
Thursday, February 10, 2022

Sailpoint IdentityIQ Loopback Connector Configuration

The Loopback Connector is used to manage the workgroups and capabilities of Sailpoint IdentityIQ itself. This connector is part of the SSF Framework.

The configuration below manages only the workgroups (WG) whose names start with "VIS":

  • Ignore non correlated identities = true
  • Ignore identities with no entitlements = true
  • Identity filter = Workgroups.name.startsWith("VIS")

Account Customization Rule

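import java.util.ArrayList;
import java.util.List;

// Keep only the workgroups whose name starts with "VIS"
List workgroupList = (List) object.getAttribute("workgroups.name");
List updatedWorkgroupList = new ArrayList();
if (workgroupList != null && !workgroupList.isEmpty()) {
  for (String workgroupName : workgroupList) {
    if (workgroupName != null && workgroupName.startsWith("VIS")) {
      updatedWorkgroupList.add(workgroupName);
    }
  }
}
if (!updatedWorkgroupList.isEmpty()) {
  object.setAttribute("workgroups.name", updatedWorkgroupList);
  return object;
}
// No "VIS" workgroup on this account: return null, as the original rule does
return null;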

WorkGroup Customization Rule

// Only workgroups whose name starts with "VIS" are returned, flagged as privileged
String workGroupName = (String) object.getAttribute("name");
if (workGroupName != null && workGroupName.startsWith("VIS")) {
  object.put("privileged", "Yes");
  object.setDisplayName(workGroupName);
  object.setAttribute("description", (String) object.getAttribute("description"));
  return object;
}
// Workgroups outside the "VIS" prefix are not returned
return null;

Saturday, August 28, 2021

Sailpoint IdentityIQ Web Service Connector Configuration

 Sailpoint IdentityIQ Web Service Connector

Group Data
  
<?xml version='1.0' encoding='UTF-8'?>
<results preview='0'>
    <meta>
        <fieldOrder>
            <field>ID</field>
            <field>ATTR</field>
            <field>ATVAL</field>
        </fieldOrder>
    </meta>
    <messages>
        <msg type="DEBUG">Data informtaion</msg>
        <msg type="INFO">Your timerange was substituted based on your search string</msg>
    </messages>
    <result offset='0'>
        <field k='ID'>
            <value h='1'>
                <text>3-Role1</text>
            </value>
        </field>
        <field k='ATTR'>
            <value h='1'>
                <text>PROFILE</text>
            </value>
        </field>
        <field k='ATVAL'>
            <value>
                <text>Role one</text>
            </value>
        </field>
    </result>
    <result offset='1'>
        <field k='ID'>
            <value h='1'>
                <text>3-Role2</text>
            </value>
        </field>
        <field k='ATTR'>
            <value h='1'>
                <text>PROFILE</text>
            </value>
        </field>
        <field k='ATVAL'>
            <value>
                <text>Role two</text>
            </value>
        </field>
    </result>
</results>

Account Data

<?xml version='1.0' encoding='UTF-8'?>
<results preview='0'>
    <meta>
        <fieldOrder>
            <field>ID</field>
            <field>USERLIST</field>
            <field>UserNameInProfile</field>
            <field>EmployeeNumberProfile</field>
        </fieldOrder>
    </meta>
    <messages>
        <msg type="DEBUG">Data informtaion</msg>
        <msg type="INFO">Your timerange was substituted based on your search string</msg>
    </messages>
    <result offset='0'>
        <field k='ID'>
            <value h='1'>
                <text>3-Role1,3-Role2,3-Role3,3-Role4</text>
            </value>
        </field>
        <field k='USERLIST'>
            <value>
                <text>ABC123</text>
            </value>
        </field>
        <field k='UserNameInProfile'>
            <value>
                <text>VISHAL KEJRIWAL</text>
            </value>
        </field>
        <field k='EmployeeNumberProfile'>
            <value h='1'>
                <text>ABC123</text>
            </value>
        </field>
    </result>
    <result offset='1'>
        <field k='ID'>
            <value h='1'>
                <text>3-Role1,3-ROLE3</text>
            </value>
        </field>
        <field k='USERLIST'>
            <value>
                <text>XYZ123</text>
            </value>
        </field>
        <field k='UserNameInProfile'>
            <value>
                <text>VIS KEJ</text>
            </value>
        </field>
        <field k='EmployeeNumberProfile'>
            <value h='1'>
                <text>XYZ123</text>
            </value>
        </field>
    </result>
</results>

Schema Mapping

Adding Group and Account Aggregation Operation

Context URL: the URL used to fetch the data. It must be the same URL that returns the data when called from any API client.

Header
Content-Type : text/XML

Response
Response Attribute Mapping
PROFILE : field[1]/value/text
Attribute : field[2]/value/text
ProfileName : field[3]/value/text

Root Path
//results/result

Successful Response Code
2**

Follow similar steps for Account Aggregation.
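The root path and attribute mapping above can be checked offline against a captured response before the operation is saved. The following is an added example, not part of the original post or of IdentityIQ: it applies the page's XPath expressions with the JDK's own XPath API to a constructed, trimmed copy of the Group Data response. The class name, the `row` helper and the keyed cross-check are assumptions of the example.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.*;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class ResponseMappingCheck {
    // Constructed sample: the page's Group Data response, trimmed to the elements the mapping reads
    static final String GROUP_XML =
        "<results preview='0'><meta><fieldOrder><field>ID</field><field>ATTR</field>"
      + "<field>ATVAL</field></fieldOrder></meta>"
      + row("0", "3-Role1", "Role one") + row("1", "3-Role2", "Role two") + "</results>";

    // Hypothetical helper that builds one <result> element in the page's layout
    static String row(String offset, String id, String name) {
        return "<result offset='" + offset + "'><field k='ID'><value h='1'><text>" + id
             + "</text></value></field><field k='ATTR'><value h='1'><text>PROFILE</text></value></field>"
             + "<field k='ATVAL'><value><text>" + name + "</text></value></field></result>";
    }

    static final String ROOT_PATH = "//results/result";   // Root Path from the page
    // Response Attribute Mapping from the page: schema attribute -> XPath relative to each root node
    static final String[][] MAPPING = {
        {"PROFILE", "field[1]/value/text"}, {"Attribute", "field[2]/value/text"},
        {"ProfileName", "field[3]/value/text"}};

    static List<Map<String, String>> mapRows(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // The response is remote input: refuse DOCTYPE declarations so it cannot carry entities (XXE)
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        XPath xp = XPathFactory.newInstance().newXPath();
        NodeList rows = (NodeList) xp.evaluate(ROOT_PATH, doc, XPathConstants.NODESET);
        List<Map<String, String>> out = new ArrayList<>();
        for (int i = 0; i < rows.getLength(); i++) {
            Map<String, String> attrs = new LinkedHashMap<>();
            for (String[] m : MAPPING) attrs.put(m[0], xp.evaluate(m[1], rows.item(i)));
            // Positional paths depend on column order; cross-check field[1] against the keyed field
            if (!attrs.get("PROFILE").equals(xp.evaluate("field[@k='ID']/value/text", rows.item(i))))
                throw new IllegalStateException("field[1] is not the ID column in result " + i);
            out.add(attrs);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        for (Map<String, String> r : mapRows(GROUP_XML)) System.out.println(r);
    }
}
```

If the column order of the search's `table` output changes, the positional paths would map the wrong column without any error; the keyed cross-check turns that into a hard failure.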

Sample WebServiceBeforeOperationRule, for when the endpoint URL needs to be modified

  import java.util.ArrayList;
  import java.util.List;
  import org.apache.http.client.entity.UrlEncodedFormEntity;
  import org.apache.http.message.BasicNameValuePair;
  import org.apache.http.util.EntityUtils;

  // Fixed search sent to the endpoint; it is a constant, no user input is concatenated into it
  String SEARCH_QUERY = "search index=cleanup RECTYPE=NME ID=3-* earliest=@w0  ATTR=PROFILE | table  ID ATTR ATVAL";

  try {
    // URL-encode the query as a single "search=<query>" form parameter
    List visUrlEncoded = new ArrayList();
    visUrlEncoded.add(new BasicNameValuePair("search", SEARCH_QUERY));
    UrlEncodedFormEntity visUrlEncodedEntity = new UrlEncodedFormEntity(visUrlEncoded);

    // The encoded pair is appended as-is, so the configured URL must already end with "?" or "&"
    String visFinalURL = requestEndPoint.getFullUrl() + EntityUtils.toString(visUrlEncodedEntity);
    requestEndPoint.setFullUrl(visFinalURL);
  }
  catch (Exception exception) {
    // log is supplied to the rule by IdentityIQ; pass the exception to keep the stack trace
    log.error("Exception Occurred: " + exception, exception);
  }
  return requestEndPoint;

Saturday, May 18, 2019

Database - JDBC Application Configuration Using OOTB Connector - Aggregation

1. Create the custom table named “MARS”.
2. Below are the details of the custom table, which needs to be integrated for provisioning and aggregation.

3. Select JDBC as the Application Type, and provide the Name, Owner and Application Type.

4. Click on Configuration → Setting and provide the JDBC Connection Settings and Query Settings.

5. Click on Test Connection and check the connectivity with the DB that needs to be integrated.
6. Navigate to Schema and click on Discover Schema Attribute to fetch all the columns of the database table that is to be managed.
7. Based on the columns that need to be managed, delete the unwanted columns from the attributes list.
8. Modify the Identity Attribute and Display Attribute based on the requirement.

9. Navigate to Correlation and add the correlation rule based on which the accounts are aggregated and linked to the identity.

10. Navigate to Setup and click on Tasks to create the Account Aggregation task that pulls the data from the table.

11. Click on Save and Execute and check the result in the Task Results tab.
12. Navigate to Application → Application Definition → Accounts to see all the accounts that were pulled from the DB.

13. Check the accounts linked to the identity:
14. Navigate to Identity → Identity Warehouse → select the identity and click on Application Accounts to see the accounts, if the links exist.


Saturday, July 21, 2018

Delimited File Application Configuration Using OOTB Connector


Delimited File Connector / Flat File Connector overview

This is the OOTB connector that ships with Sailpoint IdentityIQ. It supports aggregation of both Account and Group (entitlement) objects.

The connector supports:

  1. Reading data from a file that is located locally or is accessible from the application via FTP or SCP.
  2. Files separated by a comma, semicolon, pipe or regular expression.
  3. Different filtering options on the files.
  4. Merging functionality, that is, how multiple records can be merged into a single one.
  5. Partitioning, that is, how many records go into each batch that is created.

1. Application Creation and Configuration

Create the 2 sample files (account file and entitlement file), sunAccount.csv and sunRole.csv, before onboarding any delimited-type application.

Navigate to Applications --> Application Definition --> Add New Application
Select DelimitedFile as the Application Type and set the other mandatory attributes.



2. Adding group object

Navigate to Configuration --> Setting --> Add object type

3. Account and Group Source File Information

Configure the file path, file location, delimiter type and the other settings according to the files to be onboarded, for both the account and the group object, as shown in the screenshot.

4. Configure Account and Group Schema

Click on Discover Schema Attribute, which automatically populates the schema attributes for both the Account and Group object types; these values are populated from the account and group files. Make sure the identity attribute is populated; this attribute is used to decide the uniqueness of the object.
Since we have an entitlement file and the account contains the group, make sure the Role attribute on the account object is set as type Role, marked as an entitlement, and multi-valued.

5. Correlation Configuration

Click on New and create a new correlation rule by selecting USERNAME attribute from the account file = name attribute from the user identity. Once the rule is saved, make sure it is visible under attribute-based correlation.



6. Aggregation Task

Creating a Group Aggregation Task
Setup --> Tasks --> New Task --> Account Group Aggregation
Make sure the task is created with the proper selection of the options available in the task definition.

Creating an Account Aggregation Task
Setup --> Tasks --> New Task --> Account Aggregation
Make sure the task is created with the proper selection of the options available in the task definition.





7. Confirming Correlations and Accounts

Navigate to Application --> Entitlement Catalog and check that the entitlements are loaded from the Role file.

In the same way, validate the accounts and entitlements of the users that were loaded: open the user identity from the Identity Warehouse and check the application and entitlement details of the user.