Sailpoint Connectors

SailPoint IdentityIQ uses connectors in many ways. Connectors are grouped according to how they communicate with IdentityIQ. This post covers what a SailPoint connector is, how connectors work, the main read/write connectors, and the read-only direct connectors.

What is a SailPoint Connector?
A connector is the software component through which IdentityIQ binds to a target resource and reads from and writes to it.


Onboarding an application ultimately leads to developing or configuring its connector; the logic flow diagram below illustrates the process.

[Figure: logic flow diagram of application onboarding]

For each connector/application instance, the following parameters must be specified:

  • Connection parameters: Login, Password.
  • Schema
  • Groups
  • Activity sources
  • Formatting
  • IdentityIQ rules
  • Application owners

The following are the most popular types of connectors:

  • Delimited File
  • JDBC
  • LDAP
  • AD
  • Logical
  • Multiplex

Working of Connectors
Governance Connector 

Governance connector aims to provide direct read-only access to an external application using the connection parameters defined in the Application Specification.

The Governance Connectors that are currently available are as follows:

  • LDIF
  • SAP HR/HCM
  • UNIX
  • VMS
  • Mainframe
  • TopSecret
  • Delimited File
  • Logical
  • RuleBasedFileParser
  • RuleBasedLogical
  • Yammer

Direct Connectors 

Direct connectors are read-write connectors that let IdentityIQ and the external application exchange data directly in both directions. When an application has a direct connector and both read and write capabilities are needed, the direct connector is the most efficient and safest choice. Here is a rundown of the existing direct connectors:

  • ADAM - Direct
  • JDBC
  • Novell eDirectory - Direct
  • OID - Direct
  • OpenLDAP - Direct
  • SunOne - Direct
  • Tivoli - Direct
  • Google Apps
  • Webex
  • Salesforce
  • Active Directory
  • GotoMeeting
  • Box.NET
  • NetSuite
  • AWS
  • Office 365
  • SharePoint Online
  • Exchange Online
  • SharePoint On-premises
  • IBM Lotus Domino
  • BMC Remedy IT Service Management
  • BMC Remedy
  • Oracle E-Business Suite
  • RSA Ace Server
  • SAP
  • SAP Enterprise Portal
  • Tenrox
  • Rally
  • Tivoli Access Manager
  • ServiceNow
  • Microsoft SQL Server
  • Oracle
  • AIX
  • Linux
  • Solaris
  • Sybase
  • PeopleSoft
  • RemedyForce

Gateway Connectors 

Gateway connectors are direct connectors that have been rewritten to connect to the external application through the Connector Manager.

Agent Connectors

Agent connectors are meant to connect to unified mainframe security systems, and agents are the simplest and safest means of doing so. Agents, like Gateway connectors, communicate with IdentityIQ through the Connector Gateway. Agent connectors include the features of the Connector Manager, so a separate Connector Manager is no longer needed. The IdentityIQ Agent Connectors are as follows:

  • ACF2 
  • AS400
  • RACF Full 
  • TopSecret Full 
  • DB2-UDB 

Target permissions support (RACF, ACF2, and Top Secret) 

The Target permissions function is supported by Mainframe-based connectors such as RACF, ACF2, and Top Secret.

SailPoint IdentityIQ connectors therefore fall into two groups:

  • Read-only connectors, which can only transmit data from an external application to IdentityIQ (Governance).
  • Connectors that can both read data from and write data to an external application (Gateway and Direct).


Read/Write Direct Connectors
Let us now discuss a few Read/Write Direct Connectors.

1. SailPoint IdentityIQ Active Directory Connector
To connect with Windows Domain Controllers, IdentityIQ specifically uses the LDAP and ADSI Active Directory interfaces. In Active Directory, there are two forms of group membership:

  • Primary group
  • Other group membership

You can only have one primary group in Active Directory, but you can have any number of other groups. In Active Directory, the other groups are listed as a property of the user object: the member attribute of a user object holds the list of groups. However, since the primary group is not identified as a group in the member attribute, the connector must perform a follow-up query to determine which primary group the user belongs to. When searching for a user's primary group, the Active Directory connector starts at the primaryGroupSearchDN attribute.

Users, groups, and entitlements can be provisioned from IdentityIQ using the Active Directory connector. The connector provides the following functions:

  • Create/Update/Delete User
  • Create/Update/Delete Group
  • Manage Terminal Services and Dial-in attributes
  • Set extended attributes by adding custom attributes to the provisioning policy
  • Manage Exchange 2007, Exchange 2010, Exchange 2013
  • Enable/Disable/Unlock/Reset Password for users
  • Add/Remove entitlements
  • Pass-through Authentication
  • Password Interceptor

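The follow-up lookup described above for the primary group, written out as an added example (not SailPoint's connector code): the other groups come straight from the user's group list, while the primary group is known only by its RID in primaryGroupID, so the resolver builds the group SID (domain SID plus RID) and searches for it under a base DN standing in for primaryGroupSearchDN. All directory entries are constructed.

```python
"""Resolve an AD user's full group set, including the primary group."""
from typing import Dict, List, Optional

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed
BASE_DN = "DC=example,DC=com"   # stands in for primaryGroupSearchDN (assumed)

# Constructed group entries keyed by distinguishedName.
GROUPS: Dict[str, dict] = {
    "CN=Domain Users,CN=Users," + BASE_DN: {"objectSid": DOMAIN_SID + "-513"},
    "CN=Domain Admins,CN=Users," + BASE_DN: {"objectSid": DOMAIN_SID + "-512"},
    "CN=App Readers,OU=Groups," + BASE_DN: {"objectSid": DOMAIN_SID + "-1105"},
}

# Constructed user entries. The second account's primary group has been
# changed from the default Domain Users (RID 513) to Domain Admins (RID 512).
USERS: Dict[str, dict] = {
    "alice": {
        "objectSid": DOMAIN_SID + "-1106",
        "primaryGroupID": 513,
        "memberOf": ["CN=App Readers,OU=Groups," + BASE_DN],
    },
    "svc-backup": {
        "objectSid": DOMAIN_SID + "-1107",
        "primaryGroupID": 512,
        "memberOf": [],
    },
}


def domain_sid(object_sid: str) -> str:
    """Strip the trailing RID from an objectSid string."""
    return object_sid.rsplit("-", 1)[0]


def find_primary_group(user: dict, groups: Dict[str, dict],
                       search_dn: str) -> Optional[str]:
    """Follow-up query: the group under search_dn whose SID is
    <user's domain SID>-<primaryGroupID>."""
    wanted = f"{domain_sid(user['objectSid'])}-{user['primaryGroupID']}"
    for dn, attrs in groups.items():
        if dn.endswith(search_dn) and attrs["objectSid"] == wanted:
            return dn
    return None


def all_groups(user: dict, groups: Dict[str, dict],
               search_dn: str = BASE_DN) -> List[str]:
    """Listed groups plus the resolved primary group, deduplicated and sorted."""
    result = set(user["memberOf"])
    primary = find_primary_group(user, groups, search_dn)
    if primary:
        result.add(primary)
    return sorted(result)


def nondefault_primary_groups(users: Dict[str, dict]) -> List[str]:
    """Audit helper: accounts whose primary group is not Domain Users (RID 513).
    That membership is absent from the user's group list, so an aggregation
    that skips the follow-up query would never see it."""
    return sorted(n for n, u in users.items() if u["primaryGroupID"] != 513)


if __name__ == "__main__":
    for name, user in USERS.items():
        print(name, "->", all_groups(user, GROUPS))
    print("non-default primary group:", nondefault_primary_groups(USERS))
```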
2. SailPoint IdentityIQ WebEx Connector
WebEx accounts and groups (Meeting Types) are managed by this connector. For WebEx accounts, it supports both read and write. Users and groups can be created, deleted, retrieved, authenticated, and unlocked using the WebEx connector.

The following operations are assisted by this release of the connector:

  • Account Aggregation
  • Account-Group Aggregation
  • Request Entitlement
  • Create/Delete/Refresh User
  • Enable/Disable User
  • Lock/Unlock User
  • Manage Password

3. SailPoint IdentityIQ Google Apps Connector
SailPoint Google Apps connector handles Google Apps users and groups. 

The following functions are provided by the connector: 

  • Account Aggregation
  • Account-Group Aggregation
  • Create/Delete/Refresh Account
  • Create/Update/Delete Account-Group
  • Add/Remove Entitlement
  • Enable/Disable Account
  • Change Password
  • Authenticate

4. SailPoint IdentityIQ LDAP Connector
The LDAP RFC was used to build this connector. The LDAP connector should work with virtually every LDAP server and requires no additional configuration. Provisioning of users and entitlements, as well as retrieval of LDAP account and group object classes, are now supported by the LDAP Connector.


The following functions are supported by the SailPoint IdentityIQ LDAP Connector:

  • Account Aggregation
  • Account-Group Aggregation
  • Create/Update/Delete Account
  • Create/Update/Delete Account-Group
  • Account Refresh
  • Add/Remove Entitlement
  • Enable/Disable/Unlock Account
  • Change/Reset Password
  • Pass-through Authentication
  • Password Interceptor: the LDAP Password Interceptor gives the client a way to record a password change initiated on the LDAP system and send it to IdentityIQ.
  • Delta Aggregation

5. SailPoint IdentityIQ Box.Net Connector
The Box.Net Connector is used to handle the Box server's managed users and groups. The Box.Net connector is a read/write connector that can retrieve a network's managed users and groups, activate/inactivate managed users, and delegate managed users to groups.


The SailPoint IdentityIQ Box.Net Connector supports the following capabilities:

  • Account Aggregation
  • Account-Group Aggregation
  • Account Refresh
  • Create Account
  • Add/Remove Entitlements
  • Enable/Disable Account

6. SailPoint IdentityIQ Microsoft Office 365 Connector
This connector manages the users, groups, and attributes of the Microsoft Office 365 online directory store. It does not manage the attributes belonging to the other products of the Office 365 suite, such as Exchange Online, SharePoint Online, and Lync Online. The Office 365 connector implements its functions through IQService, which must run on a Windows 7 or Windows Server 2008 R2 computer, using the Microsoft Office 365 cmdlets for Windows PowerShell.


SailPoint IdentityIQ Microsoft Office 365 Connector aids in the implementation of the following features:

  • Account Aggregation
  • Account-Group Aggregation
  • Account Refresh
  • Create/Delete/Update Account
  • Create/Delete/Update Group
  • Add/Remove Entitlements
  • Enable/Disable Account (Revoke/Restore)
  • Password Reset
  • Pass-through Authentication

7. SailPoint IdentityIQ ServiceNow Connector
ServiceNow accounts and groups are managed by the ServiceNow connector. It has read and write capability for ServiceNow accounts.

SailPoint IdentityIQ ServiceNow Connector can be used to support the following features:

  • Account Aggregation
  • Account-Group Aggregation
  • Create/Update/Delete User
  • Enable/Disable/Unlock User
  • Change Password
  • Add/Remove Entitlement (account-group, roles)
  • Create/Update/Delete Group

8. SailPoint IdentityIQ Microsoft SharePoint Connector
Microsoft SharePoint offers tools that let users create websites to share information with others, manage documents from start to finish, and publish reports to aid decision-making. IdentityIQ aggregates the current SharePoint users from any SharePoint platform or site collection to show which SharePoint groups, sites, lists, directories, and files those users have access to. The Microsoft SharePoint connector manages SharePoint users and groups in SharePoint 2007 (Classic mode or Windows claims-based authentication), 2010 (Windows claims-based authentication), and 2013 (Windows claims-based authentication) environments using the Microsoft SharePoint server APIs shipped with SharePoint. Domain groups that are SharePoint users are not currently supported by the connector.


The SharePoint connector allows users, groups, and entitlements to be provisioned from IdentityIQ. The connector provides the following functions:

  • User and group aggregation
  • Create/Delete/Update User
  • Create/Delete/Update Group
  • Add/Remove entitlements
  • Read or revoke unstructured target permissions for Sites, Lists, List Items, Folders, and Files
  • Target aggregation

9. SailPoint IdentityIQ Amazon Web Services Identity and Access Management Connector
Identity and Access Management (IAM) from Amazon Web Services (AWS) lets you securely manage access to AWS services and the resources in your account. With IAM you can create multiple IAM users under your AWS account, or grant temporary access through identity federation with your corporate directory. In some cases you can also allow access to services across AWS accounts. IAM gives you more security, flexibility, and control when using AWS. Without IAM, you would have to either create several AWS accounts, each with its own billing and subscriptions to AWS products, or share a single AWS account's security credentials. Furthermore, without IAM you have no control over which actions a user or system can perform or which AWS services they can use. IAM makes identity federation between your corporate directory and AWS services possible, so you can give secure, direct access to AWS services such as Amazon S3 buckets using your existing organizational identities rather than creating new AWS identities for those users. IAM is a web service that lets AWS customers manage their account's users and permissions. See the AWS Identity and Access Management (IAM) documentation for more detail. The purpose of this connector is to let you read and provision AWS IAM accounts, account groups, and account-group assignments.


The following operations are assisted by this release of the connector:

  • Account Aggregation (aggregates IAM users under the AWS account)
  • Account-Group Aggregation (aggregates IAM groups under the AWS account)
  • Account Refresh
  • Create/Update/Delete Account
  • Create/Update/Delete Account-Group
  • Account Enable (activates ONLY ONE existing access key and signing certificate)
  • Account Disable (deactivates and/or deletes ALL existing security credentials)
  • Reset Password (does not require the current password)
  • Request/Remove Entitlement
  • Direct Permissions on Account (aggregation only)
  • Direct Permissions on Account-Group (aggregation only)

10. SailPoint IdentityIQ NetSuite Connector
NetSuite is a cloud-based Software-as-a-Service (SaaS) platform for integrated business management. ERP/accounting, order management/inventory, CRM, Professional Services Automation (PSA), and E-commerce are all available through NetSuite's cloud business management system. 


In NetSuite, Enterprise Resource Planning (ERP) includes accounting, procurement, order control, project management, and workforce management, among other things.


Employee data in the NetSuite ERP framework can be controlled by NetSuite Connector. The connector is a write-capable connector that manages the entities mentioned below:

  • Employee Account
  • Employee Role
  • Employee Entitlement

The following operations are assisted by this release of the connector:

  • Account Aggregation
  • Group Aggregation
  • Refresh Account
  • Create/Delete Account
  • Add/Delete Account Entitlement
  • Enable/Disable Account
  • Change Password
  • Pass-through Authentication

11. SailPoint IdentityIQ JDBC Connector
The JDBC Connector is used to read and write data from database engines that support JDBC. Data from a flat table is supported by this connector. You'll need to build a rule and a more complicated SQL statement to work with multi-table data.

This connector can be set up to allow for the exploration of schema attributes automatically.
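An added example (not SailPoint's connector code) of the multi-table case described above: a constructed three-table user/role schema is held in an in-memory SQLite database, ACCOUNT_SQL plays the part of the "more complicated SQL statement" that flattens it into one row per account, and split_roles() plays the part of the rule that turns the joined string back into a multi-valued entitlement attribute. Table and column names are constructed.

```python
"""Flatten multi-table account data into the single-table shape a JDBC
connector aggregates, then rebuild the multi-valued entitlement list."""
import sqlite3
from typing import Dict, List

# Constructed sample schema and rows.
SCHEMA = """
CREATE TABLE app_user (user_id INTEGER PRIMARY KEY, login TEXT UNIQUE NOT NULL,
                       email TEXT, status TEXT NOT NULL);
CREATE TABLE app_role (role_id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE user_role (user_id INTEGER REFERENCES app_user(user_id),
                        role_id INTEGER REFERENCES app_role(role_id),
                        PRIMARY KEY (user_id, role_id));
INSERT INTO app_user VALUES (1,'alice','alice@example.com','ACTIVE'),
                            (2,'bob','bob@example.com','DISABLED'),
                            (3,'carol','carol@example.com','ACTIVE'),
                            (4,'dave','dave@example.com','ACTIVE');
INSERT INTO app_role VALUES (10,'viewer'),(11,'editor'),(12,'admin');
INSERT INTO user_role VALUES (1,10),(1,11),(2,10),(3,12),(3,10);
"""

# One row per account; roles collapsed into a delimited string. LEFT JOINs
# keep accounts that hold no role at all (roles comes back NULL). The '|'
# delimiter is chosen because it cannot appear in these role names.
ACCOUNT_SQL = """
SELECT u.login, u.email, u.status,
       GROUP_CONCAT(r.name, '|') AS roles
FROM app_user u
LEFT JOIN user_role ur ON ur.user_id = u.user_id
LEFT JOIN app_role r  ON r.role_id = ur.role_id
GROUP BY u.user_id
ORDER BY u.login
"""


def open_sample_db() -> sqlite3.Connection:
    """Create the constructed database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def split_roles(joined) -> List[str]:
    """Rule-side step: delimited string -> sorted list (empty when NULL).
    Sorting matters because GROUP_CONCAT gives no ordering guarantee."""
    return sorted(joined.split("|")) if joined else []


def aggregate_accounts(conn: sqlite3.Connection) -> Dict[str, dict]:
    """login -> flat account record whose 'roles' is multi-valued."""
    out: Dict[str, dict] = {}
    for login, email, status, roles in conn.execute(ACCOUNT_SQL):
        out[login] = {
            "email": email,
            "enabled": status == "ACTIVE",
            "roles": split_roles(roles),
        }
    return out


if __name__ == "__main__":
    for login, rec in aggregate_accounts(open_sample_db()).items():
        print(login, rec)
```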


In version 5.2 and above, IdentityIQ supports the following additional JDBC Connector features:

  • The ability to supply a SQL statement or stored procedure, during application setup, for automatic discovery of account-group schema attributes from the same database as the account schema or from a different one.
  • The ability to specify provisioning rules, named for each row in the data file, to provision account and group attributes.
  • The option to specify different provisioning rules for individual operations, named for each row in the data file, to provision account and group attributes. Enable, Disable, Unlock, Delete, Create, and Modify are some of the operations available.

The following functions are provided by the SailPoint IdentityIQ JDBC Connector:

  • Account Aggregation
  • Group Aggregation
  • Refresh Account
  • Create/Delete Account
  • Add/Delete Account Entitlement
  • Enable/Disable Account
  • Change Password

12. SailPoint IdentityIQ PeopleSoft Connector
The PeopleSoft Connector is responsible for the PeopleSoft server's administrative entities (User Profiles and Roles). Through component interfaces, the PeopleSoft connector connects to the PeopleSoft server.

The following functions are provided by the PeopleSoft Connector:

  • Account Aggregation
  • Account-Group Aggregation
  • Create/Update/Delete Account
  • Get/Sync Account
  • Enable/Disable Account
  • Change Password
  • Discover Schema

13. SailPoint IdentityIQ Siebel Connector
The Siebel Connector manages entities in Oracle's Siebel CRM. Employees are managed as Accounts and positions as Account Groups. For account provisioning, the Siebel Connector defaults to the Employee business component of the Employee Siebel business object; for Account Group provisioning it uses the Position business component of the Position business object. The Connector may be configured to handle other Siebel business objects/components in Account/Account Group provisioning. The Siebel Connector handles both single-valued and multi-valued attributes, and the schema shipped with the Connector can be modified to handle additional attributes.

The following features are supported by SailPoint IdentityIQ Siebel Connector:

  • Account Aggregation
  • Account-Group Aggregation
  • Create/Update/Delete Account
  • Get/Sync Account
  • Enable/Disable/Unlock Account
  • Change Password (HTTP - default, and ID file)
  • Create/Update/Delete Account-Group
  • Add/Remove Entitlement
  • Authenticate (using HTTP password only)

14. SailPoint IdentityIQ Microsoft SQL Server
Microsoft SQL Server is a relational database management system that Microsoft has developed. As a database, it is a software product whose primary purpose is to store and retrieve data as required by other software programs, whether they are running on the same device or a networked computer (including the Internet). SailPoint IdentityIQ Microsoft SQL Server Connector handles the following entities on Microsoft SQL Server: 

  • User
  • Login User
  • Database User
  • Role
  • Application Role
  • Database Role

The following features are supported by SailPoint IdentityIQ Microsoft SQL Server Connector:

  • Account/Group Aggregation
  • Create/Update/Delete/Refresh Account
  • Create/Delete Group
  • Enable/Disable Account
  • Set Password
  • Request/Remove Entitlement
  • Direct Permissions

15. SailPoint IdentityIQ Oracle Connector
Oracle Database (also known as Oracle RDBMS or simply Oracle) is an object-relational database management system (ORDBMS). The SailPoint IdentityIQ Oracle Connector is a connector for the Oracle database server that provides full user administration, including provisioning and password management. The Oracle Connector manages the following entities on the Oracle server:

  • Account
  • Role

SailPoint IdentityIQ Oracle Connector provides support for the following features: 

  • Account/Group Aggregation
  • Create/Update/Delete/Refresh Account
  • Request/Remove Entitlement
  • Enable/Disable Account
  • Set Password
  • Pass-through Authentication
  • Create/Update/Delete Group
  • Direct Permissions (target is Table)

16. SailPoint IdentityIQ Solaris Connector 
The Solaris Connector provisions accounts as users on a Solaris host and account groups as Solaris groups. The Connector can be configured to use all of the user/group attributes exposed by the Solaris commands.

The following features are provided by the Solaris Connector:

  • Account Aggregation
  • Account Group Aggregation
  • Create/Delete/Update Account
  • Enable/Disable/Unlock Account
  • Get/Sync Account
  • Change Password
  • Create/Update/Delete Account Group
  • Add/Delete Entitlement
  • Reset Password
  • Target Aggregation
  • Revoke Target Permissions
  • Password Interceptor

17. SailPoint IdentityIQ SAP Connector 
SAP Enterprise Resource Planning platform is an advanced software system that combines the organization's core business functions. The SAP Connector populates the SAP system with both users and functions, as well as provisioning users and their roles and/or profiles.


The SailPoint IdentityIQ SAP Connector was modified to support provisioning functionality to both a standalone SAP system and SAP Central User Administration (CUA) system. 


The following features are supported by SailPoint IdentityIQ SAP Connector:

  • Password Reset
  • Create Account
  • Delete Account
  • Enable/Disable Account
  • Request/Remove Entitlement (for standalone and CUA SAP systems)
  • Pass-through Authentication


Read Only Direct Connectors
Let us now discuss a few Read Only Direct Connectors.

1. SailPoint IdentityIQ Yammer Connector
The Yammer Connector is a read-only connector that retrieves account and community information from one or more Yammer networks (Enterprise Social Network).

2. SailPoint IdentityIQ ALES Connector
BEA's Aqualogic Enterprise Security Server is communicated with using this connector. The ALES Entitlement Query API is used for the integration.

3. SailPoint IdentityIQ Logical Connector
The logical connector was designed to build objects that look and function like IdentityIQ applications, but are actually built by detecting accounts from other, or tier, applications in existing identity cubes. For instance, one logical application may represent three other accounts on tier applications, an Oracle database, an LDAP authorization application, and a custom internal authentication application. When the logical application detects the three requisite accounts on a single identity, it scans identities and generates an account on the logical application. You can then use the same, representative account for certification, reporting, and tracking instead of the three different accounts from which it is made up.


4. SailPoint IdentityIQ Delimited Connector
The Delimited File connector follows a set of rules. The rules in this connector can be customised to accommodate the difficulty of the data being extracted. This connector can be set up to allow for the discovery of schema attributes automatically.

5. SailPoint IdentityIQ LDIF Connector
The LDIF connector extracts data from LDIF files. If group membership is not part of the account entries, a setting called "groupMembershipAttribute" can be used to supply it. This setting holds the name of the attribute in the group file that contains the list of the group's members. Make this attribute multi-valued and add it to the account schema. For the feature to work you must configure "groupMembershipAttribute" and provide a group file. During account iteration the connector reads the group file to build the group -> user mapping and adorns each account with its assigned groups as it is aggregated.

6. SailPoint IdentityIQ IBM Tivoli Identity Manager Connector 
The IBM Tivoli Identity Manager connector scans the directory for ALL group memberships using the groupMemberSearchDN attribute as a starting point. Since the IBM Tivoli Identity Manager does not keep track of a user's group references, this connector must always run a separate query to get a list of all the user's groups.

7. SailPoint IdentityIQ SAP HR/HCM Connector
The SAP HR/HCM connector was created to retrieve all user data from the SAP HR/HCM system.

8. SailPoint IdentityIQ Sun IDM Connector
The Sun IDM connector was created to return all of the Sun IDM user accounts and capabilities.


9. SailPoint IdentityIQ Top Secret Connector
To read the TSSCFILE export, the Top Secret connector was made.

10. SailPoint IdentityIQ UNIX Connector
The UNIX connector reads and parses the passwd and group files from UNIX servers to construct identities and groups. Because this connector is file based, it overlaps somewhat with the Delimited File connector. Depending on the application configuration, IdentityIQ performs authentication by logging in to the ftp or scp service with the supplied credentials. Consequently, the UNIX application's passwdfile attribute must point to the same password file the system uses for authentication. In a NIS environment this password file is usually /etc/passwd, but it may be different.
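The construction described above, as an added example rather than the UNIX connector's own code: a parser for passwd and group file contents that merges the two sources of membership a file-based connector has to reconcile, the primary group from the GID field of passwd and the supplementary groups from the member list in the group file, plus the one audit check such data invites. Both file contents are constructed samples.

```python
"""Build identities and their groups from passwd and group file text."""
from typing import Dict, List

# Constructed sample passwd file (fields: name:pw:uid:gid:gecos:home:shell).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1001:Bob:/home/bob:/bin/zsh
backup:x:0:0:backup operator:/var/backup:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

# Constructed sample group file (fields: name:pw:gid:member,member,...).
GROUP = """\
root:x:0:
staff:x:1001:
wheel:x:10:alice
docker:x:999:bob,alice
"""


def parse_passwd(text: str) -> Dict[str, dict]:
    """name -> {uid, gid, gecos, home, shell}; blank and comment lines skipped."""
    accounts: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":", 6)
        accounts[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                          "home": home, "shell": shell}
    return accounts


def parse_group(text: str) -> Dict[str, dict]:
    """name -> {gid, members}; members is the comma-separated fourth field."""
    groups: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid),
                        "members": [m for m in members.split(",") if m]}
    return groups


def build_identities(passwd: str, group: str) -> Dict[str, List[str]]:
    """Each account's groups: the primary group (matched by GID) plus every
    group whose member list names the account. Accounts whose GID has no
    matching group entry simply get no primary group."""
    accounts, groups = parse_passwd(passwd), parse_group(group)
    by_gid = {g["gid"]: name for name, g in groups.items()}
    result: Dict[str, List[str]] = {}
    for name, acct in accounts.items():
        mine = set()
        if acct["gid"] in by_gid:
            mine.add(by_gid[acct["gid"]])
        mine.update(g for g, attrs in groups.items() if name in attrs["members"])
        result[name] = sorted(mine)
    return result


def extra_uid0_accounts(passwd: str) -> List[str]:
    """Audit check: accounts other than root whose UID is 0 and which therefore
    hold full privilege regardless of their group membership."""
    return sorted(n for n, a in parse_passwd(passwd).items()
                  if a["uid"] == 0 and n != "root")


if __name__ == "__main__":
    for name, groups in build_identities(PASSWD, GROUP).items():
        print(f"{name:8} {groups}")
    print("extra UID 0 accounts:", extra_uid0_accounts(PASSWD))
```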

11. SailPoint IdentityIQ Mainframe Connector
This connector uses screen scraping, and each deployment must write Rules to drive login, logout, and account fetching. During the session the connector analyses the screens and acts as the user would. On certain legacy systems screen scraping is the only way to obtain the data IdentityIQ needs. Because the Rules that drive this connector are very specific to the application it runs against, each Mainframe connector requires a great deal of manual configuration.


The Mainframe connector is built on the IBM Host Access API libraries and is designed for TN3270 applications. You must have the IBM Host Access API libraries before operating this connector; these IBM libraries are available for purchase.

12. SailPoint IdentityIQ Novell Identity Manager Connector
The Novell Identity Manager connector searches the directory for ALL group memberships using the groupMemberSearchDN attribute as a starting point. Since Novell Identity Manager does not keep track of a user's group references, this connector must always run a separate query to get the list of all the user's groups.


The Novell IDM connector operates in either a multiplexing or a non-multiplexing mode. In the multiplexed mode the IDM vault is used for both aggregation and remediation. In the non-multiplexed mode aggregation occurs through the individual connectors, but account removal and disabling still occur through the vault.

13. SailPoint IdentityIQ RACF Connector
The RACF connector was built to read the RACF unload utility's file. 

14. SailPoint IdentityIQ Rule Based Logical Connector
The Rule Based Logical connector was created to generate objects that look and behave like IdentityIQ applications, but are actually built by detecting accounts from other applications in existing identity cubes. For instance, one logical program may represent three other accounts on separate databases, such as an Oracle database, an LDAP authorization application, and a custom application for internal authentication. As the logical application rule identifies the three requisite accounts on a single identity, it scans identities and generates an account on the logical application. For certification, reporting, and tracking in the product, you should use the same, representative account instead of the three different accounts from which it is made up.


Conclusion
We have now seen the various connectors available in SailPoint and the features each supports. Out-of-the-box connectors and integrations let the business onboard applications quickly and improve IT performance. Unified controls and rules help keep data secure and ensure that data-protection and compliance requirements are enforced at all times.

Manikanth
Research Analyst
As a Senior Writer for HKR Trainings, Sai Manikanth has a great understanding of today’s data-driven environment, which includes key aspects such as Business Intelligence and data management. He manages the task of creating great content in the areas of Digital Marketing, Content Management, Project Management & Methodologies, Product Lifecycle Management Tools. Connect with him on LinkedIn and Twitter.