Included below are some of the most common actions that end-users create in the SGNL CAEP Hub. The sections below are divided into Protected System Types, the most common actions therein, and details to include in fields to get moving with CAEP Hub quickly.
A special note for SGNL’s CAEP Transmitter with our Well-Known Configuration Endpoint available at the Config Service at a relative path of /metadata/v1/.well-known/ssf-configuration
– e.g. https://config.sgnlapis.cloud/metadata/v1/.well-known/ssf-configuration
Type: CAEPTransmitter-1.0.0
URL: The PUSH endpoint for the CAEP Receiver, defined in the Configuration Metadata endpoint
Authentication: This will vary greatly with the provider, commonly Bearer Authentication or OAuth2 Client Credentials
Subject: { "user" : { "format" : "email", "email" : "{{User Email Parameter}}" } }
Audience: https://targetsystem.mydomain.com
Initiating Entity: SGNL Policy
Reason Admin: {"en": "Landspeed Policy Violation: C076E82F","de": "Landspeed-Richtlinienverstoss: C076E82F"}
Reason User: {"en": "Access attempt from multiple regions.","de": "Zugriffsversuch aus mehreren Regionen."}
Subject: { "user" : { "format" : "email", "email" : "{{User Email Parameter}}" } }
Audience: https://targetsystem.mydomain.com
Credential Type: Password
Change Type: Revoke
Initiating Entity: SGNL Policy
Reason Admin: {"en": "Landspeed Policy Violation: C076E82F","de": "Landspeed-Richtlinienverstoss: C076E82F"}
Reason User: {"en": "Access attempt from multiple regions.","de": "Zugriffsversuch aus mehreren Regionen."}
Subject: { "user" : { "format" : "email", "email" : "{{User Email Parameter}}" } }
Audience: https://targetsystem.mydomain.com
Namespace: NIST-AAL
Current Level: nist-aal2
Previous Level: nist-aal2
Change Direction: increase
Initiating Entity: SGNL Policy
Subject: { "user" : { "format" : "email", "email" : "{{User Email Parameter}}" } }
Audience: https://targetsystem.mydomain.com
Claims: {{Attributes that changed}}
Initiating Entity: SGNL Policy
Reason Admin: {"en": "Attribute change identified"}
Type: AzureAD-1.0.0
URL: https://graph.microsoft.com/v1.0
Authentication: Client Credentials or Authorization Code Flow
Permissions Required: Action Dependent, but may require: User.ReadWrite.All
, GroupMember.ReadWrite.All
, User.RevokeSessions.All
, openid
, offline_access
(if token refresh is required)
Vendor Documentation: https://learn.microsoft.com/en-us/graph/api/group-post-members
User Principal Name: {$.EntraIDUser.userPrincipalName}
(or some other parameter, where EntraIDUser is the target Node Name in the relevant Trigger)
Group ID: {$.EntraIDGroup.id}
(or some other parameter, where EntraIDGroup is the target Node Name in the relevant Trigger)
Vendor Documentation: https://learn.microsoft.com/en-us/graph/api/user-update
User Principal Name: {$.EntraIDUser.userPrincipalName}
(or some other parameter, where EntraIDUser is the target Node Name in the relevant Trigger)
Vendor Documentation: https://learn.microsoft.com/en-us/graph/api/user-revokesigninsessions?view=graph-rest-1.0&tabs=http
User Principal Name: {$.EntraIDUser.userPrincipalName}
(or some other parameter, where EntraIDUser is the target Node Name in the relevant Trigger)
Type: AWS-1.0.0
Authentication: Username Password (Access Token Key ID and Secret)
Permissions Required: AWS IAM PutRolePolicy
Vendor Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html
Role Name: {{Role Name Parameter from AWS or ITSM, e.g. AWS-PowerUser-Access}}
Region: AWS Region to take action in, AWS IAM is a Global Service that is eventually consistenty, e.g. us-west-2
Conditions: AWS Condition Statement, e.g. {"DateLessThan": {"aws:TokenIssueTime": "{$.sgnl.time.now}"}}
TokenIssueTime: {{Parameter from the SGNL Graph, if appropriate, e.g. {$.SNCase.closedAt}}}
Type: Box-1.0.0
URL: https://api.box.com
Authentication: Client Credentials
Permissions Required: User Administrator Permissions
Vendor Reference: https://developer.box.com/reference/post-users-terminate-sessions/
User IDs: The User's Box User ID, e.g. 123456
User Logins: The User's Box Login Name, e.g. user@sample.com
Type: Google-1.0.0
URL: https://admin.googleapis.com
Authentication: Authorization Code Flow
Permissions Required: https://www.googleapis.com/auth/admin.directory.user.security
Vendor Reference: https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/signOut
User Key: Identifies the target user in the API request. The value can be the user's primary email address, alias email address, or unique user ID, e.g. {$.EntraIDUser.mail}
Type: Okta-1.0.0
URL: https://subdomain.okta.com (your Okta Sub-Domain)
Authentication: Client Credentials flow, via the SGNL CAEP Hub API Service Integration
Permissions Required: Automatically added as part of the SGNL CAEP Hub
API Service Integration, ensure that the scopes are included in the Action Configuration (i.e. okta.users.manage, okta.groups.manage, etc)
Vendor Reference: https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/#tag/Group/operation/assignUserToGroup
User ID: Okta User ID, e.g. 00ub0oNGTSWTBKOLGLNR
Group ID: Okta Group ID, e.g. 00g1emaKYZTWRYYRRTSK
Vendor Reference: https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/suspendUser
User ID: Okta User ID, e.g. 00ub0oNGTSWTBKOLGLNR
Vendor Reference: https://developer.okta.com/docs/reference/api/users/#clear-user-sessions
User ID: Okta User ID, e.g. 00ub0oNGTSWTBKOLGLNR
Vendor Reference: https://developer.okta.com/docs/api/openapi/okta-management/management/tag/SSFSecurityEventToken
Subject: { "user" : { "format" : "email", "email" : "{{User Email Parameter}}" } }
Audience: https://{yourOktaDomain}
Initiating Entity: SGNL Policy
Previous Level: low
Current Level: high
Reason Admin: {"en": "Landspeed Policy Violation: C076E82F","de": "Landspeed-Richtlinienverstoss: C076E82F"}
Reason User: {"en": "Access attempt from multiple regions.","de": "Zugriffsversuch aus mehreren Regionen."}
Address Override: https://{yourOktaDomain}/security/api/v1/security-events
Type: Sailpoint-1.0.0
URL: https://{{yourSailpointDomain}}.api.identitynow.com
Authentication: Client Credentials
Permissions Required: idn:accounts-state:manage
Vendor Reference: https://developer.sailpoint.com/docs/api/v3/disable-account/
Account ID: ID of target Sailpoint Account
Vendor Reference: https://developer.sailpoint.com/docs/api/v3/create-access-request/
Identity ID: ID of target Sailpoint Identity
Item Type: One of: ACCESS_PROFILE, ROLE, or ENTITLEMENT
Item ID: The Sailpoint ID for the type specified above
Item Comment: Optional Comment
Item Remove Date: Optional time the access will be removed, suited for paramterization from an approved change request, or similar
Type: Salesforce-1.0.0
URL: https://{{YourSalesforceDomain}}.my.salesforce.com
Authentication: Client Credentials
Permissions Required: User Administration Permissions
Vendor Reference: https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_permissionset.htm
Username: Salesforce Username, e.g. user@example.com
Permission Set ID: Salesforce Permission Set ID, e.g. 0PS30000000000e
Vendor Reference: https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_authsession.htm
Username: Salesforce Username, e.g. user@example.com
Type: Slack-1.0.0
Authentication: Authorization Code Flow
Permissions Required: admin.users:write
Vendor Reference: https://api.slack.com/methods/admin.users.session.reset
User Email: Slack Email Address, e.g. user@example.com
Vendor Reference: https://api.slack.com/messaging/sending#publishing
Text: The Text you want to send, well suited to include a parameter, e.g. "User {$.EntraIDUser.userPrincipalName} has had their session revoked at {$.sgnl.time.now}
Channel: The Channel ID to send to
Type: Snowflake-1.0.0
URL: https://account_identifier.snowflakecomputing.com/
Authentication: Authorization Code Flow
Permissions Required: User Administrator
Vendor Reference: https://docs.snowflake.com/en/developer-guide/sql-api/reference
Username: The Snowflake User's Username, e.g. exampleuser
Type: All Types
URL: Any URL
Authentication: Any Authentication
Method: One of POST, PUT, PATCH, DELETE, GET
Body: Whatever is needed in the target system, this could be plain text, JSON, Parameters, or a mix of all three
Request Headers: Headers you may need to add to the Request, these are formatted as a collection of JSON Objects {"Content-Type":"application/json","User-Agent":"sgnl-caep-hub/1.8.0"}
Address: The Address to send the request to, particularly useful if you need to override the Protected System Address, or if you wish to add Parameters to the address, e.g. https://myservice.myorg.com/users/{$.EntraIDUser.userPrincipalName}/properties/