Creating and Configuring a Sailpoint IdentityNow System of Record
Prerequisites
- Sailpoint Account with permissions to create API Keys in Sailpoint and assign Scopes
- SGNL User Account with at least Protected System Admin and Log Reader (or Global Reader) privileges to your SGNL Client
Configuring Sailpoint IdentityNow
Using OAuth2 with Client Credentials Flow
Note: This flow is suitable for those objects in Sailpoint that do not require admin or user context; Accounts and Entitlements (and the relationship between them) can be synchronized with this flow. If you require objects whose API calls need admin or user context, see below for instructions on using a Personal Access Token (PAT).
- Login to your Sailpoint instance as a user with the Admin role
- Through the Admin panel, go to Global -> Security Settings -> API Management as shown below:
- Click on +New, which opens up the New API Client modal
- Add a Description, select Client Credentials, then search for and enable the following Scopes and click Save: idn:identity-account:read, idn:entitlement:read, idn:accounts:read
- Copy the Client ID and Client Secret and store them in a secure place
Using OAuth2 with a Personal Access Token (PAT) and Client Credentials Flow
This flow is suitable for synchronizing objects in Sailpoint that may require admin or user context and therefore cannot be synchronized via the method above. Objects such as Identities require this context.
- Login to your Sailpoint instance as a user with the Admin role
- Select your user Id in the top right hand corner of the Sailpoint Console, and select Preferences
- From the left side, select Personal Access Tokens and then select New Token
- Grant the token the Scopes you require to synchronize; to collect all objects in the SGNL template, select: idn:identity:read, idn:identity-self:read, idn:identity-account:read, idn:entitlement:read, idn:accounts:read
- Create the Token, and save the Client Id and Client Secret in a secure place
Configuring SGNL
- Login to the SGNL Console
- From the left menu, select Systems of Record
- Click “Add System of Record” or “Add”.
- The SGNL SoR Catalog will show up on the screen
- Click on “Sailpoint IdentityNow”, which will open up the New System of Record screen with some configuration options pre-populated from the Sailpoint IdentityNow SoR template.
- Enter the URL of your Sailpoint instance. This is the URL you use to log in to your Sailpoint instance
- Choose the correct adapter that matches the Sailpoint System of Record Type
- Select OAuth2 Client Credentials as the Authentication Method and enter the Client ID and Secret copied in the previous section
- Update the Token URL for your Sailpoint instance - replace the scaffolding in curly braces with the URL you use to log in to your Sailpoint instance
- Click Continue to save your Sailpoint IdentityNow SoR. You will be taken to the Sailpoint IdentityNow System of Record page.
- All entities and relationships are created as defined in the Sailpoint IdentityNow template. If applicable, you can edit an entity and modify any properties of the entity or the associated attributes. Hover over the entity on the screen above to see the Edit button as shown above.
- You can check the relationships created through the Relationships tab. However, relationships cannot be modified. You will need to delete an existing one, and create a new relationship.
- (If applicable) You can also create relationships joining entities and attributes in Sailpoint IdentityNow to entities and attributes in other Systems of Record configured in SGNL. For more information on relationships, please refer to our Relationships page.
- Note that synchronization is disabled by default when a new System of Record is created. You can choose to enable synchronization on Entities individually. Hover over the entity to see the Enable Sync button, and click on it.
- Repeat for all Entities you want to synchronize to SGNL. Finally, Enable synchronization for the System of Record.
- Go to SGNL Ingestion Logs to confirm that ingestion has started. Wait a few seconds for ingestion to complete.
- After some time, SGNL should complete ingesting the data from your Sailpoint IdentityNow instance into the SGNL graph. The number of objects ingested per entity is displayed on the Sailpoint IdentityNow screen. You should then be able to construct policies based on your Sailpoint IdentityNow data and make access evaluation calls to SGNL.
- Once ingestion is complete and Sailpoint IdentityNow data is in the SGNL graph, you can use Data Lens to explore the SGNL graph.
Synchronization Filters
In most cases, you will want to reduce the data coming from Sailpoint IdentityNow to only the entities, attributes, and objects that you need to successfully evaluate your policies or take action within SGNL. Given that, it’s likely that you will want to make use of filters to reduce that data.
As with other SoRs, you can apply the native filtering syntax from the SoR, in this case Sailpoint, to the Adapter Config for the System. Filters are configured per Entity and are passed directly to the System of Record at Synchronization time to be evaluated and have only the right data made available to SGNL.
SGNL uses Sailpoint IdentityNow’s existing filtering syntax, supported on each of their entities (e.g. Identities, Accounts), and this filtering can be used directly within the SGNL Adapter Config.
Sample Adapter Config
{
  "apiVersion": "v3",
  "entityConfig": {
    "accounts": {
      "uniqueIDAttribute": "id",
      "filter": "identityId eq \"1700926aca594aa2861d9dbd24ca64b9\""
    },
    "entitlements": {
      "uniqueIDAttribute": "id",
      "apiVersion": "beta"
    },
    "accountEntitlements": {
      "uniqueIDAttribute": "id",
      "apiVersion": "beta"
    },
    "identities": {
      "uniqueIDAttribute": "id",
      "filter": "name sw \"Alice\"",
      "apiVersion": "beta"
    }
  }
}
The "apiVersion" set under entitlements, accountEntitlements and identities overrides the top-level "apiVersion" for that entity. JSON does not permit comments, so keep notes like this outside the config rather than inline.
Adapter Config Fields
- apiVersion - the version of the Sailpoint IDN API, default "v3", but overridable for each entity as needed
- entityConfig - object - contains the configuration for each of the entities you’ll want to synchronize; if no configuration exists, defaults are selected
  - uniqueIDAttribute - provides the option to override id as the unique attribute for entities
  - filter - where you would apply Sailpoint IDN Request Filters; Sailpoint supports operations like equal (eq) and starts with (sw) as well as some other filters depending on the object/attribute
  - apiVersion - used if you want to override the default apiVersion for a specific entity
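To make the override and filter semantics of the Adapter Config concrete, here is an added example (not SGNL's or Sailpoint's own code) that resolves the effective per-entity settings from the sample config above and illustrates, over a few constructed records, what the `eq` and `sw` filters select. The resolution logic mirrors the fields documented above; the filter evaluator is a local stand-in for the evaluation Sailpoint performs server-side at synchronization time and only understands the two operators the page names, so any other expression is rejected up front rather than silently syncing nothing. The record fields and ID values other than the one quoted in the sample config are assumptions.

```python
"""Resolve per-entity sync settings from an SGNL Sailpoint IdentityNow
Adapter Config and illustrate the filter semantics locally.

Added example, not SGNL's or Sailpoint's code.  Only the `eq` and `sw`
operators documented on the page are supported; anything else raises.
"""
import json
import re

DEFAULT_API_VERSION = "v3"   # page: top-level default is "v3"
DEFAULT_UNIQUE_ID = "id"     # page: uniqueIDAttribute overrides "id"

# <attribute> <eq|sw> "<value>"  with \" permitted inside the quoted value.
_FILTER_RE = re.compile(r'^\s*([A-Za-z_][\w.]*)\s+(eq|sw)\s+"((?:[^"\\]|\\.)*)"\s*$')

# The sample Adapter Config from the page, minus the inline comment.
SAMPLE_CONFIG = json.loads(r'''
{
  "apiVersion": "v3",
  "entityConfig": {
    "accounts": {
      "uniqueIDAttribute": "id",
      "filter": "identityId eq \"1700926aca594aa2861d9dbd24ca64b9\""
    },
    "entitlements": {"uniqueIDAttribute": "id", "apiVersion": "beta"},
    "accountEntitlements": {"uniqueIDAttribute": "id", "apiVersion": "beta"},
    "identities": {
      "uniqueIDAttribute": "id",
      "filter": "name sw \"Alice\"",
      "apiVersion": "beta"
    }
  }
}
''')

# Constructed sample records (field names and IDs other than the identityId
# quoted in the config are assumptions, not real Sailpoint data).
SAMPLE_ACCOUNTS = [
    {"id": "acc-1", "identityId": "1700926aca594aa2861d9dbd24ca64b9", "name": "alice.s"},
    {"id": "acc-2", "identityId": "0000000000000000000000000000beef", "name": "bob.j"},
]
SAMPLE_IDENTITIES = [
    {"id": "id-1", "name": "Alice Smith"},
    {"id": "id-2", "name": "Bob Jones"},
    {"id": "id-3", "name": "Malice Cooper"},  # contains but does not start with "Alice"
]


def resolve_entity_config(adapter_config: dict) -> dict:
    """Return {entity: {apiVersion, uniqueIDAttribute, filter}} with the
    top-level apiVersion applied unless the entity overrides it."""
    top_version = adapter_config.get("apiVersion", DEFAULT_API_VERSION)
    resolved = {}
    for entity, cfg in adapter_config.get("entityConfig", {}).items():
        resolved[entity] = {
            "apiVersion": cfg.get("apiVersion", top_version),
            "uniqueIDAttribute": cfg.get("uniqueIDAttribute", DEFAULT_UNIQUE_ID),
            "filter": cfg.get("filter"),
        }
    return resolved


def parse_filter(expr: str):
    """Parse 'attr eq "v"' / 'attr sw "v"' into (attr, op, value).
    Unsupported expressions raise ValueError so a config typo is caught
    before a sync is attempted."""
    m = _FILTER_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported filter expression: {expr!r}")
    attr, op, raw = m.groups()
    return attr, op, raw.replace('\\"', '"')


def apply_filter(expr, records):
    """Local illustration of the filter's meaning over in-memory records.
    In a real sync Sailpoint evaluates the filter; SGNL never sees the rest."""
    if expr is None:
        return list(records)
    attr, op, value = parse_filter(expr)
    if op == "eq":
        return [r for r in records if r.get(attr) == value]
    return [r for r in records if str(r.get(attr, "")).startswith(value)]


def validate_config(adapter_config: dict) -> dict:
    """Parse every configured filter; returns the resolved config or raises."""
    resolved = resolve_entity_config(adapter_config)
    for entity, cfg in resolved.items():
        if cfg["filter"] is not None:
            parse_filter(cfg["filter"])  # raises on an unsupported expression
    return resolved


if __name__ == "__main__":
    cfg = validate_config(SAMPLE_CONFIG)
    for entity, settings in cfg.items():
        print(entity, settings)
    print("accounts kept:", [r["id"] for r in apply_filter(cfg["accounts"]["filter"], SAMPLE_ACCOUNTS)])
    print("identities kept:", [r["id"] for r in apply_filter(cfg["identities"]["filter"], SAMPLE_IDENTITIES)])
```

Running `validate_config` against a proposed Adapter Config before saving it in the SGNL console gives an early, offline check that each filter is well formed; the filtered record lists show why a tight `eq` on `identityId` or a prefix `sw` on `name` keeps the ingested graph small, which is the least-data posture the Synchronization Filters section recommends.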