Resolved : Manage Account Request Problem in SailPoint IIQ

Environment:

SailPoint Version : 7.0, 7.1

Problem Statement:

Unable to request a new account for an existing identity from Manage Accounts in SailPoint IIQ.

Problem: the Account Request option is not available.

Solution :

First, check the Lifecycle Manager configuration: navigate to Lifecycle Manager, open the Configure tab and search for the Manage Accounts options:

Applications that support account only requests: select the All Applications check box, or select specific applications according to your requirement.

Solution part 1 - Select all applications

Allow Manage Accounts Additional Account Requests : Enable
Allow Manage Existing Accounts : Enable
Allow Account Only Requests : Enable

-> If you are using a version of SailPoint higher than 6.4, you will have trouble finding these 3 options to enable them.

Solution 1:

For that you need to edit init-lcm.xml and import it again in the iiq console. (This will affect pre-existing workflows and the LCM configuration, so to avoid that follow Solution 2.)

Follow the steps and pictures shown below for editing init-lcm.xml (Solution 1).

Step 1: init-lcm.xml is located at ~identityIQ/WEB-INF/config/init-lcm.xml. Make a copy of it and place it in a safe folder.

Now open init-lcm.xml and search for Manage Accounts under the QuickLink tag.

In init-lcm.xml search for Manage Accounts

Carefully observe the 3 entries under the Manage Accounts tag.

Original init-lcm.xml of SailPoint 7.1 version

Step 2: Enable these options manually by changing the value from false to true for the 3 entries in the Manage Accounts QuickLink tag, as shown in the picture below.

Before editing:
<entry key="allowManageAccountsAdditionalAccountRequests" value="false" />
<entry key="allowManageExistingAccounts" value="true" />
<entry key="allowAccountOnlyRequests" value="false" />

After editing:
<entry key="allowManageAccountsAdditionalAccountRequests" value="true" />
<entry key="allowManageExistingAccounts" value="true" />
<entry key="allowAccountOnlyRequests" value="true" />

 

After Editing Manage Accounts Configuration

Step 3: Save the file and import it in the iiq console using the command import init-lcm.xml. After importing, observe the following changes.

Step 4: The Request Account option is now available (issue resolved). Choose the application for the account request and submit the form.

 

Request Option Available Now 7.1

For reference, in SailPoint 7.0 it looks like this, as shown in the picture below.

Request Option Available in SailPoint 7.0

Step 5: Confirm the account action. Click Confirm at the end of the page.

Confirm Account Request

Solution 2 :

You can get the same results by configuring through the Debug pages.

Step 1: Go to the Debug page, select the object type QuickLink from the dropdown list and choose Manage Accounts.

Step 2: Follow the same Step 2 as in Solution 1.

Step 3: The Request Account option is available (issue resolved).
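To check the three QuickLink values before and after Step 2 (for either solution), here is an added Python helper that is not part of the post or of SailPoint: it audits and rewrites only the Manage Accounts QuickLink in init-lcm.xml, leaving the rest of the file byte-for-byte intact. The entry keys and values are the post's own; the surrounding QuickLink/Attributes/Map layout of the constructed sample is an assumption.

```python
import re

# The three Manage Accounts QuickLink entries the post switches to true.
FLAGS = (
    "allowManageAccountsAdditionalAccountRequests",
    "allowManageExistingAccounts",
    "allowAccountOnlyRequests",
)
# Constructed sample: entry keys/values are the post's own (7.1, before editing);
# the surrounding QuickLink/Attributes/Map layout is an assumption.
SAMPLE_INIT_LCM = """<sailpoint>
  <QuickLink action="manageAccounts" name="Manage Accounts">
    <Attributes><Map>
      <entry key="allowManageAccountsAdditionalAccountRequests" value="false" />
      <entry key="allowManageExistingAccounts" value="true" />
      <entry key="allowAccountOnlyRequests" value="false" />
    </Map></Attributes>
  </QuickLink>
</sailpoint>
"""
# Match only the Manage Accounts QuickLink so other QuickLinks are left untouched.
QUICKLINK_RE = re.compile(
    r'<QuickLink\b[^>]*\bname="Manage Accounts"[^>]*>.*?</QuickLink>', re.DOTALL)
# Match one of the three entries; groups: prefix, key, current value, closing quote.
ENTRY_RE = re.compile(
    r'(<entry\s+key="(' + "|".join(FLAGS) + r')"\s+value=")(true|false)(")')

def manage_accounts_block(xml_text):
    m = QUICKLINK_RE.search(xml_text)
    if m is None:
        raise ValueError('QuickLink "Manage Accounts" not found in init-lcm.xml')
    return m

def audit_flags(xml_text):
    """Return {flag: 'true' | 'false' | None}; None means the entry is missing."""
    block = manage_accounts_block(xml_text).group(0)
    found = {e.group(2): e.group(3) for e in ENTRY_RE.finditer(block)}
    return {k: found.get(k) for k in FLAGS}

def enable_flags(xml_text):
    """Apply Step 2 as a text edit; returns (new_xml, keys_that_changed)."""
    m = manage_accounts_block(xml_text)
    changed = []
    def to_true(e):
        if e.group(3) != "true":
            changed.append(e.group(2))
        return e.group(1) + "true" + e.group(4)
    new_block = ENTRY_RE.sub(to_true, m.group(0))
    return xml_text[:m.start()] + new_block + xml_text[m.end():], changed
```

On a real file, take the backup copy of Step 1 first, then read the text, pass it through enable_flags and write the result back before the import in Step 3.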

 

Sailpoint IdentityIQ Pass through Authentication via Active Directory

When working with the cloud, organizations of any scale wish to have common credentials across on-premises applications and cloud applications. It is the best user experience as well as the best IT management experience, but the overhead of facilitating this can be a large endeavor.

SailPoint's IIQ provides pass-through authentication, with which a login into IdentityIQ can be done via enterprise directory credentials or via SSO credentials.

With pass-through authentication in SailPoint IdentityIQ, password validation takes place through an application configured in IdentityIQ. What this means is a simple but effective SSO solution for the end user. The presentation below gives a quick overview of the concepts of pass-through authentication and how it is implemented in SailPoint IdentityIQ.

The presentation is followed by demonstrations of different use cases.

SailPoint IdentityIQ’s ER Relationship Model

Traditionally, developers deciphered a product by understanding the Entity Relationship model of the product's database schema. This was the quickest and easiest way to understand any product.

A similar approach is taken here to decipher SailPoint IdentityIQ, an Identity Governance solution from SailPoint. The presentation aims to give the audience a thorough understanding of the product, not from the API perspective but from a database model perspective.

SailPoint's IdentityIQ has some key objects such as Identity, Application and Bundle, and many dependent objects. Most of the key objects are covered comprehensively in the presentation.

eMail Configuration in Sailpoint IdentityIQ

Email communication has revolutionized the way we communicate. A tool introduced for simple communication is now considered formal and even legal. Deep linking, in simple terms embedding buttons with logic so that decisions can be taken from an email, has been prevalent for a long time.

There is nothing better than sending, in an email, a direct link to the page where one needs to take an action, especially for something that needs urgent attention.

SailPoint's IdentityIQ provides the functionality to notify users through emails. We may also have emails with embedded URLs that provide direct access to pages in IdentityIQ.

The following presentation gives a detailed overview of email configuration and the use of emails in IdentityIQ.

Following it is a demo of email notifications with URLs embedded in the mails, which provide direct access to pages in IdentityIQ.

Solved: “HTTP proxy setting has incorrect value”

Environment:

OS: Oracle Linux 7.0

Java: jdk1.8

DB: Oracle Database 11G R2

DB Installed mode: Single Instance Server

 

Problem Statement:

A connection to an Oracle database via the CLI may be achieved using the following commands in a Linux shell.

Start the listener by typing the command below:

>lsnrctl start

Start the database by typing the commands below:

>sqlplus sys as sysdba

>startup

Error:

Error 46 initializing SQL*Plus
HTTP proxy setting has incorrect value
SP2-1502: The HTTP proxy server specified by http_proxy is not accessible.

HTTP proxy setting has incorrect value error

Reasoning:

The error message says that the HTTP proxy server specified by the http_proxy variable is not accessible, i.e. the specified value is incorrect. The error occurs because sqlplus uses the http_proxy and no_proxy environment variables to determine whether a proxy is used. To bypass the proxy settings, both of these variables need to be unset or exported empty.

http_proxy: specifies the value to use as the HTTP proxy for all connections.

For example: http_proxy="http://proxy.mycompany.com:8080"

no_proxy: determines the hosts that should bypass the proxy.

For example: no_proxy=localhost, mycompany.com, 192.168.0.10:80, so these hosts are reached without going through the proxy.

Solution

First check the proxy settings: they should hold a correct value, or be unset if no proxy is needed. SQL*Plus gets the proxy name from the environment variable http_proxy. The problem can be resolved with the following commands:

>unset http_proxy

>unset no_proxy

Or

>export http_proxy=

>export no_proxy=

HTTP proxy setting has incorrect value issue resolved

Design Patterns for Programmers

In 1986, Chernobyl was the result of bad design and coding. Huge disasters in the world happen due to naive and inappropriate logic built into systems.

From a refrigerator to your car, from a mobile to a rocket, everything runs on a microprocessor. It is the logic builder's responsibility to take care of some cliched issues that might crash the entire system.

In 1995, at Sun Microsystems, design patterns were developed by visionaries christened the GoF (Gang of Four).

This video blog is an attempt to lucidly present the design patterns that every programmer has to consider, irrespective of the development platform, for impeccable results.

In this presentation we speak about almost all the design patterns that are commonly used in software development. In a nutshell, the following are the aspects of design patterns covered in the video:

  1. Creational design patterns - 7 design patterns.
  2. Structural design patterns - 6 design patterns.
  3. Behavioral design patterns - 11 design patterns.

IdentityIQ parallel and serial approvals

Introduction

Out of the box, SailPoint's IdentityIQ provides numerous workflows for provisioning, and we can implement custom workflows according to the need. Parallel and serial approvals are workflows used in an enterprise to manage the access of users.

Requirement

In the world of IAM, one thing every developer should remember is that "the right thing must be accessed by the right user at the right time"; in other words, access must be rightfully distributed to the user.

In this requirement, a user in an enterprise requests an entitlement or role using IdentityIQ, and that access must then be approved by the workgroups which maintain that privilege.

Understanding parallel and serial approvals in IdentityIQ

The following video illustrates parallel and serial approvals.

Working demo of parallel and serial approvals

The following video demonstrates how parallel and serial approvals are accomplished.

PlainID – Product Overview

PlainID is a young authorization management software company. They have found an innovative approach to simplify and optimize dynamic, fine-grained access to resources and data.

The following video gives a PlainID product overview, the architecture, and a practical implementation of the product in the field of Identity & Access Management.

Data loading into Active Directory using a simple java program

  • Data loading into Active Directory means creating AD accounts and the corresponding Exchange mailbox accounts using employee data that exists in a database.
  • The Java program reads the credentials from XML, retrieves employee data from the database, creates an account with a default password in Active Directory and enables the account as well.
  • A PowerShell script is executed to create the Exchange accounts for all the users.

Requirement schematic

  • The process flow diagram below explains the requirement lucidly.

requirement

Demo

  • The working demo of this program is embedded.

Documentation and Code

The documentation and code for the above demo can be downloaded from the following links.

Solving problem SailPoint IdentityIQ “Mark Invalid Error”

Problem description

When we try to correlate accounts into SailPoint's IdentityIQ using multiple authoritative sources, the following exception may arise.

Why this happens

The main reason for this error is ambiguity of accounts. After the account aggregation task completes, when we try to run the Refresh Identity Cubes task, the task does not run and the error displayed is Task stopped by user. In the log file there is an exception named Mark Invalid.

Error screenshot

Case 1

The main cause of this error is having more than one authoritative source marked for one identity; the exception will then arise. That is, if you have added two authoritative sources representing the same data and run the aggregation task, the accounts are populated with their names, but when we then run the Refresh Identity Cubes task the accounts are not linked to their respective manager accounts, because there is an ambiguity between the two accounts as to which one is to be correlated as the manager account.

Case 2

In other cases, it happens if you have accounts or identities that were not properly deleted.

Solution

The solution I found is to get a backup of the rules and application into an xml file using the console. Shutdown the application server and drop all the tables in the database using the sql scripts provided by identityIQ, then create the tables using the scripts. Import the init.xml using the iiq console. Then import the xml file which represents the application object. Then if you run the aggregation and correlation tasks you can see that all the identities and their managers are correlated in the identity warehouse.