SailPoint IdentityNow: Extensibility Feature Integration for Access Requests

Each progressing year, IT is getting more and more complex. Organizations keep growing and subsequently more and more people come into the organization each with their own needs. These users are then provided with their own levels of access to resources. The problem that arises here is that the growing mess of systems and user access management.

IdentityNow is an IDaaS (Identity as a Service) based IAM solution, unlike IdentityIQ which is on-premise. IdentityNow also helps people get the access that they need and manage the lifecycle around it. The current blog discusses the extensibility features announced by SailPoint. These features will help make security decisions on the go very effectively.

In the following presentation, I will be providing a detailed overview of Extensibility Feature Integration with IdentityNow for Access Requests.

Overview of Extensibility Features :

Users at an enterprise level are distributed among different geographies of the world. SailPoint’s access request integration with applications such as Microsoft Teams and Slack enable the users to get the access that they need right from the tool that they use the most. SailPoint also ensures that the appropriate governance and compliance controls are enforced while providing ease of access to the users while making access requests.

Current Access Request Process :

To briefly understand the current access request process in IdentityNow below is an illustrative diagram:

Roles in IdentityNow combine provisioning to multiple sources by combining different access profiles. However, for access requests, roles can be marked as “requestable”. By doing this, the roles are then visible in the Request Center tab in IdentityNow. We can have approvals in place for this role such that any user who requests for this role, will by routed through an approval process.

Applications in IdentityNow have their own XML structure with their own password policies and account creation restrictions. For the approvals, we can define the approval hierarchy in Access Profiles itself. Once the application has been created, it should be marked as ‘visible in request center’ and ‘allow access requests’.

Users have to login to their IdentityNow tenant with their credentials. They navigate to Request Center tab to see “Applications” and “Roles” where they can make an access request from either of these. Both Roles and Applications facilitate provisioning to the target source using Access Profiles.

Applications and Integration Overview :

  1. Microsoft Teams

Microsoft teams is a chat-based collaboration platform from Microsoft. With capabilities such as documents sharing, online meetings, teams and channels, online video calling and screen sharing, messaging and many more extensible features for business communication. It is extremely user friendly and can facilitate a work environment between remote users and large businesses. Below are the benefits from this integration:

  • Ease of making access requests from within the Teams Application.
  • Users can request either for a Role or Application depending on the business needs.
  • This integration ensures seamless user experience for making access requests.

Below is the process followed post the integration with MS Teams:

  • Users will login to their Teams application using their Office365 account.
  • A SailPoint chatbot is configured which appears in the Applications tab.
  • Connect to your IdentityNow tenant and click on “Create Access Request”.
  • Find and select the Application/Role to request.
  • Select the role for himself or for others.
  • Submit the request.

2. Slack

Slack is workspace alternative communication tool just like teams which combines the functionalities for messaging, tools and files. Users can communicate over channels or Direct Messages based on their requirement and it has support for third-party application integrations and add-ins. Although the application is free to use with certain limitations, there is an enterprise level application as well. Below are the benefits from this integration:

  • Ease of making access requests from within the Slack Application.
  • Users can request either for a Role or Application depending on the business need.
  • This integration ensures seamless user experience for making access requests.

Below is the process followed post the integration with Slack:

  • A user will login to their Slack application using their work email and authenticating from it.
  • A SailPoint chatbot is configured which appears in the Applications tab.
  • Connect to your IdentityNow tenant and click on “Create Access Request” by entering a forward slash in the SailPoint’s chatbot.
  • Find and select the Application/Role to request.
  • Select the role for himself or for others.
  • Submit the request.

Access Request : From an API perspective

  • This integration is achieved using REST API’s. REST stands for Representational State Transfer.
  • It is an architectural style for the web services.
  • This architectural style helps in lesser use of bandwidth to make an application more suitable to communicate over the internet.
  • It is often regarded as the language of the internet.
  • The primary methods that the REST APIs communicate are
    • Create – POST
    • Read – GET
    • Update – PUT/PATCH
    • Delete – DELETE
  • SailPoint has developed the REST API’s for IdentityNow. The reference documentation is available at developer.sailpoint.com
  • Please note that the {api-url} below is the org name of your IdentityNow tenant.
  • The primary APIs that are used behind this integration are:
    • List of access request objects: Returns a list of requestable items for an access request.
      • GET – https://{api-url}.api.identitynow.com/v3/requestable-objects
    • Create an access request: Submits an access request to IdentityNow. This will not return any result because the request has been submitted by the system. If there are more than one identity for the access request, the JSON payload will contain a list of id’s for each identity.
      • POST – https://{api-url}.api.sailpoint.com/v3/access-requests
    • Get the access-request status: Returns a list of access request statuses based on the specified query parameters.
      • GET – https://{api-url}.api.identitynow.com/beta/access-request-status

In the following video, I will be providing a detailed demo of the access request integration with Teams and Slack.

Sailpoint IdentityIQ: Object Exporter Script

Introduction:

SailPoint IdentityIQ is a J2EE Application that is built on top of Hibernate object-relational model. All the Dev Artifacts are Java Objects represented in XML. The current blog discusses the script which helps in

  1. Migrating Artifacts to higher environments
  2. Migrating standard libraries

Working:

Below are the steps describing working of the script:

  1. The script will export objects from one IdentityIQ Environment through console attached to the instance (Console is a command line utility to each identityIQ instance provided).
  2. Script will perform necessary processing on the exported objects and prepares to be imported to the Target Environment.
  3. The Objects will be imported into the Target Environment through console attached to the instance.

Usage:

  1. Configure the Config.xml file provided with the following parameters
    1. Export Console Path
    2. Import Console Path
    3. Required Objects
  2. Run the script provided.

Below is the Demo on Exporter script:

SailPoint IdentityNow SSO integration with Okta

Okta is the leading solution for user authentication and single sign-on (SSO) for workforce as well as customer identities. Okta is capable of managing SSO to wide range of applications along with multi-factor authentication, directory integrations and lifecycle management from the cloud.

SailPoint IdentityNow is a cloud based identity and access management solution which aims to provide identity-as-a-service. IdentityNow enables a complete set of IAM capabilities delivered from the cloud to manage hybrid IT environments that include on-premises and cloud resources. IdentityNow supports SAML based Single Sign On. SAML is an open standard which allows an identity provider (like Okta) to pass on authentication information to a service provider (like IdentityNow).

In the following demonstration, we take a look at the SAML integration of IdentityNow with Okta for Single Sign-on. We will also go over the Active Directory integration in Okta and how this can be backed by IdentityNow’s lifecycle management.

SailPoint IdentityIQ QuickBooks ERP Integration using Dell Boomi as Middleware

In recent years, we’ve witnessed a rapid shift from on-premise applications to a hybrid mix of SaaS (software-as-a-service), iPaaS (Integration Platform as a service) and on-premise applications, as well as integration between various cloud providers and platforms. Very Soon Everything is going to be connected to Cloud and data . All this is going to be mediated by a software(Middleware).

Amidst such scenarios , It is essential for the need of a software to bridge the gap between applications and other tools or databases. It is effectively a method of communication and data management between applications that would otherwise not have any way to exchange data — such as with software tools and databases. 

Dell Boomi AtomSphere is an on-demand multi-tenant cloud integration platform for connecting cloud and on-premises applications and data. The platform enables customers to design cloud-based integration processes called Atoms and transfer data between cloud and on-premises applications. Dell Boomi specializes in cloud-based integrationAPI management and Master Data Management

QuickBooks is an accounting software package developed and marketed by Intuit and are geared mainly toward small and medium-sized businesses and offer on-premises accounting applications as well as cloud-based versions that accept business payments, manage and pay bills, and payroll functions.

The following is the demonstration of steps for Integrating  SailPoint IdentityIQ QuickBooks ERP using Dell Boomi as Middleware.

SailPoint IdentityIQ SSO Integration with Okta

You have to admit that there are many people who change their password to ‘incorrect’ .That way it always reminds them whenever they enter a wrong password – “your password is incorrect” . Also a survey stated more than 78% of people tend to forget their latest passwords within 21 days of inactivity .

Amidst such scenarios , securing and monitoring the access for any external users like partners, contractors and customers who have access to organizational resources have always been a challenge for many organizations thereby increasing the demand for a centralized login system. Single sign-on (SSO) is an authentication process that allows a user to access multiple applications with one set of login credentials. 

Okta is the one of the leading provider for user authentication and standards-based single sign-on (SSO) for employee, partner and customer identity types. Okta supports and manages SSO for the enterprises with wide range of applications thereby providing a single secured centralized login system.

SailPoint IdentityIQ  supports Single sign-on as one of its supported login configurations . The SSO is based on the SAML protocol which is a standard protocol for the SSO and other security assertions.

In this blog we are going to take a look at the integration of SailPoint IdentityIQ with Okta for Single Sign on.

The following presentation discusses in detail about the integration between SailPoint IdentityIQ and Okta.

The following is the demonstration of steps for configuring Okta as an Identity Provider for SailPoint IdentityIQ

Comprehensive Overview of Sailpoint’s IdentityNow

SailPoint has the solution to meet the needs of identity governance that exist in today’s business environments. The solution is available for businesses to easily consume because it’s in the cloud this solution which is IdentityNow. With many features such as User Password Management, Access Certification, Access Requests, Provisioning, Multi-factor authentication, Strong Authentication and Analytics. IdentityNow is a leader in the market for a perfect IAM solution for organizations taking the next step into cloud computing.

The product is simpler to tack together than several other IAM solutions in the market, thus additional configuration can be completed without the need for specialist resources. The User interface (UI) is a lot of easier to interface for end-users and needs less coaching.

Continue reading

Governing G Suite using SailPoint Identity IQ

Identity IQ – G Suite Integration

Office productivity suites comprise the essential set of tools required for an employee’s day to day work. They offer core services to users like email, calendars, shared storage and other tools to create and consume the information. New generation productivity suites understand today’s business needs and are designed to be omnipresent and highly collaborative.

G Suite is Google’s cloud based productivity suite. Being a cloud based solution, it is omnipresent and can be accessed all possible devices. Also, it is highly collaborative in nature. Google’s most popular services like Google mail, calendar, drive, docs, sheets, hangouts are bundled into G Suite. G Suite has been received greatly by organizations of all the sizes and has recorded 5 million organizations by end of 2018. G Suite has quickly climbed up the ladder to become a leader in Gartner’s magic quadrant for 2 years consecutively.

Governing such core cloud based services containing sensitive information is of great importance.

In the following presentation, we provide a detailed overview of G Suite integration with Identity IQ.

G Suite – Identity IQ Integration

In the following video, we provide a detailed demo of this integration.

A detailed demo of G Suite governance with IDENTITY NOW is coming shortly.

SailPoint IIQ Pass Through Authentication using Active Directory – Global Catalog

Purpose : Here, we will be discussing about the SailPoint IIQ Pass-Through Authentication with respect to custom Active Directory attribute using Global Catalog Server.

Quick Description :

What is Pass-Through Authentication ?

Pass-Through Authentication, the user logs in to the IdentityIQ application through the normal IdentityIQ login page but the system validates the user’s credentials against an external source, “passing” the ID and password “through” to the authorizing system instead of consulting IdentityIQ’s internal records.

What is Global-Catalog server ?

The global catalog contains a partial replica of every naming context in the directory like, the schema and configuration naming contexts But, with only a small number of their attributes.

Requirements Context :

In a multi domain environment, it would be efficient to use global catalog because IIQ does not need to traverse through all the LDAP referrals returned for different domains during user login authentication. When using a Custom Active Directory attribute for correlation, where that attribute is not promoted to global catalog repository, then the SailPoint IIQ will be driven to a tangled state which results in Pass-Through Authentication Failure.

In order to overcome such scenarios, we can

Continue Reading

SailPoint IdentityIQ Plugins

Introduced with IdentityIQ 7.1, the plugin framework provides the infrastructure and tools to enable developers to extend the Open Identity Platform to meet a variety of specialized use cases that one might encounter in a non-standard deployment.

SailPoint IdentityIQ 7.1 Plugin Framework provides a dynamic, plugin-specific class loader. It also introduces a simple, supportable, and upgrade-able user experience. The dynamic class loader provides protection for the base classes from modification, and allows for additional security and upgrade-ability.

continue reading

SailPoint IdentityIQ SSO Integration with PingFederate

Nowadays, almost every website requires some form of authentication to access its features and content. With the number of websites and services rising, a centralized login system has become a necessity. Single sign-on (SSO) is an authentication process that allows a user to access multiple applications with one set of login credentials. PingIdentity’s PingFederate allows the SSO for the enterprises which have the multiple applications and API’s to protect.

PingFederate is the leading enterprise federation server for user authentication and standards-based single sign-on (SSO) for employee, partner and customer identity types.

Continue reading