IdentityNow has many even triggers which capture the events internal to IdentityNow. This can be related to various IdentityNow internal processes like aggregation, provisioning, access request etc.
In response or action to an event, Event triggers have a capability to communicate with external applications. This response can happen via webhooks or AWS event bridge.
This type of trigger is used to give the custom application an ability to answer back to a trigger event sent by the trigger service. This integration is bi-directional. A response from the custom application is required for a trigger invocation to be considered complete and successful.
FIRE_AND_FORGET
This type of trigger is used to notify the custom application of a particular occurrence of an event. This integration is uni-directional. Trigger invocation is successful the moment the trigger service notifies the external application, and it does not require a response from the custom application.
For example, a user from IT department is able to see Jira, Bitbucket, Administrative / Privileged access across applications like Active Directory, ServiceNow and various other applications in the request center. For a user from Marketing department, the above access is not relevant and with segments, we are abstracting those items. The relevant access for marketing users would be Salesforce CRM and the same will be visible for the users.
In the presentation below, we will be discussing about segments feature in detail :
In the below video, we will provide a practical demonstration on how to configure segments, how it affects the end user perspective using a practical use-case :
Advantages
Limit end user visibility for applicable access
Only the access that is applicable for a subset of identities and relevant for them is displayed using segments. This helps in avoiding the confusion in finding the right role/access profile while making an access request.
Reduce incorrect access requests
End users shall not make any incorrect access requests because the only access items that they’ll see in the request center are already fine tuned and configured according to the organizational requirement.
Limit accidental provisioning
If presented with a lot of access items, users might request for something that they don’t need. This can be avoided by creating and assigning users to their respective segments based on certain criteria.
Reduce cost of software licensing
Due to accidental access provisioning, users might be consuming additional licenses for access that they do not need which is a major costing risk. This can be avoided by configuring segments.
Extensibility of services using vast API collections is sign of a true SaaS solution. SailPointIdentityNow has recently released few APIs which allow us to upload our own connector rules required for app integrations.
Based on Execution type rules are divided into two types:
Cloud Execution
Connector Execution
1)The Rules which are executed in the IDN tenant cloud are called Cloud Execution Rules.
1)The Rules which are executed on virtual Appliance (on premise) are called Connector Execution Rules.
2)There will be a review process for cloud rules to ensure any submitted Cloud Rules meet SailPoint requirements and doesn’t contain code that could harm the system and the only way to upload the rule is through SailPoint.
2)Connector Rules are usually extension of the connector itself. These rules are mainly used to implement pre-processing of data and post-processing of data and to manipulate, merge or otherwise transform the incoming data as it’s being read
Rule Deployment Process
As-Is Process
In As-Is Process for deploying Connector Rules on the tenant developer should follow the below steps:
Rule needs to be developed as per the requirements.
Developed rule shall be submitted to SailPoint Expert services for review.
Post review, rule will be uploaded on to the tenant.
In case of any changes required the rule shall be resubmitted to the SailPoint Expert Services.
To-Be Process
In To-Be process the rule can directly be deployed to the IDN tenant using APIs. In case of any changes required/delete the developer can directly use these APIs and make required changes instead of going through tedious process like earlier.
Advantages and Limitations
Advantages
Easy to Deploy – They are Easy to deploy on to the tenant compared to the entire previous process
Faster deployment of rules – Rules will be deployed on the tenant instantly using APIs where old process used to take a minimum of 24hrs
Low Cost from SailPoint Expert Services – Compare to previous methodology, deploying connector rules using APIs has minimal involvement from Expert Services.
Rework is Faster – In case of any changes rather than repeating the entire process, rework is quicker using these APIs.
Faster Integrations – Using APIs, the overall application integrations are faster.
GET, LIST, CREATE, UPDATE, DELETE, VALIDATE are the APIs that are currently used for connector rule operations. A token with ORG_ADMIN authority is required to perform any operation.
Each progressing year, IT is getting more and more complex. Organizations keep growing and subsequently more and more people come into the organization each with their own needs. These users are then provided with their own levels of access to resources. The problem that arises here is that the growing mess of systems and user access management.
IdentityNow is an IDaaS (Identity as a Service) based IAM solution, unlike IdentityIQ which is on-premise. IdentityNow also helps people get the access that they need and manage the lifecycle around it. The current blog discusses the extensibility features announced by SailPoint. These features will help make security decisions on the go very effectively.
In the following presentation, I will be providing a detailed overview of Extensibility Feature Integration with IdentityNow for Access Requests.
Overview of Extensibility Features:
Users at an enterprise level are distributed among different geographies of the world. SailPoint’s access request integration with applications such as Microsoft Teams and Slack enable the users to get the access that they need right from the tool that they use the most. SailPoint also ensures that the appropriate governance and compliance controls are enforced while providing ease of access to the users while making access requests.
Current Access Request Process :
To briefly understand the current access request process in IdentityNow below is an illustrative diagram:
Roles in IdentityNow combine provisioning to multiple sources by combining different access profiles. However, for access requests, roles can be marked as “requestable”. By doing this, the roles are then visible in the Request Center tab in IdentityNow. We can have approvals in place for this role such that any user who requests for this role, will by routed through an approval process.
Applications in IdentityNow have their own XML structure with their own password policies and account creation restrictions. For the approvals, we can define the approval hierarchy in Access Profiles itself. Once the application has been created, it should be marked as ‘visible in request center’ and ‘allow access requests’.
Users have to login to their IdentityNow tenant with their credentials. They navigate to Request Center tab to see “Applications” and “Roles” where they can make an access request from either of these. Both Roles and Applications facilitate provisioning to the target source using Access Profiles.
Applications and Integration Overview:
Microsoft Teams
Microsoft teams is a chat-based collaboration platform from Microsoft. With capabilities such as documents sharing, online meetings, teams and channels, online video calling and screen sharing, messaging and many more extensible features for business communication. It is extremely user friendly and can facilitate a work environment between remote users and large businesses. Below are the benefits from this integration:
Ease of making access requests from within the Teams Application.
Users can request either for a Role or Application depending on the business needs.
This integration ensures seamless user experience for making access requests.
Below is the process followed post the integration with MS Teams:
Users will login to their Teams application using their Office365 account.
A SailPointchatbot is configured which appears in the Applications tab.
Connect to your IdentityNow tenant and click on “Create Access Request”.
Find and select the Application/Role to request.
Select the role for himself or for others.
Submit the request.
2. Slack
Slack is workspace alternative communication tool just like teams which combines the functionalities for messaging, tools and files. Users can communicate over channels or Direct Messages based on their requirement and it has support for third-party application integrations and add-ins. Although the application is free to use with certain limitations, there is an enterprise level application as well. Below are the benefits from this integration:
Please note that the {api-url} below is the org name of your IdentityNow tenant.
The primary APIs that are used behind this integration are:
List of access request objects: Returns a list of requestable items for an access request.
GET – https://{api-url}.api.identitynow.com/v3/requestable-objects
Create an access request: Submits an access request to IdentityNow. This will not return any result because the request has been submitted by the system. If there are more than one identity for the access request, the JSON payload will contain a list of id’s for each identity.
POST – https://{api-url}.api.sailpoint.com/v3/access-requests
Get the access-request status: Returns a list of access request statuses based on the specified query parameters.
GET – https://{api-url}.api.identitynow.com/beta/access-request-status
In the following video, I will be providing a detailed demo of the access request integration with Teams and Slack.
Okta is the leading solution for user authentication and single sign-on (SSO) for workforce as well as customer identities. Okta is capable of managing SSO to wide range of applications along with multi-factor authentication, directory integrations and lifecycle management from the cloud.
SailPoint IdentityNow is a cloud based identity and access management solution which aims to provide identity-as-a-service. IdentityNow enables a complete set of IAM capabilities delivered from the cloud to manage hybrid IT environments that include on-premises and cloud resources. IdentityNow supports SAML based Single Sign On. SAML is an open standard which allows an identity provider (like Okta) to pass on authentication information to a service provider (like IdentityNow).
In the following demonstration, we take a look at the SAML integration of IdentityNow with Okta for Single Sign-on. We will also go over the Active Directory integration in Okta and how this can be backed by IdentityNow’s lifecycle management.
Ticketing systems form an excessive part of any enterprise’s IT infrastructure. An IT ticketing software, also known as an IT ticketing system, is a software program that enables organizations to resolve their internal IT support queries by managing and streamlining the process of issue resolution. ServiceNow is a global leader in cloud-based ticketing systems and has been playing a visionary role in ITSM and ITOM.
IdentityNow is a leader in the market for a perfect IAM solution for organizations taking the next step into cloud computing. The product is simpler to tack together than several other IAM solutions in the market, thus additional configuration can be completed without the need for specialist resources. The User interface (UI) is a lot easier to interface for end-users and needs less coaching. IdentityNow’s Service Integration Module, or SIM integration with ServiceNow, which converts IdentityNow provisioning actions into tickets in ServiceNow.
The following presentation will give the overall idea of ServiceNow service catalog integration with SailPoint IdentityNow and explanation of the use case,
The following is the demonstration and walk through the IdentityNow integration with Servicenow and showcases the integration use case,
Oracle‘s E-Business Suite (EBS) is the most comprehensive collection of business applications to enable management and optimization of critical business processes. EBS includes applications for enterprise resource planning (ERP), human resources management (HRMS), customer relationship management (CRM), financials and supply chain management (SCM) among others.
SailPointIdentityNow provides a complete solution to manage Oracle E-Business accounts data, passwords, and access with it’s connector. The user management and the assignment of roles and responsibilities can be simplified and streamlined using IdentityNow. This integration also facilitates implementation of Segregation of Duties (SoD) policies in real-time, enabling role based access and performing user access reviews.
In this presentation, we will overview of Oracle EBS and its integration with IdentityNow for user access management including the pre-requisites and the connector APIs.
The following demonstration includes the basic integration process along with role based access control for Oracle EBS.
SailPoint has the solution to meet the needs of identity governance that exist in today’s business environments. The solution is available for businesses to easily consume because it’s in the cloud this solution which is IdentityNow. With many features such as User Password Management, Access Certification, Access Requests, Provisioning, Multi-factor authentication, Strong Authentication and Analytics. IdentityNow is a leader in the market for a perfect IAM solution for organizations taking the next step into cloud computing.
The product is simpler to tack together than several other IAM solutions in the market, thus additional configuration can be completed without the need for specialist resources. The User interface (UI) is a lot of easier to interface for end-users and needs less coaching.