Integrating SailPoint App on Microsoft Teams Application

Introduction:

SailPoint for Microsoft Teams provide users access to corporate resources anytime, anywhere right from Microsoft.

Users are distributed worldwide, the number of applications used are constantly increasing and the lines between who can access these applications and who should access these apps are increasingly getting blurred. SailPoint for Microsoft Teams enables users to get the access they need to stay productive right from within the tool they use the most, all while maintaining strict governance and compliance controls.

Figure:1 SailPoint Integration Flow on Teams

Supported Features:

  • Make role or application requests right within Microsoft Teams using SailPoint bot.
  • Cancel an access request if you don’t need it.
  • Approve or deny new access requests and add comments if needed.
  • Get notified when an access request is approved or denied along with comments.

Prerequisites & Required Permissions:

  • Prior tenant mapping is required to use the reset password feature.
  • We required Admin privileges to do the following,
  • Reset the Identity Now tenant.
  • Receive certification campaign notifications.

Let us understand SailPoint App integration using Microsoft teams’ applications in the following below presentation:

Commands used in Teams integration:

  1. Sign In: Sign in command used to login to the tenant after tenant mapping you will need to sign in to the tenant.
  2. Create: create command used to create an access request using Applications, Roles or Entitlements with in the team’s integration.
  3. Sign out: Sign out command used to sign out from the current existing tenant, you will not receive any notifications until sign in.
  4. Help: It will showcase all the available commands list.
  5. Reset Tenant: Resent tenant command used map a new tenant from current tenant, for resetting tenant need admin level privileges.
  6. Reset Password: This command used to reset your tenant password. It required tenant mapping before changing the password.

In the following demo, I will be providing a brief introduction of SailPoint App Integration on Microsoft teams:

Advantages of using SailPoint Teams Integration:

  • Make Application, Role, or Entitlements requests from within Microsoft teams using the shortcuts buttons.
  • Approve or deny access requests with a single click to improve employee productivity and reduce learning curve.

SailPoint IdentityNow Transforms

Introduction

Transform allows you to manipulate attributes values while provisioning to a source. It will help in manipulating any incoming data from the source as per the requirement.

Transforms are configurable objects that define easy ways to manipulate attribute data without requiring you to write code. Transforms are configurable building blocks with sets of inputs and outputs.

As we can see in diagram there is Input-Transform-Output. In input the value or data is coming from identity attributes or Account attribute and according to requirement we will write the transforms and in output we can see our result.

Transform syntax

The Transform syntax has the following properties:

  • The basic requirement for a transform is name, type, attributes.
  • For name, we can take any objects and that will reflect to your identity profile.
  • For Type, we can put the transforms according to your requirement.
  • For inputs, the developer can decide whether we want to take the value from identity attribute or Account attribute.

Basic String Operations

These are basic string operation there are 18 transform. These transform are commonly used in any operation.

I will discuss each and every transform.

1)Base64 Decode– This transform is used for converting String to Base64. Basically it used for decoding purpose.

2)Base64 Encode-This transform is used for converting Base64 to String. Basically it used for encoding purpose.

3)Concatenation-Concatenation transform is used for Combining two string. This transform basically used to combined first name and last name.

4)Index Of– The index of transform is used to get the location of a specific substring. Suppose that if we give the string to find the index of a string if its found it will return the index number, if doesn’t find it will return -1.

5)Substring– Substring transform is used to take the specific part of the string with provided begin index and end index.

6)Split– Split Transform basically used to split the string based on the provided delimiter. This transform is often useful when you want to split combined names into their constituent parts or when you want to simplify an ordered list of values into a single attribute.

7)Leftpad – Left pad transform to pad the string left side with a user-supplied character out to a specific number of characters. This transform is often useful for data normalization situations.  such as user IDs are not uniform in length.

8)Right pad– Right pad transform to pad the string right side with a user-supplied character out to a specific number of characters. This transform is often useful for data normalization situations.  such as user IDs are not uniform in length.

9)Replace– Replace transform is used for replace the specific string based on the provided regex.

10)Replace All– Replace All transform used to replace the string based on the provided table attribute of key-value pairs as an argument.

11)Upper– Upper transform use to convert an string into uppercase letters.

12)Lower– Lower transform use to convert an string into lowercase letters.

13)Static– Static transform is use to return a fixed string value, or more commonly, to evaluate Velocity. Static transform can also take other dynamically provided variables as inputs into the value attribute.

14)Last Index of – The  last index of transform is used to get the last location of a specific substring.

15)Trim– Trim transform used to trim whitespaces from both the beginning and ending of input strings.

16)Get End of String– Get end of string transform as an out-of-the-box rule transform provided through SailPoint’s Cloud Services Deployment Utility rule. The transform allows you to get the rightmost N characters of a string.

17) Decompose Diacritial Marks– Decompose Diacritial marks transform is used to remove the diacritical marks.

18)E.164 phone transform:- The E.164 phone transform is used to convert an incoming phone number string into an E.164-compatible number.

Date Operation

Under the date operation there are three transform.

 1)Date compare , 2)Date format , 3)Date Math.

1)Date compare:-The date compare transform is used to compare two dates and, depending on the comparison it will return the one value accordingly.

For comparing the date we can use some of the operation like:- Less than , Less than or equal to , greater than and Greater than or equal to.

 We can use the date compare for calculating the Life cycle state.

2)Date Format:- The date format transform is used to convert datetime strings from one format to another. It is useful when you are syncing data from one system to another, because each application uses a different format for date and time data.

3)Date Math:- Date Math transform can be used for performing mathematical operation like addition, subtractions and rounding of a timestamp.

 It also allows you to work with a referential value of “now” to run operations against the current date and time instead of a fixed value.

Generators

Under generators Transform there are six different transforms are present.

Under generators Transform there are six different transforms are present.

1)Generate Random String- Generate Random String Transform provided through SailPoint’s Cloud Services Utility rule. This transform allow us to generate a random string of any length.

2) Random Alphanumeric:- The random alphanumeric transform is used to generate a random string of any provided length, if we do not provide the length it will give the default output that is 32 char. comprising both numbers and letters (both lowercase and uppercase). The maximum allowable value is 450 characters.

3)Username Generator:- To set the logic to use when it determines a unique value for an attribute in an account create profile, utilize the username generator transform. The logic of the generator can be as basic as combining elements of an HR record or the user’s name.

4)Name normalizer:- The name normalizer transform is used to clean or standardize the spelling of strings coming in from source systems. The most common use for this transform is for names.

5)Random Numeric:- The random numeric transform is used to generate a random number of any length. The transform defaults value is 10 char. and maximum allowable value is 450 characters.

6)UUID Generator:-The UUID generator transform is use to create a universal unique ID (UUID) in the form of a 36-character string.

Extending Transforms

Under extending transforms there are two transforms.

1)Reference transform:- The reference transform is used to reuse a transform that has already been written within another transform. We can use this transform when you want to repeat the same logic multiple times within other transforms.

2)Rule Transform:- Rule transform allows you to reuse logic that has already been written for a previous use case. you can use the rule transform to reuse code contained within a Generic rule.

Rules Vs Transforms

Transforms

  • Transforms are JSON-based configurations, editable with IdentityNow’s transform REST APIs.
  • It supports complex logic to modify aggregation and provisioning process.
  • We can view, create, edit, and delete transforms directly via REST API without any involvement of SailPoint.

Rules

  • Rules are implemented with code (typically BeanShell, a Java-like syntax).
  • It support more complex logic.
  • By creating Rules there is involvement of Sailpoint for cloud rules.

Triggering Email from PowerShell for NELM users

Introduction

This blog is intended to demonstrate on automating email notifications for newly on-boarded contractors from IdentityNow. This will help in sending auto email notifications to users & their managers (if required) to reset their first password. This is enabled by running a PowerShell script in a shared folder in the IQ Service Server. In the current process, the IT help desk team needs to reach out to the user for his first login. With the help of PowerShell script, this process can be automated by sharing the password reset link automatically.

Use Case Diagram

The above diagram depicts the overall process flow of the use case with the point of initiation being the IQ Service Server following with the SMTP server.

  • Current IdentityNow templates don’t have email notification which will send Email ID ,password reset link and user manual to end user on his first day to instantly. To achieve this requirement, we have written PowerShell script and rule to achieve desired requirement above diagram gives the overview of how we have achieved this requirement.
  • From UI Request center, HR or Manager will request for an AD account depending on the license to be assigned for the user to be on-boarded.
  • Once request is completed Active Directory account will be created and the After create rule will be triggered.  By using this rule, we are triggering PowerShell script which is placed in IQ service server for sending Email by using SMTP server containing Email Id, Password reset link & user manual. We can also edit the contents to be shared in the email based on the organization requirements.

Detailed discussion on the overall Use case, communication flow and the advantages:

Introduction to IQ Service Server

  • The IQ Service, also known as the Integration Service, is a native Windows service that allows Identity Now to participate in a Windows environment and access information that is only accessible via Windows APIs.
  • It is a lightweight service that must be installed on any supported Windows Server that has connectivity to the target systems you want to manage in Identity Now.
  • It also secures all incoming & outgoing communications of the server. Overall security of the solution and data integrity will be ensured even in crucial stage.
  • We can create several instances on the same machine as per the system requirements.
  • This server is primarily responsible for provisioning in AD from IdentityNow.

IQ Service Communication Flow

  • IdentityNow always push task to a VA cluster queue and from cluster queue, VA will pull the request based on the priority of task.
  • Once request is fetched by VA, VA will communicate to IQService for tasks such as aggregation, create and modify the accounts.
  • IQService server communicates with domain controller using LDAP/LDAPS.
  • IQService receives the data from domain controller and gives it back to VA (Outbound traffic).
  •  Finally VA will give the updated results to the tenant and requests for the new task.

Rule Execution process in IdentityNow

Rule execution can be executed in 2 primary places:

  • Cloud Execution – These rules are executed in the IDN multi-tenant cloud.
  • Connector Execution – These rules are executed on the on-premise IDN virtual appliance.
  • Connector Rules are rules that are executed in the IdentityNow virtual appliance, and they are usually extensions of the connector itself. The rules are particular to only certain connectors since they are frequently applied to carry out complex connector-related tasks. Because these rules function within the virtual appliance, they are unable to access IdentityNow’s data model or collect data from it.
  • The basic logic required to initiate a PowerShell script is derived from the after-creation rule, which then transfers the majority of the subsequent events and/or modifications to the PowerShell script itself. Since this script would be stored on the client’s servers, the customer could easily modify it as needed. Since the code runs outside of the IdentityNow platform, it allows the client to add updates to the PowerShell scripted functionality without requiring SailPoint to review the code.

Demonstration of the use case in IdentityNow

Use of Powershell script in IdentityNow

  • The popularity of scripting languages with Object Oriented capabilities—like PowerShell is because of their simplicity and use.
  • These languages’ native scripts can access request and result objects more quickly and effectively.
  • The Utils.dll class library that is bundled with the IQ Service contains all the necessary classes to access the request and result objects. Process environment variables would be presented as inputs to the script.
  • The environment variables contain XML-based data. Using Utils.dll, the script creates the appropriate objects.
  • Once the object is modified, the script should execute the object’s xml() function to convert it to XML and then send the XML to the path mentioned in the script’s single argument.
  • In the event of an error, the script generates a non-zero value and logs the message in the appropriate file at the specified directory.

Before/ After Scripts for IQ Service

  • The IQ Service allows function customization by allowing the integration of before/after scripts developed using scripting languages such as PowerShell.
  • Any required tasks that cannot be automated with the current source functionalities can be automated with scripts.
  • Native before scripts are scripts that are called before the request is processed; native after scripts are scripts that are called after the request is processed.

The following sources support Before/After Scripts for IQ Service:

Advantages

  • It will helps end user to get his organization email ID, password Reset Link & User manual for SailPoint as IdentityNow Default email templates don’t have this type of functionality.
  • We can set a customized template and add an initial login guide or any policy documents as an attachments while triggering this email.
  • The dependency on IT help desk team for sharing login details for the newly on-boarded contractors is reduced to a huge extent.
  • Contractors can login to their system almost immediately post completion of the on-boarding without having any downtime.

Sailpoint Unix Integration

Unix is the mother of all operating systems and also is the foundation for Tim Berner Lee’s invention.

Every enterprise has a huge Unix foot print spanning across thousands of servers running various legacy applications.

As part of the mammoth task of securing the IT environments, securing the Unix servers would be the first step.

At ENH iSecure, we thrive to achieve complete and impeccable solutions leaving nothing to chance.
As a part of these efforts, we are speaking about Identity Governance in Unix with the help of Sailpoint’s IIQ.

The following is a video where we speak about governance of Unix using Sailpoint’s IIQ.

The following is a demo on Unix integration with Sailpoint.