SSF Tools Loopback Connector User Guide

SSF Tools: IdentityIQ Loopback Connector
User Guide
IdentityIQ Loopback Connector User Guide Page 2 of 9
Document Revision History
Revision Date | Written/Edited By | Comments
January 2017 | Christian Cairney | Initial version released with SSD v3
March 3rd 2017 | Christian Cairney | New features: Filter on identities with entitlements, correlated identities and custom filter expression
May 18th, 2018 | Christian Cairney | Updated documentation with note on projected queries and the object schema
May 23rd 2018 | Christian Cairney | Enabled Password and Authenticate features
© Copyright 2018 SailPoint Technologies, Inc., All Rights Reserved.
SailPoint Technologies, Inc. makes no warranty of any kind with regard to this manual, including, but not limited to, the implied
warranties of merchantability and fitness for a particular purpose. SailPoint Technologies shall not be liable for errors
contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing,
performance, or use of this material.
Restricted Rights Legend. All rights are reserved. No part of this document may be photocopied, reproduced, or translated to
another language without the prior written consent of SailPoint Technologies. The information contained in this document is
subject to change without notice.
Use, duplication or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c) (1) (ii) of the
Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 for DOD agencies, and subparagraphs (c)
(1) and (c) (2) of the Commercial Computer Software Restricted Rights clause at FAR 52.227-19 for other agencies.
Regulatory/Export Compliance. The export and reexport of this software is controlled for export purposes by the U.S.
Government. By accepting this software and/or documentation, licensee agrees to comply with all U.S. and foreign export laws
and regulations as they relate to software and related documentation. Licensee will not export or reexport outside the United
States software or documentation, whether directly or indirectly, to any Prohibited Party and will not cause, approve or
otherwise intentionally facilitate others in so doing. A Prohibited Party includes: a party in a U.S. embargoed country or country
the United States has named as a supporter of international terrorism; a party involved in proliferation; a party identified by the
U.S. Government as a Denied Party; a party named on the U.S. Government's Entities List; a party prohibited from
participation in export or reexport transactions by a U.S. Government General Order; a party listed by the U.S. Government's
Office of Foreign Assets Control as ineligible to participate in transactions subject to U.S. jurisdiction; or any party that licensee
knows or has reason to know has violated or plans to violate U.S. or foreign export laws or regulations. Licensee shall ensure
that each of its software users complies with U.S. and foreign export laws and regulations as they relate to software and
related documentation.
Trademark Notices. Copyright © 2018 SailPoint Technologies, Inc. All rights reserved. SailPoint, the SailPoint logo, SailPoint
IdentityIQ, and SailPoint Identity Analyzer are trademarks of SailPoint Technologies, Inc. and may not be used without the
prior express written permission of SailPoint Technologies, Inc. All other trademarks shown herein are owned by the
respective companies or persons indicated.
Table of Contents
Overview
  Supported Features
Installation
Application Details
  Application Type
Configuration
  Settings
    Ignore non correlated Identities
    Ignore identities with no entitlements
    Identity Filter
Schema attributes
  Account Attributes
  Workgroup Attributes
  Capability Attributes
Passthrough Authentication and Password features
Overview
The IdentityIQ Loopback connector is designed to read in IdentityIQ Identities and expose them as
accounts. Out of the box, the connector exposes workgroups and permissions as entitlements which
can be re-used in roles and for LCM access requests and certifications. It is compatible with IdentityIQ
6.4 and later.
The connector uses the SailPoint Provisioning API to avoid locking issues and supports Delta
Aggregation to reduce aggregation times.
This connector supports Provisioning and Search.
Supported Features
The IdentityIQ Loopback connector supports:
• Account Management
  o Manages IdentityIQ Identity cubes as Accounts
  o Aggregation, Delta Aggregation
  o Password
  o Authentication
  o Update
    - Create is not supported and is transformed to a modify
    - Delete is not supported and is transformed to a modify
• Account Group Management
  o Workgroups are a pseudo class, aggregated using Identity + isWorkgroup = true
  o Capabilities are aggregated as is.
Installation
The IdentityIQ Loopback connector consists of the following class files:
Filename | Description
LoobackConnector.java | Main Loopback Connector java class
The configuration files are:
Filename | Description
IIQ_Application_Config.xml | Connector Registry merge config file to describe the connector
These files are included in the Services Standard Deployment (SSD) and automatically deployed with
your project using the Services Standard Build (SSB). Follow the SSB instructions to create a build for
your environment and deploy the files.
If you wish to prevent automated deployment of the IdentityIQ Loopback Connector you can set the
following property in the build.properties file in the SSD:
deployIIQLoopbackConnector=false
This prevents the Connector Registry updates being made, although the connector Java class will still
be added to the resulting build.
Application Details
Application Type
The Application Type is “IdentityIQ Loopback Connector”.
Configuration
Settings
Ignore non correlated Identities
If this option is checked, then only correlated accounts will be aggregated.
Ignore identities with no entitlements
If this option is checked, only identities that have at least one entitlement value, based on this
application's schema, will be aggregated.
Identity Filter
An IdentityIQ Filter expression that is applied when querying for Identity objects during aggregation.
Schema attributes
The application schema is used to configure the objects returned from a connector. When a connector
is called, the schema is supplied to the methods on the connector interface. This connector currently
supports three types of objects: account, workgroup and capability. Account objects are used when
building an identity's Link objects. The workgroup and capability schemas are used when building
AccountGroup objects, which hold entitlements shared across identities.
NB: Any object schema’s attributes must be marked up as searchable; non-searchable attributes cannot be queried for
and will result in an error.
Account Attributes
Type | Description
string | Identity cube name
string | Identity first name
string | Identity last name
string | Identity display name
workgroup | Multi value list of all the workgroups the identity has a membership of
capability | Multi value list of the capabilities assigned to the identity
String | Identity inactive flag
Workgroup Attributes
Type | Description
string | Workgroup name
string | Workgroup display name
capability | Multi value list of the capabilities assigned to the workgroup
Capability Attributes
Type | Description
string | Capability name
Passthrough Authentication and Password features
The Loopback Connector supports AUTHENTICATION and PASSWORD features which allow the
implementer to configure this Loopback connector for pass through authentication and allow the reset
of the identity password through the application password management pages.
The main use case for these features on this connector is to enable password self-service if the identity
does not have an authentication-enabled application correlated which can be used for pass through
authentication.
The Loopback connector Authentication feature respects IdentityIQ’s account lockout and disable
features.