Genie Integration with SailPoint IdentityIQ

Before going through the Integration of Genie with SailPoint IdentityIQ, let us understand what a ticket and a ticketing system is.

What is a ticket?

A Ticket is a special record that represents an incident, request or event that requires action from the IT department. It contains the necessary details of the incident, request or event.

A ticketing system is a software platform designed to manage and track customer support requests. It streamlines the process of resolving customer issues, making it easier for businesses to provide fast and effective support.

Benefits of embracing a ticketing system in your organization:

  • Control High Volume of Requests from a Centralized Place – Organizations can track and manage inbound support requests with the help of a good ticketing system. The solution can be used by executives to manage support cases more efficiently while still attending to all client issues.
  • Combine interactions into one thread – Your team can use ticketing system to combine customer-related conversations into a single thread when offering customer care to clients via a variety of channels.
  • Process automation and workload management – Ticketing systems provide several potentials for automation. As an illustration, the software gathers assistance requests from several sources before automating the creation of tickets. Regardless of the help channel clients select, tickets are automatically created whenever they submit requests.
  • Adequate team collaboration – Ticketing systems provide a platform to the customer service representatives to collaborate among themselves in assigning tickets to senior associates in terms of P0 escalations.

About Genie:

Genie is a ticketing tool, in which there are different types of tickets such as Work Order tickets, Incident tickets, etc. SailPoint handles creation of below tickets in Genie from SailPoint.

  1. Onboarding ticket
  2. Exit or Off-boarding ticket
    • Provision failure ticket

    Among the above tickets, Onboarding and Off-boarding tickets are Work Order tickets and Provision failure ticket is an Incident ticket.

    Integration with SailPoint IdentityIQ:

    Genie is integrated with SailPoint using REST APIs.

    Below is the high-level architecture of Genie – SailPoint Integration

    High level architecture

    Now, let us have a look at the APIs used in the Integration process. Below is the list of APIs used for creating tickets and getting specific ticket details:

    1. Generate Authentication key: We are using this API to generate an Authentication key. Here, the generated Authentication key expires for every few minutes.
    2. Creating Work Order ticket: We are using this API to create a Work Order ticket in Genie.
    3. Get specific Work Order ticket: We are using this API to Get a specific Work Order ticket details. In other words, it is used to Retrieve the Work Order ID of the submitted request.
    4. Creating Incident ticket: We are using this API to create a Work Order ticket in Genie.
    5. Get specific Incident ticket: We are using this API to Get a specific Incident ticket details. In other words, it is used to Retrieve the Incident number of the submitted request.

    Prerequisites for integrating Genie with SailPoint:

    Following are the prerequisites that are essential for integration of Genie with SailPoint IdentityIQ

    1. Genie API details for creating tickets
    2. Base URL and Authentication details of the APIs
    3. Access to Genie Test Instance
    4. Database table to store the ticket details
    5. Connection details of the Database

    Now, let us discuss the use cases involved in the integration process.

    Use Cases

    1. Onboarding Ticket Creation:

    An Onboarding Work order ticket will be created in Genie from SailPoint when a new joiner joins the organization and his/her account is created in Truth Source and Active Directory applications.

    The ticket contains details of the New Joiner such as Start Date, First Name, Last Name, Employee ID, Employment Type, AD ID, Domain ID, Contact Information, etc.

    Onboarding ticket creation process

    Success case:

    Once the ticket gets created in Genie successfully, the details of the created ticket such as    Work Order ID, Creation Date, Request ID and ticket summary will be added to the database table.

    Failure case:

    If the ticket creation fails for some reason, then an Email notification containing the New Joiner’s details, will be triggered to the respective stakeholders.

    1. Exit or Off-boarding Ticket Creation

    An Exit or Off-boarding Work order ticket will be created in Genie when HR assigns the Last working date of the user in Truth source and that Last working date is 7 days away from today’s date.

    The ticket contains details of the End dated user such as Last Working Date, First Name, Last Name, Employee ID, Employment Type, AD ID, Domain ID, Contact Information, etc.

    Exit ticket creation process

    Success case:
    Once the ticket gets created in Genie successfully, the details of the created ticket such as Work Order ID, Creation Date, Request ID and ticket summary will be added to the database table.
     
    Failure case:
    If the ticket creation fails for some reason, then an Email notification with the End Dated user’s details, will be triggered to the respective stakeholders specifying.

    1. Provisioning Failure (Incident Ticket)

    A Provisioning Failure (Incident) ticket per application will be created if the provisioning operations failed in SailPoint in last 24 hours. In this use case, applications under consideration are Active Directory, G-Suite and OpenLDAP and operations under consideration are Create, Enable, Disable and Delete.

    For example, if the Disable operation failed in Active Directory for an account, then a ticket (which will be of Incident type) will be created in Genie containing the details such as Type of operation failed and Display Name, Employee ID, email, sAMAccountName, userPrincipalName, distinguishedName, etc details of the account.

    Provisioning Failure ticket creation process

    Success case:

    Once the ticket gets created in Genie successfully, the details of the created ticket such as Incident Number, Creation Date, Request ID and ticket summary will be added to the database table.

    Failure case:

    If the ticket creation fails for some reason, then an Email notification will be triggered to the respective stakeholders specifying Type of operation failed, Application name in which Provisioning failed and Display Name, Employee ID, email, etc. details of the account.

    Now, let us understand the advantages of integrating a ticketing system with SailPoint IdentityIQ when compared with a traditional ITSM.

    Advantages of Integrating Genie with SailPoint IdentityIQ:

    1. In this integration, we have automated the creation of onboarding tickets for New Joiners. Whereas in traditional ITSM’s, the ticket should be created manually by the end user.
    2. While creating tickets in Genie, SailPoint uses the data coming from Truth Source which will be updated by the HR team. Whereas in traditional ITSM’s, there is every chance that end user does not give the mandatory details required by IT team to perform necessary action on that ticket or the end user mistakenly may also enter incorrect details. So, IT team might need to contact the HR team or the end user, which is a time-consuming process.
    3. In this integration, we will be using the details of the user as per the Truth Source application while creating the ticket. So, the IT team may not wait for the communication from the concerned team.
    4. Whereas in traditional ITSM’s, when the ticket is created, the IT team should get certain required details from the concerned team manually. The Exit ticket will be created automatically when the end-dated user is one week away from the Last Working date, which gives the IT team ample amount of time to take necessary actions such as collection of assets and disabling of access.
    5. In this integration, we are storing the ticket details such as Work Order ID, Incident Number, Creation Date, Request ID and Summary in the database table for all the tickets created from SailPoint. So, we can use this table’s data for auditing purposes which ensures centralized governance.
    6. The Incident tickets are created every day (one ticket per application) from SailPoint in Genie for applications such as Active Directory, G-Suite and OpenLDAP and for operations such as Create, Enable, Disable and Delete, if the provisioning fails in these applications. The point to be noted here is, if in an application, no provisioning operations failed for that day, then no ticket will be created for that application for the particular day. But, there is every chance that, one ticket per application will be created where each ticket contains the information of all the accounts for which Provisioning failed. Using SailPoint, this is one of the critical advantages of integrating genie with SailPoint IIQ. Whereas in traditional ITSM’s, this needs to be done manually, which will be a tedious task to do.

    The detailed discussion of APIs, use cases and integration approach is discussed in the following video:

    Now, let us a have a demo on integration of Genie with SailPoint IdentityIQ in the following video:

    SAP SuccessFactors Integration with SailPoint IdentityNow

    SAP SuccessFactors integration with  SailPoint IdentityNow.

    SuccessFactors is an SAP product suite to provide cloud-based solution to manage business alignment, people performance, recruitment, and employee central and learning activities for all sizes of organizations.

    SAP SuccessFactors is cloud based HCM solution and is designed on Software as a Service (SaaS) cloud model. Software as a Service is also known as On-demand software solution where software is licensed on a subscription basis and is centrally hosted.

    SaaS has become a common delivery model for many business applications, including office and messaging software, payroll processing software, DBMS software, management software, CAD software, development software, gamification, virtualization, accounting, collaboration, customer relationship management (CRM), management information systems (MIS), enterprise resource planning (ERP), invoicing, human resource management (HRM), talent acquisition management and other software and infrastructure services.

    • In SaaS, software and application data is hosted on a remote cloud and can be accessed on demand from any location using secured login credentials.
    • SaaS software is multitenant that allows many instances of the software to be accessed and are on the same application version.
    • Users have an option to select features and functionality to use in the standard solution and in the regular releases that are introduced by the vendor.
    • SaaS Solution is based on multitenant architecture where a single configuration is applied for all the tenants or customers. To provide scalability, you install application on multiple machines.

    IdentityNow SAP SuccessFactors connector supports Account Management for loading accounts, delta aggregation and Provisioning.

    SAP SuccessFactors integration with SailPoint IdentityNow Blog

    Pre-requisite

    At-least Virtual Appliance need to be configured in order to have communication between IdentityNow cloud and SAP source however SailPoint recommends to have 2 virtual appliances in cluster.

    Permissions required :

    •Test connection : To test the connectivity from IDN cloud to SAP SuccessFactors source.

    •Account Aggregation : To aggregate account details to IDN cloud.

    •To perform connection tasks, must have the following permissions:

    a. SFAPI User Login

    b. Employee Central HRIS SOAP API

    •For example, The Success Factor source aggregates the employee data from the SuccessFactors managed system based on the Picklist configuration which is a configurable set of options or selection lists used to populate a data input field with one of a number of predefined values in the Success Factors that can be obtained.

    Next for aggregation we required the following permission:

    • Manage User : Employee Export
    • Metadata Framework : Admin access to MDF OData API
    • Manage System Properties : Picklist Management and Picklists Mappings Setup
    • Employee Central API : Employee Central Foundation OData API (read-only), Employee Central HRIS OData API (read-only), Manage Role-Based Permission Access

    Let us see prerequisites for SAP SF integration.

    •For configuring the base URL for IdentityNow tenant we need to configure data center wise.

    •The base url will vary from datacentre to datacentre.

    •In the blog we have provided the link for SuccessFactors API URLs for different Datacenters.

    https://userapps.support.sap.com/sap/support/knowledge/E/2215682

    SAP SuccessFactors integration with SailPoint IdentityNow Demo

    DocuSign Integration with SailPoint

    The DocuSign electronic signature app provides users a simplified way to digitally sign and return documents from anywhere in the world.

    describes the Integration for the DocuSign Application of SailPoint IdentityIQ (IIQ) solution implementation.

    SailPoint webservice connector is application type used to connect from SailPoint to DocuSign application. for creating account, update account, Activate and deactivate account.

    Details Required for DocuSign integrate with SailPoint

    1. Need to get the DocuSign API details for the different operation.
    2. Base URL will be different for different environment.
    3. secret key and client ID for the token generation.
    4. Generating access token with Authorization code.

    Use Cases

    The following operation will be performed by IIQ – 

    Create, Update, Enable, Disable, Account Aggregation, Group Aggregation

    Created Account operation: This use case will be used to create the account for the different user with adding the groups, permission, and different details required for the account creation.

    Update Account operation : If the existing user need to update the details , where the details can be updated in the form which is provided in the SailPoint.

    Leaver Process : As the user will be left the company or the department, then the user will be disabled or deleted automatically by the leaver process.

    Mover Process : Once the user is transferred from the one department to other department or to the position is changed of the user then the mover process will be triggered.

    Rehire Process: Once the user is re-hired in the organization then the re-hire process will be triggered.

    Sailpoint IdentityIQ: Bulk User Creation Plugin

    Bulk User Creation Plugin in IdentityIQ

    Introduction

    A plugin is a tiny piece of software that extends the functionality of an Application or Computer program.

    The IdentityIq Plugin Framework is an protract framework model for IdentityIQ.It allows third parties to develop affluent application and service-level amplification to the core SailPoint IdentityIQ. It enables plugins to extend the excellence in user interface, deliver custom REST endpoints, and to deliver conventional background services.

    In the following presentation, I will be providing a brief introduction of IdentityIQ Plugins:

    Plugin Versioning Requirements

    Plugin version numbers must be numeric, denote the parts of the version number with decimal points, and not contain any alphabetic or other characters in order to better facilitate upgrading plugins.
    Leading zeroes will be removed from each segment of the version number, and the values between the decimal points are converted to integers.

    For example:
    06 and 00006 are both interpreted as 6
    A segment containing any non-numeric values is interpreted as 0
    7.009.alpha is parsed as 7.9.0
    5.7.8a is parsed as 5.7.0

    Plugin Object Model

    The Plugin XML object, which specifies the plugin’s constant, describes a plugin in IdentityIQ. REST resources, Snippets, and settings are a few examples of features. The manifest.xml file contains the definition of the Plugin object. This file is necessary for plugin.

    The XML object known as the Plugin Object defines the plugin’s feature. By binding them as attributes of a Plugin Object, this object informs IdentityIQ about the facets that are present in your plugin. You can also specify information about the plugin in the Plugin Object, such its name, the privileges needed to use it, its version, snippets, and REST resources. Use the advanced plugin settings to define a form or to refer to a specific plugin configuration file for more complicated plugins that need support for several field types and more dynamic behavior, such as drop-down lists or password fields. Depending on past selections, dynamic behavior can involve showing or hiding other fields.

    For Example: In contrast to when the user picks basic authentication, it could be more acceptable to display an access token field when the user selects o-auth authentication.

    Plugin Settings

    Attributes that can be changed during installation are known as plugin settings. To view the configuration options page, click Configure. Forms are used to display the settings. The form is generated automatically if the plugin does not use its advanced options.
    On the plugin settings page, the settings from the manifest file are shown in alphabetical order.
    A single setting on a plugin’s configuration settings page can be represented by the Plugin setting object. On the settings page, each object serves to represent a single customizable setting.

    Developing Plugins

    IdentityIQ stores the .zip archive file of the Plugin in the IdentityIQ database in the spt_file_bucket table. The data in the spt_file_bucket table is a referenced ID to an entry in the spt_persisted_file table.

    After establishment or amid an application server restart, plugins are stacked from this.zip file. All consequence files are taken from the.zip file and cached for ensuing utilization. The cached files can be gotten to using a assortment of accessor ways, but they can moreover be retrieved by utilizing

    the URL prefix /identityiq/plugin/pluginName taken after by the way indicated within the construct structure. The PluginClassLoader lesson is utilized to stack and cache compiled Java classes from the.zip file.

    Example Plugin Directory Structure:    

    Bulk User Creation Plugin

    This is a custom plugin built by ENH iSecure for creating Identities through SailPoint IdentityIQ and Provision the following identities to the requested Applications in IdentityIQ

    A User like a manger level will have a Privilege to request for Bulk User Creation, once a .csv file is Uploaded in UI page by the following user and if the users request gets Approved a bulk number of identities will be created in Sailpoint IdentityIQ and the following identities provisioning takes place on the identities joining dates for the Requested Applications and following Email notification follows with respective action steps.

    In the following video, I will be providing a detailed demo on IdentityIQ custom Plugin (Bulk User Creation)

    SAP HR & ECC Source Integration

    SAP is one of the world’s leading producers of software for the management of business processes, developing solutions that facilitate effective data processing and information flow across organizations.

    SAP software provides multiple business functions with a single view to the entire data. This helps companies better manage complex business processes by giving employees of different departments easy access to real-time insights across the enterprise.

    SAP solutions are classified into 6 core products as listed below.

    In the below video, we are going to see the SAP HR/HCM source and SAP ERP Core Component (ECC) source integration in SailPoint IdentityNow.

    SAP HR system integration.

    SAP HCM solution is used to streamline the HR process and create a people centric organization.

    SAP HR/HCM system that we are integrating in SailPoint IdentityNow will be the truth source from which identity governance is managed.

    SAP ECC system integration

    SAP ECC is the ERP system that integrates information from one SAP system to another system in real time, this helps companies better manage complex business processes by giving employees of different departments easy access to real-time insights across the enterprise.

    As a result, businesses can accelerate workflows, improve operational efficiency and raise productivity.

    By integrating SAP ECC to SailPoint IdentityNow, Identity access management and governance will be simplified.

    Use cases.

    On demand access request: User can request access based on requirement from request center.

    Separation of Duties: Whenever user request for conflicting access SoD policy violation check will happen and warn the approver that approving access will violate SoD policy.

    Leaver Scenario: When user lifecycle state is changed to terminated the end target applications access will be disabled.

    Certification campaign: To certify user is having right access certification campaign can be configured and can be certified by user’s manager or source owner or a specific individual.

    In the below video, we are going to look at a demo of above specified integrations and use cases.

    SailPoint IdentityNow: Connector Rule API’s

    Extensibility of services using vast API collections is sign of a true SaaS solution. SailPoint IdentityNow has recently released few APIs which allow us to upload our own connector rules required for app integrations.

    Rule

    In IdentityNow, Rules are the configurations which are used to provide additional flexibility where needed. Rules are basically developed using a scripting language called Bean Shell, it is a lightweight scripting language whose syntax is similar to Java.

    Based on Execution type rules are divided into two types:

    Cloud ExecutionConnector Execution
    1)The Rules which are executed in the IDN tenant cloud are called Cloud Execution Rules.
    1)The Rules which are executed on virtual Appliance (on premise) are called Connector Execution Rules.
    2)There will be a review process for cloud rules to ensure any submitted Cloud Rules meet SailPoint requirements and doesn’t contain code that could harm the system and the only way to upload the rule is through SailPoint.2)Connector Rules are usually extension of the connector itself. These rules are mainly used to implement pre-processing of data and post-processing of data and to manipulate, merge or otherwise transform the incoming data as it’s being read

    Rule Deployment Process

    As-Is Process

    In As-Is Process for deploying Connector Rules on the tenant developer should follow the below steps:

    1. Rule needs to be developed as per the requirements.
    2. Developed rule shall be submitted to SailPoint Expert services for review.
    3. Post review, rule will be uploaded on to the tenant.
    4. In case of any changes required the rule shall be resubmitted to the SailPoint Expert Services.

    To-Be Process

    In To-Be process the rule can directly be deployed to the IDN tenant using APIs. In case of any changes required/delete the developer can directly use these APIs and make required changes instead of going through tedious process like earlier.

    Advantages and Limitations

    Advantages

    1. Easy to Deploy – They are Easy to deploy on to the tenant compared to the entire previous process
    2. Faster deployment of rules – Rules will be deployed on the tenant instantly using APIs where old process used to take a minimum of 24hrs
    3. Low Cost from SailPoint Expert Services – Compare to previous methodology, deploying connector rules using APIs has minimal involvement from Expert Services.
    4. Rework is Faster – In case of any changes rather than repeating the entire process, rework is quicker using these APIs.
    5. Faster Integrations – Using APIs, the overall application integrations are faster.

    Limitations

    The only limitations for these APIs are that these APIs support only connector rule types, but not for the cloud rules as of now.

    Connector Rule Rest API Operations

    SailPoint Provides us with six APIs to perform connector rule operations mentioned below:

    GET, LIST, CREATE, UPDATE, DELETE, VALIDATE are the APIs that are currently used for connector rule operations. A token with ORG_ADMIN authority is required to perform any operation.

    Detailed documentation on connector rules APIs can be found here:

    https://developer.sailpoint.com/apis/beta/#tag/Connector-Rule-Management

    In the following presentation, I will be providing a detailed overview of Rules and Connector Rule APIs

    In the following video, I will be providing a detailed demo of the Connector Rule APIs and their operations

    SailPoint IdentityNow SSO integration with Okta

    Okta is the leading solution for user authentication and single sign-on (SSO) for workforce as well as customer identities. Okta is capable of managing SSO to wide range of applications along with multi-factor authentication, directory integrations and lifecycle management from the cloud.

    SailPoint IdentityNow is a cloud based identity and access management solution which aims to provide identity-as-a-service. IdentityNow enables a complete set of IAM capabilities delivered from the cloud to manage hybrid IT environments that include on-premises and cloud resources. IdentityNow supports SAML based Single Sign On. SAML is an open standard which allows an identity provider (like Okta) to pass on authentication information to a service provider (like IdentityNow).

    In the following demonstration, we take a look at the SAML integration of IdentityNow with Okta for Single Sign-on. We will also go over the Active Directory integration in Okta and how this can be backed by IdentityNow’s lifecycle management.

    SailPoint IdentityIQ SSO Integration with Okta

    You have to admit that there are many people who change their password to ‘incorrect’ .That way it always reminds them whenever they enter a wrong password – “your password is incorrect” . Also a survey stated more than 78% of people tend to forget their latest passwords within 21 days of inactivity .

    Amidst such scenarios , securing and monitoring the access for any external users like partners, contractors and customers who have access to organizational resources have always been a challenge for many organizations thereby increasing the demand for a centralized login system. Single sign-on (SSO) is an authentication process that allows a user to access multiple applications with one set of login credentials. 

    Okta is the one of the leading provider for user authentication and standards-based single sign-on (SSO) for employee, partner and customer identity types. Okta supports and manages SSO for the enterprises with wide range of applications thereby providing a single secured centralized login system.

    SailPoint IdentityIQ  supports Single sign-on as one of its supported login configurations . The SSO is based on the SAML protocol which is a standard protocol for the SSO and other security assertions.

    In this blog we are going to take a look at the integration of SailPoint IdentityIQ with Okta for Single Sign on.

    The following presentation discusses in detail about the integration between SailPoint IdentityIQ and Okta.

    The following is the demonstration of steps for configuring Okta as an Identity Provider for SailPoint IdentityIQ

    SailPoint IdentityNow Ticketing integration with ServiceNow

    Ticketing systems form an excessive part of any enterprise’s IT infrastructure. An IT ticketing software, also known as an IT ticketing system, is a software program that enables organizations to resolve their internal IT support queries by managing and streamlining the process of issue resolution.
    ServiceNow is a global leader in cloud-based ticketing systems and has been playing a visionary role in ITSM and ITOM.

    IdentityNow is a leader in the market for a perfect IAM solution for organizations taking the next step into cloud computing. The product is simpler to tack together than several other IAM solutions in the market, thus additional configuration can be completed without the need for specialist resources. The User interface (UI) is a lot easier to interface for end-users and needs less coaching.
    IdentityNow’s Service Integration Module, or SIM integration with ServiceNow, which converts IdentityNow provisioning actions into tickets in ServiceNow.

    The following presentation will give the overall idea of ServiceNow service catalog integration with SailPoint IdentityNow and explanation of the use case,

    The following is the demonstration and walk through the IdentityNow integration with Servicenow and showcases the integration use case,

    Oracle E-Business Suite Integration with SailPoint IdentityNow

    Oracle‘s E-Business Suite (EBS) is the most comprehensive collection of business applications to enable management and optimization of critical business processes. EBS includes applications for enterprise resource planning (ERP), human resources management (HRMS), customer relationship management (CRM), financials and supply chain management (SCM) among others.

    SailPoint IdentityNow provides a complete solution to manage Oracle E-Business accounts data, passwords, and access with it’s connector. The user management and the assignment of roles and responsibilities can be simplified and streamlined using IdentityNow. This integration also facilitates implementation of Segregation of Duties (SoD) policies in real-time, enabling role based access and performing user access reviews.

    In this presentation, we will overview of Oracle EBS and its integration with IdentityNow for user access management including the pre-requisites and the connector APIs.

    The following demonstration includes the basic integration process along with role based access control for Oracle EBS.