I have seen many questions on the community asking how to read application configuration data in before/after PowerShell scripts.
Most of the time implementers end up storing the required information in an external file and reading it back with PowerShell commands. If the config data contains sensitive attributes such as 'password', those are stored and retrieved with Export-CliXml and Import-CliXml. That external file has to be updated every time a sensitive value changes, and it is one more place on the IQService host where the credential lives.
The following PowerShell scripts show how to achieve this without storing data in an external file.
Example 1: Assume the Azure AD application has the attributes 'Office365UserName' and 'password', which hold the username and password used to connect to Office 365 with PowerShell. The following script reads those attributes, connects to Office 365 and Exchange Online, and sets some Exchange Online attributes for the user.
I have provided two versions of each script, depending on the IQService version. In IQService 8.1 and 8.0p2 or later we made it a little simpler.
Script for IQService versions earlier than 8.1 / 8.0p2, or the IdentityNow IQService:
# Refer to the SailPoint class library (the path contains a space, so it must be quoted)
Add-Type -Path "C:\Program Files\IQService\bin\Debug\utils.dll"
# Read the environment variables
$sReader = New-Object System.IO.StringReader([System.String]$env:Request);
$sResult = New-Object System.IO.StringReader([System.String]$env:Result);
# Form the xml reader objects
$xmlReader = [System.Xml.XmlTextReader]([sailpoint.utils.xml.XmlUtil]::getReader($sReader));
$xmlReader_Result = [System.Xml.XmlTextReader]([sailpoint.utils.xml.XmlUtil]::getReader($sResult));
# Create SailPoint objects
$requestObject = New-Object Sailpoint.Utils.objects.AccountRequest($xmlReader);
$resultObject = New-Object Sailpoint.Utils.objects.ServiceResult($xmlReader_Result);
# Retrieve nativeIdentity from the request object
$nativeIdentity = $requestObject.NativeIdentity
# Get the xmlFactory object used to parse the application configuration
$xmlFactory = [sailpoint.Utils.xml.XmlFactory]::Instance;
# Read the application XML from the environment
$sReader1 = $env:Application
# Remove any line containing 'Date' from the app xml, because IQService expects dates in milliseconds
# but the application XML carries them as MM/DD/YY HH:MM:SS AM. Note that this drops every line whose
# text contains "Date", so check that no entry you need has such a name.
$escaped = $sReader1 -split "`n" | Select-String -Pattern "Date" -NotMatch
# Convert the string array back into a single string
$content = $escaped | Out-String
# Create a StringReader from the app xml string
$stringReader = New-Object -TypeName System.IO.StringReader -ArgumentList $content
# New xml reader object
$appXmlreader = [System.Xml.XmlTextReader] [sailpoint.Utils.xml.XmlUtil]::getReader([System.IO.TextReader]$stringReader);
[void]$appXmlreader.MoveToContent()
# parseObject returns the application object as a Hashtable
$appObject = $xmlFactory.parseObject($appXmlreader)
# Retrieve the configuration entries Office365UserName and password from the Azure AD application config
$office365AdminUsername = $appObject.Office365UserName
# Retrieve the password attribute value
$o365Password = $appObject.password
# Create the credential object
$secpasswd = ConvertTo-SecureString $o365Password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ($office365AdminUsername, $secpasswd)
# Connect to Office 365
# Note: the MSOnline module and Basic authentication to the ps.outlook.com endpoint have since been
# retired by Microsoft; on current tenants use the ExchangeOnlineManagement module (Connect-ExchangeOnline).
Import-Module MSOnline
Connect-MsolService -Credential $cred
# Connect to Exchange Online
$msoExchangeURL = "https://ps.outlook.com/powershell/"
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $msoExchangeURL -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session
# Set mailbox properties
Set-Mailbox -Identity $nativeIdentity -UseDatabaseQuotaDefaults $false -IssueWarningQuota "200MB" -ProhibitSendQuota "250MB" -ProhibitSendReceiveQuota "280MB"
# Close the remote session so repeated script runs do not leave sessions open on the tenant
Remove-PSSession $session
Script for IQService 8.1 / 8.0p2 onward:
# Refer to the SailPoint class library (the path contains a space, so it must be quoted)
Add-Type -Path "C:\Program Files\IQService\bin\Debug\utils.dll"
# Read the environment variables
$sReader = New-Object System.IO.StringReader([System.String]$env:Request);
$sResult = New-Object System.IO.StringReader([System.String]$env:Result);
# Form the xml reader objects
$xmlReader = [System.Xml.XmlTextReader]([sailpoint.utils.xml.XmlUtil]::getReader($sReader));
$xmlReader_Result = [System.Xml.XmlTextReader]([sailpoint.utils.xml.XmlUtil]::getReader($sResult));
# Create SailPoint objects
$requestObject = New-Object Sailpoint.Utils.objects.AccountRequest($xmlReader);
$resultObject = New-Object Sailpoint.Utils.objects.ServiceResult($xmlReader_Result);
# Retrieve nativeIdentity from the request object
$nativeIdentity = $requestObject.NativeIdentity
# Get the xmlFactory object used to parse the application configuration
$xmlFactory = [sailpoint.Utils.xml.XmlFactory]::Instance;
# Read the application XML from the environment
$sReader1 = $env:Application
# Retrieve the application configuration object (parseXml handles the Date entries itself on this version)
$appObject = $xmlFactory.parseXml($sReader1)
# Retrieve the configuration entries Office365UserName and password from the Azure AD application config
$office365AdminUsername = $appObject.Office365UserName
# Retrieve the password attribute value
$o365Password = $appObject.password
# Create the credential object
$secpasswd = ConvertTo-SecureString $o365Password -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ($office365AdminUsername, $secpasswd)
# Connect to Office 365
# Note: the MSOnline module and Basic authentication to the ps.outlook.com endpoint have since been
# retired by Microsoft; on current tenants use the ExchangeOnlineManagement module (Connect-ExchangeOnline).
Import-Module MSOnline
Connect-MsolService -Credential $cred
# Connect to Exchange Online
$msoExchangeURL = "https://ps.outlook.com/powershell/"
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $msoExchangeURL -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session
# Set mailbox properties
Set-Mailbox -Identity $nativeIdentity -UseDatabaseQuotaDefaults $false -IssueWarningQuota "200MB" -ProhibitSendQuota "250MB" -ProhibitSendReceiveQuota "280MB"
# Close the remote session so repeated script runs do not leave sessions open on the tenant
Remove-PSSession $session
Example 2: Reading an AD application's domainSettings and password
Script for IQService versions earlier than 8.1 / 8.0p2, or the IdentityNow IQService:
# Refer to the SailPoint class library
Add-Type -Path "C:\IQService\Utils.dll"
# Get the xmlFactory object
$xmlFactory = [sailpoint.Utils.xml.XmlFactory]::Instance;
# Read the application XML from the environment
$sReader1 = [System.String]$env:Application;
# Remove any line containing 'Date', because IQService expects dates in milliseconds
# but the application XML carries them as MM/DD/YY HH:MM:SS AM. This drops every line whose
# text contains "Date", so check that no entry you need has such a name.
$escaped = $sReader1 -split "`n" | Select-String -Pattern "Date" -NotMatch
# Convert the string array back into a single string
$content = $escaped | Out-String
# Create a StringReader from the app xml string
$stringReader = New-Object -TypeName System.IO.StringReader -ArgumentList $content
# New xml reader object
$xmlreader = [System.Xml.XmlTextReader] [sailpoint.Utils.xml.XmlUtil]::getReader([System.IO.TextReader]$stringReader);
# This call is not in the sample scripts shipped with IQService; it is needed before parseObject
[void]$xmlreader.MoveToContent()
# parseObject returns the application object as a Hashtable
$appObject = $xmlFactory.parseObject($xmlreader)
# Retrieve the domainSettings value from the AD application config
$domainSettings = $appObject.domainSettings
# Read the domain info of the first domain in domainSettings
$domainDN = $domainSettings[0].domainDN
$forestName = $domainSettings[0].forestName
$servers = $domainSettings[0].servers
$useSSL = $domainSettings[0].useSSL
$user = $domainSettings[0].user
# Encoded password of the first domain settings object
$encoded = $domainSettings[0].password
# Decoded password of the first domain settings object
$decoded = [sailpoint.Utils.tools.Util]::decode($encoded, $true)
Script for IQService 8.1 / 8.0p2 onward:
# Refer to the SailPoint class library
Add-Type -Path "C:\IQService\Utils.dll"
$xmlFactory = [sailpoint.Utils.xml.XmlFactory]::Instance;
# Read the application XML from the environment
$sReader1 = $env:Application
# Retrieve the application configuration object
$appObject = $xmlFactory.parseXml($sReader1)
# Retrieve the domainSettings value from the AD application config
$domainSettings = $appObject.domainSettings
# Read the domain info of the first domain in domainSettings
$domainDN = $domainSettings[0].domainDN
$forestName = $domainSettings[0].forestName
$servers = $domainSettings[0].servers
$useSSL = $domainSettings[0].useSSL
$user = $domainSettings[0].user
# Encoded password of the first domain settings object
$encoded = $domainSettings[0].password
# Decoded password of the first domain settings object
$decoded = [sailpoint.Utils.tools.Util]::decode($encoded, $true)
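As an added example that is not part of the original post or of the scripts SailPoint ships with IQService: the two parsing paths above (parseXml on 8.1 / 8.0p2 and later, Date-stripping plus parseObject on older IQService) and the credential handling from both examples folded into two reusable functions, so one before/after script works on either IQService version and the plaintext password is referenced for as short a time as possible. It assumes the Utils.dll API exactly as used in the scripts above (XmlFactory, XmlUtil.getReader, Util.decode); the function names, the -Encoded switch and the default attribute names are this example's own assumptions, and the Exchange Online connection itself is left out.

```powershell
# Added example (not from the original post): version-independent application config reading
# plus credential handling for IQService before/after scripts.
# Assumes the SailPoint Utils.dll API as used in the scripts above; the function and parameter
# names here are this example's own.
Add-Type -Path "C:\Program Files\IQService\bin\Debug\utils.dll"

function Get-IQServiceApplicationConfig {
    # Returns the application configuration Hashtable that Utils.dll builds from $env:Application,
    # using parseXml where the installed IQService has it and the older Date-stripping path otherwise.
    param([string]$ApplicationXml = $env:Application)

    if ([string]::IsNullOrWhiteSpace($ApplicationXml)) {
        throw "The Application environment variable is empty; this must run from an IQService before/after script."
    }
    $xmlFactory = [sailpoint.Utils.xml.XmlFactory]::Instance

    # IQService 8.1 / 8.0p2 and later: the factory parses the string directly.
    if (Get-Member -InputObject $xmlFactory -Name parseXml -MemberType Method) {
        return $xmlFactory.parseXml($ApplicationXml)
    }

    # Older IQService: drop the <Date> elements the parser cannot read, then use parseObject.
    # Matching the element tag rather than the bare word "Date" leaves entries whose key
    # merely contains "Date" intact.
    $filtered = ($ApplicationXml -split "`r?`n" | Where-Object { $_ -notmatch '<Date\b' }) -join "`n"
    $stringReader = New-Object System.IO.StringReader($filtered)
    $reader = [System.Xml.XmlTextReader][sailpoint.Utils.xml.XmlUtil]::getReader([System.IO.TextReader]$stringReader)
    [void]$reader.MoveToContent()
    return $xmlFactory.parseObject($reader)
}

function Get-IQServiceAppCredential {
    # Builds a PSCredential from two entries of a config Hashtable. Pass -Encoded for values that
    # arrive in the encoded form shown in Example 2 (domainSettings passwords) so Util.decode is applied.
    param(
        [Parameter(Mandatory)] $AppConfig,
        [string]$UserKey = 'Office365UserName',   # assumed attribute names, as in Example 1
        [string]$PasswordKey = 'password',
        [switch]$Encoded
    )
    $user   = $AppConfig[$UserKey]
    $secret = $AppConfig[$PasswordKey]
    if ([string]::IsNullOrEmpty($user) -or [string]::IsNullOrEmpty($secret)) {
        # Name the missing key, never its value, so the failure is diagnosable without leaking a secret.
        throw "Application config has no usable '$UserKey' or '$PasswordKey' entry."
    }
    if ($Encoded) {
        $secret = [sailpoint.Utils.tools.Util]::decode($secret, $true)
    }
    $secure = ConvertTo-SecureString $secret -AsPlainText -Force
    Remove-Variable secret   # drop our reference to the plaintext as soon as the SecureString exists
    return New-Object System.Management.Automation.PSCredential ($user, $secure)
}

# Usage, Example 1 style: a credential from the application's own attributes.
$app  = Get-IQServiceApplicationConfig
$cred = Get-IQServiceAppCredential -AppConfig $app
# ... then Connect-MsolService / New-PSSession with $cred as in the scripts above.

# Usage, Example 2 style: every domain in an AD application's domainSettings, not only the first.
foreach ($domain in @($app['domainSettings'])) {
    if ($null -eq $domain) { continue }
    $domainCred = Get-IQServiceAppCredential -AppConfig $domain -UserKey 'user' -PasswordKey 'password' -Encoded
    $serverCount = @($domain['servers']).Count
    Write-Output ("{0} (forest {1}, SSL={2}): {3} servers, bind as {4}" -f $domain['domainDN'], $domain['forestName'], $domain['useSSL'], $serverCount, $domainCred.UserName)
}
```

The version check is done by looking for the parseXml method on the factory rather than by reading a version number, so the same script can be copied to an 8.0p1 host and an 8.1 host unchanged. Only the key name, never the secret, ever reaches an error message or the script output.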
@sagar_bhingare, I have an unusual issue with the command below:
$decoded = [sailpoint.Utils.tools.Util]::decode($encodede, $true)
My ConnectorAfterModify rule, which is invoked as part of AD provisioning, is able to decode the password, but when I invoke the same ConnectorAfterModify rule from a custom rule, the encoded password becomes null. I have tried both true and false for the flag argument. IIQ version is 8.0p1.