Piyush Khandelwal, Author at IdAM Thoughts

How to run SailPoint IIQ on Synology NAS v2 – Slim Edition

So after my previous post I got a lot of queries about it. Thanks for reading it 🙂

Wanted a slimmer edition which didn’t require all the additional dockers like LDAP etc

So v2 – slim edition

Note: All disclaimers still valid from previous post

Build

This time I am using this git repo: https://github.com/steffensperling/sailpoint-iiq

Only changes to docker-compose.yaml was the path to my own locations. Also ports as current 8080 were used for other containers. Passwords and ports obviously changed 🙂

version: '2'
services:
  db:
    image: mariadb:latest
    container_name: sailpoint-iiq-mariadb-3306
    ports: 
      - "3306:3306"
    volumes:
      - '/volume1/docker/sailpoint-iiq/data/db:/var/lib/mysql'
    environment:
      - MYSQL_USER=identityiq
      - MYSQL_PASSWORD=identityiq
      - MYSQL_DATABASE=identityiq
      - MYSQL_ROOT_PASSWORD=password
  iiq:
    build: ./iiq-build
    image: sailpoint-iiq
    container_name: sailpoint-iiq-8085
    ports:
      - "8085:8080"
      - "9009:8009"
    environment:
      - MYSQL_USER=identityiq
      - MYSQL_PASSWORD=identityiq
      - MYSQL_DATABASE=identityiq
      - MYSQL_ROOT_PASSWORD=password
    depends_on:
      - db
    volumes:
    - '/volume1/docker/sailpoint-iiq/data/webapps:/opt/tomcat/webapps'

version: '2'

services:

db:

image: mariadb:latest

container_name: sailpoint-iiq-mariadb-3306

ports:

- "3306:3306"

volumes:

- '/volume1/docker/sailpoint-iiq/data/db:/var/lib/mysql'

environment:

- MYSQL_USER=identityiq

- MYSQL_PASSWORD=identityiq

- MYSQL_DATABASE=identityiq

- MYSQL_ROOT_PASSWORD=password

iiq:

build: ./iiq-build

image: sailpoint-iiq

container_name: sailpoint-iiq-8085

ports:

- "8085:8080"

- "9009:8009"

environment:

- MYSQL_USER=identityiq

- MYSQL_PASSWORD=identityiq

- MYSQL_DATABASE=identityiq

- MYSQL_ROOT_PASSWORD=password

depends_on:

- db

volumes:

- '/volume1/docker/sailpoint-iiq/data/webapps:/opt/tomcat/webapps'

Main changes were to Dockerfile under iiq-build folder. The one on the github is not using latest debian and also had issues installing Oracle JDK

Here is the modified version

FROM debian:latest

MAINTAINER Steffen Sperling <steffen.sperling@ventum.com>

ENV TOMCAT_VERSION 9.0.46
ENV IIQ_VERSION 8.1

# Fix sh
RUN rm /bin/sh && ln -s /bin/bash /bin/sh

# Install dependencies
RUN apt-get update && \
apt-get install -y apt-utils wget vim unzip tar default-mysql-client openjdk-11-jdk

# Define commonly used JAVA_HOME variable
ENV JAVA_HOME /usr/lib/jvm/java-11-openjdk-amd64

RUN java -version

# Get Tomcat
RUN wget --quiet --no-cookies http://www-eu.apache.org/dist/tomcat/tomcat-9/v${TOMCAT_VERSION}/bin/apache-tomcat-${TOMCAT_VERSION}.tar.gz -O /tmp/tomcat.tgz && \
tar xzvf /tmp/tomcat.tgz -C /opt && \
mv /opt/apache-tomcat-${TOMCAT_VERSION} /opt/tomcat && \
rm /tmp/tomcat.tgz && \
rm -rf /opt/tomcat/webapps/examples && \
rm -rf /opt/tomcat/webapps/docs && \
rm -rf /opt/tomcat/webapps/ROOT

# Add admin/admin user
ADD tomcat-users.xml /opt/tomcat/conf/
run mkdir -p /opt/tomcat/conf/Catalina/localhost
ADD manager.xml /opt/tomcat/conf/Catalina/localhost
# add IIQ
COPY src/identityiq-${IIQ_VERSION}.zip /tmp
RUN unzip /tmp/identityiq-${IIQ_VERSION}.zip identityiq.war && \
mkdir /opt/tomcat/webapps/identityiq && \
unzip identityiq.war -d /opt/tomcat/webapps/identityiq && \
chmod +x /opt/tomcat/webapps/identityiq/WEB-INF/bin/iiq && \
rm identityiq.war

RUN mkdir /opt/tomcat/webapps/ROOT
COPY index.html /opt/tomcat/webapps/ROOT

COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh

ENV CATALINA_HOME /opt/tomcat
ENV PATH $PATH:$CATALINA_HOME/bin

EXPOSE 8085
EXPOSE 8009
VOLUME "/opt/tomcat/webapps"
WORKDIR /opt/tomcat

# Launch IIQ
CMD ["/entrypoint.sh", "run"]
#CMD ["/opt/tomcat/bin/catalina.sh", "run"]

FROM debian:latest

MAINTAINER Steffen Sperling <steffen.sperling@ventum.com>

ENV TOMCAT_VERSION 9.0.46

ENV IIQ_VERSION 8.1

# Fix sh

RUN rm /bin/sh && ln -s /bin/bash /bin/sh

# Install dependencies

RUN apt-get update && \

apt-get install -y apt-utils wget vim unzip tar default-mysql-client openjdk-11-jdk

# Define commonly used JAVA_HOME variable

ENV JAVA_HOME /usr/lib/jvm/java-11-openjdk-amd64

RUN java -version

# Get Tomcat

RUN wget --quiet --no-cookies http://www-eu.apache.org/dist/tomcat/tomcat-9/v${TOMCAT_VERSION}/bin/apache-tomcat-${TOMCAT_VERSION}.tar.gz -O /tmp/tomcat.tgz && \

tar xzvf /tmp/tomcat.tgz -C /opt && \

mv /opt/apache-tomcat-${TOMCAT_VERSION} /opt/tomcat && \

rm /tmp/tomcat.tgz && \

rm -rf /opt/tomcat/webapps/examples && \

rm -rf /opt/tomcat/webapps/docs && \

rm -rf /opt/tomcat/webapps/ROOT

# Add admin/admin user

ADD tomcat-users.xml /opt/tomcat/conf/

run mkdir -p /opt/tomcat/conf/Catalina/localhost

ADD manager.xml /opt/tomcat/conf/Catalina/localhost

# add IIQ

COPY src/identityiq-${IIQ_VERSION}.zip /tmp

RUN unzip /tmp/identityiq-${IIQ_VERSION}.zip identityiq.war && \

mkdir /opt/tomcat/webapps/identityiq && \

unzip identityiq.war -d /opt/tomcat/webapps/identityiq && \

chmod +x /opt/tomcat/webapps/identityiq/WEB-INF/bin/iiq && \

rm identityiq.war

RUN mkdir /opt/tomcat/webapps/ROOT

COPY index.html /opt/tomcat/webapps/ROOT

COPY entrypoint.sh /entrypoint.sh

RUN chmod +x /entrypoint.sh

ENV CATALINA_HOME /opt/tomcat

ENV PATH $PATH:$CATALINA_HOME/bin

EXPOSE 8085

EXPOSE 8009

VOLUME "/opt/tomcat/webapps"

WORKDIR /opt/tomcat

# Launch IIQ

CMD ["/entrypoint.sh", "run"]

#CMD ["/opt/tomcat/bin/catalina.sh", "run"]

create_mysql_db.sh was also modified to use 8.1 version of identityiq tables create script

#!/bin/bash
# create database schema
mysql -uroot -p$(MYSQL_ROOT_PASSWORD) < /opt/tomcat/webapps/identityiq/WEB-INF/database/create_identityiq_tables-8.1.mysql
echo "=> Done creating database!"
# set database host in properties
sed -ri -e "s/mysql:\/\/localhost/mysql:\/\/db/" /opt/tomcat/webapps/identityiq/WEB-INF/classes/iiq.properties
sed -ri -e "s/dataSource.username\=.*/dataSource.username=$(MYSQL_USER)/" /opt/tomcat/webapps/identityiq/WEB-INF/classes/iiq.properties
sed -ri -e "s/dataSource.password\=.*/dataSource.password=$(MYSQL_PASSWORD)/" /opt/tomcat/webapps/identityiq/WEB-INF/classes/iiq.properties

echo "=> Done configuring iiq.properties!"

#!/bin/bash

# create database schema

mysql -uroot -p$(MYSQL_ROOT_PASSWORD) < /opt/tomcat/webapps/identityiq/WEB-INF/database/create_identityiq_tables-8.1.mysql

echo "=> Done creating database!"

# set database host in properties

sed -ri -e "s/mysql:\/\/localhost/mysql:\/\/db/" /opt/tomcat/webapps/identityiq/WEB-INF/classes/iiq.properties

sed -ri -e "s/dataSource.username\=.*/dataSource.username=$(MYSQL_USER)/" /opt/tomcat/webapps/identityiq/WEB-INF/classes/iiq.properties

sed -ri -e "s/dataSource.password\=.*/dataSource.password=$(MYSQL_PASSWORD)/" /opt/tomcat/webapps/identityiq/WEB-INF/classes/iiq.properties

echo "=> Done configuring iiq.properties!"

Finally I had to update few lines in ./identityiq/WEB-INF/database/create_identityiq_tables-8.1.mysql which comes in IIQ package for me to work

CREATE USER IF NOT EXISTS 'identityiq'@'%' IDENTIFIED WITH mysql_native_password BY 'identityiq';

WITH

CREATE USER IF NOT EXISTS 'identityiq'@'%' IDENTIFIED BY 'identityiq';

-----

CREATE USER IF NOT EXISTS 'identityiq'@'localhost' IDENTIFIED WITH mysql_native_password BY 'identityiq';

WITH

CREATE USER IF NOT EXISTS 'identityiq'@'localhost' IDENTIFIED BY 'identityiq';

-----

CREATE USER IF NOT EXISTS 'identityiqPlugin'@'%' IDENTIFIED WITH mysql_native_password BY 'identityiqPlugin';

WITH

CREATE USER IF NOT EXISTS 'identityiqPlugin'@'%' IDENTIFIED BY 'identityiqPlugin';

----

CREATE USER IF NOT EXISTS 'identityiqPlugin'@'localhost' IDENTIFIED WITH mysql_native_password BY 'identityiqPlugin';

WITH

CREATE USER IF NOT EXISTS 'identityiqPlugin'@'localhost' IDENTIFIED BY 'identityiqPlugin';

CREATE USER IF NOT EXISTS 'identityiq'@'%' IDENTIFIED WITH mysql_native_password BY 'identityiq';

WITH

CREATE USER IF NOT EXISTS 'identityiq'@'%' IDENTIFIED BY 'identityiq';

-----

CREATE USER IF NOT EXISTS 'identityiq'@'localhost' IDENTIFIED WITH mysql_native_password BY 'identityiq';

WITH

CREATE USER IF NOT EXISTS 'identityiq'@'localhost' IDENTIFIED BY 'identityiq';

-----

CREATE USER IF NOT EXISTS 'identityiqPlugin'@'%' IDENTIFIED WITH mysql_native_password BY 'identityiqPlugin';

WITH

CREATE USER IF NOT EXISTS 'identityiqPlugin'@'%' IDENTIFIED BY 'identityiqPlugin';

----

CREATE USER IF NOT EXISTS 'identityiqPlugin'@'localhost' IDENTIFIED WITH mysql_native_password BY 'identityiqPlugin';

WITH

CREATE USER IF NOT EXISTS 'identityiqPlugin'@'localhost' IDENTIFIED BY 'identityiqPlugin';

That’s it.. Then build the docker

docker-compose build
docker-compose up -d

1 2	docker-compose build docker-compose up -d

Notes

Need to change TOMCAT_VERSION to the one available on http://www-eu.apache.org/dist/tomcat/tomcat-9/ at the time of build
For some reason in my latest build webapps folder was empty. Had to do manual steps from Dockerfile after login to the sail point_iiq-8085 container. Had to run the webapps folder part (IIQ war file and index file deployment) and then restart container. Will try to figure out later what broke it.

After a few runs I got it up and running on latest version (IIQ 8.1 at the time of writing) and with persistent storage.

By Piyush Khandelwal, 3 years10/21/2020 ago

This has been long time coming and an ask from many clients. We wanted to have a UI interface to be able to create non employees like contractors etc directly inside IDN (as a source). These type of records might not generally come from an HR source and are maintained directly in AD or other such places. Thus, we have got a new type of source called NELM (Non Employee Lifecycle Management) which has a UI interface where you can enter them.

Currently its a two step release focusing on API based release happening over the weekend in the production orgs (already in your sandbox). Read more about it in this article.

You can

Have multiple sources – how about designing each via type like service account, contractors or say via departments?
Approver for each creation – as above you can assign approvers per type or department and segregate.
Custom schema as per your liking
Manage these users as normal LCS and business rules like any other source.

Note: There is currently a launch limit of 20 NELM sources per org and 1000 identities per source. Also up-to 10 custom schema attributes. So take that into consideration of your design. I would see this lifted or eased in future as this is used more by customers.

Here is a screenshot of how it looks while creating a user for the source.

A lot is currently via API but in a few months we will have more coming in UI.

You should start testing and possibly convert your csv sources and manual uploads of such users to a nice UI interface with better auditing and management.

Let me know if any questions.

Edit: Documentation is live!!!

By Piyush Khandelwal, 4 years06/27/2020 ago

SailPoint

How to run SailPoint IdentityIQ on Synology NAS

Update: There is a newer slimmer guide for install. Try it out

I have a small home lab setup on which I do various stuff. I am running it on one of most beloved gadget – Synology NAS. It does so much for me like backup, stream, sync, upload, dockers, VM and more.. It just keeps giving!!! Worth having in every home!!!

A small glimpse of my current setup (I do much more than this on the NAS)

Homelab Setup

Hardware

NAS: Synology DS918+
RAM: 16GB
Disks: 4 x 12GB WD Elements (shucked). Setup in 3 x SHR + 1 standalone for secondary backup
SSD Cache: 2 x Samsung 970 EVO 250GB M.2

Docker Setup

Various containers running like

Pi-Hole – Excellent DNS for whole home to block ads
Home Assistant – Home Automation
Unifi SDN – For my home network hardware
SpeedTest – To keep a constant and historical graph of my internet and catch ISPs in a lie if they say “nothing changed – speed is good” – I slap the graph on the face (and have got money back from ISPs for compensation as well)
And many more like Grafana, Chronograf, Watchtower etc etc etc…

IdentityNow Setup

Running on the Virtual Machine Manager on the NAS

1 x Windows Server running AD, IQService etc. To Install certificate for TLS, see my article.
1 x Linux Server running OpenLDAP and other possible connectors
1 x Standard VA deployment for my always on IDN

Goal

Now I wanted to tinker a bit with IdentityIQ due to various reasons and didn’t want to do the classic install (and why not – wanted a challenge). So I started to google and ask around and found that some people have actually dockerised the product – sweet. But couldn’t find a single guide on how to do it on my existing Synology hardware. So this became a weekend mission (in between actual work and COVID-19 lockdown).

DISCLAMER

You need to have a license with SailPoint to run your own IIQ Instance
The guide doesn’t contain ANY proprietary code
Not responsible for breaking your NAS or setup
This is not a supported setup by SailPoint or anyone else (including me). This is just for the enthusiasts.

Prerequisites

As said earlier, you need to have license from SailPoint and access to the download page. At the time of writing this guide, v8.1 is the latest version. Go to the download page and download identityiq-8.1.zip

Unzip it and grab the identityiq.war file for later use. Upload both the zip and war file to your NAS in a folder of your liking.

Build

I found many different ways to build the docker but I decided to go with the one done by IdentityWorks. They have their own git repo containing everything you need to do the works.

They have various options there to build but I used the full stack method. Although I already had many of the requirements running as individual dockers due to other projects (traefik, ldap, mysql etc) but I thought to keep it simple and just do the whole build separately. Just in case I break anything.

NAS Customisation

Now If you run the guide as is then it will build it for you straight up from scratch in a new docker environment. But because I am running it on my NAS with existing dockers I came across various issues

Some build script commands don’t exist on Synology NAS
Some ports are already in use due to NAS UI / other dockers.

Build Script

In the build.sh script I found couple things which didn’t exist on my NAS

git command
unzip command
ant command
java package

To fix do the following

unzip command replacement

Replace the unzip with 7z command in the build.sh script

unzip -qo $IIQ_ZIP

# Replace with 

7z x $IIQ_ZIP

unzip -qo $IIQ_ZIP

# Replace with

7z x $IIQ_ZIP

ant command

Install the package by adding a new repo in the package center. Follow the guide at https://github.com/rednoah/ant-installer

git command
java package

Install the packages which are available from Synology repo in package center

You should be now able to check if the above commands exist in the terminal

ash-4.3# which git
/bin/git
ash-4.3# which java
/var/packages/Java8/target/j2sdk-image/bin/java
ash-4.3# which ant
/usr/local/bin/ant
ash-4.3# which 7z
/bin/7z

ash-4.3# which git

/bin/git

ash-4.3# which java

/var/packages/Java8/target/j2sdk-image/bin/java

ash-4.3# which ant

/usr/local/bin/ant

ash-4.3# which 7z

/bin/7z

Docker Compose File

Since I am doing this setup on my existing docker, many of the ports were already in use. So I edited the file to change some default ports

phpldapadmin: 
  image: osixia/phpldapadmin 
  ports: - 8443:443 

# Changed Port 8443 to 7443 

phpldapadmin: 
  image: osixia/phpldapadmin 
  ports: - 7443:443 
    
    
    
loadbalancer: 
  image: traefik:1.7 
  command: --api --docker --web --logLevel=DEBUG 
  ports: - "${LISTEN_PORT:-8080}:80" # The HTTP port 
  
# Changed port from 8080 to 8085 

loadbalancer: 
  image: traefik:1.7 
  command: --api --docker --web --logLevel=DEBUG 
  ports: - "${LISTEN_PORT:-8085}:80" # The HTTP port 
  
# Changed the version from 7.2 for 8.1 where ever I found it in the file 

  - IIQ_VERSION=8.1

phpldapadmin:

image: osixia/phpldapadmin

ports: - 8443:443

# Changed Port 8443 to 7443

phpldapadmin:

image: osixia/phpldapadmin

ports: - 7443:443

loadbalancer:

image: traefik:1.7

command: --api --docker --web --logLevel=DEBUG

ports: - "${LISTEN_PORT:-8080}:80" # The HTTP port

# Changed port from 8080 to 8085

loadbalancer:

image: traefik:1.7

command: --api --docker --web --logLevel=DEBUG

ports: - "${LISTEN_PORT:-8085}:80" # The HTTP port

# Changed the version from 7.2 for 8.1 where ever I found it in the file

- IIQ_VERSION=8.1

Build It!!!

That’s it guys.. Hard work done. Do the deployment in the following steps

Download Identity IIQ binaries
Install additional packages on the NAS
Login to the NAS and get root access
Download the repo

git clone
Shell

git clone https://git.identityworksllc.com/pub/sailpoint-docker.git cd sailpoint-docker

1
2
3

git clone https://git.identityworksllc.com/pub/sailpoint-docker.git

cd sailpoint-docker
Upload the identityiq-8.1.zip and identityiq.war downloaded previously to the sailpoint-docker folder
Edit the build.sh and docker-compose.yaml file as mentioned above.
Run the rest of the commands

./build.sh -z /volume1/docker/sailpoint-docker/identityiq-8.1.zip -p /volume1/docker/sailpoint-docker/identityiq.war

docker-compose up -d

./build.sh -z /volume1/docker/sailpoint-docker/identityiq-8.1.zip -p /volume1/docker/sailpoint-docker/identityiq.war

docker-compose up -d

And you see the nice logs

WARNING: The IIQ_PATCH variable is not set. Defaulting to a blank string.
WARNING: Some services (iiq-init) use the 'deploy' key, which will be ignored. Compose does not support 'deploy' configuration - use `docker stack deploy` to deploy to a swarm.
Starting sailpoint-docker_counter_1 ... done
Starting sailpoint-docker_loadbalancer_1 ... done
Starting sailpoint-docker_db_mysql_1 ... done
Starting sailpoint-docker_done_1 ... done
Starting sailpoint-docker_db_1 ... done
Starting sailpoint-docker_mail_1 ... done
Starting sailpoint-docker_phpldapadmin_1 ... done
Starting sailpoint-docker_ssh_1 ... done
Starting sailpoint-docker_ldap_1 ... done
Starting sailpoint-docker_iiq-init_1 ... done
Starting sailpoint-docker_iiq_1 ... done

WARNING: The IIQ_PATCH variable is not set. Defaulting to a blank string.

WARNING: Some services (iiq-init) use the 'deploy' key, which will be ignored. Compose does not support 'deploy' configuration - use `docker stack deploy` to deploy to a swarm.

Starting sailpoint-docker_counter_1 ... done

Starting sailpoint-docker_loadbalancer_1 ... done

Starting sailpoint-docker_db_mysql_1 ... done

Starting sailpoint-docker_done_1 ... done

Starting sailpoint-docker_db_1 ... done

Starting sailpoint-docker_mail_1 ... done

Starting sailpoint-docker_phpldapadmin_1 ... done

Starting sailpoint-docker_ssh_1 ... done

Starting sailpoint-docker_ldap_1 ... done

Starting sailpoint-docker_iiq-init_1 ... done

Starting sailpoint-docker_iiq_1 ... done

Took around 30 min (apart from couple of hours of research) for the whole build to download various images and create containers and start them up. I kept an eye on the docker logs to see the status

(not the full list above – few more there)

And finally once everything was running and settled I tried going to the IIQ home page

http://xxx.xx.xxx.xxx:8085/identityiq/

I didn’t test the full extent of it. But I was able to create a source and test connection which was external to the docker and running on my VMM on the NAS itself.

Till the next time!!!

By Piyush Khandelwal, 4 years05/02/2020 ago

Guides

Nested Transforms for Dummies: Step-by-Step Guide #IDN101

One of the most basic things everyone needs to do in SailPoint IDN (IdentityNow) is to write transforms to create an Identity Profile for business requirements.

SailPoint has a an excellent guide on what a transforms is and detailed list of transforms available for IDN and is pretty comprehensive.

The simple ones are pretty easy to implement. But we always run into creating complex nested transforms to achieve our goals. It looked daunting to me at first but I started to get the hang of it. I would like to explain in very basic terms how to easily achieve this.

Let’s take a business case here to explain easily.

Requirement

Build an emailPrefix attribute with firstName and lastName from Workday source which will be eventually used to generate an email address.

Logic

Now if we break down the requirement into logic, we need to do the following

Get firstName from Workday source
Get lastName from Workday source
Concat the two with a period (.) in the middle
Remove all spaces from the final value.

Since this is an emailPrefix to be used to generate an email attribute, it can’t contain spaces. There can be other requirements like special characters etc but let’s keep it simple here (that is just a matter of proper regex).

Build

Now if you look at the transforms guide you will need the following transforms

To get the attributes from a source – accountAttribute

{
  "attributes": {
    "attributeName": "firstName",
    "sourceName": "Workday"
  },
  "type": "accountAttribute"
}

{
  "attributes": {
    "attributeName": "lastName",
    "sourceName": "Workday"
  },
  "type": "accountAttribute"
}

{

"attributes": {

"attributeName": "firstName",

"sourceName": "Workday"

"type": "accountAttribute"

}

{

"attributes": {

"attributeName": "lastName",

"sourceName": "Workday"

"type": "accountAttribute"

}

To concat the two attribute with a period – concat

{
   "type":"concat",
   "attributes":{
      "values":[
         "firstName code block",
         ".",
         "lastName code block"
      ]
   }
}

{

"type":"concat",

"attributes":{

"values":[

"firstName code block",

".",

"lastName code block"

]

}

And then finally we need to do a replace block to remove all spaces from the final result (note the \\s is the put \s as literal in JSON while passing it via REST API)

{
  "type": "replace",
  "attributes": {
      "regex": "\\s",
      "replacement": ""
  }
}

{

"type": "replace",

"attributes": {

"regex": "\\s",

"replacement": ""

}

Now we need to join the three block. First we will begin with replacing the “firstName code block” and “lastName code block” with the accountAttribute block we had done above.

{
   "type":"concat",
   "attributes":{
      "values":[
         {
            "attributes":{
               "attributeName":"firstName",
               "sourceName":"Workday"
            },
            "type":"accountAttribute"
         },
         ".",
         {
            "attributes":{
               "attributeName":"lastName",
               "sourceName":"Workday"
            },
            "type":"accountAttribute"
         }
      ]
   }
}

{

"type":"concat",

"attributes":{

"values":[

{

"attributes":{

"attributeName":"firstName",

"sourceName":"Workday"

"type":"accountAttribute"

".",

{

"attributes":{

"attributeName":"lastName",

"sourceName":"Workday"

"type":"accountAttribute"

}

]

}

This will give us the concatenated value of “firstName.lastName”. But now we want to remove all spaces from it as it will be used for email address generation.

If you look at the replace block above, we need to do two additional things to the code

Give it an “id” key as we want to name this final transform for mapping
Give it an “input” key as we want to explicitly define the inputs for this type (i.e. the concatenated string) and not use implicit value (i.e. from the IDN mapping). Do read about the difference in the transform guide.

So the new skeleton code for replace will become

{
    "id": "Calculate Email Prefix",
    "type": "replace",
    "attributes": {
        "input": {},
        "regex": "\\s",
        "replacement": ""
    }
}

{

"id": "Calculate Email Prefix",

"type": "replace",

"attributes": {

"input": {},

"regex": "\\s",

"replacement": ""

}

The final step is now pretty easy. Replace the entire input value with the built concat value above.

{
    "id":"Calculate Email Prefix",
    "type":"replace",
    "attributes":{
       "input":{
          "type":"concat",
          "attributes":{
             "values":[
                {
                   "attributes":{
                      "attributeName":"firstName",
                      "sourceName":"Workday"
                   },
                   "type":"accountAttribute"
                },
                ".",
                {
                   "attributes":{
                      "attributeName":"lastName",
                      "sourceName":"Workday"
                   },
                   "type":"accountAttribute"
                }
             ]
          }
       },
       "regex":"\\s",
       "replacement":""
    }
 }

{

"id":"Calculate Email Prefix",

"type":"replace",

"attributes":{

"input":{

"type":"concat",

"attributes":{

"values":[

{

"attributes":{

"attributeName":"firstName",

"sourceName":"Workday"

"type":"accountAttribute"

".",

{

"attributes":{

"attributeName":"lastName",

"sourceName":"Workday"

"type":"accountAttribute"

}

]

}

"regex":"\\s",

"replacement":""

}

And that is it!! You have built your first nested transform. It gives you the immense power to build a deep nested transform for complex logics to get glorious and simplified results in the end.

Learnings

I am not an expert in this and still learning this every day even after playing with it for more than a year but here are my learnings

Write down the logic you want to achieve
Break it down to individual code blocks
Write down the nested logic which will achieve you the result in best way possible (in above example = get the attributes -> concat it -> replace spaces). We could have also done this by say getting each attribute, remove spaces from them individually and then doing a concat of the final result – but this is inefficient and longer code. So understanding the logic and making it smart and short is best way forward.
Start working from inside block to outside and encapsulating them to achieve result
ALWAYS use a good code editor with syntax highlighter – My fav is VS Code with various plugins (makes it an awesome Swiss army knife for coders).

Hope this helped you!!!

Stay tuned for some more tips and #IDN101

By Piyush Khandelwal, 4 years04/25/2020 ago

IdentityNow

AD Home Lab LDAPS Setup for SailPoint IDN TLS Connection

Welcome 2020 (Or not)!!!

Really this year needs to end. Period. Hope everyone is keeping safe and indoors as much as possible.

Been a while I haven’t written something.

Anyways I had a local VM for Active Directory running for my home lab for SailPoint IDN. Now I wanted to setup TLS connection for it. So I thought easy

Create a csr request in AD
Generate a crt
Import the cert in AD
Test Connection via ldp or IDN.

I didn’t want to go through installing a AD CA role for this one process. So I thought I will use OpenSSL which was installed on my Mac. There are many excellent guides on how to enable LDAPS in AD by generating a self signed certificate. By far the easiest I found was this one.

But what I found was that the cert being generated didn’t contain the SAN. Found many such issues linked online with openssl command. This is how I fixed it.

Followed the guide till where v3ext.txt is being generated. But used my own as below

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
CN = dc1.abc.local

[v3_req]
keyUsage = keyEncipherment, dataEncipherment, digitalSignature
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier=hash
subjectAltName = @alt_names

[alt_names]
DNS.1 = abc.local
DNS.2 = dc1.abc.local
IP = 192.168.83.210

[req]

distinguished_name = req_distinguished_name

req_extensions = v3_req

prompt = no

[req_distinguished_name]

CN = dc1.abc.local

[v3_req]

keyUsage = keyEncipherment, dataEncipherment, digitalSignature

extendedKeyUsage = serverAuth, clientAuth

subjectKeyIdentifier=hash

subjectAltName = @alt_names

[alt_names]

DNS.1 = abc.local

DNS.2 = dc1.abc.local

IP = 192.168.83.210

The IP Address and additional DNS is just an example. My domain name in example is “abc.local” and DC name is “dc1.abc.local”. You can add additional DNS entries as per your requirements

And modified the command to execute this file

openssl x509 -req -days 3650 -in dc1.csr -CA ca.crt -CAkey ca.key -extfile v3ext.txt -extensions v3_req -set_serial 01 -out dc1.crt

1	openssl x509 -req -days 3650 -in dc1.csr -CA ca.crt -CAkey ca.key -extfile v3ext.txt -extensions v3_req -set_serial 01 -out dc1.crt

Rest is all the same in guide. You will get the certificate generated with SAN and imported into your DC. LDAPS will work and IDN and IQService will connect via TLS. And forget about it for 10 years 😛

Aah the green box of approval from IDN!!! Gods are happy & everything is good in world again!!!

Hope it helps someone setup their own AD lab at home for AD LDAPS TLS connection without a CA server. Of course this will not be a problem in an enterprise deployment.

References

By Piyush Khandelwal, 4 years04/04/2020 ago

Piyush Khandelwal

SailPoint

How to run SailPoint IIQ on Synology NAS v2 – Slim Edition

Build

Like this:

Uncategorized

Goodbye CSV… Welcome NELM!!!

Like this:

SailPoint

How to run SailPoint IdentityIQ on Synology NAS

Homelab Setup

Hardware

Docker Setup

IdentityNow Setup

Goal

DISCLAMER

Prerequisites

Build

NAS Customisation

Build Script

Docker Compose File

Build It!!!

Like this:

Guides

Nested Transforms for Dummies: Step-by-Step Guide #IDN101

Requirement

Logic

Build

Learnings

Like this:

IdentityNow

AD Home Lab LDAPS Setup for SailPoint IDN TLS Connection

Like this:

Piyush Khandelwal

Build

Share this:

Like this:

Share this:

Like this:

Homelab Setup

Hardware

Docker Setup

IdentityNow Setup

Goal

DISCLAMER

Prerequisites

Build

NAS Customisation

Build Script

Docker Compose File

Build It!!!

Share this:

Like this:

Requirement

Logic

Build

Learnings

Share this:

Like this:

Share this:

Like this: