About the connector
SailPoint IdentityNow is a modern SaaS-based Identity Security solution that provides a centralized way to see and control every user's access to resources across hybrid IT environments while ensuring regulatory compliance. The SailPoint IdentityNow connector facilitates automated operation for identity management.
This document provides information about the SailPoint IdentityNow connector, which facilitates automated interactions with SailPoint IdentityNow using FortiSOAR™ playbooks. Add the SailPoint IdentityNow connector as a step in FortiSOAR™ playbooks and perform automated operations, such as getting account details, setting or resetting passwords, or approving and revoking access to accounts using SailPoint IdentityNow.
Version information
Connector Version: 1.0.0
Authored By: Community
Certified: No
Installing the connector
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-sailpoint-identitynow
Prerequisites to configuring the connector
- You must have the URL of the SailPoint IdentityNow server to which you will connect and perform automated operations and credentials to access that server.
- The FortiSOAR™ server should have outbound connectivity to port 443 on the SailPoint IdentityNow server.
Minimum Permissions Required
Configuring the connector
For the procedure to configure a connector, click here
Configuration parameters
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the SailPoint IdentityNow connector card. On the connector popup, click the Configurations tab to enter the required configuration details:
| Parameter |
Description |
| Server URL |
The service-based URL of the SailPoint IdentityNow server to which you will connect and perform automated operations. |
| Client ID |
Unique ID of the SailPoint IdentityNow application that is used to create an authentication token, or the personal access token, required to access the API. |
| Client Secret |
Unique Client Secret of the SailPoint IdentityNow application that is used to create an authentication token, or the personal access token, required to access the API. For information on how to get the secret key, see generating a personal access token article. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set to True. |
Actions supported by the connector
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™:
| Function |
Description |
Annotation and Category |
| Get Accounts |
Retrieves a list of all accounts, from the SailPoint IdentityNow system, based on the level of detail required and the count of results to return. |
get_accounts
Investigation |
| Get Account Details |
Retrieves the details for a single account based on the account ID you have specified. |
get_account_details
Investigation |
| Get Account Activity |
Retrieves a single account activity based on the account activity ID you have specified. |
get_account_activities
Investigation |
| Get Account Activities |
Retrieves a collection of account activities based on the type of account activity requested, the count of results, and the requester details you have specified. |
get_account_activity
Investigation |
| Get Password Info |
Retrieves password-related information based on the username you have specified. |
get_password_info
Investigation |
| Reset Password |
Sets a password for an identity based on the identity ID, public key, and the RSA encrypted password you have specified. The password can only be set by the actual identity owner or by a trusted API client application. |
reset_password
Containment |
| Enable Account |
Submits a task to enable an account based on the account ID you have specified. |
enable_account
Containment |
| Disable Account |
Submits a task to disable an account based on the account ID you have specified. |
disable_account
Containment |
| Unlock Account |
Submits a task to unlock an account based on the account ID you have specified. |
unlock_account
Containment |
| Grant Access |
Grants access to roles, profiles, or entitlements based on the JSON formatted request that you have sent for granting access. |
grant_access
Containment |
| Revoke Access |
Revokes access to roles, profiles, or entitlements based on the JSON formatted request that you have sent for revoking access. |
revoke_access
Containment |
operation: Get Accounts
Input parameters
| Parameter |
Description |
| Filter |
(Optional) Specify filter criteria to filter results using the standard syntax described in SailPoint IdentityNow's V3 API Standard Collection ParametersThe API supports filtering only in some fields and with limited operators. The following is a list of fields and operators supported:
- id:
eq, in
- identityId:
eq
- name:
eq, in
- nativeIdentity:
eq, in
- sourceId:
eq, in
- uncorrelated:
eq
For example: identityId eq "2c9180858082150f0180893dbaf44201". Here,
identityId is the fieldeq is the operator, and2c9180858082150f0180893dbaf44201 is an example of identity ID
|
| Detail Level |
(Optional) Specify the level of detail required when getting the list of accounts. The available options are: SLIM or FULL; FULL being the default behavior. |
| Limit |
(Optional) Specify the maximum number of records to return in a single API call. If it is not specified, the default limit(250) is used. |
| Offset |
(Optional) Specify the offset of the first result from the beginning of the collection. The offset value is record-based, not page-based, and the index starts at 0. For example, offset=0 and limit=20 returns records 0-19, but offset=1 and limit=20 returns records 1-20. |
Output
The output contains the following populated JSON schema:
{
"id": "",
"name": "",
"created": "",
"modified": "",
"sourceId": "",
"identityId": "",
"attributes": {},
"authoritative": "",
"description": "",
"disabled": "",
"locked": "",
"nativeIdentity": "",
"systemAccount": "",
"uncorrelated": "",
"uuid": "",
"manuallyCorrelated": "",
"hasEntitlements": ""
}
operation: Get Account Details
Input parameters
| Parameter |
Description |
| Account ID |
Specify the ID of the account for which you are retrieving the details. |
Output
The output contains the following populated JSON schema:
{
"id": "",
"name": "",
"created": "",
"modified": "",
"sourceId": "",
"identityId": "",
"attributes": {},
"authoritative": "",
"description": "",
"disabled": "",
"locked": "",
"nativeIdentity": "",
"systemAccount": "",
"uncorrelated": "",
"uuid": "",
"manuallyCorrelated": "",
"hasEntitlements": ""
}
operation: Get Account Activity
Input parameters
| Parameter |
Description |
| Activity ID |
Specify the account activity ID to get a single account activity like an Access Request, Certification, or Identity Refresh. |
Output
The output contains the following populated JSON schema:
{
"id": "",
"name": "",
"created": "",
"modified": "",
"completed": "",
"completionStatus": "",
"type": "",
"requesterIdentitySummary": {
"id": "",
"name": "",
"identityId": "",
"completed": ""
},
"targetIdentitySummary": {
"id": "",
"name": "",
"identityId": "",
"completed": ""
},
"errors": [],
"warnings": [],
"items": [
{
"id": "",
"name": "",
"requested": "",
"approvalStatus": "",
"provisioningStatus": "",
"requesterComment": {
"commenterId": "",
"commenterName": "",
"body": "",
"date": ""
},
"reviewerIdentitySummary": {
"id": "",
"name": "",
"identityId": "",
"completed": ""
},
"reviewerComment": {
"commenterId": "",
"commenterName": "",
"body": "",
"date": ""
},
"operation": "",
"attribute": "",
"value": "",
"nativeIdentity": "",
"sourceId": "",
"accountRequestInfo": {
"requestedObjectId": "",
"requestedObjectName": "",
"requestedObjectType": ""
},
"clientMetadata": {},
"removeDate": ""
}
],
"executionStatus": "",
"clientMetadata": {}
}
operation: Get Account Activities
Input parameters
| Parameter |
Description |
| Type |
(Optional) Specify the type of account activity. For example, an Access Request, Certification, or Identity Refresh. |
| Requested For |
(Optional) Specify the identity for which the activity was requested. me indicates the current user. This field is mutually exclusive with regarding-identity. |
| Requested By |
(Optional) Specify the identity that requested the activity. me indicates the current user. This field is mutually exclusive with regarding-identity. |
| Regarding Identity |
(Optional) Specify the identity of either the requester or target of the account activity. me indicates the current user. This field is mutually exclusive with requested-for and requested-by. |
| Sort By |
(Optional) Specify a comma-separated list of fields to sort results based on those fields. The supported fields are type, created, and modified. For example, to sort primarily by type in ascending order, and secondarily by modified date in descending order, enter the following code in this field
type,-modified. |
| Limit |
(Optional) Specify the maximum number of records to return in a single API call. If it is not specified, the default limit(250) is used. |
| Offset |
(Optional) Specify the offset of the first result from the beginning of the collection. The offset value is record-based, not page-based, and the index starts at 0. For example, offset=0 and limit=20 returns records 0-19, but offset=1 and limit=20 returns records 1-20. |
Output
The output contains the following populated JSON schema:
{
"id": "",
"name": "",
"created": "",
"modified": "",
"completed": "",
"completionStatus": "",
"type": "",
"requesterIdentitySummary": {
"id": "",
"name": "",
"identityId": "",
"completed": ""
},
"targetIdentitySummary": {
"id": "",
"name": "",
"identityId": "",
"completed": ""
},
"errors": [],
"warnings": "",
"items": [
{
"id": "",
"name": "",
"requested": "",
"approvalStatus": "",
"provisioningStatus": "",
"requesterComment": {
"commenterId": "",
"commenterName": "",
"body": "",
"date": ""
},
"reviewerIdentitySummary": {
"id": "",
"name": "",
"identityId": "",
"completed": ""
},
"reviewerComment": {
"commenterId": "",
"commenterName": "",
"body": "",
"date": ""
},
"operation": "",
"attribute": "",
"value": "",
"nativeIdentity": "",
"sourceId": "",
"accountRequestInfo": {
"requestedObjectId": "",
"requestedObjectName": "",
"requestedObjectType": ""
},
"clientMetadata": {
"property1": "",
"property2": ""
},
"removeDate": ""
}
],
"executionStatus": "",
"clientMetadata": {
"property1": "",
"property2": ""
},
"cancelable": "",
"cancelComment": {
"commenterId": "",
"commenterName": "",
"body": "",
"date": ""
}
}
operation: Get Password Info
Input parameters
| Parameter |
Description |
| User Name |
Specify the login name of the user for whom the password information is required. |
| Source Name |
Specify the display name of the third-party application, database, or directory management system that maintains this account (Source). |
Output
The output contains the following populated JSON schema:
{
"identityId": "",
"sourceId": "",
"publicKeyId": "",
"publicKey": "",
"accounts": [
{
"accountId": "",
"accountName": ""
}
],
"policies": []
}
operation: Reset Password
Input parameters
| Parameter |
Description |
| User Name |
Specify the login name of the user for whom the password is to be reset. |
| Source Name |
Specify the display name of the third-party application, database, or directory management system that maintains this account (Source). |
| Identity ID |
Specify the ID of the identity that requested the password change. |
| Password |
Specify the RSA encrypted password to set for this user. |
| Public Key ID |
Specify the encryption key ID. This ID is returned as a response from the Get Password operation. |
| Account ID |
Specify the ID of the account for which you are setting the password. |
| Source ID |
Specify the ID of the third-party application, database, or directory management system that maintains this account (Source). |
Output
The output contains the following populated JSON schema:
{
"requestId": "",
"state": ""
}
operation: Enable Account
Input parameters
| Parameter |
Description |
| ID |
Specify the ID of the account to enable it. |
| External Verification ID |
Specify an ID generated by an external process that validates if users want to proceed with enabling their account. |
| Force Provisioning |
(Optional) Specify if you want to provision the account attribute update at the source. Use this option to ensure the attribute is updated. Providing true for an unlocked account will add and process Unlock operation by the workflow. |
Output
The output contains the following populated JSON schema:
{
"id": ""
}
operation: Disable Account
Input parameters
| Parameter |
Description |
| ID |
Specify the ID of the account to disable. |
| External Verification ID |
Specify an ID generated by an external process that validates if users want to proceed with enabling their account. |
| Force Provisioning |
(Optional) Specify if you want to provision the account attribute update at the source. Use this option to ensure the attribute is updated. Providing true for an unlocked account will add and process Unlock operation by the workflow. |
Output
The output contains the following populated JSON schema:
{
"id": ""
}
operation: Unlock Account
Input parameters
| Parameter |
Description |
| ID |
Specify the ID of the account to disable. |
| External Verification ID |
Specify an ID generated by an external process that validates if users want to proceed with enabling their account. |
| Unlock IDN Account |
(Optional) Specify if the IDN account is to be unlocked after the workflow completes. |
| Force Provisioning |
(Optional) Specify if you want to provision the account attribute update at the source. Use this option to ensure the attribute is updated. Providing true for an unlocked account will add and process Unlock operation by the workflow. |
Output
The output contains the following populated JSON schema:
{
"id": ""
}
operation: Grant Access
Input parameters
| Parameter |
Description |
| Requested For |
Specify a CSV list of identity IDs for whom access is requested. |
| Requested Items |
Specify the following information in JSON format:
- type: Specify the type of item being requested. Possible values are
ACCESS_PROFILE, ROLE, ENTITLEMENT
- id: ID of the type (
ACCESS_PROFILE, ROLE, ENTITLEMENT) being requested
- comment: Any comment provided by the requester
|
| Client Metadata |
(Optional) Specify the client metadata in JSON format. |
Output
The output contains the following populated JSON schema:
{
"status": "",
"result": ""
}
operation: Revoke Access
Input parameters
| Parameter |
Description |
| Requested For |
Specify the identity ID for which the access revoke is requested. For a revoke request, there can only be one identity ID. |
| Requested Items |
Specify the following information in JSON format:
- type: Specify the type of item for revoking access. Possible values are
ACCESS_PROFILE, ROLE, ENTITLEMENT
- id: Specify the ID of the type (
ACCESS_PROFILE, ROLE, ENTITLEMENT) for revoking access
- comment: Specify a comment. It is required when revoking access.
|
| Client Metadata |
(Optional) Specify the client metadata in JSON format. |
Output
The output contains the following populated JSON schema:
{
"status": "",
"result": ""
}
Included playbooks
The Sample - SailPoint IdentityNow - 1.0.0 playbook collection comes bundled with the SailPoint IdentityNow connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the SailPoint IdentityNow connector.
- Disable Account
- Enable Account
- Get Account Activities
- Get Account Activity
- Get Account Details
- Get Accounts
- Get Password Info
- Grant Access
- Reset Password
- Revoke Access
- Unlock Account
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.
