ETL Process and Working of CloverETL in Sailpoint IdentityIQ

As data is generated ever more rapidly, it must be organized before it can yield useful results. Data has to be properly formatted and prepared before it is loaded into data storage systems for analysis; otherwise, bad data leads to inaccurate analysis that can cause significant losses for the organization. To prevent these problems, the data needs to be processed and transformed into quality data, which supports better analysis.

This can be achieved with an ETL process, which Extracts, Transforms, and Loads the data. Each of these phases can include functionality to process the data as required. Various tools perform ETL. SailPoint is a flagship identity management tool that uses CloverETL (CloverDX) for data processing.

The following presentation sheds light on the ETL process and the working of CloverETL in SailPoint.

 

SailPoint IdentityIQ Applications Credential Cycling Using PAM Solution

A large number of applications on SailPoint IdentityIQ rely on using service accounts to communicate with the application targets. These accounts have the authorizations to perform identity management tasks and should be treated as privileged accounts. When a privileged account management solution like CyberArk or BeyondTrust is used in the organisation, the credentials of the privileged account would be stored on the PAM solution and retrieved by IdentityIQ whenever required. The feature of credential cycling introduced in IdentityIQ 7.3 allows this to be configured with ease.

 

The following presentation discusses the need for credential cycling and how it works:

The following demonstration illustrates a use case where credential cycling is configured with the CyberArk PAM solution:

The next video demonstrates credential cycling when configured with the Thycotic Secret Server PAM solution:

Integrating CyberArk with SailPoint using SCIM

Privileged accounts are considered to be “keys to the kingdom” in any IT Infrastructure. Almost every cyber attack that has ever happened involved compromises at the privileged account level. PAM Solutions usually help in managing such accounts, keys or files that would lead to escalated access.

CyberArk is the global leader in PAM solutions with a holistic approach towards privileged account management. It covers not only traditional PAM problems but also extends its capabilities with features such as managing hard-coded application credentials, analytics, on-demand privilege escalation and managing end-user devices like desktops.

Securing and streamlining the identity and privilege data held in such solutions is of very high importance.

In the following presentation, we provide a detailed overview of CyberArk integration with SailPoint by configuring CyberArk as a SailPoint application.

In the following video, we provide a detailed demo of this integration.

Sailpoint : IdentityIQ Console

Sailpoint IdentityIQ Console is the command line utility for interfacing with IdentityIQ.
It is a powerful tool that allows the user to view objects, execute workflows, import and export data, and much more.

In the following presentation, we discuss how to launch the IIQ console and the usage and syntax of frequently used console commands.

 

 

The following demonstration presents the usage of frequently used console commands along with some examples.

CyberArk Privileged Account Security Architecture

Privileged accounts on a system possess higher authorizations and control. These accounts pose a higher risk if they are compromised. Privileged Identity Management solutions aim to address this by providing security and control over these accounts. CyberArk is a major provider that offers privileged account security and is backed by a patented vaulting technology. CyberArk enables organizations to secure, provision, manage, control and monitor activities associated with privileged accounts.

The following presentation describes privileged account security and the architecture of a CyberArk implementation. The various components of the CyberArk architecture and their functionalities are also discussed.

 

Integrating CyberArk’s PAS Solution With DUO’s 2FA

CyberArk’s PAS solution uses the Password Vault Web Access (PVWA) system, which provides the method by which users request passwords and high-level administrators approve the requests. Access to this system should be as secure as possible. Integrating with a multi-factor authentication system like Duo makes the login process more secure by authenticating the user based on the LDAP password as well as the response received by the Duo Authentication Proxy from Duo Push set up on the user’s mobile device.

In the current demo, an LDAP user with the name “testuser” is created on the Active Directory Domain Controller as well as the DUO instance.

Once the accounts have been created, the Duo Authentication Proxy is set up and configured as the primary LDAP host for authentication.

The Duo Authentication Proxy is a service that runs on either Windows or Linux. It is configured using the file authproxy.cfg.

The details of the Duo instance and of the LDAP server used for primary authentication are configured in authproxy.cfg.

The firewall must allow outbound traffic to the Duo instance using HTTPS.

Only on successful primary and secondary authentication, access to the PVWA is granted.
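
A check for the authproxy.cfg settings that decide whether both factors are really enforced, written as an added example (not part of the original post and not Duo tooling). It assumes the proxy uses an [ad_client] section for primary authentication and an [ldap_server_auto] section facing the PVWA; every host and key in the sample is a constructed placeholder.

```python
import configparser

# Constructed authproxy.cfg: placeholder hosts and keys, not values from the post.
SAMPLE_CFG = """
[ad_client]
host=dc01.example.test
service_account_username=svc_duo
service_account_password=PLACEHOLDER
search_dn=DC=example,DC=test

[ldap_server_auto]
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER
api_host=api-XXXXXXXX.duosecurity.com
client=ad_client
failmode=safe
"""


def audit_authproxy(cfg_text):
    """Return findings for a Duo Authentication Proxy that fronts LDAP."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(cfg_text)
    servers = [s for s in cfg.sections() if s.startswith("ldap_server_auto")]
    if not servers:
        return ["no [ldap_server_auto] section: proxy is not serving LDAP"]
    findings = []
    for name in servers:
        sec = cfg[name]
        for key in ("ikey", "skey", "api_host"):
            # On Windows the secret may be stored as skey_protected instead.
            if not (sec.get(key) or sec.get(key + "_protected")):
                findings.append(f"[{name}] missing {key}")
        client = sec.get("client", "")
        if client not in cfg:
            findings.append(f"[{name}] client={client!r} has no matching section")
        elif cfg[client].get("transport", "clear").lower() == "clear":
            findings.append(f"[{client}] transport=clear: primary bind to AD is unencrypted")
        # failmode defaults to "safe": primary auth alone succeeds if Duo is unreachable.
        if sec.get("failmode", "safe").lower() != "secure":
            findings.append(f"[{name}] failmode is not 'secure': Duo outage skips the second factor")
    return findings


if __name__ == "__main__":
    for finding in audit_authproxy(SAMPLE_CFG):
        print(finding)
```
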

Active Directory Application Configuration – Test Connection Failure in IdentityIQ 7.2

Issue Description:

During Active Directory application configuration in IdentityIQ 7.2, “Test Connection” fails with the error message below.

In IdentityIQ 7.2, the Active Directory connector supports multiple Active Directory (AD) forests through one application definition.
When defining the Active Directory application through the IdentityIQ user interface in version 7.2, there is no option to specify the server details in the Domain configuration settings.

Even though we do not specify any server details, the default configuration tries to connect to “localhost“, similar to the default port configuration which is “389“.

We see the error message below when we click on “Test Connection”:

2018-09-04 05:05:12,551 ERROR http-nio-8080-exec-6 sailpoint.web.ApplicationObjectBean:2701 – Connector failed.sailpoint.connector.ConnectorException: Failed to connect to – dc=enhcorp,dc=com : Failed to connect to server:ldap
dc=enhcorp,dc=com localhost:389

Resolution:

 

Modify the application XML file to include the DC server details.
An example modification is shown below.

From

<entry key="domainSettings">
  <value>
    <List>
      <Map>
        <entry key="authorizationType" value="simple"/>
        <entry key="domainDN" value="DC=enhcorp,DC=com"/>
        <entry key="password" value="1:iIopEeOL5KrLoSjYKvh/Ww=="/>
        <entry key="port" value="389"/>
        <entry key="servers"/>
        <entry key="useSSL">
          <value>
            <Boolean></Boolean>
          </value>
        </entry>
        <entry key="user" value="ENHCORP\Administrator"/>
      </Map>
    </List>
  </value>
</entry>

To

<entry key="domainSettings">
  <value>
    <List>
      <Map>
        <entry key="authorizationType" value="simple"/>
        <entry key="domainDN" value="DC=enhcorp,DC=com"/>
        <entry key="password" value="1:iIopEeOL5KrLoSjYKvh/Ww=="/>
        <entry key="port" value="389"/>
        <entry key="servers">
          <value>
            <List>
              <String>172.16.153.185</String>
            </List>
          </value>
        </entry>
        <entry key="useSSL">
          <value>
            <Boolean></Boolean>
          </value>
        </entry>
        <entry key="user" value="ENHCORP\Administrator"/>
      </Map>
    </List>
  </value>
</entry>
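
An added example, not SailPoint code and not part of the original post: a small audit of the domainSettings block in an exported application XML. It flags the empty servers entry behind this error and, going beyond the page, two weaknesses visible in the same fragment (simple bind with useSSL unset, and binding as the built-in Administrator); it considers only the keys shown above and assumes an empty <Boolean> means not enabled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the "From" fragment inside a wrapper element,
# with the encrypted password replaced by a placeholder value.
SAMPLE = r"""<Attributes><Map><entry key="domainSettings"><value><List><Map>
  <entry key="authorizationType" value="simple"/>
  <entry key="domainDN" value="DC=enhcorp,DC=com"/>
  <entry key="password" value="PLACEHOLDER"/>
  <entry key="port" value="389"/>
  <entry key="servers"/>
  <entry key="useSSL"><value><Boolean></Boolean></value></entry>
  <entry key="user" value="ENHCORP\Administrator"/>
</Map></List></value></entry></Map></Attributes>"""


def is_true(entry):
    """True only for value="true" or <Boolean>true</Boolean> (assumption: empty = off)."""
    if entry is None:
        return False
    text = entry.get("value") or entry.findtext("./value/Boolean") or ""
    return text.strip().lower() == "true"


def audit_domain_settings(xml_text):
    """Return (domainDN, finding) pairs for every domain under domainSettings."""
    findings = []
    for ds in ET.fromstring(xml_text).iter("entry"):
        if ds.get("key") != "domainSettings":
            continue
        for dom in ds.findall("./value/List/Map"):
            e = {x.get("key"): x for x in dom.findall("entry")}
            val = lambda k: e[k].get("value", "") if k in e else ""
            dn = val("domainDN") or "(no domainDN)"
            srv = e.get("servers")
            hosts = [] if srv is None else [
                s.text for s in srv.iter("String") if (s.text or "").strip()]
            if not hosts:
                findings.append((dn, "no servers listed; connector defaults to localhost"))
            if val("authorizationType").lower() == "simple" and not is_true(e.get("useSSL")):
                findings.append((dn, "simple bind with useSSL unset; password not protected by TLS"))
            if val("user").lower().endswith("\\administrator"):
                findings.append((dn, "binds as built-in Administrator; use a delegated account"))
    return findings


if __name__ == "__main__":
    for dn, finding in audit_domain_settings(SAMPLE):
        print(f"{dn}: {finding}")
```
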

Active Directory – Exchange Provisioning errors in Sailpoint Identity IQ

Issue Description:

Active Directory provisioning that includes Exchange attributes fails with the error message below.

Errors returned from IQService. Connecting to remote server win-g303o4860qk.enhcorp.com failed with the following error message: The username or password is incorrect. For more information, see the about_Remote_Troubleshooting Help topic.

 

 

Troubleshooting steps:

  • Verified the user/password details by logging in to the domain controller as Domain Admin (the user that was used in the Active Directory application configuration).
  • Verified and restarted the Exchange services that had failed to start by default.
  • Enabled logging for the AD connector and observed the messages below.
    • 2018-08-31 02:07:09,515 DEBUG Workflow Event Thread 1 sailpoint.connector.ADLDAPConnector:3503 – 1239254649 Entering handleObjectRequest
      2018-08-31 02:07:10,796 ERROR Workflow Event Thread 1 sailpoint.connector.ADLDAPConnector:3380 – 1239254649 Exception occurred in handling Object Request.
      sailpoint.tools.GeneralException: Errors returned from IQService. Connecting to remote server win-g303o4860qk.enhcorp.com failed with the following error message: The username or password is incorrect. For more information, see the about_Remote_Troubleshooting Help topic.
  • Launched Exchange Management Shell and observed the error messages below.
    • VERBOSE: Connecting to WIN-G303O4860QK.enhcorp.com.
      New-PSSession : [win-g303o4860qk.enhcorp.com] Connecting to remote server win-g303o4860qk.enhcorp.com failed with the following error message: WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits accesses to remote computers within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic.
      At line:1 char:1
      + New-PSSession -ConnectionURI "$connectionUri" -ConfigurationName Microsoft.Excha …

 

Resolution:

The Active Directory-Direct connector reads Exchange Server attributes by connecting to Active Directory. For provisioning any Exchange attributes, however, the connector needs access to remote PowerShell via IQService.

Windows Remote Management (WinRM) is a feature of Windows that allows administrators to run management scripts remotely. The WinRM service should be running and should also be set up for remote management using Enable-PSRemoting -Force.

 

Enable PowerShell remoting in the domain using the cmdlet below in Exchange Management Shell.

>Enable-PSRemoting -Force

Split Brain Scenario in CyberArk

In high availability clustering, split-brain is a problem scenario that can occur when one of the nodes fails. Within a CyberArk implementation with disaster recovery enabled, a split-brain condition might arise if high availability is not configured as per the recommendations.

The following presentation discusses the split-brain scenario in a CyberArk implementation and how it can be resolved:

Sailpoint IIQ Activity Data Sources

Monitoring and analysis of events that occur on a system is crucial to identify threats and generate timely alerts. It is also important to identify who caused such events when they were triggered by a user. SailPoint IdentityIQ allows us to keep track of identity activity on various targets using Activity Data Sources. When configured, this allows us to track activity like logon times, security events, or application activity, among other actions.

The following presentation discusses how Activity Data Sources can be configured on IdentityIQ for basic Security Information and Event Management (SIEM) with an example use-case:

The following demonstration presents the use case of identifying activity-based policy violations by setting up Activity Data Sources: