Tag: SailPoint

Sailpoint is the leading IAM OEM in the world of Identity Governance. Please refer
https://www.sailpoint.com/ for further details.

SailPoint IdentityIQ Prod Architectures

Posted on by Kishore Gaddam in Identity Governance, Sailpoint, Technology

Introduction:

IT infrastructure and operations are critical assets for businesses to function smoothly. Disaster recovery management involves planning and implementing strategies to ensure that an organization can quickly recover from disruptive events, such as natural disasters, cyberattacks or equipment failures. IT disaster recovery management is a way to save the business from negative consequences of these risks. 

Such scenarios can present a direct threat to business continuity and survival. The impact can be in the form of financial losses, operation disruptions, reputation loss, or even legal consequences.

This blog post discusses disaster recovery management and the best practices to adopt. 

Disaster Recovery:

Disaster recovery is the process by which an organization attempts to prevent or minimize the loss of business and data in the event of a disaster. It is about how an organization bounces back and regains normalcy after the catastrophic impact of such events. 

Disasters can have significant impacts on software systems, affecting both the functionality and security of applications.

Some key impacts:

  1. Data Loss: Disasters can lead to the loss of critical data, especially if proper backup systems are not in place.
  2. Downtime: Software systems may experience prolonged downtime, disrupting business operations and leading to financial losses.
  3. Security Breaches: Disasters can expose vulnerabilities, making systems more susceptible to cyberattacks and data breaches.
  4. Corrupted Data: Data corruption can occur during disasters, leading to inaccurate or unusable information.
  5. Service Disruptions: Essential services and applications may become unavailable, affecting users and customers.

For example, in 2024, OpenAI experienced a major outage due to a misconfiguration in their Kubernetes system, which disrupted key services like ChatGPT and Sora for several hours. This incident highlighted the importance of proper configuration management and disaster recovery planning.

SailPoint Disaster recovery plan for business continuity. It refers to the processes and procedures to ensure the uninterrupted functioning of the business’s during and after a disruptive event.

The simple flow illustrates the DC-DR strategy.

Data Center-Disaster Recovery (DC-DR) architecture has several advantages.

Advantages:

  1. Business Continuity: Ensures that critical business operations can continue during and after a disaster, minimizing downtime.
  2. Data Protection: Provides robust data backup and recovery solutions, safeguarding against data loss.
  3. Compliance: Helps meet regulatory requirements for data protection and disaster recovery.
  4. Scalability: Can be scaled to accommodate growing business needs and data volumes.

This video explains the SailPoint IdentityIQ Production Architecture and business continuity plan strategies.

Prerequisites: (DC-DR works for all latest versions).

The below software’s are used by our ENH environment.

  1. SailPoint IIQ
  2. JDK
  3. Tomcat (any application servers).
  4. NGINX (Load Balancer)
  5. Database (Mysql)
  6. Linux (OS)

The Key points of Disaster recovery is Data Replication and Load balancing.

Database Replication:

Steps – How database replication works:

  • Step 1: Identify the Primary Database (Source): A primary (or master) database is chosen as the main source of truth where data changes originate.
  • Step 2: Set Up Replica Databases (Targets): One or more replicas (or secondary databases) are configured to receive data from the primary database.
  • Step 3: Data Changes Captured: Any updates, inserts, or deletes in the primary database are recorded, typically through a transaction log or change data capture mechanism.
  • Step 4: Transmit Changes to Replicas: The captured changes are sent to replica databases over the network in real-time or at scheduled intervals.
  • Step 5: Apply Changes on Replicas: The replicas apply these updates to keep their data in sync with the primary database.

Load Balancing:

In an active-standby (or active-passive) load balancer setup, the primary load balancer (active) handles all the traffic under normal conditions, while the secondary load balancer (standby) remains on standby, ready to take over if the primary load balancer fails.

Steps – How Load balancers works.

  • Primary Load Balancer (Active):
    1. Actively manages and distributes incoming traffic to the servers in the primary data center (DC).
    2. Continuously monitors the health and performance of the servers and the network.
  • Secondary Load Balancer (Standby):
    1. Remains on standby, not handling any traffic under normal conditions.
    2. Regularly synchronizes with the primary load balancer to stay updated with the current state and configurations.
  • Failover Process:
    1. If the primary load balancer detects a failure or significant issue, it triggers the failover process.
    2. The secondary load balancer becomes active and starts handling the traffic, ensuring minimal disruption to services.
  • Failback Process:
    1. Once the primary load balancer is restored and verified to be fully operational, traffic can be redirected back.
    2. The secondary load balancer returns to standby mode, ready for any future failover events.

This setup ensures high availability and reliability by providing a backup load balancer that can quickly take over in case of a failure.

The following demo video is a deep dive demonstration of SailPoint Disaster recovery plan and failover configurations using our ENH environment.

Recommendations:

NGINX (Load Balancer):

  1. Configure only UI servers in Load Balancer.
  2. Sticky Sessions: Configure the load balancer for sticky sessions (also known as session persistence) to ensure that user sessions are consistently routed to the same application server.
  3. We recommend active-standby (or active-passive) load balancer setup.

Database:

  1. Configure your database for replication to ensure high availability and disaster recovery. Use native database replication features like MySQL replication or Oracle Data Guard.
  2. Data base must be one phase commit.
  3. While replicating make sure only identityiq, identityiqah, identityiqPlugin are replicated.



Pass Through Authentication via Active Directory in SailPoint IdentityIQ

Posted on by Kashyap Kota in Sailpoint

Pass Through Authentication (PTA)

In today’s digital age, secure authentication is crucial for all kinds of organizations. Pass Through Authentication enables users to access resources seamlessly without the need for maintaining credentials in on-prem infrastructure. The user credentials are validated against the organization’s directory service such as Active Directory without the need to store credentials. PTA is used commonly in hybrid environments where organizations want control over authentication while integrating with cloud services. The diagram below depicts the process of Pass Through Authentication via Active Directory in SailPoint IdentityIQ.

Image: Pass Through Authentication via Active Directory

  1. A user requests to log in to an application, in our case, SailPoint.
  2. The application (SailPoint) secures the credentials by encrypting them.
  3. The login configuration is checked and found out to be Pass Through Authentication.
  4. The credentials are validated against Active Directory.
  5. After successful validation, the user is logged in.

Advantages

⦁ Pass Through Authentication ensures the credentials are not stored, reducing the risk of exposure.
⦁ Simplifies user management by validating with a directory system like Active Directory.
⦁ Provides real-time authentication, ensuring accurate and up-to-date access control.
⦁ Offers seamless experience as users can log in to on-prem and cloud-based applications using the same credentials.

Let’s have a close look into Pass Through Authentication in below video.

In this video, a detailed demonstration on Pass Through Authentication via Active Directory and usecases like AD Birthright Provisioning are discussed.

SailPoint Identity Security Cloud Launcher and Launchpad

Posted on by Prince Singh in Identity Governance, Sailpoint, Technology

Introduction

SailPoint Identity Security Cloud is a comprehensive Identity and Access Management (IAM) solution designed to help organizations manage user access to critical systems and applications efficiently and securely. Within IdentityNow, Launcher and Launchpad are key components that enhance user experience and streamline access management processes.

Launcher

Launcher is a feature within IdentityNow that allows users to manually initiate interactive processes related to access management. It is tied to entitlements and can be assigned to users through regular governance practices. Here’s how it works:

  • Manual Initiation: Users can manually start processes such as access requests, certifications, and reviews.
  • Entitlements: The launcher is linked to specific entitlements, ensuring that users have the appropriate permissions to initiate these processes.
  • Governance Integration: It integrates with IdentityNow’s governance framework, allowing for seamless management and oversight of access-related activities.

Launchpad

Launchpad is a centralized interface within IdentityNow that provides users with a single point of access to various identity management tasks and applications. It offers a user-friendly and intuitive way to navigate and manage identity-related activities. Key features include:

  • Centralized Access: Users can access different identity management functions from one place, improving efficiency and ease of use.
  • Customization: The launchpad can be customized to meet the specific needs of an organization, allowing for personalized dashboards and workflows.
  • Self-Service Capabilities: Users can perform self-service tasks such as password resets, access requests, and profile updates directly from the launchpad.

Creation Flow for Launcher and Launchpad

Together, Launcher and Launchpad enhance the user experience by providing intuitive and efficient ways to manage access and identity-related tasks within IdentityNow.

In the video below, I have thoroughly explained Launcher and Launchpad, along with Forms and Workflow, using a simple presentation:

In this video, I have vividly explained the entire process of Launcher and Launchpad using real-life analogies:

Machine Identity Management in SailPoint Identity Security Cloud

Posted on by Anirudh Rajagopal in Identity Governance, Sailpoint, Technology

Introduction

The age of AI and automation is here. With organizations all around the globe leveraging Artificial Intelligence and Machine Learning, more and more tasks and processes previously done manually, are now being automated. This leads to the creation of several machine accounts dealing with Robotic Process Automation (RPA), privileged service accounts for authenticating requests from an external system, and the like. Consequently, organizations are spending more time and resources managing the access held by these non-human accounts in every application, which can often lead to complicated situations as there is no centralized view of the same.

Why Machine Identity Management?

As described above, organizations are automating mundane processes, and thus more machine accounts are being created. These accounts can be difficult to manage and govern in a standalone environment, considering the lack of ownership and effective ways to control and manage their access. The following are some statistical insights on machine accounts shared by SailPoint: –

This gives a clear picture as to how AI, Automated Scripts and Robotic Processes are taking over the workplace, which signifies the difficulty as well as importance of managing these machine accounts.

The solution – SailPoint Machine Identity Security

This is where SailPoint’s Machine Identity Security jumps in. It offers a robust set of features to:-

  • Discover any accurately configured machine account on any source
  • Classify the accounts as machine accounts, by using an account attribute/set of attributes (eg, in Active Directory, if there are machine accounts containing the word “bot” in their sAMAccountName, we can use this account attribute to classify these accounts as machine accounts in SailPoint)
  • Assign a human owner to a machine account. This identity will be responsible for reviewing the access held by the machine account in a certification campaign
  • Correlate the machine accounts to machine identities
  • Certify the machine account’s access using Certification Campaigns

The diagram above depicts SailPoint Machine Identity Security, which aggregates machine accounts from various applications such as Active Directory, SAP and Web Service and manages them under a single platform i.e., Identity Security Cloud.

Advantages

There are several advantages to using SailPoint Machine Identity Security: –

  • It provides clear visibility and insights on all machine accounts across various applications.
  • It provides tools to automate the management of machine accounts. This eliminates the need to maintain and manage these accounts and their access manually, such as on excel sheets.
  • Human owners can be assigned to machine accounts, ensuring accountability, risk detection and mitigation.
  • Access reviews via Certification Campaigns help ensure that machine accounts follow the principle of Least Privileged Access Control.

Let’s have a close look at how SailPoint Machine Identity Security works in the following video: –

The following video is a deep dive demonstration of SailPoint Machine Identity Security: –

Hope this blog gave you some insights into how you can use SailPoint Machine Identity Security to effectively classify, manage and govern machine accounts from any source. Please share your thoughts and feedback in the comment box below.

Please follow our socials to stay up to date with the latest technology content.

Thank you!

SailPoint Identity Security Cloud Multi Host Groups

Posted on by Sreeja Agamamidi in Technology

Introduction:

Modern Enterprises have huge infrastructure and configurations, governing and managing them in complex and difficult.

To overcome this problem, SailPoint Identity Security Cloud Multi Host Groups allows easier management of infrastructure and related integrations.

Multi Host Groups helps bulk source creation of infrastructure components and server configurations from a centralized location.

Basically, it is a container which holds sources and associated account aggregation and entitlement aggregation groups. So that we can aggregate all the sources at once, instead of doing one at a time.

From the diagram we can see, without multi host group, we need to aggregate all the sources, one at a time, which will be redundant and time consuming, but using multi host groups we can aggregate a group of sources once.

Features:

Below, is the list of available features in SailPoint Identity Security Cloud Multi Host Groups:

  • Bulk Source Integration
  • Support for MS SQL Server and Oracle Database Connector use cases
  • Aggregation Groups
  • Centralized integrations

In this blog, we will be discussing about the Identity Security Cloud Multi Host Group in detail. The following are the key topics that are discussed as part of the blog.

  1. What is Multi Host Group?
  2. Key Features of Multi Host Group.
  3. Creating and Viewing Multi Host Groups.
  4. Editing, Testing and Deleting Multi Host Groups
  5. Managing Account and Entitlement Aggregation Groups
  6. Limitations and Best Practices

In the video blog of SailPoint Identity Security Cloud Multi Host Groups, we will be discussing above mentioned topics.

Video:

Detailed demo on managing multi host groups is present in the following video.

Video:

SailPoint Identity Security Cloud Loopback Connector

Posted on by Sreeja Agamamidi in Technology

Problem:

In SailPoint Identity Security Cloud, we often face challenges in managing and governing user level permissions and governance group membership effectively, which may lead to unauthorized access and audit failures. Governing access inside Identity Security Cloud is important.

Current blog helps govern access in Identity Security Cloud using Identity Security Cloud loopback connector.

Solution – Loopback connector:

The purpose of loopback connector is used to manage Identity Security Cloud user levels and governance groups as entitlements.

Users can request for elevated user levels permissions and governance groups as entitlements through request center. Once that is approved user will get required higher permission or governance group membership based on requested entitlement.

Supported Operations:

Below are the supported operations in loopback connector:

  • Account Aggregation
  • Governance Groups Aggregation
  • User levels Aggregation
  • Provisioning
  • Add Entitlement
  • Remove Entitlement

Operations and APIs

Below is the list of endpoints we used for each operation in loopback connector:

S. NoOperationsEndpoints
1Account Aggregation/v3/accounts
2Governance Group Aggregation/beta/workgroups
3Provisioning/v3/accounts
4Authentication/oauth/token
5Add Entitlement for User Levels/v3/auth-users/:id
6Add Entitlement for Governance Groups/v3/workgroups/accessId/members/bulk-add

In this blog, we will be discussing about the Identity Security Cloud Loopback Connector in detail. The following are the key topics that are discussed as part of the blog.

  1. Problem statement
  2. What is loopback connector and what we can achieve from that?
  3. Use cases we can achieve using loopback connector
  4. What are the supported operations?
  5. End points used for each operation.

In the video blog of SailPoint Identity Security Cloud Loopback Connector, we will be discussing above mentioned topics.

Video:

Detailed demo on developing & testing loopback connector is present in the following video.

Video:

All the mentioned technical components are only available for internal use. However, refer to the below table for an overview on different technical components, which can be used to develop the loopback connector.

S. NoComponent NameUse
1Java ProgramThis program is used to take details like tenant id, client id, client secret and source id and update all rules with provided input data.
2Account Aggregation RuleThis is Webservice After Operation Rule. Users can build this rule in such a way, where they can read all the available accounts from the respective tenant.
3User Levels Aggregation RuleThis is Webservice After Operation Rule. Users can build this rule in such a way, where they can read all user levels available from the respective tenant.
4Governance Groups Aggregation RuleThis is Webservice After Operation Rule. Users can build this rule in such a way, where they can read all the available governance groups from the respective tenant..
5Add EntitlementThis is Webservice Before Operation Rule. Users can build this rule in such away, upon entitlement request, respective governance group membership or elevated permissions are assigned to users
6Remove EntitlementThis is Webservice Before Operation Rule. Users can build this rule in such away, respective governance group membership or elevated permissions are removed from users.

Duo Two-Factor Authentication for SailPoint Identity Security Cloud

Posted on by Sravanthi Pedduri in Cyber Security, Sailpoint

What is Duo

Duo is a two-factor authentication solution that helps organizations boost security by verifying user identity, establishing device trust, and providing a secure connection to company networks and applications.

Why Duo

Duo is fast, easy and flexible. Passwords and even basic Multi-Factor Authentication (MFA) aren’t enough to keep you safe from today’s attackers. Duo gives you the extra layers of protection you need for secure access management. With this setup, Duo two-factor authentication (2FA) is added as a verification option for account unlocking and password resets.

Prerequisites to integrate Duo

  1. Configure SailPoint Web application and copy ClientID, secret and hostname these details are required for SailPoint integration.
  2. Add users and enroll them in the application. User should have an account in SailPoint.

Technical Overview:

Here’s the technical demonstration on the integration of Duo

Use case Demonstration – Integration flow:

Please refer to the below video to have an understanding about Duo integration

SailPoint configuration

  1. The steps to be done in SailPoint tenant for duo integration
  2. First in SailPoint, integrate the Duo and then check the test connection after successful test connection
  3. Enable multifactor Authentication in Identity profile
  4. And select duo web in Password Reset and Unlock Settings
  5. Now you are all set to use duo authentication

Duo 2FA for Identity security cloud password reset

  1. With duo integration user can reset his password
  2. First user has to proceed to reset password
  3. Enter the username
  4. Then you should enter the passcode received from duo after successful duo authentication you can able to set new password

Duo 2FA for Identity security cloud Unlock account

  1. If the user account got locked, then he can unlock his account with duo integration
  2. First user has to proceed to unlock account
  3. Enter the username
  4. After successful duo authentication your account will be unlocked

 

SailPoint Identity Security Cloud Transforms

Posted on by Sreeja Agamamidi in Technology

Introduction

SailPoint Identity Security Cloud Transforms are configurable objects that allow us to manipulate attribute data while aggregating from or provisioning to a source. Sometimes transforms are referred to as Seaspray, the codename for transforms. Identity Security Cloud Transforms and Seaspray are essentially the same.

As we can see from the below diagram, we will be providing input to transform, transformation occurs and output will be returned. So, the way transformation occurs depends on the type of operation used. Some of the transform operations are Concatenation, Conditional, Date Format etc.

Transform REST APIs

In order to create the transform, get transform details, update transform or delete any tranform, we can make use of REST APIs available for transforms.

There are 5 REST APIs are available for transforms in V3 and Beta APIs.

Rest APIsDescription
List TransformsList Transform API is used to get list of all available transforms from the tenant
Create TransformCreate Transform API is used to create a new transform and upload it into the tenant.
Transform by IDTransform by ID is used to get the details of a particular transform.
Update TransformUpdate a transform API is used to update any existing transform.
Delete TransformDelete transform API is used to delete any transform using transform ID.

Transform Operations:

In order to make use of transform according to the use case, we should understand various transform operations that are available.

Below are the various types of operations that are available in transform. Each of these operations performs specific task, we can use them according to our needs.

Transform OperationDescription
Account Attribute TransformAccount attribute transform used to look up an account for a particular source on an identity and return a specific attribute value from that account. 
Base64 Decode TransformThe base64 decode transform allows you to take incoming data that has been encoded using a Base64-based text encoding scheme and render the data in its original binary format.
Base64 Encode TransformBase64 transform will take an input, this input is given to base64 encode transform and the encodes string is returned as output.
Decompose Diacritical Marks TransformDecompose diacritical marks transform to clean or standardize symbols used within language to inform the reader how to say or pronounce a letter.
E.164 Phone TransformUse the E.164 phone transform to convert an incoming phone number string into an E.164-compatible number.
Identity Attribute TransformTransform is used to get the users identity attribute value.
Lower TransformThis transform is used to convert input string into lowercase character.
Upper TransformThis transform is used to convert input string into uppercase characters.

In below series of 4 videos, we comprehensively cover all the details around the transforms including basic syntax of transforms, APIs around transforms and all the types of transforms.

Transforms Series – Video 1 of 4:
Below video is the first video in a series of 4 videos about transforms. This part contains an introduction to transforms, syntax of transform, types of Inputs, REST APIs and API Responses.

Video:

Transforms Series – Video 2 of 4: Below video is the second video in a series of 4 videos about transforms. This part contains use cases, transform operations like account attribute transform, base64 decode transform, base64 encode transform, concatenation, conditional, date format, date math, date compare, decompose diacritical marks, first valid, generate random string

Video:


Transforms Series Video 3 of 4:
Below video is the third video in a series of 4 videos about transforms. This part contains about transform operations like  get end of string, get reference identity attribute, identity attribute, index of , ISO3166, last index of, left pad, look up lower, name normalizer, random alphanumeric, random numeric

Video:

Transforms SeriesVideo 4 of 4:
Below video is the fourth video in a series of 4 videos about transforms. This part contains about transform operations like reference, replace all, replace, right pad, rule, split, static, substring, trim, upper, username generator, UUID generator

Video:

SailPoint IdentityNow Rules

Posted on by Mahesh Mukku in Technology

INTRODUCTION:

  • Generally we write Rules when the required goal cannot be achieved by using transforms.
  • It is a Code based Configuration option.
  • A flexible framework that allows for very advanced or complex configurations.
  • You can just think of it as basically just writing Java code.
  • Technically it is Bean Shell however, it is much similar to Java, such that if you are familiar with Java, you will be familiar with Bean Shell.
  • Just like with transforms, the use cases drive the need for a rule and thus we have many different rule types.
  • Rules are very powerful but due to the IdentityNow architecture there are some special considerations regarding rules.
  • Essentially, rules must be very high-quality code because they are being deployed into a multi-tenant service.

Rule Execution :

There are two primary places where you can execute rules one is CLOUD EXECUTION RULE & other one is CONNECTER EXECUTION RULE .

Let us have an overview on the difference between the cloud rules & connector rules

Cloud Executed rules are running in the cloud within the Identity Now tenant. Connector rules run on the virtual appliance which is on-premise inside the customer’s data center

Cloud Execution Rule :

  • Cloud executed rules, as the name implies, are executed within the Identity Now multi-tenant environment.
  • They typically have independent functions for a specific purpose.  For example, calculating an Identity attribute value.
  • Cloud executed rules typically need to query the Identity Now data model in order to complete their work.
  • The rule might need to guarantee uniqueness of a value and it would generate a value and query Identity Now to determine if that value already exists.
  • Access to any Identity Now data is read-only and you can’t make any calls outside of Identity Now such as a REST API from another vendor service.
  • Because they run in a multi-tenant environment,  the are put in a very restricted context and there is a great deal of scrutiny taken during the required review process for rules.
  • We will cover the review process that is required when a cloud-executed rules is submitted later in the presentation.
  • Of course, this all makes sense as you cannot allow rules to effect other tenants if they are poorly written.
  • You also have to restrict the rules context so they can’t access any data from another tenant and things along those lines.

Connecter Execution Rule :

  • Connector executed rules do not run in the cloud which is fairly obvious based on the name.
  • These rules instead run on the VA itself. So they are running in the customers data center and therefore they are not running side by side  with services from another tenant.
  • They are usually extending the connector capabilities. The functions that they perform are quite complex.
  • They do NOT have access to the Identity Now Data Model because they are executing on a virtual appliance.
  • The huge difference here is that they are not subject to a review process by SailPoint. These rules can be uploaded via the REST API and are significantly easier to work with. With that said you still want these rules to be well written.
  • The simple fact is that the possible negative effect of a poorly written connector rule is limited because it is not running within the Identity Now tenant.

SailPoint Provides us with six APIs to perform connector rule operations mentioned below :

  • GET, LIST, CREATE, UPDATE, DELETE, VALIDATE are the APIs that are currently used for connector rule operations.
  • A token with ORG_ADMIN authority is required to perform any operation.

Rule Examples

Example usage:

  • Calculate complex identity attributes. 
  • Calculate complex account attributes. 
  • Provide connector logic

Connector rule Example – If there is a requirement to disable the account based on the number of entitlements or the account should be disabled automatically based on role revocation, this can be achieved by writing a connector rule

Cloud rule Example– This can be used for generating a unique email id which can scan the existing email id’s and generate a unique id for every joiner.

Please subscribe to our social media and stay updated with latest technology content. Thanks you.

SailPoint IdentityIQ Custom Connector

Posted on by Harshith Thondamnati in Cyber Security, Identity Governance, Sailpoint, Technology

Introduction

Connectivity is critical to successful IAM deployments. SailPoint is committed to providing design, configuration, troubleshooting and best practice information to deploy and maintain connectivity to target systems. SailPoint IdentityIQ enables you to manage and govern access for digital identities across various applications in your environment. Connectors are the bridges that IdentityIQ uses to communicate with and aggregate data from applications. SailPoint IdentityIQ provides a wide range of OOTB connectors that facilitate integration with variety of systems, applications and data sources. These connectors are designed to simplify the process of managing Identity information and access across different platforms.  

In SailPoint IdentityIQ, a Custom Connector is a specialized integration component that allows the IdentityIQ platform to connect and interact with external systems, applications, or data sources that are not supported by the standard OOTB connectors. Custom connectors extend the capabilities of IdentityIQ by enabling it to manage identity-related information in a wider range of systems. 

High level architecture of Custom connector 

Custom Connector Development

Developing Custom connector in SailPoint IdentityIQ involves creating a Java-based implementation that adheres to the connector framework and API provided by SailPoint.  

This allows you to define the interaction between IdentityIQ and the specific external system you want to integrate with. A typical development of custom connector includes 4 steps – 

  1. Creating a new implementation of functionality and packaging it into JAR file. 
  • The custom connector uses the openconnector framework provided by SailPoint in the openconnector package where there are lot of methods provided for different type of operations.  
  • The custom logic which you want to implement using this custom connector shall be developed in the specified methods.  
  • Once code development is completed, Custom connector code with all the classes must be compiled and packaged to a JAR file.  
  • And the JAR file must be placed in WEB-INF/lib folder of IIQ Installation directory 
  1. Defining Connector type in Connector Registry 
  • Connector Registry is an XML file present in IdentityIQ as Configuration object. This file contains the information about all the different connectors and their related details.  
  • Now that we have created a new connector in our IdentityIQ, we have to declare its information and details in Connector Registry.  
  • Here we will create an xml file consisting of the details pertaining to our custom connector. Once we Import this xml file into IdentityIQ, it will be merged with the existing Connector Registry file in IdentityIQ database allowing IdentityIQ to create a new entry in the list of connectors.  
  • Alternatively, the Connector Registry could be manually edited through the Debug page
  1. Defining .xhtml page which specifies required and optional connection parameters. 
  • Usually, some parameters are required to define the connection to the target resource (e.g. host, port, username, password, etc.).  
  • To allow these parameters to be specified through the UI for each application that uses this connector, an .xhtml page must be written to define how the Application Configuration user interface will request and record those parameters.  
  • This file must be placed in the [IdentityIQ Installation Directory]/define/applications/ directory and must be referenced in the application definition’s XML as the “formPath” entry.  
  1. Testing the connector by Creating an application which uses this connector. 
  • Finally, after completing all the development related activities, one must start the application server which is hosting IdentityIQ.   
  • An Application object must be created for using the IdentityIQ’s UI. Select the configured custom connector as application type to tie it to the connector registry configuration and specifying any connection parameters through the configuration. 
  •  Once the application is onboarded, we can perform all the configured functionalities in it and verify back the results within the targeted external application.  
  • Alternatively, Application connector can be tested from the integration console (run iiq integration from the [IdentityIQ Installation Directory]/WEB-INF/bin directory).  
  • This console can be used to test the various features of your connector including Aggregation and Provisioning

The following presentation gives you clear understanding of custom connector development in detail.

Now let’s have a demo on building custom connector, deploying it into SailPoint IdentityIQ and using it. 

Please subscribe to our social media and stay updated with latest technology content. Thanks!