IDN_1_Architecture
Title of test: IDN_1_Architecture
Description: IDN_1_Architecture

Are there ways to extend functionality in IDN?
- TRUE
- FALSE

How can functionality be extended in IDN?
- Transforms
- Rules
- AI services
- API configuration

How important is it to clean data sources before importing to IDN?
- Yes, save time by planning and reviewing the data sources
- No

IdentityNow has additional modules that can be acquired for your organisation.
- TRUE
- FALSE

IDN can clean and prepare data for you.
- TRUE
- FALSE

Which is not a primary process of IDN?
- Governance
- Provisioning
- Reading data
- Business Modeling
- Transforming data

The Governance process includes certification and policy.
- TRUE
- FALSE

How many zones are available for data residency?
- 6
- 7
- 5
- 8

What service captures or intercepts changes when a user changes their password on a supported source outside of IdentityNow?
- Password Interceptor
- Active Directory
- Password Policy

IDN has shared amenities; list 5.
- Logging
- Monitoring
- Alerting
- Scalability
- Search
- SODs
- Password Management
- Access review

IDN has 2 amenities that are always on.
- Provisioning
- Access Request
- Logging
- Search
- Password Management
- SODs

IDN has 3 optional / paid amenities.
- SODs
- Password Management
- Access review
- Monitoring
- Alerting
- Access Request

3 major components of the IDN architecture.
- IDN Cloud
- Backend foundation services
- On-premises component: Virtual Appliance
- Virtual Clusters
- REST API
- Microservices

Where does the organisation's data reside?
- Resides only in your zone location
- Replicated to all zones
- On-premise database

Which 2 tenants are dedicated?
- Production
- Sandbox
- Quality Assurance
- Pre-production

Confirm the qualities of the production tenant (list 4).
- Proactive monitoring and alerting capabilities
- Scalable
- Dedicated environment
- Production tenant
- Replication

Confirm the qualities of the non-production tenant (list 5).
- Size & scale limited
- Testing
- Limited to 1000 identities
- Testing environment
- Sandbox tenant
- Proactive monitoring and alerting capabilities

IdentityNow follows a continuous integration, continuous deployment/delivery (CI/CD) model, which means that new features and updates are released all the time. Features can include changes to the User Interface (UI), or changes that are not generally as noticeable to the user.
- TRUE
- FALSE

Benefits of Microservice Architecture.
- Speed: faster delivery of new services and code updates.
- Scalability: on-demand scaling of the resources. If IDNOW is making a lot of Search calls through the API, then IDNOW will increase the services required and scale them down again when the demand decreases. A dynamically scalable solution helps IdentityNow respond to a customer's processing needs more quickly and reduces cost.
- Safety: new versions can be rolled out to a small section of microservices instead of the entire batch. The effects of the new version can be gauged without affecting the safety of the existing version. In the worst-case scenario, rollback can be performed on only the newly rolled-out version.
- Focus: small, efficient, and well-defined.
- Responsive: easily developed and unit tested; respond to change faster.
- Fluid: each service can be deployed independently of other services.
- Flexibility: embrace various technologies; not fixed!

Example of a vanity URL:
- acme.identitynow.com
- acme-sandbox.identitynow.com
- acme.identity.com
- acme-sandbox.idn.com

What is the limitation of a vanity URL?
- These have to be chosen at the time of tenant deployment
- Cannot be changed without tenant re-creation
- This is created by SailPoint
- Can be configured in the system configuration

How can you force a login attempt in the URL?
- Add login?prompt=true (https://example.identitynow.com/login/login?prompt=true)
- Add login?prompt=direct (https://example.identitynow.com/login/login?prompt=direct)
- Add login? (https://example.identitynow.com/login/login?)

Benefits of Microservice Architecture.
- Rollback can be performed easily if something is not working as expected
- Spin up resources if increased activity or services are required
- Always up to date
- Continuous monitoring
- Automatic upgrades
- Better total cost of ownership
- Customised functionality can be deployed

IdentityNow can be integrated with single sign-on tools, which adds the ability to authenticate into IdentityNow using federation via which protocol?
- SAML
- HTTPS
- SHA-256

Direct connection with IDN contains the following attributes (2):
- Authentication SHA-256 is a 256-bit (32-byte) implementation of the Secure Hash Algorithm
- A cryptographic representation of the password is sent to IdentityNow over a secure TLS connection
- 2048-bit RSA public/private key pair

Pass-through authentication with IDN contains the following (2):
- When a user with pass-through authentication creates their password, IdentityNow uses Zero Knowledge Encryption to encrypt the new password
- The password is encrypted in the browser using the 2048-bit RSA public key that is hosted by the virtual appliance
- Authentication SHA-256 is a 256-bit (32-byte) implementation of the Secure Hash Algorithm

Strong authentication with IDN contains the following:
- An IdentityNow user sets their answers to the administrator-defined security questions; the answers are then encrypted into a one-way hash
- Multi-factor authentication can be done with trusted third-party integrations, such as Duo Security and RSA SecurID
- Answers to KBA (knowledge-based authentication) questions are encrypted
- Authentication SHA-256 is a 256-bit (32-byte) implementation of the Secure Hash Algorithm

An identity provider can assist with SSO using SAML. List the process steps.
- User accesses IDN, generating a SAML request
- Redirected to the SSO URL and to the identity provider to authenticate the user
- SAML response generated and sent back to IDN
- IDN verifies the SAML request and the user logs on

Password Interceptor (PWI) is managed from where?
- Domain controller
- Cloud Connector Gateway
- Virtual Appliance

Which 2 domain controllers accept Password Interceptor?
- Active Directory
- IBM i
- Windows Server
- Unix

Can a proxy server be added on the virtual appliances to limit the number of outbound connections the Password Interceptor uses to communicate with IdentityNow?
- Yes
- No

What service enables IDN to participate in a Windows environment and access information only available through Windows APIs?
- IQService
- Windows Local
- Password Interceptor

Which options can be followed to install IQService (2)?
- Download the zip file at https://s3.amazonaws.com/files.accessiq.sailpoint.com/integrations/iqservice/IQService.zip
- Go to Connections > Sources and then click on one of these sources in your IdentityNow instance. You can then download the latest version.
- Go to Virtual Appliance, then select the installation feature for IQService

SailPoint's Desktop Password Reset utility allows users to reset their IdentityNow password. What prerequisites must be in place?
- Have Password Management enabled
- An Active Directory direct connect source
- Identity profiles for all users that will be using this utility must be set to Active Directory pass-through authentication
- The utility must be installed on domain controllers
- The SailPoint IDN parameter for the Desktop Reset utility must be enabled in Admin Settings

Zero Knowledge Encryption: how is the encryption key created in IDN?
- The first virtual appliance in a cluster generates an RSA 2048-bit encryption key which is unique to that cluster
- The virtual appliance cluster generates an RSA 2048-bit encryption key which is unique to that cluster
- The company administrator specifies a passphrase (known only to them) which is used to generate a 2048-bit RSA public/private key pair that is used by the virtual appliance to secure administrative communications
- The passphrase is automatically generated in the virtual appliance and transmitted along with the public/private key

- The virtual appliance cluster runs inside the firewall and requires no ports to be opened
- Ports need to be opened to allow the communication between the VA and IDN

Direct IDN Authentication.
- When a user logs in to IDNOW with his/her password, it is encrypted with SHA-256 (Secure Hash Algorithm)
- The SHA-256 algorithm is a one-way function that generates a fixed-size 256-bit hash that cannot be decrypted back to the original data
- This encrypted password is sent to IDNOW over a secure TLS (Transport Layer Security) connection, providing a double layer of security
- The password is then encrypted within the browser with a 2048-bit RSA public key which is hosted by the Virtual Appliance
- The user has to log on each time with password credentials to create a new hash
- When strong authentication is required to access a protected resource or for administrative access, the answers to the security questions are provided as a one-way hash over TLS
- After the user signs in to IdentityNow, a cryptographic hash is generated for each subsequent sign-in

Pass-through authentication.
- The password is then encrypted within the browser with a 2048-bit RSA public key which is hosted by the Virtual Appliance
- Once within the company's firewall, the VA derives the password using the customer-managed 2048-bit private key
- All of the above communication is carried over a secured TLS connection, thus providing a dual layer of security
- The SHA-256 algorithm is a one-way function that generates a fixed-size 256-bit hash that cannot be decrypted back to the original data
- When a user logs in to IDNOW with his/her password, it is encrypted with SHA-256 (Secure Hash Algorithm)
- Delegation of authentication from IDNOW to a downstream system such as Active Directory

Federation using SAML.
- The IDP (Identity Provider) manages the single sign-on authentication
- The service provider is SailPoint IDN
- The service provider manages the single sign-on authentication
- The IDP (Identity Provider) is managed by SailPoint IDN
- SAML allows federated authentication
- A trust relationship is established between IdentityNow and the identity provider
- A trust relationship is not required between IdentityNow and the identity provider

IdentityNow Information Security Assessments.
- ISO/IEC 27001:2013
- SOC 2 Type 2 attestation
- The IdentityNow service is hosted on the Amazon Web Services (AWS) cloud platform, which provides substantial protection for the base infrastructure
- The IDNOW web application uses HTTPS on top of TLS for maintaining the authenticity of the data
- SOX
- ITIL

Web Application Attack Prevention.
- Any HTTPS request that can potentially modify data on the server, such as a POST, has to include a cross-site request forgery (CSRF) protection header
- IdentityNow will not allow JavaScript to be loaded from any domain except the preconfigured domains that SailPoint controls and the in-application notification tools employed by SailPoint
- IdentityNow allows JavaScript to be loaded from any domain
- IdentityNow will reject any XMLHttpRequest (XHR) that was produced as a result of an XSS injection
- IdentityNow allows XMLHttpRequest (XHR) for XSS injection

Customer Data Privacy & Security.
- SailPoint conducts regular third-party penetration testing
- Fully audit and track all security-impacting actions on the IdentityNow service
- Command line interface executions are recorded and stored in the audit log
- The audit log is stored in a secure offsite location and cannot be deleted, edited or changed by any SailPoint personnel
- The audit log is stored in the customer environment

VA Updates.
- Updates are deployed to the VA clusters
- Rolling updates and reboots on the related VAs
- VA updates cannot be skipped or delayed
- VA updates can be delayed for deployment at another date
- VA updates are usually released to sandbox environments a week before they are released to production environments
- VA updates are usually released to sandbox and production environments at the same time

Virtual Appliance.
- The VA must be able to make continuous outbound-only calls to the cloud environment to execute actions such as installing patches and updating images
- The VA accepts inbound calls from IDN to execute actions such as installing patches and updating images
- 1 VA per 1 virtual machine host
- Many VAs can be linked to a single virtual machine host
- 2 VAs minimum per cluster to ensure connectivity during updates
- 2 VAs minimum on your Sandbox cluster

Match these NTP setup commands.
- Edit the timesyncd.conf file
- Restart the systemd-timesyncd daemon
- Check the UTC time status on the VA

Password Interceptor (PWI).
- The Password Interceptor client calls the web service, which in turn launches the workflow to complete the password interception process
- The Password Interceptor client calls the web service, which prompts the user for a password
- Pass-through authentication is required to enable the change of the IdentityNow password
- If password interception is enabled, IdentityNow intercepts this change and propagates it to the related source within IdentityNow without additional configuration
- PWI must be installed on all AD domain controllers and configured for password management in a sync group to apply to downstream systems

Where data is located depends on:
- where your tenant is located
- it is stored in IDN and replicated globally
- it is stored on premise in a customer database

Routing Password Interceptor traffic through a Virtual Appliance proxy server: steps.
- On the virtual appliance connected to the source, establish an SSH session
- Use a text editor to open the file at /home/sailpoint/config.yaml
- At the bottom of this file, add `proxySourceList:` and the complete IP addresses of the Active Directory servers with PWI installed that you expect to connect to the virtual appliance
- On each domain controller where the Password Interceptor is installed, run the following command: `PwdClient.exe -proxyUrl http://<internal ip of the va>:8888/`
- Restart the client by running the following command: `PwdClient.exe -t`

Password Interceptor on Active Directory.
- On each domain controller where the Password Interceptor is installed, run the following command: `PwdClient.exe -proxyUrl http://<internal ip of the va>:8888/`
- Restart the client by running the following command: `PwdClient.exe -t`
- On the virtual appliance connected to the source, establish an SSH session
- Use a text editor to open the file at /home/sailpoint/config.yaml
- At the bottom of this file, add `proxySourceList:` and the complete IP addresses of the Active Directory servers with PWI installed that you expect to connect to the virtual appliance

Desktop Password Reset utility.
- Have Password Management enabled
- Identity profiles for all users that will be using this utility must be set to Active Directory pass-through authentication
- An Active Directory direct connect source