Actions Quickstart

Included below are some of the most common actions that end-users create in the SGNL CAEP Hub. The sections below are divided into Protected System Types, the most common actions therein, and details to include in fields to get moving with CAEP Hub quickly.

Generic CAEP Transmitter

Type: CAEPTransmitter-1.0.0

URL: The PUSH endpoint for the CAEP Receiver, defined in the Configuration Metadata endpoint

Authentication: This will vary greatly with the provider, commonly Bearer Authentication or OAuth2 Client Credentials

Session Revoked Event

Subject: { "user" : { "format" : "email", "email" : "{{User Email Parameter}}" } }

Audience: https://targetsystem.mydomain.com

Initiating Entity: SGNL Policy

Reason Admin: {"en": "Landspeed Policy Violation: C076E82F","de": "Landspeed-Richtlinienverstoss: C076E82F"}

Reason User: {"en": "Access attempt from multiple regions.","de": "Zugriffsversuch aus mehreren Regionen."}

Credential Change Event

Subject: { "user" : { "format" : "email", "email" : "{{User Email Parameter}}" } }

Audience: https://targetsystem.mydomain.com

Credential Type: Password

Change Type: Revoke

Initiating Entity: SGNL Policy

Reason Admin: {"en": "Landspeed Policy Violation: C076E82F","de": "Landspeed-Richtlinienverstoss: C076E82F"}

Reason User: {"en": "Access attempt from multiple regions.","de": "Zugriffsversuch aus mehreren Regionen."}

Assurance Level Change Event

Subject: { "user" : { "format" : "email", "email" : "{{User Email Parameter}}" } }

Audience: https://targetsystem.mydomain.com

Namespace: NIST-AAL

Current Level: nist-aal2

Previous Level: nist-aal2

Change Direction: increase

Initiating Entity: SGNL Policy

Token Claims Change Event

Subject: { "user" : { "format" : "email", "email" : "{{User Email Parameter}}" } }

Audience: https://targetsystem.mydomain.com

Claims: {{Attributes that changed}}

Initiating Entity: SGNL Policy

Reason Admin: {"en": "Attribute change identified"}

Entra ID

Type: AzureAD-1.0.0

URL: https://graph.microsoft.com/v1.0

Authentication: Client Credentials or Authorization Code Flow

Permissions Required: Action Dependent, but may require: User.ReadWrite.All, GroupMember.ReadWrite.All, User.RevokeSessions.All

Add/Remove User to/from Group

Vendor Documentation: https://learn.microsoft.com/en-us/graph/api/group-post-members

User Principal Name: {$.EntraIDUser.userPrincipalName} (or some other parameter, where EntraIDUser is the target Node Name in the relevant Trigger)

Group ID: {$.EntraIDGroup.id} (or some other parameter, where EntraIDGroup is the target Node Name in the relevant Trigger)

Enable/Disable User

Vendor Documentation: https://learn.microsoft.com/en-us/graph/api/user-update

User Principal Name: {$.EntraIDUser.userPrincipalName} (or some other parameter, where EntraIDUser is the target Node Name in the relevant Trigger)

Revoke User Sessions

Vendor Documentation: https://learn.microsoft.com/en-us/graph/api/user-revokesigninsessions?view=graph-rest-1.0&tabs=http

User Principal Name: {$.EntraIDUser.userPrincipalName} (or some other parameter, where EntraIDUser is the target Node Name in the relevant Trigger)

AWS

Type: AWS-1.0.0

URL: https://aws.amazon.com

Authentication: Username Password (Access Token Key ID and Secret)

Permissions Required: AWS IAM PutRolePolicy

Revoke Role Session

Vendor Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html

Role Name: {{Role Name Parameter from AWS or ITSM, e.g. AWS-PowerUser-Access}}

Region: AWS Region to take action in, AWS IAM is a Global Service that is eventually consistenty, e.g. us-west-2

Conditions: AWS Condition Statement, e.g. {"DateLessThan": {"aws:TokenIssueTime": "{$.sgnl.time.now}"}}

TokenIssueTime: {{Parameter from the SGNL Graph, if appropriate, e.g. {$.SNCase.closedAt}}}

Box

Type: Box-1.0.0

URL: https://api.box.com

Authentication: Client Credentials

Permissions Required: User Administrator Permissions

Session Revocation

Vendor Reference: https://developer.box.com/reference/post-users-terminate-sessions/

User IDs: The User's Box User ID, e.g. 123456

User Logins: The User's Box Login Name, e.g. user@sample.com

Google

Type: Google-1.0.0

URL: https://admin.googleapis.com

Authentication: Authorization Code Flow

Permissions Required: https://www.googleapis.com/auth/admin.directory.user.security

Session Revocation

Vendor Reference: https://developers.google.com/admin-sdk/directory/reference/rest/v1/users/signOut

User Key: Identifies the target user in the API request. The value can be the user's primary email address, alias email address, or unique user ID, e.g. {$.EntraIDUser.mail}

Okta

Type: Okta-1.0.0

URL: https://subdomain.okta.com (your Okta Sub-Domain)

Authentication: Client Credentials flow, via the SGNL CAEP Hub API Service Integration

Permissions Required: Automatically added as part of the SGNL CAEP Hub API Service Integration, ensure that the scopes are included in the Action Configuration (i.e. okta.users.manage, okta.groups.manage, etc)

Add/Remove from Group

Vendor Reference: https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Group/#tag/Group/operation/assignUserToGroup

User ID: Okta User ID, e.g. 00ub0oNGTSWTBKOLGLNR

Group ID: Okta Group ID, e.g. 00g1emaKYZTWRYYRRTSK

Suspend/Unsuspend User

Vendor Reference: https://developer.okta.com/docs/api/openapi/okta-management/management/tag/UserLifecycle/#tag/UserLifecycle/operation/suspendUser

User ID: Okta User ID, e.g. 00ub0oNGTSWTBKOLGLNR

Revoke Sessions

Vendor Reference: https://developer.okta.com/docs/reference/api/users/#clear-user-sessions

User ID: Okta User ID, e.g. 00ub0oNGTSWTBKOLGLNR

User/Device Risk Change

Vendor Reference: https://developer.okta.com/docs/api/openapi/okta-management/management/tag/SSFSecurityEventToken

Subject: { "user" : { "format" : "email", "email" : "{{User Email Parameter}}" } }

Audience: https://{yourOktaDomain}

Initiating Entity: SGNL Policy

Previous Level: low

Current Level: high

Reason Admin: {"en": "Landspeed Policy Violation: C076E82F","de": "Landspeed-Richtlinienverstoss: C076E82F"}

Reason User: {"en": "Access attempt from multiple regions.","de": "Zugriffsversuch aus mehreren Regionen."}

Address Override: https://{yourOktaDomain}/security/api/v1/security-events

Sailpoint IdentityNow

Type: Sailpoint-1.0.0

URL: https://{{yourSailpointDomain}}.api.identitynow.com

Authentication: Client Credentials

Permissions Required: idn:accounts-state:manage

Enable/Disable Account

Vendor Reference: https://developer.sailpoint.com/docs/api/v3/disable-account/

Account ID: ID of target Sailpoint Account

Grant/Revoke Account Access

Vendor Reference: https://developer.sailpoint.com/docs/api/v3/create-access-request/

Identity ID: ID of target Sailpoint Identity

Item Type: One of: ACCESS_PROFILE, ROLE, or ENTITLEMENT

Item ID: The Sailpoint ID for the type specified above

Item Comment: Optional Comment

Item Remove Date: Optional time the access will be removed, suited for paramterization from an approved change request, or similar

Salesforce

Type: Salesforce-1.0.0

URL: https://{{YourSalesforceDomain}}.my.salesforce.com

Authentication: Client Credentials

Permissions Required: User Administration Permissions

Add/Remove Permission Set

Vendor Reference: https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_permissionset.htm

Username: Salesforce Username, e.g. user@example.com

Permission Set ID: Salesforce Permission Set ID, e.g. 0PS30000000000e

Revoke Sessions

Vendor Reference: https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_authsession.htm

Username: Salesforce Username, e.g. user@example.com

Slack

Type: Slack-1.0.0

URL: https://api.slack.com

Authentication: Authorization Code Flow

Permissions Required: admin.users:write

Revoke Sessions

Vendor Reference: https://api.slack.com/methods/admin.users.session.reset

User Email: Slack Email Address, e.g. user@example.com

Send Message

Vendor Reference: https://api.slack.com/messaging/sending#publishing

Text: The Text you want to send, well suited to include a parameter, e.g. "User {$.EntraIDUser.userPrincipalName} has had their session revoked at {$.sgnl.time.now}

Channel: The Channel ID to send to

Snowflake

Type: Snowflake-1.0.0

URL: https://account_identifier.snowflakecomputing.com/

Authentication: Authorization Code Flow

Permissions Required: User Administrator

Revoke Sessions

Vendor Reference: https://docs.snowflake.com/en/developer-guide/sql-api/reference

Username: The Snowflake User's Username, e.g. exampleuser

Generic Webhook

Type: All Types

URL: Any URL

Authentication: Any Authentication

Generic Webhook

Method: One of POST, PUT, PATCH, DELETE, GET

Body: Whatever is needed in the target system, this could be plain text, JSON, Parameters, or a mix of all three

Request Headers: Headers you may need to add to the Request, these are formatted as a collection of JSON Objects {"Content-Type":"application/json","User-Agent":"sgnl-caep-hub/1.8.0"}

Address: The Address to send the request to, particularly useful if you need to override the Protected System Address, or if you wish to add Parameters to the address, e.g. https://myservice.myorg.com/users/{$.EntraIDUser.userPrincipalName}/properties/