Introduction to SailPoint Integration

Integrate with SailPoint

You can integrate SailPoint with Privileged Access Manager in two ways:

SailPoint STI (Simple Table Integration): STI is an extensive, SailPoint-specific integration that requires configuration on both sides and provides automatic synchronization and workflow. This option requires the integration license option. See the STI Setup section below.

SCIM (System for Cross-domain Identity Management): SCIM is an application-level REST protocol for managing user identity data between domains.

Clustering

When Privileged Access Manager is clustered, users should connect to the cluster Primary Site VIP rather than an individual server. The VIP address provides availability in case the server that was originally configured for SailPoint is unavailable. 

STI Setup

Privileged Access Manager populates SailPoint integration tables with Privileged Access Manager Users (with current Role and User Group assignments), Roles, and User Groups. Privileged Access Manager Roles and User Groups are imported by SailPoint to be defined as Entitlements. Privileged Access Manager Users are imported and made into IdentityIQ Users in SailPoint. Whenever changes occur within Privileged Access Manager, these tables are updated on a configurable interval. 

Privileged Access Manager Configuration

For the SailPoint configuration options to appear, the SailPoint integration option must be licensed. SailPoint STI communicates with Privileged Access Manager (PAM) over port 3306.

To configure SailPoint integration in Privileged Access Manager, follow these steps:

1. Go to Configuration, 3rd Party, SailPoint.

2. Enter the Database User and Database Password. The password is used again in the SailPoint configuration that follows.

3. Set the Update Interval, in seconds. This value determines how often Privileged Access Manager checks for incoming SailPoint requests and exports relevant data to SailPoint.

4. For SailPoint Whitelist, enter at least one SailPoint server address. These addresses are the only connections allowed for the SailPoint integration. Valid entries are IP address, hostname, and FQDN values.

5. Select Save to save your settings.

6. Select Install to set up the SailPoint integration tables. The installation is done only once. This button is enabled if SailPoint is licensed, and disabled again once the installation is complete.

7. Select Download to acquire a zip file of the Privileged Access Manager SailPoint application. Use this file during the configuration of the SailPoint side of the integration. Unzip this file and save CAPamConfiguration.xml in a location accessible by your SailPoint application.

8. (Optional) Select Import to manually direct Privileged Access Manager to read the provisioning queue. Import also runs automatically according to the Update Interval setting.

9. (Optional) Select Export to manually direct Privileged Access Manager to populate the SailPoint tables. Export also runs automatically according to the Update Interval setting.

SailPoint Configuration

Before you configure the integration in SailPoint IdentityIQ, ensure that these prerequisites are met:

Install the LCM (Lifecycle Manager) module for SailPoint 

Install the STI (Simple Table Integration) integration for SailPoint

To configure the integration in SailPoint, follow these steps:

1. In SailPoint IdentityIQ, select the configuration gear icon and select Global Settings. The Global Settings page appears.

2. Select the Import from File option in the lower right.

3. Under Import Objects, select Choose File and select CAPamConfiguration.xml, which you downloaded during the Privileged Access Manager configuration.

4. Select Import.

5. Under Applications, Application Definitions, select the CAPam application. The Edit Application CAPam page appears.

6. Select the Configuration tab.

7. Under Settings, enter the correct Connection Password, which is not included in the configuration XML file. This is the Database Password that you entered in step 2 of Privileged Access Manager Configuration.

8. Scroll down to Object Type: usergroup. Under Settings, enter the correct Connection Password.

9. Scroll down to Object Type: role. Under Settings, enter the correct Connection Password.

10. Scroll down to Object Type: group. Under Settings, enter the correct Connection Password.

11. Scroll to the bottom of the page and select Test Connection. "Test successful" appears. If it does not, check and re-enter the passwords.

12. Select Save to save your changes.

For your specific SailPoint IdentityIQ configuration, you can change the default provisioning policies that are provided by Privileged Access Manager. Inspect these settings to determine whether you must change them.

1. Under Configuration, select Provisioning Policies.

2. Under Object Type: account, for the Create Type, select User. The Attributes for User appear.

3. Select an Attribute, such as lastName. See Operations and Attributes for a list of the supported operations and attributes. The Edit Options appear on the right.

4. Select Value Settings. The value for lastName can be a static Value, be Dependent, be determined by a Script, or be determined by a Rule.

5. If you want to save your changes, select Save.

On the Edit Application CAPam, Password Policy page, configure a default password policy that follows the default password policy set for Privileged Access Manager users.

Operations and Attributes

The following operations and attributes are supported for SailPoint integration. The listed attributes must be associated with a rule or value in a Provisioning Policy in the SailPoint CAPam application for attributes to sync. The CAPam application is configured with some default values, but clients might need to adjust these settings.

Create a User

To create a user with the "local" authType, all the listed attributes are required. To create a user with the "cac" authType, none of the listed attributes are required.

firstName: User first name

lastName: User last name

email: User email address

password: User password

authType: supported values are local or cac (for smartcard users)

IIQDisabled: true if user is disabled, or false if user is enabled

Roles and User Groups are assigned as Entitlements.

Modify a User

To modify a user, all attributes are optional.

firstName: User first name

lastName: User last name

email: User email address

password: User password

authType: supported values are local or cac (for smartcard users)

IIQDisabled: true if user is disabled, or false if user is enabled

Roles and User Groups are assigned or removed as Entitlements.

Delete a User

No attributes
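
As an added illustration of the rules above (example code, not part of the original documentation or of the CA or SailPoint products), the following Python function checks a provisioning request against them: Create with authType local requires every listed attribute, Create with authType cac requires none, Modify treats all as optional, and Delete carries none. The request shape (a dictionary with an "operation" key plus the attribute names listed above) is an assumption made for the example; the real STI exchange goes through the integration tables and provisioning queue described under STI Setup.

```python
"""Check SailPoint -> Privileged Access Manager provisioning requests against the
attribute rules listed in Operations and Attributes.  Added example, not CA or
SailPoint code.  The request format (a dict with "operation" plus attribute keys)
is an assumption for illustration only."""

# Attributes the documentation lists for Create and Modify operations.
USER_ATTRIBUTES = ("firstName", "lastName", "email", "password", "authType", "IIQDisabled")
AUTH_TYPES = ("local", "cac")          # cac = smartcard users
OPERATIONS = ("Create", "Modify", "Delete")


def validate_request(request):
    """Return a list of problems; an empty list means the request is well formed.

    Rules taken from the documentation:
      * Create, authType "local": every listed attribute is required.
      * Create, authType "cac":   none of the listed attributes is required.
      * Modify:                   every attribute is optional.
      * Delete:                   no attributes.
    Roles and User Groups travel as Entitlements and are not checked here.
    """
    problems = []
    op = request.get("operation")
    attrs = {k: v for k, v in request.items() if k != "operation"}

    if op not in OPERATIONS:
        return ["unsupported operation: %r" % (op,)]

    if op == "Delete":
        # A Delete carrying attributes is malformed rather than harmful, but it is
        # worth reporting because it means the requester built the wrong message.
        if attrs:
            problems.append("Delete must not carry attributes: %s" % sorted(attrs))
        return problems

    unknown = sorted(set(attrs) - set(USER_ATTRIBUTES))
    if unknown:
        problems.append("unknown attributes: %s" % unknown)

    auth_type = attrs.get("authType")
    if auth_type is not None and auth_type not in AUTH_TYPES:
        problems.append("authType must be 'local' or 'cac', got %r" % (auth_type,))

    if "IIQDisabled" in attrs and attrs["IIQDisabled"] not in (True, False, "true", "false"):
        problems.append("IIQDisabled must be true or false")

    if op == "Create":
        # Assumption for this checker: authType is needed on Create so the right
        # rule can be selected.  The documentation states no default value.
        if auth_type is None:
            problems.append("Create requires authType to select the attribute rule")
        elif auth_type == "local":
            missing = [a for a in USER_ATTRIBUTES if a not in attrs]
            if missing:
                problems.append("local user is missing required attributes: %s" % missing)
        # authType "cac": none of the listed attributes is required.
    return problems


if __name__ == "__main__":
    # Constructed sample requests, not captured from a real system.
    samples = [
        {"operation": "Create", "authType": "cac"},
        {"operation": "Create", "authType": "local", "firstName": "Ada"},
        {"operation": "Modify", "lastName": "Lovelace"},
        {"operation": "Delete", "email": "ada@example.com"},
    ]
    for req in samples:
        print(req["operation"], "->", validate_request(req) or "ok")
```

Running the module prints one line per constructed sample; only the incomplete local Create and the Delete with a stray attribute are reported.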

Aggregation Tasks

As part of the CAPam application setup in SailPoint, aggregation tasks are defined in SailPoint to collect the user and entitlement data from Privileged Access Manager. These tasks should be scheduled to execute regularly to keep this data in sync with Privileged Access Manager.

Follow these steps:

1. From the main SailPoint menu, select Setup, Tasks. Two tasks are set up by the initial configuration:

   CAPam Account Aggregation regularly reads the Privileged Access Manager User table to keep in sync with Users and their entitlements.

   CAPam Group Aggregation reads Privileged Access Manager User Roles and Groups and creates SailPoint Entitlements from them.

2. To schedule a task, right-click it and select Schedule from the drop-down list to display the New Schedule dialog.

3. Select the Scheduled Tasks tab to edit schedules. You can select the Run Now box on the Edit Schedule tab to run the task immediately.

4. To see a list of SailPoint entitlements, go to the main menu, Applications, Entitlement Catalog.

Workflow Example

Once everything is configured in Privileged Access Manager and SailPoint IdentityIQ, the following integration workflow is possible. This example shows a SailPoint user making a provisioning request for a Privileged Access Manager user.

1. In SailPoint, go to Home, and select Manage User Access. An IdentityIQ user list appears under the Select Users tab.

2. Select a User and select the Manage Access tab.

3. Select Filters on the right. The Filter Access panel appears.

4. From the Entitlement Application drop-down list, select CAPam, and Apply. The Roles and User Groups that are imported from Privileged Access Manager appear as Entitlements.

5. Select a User Group or Role as an Entitlement. Select the Review tab at the top of the page.

6. If the listed Add Access Entitlements are correct, select Submit at the bottom of the page. The Home page appears with a Success message at the top of the page. SailPoint sends this data to Privileged Access Manager as a provisioning request.

7. In Privileged Access Manager, go to Users, Manage Users, and find the new (or updated) User. The User should have the matching information, including Roles and Groups, as applicable, and should be able to log in to Privileged Access Manager with the appropriate entitlements.

8. An Aggregation Task runs in SailPoint, reading the information in the Privileged Access Manager integration tables. This task closes the loop on the operation.

Activity Log

The Activity Log displays information about every action pertaining to the SailPoint integration. Create, delete, and update actions, their source, time, and results are listed. To view the Activity Log, follow these steps:

1. Go to Configuration, 3rd Party, SailPoint.

2. Select the Activity Log tab.

The log table is sortable by clicking column headings. You can filter data using the controls above the headings.

The Info column provides error messages, if applicable.
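
The following Python script is an added example, not part of the original documentation or of the product. It shows how an operator might review an export of this Activity Log together with the SailPoint Whitelist entered during Privileged Access Manager Configuration: it classifies each whitelist entry as one of the accepted forms (IP address, hostname, FQDN), lists actions whose result was not Success along with their Info text, and flags any action whose source is not on the whitelist. The CSV layout (time, action, source, result, info) and the assumption that the Source column records the requesting SailPoint address are constructed for the example; the real export format is not described on this page.

```python
"""Review a constructed export of the SailPoint Activity Log against the
SailPoint Whitelist.  Added example, not CA or SailPoint code.  The CSV layout
and the meaning of the Source column are assumptions for illustration."""
import csv
import io
import ipaddress
import re

# RFC 1123 style label: letters, digits, hyphens, no leading/trailing hyphen, 1-63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_whitelist_entry(entry):
    """Return 'ip', 'hostname' or 'fqdn' for an entry in one of the accepted forms,
    or None if it fits none of them (such entries would not be usable in the whitelist)."""
    try:
        ipaddress.ip_address(entry)      # accepts IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    labels = entry.rstrip(".").split(".")
    if not all(_LABEL.match(label) for label in labels):
        return None
    return "fqdn" if len(labels) > 1 else "hostname"


def review_activity_log(csv_text, whitelist):
    """Return (failed, unexpected_sources).

    failed:             rows whose result is anything other than Success.
    unexpected_sources: rows whose source is not on the whitelist.  The whitelist is
                        meant to be the only set of connections allowed, so any such
                        row deserves investigation of the whitelist configuration.
    Hostnames are compared case-insensitively and without a trailing dot.
    """
    allowed = {w.lower().rstrip(".") for w in whitelist}
    failed, unexpected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["source"].lower().rstrip(".") not in allowed:
            unexpected.append(row)
        if row["result"].lower() != "success":
            failed.append(row)
    return failed, unexpected


# Constructed sample data (not captured from a real system).
SAMPLE_WHITELIST = ["10.0.0.25", "iiq-prod.example.com"]
SAMPLE_LOG = """time,action,source,result,info
2023-01-10 09:00:01,create,iiq-prod.example.com,Success,
2023-01-10 09:05:12,update,IIQ-PROD.example.com,Failed,unsupported authType 'ldap'
2023-01-10 09:07:40,delete,10.0.0.99,Success,
"""

if __name__ == "__main__":
    for entry in SAMPLE_WHITELIST:
        print("whitelist entry %-24s -> %s" % (entry, classify_whitelist_entry(entry)))
    failed, unexpected = review_activity_log(SAMPLE_LOG, SAMPLE_WHITELIST)
    for row in failed:
        print("FAILED:", row["time"], row["action"], "-", row["info"])
    for row in unexpected:
        print("SOURCE NOT ON WHITELIST:", row["time"], row["action"], "from", row["source"])
```

With the constructed data the failed update is reported with its Info text, and the delete from 10.0.0.99 is flagged because that address is not a whitelist entry.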
