SailPoint IdentityIQ Deployment Guide

Overview

The SailPoint IdentityIQ Deployment Guide outlines how to use a SailPoint IdentityIQ Privileged Access Management (PAM) application template for Password Safe. This quick start strategy uses the PAM module for visibility and provides a provisioning policy form that replaces the default provisioning capabilities of the PAM module. Provisioning in the PAM module is based on user entitlements, whereas Password Safe grants access exclusively through group entitlements via Role Based Access Control (RBAC).

Container creation in Password Safe results in creating an account Smart Group, which includes conditions, actions, and resource consumption. Container creation is therefore not applicable as a use case within the PAM module.

In the PAM module, Password Safe privileged data items (discovered managed accounts) are displayed under containers (managed account Smart Groups). Provisioning access to an individual privileged data item does not apply to Password Safe; that use case assumes a different PAM application design.

The application template, found in the Password Safe Resource Kit, helps complement the PAM module and allows provisioning without the need for complex customization.

When it comes to provisioning, a few strategies are available depending on the specific use case, or combination of account and group. In the table below, Local means created directly in Password Safe. Rows are the account type, columns are the group type, and each cell is the entitlement type used to provision that combination; a dash marks a combination with no provisioning path.

Account \ Group   Local         AD          Azure AD     LDAP
Local             PS            -           -            -
AD                PS - Import   AD - Sync   -            -
Azure AD          PS - Import   -           AAD - Sync   -
LDAP              PS - Import   -           -            LDAP - Sync

PS – Import = Password Safe entitlements are provisioned via the Provisioning Policy – Form within the Password Safe application definition, by configuring attributes including nativeIdentifier (the unique identifier of an individual account) and source, as described later in this document.

Sync = Password Safe group synchronization, via previously imported groups

Password Safe group synchronization is triggered
  • by synchronization interval
  • by manual synchronization
  • at log in, where group memberships are re-evaluated or synchronized

Because memberships are re-evaluated at log in, group sync introduces no access delay compared with direct provisioning and deprovisioning.

Create the SailPoint IdentityIQ Service Account in Password Safe

To create a SailPoint IdentityIQ service account:

Create a New Group

  1. In the BeyondInsight Console, go to Configuration > Role Based Access > User Management > Groups > Create New Group > Create a New Group.
  2. On the next screen, provide a group name and description.
  3. Click Create Group.
  4. Once the group is created, you can assign features to the group.

In addition to creating groups locally, you can import AD, AAD, and LDAP groups.

Assign Features

View Group Details

  1. To assign features to a new or existing group, go to Configuration > Role Based Access > User Management > Groups. Find the group and click the ellipsis to the right of the group.
  2. Select View Group Details from the list.
  3. On the next screen select Features located under Group Details. A list of feature options is displayed.

Feature Options

Several important features are listed below:

Assign Feature Details

  1. Options – Connectors
    • Once the option is selected, click Assign Permissions at the top of the feature list to assign the appropriate permissions.
    • This feature is required so that the member account can create its OAuth credentials. In production, the permission can be removed once the connection is established, but it must be granted again whenever the client_secret or refresh_token is recycled.
  2. User Accounts Management
    • Once the option is selected, click Assign Permissions at the top of the feature list to assign the appropriate permissions.
    • The Full Control permission is required for provisioning.
  3. Management Console Access
    • Once the option is selected, click Assign Permissions at the top of the feature list to assign the appropriate permissions.
    • This permission is required so that the IdentityIQ service account can log in to BeyondInsight and obtain its own unique OAuth credentials.
  4. Password Safe Role Management
    • Once the option is selected, click Assign Permissions at the top of the feature list to assign the appropriate permissions.
    • This permission is required for visibility into account Smart Groups, which are assigned via Groups in Password Safe.

Add Smart Group Feature Permissions

You may need to add additional feature permissions to allow for managing Smart Rules for managed accounts.

Smart Group Features

  1. Go to Configuration > Role Based Access > User Management > Groups. Find the group and click on the corresponding ellipsis to the right of the group.
  2. Select View Group Details from the list.
  3. On the next screen, select Smart Groups located under Group Details.
  4. Under Smart Group Permissions, a list of All Smart Groups is displayed. You can also select Enabled Smart Groups or Disabled Smart Groups.

Assign Smart Group Feature Options

Several important Smart Groups and features are listed below:

View All Assets Options

  1. All Assets - Password Safe Roles
    • Check the All Assets group box.
    • Click the ellipsis to the right of the group and select Edit Password Safe Roles.
    • Check the Information Security Administrator box.
    • Click Save Roles.
  2. All Managed Accounts - Password Safe Roles
    • Check the All Managed Accounts group box.
    • Click the ellipsis to the right of the group and select Edit Password Safe Roles.
    • Select Requestor.
    • Select an Access Policy for Requestor from the dropdown list.
    • Click Save Roles.
  3. All Managed Systems - Full Control
    • Check the All Managed Systems group box.
    • Click the ellipsis to the right of the group.
    • Select Assign Permissions Full Control.

Create a New Account in BeyondInsight

Once the group is created and assigned the appropriate features and permissions, you can create a new account to add to the group.

Permissions are assigned only via group, not account.

Create a New User

  1. In the BeyondInsight Console, go to Configuration > Role Based Access > User Management > Users > Create New User > Create a New User.
  2. On the pop-out screen, provide Identification, Credentials, Contact Information, User Status, and Authentication Options as needed.
  3. Click Create User.


In addition to creating user accounts locally, you can import AD, AAD, and LDAP accounts and add them to either local or imported groups.

Assign a User Account to a Group

Once a user account is created, the account can be assigned to one or more groups.

Assign User to Group

  1. In the BeyondInsight Console, go to Configuration > Role Based Access > User Management > Users.
  2. In the Filter By field, select Username, and then type the username. If the list is not filtered automatically, press Enter.
  3. Click the ellipsis to the right of the user account.
  4. Select View User Details. The User Details screen appears.
  5. On the left side of the screen, below User Details, click Groups.
  6. Under Groups, select Show > All Groups.
  7. Check the boxes of the desired groups, and then click Assign Group at the top of the list.

Generate OAuth Credentials

Once the user account is created and assigned to a group, you must log in as the new user to generate OAuth Credentials.

  1. In the BeyondInsight Console, go to Configuration > General > Connectors.
  2. Under Connectors, select the SCIM connector. Once selected, the SCIM connector information displays.

Do not select the SailPoint connector. This was available in previous versions of BeyondInsight, but it is an older integration and is not based on SCIM.

  3. Each logged-in account in BeyondInsight has a unique client ID, shown in the SCIM connector information. Highlight the ID, right-click, and save it locally as client_id in a text file.
  4. Click Recycle Client Secret.
  5. Click Recycle on the Recycle Secret Access Key pop-up. This generates a new access key; any client still using the previous secret stops authenticating.
  6. Highlight the Client Secret access key, right-click, and save it as client_secret in a text file.
  7. Click Generate Refresh Token if you want to use this method of authentication. Enter the account login password when prompted.

The refresh token is used in the production environment. Client credentials (client ID and client secret) are used in a lab or test environment. Both values authenticate as the service account, so keep the text files in a protected location and delete them once the values have been entered into the IdentityIQ application definition.
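The two grants the note above distinguishes, shown as an added example in Python (this is not BeyondTrust or SailPoint code): a small token client that obtains a bearer token for SCIM calls with either client credentials or a refresh token, renews it ahead of expiry, and adopts a rotated refresh token when the server returns one. The TOKEN_URL, the injected offline transport and the response fields are assumptions; the request shapes follow RFC 6749 sections 4.4 and 6, and the real token URL must be taken from the SCIM connector page.

```python
"""Added example (not BeyondTrust or SailPoint code): obtaining a bearer token
from the BeyondInsight SCIM connector with either OAuth 2.0 grant.
TOKEN_URL and the reply fields are assumptions; request shapes follow RFC 6749."""
import base64
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_URL = "https://beyondinsight.example.com/oauth/token"  # hypothetical URL


def post_form(url, fields, headers, transport=None):
    """POST a form-encoded body and return the decoded JSON reply.
    `transport(url, body, headers)` can be injected so the example runs offline."""
    body = urlencode(fields).encode()
    hdrs = {"Content-Type": "application/x-www-form-urlencoded", **headers}
    if transport is not None:
        return transport(url, body, hdrs)
    req = Request(url, data=body, headers=hdrs, method="POST")
    with urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def client_credentials_grant(client_id, client_secret):
    """Lab/test grant: the long-lived client secret is sent on every token request."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"grant_type": "client_credentials"}, {"Authorization": "Basic " + basic}


def refresh_token_grant(client_id, refresh_token):
    """Production grant per this guide: present the refresh token instead of the
    client secret. Whether the server also demands the secret is deployment-
    specific; this example assumes client_id alone (assumption)."""
    fields = {"grant_type": "refresh_token", "refresh_token": refresh_token,
              "client_id": client_id}
    return fields, {}


class TokenSource:
    """Caches the access token, renews it SKEW seconds before expiry, and
    adopts a rotated refresh token when the server issues one."""
    SKEW = 60

    def __init__(self, grant, url=TOKEN_URL, transport=None, clock=time.time):
        self.fields, self.headers = grant
        self.url, self.transport, self.clock = url, transport, clock
        self.access_token, self.expires_at, self.renewals = None, 0.0, 0

    def _renew(self):
        resp = post_form(self.url, self.fields, self.headers, self.transport)
        if str(resp.get("token_type", "")).lower() != "bearer":
            raise ValueError("unexpected token_type: %r" % (resp.get("token_type"),))
        self.access_token = resp["access_token"]
        self.expires_at = self.clock() + int(resp.get("expires_in", 0))
        if "refresh_token" in resp and "refresh_token" in self.fields:
            self.fields["refresh_token"] = resp["refresh_token"]  # rotation
        self.renewals += 1

    def bearer(self):
        """Header to attach to SCIM calls; renews only when needed."""
        if not self.access_token or self.clock() >= self.expires_at - self.SKEW:
            self._renew()
        return {"Authorization": "Bearer " + self.access_token}


def redact(fields):
    """Log-safe copy of a token request so secrets never reach IdentityIQ logs."""
    secret_keys = ("refresh_token", "client_secret")
    return {k: ("***" if k in secret_keys else v) for k, v in fields.items()}
```

With the real endpoint, construct `TokenSource(refresh_token_grant(client_id, refresh_token))` in production and `TokenSource(client_credentials_grant(client_id, client_secret))` in a lab, and call `bearer()` before each SCIM request; only the output of `redact()` should ever be logged.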

Create the SailPoint IdentityIQ SCIM Application for Password Safe

Application Import File in Password Safe Resource Kit

Access the Password Safe Resource Kit

The Password Safe Resource Kit is available with product downloads via the Customer Portal. A preconfigured application for Password Safe is available in the Resource Kit.


Edit Application Name

Before you import SCIM-PasswordSafe-IdentityIQ.xml, save a copy of the file and edit the copy in a text editor of your choice to change the application name. You can create one or more applications, each with a unique name.

Search for BT PBPS SCIM and replace the value with Password Safe or any desired value for the name.


Import File

Import the XML File

To be able to import the SCIM-PasswordSafe-IdentityIQ.xml file, users must have administrator permissions.

To import the XML file:

  1. Log in to SailPoint IdentityIQ.
  2. Click the gear icon at the top of the screen and select Global Settings.
  3. On the Global Settings page, click Import from File.
  4. On the Import from File page under Import Objects, click Choose File and navigate to the edited XML file.
  5. Click Import.

Application Definition

Edit New Application

  1. Under the Applications menu item, select Application Definition. You can see and edit the new application.
  2. Double-click the new application.
  3. Click the Configuration tab, and then click Settings.
  4. Under Grant Type, select Client Credentials.
  5. Enter the Base and Token URLs.
  6. Provide the Client ID and Client Secret that you saved locally in the Generate OAuth Credentials section of this guide.
  7. Click Test Connection. If the test is successful, a Connection Successful message is displayed; otherwise an error message is displayed.

Client credentials are recommended for testing. A refresh token is used in production, where security requirements are higher; in that case select the refresh token option under Grant Type and supply the refresh token generated earlier instead of the client secret.

  8. Click the Correlation tab.
  9. Configure the Account Correlation, for example, by using an email address and username.

Add an Unstructured Target

  1. Click the Unstructured Targets tab.
  2. Click the Add New Unstructured Data Source button.
  3. On the pop-up dialog, click the Create Target Source button.
  4. On the next screen, select Privileged Account Management Collector from the Target Source Types dropdown list.
  5. Enter URLs and credentials.
  6. Select PAM Access Mapping Correlation Rule from the Correlation Rule dropdown list.
  7. Click Save on the Unstructured Target Configuration screen.
  8. Click Save on the Edit Application screen.

Aggregate Accounts, Groups, and Entitlements from Password Safe

Before users can work with Password Safe through SailPoint IdentityIQ, IdentityIQ must aggregate (discover) the Password Safe accounts, permissions, and groups.

Create New Task

  1. Under the Setup menu item, click the Tasks tab.
  2. Under the New Task dropdown list select Account Aggregation.
  3. Include a task name and update all remaining fields as required.
  4. Click Save.
  5. Repeat steps one through four, this time for Account Group Aggregation.
  6. Repeat steps one through four, this time for Target Aggregation.
  7. Once all three tasks have been created, right-click on the Account task and select Execute in Background. Repeat this step for Group, and then Target.

View Target Permissions and Entitlements

To view how permissions and accounts are represented in IdentityIQ after aggregation:

View Target Permissions

  1. Return to the applications list by clicking the Applications menu item, and then select Application Definition.
  2. Double-click the application.
  3. Click the Accounts tab.
  4. Expand an account.
  5. Click one of the groups listed, and then click the Access tab to view Target Permissions.
  6. To view identity entitlements, click the Identities menu at the top of the page, and then select Identity Warehouse.
  7. Double-click user name, and then click the Entitlements tab.

Configure the PAM Module to point to Password Safe

Configure PAM Module to point to Password Safe

  1. Click the gear icon in the upper right corner of SailPoint IdentityIQ and select Global Settings.
  2. On the Global Settings page, click IdentityIQ Configuration.
  3. Click the Privileged Account Management tab.
  4. Select Password Safe from the first dropdown list.
  5. Click Save.

PAM Module for Password Safe

  1. Click the list icon in the upper left corner of SailPoint IdentityIQ to access the Tasks menu and expand Manage Access.
  2. Select Privileged Account Management to view the PAM module for Password Safe.

The PAM module provides the Add Identities button, which by default provisions entitlements to individual users. Password Safe only supports entitlements at the group level, via its RBAC model. Some customers have reconfigured the PAM module to provision entitlements through groups, but that is beyond the scope of this guide; customers are advised to work with SailPoint Professional Services for such changes. The provisioning strategy described later in this guide instead supports provisioning for both directory users and non-directory (local) users.

Provision Directory and Non-Directory Users

The application template for Password Safe comes with a preconfigured provisioning policy. To access the provisioning policy:

Provisioning Policies for Password Safe

  1. Under the Applications menu item, select Application Definition.
  2. Double-click the application.
  3. Click the Configuration tab.
  4. Click Create Account Form.

Create Source Attribute

The "Source" attribute is required to recognize that an account exists in a source outside of Password Safe. Without knowing the source, provisioning fails to find and modify the account.

  1. On the next screen, create an attribute called Source:
    • Click the blue plus sign icon and select Add Field.
    • Under Edit Options > Settings, type source in the Name field.
    • Type Source in the Display Name field.
    • Under Value Settings, select Script from the Value dropdown list.
    • Under Allowed Values, select one or more values.
    • Enter a Value Script. In the below example, Active Directory is the name of the application in IdentityIQ:

// Value Script for the "source" field (IdentityIQ Beanshell).
// accountType is the form field chosen by the requester; it is void
// while the form has not been completed.
if (accountType != void)
{
   // A local Password Safe account has no external source: return null.
   if ("Local".equals(accountType))
   {
      return null;
   }
}
// Every other account type is imported from the named IdentityIQ application;
// "Active Directory" is the application name used in this example.
return "Active Directory";

Source must be null for local provisioning; any other value instructs Password Safe to look for the user in the named source application rather than create a local account.

  2. Next, create an attribute called Active:
    1. Click the blue plus sign icon and select Add Field.
    2. Under Edit Options > Settings, type active in the Name field.
    3. Type Active in the Display Name field.
    4. Under Value Settings, select Value from the Value dropdown list.
    5. Type true in the field under Value. If the value is not set to true, the account is created inactive in Password Safe.
  3. Click the pencil icon to the right of the Distinguished Name to Import attribute. Add Help Text explaining that this field is based on the import of a pre-existing account from Active Directory.

For an account with a source other than Password Safe, e.g. in LDAP or AD, one Distinguished Name is presented. If the target user has multiple accounts in different directories, a list of accounts is provided, and each of these accounts should be provisioned.

  4. Click Save in the top right corner.

Password Safe cannot provision a new account to Active Directory. It can only import an existing account from Active Directory and add it to a Password Safe local group. Password Safe cannot modify accounts, groups, or group memberships in Active Directory; it can only import and synchronize groups and their account members.
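The Source, Active and Distinguished Name to Import rules above, together with the account/group table earlier in this guide, modelled as an added Python example so they can be checked offline. This is not BeyondTrust or SailPoint code: the application names, the DirectoryAccount records and the dictionary keys of the returned requests are constructed assumptions, and the functions only decide what to send; they do not call the SCIM API.

```python
"""Added example (not BeyondTrust or SailPoint code): the Create Account Form
decision logic for Password Safe as plain Python. Application names, account
records and the request keys below are constructed assumptions."""
from dataclasses import dataclass

# Account type chosen on the form -> IdentityIQ application Password Safe should
# look in. Local maps to None on purpose: Source must be null for a local
# account, otherwise Password Safe searches the named source for the user.
SOURCE_BY_ACCOUNT_TYPE = {
    "Local": None,
    "Active Directory": "Active Directory",  # assumed application names
    "Azure AD": "Azure AD",
    "LDAP": "LDAP",
}


@dataclass(frozen=True)
class DirectoryAccount:
    """One account aggregated into IdentityIQ from a directory application."""
    application: str
    distinguished_name: str


def source_for(account_type):
    """Same decision as the form's Value Script: null for Local, otherwise the
    application name. Unknown types are rejected instead of silently defaulting."""
    if account_type not in SOURCE_BY_ACCOUNT_TYPE:
        raise ValueError("unknown account type: %r" % (account_type,))
    return SOURCE_BY_ACCOUNT_TYPE[account_type]


def build_create_requests(account_type, group, directory_accounts=(), username=None):
    """Return one create request per account that should end up in `group`.

    Local: a username is required; no source and no DN are sent.
    Directory: every account the identity has in the source application is
    imported by its DN, one request per DN. Nothing is ever created in the
    directory itself, because Password Safe can only import existing accounts.
    Active is always true, since a false value leaves the account inactive.
    """
    source = source_for(account_type)
    if source is None:
        if not username:
            raise ValueError("a local account needs a username")
        return [{"source": None, "active": True, "userName": username, "group": group}]
    dns = [a.distinguished_name for a in directory_accounts if a.application == source]
    if not dns:
        raise ValueError("identity has no account in %s to import" % source)
    return [
        {"source": source, "active": True, "distinguishedName": dn, "group": group}
        for dn in dns
    ]
```

The sample run in the test feeds an identity with two Active Directory accounts and one LDAP account: an Active Directory request yields two imports (one per DN) and ignores the LDAP account, a Local request yields a single local account with a null source, and an LDAP request for an identity without an LDAP account fails early instead of letting Password Safe search for a user it cannot find.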

Test the Integration

The most common scenario consists of a user with a directory account. For this scenario, use Password Safe as the application. To test this scenario:

Main Menu

  1. On the SailPoint IdentityIQ homepage, click the menu icon in the upper left corner.
  2. Select Manage Access > Manage User Access.

Select User

  1. On the Select User screen, enter the username in the Search field and click the magnifying glass icon. One or more users are returned.
  2. Click the check mark icon next to a user name to select that user.
  3. Click Next.

Select Local Group

  1. On the Manage Access screen, type Password Safe in the Search field and click the magnifying glass icon. One or more groups are returned.
  2. Click the check mark icon next to a local group to select that group.
  3. Click Next.
  4. On the Review and Submit screen, make sure everything is correct, and then click Submit.

Complete the Form

  1. You may be asked for additional information. Click Complete Form.
  2. On the next screen, under Account Type, click Active Directory to resolve the value (or values) via Directory Source.
  3. Check the Distinguished Name to Import box.
  4. Click OK.

View Execution Status of User Access Request

Track User Access Request

  1. On the SailPoint IdentityIQ homepage, click the menu icon in the upper left corner.
  2. Select Manage Access > Track My Requests.

View Execution Status for User Access Request

  1. On the Access Request page, click Details to view the execution status of the request.
  2. The access request is in Verifying status until aggregation is performed for Password Safe. Once aggregation is complete, the user account is imported from Active Directory into the Password Safe local group.

Provision a User Without a Directory Account

You might need to provision populations of users without a Directory Account. For example, this is required for vendor access.

To view application accounts assigned to a user:

View Application Accounts Assigned to a User

  1. On the SailPoint IdentityIQ homepage, click the Identities menu, and then select Identity Warehouse.
  2. On the Identity Warehouse screen, enter the username in the Search field, and then click the magnifying glass icon. One or more users are returned.
  3. Double-click the correct user name.
  4. On the View Identity User.Name screen, click Application Accounts.

To provision a user without a directory account:

  1. On the SailPoint IdentityIQ homepage, click the menu icon in the upper left corner.
  2. Select Manage Access > Manage User Access.
  3. On the Select User screen, enter the username in the Search field, and then click the magnifying glass icon. One or more users are returned.
  4. Click the check mark icon next to a user name to select that user.
  5. Click Next.
  6. On the Manage Access screen, enter Password Safe in the Search field and click the magnifying glass icon. One or more groups are returned.
  7. Click the check mark icon next to a local group to select that group.
  8. Click Next.
  9. On the Review and Submit screen, make sure everything is correct, and then click Submit.

Complete the Form

  1. Additional information is required. Click Complete Form.
  2. On the next screen, under Account Type, select Local.
  3. Provide a username and password.
  4. Click OK.

The User Name and Password values can be assigned dynamically in the Provisioning Policy Create Form.

The new local user account is now available in Password Safe. To view this account:

  1. On the BeyondInsight homepage, select Configuration > Role Based Access > User Management > Groups.
  2. Click the ellipsis to the right of the group that the new local user account was assigned to, and then select View Group Details.
  3. Under Group Details, select Users. The new local user account is visible under Assigned Users.