Sailpoint IdentityIQ: Bulk User Creation Plugin

Bulk User Creation Plugin in IdentityIQ

Introduction

A plugin is a tiny piece of software that extends the functionality of an Application or Computer program.

The IdentityIq Plugin Framework is an protract framework model for IdentityIQ.It allows third parties to develop affluent application and service-level amplification to the core SailPoint IdentityIQ. It enables plugins to extend the excellence in user interface, deliver custom REST endpoints, and to deliver conventional background services.

In the following presentation, I will be providing a brief introduction of IdentityIQ Plugins:

Plugin Versioning Requirements

Plugin version numbers must be numeric, denote the parts of the version number with decimal points, and not contain any alphabetic or other characters in order to better facilitate upgrading plugins.
Leading zeroes will be removed from each segment of the version number, and the values between the decimal points are converted to integers.

For example:
06 and 00006 are both interpreted as 6
A segment containing any non-numeric values is interpreted as 0
7.009.alpha is parsed as 7.9.0
5.7.8a is parsed as 5.7.0

Plugin Object Model

The Plugin XML object, which specifies the plugin’s constant, describes a plugin in IdentityIQ. REST resources, Snippets, and settings are a few examples of features. The manifest.xml file contains the definition of the Plugin object. This file is necessary for plugin.

The XML object known as the Plugin Object defines the plugin’s feature. By binding them as attributes of a Plugin Object, this object informs IdentityIQ about the facets that are present in your plugin. You can also specify information about the plugin in the Plugin Object, such its name, the privileges needed to use it, its version, snippets, and REST resources. Use the advanced plugin settings to define a form or to refer to a specific plugin configuration file for more complicated plugins that need support for several field types and more dynamic behavior, such as drop-down lists or password fields. Depending on past selections, dynamic behavior can involve showing or hiding other fields.

For Example: In contrast to when the user picks basic authentication, it could be more acceptable to display an access token field when the user selects o-auth authentication.

Plugin Settings

Attributes that can be changed during installation are known as plugin settings. To view the configuration options page, click Configure. Forms are used to display the settings. The form is generated automatically if the plugin does not use its advanced options.
On the plugin settings page, the settings from the manifest file are shown in alphabetical order.
A single setting on a plugin’s configuration settings page can be represented by the Plugin setting object. On the settings page, each object serves to represent a single customizable setting.

Developing Plugins

IdentityIQ stores the .zip archive file of the Plugin in the IdentityIQ database in the spt_file_bucket table. The data in the spt_file_bucket table is a referenced ID to an entry in the spt_persisted_file table.

After establishment or amid an application server restart, plugins are stacked from this.zip file. All consequence files are taken from the.zip file and cached for ensuing utilization. The cached files can be gotten to using a assortment of accessor ways, but they can moreover be retrieved by utilizing

the URL prefix /identityiq/plugin/pluginName taken after by the way indicated within the construct structure. The PluginClassLoader lesson is utilized to stack and cache compiled Java classes from the.zip file.

Example Plugin Directory Structure:    

Bulk User Creation Plugin

This is a custom plugin built by ENH iSecure for creating Identities through SailPoint IdentityIQ and Provision the following identities to the requested Applications in IdentityIQ

A User like a manger level will have a Privilege to request for Bulk User Creation, once a .csv file is Uploaded in UI page by the following user and if the users request gets Approved a bulk number of identities will be created in Sailpoint IdentityIQ and the following identities provisioning takes place on the identities joining dates for the Requested Applications and following Email notification follows with respective action steps.

In the following video, I will be providing a detailed demo on IdentityIQ custom Plugin (Bulk User Creation)

SailPoint IdentityIQ SSO Integration with Okta

You have to admit that there are many people who change their password to ‘incorrect’ .That way it always reminds them whenever they enter a wrong password – “your password is incorrect” . Also a survey stated more than 78% of people tend to forget their latest passwords within 21 days of inactivity .

Amidst such scenarios , securing and monitoring the access for any external users like partners, contractors and customers who have access to organizational resources have always been a challenge for many organizations thereby increasing the demand for a centralized login system. Single sign-on (SSO) is an authentication process that allows a user to access multiple applications with one set of login credentials. 

Okta is the one of the leading provider for user authentication and standards-based single sign-on (SSO) for employee, partner and customer identity types. Okta supports and manages SSO for the enterprises with wide range of applications thereby providing a single secured centralized login system.

SailPoint IdentityIQ  supports Single sign-on as one of its supported login configurations . The SSO is based on the SAML protocol which is a standard protocol for the SSO and other security assertions.

In this blog we are going to take a look at the integration of SailPoint IdentityIQ with Okta for Single Sign on.

The following presentation discusses in detail about the integration between SailPoint IdentityIQ and Okta.

The following is the demonstration of steps for configuring Okta as an Identity Provider for SailPoint IdentityIQ

SailPoint IdentityIQ Plugins

Introduced with IdentityIQ 7.1, the plugin framework provides the infrastructure and tools to enable developers to extend the Open Identity Platform to meet a variety of specialized use cases that one might encounter in a non-standard deployment.

SailPoint IdentityIQ 7.1 Plugin Framework provides a dynamic, plugin-specific class loader. It also introduces a simple, supportable, and upgrade-able user experience. The dynamic class loader provides protection for the base classes from modification, and allows for additional security and upgrade-ability.

continue reading

Sailpoint Identity IQ: Refresh logging through IIQ console

Sailpoint IdentityIQ uses log4j framework for logging. “log4j.properties” is the file where all the logging related properties are configured. IdentityIQ Servers would a need a refresh of the log4j configurations after anything changes to log4.properties are made.

Usually this kind of refresh is performed through UI from the debug pages in IdentityIQ. Following are the steps to follow for refreshing log4j configurations through UI.

This image has an empty alt attribute; its file name is image-3-1024x279.png
  • Click on the “Logging” option in the menu.
  • Click on “Reload Logging Configuration”

Problem context:


log4j configurations whenever there are any changes have to refreshed across all the servers present in the environment. However, when a load balancer is configured, we might not have control to access individual servers through UI, thus making the refresh of log4j configurations through UI on each server.

Possible solutions:

There are 3 possible solutions for this problem.

  1. Temporarily re-directing load-balancer traffic to only one server and refresh the configurations on the same through debug pages. This process has to be repeated across all the servers.
  2. Accessing IdentityIQ through individual server host-names or IP addresses rather than load balancer URL. This may not be quite helpful as servers are usually configured in a way that individual servers redirect us towards load balancer URL.
  3. Best way in which this could be performed is through IIQ console.
    Following are the steps to follow for the same.
    • Launch IIQ console on one of the servers
    • Modify the log4j.properties as required.
    • Refresh the log4j configurations using the command “logconfig” as shown in the below screenshot.
  • Repeat the above steps for all servers in the environments.

Securing IIQ SPAdmin Account Using CyberArk PAM

In an enterprise, a large number of privileged accounts are spread over various applications and systems. These accounts have higher authorizations and hence need to be handled with higher security. CyberArk‘s Privileged Account Management solution is targeted at achieving this.

In SailPoint IdentityIQ, accounts can have the highest privilege in form of the ‘System Administrator’ capability. The ‘spadmin’ account that comes out-of-the-box is configured to have this privileged access. This account, if managed by the CyberArk PAM solution, improves safety of the IdentityIQ environment.

 

The following presentation discusses this use case and how it can be implemented using CyberArk PAM:

The following video demonstrates the use-case in action for verifying and changing spadmin password from CyberArk and initiating privileged sessions:

Reassignment of Employee mailbox to manager via Sailpoint’s Identity IQ

Email is the most powerful tool for enterprise level communication as it provides accountability and reliability in communication. To an organization, the emails that are received by the employees are a valuable resource. When an employee resigns or is terminated from the company, the organization might still need access to his/her mailbox. This is especially significant in sales, support and administration activities as it can impact the organization either directly or indirectly. This scenario can be addressed by allowing an authority within the organization to access the de-provisioned mailbox and is an important challenge within identity and access management. The risks and compliance guidelines associated with this approach are also factors that need to be considered.

Sailpoint’s IdentityIQ is shipped with a connector for Active Directory. This connector supports management of users, groups and mailboxes on Exchange server. However, for modifying the mailbox permissions, native rules need to be configured in order to execute the corresponding PowerShell scripts.

The following presentation introduces a scenario where handling mailbox permissions would be required. After an overview of native rules, the implementation of this use case is also discussed.

The following demo focuses on granting Exchange mailbox permissions via IdentityIQ and verifying that the changes are reflected on the mail server.

XML Tags in Sailpoint

XML Objects:

Every object in Sailpoint is stored as an XML file. The existing XML objects can be explored from the “Debug Pages”. XML files are useful while adding new objects. This can be done using “Import from XML” under Global Settings. Any object like rules, certifications, system configurations, email templates, etc. can be created using XML.

XML Object Tags:

Each of the objects is represented by its respective XML tag and has its own structure. For example, rules are referred with the <Rule> tag, tasks with <TaskDefinition> tag, email templates with <EmailTemplate> tag.

An XML file with only one object begins and ends with a tag corresponding to that object type. However, it is a better practice to always wrap the objects with the <sailpoint> tags as this offers more flexibility. This approach also enables to import multiple objects defined in the same XML file.

For example, two XML files can be combined into a single file:

 

Usage of combined XML objects:

Taking the approach of using a single XML file is extremely useful for deploy-ready and stable objects. Doing this in general will reduce the modularity which raises few concerns:

  1. If an issue arises with importing one of the objects, it will halt the process of import and rest of the features would be left out
  2. As part of the development process, it would be inconvenient to import all the objects repeatedly while only one or few of them are updated.

Due to these reasons, it is better to combine tested and stable XML objects instead of objects that are still in development.

The usage of this approach can be observed in the “init.xml” file that comes with Sailpoint. This file contains all of the objects required for the basic features of the product, packaged into a single XML file.

Service Now Queue User Administration via SailPoint Identity IQ

The SailPoint ServiceNow Connector manages ServiceNow accounts, groups, and roles. It supports provisioning and aggregation for ServiceNow accounts and groups.

ServiceNow Connector supports configuration of multiple applications of different ServiceNow versions on same IdentityIQ. ServiceNow Rest API supports Basic and OAuth2 methods of authentication.

Under IT Service Management, Its Queue management and administration is based on roles and services assigned to a user.

SailPoint Service Catalog Integration: The integration between SailPoint and ServiceNow allows users of both systems to easily navigate from ServiceNow into IdentityIQ.

In the following presentation, ServiceNow Queue Administration using Sailpoint IdentityIQ is explained and overview of SailPoint Service Catalog Integration using MID Server.

This following demo is based on ServiceNow Queue User Administration using Sailpoint IdentityIQ with all the approval modes (serial, parallel, serialpoll, parallelpoll and any).

Sailpoint IdentityIQ’s Transient workflows and their advantages

Quicklinks are usually used for faster access of specific functionalities. Often a “no delays” workflow where the start and end of the workflow happen within one single launch of quicklink shall be launched by quicklinks. Usually these kind of workflows involve custom Sailpoint forms which would not be useful once the user stops using this quick link by navigating to some other page.

Conventional workflow launches are serialized by storing the workflow cases as XML objects. This leads to many work items and workflow cases which are incomplete and hang around the Identity IQ over long run. This might lead to performance issues and unwanted data accumulated inside IIQ.

This problem could easily be solved using the transient workflows. The main feature of transient workflows is that they don’t get serialized.

Without the workflow getting serialized, we have specific advantages.

  1. Workflow cases which are inactive specific to this workflow shall not be generated.
  2. Work items that are generated do not get serialized and as a result we don’t have any unwanted work items related to this workflow in user’s inbox.

This would result in cleaner environment where we don’t have unnecessary data.

Extra perk with logging:

Workflow variables in Sailpoint are serialized in non-transient workflows. This means that we can store only the objects that Sailpoint has capability to store as XML object. Log4J loggers are very useful objects which are disqualified as workflow variables because of this restriction.

As the transient workflows do not try to serialize the objects referred by the variables, Logger objects can also be stored in the workflow variables.

This provides us the flexibility to maintain a workflow level logger variable to use your custom logging. Rather than instantiating the custom loggers whenever we require them, we can simply use the workflow variable whenever required.

Sailpoint Implementation: Referring Rule Libraries in Validation Scripts

Validation scripts are amongst the most common features while working with Sailpoint Identity IQ’s workflow forms. When we have common validation logic for multiple fields, it is always good to maintain this piece of logic in a separate rule library and call it from the validation script whenever required. This encourages modularity of the code and decreases code redundancy.

 

The way in which the name space of a validation script of a form in the workflow behaves is quite different from the rest of the workflow. Initial declaration of referenced libraries does well for referring the code in other parts of the workflow. But this does not work with validation scripts.

 

The following syntax should be used when we are using the rule referencing in validation scripts –

<ValidationScript>

<Includes>

<Reference class=”sailpoint.object.Rule” name=”Rule-Library-Name”/>

</Includes>

<Source>

// your code that calls some useful function in the rule library

</Source>

</ValidationScript>