SailPoint IdentityIQ Deployment Guide

Overview

The SailPoint IdentityIQ Deployment Guide outlines how to use a SailPoint IdentityIQ Privileged Access Management (PAM) application template. This quick start strategy leverages the PAM module for visibility and provides a provisioning policy form that replaces the default provisioning capabilities that come with the PAM module. The provisioning capabilities found within the PAM module are based on user entitlements, while Password Safe is exclusively based on Group Entitlements via Role Based Access Control (RBAC).

Container creation in Password Safe results in creating an account Smart Group, which includes conditions, actions, and resource consumption. Container creation is not applicable as a use case within the PAM module.

For Password Safe, privileged data items (discovered managed accounts) are displayed under containers (managed account Smart Groups). This use case does not apply to Password Safe, and is based on a different PAM Application design.

The application template, found in the Password Safe Resource Kit, helps complement the PAM module and allows provisioning without the need for complex customization.

When it comes to provisioning, a few strategies are available depending on the specific use case, or combination of account and group. In the table below, Local means created directly in Password Safe. The table shows the entitlement type used for provisioning for each account and group combination.

Account       Group: Local     Group: AD     Group: Entra ID     Group: LDAP
Local         PS
AD            PS - Import      AD - Sync
Entra ID      PS - Import                    Entra ID - Sync
LDAP          PS - Import                                        LDAP - Sync

PS – Import = Password Safe entitlements are provisioned via the Provisioning Policy – Form, within the application definition for Password Safe, by configuring attributes including nativeIdentifier (the unique identifier associated with an individual account) and source, as described below in this document.

Sync = Password Safe group synchronization, via previously imported groups

Password Safe group synchronization is triggered
  • by synchronization interval
  • by manual synchronization
  • at log in, where group memberships are re-evaluated or synchronized

From an access perspective, group sync causes no delay versus provisioning and deprovisioning.

Create the SailPoint IdentityIQ Service Account in Password Safe

Creating a SailPoint IdentityIQ service account in BeyondInsight requires the following:

  • Create a user group
  • Enable features and Smart Groups for the user group
  • Create a user account and add it to the user group
  • Log in to BeyondInsight as the new service account user to generate OAuth credentials.

The below sections detail the steps to take to accomplish the above.

Create a New Group for the Service Account

To create a local group in BeyondInsight, follow the below steps:

Create a New Group in BeyondInsight

  1. Navigate to Configuration > Role Based Access > User Management.
  2. From the Groups tab, click + Create New Group.
  3. Select Create a New Group.
  4. Enter a Group Name and Description for the group.
  5. Click Create Group.
  6. Follow the steps in the below sections to enable features and Smart Groups for your newly created group.

In addition to creating groups locally, you can import Active Directory, Entra ID, and LDAP groups into BeyondInsight.

Enable Features for the Group

To enable features for a group in BeyondInsight, assign permissions to the features as follows:

  1. Go to Configuration > Role Based Access > User Management.
  2. From the Groups tab, find the group and click the ellipsis to the right of the group.
  3. Select View Group Details from the list.
  4. Click Features located under Group Details.
  5. Select All Features from the Show dropdown above the grid to display a list of features in the grid.

Features must be added to the service account group by assigning permissions.

  1. Select the Management Console Access feature and click Assign Permissions > Assign Permissions Read Only above the grid. This permission is required so the service account can log in to BeyondInsight and obtain the service account's unique OAuth credentials.
  2. Select the following features and click Assign Permissions > Assign Permissions Full Control above the grid.
    • Options - Connectors: This feature is required to allow the creation of OAuth credentials by the member account. In production, this permission could be removed after connection is established, but is needed again to cycle client_secret and refresh_token.
    • Password Safe Account Management: This feature is required to read or write managed accounts through the public API.
    • Password Safe Role Management: This feature is required to allow visibility into account Smart Groups, which are assigned via user groups in BeyondInsight.
    • Smart Rule Management - Managed Account: This feature is required to manage Smart Rules for managed accounts.
    • User Accounts Management: This feature is required for the service account to manage user groups and user accounts.


Enable Smart Groups for the Group

To enable Smart Groups for a group in BeyondInsight, assign permissions to the Smart Groups as follows:

  1. Go to Configuration > Role Based Access > User Management.
  2. From the Groups tab, find the group and click the ellipsis to the right of the group.
  3. Select View Group Details from the list.
  4. Click Smart Groups located under Group Details.
  5. Select All Smart Groups from the Show dropdown above the grid to display a list of Smart Groups in the grid.

Assign read only permission to all Managed Account type Smart Groups.

  1. Select the All Managed Accounts Smart Group and click Assign Permissions > Assign Permissions Read Only above the grid.

Managed Account Smart Groups with a category of Managed Accounts are visible via the SCIM API. Managed Account Smart Groups with a category of Platforms are not visible. However, you can recreate the same Smart Group with a category of Managed Accounts.


Create a New User and Assign to Group

Once the group is created and assigned the appropriate features and Smart Groups permissions, you can create a new account in BeyondInsight for the service account and add it to the group.

Permissions are assigned only to the group, not to the account.

Create a New User in BeyondInsight for the service account.

  1. Go to Configuration > Role Based Access > User Management.
  2. From the Users tab, click Create New User.
  3. Select Create a New User.
  4. Provide Identification, Credentials, Contact Information, User Status, and Authentication Options as needed.
  5. Click Create User.

Assign User Group to User Account in BeyondInsight

  1. You are taken to the details page for the user account where Groups is automatically selected. Select All Groups from the Show dropdown above the Groups grid to list all available user groups.
  2. Locate the group you created above for the service account, select it, and then click Assign Group above the grid.

In addition to creating user accounts locally, you can import AD, Entra ID, and LDAP accounts and add them to either local or imported groups.


Generate OAuth Credentials

Once the user account is created and assigned to a group, you must log in as the new user to generate OAuth credentials.

Generate OAuth credentials.

  1. Go to Configuration > General > Connectors.
  2. Under Connectors, select the SCIM connector. Once selected, the SCIM connector information displays.

Do not select the SailPoint connector. This was available in previous versions of BeyondInsight, but it is an older integration and is not based on SCIM.

  3. Each logged-in account in BeyondInsight has a unique client ID. The Client ID is located within the SCIM connector information. Highlight the ID, right-click, and save locally as client_id to a text file.
  4. Click Recycle Client Secret.
  5. Click Recycle on the Recycle Secret Access Key pop-up. This generates a unique access key.
  6. Highlight the Client Secret access key, right-click, and save as client_secret to a text file.
  7. Click Generate Refresh Token if you want to use this method of authentication. Use the account login password when prompted.

The refresh token is used in the production environment. Client credentials (client ID and client secret) are used in a lab or test environment. Every Password Safe user with full control permissions to the Options – Connectors feature can obtain a Client ID and Client Secret via the connector.

Only one SCIM connector can be created by Password Safe per instance.

Create the SailPoint IdentityIQ SCIM Application for Password Safe

Application Import File in Password Safe Resource Kit

Access the Password Safe Resource Kit

The Password Safe Resource Kit is available with product downloads via the Customer Portal. A preconfigured application for Password Safe is available in the Resource Kit.

Edit Application Name

Before you import SCIM-Password Safe-IdentityIQ.xml, save a copy of the file and edit it using the text editor of your choice to change the application name. You can create one or more applications, each with a unique name.

Search for BT PBPS SCIM and replace the value with Password Safe or any desired value for the name.

Import File

Import the XML File

To be able to import the SCIM-PasswordSafe-IdentityIQ.xml file, users must have administrator permissions.

To import the XML file:

  1. Log in to SailPoint IdentityIQ.
  2. Click the gear icon at the top of the screen and select Global Settings.
  3. On the Global Settings page, click Import from File.
  4. On the Import from File page under Import Objects, click Choose File and navigate to the edited XML file.
  5. Click Import.

Application Definition

Edit New Application

  1. Under the Application menu item, select Application Definition. You are able to see and edit the new application.
  2. Double-click the new application.
  3. Click the Configuration tab. Then click Settings.
  4. Under Grant Type, select Client Credentials.
  5. Enter the Base and Token URLs.
  6. Provide the Client ID and Client Secret, which you saved locally in the Generate OAuth Credentials section of this guide.
  7. Click Test Connection. If the test is successful, a Connection Successful message is displayed. If the test is not successful, an error message is displayed.

Client credentials are recommended for testing. A refresh token is used in production where security requirements are higher.

  8. Click the Correlation tab.
  9. Configure the Account Correlation, for example, by using an email address and username.
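The following is an added example, not code from the BeyondTrust guide or from SailPoint: it reproduces the Test Connection step from the command line so the service account's OAuth credentials and SCIM visibility can be checked before the application is tuned further. It assumes the Token URL accepts a standard OAuth 2.0 form POST (client credentials for lab/test, refresh token for production, as the guide recommends) and that the Base URL serves standard SCIM 2.0 resources such as /Groups; the group names in the sample response are constructed.

```python
import json
import urllib.parse
import urllib.request


def token_request_body(client_id, client_secret=None, refresh_token=None):
    """OAuth 2.0 token request form: client credentials (lab/test) or a
    refresh token (production), matching the guide's per-environment advice."""
    if refresh_token:
        form = {"grant_type": "refresh_token", "client_id": client_id,
                "refresh_token": refresh_token}
    elif client_secret:
        form = {"grant_type": "client_credentials", "client_id": client_id,
                "client_secret": client_secret}
    else:
        raise ValueError("need either client_secret or refresh_token")
    return urllib.parse.urlencode(form).encode()


def parse_token_response(raw):
    """Return the bearer access token; refuse anything that is not one."""
    body = json.loads(raw)
    if str(body.get("token_type", "")).lower() != "bearer" or "access_token" not in body:
        raise ValueError("unexpected token response, keys: %s" % sorted(body))
    return body["access_token"]


def fetch_token(token_url, client_id, client_secret=None, refresh_token=None):
    """POST the form to the Token URL entered in the IdentityIQ application."""
    req = urllib.request.Request(
        token_url, data=token_request_body(client_id, client_secret, refresh_token),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_token_response(resp.read())


def scim_list(base_url, token, resource):
    """GET a SCIM 2.0 list resource, assumed to live at <Base URL>/Groups etc."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/" + resource,
        headers={"Authorization": "Bearer " + token, "Accept": "application/scim+json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


def summarize_groups(list_response):
    """displayName -> member count for every group the token can see. Compare the
    names with the Smart Groups and user groups granted to the service account."""
    return {g["displayName"]: len(g.get("members", []))
            for g in list_response.get("Resources", [])}


# Constructed SCIM ListResponse so the summary can be checked without a server.
SAMPLE_GROUPS = {
    "Resources": [
        {"id": "1", "displayName": "All Managed Accounts",
         "members": [{"value": "a1"}, {"value": "a2"}]},
        {"id": "2", "displayName": "SailPoint IdentityIQ", "members": []}]}


def preflight(base_url, token_url, client_id, client_secret=None, refresh_token=None):
    """Live check: obtain a token, then list the groups visible through SCIM."""
    token = fetch_token(token_url, client_id, client_secret, refresh_token)
    return summarize_groups(scim_list(base_url, token, "Groups"))
```

An empty or incomplete group list from preflight() points back at the Features and Smart Groups permissions assigned to the service account group earlier in this guide.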

Edit New Application

  1. Click the Unstructured Targets tab.
  2. Click the Add New Unstructured Data Source button.
  3. On the pop-up dialog, click the Create Target Source button.
  4. On the next screen, select Privileged Account Management Collector from the Target Source Types dropdown list.
  5. Enter URLs and credentials.
  6. Select PAM Access Mapping Correlation Rule from the Correlation Rule dropdown list.
  7. Click Save on the Unstructured Target Configuration screen.
  8. Click Save on the Edit Application screen.

Aggregate Accounts, Groups, and Entitlements from Password Safe

Before a user can start using SailPoint IdentityIQ, it must aggregate, or discover, Password Safe accounts, permissions, and groups.

Create New Task

  1. Under the Setup menu item, click the Tasks tab.
  2. Under the New Task dropdown list select Account Aggregation.
  3. Include a task name and update all remaining fields as required.
  4. Click Save.
  5. Repeat steps one through four, this time for Account Group Aggregation.
  6. Repeat steps one through four, this time for Target Aggregation.
  7. Once all three tasks have been created, right-click on the Account task and select Execute in Background. Repeat this step for Group, and then Target.

View Target Permissions and Entitlements

To view how permissions and accounts are represented in IdentityIQ after aggregation:

View Target Permissions

  1. Return to the applications list by clicking the Application menu item, and then select Application Definition.
  2. Double-click the application.
  3. Click the Accounts tab.
  4. Expand an account.
  5. Click one of the groups listed, and then click the Access tab to view Target Permissions.
  6. To view identity entitlements, click the Identities menu at the top of the page, and then select Identity Warehouse.
  7. Double-click user name, and then click the Entitlements tab.

Configure the PAM Module to point to Password Safe

Configure PAM Module to point to Password Safe

  1. Click the gear icon in the upper right corner of SailPoint IdentityIQ and select Global Settings.
  2. On the Global Settings page, click IdentityIQ Configuration.
  3. Click the Privileged Account Management tab.
  4. Select Password Safe from the first dropdown list.
  5. Click Save.


PAM Module for Password Safe

  1. Click the list icon in the upper left corner of SailPoint IdentityIQ to access the Tasks menu and expand Manage Access.
  2. Select Privileged Account Management to view the PAM module for Password Safe.


The PAM module provides the Add Identities button, which is configured by default to provision entitlements to users. Password Safe allows for entitlements at the group level only, via its RBAC model. Some customers have reconfigured the PAM module to provision entitlements through Groups, but that is beyond the scope of this guide, and it is recommended that customers work with SailPoint Professional Services for such changes. However, the provisioning strategy described later in this guide provides provisioning support for both directory and non-directory or local users.

Provision Directory and Non-Directory Users

The application template for Password Safe comes with a preconfigured provisioning policy. To access the provisioning policy:

Provisioning Policies for Password Safe

  1. Under the Applications menu item, select Application Definition.
  2. Double-click the application.
  3. Click the Configuration tab.
  4. Click Create Account Form.


Create Source Attribute

The "Source" attribute is required to recognize that an account exists in a source outside of Password Safe. Without knowing the source, provisioning fails to find and modify the account.

  1. On the next screen, create an attribute called Source:
    • Click the blue plus sign icon and select Add Field.
    • Under Edit Options > Settings, type source in the Name field.
    • Type Source in the Display Name field.
    • Under Value Settings, select Script from the Value dropdown list.
    • Under Allowed Values, select one or more values.
    • Enter a Value Script. In the below example, Active Directory is the name of the application in IdentityIQ:

// Value script for the Source attribute (BeanShell). accountType holds the value
// the requester picks under Account Type on the provisioning form.
if (accountType != void)
{
   // Local accounts are created directly in Password Safe, so there is no source.
   if ("Local".equals(accountType))
   {
      return null;
   }
}
// Any other account type is imported from the named IdentityIQ application.
return "Active Directory";

Source must be null for local provisioning; otherwise it instructs Password Safe to look for the user in the named source application.

  1. Next, create an attribute called Active.
    1. Click the blue plus sign icon and select Add Field.
    2. Under Edit Options > Settings, type active in the Name field.
    3. Type Active in the Display Name field.
    4. Under Value Settings, select Value from the Value dropdown list.
    5. Type true in the field under Value. If the value is not set to true, the account will be inactive in Password Safe.
  2. Click the pencil icon to the right of the Distinguished Name to Import attribute. Add Help Text to explain that this is based on the import of a pre-existing account from Active Directory.

For an account with a source other than Password Safe, e.g., in LDAP or AD, one Distinguished Name is presented. However, if the target user has multiple accounts in different directories, a list of accounts is provided. Each of these accounts should be provisioned.

  1. Click Save in the top right corner.

Password Safe cannot provision a new account to Active Directory. It can only import an existing account from Active Directory and add it to a Password Safe local group. Password Safe cannot modify accounts, groups, or group memberships in Active Directory. Password Safe can import and synchronize groups and account members.

Test the Integration

The most common scenario consists of a user with a directory account. For this scenario, use Password Safe as the application. To test this scenario:

Main Menu

  1. On the SailPoint IdentityIQ homepage, click the menu icon in the upper left corner.
  2. Select Manage Access > Manage User Access.


Select User

  1. On the Select User screen, enter the username in the Search field and click the magnifying glass icon. One or more users are returned.
  2. Click the check mark icon next to a user name to select that user.
  3. Click Next.


Select Local Group

  1. On the Manage Access screen, type Password Safe in the Search field and click the magnifying glass icon. One or more groups are returned.
  2. Click the check mark icon next to a local group to select that group.
  3. Click Next.
  4. On the Review and Submit screen, make sure everything is correct, and then click Submit.


Select Local Group

  1. You may be asked for additional information. Click Complete Form.
  2. On the next screen, under Account Type, click Active Directory to resolve the value (or values) via Directory Source.
  3. Check the Distinguished Name to Import box.
  4. Click OK.

View Execution Status of User Access Request

Track User Access Request

  1. On the SailPoint IdentityIQ homepage, click the menu icon in the upper left corner.
  2. Select Manage Access > Track My Requests.


View Execution Status for User Access Request

  1. On the Access Request page, click Details to view the execution status of the request.
  2. The access request is in Verifying status until aggregation is performed for Password Safe. Once aggregation is complete, the user account is imported from Active Directory into the Password Safe local group.

Provision a User Without a Directory Account

You might need to provision populations of users without a Directory Account. For example, this is required for vendor access.

To view application accounts assigned to a user:

View Application Accounts Assigned to a User

  1. On the SailPoint IdentityIQ homepage, click the Identities menu, and then select Identity Warehouse.
  2. Select Manage Access > Track My Requests.
  3. On the Identity Warehouse screen, enter the username in the Search field, and then click the magnifying glass icon. One or more users are returned.
  4. Double-click the correct user name.
  5. On the View Identity User.Name screen, click Application Accounts.


To provision a user without a directory account:

  1. On the SailPoint IdentityIQ homepage, click the menu icon in the upper left corner.
  2. Select Manage Access > Manage User Access.
  3. On the Select User screen, enter the username in the Search field, and then click the magnifying glass icon. One or more users are returned.
  4. Click the check mark icon next to a user name to select that user.
  5. Click Next.
  6. On the Manage Access screen, enter Password Safe in the Search field and click the magnifying glass icon. One or more groups are returned.
  7. Click the check mark icon next to a local group to select that group.
  8. Click Next.
  9. On the Review and Submit screen, make sure everything is correct, and then click Submit.


Select Local Group

  1. Additional information is required. Click Complete Form.
  2. On the next screen, under Account Type, select Local.
  3. Provide a username and password.
  4. Click OK.

The User Name and Password values can be assigned dynamically in the Provisioning Policy Create Form.


The new local user account is now available in Password Safe. To view this account:

  1. On the BeyondInsight homepage, select Configuration > Role Based Access > User Management > Groups.
  2. Click the ellipsis to the right of the group that the new local user account was assigned to. Select View Group details.
  3. Under Group Details, select Users. The new local user account is visible under Assigned Users.