How to Configure SailPoint IdentityNow Integration

IdentityNow is a Software as a Service (SaaS) identity governance solution from SailPoint. This guide covers the steps required to configure an OAuth service account in either Password Safe or Password Safe Cloud for SailPoint IdentityNow.

For more information, please see IdentityNow for BeyondTrust Password Safe at https://community.sailpoint.com/t5/Connector-Directory/IdentityNow-for-BeyondTrust-Password-Safe/ta-p/211776.

The steps for service account creation also apply to SailPoint IdentityIQ, but the focus of this guide is IdentityNow.

Step-by-Step Installation and Configuration

Create a New Group

  1. In the BeyondInsight Console, go to Configuration > Role Based Access > User Management > Groups > Create New Group > Create a New Group.
  2. On the next screen, provide a group name and description.
  3. Click Create Group.
  4. Once the group is created, you can assign features to the group.

In addition to creating groups locally, you can import AD, AAD, and LDAP groups.

Assign Features

View Group Details

  1. To assign features to a new or existing group, go to Configuration > Role Based Access > User Management > Groups. Find the group and click on the corresponding ellipsis to the right of the group.
  2. Select View Group Details from the list.
  3. On the next screen select Features located under Group Details. A list of feature options is displayed.

Feature Options

Several important features are listed below:

Assign Feature Details

  1. Options – Connectors
    1. Once the option is selected, click Assign Permissions at the top of the feature list to assign the appropriate permissions.
    2. This feature is required to allow the creation of OAuth credentials by the member account. In production, this permission could be removed after the connection is established, but it would be needed again to cycle the client_secret and refresh_token.
  2. User Accounts Management
    1. Once the option is selected, click Assign Permissions at the top of the feature list to assign the appropriate permissions.
    2. Assign Permission Full Control is required for provisioning.
  3. Management Console Access
    1. Once the option is selected, click Assign Permissions at the top of the feature list to assign the appropriate permissions.
    2. This permission is required so the IdentityNow service account can log in to BeyondInsight and obtain the service account's unique OAuth credentials.
  4. Password Safe Role Management
    1. Once the option is selected, click Assign Permissions at the top of the feature list to assign the appropriate permissions.
    2. This permission is required to allow visibility into account smart groups which are assigned via Groups in Password Safe.

Smart Group Feature Permissions

You may need to add additional feature permissions to allow for managing Smart Rules for Managed Accounts.

Smart Group Features

  1. Go to Configuration > Role Based Access > User Management > Groups. Find the group and click on the corresponding ellipsis to the right of the group.
  2. Select View Group Details from the list.
  3. On the next screen select Smart Groups located under Group Details.
  4. Under Smart Group Permissions a list of All Smart Groups is displayed. You can also select Enabled Smart Groups or Disabled Smart Groups.

Smart Group Feature Options

Several important smart groups and features are listed below:

View All Assets Options

  1. All Assets - Password Safe Roles
    1. Select the All Assets group.
    2. Click on the ellipsis to the right of the group and select Edit Password Safe Roles.
    3. Select Information Security Administrator.
    4. Click Save Roles.
  2. All Managed Accounts - Password Safe Roles
    1. Select the All Managed Accounts group.
    2. Click on the ellipsis to the right of the group and select Edit Password Safe Roles.
    3. Select Requestor.
    4. Select an Access Policy for Requestor from the drop down list.
    5. Click Save Roles.
  3. All Managed Systems - Full Control
    1. Select the All Managed Systems group.
    2. Click on the ellipsis to the right of the group.
    3. Select Assign Permissions Full Control.

Create a New Account in BeyondInsight

Once the group is created and assigned the appropriate features and permissions, you can create a new account to add to the group.

Permissions are assigned only via group, not account.

Create a New User

  1. In the BeyondInsight Console, go to Configuration > Role Based Access > User Management > Users > Create New User > Create a New User.
  2. On the pop-out screen, provide Identification, Credentials, Contact Information, User Status, and Authentication Options as needed.
  3. Click Create User.

New User Information

In addition to creating user accounts locally, you can import AD, AAD, and LDAP accounts and add them to either local or imported groups.

Assign a User Account to a Group

Once a user account is created, the account can be assigned to one or more groups.

Assign User to Group

  1. In the BeyondInsight Console, go to Configuration > Role Based Access > User Management > Users.
  2. In the Filter By field, select Username, and then type in the username. If the list is not filtered automatically, press Enter.
  3. Click on the ellipsis to the right of the user account.
  4. Select View User Details. The User Details screen appears.
  5. On the left hand side of the screen, under User Details, select Groups.
  6. Under Groups, select Show > All Groups.
  7. Select the desired groups, and select Assign Group at the top of the list.

Generate OAuth Credentials

Once the user account is created and assigned to a group, you will need to log in as the new user to generate OAuth Credentials.

  1. In the BeyondInsight Console, go to Configuration > General > Connectors.
  2. Under Connectors select the SCIM connector. Once selected, the SCIM connector information will display.

Do not select the SailPoint connector. This was available in previous versions of BeyondInsight, but it is an older integration and not based on SCIM.

  1. Each logged-in account in BeyondInsight has a unique client ID. The Client ID is located within the SCIM connector information. Highlight the ID, right-click, and save it locally as client_id to a text file.
  2. Click Recycle Client Secret.
  3. Click Recycle on the Recycle Secret Access Key popup. This generates a unique access key.
  4. Highlight the Client Secret access key, right-click, and save as client_secret to a text file.
  5. Click Generate Refresh Token if you want to use this method of authentication. Use the account login password when prompted.

The refresh token is used in the production environment. Client credentials (client ID and client secret) are used in a lab or test environment.

Configure the BeyondTrust Source Type in IdentityNow

BeyondTrust provides an Access Data Source supported by default with IdentityNow. Once IdentityNow has visibility into a data source, it can manage information at the source location.

Users must have the appropriate credentials to log in to IdentityNow.

Configure a Source Type for BeyondTrust

  1. In the IdentityNow Console, go to Admin > Connections > Sources.
  2. Click the New button in the top right corner.
  3. Under Source Type select BeyondTrust Password Safe - Cloud.
  4. Include a Source Name, Description, Source Owner, and Connection Type.
  5. Click Continue.

Assign a Virtual Appliance Cluster

  1. On the next screen, under Base Configuration, select a Virtual Appliance Cluster.
  2. Click Save.

Update Connection Settings

  1. In the IdentityNow Console, go to Admin > Connections > Sources. Select the test source.
  2. On the next screen, click the Edit Configuration button in the top right corner.
  3. On the next screen, select Connection Settings on the left hand side.
  4. For a production environment, select the API Token option. For a test environment, select the OAuth 2.0 option.
  5. Fill out the rest of the form as required with information saved earlier in the Generate OAuth Credentials section.
  6. Click Save.
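The Generate OAuth Credentials section and the Connection Settings step above both prescribe the same split: refresh token for production, client ID plus client secret for a test environment. The following Python helper, added here as an example (not part of this guide, nor BeyondTrust's or SailPoint's code), builds the token request for whichever environment is selected and checks the endpoint's answer before the credentials are entered in IdentityNow. The token URL, the form field names and the JSON response shape are assumptions modelled on a standard OAuth 2.0 token endpoint, and the `transport` parameter is a hypothetical hook so the check can be exercised offline.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict

# Assumed token endpoint (placeholder): replace with the BeyondInsight SCIM
# connector's real token URL shown in the connector information screen.
TOKEN_URL = "https://beyondinsight.example.invalid/oauth/token"
SECRET_KEYS = {"client_secret", "refresh_token"}

def build_token_request(environment: str, creds: Dict[str, str]) -> Dict[str, str]:
    """Choose the grant the guide prescribes: refresh token for production,
    client credentials (client_id + client_secret) for a lab or test environment."""
    if environment == "production":
        if not creds.get("refresh_token"):
            raise ValueError("production needs a refresh_token (Generate Refresh Token step)")
        return {"grant_type": "refresh_token",
                "client_id": creds["client_id"],
                "refresh_token": creds["refresh_token"]}
    if environment == "test":
        return {"grant_type": "client_credentials",
                "client_id": creds["client_id"],
                "client_secret": creds["client_secret"]}
    raise ValueError(f"unknown environment: {environment}")

def redact(form: Dict[str, str]) -> Dict[str, str]:
    """Copy of the form body that is safe to log: secrets masked, client_id kept."""
    return {k: ("***" if k in SECRET_KEYS else v) for k, v in form.items()}

def http_post(url: str, body: bytes) -> bytes:
    """Default transport: a real HTTPS POST with a form-encoded body."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()

def check_connection(environment: str, creds: Dict[str, str],
                     transport: Callable[[str, bytes], bytes] = http_post) -> str:
    """Request an access token and return it; raise if the endpoint returns an OAuth
    error (an invalid_grant after Recycle Client Secret is the usual cause)."""
    form = build_token_request(environment, creds)
    print("token request:", redact(form))  # log the redacted copy only
    raw = transport(TOKEN_URL, urllib.parse.urlencode(form).encode())
    reply = json.loads(raw)
    if "error" in reply:
        raise RuntimeError(f"token endpoint rejected the request: {reply['error']}")
    return reply["access_token"]
```

If the production check fails with an OAuth error after the secret or refresh token was recycled, the service account needs the Options – Connectors permission again to generate new values.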

Test Connection

  1. Once connection settings have been saved, test the connection:
    1. Select Review and Test on the right hand side of the screen.
    2. Click Test Connection on the upper left hand side of the screen.

Aggregate Accounts and Entitlements

  1. In the IdentityNow Console, go to Admin > Connections > Sources. Select the test source.
  2. On the next screen, select the Import Data tab.
  3. Select Account Aggregation and enter the necessary information.
  4. Click Save.
  5. Select Entitlement Aggregation and enter the necessary information.
  6. Click Save.

Smart Group Permissions

Within Password Safe, permissions are granted via groups. A smart group is a filtered list of managed accounts. All managed accounts are granted the read only permission.

Assign Password Safe Role as Requestor

  1. In the Password Safe Console, go to Configuration > Role Based Access > User Management > Groups. Select the group and then click on the corresponding ellipsis to the right of the group.
  2. Select View Group Details.
  3. Select Smart Groups under Group Details.
  4. Select a managed account and then Assign Permissions.
  5. Assign permissions as read only.
  6. Select the managed account again and then click on the corresponding ellipsis to the right of the account.
  7. Select Edit Password Safe Roles.
  8. Assign role as Requestor.
  9. Select Access Policy for Requestor from the drop down.
  10. Click Save Roles.

View User Entitlements

To view user entitlements and Password Safe groups assigned to the user:

View Password Safe Groups Assigned to User

  1. In the IdentityNow Console, go to Admin > Connections > Sources. Select the test source.
  2. Select Accounts.
  3. Select the user.
  4. Select Accounts.
  5. Select the Source Name.
  6. Scroll to the bottom of the screen to view entitlements.

Entitlement Details and Permissions

  1. To view Entitlement Details and Permissions, expand the appropriate user group.
  2. Select either the Details tab or Permissions tab to view information. Here you can find the target (Smart Group/Rule All Managed Accounts), Smart Group Permissions (Read or Write), and the Password Safe Role (Requestor).

Create Profile

BeyondTrust source types come with a preconfigured Create Profile.

BeyondTrust Pre-configured Profile

  1. In the IdentityNow Console, go to Admin > Connections > Sources. Select the test source.
  2. Select Accounts.
  3. Select Create Profile.

Correlation

BeyondTrust source types come with a preconfigured Correlation.

BeyondTrust Pre-configured Correlation

  1. In the IdentityNow Console, go to Admin > Connections > Sources. Select the test source.
  2. Select Import Data.
  3. Select Correlation.

Schema

BeyondTrust source types come with a preconfigured Schema.

BeyondTrust Pre-configured Schema

  1. In the IdentityNow Console, go to Admin > Connections > Sources. Select the test source.
  2. Select Import Data.
  3. Select Correlation.

Once the BeyondTrust source is in place, you have access to IdentityNow business processes including Access Request, Access Certification, automated provisioning for Joiner, Mover, Leaver, Search and Analytics, and more.

Password Safe Applications

It is possible to create Access Profiles that consume Password Safe Groups and then assign the Access Profiles to Roles or Applications.

For more information on assigning Access Profiles to Roles or Applications, please visit SaaS Product Documentation / IdentityNow at https://documentation.sailpoint.com.

Example Application with Access Profile for Password Safe Group