IDN_5_Connectivity
Title of test: IDN_5_Connectivity. Description: IDN_5_Connectivity




Categories of connectors. Advanced sources (Okta, ServiceNow Service Desk). Service Desk Integration (ServiceNow, Jira). Standard (AD, SAP, Salesforce). Non-Standard (ServiceNow, Maximo). Connectors have 3 components. User interface. Source configuration. Connector technical component apply configurations. Code configuration. For custom connectors, where are the UI forms and custom configurations stored? Cloud Connector Gateway. IdentityNow Cloud. For custom connectors, where are the UI forms and custom source config stored? Cloud Connector Gateway. Virtual Appliance. IdentityNow Cloud. For custom connectors, where is the custom connector technical config stored? Cloud Connector Gateway. Virtual Appliance. IdentityNow Cloud. In order to deploy a custom connector in IdentityNow. Create a Connector via IdentityNow REST APIs. Download the Connector Bundle and Update it via IdentityNow REST APIs. Configure Source in the IdentityNow interface or via IdentityNow REST APIs. Upload Connector JAR(s) and Libraries. Download the connector bundle and upload to the IDN source connector area. Configure source in the admin source connector menu. ATTRIBUTES REQUIRED FOR CREATION OF AN AD ACCOUNT. distinguishedName. sAMAccountName. password. UserAccount. sn Last Name. IQ SERVICE USE. Provisioning to AD accounts and Exchange mailboxes. Loading and provisioning Skype for Business accounts. Certification of Active Directory entitlements if you want to automatically revoke disapproved items. Password management for Active Directory accounts. SERVICENOW SIM (Service Integration Module) INTEGRATION. SIM Integration would allow you to create tickets for provisioning actions initiated within IdentityNow. You must have an IdentityNow ServiceNow ServiceDesk license to use this integration. You can create an integration for each ServiceNow instance your company uses. You need to identify the URL for each one you want to integrate with. No license required with this integration.
Prerequisites for Active Directory. Create a service account on Active Directory with the required permissions. Secure Active Directory source. Initial source configuration. IQService as a prerequisite. IdentityNow is configured for Provisioning. SECURE ACTIVE DIRECTORY SOURCE, three communication paths. Source (VA) and Active Directory Domain Controller (read operations). IQService and Active Directory Domain Controller (For provisioning and read operations for Skype management). Source (VA) and IQService (For provisioning and read operations for Skype management). Windows Local. Password Interceptor. IQService has the ability to run additional PowerShell commands too. Commands: Install. Uninstall. Start. Stop. Debug. Version. AD attribute to IDN. sn (Last Name). mail (Work Email). dn (First Name). ADDITIONAL ATTRIBUTES FOR CREATION OF MAILBOX. homeMDB. mailNickname. msExchHideFromAddressList. dn. mail. Advanced Sources connectivity. Okta. ServiceNow Service Catalog. ServiceNow Service Desk. ServiceNow. Jira. AWS. Salesforce. Standard Sources connectivity. Okta. ServiceNow Service Catalog. ServiceNow Service Desk. ServiceNow. Jira. Salesforce. AWS. SAP. Service desk connectivity. Okta. ServiceNow Service Catalog. ServiceNow Service Desk. ServiceNow. Jira. Salesforce. AWS. SAP. In IdentityNow, a Source for which deprecation. will be removed from the IdentityNow user interface in order to prevent any new deployment of the Source. source may continue to use already-configured instances of the source for the remainder of the 12-month notice period. Once the code is removed from the Connector Bundle, the connector will cease working. IQService, must be updated within 90 days of a new release in order to ensure supportability. users may continue to use the source but there is no support from SailPoint once deprecated date has been reached. Deprecated Sources may be available upon request to SailPoint. Connector - Active Directory. Authentication. Account – Aggregation.
Entitlement - Aggregation. Aggregation (All, single, delta). Entitlements (All). Account (Create, update, delete, enable, disable, unlock, password). read user account data using an SQL query. JDBC Driver JAR compatible with your source database. Connector - Azure Active Directory. Authentication. Account – Aggregation. Entitlement - Aggregation. Aggregation (All, single, delta). Entitlements (All). Account (Create, update, delete, enable, disable, unlock, password). read user account data using an SQL query. JDBC Driver JAR compatible with your source database. Connector - Workday. Authentication. Account (Phone; email). Entitlement - Aggregation. Aggregation (All, single, delta). Entitlements (All). Account (Create, update, delete, enable, disable, unlock, password). read user account data using an SQL query. JDBC Driver JAR compatible with your source database. Connector - Salesforce. Authentication. Aggregation (All, single). Entitlement - Aggregation. Aggregation (All, single, delta). Entitlements (All). Account (Create, update, delete, enable, disable, unlock, password). Account (Create, update, enable, disable). SOAP API webservice. REST API. Read only. The JDBC source supports paid features. Password Management. Access Certifications. Provisioning. Access Request. JDBC Connection Configs. User. Password. JDBC URL. JDBC Driver Class. Test Connection SQL Query. Account SQL Query. Group SQL Query. Single Account SQL Query. Single Group SQL Query. Execute Stored Procedure. Connectivity methods - Direct Connectivity (online). This is where a connector communicates directly to a system using APIs or data-sources. More efficient in processing only things that have changed. They are subject to availability and downtime concerns. Don't have to generate or transmit files. Subject to advantages and disadvantages that APIs might impose as well. Typically use specific APIs targeted to the system. File-Based Connectivity. decouple, offline.
This is where a connector reads from a snapshot of data presented in a file. Files are portable, easily inspected for data issues, and not typically subject to availability. Files are usually processed in their entirety, and may require processing or transformation in order to work effectively. More efficient in processing only things that have changed. They are subject to availability and downtime concerns. Source-Specific Implementation. Typically use specific APIs targeted to the system. Typically require less configurations to get working. These are connectors built with a specific target-system in mind. Tend to be more flexible in general. They are subject to availability and downtime concerns. General Implementation. These are general-purpose connectors which can be used to connect to a variety of sources or systems. Tend to be more flexible in general. Typically do require a bit more setup and configuration to meet needs. Examples of these are Web Services, SCIM, JDBC, Delimited Files, etc. Examples of these are Active Directory, Workday, Salesforce, SAP, etc. Typically use specific APIs targeted to the system. Custom Implementation. These are completely custom connectors and tailored to the system and API of your choice. This approach offers the most flexibility of all connector options. Custom connectors are definitely a development-level activity, and are not to be taken lightly. The code written for custom connectors is maintained and supported by the customer who owns the connector. If a standardized SailPoint-provided file format is needed, then select a Generic File Connector. Otherwise, a Delimited File Connector would be able to read delimited files. Typically use specific APIs targeted to the system. These are general-purpose connectors which can be used to connect to a variety of sources or systems. No Connector Available. SailPoint would suggest working with the source company to get some interface available.
SailPoint is very partial to the SCIM standard (they helped found it), but can accommodate other interfaces through a mix of general or custom connector implementations. SailPoint can build a custom connector for you. Custom connectors can be uploaded to the environment. SailPoint is very partial to the SCIM standard. IDN Rules. A rule is a snippet of code that takes requirements you define and filters your identities through those requirements. Written, reviewed, and installed by SailPoint Services. SailPoint requires IdentityNow Expert Services hours to cover any rule configuration work (e.g., creating rules, best practices reviews, application to your IdentityNow environment, and promotion between sandbox & prod environments). Written and uploaded by the customer via REST API. IDN rule creation process. SailPoint has instantiated a review process to ensure any submitted Cloud Rules meet SailPoint requirements and don't contain code that could harm the system. SailPoint does not check if the rule will execute correctly or verify that it works as expected, to deliver specific outcomes. It is merely an integrity check. Prior to submitting your Cloud rule for review, we strongly recommend running the against your artifacts to ensure that they conform to the standards of our automated rule deploy pipeline. submit your Cloud Rule for review, approval, and inclusion in the SailPoint platform, they should be submitted via SailPoint Expert Services. SailPoint provides services to create and test the rule for the customer. SaaS Rule Validator can perform checks to ensure the rule works correctly. 2 types of rules. Identity Attribute Rule Transforms. Attribute Generator Rule Transforms. Source generator rule Transforms. IDN There are primarily two places rules can get executed: SailPoint Cloud-Executed. Connector-Executed. Source Execution. SailPoint Cloud-Executed. Read only access to identity data model. Efficient and secure execution paramount.
SailPoint requires IdentityNow Expert Services. No access to identity data model. Specific to certain connectors. Connector-Executed. Specific to certain connectors. No access to identity data model. No additional callouts or connections allowed. Be sure to run the SaaS Rule Validator against your rule XMLs to ensure that they will pass our automated scanning checks. Read only access to identity data model. Efficient and secure execution paramount. SailPoint requires IdentityNow Expert Services. Cloud Execution - Rules. Identity Attribute Rule. Account Profile Attribute Generator. Account Profile Attribute Generator (from Template). Correlation Rule. Manager Correlation Rule. Before Provisioning Rule. Generic Rule. Source Connector Rule. Manager Approver Rule. Build Map Rule. Connector Execution - Rules that are executed on the on-premise IdentityNow virtual appliance. Build Map Rule. JDBC Build Map Rule. JDBC Provisioning Rule. SAP Build Map Rule. SAP HR Provisioning Modify Rule. Web Services Before Operation Rule. Web Services After Operation Rule. Identity Attribute Rule. Account Profile Attribute Generator. Manager Correlation Rule. Cloud Rules Process. SailPoint performs code review and approves or rejects. If approved, SailPoint implements rule. Any subsequent changes must go through this same process. No code review required. Customer can deploy and retrieve with API. Connector Rules Process. SailPoint performs code review and approves or rejects. If approved, SailPoint implements rule. Any subsequent changes must go through this same process. Customer can deploy and retrieve with API. No code review required. Aggregation initiation. Manual Aggregation. Delta Aggregation. Scheduled/Automated. Planned Aggregation. Detailed Information on Aggregation Activity for a direct connect source. Admin > Connections > Sources > Import Data > Account Aggregation > Aggregation Activity Log. Audit Reports. Manually Aggregating Information from a Direct Connect Source. 
first time you load account or entitlement information from a direct connect source, that information is aggregated automatically. Manually aggregate accounts and entitlements from the source as needed (Source Aggregation). An entry is added to the Aggregation Activity Log with a status of Pending, change to completed successfully. Scheduled aggregations are defined on the source. On-demand aggregations can be triggered in the UI or via the REST API. Scheduled aggregations can be defined on virtual cluster level. On-demand aggregations can be triggered only in the UI. Account deletions can be handled in delta aggregation. FALSE. TRUE. When an identity’s account on its authoritative source is deleted, aggregating that source deletes that authoritative account from IdentityNow, removing it from the identity. FALSE. TRUE. Deleting Authoritative Account and Identities. If the identity has an account on another, lower priority, authoritative source, it will be reassigned to that source’s identity profile. All accounts previously correlated to the identity will remain attached to the hidden identity, but they will be treated as uncorrelated accounts since their associated identity is not an authoritative identity. identity attributes will be recalculated based on the new source identity profile’s mappings. If no other authoritative source, identity will be deleted from IdentityNow. The identity is removed from IDN and not visible unless correlated to another authoritative source. Troubleshoot common errors with connectivity. Check the Log4j logs for both IdentityIQ and the remote system. Local system logs for connection errors, login errors, system events. Test your application connection. Check the virtual appliance connection status. Source timeout issue. Check firewalls. DNS isn’t configured correctly, or a VA doesn’t know how to talk to intended targets - cloud or source. Check your networking configurations. Test your application connection. 
Check the virtual appliance connection status. Source Errors. Check your source configuration and credentials. Check Documentation. Check your permissions in the source itself. Reach out for help either on the SailPoint Community, Expert Services, or IdentityNow. Check firewalls. Check your networking configurations. New connector also includes a CLI tool to manage cloud connectors and an SDK to create custom connectors. TRUE. FALSE. User Interface Forms. XML configuration. Deployed in the IdentityNow cloud. OpenConnector framework. Compiled Java JAR package. Deployed in the IdentityNow Virtual Appliance. Source Configuration Template. XML configuration. Deployed in the IdentityNow cloud. OpenConnector framework. Compiled Java JAR package. Deployed in the IdentityNow Virtual Appliance. Custom Connector (technical implementation). XML configuration. Deployed in the IdentityNow cloud. OpenConnector framework. Compiled Java JAR package. Deployed in the IdentityNow Virtual Appliance. Custom Connector deployment steps. Create a Connector via IdentityNow REST APIs. Create a new project. Create and Upload Connector Bundle via IdentityNow REST APIs. Configure Source in the IdentityNow interface or via IdentityNow REST APIs. Test Your Connector from IdentityNow. Test Your Connector from IdentityNow UI.