Showing posts with label FieldValue Rule. Show all posts

Thursday, April 9, 2020

SailPoint IIQ Active Directory Application Integration Using OOTB Connector - Provisioning

Integration of Active Directory with SailPoint IIQ

The steps below need to be followed for the Active Directory and SailPoint IIQ integration.

1. Install the IQService. All provisioning to Active Directory from IIQ goes through this agent, so it must be installed first.
Follow the steps to install the IQService.

2. Set up the Application and aggregate all the existing groups and accounts from Active Directory.

Follow these steps for setting up the Active Directory application.

3. Create the Field Value Rule.
Follow the steps for creating a Field Value Rule.

4. Create the provisioning form and populate the values for the fields that are mandatory for creating the Active Directory account:
Object Type --> User
Account DN --> User DN
User ID --> sAMAccountName
User Principal Name --> Log-on Name
Password
First Name
Last Name
Full Name

Make sure the Field Value Rule mapping below is done for all the required fields.

5. Create the After Provisioning Rule.
Follow the instructions.

6. Attach this rule in the Rules section of the Application as the After Provisioning Rule. This rule sends an email on success or failure of the operation on the user.

Also make sure that these email templates are created:
Active Directory PH Accounts Joiner AD Account Creation Notification
Active Directory PH Accounts Joiner AD Failure Notification

7. Now go to the Access Request page, select the user, select any of the entitlements belonging to this application and submit the request (make sure the entitlement is requestable; only then will it be available on the Access Request page).

8. After submission the request goes through approval, which can be tracked from the Track Request page. Once the approval is done, provisioning starts.

9. Run the Perform Maintenance task to trigger the provisioning.

10. Check AD and see whether the user was created with the values populated by the Field Value Rule; the requested entitlement will also be added, and an email will be triggered with the account details and the password.

11. Run the Perform Identity Request Maintenance task to complete the request.

Wednesday, January 22, 2020

SailPoint Rule - FieldValue Rule

SailPoint IdentityIQ (IIQ) Rule: FieldValue Rule


Creating a FieldValue Rule to populate the values in the provisioning policy.

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE Rule PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<Rule language="beanshell" name="Active Directory PH Accounts Field Value Rule" type="FieldValue">
  <Description>This rule can be used to generate a field value (eg - an account name) using data from the given Identity. If this rule is run in the context of a workflow step then the arguments passed into the step will also be available. Also, any field values that have been processed so far from the policy related to the Application/Role will be available.</Description>

  <Signature returnType="String">
    <Inputs>
      <Argument name="log">
        <Description>
          The log object associated with the SailPointContext.
        </Description>
      </Argument>
      <Argument name="context">
        <Description>
          A sailpoint.api.SailPointContext object that can be used to query the database if necessary.
        </Description>
      </Argument>
      <Argument name="identity" type="Identity">
        <Description>
          The Identity object that represents the user needing the field value.
        </Description>
      </Argument>
      <Argument name="link" type="Link">
        <Description>
          The sailpoint.object.Link that is being acted upon. If the link is not applicable,
          this value will be null.
        </Description>
      </Argument>
      <Argument name="group" type="ManagedAttribute">
        <Description>
          The sailpoint.object.ManagedAttribute that is being acted upon. If the managed attribute
          is not applicable, the value will be null.
        </Description>
      </Argument>
      <Argument name="project" type="ProvisioningProject">
        <Description>
          The provisioning project being acted upon. If a provisioning project is not applicable,
          the value will be null.
        </Description>
      </Argument>
      <Argument name="accountRequest" type="ProvisioningPlan.AccountRequest">
        <Description>
          The account request. If an account request is not applicable, the value will be null.
        </Description>
      </Argument>
      <Argument name="objectRequest" type="ProvisioningPlan.ObjectRequest">
        <Description>
          The object request. If an object request is not applicable, the value will be null.
        </Description>
      </Argument>
      <Argument name="role" type="Bundle">
        <Description>
          The role with the template we are compiling. If the role is
          not applicable, the value will be null.
        </Description>
      </Argument>
      <Argument name="application" type="Application">
        <Description>
          The sailpoint.object.Application with the template we are compiling. If the application
          is not applicable, the value will be null.
        </Description>
      </Argument>
      <Argument name="template" type="Template">
        <Description>
          The Template that contains this field.
        </Description>
      </Argument>
      <Argument name="field" type="Field">
        <Description>
          The current field being computed.
        </Description>
      </Argument>
      <Argument name="current" type="Object">
        <Description>
          The current value corresponding to the identity or account attribute that the field represents.
          If no current value is set, this value will be null.
        </Description>
      </Argument>
      <Argument name="operation" type="ProvisioningPlan.Operation">
        <Description>
          The operation being performed.
        </Description>
      </Argument>
    </Inputs>
    <Returns>
      <Argument name="value">
        <Description>
          The string value created.
        </Description>
      </Argument>
    </Returns>
  </Signature>
  <Source>
    import org.apache.commons.logging.Log;
    import org.apache.commons.logging.LogFactory;
    import sailpoint.object.Field;
    import sailpoint.object.Identity;

    // Dedicated logger so field computation can be traced separately from the default rule log.
    Log log = LogFactory.getLog("rule.fieldValueRule");
    log.debug("Entering FieldValue Rule");

    String value = "";
    log.debug("determining value for the field: " + field.getName());

    switch (field.getName()) {

      case "distinguishedName":
        // Guard against a null display name (would otherwise throw on replace()).
        String displayName = identity.getDisplayName();
        if (displayName == null) {
          displayName = "";
        }
        // Escape commas in the CN so the display name cannot add extra RDNs, and keep the
        // comma before OU=; without it the CN value and "OU=Accounts" run together into one RDN.
        value = "CN=" + displayName.replace(",", "\\,") + ",OU=Accounts,DC=corp,DC=staging";
        break;

      case "sAMAccountName":
        value = identity.getStringAttribute("name");
        break;

      case "userPrincipalName":
        value = identity.getStringAttribute("name") + "@corp.staging";
        break;

      case "password":
        // generatePassword() is not defined in this rule; it must be supplied by a
        // referenced rule library (not shown in this post).
        value = generatePassword();
        break;

      case "givenName":
        value = identity.getFirstname();
        break;

      case "sn":
        value = identity.getLastname();
        break;

      case "middleName":
        // IDENTITY_MIDDLE_NAME is not defined in this rule; it must resolve to the name of the
        // identity attribute that holds the middle name (defined outside this post).
        value = identity.getStringAttribute(IDENTITY_MIDDLE_NAME);
        break;

      case "displayName":
        value = identity.getDisplayName();
        break;

      case "cn":
        value = identity.getDisplayName();
        break;

      case "extensionAttribute1":
        value = identity.getStringAttribute("employeeNumber");
        break;

      default:
        // Fields not handled here are left empty.
        break;
    }

    log.debug("setting value: " + value);
    log.debug("Exiting FieldValue Rule");
    return value;
  </Source>
</Rule>
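The rule above escapes only commas in the CN and passes the identity name straight through as sAMAccountName. The following is an added example, not code from the post or from SailPoint: a stand-alone Python model of what the rule computes for the provisioning-form fields in step 4 (Account DN, User ID, User Principal Name and the name attributes), generalised to full RFC 4514 DN escaping and to the sAMAccountName constraints Active Directory enforces, so a bad value is rejected in the rule rather than failing at provisioning time or landing outside the intended OU. The `SAMPLE_IDENTITY` dictionary is a constructed stand-in for `sailpoint.object.Identity`; the OU and UPN suffix are the literals from the rule. The password case is omitted because the post does not show `generatePassword()`.

```python
"""Stand-alone model of the AD FieldValue Rule mapping (added example, not the post's code)."""

# Characters RFC 4514 requires to be escaped anywhere inside an RDN attribute value.
DN_SPECIAL = {',', '+', '"', '\\', '<', '>', ';', '='}

# Characters AD rejects in sAMAccountName, and its length limit for user accounts.
SAM_INVALID = set('"/\\[]:;|=,+*?<>')
SAM_MAX_LEN = 20

# Constructed identity record standing in for sailpoint.object.Identity (assumption).
SAMPLE_IDENTITY = {
    "name": "jdoe",
    "firstname": "John",
    "lastname": "Doe",
    "displayName": "Doe, John",
    "employeeNumber": "1001",
}


def escape_dn_value(value: str) -> str:
    """Escape a single RDN attribute value per RFC 4514.

    Escaping every special character (not just ',') keeps a display name such
    as 'Doe, John,OU=Other' inside the CN instead of turning into extra RDNs.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        elif ch == ' ' and i in (0, last):
            out.append('\\ ')          # leading/trailing space must be escaped
        elif ch == '#' and i == 0:
            out.append('\\#')          # leading '#' must be escaped
        else:
            out.append(ch)
    return ''.join(out)


def sam_account_name_problems(name: str) -> list:
    """Return the AD constraints a proposed sAMAccountName violates (empty list = OK)."""
    problems = []
    if not name:
        return ["empty"]
    if len(name) > SAM_MAX_LEN:
        problems.append(f"longer than {SAM_MAX_LEN} characters")
    bad = sorted({c for c in name if c in SAM_INVALID or ord(c) < 32})
    if bad:
        problems.append("invalid characters: " + repr(bad))
    if name.endswith('.'):
        problems.append("ends with a period")
    return problems


def field_value(field_name: str, identity: dict,
                base_ou: str = "OU=Accounts,DC=corp,DC=staging",
                upn_suffix: str = "corp.staging") -> str:
    """Compute one provisioning-form field, mirroring the rule's switch statement."""
    display_name = identity.get("displayName") or \
        f"{identity.get('firstname', '')} {identity.get('lastname', '')}".strip()
    if field_name == "distinguishedName":
        return f"CN={escape_dn_value(display_name)},{base_ou}"
    if field_name in ("sAMAccountName", "userPrincipalName"):
        account = identity.get("name", "")
        problems = sam_account_name_problems(account)
        if problems:
            raise ValueError(f"sAMAccountName {account!r}: " + "; ".join(problems))
        return account if field_name == "sAMAccountName" else f"{account}@{upn_suffix}"
    if field_name == "givenName":
        return identity.get("firstname", "")
    if field_name == "sn":
        return identity.get("lastname", "")
    if field_name in ("displayName", "cn"):
        return display_name
    if field_name == "extensionAttribute1":
        return identity.get("employeeNumber", "")
    return ""   # the rule's default branch leaves the field empty


def provisioning_form(identity: dict) -> dict:
    """Compute every field the rule handles (except password) for one identity."""
    fields = ["distinguishedName", "sAMAccountName", "userPrincipalName",
              "givenName", "sn", "displayName", "cn", "extensionAttribute1"]
    return {f: field_value(f, identity) for f in fields}


if __name__ == "__main__":
    for name, val in provisioning_form(SAMPLE_IDENTITY).items():
        print(f"{name:20} -> {val}")
    # A display name carrying RDN-like text stays a single CN component:
    crafted = dict(SAMPLE_IDENTITY, displayName="Doe, John,OU=Other")
    print(field_value("distinguishedName", crafted))
```

Running the script prints the computed form for the sample identity and then shows that a display name containing `,OU=` is escaped into the CN rather than changing the container. In the real rule the same two checks (complete DN escaping and sAMAccountName validation) belong in the `distinguishedName` and `sAMAccountName` cases, with a failure surfaced through the rule log so the provisioning request fails visibly instead of creating an account in the wrong place.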