Service Now Queue User Administration via SailPoint Identity IQ

The SailPoint ServiceNow Connector manages ServiceNow accounts, groups, and roles. It supports provisioning and aggregation for ServiceNow accounts and groups.

ServiceNow Connector supports configuration of multiple applications of different ServiceNow versions on same IdentityIQ. ServiceNow Rest API supports Basic and OAuth2 methods of authentication.

Under IT Service Management, Its Queue management and administration is based on roles and services assigned to a user.

SailPoint Service Catalog Integration: The integration between SailPoint and ServiceNow allows users of both systems to easily navigate from ServiceNow into IdentityIQ.

In the following presentation, ServiceNow Queue Administration using Sailpoint IdentityIQ is explained and overview of SailPoint Service Catalog Integration using MID Server.

This following demo is based on ServiceNow Queue User Administration using Sailpoint IdentityIQ with all the approval modes (serial, parallel, serialpoll, parallelpoll and any).

SOAP Error : Message request Authorization (SailPoint ServiceNow Service Integration )

Environment:

Java: jdk1.8

ServiceNow : Istanbul

SailPoint IdentityIQ version 7.1, 7.2

Problem Statement: 

javax.xml.soap.SOAPException: Message send failed: org.apache.axis2.saaj.SOAPMessageImpl cannot be cast to oracle.j2ee.ws.saaj.soap.MessageImpl===== reqeust ========Authorization:Basic

at oracle.j2ee.ws.saaj.client.p2p.HttpSOAPConnection.post2(HttpSOAPConnection.java:691)

at oracle.j2ee.ws.saaj.client.p2p.HttpSOAPConnection.post2(HttpSOAPConnection.java:691)

at oracle.j2ee.ws.saaj.client.p2p.HttpSOAPConnection$PrivilegedPost.run(HttpSOAPConnection.java:1502)

at java.security.AccessController.doPrivileged(Native Method)

 

Solution:

In the above error message it is clearly mention that it is an authorization error related with user privileged account.

Ensure that the following pre-requisites to be performed:

  • Create a ServiceNow Service Integration Module Administrator (ServiceNow user) for integration purpose with SailPoint and assign following roles.

SailPoint Administrator Role List in ServiceNow

Elevate Roles to security admin in ServiceNow for the user.

  • Use the same Integration Administrator in Application configuration of ServiceNow in SailPoint.
  • Use the same Integration Administrator credential in IntegrationConfig : ServiceNowServiceIntegrationModule.

 

 

Sailpoint IdentityIQ’s Transient workflows and their advantages

Quicklinks are usually used for faster access of specific functionalities. Often a “no delays” workflow where the start and end of the workflow happen within one single launch of quicklink shall be launched by quicklinks. Usually these kind of workflows involve custom Sailpoint forms which would not be useful once the user stops using this quick link by navigating to some other page.

Conventional workflow launches are serialized by storing the workflow cases as XML objects. This leads to many work items and workflow cases which are incomplete and hang around the Identity IQ over long run. This might lead to performance issues and unwanted data accumulated inside IIQ.

This problem could easily be solved using the transient workflows. The main feature of transient workflows is that they don’t get serialized.

Without the workflow getting serialized, we have specific advantages.

  1. Workflow cases which are inactive specific to this workflow shall not be generated.
  2. Work items that are generated do not get serialized and as a result we don’t have any unwanted work items related to this workflow in user’s inbox.

This would result in cleaner environment where we don’t have unnecessary data.

Extra perk with logging:

Workflow variables in Sailpoint are serialized in non-transient workflows. This means that we can store only the objects that Sailpoint has capability to store as XML object. Log4J loggers are very useful objects which are disqualified as workflow variables because of this restriction.

As the transient workflows do not try to serialize the objects referred by the variables, Logger objects can also be stored in the workflow variables.

This provides us the flexibility to maintain a workflow level logger variable to use your custom logging. Rather than instantiating the custom loggers whenever we require them, we can simply use the workflow variable whenever required.

Sailpoint Implementation: Referring Rule Libraries in Validation Scripts

Validation scripts are amongst the most common features while working with Sailpoint Identity IQ’s workflow forms. When we have common validation logic for multiple fields, it is always good to maintain this piece of logic in a separate rule library and call it from the validation script whenever required. This encourages modularity of the code and decreases code redundancy.

 

The way in which the name space of a validation script of a form in the workflow behaves is quite different from the rest of the workflow. Initial declaration of referenced libraries does well for referring the code in other parts of the workflow. But this does not work with validation scripts.

 

The following syntax should be used when we are using the rule referencing in validation scripts –

<ValidationScript>

<Includes>

<Reference class=”sailpoint.object.Rule” name=”Rule-Library-Name”/>

</Includes>

<Source>

// your code that calls some useful function in the rule library

</Source>

</ValidationScript>

 

 

Resolved : Manage Account Request Problem in SailPoint IIQ

Environment:

SailPoint Version : 7.0, 7.1

Problem Statement:

Unable to request a new account for existing identity from Manage Accounts in SailPoint IIQ.

Problem : Account Request Option is not available

 

Solution :

Firstly we need to check the Lifecycle Manager Configurations, navigate to Lifecycle Manager and in Configure tab Search for Manage Accounts options :

Applications that support account only requests : Select all applications check box or specified application according to your requirement.

Solution part 1- Select all applications

 

Allow Manage Accounts Additional Account Requests : Enable
Allow Manage Existing Accounts : Enable
Allow Account Only Requests : Enable

–> If you are using higher version of SailPoint 6.4 then you will face problem in finding these 3 options to enable them.

Solution 1 :

For that you need to edit init-lcm.xml and import it again in iiq console. (This will effect pre-existing workflows and LCM Configuration. So, to avoid that follow Solution 2).

Follow these steps and pictures shown below for editing init-lcm.xml (Solution 1)

 Step 1: init-lcm.xml is present in ~identityIQ/WEB-INF/config/init-lcm.xml location. Make a copy of it and place it in a safe folder.

 

Now open init.xml and search for Manage Accounts under QuickLink tag.

In init.xml search Manage Account

 

Carefully observe 3 entries under Manage Accounts tag.

Original_init-lcm.xml of SailPoint 7.1 version

 

Step 2: Make few changes by enabling this options manually from false to true 3 times in Quicklink Manage Accounts tag as shown in the picture below.

<entry key=”allowManageAccountsAdditionalAccountRequests” value=”false” />
<entry key=”allowManageExistingAccounts” value=”true” />
<entry key=”allowAccountOnlyRequests” value=”false” />

After editing : <entry key=”allowManageAccountsAdditionalAccountRequests” value=”true” />
<entry key=”allowManageExistingAccounts” value=”true” />
<entry key=”allowAccountOnlyRequests” value=”true” />

 

After Editing Manage Accounts Configuration

 

Step 3: Now save it and import it in iiq console. By using command import init-lcm.xml. After importing observe following changes.

Step 4: Request Account option is available (Issue Resolved). Choose the application for account request. Submit the form.

 

Request Option Available Now 7.1

> Just for Reference in SailPoint 7.0  it will look like this as shown in the picture below.

Request Option Available in SailPoint 7.0

 

 

Step 5: Confirm Account Action . Click Confirm at the end of the page.

Confirm Account Request

 

Solution 2 :

You can get same results by configuring through Debug Pages.

Step 1: Go to Debug Page > Select object QuickLink from dropdown listChoose Manage Accounts.

Step 2: Follow same Step 2 in Solution 1.

Step 3: Request Account option is available (Issue Resolved).

 

Sailpoint IdentityIQ Pass through Authentication via Active Directory

When working with the Cloud, organizations of any scale wish to have common credentials across on-premise applications and the cloud applications. It’s the best user experience as well as the best IT management experience. The overhead of facilitating this can be quite a large endeavor.

Sailpoint’s IIQ provides Pass-through authentication using which a Login into IdentityIQ can be done via an enterprise directory credentials or via SSO credentials.

With pass-through authentication in Sailpoint IdentityIQ, password validation takes place through Application Configured in IdenitytIQ. What this means is a simple, but effective SSO solution for the end user. The below presentation gives a quick overview of concepts of Pass Through Authentication and how it is implemented in Sailpoint IdentityIQ.

The presentation is followed by different use cases demonstrated.

 

 

 

 

SailPoint IdentityIQ’s ER Relationship Model

Traditionally, all developers deciphered a product, by understanding the Entity Relationship model of the product’s database schema. This approach was the quick and easiest way to understand any product.

 

A similar approach is tried in deciphering SailPoint IdentityIQ, an Identity Governance solution from Sailpoint. The presentation envisages to give the audience a thorough understanding of the product, not from the API perspective, but from a database model perspective.

 

Sailpoint’s Identity IQ has some key objects like Identity, Application, Bundle etc. There are many dependent objects. Most of the key objects are covered comprehensively in the presentation.

 

 

eMail Configuration in Sailpoint IdentityIQ

eMail communication has revolutionized the way we communicate. A tool/facility introduced for simple communications is now considered more formal and legal. For a long time deep linking, in simple terms, embedding buttons with logic to provide email based decisions has been prevalent.

There is nothing better than sending a direct link to a page where one needs to take an action, in an email. Especially for something which needs urgent attention.

 

Sailpoint’s IdentityIQ provides the functionality to notify users through Emails. We may also have Emails with embedded URL which provides direct access to pages in IdentityIQ.

In the following presentation, a detailed overview of Email Configurations and use of Emails in IdentityIQ is presented.

Following is the demo on Email notifications with URLs embedded in mails, which provides direct access to pages in IdentityIQ.

 

Solved: “HTTP proxy setting has incorrect value”

Environment:

OS: Oracle Linux 7.0

Java: jdk1.8

DB: Oracle Database 11G R2

DB Installed mode: Single Instance Server

 

Problem Statement:

A connection to an Oracle database, via CLI mode, may be achieved using the following commands in a Linux Shell.

Start the listener by typing below command:

>lsnrctl start

Start the database by typing below command:

>sqlplus sys as sysdba

>startup

Error:

Error 46 initializing SQL*Plus
HTTP proxy setting has incorrect value
SP2-1502: The HTTP proxy server specified by http_proxy is not accessible.

HTTP proxy setting has incorrect value error

Error: HTTP proxy setting has incorrect value

 

Reasoning:

In the above error message, “HTTP proxy server specified by http_proxy variable”, the specified value is incorrect.The error may have occurred because sqlplus uses the http_proxy and no_proxy environment variables to determine if proxy is used. To bypass the proxy settings, both these values need to be unset or exported.

http_proxy: Specify the value to use as the HTTP proxy for all connections.

For example: http_proxy=“http://proxy.mycompany.com:8080”

no_proxy: Determine hosts that should bypass the proxy.

For example: no_proxy=localhost, mycompany.com, 192.168.0.10:80 so it can’t access this proxy.

 

Solution

First check the proxy settings , it should be correct value or unset it if no proxy is needed. SQL*Plus may get the proxy name from the environment variable http_proxy.This problem could be resolved by using the following commands –

>unset http_proxy

>unset no_proxy

Or

>export http_proxy=

>export no_proxy=

 

HTTP proxy setting has incorrect value issue resolved

Sailpoint – Service Now Integration

Ticketing systems form a great part of any enterprise’s IT infrastructure. Service Now is a global leader in cloud based ticketing systems and has been playing a visionary role in ITSM and ITOM.

Sailpoint integration with Service Now provides a great value when direct provisioning from Sailpoint is not possible.

It streamlines the manual provisioning by raising tickets on Service Now for provisioning. This provides a great visibility and accountability in the IT environments.

 

In the following presentation, we provide a detailed overview of Service Now integration with Sailpoint:

The following is a demo of various types of Service Now integrations that are supported by Sailpoint: