Integration of Active Directory with SailPoint IIQ
Follow the steps below to integrate Active Directory with SailPoint IdentityIQ (IIQ).
1. Install IQService. All provisioning from IIQ to Active Directory goes through this agent, so it must be installed first.
Follow the steps to install IQService.
2. Set up the Active Directory application and aggregate all existing groups and accounts from Active Directory.
Follow the steps for setting up the Active Directory application.
3. Create the Field Value rule.
Follow the steps for creating a Field Value rule.
4. Create the provisioning form and populate the fields that are mandatory for creating an Active Directory account:
Object Type --> User
Account DN --> User DN
User ID --> sAMAccountName
User Principal Name --> Log-on Name
Password
First Name
Last Name
Full Name
Make sure a Field Value rule mapping is in place for all of the required fields.
5. Create the After Provisioning rule.
Follow the instructions.
6. Attach this rule in the Rules section of the application as the After Provisioning rule. This rule sends an email on success or failure of the operation on the user.
Also make sure that these email templates are created:
Active Directory PH Accounts Joiner AD Account Creation Notification
Active Directory PH Accounts Joiner AD Failure Notification
7. Now go to the Access Request page, select the user, select any entitlement that belongs to this application and submit the request (make sure the entitlement is requestable; only then will it be available on the Access Request page).
8. After submission the request goes through approval, which can be tracked from the Track Request page. Once the approval is done, provisioning will start.
9. Run the Perform Maintenance task to trigger the provisioning.
10. Check AD and confirm that the user is created with the values populated by the Field Value rule, that the requested entitlement has been added, and that an email has been triggered with the account details and the password.
11. Run the Perform Identity Request Maintenance task to complete the request.
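The Field Value rule in step 3, the mandatory form fields in step 4 and the After Provisioning rule in steps 5 and 6 are easiest to reason about as plain functions. The Python below is an added example written for this page, not SailPoint code (a real Field Value rule is BeanShell executed inside IIQ). The container OU, the UPN suffix, the shape of the identity dictionary and the provisioning status strings are assumptions. It derives each mandatory field, checks that the value mapped to the application's identity attribute is a distinguished name (the mistake discussed in the comments below), and picks the success or failure template named in step 6.

```python
"""Added example: derive mandatory AD provisioning-form fields and choose the
after-provisioning notification template. Values marked hypothetical are not
from the page."""
import re

AD_USER_CONTAINER = "OU=Joiners,DC=example,DC=com"  # hypothetical target OU
UPN_SUFFIX = "example.com"                          # hypothetical UPN suffix
SAM_MAX_LEN = 20                                    # AD limit for user sAMAccountName

# Template names as listed in step 6 of the post.
SUCCESS_TEMPLATE = "Active Directory PH Accounts Joiner AD Account Creation Notification"
FAILURE_TEMPLATE = "Active Directory PH Accounts Joiner AD Failure Notification"

# Accepts RDN chains such as CN=...,OU=...,DC=... with backslash-escaped values.
_DN_RE = re.compile(
    r"^(?:CN|OU|DC)=(?:\\.|[^,\\])+(?:,(?:CN|OU|DC)=(?:\\.|[^,\\])+)*$", re.IGNORECASE
)
_RDN_SPECIAL = ',+"\\<>;='


def escape_rdn(value):
    """Backslash-escape characters that are special in an RDN value (RFC 4514)."""
    out = "".join("\\" + c if c in _RDN_SPECIAL else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    return out


def build_sam_account_name(first, last, taken=frozenset()):
    """First initial + surname, lowercase alphanumerics only, truncated to the
    AD limit, with a numeric suffix when the name is already taken."""
    base = re.sub(r"[^a-z0-9]", "", (first[:1] + last).lower())
    if not base:
        raise ValueError("cannot derive sAMAccountName from empty name")
    candidate, n = base[:SAM_MAX_LEN], 1
    while candidate in taken:
        n += 1
        suffix = str(n)
        candidate = base[: SAM_MAX_LEN - len(suffix)] + suffix
    return candidate


def field_values(identity, taken=frozenset()):
    """Return what the Field Value rule must supply for each mandatory form
    field in step 4. The password is entered on the form, not derived here."""
    first = identity["firstname"].strip()
    last = identity["lastname"].strip()
    full = f"{first} {last}"
    sam = build_sam_account_name(first, last, taken)
    return {
        "objectType": "User",
        "distinguishedName": f"CN={escape_rdn(full)},{AD_USER_CONTAINER}",
        "sAMAccountName": sam,
        "userPrincipalName": f"{sam}@{UPN_SUFFIX}",
        "givenName": first,
        "sn": last,
        "displayName": full,
    }


def check_identity_attribute(values, identity_attribute):
    """Pre-flight check: the AD application's identity attribute must map to a
    DN, otherwise the connector cannot locate the object it is creating."""
    value = values.get(identity_attribute)
    if value is None:
        return False, f"no value for identity attribute {identity_attribute!r}"
    if not _DN_RE.match(value):
        return False, f"{identity_attribute!r} = {value!r} is not a distinguished name"
    return True, "ok"


def pick_notification(status):
    """After Provisioning rule: success template for committed/queued results,
    failure template otherwise (status strings are an assumption)."""
    return SUCCESS_TEMPLATE if status in ("committed", "queued") else FAILURE_TEMPLATE


if __name__ == "__main__":
    # Constructed identity, modelled on the name in the comment thread.
    vals = field_values({"firstname": "Jose", "lastname": "Fernandez"})
    print(vals)
    print(check_identity_attribute(vals, "distinguishedName"))
    print(check_identity_attribute(vals, "sAMAccountName"))
    print(pick_notification("failed"))
```

Running the check with `sAMAccountName` as the identity attribute fails before anything is sent to IQService, which is the condition the comment thread below traces back to a wrong identity attribute; with `distinguishedName` it passes.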
I am trying to provision against AD by assigning a role as mentioned, but I am getting the following error showing in IQService:
"02/07/2020 12:44:10: ADConnectorServices [Thread-15] ERROR:" Exception caught in Create for identity: jfernandez - System.ArgumentOutOfRangeException: Length cannot be less than zero.
Parameter name: length
at System.String.Substring (Int32 startIndex, Int32 length)
at sailpoint.services.ADConnectorServices.Create () ""
In the provisioning form I have already filled in all the data so as not to miss a field.
Do you know anything about this error?
Greetings, and thanks for your great contributions.
What is the Identity Attribute you have defined in the Active Directory type application? It should be distinguishedName.
That was the problem, I was putting another attribute. Thank you very much for your support.
Glad this helped you!
Thanks man. It helped.
In case the user is already in AD, can I use provisioning to put the user into a different group within AD?
Hey Vishal! Is there any guide for a Delete provisioning policy? Thanks!