Configure SCIM Connector for SailPoint IdentityIQ

The SCIM connector adds a SCIM API to Password Safe to allow third-party applications to view and modify users, groups, and Smart Rule permissions.

For more information, please see SailPoint IdentityIQ Integration.

IdentityIQ currently supports:

  • Reading users, groups, Smart Rules, and Smart Rule permissions into their system
  • Creating users, and adding and removing users to and from groups

Beyond what IdentityIQ itself supports, the SCIM connector follows the SCIM core and PAM extension standards, so permissions can also be assigned to groups through the API. IdentityIQ, however, can only assign permissions to users, and Password Safe does not accept user-level permission assignment.

Configure SailPoint IdentityIQ

To help configure the SCIM API in IdentityIQ, an application XML prebuilt with local and AD user provisioning is available on the BeyondTrust customer portal.

For more information, please see the SailPoint IdentityIQ Deployment Guide Tutorial.

Account Schema

To configure the IdentityIQ SCIM application manually to be compatible with Password Safe, there are some default schema settings you need to modify, as follows:

  • Under name, remove middleName, honorificPrefix, and honorificSuffix.
  • Remove nickName, profileUrl, title, userType, preferredLanguage, locale, and timezone.

For the provisioning form, if you intend to create Active Directory users only, the native identifier must be populated with the user's distinguished name; all other fields are populated from Active Directory. The following BeanShell script returns the allowed values for the distinguished name field by collecting the distinguishedName of each Active Directory link on the identity:

import java.util.*;
import sailpoint.object.*;
import sailpoint.api.*;

// Collect the distinguishedName of every Active Directory link the identity has.
// The returned list is used as the allowed values for the native identifier
// on the provisioning form.
List adLinks = new ArrayList();
if (identity != null) {
  // "Active Directory" is the name of the AD application you want to use;
  // change it if your AD application is named differently.
  Application targetApplication = context.getObjectByName(Application.class, "Active Directory");
  if (targetApplication != null) {
    IdentityService identityService = new IdentityService(context);
    List links = identityService.getLinks(identity, targetApplication);
    if (links != null) {
      for (Link link : links) {
        String dn = (String) link.getAttribute("distinguishedName");
        if (dn != null) {
          adLinks.add(dn);
        }
      }
    }
  }
}
return adLinks;

Create the SCIM Connector

The following steps detail how to create and update a SCIM connector in BeyondInsight.

Only one SCIM connector can be created per Password Safe instance. If your Password Safe instance already has a SCIM connector configured, log in to BeyondInsight with the service account credentials you created for the integration and generate OAuth credentials as detailed in step 9 below.

  1. In BeyondInsight, go to Configuration > General > Connectors.
  2. From the Connectors pane, click Create New Connector.
  3. Enter a name for the connector.
  4. Select SCIM from the Connector Type dropdown.
  5. Click Create Connector.

Create SCIM connector in BeyondInsight

  6. Set the Refresh Token Expiry.

This is intended to be long-lived.

  7. Set the Access Token Expiry.

This is intended to be short-lived.

Refresh and access tokens are an OAuth 2.0 concept.

  8. Select a Default Access Policy, and then click Create Connector.


If the Requestor role is assigned to a group via the SCIM API, this default access policy is applied; the API does not support assigning a different access policy per group. The container permissions you can provision include Read, Write, and Password Safe roles such as Requestor and Approver.

Generate Refresh Token and Recycle Client Secret for SCIM connector in BeyondInsight.

  9. Now that the connector has been created, the API is available. When you view the SCIM connector on the Connectors page, you see the Client ID specific to the user currently logged in to BeyondInsight. From the same page you can generate a refresh token and recycle the client secret as follows:
    • To generate a refresh token:
      • Click Generate Refresh Token.
      • Enter your Password and Client Secret.
      • Click Generate Refresh Token.
    • To create a new client secret:
      • Click Recycle Client Secret.
      • Click Recycle on the Recycle Secret Access Key pop-up. This generates a unique access key and invalidates the previous key.
    • Click Update Connector after generating the refresh token or recycling the client secret.

Every Password Safe user with Full Control permission on the Options – Connectors feature can obtain a Client ID and Client Secret via the connector. Client credentials (client ID and client secret) are recommended for lab or testing environments only, because the client secret is a long-lived shared credential. For a production environment, refresh tokens are the more secure option: the access tokens minted from them expire on the Access Token Expiry you set, and the client secret never has to be handed to the integration.


  10. To obtain a refresh token and an access token using the API, send a POST request to the token endpoint with a body in one of the following formats. You can authenticate with client credentials or with a username and password.

    The Client ID and Client Secret are part of your credentials for requesting refresh and access tokens. The authentication endpoint is [host]/scim/oauth/token.

    Client Credentials:

    grant_type=client_credentials&client_id=[Client ID]&client_secret=[Client Secret]

    Password:

    grant_type=password&username=[Username]&password=[Password]

    If you already have a refresh token, you can get a new access token with a POST request in this format:

    grant_type=refresh_token&refresh_token=[Refresh Token]

The base URL for non-authentication requests is [host]/scim/v2.
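The token exchange and a first SCIM call described above, as an added example that is not part of the BeyondTrust documentation or the connector's own code. It assumes the token endpoint accepts the body shown above as an application/x-www-form-urlencoded POST and returns a standard OAuth 2.0 JSON response (access_token, refresh_token, token_type, expires_in); the host name, the PS_REFRESH_TOKEN environment variable and the /Users path are placeholders. The body builder percent-encodes every value, which matters when a password or client secret contains characters such as & or =, and the main block follows the production pattern above: a refresh token held outside the script, short-lived access tokens minted from it, and no client secret in the integration.

```python
"""Added example, not BeyondTrust's or SailPoint's code: minimal OAuth 2.0
client for the Password Safe SCIM connector token endpoint.

Assumptions (not stated on the page): the token endpoint accepts the listed
body as an application/x-www-form-urlencoded POST and answers with a standard
OAuth 2.0 JSON document (access_token, refresh_token, token_type, expires_in);
HOST, the PS_REFRESH_TOKEN variable and the /Users path are placeholders.
"""
import json
import os
import urllib.parse
import urllib.request

HOST = "https://beyondinsight.example.com"   # placeholder, replace with your host
TOKEN_URL = f"{HOST}/scim/oauth/token"         # authentication endpoint from the page
SCIM_BASE = f"{HOST}/scim/v2"                  # base URL for non-authentication requests

# Parameters each grant type needs, in the order the page lists them.
GRANTS = {
    "client_credentials": ("client_id", "client_secret"),
    "password": ("username", "password"),
    "refresh_token": ("refresh_token",),
}


def token_request_body(grant_type, **params):
    """Build the form body for POST [host]/scim/oauth/token.

    urlencode() percent-encodes every value, so a secret or password that
    contains '&', '=' or '%' cannot corrupt the form or spill into another field.
    """
    if grant_type not in GRANTS:
        raise ValueError(f"unsupported grant_type: {grant_type}")
    fields = [("grant_type", grant_type)]
    for name in GRANTS[grant_type]:
        if name not in params:
            raise ValueError(f"{grant_type} grant requires {name}")
        fields.append((name, params[name]))
    return urllib.parse.urlencode(fields)


def parse_token_response(body):
    """Validate the JSON token response and return the fields a client keeps."""
    data = json.loads(body)
    if "access_token" not in data:
        # OAuth 2.0 error responses carry an 'error' code instead of a token.
        raise ValueError(f"no access_token in response: {data.get('error', 'unknown error')}")
    if data.get("token_type", "Bearer").lower() != "bearer":
        raise ValueError(f"unexpected token_type: {data['token_type']}")
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),   # absent if the server did not issue one
        "expires_in": int(data.get("expires_in", 0)),  # seconds; 0 means 'not stated'
    }


def scim_request(access_token, path, method="GET", payload=None):
    """Build a urllib Request for [host]/scim/v2/<path> carrying the bearer token."""
    url = f"{SCIM_BASE}/{path.lstrip('/')}"
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {access_token}")
    req.add_header("Accept", "application/scim+json, application/json")
    if data is not None:
        req.add_header("Content-Type", "application/scim+json")
    return req


def fetch_token(body):
    """POST a form body to the token endpoint and return the parsed token (network call)."""
    req = urllib.request.Request(
        TOKEN_URL, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_token_response(resp.read().decode())


if __name__ == "__main__":
    # Production pattern from the page: keep the long-lived refresh token out of
    # the script (environment variable here), mint a short-lived access token
    # from it, and never hand the client secret to the integration at all.
    token = fetch_token(token_request_body("refresh_token",
                                           refresh_token=os.environ["PS_REFRESH_TOKEN"]))
    with urllib.request.urlopen(scim_request(token["access_token"], "Users"), timeout=30) as resp:
        print(resp.read().decode())
```

Run it with PS_REFRESH_TOKEN set to the refresh token generated in step 9; when the access token expires, call fetch_token again with the refresh_token grant rather than storing the client secret alongside the script.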