requests a reduced set of OAuth permissions (read-only access to users and groups).
Click **Save**.
**If using OAuth Authorization Code:** Click **Login with OAuth**, then log in and authorize C1 with your Ironclad instance. After authorizing, you'll be redirected back to the C1 integrations page, where an "Authorized as" message is now printed.
The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
**Done.** Your Ironclad connector is now pulling access data into C1.
**Follow these instructions to use the Ironclad connector, hosted and run in your own environment.**
When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.
### Resources
* [Official download center](https://dist.conductorone.com/ConductorOne/baton-ironclad): For stable binaries (Windows/Linux/macOS) and container images.
### Step 1: Set up a new Ironclad connector
In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
Search for **Baton** and click **Add**.
Choose how to set up the new Ironclad connector:
* Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
* Add the connector to a managed app (select from the list of existing managed apps)
* Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
Click **Next**.
In the **Settings** area of the page, click **Edit**.
Click **Rotate** to generate a new Client ID and Secret.
Carefully copy and save these credentials. We'll use them in Step 2.
### Step 2: Create Kubernetes configuration files
Create two Kubernetes manifest files for your Ironclad connector deployment:
#### Secrets configuration
```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# baton-ironclad-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
name: baton-ironclad-secrets
type: Opaque
stringData:
# C1 credentials
BATON_CLIENT_ID:
BATON_CLIENT_SECRET:
# Ironclad credentials
BATON_IC_CLIENT_ID:
BATON_IC_CLIENT_SECRET:
# Optional: include if you use an Ironclad environment other than "na1"
BATON_ENVIRONMENT: eu1
# Optional: include if you want C1 to provision access using this connector
BATON_PROVISIONING: true
```
See the connector's README or run `--help` to see all available configuration flags and environment variables.
#### Deployment configuration
```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
# baton-ironclad.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: baton-ironclad
labels:
app: baton-ironclad
spec:
selector:
matchLabels:
app: baton-ironclad
template:
metadata:
labels:
app: baton-ironclad
baton: true
baton-app: ironclad
spec:
containers:
- name: baton-ironclad
image: ghcr.io/conductorone/baton-ironclad:latest
imagePullPolicy: IfNotPresent
env:
- name: BATON_HOST_ID
value: baton-ironclad
envFrom:
- secretRef:
name: baton-ironclad-secrets
```
### Step 3: Deploy the connector
Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
Check that the connector data uploaded correctly. In C1, click **Apps**. On the **Managed apps** tab, locate and click the name of the application you added the Ironclad connector to. Ironclad data should be found on the **Entitlements** and **Accounts** tabs.
**Done.** Your Ironclad connector is now pulling access data into C1.