Sailpoint Documentation

The intention of this tutorial is to provide you with a brief summary of SailPoint, various managing platforms like compliance manager, lifecycle manager, password manager, governance platform, integration and connector modules, etc. Here we also show you how to utilize IdentityIQ with InWebo products, basic principles, and how to configure Sailpoint IdentityIQ with InWebo SAML authentication.

SailPoint Introduction


SailPoint is an automated identity management product that reduces the cost and complexity of managing identities while still giving users the access they need. It is a lightweight, portable application.

It is described as an identity governance solution rather than plain identity management, since it offers more functionality than identity management alone. IdentityIQ is delivered by SailPoint as a single WAR file (identityiq.war), which contains all of the application modules.

Maintaining information access in today's sophisticated, data-driven environment is a problem that needs far more from Identity and Access Management (IAM) systems than ever before.

In IAM, SailPoint is the undisputed leader. Organizations can now place IAM at the core of their security and IT strategy by utilizing IdentityIQ and its Open Identity Platform, allowing them to view and manage access throughout the company, including on-premises and cloud systems and apps.

SailPoint continues to hold its status as a leader in this space.

Productivity, Security, and Compliance all benefit from effective identity controls.

SailPoint IdentityIQ is a cutting-edge identity management system that reduces the expense and complexity of complying with laws while still providing users with access. Traditional identity management treats these areas independently and frequently employs a number of disparate products.

IdentityIQ, on the other hand, offers a unified approach built on a single identity governance framework. This lets you apply business roles, security policies, and risk models to access-related activities in a consistent manner.

To automate access certifications, policy enforcement, and end-to-end access request and provisioning procedures, IdentityIQ offers the following essential components.


Compliance Manager by IdentityIQ


It allows the company to increase compliance and audit performance while saving money.

  • Access Certifications that are suitable for business.
  • Policy management that is automated.
  • Analytics and Audit Reporting.

Lifecycle Manager of IdentityIQ


It provides a business-oriented access solution that is both safe and cost-effective.

  • Request for Self-Service Access.
  • Provisioning that is automated.

IdentityIQ's password manager


It provides a straightforward way to manage user passwords while also lowering operating expenses and increasing productivity.

  • Password Management using Self-Service.
  • Enforce Strong Password Policies and Sync.

The IdentityIQ Governance Platform


By centralizing identity data and offering a single place to model roles, policies, risk, and business processes, it lays the groundwork for effective risk management.

Integration and Connectors Modules


It enables your company to connect to anything (on-premises and cloud-based apps and data) and combine IdentityIQ with other IT security and operational solutions effortlessly.

IdentityIQ Intelligence on Identity


It enables your business to have 360-degree insight in order to discover data and swiftly identify hazards, as well as uncover compliance concerns and make the best decisions possible to increase efficiency.


Customers can use IdentityIQ to:

  • Allow company users to control access from any computer or mobile device.
  • To minimize risk, centralize visibility and governance controls.
  • Improve productivity while lowering costs.

The distinction is obvious


IdentityIQ is developed for business users, converting IT terminology into useful business data and streamlining the user experience.

IdentityIQ integrates identity management procedures across cloud, mobile, and on-premises settings, making it fit for today's complex hybrid IT environments.

By universally applying rules across all IAM services, SailPoint's governance-based solution centralizes visibility, enhances compliance, and eliminates risks – all while dramatically decreasing implementation costs.

Managing the Identity Business


SailPoint assists the world's leading companies in reducing risk, lowering IT expenses, and ensuring compliance. SailPoint IdentityIQ, the company's award-winning software, gives users better visibility and control over critical apps and data while simplifying the access request and delivery process. With risk-aware compliance management, closed-loop user life cycle management, flexible provisioning, an integrated governance architecture, and identity intelligence, IdentityIQ is the industry's premier governance-based identity management package that swiftly delivers real results.

Configuring the Sailpoint


The installation procedure is as follows:

Requirements:


RedHat Linux (my version: 7)

Oracle Java JDK (my version: 1.6.0_45)

Oracle MySQL (my version: 5.5.46)

Apache Tomcat (my version: 6.0.45)

Sailpoint IdentityIQ (my version: 7.2)

Steps of Installation:


Step 1: Start downloading Sailpoint IdentityIQ 7.2

Step 2: Copy the zip file identityiq-7.2.zip to the VM and unzip it.

$ pwd

/var/tmp

$ ls

identityiq-7.2.zip

$ unzip identityiq-7.2.zip

$ ls

IntegrationConnectorGateway-6.4.zip  database  doc  identityiq-7.2.zip  identityiq.war

Step 3: Create an IIQ72 root context and extract the war file.

$ mkdir /opt/sailpoint/tomcat/webapps/iiq72

$ cp /var/tmp/identityiq.war /opt/sailpoint/tomcat/webapps/iiq72/

$ cd /opt/sailpoint/tomcat/webapps/iiq72/

$ jar xvf identityiq.war


Step 4: Configure IdentityIQ 7.2's repository (MySQL)

$ cd /opt/sailpoint/tomcat/webapps/iiq72/WEB-INF/database

$ mysql -uroot -ppassword

mysql> source /opt/sailpoint/tomcat/webapps/iiq72/WEB-INF/database/create_identityiq_tables-7.2.mysql

mysql> show databases;

+--------------------+
| Database           |
+--------------------+
| information_schema |
| identityiq         |
| mysql              |
| performance_schema |
+--------------------+

Step 5: Configure IdentityIQ's database settings for connecting to its repository.

$ vi /opt/sailpoint/tomcat/webapps/iiq72/WEB-INF/classes/iiq.properties

##### Data Source Properties #####

dataSource.maxWait=10000

dataSource.maxActive=50

dataSource.minIdle=5

#dataSource.minEvictableIdleTimeMillis=300000

#dataSource.maxOpenPreparedStatements=-1

dataSource.username=identityiq

dataSource.password=1:iCAlakm5CVUe7+Q6hVJIBA==

##### MySQL 5 #####

## URL Format: dataSource.url=jdbc:mysql://<host>:<port>/<database>?useServerPrepStmts=true&tinyInt1isBit=true&useUnicode=true&characterEncoding=utf8

dataSource.url=jdbc:mysql://localhost/identityiq?useServerPrepStmts=true&tinyInt1isBit=true&useUnicode=true&characterEncoding=utf8

dataSource.driverClassName=com.mysql.jdbc.Driver

sessionFactory.hibernateProperties.hibernate.dialect=sailpoint.persistence.MySQL5InnoDBDialect
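Before starting Tomcat it is worth checking the datasource block for the mistakes that typically bite in this step: a password left in clear text, root used as the database user, a JDBC URL that is malformed or lacks characterEncoding=utf8, or a Hibernate dialect that does not match the MySQL driver. The following Python checker is an added example, not part of the page or of SailPoint's tooling; the property names are those of the fragment above, the two sample files are constructed, and the encrypted password value in them is a placeholder rather than a real ciphertext.

```python
import re

# Keys IdentityIQ needs to reach its repository (names as in iiq.properties above).
REQUIRED_KEYS = (
    "dataSource.url",
    "dataSource.username",
    "dataSource.password",
    "dataSource.driverClassName",
    "sessionFactory.hibernateProperties.hibernate.dialect",
)
MYSQL_DIALECT = "sailpoint.persistence.MySQL5InnoDBDialect"
MYSQL_DRIVER = "com.mysql.jdbc.Driver"
MYSQL_URL = re.compile(
    r"^jdbc:mysql://(?P<host>[^:/?]+)(?::(?P<port>\d+))?/(?P<db>[^?]+?)(?:\?(?P<params>.*))?$"
)
# IdentityIQ stores encrypted values as '<keyId>:<base64>' (the page's example is '1:iCAl...').
ENCRYPTED = re.compile(r"^\d+:[A-Za-z0-9+/=]+$")

MESSAGES = {
    "missing": "required key is absent",
    "password-cleartext": "dataSource.password is not in the encrypted '<keyId>:<base64>' form",
    "user-root": "dataSource.username is root; use the dedicated identityiq database user",
    "url-malformed": "dataSource.url is not jdbc:mysql://host[:port]/database[?params]",
    "url-charset": "dataSource.url does not set characterEncoding=utf8",
    "driver-mismatch": f"dataSource.driverClassName is not {MYSQL_DRIVER}",
    "dialect-mismatch": f"hibernate.dialect is not {MYSQL_DIALECT}",
}


def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: '#'/'!' comments, key=value, whitespace trimmed.
    Line continuations and ':' separators are not handled; iiq.properties does not use them."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_datasource(text: str) -> list:
    """Return a list of finding codes; an empty list means the datasource block looks sane."""
    props = parse_properties(text)
    findings = [f"missing:{k}" for k in REQUIRED_KEYS if k not in props]
    pw = props.get("dataSource.password")
    if pw is not None and not ENCRYPTED.match(pw):
        findings.append("password-cleartext")
    if props.get("dataSource.username") == "root":
        findings.append("user-root")
    url = props.get("dataSource.url")
    if url is not None:
        m = MYSQL_URL.match(url)
        if not m:
            findings.append("url-malformed")
        else:
            params = dict(p.split("=", 1) for p in (m["params"] or "").split("&") if "=" in p)
            if params.get("characterEncoding", "").lower() != "utf8":
                findings.append("url-charset")
            if props.get("dataSource.driverClassName") != MYSQL_DRIVER:
                findings.append("driver-mismatch")
            if props.get("sessionFactory.hibernateProperties.hibernate.dialect") != MYSQL_DIALECT:
                findings.append("dialect-mismatch")
    return findings


# Constructed sample mirroring the fragment above; the password is a placeholder, not a ciphertext.
GOOD = """\
##### Data Source Properties #####
dataSource.maxWait=10000
dataSource.username=identityiq
dataSource.password=1:PLACEHOLDERBASE64==
##### MySQL 5 #####
dataSource.url=jdbc:mysql://localhost/identityiq?useServerPrepStmts=true&tinyInt1isBit=true&useUnicode=true&characterEncoding=utf8
dataSource.driverClassName=com.mysql.jdbc.Driver
sessionFactory.hibernateProperties.hibernate.dialect=sailpoint.persistence.MySQL5InnoDBDialect
"""

# Constructed sample with the usual first-install shortcuts.
BAD = """\
dataSource.username=root
dataSource.password=password
dataSource.url=jdbc:mysql://localhost/identityiq
dataSource.driverClassName=com.mysql.jdbc.Driver
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD
    for code in check_datasource(text) or ["ok"]:
        print(code, "-", MESSAGES.get(code.split(":")[0], "no findings"))
```

Run it with the path to an iiq.properties file, or with no argument to see the findings for the constructed BAD sample. It only reads the file, so it can be run against a live installation; anything other than an empty list is worth fixing before importing init.xml in the next step.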

Step 6: Import IdentityIQ's default objects to get the system started.

$ chmod +x /opt/sailpoint/tomcat/webapps/iiq72/WEB-INF/bin/iiq

$ /opt/sailpoint/tomcat/webapps/iiq72/WEB-INF/bin/iiq console -j

Using JLine

> import init.xml

Step 7: Start Apache Tomcat and open the IdentityIQ login page in a browser to test it.



RedHat Installation Process


The objective of this lab is to demonstrate how to set up Git on RedHat 7.2. The RedHat repository carries an older version of Git (1.8.3.1 at the time of writing), so the most recent version (currently 2.11.0) must be built and installed manually. The steps are as follows:

Step 1: Download and untar Git as follows:

$ cd /home/gekologic/software   # cd is a shell builtin, so it cannot be run through sudo

$ sudo wget https://www.kernel.org/pub/software/scm/git/git-2.11.0.tar.gz

$ sudo tar xzf git-2.11.0.tar.gz

Step 2: Install the necessary packages.


$ sudo yum install gcc openssl-devel expat-devel curl-devel perl-ExtUtils-MakeMaker

Step 3: Build and install Git as shown below.

$ cd /home/gekologic/software/git-2.11.0

$ make prefix=/usr/local/git all

$ make prefix=/usr/local/git install

Step 4: Verify the version and add git to the path.

$ /usr/local/git/bin/git --version

git version 2.11.0

# single quotes keep $PATH unexpanded until login; tee -a is needed because a plain >> redirection would run without root
$ echo 'export PATH=/usr/local/git/bin:$PATH' | sudo tee -a /etc/bashrc

$ source /etc/bashrc

$ git --version

git version 2.11.0

Docker installation on RedHat


Docker requires a 64-bit operating system and a Linux kernel 3.10 or above. Currently, here we are using RedHat 7.2 with kernel 3.10.0. On RedHat, use the following commands to verify this information:

$ uname -r

3.10.0-327.13.1.el7.x86_64

$ cat /etc/redhat-release

Red Hat Enterprise Linux Server release 7.3 (Maipo)

To install Docker, we will use yum, so make sure your current packages are up to date:

$ sudo yum update

We'll add the Docker yum repo as follows:

$ sudo vi /etc/yum.repos.d/docker.repo

And then paste the below text:

[dockerrepo]

name=Docker Repository

baseurl=https://yum.dockerproject.org/repo/main/centos/7/

enabled=1

gpgcheck=1

gpgkey=https://yum.dockerproject.org/gpg

We'll install Docker as follows after saving the file:

$ sudo yum install docker-engine

At the end of the installation, we should see something similar to this:

docker-engine.x86_64 0:1.12.5-1.el7.centos

Installed dependency:

docker-engine-selinux.noarch 0:1.12.5-1.el7.centos

libseccomp.x86_64 0:2.3.1-2.el7

libtool-ltdl.x86_64 0:2.4.2-21.el7_2

This concludes the steps for installing SailPoint IdentityIQ, Git, and Docker on RedHat.

Introduction to Sailpoint IdentityIQ using InWebo


InWebo offers software 2-factor authentication with a security level of <>. InWebo tokens may be used on any platform (smartphone, tablet, desktop, etc.) and in a self-service mode without requiring any knowledge. InWebo provides a highly available, trusted platform built with Hardware Security Modules (HSM) that is compatible with existing Identity Management systems and that you can deploy in the SaaS mode in a matter of hours with no additional investment or infrastructure.


Basic Principles of Sailpoint IdentityIQ


The InWebo strong authentication service supports many built-in interfaces, including a Web Services API, RADIUS, SAML 2.0, and many others. RADIUS is the ideal approach for interacting with a network device (reverse proxy, firewall, etc.). The SAML 2.0 interface is what we'll go through in more detail in this document.

The architecture is as follows:

Users can download and manage their own InWebo tokens. Your company's system administrator simply needs to do the following to get the system up and running:

  • Configure the SAML authentication portal in IdentityIQ.
  • Make an account with InWebo.
  • Download, install and activate one of the InWebo tokens.
  • In this InWebo account, set up a SAML connector.
  • Perform an authentication test.


The entire system could be up and operating in around 15-20 minutes.

Configuring Sailpoint IdentityIQ with inWebo SAML authentication


1. Configuring the SAML IdP connector in inWebo


You must first add a SAML connector on the inWebo side (the IdP), because it is easier to build the IdentityIQ side of the connection from the IdP metadata that inWebo generates.

  1. Access the administration console of InWebo 
  2. Select the "Secure Sites" tab.
  3. Select a "SAML 2.0" connector from the "connectors" section's drop-down list.
  4. Optional: Give it a name, like 'SailPoint IIQ SAML 2.0'.
  5. For the time being, leave SP Metadata blank.
  6. Confirm by clicking the "Add" button.
  7. When a success message appears, the window is refreshed and now shows the newly generated IdP Metadata.
  8. To save them to your PC, click the link that says "Download inWebo IdP SAML 2.0 metadata in XML format."
  9. To save the certificate to your PC, click the “Download inWebo IdP SAML 2.0 certificate” link. SAML assertions will be encrypted using it.

Keep this SAML connector window open in your browser, since we'll need to copy some information from it in the following step.

2. SailPoint SAML SP service configuration


In a new browser window, go to your IdentityIQ administrative interface.

We'll need to set up a SAML IdP connection so that Sailpoint IdentityIQ (as a SAML service provider) can submit authentication requests to this IdP (inWebo) and rely on it to authenticate users and grant access to the resources behind.

Note: The URLs below must be adapted to fit your specific environment. The exact URLs are supplied in the SAML v2 connection popup in the inWebo web admin console or in the Metadata file available from the inWebo web admin console for your own setup.

  • Navigate to the Global Settings -> Login Configuration -> SSO Configuration -> Enable SAML Based Single Sign-On (SSO).
  • Entity ID (Issuer): taken from the Metadata in the inWebo web admin console, https://www.myinwebo.com/console/c//saml2//metadata (= 'Issuer URL' in the inWebo SAML connector)
  • Identity Provider SSO Service URL: https://www.myinwebo.com/console/c//saml2/ (= 'Single Sign On URL' in the inWebo SAML connector)
  • SAML URL (Assertion Consumer Service): https://www.myinwebo.com/console/c//saml2/ (= same as above)
  • Public X.509 Certificate: open the certificate you downloaded from the inWebo web admin console in a text editor and paste its contents here.
  • SAML Correlation Rule: use the default rule; its content is shown below.

// Imports
import sailpoint.object.Identity;

// Making a BIG assumption here that the nameid-format is unspecified/persistent

// Get the nameId from the assertionAttributes map supplied to the rule
String nameId = (String) assertionAttributes.get("nameId");

Identity ident = null;
if (nameId != null) {
    // Look up the identity whose name (or id) equals the nameId
    ident = context.getObject(Identity.class, nameId);
}
// A null result means no identity was correlated and the SSO login is refused
return ident;
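The rule above returns whatever context.getObject finds for the NameID, or null when the attribute is absent, and its own comment records the assumption that the NameID format is unspecified or persistent. Step 3 below, however, sets the inWebo NameIDFormat to Email address, so that assumption no longer holds once the connector is finished. The following Python model of the correlation step is an added example, not IdentityIQ or inWebo code: it parses a constructed, unsigned SAML assertion, checks that the NameID format is the one agreed with the IdP, correlates by identity name for unspecified/persistent (as the rule does) and by e-mail attribute for emailAddress (going beyond the rule), and refuses unknown, ambiguous or inactive identities. The identity table is constructed inline as a stand-in for the IdentityIQ context.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NAMEID_PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed stand-in for the IdentityIQ Identity table: identity name -> attributes.
IDENTITIES = {
    "jdoe":   {"email": "john.doe@example.com",    "inactive": False},
    "asmith": {"email": "alice.smith@example.com", "inactive": True},
}


def make_assertion(value, fmt):
    """Build a minimal constructed SAML 2.0 assertion (unsigned; for the correlation step only).
    fmt=None omits the Format attribute, which SAML defines as 'unspecified'."""
    fmt_attr = f' Format="{escape(fmt, {chr(34): "&quot;"})}"' if fmt else ""
    return (
        f'<saml:Assertion xmlns:saml="{SAML2_NS}" Version="2.0" ID="_constructed">'
        f"<saml:Subject><saml:NameID{fmt_attr}>{escape(value)}</saml:NameID></saml:Subject>"
        "</saml:Assertion>"
    )


def extract_name_id(assertion_xml):
    """Return (value, format) of Subject/NameID, or (None, None) if the assertion has none.
    Signature, audience and validity checks are assumed to have been done by the SP already,
    which is the point at which IdentityIQ runs the correlation rule."""
    root = ET.fromstring(assertion_xml)
    node = root.find(f"{{{SAML2_NS}}}Subject/{{{SAML2_NS}}}NameID")
    if node is None or not (node.text or "").strip():
        return None, None
    return node.text.strip(), node.get("Format", NAMEID_UNSPECIFIED)


def correlate(assertion_xml, expected_format=NAMEID_EMAIL):
    """Map the assertion's NameID to exactly one active identity name, else None.

    unspecified/persistent: match on identity name, as the page's rule does with
    context.getObject(Identity.class, nameId).
    emailAddress (what step 3 configures in inWebo): match on the email attribute,
    case-insensitively. Any other format is rejected."""
    value, fmt = extract_name_id(assertion_xml)
    if value is None or fmt != expected_format:
        return None                      # no NameID, or a format we did not agree with the IdP
    if fmt in (NAMEID_UNSPECIFIED, NAMEID_PERSISTENT):
        matches = [name for name in IDENTITIES if name == value]
    elif fmt == NAMEID_EMAIL:
        matches = [name for name, attrs in IDENTITIES.items()
                   if attrs["email"].lower() == value.lower()]
    else:
        return None
    if len(matches) != 1:
        return None                      # unknown or ambiguous: never pick one at random
    name = matches[0]
    if IDENTITIES[name]["inactive"]:
        return None                      # disabled identities must not get in through SSO
    return name


if __name__ == "__main__":
    for value, fmt in [("john.doe@example.com", NAMEID_EMAIL),
                       ("alice.smith@example.com", NAMEID_EMAIL),
                       ("jdoe", NAMEID_UNSPECIFIED)]:
        print(f"{value!r} ({fmt.rsplit(':', 1)[-1]}) -> {correlate(make_assertion(value, fmt))}")
```

Returning None here corresponds to the rule returning null: the login is refused rather than guessed. The expected_format argument is what you agreed with the IdP in the connector (Email address after step 3), and rejecting any other format is what stops an identity-name NameID from being silently matched against e-mail addresses, or vice versa.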

(Screenshot: the completed SSO Configuration page in IdentityIQ.)


3. Using IdentityIQ to export SAML SP metadata to inWebo


You must provide the SP metadata from IdentityIQ to the InWebo SAML IdP, which handles authentication for this SP. You can get the information you need to achieve this by exporting the SAML SP metadata to a file.


Download the IdentityIQ SAML metadata to a text file.


You must now complete the SP metadata on the InWebo IdP SAML Connector with the information from the downloaded XML file.

  1. In a text editor, open the downloaded XML metadata and copy the full contents of that file to your computer's clipboard. (Almost all of the time, on Windows computers, CTRL+C is used).
  2. To return to your inWebo administration console (https://www.myinwebo.com/console), choose "Secure Sites" from the tab.
  3. Click the pen icon to the right of the connection name in the "connectors" section to edit the previously inserted "SailPoint SAML 2.0" connector.
  4. In the Metadata Service Provider (SP) area of the opened window, paste the Metadata from the clipboard. (Most of the time, on Windows computers, CTRL+V is used).
  5. In 'Connector Options', set 'Enable SSO' to 'Yes'.
  6. Set 'NameIDFormat' = 'Email address (emailAddress)'.
  7. Set 'NameID value (NameIDAttribute)' = 'User login'.
  8. The 'SAML Attributes' section should be left alone.
  9. Check by clicking the Update button, then use the Cancel button to close the window.


(Screenshot: the completed SAML 2.0 connector in the inWebo administration console.)

4. Test your integration


To test it, type the URL for the IdentityIQ Login page.

If your current web browser is enrolled as a device in inWebo, you should now be redirected to an inWebo authentication screen showing the Virtual Authenticator.

If your current browser is not enrolled, you will be asked to enter your login and then authenticate with your mobile phone, which must already have been enrolled.


Conclusion


In this documentation, we have covered the IdentityIQ components that help organize and manage SailPoint. We have also seen how to install and configure SailPoint on RedHat, and how to install Git and Docker on RedHat. The use of the InWebo product with IdentityIQ was also explained, along with the basic principles and the configuration steps for SAML authentication.
