IdentityNow connector for EPM-UL (BIUL)

This guide covers the steps to configure the IdentityNow Connector for EPM-UL (BIUL).

Prerequisites

  • IdentityNow instance
  • Endpoint Privilege Management for Unix and Linux (EPM-UL)
  • BeyondInsight for Unix & Linux (BIUL) 23.1

Use cases

  • Joiner, Mover, and Leaver (JML)
  • Access Request
  • Access Governance

Introduction

BeyondInsight for Unix & Linux (BIUL) is a web-based tool that you use to:

  • Manage software for AD Bridge and Endpoint Privilege Management for Unix and Linux.
  • Remotely assess the suitability of a remote host's state by running a profile. After a profile is complete, installs, uninstalls, domain joins, and other actions can be performed on remote hosts.
  • Manage Endpoint Privilege Management for Unix and Linux licenses on policy servers.
  • Manage Endpoint Privilege Management for Unix and Linux script, File Integrity Monitoring (FIM), and role-based policies.
  • Manage Sudo host groups and FIM policy host assignment.
  • View, replay, and audit Endpoint Privilege Management for Unix and Linux logs.

Organizations using SailPoint IdentityNow can use this guide to configure a Source or Connector to BeyondInsight for Unix & Linux, using the generic Web Services Source template. You can use the Source for Provisioning, Access Request, Access Certification, Reporting, etc.

Configuration

ℹ️

Note

A preconfigured Swagger UI (/swagger) is available as part of BeyondInsight for Unix & Linux (BIUL) and can be used to test API access.

To start the configuration process, in IdentityNow, connect as admin, navigate to Connections > Sources, and then click Create New.

Create web services or connector

For source type, select Web Services, and then click Configure.

Base configuration

On the left side menu, select Base Configuration.

Complete the Source Name, Description, Source Owner, and Virtual Appliance Cluster fields, and then click Save.

Connection settings

Collect the connection information from the BIUL > Console Access > Edit User Roles page.

To set the connection settings:

  1. On the left side menu, select Connection Settings.
  2. Ensure that Custom Authentication type is selected, and then complete the Base URL, Username, and Password fields.
  3. Click Save.

HTTP operations

Once you have created the Web Services Source or Connector, you must create each individual HTTP Operation.

On the left side menu, select HTTP Operations.

Authenticate (custom authentication)

On the HTTP Operations panel, click Add Operation and set the Operation Type to Custom Authentication.

General information

To set the Authenticate information:

  1. On the Authenticate panel, ensure that General Information is selected.
  2. Enter a unique Operation Name.
  3. Ensure the Operation Type is set to Custom Authentication.
  4. Enter the Context URL.
  5. Replace the BIUL instance https://ubuntu-elk:58082 with the actual BIUL server URL you want to configure the connector for.
  6. Ensure the HTTP Method is set to POST.
  7. Click Save.

Headers

To set the Headers information:

  1. On the Authenticate panel, select Headers.
  2. Complete the Key and Value fields.
  3. To add additional key and value information, click Add Another.
  4. When done, click Save.

Body

To set the Body information:

  1. On the Authenticate panel, select Body.
  2. Select Raw.
  3. Complete the Body information by entering the following text:
{"domain":"","dsDomain":"","dsID":0,"password":"$application.password$","username":"$application.username$"}
  4. Click Save.

Response information

To set the Response Information:

  1. On the Authenticate panel, select Response Information.
  2. Set the Root Path and Success Codes.
  3. Click Save.

Response mapping

To set the Response Mapping information:

  1. On the Authenticate panel, select Response Mapping.
  2. Save the token included in the response into a _CA variable for encrypted values.
  3. Click Save.

Test connection

This guide uses Account Aggregation for the Test Connection operation.

On the HTTP Operations panel, click Add Operation and set the Operation Type to Test Connection.

General information

To set the Test Connection information:

  1. On the Test Connection panel, ensure that General Information is selected.
  2. Enter a unique Operation Name.
  3. Ensure the Operation Type is set to Test Connection.
  4. Enter the Context URL.
  5. Ensure the HTTP Method is set to GET.
  6. Click Save.

Headers

Headers must include the Access Token generated by Custom Authentication. All HTTP Operations will need the Authorization Header with the token value.

To set the Headers information:

  1. On the Test Connection panel, select Headers.
  2. Complete the Key and Value fields.
  3. To add additional key and value information, click Add Another.
  4. When done, click Save.

Response information

To set the Response Information:

  1. On the Test Connection panel, select Response Information.
  2. Set the Root Path and Success Codes.
  3. Click Save.

Account aggregation

General information

To set the Account Aggregation information:

  1. On the Account Aggregation panel, ensure that General Information is selected.
  2. Enter a unique Operation Name.
  3. Ensure the Operation Type is set to Account Aggregation.
  4. Enter the Context URL.
  5. Ensure the HTTP Method is set to GET.
  6. Click Save.

Headers

To set the Headers information:

  1. On the Account Aggregation panel, select Headers.
  2. Complete the Key and Value fields.
  3. To add additional key and value information, click Add Another.
  4. When done, click Save.

Response information

To set the Response Information:

  1. On the Account Aggregation panel, select Response Information.
  2. Set the Root Path and Success Codes.
  3. Click Save.

Response mapping

To set the Response Mapping information:

  1. On the Account Aggregation panel, select Response Mapping.
  2. Set a Schema Attribute and the Attribute Path.
  3. To add additional values, click Add Another.
  4. When done, click Save.

Role aggregation

General information

To set the Role Aggregation information:

  1. On the Role Aggregation panel, ensure that General Information is selected.
  2. Enter a unique Operation Name.
  3. Ensure the Operation Type is set to Group Aggregation.
  4. Enter the Context URL.
  5. Ensure the HTTP Method is set to GET.
  6. Click Save.

Headers

To set the Headers information:

  1. On the Role Aggregation panel, select Headers.
  2. Complete the Key and Value fields.
  3. To add additional key and value information, click Add Another.
  4. When done, click Save.

Response information

To set the Response Information:

  1. On the Role Aggregation panel, select Response Information.
  2. Set the Root Path and Success Codes.
  3. Click Save.

Response mapping

To set the Response Mapping information:

  1. On the Role Aggregation panel, select Response Mapping.
  2. Set a Schema Attribute and the Attribute Path.
  3. To add additional values, click Add Another.
  4. When done, click Save.

Create account

General information

To set the Create Account information:

  1. On the Create Account panel, ensure that General Information is selected.
  2. Enter a unique Operation Name.
  3. Ensure the Operation Type is set to Create Account.
  4. Enter the Context URL.
  5. Ensure the HTTP Method is set to POST.
  6. Click Save.

Headers

To set the Headers information:

  1. On the Create Account panel, select Headers.
  2. Complete the Key and Value fields.
  3. To add additional key and value information, click Add Another.
  4. When done, click Save.

Body

To set the Body information:

  1. On the Create Account panel, select Body.
  2. Select Raw.
  3. Complete the Body information by entering the text as written below.
{
 "active": $plan.active$,
 "email": "$plan.email$",
 "firstname": "$plan.firstname$",
 "lastname": "$plan.lastname$",
 "password": "$plan.password$",
 "passwordConfirm": "$plan.password$",
 "username": "$plan.username$"
}

Response information

To set the Response Information:

  1. On the Create Account panel, select Response Information.
  2. Set the Root Path and Success Codes.
  3. Click Save.

Response mapping

To set the Response Mapping information:

  1. On the Create Account panel, select Response Mapping.
  2. Set a Schema Attribute and the Attribute Path.
  3. To add additional values, click Add Another.
  4. When done, click Save.

Add role to user and remove role from user

General information

To set the Add Role to User information:

  1. On the Add Role to User panel, ensure that General Information is selected.
  2. Enter a unique Operation Name, such as Add Role to User.
  3. Ensure the Operation Type is set to Add Entitlement.
  4. Enter the Context URL.
  5. Ensure the HTTP Method is set to PUT.
  6. Click Save.

To set the Remove Role from User information:

  1. On the Remove Role from User panel, ensure that General Information is selected.
  2. Enter a unique Operation Name, such as Remove Role from User.
  3. Ensure the Operation Type is set to Remove Entitlement.
  4. Enter the Context URL.
  5. Ensure the HTTP Method is set to DELETE.
  6. Click Save.

Headers

To set the Headers information:

  1. On the Add Role to User (or Remove Role from User) panel, select Headers.
  2. Complete the Key and Value fields.
  3. To add additional key and value information, click Add Another.
  4. When done, click Save.

Response information

To set the Response Information:

  1. On the Add Role to User (or Remove Role from User) panel, select Response Information.
  2. Set the Root Path and Success Codes.
  3. Click Save.

Response mapping

To set the Response Mapping information:

  1. On the Add Role to User (or Remove Role from User) panel, select Response Mapping.
  2. Set a Schema Attribute and the Attribute Path.
  3. To add additional values, click Add Another.
  4. When done, click Save.

Disable account and enable account

Both HTTP Operations are accomplished in two steps, and only differ in the General Information and Body page for step 2 (Disable Account – 2 and Enable Account – 2).

Disable account-1 and enable account-1

General information

To set the Disable Account-1 information:

  1. On the Disable Account-1 panel, ensure that General Information is selected.
  2. Enter a unique Operation Name, such as Disable Account-1.
  3. Ensure the Operation Type is set to Disable Account.
  4. Enter the Context URL.
  5. Ensure the HTTP Method is set to GET.
  6. Click Save.

To set the Enable Account-1 information:

  1. On the Enable Account-1 panel, ensure that General Information is selected.
  2. Enter a unique Operation Name, such as Enable Account-1.
  3. Ensure the Operation Type is set to Enable Account.
  4. Enter the Context URL.
  5. Ensure the HTTP Method is set to GET.
  6. Click Save.

Headers

To set the Headers information:

  1. On the Disable Account-1 (or Enable Account-1) panel, select Headers.
  2. Complete the Key and Value fields.
  3. To add additional key and value information, click Add Another.
  4. When done, click Save.

Response information

To set the Response Information:

  1. On the Disable Account-1 (or Enable Account-1) panel, select Response Information.
  2. Set the Root Path and Success Codes.

Response mapping

To set the Response Mapping information:

  1. On the Disable Account-1 (or Enable Account-1) panel, select Response Mapping.
  2. Set a Schema Attribute and the Attribute Path.
  3. To add additional values, click Add Another.
  4. When done, click Save.

Disable account-2 and enable account-2

General information

To set the Disable Account-2 information:

  1. On the Disable Account-2 panel, ensure that General Information is selected.
  2. Enter a unique Operation Name, such as Disable Account-2.
  3. Ensure the Operation Type is set to Disable Account.
  4. Enter the Context URL.
  5. Ensure the HTTP Method is set to PUT.
  6. Click Save.

To set the Enable Account-2 information:

  1. On the Enable Account-2 panel, ensure that General Information is selected.
  2. Enter a unique Operation Name, such as Enable Account-2.
  3. Ensure the Operation Type is set to Enable Account.
  4. Enter the Context URL.
  5. Ensure the HTTP Method is set to PUT.
  6. Click Save.

Headers (disable account-2 only)

To set the Headers information:

  1. On the Disable Account-2 panel, select Headers.
  2. Complete the Key and Value fields.
  3. To add additional key and value information, click Add Another.
  4. When done, click Save.

Body (disable account-2 and enable account-2)

To set the Body information for Disable Account-2:

  1. On the Disable Account-2 panel, select Body.
  2. Select Raw.
  3. Complete the Body information by entering the text as written below.
{
 "username": "$response.username$",
 "email": "$response.email$",
 "firstname": "$response.firstname$",
 "lastname": "$response.lastname$",
 "active": false
}
  4. When done, click Save.

To set the Body information for Enable Account-2:

  1. On the Enable Account-2 panel, select Body.
  2. Select Raw.
  3. Complete the Body information by entering the text as written below.
{
 "username": "$response.username$",
 "email": "$response.email$",
 "firstname": "$response.firstname$",
 "lastname": "$response.lastname$",
 "active": true
}
  4. When done, click Save.

Response information (disable account-2 only)

To set the Response Information:

  1. On the Disable Account-2 panel, select Response Information.
  2. Set the Root Path and Success Codes.
  3. Click Save.

Response mapping (disable account-2 only)

To set the Response Mapping information:

  1. On the Disable Account-2 panel, select Response Mapping.
  2. Set a Schema Attribute and the Attribute Path.
  3. To add additional values, click Add Another.
  4. When done, click Save.

Update password

General information

To set the Update Password information:

  1. On the Update Password panel, ensure that General Information is selected.
  2. Enter a unique Operation Name.
  3. Ensure the Operation Type is set to Change Password.
  4. Enter the Context URL.
  5. Ensure the HTTP Method is set to PUT.
  6. Click Save.

Headers

To set the Headers information:

  1. On the Update Password panel, select Headers.
  2. Complete the Key and Value fields.
  3. To add additional key and value information, click Add Another.
  4. When done, click Save.

Body

To set the Body information:

  1. On the Update Password panel, select Body.
  2. Select Raw.
  3. Complete the Body information by entering the text as written below.
{"new_password":"$plan.password$"}

Response information

To set the Response Information:

  1. On the Update Password panel, select Response Information.
  2. Set the Root Path and Success Codes.
  3. Click Save.

Response mapping

To set the Response Mapping information:

  1. On the Update Password panel, select Response Mapping.
  2. Set a Schema Attribute and the Attribute Path.
  3. To add additional values, click Add Another.
  4. When done, click Save.

Unlock account

General information

To set the Unlock Account information:

  1. On the Unlock Account panel, ensure that General Information is selected.
  2. Enter a unique Operation Name.
  3. Ensure the Operation Type is set to Unlock Account.
  4. Enter the Context URL.
  5. Ensure the HTTP Method is set to DELETE.
  6. Click Save.

Headers

To set the Headers information:

  1. On the Unlock Account panel, select Headers.
  2. Complete the Key and Value fields.
  3. To add additional key and value information, click Add Another.
  4. When done, click Save.

Response information

To set the Response Information:

  1. On the Unlock Account panel, select Response Information.
  2. Set the Root Path and Success Codes.
  3. Click Save.

Response mapping

To set the Response Mapping information:

  1. On the Unlock Account panel, select Response Mapping.
  2. Set a Schema Attribute and the Attribute Path.
  3. To add additional values, click Add Another.
  4. When done, click Save.

Delete account

General information

To set the Delete Account information:

  1. On the Delete Account panel, ensure that General Information is selected.
  2. Enter a unique Operation Name.
  3. Ensure the Operation Type is set to Delete Account.
  4. Enter the Context URL.
  5. Ensure the HTTP Method is set to DELETE.
  6. Click Save.

Headers

To set the Headers information:

  1. On the Delete Account panel, select Headers.
  2. Complete the Key and Value fields.
  3. To add additional key and value information, click Add Another.
  4. When done, click Save.

Response information

To set the Response Information:

  1. On the Delete Account panel, select Response Information.
  2. Set the Root Path and Success Codes.
  3. Click Save.

This completes the list of HTTP Operations.

Now that we have HTTP Operations defined, we can test the connection.

Test the connection

To test the connection:

  1. On the left side menu, select Review and Test.
  2. On the Base Configuration panel, click Test Connection. Upon a successful connection, a Test Success! message appears.
  3. Click Return to Source Page.

ℹ️

Note

If BIUL uses a self-signed certificate, or a certificate from a Certification Authority that IdentityNow does not already trust, the BIUL root certificate (base64 encoded) must be placed on each Virtual Appliance, in the ~/sailpoint/certificates directory. Refer to the SailPoint documentation for the detailed steps.

Add a correlation rule

Add a correlation rule so BIUL accounts map to Identities.

  1. Under Connections, select the Import Data tab.
  2. Select Correlation.
  3. Complete the Correlation Configuration fields.

Create account and provisioning policy

For Create Account, you need a provisioning policy. The provisioning policy must be uploaded into the Connector using the IdentityNow REST API.

⚠️

Important

This step requires a SailPoint REST API call, typically made by a developer. For more information, see SailPoint APIs.

  1. Under Connections, select the Accounts tab.
  2. Select Create Account.

Provisioning policies:

{
    "name": "Account",
    "description": null,
    "usageType": "CREATE",
    "fields": [
        {
            "name": "password",
            "transform": {
                "type": "static",
                "attributes": {
                    "value": "P@ssw0rd123"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "active",
            "transform": {
                "type": "static",
                "attributes": {
                    "value": true
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "boolean",
            "isMultiValued": false
        },
        {
            "name": "username",
            "transform": {
                "type": "identityAttribute",
                "attributes": {
                    "name": "uid"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "email",
            "transform": {
                "type": "identityAttribute",
                "attributes": {
                    "name": "email"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "firstname",
            "transform": {
                "type": "identityAttribute",
                "attributes": {
                    "name": "firstname"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        },
        {
            "name": "lastname",
            "transform": {
                "type": "identityAttribute",
                "attributes": {
                    "name": "lastname"
                }
            },
            "attributes": {},
            "isRequired": false,
            "type": "string",
            "isMultiValued": false
        }
    ]
}
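
Added example (not BeyondTrust or SailPoint code): a Python check that cross-references the `$plan.<field>$` placeholders in the Create Account body with the provisioning policy fields, verifies that quoting matches each field's type, and flags a secret field fed by a `static` transform, which gives every created account the same initial password and keeps it in cleartext in the policy. The finding names and the `SECRET_FIELDS` list are assumptions of this example.

```python
import re

# Create Account body template, copied from this guide.
CREATE_BODY = """{
 "active": $plan.active$,
 "email": "$plan.email$",
 "firstname": "$plan.firstname$",
 "lastname": "$plan.lastname$",
 "password": "$plan.password$",
 "passwordConfirm": "$plan.password$",
 "username": "$plan.username$"
}"""

def _field(name, ftype, transform, attrs):
    """Build one policy field with only the keys this check reads."""
    return {"name": name, "type": ftype,
            "transform": {"type": transform, "attributes": attrs}}

# The guide's provisioning policy, condensed to the keys this check reads.
SAMPLE_POLICY = {"name": "Account", "usageType": "CREATE", "fields": [
    _field("password", "string", "static", {"value": "P@ssw0rd123"}),
    _field("active", "boolean", "static", {"value": True}),
    _field("username", "string", "identityAttribute", {"name": "uid"}),
    _field("email", "string", "identityAttribute", {"name": "email"}),
    _field("firstname", "string", "identityAttribute", {"name": "firstname"}),
    _field("lastname", "string", "identityAttribute", {"name": "lastname"}),
]}

SECRET_FIELDS = {"password", "passwordconfirm"}  # assumption: names treated as secrets
PLACEHOLDER = re.compile(r'(")?\$plan\.(\w+)\$(")?')

def placeholders(body):
    """Map each $plan.<name>$ to True if every occurrence sits inside quotes."""
    seen = {}
    for m in PLACEHOLDER.finditer(body):
        quoted = bool(m.group(1)) and bool(m.group(3))
        seen[m.group(2)] = seen.get(m.group(2), True) and quoted
    return seen

def lint_policy(policy, body):
    """Return (finding, field) tuples; finding names are this example's own."""
    findings = []
    used = placeholders(body)
    fields = {f["name"]: f for f in policy.get("fields", [])}
    if policy.get("usageType") != "CREATE":
        findings.append(("wrong-usage-type", str(policy.get("usageType"))))
    # Placeholders with no policy field are sent to BIUL unresolved.
    for name in sorted(used.keys() - fields.keys()):
        findings.append(("unmapped-placeholder", name))
    for name in sorted(fields.keys() - used.keys()):
        findings.append(("unused-field", name))
    # String values must be quoted in the body; booleans must not be.
    for name in sorted(fields.keys() & used.keys()):
        if (fields[name].get("type") == "string") != used[name]:
            findings.append(("quoting-mismatch", name))
    # A static transform on a secret means one shared, cleartext initial password.
    for name, field in sorted(fields.items()):
        transform = field.get("transform") or {}
        if name.lower() in SECRET_FIELDS and transform.get("type") == "static":
            findings.append(("static-secret", name))
    return findings

if __name__ == "__main__":
    for finding, name in lint_policy(SAMPLE_POLICY, CREATE_BODY):
        print(f"{finding}: {name}")
```

Run against the policy and body from this guide, the only finding is the static `password` field.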

Aggregate accounts and entitlements

You can now aggregate accounts and set entitlements.

Aggregate accounts

  1. Under Connections, select the Accounts tab.
  2. Select User Accounts.

Entitlements

Under Connections, select the Entitlements tab.

Access profiles

Access Profiles with associated Roles and Applications allow support for various use cases including Joiner, Mover, Leaver (JML), and Access Request.

