Hey Folks
As you may be aware, I gave a presentation at SailPoint Developer Days 2023 on IDN Admin Console
The video link is up. I hurried it up a bit so missed some features and probably came out bad and rushed
All links the event
Let me know what you think…
Hi All
This has been a long time coming!!! This has been my personal goal to drive this and to get help to build something for the community. Thanks for the great internal support this vision is finally coming true for me!!!
I am not a coder and definitely have 0 knowledge on Angular. But just have been looking and improvising on some existing codes after building a framework with someone who had the know-how. Have had a great support team to help build with me. Weekends, nights.. all sweat and blood 🙂Â
NOTE:Â This application is not developed, maintained or supported by SailPoint. It is built and based on a community effort. We are hoping people will contribute and help it grow.
The goal of this project was to lessen the pain we saw in the field during deployment and go-live and by clients during daily op. I also wanted to drive the goal of a GUI model for easy and codeless interaction for end users for some basic tasks.
GitHub Repo: https://github.com/piyush-khandelwal-sp/idn-admin-console
SailPoint Developer Community Post: https://developer.sailpoint.com/discuss/t/tool-idn-admin-console/4688
In an ideal world, wish we had dedicated time and knowledge on how to keep building on this but…
We are looking for (list is not exhaustive)
Current Feature list is
It is an Angular app and using Electron to build for various environments. There is some technical how-to in the readme file. Currently hosted on GitHub repo and open source with MIT license.
I really hope this tool helps you in some way and feel free to enhance it and spread the word!!!
Till the next time…
Happy New Year Folks!!!
Hopefully this year is better than previous and as always.. stay safe!!!
Anyone who would have worked with IDN would have used or encountered rules. They are wildly used and inevitable component of any deployment to achieve your requirements. So you must be well aware that no client, partner and in fact most of internal SailPoint PS/ES also don’t have access to deploy their rules to their tenants. These rules are reviewed by a specialist team within ES and they upload it to the tenant. There are some very good reasons for doing so due to the SaaS nature of our product and IDN architecture.
There is a lot of work being done to reduce dependency on rules and also a lot in pipeline to make this process simpler. This also does increase our own workload on tickets, review and deployment and we want to reduce it too as IDN has exploded into the world in past few years and new tenants onboarding everyday.
Current Process of Rule upload
To make this process faster and seamless do follow some best practices
Once the rule has been uploaded to your tenant, there might be a need of additional steps to attach the rule to your source (depending on the type of rule). Once the rule is uploaded you will need the RuleID for some of the rules (mentioned below) to attach it to your source. Please ask the ES person for it if not already given. It will be a long random GUID. We use Postman to execute the API calls but feel free to use your choice of client.
There is a great guide written internally by Neil McGlennon but I am expanding on it.
Few common things found below
Beware! Removals can be destructive if the path isn’t configured properly. This could negatively alter your source config!
This rule doesn’t need to be attached via API as it can be seen via UI under Attribute Mappings
Â
This rule doesn’t need to be attached via API as it can be seen via UI under Create Profile for any source which has one.
Â
This rule doesn’t need to be attached via API as it can be seen via UI under Create Profile for any source which has one. (as above)
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
PATCH /beta/sources/{id} Content-Type: application/json-patch+json [ { "op":"add", "path":"/accountCorrelationRule", "value":{ "type":"RULE", "id":"{ruleID}", "name":"{Rule Name}" } } ] |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
PATCH /beta/sources/{id} Content-Type: application/json-patch+json [ { "op":"add", "path":"/managerCorrelationRule", "value":{ "type":"RULE", "id":"{ruleID}", "name":"{Rule Name}" } } ] |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
PATCH /beta/sources/{id} Content-Type: application/json-patch+json [ { "op":"add", "path":"/beforeProvisioningRule", "value":{ "type":"RULE", "id":"{ruleID}", "name":"{Rule Name}" } } ] |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
PATCH /beta/sources/{id} Content-Type: application/json-patch+json Note: Because the value is a list, all available AfterCreate, AfterModify, BeforeCreate, and BeforeModify rules will need to set in the same list. [ { "op":"add", "path":"/connectorAttributes/nativeRules", "value":[ "{Rule Name 1}", "{Rule Name 2}" ] } ] |
|
1 2 3 4 5 6 7 8 9 10 |
PATCH /beta/sources/{id} Content-Type: application/json-patch+json [ { "op":"add", "path":"/connectorAttributes/buildMapRule", "value":"{Rule Name}" } ] |
|
1 2 3 4 5 6 7 8 9 10 |
PATCH /beta/sources/{id} Content-Type: application/json-patch+json [ { "op":"add", "path":"/connectorAttributes/jdbcProvisionRule", "value":"{Rule Name}" } ] |
|
1 2 3 4 5 6 7 8 9 10 11 12 |
PATCH /beta/sources/{id} Content-Type: application/json-patch+json Note: Replace * with the index of operation. For example 0, 1, 2, etc. [ { "op":"add", "path":"/connectorAttributes/connectionParameters/*/beforeRule", "value": "{Rule Name}" } ] |
|
1 2 3 4 5 6 7 8 9 10 11 12 |
PATCH /beta/sources/{id} Content-Type: application/json-patch+json Note: Replace * with the index of operation. For example 0, 1, 2, etc. [ { "op":"add", "path":"/connectorAttributes/connectionParameters/*/afterRule", "value": "{Rule Name}" } ] |
Â
Once any of the rule is attached, it’s ready for use immediately by the source or profile.
Hopefully this covers all rule types and if you have any issues with attaching a rule in your tenant, please feel free to reach out to me or to Support / ES team.
Hey Folks!!!
Since the last time we chatted about transforms and had said we are in process of adding new types in future. Well.. here we are with few news ones fresh out of the oven!!!
They will greatly help you achieve your goals without the need of rules. Please do revisit them while doing your design or upliftment. The goal is to minimise dependency on rules and by using transforms it gives you more control over the testing and deployment process.
For some new noteworthy ones
The date math transform allows you to add, subtract and round components of a timestamp to or from an incoming value. It also allows you to work with a referential value of “now” to run operations against the current date and time instead of a fixed value.
Imagine using this for LCS calculation if simple or just to get some dates for different systems say 10 days in future or so.
The username generator transform allows you to specify logic to use when attempting to derive a unique value for an attribute in an account create profile, . Oftentimes this can be as simple as combining parts of a user’s name and/or HR data (e.g., firstName.lastName), but sometimes generator logic such as a uniqueness counter might be needed to find a unique value in the target system (e.g., firstName.lastName1 if firstName.lastName is already taken).
How about ditching an AttributeGenerator rule and using this?Â
The UUID generator is a simple transform allows you to create a universal unique id (UUID) in the form of a 36-character string. The underlying code is written in such a way as to provide a 1 in 68,719,476,736 chance of creating a string that actually collides with another string within the tenant.
Generate UUID on the fly
The name normalizer transform allows you to clean or standardize the spelling of strings coming in from source systems. Most commonly, this pertains to names and other proper nouns, but the transform is not necessarily limited to those data elements.
Get rid of the WiERd CasINg
So after my previous post I got a lot of queries about it. Thanks for reading it 🙂Â
Wanted a slimmer edition which didn’t require all the additional dockers like LDAP etc
So v2 – slim edition
Note: All disclaimers still valid from previous post
This time I am using this git repo: https://github.com/steffensperling/sailpoint-iiq
Only changes to docker-compose.yaml was the path to my own locations. Also ports as current 8080 were used for other containers. Passwords and ports obviously changed 🙂Â
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
version: '2' services: db: image: mariadb:latest container_name: sailpoint-iiq-mariadb-3306 ports: - "3306:3306" volumes: - '/volume1/docker/sailpoint-iiq/data/db:/var/lib/mysql' environment: - MYSQL_USER=identityiq - MYSQL_PASSWORD=identityiq - MYSQL_DATABASE=identityiq - MYSQL_ROOT_PASSWORD=password iiq: build: ./iiq-build image: sailpoint-iiq container_name: sailpoint-iiq-8085 ports: - "8085:8080" - "9009:8009" environment: - MYSQL_USER=identityiq - MYSQL_PASSWORD=identityiq - MYSQL_DATABASE=identityiq - MYSQL_ROOT_PASSWORD=password depends_on: - db volumes: - '/volume1/docker/sailpoint-iiq/data/webapps:/opt/tomcat/webapps' |
Main changes were to Dockerfile under iiq-build folder. The one on the github is not using latest debian and also had issues installing Oracle JDK
Here is the modified version
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 |
FROM debian:latest MAINTAINER Steffen Sperling <steffen.sperling@ventum.com> ENV TOMCAT_VERSION 9.0.46 ENV IIQ_VERSION 8.1 # Fix sh RUN rm /bin/sh && ln -s /bin/bash /bin/sh # Install dependencies RUN apt-get update && \ apt-get install -y apt-utils wget vim unzip tar default-mysql-client openjdk-11-jdk # Define commonly used JAVA_HOME variable ENV JAVA_HOME /usr/lib/jvm/java-11-openjdk-amd64 RUN java -version # Get Tomcat RUN wget --quiet --no-cookies http://www-eu.apache.org/dist/tomcat/tomcat-9/v${TOMCAT_VERSION}/bin/apache-tomcat-${TOMCAT_VERSION}.tar.gz -O /tmp/tomcat.tgz && \ tar xzvf /tmp/tomcat.tgz -C /opt && \ mv /opt/apache-tomcat-${TOMCAT_VERSION} /opt/tomcat && \ rm /tmp/tomcat.tgz && \ rm -rf /opt/tomcat/webapps/examples && \ rm -rf /opt/tomcat/webapps/docs && \ rm -rf /opt/tomcat/webapps/ROOT # Add admin/admin user ADD tomcat-users.xml /opt/tomcat/conf/ run mkdir -p /opt/tomcat/conf/Catalina/localhost ADD manager.xml /opt/tomcat/conf/Catalina/localhost # add IIQ COPY src/identityiq-${IIQ_VERSION}.zip /tmp RUN unzip /tmp/identityiq-${IIQ_VERSION}.zip identityiq.war && \ mkdir /opt/tomcat/webapps/identityiq && \ unzip identityiq.war -d /opt/tomcat/webapps/identityiq && \ chmod +x /opt/tomcat/webapps/identityiq/WEB-INF/bin/iiq && \ rm identityiq.war RUN mkdir /opt/tomcat/webapps/ROOT COPY index.html /opt/tomcat/webapps/ROOT COPY entrypoint.sh /entrypoint.sh RUN chmod +x /entrypoint.sh ENV CATALINA_HOME /opt/tomcat ENV PATH $PATH:$CATALINA_HOME/bin EXPOSE 8085 EXPOSE 8009 VOLUME "/opt/tomcat/webapps" WORKDIR /opt/tomcat # Launch IIQ CMD ["/entrypoint.sh", "run"] #CMD ["/opt/tomcat/bin/catalina.sh", "run"] |
create_mysql_db.sh was also modified to use 8.1 version of identityiq tables create script
|
1 2 3 4 5 6 7 8 9 10 |
#!/bin/bash # create database schema mysql -uroot -p$(MYSQL_ROOT_PASSWORD) < /opt/tomcat/webapps/identityiq/WEB-INF/database/create_identityiq_tables-8.1.mysql echo "=> Done creating database!" # set database host in properties sed -ri -e "s/mysql:\/\/localhost/mysql:\/\/db/" /opt/tomcat/webapps/identityiq/WEB-INF/classes/iiq.properties sed -ri -e "s/dataSource.username\=.*/dataSource.username=$(MYSQL_USER)/" /opt/tomcat/webapps/identityiq/WEB-INF/classes/iiq.properties sed -ri -e "s/dataSource.password\=.*/dataSource.password=$(MYSQL_PASSWORD)/" /opt/tomcat/webapps/identityiq/WEB-INF/classes/iiq.properties echo "=> Done configuring iiq.properties!" |
Finally I had to update few lines in ./identityiq/WEB-INF/database/create_identityiq_tables-8.1.mysql which comes in IIQ package for me to work
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
CREATE USER IF NOT EXISTS 'identityiq'@'%' IDENTIFIED WITH mysql_native_password BY 'identityiq'; WITH CREATE USER IF NOT EXISTS 'identityiq'@'%' IDENTIFIED BY 'identityiq'; ----- CREATE USER IF NOT EXISTS 'identityiq'@'localhost' IDENTIFIED WITH mysql_native_password BY 'identityiq'; WITH CREATE USER IF NOT EXISTS 'identityiq'@'localhost' IDENTIFIED BY 'identityiq'; ----- CREATE USER IF NOT EXISTS 'identityiqPlugin'@'%' IDENTIFIED WITH mysql_native_password BY 'identityiqPlugin'; WITH CREATE USER IF NOT EXISTS 'identityiqPlugin'@'%' IDENTIFIED BY 'identityiqPlugin'; ---- CREATE USER IF NOT EXISTS 'identityiqPlugin'@'localhost' IDENTIFIED WITH mysql_native_password BY 'identityiqPlugin'; WITH CREATE USER IF NOT EXISTS 'identityiqPlugin'@'localhost' IDENTIFIED BY 'identityiqPlugin'; |
That’s it.. Then build the docker
|
1 2 |
docker-compose build docker-compose up -d |
Notes
After a few runs I got it up and running on latest version (IIQ 8.1 at the time of writing) and with persistent storage.
Â
Â