You have to admit that many people change their password to ‘incorrect’. That way, whenever they enter a wrong password, the system reminds them: “your password is incorrect”. A survey also stated that more than 78% of people tend to forget their latest passwords within 21 days of inactivity.
In such scenarios, securing and monitoring access for external users such as partners, contractors and customers who have access to organizational resources has always been a challenge for many organizations, increasing the demand for a centralized login system. Single sign-on (SSO) is an authentication process that allows a user to access multiple applications with one set of login credentials.
Okta is one of the leading providers of user authentication and standards-based single sign-on (SSO) for employee, partner and customer identity types. Okta supports and manages SSO for enterprises with a wide range of applications, thereby providing a single, secure, centralized login system.
SailPoint IdentityIQ supports single sign-on as one of its login configurations. The SSO is based on the SAML protocol, which is a standard protocol for SSO and other security assertions.
In this blog we are going to take a look at the integration of SailPoint IdentityIQ with Okta for Single Sign-On.
The following presentation discusses the integration between SailPoint IdentityIQ and Okta in detail.
The following is a demonstration of the steps for configuring Okta as an Identity Provider for SailPoint IdentityIQ.
SailPoint has a solution to meet the identity governance needs that exist in today’s business environments. This solution, IdentityNow, is easy for businesses to consume because it is delivered in the cloud. It offers many features, such as User Password Management, Access Certification, Access Requests, Provisioning, Multi-factor Authentication, Strong Authentication and Analytics. IdentityNow is a market leader as an IAM solution for organizations taking the next step into cloud computing.
The product is simpler to put together than several other IAM solutions on the market, so additional configuration can be completed without the need for specialist resources. The user interface (UI) is much easier for end users to work with and needs less training.
With Pass-Through Authentication, the user logs in to the IdentityIQ application through the normal IdentityIQ login page, but the system validates the user’s credentials against an external source, “passing” the ID and password “through” to the authorizing system instead of consulting IdentityIQ’s internal records.
What is a Global Catalog server?
The global catalog contains a partial replica of every naming context in the directory, such as the schema and configuration naming contexts, but with only a small number of their attributes.
Introduced with IdentityIQ 7.1, the plugin framework provides the infrastructure and tools to enable developers to extend the Open Identity Platform to meet a variety of specialized use cases that one might encounter in a non-standard deployment.
The SailPoint IdentityIQ 7.1 Plugin Framework provides a dynamic, plugin-specific class loader. It also introduces a simple, supportable and upgradeable user experience. The dynamic class loader protects the base classes from modification and allows for additional security and upgradeability.
Nowadays, almost every website requires some form of authentication to access its features and content. With the number of websites and services rising, a centralized login system has become a necessity. Single sign-on (SSO) is an authentication process that allows a user to access multiple applications with one set of login credentials. Ping Identity’s PingFederate provides SSO for enterprises that have multiple applications and APIs to protect.
PingFederate is the leading enterprise federation server for user authentication and standards-based single sign-on (SSO) for employee, partner and customer identity types.
Usually this kind of refresh is performed through the UI from the debug pages in IdentityIQ. The following are the steps for refreshing log4j configurations through the UI.
Whenever log4j configurations change, they have to be refreshed across all the servers present in the environment. However, when a load balancer is configured, we might not have access to individual servers through the UI, which makes refreshing the log4j configurations through the UI on each server difficult.
Possible solutions:
There are 3 possible solutions for this problem.
Temporarily redirect load-balancer traffic to only one server and refresh the configurations on that server through the debug pages. This process has to be repeated for each of the servers.
Identity attributes in SailPoint IdentityIQ are central to any implementation. They usually carry a lot of information useful for a user’s functioning in the enterprise.
Purpose: This blog describes a rare way of configuring identity attributes in SailPoint that leads to a few challenges.
Requirements Context: By nature, a few identity attributes need to point to another identity. Two such use cases would be:
Any identity attribute in IdentityIQ can be configured as either a searchable or a non-searchable attribute. A searchable attribute has a dedicated database column of its own. For attributes like manager, we would ideally need a lot of filtering capability on the attribute, which makes it a perfect case for a searchable attribute. A few use cases where having manager as a searchable attribute would help are:
However, the assistant attribute is used quite differently. Not much searching or filtering happens on the assistant attribute in a typical IAM implementation, so it would be preferable to configure it as a non-searchable attribute.
Implementation:
As part of the implementation, an extended attribute is configured in the Identity Configuration for the assistant attribute as follows.
Assistant identity attribute configuration
The following configuration details are to be observed.
Challenge faced: A specific challenge arises when this type of configuration is used with identity attributes.
Scenario: There are situations where the assistant attribute in Active Directory points to itself. For example, John.Doe’s assistant would be John.Doe himself. This configuration has led to the failure of many operations and tasks due to the SailPoint behavior described below.
Possible Solutions: The above problem can be solved in two ways.
Adding checks to avoid self-references. The logic that populates this type of identity attribute should include a check that prevents a non-searchable identity attribute from referencing the identity itself.
Using searchable attributes. Avoid using non-searchable attributes for identity attributes of type identity.
A Rule is an XML object with fully programmable Java-based implementation hooks (BeanShell). Rules can capture pieces of business logic. SailPoint IdentityIQ is very much rule-driven, and thus very flexible.
Rules can reference other Rules! Helpful with creating Rule Libraries.
Rule Libraries are collections of methods that have been grouped together and stored in IdentityIQ as a Rule object. They contain a set of related but unconnected methods that can be invoked directly by workflow steps or other rules.
Batch Requests enable you to generate specific types of access requests for more than one user at a time. The required data is gathered from a prepared comma-delimited file for each request type. The batch files require comma-delimited data that represents the individual requests. In most cases the native identity or identity name can be used to specify the request target.
In this presentation, we discuss batch requests in SailPoint IdentityIQ, the different methods involved in batch requests, and a complete explanation of the implementation of the individual request types with Active Directory and Azure bulk provisioning.
Bulk Provisioning – Batch Request in SailPoint IdentityIQ