SailPoint Identity IQ
What is the SailPoint IdentityIQ integration?
SailPoint IdentityIQ delivers full lifecycle and compliance management for comprehensive identity security. IdentityIQ is an on-premises product, used by large and small organizations.
BeyondTrust Remote Support supercharges the service desk with secure access and support for any device, any system, from anywhere – including Windows, macOS, Linux, Android, and iOS.
How is this integration useful?
Many organizations are looking for an integration between SailPoint IdentityIQ and Remote Support. This guide provides a connector, based on the Web Services Connector in IdentityIQ, and includes step-by-step instructions for importing and configuring the connector and its associated rules.
Supported use cases
- Accounts Aggregation with Pagination support
- Groups Aggregation for Group Policies
- Create Account
- Add/Remove Group Policy for Accounts
- Enable/Disable Account
- Change Password
- Update Account
- Delete Account
Requirements
- IdentityIQ 8.1+, patched
- BeyondTrust Remote Support 23.1+
Create API account
In BeyondTrust Remote Support, navigate to Management - API Configuration, and Add an API account:
- For the Configuration API, check Allow Access.
- Copy the OAuth Client ID and OAuth Client Secret, as these are needed later.
Note
For more information about adding API accounts, see API Configuration.
Import the Rules and the BTSRA Connector
- Download the zip archive from the SailPoint Developer Community: https://developer.sailpoint.com/discuss/t/identityiq-connector-for-beyondtrust-privileged-remote-access-remote-support/74886
- The zip archive includes two rules and the application or connector.
- Edit the application XML file and replace the name with the name you want to use for your application. This must be done before importing the application XML.
- In SailPoint, go to Global Settings, then select Import from File. Import the two rules and the application.
Configure SailPoint
- Go to Applications, Application Definition.
- Under Configuration, Settings, replace the example Base URL and Token URL with the correct values for your BeyondTrust instance.
- Enter the Client ID and Client Secret for the API account.
- Under Correlation, assign a correlation rule, so accounts can be correlated to identities within IdentityIQ.
- Go to Provisioning Policies under Configuration.
- Click Create Account under Name.
- Click the + sign for Section 1, and select Add Field.
- Set the Name to private_display_name, and check Required under Type Settings.
- Enter the Value for Script as: return identity.getAttribute("firstname")+' '+identity.getAttribute("lastname");
- Before you can save your changes, an owner must be assigned to the Details page.
- Now you should be able to successfully test the connection for the application.
Aggregate accounts and groups
- Go to Setup, then Tasks.
- Create an aggregation task for accounts and one for groups.
- Execute both tasks.
- You can now view the accounts with one or multiple group policies.
- Under Applications, Entitlement Catalog, you can view the group policies.
- For each group policy, you can view the members.
Advanced configuration
The Application Configuration includes pairs of HTTP operations for account aggregation, and add/remove entitlements:
- Account Aggregation – 1: includes support for pagination.
- Account Aggregation – 2: used to resolve the multi-valued groups account attribute. Accounts can have multiple group policies assigned, and the BeanShell rule imported earlier is used to correctly populate the multi-valued groups attribute on each account.
- Remove Entitlement – 1: uses the other BeanShell rule to resolve the unique membership ID for each account-to-group-policy assignment. That membership ID is required by the Remove Entitlement – 2 endpoint.
- Remove Entitlement – 2: sets the nativeIdentity header value. This header is not used by the BeyondTrust API; it exists so that the BeanShell After Rule can extract the account ID from the request.
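The following Python model illustrates the logic the two BeanShell rules described above have to perform: paging through account results, folding per-membership records into a multi-valued groups attribute on each account, and resolving the membership ID that a removal request must reference from the account ID carried in the nativeIdentity header. It is an added example, not the connector's or BeyondTrust's own code; all field names, the page structure and the sample records are constructed for the illustration and do not come from the real API.

```python
"""Model of the aggregation / entitlement-removal logic the connector's
BeanShell rules perform (added example; constructed data, not real API output)."""
from typing import Callable, Dict, Iterator, List, Optional

# Constructed: two pages of an account listing, as paged through by
# "Account Aggregation - 1". The field names are assumptions.
ACCOUNT_PAGES = [
    {"accounts": [{"id": 101, "username": "asmith"},
                  {"id": 102, "username": "bjones"}],
     "next_page": 2},
    {"accounts": [{"id": 103, "username": "cwu"}],
     "next_page": None},
]

# Constructed: one record per (account, group policy) assignment. Each
# assignment has its own membership id, which is what a removal must cite.
MEMBERSHIPS = [
    {"membership_id": 5001, "account_id": 101, "group_policy_id": 10},
    {"membership_id": 5002, "account_id": 101, "group_policy_id": 20},
    {"membership_id": 5003, "account_id": 102, "group_policy_id": 10},
]


def fetch_page(page_number: int) -> dict:
    """Stand-in for the HTTP call; returns the constructed page body."""
    return ACCOUNT_PAGES[page_number - 1]


def iterate_accounts(fetch: Callable[[int], dict]) -> Iterator[dict]:
    """Follow next_page until it is absent; skip ids already seen so a
    server that repeats a record across pages cannot duplicate an account."""
    page: Optional[int] = 1
    seen = set()
    while page is not None:
        body = fetch(page)
        for acct in body["accounts"]:
            if acct["id"] in seen:
                continue
            seen.add(acct["id"])
            yield acct
        page = body.get("next_page")


def aggregate_accounts(fetch: Callable[[int], dict],
                       memberships: List[dict]) -> Dict[str, dict]:
    """Build the account objects IdentityIQ would receive: nativeIdentity plus
    a multi-valued groups attribute. Accounts with no memberships get an empty
    list rather than no attribute, so stale entitlements are cleared on aggregation."""
    groups_by_account: Dict[int, List[str]] = {}
    for m in memberships:
        groups_by_account.setdefault(m["account_id"], []).append(str(m["group_policy_id"]))
    result: Dict[str, dict] = {}
    for acct in iterate_accounts(fetch):
        result[acct["username"]] = {
            "nativeIdentity": str(acct["id"]),
            "groups": sorted(groups_by_account.get(acct["id"], [])),
        }
    return result


def account_id_from_headers(headers: Dict[str, str]) -> str:
    """What the After Rule does with the nativeIdentity header set by
    "Remove Entitlement - 2": read the account id out of it, failing loudly
    if the header is absent rather than issuing an unscoped removal."""
    value = headers.get("nativeIdentity")
    if not value:
        raise ValueError("nativeIdentity header missing")
    return value


def resolve_membership_id(memberships: List[dict], native_identity: str,
                          group_policy_id: str) -> Optional[int]:
    """Equivalent of "Remove Entitlement - 1": find the membership id for one
    account-to-group-policy assignment; None means there is nothing to remove."""
    for m in memberships:
        if (str(m["account_id"]) == native_identity
                and str(m["group_policy_id"]) == group_policy_id):
            return m["membership_id"]
    return None


if __name__ == "__main__":
    accounts = aggregate_accounts(fetch_page, MEMBERSHIPS)
    for name, attrs in accounts.items():
        print(name, attrs)
    acct_id = account_id_from_headers({"nativeIdentity": "101"})
    print("membership to remove:", resolve_membership_id(MEMBERSHIPS, acct_id, "20"))
```

The two checks worth carrying over into the real rules are the ones around the edges: an account with no memberships must still present an empty groups attribute, and a removal whose membership lookup returns nothing should be reported as a failed provisioning result rather than silently succeeding.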