SailPoint STI (Simple Table Integration)
STI is an extensive SailPoint-specific integration, with configuration required on both sides, resulting in automatic synchronization and workflow. This option requires the SailPoint integration license. See the STI Setup section that follows.
SCIM (System for Cross-domain Identity Management)
SCIM is an application-level REST protocol for managing user identity data between domains. The PAM REST API includes a SCIM section, including several undocumented SailPoint-specific extensions. For information about enabling the REST API, see Connect with SCIM API. For information about the SCIM standard, see http://www.simplecloud.info/. For information about the SailPoint side of the integration, see the SailPoint documentation. The STI configuration is not necessary when using SCIM.
Clustering
When Privileged Access Manager
STI Setup
Configuration
For the SailPoint configuration options to appear, the SailPoint integration option must be licensed. SailPoint STI uses port 3306 to communicate with PAM. Port 3306 is the default MySQL port: the SailPoint application reads and writes the integration tables over this connection with the Database User and Database Password configured below, so allow the port only from the SailPoint servers that you list in the SailPoint Whitelist, and block it from everywhere else at the network firewall as well.
To configure SailPoint integration in Privileged Access Manager:
1. Go to Configuration, 3rd Party, SailPoint.
2. Enter the Database User and Database Password. The password is used in the SailPoint configuration, which follows.
3. Set the Update Interval, in seconds. This value determines how often Privileged Access Manager checks for incoming SailPoint requests and exports relevant data to SailPoint.
4. For SailPoint Whitelist, enter at least one SailPoint server address. These addresses are the only connections allowed for SailPoint integration. Valid entries are IP address, hostname, and FQDN values. Hostname and FQDN entries are matched by name resolution, so they are only as trustworthy as the DNS that Privileged Access Manager uses; IP addresses avoid that dependency.
5. Select Save to save your settings.
6. Select Install to set up the SailPoint integration tables. The installation is done only once. This button is enabled if SailPoint is licensed, and disabled again once the installation is complete.
7. Select Download to acquire a zip file of the Privileged Access Manager SailPoint application. Use this file during the configuration of the SailPoint side of the integration. Unzip this file and save CAPamConfiguration.xml in a location accessible by your SailPoint application.
The Import button is optional. You can manually direct Privileged Access Manager to read the provisioning queue. Import is also done automatically according to the Update Interval setting.
The Export button is optional. You can manually direct Privileged Access Manager to populate the SailPoint tables. Export is also done automatically according to the Update Interval setting.
SailPoint Configuration
Before you configure the integration in SailPoint IdentityIQ, ensure that these prerequisites are met:
Install the LCM (Lifecycle Manager) module for SailPoint
Install the STI (Simple Table Integration) integration for SailPoint
To configure the integration in SailPoint, follow these steps:
1. In SailPoint IdentityIQ, select the configuration gear icon and select Global Settings. The Global Settings page appears.
2. Select the Import from File option in the lower right.
3. Select Choose File under Import Objects. Select CAPamConfiguration.xml, which you downloaded during the Privileged Access Manager configuration.
4. Select Import.
5. Under Applications, Application Definitions, select the CAPam application. The Edit Application CAPam page appears.
6. Select the Configuration tab.
7. Under Settings, enter the correct Connection Password, which is not provided in the configuration XML file. This password is the Database Password that you entered in step 2 of the Privileged Access Manager configuration. Because the XML does not carry the password, you must enter it here and under each of the Object Types that follow.
8. Scroll down to Object Type: usergroup. Under Settings, enter the correct Connection Password.
9. Scroll down to Object Type: role. Under Settings, enter the correct Connection Password.
10. Scroll down to Object Type: group. Under Settings, enter the correct Connection Password.
11. Scroll to the bottom of the page and select Test Connection. "Test successful" appears. If not, edit the passwords.
12. Select Save to save your changes.
For your specific SailPoint IdentityIQ configuration, you can change the default provisioning policies that are provided by Privileged Access Manager:
1. Under Configuration, select Provisioning Policies.
2. Under Object Type: account, for the Create Type, select User. The Attributes for User appear.
3. Select an Attribute, such as lastName. See Operations and Attributes for a list of the supported operations and attributes. The Edit Options appear on the right.
4. Select Value Settings. The value for lastName can be a static Value, be Dependent, be determined by a Script, or be determined by a Rule.
5. If you want to save your changes, select Save.
6. On the Edit Application CAPam, Password Policy page, configure a default password policy that follows the default password policy set for Privileged Access Manager users.
Operations and Attributes
The following operations and attributes are supported for SailPoint integration. The listed attributes must be associated with a rule or value in a Provisioning Policy in the SailPoint CAPam application for attributes to sync. The CAPam application is configured with some default values, but clients might need to adjust these settings.
Create a User
To create a user with the "local" authType, all the listed attributes are required. To create a user with the "cac" authType, none of the listed attributes are required.
firstName: User first name
lastName: User last name
email: User email address
password: User password
authType: supported values are local or cac (for smartcard users)
IIQDisabled: true if user is disabled, or false if user is enabled
Roles and User Groups are assigned as Entitlements.
Modify a User
To modify a user, all attributes are optional.
firstName: User first name
lastName: User last name
email: User email address
password: User password
authType: supported values are local or cac (for smartcard users)
IIQDisabled: true if user is disabled, or false if user is enabled
Roles and User Groups are assigned or removed as Entitlements.
Delete a User
No attributes
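The Create, Modify and Delete rules above are easy to get wrong in a provisioning policy (for example, a local user created without a password, or an authType the connector does not know). The following is an added example, not code from the Privileged Access Manager or SailPoint documentation: a pre-flight validator that encodes those rules so a request can be checked before it is handed to the CAPam application. The attribute names, operations and authType values come from this page; the request shape (an operation name plus a dictionary of attributes) and the decision to require authType on Create are assumptions of this example, not a documented STI format.

```python
"""Pre-flight validation of SailPoint -> PAM provisioning requests.

Added example: the request shape used here (operation name plus a dict of
attribute values) is an assumption, not the STI table format. Entitlements
(Roles and User Groups) are managed by SailPoint separately and are not
checked here.
"""

# Attributes the CAPam application can sync (from Operations and Attributes).
SYNC_ATTRIBUTES = ("firstName", "lastName", "email", "password", "authType", "IIQDisabled")
AUTH_TYPES = ("local", "cac")       # cac = smartcard users
BOOLEANS = ("true", "false")        # IIQDisabled is a true/false value
OPERATIONS = ("Create", "Modify", "Delete")


def _value_errors(attrs):
    """Checks that apply to Create and Modify whatever subset of attributes is present."""
    errors = []
    for name in attrs:
        if name not in SYNC_ATTRIBUTES:
            errors.append(f"unsupported attribute {name!r} will not sync")
    auth = attrs.get("authType")
    if auth is not None and auth not in AUTH_TYPES:
        errors.append(f"authType must be one of {AUTH_TYPES}, got {auth!r}")
    disabled = attrs.get("IIQDisabled")
    if disabled is not None and str(disabled).lower() not in BOOLEANS:
        errors.append(f"IIQDisabled must be true or false, got {disabled!r}")
    return errors


def validate_request(operation, attrs):
    """Return a list of problems; an empty list means the request matches the contract."""
    if operation not in OPERATIONS:
        return [f"unsupported operation {operation!r}"]
    if operation == "Delete":
        # Delete takes no attributes; anything supplied points at a mis-built policy.
        return [f"Delete takes no attributes, got {sorted(attrs)}"] if attrs else []
    errors = _value_errors(attrs)
    if operation == "Create":
        auth = attrs.get("authType")
        if auth is None:
            # Choice of this example: the required set depends on authType, so demand it.
            errors.append("Create requires authType so the required attributes can be determined")
        elif auth == "local":
            # Local users need every listed attribute (notably a password).
            missing = [a for a in SYNC_ATTRIBUTES if a not in attrs]
            if missing:
                errors.append(f"local Create is missing required attributes {missing}")
        # authType cac: none of the listed attributes are required.
    # Modify: every attribute is optional, so only the value checks apply.
    return errors


if __name__ == "__main__":
    # Constructed sample requests, not captured from a live integration.
    samples = [
        ("Create", {"firstName": "Ada", "lastName": "Lovelace", "email": "ada@example.com",
                    "password": "S3cret!pw", "authType": "local", "IIQDisabled": "false"}),
        ("Create", {"firstName": "Ada", "authType": "local"}),
        ("Create", {"authType": "cac"}),
        ("Modify", {"authType": "ldap"}),
        ("Delete", {"email": "ada@example.com"}),
    ]
    for op, attrs in samples:
        print(op, attrs, "->", validate_request(op, attrs) or "OK")
```

Run it as a script to see each constructed request judged; in practice the same checks belong in the rule or script that feeds the provisioning policy, so that a bad request is rejected before it reaches the provisioning queue and shows up as an error in the Activity Log.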
Aggregation Tasks
As part of the CAPam application setup in SailPoint, aggregation tasks are defined in SailPoint to collect the user and entitlement data from Privileged Access Manager. These tasks should be scheduled to execute regularly to keep this data in sync with Privileged Access Manager. Follow these steps:
1. From the main SailPoint menu, select Setup, Tasks. Two Tasks are set up by the initial configuration:
CAPam Account Aggregation regularly reads the Privileged Access Manager User table to keep in sync with Users and their entitlements.
CAPam Group Aggregation reads Privileged Access Manager User Roles and Groups and creates SailPoint Entitlements from them.
2. To schedule a task, right-click and select Schedule from the drop-down list to display the New Schedule dialog.
3. Select the Scheduled Tasks tab to edit schedules. You can select the Run Now box on the Edit Schedule tab to run the Task immediately.
4. To see a list of SailPoint entitlements, go to the main menu, Applications, Entitlement Catalog.
Workflow Example
Once everything is configured in Privileged Access Manager
1. In SailPoint, go to Home, and select Manage User Access. An IdentityIQ user list appears under the Select Users tab.
2. Select a User and select the Manage Access tab.
3. Select Filters on the right. The Filter Access panel appears.
4. From the Entitlement Application drop-down list, select CAPam, and Apply. The Roles and User Groups that are imported from Privileged Access Manager appear as Entitlements.
5. Select a User Group or Role as an Entitlement.
6. Select the Review tab at the top of the page.
7. If the listed Add Access Entitlements are correct, select Submit at the bottom of the page. The Home page appears with a Success message at the top of the page. SailPoint sends this data to Privileged Access Manager as a provisioning request.
8. In Privileged Access Manager, go to Users, Manage Users, and find the new (or updated) User. The User should have the matching information, including Roles and Groups, as applicable. The User should be able to log in to Privileged Access Manager with the appropriate entitlements.
9. An Aggregation Task runs in SailPoint, reading the information in the Privileged Access Manager integration tables. This Task closes the loop on the operation.
Activity Log
The Activity Log displays information about every action pertaining to the SailPoint integration. Create, delete, and update actions, their source, time, and results are listed. To view the Activity Log, follow these steps:
1. Go to Configuration, 3rd Party, SailPoint.
2. Select the Activity Log tab.
The log table is sortable by clicking column headings. You can filter data using the controls above the headings. The Info column provides error messages, if applicable.