> ## Documentation Index
> Fetch the complete documentation index at: https://conductorone-lee-google-cloud-project-mcp-setup.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Set up a Seismic connector

> C1 provides identity governance and just-in-time provisioning for Seismic. Integrate your Seismic instance with C1 to run user access reviews (UARs), enable just-in-time access requests, and automatically provision and deprovision access.

## Capabilities

The Seismic connector syncs the following resources:

| Resource | Sync                                                          | Provision                                                     |
| :------- | :------------------------------------------------------------ | :------------------------------------------------------------ |
| Users    | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Groups   | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Roles    | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Licenses | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="xmark" iconType="solid" color="#888" />           |

<Note>
  Content licenses (`Business`, `Premium`, `Partner`) are derived from the SCIM
  `userType` field on each user, not from a dedicated API endpoint. License
  assignment is read-only — license changes typically require admin action in
  the Seismic console. Users with `userType="NonSeismic"` (e.g. system or
  external accounts) hold no content license and receive no license grant.
</Note>

## Gather Seismic credentials

<Warning>
  To configure the Seismic connector, you need **System Administrator**
  permissions in Seismic.
</Warning>

<Steps>
  <Step>
    Go to the [Seismic App Registration Portal](https://apps.seismic.com) and log in with your tenant admin credentials.
  </Step>

  <Step>
    Click **+ Create an App**, enter an app name, then click **Create app**.
  </Step>

  <Step>
    On the app details page, toggle **Authentication** on (it is disabled by
    default). Select **OAuth2 - Client Credentials** as the authentication flow.
    Seismic implements this as the [Client Credentials with User Delegation
    flow](https://developer.seismic.com/seismicsoftware/reference/login-with-client-credentials-user-delegation-flow) —
    it is the only client-credentials variant Seismic documents.
  </Step>

  <Step>
    In the **Delegation user selected callback** field, enter an HTTPS URL that
    can receive a one-time POST from Seismic. The connector itself does **not**
    run a callback server — this URL is triggered only once, when a tenant admin
    enables the app and selects the delegated user. Seismic POSTs a JSON payload
    containing `delegationUserId` to it at that moment.

    <Note>
      **Seismic requires a valid HTTPS callback URL before it will generate your
      Client ID and Client Secret.**

      The script below starts a local receiver and exposes it over HTTPS with no
      account or deployment required. Requirements: **Python 3** and **SSH**
      (both available by default on macOS and Linux; on Windows use WSL or Git
      Bash).

      **Terminal 1 — start the local receiver:**

      ```python callback_receiver.py theme={null}
      import http.server, json, sys

      class Handler(http.server.BaseHTTPRequestHandler):
          def do_POST(self):
              length = int(self.headers.get("Content-Length", 0))
              body = json.loads(self.rfile.read(length))
              user_id = body.get("delegationUserId", "(not found)")
              print(f"\n  delegationUserId: {user_id}\n")
              print("  Copy the value above into the Seismic Delegation User ID field.")
              self.send_response(202)
              self.end_headers()
              sys.exit(0)

          def log_message(self, *args):
              pass

      print("Waiting for Seismic callback on port 8080 ...")
      http.server.HTTPServer(("", 8080), Handler).serve_forever()
      ```

      ```bash theme={null}
      python3 callback_receiver.py
      ```

      **Terminal 2 — expose it over HTTPS:**

      ```bash theme={null}
      ssh -R 80:localhost:8080 nokey@localhost.run
      ```

      `localhost.run` prints an HTTPS URL such as
      `https://xxxxxxxx.lhr.life`. Paste that URL into the Seismic callback
      field and proceed to the next step. When Seismic fires the callback,
      Terminal 1 prints the `delegationUserId` and exits.

      <Warning>
        Do **not** use public webhook inspection services (e.g. webhook.site,
        requestbin.com). The `delegationUserId` is a credential — combined with
        your client ID and secret it can be used to generate API tokens.
        Sending it to a service that stores and displays payloads publicly
        exposes it to anyone who obtains the URL.

        Note that `localhost.run` is a third-party SSH tunnel: traffic transits
        their servers in transit but is not stored or displayed publicly.
        For security-sensitive environments, use a self-hosted endpoint (e.g.
        an AWS Lambda function URL or Cloudflare Worker on infrastructure you
        control) instead.
      </Warning>
    </Note>
  </Step>

  <Step>
    Assign the following scopes to the app registration:

    * `seismic.user.view` — required for syncing users, groups, and group members
    * `seismic.user.manage` — required for provisioning (create/delete users, grant/revoke group membership and role assignments)
    * `seismic.reporting` — required for syncing platform roles

    For **sync-only** deployments, assign `seismic.user.view` and `seismic.reporting`.
    For **sync + provisioning** deployments, assign all three scopes.

    <Warning>
      Adding or removing scopes after saving generates a new app version with a
      new **Client ID**. Finalize your scope selection before copying credentials.
    </Warning>
  </Step>

  <Step>
    Click **Generate** in the credentials section to create the **Client
    Secret**. Copy both the **Client ID** and **Client Secret** and store them
    securely. The Client Secret cannot be retrieved again after you leave this
    page.
  </Step>

  <Step>
    In the Seismic web app, navigate to **Admin Settings** > **My Apps**,
    locate your app, and click **Enable App in Seismic**. A consent modal
    appears — select the user who will act as the delegated user, then confirm.
    Seismic will POST a JSON payload to the callback URL you entered earlier.

    Check the endpoint you set up — the incoming POST body contains
    `delegationUserId`. Copy that exact value; it becomes the connector's
    **Seismic Delegation User ID** configuration field.
  </Step>

  <Step>
    Identify your **Seismic tenant** name (the subdomain from your login URL,
    e.g., `acme` if you access `acme.seismic.com`). The connector uses this to
    build the OAuth2 token endpoint URL automatically:
    `https://auth.seismic.com/tenants/{tenant}/connect/token`.
  </Step>
</Steps>

## Configure the Seismic connector

<Tabs>
  <Tab title="Cloud-hosted">
    Follow these instructions to use a built-in, no-code connector hosted by C1.

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **Seismic** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Seismic connector:

        * Add the connector to a currently unmanaged app
        * Add the connector to a managed app
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        Find the **Settings** area of the page and click **Edit**.
      </Step>

      <Step>
        Enter the required configuration:

        * **Seismic Client ID**: OAuth2 Client ID from the app registration
        * **Seismic Client Secret**: OAuth2 Client Secret from the app registration
        * **Seismic Tenant**: Your Seismic tenant identifier (used to build the OAuth2 token endpoint URL `https://auth.seismic.com/tenants/TENANT/connect/token`)
        * **Seismic Delegation User ID**: the `delegationUserId` your app received on the Delegation user selected callback when the tenant admin assigned the delegated user
      </Step>

      <Step>
        Click **Save**.
      </Step>

      <Step>
        The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
      </Step>
    </Steps>

    **Done.** Your Seismic connector is now pulling access data into C1.
  </Tab>

  <Tab title="Self-hosted">
    Follow these instructions to use the [Seismic](https://github.com/conductorone/baton-seismic) connector, hosted and run in your own environment.

    When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals.

    ### Resources

    * [Official download center](https://dist.conductorone.com/ConductorOne/baton-seismic): For stable binaries (Windows/Linux/macOS) and container images.

    * [GitHub repository](https://github.com/conductorone/baton-seismic): Access the source code, report issues, or contribute to the project.

    ### Step 1: Set up a new Seismic connector

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
      </Step>

      <Step>
        Search for **Baton** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new Seismic connector:

        * Add the connector to a currently unmanaged app
        * Add the connector to a managed app
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        In the **Settings** area of the page, click **Edit**.
      </Step>

      <Step>
        Click **Rotate** to generate a new Client ID and Secret.

        Carefully copy and save these credentials.
      </Step>
    </Steps>

    ### Step 2: Create Kubernetes configuration files

    Create two Kubernetes manifest files for your Seismic connector deployment:

    #### Secrets configuration

    ```yaml expandable theme={null}
    # baton-seismic-secrets.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: baton-seismic-secrets
    type: Opaque
    stringData:
      # C1 credentials
      BATON_CLIENT_ID: <C1 client ID>
      BATON_CLIENT_SECRET: <C1 client secret>

      # Seismic credentials
      BATON_SEISMIC_CLIENT_ID: <Seismic OAuth2 Client ID>
      BATON_SEISMIC_CLIENT_SECRET: <Seismic OAuth2 Client Secret>
      BATON_SEISMIC_TENANT: <Seismic tenant name>
      BATON_SEISMIC_DELEGATION_USER_ID: <delegationUserId from your callback>

      # Enable provisioning (create/delete users, grant/revoke groups and roles)
      BATON_PROVISIONING: "true"
    ```

    #### Deployment configuration

    ```yaml expandable theme={null}
    # baton-seismic.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: baton-seismic
      labels:
        app: baton-seismic
    spec:
      selector:
        matchLabels:
          app: baton-seismic
      template:
        metadata:
          labels:
            app: baton-seismic
            baton: "true"
            baton-app: seismic
        spec:
          containers:
          - name: baton-seismic
            image: public.ecr.aws/conductorone/baton-seismic:latest
            imagePullPolicy: IfNotPresent
            env:
            - name: BATON_HOST_ID
              value: baton-seismic
            envFrom:
            - secretRef:
                name: baton-seismic-secrets
    ```

    ### Step 3: Deploy the connector

    <Steps>
      <Step>
        Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
      </Step>

      <Step>
        Check that the connector data uploaded correctly. In C1, click **Applications**. On the **Managed apps** tab, locate and click the name of the application you added the Seismic connector to. Seismic data should be found on the **Entitlements** and **Accounts** tabs.
      </Step>
    </Steps>

    **Done.** Your Seismic connector is now pulling access data into C1.
  </Tab>
</Tabs>

***

<Tip>
  All versions of this connector are available at
  [dist.conductorone.com](https://dist.conductorone.com/ConductorOne/baton-seismic).
</Tip>
