Configuring WS-Security for Epic


When configuring the Epic application, it is a best practice to secure the Epic Interconnect Personnel Management/Security Web Service endpoint with WS-Security. At the moment (as of 7.2 GA) IdentityIQ does not support WS-Security for the Core endpoint. Below are the steps to enable WS-Security in the Epic application in IdentityIQ:


  1. Copy the sailpoint_epic_connector_axis2.xml and epic_security_policy.xml files to the \WEB-INF\classes\ directory.
  2. Add the following entries to the Epic application XML through the debug page (sample data that should be replaced with instance-specific values):
    • <entry key="engageWSSecurity" value="true"/>
    • <entry key="authUserID" value="local:epicsailpoint"/>
    • <entry key="authUserPassword" value="2:yqq3acVTnn2HpKdfTJr0gA=="/>
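As an added example (not part of the post or of SailPoint's connector), a small Python check that reads the three entries out of an Epic application XML and reports anything that does not match the conventions described here: engageWSSecurity must be true, authUserID must carry a local: or windows: prefix (including the windows:user@UPN form from the comments below), and authUserPassword should not be sitting there in clear text. The sample XML wrapper and the "looks encrypted" heuristic are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the three entries from the post, wrapped in a minimal
# Application XML so they can be parsed (not a real IdentityIQ export).
SAMPLE_APP_XML = """<Application name="Epic" type="Epic">
  <Attributes>
    <Map>
      <entry key="engageWSSecurity" value="true"/>
      <entry key="authUserID" value="local:epicsailpoint"/>
      <entry key="authUserPassword" value="2:yqq3acVTnn2HpKdfTJr0gA=="/>
    </Map>
  </Attributes>
</Application>"""

# Accepted authUserID forms, taken from the post and the comments:
#   local:<user>            Interconnect-local account
#   windows:<user>          local Windows account on the Interconnect server
#   windows:<user>@<upn>    Active Directory account in UPN form
AUTH_USER_RE = re.compile(r"^(local|windows):[^:@\s]+(@[^@\s]+)?$")
# Heuristic (assumption): an IdentityIQ-encrypted value looks like
# "<n>:<base64>", as in the page's sample; anything else is treated as
# clear text and flagged.
ENCRYPTED_RE = re.compile(r"^\d+:[A-Za-z0-9+/]+=*$")


def read_entries(xml_text):
    """Return {key: value} for every <entry> element in the application XML."""
    root = ET.fromstring(xml_text)
    return {e.get("key"): e.get("value") for e in root.iter("entry") if e.get("key")}


def check_ws_security(xml_text):
    """Return a list of findings; an empty list means the entries look right."""
    entries = read_entries(xml_text)
    findings = []
    if entries.get("engageWSSecurity", "").lower() != "true":
        findings.append("engageWSSecurity is not 'true'; WS-Security is off")
    user = entries.get("authUserID")
    if not user:
        findings.append("authUserID missing")
    elif not AUTH_USER_RE.match(user):
        findings.append(f"authUserID {user!r} lacks a local:/windows: prefix")
    pw = entries.get("authUserPassword")
    if not pw:
        findings.append("authUserPassword missing")
    elif not ENCRYPTED_RE.match(pw):
        findings.append("authUserPassword appears to be clear text")
    return findings
```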


The authUserID and authUserPassword entries differ from the username/password entered into the application when configuring through the UI. This is the account that should be configured for the Interconnect Web Service when enabling WS-Security, and it does not need to exist within the Epic application (EMP record).


In the above sample data, the Epic team created a local account (one that exists only in the Epic Interconnect configuration, not in Active Directory), which is why the authUserID is prefixed with local:


For Active Directory accounts, the authUserID needs to be prefixed with windows: (i.e. windows:epicsailpoint).

Comments

There are multiple ways to set the user configuration. I am coming back to this thread long after solving our issue. We were using domain accounts instead of local server or local Epic accounts, which is preferred in our environment.

local:MyLocalEPICuser

windows:MyLocalUserOnTheInterconnectServer

windows:MyDomainUser@MyUPNFQDN

Example

local:epicservice

windows:administrator

windows:epicservice@contoso.org

Does WS-Security work with SOAP 1.2? We are getting a missing wsse header error on test connection.

@checlever, Can you please help us with creating an account for WS-Security? There is no documentation on this and our EPIC team does not know how to set this up. If you could detail the steps or share the screenshots, that would be really helpful. Thanks in advance.

@nazampreetkaur , I'll try to get some screenshots from the interconnect team. I'm not sure how your organization is structured but our Epic team is different than our interconnect team. The interconnect team set up a local interconnect user on the server and enabled SOAP 1.1 for it. I believe SOAP 1.2 was the default and we had to change it because the module doesn't support 1.2 (not sure if it has been fixed since then). I'll post again if I can get a screenshot 

@checlever, Thanks a lot. We also have two teams - EPIC team and Interconnect team. I need to reach out to Interconnect team with exact steps they need to follow as they struggle to understand what kind of account we need. Screenshots will really help. Thanks

@checlever, Did you find anything on the WS-Security user? Our EPIC team is telling us "They created an Admin user for Sailpoint and added the user to the Security Console in the Interconnect instance". Is that enough? Because when I try test connection, I am getting the error "Input stream is null".

@checlever, Can you please specify which username you have used in WS-Security? Because from the screenshots you provided I see you have entered "Sailpoint-ICONLYUSER" as the username in the configuration page, while the name written in the other screenshot for the user is "Sailpoint Admin".

Can you please point me in the direction where I can find the username? I have the userid.


Thanks

@neeraj99 Sailpoint Admin (SPADMINPRD) is the EMP account and has to be created in Epic. Sailpoint-ICONLYUSER is the interconnect server local account.

Last update: Jul 19, 2023 06:09 PM