Sailpoint IQ Active Directory Application Integration Using OOTB Connector - Provisioning

Integration of Active Directory with SailPoint IIQ

Below Steps need to be followed for the Active Directory and Sailpoint IIQ Integration

1. Need to Install IQ Service , All the Provisioning for Active Directory from IIQ happens through the Agent  which need to be installed
follow the steps to install the IQ service 

2. Need to step the Application and Aggregate all the existing groups and the Accounts from the Active Directory
follow this steps for Setting up the Active Directory Application. 

3. Create the Filed value Rule 
follow the steps for creating field value Rule

4. Create the Provisioning form and populating the value for the fields which are mandatory for creating the Active Directory account
Object Type -->User
Account DN --> User DN
User ID --> samAccountName
User Principal Name -->Log-on Name
Password
First Name
Last Name
Full Name

Make sure below Filed Value Rule Mapping is done for all the Required fields

5.  Creating the After Provisioning Rule
Follow the Instruction 

6. Attach this Rule in the Rule section of the Application in after Provisiong Rule , This Rule will send the Email for Success and Failure of the operation on the User.

Also make sure that this email Template are created 

Active Directory PH Accounts Joiner AD Account Creation Notification

Active Directory PH Accounts Joiner AD Failure Notification

7. Now go to the Access Request Page , Select the User --> Select any of the Entitlement belongs to this Application and Submit the request (make sure the Entitlement is requestable , then only it will be available in the Access Request Page)

8. After Submission , it will go through the Approval , which can be Track from the Track Request Page , Once the Approval is done , Provisioning will start

9. Run the Perform Maintenance Task to  Trigger the Provisioning.

10. Check the AD and see if the user is created with the values populated in filed value rule and Entitlement request will also get added  and also Email will be Triggered with the account details and the Password.

11. Run Perform Identity Request Maintenance Task to complete the Request. 

Database - JDBC Application Configuration Using OOTB Connector - Provisioning

1. Perform the steps to configure the Database/JDBC connector as mentioned in the link

2. Navigate to → Application → Rules → Provisioning Rule → Global Provisioning Rule, here we are writing the Rule to Perform the Create and Delete operation , Sample code is attached below

3. Below is the Sample code

import sailpoint.object.ProvisioningResult; import sailpoint.object.ProvisioningPlan; import sailpoint.object.ProvisioningPlan.AccountRequest; import sailpoint.object.ProvisioningPlan.AttributeRequest; import sailpoint.object.Filter; import sailpoint.object.ManagedAttribute; import sailpoint.object.Link; import sailpoint.tools.Util; import sailpoint.api.IdentityService; import java.util.List; import java.util.HashMap; import java.sql.PreparedStatement; ProvisioningResult result = new ProvisioningResult(); if (plan != null){ List accountRequests = plan.getAccountRequests(); if (( accountRequests != null ) && ( accountRequests.size() > 0 )){ for(AccountRequest accRequest: accountRequests){ try { System.out.println("Opeartion Requested: "+accRequest.getOperation()); if(AccountRequest.Operation.Create.equals(accRequest.getOperation())){ accRequest.setNativeIdentity(plan.getNativeIdentity()); PreparedStatement statement = connection.prepareStatement("INSERT INTO MARS(LANID) values (?)"); statement.setString(1, plan.getNativeIdentity()); statement.executeUpdate(); result.setStatus(ProvisioningResult.STATUS_COMMITTED); } if(AccountRequest.Operation.Delete.equals(accRequest.getOperation())){ accRequest.setNativeIdentity(plan.getNativeIdentity()); PreparedStatement statement = connection.prepareStatement("DELETE FROM MARS WHERE LANID =(?)"); statement.setString(1, plan.getNativeIdentity()); statement.executeUpdate(); result.setStatus(ProvisioningResult.STATUS_COMMITTED); } }catch (SQLException e) { result.setStatus(ProvisioningResult.STATUS_FAILED); result.addError(e); } } } } System.out.println("returning the result: "+result.toXml()); return result;

4. Click on Application→ Provisioning Policy → Create a new policy and attach the same to the Create operation

5. Checking the Provisioning for the application , Navigate to → Manage Request → Account Request → Select the Identity for which Account need to be request

(Make sure the setting is done to make this application as requestable)

6. Checking  the Database to validate if the Provisioning created the account for the Custom Application ,  

Here we can see the Entry for the User is added to the Configured table

7. We won’t we able to see the Link until we run the Account Aggregation Task which we created in earlier post

8. Click on Save and Execute and Check the Result from the task Result Tab.

9. Navigate to Application → Application Definition → Accounts and see all the Accounts which are pulled from the DB.

10. Checking the linked Account to the Identity,

11. Navigate to Identity → Identity Warehouse → Select the Identity

Click on the Application Accounts to see the the Accounts if the Link Exists.

12 . Few Important point Noticed :

Link will be created only once the Aggregation Task is ran , ie if the Application is requested for create
Provisioning will be done at the End point , but no link can be seen on the Identity Cube .

Link will be deleted if the Application is requested to perform delete .

getSQL operation will work only once the link is present on the account.