Sailpoint IdentityIQ Console is the command line utility for interfacing with IdentityIQ.
It is a powerful tool that allows the user to view objects, execute workflows, import and export data, and much more.
In the following presentation, we have discussed how to launch the IIQ console, usage, and syntax of the frequently used console commands.
The following demonstration presents the usage of frequently used console commands along with some examples.
Privileged accounts on a system possess higher authorizations and control. These accounts pose a higher risk if they are compromised. Privileged Identity Management solutions aim to address this by providing security and control over these accounts. CyberArk is a major provider that offers privileged account security and is backed by a patented vaulting technology. CyberArk enables organizations to secure, provision, manage, control and monitor activities associated with privileged accounts.
The following presentation describes privileged account security and the architecture of a CyberArk implementation. The various components of the CyberArk architecture and their functionalities are also discussed.
CyberArk’s PAS solution uses the Password Vault Web Access System which provides the method by which users request passwords and high-level administrators approve the requests. Access to this system should be as secure as possible. Integrating with a multi-factor authentication system like Duo would make the login process more secure by authenticating the user based on LDAP password as well as the response received by the Duo Authentication Proxy using Duo Push setup on the user’s mobile device.
In the current demo, an LDAP user with the name “testuser” is created on the Active Directory Domain Controller as well as the DUO instance.
Once the accounts have been created, the DUO Authentication Proxy is setup and is configured as the primary LDAP host for authentication.
The Duo Authentication Proxy is a service that runs either on Windows or Linux. It is configured by using the file authproxy.cfg
The details of the Duo instance and the details of the LDAP server which is being used for primary authentication are configured in authproxy.cfg
The firewall must allow outbound traffic to the Duo instance using HTTPS.
Only on successful primary and secondary authentication, access to the PVWA is granted.
As part of Active Directory Application Configuration in IdentityIQ 7.2, “Test Connection” failing with below error message.
In IdentityIQ 7.2, the Active Directory connector supports multiple Active Directory (AD) forests through one application definition.
While defining the Active Directory application through the IdentityIQ user interface in version 7.2, we do not have the option to mention the server details in Domain configuration settings.
Even though we do not specify any server details, the default configuration tries to connect to “localhost“, similar to the default port configuration which is “389“.
We see the below error message when we click on the “Test Connection”
2018-09-04 05:05:12,551 ERROR http-nio-8080-exec-6 sailpoint.web.ApplicationObjectBean:2701 – Connector failed.sailpoint.connector.ConnectorException: Failed to connect to – dc=enhcorp,dc=com : Failed to connect to server:ldap
dc=enhcorp,dc=com localhost:389
Modify the Application xml file to include the DC servers details.
Below is the example modification.
From
<entry key=”domainSettings”>
<value>
<List>
<Map>
<entry key=”authorizationType” value=”simple”/>
<entry key=”domainDN” value=”DC=enhcorp,DC=com”/>
<entry key=”password” value=”1:iIopEeOL5KrLoSjYKvh/Ww==”/>
<entry key=”port” value=”389″/>
<entry key=”servers”/>
<entry key=”useSSL”>
<value>
<Boolean></Boolean>
</value>
</entry>
<entry key=”user” value=”ENHCORP\Administrator”/>
</Map>
</List>
</value>
</entry>
To
<entry key=”domainSettings”>
<value>
<List>
<Map>
<entry key=”authorizationType” value=”simple”/>
<entry key=”domainDN” value=”DC=enhcorp,DC=com”/>
<entry key=”password” value=”1:iIopEeOL5KrLoSjYKvh/Ww==”/>
<entry key=”port” value=”389″/>
<entry key=”servers”>
<value>
<List>
<String>172.16.153.185</String>
</List>
</value>
<entry key=”useSSL”>
<value>
<Boolean></Boolean>
</value>
</entry>
<entry key=”user” value=”ENHCORP\Administrator”/>
</Map>
</List>
</value>
</entry>
Active Directory Provisioning along with Exchange attributes failing with below error message.
Errors returned from IQService. Connecting to remote server win-g303o4860qk.enhcorp.com failed with the following error message: The username or password is incorrect. For more information, see the about_Remote_Troubleshooting Help topic.
+ New-PSSession -ConnectionURI “$connectionUri” -ConfigurationName Microsoft.Excha …
Active Directory-Direct connector reads Exchange Server attributes by connecting to the Active Directory.
But, for provisioning any Exchange attributes, connector needs access to remote Powershell via IQService.
Windows Remote Management (WinRM) is a feature of Windows that allows
administrators to remotely run management scripts. WinRM Service should be running and that
should also be set up for Remote Management using the Enable-PSRemoting -force.
Enable PowerShell remoting in the domain using below cmdlet in Exchange Management Shell.
>Enable-PSRemoting -Force
In high availability clustering, split-brain is a problem scenario that can occur when one of the nodes fails. Within a CyberArk implementation with disaster recovery enabled, a split-brain condition might arise if high availability is not configured as per the recommendations.
The following presentation discusses split-brain scenario in a CyberArk implementation and how it can be resolved:
Monitoring and analysis of events that occur on a system is crucial to identify threats and generate timely alerts. It is also significant to identify by whom such events were caused if it was triggered by a user. Sailpoint IdentityIQ allows us to keep track of identity activity on various targets using Activity Data Sources. When configured, this allows us to track activity like logon times, security events, or application activity among other actions.
The following presentation discusses how Activity Data Sources can be configured on IdentityIQ for basic Security Information and Event Management (SIEM) with an example use-case:
The following demonstration presents the use case for identifying activity based policy violations by setting up Activity Data Sources:
In an enterprise, a large number of privileged accounts are spread over various applications and systems. These accounts have higher authorizations and hence need to be handled with higher security. CyberArk‘s Privileged Account Management solution is targeted at achieving this.
In SailPoint IdentityIQ, accounts can have the highest privilege in form of the ‘System Administrator’ capability. The ‘spadmin’ account that comes out-of-the-box is configured to have this privileged access. This account, if managed by the CyberArk PAM solution, improves safety of the IdentityIQ environment.
The following presentation discusses this use case and how it can be implemented using CyberArk PAM:
The following video demonstrates the use-case in action for verifying and changing spadmin password from CyberArk and initiating privileged sessions:
https://www.youtube.com/watch?v=4qRujyxiUBM
In the world of Identity Management, securing and monitoring the access for the external users like partners, contractors and customers who have access to organizational resources have always been a challenge for many organizations. To mitigate and help the organizations to secure their resources two big Identity management products partnered together in February 2018. Okta and SailPoint announced a strategic partnership to provide an end-to-end identity for the enterprise – helping organizations balance providing simple, secure user access while meeting complex compliance and security requirements.
• Effectively manage user identities’ authentication, application assignments, while ensuring all governance and compliance requirements are met.
• Authenticate user access with single sign-on and multi-factor authentication.
• Ensure that for sensitive applications, only the right user has access, authorization policies are enforced, and the process is documented, timestamped and compliant.
• Automate provisioning throughout the user lifecycle by simplifying processes for creating, modifying and revoking access.
• Automate provisioning of applications adherent to corporate policies.
• Trigger provisioning workflows from authoritative sources, such as Active Directory or HR systems, to ensure consistency and increase efficiency.
Below presentation demonstrates Okta, IdentityIQ, SSO Concepts, Importance of SailPoint’s IdentityIQ integration to achieve SSO. The presentation is followed by a demo.
The Perform Maintenance Task in Sailpoint’s IdentityIQ plays a crucial role in ensuring that background maintenance activities are carried out periodically.
The following presentation is an attempt to deep dive into :
Please leave your comments below