CloudFlare is a distributed Content Delivery Network (CDN) and Web Application Firewall (WAF) service provider. Its worldwide network helps protect SaaS products like IdentityNow from Distributed Denial of Service (DDoS) and other common attacks.
CloudFlare maintains numerous industry certifications, including ISO 27001, SOC 2 Type II and PCI DSS 3.1. More information about CloudFlare’s compliance can be found here: Certifications and compliance resources | CloudFlare
SailPoint is deploying CloudFlare’s vast content delivery network and security services to protect its SaaS products, including IdentityNow, from DDoS and other common attacks as part of SailPoint’s Defense in Depth security strategy.
During the migration, SailPoint will be changing its Domain Name System (DNS) records for its SaaS products to route through CloudFlare’s Content Delivery Network and Web Application Firewall (WAF) services. This change is not expected to have any impact on your usage of our SaaS applications.
Customers will not need to change anything. You will continue to access SailPoint products at their current URLs, and no changes to bookmarks or links will be required.
The hostnames and URLs your users access will not change. The hostnames will now direct the traffic to our SaaS platform via the CloudFlare network whereas, before, it would go directly to our SaaS endpoints.
The specific IP addresses for those hostnames will point to CloudFlare instead of directly at our edge endpoints. These IPs can change at any time, so IP-based firewall rules are not supported by SailPoint.
To verify that your users will not be impacted by this change, you can use this web address to validate network connectivity:
https://cloudflaretest.identitynow.com/
When you open this in your browser, you should see the following response:
If you do not see this sign-in screen or you get an error, please contact your network administrators to allow this network connectivity. In a later question in this FAQ, we have provided a sample request you can send to your administrators that explains what is needed.
To validate that your Virtual Appliances' connectivity to SailPoint will not be affected, log in to the shell of one of your appliances and run this command:
You should see this output:
{"error":"No message available"}
If you do not, please reach out to your network administrators to allow this connectivity. In a later question in this FAQ, we have provided a sample request you can send to your administrators that explains what is needed.
We have created a test tenant in our production environment and migrated it to be behind CloudFlare in the exact same way your tenant will be migrated in the future. All requests to the tenant endpoints are routed via CloudFlare’s security services. This means that if you are able to access the test tenant in your browser, you will be able to access your Sandbox and Production tenants after the migration is complete.
If either the browser login page test or the VA curl test does not produce the expected results, please contact your network administrators with the message provided below to explain the issue.
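The two checks described above, combined into one script that runs both and reports the results in a form you can forward to your network team. This is an added example, not a script from SailPoint's FAQ; it assumes curl is installed on the appliance and judges the UI check by an HTTP 200 status (the FAQ only says a sign-in page should appear), while the API check compares against the exact body the FAQ quotes.

```shell
# Added example (not from SailPoint's FAQ): run the UI and API connectivity
# checks for the CloudFlare test tenant and report pass/fail for each.
# Assumptions: curl is available; a 200 status means the sign-in page loaded.

UI_URL="https://cloudflaretest.identitynow.com/"
API_URL="https://cloudflaretest.api.identitynow.com"
EXPECTED_API_BODY='{"error":"No message available"}'

# Return 0 if the API body matches the expected string exactly, ignoring any
# trailing newline that curl or the shell may add.
check_api_body() {
    body=$(printf '%s' "$1" | tr -d '\r\n')
    [ "$body" = "$EXPECTED_API_BODY" ]
}

# Return 0 if the HTTP status indicates the sign-in page was served.
check_ui_status() {
    [ "$1" = "200" ]
}

# Perform the live checks. A network error (DNS failure, blocked egress, TLS
# interception) maps to a failed check, so a blocked path never reports OK.
run_checks() {
    failures=0
    ui_status=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 15 "$UI_URL" 2>/dev/null) || ui_status="000"
    if check_ui_status "$ui_status"; then
        echo "UI  $UI_URL : OK (HTTP $ui_status)"
    else
        echo "UI  $UI_URL : FAILED (HTTP $ui_status)"
        failures=$((failures + 1))
    fi
    api_body=$(curl -sS --max-time 15 "$API_URL" 2>/dev/null) || api_body=""
    if check_api_body "$api_body"; then
        echo "API $API_URL : OK"
    else
        echo "API $API_URL : FAILED (got: ${api_body:-<no response>})"
        failures=$((failures + 1))
    fi
    return "$failures"
}

# Only contact the network when invoked with --run, e.g. sh check.sh --run
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

A non-zero exit code means at least one check failed; include the printed lines in the request to your network administrators.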
Provide this message from SailPoint to your network administration team.
Network Administration Team:
SailPoint provides Identity Management software to your company via an online SaaS platform. We are migrating our SaaS edge endpoints to be protected by CloudFlare's CDN and WAF services. We have migrated a test endpoint behind CloudFlare for our customers to use to comprehensively validate your users' ability to access our SaaS platform after we complete your site’s migration to CloudFlare. You are getting this request because our contact at your company was unable to verify successful network connectivity to our test endpoint.
There are two key endpoints to test.
The UI, which can be tested by loading this URL in any web browser:
https://cloudflaretest.identitynow.com/
This should present an IdentityNow sign-in page.
The API, which must be tested by logging into the console of one of the SailPoint IdentityNow Virtual Appliances running in your environment and attempting to access this API URL:
https://cloudflaretest.api.identitynow.com
with the curl command: curl https://cloudflaretest.api.identitynow.com
This should return this string: {"error":"No message available"}
If the web page does not load, there is likely an outbound network rule denying this connectivity. The same applies to the API URL test, but the block might be on the network used by the Virtual Appliance.
The method to allow this traffic will depend on the nature of the network rule blocking it. URL or DNS based allow rules will work correctly after the migration, as your tenant hostnames will not change. This can be validated by adding an allow rule for the test tenant hostnames. Other ways of filtering traffic may require additional action for both the test URL and your tenants' URLs.
If you have further questions, please work with your IdentityNow administrator to contact our Support team.
Thank you,
SailPoint SaaS DevOps
Yes, this security improvement will also be applied to tenants using their own domains to access our SaaS products. There is nothing extra that customers who use Vanity Domains need to do, and you can still use the verification link above to ensure that your users will be able to access our SaaS platform after the migration.
SailPoint will migrate sandbox tenants first before moving on to production tenants. We plan to complete the updates to Sandbox tenants by February 3, 2023 and start the production updates on February 6, 2023. This allows for a two week period where you will be able to ensure that your sandbox tenant and its Virtual Appliances are healthy.
Please reach out to our Support team with any issues you encounter, including delays.
CloudFlare maintains a list of the IP ranges for their networks here: IP Ranges | Cloudflare