Sailpoint Connectors

SailPoint IdentityIQ uses connectors in many ways. Connectors are grouped into categories according to how they communicate with IdentityIQ. In this blog you will learn what a SailPoint connector is, how connectors work, which read/write connectors exist, and which direct connectors are read-only.


What is Sailpoint Connector?

A SailPoint connector is the bridge IdentityIQ uses to connect to different data sources and collect data from them. It also lets you integrate any management system that exposes web services, so that IdentityIQ can read from and write to it. IdentityIQ binds to a target resource through a software component that reads from, and reports back to, that resource.

Sailpoint Application Configuration

Onboarding an application is what creates the connector instance; the logic flow diagram below illustrates the process. [Figure: SailPoint connector logic flow]

For each connector/application instance, the following parameters must be specified:

  • Connection parameters: Login, Password.
  • Schema
  • Groups
  • Activity sources
  • IdentityIQ rules

The following are the most popular types of connectors:

  • Delimited File
  • JDBC
  • LDAP
  • AD
  • Logical
  • Multiplex


Working of Connectors

1) Governance Connector

Governance connectors provide direct read-only access to an external application, using the connection parameters defined in the Application Specification.

The Governance Connectors that are currently available are as follows:

  • LDIF
  • SAP HR/HCM
  • UNIX
  • VMS
  • Mainframe
  • TopSecret
  • Delimited File
  • Logical
  • RuleBasedFileParser
  • RuleBasedLogical
  • Yammer

2) Direct Connectors

Direct connectors are read-write connectors that enable IdentityIQ and the external application to exchange data directly in both directions. When read-and-write capabilities are needed for apps that have these connectors, they are the most efficient and safest choice to use. Here's a rundown of the existing direct connectors:

  • ADAM - Direct
  • JDBC
  • Novell Directory - Direct
  • OID - Direct
  • OpenLDAP - Direct
  • SunOne - Direct
  • Tivoli - Direct
  • Google Apps
  • Webex
  • Salesforce
  • Active Directory
  • GoToMeeting
  • Box.NET
  • NetSuite
  • AWS
  • Office 365
  • SharePoint Online
  • Exchange Online
  • SharePoint On-premises
  • IBM Lotus Domino
  • BMC Remedy ITSM
  • BMC Remedy
  • Oracle E-Business Suite
  • RSA Ace Server
  • SAP
  • SAP Enterprise Portal
  • Tenrox
  • Rally
  • Tivoli Access Manager
  • ServiceNow
  • Microsoft SQL Server
  • Oracle
  • AIX
  • Linux
  • Solaris
  • Sybase
  • PeopleSoft
  • RemedyForce

3) Gateway Connectors

Gateway connectors are Direct connectors that have been rewritten to reach the external application through the Connector Manager.

4) Agent Connectors

Agent connectors are meant for unified mainframe security systems, and Agents are the simplest and safest way to connect to them. Like Gateway connectors, Agents communicate with IdentityIQ through the Connector Gateway. Agent connectors include the features of the Connector Manager, so a separate Connector Manager is no longer needed. The IdentityIQ Agent Connectors are as follows:

  • ACF2
  • AS400
  • RACF Full
  • TopSecret Full
  • DB2-UDB


Target permissions support (RACF, ACF2, and Top Secret)

The Target permissions function is supported by Mainframe-based connectors such as RACF, ACF2, and Top Secret.

There are two types of groups available in Sailpoint IdentityIQ Connectors:

1) Read-only connectors that can only transmit data to IdentityIQ (Governance) from an external program.

2) Connectors that can read and write data to and from an external program (Gateway and Direct).


Read/Write Direct Connectors:

Let us now discuss a few Read/Write Direct Connectors.

1. SailPoint IdentityIQ Active Directory Connector

To connect with Windows Domain Controllers, IdentityIQ specifically uses the LDAP and ADSI Active Directory interfaces. In AD, there are two forms of group membership:

  • Primary group concept
  • Other group membership

A user can have only one primary group in Active Directory but any number of other groups. The other groups are listed as a property of the user object: the member attribute of a user object holds a list of groups. The primary group, however, is not recorded as a group in the member attribute, so the connector must perform a follow-up query to determine which primary group the user belongs to. When searching for a user's primary group, the Active Directory connector starts from the primaryGroupSearchDN attribute.
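The follow-up query described above is worth seeing end to end, because an aggregation that only reads the membership list silently misses a privileged group that was made a user's primary group. This is an added example, not SailPoint code: in Active Directory the user object carries a primaryGroupID, which is the RID of the primary group, so the connector has to rebuild the group's SID from the user's domain SID and match it against the groups under primaryGroupSearchDN. All DNs and SIDs are constructed sample values.

```python
from typing import Dict, List

# Constructed sample data standing in for what a connector reads over LDAP.
# Each user carries objectSid, primaryGroupID and memberOf; each group carries objectSid.
# The domain SID and RIDs are made up, not taken from any real domain.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

USERS = {
    "CN=Alice,OU=Staff,DC=example,DC=com": {
        "objectSid": f"{DOMAIN_SID}-1105",
        "primaryGroupID": 513,  # RID of Domain Users, the usual default
        "memberOf": ["CN=VPN Users,OU=Groups,DC=example,DC=com"],
    },
    "CN=svc-backup,OU=Service,DC=example,DC=com": {
        "objectSid": f"{DOMAIN_SID}-1200",
        "primaryGroupID": 512,  # Domain Admins set as the primary group
        "memberOf": [],         # empty: the privileged membership is invisible here
    },
}

# Groups under the configured primaryGroupSearchDN (here CN=Users and OU=Groups).
GROUPS = {
    "CN=Domain Users,CN=Users,DC=example,DC=com": {"objectSid": f"{DOMAIN_SID}-513"},
    "CN=Domain Admins,CN=Users,DC=example,DC=com": {"objectSid": f"{DOMAIN_SID}-512"},
    "CN=VPN Users,OU=Groups,DC=example,DC=com": {"objectSid": f"{DOMAIN_SID}-1301"},
}


def primary_group_sid(user_sid: str, primary_group_id: int) -> str:
    """The primary group's SID is the user's SID with the trailing RID replaced
    by primaryGroupID; both objects live in the same domain."""
    domain_part = user_sid.rsplit("-", 1)[0]
    return f"{domain_part}-{primary_group_id}"


def resolve_primary_group(user: dict, groups_under_search_dn: Dict[str, dict]) -> str:
    """The follow-up query: find the group below primaryGroupSearchDN whose
    objectSid equals the reconstructed primary group SID."""
    wanted = primary_group_sid(user["objectSid"], user["primaryGroupID"])
    for dn, attrs in groups_under_search_dn.items():
        if attrs["objectSid"] == wanted:
            return dn
    raise LookupError(f"no group with objectSid {wanted} under primaryGroupSearchDN")


def full_group_membership(user_dn: str) -> List[str]:
    """Complete membership = memberOf plus the primary group, which memberOf never lists."""
    user = USERS[user_dn]
    return sorted(set(user["memberOf"]) | {resolve_primary_group(user, GROUPS)})


if __name__ == "__main__":
    for dn in USERS:
        print(dn, "->", full_group_membership(dn))
```

Note that the service account reports no groups at all from memberOf alone; only the primary-group lookup reveals that it is in Domain Admins.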

Users, groups, and entitlements can be provisioned from IdentityIQ using the Active Directory connector. The connector provides the following functions:

  • Create/Update/Delete User
  • Create/Update/Delete Group
  • Manage Terminal Services, Dial-in Attributes
  • To set the extended attributes, add custom attributes to the provisioning policy.
  • Manage Exchange 2007, Exchange 2010, Exchange 2013
  • Enable/Disable/Unlock/Reset Password for Users
  • Add/Remove entitlements
  • Pass-through Validation
  • Password Interceptor

2. SailPoint IdentityIQ WebEx Connector

This connector manages WebEx accounts and groups (Meeting Types). WebEx accounts support both reading and writing. Users and groups can be created, deleted, retrieved, validated, and unlocked using the WebEx connector.

This release of the connector assists the following operations:

  • Account Aggregation
  • Account-Group Aggregation
  • Request entitlement
  • Create/Delete/Refresh user
  • Enable/Disable user
  • Lock/Unlock user
  • Managed password

3. SailPoint IdentityIQ Google Apps Connector

SailPoint Google Apps connector handles Google Apps users and groups.

The connector provides the following functions:

  • Account Aggregation
  • Account-Group Aggregation
  • Create/Delete/Refresh Account
  • Create/Update/Delete Account-Group
  • Add/Remove Entitlement
  • Enable/Disable Account
  • Change Password
  • Authenticate

4. SailPoint IdentityIQ LDAP Connector

This connector was built according to the LDAP RFC, so it should work with virtually every LDAP server without additional configuration. The LDAP Connector now supports provisioning of users and entitlements as well as retrieval of the LDAP account and group object classes.

The SailPoint IdentityIQ LDAP Connector supports the following functions:

  • Account Aggregation
  • Account-Group Aggregation
  • Create/Update/Delete Account
  • Create/Update/Delete Account-Group
  • Account Refresh
  • Add/Remove Entitlement
  • Enable/Disable/Unlock Account
  • Change/Reset password
  • Pass through Validation
  • Password Interceptor: the LDAP Password Interceptor lets the client capture a password change initiated on the LDAP system and send it to IdentityIQ.
  • Delta Aggregation

5. SailPoint IdentityIQ Box.Net Connector

The Box.Net Connector is used to handle the Box server's managed users and groups. The Box.Net connector is a read/write connector that can retrieve a network's managed users and groups, activate/inactivate managed users, and delegate managed users to groups.

The SailPoint IdentityIQ Box.Net Connector supports the following capabilities:

  • Account Aggregation
  • Account - Group Aggregation
  • Account Refresh
  • Create Account
  • Add/Remove entitlements
  • Enable/Disable Account

6. SailPoint IdentityIQ Microsoft Office 365 Connector

This connector handles the users, groups, and attributes of the Microsoft Office 365 Online directory store. It does not cover features of the other products in the Office 365 suite, such as Exchange Online, SharePoint Online, and Lync Online. The MS Office 365 Connector implements its functionality through IQService, which must run on a Windows 7 or Windows Server 2008 R2 computer, using the MS Office 365 cmdlets for Windows PowerShell.

SailPoint IIQ MS Office 365 Connector aids in the application of the following features:

  • Account Aggregation
  • Account - Group Aggregation
  • Account Refresh
  • Create/Delete/Update Account
  • Create/Delete/Update Group
  • Add/Remove Entitlements
  • Enable/Disable Account (Revoke/Restore)
  • Password Reset
  • Pass through Authentication

7. SailPoint IdentityIQ ServiceNow Connector

The ServiceNow connector manages ServiceNow accounts and groups. It has read and write capability for the Now platform accounts.

SailPoint IIQ ServiceNow Connector can be used to support the following features:

  • Account Aggregation
  • Account-Group Aggregation
  • Create/Update/Delete User
  • Enable/Disable/Unlock User
  • Change password
  • Add/Remove Entitlement (Account-group, roles)
  • Create/Update/Delete Group

8. SailPoint IdentityIQ Microsoft SharePoint Connector

MS SharePoint offers tools that let users create websites to share information, manage documents, and publish reports that support decision-making. IdentityIQ aggregates the existing SharePoint users from any SharePoint platform or farm and shows which SharePoint groups, sites, lists, folders, and files those users have access to.

The Microsoft SharePoint connector manages SharePoint users and groups in SharePoint 2007 (Classic mode or Windows-based authentication), 2010 (Windows-based authentication), and 2013 (Windows Claims-based authentication) environments, using the MS SharePoint server APIs shipped with SharePoint. Domain groups that are SharePoint users are currently not supported by the connector.

The SharePoint connector allows users, groups, and entitlements to be provisioned from IdentityIQ. The connector provides the following functions:

  • Users and groups aggregation
  • Create/Delete/Update User
  • Create/Delete/Update Group
  • Add/Remove entitlements.
  • Unstructured Target permissions on Sites, Lists, List Items, Folders, and Files can be read (Target aggregation) or revoked.

9. SailPoint IdentityIQ AWS Identity and Access Management Connector

AWS Identity and Access Management (IAM) lets you securely control access to AWS services and the resources in your account. With IAM you can create multiple IAM users under your AWS account, or grant temporary access through identity federation with your corporate directory. In some cases you can also grant access to services across AWS accounts. IAM adds security, flexibility, and control when using AWS. Without IAM you would have to either create several AWS accounts, each with its own billing and subscriptions to AWS products, or share a single AWS account's security credentials.

Furthermore, without IAM you have no control over which actions a user or system can perform or which AWS services they can use. IAM makes identity federation between your corporate directory and AWS services possible, so you can grant secure, direct access to AWS services such as Amazon S3 buckets using your existing organizational identities rather than creating new AWS identities for those users. IAM is a web service that lets AWS customers manage their account's users and permissions. See AWS Identity and Access Management (IAM) for more details on this product. The purpose of this connector is to let you read and provision AWS IAM accounts, account groups, and account-group tasks.

This release of the connector assists the following operations:

  • Account Aggregation (Collects IAM Users under the AWS Account)
  • Account-Group Aggregation (Aggregates IAM Groups under the AWS Account)
  • Account Refresh
  • Create/Update/Delete Account
  • Create/Update/Delete Account-Group
  • Account Enable (Activates ONLY ONE existing Access Key and Signing Certificate)
  • Account Disable (Deactivate or delete ALL existing Security Credentials)
  • Reset Password (Does not require a current password)
  • Request/Remove Entitlement
  • Direct Permissions on Account (Aggregation only)
  • Direct Permissions on Account-Group (Aggregation only)
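The Enable and Disable operations above are deliberately asymmetric: Disable must leave no usable credential of any type, while Enable reactivates only one access key and one signing certificate. The following added example (not SailPoint's or AWS's code) isolates that decision logic over a constructed in-memory model of an IAM user's credentials; a real connector would apply the same actions through the IAM API.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed model of an IAM user's security credentials. The credential kinds and
# IDs below are sample values, not real AWS identifiers.


@dataclass
class Credential:
    kind: str       # "access_key", "signing_certificate", "login_profile", "ssh_public_key"
    cred_id: str
    active: bool


@dataclass
class IamUser:
    name: str
    credentials: List[Credential] = field(default_factory=list)


def disable_account(user: IamUser) -> List[str]:
    """Account Disable: deactivate EVERY active credential regardless of kind.
    Returns the list of actions taken, useful for the provisioning log."""
    actions = []
    for cred in user.credentials:
        if cred.active:
            cred.active = False
            actions.append(f"deactivate {cred.kind} {cred.cred_id}")
    return actions


def enable_account(user: IamUser) -> List[str]:
    """Account Enable: reactivate ONLY ONE existing access key and ONLY ONE existing
    signing certificate (the first of each kind). Console and SSH credentials stay off,
    and a second access key is never revived."""
    actions = []
    for kind in ("access_key", "signing_certificate"):
        for cred in user.credentials:
            if cred.kind == kind:
                cred.active = True
                actions.append(f"activate {cred.kind} {cred.cred_id}")
                break
    return actions


def active_credentials(user: IamUser) -> List[str]:
    """IDs of credentials that can currently be used to call AWS."""
    return [c.cred_id for c in user.credentials if c.active]


def make_sample_user() -> IamUser:
    """A constructed user with two access keys, a certificate and a console login."""
    return IamUser("svc-reporting", [
        Credential("access_key", "AKIA-EXAMPLE-1", True),
        Credential("access_key", "AKIA-EXAMPLE-2", True),
        Credential("signing_certificate", "CERT-EXAMPLE-1", True),
        Credential("login_profile", "console", True),
    ])


if __name__ == "__main__":
    user = make_sample_user()
    print(disable_account(user), active_credentials(user))
    print(enable_account(user), active_credentials(user))
```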

10. SailPoint IdentityIQ NetSuite Connector

NetSuite is a cloud-based Software-as-a-Service (SaaS) platform for integrated business management. ERP/accounting, order management/inventory, CRM, Professional Services Automation (PSA), and E-commerce are all available through NetSuite's cloud business management system.

In NetSuite, Enterprise Resource Planning (ERP) includes accounting, procurement, order control, project management, and workforce management, among other things.

NetSuite Connector can control employee data in the NetSuite ERP framework. The connector is a write-capable connector that manages the entities mentioned below:

  • Employee Account
  • Employee Role
  • Employee Entitlement

This release of the connector assists the following operations:

  • Account Aggregation
  • Group Aggregation
  • Refresh Account
  • Create/Delete Account
  • Add/Delete Account Entitlement
  • Enable/Disable Account
  • Change Password
  • Pass-through Validation

11. SailPoint IdentityIQ JDBC Connector

The JDBC Connector reads and writes data from database engines that support JDBC. Out of the box it works with data held in a single flat table; to work with data spread across multiple tables you need to write a more complex SQL statement together with a rule. The connector can be configured to discover schema attributes automatically.

In version 5.2 and above, IIQ supports the following additional JDBC Connector features:

  • A SQL statement or stored procedure can be supplied during application setup for automatic discovery of the account-group schema attributes, from the same database as the account schema or from a different one.
  • To provision account and group attributes, you can specify provisioning rules that are applied for each row of data.
  • You can also specify different provisioning rules for individual operations, such as Enable, Disable, Unlock, Delete, Create, and Modify.
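To make the flat-table limitation concrete, here is an added example (not SailPoint's code) using Python's built-in sqlite3 in place of a JDBC source: a constructed three-table schema, the multi-table SQL that folds roles into one row per account, a separate statement for the account-group schema, and the per-row rule logic that turns the result into a multi-valued attribute. Table and column names are invented for the example.

```python
import sqlite3
from typing import Dict, List

# Constructed schema standing in for an application database reached over JDBC.
# Roles live in their own table, so a single-table read cannot see them.
SCHEMA_AND_DATA = """
CREATE TABLE app_user (user_id INTEGER PRIMARY KEY, login TEXT UNIQUE, email TEXT, status TEXT);
CREATE TABLE app_role (role_id INTEGER PRIMARY KEY, name TEXT UNIQUE, description TEXT);
CREATE TABLE app_user_role (user_id INTEGER, role_id INTEGER, PRIMARY KEY (user_id, role_id));
INSERT INTO app_user VALUES (1, 'alice', 'alice@example.com', 'ACTIVE');
INSERT INTO app_user VALUES (2, 'bob',   'bob@example.com',   'ACTIVE');
INSERT INTO app_user VALUES (3, 'carol', 'carol@example.com', 'DISABLED');
INSERT INTO app_role VALUES (10, 'READER',   'Read-only access');
INSERT INTO app_role VALUES (20, 'APPROVER', 'Can approve requests');
INSERT INTO app_role VALUES (30, 'DBA',      'Database administration');
INSERT INTO app_user_role VALUES (1, 10), (2, 10), (2, 20), (3, 30);
"""

# Account query: one row per account with the multi-valued roles folded in, which is the
# flat shape the connector expects. LEFT JOINs keep accounts that hold no role at all.
ACCOUNT_SQL = """
SELECT u.login, u.email, u.status, GROUP_CONCAT(r.name, ',') AS roles
FROM app_user u
LEFT JOIN app_user_role ur ON ur.user_id = u.user_id
LEFT JOIN app_role r ON r.role_id = ur.role_id
GROUP BY u.user_id
ORDER BY u.login
"""

# Separate statement for the account-group schema (roles aggregated as groups).
GROUP_SQL = "SELECT name, description FROM app_role ORDER BY name"


def open_sample_db() -> sqlite3.Connection:
    """In-memory database loaded with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA_AND_DATA)
    return conn


def aggregate_accounts(conn: sqlite3.Connection) -> List[Dict[str, object]]:
    """Per-row rule logic: split the concatenated roles into a multi-valued attribute and
    derive the disabled flag from status. Disabled accounts are still aggregated, so that
    their entitlements remain visible for certification."""
    rows = []
    for login, email, status, roles in conn.execute(ACCOUNT_SQL):
        rows.append({
            "login": login,
            "email": email,
            "disabled": status != "ACTIVE",
            "roles": sorted(roles.split(",")) if roles else [],
        })
    return rows


def aggregate_groups(conn: sqlite3.Connection) -> Dict[str, str]:
    """Account-group aggregation: role name -> description."""
    return {name: description for name, description in conn.execute(GROUP_SQL)}


if __name__ == "__main__":
    db = open_sample_db()
    for account in aggregate_accounts(db):
        print(account)
    print(aggregate_groups(db))
```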

The SailPoint IdentityIQ JDBC Connector provides the following functions:

  • Account Aggregation
  • Group Aggregation
  • Refresh Account
  • Create/Delete Account
  • Add /Delete Account Entitlement
  • Enable/Disable Account
  • Change Password

12. SailPoint IdentityIQ PeopleSoft Connector

The PeopleSoft Connector is responsible for the PeopleSoft server's administrative entities (User Profiles and Roles). Through component interfaces, the PeopleSoft connector connects to the PeopleSoft server.

The PeopleSoft Connector provides the following functions:

  • Account Aggregation
  • Account-Group Aggregation
  • Create/Update/Delete Account
  • Get/Sync Account
  • Enable/Disable Account
  • Change Password
  • Discover Schema

13. SailPoint IdentityIQ Siebel Connector

The Siebel Connector manages entities in Oracle's Siebel CRM. Employees are handled as Accounts and positions as Account Groups. For account provisioning, the Siebel Connector by default uses the Employee business component of the Employee business object; for Account Group provisioning it uses the Position business component of the Position business object.

The connector can be configured to handle other Siebel Business Objects/Components for Account and Account Group provisioning. The Siebel Connector supports both single-valued and multi-valued attributes, and the connector schema can be extended beyond the schema shipped with the connector to handle further attributes.

SailPoint IdentityIQ Siebel Connector supports the following features:

  • Account Aggregation
  • Account-Group Aggregation
  • Create/Update/Delete Account
  • Get/Sync Account
  • Enable/Disable Account
  • Change Password
  • Create/Update/Delete Account-Group
  • Add/Remove Entitlement
  • Enable/Disable/Unlock Account
  • Change Password (HTTP - Default and ID file)
  • Validate (using HTTP password only)

14. SailPoint IdentityIQ MS SQL Server Connector

MS SQL Server is a relational DBMS developed by Microsoft. As a database server, its principal purpose is to store and retrieve data as requested by other software programs, which may run on the same machine or on another computer across a network (including the Internet). The SailPoint IdentityIQ MS SQL Server Connector handles the following entities on Microsoft SQL Server:

  • User
  • Login User
  • Database User
  • Role
  • Application Role
  • Database Role

SailPoint IdentityIQ Microsoft SQL Server Connector supports the following features:

  • Account/Group Aggregation
  • Create/Update/Delete/Refresh Account
  • Create/Delete Group
  • Enable/ Disable Account
  • Set Password
  • Request/Remove Entitlement
  • Direct Permissions

15. SailPoint IdentityIQ Oracle Connector

Oracle Database (also Oracle RDBMS or simply Oracle) is an object-relational database management system (ORDBMS). The SailPoint IdentityIQ Oracle Server Connector is a connector for the Oracle database server that lets you handle complete user administration, including provisioning and password management. The Oracle Server Connector manages the following entities of the Oracle server:

  • Account
  • Role

SailPoint IdentityIQ Oracle Connector provides support for the following features:

  • Account/Group Aggregation
  • Create/Update/Delete/Refresh Account
  • Request/Remove Entitlement
  • Enable/Disable Account
  • Set Password
  • Pass through Authentication
  • Create/Update/Delete Group
  • Direct Permissions: The target is Table

16. SailPoint IdentityIQ Solaris Connector

The Solaris Connector provisions accounts as users on a Solaris machine and provisions groups as Solaris groups. The connector can be configured to use all of the user/group attributes exposed by the Solaris commands.

The Solaris Connector provides the following features:

  • Account Aggregation
  • Account Group Aggregation
  • Create/Delete/Update Account
  • Enable/Disable/Unlock Account
  • Get/Sync Account
  • Change Password
  • Create/Update/Delete Account Group
  • Add/Delete Entitlement
  • Reset password
  • Target Aggregation
  • Revoke Target Permissions
  • Password Interceptor

17. SailPoint IdentityIQ SAP Connector

SAP Enterprise Resource Planning platform is an advanced software system that combines the organization's core business functions. The SAP Connector populates the SAP system with both users and processes, as well as provisioning users and their roles or profiles.

The SailPoint IdentityIQ SAP Connector was modified to support provisioning functionality to both a standalone SAP system and the SAP Central User Administration (CUA) system.

SailPoint IdentityIQ SAP Connector supports the following features:

  • Password Reset
  • Create Account
  • Delete Account
  • Enable/Disable Account
  • Request/Remove Entitlement (for standalone and CUA SAP System)
  • Pass-through Authentication


Read Only Direct Connectors

Let us now discuss a few Read Only Direct Connectors.

  1. SailPoint IdentityIQ Yammer Connector

The Yammer Connector is a read-only connector that retrieves account and community information from one or more Yammer networks (Enterprise Social Network).

  2. SailPoint IdentityIQ ALES Connector

This connector communicates with BEA's AquaLogic Enterprise Security server. The integration uses the ALES Entitlement Query API.

  3. SailPoint IdentityIQ Logical Connector

The Logical connector builds objects that look and behave like IdentityIQ applications but are actually derived by detecting accounts from other applications (the tier applications) in existing identity cubes. For instance, one logical application may represent three accounts on tier applications: an Oracle database, an LDAP authorization application, and a custom internal authentication application. When the logical application detects all three required accounts on a single identity, it creates an account on the logical application for that identity. You can then use that single representative account for certification, reporting, and tracking instead of the three separate accounts it is made up of.

  4. SailPoint IdentityIQ Delimited Connector

The Delimited File connector is rule-based. Its rules can be customized to match the complexity of the data being extracted, and the connector can be configured to discover schema attributes automatically.

  5. SailPoint IdentityIQ LDIF Connector

The LDIF connector extracts data from LDIF files. If group membership is not part of the account entries, the "groupMembershipAttribute" setting can be used to supply it: this configuration entry holds the name of the attribute in the group file that contains the list of a group's members. Make that attribute multi-valued and add it to the account schema. For this feature to work you must configure both "groupMembershipAttribute" and a group file. During account iteration the connector reads the group file to build the group -> user mapping and adorns each account with its assigned groups as the accounts are aggregated.
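The group-file join described above, as an added example that is not part of the original article or of SailPoint's connector code: a minimal LDIF reader, the inversion of the group file into a member -> groups mapping driven by the configured groupMembershipAttribute, and the adornment of each account with a multi-valued group attribute. Both LDIF files are constructed sample data; base64 ("::") values are not handled.

```python
from typing import Dict, List

# What groupMembershipAttribute would be set to for this group file.
GROUP_MEMBERSHIP_ATTRIBUTE = "member"

# Constructed group file: each entry lists its members in the "member" attribute.
GROUPS_LDIF = """\
dn: cn=finance,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: finance
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: admins
member: uid=bob,ou=people,dc=example,dc=com
"""

# Constructed account file: no membership information of its own.
ACCOUNTS_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
cn: Alice Example

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
cn: Bob Example

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
cn: Carol Example
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value' lines,
    folded continuation lines starting with a space, '#' comments. Every attribute
    is kept multi-valued (a list), which is how repeated 'member:' lines arrive."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]  # continuation of the previous value
            continue
        if raw.strip() == "":
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    return entries


def member_to_groups(groups: List[Dict[str, List[str]]], membership_attr: str) -> Dict[str, List[str]]:
    """Invert the group file into member DN (lower-cased) -> list of group DNs."""
    mapping: Dict[str, List[str]] = {}
    for group in groups:
        for member_dn in group.get(membership_attr, []):
            mapping.setdefault(member_dn.lower(), []).append(group["dn"][0])
    return mapping


def aggregate_accounts(accounts_ldif: str, groups_ldif: str, membership_attr: str) -> Dict[str, List[str]]:
    """Adorn each account with its groups: uid -> sorted group DNs (empty list if none)."""
    membership = member_to_groups(parse_ldif(groups_ldif), membership_attr)
    result: Dict[str, List[str]] = {}
    for account in parse_ldif(accounts_ldif):
        result[account["uid"][0]] = sorted(membership.get(account["dn"][0].lower(), []))
    return result


if __name__ == "__main__":
    print(aggregate_accounts(ACCOUNTS_LDIF, GROUPS_LDIF, GROUP_MEMBERSHIP_ATTRIBUTE))
```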

  6. SailPoint IdentityIQ IBM Tivoli Identity Manager Connector

The IBM Tivoli Identity Manager connector scans the directory for ALL group memberships, starting from the "groupMemberSearchDN" attribute. Because IBM Tivoli Identity Manager does not keep a user's group references on the user, this connector must always run a separate query to obtain the list of the user's groups.

  7. SailPoint IdentityIQ SAP HR/HCM Connector

The SAP HR/HCM connector was created to retrieve all user data from the SAP HR/HCM system.

  8. SailPoint IdentityIQ Sun IDM Connector

The Sun IDM Connector was created to return all of the Sun IDM user accounts and capabilities.

  9. SailPoint IdentityIQ Top Secret Connector

The Top Secret connector was built to read the TSSCFILE export.

  10. SailPoint IdentityIQ UNIX Connector

The UNIX connector reads and parses the "passwd" and group files from UNIX servers to build identities and groups. Because this connector is file-based, it overlaps somewhat with the Delimited File connector. Depending on the application configuration, IdentityIQ authenticates by logging in to the FTP or SCP service with the supplied credentials. Consequently, the UNIX application's "passwdfile" attribute must point to the same password file the system uses for authentication. In an NIS environment this password file is usually /etc/passwd, but it may be different.

  11. SailPoint IdentityIQ Mainframe Connector

This connector uses screen scraping, and each deployment must write Rules that drive the login, logout, and account fetch. During the session the connector analyses the screens and acts as the user would. On certain legacy systems screen scraping is the only way to obtain the data IIQ needs. Because the Rules that drive this connector are specific to the application it runs against, each Mainframe connector needs a lot of manual configuration.

The IBM Host Access API libraries are used to construct the Mainframe connector, which is designed for TN3270 apps. Before operating with this connector, you must have the IBM Host Access API libraries. These IBM libraries are available for purchase.

  12. SailPoint IdentityIQ Novell Identity Manager Connector

The Novell Identity Manager connector searches the directory for ALL group memberships, starting from the "groupMemberSearchDN" attribute. Because Novell Identity Manager does not keep a user's group references on the user, this connector must always run a separate query to obtain the list of the user's groups.

The Novell IDM connector can operate in multiplexing and non-multiplexing modes. In multiplexed mode the IDM vault is used for both aggregation and remediation. In non-multiplexed mode aggregation occurs through the individual connectors, while account removal and disabling still occur through the vault.

  13. SailPoint IdentityIQ RACF Connector

The RACF connector was built to read the file produced by the RACF database unload utility.

  14. SailPoint IdentityIQ Rule-Based Logical Connector

The Rule-Based Logical connector generates objects that look and behave like IdentityIQ applications but are actually built by detecting accounts from other applications in existing identity cubes. For instance, one logical application may represent three accounts on separate systems, such as an Oracle database, an LDAP authorization application, and a custom internal authentication application.

When the logical application rule identifies the three required accounts on a single identity, it creates an account on the logical application for that identity. For certification, reporting, and tracking you can then use that single proxy account instead of the three separate accounts it is made up of.


Conclusion

We have now seen the various connectors available in SailPoint and the features each supports. Out-of-the-box connectors and integrations help the business improve IT efficiency through quick application onboarding. Unified controls and rules keep data secure and ensure that data protection and compliance rules are enforced at all times.
