SailPoint IdentityNow is a modern SaaS-based Identity Security solution that provides a centralized way to see and control every user's access to resources across hybrid IT environments while ensuring regulatory compliance. The SailPoint IdentityNow connector facilitates automated identity management operations.
This document provides information about the SailPoint IdentityNow connector, which facilitates automated interactions with SailPoint IdentityNow using FortiSOAR™ playbooks. Add the SailPoint IdentityNow connector as a step in FortiSOAR™ playbooks and perform automated operations, such as getting account details, setting or resetting passwords, or approving and revoking access to accounts using SailPoint IdentityNow.
Connector Version: 1.0.0
Authored By: Community
Certified: No
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:

```shell
yum install cyops-connector-sailpoint-identitynow
```
For the procedure to configure a connector, click here
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the SailPoint IdentityNow connector card. On the connector popup, click the Configurations tab to enter the required configuration details:
Parameter | Description |
---|---|
Server URL | The service-based URL of the SailPoint IdentityNow server to which you will connect and perform automated operations. |
Client ID | Unique ID of the SailPoint IdentityNow application that is used to create an authentication token, or the personal access token, required to access the API. |
Client Secret | Unique Client Secret of the SailPoint IdentityNow application that is used to create an authentication token, or the personal access token, required to access the API. For information on how to obtain the secret, see SailPoint's article on generating a personal access token. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set to `True`. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™:
Function | Description | Annotation and Category |
---|---|---|
Get Accounts | Retrieves a list of all accounts, from the SailPoint IdentityNow system, based on the level of detail required and the count of results to return. | get_accounts Investigation |
Get Account Details | Retrieves the details for a single account based on the account ID you have specified. | get_account_details Investigation |
Get Account Activity | Retrieves a single account activity based on the account activity ID you have specified. | get_account_activities Investigation |
Get Account Activities | Retrieves a collection of account activities based on the type of account activity requested, the count of results, and the requester details you have specified. | get_account_activity Investigation |
Get Password Info | Retrieves password-related information based on the username you have specified. | get_password_info Investigation |
Reset Password | Sets a password for an identity based on the identity ID, public key, and the RSA encrypted password you have specified. The password can only be set by the actual identity owner or by a trusted API client application. | reset_password Containment |
Enable Account | Submits a task to enable an account based on the account ID you have specified. | enable_account Containment |
Disable Account | Submits a task to disable an account based on the account ID you have specified. | disable_account Containment |
Unlock Account | Submits a task to unlock an account based on the account ID you have specified. | unlock_account Containment |
Grant Access | Grants access to roles, profiles, or entitlements based on the JSON formatted request that you have sent for granting access. | grant_access Containment |
Revoke Access | Revokes access to roles, profiles, or entitlements based on the JSON formatted request that you have sent for revoking access. | revoke_access Containment |
Operation: Get Accounts

Parameter | Description |
---|---|
Filter | (Optional) Specify filter criteria to filter results using the standard syntax described in SailPoint IdentityNow's V3 API Standard Collection Parameters. The API supports filtering only in some fields and with limited operators. The following is a list of fields and operators supported: `identityId eq "2c9180858082150f0180893dbaf44201"`. Here, |
Detail Level | (Optional) Specify the level of detail required when getting the list of accounts. The available options are `SLIM` or `FULL`; `FULL` is the default. |
Limit | (Optional) Specify the maximum number of records to return in a single API call. If it is not specified, the default limit (`250`) is used. |
Offset | (Optional) Specify the offset of the first result from the beginning of the collection. The offset value is record-based, not page-based, and the index starts at 0. For example, `offset=0` and `limit=20` returns records 0-19, but `offset=1` and `limit=20` returns records 1-20. |
The output contains the following populated JSON schema:
```json
{
  "id": "",
  "name": "",
  "created": "",
  "modified": "",
  "sourceId": "",
  "identityId": "",
  "attributes": {},
  "authoritative": "",
  "description": "",
  "disabled": "",
  "locked": "",
  "nativeIdentity": "",
  "systemAccount": "",
  "uncorrelated": "",
  "uuid": "",
  "manuallyCorrelated": "",
  "hasEntitlements": ""
}
```
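The Limit and Offset semantics above (record-based offsets, a default page size of 250) are easy to get wrong in a playbook loop: re-using the same offset, or advancing it by pages instead of records, silently skips or duplicates accounts. The following Python is an added example, not part of the connector or of SailPoint's own code. It assumes the V3 query parameter names `filters`, `detailLevel`, `limit` and `offset`, and runs against a constructed in-memory stand-in for the accounts endpoint (523 fake accounts) so it can be executed offline; the stand-in only understands the `field eq "value"` filter form shown in the table and simulates `SLIM` by dropping the `attributes` map.

```python
"""Record-based pagination of the Get Accounts operation (added example)."""
import re
from typing import Callable, Dict, List, Optional

DEFAULT_LIMIT = 250  # default page size stated in the connector documentation
DETAIL_LEVELS = ("SLIM", "FULL")


def build_accounts_query(filters: Optional[str] = None, detail_level: str = "FULL",
                         limit: int = DEFAULT_LIMIT, offset: int = 0) -> Dict[str, str]:
    """Validate the documented options and build one call's query parameters.

    Parameter names are assumed from SailPoint's V3 collection API.
    """
    if detail_level not in DETAIL_LEVELS:
        raise ValueError(f"detailLevel must be one of {DETAIL_LEVELS}, got {detail_level!r}")
    if limit <= 0 or offset < 0:
        raise ValueError("limit must be positive and offset non-negative")
    params = {"detailLevel": detail_level, "limit": str(limit), "offset": str(offset)}
    if filters:
        params["filters"] = filters
    return params


def fetch_all_accounts(call_api: Callable[[Dict[str, str]], List[dict]],
                       filters: Optional[str] = None, detail_level: str = "FULL",
                       page_size: int = DEFAULT_LIMIT, max_records: int = 10_000) -> List[dict]:
    """Walk the whole collection.

    offset counts records, not pages: offset=0,limit=20 returns records 0-19,
    so the next page starts at offset + len(page). A short page ends the walk;
    max_records caps the total so a too-broad filter cannot pull a whole tenant.
    """
    results: List[dict] = []
    offset = 0
    while len(results) < max_records:
        page = call_api(build_accounts_query(filters, detail_level, page_size, offset))
        results.extend(page)
        if len(page) < page_size:
            break
        offset += len(page)
    return results[:max_records]


_EQ_FILTER = re.compile(r'^(\w+) eq "([^"]*)"$')


def make_fake_accounts_api(accounts: List[dict]) -> Callable[[Dict[str, str]], List[dict]]:
    """Constructed stand-in for the accounts endpoint (not the real service).

    Supports only the `field eq "value"` filter form; SLIM is simulated by
    dropping the attributes map, which is an assumption about the real API.
    """
    def call_api(params: Dict[str, str]) -> List[dict]:
        rows = accounts
        if "filters" in params:
            match = _EQ_FILTER.match(params["filters"])
            if not match:
                raise ValueError(f"unsupported filter: {params['filters']!r}")
            field, value = match.groups()
            rows = [a for a in rows if str(a.get(field)) == value]
        if params["detailLevel"] == "SLIM":
            rows = [{k: v for k, v in a.items() if k != "attributes"} for a in rows]
        start, limit = int(params["offset"]), int(params["limit"])
        return rows[start:start + limit]
    return call_api


# Constructed sample data: 523 accounts spread over 7 identities.
SAMPLE_ACCOUNTS = [
    {"id": f"acct-{i:04d}", "name": f"user{i}", "identityId": f"ident-{i % 7}",
     "locked": i % 50 == 0, "attributes": {"department": f"dept-{i % 3}"}}
    for i in range(523)
]


def demo() -> Dict[str, object]:
    """Exercise full pagination, a filtered walk, and the offset=0 vs offset=1 case."""
    api = make_fake_accounts_api(SAMPLE_ACCOUNTS)
    everything = fetch_all_accounts(api)                      # 3 calls: 250, 250, 23 records
    one_identity = fetch_all_accounts(api, filters='identityId eq "ident-3"', page_size=20)
    first = api(build_accounts_query(limit=20, offset=0))    # records 0-19
    shifted = api(build_accounts_query(limit=20, offset=1))  # records 1-20
    slim = api(build_accounts_query(detail_level="SLIM", limit=1))
    return {
        "total": len(everything),
        "for_ident_3": len(one_identity),
        "first_ids": (first[0]["id"], first[-1]["id"]),
        "shifted_ids": (shifted[0]["id"], shifted[-1]["id"]),
        "slim_has_attributes": "attributes" in slim[0],
    }
```

Swapping `make_fake_accounts_api` for a function that performs the real HTTP call keeps `fetch_all_accounts` unchanged; the `max_records` cap is worth keeping in a playbook so an unfiltered call cannot enumerate every account in the tenant by accident.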
Operation: Get Account Details

Parameter | Description |
---|---|
Account ID | Specify the ID of the account for which you are retrieving the details. |
The output contains the following populated JSON schema:
```json
{
  "id": "",
  "name": "",
  "created": "",
  "modified": "",
  "sourceId": "",
  "identityId": "",
  "attributes": {},
  "authoritative": "",
  "description": "",
  "disabled": "",
  "locked": "",
  "nativeIdentity": "",
  "systemAccount": "",
  "uncorrelated": "",
  "uuid": "",
  "manuallyCorrelated": "",
  "hasEntitlements": ""
}
```
Operation: Get Account Activity

Parameter | Description |
---|---|
Activity ID | Specify the account activity ID to get a single account activity, such as an Access Request, Certification, or Identity Refresh. |
The output contains the following populated JSON schema:
```json
{
  "id": "",
  "name": "",
  "created": "",
  "modified": "",
  "completed": "",
  "completionStatus": "",
  "type": "",
  "requesterIdentitySummary": {
    "id": "",
    "name": "",
    "identityId": "",
    "completed": ""
  },
  "targetIdentitySummary": {
    "id": "",
    "name": "",
    "identityId": "",
    "completed": ""
  },
  "errors": [],
  "warnings": [],
  "items": [
    {
      "id": "",
      "name": "",
      "requested": "",
      "approvalStatus": "",
      "provisioningStatus": "",
      "requesterComment": {
        "commenterId": "",
        "commenterName": "",
        "body": "",
        "date": ""
      },
      "reviewerIdentitySummary": {
        "id": "",
        "name": "",
        "identityId": "",
        "completed": ""
      },
      "reviewerComment": {
        "commenterId": "",
        "commenterName": "",
        "body": "",
        "date": ""
      },
      "operation": "",
      "attribute": "",
      "value": "",
      "nativeIdentity": "",
      "sourceId": "",
      "accountRequestInfo": {
        "requestedObjectId": "",
        "requestedObjectName": "",
        "requestedObjectType": ""
      },
      "clientMetadata": {},
      "removeDate": ""
    }
  ],
  "executionStatus": "",
  "clientMetadata": {}
}
```
Operation: Get Account Activities

Parameter | Description |
---|---|
Type | (Optional) Specify the type of account activity, for example, an Access Request, Certification, or Identity Refresh. |
Requested For | (Optional) Specify the identity for which the activity was requested. `me` indicates the current user. This field is mutually exclusive with `regarding-identity`. |
Requested By | (Optional) Specify the identity that requested the activity. `me` indicates the current user. This field is mutually exclusive with `regarding-identity`. |
Regarding Identity | (Optional) Specify the identity of either the requester or the target of the account activity. `me` indicates the current user. This field is mutually exclusive with `requested-for` and `requested-by`. |
Sort By | (Optional) Specify a comma-separated list of fields by which to sort the results. The supported fields are `type`, `created`, and `modified`. For example, to sort primarily by type in ascending order and secondarily by modified date in descending order, enter `type,-modified` in this field. |
Limit | (Optional) Specify the maximum number of records to return in a single API call. If it is not specified, the default limit (`250`) is used. |
Offset | (Optional) Specify the offset of the first result from the beginning of the collection. The offset value is record-based, not page-based, and the index starts at 0. For example, `offset=0` and `limit=20` returns records 0-19, but `offset=1` and `limit=20` returns records 1-20. |
The output contains the following populated JSON schema:
```json
{
  "id": "",
  "name": "",
  "created": "",
  "modified": "",
  "completed": "",
  "completionStatus": "",
  "type": "",
  "requesterIdentitySummary": {
    "id": "",
    "name": "",
    "identityId": "",
    "completed": ""
  },
  "targetIdentitySummary": {
    "id": "",
    "name": "",
    "identityId": "",
    "completed": ""
  },
  "errors": [],
  "warnings": "",
  "items": [
    {
      "id": "",
      "name": "",
      "requested": "",
      "approvalStatus": "",
      "provisioningStatus": "",
      "requesterComment": {
        "commenterId": "",
        "commenterName": "",
        "body": "",
        "date": ""
      },
      "reviewerIdentitySummary": {
        "id": "",
        "name": "",
        "identityId": "",
        "completed": ""
      },
      "reviewerComment": {
        "commenterId": "",
        "commenterName": "",
        "body": "",
        "date": ""
      },
      "operation": "",
      "attribute": "",
      "value": "",
      "nativeIdentity": "",
      "sourceId": "",
      "accountRequestInfo": {
        "requestedObjectId": "",
        "requestedObjectName": "",
        "requestedObjectType": ""
      },
      "clientMetadata": {
        "property1": "",
        "property2": ""
      },
      "removeDate": ""
    }
  ],
  "executionStatus": "",
  "clientMetadata": {
    "property1": "",
    "property2": ""
  },
  "cancelable": "",
  "cancelComment": {
    "commenterId": "",
    "commenterName": "",
    "body": "",
    "date": ""
  }
}
```
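The Get Account Activities parameters carry two rules a playbook should enforce before calling the service: `regarding-identity` cannot be combined with `requested-for` or `requested-by`, and the Sort By list accepts only `type`, `created` and `modified`, with a leading `-` for descending order. The following Python is an added example, not part of the connector or of SailPoint's code. It assumes `sorters` is the service's query parameter name for the sort list (the other names are the ones the table uses) and applies a `type,-modified` sort to a constructed list of activity records so the ordering rule is visible without a live tenant.

```python
"""Query construction and sort semantics for Get Account Activities (added example)."""
from typing import Dict, List, Optional

# Fields the connector documentation lists as sortable.
SORT_FIELDS = {"type", "created", "modified"}
DEFAULT_LIMIT = 250


def parse_sorters(sort_by: Optional[str]) -> List[str]:
    """Validate a comma-separated sort list such as 'type,-modified'.

    A leading '-' means descending. Unknown fields are rejected up front so a
    typo fails inside the playbook instead of as an error from the service.
    """
    if not sort_by:
        return []
    sorters = []
    for raw in sort_by.split(","):
        token = raw.strip()
        field = token[1:] if token.startswith("-") else token
        if field not in SORT_FIELDS:
            raise ValueError(f"unsupported sort field {field!r}; allowed: {sorted(SORT_FIELDS)}")
        sorters.append(token)
    return sorters


def build_activities_query(type_: Optional[str] = None, requested_for: Optional[str] = None,
                           requested_by: Optional[str] = None, regarding_identity: Optional[str] = None,
                           sort_by: Optional[str] = None, limit: int = DEFAULT_LIMIT,
                           offset: int = 0) -> Dict[str, str]:
    """Build the query parameters, enforcing the documented mutual exclusion.

    'requested-for', 'requested-by' and 'regarding-identity' are the names the
    documentation uses; 'sorters' is assumed to be the service's sort parameter.
    """
    if regarding_identity is not None and (requested_for is not None or requested_by is not None):
        raise ValueError("regarding-identity cannot be combined with requested-for or requested-by")
    if limit <= 0 or offset < 0:
        raise ValueError("limit must be positive and offset non-negative")
    params: Dict[str, str] = {"limit": str(limit), "offset": str(offset)}
    for name, value in (("type", type_), ("requested-for", requested_for),
                        ("requested-by", requested_by), ("regarding-identity", regarding_identity)):
        if value is not None:
            params[name] = value
    sorters = parse_sorters(sort_by)
    if sorters:
        params["sorters"] = ",".join(sorters)
    return params


def sort_activities(items: List[dict], sort_by: str) -> List[dict]:
    """Apply a sort list locally so the meaning of 'type,-modified' is visible.

    Python's sort is stable, so sorting by the least significant key first and
    the primary key last yields primary-then-secondary ordering.
    """
    ordered = list(items)
    for token in reversed(parse_sorters(sort_by)):
        descending = token.startswith("-")
        field = token.lstrip("-")
        ordered.sort(key=lambda item: item.get(field, ""), reverse=descending)
    return ordered


# Constructed sample activities; the shape follows the output schema above.
SAMPLE_ACTIVITIES = [
    {"id": "act-1", "type": "Certification", "modified": "2024-01-10T08:00:00Z"},
    {"id": "act-2", "type": "Access Request", "modified": "2024-01-12T08:00:00Z"},
    {"id": "act-3", "type": "Access Request", "modified": "2024-01-15T08:00:00Z"},
    {"id": "act-4", "type": "Identity Refresh", "modified": "2024-01-11T08:00:00Z"},
]


def demo() -> List[str]:
    """Type ascending, then modified descending: act-3, act-2, act-1, act-4."""
    return [a["id"] for a in sort_activities(SAMPLE_ACTIVITIES, "type,-modified")]
```

`sort_activities` is only there to make the documented ordering concrete; in a playbook the service performs the sort and the local helper can be dropped, while the validation in `build_activities_query` is the part worth keeping.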
Operation: Get Password Info

Parameter | Description |
---|---|
User Name | Specify the login name of the user for whom the password information is required. |
Source Name | Specify the display name of the third-party application, database, or directory management system that maintains this account (Source). |
The output contains the following populated JSON schema:
```json
{
  "identityId": "",
  "sourceId": "",
  "publicKeyId": "",
  "publicKey": "",
  "accounts": [
    {
      "accountId": "",
      "accountName": ""
    }
  ],
  "policies": []
}
```
Operation: Reset Password

Parameter | Description |
---|---|
User Name | Specify the login name of the user for whom the password is to be reset. |
Source Name | Specify the display name of the third-party application, database, or directory management system that maintains this account (Source). |
Identity ID | Specify the ID of the identity that requested the password change. |
Password | Specify the RSA-encrypted password to set for this user. |
Public Key ID | Specify the encryption key ID. This ID is returned in the response of the Get Password Info operation. |
Account ID | Specify the ID of the account for which you are setting the password. |
Source ID | Specify the ID of the third-party application, database, or directory management system that maintains this account (Source). |
The output contains the following populated JSON schema:
```json
{
  "requestId": "",
  "state": ""
}
```
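Reset Password is the one operation here where the playbook itself handles a secret: the new password must never travel to the service in the clear, but must be RSA-encrypted with the `publicKey` that Get Password Info returns and submitted together with the matching `publicKeyId`, `identityId`, `accountId` and `sourceId`. The following Python is an added example of that two-step flow, not part of the connector or of SailPoint's code. It assumes the `publicKey` field is a base64-encoded DER SubjectPublicKeyInfo, that the service expects PKCS#1 v1.5 padding with the ciphertext base64-encoded, and that the request body field is named `encryptedPassword`; the round-trip check generates a throwaway key pair standing in for the tenant's key so the example runs offline. It requires the `cryptography` package.

```python
"""Reset Password flow: Get Password Info response -> RSA-encrypt -> request body (added example)."""
import base64
import json
from typing import Dict

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

PLAINTEXT_FOR_DEMO = "constructed-Example-Pa55"  # constructed value, never a real credential


def pick_account(password_info: dict, account_name: str) -> str:
    """Resolve accountName -> accountId from the Get Password Info response."""
    for acct in password_info.get("accounts", []):
        if acct.get("accountName") == account_name:
            return acct["accountId"]
    raise LookupError(f"no account named {account_name!r} in password info")


def encrypt_password(plaintext: str, public_key_b64: str) -> str:
    """Encrypt the new password with the tenant's public key.

    Assumptions: publicKey is base64 DER SubjectPublicKeyInfo, padding is
    PKCS#1 v1.5, and the service wants the ciphertext base64-encoded.
    """
    key = serialization.load_der_public_key(base64.b64decode(public_key_b64))
    ciphertext = key.encrypt(plaintext.encode("utf-8"), padding.PKCS1v15())
    return base64.b64encode(ciphertext).decode("ascii")


def build_set_password_request(password_info: dict, account_name: str, new_password: str) -> Dict[str, str]:
    """Assemble the Reset Password body; 'encryptedPassword' is an assumed field name."""
    return {
        "identityId": password_info["identityId"],
        "publicKeyId": password_info["publicKeyId"],
        "encryptedPassword": encrypt_password(new_password, password_info["publicKey"]),
        "accountId": pick_account(password_info, account_name),
        "sourceId": password_info["sourceId"],
    }


def demo_roundtrip() -> Dict[str, object]:
    """Constructed end-to-end check with a throwaway key pair in place of the tenant's."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_der = private_key.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    password_info = {  # constructed; shape follows the Get Password Info output schema
        "identityId": "ident-0001",
        "sourceId": "src-0001",
        "publicKeyId": "key-0001",
        "publicKey": base64.b64encode(public_der).decode("ascii"),
        "accounts": [{"accountId": "acct-0001", "accountName": "jdoe"}],
        "policies": [],
    }
    body = build_set_password_request(password_info, "jdoe", PLAINTEXT_FOR_DEMO)
    # Only the holder of the private key (the service) can recover the password.
    recovered = private_key.decrypt(
        base64.b64decode(body["encryptedPassword"]), padding.PKCS1v15()).decode("utf-8")
    return {
        "body_keys": sorted(body),
        "public_key_id": body["publicKeyId"],
        "account_id": body["accountId"],
        "recovered": recovered,
        "plaintext_in_body": PLAINTEXT_FOR_DEMO in json.dumps(body),
    }
```

Because the `publicKeyId` must match the key used for encryption, a playbook should take both values from the same Get Password Info response rather than caching the key across runs; and since the page notes that only the identity owner or a trusted API client may set the password, the client credentials configured for the connector are what authorise this call and should be scoped and stored accordingly.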
Operation: Enable Account

Parameter | Description |
---|---|
ID | Specify the ID of the account to enable. |
External Verification ID | Specify an ID generated by an external process that validates that users want to proceed with enabling their account. |
Force Provisioning | (Optional) Specify whether to provision the account attribute update at the source. Use this option to ensure the attribute is updated. Providing `true` for an unlocked account adds an Unlock operation, which the workflow then processes. |
The output contains the following populated JSON schema:
```json
{
  "id": ""
}
```
Operation: Disable Account

Parameter | Description |
---|---|
ID | Specify the ID of the account to disable. |
External Verification ID | Specify an ID generated by an external process that validates that users want to proceed with enabling their account. |
Force Provisioning | (Optional) Specify whether to provision the account attribute update at the source. Use this option to ensure the attribute is updated. Providing `true` for an unlocked account adds an Unlock operation, which the workflow then processes. |
The output contains the following populated JSON schema:
```json
{
  "id": ""
}
```
Operation: Unlock Account

Parameter | Description |
---|---|
ID | Specify the ID of the account to disable. |
External Verification ID | Specify an ID generated by an external process that validates that users want to proceed with enabling their account. |
Unlock IDN Account | (Optional) Specify whether the IDN account is to be unlocked after the workflow completes. |
Force Provisioning | (Optional) Specify whether to provision the account attribute update at the source. Use this option to ensure the attribute is updated. Providing `true` for an unlocked account adds an Unlock operation, which the workflow then processes. |
The output contains the following populated JSON schema:
```json
{
  "id": ""
}
```
Operation: Grant Access

Parameter | Description |
---|---|
Requested For | Specify a CSV list of identity IDs for whom access is requested. |
Requested Items | Specify the following information in JSON format: |
Client Metadata | (Optional) Specify the client metadata in JSON format. |
The output contains the following populated JSON schema:
```json
{
  "status": "",
  "result": ""
}
```
Operation: Revoke Access

Parameter | Description |
---|---|
Requested For | Specify the identity ID for which the access revoke is requested. For a revoke request, there can only be one identity ID. |
Requested Items | Specify the following information in JSON format: |
Client Metadata | (Optional) Specify the client metadata in JSON format. |
The output contains the following populated JSON schema:
```json
{
  "status": "",
  "result": ""
}
```
The Sample - SailPoint IdentityNow - 1.0.0 playbook collection comes bundled with the SailPoint IdentityNow connector. These playbooks contain steps with which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the SailPoint IdentityNow connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.