SailPoint IdentityIQ uses connectors to read from and write to the systems it governs. Connectors are classified into groups according to how they communicate with IdentityIQ. This post covers what a SailPoint connector is, how connectors work, the read/write direct connectors, and the read-only direct connectors.
IdentityIQ connects to a target resource through a software component, the connector, that reads from and writes to that resource.
Onboarding an application in IdentityIQ ultimately means configuring the connector for it; the logic flow diagram below illustrates the sequence of steps.
For each connector/application instance, the following parameters must be specified:
The most common types of connectors are:
A governance connector provides direct, read-only access to an external application using the connection parameters defined in the application specification.
The Governance Connectors that are currently available are as follows:
Direct connectors are read/write connectors that let IdentityIQ and the external application exchange data directly in both directions. For applications that have such a connector and need both read and write, they are the most efficient and safest choice. Here is a rundown of the existing direct connectors:
Gateway connectors are direct connectors that have been rewritten to reach the external application through the Connector Manager.
Agent connectors are meant for mainframe security systems, and agents are the simplest and safest way of connecting to them. Agents, like gateway connectors, communicate with IdentityIQ through the Connector Gateway. Because agent connectors include the functions of the Connector Manager, a separate Connector Manager is not needed. The IdentityIQ agent connectors are as follows:
The target permissions feature is supported by the mainframe connectors: RACF, ACF2, and Top Secret.
IdentityIQ connectors are grouped into two types:
Let us now discuss a few Read/Write Direct Connectors.
To connect to Windows domain controllers, IdentityIQ uses the LDAP and ADSI interfaces of Active Directory. Active Directory has two forms of group membership:
An Active Directory user has exactly one primary group and can belong to any number of other groups. The other groups are recorded on the user object itself: the multi-valued memberOf attribute lists the distinguished names of the groups whose member attribute contains the user. The primary group is not listed in memberOf; the user object carries only the group's relative identifier (RID) in the primaryGroupID attribute, so the connector must run a follow-up query to determine which group that is. The Active Directory connector runs that search starting from the DN configured in primaryGroupSearchDN.
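The follow-up lookup described above, shown as an added example that is not code from the page or from SailPoint: the user's binary objectSid is decoded, the RID is replaced with primaryGroupID to form the primary group's SID, and that SID is matched against the groups found under primaryGroupSearchDN. The user entry, the SID bytes, and the group index are constructed sample data; the exact filter the real connector issues is an assumption.

```python
import struct

# Assumed value of the connector's primaryGroupSearchDN setting (constructed).
PRIMARY_GROUP_SEARCH_DN = "CN=Users,DC=example,DC=com"


def sid_bytes_to_string(raw: bytes) -> str:
    """Decode a binary objectSid (revision, sub-authority count, 48-bit authority,
    little-endian sub-authorities) into the familiar S-1-5-... text form."""
    revision, sub_count = raw[0], raw[1]
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, raw, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def domain_sid(user_sid: str) -> str:
    """Drop the user's RID (last component); what remains is the domain SID."""
    return user_sid.rsplit("-", 1)[0]


def primary_group_sid(user_sid: str, primary_group_id: int) -> str:
    """primaryGroupID is only a RID, so qualify it with the user's domain SID."""
    return "%s-%d" % (domain_sid(user_sid), primary_group_id)


def primary_group_filter(user_sid: str, primary_group_id: int) -> str:
    """LDAP filter for the follow-up query run below primaryGroupSearchDN
    (AD accepts the string SID form in filters)."""
    return "(&(objectClass=group)(objectSid=%s))" % primary_group_sid(user_sid, primary_group_id)


def resolve_group_dns(user_entry: dict, group_index: dict) -> list:
    """Union of the secondary groups (memberOf) and the primary group (by SID).
    Raises if the primary group is not under the configured search DN, which is
    the failure mode to expect when primaryGroupSearchDN is set too narrowly."""
    user_sid = sid_bytes_to_string(user_entry["objectSid"])
    pg_sid = primary_group_sid(user_sid, user_entry["primaryGroupID"])
    if pg_sid not in group_index:
        raise LookupError("primary group %s not found under %s" % (pg_sid, PRIMARY_GROUP_SEARCH_DN))
    return sorted(set(user_entry.get("memberOf", [])) | {group_index[pg_sid]})


# Constructed sample user: S-1-5-21-1004336348-1177238915-682003330-1104, primary group RID 513.
SAMPLE_SID = (b"\x01\x05" + (5).to_bytes(6, "big")
              + struct.pack("<5I", 21, 1004336348, 1177238915, 682003330, 1104))
SAMPLE_USER = {
    "sAMAccountName": "jdoe",
    "objectSid": SAMPLE_SID,
    "primaryGroupID": 513,
    "memberOf": ["CN=VPN Users,OU=Groups,DC=example,DC=com"],
}
# Constructed result of a group aggregation under PRIMARY_GROUP_SEARCH_DN: objectSid -> DN.
SAMPLE_GROUP_INDEX = {
    "S-1-5-21-1004336348-1177238915-682003330-513": "CN=Domain Users,CN=Users,DC=example,DC=com",
    "S-1-5-21-1004336348-1177238915-682003330-512": "CN=Domain Admins,CN=Users,DC=example,DC=com",
}

if __name__ == "__main__":
    print(sid_bytes_to_string(SAMPLE_SID))
    print(primary_group_filter(sid_bytes_to_string(SAMPLE_SID), SAMPLE_USER["primaryGroupID"]))
    print(resolve_group_dns(SAMPLE_USER, SAMPLE_GROUP_INDEX))
```

The point for operators is the last function: if the group aggregation or primaryGroupSearchDN does not cover the container that holds the primary group (Domain Users lives under CN=Users by default), the user's most basic membership silently goes missing from certifications unless the lookup fails loudly.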
Users, groups, and entitlements can be provisioned from IdentityIQ using the Active Directory connector. The following functions are provided by the connector:
This connector manages WebEx accounts and groups (meeting types). It supports both read and write for WebEx accounts: users and groups can be created, deleted, retrieved, authenticated, and unlocked through the WebEx connector.
This release of the connector supports the following operations:
SailPoint Google Apps connector handles Google Apps users and groups.
The following functions are provided by the connector:
This connector is built on the LDAP RFCs, so it should work with virtually every LDAP server and requires no additional configuration. The LDAP connector supports provisioning of users and entitlements as well as retrieval of LDAP account and group object classes.
The following functions are supported by the SailPoint IdentityIQ LDAP Connector:
The Box.Net Connector manages the managed users and groups of a Box enterprise. It is a read/write connector that can retrieve a network's managed users and groups, activate or inactivate managed users, and assign managed users to groups.
The SailPoint IdentityIQ Box.Net Connector supports the following capabilities:
This connector manages users, groups, and attributes in the Microsoft Office 365 online directory store. It does not manage the attributes that belong to the other products of the Office 365 suite, such as Exchange Online, SharePoint Online, and Lync Online. To carry out its operations, the Microsoft Office 365 connector runs Office 365 cmdlets for Windows PowerShell through IQService, which must be running on a Windows 7 or Windows Server 2008 R2 machine.
ServiceNow accounts and groups are managed by the ServiceNow connector. It has read and write capability for ServiceNow accounts.
SailPoint IdentityIQ ServiceNow Connector can be used to support the following features:
Microsoft SharePoint provides tools for creating websites to share information, managing documents through their lifecycle, and publishing reports to support decision-making. IdentityIQ aggregates existing SharePoint users from any SharePoint platform or site to show which SharePoint groups, sites, lists, folders, and files those users can access. The Microsoft SharePoint connector manages SharePoint users and groups in SharePoint 2007 (classic mode or Windows claims-based authentication), 2010 (Windows claims-based authentication), and 2013 (Windows claims-based authentication) environments through the SharePoint server APIs shipped with the product. Domain groups used as SharePoint users are currently not supported by the connector.
AWS Identity and Access Management (IAM) lets you manage access to AWS services and resources in your account. With IAM you can create multiple IAM users under one AWS account, or grant temporary access through identity federation with your corporate directory, and in some cases grant access across AWS accounts. Without IAM you would have to either create several AWS accounts, each with its own billing and subscriptions, or share a single account's security credentials, and you would have no control over which actions a user or system may perform or which AWS services it may use. Federation between your corporate directory and AWS lets you give existing organizational identities direct access to AWS services, such as Amazon S3 buckets, without creating separate AWS identities for them. IAM is a web service through which AWS customers manage the users and permissions of their account; see the AWS Identity and Access Management (IAM) documentation for more detail. The purpose of this connector is to read and provision IAM users, groups, and user-to-group assignments.
This release of the connector supports the following operations:
Account Aggregation (Aggregates IAM Users under the AWS Account)
NetSuite is a cloud-based Software-as-a-Service (SaaS) platform for integrated business management. ERP/accounting, order management/inventory, CRM, Professional Services Automation (PSA), and e-commerce are all available through NetSuite's cloud business management system.
In NetSuite, Enterprise Resource Planning (ERP) includes accounting, procurement, order control, project management, and workforce management, among other things.
The NetSuite connector manages employee data in the NetSuite ERP framework. It is a write-capable connector that manages the entities listed below:
This release of the connector supports the following operations:
The JDBC Connector reads and writes data in any database engine that supports JDBC. Out of the box it supports data held in a single flat table; working with data spread across multiple tables requires a rule and a more complex SQL statement (for example, a join that returns one row per account and entitlement pair, which the rule then folds into accounts).
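The flat-table case beside the multi-table case, as an added example that is not code from the page or from SailPoint's JDBC connector. SQLite stands in for the JDBC source, the three-table schema and its rows are constructed, and the folding function plays the role the page assigns to the custom rule; a single-account read is included because that is where an unbound identifier turns the connector into an injection vector.

```python
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed user/role schema standing in for a real JDBC-reachable database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE app_user (user_id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE,
                               email TEXT, status TEXT NOT NULL);
        CREATE TABLE app_role (role_id INTEGER PRIMARY KEY, role_name TEXT NOT NULL UNIQUE);
        CREATE TABLE user_role (user_id INTEGER REFERENCES app_user(user_id),
                                role_id INTEGER REFERENCES app_role(role_id));
        INSERT INTO app_user VALUES (1, 'jdoe', 'jdoe@example.com', 'active'),
                                    (2, 'asmith', 'asmith@example.com', 'disabled'),
                                    (3, 'svc_backup', NULL, 'active');
        INSERT INTO app_role VALUES (10, 'reader'), (20, 'approver'), (30, 'dba');
        INSERT INTO user_role VALUES (1, 10), (1, 20), (2, 10);
    """)
    return conn


# Flat-table style: one row per account, entitlements not visible.
FLAT_SQL = "SELECT username, email, status FROM app_user"

# Multi-table style: one row per (account, role); role_name is NULL for accounts
# with no role, so LEFT JOIN keeps them. ORDER BY makes the fold deterministic.
JOINED_SQL = """
SELECT u.username, u.email, u.status, r.role_name
FROM app_user u
LEFT JOIN user_role ur ON ur.user_id = u.user_id
LEFT JOIN app_role  r  ON r.role_id  = ur.role_id
{where}
ORDER BY u.username, r.role_name
"""


def _fold(rows) -> dict:
    """Collapse joined rows into account objects with a multi-valued 'roles' attribute."""
    accounts = {}
    for username, email, status, role in rows:
        acct = accounts.setdefault(username, {"email": email, "status": status, "roles": []})
        if role is not None:
            acct["roles"].append(role)
    return accounts


def aggregate_accounts(conn: sqlite3.Connection) -> dict:
    """Full aggregation: every account with its complete role list."""
    return _fold(conn.execute(JOINED_SQL.format(where="")))


def get_account(conn: sqlite3.Connection, username: str):
    """Single-account read. The identifier is bound as a parameter, never
    concatenated into the statement, so a hostile username cannot widen the query."""
    rows = conn.execute(JOINED_SQL.format(where="WHERE u.username = ?"), (username,))
    return _fold(rows).get(username)


if __name__ == "__main__":
    db = build_sample_db()
    print(db.execute(FLAT_SQL).fetchall())
    print(aggregate_accounts(db))
    print(get_account(db, "jdoe"))
```

Note that the flat query cannot say who holds the dba role (nobody, here) or that svc_backup has no roles at all; only the joined form surfaces both facts, which is exactly what a certification needs.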
The following functions are provided by the SailPoint IdentityIQ JDBC Connector:
The PeopleSoft Connector manages the PeopleSoft server's administrative entities (user profiles and roles). It connects to the PeopleSoft server through component interfaces.
The following functions are provided by the PeopleSoft Connector:
The Siebel Connector manages entities in Oracle's Siebel CRM. Employees are managed as accounts and positions as account groups. For account provisioning the connector defaults to the Employee business component of the Employee business object; for account group provisioning it uses the Position business component of the Position business object. The connector can be configured to handle other Siebel business objects and components for account and account group provisioning. It handles both single-valued and multi-valued attributes, and the schema shipped with the connector can be extended to handle additional attributes.
The following features are supported by SailPoint IdentityIQ Siebel Connector:
Microsoft SQL Server is a relational database management system developed by Microsoft. Its primary purpose is to store and retrieve data as requested by other software, whether running on the same machine or on another computer across a network (including the Internet). The SailPoint IdentityIQ Microsoft SQL Server Connector manages the following entities on Microsoft SQL Server:
The following features are supported by SailPoint IdentityIQ Microsoft SQL Server Connector:
Oracle Database (also known as Oracle RDBMS or simply Oracle) is an object-relational database management system (ORDBMS). The SailPoint IdentityIQ Oracle Server Connector lets you handle full user administration on an Oracle database server, including provisioning and password management. The Oracle Server Connector manages the following entities of the Oracle server:
SailPoint IdentityIQ Oracle Connector provides support for the following features:
The Solaris Connector provisions accounts as users on a Solaris host and provisions groups as Solaris groups. The connector can be configured to use all of the user and group attributes exposed by the Solaris commands.
The following features are provided by the Solaris Connector:
SAP Enterprise Resource Planning is a software platform that integrates an organization's core business functions. The SAP Connector aggregates both users and roles from the SAP system, and provisions users together with their roles and/or profiles.
The SailPoint IdentityIQ SAP Connector has been enhanced to support provisioning to both a standalone SAP system and an SAP Central User Administration (CUA) system.
The following features are supported by SailPoint IdentityIQ SAP Connector:
Let us now discuss a few Read Only Direct Connectors.
The Yammer Connector is a read-only connector that retrieves account and group information from one or more Yammer networks (Enterprise Social Network).
This connector communicates with BEA's AquaLogic Enterprise Security server. The integration uses the ALES Entitlement Query API.
The logical connector builds objects that look and behave like IdentityIQ applications but are actually derived by detecting accounts from other ("tier") applications already present in identity cubes. For instance, one logical application may represent three accounts on tier applications: an Oracle database, an LDAP authorization application, and a custom internal authentication application. The logical application scans identities, and when it detects all three requisite accounts on a single identity it generates an account on the logical application. That single representative account can then be used for certification, reporting, and tracking instead of the three accounts it is made up of.
The Delimited File connector is rule driven; its rules can be customised to accommodate however complex the data being extracted is. The connector can also be configured to discover schema attributes automatically.
The LDIF connector extracts data from LDIF files. When group membership is not part of the account entries, the groupMembershipAttribute setting supports reading it from a separate group file: the setting holds the name of the attribute in the group file that lists the group's members. Add that attribute to the account schema as a multi-valued attribute. For this to work you must configure both groupMembershipAttribute and a group file. During account iteration the connector reads the group file to build the group-to-user mapping and adorns each account with its assigned groups as the accounts are aggregated.
The IBM Tivoli Identity Manager connector searches the directory for all group memberships, starting from the DN in the groupMemberSearchDN attribute. Because IBM Tivoli Identity Manager does not store group references on the user, this connector must always run a separate query to obtain the list of a user's groups.
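The LDIF adornment step described above, as an added example that is not code from the page or from SailPoint's LDIF connector: a small LDIF reader (handling folded continuation lines and base64 `::` values), a group file whose `member` attribute plays the role of groupMembershipAttribute, and the inversion of that file into a per-account multi-valued `groups` attribute. Both LDIF documents are constructed; the attribute and function names are mine.

```python
import base64
from collections import defaultdict

# Constructed account file.
ACCOUNTS_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
mail: jdoe@example.com

dn: uid=asmith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: asmith
cn:: QWxleCBTbWl0aA==
"""

# Constructed group file. The second member of vpn-users is folded across two
# lines, and dba lists a member that has no account entry at all.
GROUPS_LDIF = """\
dn: cn=vpn-users,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: vpn-users
member: uid=jdoe,ou=people,dc=example,dc=com
member: uid=asmith,ou=people,
 dc=example,dc=com

dn: cn=dba,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: dba
member: uid=jdoe,ou=people,dc=example,dc=com
member: uid=ghost,ou=people,dc=example,dc=com
"""


def _unfold(text: str) -> list:
    """LDIF folds long values: a line starting with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> list:
    """Return a list of entries; 'dn' is a string, every other attribute a list of values."""
    entries, cur = [], {}
    for line in _unfold(text) + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            cur["dn"] = value
        else:
            cur.setdefault(name, []).append(value)
    return entries


def adorn_accounts(accounts: list, groups: list,
                   group_membership_attribute: str = "member",
                   account_attribute: str = "groups") -> list:
    """Invert the group file into member DN -> [group DN] and attach the list to each account.
    DNs are lower-cased for matching, a simplification of real DN comparison rules.
    Members with no account entry are simply never looked up."""
    by_member = defaultdict(list)
    for group in groups:
        for member_dn in group.get(group_membership_attribute, []):
            by_member[member_dn.lower()].append(group["dn"])
    for acct in accounts:
        acct[account_attribute] = sorted(by_member.get(acct["dn"].lower(), []))
    return accounts


def aggregate(accounts_ldif: str, groups_ldif: str,
              group_membership_attribute: str = "member") -> list:
    """One account iteration: parse both files and adorn accounts with their groups."""
    return adorn_accounts(parse_ldif(accounts_ldif), parse_ldif(groups_ldif),
                          group_membership_attribute)


if __name__ == "__main__":
    for account in aggregate(ACCOUNTS_LDIF, GROUPS_LDIF):
        print(account["dn"], account["groups"])
```

Getting the folded `member` value wrong is the classic silent failure here: without unfolding, asmith's membership in vpn-users would be lost and a certification would show an account with fewer entitlements than it has.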
The SAP HR/HCM connector was created to retrieve all user data from the SAP HR/HCM system.
The Sun IDM connector was created to return all of the Sun IDM user accounts and capabilities.
To read the TSSCFILE export, the Top Secret connector was made.
The UNIX connector reads and parses the passwd and group files from UNIX servers to construct identities and groups. Because it is file based, it overlaps somewhat with the Delimited File connector. For pass-through authentication, IdentityIQ logs in to the host over ftp or scp with the supplied credentials, depending on the application configuration, so the UNIX application's passwdfile attribute must point to the same password file the system uses for authentication. This is usually /etc/passwd, though it may be elsewhere, for example in a NIS environment.
This connector uses screen scraping, and each deployment must write rules that drive login, logout, and fetching of accounts. During the session the connector analyses the screens and operates as a user would. On some legacy systems screen scraping is the only way to obtain the data IdentityIQ needs. Because the rules that drive this connector are specific to the application it operates against, each mainframe connector needs a lot of manual configuration.
The Mainframe connector is built on the IBM Host Access API libraries and is designed for TN3270 applications. You must have the IBM Host Access API libraries before working with this connector; they are available for purchase from IBM.
The Novell Identity Manager connector searches the directory for all group memberships, starting from the DN in the groupMemberSearchDN attribute. Because Novell Identity Manager does not store group references on the user, this connector must always run a separate query to obtain the list of a user's groups.
The Novell IDM connector can run in multiplexing or non-multiplexing mode. In multiplexed mode the IDM vault is used for both aggregation and remediation. In non-multiplexed mode aggregation occurs through the individual connectors, while account removal and disabling still occur through the vault.
The RACF connector was built to read the RACF unload utility's file.
The Rule Based Logical connector likewise generates objects that look and behave like IdentityIQ applications but are built by detecting accounts from other applications in existing identity cubes, with a rule deciding when the accounts match. For instance, one logical application may represent three accounts on separate systems, such as an Oracle database, an LDAP authorization application, and a custom internal authentication application. The logical application scans identities, and when its rule identifies the three requisite accounts on a single identity it generates an account on the logical application. For certification, reporting, and tracking you then use that single representative account instead of the three accounts it is made up of.
This post has surveyed the connectors available in SailPoint IdentityIQ and the features each supports. Out-of-the-box connectors and integrations speed up application onboarding, and unified controls and rules help keep data secure and ensure that data protection and compliance requirements are enforced at all times.