With Pass-Through Authentication, the user logs in to the IdentityIQ application through the normal IdentityIQ login page, but the system validates the user’s credentials against an external source, “passing” the ID and password “through” to the authorizing system instead of consulting IdentityIQ’s internal records.
What is a Global Catalog server?
The global catalog contains a partial replica of every naming context in the directory, like the schema and configuration naming contexts, but with only a small number of their attributes.
Identity attributes in SailPoint IdentityIQ are central to any implementation. They usually comprise a lot of information useful for a user’s functioning in the enterprise.
Purpose: This blog post describes an uncommon way of configuring identity attributes in SailPoint that leads to a few challenges.
Requirements Context: By nature, a few identity attributes need to point to another identity. Two such use cases would be:
Any identity attribute in IdentityIQ can be configured as either a searchable or a non-searchable attribute. A searchable attribute has a dedicated database column of its own. Attributes like manager ideally need a lot of filtering capability, which makes them a perfect case for a searchable attribute. A few use cases where having manager as a searchable attribute would help are.
However, the assistant attribute is used differently. A typical IAM implementation does not do a lot of searching or filtering based on the assistant attribute, so it would be preferable to have this attribute as a non-searchable attribute.
Implementation:
As part of the implementation, an extended attribute is configured in the Identity Configuration for the assistant attribute as follows.
Assistant identity attribute configuration
The following configuration details are to be observed.
Challenge faced: A specific challenge is faced when this type of configuration is used with identity attributes.
Scenario: There will be certain situations where the assistant attribute in Active Directory points to itself. For example, John.Doe’s assistant would be John.Doe himself. This configuration has led to the failure of a lot of operations/tasks due to a SailPoint behavior described below.
Possible Solutions: The above problem can be solved in two ways.
Adding checks to avoid self-references. The logic that populates this type of identity attribute should include a check that avoids self-references in non-searchable identity attributes.
Using searchable attributes. Avoid using non-searchable attributes for identity attributes of type identity.
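The check from the first solution, as an added example in Python (not code from the original post and not an IdentityIQ rule): it compares an Active Directory entry's assistant DN with the entry's own DN after case and whitespace normalization, and drops the value when they match. The record layout, the function names and the sample entries are assumptions constructed for illustration.

```python
import re

# Split on commas that are not preceded by a backslash (escaped commas stay in the RDN).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def normalize_dn(dn):
    """Lower-case a DN and trim whitespace around RDNs, so that
    'CN=John.Doe, OU=Users' and 'cn=john.doe,ou=users' compare equal."""
    if not dn or not dn.strip():
        return None
    parts = []
    for rdn in _RDN_SPLIT.split(dn.strip()):
        attr, sep, value = rdn.partition("=")
        parts.append(attr.strip().lower() + sep + value.strip().lower())
    return ",".join(parts)


def is_self_reference(entry):
    own = normalize_dn(entry.get("distinguishedName"))
    assistant = normalize_dn(entry.get("assistant"))
    return assistant is not None and assistant == own


def assistant_value(entry):
    """Value to store in the assistant identity attribute: None when the
    directory value is empty or points back at the entry itself."""
    if normalize_dn(entry.get("assistant")) is None or is_self_reference(entry):
        return None
    return entry["assistant"].strip()


def self_referencing_accounts(entries):
    """Account names whose assistant attribute points to themselves."""
    return [e["sAMAccountName"] for e in entries if is_self_reference(e)]


# Constructed sample records (assumed layout, not real directory data).
ENTRIES = [
    {"sAMAccountName": "John.Doe",
     "distinguishedName": "CN=John.Doe,OU=Users,DC=enhcorp,DC=com",
     "assistant": "cn=john.doe, ou=Users, dc=enhcorp, dc=com"},
    {"sAMAccountName": "Jane.Roe",
     "distinguishedName": "CN=Jane.Roe,OU=Users,DC=enhcorp,DC=com",
     "assistant": "CN=John.Doe,OU=Users,DC=enhcorp,DC=com"},
    {"sAMAccountName": "Sam.Poe",
     "distinguishedName": "CN=Sam.Poe,OU=Users,DC=enhcorp,DC=com",
     "assistant": ""},
]

if __name__ == "__main__":
    print(self_referencing_accounts(ENTRIES))
```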
While configuring the Active Directory application in IdentityIQ 7.2, “Test Connection” fails with the error message below.
In IdentityIQ 7.2, the Active Directory connector supports multiple Active Directory (AD) forests through one application definition.
While defining the Active Directory application through the IdentityIQ user interface in version 7.2, we do not have the option to specify the server details in the Domain configuration settings.
Even though we do not specify any server details, the default configuration tries to connect to “localhost”, similar to the default port configuration, which is “389”.
We see the error message below when we click on “Test Connection”:
2018-09-04 05:05:12,551 ERROR http-nio-8080-exec-6 sailpoint.web.ApplicationObjectBean:2701 – Connector failed.
sailpoint.connector.ConnectorException: Failed to connect to – dc=enhcorp,dc=com : Failed to connect to server:ldap
dc=enhcorp,dc=com localhost:389
Resolution:
Modify the application XML file to include the DC server details.
Below is the example modification.
Errors returned from IQService. Connecting to remote server win-g303o4860qk.enhcorp.com failed with the following error message: The username or password is incorrect. For more information, see the about_Remote_Troubleshooting Help topic.
Troubleshooting steps:
Verified the User/Password details by logging in to the Domain controller as Domain Admin (the user which was used in Active Directory Application Configuration)
Verified and restarted Exchange services which had failed to start by default.
Enabled logging for AD Connector and observed the below messages.
2018-08-31 02:07:09,515 DEBUG Workflow Event Thread 1 sailpoint.connector.ADLDAPConnector:3503 – 1239254649 Entering handleObjectRequest
2018-08-31 02:07:10,796 ERROR Workflow Event Thread 1 sailpoint.connector.ADLDAPConnector:3380 – 1239254649 Exception occurred in handling Object Request.
sailpoint.tools.GeneralException: Errors returned from IQService. Connecting to remote server win-g303o4860qk.enhcorp.com failed with the following error message: The username or password is incorrect. For more information, see the about_Remote_Troubleshooting Help topic.
VERBOSE: Connecting to WIN-G303O4860QK.enhcorp.com.
New-PSSession : [win-g303o4860qk.enhcorp.com] Connecting to remote server win-g303o4860qk.enhcorp.com failed with the following error message: WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits accesses to remote computers within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic.
At line:1 char:1
When working with the Cloud, organizations of any scale wish to have common credentials across on-premise applications and the cloud applications. It’s the best user experience as well as the best IT management experience. The overhead of facilitating this can be quite a large endeavor.
SailPoint’s IIQ provides pass-through authentication, with which a login to IdentityIQ can be done using enterprise directory credentials or SSO credentials.
With pass-through authentication in SailPoint IdentityIQ, password validation takes place through an application configured in IdentityIQ. What this means is a simple but effective SSO solution for the end user. The below presentation gives a quick overview of the concepts of pass-through authentication and how it is implemented in SailPoint IdentityIQ.
The presentation is followed by different use cases demonstrated.
Data loading into Active Directory here means creating AD accounts and the corresponding Exchange mailbox accounts using employee data that exists in a database.
A Java program reads the credentials from an XML file, retrieves the employee data from the database, creates an account with a default password in Active Directory and enables the account as well.
A PowerShell script is then executed to create Exchange accounts for all the users.
Requirement schematic
The below process flow diagram explains the requirement lucidly.
Demo
The working demo of this program is embedded.
Documentation and Code
The documentation and code for the above demo can be downloaded from the following links.
The certificate that can accept SSL authentication can be exported in many ways. In this article we export the certificate using Internet Explorer and the command prompt.
i. Exporting the certificate using Internet Explorer
Open Internet Explorer on the Windows server and click on Internet Options.
Navigate to Content and click on Certificates.
In the certificates tab, navigate to trusted root certificates and click on the certificate with your server name (in this case the server name is ADSERVER).
A new popup will open with the name of the certificate that you selected; in it, click on the Details tab and select the copy file option.
A new popup window will then appear; in it, click Next.
Select the option to not export the private key and click Next.
Select Base-64 encoded and click Next.
Provide the path and name for the certificate file.
Verify the options and click on Finish.
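A check for the result of the steps above, as an added example in Python (not part of the original article): it confirms that the exported file is Base-64 encoded, holds a certificate and carries no private key, and it computes the certificate's SHA-256 fingerprint. The function names and the sample bytes, a stub rather than a real certificate, are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def inspect_export(data):
    """Describe an exported certificate file given as bytes."""
    info = {"encoding": "unknown", "labels": [],
            "has_private_key": False, "sha256": None}
    blocks = PEM_BLOCK.findall(data.decode("ascii", errors="replace"))
    if not blocks:
        # No PEM armour. A leading 0x30 (ASN.1 SEQUENCE) means a binary
        # export: DER certificate or PKCS#12 bundle, not told apart here.
        if data[:1] == b"\x30":
            info["encoding"] = "binary"
        return info
    info["encoding"] = "base64"
    for label, body in blocks:
        info["labels"].append(label)
        if "PRIVATE KEY" in label:
            info["has_private_key"] = True
        elif label == "CERTIFICATE" and info["sha256"] is None:
            der = base64.b64decode("".join(body.split()), validate=True)
            info["sha256"] = hashlib.sha256(der).hexdigest()
    return info


def export_matches_steps(data):
    """True only for a Base-64 file holding a certificate and no private key."""
    info = inspect_export(data)
    return (info["encoding"] == "base64"
            and "CERTIFICATE" in info["labels"]
            and not info["has_private_key"])


def pem(label, der):
    """Wrap bytes in PEM armour with CRLF line ends, as a Windows export has."""
    body = base64.encodebytes(der).decode("ascii")
    text = "-----BEGIN %s-----\r\n%s-----END %s-----\r\n" % (label, body, label)
    return text.encode("ascii")


# Constructed stand-in bytes (a 5-byte ASN.1 stub), not a real certificate or key.
STUB_DER = bytes.fromhex("3003020101")
SAMPLE_CER = pem("CERTIFICATE", STUB_DER)
SAMPLE_WITH_KEY = SAMPLE_CER + pem("PRIVATE KEY", STUB_DER)
```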
ii. Exporting the certificate using the command prompt