Filters in Refresh Identity Cube Task of IdentityIQ

The Refresh Identity Cube task is one of the most commonly used predefined tasks in SailPoint IdentityIQ. It performs a full refresh of the identity cubes, recomputing each identity from the account data that earlier aggregation tasks have already brought into IdentityIQ (identity attributes, role detection and assignment, policy checks, risk scores and so on, depending on the options selected). The task lets you restrict which identities are refreshed by using filters. Filters are used in many places throughout IdentityIQ to apply an action to a subset of objects; in the Refresh Identity Cube task the filter is a filter string, and only the identities that satisfy it are refreshed.

The following presentation discusses in detail the different filters used in the Refresh Identity Cube task.

The following video demonstrates the use of these filters in the Refresh Identity Cube task.

ETL Process and Working of CloverETL in Sailpoint IdentityIQ

Data is generated rapidly, and it must be organized before useful results can be drawn from it. It is essential to format and prepare data properly before loading it into a data store for analysis; otherwise bad data leads to inaccurate analysis, which can be costly for the organization. To prevent this, the data needs to be processed and transformed into quality data that supports better analysis.

This is achieved with an ETL process, which Extracts, Transforms and Loads the data; each phase can include whatever processing the data requires. Many tools perform ETL. SailPoint's flagship identity management product, IdentityIQ, uses CloverETL (now CloverDX) for this kind of data processing.

The following presentation sheds light on the ETL process and the working of CloverETL in SailPoint.


Integrating CyberArk with SailPoint using SCIM

Privileged accounts are often called the "keys to the kingdom" of an IT infrastructure, and the compromise or misuse of privileged credentials features in a large share of serious breaches. PAM solutions manage such accounts, keys and files whose possession would grant escalated access.

CyberArk is a leading PAM vendor with a holistic approach to privileged account management. It covers not only traditional PAM problems but also extends into areas such as managing hard-coded application credentials, analytics, on-demand privilege elevation and managing end-user devices such as desktops.

Securing and streamlining the identity and privilege data held in such solutions is of very high importance.

In the following presentation, we give a detailed overview of integrating CyberArk with SailPoint by onboarding CyberArk as a SailPoint application over its SCIM interface.

In the following video, we provide a detailed demo of this integration.

Active Directory Application Configuration – Test Connection Failure in IdentityIQ 7.2

Issue Description:

As part of the Active Directory application configuration in IdentityIQ 7.2, "Test Connection" fails with the error message below.

In IdentityIQ 7.2, the Active Directory connector supports multiple Active Directory (AD) forests through one application definition. When defining the Active Directory application through the IdentityIQ user interface in 7.2, there is no field for the domain controller (server) details in the domain configuration settings.

Because no server is specified, the default configuration tries to connect to "localhost", in the same way that the port defaults to "389".

Clicking "Test Connection" then produces the error below:

2018-09-04 05:05:12,551 ERROR http-nio-8080-exec-6 sailpoint.web.ApplicationObjectBean:2701 – Connector failed.sailpoint.connector.ConnectorException: Failed to connect to – dc=enhcorp,dc=com : Failed to connect to server:ldap
dc=enhcorp,dc=com localhost:389

Resolution:


Modify the application XML file so that the servers entry for each domain lists the domain controller(s) to use; an example modification follows. While editing the same block, two other settings in this example deserve a second look: useSSL is empty and the port is 389, so the connector performs a simple bind over plain LDAP and sends the service-account password in cleartext (set useSSL to true and the port to 636 for LDAPS unless the network path is otherwise protected), and the connector account is the built-in domain Administrator, where a dedicated service account holding only the rights the connector needs is the safer choice.

From

<entry key="domainSettings">
  <value>
    <List>
      <Map>
        <entry key="authorizationType" value="simple"/>
        <entry key="domainDN" value="DC=enhcorp,DC=com"/>
        <entry key="password" value="1:iIopEeOL5KrLoSjYKvh/Ww=="/>
        <entry key="port" value="389"/>
        <entry key="servers"/>
        <entry key="useSSL">
          <value>
            <Boolean></Boolean>
          </value>
        </entry>
        <entry key="user" value="ENHCORP\Administrator"/>
      </Map>
    </List>
  </value>
</entry>
To
<entry key="domainSettings">
  <value>
    <List>
      <Map>
        <entry key="authorizationType" value="simple"/>
        <entry key="domainDN" value="DC=enhcorp,DC=com"/>
        <entry key="password" value="1:iIopEeOL5KrLoSjYKvh/Ww=="/>
        <entry key="port" value="389"/>
        <entry key="servers">
          <value>
            <List>
              <String>172.16.153.185</String>
            </List>
          </value>
        </entry>
        <entry key="useSSL">
          <value>
            <Boolean></Boolean>
          </value>
        </entry>
        <entry key="user" value="ENHCORP\Administrator"/>
      </Map>
    </List>
  </value>
</entry>
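As an added check written for this page (example code, not part of the original post or of SailPoint's product), the following PowerShell function lints an exported application definition for the empty servers entry that caused the error above and, at the same time, for the empty useSSL and built-in Administrator settings visible in the same XML. The function names and the sample file name are the editor's assumptions; the key and element names (domainSettings, domainDN, servers, port, useSSL, user, Map, List, String, Boolean) are those of the XML shown above.

```powershell
# Added example for this page (not SailPoint code). Lints the domainSettings of an
# exported IdentityIQ Active Directory application definition before it is imported.
# Function names and the sample path at the bottom are assumptions; the key names
# (domainSettings, domainDN, servers, port, useSSL, user) match the XML above.

function Get-IIQEntryValue {
    # Returns the 'value' attribute of <entry key="..."/> inside a <Map>, or $null if absent.
    # GetAttribute is used deliberately: PowerShell's adapted .value property would
    # collide with the child <value> element that some entries carry.
    param($Map, [string]$Key)
    $node = $Map.SelectSingleNode("entry[@key='$Key']")
    if ($null -ne $node) { $node.GetAttribute('value') } else { $null }
}

function Test-IIQDomainSettings {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    # IIQ exports begin with <!DOCTYPE Application PUBLIC "sailpoint.dtd" ...>;
    # ignore the DTD so the file parses without it and without any external fetch.
    $full     = (Resolve-Path -LiteralPath $Path).ProviderPath
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Ignore
    $settings.XmlResolver   = $null
    $reader = [System.Xml.XmlReader]::Create($full, $settings)
    $doc    = New-Object System.Xml.XmlDocument
    try { $doc.Load($reader) } finally { $reader.Close() }

    $maps = $doc.SelectNodes("//entry[@key='domainSettings']/value/List/Map")
    if ($maps.Count -eq 0) {
        Write-Output "no domainSettings found in $Path"
        return
    }

    foreach ($map in $maps) {
        $dn   = Get-IIQEntryValue $map 'domainDN'
        $port = Get-IIQEntryValue $map 'port'
        $user = Get-IIQEntryValue $map 'user'

        # <entry key="servers"/> with no value is what sends the connector to localhost.
        $servers = @($map.SelectNodes("entry[@key='servers']/value/List/String") |
                     ForEach-Object { $_.InnerText.Trim() } | Where-Object { $_ })
        if ($servers.Count -eq 0) {
            Write-Output "$dn : 'servers' is empty; Test Connection will try localhost:$port"
        }

        # An empty <Boolean></Boolean> is not 'true', so the simple bind goes over plain LDAP.
        $ssl   = $map.SelectSingleNode("entry[@key='useSSL']/value/Boolean")
        $sslOn = ($null -ne $ssl) -and ($ssl.InnerText.Trim() -eq 'true')
        if (-not $sslOn) {
            Write-Output "$dn : useSSL is not true; a simple bind on port $port sends the password in cleartext"
        } elseif ($port -ne '636') {
            Write-Output "$dn : useSSL is true but port is $port (LDAPS normally uses 636)"
        }

        if ($user -match '\\Administrator$') {
            Write-Output "$dn : connector account '$user' is the built-in Administrator; use a dedicated least-privilege service account"
        }
    }
}

# Usage (the file name is an assumption): every line returned is one finding.
$issues = @(Test-IIQDomainSettings -Path .\Application-enhcorp-AD.xml)
if ($issues.Count -eq 0) { 'domainSettings: no findings' }
else { $issues | ForEach-Object { Write-Warning $_ } }
```

Run it against the XML before importing it through the console: a finding on servers reproduces the localhost:389 symptom without waiting for Test Connection to fail, and the useSSL finding is the one to resolve before the connector account's password crosses the wire.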

Active Directory – Exchange Provisioning errors in Sailpoint Identity IQ

Issue Description:

Active Directory provisioning that includes Exchange attributes fails with the error message below.

Errors returned from IQService. Connecting to remote server win-g303o4860qk.enhcorp.com failed with the following error message: The username or password is incorrect. For more information, see the about_Remote_Troubleshooting Help topic.


Troubleshooting steps:

  • Verified the user name and password by logging in to the domain controller as the domain admin account used in the Active Directory application configuration.
  • Verified and restarted the Exchange services that had failed to start.

  • Enabled logging for the AD connector and observed the messages below.
    • 2018-08-31 02:07:09,515 DEBUG Workflow Event Thread 1 sailpoint.connector.ADLDAPConnector:3503 – 1239254649 Entering handleObjectRequest
    • 2018-08-31 02:07:10,796 ERROR Workflow Event Thread 1 sailpoint.connector.ADLDAPConnector:3380 – 1239254649 Exception occurred in handling Object Request.sailpoint.tools.GeneralException: Errors returned from IQService. Connecting to remote server win-g303o4860qk.enhcorp.com failed with the following error message: The username or password is incorrect. For more information, see the about_Remote_Troubleshooting Help topic.
  • Launched the Exchange Management Shell and observed the error messages below.
    • VERBOSE: Connecting to WIN-G303O4860QK.enhcorp.com.
    • New-PSSession : [win-g303o4860qk.enhcorp.com] Connecting to remote server win-g303o4860qk.enhcorp.com failed with the following error message: WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits accesses to remote computers within the same local subnet. For more information, see the about_Remote_Troubleshooting Help topic.
      At line:1 char:1
      + New-PSSession -ConnectionURI "$connectionUri" -ConfigurationName Microsoft.Excha …


Resolution:

The Active Directory direct connector reads Exchange attributes by querying Active Directory, but provisioning Exchange attributes requires remote PowerShell access through IQService.

Windows Remote Management (WinRM) is the Windows feature that lets administrators run management scripts on a remote host. The WinRM service must be running on the Exchange server, and the host must be set up for remote management with Enable-PSRemoting -Force.

Enable PowerShell remoting by running the cmdlet below in an elevated Exchange Management Shell on the Exchange server that IQService connects to (the cmdlet configures the host it runs on, not the whole domain):

>Enable-PSRemoting -Force
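The checks below are an added example for this page (not SailPoint's or Microsoft's code). They verify the WinRM prerequisites that IQService depends on, repair the local side with Enable-PSRemoting when needed, and finish by opening the same Exchange endpoint that the truncated New-PSSession line in the log above shows IQService opening. The Exchange server name is the one from the log; the credential prompt, the Get-Mailbox probe and the order of the checks are the editor's assumptions about how to confirm the fix.

```powershell
# Added example for this page (not SailPoint or Microsoft code). Verifies the WinRM
# prerequisites IQService needs for Exchange provisioning and repairs the local side.
# Run in an elevated PowerShell / Exchange Management Shell on the Exchange server
# named in the error. $ExchangeFqdn is taken from the log above; $Credential is an
# assumption: use the account configured in the AD application definition.
param(
    [string]$ExchangeFqdn = 'win-g303o4860qk.enhcorp.com',
    [pscredential]$Credential = (Get-Credential -Message 'Account from the AD application definition')
)

# 1. The WinRM service must be running and at least one listener must exist.
#    (-or short-circuits, so the WSMan: drive is only read when the service is up.)
$winrm = Get-Service -Name WinRM
if ($winrm.Status -ne 'Running' -or
    -not (Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue)) {
    Write-Warning "WinRM status: $($winrm.Status); enabling PowerShell remoting on $env:COMPUTERNAME"
    # Configures the service, an HTTP listener and the firewall rules on THIS host only.
    # On a Public network profile the rule is limited to the local subnet (the limit the
    # error text above mentions); -SkipNetworkProfileCheck widens it, so add it knowingly.
    Enable-PSRemoting -Force
}

# 2. The built-in WinRM firewall rule group must be enabled for the profile in use.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Select-Object DisplayName, Enabled, Profile | Format-Table -AutoSize

# 3. Reachability and authentication against the WinRM endpoint with Kerberos.
#    Kerberos needs the FQDN, which is why an IP address is the wrong thing to give IQService here.
Test-WSMan -ComputerName $ExchangeFqdn -Authentication Kerberos -Credential $Credential

# 4. The session IQService itself opens: the Exchange PowerShell virtual directory with the
#    Microsoft.Exchange configuration, as the connector's service account.
$uri = "http://$ExchangeFqdn/PowerShell/"
$session = New-PSSession -ConnectionUri $uri -ConfigurationName Microsoft.Exchange `
                         -Authentication Kerberos -Credential $Credential -ErrorAction Stop
try {
    # Import only one cmdlet and run a cheap read; success proves the account has a
    # usable Exchange RBAC assignment, not merely a valid password.
    Import-PSSession -Session $session -CommandName Get-Mailbox -AllowClobber | Out-Null
    Get-Mailbox -ResultSize 1 | Select-Object Name, ServerName
    "Exchange remoting OK for $($Credential.UserName) against $ExchangeFqdn"
} finally {
    Remove-PSSession -Session $session
}
```

If step 3 succeeds but step 4 still fails with "The username or password is incorrect", the problem lies with the account's Exchange role assignment or with Kerberos name resolution for the FQDN rather than with WinRM itself, which is the distinction the two probes are there to make.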

Sailpoint IIQ Activity Data Sources

Monitoring and analysing the events that occur on a system is crucial for identifying threats and raising timely alerts, and when an event was triggered by a user it is just as important to know who caused it. SailPoint IdentityIQ can keep track of identity activity on various targets through Activity Data Sources. Once configured, they record activity such as logon times, security events and application activity, among other actions.

The following presentation discusses how Activity Data Sources can be configured in IdentityIQ for basic Security Information and Event Management (SIEM), with an example use case:

The following demonstration presents the use case of identifying activity-based policy violations by setting up Activity Data Sources:

Securing IIQ SPAdmin Account Using CyberArk PAM

In an enterprise, a large number of privileged accounts are spread across applications and systems. These accounts carry higher authorizations and therefore need to be handled with greater care. CyberArk's Privileged Account Management solution is built for this.

In SailPoint IdentityIQ, the highest privilege an account can hold is the 'System Administrator' capability. The out-of-the-box 'spadmin' account is configured with it. Placing this account under the CyberArk PAM solution, so that its password is vaulted and rotated and sessions using it are brokered, improves the security of the IdentityIQ environment.


The following presentation discusses this use case and how it can be implemented using CyberArk PAM:

The following video demonstrates the use case in action: verifying and changing the spadmin password from CyberArk and initiating privileged sessions:

https://www.youtube.com/watch?v=4qRujyxiUBM

SailPoint’s IdentityIQ Integration with Okta

In identity management, securing and monitoring the access of external users such as partners, contractors and customers who reach organizational resources has always been a challenge. To help organizations secure those resources, two identity vendors, Okta and SailPoint, announced a strategic partnership in February 2018 to provide end-to-end identity for the enterprise, helping organizations balance simple, secure user access against complex compliance and security requirements.

Benefits of the Combined Solutions

• Effectively manage user authentication and application assignments while ensuring that all governance and compliance requirements are met.

• Authenticate user access with single sign-on and multi-factor authentication.

• Ensure that for sensitive applications only the right users have access, that authorization policies are enforced, and that the process is documented, timestamped and compliant.

• Automate provisioning throughout the user lifecycle by simplifying the processes for creating, modifying and revoking access.

• Automate provisioning of applications in adherence to corporate policies.

• Trigger provisioning workflows from authoritative sources, such as Active Directory or HR systems, to ensure consistency and increase efficiency.

The presentation below covers Okta, IdentityIQ and SSO concepts, and the importance of the SailPoint IdentityIQ integration in achieving SSO. The presentation is followed by a demo.

Okta and SailPoint IIQ Integration

Demo of the SailPoint IIQ and Okta integration.


Sailpoint IdentityIQ – Perform Maintenance Task

The Perform Maintenance task in SailPoint IdentityIQ plays a crucial role in ensuring that background maintenance activities are carried out periodically.

The following presentation takes a deep dive into:

  • the XML object structure of the Perform Maintenance task
  • the native Java-based SailPoint objects associated with the Perform Maintenance task
  • the flow of execution of the Perform Maintenance task


Sailpoint IdentityIQ Integration with Oracle E-Business Suite

Oracle E-Business Suite is a comprehensive suite of integrated, global business applications that enable organizations to make better decisions, reduce costs and increase performance. Most large enterprises run an ERP system to manage and optimize enterprise-wide business processes, and ERP systems such as Oracle E-Business Suite are mission-critical, processing large volumes of business-critical data.

Oracle EBS includes the company's enterprise resource planning (ERP) product as well as Oracle Human Resources Management System (HRMS), Oracle Financials, Oracle Order Management and customer relationship management (CRM) applications. Each application is licensed separately, so organizations can select the combination best suited to their business processes.

The SailPoint Oracle E-Business connector aggregates user and entitlement data from Oracle E-Business Suite and provisions user accounts. The connector only targets APPS schema tables, in line with Oracle standards.

The SailPoint connector for EBS user management aggregates and provisions EBS user accounts along with their role and responsibility assignments. It helps EBS customers achieve compliant user administration by enforcing Segregation of Duties (SoD) policies at the time role and responsibility grants are requested.

In this presentation, we show how SailPoint IdentityIQ, as an identity governance solution, reduces the cost and complexity both of complying with regulations and of delivering access to Oracle E-Business Suite users.


The following demo presents the use case of birthright provisioning and of implementing security in Oracle E-Business Suite using role-based access control.