AD Home Lab LDAPS Setup for SailPoint IDN TLS Connection

Welcome 2020 (Or not)!!! 

Really this year needs to end. Period. Hope everyone is keeping safe and indoors as much as possible.

Been a while I haven’t written something.

Anyways I had a local VM for Active Directory running for my home lab for SailPoint IDN. Now I wanted to setup TLS connection for it. So I thought easy

  1. Create a csr request in AD
  2. Generate a crt
  3. Import the cert in AD
  4. Test Connection via ldp or IDN.

I didn’t want to go through installing a AD CA role for this one process. So I thought I will use OpenSSL which was installed on my Mac. There are many excellent guides on how to enable LDAPS in AD by generating a self signed certificate. By far the easiest I found was this one

But what I found was that the cert being generated didn’t contain the SAN. Found many such issues linked online with openssl command. This is how I fixed it.

Followed the guide till where v3ext.txt is being generated. But used my own as below

The IP Address and additional DNS is just an example. My domain name in example is “abc.local” and DC name is “”. You can add additional DNS entries as per your requirements

And modified the command to execute this file

Rest is all the same in guide. You will get the certificate generated with SAN and imported into your DC. LDAPS will work and IDN and IQService will connect via TLS. And forget about it for 10 years 😛 

Aah the green box of approval from IDN!!! Gods are happy & everything is good in world again!!! 

Hope it helps someone setup their own AD lab at home for AD LDAPS TLS connection without a CA server. Of course this will not be a problem in an enterprise deployment.


SailPoint Certified IdentityNow Engineer!!!

So happy to report that I successfully passed the exam and now a certified SailPoint IdentityNow Engineer!!!

Exam was very interesting. Proctored by Examity and involved with DOMC style questions and rating. Keeps you on your toes and you can’t just luck your way out of it.

For more information on the IDN Engineer Exam, head over to the SailPoint University Website.

SailPoint Certified IdentityNow Engineer




Navigate-d Successfully!!!

Continuing the previous post.. Happy to say Navigate Sydney 2019 was a successful event!!! 😅

The training went pretty well I reckon. Larger crowd than I expected in my class. I would say about 100-150 people in attendance. 

Few pictures of the event uploaded with a snippet of my training (unprofessional video but thankful to an ex colleague to take it).

If you want the full video or more information lemme know.

Presenting @ SailPoint Flagship Event – Navigate Sydney 2019

Hey Guys

Will be presenting on the topic “Practical IdentityNow REST API Examples” on the 2nd Day (Training) August 15th 2019.

It is the flagship event of SailPoint and has industry leaders attending it with focus on how SailPoint can help in identity governance and what the future holds. The only other such event from SailPoint is in Austin which happened earlier this year.

Looking forward to it and hopefully won’t get a stage fright 😰

Give me a shout if you can make it to the event. It is FREE to register & attend!!! Did I also mention free food 🙂 

Here is a snippet of what you can look forward to

Practical IdentityNow REST API Examples

Piyush Khandelwal

Get a fast-paced introduction to the REST API and the out-of-the-box Seaspray transforms available from IdentityNow. We’ll combine these two topics to show you how to design, build and deploy a transform, giving you the ability to extend the functionality of IdentityNow with these key features.

More Info & Register:

See you there!!!


Terminology Comparison: MIM vs SailPoint IDN

So I’ve been learning SailPoint IdentityNow (IDN) and I am rattling my brains trying to match what I know about MIM and make sense in my brain and relate to the terms and how they are the same/similar but have different names in each product.

I have done up a little comparison table showing the most common things I have understood till date and tried to put it in words the way they are termed differently in MIM and IDN.

I am not an expert in either and not saying they are essentially correct or which product is better than other (btw there is no right answer to that – each have clear pros and cons depending on what you want in a product) but just trying to bridge the gap on understanding what they are in each.

 MIMSailPoint IDN
Data TypeHas various like integer, string etc.Everything is defined as string essentially.
ConnectionDirect via MA which has config parameters.Done via a VA (Virtual Appliance) which is a lightweight custom Linux VM deployed at customer side (think of it as a secure tunnel from cloud IDN to your network).
Management Agents (MA)Individual connectors connected to sources.Called a Source - Downstream or upstream.
Connector Space (CS)Staging area for data in a connector.Shows up in the Accounts tab in the Source.
DisconnectorsObjects which had not connected to MV.Called "Uncorrelated Accounts" under the import data tab of the source.
Metaverse (MV)Where all the identities are connected to each MA and the fullest form of it in essence.Identity List which has links to all the sources.
Projection & ProvisioningEach MA has the rules and mappings to project a CS into MV and to the external source as well.Each Identity Profile has a mapping against a source and also provisioning rules. Sources which have an Identity Profile are also called Authoritative Source and ones which't don't are called Non-Authoritative.
Join RulesRules which join CS objects to MV based on defined criteria.Called "Correlation" in the Source where we define those criteria.
GroupsAD or MIM GroupsCalled Entitlements. It doesn't show groups as MIM does i.e. Group Management is not a thing. You do User Management with entitlements i.e. group membership.
ImportImporting objects from a connector to CS.Called "Account Aggregation" or "Entitlement Aggregation" which brings in the data.
AD Password Sync from DCDone via PCNSDone via PWI (Password Interceptor)
AD WriteDirect via ADMANeeds a domain joined computer with IQService installed.
Automation of logicSets / MPR and Workflows in MIM Portal.Does it via Access Profiles , Roles and Identity Profiles in IDN Portal.
Advance RulesDone via Workflows and other advanced methods like MIMWAL etc.Called Rules written in JAVA/BeanShell wrapped with XML.
Under the hood configLot of config is exported and modified in XML.Extensive API access mainly giving JSON outputs with few XML as well.

Feel free to correct me where I am wrong and / or if you want me to add something else or explain something more in details, do reach out.

Hopefully it made sense to someone!!!