Included below are some of the most common actions that end-users create in the SGNL CAEP Hub. The sections below are divided into Protected System Types, the most common actions therein, and details to include in fields to get moving with CAEP Hub quickly.
A special note for SGNL's CAEP Transmitter: its Well-Known Configuration Endpoint is served by the Config Service at the relative path /metadata/v1/.well-known/ssf-configuration
– e.g. https://config.sgnlapis.cloud/metadata/v1/.well-known/ssf-configuration
Type: CAEPTransmitter-1.0.0
URL: The PUSH endpoint for the CAEP Receiver, defined in the Configuration Metadata endpoint
Authentication: This will vary greatly with the provider, commonly Bearer Authentication or OAuth2 Client Credentials
Subject: { "user" : { "format" : "email", "email" : "{{User Email Parameter}}" } }
Audience: https://targetsystem.mydomain.com
Initiating Entity: SGNL Policy
Reason Admin: {"en": "Landspeed Policy Violation: C076E82F","de": "Landspeed-Richtlinienverstoss: C076E82F"}
Reason User: {"en": "Access attempt from multiple regions.","de": "Zugriffsversuch aus mehreren Regionen."}
Subject: { "user" : { "format" : "email", "email" : "{{User Email Parameter}}" } }
Audience: https://targetsystem.mydomain.com
Credential Type: Password
Change Type: Revoke
Initiating Entity: SGNL Policy
Reason Admin: {"en": "Landspeed Policy Violation: C076E82F","de": "Landspeed-Richtlinienverstoss: C076E82F"}
Reason User: {"en": "Access attempt from multiple regions.","de": "Zugriffsversuch aus mehreren Regionen."}
Subject: { "user" : { "format" : "email", "email" : "{{User Email Parameter}}" } }
Audience: https://targetsystem.mydomain.com
Namespace: NIST-AAL
Current Level: nist-aal2
Previous Level: nist-aal2
Change Direction: increase
Initiating Entity: SGNL Policy
Subject: { "user" : { "format" : "email", "email" : "{{User Email Parameter}}" } }
Audience: https://targetsystem.mydomain.com
Claims: {{Attributes that changed}}
Initiating Entity: SGNL Policy
Reason Admin: {"en": "Attribute change identified"}
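As an added example (not SGNL's code), this shows how the Subject, Audience, Initiating Entity and Reason fields above map onto the claims of a CAEP Security Event Token, together with the checks a receiver should apply before acting on one. The issuer URL, the CAEP event-type URIs and the use of `policy` as the initiating_entity value are assumptions taken from the CAEP specification; JWT signing and signature verification are left out.

```python
import time
import uuid

CAEP = "https://schemas.openid.net/secevent/caep/event-type/"
KNOWN_EVENTS = ("session-revoked", "credential-change",
                "assurance-level-change", "token-claims-change")


def build_set(issuer, audience, subject, event_type, fields, now=None):
    """Return the claims of a CAEP Security Event Token (SET) ready for signing.
    `subject` is the CAEP Hub Subject value ({"user": {"format": "email", ...}});
    `fields` carries the event-specific members listed above."""
    if event_type not in KNOWN_EVENTS:
        raise ValueError(f"unknown CAEP event type: {event_type}")
    now = int(time.time() if now is None else now)
    return {
        "iss": issuer,
        "jti": uuid.uuid4().hex,
        "iat": now,
        "aud": audience,
        "sub_id": subject,
        "events": {CAEP + event_type: {"event_timestamp": now, **fields}},
    }


def validate_set(claims, expected_audience, max_age=300, now=None):
    """Receiver-side checks to run after JWT signature verification (the
    transmitter's JWKS is advertised by its /.well-known/ssf-configuration):
    audience, freshness, exactly one known event, and an email subject.
    Returns (event_type, event_body) or raises ValueError."""
    now = int(time.time() if now is None else now)
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not (now - max_age <= int(claims.get("iat", 0)) <= now + 60):
        raise ValueError("token too old or issued in the future")
    events = claims.get("events") or {}
    if len(events) != 1:
        raise ValueError("expected exactly one event")
    (uri, body), = events.items()
    if not uri.startswith(CAEP) or uri[len(CAEP):] not in KNOWN_EVENTS:
        raise ValueError(f"unsupported event: {uri}")
    sub = claims.get("sub_id") or {}
    sub = sub.get("user", sub)  # accept the complex {"user": {...}} form too
    if sub.get("format") != "email" or not sub.get("email"):
        raise ValueError("subject must be an email identifier")
    return uri[len(CAEP):], body
```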
Type: AzureAD-1.0.0
URL: https://graph.microsoft.com/v1.0
Authentication: Client Credentials or Authorization Code Flow
Permissions Required: Action dependent, but may require: User.ReadWrite.All, GroupMember.ReadWrite.All, User.RevokeSessions.All, openid, offline_access (if token refresh is required)
Vendor Documentation: https://learn.microsoft.com/en-us/graph/api/group-post-members
User Principal Name: {$.EntraIDUser.userPrincipalName} (or some other parameter, where EntraIDUser is the target Node Name in the relevant Trigger)
Group ID: {$.EntraIDGroup.id} (or some other parameter, where EntraIDGroup is the target Node Name in the relevant Trigger)
Vendor Documentation: https://learn.microsoft.com/en-us/graph/api/user-update
User Principal Name: {$.EntraIDUser.userPrincipalName} (or some other parameter, where EntraIDUser is the target Node Name in the relevant Trigger)
Vendor Documentation: https://learn.microsoft.com/en-us/graph/api/user-revokesigninsessions?view=graph-rest-1.0&tabs=http
User Principal Name: {$.EntraIDUser.userPrincipalName} (or some other parameter, where EntraIDUser is the target Node Name in the relevant Trigger)
Type: AWS-1.0.0
Authentication: Username/Password (AWS Access Key ID and Secret Access Key)
Permissions Required: AWS IAM PutRolePolicy
Vendor Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html
Role Name: {{Role Name Parameter from AWS or ITSM, e.g. AWS-PowerUser-Access}}
Region: AWS Region to take action in, e.g. us-west-2. Note that AWS IAM is a global service that is eventually consistent, so the policy change may take a short time to be enforced everywhere.
Conditions: AWS Condition Statement, e.g. {"DateLessThan": {"aws:TokenIssueTime": "{$.sgnl.time.now}"}}
TokenIssueTime: {{Parameter from the SGNL Graph, if appropriate, e.g. {$.SNCase.closedAt}}}
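As an added example (not SGNL's or AWS's code), this builds the Deny policy document that the Conditions and TokenIssueTime fields above describe, i.e. the document passed to IAM PutRolePolicy for the Role Name, and evaluates the DateLessThan condition locally so the cutoff can be checked before it is pushed. The policy name is an assumption.

```python
import json
from datetime import datetime, timezone

# Name of the inline policy attached to the role (assumed; any name works).
POLICY_NAME = "AWSRevokeOlderSessions"


def revoke_sessions_policy(cutoff):
    """Build the Deny policy that invalidates every credential for the role
    that was issued before `cutoff` (a timezone-aware datetime). This is the
    document to pass as PolicyDocument to IAM PutRolePolicy."""
    if cutoff.tzinfo is None:
        raise ValueError("cutoff must be timezone-aware")
    issue_time = cutoff.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": ["*"],
            "Resource": ["*"],
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": issue_time}},
        }],
    }


def session_is_denied(policy, token_issue_time):
    """Evaluate the DateLessThan condition for a session whose temporary
    credentials were issued at `token_issue_time`. Because IAM is eventually
    consistent, this local check is the quickest way to confirm which
    sessions the cutoff will (eventually) invalidate."""
    cond = policy["Statement"][0]["Condition"]["DateLessThan"]["aws:TokenIssueTime"]
    cutoff = datetime.strptime(cond, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return token_issue_time.astimezone(timezone.utc) < cutoff


if __name__ == "__main__":
    # Revoke everything issued before now, as the {$.sgnl.time.now} parameter would.
    print(json.dumps(revoke_sessions_policy(datetime.now(timezone.utc)), indent=2))
```

Credentials issued exactly at or after the cutoff remain valid, so a case's closedAt timestamp only invalidates sessions that were started before the case closed.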
Type: Box-1.0.0
URL: https://api.box.com
Authentication: Client Credentials
Permissions Required: User Administrator Permissions
Vendor Reference: https://developer.box.com/reference/post-users-terminate-sessions/
User IDs: The User's Box User ID, e.g. 123456
User Logins: The User's Box Login Name, e.g. user@sample.com
Type: Google-1.0.0
Authentication: Authorization Code Flow
Note: There are two methods to manage sessions within GCP, depending on your federation configuration. SGNL recommends the use of the new Workforce Identity Federation capabilities within GCP in order to grant short-lived access to Google Cloud Platform resources. If you are using Google Workspace or Cloud Identity accounts to sign in to Google, the Google Account Session Revocation is the best method to revoke Google sessions.
Vendor Reference: https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/signOut
Permissions Required: https://www.googleapis.com/auth/admin.directory.user.security
Token URL: https://oauth2.googleapis.com/token
Auth URL: https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&prompt=consent Note: In order for GCP to issue Refresh Tokens, the access_type=offline parameter is required.
User Key: Identifies the target user in the API request. The value can be the user's primary email address, alias email address, or unique user ID, e.g. {$.EntraIDUser.mail}
Address (Override): https://admin.googleapis.com
Vendor Reference: https://cloud.google.com/iam/docs/workforce-delete-user-data
Permissions Required (Scope): https://www.googleapis.com/auth/iam
Token URL: https://oauth2.googleapis.com/token
Auth URL: https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&prompt=consent Note: In order for GCP to issue Refresh Tokens, the access_type=offline parameter is required.
Subject ID: Identifies the target Workforce Identity Federation user. When federating to GCP, SGNL recommends making this a single-use identifier that represents the user session rather than the user directly; e.g. {$.EntraIDUser.mail}.{$.ServiceNowCase.number} creates a unique subject identifier for the user performing work in GCP for the purposes of a case.
Workforce Pool ID: Identifies the target Workforce Identity Federation Pool to remove the user from
Address (Override): https://iam.googleapis.com
Note: There are times where you might want to restore the user’s GCP Session, in the event that business context changes (e.g. a ServiceNow Case is re-opened requiring user access). In these circumstances, one can use the Undelete operation to restore the user’s session. Sessions cannot be restored simply by re-signing in with the same ephemeral identifier.
Vendor Reference: https://cloud.google.com/iam/docs/reference/rest/v1/locations.workforcePools.subjects/undelete
Permissions Required (Scope): https://www.googleapis.com/auth/iam
Token URL: https://oauth2.googleapis.com/token
Auth URL: https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&prompt=consent Note: In order for GCP to issue Refresh Tokens, the access_type=offline parameter is required.
Subject ID: Identifies the target Workforce Identity Federation user. When federating to GCP, SGNL recommends making this a single-use identifier that represents the user session rather than the user directly; e.g. {$.EntraIDUser.mail}.{$.ServiceNowCase.number} creates a unique subject identifier for the user performing work in GCP for the purposes of a case.
Workforce Pool ID: Identifies the target Workforce Identity Federation Pool to restore the user to
Address (Override): https://iam.googleapis.com
Type: Okta-1.0.0
URL: https://subdomain.okta.com (your Okta Sub-Domain)
Authentication: Client Credentials flow, via the SGNL CAEP Hub API Service Integration
Permissions Required: Automatically added as part of the SGNL CAEP Hub API Service Integration; ensure that the required scopes are included in the Action Configuration (e.g. okta.users.manage, okta.groups.manage, etc.)
Vendor Reference: https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/#tag/Group/operation/assignUserToGroup
User ID: Okta User ID, e.g. 00ub0oNGTSWTBKOLGLNR
Group ID: Okta Group ID, e.g. 00g1emaKYZTWRYYRRTSK
Vendor Reference: https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/suspendUser
User ID: Okta User ID, e.g. 00ub0oNGTSWTBKOLGLNR
Vendor Reference: https://developer.okta.com/docs/reference/api/users/#clear-user-sessions
User ID: Okta User ID, e.g. 00ub0oNGTSWTBKOLGLNR
Vendor Reference: https://developer.okta.com/docs/api/openapi/okta-management/management/tag/SSFSecurityEventToken
Subject: { "user" : { "format" : "email", "email" : "{{User Email Parameter}}" } }
Audience: https://{yourOktaDomain}
Initiating Entity: SGNL Policy
Previous Level: low
Current Level: high
Reason Admin: {"en": "Landspeed Policy Violation: C076E82F","de": "Landspeed-Richtlinienverstoss: C076E82F"}
Reason User: {"en": "Access attempt from multiple regions.","de": "Zugriffsversuch aus mehreren Regionen."}
Address Override: https://{yourOktaDomain}/security/api/v1/security-events
Type: Sailpoint-1.0.0
URL: https://{{yourSailpointDomain}}.api.identitynow.com
Authentication: Client Credentials
Permissions Required: idn:accounts-state:manage
Vendor Reference: https://developer.sailpoint.com/docs/api/v3/disable-account/
Account ID: ID of target Sailpoint Account
Vendor Reference: https://developer.sailpoint.com/docs/api/v3/create-access-request/
Identity ID: ID of target Sailpoint Identity
Item Type: One of: ACCESS_PROFILE, ROLE, or ENTITLEMENT
Item ID: The Sailpoint ID for the type specified above
Item Comment: Optional Comment
Item Remove Date: Optional time at which the access will be removed, well suited to parameterization from an approved change request or similar
Type: Salesforce-1.0.0
URL: https://{{YourSalesforceDomain}}.my.salesforce.com
Authentication: Client Credentials
Permissions Required: User Administration Permissions
Vendor Reference: https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_permissionset.htm
Username: Salesforce Username, e.g. user@example.com
Permission Set ID: Salesforce Permission Set ID, e.g. 0PS30000000000e
Vendor Reference: https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_authsession.htm
Username: Salesforce Username, e.g. user@example.com
Type: Slack-1.0.0
Authentication: Authorization Code Flow
Permissions Required: admin.users:write
Vendor Reference: https://api.slack.com/methods/admin.users.session.reset
User Email: Slack Email Address, e.g. user@example.com
Vendor Reference: https://api.slack.com/messaging/sending#publishing
Text: The text you want to send, well suited to including a parameter, e.g. "User {$.EntraIDUser.userPrincipalName} has had their session revoked at {$.sgnl.time.now}"
Channel: The Channel ID to send to
Type: Snowflake-1.0.0
URL: https://account_identifier.snowflakecomputing.com/
Authentication: Authorization Code Flow
Permissions Required: User Administrator
Vendor Reference: https://docs.snowflake.com/en/developer-guide/sql-api/reference
Username: The Snowflake User's Username, e.g. exampleuser
Type: All Types
URL: Any URL
Authentication: Any Authentication
Method: One of POST, PUT, PATCH, DELETE, GET
Body: Whatever is needed in the target system; this could be plain text, JSON, parameters, or a mix of all three
Request Headers: Headers you may need to add to the request, formatted as a single JSON object of header names and values, e.g. {"Content-Type":"application/json","User-Agent":"sgnl-caep-hub/1.8.0"}
Address: The Address to send the request to, particularly useful if you need to override the Protected System Address, or if you wish to add Parameters to the address, e.g. https://myservice.myorg.com/users/{$.EntraIDUser.userPrincipalName}/properties/
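As an added example (not SGNL's code), this resolves the {$.Node.attribute} parameters used throughout this page, such as the Slack Text and the HTTP Address above, from the Trigger's node data. How SGNL's own engine resolves parameters is an assumption here; the point it demonstrates is that an unresolved parameter should fail the action rather than send a literal placeholder, and that a value substituted into a URL path must be percent-encoded.

```python
import re
from datetime import datetime, timezone
from urllib.parse import quote

# Matches the {$.Node.attribute} parameter syntax used on this page.
PARAM = re.compile(r"\{\$\.([A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)*)\}")


def make_context(trigger_nodes, now=None):
    """Combine the Trigger's node data (e.g. {"EntraIDUser": {...}}) with the
    built-in sgnl.time.now value, formatted here as ISO 8601 UTC (assumed)."""
    now = now or datetime.now(timezone.utc)
    ctx = dict(trigger_nodes)
    ctx["sgnl"] = {"time": {"now": now.strftime("%Y-%m-%dT%H:%M:%SZ")}}
    return ctx


def lookup(context, path):
    """Walk the dotted `path` through nested dicts; None if any step is missing."""
    node = context
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def render(template, context, url_safe=False):
    """Substitute every {$.path} in `template` from `context`.
    Raises KeyError on an unresolved parameter instead of emitting the
    placeholder; with url_safe=True, values are percent-encoded so a UPN
    containing '/' or '@' cannot change the request path."""
    def sub(match):
        path = match.group(1)
        value = lookup(context, path)
        if value is None:
            raise KeyError(f"unresolved parameter {{$.{path}}}")
        value = str(value)
        return quote(value, safe="") if url_safe else value
    return PARAM.sub(sub, template)
```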