SailPoint IdentityIQ Custom Connector

Introduction

Connectivity is critical to successful IAM deployments. SailPoint is committed to providing design, configuration, troubleshooting and best practice information to deploy and maintain connectivity to target systems. SailPoint IdentityIQ enables you to manage and govern access for digital identities across various applications in your environment. Connectors are the bridges that IdentityIQ uses to communicate with and aggregate data from applications. SailPoint IdentityIQ provides a wide range of OOTB connectors that facilitate integration with variety of systems, applications and data sources. These connectors are designed to simplify the process of managing Identity information and access across different platforms.  

In SailPoint IdentityIQ, a Custom Connector is a specialized integration component that allows the IdentityIQ platform to connect and interact with external systems, applications, or data sources that are not supported by the standard OOTB connectors. Custom connectors extend the capabilities of IdentityIQ by enabling it to manage identity-related information in a wider range of systems. 

High level architecture of Custom connector 

Custom Connector Development

Developing Custom connector in SailPoint IdentityIQ involves creating a Java-based implementation that adheres to the connector framework and API provided by SailPoint.  

This allows you to define the interaction between IdentityIQ and the specific external system you want to integrate with. A typical development of custom connector includes 4 steps – 

  1. Creating a new implementation of functionality and packaging it into JAR file. 
  • The custom connector uses the openconnector framework provided by SailPoint in the openconnector package where there are lot of methods provided for different type of operations.  
  • The custom logic which you want to implement using this custom connector shall be developed in the specified methods.  
  • Once code development is completed, Custom connector code with all the classes must be compiled and packaged to a JAR file.  
  • And the JAR file must be placed in WEB-INF/lib folder of IIQ Installation directory 
  1. Defining Connector type in Connector Registry 
  • Connector Registry is an XML file present in IdentityIQ as Configuration object. This file contains the information about all the different connectors and their related details.  
  • Now that we have created a new connector in our IdentityIQ, we have to declare its information and details in Connector Registry.  
  • Here we will create an xml file consisting of the details pertaining to our custom connector. Once we Import this xml file into IdentityIQ, it will be merged with the existing Connector Registry file in IdentityIQ database allowing IdentityIQ to create a new entry in the list of connectors.  
  • Alternatively, the Connector Registry could be manually edited through the Debug page
  1. Defining .xhtml page which specifies required and optional connection parameters. 
  • Usually, some parameters are required to define the connection to the target resource (e.g. host, port, username, password, etc.).  
  • To allow these parameters to be specified through the UI for each application that uses this connector, an .xhtml page must be written to define how the Application Configuration user interface will request and record those parameters.  
  • This file must be placed in the [IdentityIQ Installation Directory]/define/applications/ directory and must be referenced in the application definition’s XML as the “formPath” entry.  
  1. Testing the connector by Creating an application which uses this connector. 
  • Finally, after completing all the development related activities, one must start the application server which is hosting IdentityIQ.   
  • An Application object must be created for using the IdentityIQ’s UI. Select the configured custom connector as application type to tie it to the connector registry configuration and specifying any connection parameters through the configuration. 
  •  Once the application is onboarded, we can perform all the configured functionalities in it and verify back the results within the targeted external application.  
  • Alternatively, Application connector can be tested from the integration console (run iiq integration from the [IdentityIQ Installation Directory]/WEB-INF/bin directory).  
  • This console can be used to test the various features of your connector including Aggregation and Provisioning

The following presentation gives you clear understanding of custom connector development in detail.

Now let’s have a demo on building custom connector, deploying it into SailPoint IdentityIQ and using it. 

Please subscribe to our social media and stay updated with latest technology content. Thanks!

SailPoint IdentityNow Workflows

About SailPoint IdentityNow Workflows:

IdentityNow workflows are a way to automate processes related to Identity Security Cloud. These processes when carried individually are manual, error prone and laborious in nature.

Here are a few examples of the power of workflows.

  1. Design workflows that can handle a growing number of users onboarding requests, ensuring scalability as the organization hires new employees.
  2. Design workflow to raise tickets in ticketing system to automate the resolution of access-related issues reported by users, ensuring a streamlined process.
  3. Modify an existing workflow to include new steps for managing temporary access during a special project, adapting to changing business needs.
  4. Implement a workflow for access reviews that automatically identifies and revokes unnecessary access rights, ensuring that users only retain permissions relevant to their current roles.
  5. Streamline access request procedures including approval steps for access approval or modification.
  6. Send email alert when an identity changes group in end application.
  7. No human involvement while configuring and activating certification campaign when identity changes department and also send email alert to reviewer.

In this video blog, we will be discussing about the IdentityNow workflows in detail. The following are the key topics that are discussed as part of the blog.

  1. Why SailPoint introduced Workflow in IdentityNow
  2. Available platforms in IdentityNow to build a workflow.
  3. General terminology and use of Inline variables
  4. Simulating and testing a workflow
  5. Migrate workflows between sandbox and production.

The detailed discussion of Workflows, it’s terminology and configuration process are present in the following video.

Detailed demo on developing & testing workflows in all 3 possible ways is present in the following video.

Please subscribe to our socials and stay updated with latest technology content.

SailPoint IdentityNow Automation Testing

Introduction
Automation testing refers to the testing of the software in which tester write the test script once with the help of testing tools and framework and run it on the software.
The test script automatically tests the software without human intervention and shows the result.

Prerequisites for Automation:
To begin automation testing using Selenium, there are few prerequisites should have in place:

  1. Programming Language: Choose a programming language in which you will write your test scripts. Java, Python, C#, and Ruby are common choices for Selenium automation. You should have a good grasp of the chosen language.so we have chosen java.
  2. Integrated Development Environment (IDE): Install an integrated development environment (IDE) such as Eclipse, IntelliJ IDEA, or Visual Studio Code to write and manage your Selenium scripts. We have chosen Eclipse as IDE platform.
  3. Java Development Kit (JDK): If u opt for Java, you’ll need to install the Java Development Kit (JDK) on your system.
  4. Selenium WebDriver: Download the Selenium WebDriver for your preferred programming language. You can add the WebDriver libraries to your project using build tools like Maven.
  5. Web Browsers: Make sure you have the web browsers you intend to automate (e.g., Chrome, Firefox) installed on your system.
  6. Web Drivers: Selenium interacts with browsers through web drivers. You should have the appropriate web drivers for the browsers you plan to test with (e.g., Chrome Driver, Gecko Driver). These should be downloaded and configured. Ensure that your chosen IDE is integrated with the Selenium WebDriver, making it easier to write, run, and debug test scripts.
  7. Test Framework: Select a test framework such as TestNG or Hybrid. Test frameworks help structure your tests and provide reporting capabilities.

By meeting these prerequisites, you’ll be well. prepared to start automation testing using Selenium and create efficient, maintainable, and effective test scripts.

The following below video showcases a small presentation on automation testing:

Tools used for Automation testing.

  1. Eclipse:
    Eclipse is a digital workspace for automation testing. It’s a special software that makes creating and running automated tests easier. It is used by testers because it’s super flexible and works with different programming languages. It helps in writing, organizing, and running tests for finding problems or bugs in software, making sure everything works smoothly.
  2. Selenium:
    Selenium is an Open source, It Supports multiple languages like java, python, Ruby. Scripts can be run on Multiple browsers like Chrome, Firefox, IE, Microsoft Edge. It supports Multiple operating systems like Linux, Windows, MacOS. It can be integrated with third party applications like TestNG, Cucumber.
  3. TestNG:
    TestNG is a testing framework used with Selenium for automating tests. It allows for organizing test cases, running tests in a specific sequence. It offers annotations to manage test execution flow, such as @Test for defining test cases, @BeforeMethod and @AfterMethod as you can see the highlighted point in the picture for pre and post-test setups, and @DataProvider for parameterization. This combination of Selenium and TestNG helps in efficient and structured automation testing, enabling testers to create, manage, and execute test cases reliably. Generates HTML reports showing test execution details.
  4. Maven:
    Maven is an open-source tool. Maven allows to download all the JARs and Dependencies and manage lifecycle for a Selenium Java project. This makes it easier for the QA to configure dependencies for Selenium Java by automatically downloading the JARs from the Maven repository.

Advantages of Automation testing

Efficiency: Automation testing can execute repetitive and complex tasks faster than manual testing.
Accuracy: Automated tests perform the same steps precisely every time, reducing the chance of human errors.
Reusability: Test scripts can be reused across different phases of development and in various testing scenarios.
Faster Feedback: Automated tests provide rapid feedback on the software’s stability and functionality.

Let us see how we can execute the test cases in the below video:

SailPoint IdentityNow REST API’s

Introduction

API stands for Application Programming Interface. APIs are mechanisms that enable two software components to communicate with each other using a set of definitions and protocols.

API architecture is usually explained in terms of client and server. The application sending the request is called the client and the application sending the response is called the server.

API Workflow

Fig. – API dataflow

What is REST API:

  REST stands for Representational State Transfer. This is the most popular and flexible APIs found on the web today. The client sends requests to the server as data. The server uses this client input to start internal functions and returns output data back to the client.  REST defines a set of functions like GET, POST, PUT, DELETE, etc. that clients can use to access server data. Clients and servers exchange data using HTTP.

The main feature of REST API is statelessness. Statelessness means that servers do not save client data between requests. Client requests to the server are similar to URLs you type in your browser to visit a website. The response from the server is plain data, without the typical graphical rendering of a web page.

Rest API operation in SailPoint IdentityNow

Post Operation: POST APIs request allows appending data to the endpoint. This is a method used to add information within the request body in the server. It is commonly used for passing delicate information.

GET operations: GET APIs request is used to obtain details from the endpoint and does not have any impact on the endpoint. The GET request does not update any endpoint data while it is triggered.

UPDATE operations: PUT APIs request is used to pass data to the server for creation or modification of an endpoint. The difference between POST and PUT is that POST request is not idempotent.

DELETE operations: DELETE APIs request deletes a resource already present in the server. The DELETE method sends a request to the server for deleting the request mentioned in the endpoint.

Let us understand usage of REST API’s in SailPoint IdentityNow in the following below presentation:

Pre-requisite

  • Base URL of SailPoint tenant.
  • secret key and client ID for the token generation.
  • Generating access token with Authorization code.

Rest API Authentication in IdentityNow

              Authentication is the process of determining whether someone or something is, in fact, who or what it says it is. Authentication provides access control for systems by checking to see if a user’s credentials match the credentials in a database of authorized users or in a data authentication server. In doing this, authentication assures secure systems, secure processes and enterprise information security.

OAuth 2.0

  • OAuth 2.0 is the industry-standard protocol for AUTHORIZATION.
  • OAuth 2.0 is designed primarily as a means of granting access to a set of resources, in simple way OAuth 2.0 Access Token is a string that the OAuth client uses to make requests to the resource server.

JSON Web Token

          JSON Web Token (JWT) authentication is a stateless method of securely transmitting information between two parties as (JSON) object. It is often used to authenticate and authorize users in web applications and APIs.

Rest API Authorization in IdentityNow

          Authorization in system security is the process of giving the user permission to access a specific resource or Authorization is the act of validating the user’s permission to access a given resource. This term is often used interchangeably with access control or client privilege.

Personal Access Token in IdentityNow

In IdentityNow a personal access token (PAT) is a method of authenticating to an API as a user without providing a username and password.

Now, let us go through a demo on how we can use these REST API’s in SailPoint IdentityNow.

Features of Rest API in IdentityNow

  • APIs extend IdentityNow functionality and Usability
  • Advanced configuration such as
    • Transform creation
    • Customization of account profiles
    • Ranking authoritative source priority
    • System level changes
    • Object management
  • Interface with other systems – pull data/initiate processes

Identity Deletion in SailPoint IdentityNow

Identity management (IDM), also known as identity and access management (IAM), ensures that authorized people and only authorized people have access to the technology resources they need to perform their job functions.

And access is managed by the user lifecycle state in IdentityNow. Identity Lifecycle State aims to automate and manage the entire digital identity lifecycle process and access throughout the organization.

Identity lifecycle is a set of stages of the identity from the creation to its deactivation or deletion. It contains a creation of an account, assignment of correct groups and permissions, setting and resetting passwords and in the end deactivation or deletion of the account.

Figure 1: Identity Lifecycle Management

Handling the unwanted identities in SailPoint increases the processing time and reduces the usability of the SailPoint tenant. To reduce the process and speed up the work, in tenant only limited and require identities we can handle, handling is easy and processing the limited identities is a less time-consuming process, so we can delete unwanted and terminated users’ identities from SailPoint.

Now, let us have a look at the SailPoint REST API’s used in the Identity deletion process. Below is the list of APIs used for Identity deletion in SailPoint IdentityNow:

Figure 2:  REST APIs in PowerShell Script connecting with SailPoint IdentityNow

And here, we will be using A personal access token (PAT) is a method of authenticating to an API as a user without providing a username and password.

Prerequisites for Identity deletion:

  1. SailPoint REST API’s.
  2. Client ID and Client Secret.
  3. IQservice Server.

Now, let us discuss the use case of Identity deletion.

Use Case:

All the identities in the “30daysPostTermination” lifecycle state will be deleted from IdentityNow. 

The deleted identities would be re-aggregated in the next aggregation cycle as “Uncorrelated accounts” in target application, and hence would not affect the new hire creation logic and the SAMAccount name would remain unique as per the requirement and the logic defined.

A PowerShell script will be developed to call the APIs to identify all the Identities in the required lifecycle state i.e. “30daysPostTermination” and will delete the accounts from the HRMS Source for all the Identities.

Figure 3: Use Case diagram.

Steps Overview as per the script:

Step1: As part of the PowerShell script first it will read the require details from property file. In property file we can maintain the ClientID, client Secret, base URL, search query, deletion limit, log file path and debug values.

Step2: Authentication API will execute to generate the access token.

Step3: Next Search API will execute and the fetch “30daysPostTermination” lifecycle state identities from SailPoint Tenant.

Step4: One by one Identities will pass to Delete API to delete from SailPoint Tenant.

Let us understand Identity Deletion by using SailPoint REST APIs, use cases and automation of the script via windows task scheduler in the following below presentation:

Advantages of Identities Deletion in SailPoint IdentityNow.

  1. It will increase the usability of the tenant.
  2. It decreases the aggregation and identity refresh process time.
  3. It will fasten the backend processes and reduce the unwanted identity handling.
  4. Reduce the burden on the tenant.

When a user got terminated or left the organization, all access will be removed, and accounts will be disabled.
Now, let us go through a demo on how we can achieve identity deletion in SailPoint IdentityNow.

Oracle Fusion Integration with SailPoint IdentityIQ

About Oracle Fusion: Oracle Fusion Cloud HCM is a complete cloud solution that connects every human resource process and every person across the enterprise.

Benefits of Oracle Fusion:

  • Oracle HCM cloud enables HR leaders by delivering an end-to-end solution to manage every stage of the employee lifecycle.
  • Human capital management transforms the traditional administrative functions of human resource departments – recruiting, training, payroll, compensation, and performance management into opportunities to drive engagement, productivity, and business value.
  • It also offers Data Efficiency by preserving history of changes made to the attributes of some objects. As a Professional user, you can retrieve and edit past and future versions of an object.
  • Many HCM objects, including person names, assignments, benefits-plans, grades, jobs, locations, payrolls, and positions are date-effective. Date-effective objects include one or more physical records. Each record has effective start and end dates. One record is current and available to transactions. Others are past or take effect in the future. Together, these records constitute the logical record or object instance.

Integration with SailPoint IdentityIQ

Here, Oracle Fusion application is integrated with SailPoint using Webservices connector. Let us have a quick overview of basic configuration parameters of SailPoint IdentityIQ Webservices Connector

Webservices connector application configuration
  • Base URL: The base URL is used to connect to the web service managed system.
  • Authentication Method: Authentication methods that is supported are: OAuth2, API Token, Basic Authentication and No/Custom Authentication
  • Schema Attribute for Account Enable status: Attribute name and value required to be provided to check the Enable status. For example: status=Active
  • Username: Username of the resource owner
  • Password: Password of the resource owner
  • Grant Type: We can select the type of Grant from below: Refresh Token, JWT, Client Credentials, Password and SAML Bearer Assertion
  • Client Id: (Optional for JWT and SAML Bearer Assertion) Client Id for OAuth2 authentication.
  • Client Secret: (Optional for JWT and SAML Bearer Assertion) Client Secret for OAuth2 authentication.
  • Token URL: URL for generating access token.

Basically, connecting SailPoint to your Web Services allows you to configure any web service supported managed system which can read and write on the managed system using the respective managed system’s Web Services. Web Services supports JSON and XML for read and write.

Oracle Fusion Integration with SailPoint IdentityIQ

Now, let us have a look at the Oracle Fusion REST APIs used in the Integration process. Below is the list of APIs used for integrating Oracle Fusion to SailPoint:

  • Get all Workers API: This fetches all the worker records as of the specified date. Worker types include employee, contingent worker, and pending worker. By default, the current date is retained.
  • Get all User Accounts API: This fetches all the userAccounts. We may need to manage user accounts for the workers to assign or revoke Fusion Roles
  • Get all Roles API: This is used the get the roles assigned to the user accounts.
  • Create Employee API: This is used to create an Employee record in Oracle Fusion.
  • Update Employee API: This is used to update an Employee record in Oracle Fusion.
  • Terminate Worker API: This is used to Disable a Worker record in Oracle Fusion.
  • Role Revoke API: This is used to revoke an assigned role.
  • Rehire Employee API: This is used to Enable an Employee record in Oracle Fusion.

And here, we will be using Basic Authentication in the Integration Process where we have used Username and Password of the resource owner to from connection between Oracle Fusion and SailPoint IdentityIQ

Prerequisites for integrating Oracle Fusion with SailPoint

  1. Oracle Fusion REST APIs
  2. Oracle Fusion instance
  3. Base URL of the Oracle Fusion instance
  4. As we are using Basic Authentication, we need username and password for the APIs

Now, let us discuss the use cases involved in the integration process.

Use Cases

1. Joiner/Create account Process

Joiner Process starts with the creation of account in Truth Source application. Then that account will be brought to SailPoint through a scheduled aggregation task.

Joiner/Create Account Process

Then through a Scheduled Refresh Identity Cube task and using a configured Business Role and Assignment Rule, two conditions are checked.

  1. Identity or Account in Truth Source is Active
  2. Business Unit is XXXX

If these two conditions are satisfied. Then the account creation process for Oracle Fusion application gets triggered. As part of the Joiner or Account creation process, Basic access will be provisioned to the newly created account from the Fusion end automatically.

2. Leaver/Disable Account Process:

Leaver process starts when the Last working day attribute of account is populated in Truth Source application.

Leaver/Disable Account Process

Then that Last working day for that account will be updated in SailPoint through a scheduled aggregation task. Then through a Scheduled Refresh Identity Cube task, it is checked that if that Last working day is equal to Today’s date. In other words, it is checked that if the Last working day has reached.

If the Last working day has reached, then the account disable process for Oracle Fusion application gets triggered.

As part of the Termination process, all the Roles which that account has, will be de-provisioned.

3. Rehire/Enable Account Process:

Rehire Process starts by enabling the account in Truth Source application. Then that is updated in SailPoint through a scheduled aggregation task.

Rehire/Enable Account Process

Then through a Scheduled Refresh Identity Cube task, the account enable process for Oracle Fusion application gets triggered.

As part of the Rehire/Enable account process, another new Assignment is created for that account with AssignmentName and AssignmentNumber appended with “R”. And Basic access will be assigned to that enabled account as we saw in the create account use case.

Advantages of Integrating Oracle Fusion with Sailpoint IdentityIQ:

  1. In this integration, we have automated the creation of account in Oracle Fusion. Whereas before the integration, Oracle Fusion team had to create an account in Oracle Fusion manually for the new Joiners
  2. In this integration, we have also automated the Disabling and Role Revoke operations. Actually, when the Last Working Date of the user has reached, then the Oracle Fusion account of this leaver will be disabled and Oracle Fusion Roles assigned to this leaver will Revoked, by Sailpoint. Whereas, before the integration, Oracle Fusion team had to disable the account and Revoked Roles in Oracle Fusion manually for the leavers.
  3. In this Integration, we have also automated the update operation as well. From Sailpoint, we are updating the attributes such as LegalEmployerName, Department, Job, Grade, FirstName, LastName, DisplayName, etc. Whereas, before the integration, Oracle Fusion team had to handle these updates manually which will be a tedious task to do.
  4. We have also automated the Rehire Process. When a user got rehired, then for that user, Oracle Fusion account will be enabled and a new work relationship will be created from Sailpoint.

When a user got Rehired, only the Basic access will be given, not the access that user had before Leaver process for that user initiated.
The detailed discussion of Oracle Fusion introduction, Oracle Fusion TEST APIs, use cases and integration approach is discussed in the following video:

Now, let us a have a demo on integration of Oracle Fusion with SailPoint IdentityIQ in the following video:

Genie Integration with SailPoint IdentityIQ

Before going through the Integration of Genie with SailPoint IdentityIQ, let us understand what a ticket and a ticketing system is.

What is a ticket?

A Ticket is a special record that represents an incident, request or event that requires action from the IT department. It contains the necessary details of the incident, request or event.

A ticketing system is a software platform designed to manage and track customer support requests. It streamlines the process of resolving customer issues, making it easier for businesses to provide fast and effective support.

Benefits of embracing a ticketing system in your organization:

  • Control High Volume of Requests from a Centralized Place – Organizations can track and manage inbound support requests with the help of a good ticketing system. The solution can be used by executives to manage support cases more efficiently while still attending to all client issues.
  • Combine interactions into one thread – Your team can use ticketing system to combine customer-related conversations into a single thread when offering customer care to clients via a variety of channels.
  • Process automation and workload management – Ticketing systems provide several potentials for automation. As an illustration, the software gathers assistance requests from several sources before automating the creation of tickets. Regardless of the help channel clients select, tickets are automatically created whenever they submit requests.
  • Adequate team collaboration – Ticketing systems provide a platform to the customer service representatives to collaborate among themselves in assigning tickets to senior associates in terms of P0 escalations.

About Genie:

Genie is a ticketing tool, in which there are different types of tickets such as Work Order tickets, Incident tickets, etc. SailPoint handles creation of below tickets in Genie from SailPoint.

  1. Onboarding ticket
  2. Exit or Off-boarding ticket
    • Provision failure ticket

    Among the above tickets, Onboarding and Off-boarding tickets are Work Order tickets and Provision failure ticket is an Incident ticket.

    Integration with SailPoint IdentityIQ:

    Genie is integrated with SailPoint using REST APIs.

    Below is the high-level architecture of Genie – SailPoint Integration

    High level architecture

    Now, let us have a look at the APIs used in the Integration process. Below is the list of APIs used for creating tickets and getting specific ticket details:

    1. Generate Authentication key: We are using this API to generate an Authentication key. Here, the generated Authentication key expires for every few minutes.
    2. Creating Work Order ticket: We are using this API to create a Work Order ticket in Genie.
    3. Get specific Work Order ticket: We are using this API to Get a specific Work Order ticket details. In other words, it is used to Retrieve the Work Order ID of the submitted request.
    4. Creating Incident ticket: We are using this API to create a Work Order ticket in Genie.
    5. Get specific Incident ticket: We are using this API to Get a specific Incident ticket details. In other words, it is used to Retrieve the Incident number of the submitted request.

    Prerequisites for integrating Genie with SailPoint:

    Following are the prerequisites that are essential for integration of Genie with SailPoint IdentityIQ

    1. Genie API details for creating tickets
    2. Base URL and Authentication details of the APIs
    3. Access to Genie Test Instance
    4. Database table to store the ticket details
    5. Connection details of the Database

    Now, let us discuss the use cases involved in the integration process.

    Use Cases

    1. Onboarding Ticket Creation:

    An Onboarding Work order ticket will be created in Genie from SailPoint when a new joiner joins the organization and his/her account is created in Truth Source and Active Directory applications.

    The ticket contains details of the New Joiner such as Start Date, First Name, Last Name, Employee ID, Employment Type, AD ID, Domain ID, Contact Information, etc.

    Onboarding ticket creation process

    Success case:

    Once the ticket gets created in Genie successfully, the details of the created ticket such as    Work Order ID, Creation Date, Request ID and ticket summary will be added to the database table.

    Failure case:

    If the ticket creation fails for some reason, then an Email notification containing the New Joiner’s details, will be triggered to the respective stakeholders.

    1. Exit or Off-boarding Ticket Creation

    An Exit or Off-boarding Work order ticket will be created in Genie when HR assigns the Last working date of the user in Truth source and that Last working date is 7 days away from today’s date.

    The ticket contains details of the End dated user such as Last Working Date, First Name, Last Name, Employee ID, Employment Type, AD ID, Domain ID, Contact Information, etc.

    Exit ticket creation process

    Success case:
    Once the ticket gets created in Genie successfully, the details of the created ticket such as Work Order ID, Creation Date, Request ID and ticket summary will be added to the database table.
     
    Failure case:
    If the ticket creation fails for some reason, then an Email notification with the End Dated user’s details, will be triggered to the respective stakeholders specifying.

    1. Provisioning Failure (Incident Ticket)

    A Provisioning Failure (Incident) ticket per application will be created if the provisioning operations failed in SailPoint in last 24 hours. In this use case, applications under consideration are Active Directory, G-Suite and OpenLDAP and operations under consideration are Create, Enable, Disable and Delete.

    For example, if the Disable operation failed in Active Directory for an account, then a ticket (which will be of Incident type) will be created in Genie containing the details such as Type of operation failed and Display Name, Employee ID, email, sAMAccountName, userPrincipalName, distinguishedName, etc details of the account.

    Provisioning Failure ticket creation process

    Success case:

    Once the ticket gets created in Genie successfully, the details of the created ticket such as Incident Number, Creation Date, Request ID and ticket summary will be added to the database table.

    Failure case:

    If the ticket creation fails for some reason, then an Email notification will be triggered to the respective stakeholders specifying Type of operation failed, Application name in which Provisioning failed and Display Name, Employee ID, email, etc. details of the account.

    Now, let us understand the advantages of integrating a ticketing system with SailPoint IdentityIQ when compared with a traditional ITSM.

    Advantages of Integrating Genie with SailPoint IdentityIQ:

    1. In this integration, we have automated the creation of onboarding tickets for New Joiners. Whereas in traditional ITSM’s, the ticket should be created manually by the end user.
    2. While creating tickets in Genie, SailPoint uses the data coming from Truth Source which will be updated by the HR team. Whereas in traditional ITSM’s, there is every chance that end user does not give the mandatory details required by IT team to perform necessary action on that ticket or the end user mistakenly may also enter incorrect details. So, IT team might need to contact the HR team or the end user, which is a time-consuming process.
    3. In this integration, we will be using the details of the user as per the Truth Source application while creating the ticket. So, the IT team may not wait for the communication from the concerned team.
    4. Whereas in traditional ITSM’s, when the ticket is created, the IT team should get certain required details from the concerned team manually. The Exit ticket will be created automatically when the end-dated user is one week away from the Last Working date, which gives the IT team ample amount of time to take necessary actions such as collection of assets and disabling of access.
    5. In this integration, we are storing the ticket details such as Work Order ID, Incident Number, Creation Date, Request ID and Summary in the database table for all the tickets created from SailPoint. So, we can use this table’s data for auditing purposes which ensures centralized governance.
    6. The Incident tickets are created every day (one ticket per application) from SailPoint in Genie for applications such as Active Directory, G-Suite and OpenLDAP and for operations such as Create, Enable, Disable and Delete, if the provisioning fails in these applications. The point to be noted here is, if in an application, no provisioning operations failed for that day, then no ticket will be created for that application for the particular day. But, there is every chance that, one ticket per application will be created where each ticket contains the information of all the accounts for which Provisioning failed. Using SailPoint, this is one of the critical advantages of integrating genie with SailPoint IIQ. Whereas in traditional ITSM’s, this needs to be done manually, which will be a tedious task to do.

    The detailed discussion of APIs, use cases and integration approach is discussed in the following video:

    Now, let us a have a demo on integration of Genie with SailPoint IdentityIQ in the following video:

    Sailpoint IdentityIQ: Bulk User Creation Plugin

    Bulk User Creation Plugin in IdentityIQ

    Introduction

    A plugin is a tiny piece of software that extends the functionality of an Application or Computer program.

    The IdentityIq Plugin Framework is an protract framework model for IdentityIQ.It allows third parties to develop affluent application and service-level amplification to the core SailPoint IdentityIQ. It enables plugins to extend the excellence in user interface, deliver custom REST endpoints, and to deliver conventional background services.

    In the following presentation, I will be providing a brief introduction of IdentityIQ Plugins:

    Plugin Versioning Requirements

    Plugin version numbers must be numeric, denote the parts of the version number with decimal points, and not contain any alphabetic or other characters in order to better facilitate upgrading plugins.
    Leading zeroes will be removed from each segment of the version number, and the values between the decimal points are converted to integers.

    For example:
    06 and 00006 are both interpreted as 6
    A segment containing any non-numeric values is interpreted as 0
    7.009.alpha is parsed as 7.9.0
    5.7.8a is parsed as 5.7.0

    Plugin Object Model

    The Plugin XML object, which specifies the plugin’s constant, describes a plugin in IdentityIQ. REST resources, Snippets, and settings are a few examples of features. The manifest.xml file contains the definition of the Plugin object. This file is necessary for plugin.

    The XML object known as the Plugin Object defines the plugin’s feature. By binding them as attributes of a Plugin Object, this object informs IdentityIQ about the facets that are present in your plugin. You can also specify information about the plugin in the Plugin Object, such its name, the privileges needed to use it, its version, snippets, and REST resources. Use the advanced plugin settings to define a form or to refer to a specific plugin configuration file for more complicated plugins that need support for several field types and more dynamic behavior, such as drop-down lists or password fields. Depending on past selections, dynamic behavior can involve showing or hiding other fields.

    For Example: In contrast to when the user picks basic authentication, it could be more acceptable to display an access token field when the user selects o-auth authentication.

    Plugin Settings

    Attributes that can be changed during installation are known as plugin settings. To view the configuration options page, click Configure. Forms are used to display the settings. The form is generated automatically if the plugin does not use its advanced options.
    On the plugin settings page, the settings from the manifest file are shown in alphabetical order.
    A single setting on a plugin’s configuration settings page can be represented by the Plugin setting object. On the settings page, each object serves to represent a single customizable setting.

    Developing Plugins

    IdentityIQ stores the .zip archive file of the Plugin in the IdentityIQ database in the spt_file_bucket table. The data in the spt_file_bucket table is a referenced ID to an entry in the spt_persisted_file table.

    After establishment or amid an application server restart, plugins are stacked from this.zip file. All consequence files are taken from the.zip file and cached for ensuing utilization. The cached files can be gotten to using a assortment of accessor ways, but they can moreover be retrieved by utilizing

    the URL prefix /identityiq/plugin/pluginName taken after by the way indicated within the construct structure. The PluginClassLoader lesson is utilized to stack and cache compiled Java classes from the.zip file.

    Example Plugin Directory Structure:    

    Bulk User Creation Plugin

    This is a custom plugin built by ENH iSecure for creating Identities through SailPoint IdentityIQ and Provision the following identities to the requested Applications in IdentityIQ

    A User like a manger level will have a Privilege to request for Bulk User Creation, once a .csv file is Uploaded in UI page by the following user and if the users request gets Approved a bulk number of identities will be created in Sailpoint IdentityIQ and the following identities provisioning takes place on the identities joining dates for the Requested Applications and following Email notification follows with respective action steps.

    In the following video, I will be providing a detailed demo on IdentityIQ custom Plugin (Bulk User Creation)

    SAP HR & ECC Source Integration

    SAP is one of the world’s leading producers of software for the management of business processes, developing solutions that facilitate effective data processing and information flow across organizations.

    SAP software provides multiple business functions with a single view to the entire data. This helps companies better manage complex business processes by giving employees of different departments easy access to real-time insights across the enterprise.

    SAP solutions are classified into 6 core products as listed below.

    In the below video, we are going to see the SAP HR/HCM source and SAP ERP Core Component (ECC) source integration in SailPoint IdentityNow.

    SAP HR system integration.

    SAP HCM solution is used to streamline the HR process and create a people centric organization.

    SAP HR/HCM system that we are integrating in SailPoint IdentityNow will be the truth source from which identity governance is managed.

    SAP ECC system integration

    SAP ECC is the ERP system that integrates information from one SAP system to another system in real time, this helps companies better manage complex business processes by giving employees of different departments easy access to real-time insights across the enterprise.

    As a result, businesses can accelerate workflows, improve operational efficiency and raise productivity.

    By integrating SAP ECC to SailPoint IdentityNow, Identity access management and governance will be simplified.

    Use cases.

    On demand access request: User can request access based on requirement from request center.

    Separation of Duties: Whenever user request for conflicting access SoD policy violation check will happen and warn the approver that approving access will violate SoD policy.

    Leaver Scenario: When user lifecycle state is changed to terminated the end target applications access will be disabled.

    Certification campaign: To certify user is having right access certification campaign can be configured and can be certified by user’s manager or source owner or a specific individual.

    In the below video, we are going to look at a demo of above specified integrations and use cases.

    Event Triggers

    Event triggers is an extensibility feature recently released by sailpoint which enables us to integrate identitynow with third party applications. Event triggers follows an event based architecture towards integration.

    IdentityNow has many even triggers which capture the events internal to IdentityNow. This can be related to various IdentityNow internal processes like aggregation, provisioning, access request etc.

    In response or action to an event, Event triggers have a capability to communicate with external applications. This response can happen via webhooks or AWS event bridge.

    If webhook is configured as an action for the event trigger, respective HTTP APIs will be called.

    If an AWS event bridge is configured for the event trigger, an event can be setup to be captured on an AWS event bridge.

    Types of Event Triggers

    REQUEST_RESPONSE

    This type of trigger is used to give the custom application an ability to answer back to a trigger event sent by the trigger service. This integration is bi-directional. A response from the custom application is required for a trigger invocation to be considered complete and successful.

    FIRE_AND_FORGET

    This type of trigger is used to notify the custom application of a particular occurrence of an event. This integration is uni-directional. Trigger invocation is successful the moment the trigger service notifies the external application, and it does not require a response from the custom application.

    IdentityNow has a set of event triggers that you can configure to connect to web hooks in third-party systems.

    Available Event Triggers

    In below presentation we will be viewing the concept of event triggers in brief.

    Use Case:

    Let us see a real time use case for this.

    Below is the workflow representation.

    In below video we will be demonstrating the real time implementation of event triggers.

    References:

    https://developer.sailpoint.com/triggers/getting_started.html