PSA: New Transform Types Available for IdentityNow

Hey Folks!!!

Last time we chatted about transforms, I mentioned that SailPoint was in the process of adding new types. Well.. here we are with a few new ones fresh out of the oven!!!

They will greatly help you achieve your goals without the need for rules. Please do revisit them when doing your design or uplift work. The goal is to minimise dependency on rules: transforms are declarative JSON configuration that you can create, test and deploy yourself through the API, whereas rules are BeanShell code, so fewer rules means less custom code to review and maintain and more control over your testing and deployment process.

Some noteworthy new ones:

The date math transform allows you to add, subtract and round components of a timestamp to or from an incoming value. It also allows you to work with a referential value of “now” to run operations against the current date and time instead of a fixed value.

Imagine using this for a simple lifecycle state (LCS) calculation, or just to derive dates for different systems, say a date 10 days in the future.

The username generator transform allows you to specify the logic to use when attempting to derive a unique value for an attribute in an account create profile. Oftentimes this can be as simple as combining parts of a user’s name and/or HR data (e.g., firstName.lastName), but sometimes generator logic such as a uniqueness counter is needed to find a value that is free in the target system (e.g., firstName.lastName1 if firstName.lastName is already taken).

How about ditching an AttributeGenerator rule and using this instead?

The UUID generator is a simple transform that allows you to create a universally unique identifier (UUID) in the form of a 36-character string. The underlying code is written in such a way as to provide a 1 in 68,719,476,736 chance of creating a string that actually collides with another string within the tenant.

Generate a UUID on the fly.

The name normalizer transform allows you to clean or standardize the spelling of strings coming in from source systems. Most commonly, this pertains to names and other proper nouns, but the transform is not necessarily limited to those data elements.

Get rid of the WiERd CasINg

The get reference identity attribute transform is an out-of-the-box rule transform provided via SailPoint’s Cloud Services Deployment Utility rule. It allows you to easily get the identity attribute of another user from within a given identity’s calculation. As a convenience feature, the transform allows you to use “manager” as a referential lookup to the target identity.

Want the manager’s employee number, email, phone and other details listed on the profile?? So easy now!!!

And so many more have been added.. Do review the full list here and see where you can benefit from removing rules and going down the transform path.

Nested Transforms for Dummies: Step-by-Step Guide #IDN101

One of the most basic things everyone needs to do in SailPoint IDN (IdentityNow) is to write transforms that populate Identity Profile attributes according to business requirements.

SailPoint has an excellent guide on what a transform is, along with a detailed list of the transforms available for IDN, and it is pretty comprehensive.

The simple ones are pretty easy to implement, but we always end up creating complex nested transforms to achieve our goals. It looked daunting to me at first, but I started to get the hang of it. I would like to explain in very basic terms how to achieve this easily.

Let’s take a business case here to explain easily.

Requirement

Build an emailPrefix attribute from the firstName and lastName of the Workday source, which will eventually be used to generate an email address.

Logic

If we break the requirement down into logic, we need to do the following:

  • Get firstName from Workday source
  • Get lastName from Workday source
  • Concat the two with a period (.) in the middle
  • Remove all spaces from the final value.

Since this is an emailPrefix that will be used to generate an email attribute, it can’t contain spaces. There can be other requirements, like stripping special characters, but let’s keep it simple here (that is just a matter of the right regex).

Build

If you look at the transforms guide, you will need the following transforms:

To get the attributes from a source: accountAttribute

To concatenate the two attributes with a period: concat

And finally a replace block to remove all spaces from the result (note that \\s is how the regex \s is written as a JSON string literal: the backslash itself has to be escaped when the transform is passed via the REST API, otherwise the API rejects the JSON or the regex ends up as a plain “s”).

Now we need to join the three blocks. First we replace the “firstName code block” and “lastName code block” with the accountAttribute blocks built above.

This gives us the concatenated value “firstName.lastName”. But now we want to remove all spaces from it, as it will be used for email address generation.

If you look at the replace block above, we need to do two additional things to the code:

  1. Give it an “id” key, as we want to name this final transform for mapping.
  2. Give it an “input” key, as we want to explicitly define the input for this type (i.e. the concatenated string) rather than use the implicit value (i.e. the attribute coming from the IDN mapping). Do read about the difference in the transform guide.

So the new skeleton code for replace becomes:

The final step is now pretty easy: replace the entire input value with the concat block built above.
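Here is the finished nested transform as an added example (a reconstruction of the build above, not a screenshot or file from the original post), wrapped in a small shell script so you can see exactly how the regex escaping survives the trip through the REST API. The source name “Workday” and the attribute names come from the requirement; the IDN_TENANT and IDN_TOKEN variables, the tenant hostname pattern and the v3 transforms endpoint in the upload helper are assumptions. The transform format described above names the transform with an “id” key; the current v3 API expects “name” instead, which the upload helper swaps in before sending.

```shell
#!/bin/sh
# Added example, not code from the original post: the finished nested
# transform for the emailPrefix requirement, plus a helper to push it through
# the transforms REST API. Source and attribute names are the post's; the
# tenant hostname and token are assumed environment variables.
set -e

# The three blocks nested inside out: accountAttribute -> concat -> replace.
# The replace block is the outermost one, so it carries the id and takes the
# concat block as its explicit "input". The heredoc delimiter is quoted, so
# nothing is expanded and "\\s" reaches the API as the JSON string \\s,
# which the regex engine reads as \s (any whitespace, not just a space).
emit_email_prefix_transform() {
  cat <<'EOF'
{
  "id": "Build emailPrefix",
  "type": "replace",
  "attributes": {
    "regex": "\\s",
    "replacement": "",
    "input": {
      "type": "concat",
      "attributes": {
        "values": [
          {
            "type": "accountAttribute",
            "attributes": { "sourceName": "Workday", "attributeName": "firstName" }
          },
          ".",
          {
            "type": "accountAttribute",
            "attributes": { "sourceName": "Workday", "attributeName": "lastName" }
          }
        ]
      }
    }
  }
}
EOF
}

# Upload helper. Assumed: $IDN_TENANT is the tenant name and $IDN_TOKEN a
# bearer token allowed to create transforms. The v3 API names a transform
# with "name", where the older format above used "id", so swap the key.
# Not invoked below, so the script itself runs offline.
post_transform() {
  emit_email_prefix_transform | sed 's/"id":/"name":/' \
    | curl -sS -X POST "https://${IDN_TENANT}.api.identitynow.com/v3/transforms" \
        -H "Authorization: Bearer ${IDN_TOKEN}" \
        -H "Content-Type: application/json" \
        --data-binary @-
}

emit_email_prefix_transform
```

Run it and paste the output into your editor or a JSON validator before uploading; the point to check is that the regex value still shows two backslashes, because a single `\s` in the JSON text is an invalid escape and the request will fail.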

And that is it!! You have built your first nested transform. It gives you the power to build deeply nested transforms for complex logic and get clean, simplified results in the end.

Learnings

I am not an expert in this and am still learning every day, even after playing with it for more than a year, but here are my learnings:

  • Write down the logic you want to achieve
  • Break it down to individual code blocks
  • Write down the nested logic that achieves the result in the best way possible (in the above example: get the attributes -> concat them -> replace spaces). We could also have done this by getting each attribute, removing spaces from each individually and then concatenating the results, but that is inefficient and longer code. Understanding the logic and keeping it smart and short is the best way forward.
  • Start from the innermost block and work outwards, encapsulating each block in the next to achieve the result.
  • ALWAYS use a good code editor with syntax highlighting. My favourite is VS Code with various plugins (it makes an awesome Swiss army knife for coders).

Hope this helped you!!!

Stay tuned for some more tips and #IDN101

AD Home Lab LDAPS Setup for SailPoint IDN TLS Connection

Welcome 2020 (Or not)!!! 

Really this year needs to end. Period. Hope everyone is keeping safe and indoors as much as possible.

It’s been a while since I wrote something.

Anyway, I had a local Active Directory VM running in my home lab for SailPoint IDN, and I wanted to set up a TLS connection to it. So I thought it would be easy:

  1. Create a CSR on the DC
  2. Sign it to produce a certificate (.crt)
  3. Import the certificate on the DC
  4. Test the connection via ldp.exe or IDN

I didn’t want to go through installing an AD CA role for this one process, so I thought I would use OpenSSL, which was installed on my Mac. There are many excellent guides on how to enable LDAPS in AD by generating a self-signed certificate. By far the easiest I found was this one.

But what I found was that the cert being generated didn’t contain the SAN. I found many such issues linked online with the openssl command. This is how I fixed it.

I followed the guide up to the point where v3ext.txt is generated, but used my own version, as below.

The IP address and the additional DNS entry are just examples. In my example the domain name is “abc.local” and the DC name is “dc1.abc.local”. You can add further DNS entries as required, but make sure the SAN includes every name (FQDN or IP) that IDN, the VA and IQService will actually use to reach the DC: TLS clients match the host name against the SAN rather than the CN, so a certificate that carries only the CN fails hostname verification even when the CN is correct.

And I modified the signing command to use this file.
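As an added example (not the post’s own files, which are not reproduced here), the script below runs the fix end to end with OpenSSL: a throwaway lab CA, a CSR that stands in for the one exported from the DC, a v3ext.txt that carries the subjectAltName, and the signing step with -extfile so the SAN lands in the issued certificate. abc.local and dc1.abc.local are the lab names from the post; the IP address 192.168.1.10, the key sizes and the WORKDIR location are assumptions.

```shell
#!/bin/sh
# Added example (not the original post's files): reproduces the fix of adding
# a SAN to the DC certificate when signing with OpenSSL. abc.local and
# dc1.abc.local are the post's lab names; the IP address is an assumed value.
# In the real flow the CSR comes from the DC (certreq); here a local key/CSR
# stands in for it so the whole thing runs offline.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
DC_FQDN="dc1.abc.local"
DOMAIN="abc.local"
DC_IP="192.168.1.10"   # assumed example address

# Step 1: a throwaway lab CA, valid 10 years like the DC cert that follows.
make_lab_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=abc-lab-CA" \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" >/dev/null 2>&1
}

# Step 2: the CSR. On a real DC this is produced by certreq from request.inf;
# the local key generated here only stands in for the DC's private key.
make_dc_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$DC_FQDN" \
    -keyout "$WORKDIR/dc1.key" -out "$WORKDIR/dc1.req" >/dev/null 2>&1
}

# Step 3: v3ext.txt with a subjectAltName. This is the line the post added:
# without it, clients that verify hostnames (IDN's VA, IQService) reject the
# certificate even though the CN matches the DC name.
write_v3ext() {
  cat > "$WORKDIR/v3ext.txt" <<EOF
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
subjectAltName = DNS:$DC_FQDN, DNS:$DOMAIN, IP:$DC_IP
EOF
}

# Step 4: sign the CSR, passing the extension file so the SAN is copied into
# the issued certificate (a CSR's own extensions are ignored by x509 -req).
sign_dc_cert() {
  openssl x509 -req -days 3650 -in "$WORKDIR/dc1.req" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -set_serial 01 \
    -extfile "$WORKDIR/v3ext.txt" -out "$WORKDIR/dc1.crt" >/dev/null 2>&1
}

# Check: print the SAN entries of the issued certificate (empty if missing).
cert_san() {
  openssl x509 -in "$WORKDIR/dc1.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

build_dc_cert() {
  make_lab_ca && make_dc_csr && write_v3ext && sign_dc_cert
}

build_dc_cert
echo "Issued $WORKDIR/dc1.crt"
echo "SAN: $(cert_san)"
```

The SAN line printed at the end is the thing to look for; if it comes back empty, the extension file was not passed to the signing step. On the real DC you drop the local key and CSR steps, sign the request.req exported from the DC instead, and import dc1.crt on the DC as the guide describes.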

The rest is all the same as in the guide. You will get the certificate generated with the SAN and imported into your DC. LDAPS will work, and IDN and IQService will connect via TLS. And then forget about it for 10 years 😛

Aah, the green box of approval from IDN!!! The gods are happy and everything is good in the world again!!!

Hope it helps someone set up their own AD lab at home with an LDAPS TLS connection without a CA server. Of course this will not be a problem in an enterprise deployment.


SailPoint Certified IdentityNow Engineer!!!

So happy to report that I successfully passed the exam and now a certified SailPoint IdentityNow Engineer!!!

The exam was very interesting. It was proctored by Examity and involved DOMC-style questions and rating. It keeps you on your toes, and you can’t just luck your way through it.

For more information on the IDN Engineer Exam, head over to the SailPoint University Website.


Terminology Comparison: MIM vs SailPoint IDN

So I’ve been learning SailPoint IdentityNow (IDN), and I am rattling my brain trying to match what I know about MIM to it, making sense of the terms and how they are the same or similar but have different names in each product.

I have put together a little comparison table showing the most common things I have understood to date, and tried to put into words how they are termed differently in MIM and IDN.

I am not an expert in either, and I am not saying these are essentially correct or that one product is better than the other (btw there is no right answer to that; each has clear pros and cons depending on what you want in a product), but I am just trying to bridge the gap in understanding what they are in each.

For each MIM concept, the MIM meaning is given first and the SailPoint IDN equivalent second.

  • Data Type
    MIM: Has various types like integer, string, etc.
    IDN: Everything is essentially defined as a string.
  • Connection
    MIM: Direct via an MA, which has config parameters.
    IDN: Done via a VA (Virtual Appliance), a lightweight custom Linux VM deployed on the customer side. It makes outbound connections to the IDN cloud, so think of it as a secure tunnel from cloud IDN to your network without inbound firewall holes.
  • Management Agents (MA)
    MIM: Individual connectors connected to sources.
    IDN: Called a Source, downstream or upstream.
  • Connector Space (CS)
    MIM: Staging area for data in a connector.
    IDN: Shows up in the Accounts tab of the Source.
  • Disconnectors
    MIM: Objects which have not connected to the MV.
    IDN: Called "Uncorrelated Accounts" under the import data tab of the source.
  • Metaverse (MV)
    MIM: Where all the identities are connected to each MA, the fullest form of the identity in essence.
    IDN: The Identity List, which has links to all the sources.
  • Projection & Provisioning
    MIM: Each MA has the rules and mappings to project a CS into the MV and out to the external source as well.
    IDN: Each Identity Profile has a mapping against a source and also provisioning rules. Sources which have an Identity Profile are called Authoritative Sources, and ones which don't are called Non-Authoritative.
  • Join Rules
    MIM: Rules which join CS objects to the MV based on defined criteria.
    IDN: Called "Correlation" in the Source, where we define those criteria.
  • Groups
    MIM: AD or MIM Groups.
    IDN: Called Entitlements. It doesn't show groups the way MIM does, i.e. Group Management is not a thing. You do User Management with entitlements, i.e. group membership.
  • Import
    MIM: Importing objects from a connector into the CS.
    IDN: Called "Account Aggregation" or "Entitlement Aggregation", which brings in the data.
  • AD Password Sync from DC
    MIM: Done via PCNS.
    IDN: Done via PWI (Password Interceptor).
  • AD Write
    MIM: Direct via the ADMA.
    IDN: Needs a domain-joined computer with IQService installed.
  • Automation of logic
    MIM: Sets / MPRs and Workflows in the MIM Portal.
    IDN: Done via Access Profiles, Roles and Identity Profiles in the IDN Portal.
  • Advanced Rules
    MIM: Done via Workflows and other advanced methods like MIMWAL etc.
    IDN: Called Rules, written in Java/BeanShell wrapped in XML.
  • Under the hood config
    MIM: A lot of config is exported and modified in XML.
    IDN: Extensive API access, mainly giving JSON outputs with a few XML as well.

Feel free to correct me where I am wrong and / or if you want me to add something else or explain something more in details, do reach out.

Hopefully it made sense to someone!!!