Sailpoint Connectors

Sailpoint IdentityIQ utilizes connectors in a multitude of ways. Connectors are classified into groups depending on how they communicate with IdentityIQ. In this blog, you will go through and comprehend the concepts such as What is Sailpoint Connector, Working of connectors, Various Read/Write Connectors and Read only Direct Connectors.

What is Sailpoint Connector?

IdentityIQ binds to target resources using a software component that reads and writes to the target resource.

Sailpoint Connector
The method of onboarding an application ultimately leads to the development of the connector; for a clearer explanation of the flow, the below is the illustration of logic flow diagram.

Development of sailpoint connector
For each connector/application instance, we must specify the following parameters in each connector:

  • Connection parameters: Login, Password.
  • Schema
  • Groups
  • Activity sources
  • Formatting
  • IdentityIQ rules
  • Application owners

The following are the most popular types of connectors:

  • Delimited File
  • JDBC
  • LDAP
  • AD
  • Logical
  • Multiplex

Want To Get SailPoint Training From Experts? Enroll Now For Free Demo SailPoint Online Training.

Working of Connectors

Governance Connector 

Governance connector aims to provide direct read-only access to an external application using the connection parameters defined in the Application Specification.

The Governance Connectors that are currently available are as follows:

  • LDIF 
  • SAP HR/HCM
  • UNIX 
  • VMS 
  • Mainframe 
  • TopSecret 
  • Delimited File
  •  Logical 
  • RuleBasedFileParser 
  • RuleBasedLogical 
  • Yammer

Direct Connectors 

Direct connectors are read-write connectors that enable IdentityIQ and the external application to exchange data directly in both directions. When read and write capabilities are needed for applications that have these connectors, they are the most efficient and safest choice to use. Here's a rundown of the existing direct connectors:

  • ADAM - Direct 
  • JDBC
  •  Novell Edirectory - Direct
  •  OID - Direct
  •  OpenLDAP - Direct
  •  SunOne - Direct
  •  Tivoli - Direct
  •  Google Apps
  •  Webex
  •  Salesforce
  •  Active Directory
  •  GotoMeeting
  •  Box.NET
  •  NetSuite
  •  AWS
  •  Office 365
  •  SharePoint Online
  •  Exchange Online
  •  SharePoint Inpremises 
  • IBM Lotus Domino 
  • BMC Remedy IT Service Management 
  • BMC Remedy 
  • Oracle E-Business Suite
  •  RSA Ace Server
  •  SAP
  •  SAP Enterprise Portal 
  • Tenrox
  • Rally 
  • Tivoli Access Manager 
  • ServiceNow 
  • Microsoft SQL Server 
  • Oracle 
  • AIX
  • Linux 
  • Solaris 
  • Sybase
  • PeopleSoft
  • RemedyForce

Gateway Connectors 

Direct Connectors have been rewritten with gateway connectors that use Connector Manager to connect to an external application.

Related Article: Sailpoint Architecture

Agent Connectors

Agent connectors are meant to connect to unified mainframe security networks, and Agents are the simplest and safest means of doing so. Agents, including Gateway connectors, communicate with IdentityIQ through the Connector Gateway. Agent connectors have the features of the Connector Manager, so the Connector Manager is no longer needed. The IdentityIQ Agent Connectors are as follows:

  • ACF2 
  • AS400
  • RACF Full 
  • TopSecret Full 
  • DB2-UDB 

Target permissions support (RACF, ACF2, and Top Secret) 

The Target permissions function is supported by Mainframe-based connectors such as RACF, ACF2, and Top Secret.

There are two types of groups available in Sailpoint IdentityIQ Connectors: 

  • Read-only connectors that can only transmit data to IdentityIQ (Governance) from an external program.
  • Connectors that can read and write data to and from an external program. (Gateway and Direct)

Sailpoint Training

  • Master Your Craft
  • Lifetime LMS & Faculty Access
  • 24/7 online expert support
  • Real-world & Project Based Learning

Read/Write Direct Connectors

Let us now discuss a few Read/Write Direct Connectors.

1. SailPoint IdentityIQ Active Directory Connector

To connect with Windows Domain Controllers, IdentityIQ specifically uses the LDAP and ADSI Active Directory interfaces. In Active Directory, there are two forms of group membership:

  • Primary group concept 
  • Other group membership 

You can only have one primary group in Active Directory, but you can have any number of other groups. In Active Directory, the other groups are listed as a property of the user object. In the member attribute of a user object, there is a list of groups. However, since the primary group isn't identified as a group in the member attribute, the connector must perform a follow-up query to decide which primary group the user belongs to. When searching for a user's primary group, the Active Directory connector starts with the primaryGroupSearchDN attribute.

Users, groups, and entitlements can be provisioned from IdentityIQ using the Active Directory connector. The following functions are provided by the connector: 

  • Create/Update/Delete User 
  • Create/Update/Delete Group 
  • Manage Terminal Services, Dial-in Attributes 
  • To set the extended attributes, add custom attributes to the provisioning policy.
  • Manage Exchange 2007, Exchange 2010, Exchange 2013 
  • Enable/Disable/Unlock/Reset Password for Users 
  • Add/Remove entitlements 
  • Pass-through Authentication 
  • Password Interceptor

2. SailPoint IdentityIQ WebEx Connector

WebEx accounts and groups (Meeting Types) are managed by this connector. For WebEx accounts, it supports both read and write. Users and groups can be created, deleted, retrieved, authenticated, and unlocked using the WebEx connector.

Related Article: SailPoint Integration

The following operations are assisted by this release of the connector:

  • Account Aggregation 
  • Account-Group Aggregation 
  • Request entitlement 
  • Create/Delete/Refresh user 
    Enable/Disable user 
  • Lock/Unlock user 
  • Managed password

3. SailPoint IdentityIQ Google Apps Connector

SailPoint Google Apps connector handles Google Apps users and groups. 

The following functions are provided by the connector: 

  • Account Aggregation 
  • Account-Group Aggregation 
  • Create\Delete\Refresh Account 
  • Create\Update\Delete Account-Group 
  • Add\Remove Entitlement 
  • Enable\Disable Account 
  • Change Password 
  • Authenticate

4. SailPoint IdentityIQ LDAP Connector

The LDAP RFC was used to build this connector. The LDAP connector should work with virtually every LDAP server and requires no additional configuration. Provisioning of users and entitlements, as well as retrieval of LDAP account and group object classes, are now supported by the LDAP Connector.

The following functions are supported by the SailPoint IdentityIQ LDAP Connector:

  • Account Aggregation 
  • Account-Group Aggregation 
  • Create/Update/Delete Account 
  • Create/Update/Delete Account-Group 
  • Account Refresh 
  • Add/Remove Entitlement 
    Enable/Disable/Unlock Account 
  • Change/Reset password 
  • Pass through Authentication 
  • Password Interceptor 
  • The LDAP Password Interceptor offers a way for the Client to record and send to IdentityIQ a password change initiated by the LDAP system.
  • Delta Aggregation

5. SailPoint IdentityIQ Box.Net Connector

The Box.Net Connector is used to handle the Box server's managed users and groups. The Box.Net connector is a read/write connector that can retrieve a network's managed users and groups, activate/inactivate managed users, and delegate managed users to groups.

The SailPoint IdentityIQ Box.Net Connector supports the following capabilities:

  • Account Aggregation 
  • Account - Group Aggregation 
  • Account Refresh 
  • Create Account 
  • Add/Remove entitlements 
  • Enable/Disable Account

6. SailPoint IdentityIQ Microsoft Office 365 Connector

This connector handles the Microsoft Office 365 Online directory store's users, groups, and attributes. It does not handle the characteristics associated with the Microsoft Office 365 suite's other products, such as Exchange Online, SharePoint Online, and Lync Online. To enforce its functionalities in IQService, which must be running on a Windows 7 or Windows Server 2008 R2 computer, the Microsoft Office 365 Connector uses Microsoft Office 365 cmdlets for Windows PowerShell.

  • SailPoint IdentityIQ Microsoft Office 365 Connector aids in the implementation of the following features:
  • Account Aggregation 
  • Account - Group Aggregation 
  • Account Refresh 
  • Create/Delete/Update Account 
  • Create/Delete/Update Group 
    Add/Remove Entitlements 
  • Enable/Disable Account (Revoke/Restore) 
  • Password Reset 
  • Pass through Authentication

7. SailPoint IdentityIQ ServiceNow Connector

ServiceNow accounts and groups are managed by the ServiceNow connector. It has read and write capability for ServiceNow accounts.

SailPoint IdentityIQ ServiceNow Connector can be used to support the following features:

  • Account Aggregation 
  • Account-Group Aggregation 
  • Create/Update/Delete User 
  • Enable/Disable/Unlock User 
  • Change password 
  • Add/Remove Entitlement( Account-group, roles) 
  • Create/Update/Delete Group

8. SailPoint IdentityIQ Microsoft SharePoint Connector

Microsoft SharePoint offers tools that enable users to create websites to share information with others, maintain documents from start to finish, and publish reports to aid in decision-making. IdentityIQ will combine current SharePoint users from any SharePoint platform or set to show which SharePoint groups, sites, lists, directories, and files those users have access to. The Microsoft SharePoint connector is used to handle SharePoint users and groups in SharePoint 2007 (Classic mode or Windows Claim based authentication), 2010 (Windows Claim based authentication), and 2013 (Windows Claim based authentication) environments using the Microsoft SharePoint server APIs included with the SharePoint applications. Domain groups that are called consumers of SharePoint are currently not supported by the connector.

  • The SharePoint connector allows users, groups, and entitlements to be provisioned from IdentityIQ.The following functions are provided by the connector:
  • Users and groups aggregation 
  • Create/Delete/Update User 
  • Create/Delete/Update Group 
  • Add/Remove entitlements 
  • Unstructured Target permissions for Sites, Lists, List Items, Folders, and Files may be read or revoked. Aggregation of Targets.

9. SailPoint IdentityIQ Amazon Web Services Identity and Access Management Connector

Identity and Access Management (IAM) from Amazon Web Services (AWS) enables you to safely manage access to Amazon Web Services and your account tools. You can build multiple IAM users under your AWS account or grant temporary access through identity federation with your corporate directory using IAM. You may also allow access to services through AWS accounts in some instances. When using AWS, IAM provides more security, flexibility, and control. Without IAM, you'll have to either build several AWS accounts, each with its billing and subscriptions to AWS products or share a single AWS account's protection credentials. Furthermore, without IAM, you have no control over what activities a user or system can perform or what AWS services they can use. Identity federation between your corporate directory and AWS services is feasible with IAM. This allows you to give safe and direct access to AWS services, such as Amazon S3 buckets, using your current organizational identities rather than building new AWS identities for those customers. IAM is a web service that allows AWS consumers to monitor their account's users and permissions. See AWS Identity and Access Management (IAM) for more detail on this product. This connector's purpose is to enable you to read and provision AWS IAM accounts, account groups, and account group assignments.

The following operations are assisted by this release of the connector:

Account Aggregation (Aggregates IAM Users under the AWS Account) 

  • Account-Group Aggregation (Aggregates IAM Groups under the AWS Account) 
  • Account Refresh 
  • Create/Update/Delete Account 
  • Create/Update/Delete Account-Group 
    Account Enable (Activates ONLY ONE existing Access Key and Signing Certificate) 
  • Account Disable (Deactivates and/or deletes ALL existing Security Credentials) 
  • Reset Password (Does not require a current password) 
  • Request/Remove Entitlement 
  • Direct Permissions on Account (Aggregation only) 
  • Direct Permissions on Account-Group (Aggregation only)

10. SailPoint IdentityIQ NetSuite Connector

NetSuite is a cloud-based Software-as-a-Service (SaaS) platform for integrated business management. ERP/accounting, order management/inventory, CRM,

Professional Services Automation (PSA), and E-commerce are all available through NetSuite's cloud business management system. 

In NetSuite, Enterprise Resource Planning (ERP) includes accounting, procurement, order control, project management, and workforce management, among other things.

Employee data in the NetSuite ERP framework can be controlled by NetSuite Connector. The connector is a write-capable connector that manages the entities mentioned below:

  • Employee Account 
  • Employee Role 
  • Employee Entitlement

The following operations are assisted by this release of the connector:

  • Account Aggregation 
  • Group Aggregation 
  • Refresh Account 
  • Create/Delete Account 
  • Add/Delete Account Entitlement 
  • Enable/Disable Account 
  • Change Password 
  • Pass-through Authentication

11. SailPoint IdentityIQ JDBC Connector

The JDBC Connector is used to read and write data from database engines that support JDBC. Data from a flat table is supported by this connector. You'll need to build a rule and a more complicated SQL statement to work with multi-table data.

  • This connector can be set up to allow for the exploration of schema attributes automatically.
  • In version 5.2 and above, IdentityIQ supports the following additional JDBC Connector features:
  • Ability to include a SQL declaration or stored procedure for automated discovery of account-group schema attributes from the same or a different database than the account schema during application setup.
  • To provision account and group attributes, you can specify provisioning rules that are named for each row in the data file.
  • To provision account and group attributes, the option to specify different provisioning rules for unique operations named for each row in the data file is available. Enable,
  • Disable, Unlock, Delete, Create, and Modify is some of the operations available.

The following functions are provided by the SailPoint IdentityIQ JDBC Connector:

  • Account Aggregation 
  • Group Aggregation 
  • Refresh Account 
  • Create/Delete 
  • Add /Delete Account Entitlement 
  • Enable/Disable Account 
  • Change Password

12. SailPoint IdentityIQ PeopleSoft Connector

The PeopleSoft Connector is responsible for the PeopleSoft server's administrative entities (User Profiles and Roles). Through component interfaces, the PeopleSoft connector connects to the PeopleSoft server.

The following functions are provided by the PeopleSoft Connector:

  • Account Aggregation 
  • Account-Group Aggregation 
  • Create/Update/Delete Account 
  • Get/Sync Account 
  • Enable/Disable Account 
  • Change Password 
  • Discover Schema

13. SailPoint IdentityIQ Siebel Connector

The Siebel Connector is a component of Oracle's Siebel CRM that handles entities. Employees are handled as Accounts, and positions are managed as Account Groups

in this system. For account provisioning, the Siebel Connector defaults to using the Employee Siebel business attribute of the Employee Siebel business object. Connector uses the Position business component of the Position business object for Account Group provisioning. In the Account/Account Group provisioning, the Connector may be configured to handle other Siebel Business Objects/Components. The Siebel Connector handles both single and multi-valued attributes. Other than the Schema that comes with Connector, the Connector schema can be modified to handle other attributes.

The following features are supported by SailPoint IdentityIQ Siebel Connector:

  • Account Aggregation 
  • Account-Group Aggregation 
  • Create/Update/Delete Account 
  • Get/Sync Account 
  • Enable/Disable Account 
  • Change Password 
  • Create/Update/Delete Account-Group 
  • Add/Remove entitlement
  • Add\Remove Entitlement 
  • Enable\Disable\Unlock Account 
  • Change Password (HTTP - Default and ID file)
  • Authenticate (using HTTP password only)

14. SailPoint IdentityIQ Microsoft SQL Server

Microsoft SQL Server is a relational database management system that Microsoft has developed. As a database, it is a software product whose primary purpose is to store and retrieve data as required by other software programs, whether they are running on the same device or a networked computer (including the Internet). SailPoint IdentityIQ Microsoft SQL Server Connector handles the following entities on Microsoft SQL Server: 

  • User 
  • Login User 
  • Database User 
  • Role 
  • Application Role 
  • Database Role

The following features are supported by SailPoint IdentityIQ Microsoft SQL Server Connector:

  • Account/Group Aggregation 
  • Create/Update/Delete/Refresh Account 
  • Create/Delete Group 
  • Enable/ Disable Account 
  • Set Password 
  • Request/Remove Entitlement 
  • Direct Permissions

Related Article: Sailpoint Certification

15. SailPoint IdentityIQ Oracle Connector

The Oracle Database (also known as Oracle RDBMS or Oracle) is a relational database management system (ORDBMS). SailPoint IdentityIQ Oracle Server Connector is an Oracle database server connector that lets you handle full user administration, including provisioning and password protection. Oracle Server Connector handles the following entities of the Oracle server: 

  • Account 
  • Role

SailPoint IdentityIQ Oracle Connector provides support for the following features: 

  • Account/Group Aggregation 
  • Create/Update/Delete/Refresh Account 
  • Request/Remove Entitlement 
  • Enable/Disable Account 
  • Set Password 
  • Pass through Authentication 
  • Create/Update/Delete Group 
  • Direct Permissions: Target is Table

16. SailPoint IdentityIQ Solaris Connector 

Users on a Solaris computer are used to provision accounts in Solaris Connector. Groups are used for community provisioning. The Connector may be programmed to use all of the user/group attributes that are provided by Solaris commands. 

The following features are provided by the Solaris Connector:

  • Account Aggregation 
  • Account Group Aggregation 
  • Create/Delete/Update Account 
  • Enable/Disable/Unlock Account 
  • Get/Sync Account 
  • Change Password 
  • Create/Update/Delete Account Group 
  • Add/Delete Entitlement 
  • Reset password 
  • Target Aggregation For more information
  • Revoke Target Permissions 
  • Password Interceptor

17. SailPoint IdentityIQ SAP Connector 

SAP Enterprise Resource Planning platform is an advanced software system that combines the organization's core business functions. The SAP Connector populates the SAP system with both users and functions, as well as provisioning users and their roles and/or profiles.

The SailPoint IdentityIQ SAP Connector was modified to support provisioning functionality to both a standalone SAP system and SAP Central User Administration (CUA) system.

The following features are supported by SailPoint IdentityIQ SAP Connector:

  • Password Reset 
  • Create Account 
  • Delete Account 
  • Enable/Disable/ Account 
  • Request/Remove Entitlement (for standalone and CUA SAP System) 
  • Pass-through Authentication

Visit here to learn Sailpoint Training In Hyderabad

Subscribe to our youtube channel to get new updates..!

Read Only Direct Connectors

Let us now discuss a few Read Only Direct Connectors.

1. SailPoint IdentityIQ Yammer Connector

The Yammer Connector is a read-only connector that retrieves account and community information from one or more Yammer networks (Enterprise Social Network).

2. SailPoint IdentityIQ ALES Connector

BEA's Aqualogic Enterprise Security Server is communicated with using this connector. The ALES Entitlement Query API is used for the integration.

3. SailPoint IdentityIQ Logical Connector

The logical connector was designed to build objects that look and function like IdentityIQ applications, but are actually built by detecting accounts from other, or tier, applications in existing identity cubes. For instance, one logical application may represent three other accounts on tier applications, an Oracle database, an LDAP authorization application, and a custom internal authentication application. When the logical application detects the three requisite accounts on a single identity, it scans identities and generates an account on the logical application. You can then use the same, representative account for certification, reporting, and tracking instead of the three different accounts from which it is made up.

4. SailPoint IdentityIQ Delimited Connector

The Delimited File connector follows a set of rules. The rules in this connector can be customised to accommodate the difficulty of the data being extracted. This connector can be set up to allow for the discovery of schema attributes automatically.

5. SailPoint IdentityIQ LDIF Connector

Data is extracted from LDIF files using the LDIF connector. If the membership is not part of the account details, there is a setting called "groupMembershipAttribute" that can be used to support. The name of the attribute from the group file that contains the list of its members is stored in this configuration environment. Make this attribute multi-valued and add it to the account schema. For this function to work, you'll need to configure the "groupMembershipAttribute" and a group file. The connector will read the groups file during account iteration to get the group -> use mapping and adorn each account with their allocated groups as they are aggregated.

6. SailPoint IdentityIQ IBM Tivoli Identity Manager Connector 

The IBM Tivoli Identity Manager connector scans the directory for ALL group memberships using the groupMemberSearchDN attribute as a starting point. Since the IBM Tivoli Identity Manager does not keep track of a user's group references, this connector must always run a separate query to get a list of all the user's groups.

7. SailPoint IdentityIQSAP HR/HCM Connector

The SAP HR/HCM connector was created to retrieve all user data from the SAP HR/HCM system.

8. SailPoint IdentityIQSun IDM Connector

The Sun IDM connector was created to return all of the Sun IDM user accounts and capabilities.

9. SailPoint IdentityIQ Top Secret Connector

To read the TSSCFILE export, the Top Secret connector was made.

10. SailPoint IdentityIQ UNIX Connector

To construct identities and groups, the UNIX connector was created to read and parse the passwd and group files from UNIX servers. There is some overlap between the UNIX and Delimited File connectors since this connector is based on files. IdentityIQ evaluates authentication performance by authenticating using the ftp or scp service with the given login credentials, depending on the application configuration. As a consequence, the UNIX application's passwdfile attribute must point to the same password file used by the system for authentication. In a NIS environment, this password file is usually /etc/passwd, but it may be different.

11. SailPoint IdentityIQ Mainframe Connector

Screen scraping is used by this connector, and each deployment must write Rules to drive the login/logout/fetch accounts.During the conversation, the connector analyses the screens and operates as the user.Screen scraping is the only way to get the data needed by IdentityIQ on certain legacy systems.Since the Rules that drive this connector are very unique to the application on which it is operating, each Mainframe connector needs a lot of manual configuration. 

The IBM Host Access API libraries are used to construct the Mainframe connector, which is designed for TN3270 applications.Before operating with this connector, you must have the IBM Host Access API libraries. These IBM libraries are available for purchase.

12. SailPoint IdentityIQ Novell Identity Manager Connector

The Novell Identity Manager connector searches the directory for ALL group memberships using the groupMemberSearchDN attribute as a starting point. Since the Novell Identity Manager does not keep track of a user's category references, this connector must always run a separate query to get a list of all the user's groups.

The Novell IDM connector is a multiplexing and non-multiplexing connector.The IDM vault is used for both aggregation and remediation in the multiplexed mode. Aggregation occurs through individual connectors in the non-multiplexed mode, however account removal and disabling occurs through the vault.Aggregation occurs through individual connectors in the non-multiplexed mode, however account removal and disabling occurs through the vault.

13. SailPoint IdentityIQ RACF Connector

The RACF connector was built to read the RACF unload utility's file. 

14. SailPoint IdentityIQ Rule Based Logical Connector

The Rule Based Logical connector was created to generate objects that look and behave like IdentityIQ applications, but are actually built by detecting accounts from other applications in existing identity cubes. For instance, one logical program may represent three other accounts on separate databases, such as an Oracle database, an LDAP authorization application, and a custom application for internal authentication. As the logical application rule identifies the three requisite accounts on a single identity, it scans identities and generates an account on the logical application. For certification, reporting, and tracking in the product, you should use the same, representative account instead of the three different accounts from which it is made up.

Sailpoint Training

Weekday / Weekend Batches

Conclusion
Thus we have seen various connectors and supported features which can be used in Sailpoint. It assists the business in boosting the IT performance by using out-of-the-box connectors and integrations for quick application onboarding. By using unified controls and rules, you can keep data secure. Ascertain the data protection and compliance regulations are enforced at all times.

Related Article: What is Sailpoint

Find our upcoming Sailpoint Training Online Classes

  • Batch starts on 10th Jul 2022, Weekend batch

  • Batch starts on 14th Jul 2022, Weekday batch

  • Batch starts on 18th Jul 2022, Weekday batch

Global Promotional Image
 

Categories

Request for more information

Manikanth
Manikanth
Research Analyst
As a Senior Writer for HKR Trainings, Sai Manikanth has a great understanding of today’s data-driven environment, which includes key aspects such as Business Intelligence and data management. He manages the task of creating great content in the areas of Digital Marketing, Content Management, Project Management & Methodologies, Product Lifecycle Management Tools. Connect with him on LinkedIn and Twitter.