Create and Configure a Web Services Application in SailPoint IdentityIQ

This page describes how to create and configure a SailPoint IdentityIQ web services application and its subsequent operations, such as the aggregation of users, groups, and applications, and the correlation between them.

It involves the following steps:

  1. Create a Web Services Application in SailPoint IdentityIQ
  2. Navigate to Edit the Application
  3. Configure Schema
  4. Add Operations in SailPoint Application
  5. Create and execute tasks

Create a Web Services Application in SailPoint IdentityIQ

This application aggregates all the users, groups, and applications that belong to a virtual server in STA, so that you can audit it.

To create a new web service application in SailPoint IdentityIQ, perform the following steps:

  1. Log in to the SailPoint IdentityIQ console URL. For example, <SailPoint IdentityIQ FQDN>/identityiq/login.jsf.

  2. On the SailPoint IdentityIQ console, at the top pane, click Applications > Application Definition.

  3. In the Application Definition window, click Add New Application.

  4. On the Edit Application <application name> window, under the Details tab, perform the following steps:

    1. In the Name field, enter an application name. For example, SafeNet.

    2. In the Owner dropdown, select an application owner for the SafeNet application.

      For more details on the application owner, refer to the SailPoint IdentityIQ Application Configuration Guide.

    3. In the Application Type dropdown, select Web Services.

  5. At the top pane, click Configuration, and then click Settings. Under Add Object Type, in the General Settings section, enter the following details:

    1. In the Base URL field, enter the STA API Endpoint URL that you obtained earlier in the Generate an API key section: <API web server URL>/api/v1/tenants/

    2. In the Authentication Method field, select API Token.

    3. In the API Token field, enter the API Key that you generated in the Generate an API key section.

  6. Scroll down to the bottom of the window and click Save.

Navigate to Edit the Application

This section describes how to open an application for editing while configuring the operations. Use the following steps to search for an application:

  1. On the SailPoint IdentityIQ console, at the top pane, click Applications > Application Definition.

  2. Search for and select the application that you created in Step 4(a) of the Create a Web Services Application in SailPoint IdentityIQ section. For example, SafeNet.

Configure Schema

This section provides information about SafeNet Trusted Access (STA) attribute mapping to the SailPoint IdentityIQ schema.

  1. Perform the steps in Navigate to Edit the Application section.

  2. Under Edit Application <application name> window, click Configuration, and then click Settings.

  3. Under Settings, click Add Object Type. On the Add Object Type window, in the Name Object Type field, enter Applications, and then click OK.

  4. Scroll down to the bottom of the window and click Save.

  5. Perform the steps in Navigate to Edit the Application section.

  6. At the top pane, click Configuration, and then click Schema.

  7. Under Object Type: account, perform the following steps:

    1. Under Details, enter the following values in the specified fields:

      Fields (case sensitive)   Values (case sensitive)
      Native Object Type        user
      Identity Attribute        id
      Display Attribute         userName
      Instance Attribute

    2. Under Attributes, click Add New Schema Attribute and then perform the following steps:

    3. Add all the attributes as mentioned in the following table:

      Name (case sensitive)   Description (Optional)   Type           Properties
      id                                               String
      schemaVersionNumber                              String
      userName                                         String
      firstName                                        String
      lastName                                         String
      email                                            String
      isSynchronized                                   boolean
      applications                                     Applications   Managed, Entitlement, Multi-Valued
      groups                                           group          Managed, Entitlement, Multi-Valued

      Repeat this step until all the attributes from the above table are added.

    4. After adding the groups and applications attribute in the schema, edit the Properties by clicking on the Edit icon in the respective row.

    5. Under Advanced Properties, select Managed, Entitlement, and Multi-Valued.

    6. Click Save.

  8. Under Object Type: group section, perform the following steps:

    1. Under Details, enter the following values in the specified fields:

      Fields (case sensitive)   Values (case sensitive)
      Native Object Type        group
      Identity Attribute        id
      Display Attribute         name
      Description Attribute     name
      Instance Attribute

    2. Under Attributes, click Add New Schema Attribute and then perform the following steps:

    3. Add all the attributes as mentioned in the following table:

      Name (case sensitive)   Description (optional)   Type           Properties
      id                                               String
      schemaVersionNumber                              String
      Name                                             String
      description                                      String
      isSynchronized                                   boolean
      applications                                     Applications   Multi-Valued, Entitlement, Indexed

      Repeat this step until all the attributes from the above table are added.

    • After adding the applications attribute in the schema, edit the Properties by clicking on the Edit icon in the respective row.

    • Under Attributes, enter the Name with the specified Type and its corresponding Properties.

    • Under Advanced Properties, select Managed, Entitlements, and Multi-Valued.

    • Click Save.

  9. Under Object Type: Applications, perform the following steps:

    1. Under Details, enter the following values in the specified fields:

      Field (case sensitive)    Values (case sensitive)
      Aggregation Type          Group
      Native Object Type        application
      Identity Attribute        id
      Display Attribute         name
      Instance Attribute
      Description Attribute     name

    2. Under Attributes, click Add New Schema Attribute and then perform the following steps:

    3. Add all the attributes as mentioned in the following table:

    4. Under Attributes, enter the Name with the specified Type and its corresponding Properties.

      Field (case sensitive)   Description   Types (case sensitive)   Properties
      id                                     string
      name                                   string
      status                                 string

      Repeat this step until all the attributes from the above table are added.

  10. Scroll down to the bottom of the window and click Save.

Add Operations in SailPoint Application

Operations in the web services application act as interdependent sub-tasks. Each operation performs its own aggregation in a predefined sequence so that the web services application added in SailPoint IdentityIQ can gather users, groups, and applications and provide a correlation between them. The operations are also required to take provisioning and remediation actions.

For SafeNet Trusted Access (STA), each operation communicates with a dedicated REST API endpoint. For example, a user ID aggregation operation is responsible for mapping all the user accounts in a virtual server and communicates with the /api/v1/tenants/{tenantCode}/users REST API endpoint.

For the web services application to function correctly, the operations must be created in the following sequence:

  1. Test connection
  2. Aggregate user IDs
  3. Aggregate user IDs and their groups
  4. Aggregate user IDs and their applications
  5. Aggregate applications
  6. Aggregate groups
  7. Aggregate groups and their applications
  8. Remove user from a group
  9. Add user to a group

Test connection

The test connection operation interacts with the /api/v1/tenants/{tenantCode}/authorized API endpoint in STA.

It ensures that the API connection is successfully established between SailPoint and STA.

  1. Perform the steps in Navigate to Edit the Application section.

  2. On the Edit Application <application name> window, click Configuration > Settings > Connector Operations.

  3. In the Connector Operations section, click Add Operation.

  4. Under Connector Operations, to edit the operation settings, perform the following steps:

    1. In the Operation dropdown, select Test Connection, and then in the Name field, enter a name for the operation, for example, test_connection.

    2. Click the Edit icon to edit the operation settings.

  5. In the Context URL field, enter authorized, and in the Method dropdown, ensure that GET is selected.

  6. In the Connection Settings window, click Save.

  7. Scroll down to the bottom of the window and click Save.

  8. Perform the steps in Navigate to Edit the Application section.

  9. On the Edit Application <application name> window, click Configuration > Settings.

  10. Under Connector Operations, click Test Connection and verify that the result is displayed as Test Successful.

Aggregate user IDs

This operation interacts with the users API endpoint /api/v1/tenants/{tenantCode}/users in STA. It aggregates all the users in an STA virtual server into SailPoint IdentityIQ.

  1. Perform the steps in Navigate to Edit the Application section.

  2. On the Edit Application <application name> window, click Configuration > Settings > Connector Operations.

  3. In the Connector Operations section, click Add Operation.

  4. Under Connector Operations, to edit the operation settings, perform the following steps:

    1. In the Operation dropdown, select Account Aggregation, and then in the Name field, enter a name for the operation, for example, UserID.

    2. Click the Edit icon to edit the operation settings.

  5. In the left pane, under Connection Settings, perform the following steps:

    1. In the Context URL field, enter users.

    2. In the Method dropdown, ensure that GET is selected.

    3. In the Header section, click Add Row and enter the following Key and Value:

      Key                Value (case sensitive)
      Object-Id-Format   hex

    4. Click Response. In the Response Attribute Mapping section, click Add Row and then enter the following information:

      Schema Attribute (case sensitive)   Attribute Path (case sensitive)
      firstName                           firstName
      lastName                            lastName
      schemaVersionNumber                 schemaVersionNumber
      groups                              groups
      isSynchronized                      isSynchronized
      id                                  id
      userName                            userName
      email                               email
      applications                        applications

      Repeat this step until all the attributes from the above table are added.

    5. In the Root Path field, enter $.page.items.

    6. In the Successful Response Code field, enter 200.

  6. Click Paging and then enter the following values:

    Fields                Values (case sensitive)
    Initial Page Offset   0
    Page Size             50 (Recommended range: 20-50)
    Paging Step           TERMINATE_IF $response.links.next$ == NULL
                          $endpoint.fullUrl$ = $response.links.next$

  7. In the Connection Settings window, click Save.

  8. Scroll down to the bottom of the window and click Save.

Aggregate user IDs and their groups

The user ID/group connection operation interacts with the API endpoint in STA. For example, api/v1/tenants/{tenantCode}/users/{userId}/groups.

It aggregates the list of groups assigned to a user in a STA virtual server to SailPoint IdentityIQ. If the user is a member of a nested group, all the groups on the path up to the top-level group in the nested tree hierarchy are included.

  1. Perform the steps in Navigate to Edit the Application section.

  2. On the Edit Application <application name> window, click Configuration > Settings > Connector Operations.

  3. In the Connector Operations section, click Add Operation.

  4. In the Connector Operations section, perform the following steps:

    1. In the Operation dropdown, select Account Aggregation, and then in the Name field, enter a name for the operation, for example, UserID/Groups.

    2. Click the Edit icon to edit the operation settings.

  5. In the left pane, under Connection Settings, perform the following steps:

    1. In the Context URL field, enter users/$response.id$/groups.

    2. In the Method dropdown, ensure that GET is selected.

    3. In the Header section, click Add Row, and then enter the following Key and Value:

    Key (case sensitive)   Value (case sensitive)
    Object-Id-Format       hex

  6. Click Response. In the Response Attribute Mapping section, click Add Row, and then enter the following values:

    Schema Attribute   Attribute Path (case sensitive)
    groups
    id                 id
    applications

    • In the Root Path field, enter $.page.items.

    • In the Successful Response Code field, enter 200.

  7. Click After Rule and then click the button next to After Operation Rule.

  8. On the Rule Editor window, perform the following steps:

    • In the right pane, in the Rule Name field, enter a rule name, for example, SafeNet After Account Group Rule.

    • In the left pane, under Rule Editor, copy and paste the code provided in Rule 1 and then click Save.

  9. In the After Operation Rule, select the rule name that you have created in the above steps. For example, SafeNet After Account Group Rule.

  10. Click Paging and then enter the following values in the specified fields:

    Fields        Values
    Page Offset   0
    Page Size     50 (Recommended range: 20-50)

  11. Click Parent Endpoint. In the Parent Endpoint Name field, enter the name that you added in Step 4a of the Aggregate User IDs section, for example, UserID.

  12. In the Connection Settings window, click Save.

  13. Scroll down to the bottom of the window and click Save.
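
The parent operation (users) and its child operation (users/$response.id$/groups) configured above can be modelled offline to see what the Root Path, Paging Steps and Successful Response Code settings do with a response. This is an added example, not Thales or SailPoint code: the base URL, the pageIndex query parameter, the sample ids and the same-origin check on links.next are assumptions made for the illustration, and the merge done by the After Operation Rule is replaced by a plain list of group ids per user.

```python
"""Offline model of the users -> users/<id>/groups aggregation (added example)."""
from urllib.parse import urlsplit

# Assumption: placeholder for the STA API endpoint URL entered in Base URL.
BASE_URL = "https://sta.example.invalid/api/v1/tenants/TENANTCODE/"
HEADERS = {"Object-Id-Format": "hex"}   # header row configured on the page
MAX_PAGES = 1000                        # upper bound on pages per operation


def same_origin(url, base=BASE_URL):
    """True when url has the same scheme and host:port as the Base URL."""
    a, b = urlsplit(url), urlsplit(base)
    return (a.scheme, a.netloc) == (b.scheme, b.netloc)


def aggregate(fetch, context_url):
    """Walk one operation and return every item found under $.page.items.

    fetch(url, headers) -> (status_code, parsed_json) is supplied by the caller.
    """
    url, items, seen = BASE_URL + context_url, [], set()
    for _ in range(MAX_PAGES):
        if url in seen:
            raise RuntimeError("paging loop at " + url)
        seen.add(url)
        status, body = fetch(url, HEADERS)
        if status != 200:                       # Successful Response Code
            raise RuntimeError("unexpected status %s for %s" % (status, url))
        items.extend(body["page"]["items"])     # Root Path $.page.items
        nxt = (body.get("links") or {}).get("next")
        if nxt is None:                         # TERMINATE_IF ... == NULL
            return items
        if not same_origin(nxt):
            # The API token is sent with every request, so a next link that
            # points at another host is refused instead of followed.
            raise RuntimeError("next link leaves the Base URL origin: " + nxt)
        url = nxt                               # $endpoint.fullUrl$ = next
    raise RuntimeError("more than MAX_PAGES pages")


def aggregate_with_groups(fetch):
    """Parent operation 'users', then child 'users/$response.id$/groups'."""
    result = {}
    for user in aggregate(fetch, "users"):
        groups = aggregate(fetch, "users/%s/groups" % user["id"])
        result[user["userName"]] = sorted(g["id"] for g in groups)
    return result


def make_fake_api(next_for_page_1):
    """Constructed sample responses standing in for STA (two pages of users)."""
    pages = {
        BASE_URL + "users": {
            "page": {"items": [{"id": "0a1b", "userName": "alice"},
                               {"id": "0c2d", "userName": "bob"}]},
            "links": {"next": next_for_page_1}},
        BASE_URL + "users?pageIndex=1": {
            "page": {"items": [{"id": "0e3f", "userName": "carol"}]},
            "links": {"next": None}},
        BASE_URL + "users/0a1b/groups": {
            "page": {"items": [{"id": "f001"}, {"id": "f002"}]}, "links": {}},
        BASE_URL + "users/0c2d/groups": {
            "page": {"items": []}, "links": {}},
        BASE_URL + "users/0e3f/groups": {
            "page": {"items": [{"id": "f002"}]}, "links": {}},
    }

    def fetch(url, headers):
        assert headers.get("Object-Id-Format") == "hex"
        return (200, pages[url]) if url in pages else (404, {})
    return fetch


if __name__ == "__main__":
    api = make_fake_api(BASE_URL + "users?pageIndex=1")
    print(aggregate_with_groups(api))
```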

Aggregate user IDs and their applications

The user ID/application connection operation interacts with the /api/v1/tenants/{tenantCode}/users/{userId}/applications API endpoint in STA. It aggregates the list of applications that are assigned to a user in a STA virtual server to SailPoint IdentityIQ.

Agent applications are not supported.

  1. Perform the steps in Navigate to Edit the Application section.

  2. On the Edit Application <application name> window, click Configuration > Settings > Connector Operations.

  3. In the Connector Operations section, click Add Operation.

  4. Under Connector Operations, perform the following steps:

    1. In the Operation dropdown, select Account Aggregation, and then in the Name field, enter a name for the operation, for example, UserID/Applications.

    2. Click the Edit icon to edit the operation settings.

  5. In the left pane, under Connection Settings, perform the following steps:

    1. In the Context URL field, enter users/$response.id$/applications.

    2. In the Method dropdown, ensure that GET is selected.

    3. In the Header section, click Add Row and then enter the following Key and Value:

    Key (case sensitive)   Value (case sensitive)
    Object-Id-Format       hex

  6. Click Response. In the Response Attribute Mapping section, click Add Row, and then enter the following values:

    Schema Attribute   Attribute Path (case sensitive)
    id                 id
    applications

    • In the Root Path field, enter $.page.items.

    • In the Successful Response Code field, enter 200.

  7. Click After Rule and then click the button next to After Operation Rule.

  8. On the Rule Editor window, perform the following steps:

    • In the right pane, in the Rule Name field, enter a Rule Name, for example, SafeNet After Account Application Rule.

    • In the left pane, under Rule Editor, copy and paste the code provided in Rule 2 and then click Save.

  9. In the After Operation Rule dropdown, select the rule name that you have created in the above step. For example, SafeNet After Account Application Rule.

  10. Click Paging and then enter the following values in the specified fields:

    Field                 Value
    Initial Page Offset   0
    Page Size             50 (Recommended range: 20-50)

  11. Click Parent Endpoint. In the Parent Endpoint Name field, enter the same name added in Step 4(a) of Aggregate User IDs section, for example, UserID.

  12. In the Connection Settings window, click Save.

  13. Scroll down to the bottom of the window and click Save.

Aggregate applications

The application connection operation interacts with the /api/v1/tenants/{tenantCode}/applications API endpoint in STA. It aggregates the list of applications for a virtual server in STA to SailPoint IdentityIQ.

  1. Perform the steps in Navigate to Edit the Application section.

  2. On the Edit Application <application name> window, click Configuration > Settings > Connector Operations.

  3. In the Connector Operations section, click Add Operation.

  4. Under Connector Operations, to edit the operation settings, perform the following steps:

    1. In the Operation dropdown, select Group Aggregation-Applications, and then in the Name field, enter a name for the operation, for example, Applications.

    2. Click the Edit icon to edit the operation settings.

  5. In the left pane, under Connection Settings, perform the following steps:

    1. In the Context URL field, enter applications.

    2. In the Method field, ensure that GET is selected.

    3. Click Response. In the Response Attribute Mapping section, click Add Row, and then enter the following values:

      Schema Attribute   Attribute Path (case sensitive)
      name               name
      id                 id
      groups             groups
      status             status

    4. In the Root Path field, enter $.page.items.

    5. In the Successful Response Code field, enter 200.

  6. Click Paging and then enter the following values:

    Key                   Value (case sensitive)
    Initial Page Offset   0
    Page Size             50 (Recommended range: 20-50)
    Paging Steps          TERMINATE_IF $response.links.next$ == NULL
                          $endpoint.fullUrl$ = $response.links.next$

  7. In the Connection Settings window, click Save.

  8. Scroll down to the bottom of the window and click Save.

Aggregate groups

The groups connection operation interacts with the /api/v1/tenants/{tenantCode}/groups API endpoint in STA. It aggregates the list of groups in a virtual server in STA to SailPoint IdentityIQ.

  1. Perform the steps in Navigate to Edit the Application section.

  2. On the Edit Application <application name> window, click Configuration > Settings > Connector Operations.

  3. In the Connector Operations section, click Add Operation and perform the following steps:

    1. In the Operation dropdown, select Group Aggregation, and in the Name field, enter a name for the operation, for example, Groups.

    2. Click the Edit icon to edit the operation settings.

  4. In the left pane, under Connection Settings, perform the following steps:

    1. In the Context URL field, enter groups and in the Method dropdown, ensure that GET is selected.

    2. Click Response. In the Response Attribute Mapping section, click Add Row and then enter the following values:

    Schema Attribute (case sensitive)   Attribute Path (case sensitive)
    name                                name
    id                                  id
    schemaVersionNumber                 schemaVersionNumber
    description                         description
    isSynchronized                      isSynchronized
    applications                        applications

    • In the Root Path field, enter $.page.items.

    • In the Successful Response Code field, enter 200.

  5. Click Paging and then enter the following values in the specified fields:

    Field                 Value (case sensitive)
    Initial Page Offset   0
    Page Size             50 (Recommended range: 20-50)
    Paging Steps          TERMINATE_IF $response.links.next$ == NULL
                          $endpoint.fullUrl$ = $response.links.next$

  6. In the Connection Settings window, click Save.

  7. Scroll down to the bottom of the window and click Save.

Aggregate groups and their applications

The groups/applications connection operation interacts with the /api/v1/tenants/{tenantCode}/groups/{groupId}/applications API endpoint in STA. It aggregates the list of applications that are assigned to a group in a virtual server in STA to SailPoint IdentityIQ.

  1. Perform the steps in Navigate to Edit the Application section.

  2. On the Edit Application <application name> window, click Configuration > Settings > Connector Operations.

  3. In the Connector Operations section, click Add Operation.

  4. Under Connector Operations, to edit the operation settings, perform the following steps:

    1. In the Operation dropdown, select Group Aggregation, and then in the Name field, enter a name for the operation, for example, Groups/Applications.

    2. Click the Edit icon to edit the operation settings.

  5. In the left pane, under Connection Settings, perform the following steps:

    1. In the Context URL field, enter groups/$response.id$/applications and in the Method dropdown, ensure that GET is selected.

    2. Click Response. In the Response Attribute Mapping section, click Add Row, and then enter the following Schema Attribute and Attribute Path values:

    Schema Attribute   Attribute Path (case sensitive)
    name               name
    id                 id
    status             status
    applications

    • In the Root Path field, enter $.page.items.

    • In the Successful Response Code field, enter 200.

  6. Click After Rule and then in the After Operation Rule dropdown, select the rule name that you have created in Step 8 of Aggregate user IDs and their groups section. For example, SafeNet After Account Group Rule.

  7. Click Paging and then enter the following field values:

    Field                 Value (case sensitive)
    Initial Page Offset   0
    Page Size             50 (Recommended range: 20-50)

  8. Click Parent Endpoint. In the Parent Endpoint Name field, enter the same name added in Step 3(a) of Aggregate Groups section (for example: Groups).

  9. In the Connection Settings window, click Save.

  10. Scroll down to the bottom of the window and click Save.

Remove user from a group

This connection operation interacts with the /api/v1/tenants/{tenantCode}/groups/{groupId}/members/{userId} API endpoint in STA. It removes the user from a group in STA, and acts as a remove entitlement operation in SailPoint IdentityIQ.

  1. Perform the steps in Navigate to Edit the Application section.

  2. On the Edit Application <application name> window, click Configuration > Settings > Connector Operations.

  3. In the Connector Operations section, click Add Operation.

  4. Under Connector Operations, to edit the operation settings, perform the following steps:

    1. In the Operation dropdown, select Remove Entitlement, and then in the Name field, enter a name for the operation, for example, remove-usr-frm-grp.

    2. Click the Edit icon to edit the operation settings.

  5. In the left pane, under Connection Settings, perform the following steps:

    1. In the Context URL field, enter groups/$plan.groups$/members/$plan.nativeIdentity$ and in the Method dropdown, ensure that DELETE is selected.

    2. In the Header section, click Add Row, and then enter the following values:

    Key                Value (case sensitive)
    Object-Id-Format   hex

  6. Click Response and in the Successful Response Code field, enter 204.

  7. In the Connection Settings window, click Save.

  8. Scroll down to the bottom of the window and click Save.

Add user to a group

This connection operation interacts with the /api/v1/tenants/{tenantCode}/groups/{groupId}/members API endpoint in STA. It adds the user to a group in STA and acts as an ADD entitlement operation in SailPoint IdentityIQ.

  1. Perform the steps in Navigate to Edit the Application section.

  2. On the Edit Application <application name> window, click Configuration > Settings > Connector Operations.

  3. In the Connector Operations section, click Add Operation.

  4. Under Connector Operations, to edit the operation settings, perform the following steps:

    1. In the Operation dropdown, select Add Entitlement and in the Name field, enter a name for the operation, for example, add-usr-to-grp.

    2. Click the Edit icon to edit the operation settings.

  5. In the left pane, under Connection Settings, perform the following steps:

    1. In the Context URL field, enter groups/$plan.groups$/members and in the Method dropdown, ensure that POST is selected.

    2. In the Header section, click Add Row and then enter the following values:

    Key                Value (case sensitive)
    Object-Id-Format   hex

  6. Click Body and enter the following code in raw format:

         {"id":"$plan.nativeIdentity$","type":"User"}

    Ensure that you copy and paste the above code as is.

  7. Click Response and in the Successful Response Code field, enter 200.

  8. In the Connection Settings window, click Save.

  9. Scroll down to the bottom of the window and click Save.
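
The two provisioning operations above substitute $plan.groups$ and $plan.nativeIdentity$ into the Context URL and the request body. The added example below (not part of the original guide and not SailPoint's implementation) renders both requests offline and rejects plan values that are missing or are not plain hex ids, so a malformed value cannot change the request path. Treating ids as hex strings, and one group id per request, are assumptions based on the Object-Id-Format header.

```python
"""Render the Remove/Add Entitlement requests from a plan (added example)."""
import json
import re

PLACEHOLDER = re.compile(r"\$plan\.(\w+)\$")
# Assumption: with Object-Id-Format set to hex, ids are plain hex strings.
HEX_ID = re.compile(r"[0-9a-fA-F]+")

# Method, Context URL, Body and Successful Response Code as entered on the page.
OPERATIONS = {
    "remove-usr-frm-grp": {
        "method": "DELETE",
        "context_url": "groups/$plan.groups$/members/$plan.nativeIdentity$",
        "body": None,
        "success": 204,
    },
    "add-usr-to-grp": {
        "method": "POST",
        "context_url": "groups/$plan.groups$/members",
        "body": '{"id":"$plan.nativeIdentity$","type":"User"}',
        "success": 200,
    },
}


def render(template, plan):
    """Substitute $plan.x$ placeholders, refusing missing or non-hex values."""
    def substitute(match):
        key = match.group(1)
        value = plan.get(key)
        if not isinstance(value, str) or not HEX_ID.fullmatch(value):
            raise ValueError("plan.%s is missing or not a hex id: %r"
                             % (key, value))
        return value

    rendered = PLACEHOLDER.sub(substitute, template)
    if "$" in rendered:                 # a placeholder the pattern did not match
        raise ValueError("unresolved placeholder in %r" % rendered)
    return rendered


def build_request(operation, plan):
    """Return method, relative path, headers, JSON body and expected status."""
    op = OPERATIONS[operation]
    body = op["body"]
    return {
        "method": op["method"],
        "path": render(op["context_url"], plan),
        "headers": {"Object-Id-Format": "hex"},
        # json.loads confirms the rendered body is still valid JSON.
        "body": json.loads(render(body, plan)) if body else None,
        "success": op["success"],
    }


def succeeded(request, status_code):
    """Compare a response status with the Successful Response Code."""
    return status_code == request["success"]


if __name__ == "__main__":
    sample_plan = {"groups": "f001", "nativeIdentity": "0a1b"}  # constructed ids
    for name in OPERATIONS:
        print(name, build_request(name, sample_plan))
```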

Create and Execute Tasks

In SailPoint IdentityIQ, a task acts as a trigger to execute a created application. In this integration, our application is a web services application, for example, SafeNet.

A task also results in either a success or an error during the execution of an application. To generate the audit report, a successful execution of a task is required.

To create and execute a task in SailPoint IdentityIQ, use the following sections:

  1. Account aggregation tasks provide a high-level summary of the number of accounts scanned by a successful execution of the SailPoint web services application.

  2. Group aggregation tasks provide a high-level summary of the number of groups and applications scanned by a successful execution of the SailPoint web services application.

  3. Task Execution steps can be used to execute an existing task.

If any of the tasks does not execute successfully and generates an error, verify that all the steps were followed correctly.

Account aggregation tasks

  1. Open the SailPoint admin console.

  2. At the top pane, click Setup > Tasks.

  3. On the Tasks window, in the top-right pane, click New Task, and then click Account Aggregation.

  4. In the New Task window, in the Name field, enter a name for the task (for example: SafeNet-ac-task).

  5. Under Account Aggregation Options, select the application that you have created in Step 4(a) of Create a Web Services Application in SailPoint IdentityIQ section. For example, SafeNet.

  6. Ensure that Detect deleted accounts checkbox is selected.

  7. Scroll down to the bottom of the window and click Save and Execute.

  8. To verify the Account Aggregation Task, perform the following steps:

    1. On the SailPoint admin console, at the top-left pane, click Setup > Tasks.

    2. On the Tasks window, click the Task Results tab.

    3. Search for the task that you created in Step 4 of the Account aggregation tasks section (for example, SafeNet-ac-task).

    4. Verify that the task is completed successfully.

    An account aggregation task might take several minutes to complete, depending upon the number of accounts to aggregate.

  9. On the Tasks window, under Name, click on the successful task (for example, SafeNet-ac-task) to view the task execution details.

  10. A detailed view of the successful task will be displayed.

Group aggregation tasks

  1. On the SailPoint admin console, at the top pane, click Setup > Tasks.

  2. In the right pane, click New Task, and then click Account Group Aggregation.

  3. In the New Task window, in the Name field, enter a name for the task (for example, SafeNet-grp-task).

  4. In the New Task window, under Account Group Aggregation Options, in Select applications to scan, select the application that you have created in Step 4(a) of Create a Web Services Application in SailPoint IdentityIQ section. For example, SafeNet.

  5. Under Account Group Aggregation Options, select the Filter object types to scan checkbox.

  6. In the Filter object types to scan section, click the Add object type dropdown, and then select Applications and group.

  7. Ensure that Detect deleted account groups checkbox is selected.

  8. In the Automatically promote descriptions to this locale field, select en_us.

  9. In the Description attribute (default "description") field, enter description.

  10. In the Group Aggregation Refresh Rule field, click the button to open the Rule Editor.

  11. In the Rule Editor window, perform the following steps:

    1. In the right pane, in the Rule Name field, enter a rule name (for example, Create SailPoint Managed Group).

    2. In the left pane, under Rule Editor, copy and paste the code provided in Rule 3.

    3. Click Save.

    4. Under Rule Type, in the Group Aggregation Refresh Rule field, select the rule that you created in the above step (for example, Create SailPoint Managed Group).

  12. Scroll down to the bottom of the window and click Save and Execute.

  13. To verify the account group aggregation task, perform the following steps:

    1. On the SailPoint admin console, at the top-left pane, click Setup > Tasks > Task Results.

    2. Search for the task that you have created in Step 3 of Group Aggregation Task section.

    3. Verify that the account aggregation task is completed successfully.

    A group aggregation task might take several minutes to complete, depending upon the number of groups to aggregate.

  14. On the Tasks window, under Name, click on the successful task (for example, SafeNet-grp-task) to view the task execution details.

  15. A detailed view of the successful task will be displayed.

Task Execution

To execute an existing task, perform the following steps:

  1. Navigate to SailPoint admin console, and at the top pane, click Setup > Tasks.

  2. In the Tasks window, under the Tasks tab, search the task that you want to execute (for example, SafeNet-grp-task). Right click on the task and then click Execute In Background.

    For the new on-boarded users, you can click Schedule to run the task based on a schedule, for example, daily during off hours (for both Account and Group aggregation tasks).

  3. To monitor the task execution progress, perform the following steps:

    1. In the Tasks window, under the Task results tab, search the task that you want to monitor (for example, SafeNet-grp-task).

    2. Click on the task. The result status is displayed as either Success or Fail.
