Tag: Identity IQ

Identity IQ is the flagship product of Sailpoint in the space of Identity Governance

https://www.sailpoint.com/products/identityiq/

SailPoint IdentityIQ SSO Integration with PingFederate

Posted on by Mohit Kayla in Sailpoint, Technology

Nowadays, almost every website requires some form of authentication to access its features and content. With the number of websites and services rising, a centralized login system has become a necessity. Single sign-on (SSO) is an authentication process that allows a user to access multiple applications with one set of login credentials. PingIdentity’s PingFederate allows the SSO for the enterprises which have the multiple applications and API’s to protect.

PingFederate is the leading enterprise federation server for user authentication and standards-based single sign-on (SSO) for employee, partner and customer identity types.

Continue reading

Sailpoint Identity IQ: Refresh logging through IIQ console

Posted on by Sandilya Krovvidi in Identity Governance, Sailpoint, Technology

Sailpoint IdentityIQ uses log4j framework for logging. “log4j.properties” is the file where all the logging related properties are configured. IdentityIQ Servers would a need a refresh of the log4j configurations after anything changes to log4.properties are made.

Usually this kind of refresh is performed through UI from the debug pages in IdentityIQ. Following are the steps to follow for refreshing log4j configurations through UI.

This image has an empty alt attribute; its file name is image-3-1024x279.png
  • Click on the “Logging” option in the menu.
  • Click on “Reload Logging Configuration”

Problem context:


log4j configurations whenever there are any changes have to refreshed across all the servers present in the environment. However, when a load balancer is configured, we might not have control to access individual servers through UI, thus making the refresh of log4j configurations through UI on each server.

Possible solutions:

There are 3 possible solutions for this problem.

  1. Temporarily re-directing load-balancer traffic to only one server and refresh the configurations on the same through debug pages. This process has to be repeated across all the servers.
  2. Accessing IdentityIQ through individual server host-names or IP addresses rather than load balancer URL. This may not be quite helpful as servers are usually configured in a way that individual servers redirect us towards load balancer URL.
  3. Best way in which this could be performed is through IIQ console.
    Following are the steps to follow for the same.
    • Launch IIQ console on one of the servers
    • Modify the log4j.properties as required.
    • Refresh the log4j configurations using the command “logconfig” as shown in the below screenshot.
  • Repeat the above steps for all servers in the environments.

Rule Library in SailPoint IdentityIQ

Posted on by Pranith Patel in Identity Governance, Sailpoint, Technology

Rule is an XML object with fully programmable java-based implementation hooks (Bean Shell). Rules can capture pieces of business-logic.SailPoint IdentityIQ is very much Rule-Driven, and thus very flexible.

Rules can reference other Rules! Helpful with creating Rule Libraries.

Rule Libraries are collections of methods that have been grouped together and stored in IdentityIQ as a Rule object. They contain a set of related but unconnected methods that can be invoked directly by workflow steps or other rules.

Continue reading

Bulk Provisioning – Batch Request in SailPoint IdentityIQ

Posted on by Pranith Patel in Identity Governance, Sailpoint, Technology

Batch Requests enable you to generate specific types of access requests for more than one user at a time. The required data is gathered from a prepared comma-delimited file for each request type. The batch files require comma-delimited data that represents the individual requests. In most cases the native identity or identity name can be used to specify the request target.

In this presentation, we will be discussing on batch requests in SailPoint IdentityIQ, different methods involved in batch requests, complete explanation on individual types implementation with the Active Directory and Azure Bulk Provisioning.

Bulk Provisioning – Batch Request in SailPoint IdentityIQ
Continue reading

Filters in Refresh Identity Cube Task of IdentityIQ

Posted on by Mohit Kayla in Identity Governance, Sailpoint, Technology

Refresh Identity cube task is one of the most popular predefined tasks in SailPoint IdentityIQ. Refresh Identity cube task performs a full refresh of the identity cubes and aggregates the data from external sources for all identities. The task has the features to specify which identities are needed to be refresh, by the use of Filters. Filters are used in many places throughout IdentityIQ to allow actions to be applied to a subset of system objects. Filters in Refresh Identity cube task make use of filter strings, which will refresh all the identities which meet the filter constraint mentioned in the task.

The following presentation discusses in detail about the different filters used in the Refresh Identity cube task.

The following is the demonstration of the usage of different filters on Refresh identity cube task.

ETL Process and Working of CloverETL in Sailpoint IdentityIQ

Posted on by Mohit Kayla in Identity Governance, Sailpoint, Technology

As data is generated rapidly day to day, there is a need to organize it to generate useful results from data. It is essential to properly format and prepare the data before loading it into data storage systems for analysis. Otherwise bad data leads to inaccurate analysis that could have a great loss for the organization. In order to prevent these problems, the data needs to be processed and transformed into quality data, which generates a better analysis.

This can be achieved by using ETL process which Extracts, Transforms, and Loads the data. Each of these phases can include functionalities to process the data as required. There are various tools that perform ETL process. Sailpoint is flagship identity management tool, which uses CloverETL(CloverDX) to perform data processing.

The following presentation sheds light on ETL process and working of CloverETL in Sailpoint.

 

Integrating CyberArk with SailPoint using SCIM

Posted on by Sandilya Krovvidi in CyberArk, Identity Governance, Sailpoint, Technology

Privileged accounts are considered to be “keys to the kingdom” in any IT Infrastructure. Almost every cyber attack that has ever happened involved compromises at the privileged account level. PAM Solutions usually help in managing such accounts, keys or files that would lead to escalated access.

CyberArk is the global leader in PAM solutions with a holistic approach towards privileged account management. It covers not only traditional PAM problems but also extends its capabilities with various features like managing hard-coded application credentials, analytics, on-demand privileges escalation and managing end-user devices like desktops.

Securing and streamlining identity and privileges data present with such solutions is of very high importance.

In the following presentation, we provide a detailed overview of CyberArk integration with SailPoint by integrating Cyberark as a SailPoint’s application.

In the following video, we provide a detailed demo of this integration.

Sailpoint : IdentityIQ Console

Posted on by Prasad Chitikela in Identity Governance, Sailpoint, Technology

Sailpoint IdentityIQ Console is the command line utility for interfacing with IdentityIQ.
It is a powerful tool that allows the user to view objects, execute workflows, import and export data, and much more.

In the following presentation, we have discussed how to launch the IIQ console, usage, and syntax of the frequently used console commands.

 

 

The following demonstration presents the usage of frequently used console commands along with some examples.

Active Directory Application Configuration – Test Connection Failure in IdentityIQ 7.2

Posted on by Prasad Chitikela in Identity Governance, Sailpoint, Technology

Issue Description:

As part of Active Directory Application Configuration in IdentityIQ 7.2, “Test Connection”  failing with below error message.

In IdentityIQ 7.2, the Active Directory connector supports multiple Active Directory (AD) forests through one application definition.
While defining the Active Directory application through the IdentityIQ user interface in version 7.2, we do not have the option to mention the server details in Domain configuration settings.

Even though we do not specify any server details, the default configuration tries to connect to “localhost“, similar to the default port configuration which is “389“.

We see the below error message when we click on the “Test Connection”

2018-09-04 05:05:12,551 ERROR http-nio-8080-exec-6 sailpoint.web.ApplicationObjectBean:2701 – Connector failed.sailpoint.connector.ConnectorException: Failed to connect to – dc=enhcorp,dc=com : Failed to connect to server:ldap
dc=enhcorp,dc=com localhost:389

Resolution:

 

Modify the Application xml file to include the DC servers details.
Below is the example modification.

From

<entry key=”domainSettings”>
<value>
<List>
<Map>
<entry key=”authorizationType” value=”simple”/>
<entry key=”domainDN” value=”DC=enhcorp,DC=com”/>
<entry key=”password” value=”1:iIopEeOL5KrLoSjYKvh/Ww==”/>
<entry key=”port” value=”389″/>
<entry key=”servers”/>
<entry key=”useSSL”>
<value>
<Boolean></Boolean>
</value>
</entry>
<entry key=”user” value=”ENHCORP\Administrator”/>
</Map>
</List>
</value>
</entry>
To
<entry key=”domainSettings”>
<value>
<List>
<Map>
<entry key=”authorizationType” value=”simple”/>
<entry key=”domainDN” value=”DC=enhcorp,DC=com”/>
<entry key=”password” value=”1:iIopEeOL5KrLoSjYKvh/Ww==”/>
<entry key=”port” value=”389″/>
<entry key=”servers”>
<value>
<List>
<String>172.16.153.185</String>
</List>
</value>
<entry key=”useSSL”>
<value>
<Boolean></Boolean>
</value>
</entry>
<entry key=”user” value=”ENHCORP\Administrator”/>
</Map>
</List>
</value>
</entry>

Active Directory – Exchange Provisioning errors in Sailpoint Identity IQ

Posted on by Prasad Chitikela in Identity Governance, implementation-problems, Sailpoint, Technology

Issue Description:

Active Directory Provisioning along with Exchange attributes failing with below error message.

Errors returned from IQService. Connecting to remote server win-g303o4860qk.enhcorp.com failed with the following error message: The username or password is incorrect. For more information, see the about_Remote_Troubleshooting Help topic.

 

 

Troubleshooting steps:

  • Verified the User/Password details by logging in to the Domain controller as Domain Admin (the user which was used in Active Directory Application Configuration)
  • Verified and restarted Exchange services which were failed to start by default.

  • Enabled logging for AD Connector and observed the below messages.
    • 2018-08-31 02:07:09,515 DEBUG Workflow Event Thread 1 sailpoint.connector.ADLDAPConnector:3503 – 1239254649 Entering handleObjectRequest2018-08-31 02:07:10,796 ERROR Workflow Event Thread 1 sailpoint.connector.ADLDAPConnector:3380 – 1239254649 Exception occurred in handling Object Request.sailpoint.tools.GeneralException: Errors returned from IQService. Connecting to remote server win-g303o4860qk.enhcorp.com failed with the following error message: The username or password is incorrect. For more information, see the about_Remote_Troubleshooting Help topic.
  • Launched Exchange Management Shell and observed below error messages
    • VERBOSE: Connecting to WIN-G303O4860QK.enhcorp.com.New-PSSession : [win-g303o4860qk.enhcorp.com] Connecting to remote server win-g303o4860qk.enhcorp.com failed with the following error message: WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits accesses to remote computers within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic.At line:1 char:1

      + New-PSSession -ConnectionURI “$connectionUri” -ConfigurationName Microsoft.Excha …

 

Resolution:

Active Directory-Direct connector reads Exchange Server attributes by connecting to the Active Directory.

But, for provisioning any Exchange attributes, connector needs access to remote Powershell via IQService.

Windows Remote Management (WinRM) is a feature of Windows that allows

administrators to remotely run management scripts. WinRM Service should be running and that

should also be set up for Remote Management using the Enable-PSRemoting -force.

 

Enable PowerShell remoting in the domain using below cmdlet in Exchange Management Shell.

>Enable-PSRemoting -Force