In the world of Identity Management, securing and monitoring access for external users such as partners, contractors and customers who reach organizational resources has always been a challenge for many organizations. To help organizations secure their resources, two major identity management vendors partnered in February 2018: Okta and SailPoint announced a strategic partnership to provide end-to-end identity for the enterprise, helping organizations balance simple, secure user access against complex compliance and security requirements.
Benefits of the Combined Solutions
• Effectively manage user identities’ authentication and application assignments while ensuring all governance and compliance requirements are met.
• Authenticate user access with single sign-on and multi-factor authentication.
• Ensure that for sensitive applications, only the right user has access, authorization policies are enforced, and the process is documented, timestamped and compliant.
• Automate provisioning throughout the user lifecycle by simplifying processes for creating, modifying and revoking access.
• Automate provisioning of applications in adherence to corporate policies.
• Trigger provisioning workflows from authoritative sources, such as Active Directory or HR systems, to ensure consistency and increase efficiency.
Out of the box, SailPoint’s IdentityIQ provides numerous provisioning workflows, and we can implement custom workflows as the need arises. Parallel and serial approvals are two such workflows that an enterprise uses to manage a user’s access.
In the world of IAM, one thing every developer should remember is that “the right thing must be accessed by the right user at the right time”; in other words, access must be rightfully distributed to the user.
In this requirement, a user in an enterprise requests an entitlement or role through IdentityIQ, and that access must then be approved by the workgroups that maintain that privilege.
Understanding parallel and serial approvals in IdentityIQ
The following video illustrates parallel and serial approvals.
Working demo of parallel and serial approvals
The following video demonstrates how parallel and serial approvals work in practice.
Data loading into Active Directory means creating AD accounts and their corresponding Exchange mailbox accounts from employee data held in a database.
The Java program reads the credentials from an XML file, retrieves the employee data from the database, creates each account in Active Directory with a default password, and enables the account as well.
When we try to correlate the accounts into SailPoint’s IdentityIQ using multiple authoritative sources, the following exception may arise.
Why this happens
The main reason for this error is ambiguity of accounts. After the account aggregation task completes, the Refresh Identity Cubes task does not run: it stops with the status “Task stopped by user”, and the log file shows an exception named Mark Invalid.
The main cause is that more than one authoritative source has been marked for the same identity. If two authoritative sources represent the same data, the aggregation task populates the accounts under their names, but the Refresh Identity Cubes task then cannot link each account to its manager account, because two candidate accounts could be correlated as the manager and the choice is ambiguous.
In other cases the error arises when accounts or identities were not properly deleted.
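As an added illustration (not code from this post, and not IdentityIQ’s own data model), the following Python check models the two causes just described: a constructed set of aggregated account links in which two authoritative applications carry the same HR data, plus a stale manager reference, and a pre-flight report that lists identities claimed by more than one authoritative source and manager references that do not resolve to exactly one account. The application names and link records are constructed samples.

```python
from collections import defaultdict

# Constructed sample of account links, loosely modelled on what IdentityIQ
# holds after account aggregation: one record per (application, account).
# "HR-DB" and "HR-DB-copy" are both marked authoritative and carry the same
# employee data, which is the misconfiguration the post describes; "ghost"
# is a manager reference whose account was never cleaned up.
LINKS = [
    {"application": "HR-DB",      "authoritative": True,  "name": "jsmith", "manager": "akumar"},
    {"application": "HR-DB-copy", "authoritative": True,  "name": "jsmith", "manager": "akumar"},
    {"application": "HR-DB",      "authoritative": True,  "name": "akumar", "manager": None},
    {"application": "HR-DB-copy", "authoritative": True,  "name": "akumar", "manager": None},
    {"application": "HR-DB",      "authoritative": True,  "name": "bchen",  "manager": "ghost"},
    {"application": "AD",         "authoritative": False, "name": "jsmith", "manager": None},
]


def authoritative_claims(links):
    """Map each account name to the set of authoritative applications that own it."""
    claims = defaultdict(set)
    for link in links:
        if link["authoritative"]:
            claims[link["name"]].add(link["application"])
    return claims


def ambiguous_identities(links):
    """Names claimed by more than one authoritative source: the refresh task
    cannot decide which link defines the identity, so correlation is ambiguous."""
    return sorted(name for name, apps in authoritative_claims(links).items() if len(apps) > 1)


def unresolvable_managers(links):
    """Manager references that do not map to exactly one authoritative account.
    Returns {manager_value: reason}: 'ambiguous' (several candidates, the post's
    case) or 'missing' (a stale reference left behind by an incomplete deletion)."""
    claims = authoritative_claims(links)
    problems = {}
    for link in links:
        manager = link["manager"]
        if manager is None or manager in problems:
            continue
        candidates = claims.get(manager, set())
        if len(candidates) > 1:
            problems[manager] = "ambiguous"
        elif not candidates:
            problems[manager] = "missing"
    return problems


def preflight_report(links):
    """Summary to review before running Refresh Identity Cubes."""
    return {"ambiguous_identities": ambiguous_identities(links),
            "unresolvable_managers": unresolvable_managers(links)}
```

Run over an export of your own links, an empty report means the refresh task has a single authoritative owner for every identity and a unique manager candidate for every manager value.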
The solution I found is to back up the rules and the application definitions into an XML file using the console, shut down the application server, drop all the tables in the database using the SQL scripts provided by IdentityIQ, and then recreate the tables using the same scripts. Import init.xml using the iiq console, then import the XML file that represents the application object. If you then run the aggregation and correlation tasks, you can see that all the identities and their managers are correlated in the Identity Warehouse.