assignment

IdentityNow
Requirements Gathering Wizard


This tool is designed to walk you through the documentation of your organization's business requirements. The goal is to gain a high-level understanding of the sources that are in scope for this IAM project, the access management procedures around those sources, and the expectations around your final implementation of IdentityNow.

Please understand that this is not an exhaustive list of requirements - the wizard is intended to be a data gathering tool that will guide more in-depth discussions with your SailPoint implementation team. However, we ask that you provide answers to the fullest extent possible so that the follow-up conversations you will have with your SailPoint team can be directed towards addressing any gaps or questions.

As you work through this wizard, we will automatically save your work each time you click the "Next" or "Save Progress" buttons. Once you are finished, simply click the "Send to SailPoint" button at the top of the page to generate a data file that can be downloaded and emailed to SailPoint for review.

Get Started



Accelerated by Materialize | Copyright © 2023. SailPoint Technologies Holdings, Inc. All Rights Reserved. Clear Data
Here are your answers in Markdown format:

Select All Text

Close

IdentityNow Password Interceptor

The password interceptor is managed through a web service method and a workflow. The password interceptor client calls the web service which in turn launches the workflow to complete the password interception process (usually propagation to other systems).

Password Interceptor for Active Directory provides the mechanism by which a password change initiated by an Active Directory user is captured by the Client and sent to the IdentityIQ \ IdentityNow server.

With Active Directory, there can be multiple domain controllers in a particular domain and multiple Domains in the Domain Tree. The Password Interceptor captures a password change from only the Domain Controller where it is installed.

The Password Interceptor Client service intercepts each password change and sends it to the Password Interceptor Server configured in the server. The Client service must be installed on each Domain Controller.

The following points describe the sequence of events triggered when an Active Directory user changes password:

  • A user requests a Password change on a workstation which belongs to one Domain Controller (DC) in the Domain.
  • On the Domain Controller (DC), the Local Security Authority (LSA) calls the password filter that is registered on the computer. Password filters provide means to implement password policy and change notifications. When a user makes a password change request on a Domain Controller, the Local Security Authority (LSA) calls the password filters registered on the system. NOTE: Password Interceptor must be installed on every Domain Controller (that's where the LSA service runs and detects password change request for Active Directory). The DC is the only place where password can be captured in clear text, and Password Interceptor monitors the LSA service to capture the password change.
  • The Password Change request is written to the Password Interceptor Client which is a Windows service running on the same computer.
  • The intercepted messages containing the password data from the Password Interceptor Client are sent to the server.

Close

IdentityNow Desktop Password Reset

This application allows end users to access any web-based password management solution and change their password - even if they have forgotten their password or are locked out of their computer. SailPoint strongly recommends using SailPoint's Password Management solution with this application as it is specially designed to ensure the security of the system. Changing the password will reset the user’s password and all the connected accounts on different Managed Systems. This application is accessed when the Forgot Password option is clicked from the Login screen on the end user’s computer. Once they change their password, their account is unlocked and they can log in normally.

SailPoint Desktop Password Reset (referred to as the Desktop Password Reset) must be deployed on the Windows computer of each end user who should have access to the product. In a large organization, the deployment process can involve many thousands of computers. Therefore, the process for setting up installation files and installing the product on each computer must be carefully planned.


Close

Deciding Which Connector to Use

Overview

When implementing IdentityNow, one of the first things done in a project is to plan which sources that IdentityNow will be interfacing with. Key to that onboarding task, is to understand what connector or source type a source should use to interface with that source system.

This document helps document the process of deciding which connector to use, and what questions you should be asking in order to select the right connector for your target source or application.

Connector Classifications

Connectivity Methods

IdentityNow has two primary connecivity methods:

  • Direct Connectivity - This is where a connector communicates directly to a system using APIs or data-sources. Some advantages of using direct connect are that you don't have to generate or transmit files, and you can be more efficient in processing only things that have changed. Some disadvantages are the they are subject to availability and downtime concerns like any connected system. They are also typically subject to advantages and disadvantages that APIs might impose as well.
    • Some people also refer to this as an 'online' method of connectivity.
  • File-Based Connectivity - This is where a connector reads from a snapshot of data presented in a file, rather than connecting directly to the system. Some advantages of using a file, are that files are portable, easily inspected for data issues, and not typically subject to availability. Some disadvantages are that files are usually processed in their entirety, and may require processing or transformation in order to work effectively.
    • Some people also refer to this as a 'decoupled' or 'offline' method of connectivity.
Connector Implementations

In IdentityNow, independent of the connectivity methods, connectors come in the following implementations:

  • Source-Specific Implementation - These are connectors built with a specific target-system in mind. These typically use specific APIs targeted to the system they are integrated with. Because the systems and APIs are known, these typically require less configurations to get working.
    • Examples of these are Active Directory, Workday, Salesforce, SAP, etc.
  • General Implementation - These are general-purpose connectors which can be used to connect to a variety of sources or systems. These tend to be more flexible in general, but typically do require a bit more setup and configuration to meet needs.
    • Examples of these are Web Services, SCIM, JDBC, Delimited Files, etc.
  • Custom Implementation - These are completely custom connectors and tailored to the system and API of your choice. This approach offers the most flexibility of all connector options, however making custom connectors is definitely a development-level activity, and is not to be taken lightly. The code written for custom connectors is maintained and supported by the customer who owns the connector.
    • Examples of these are custom in-house applications, etc.

Understanding these connector implementations is important, because if a source-specific implementation isn't available, another general or custom connector implementation may be used instead.

Decision Process

The full process of deciding which connector you should use is here:

connector-selection-flow.png

Here is some elaboration around the decision points on the document:

What connectivity method?

This basically is asking what connectivity method would you prefer. The options are to use File-Based Connectivity or Direct Connectivity, as defined earlier in this document.

File format?

If file-based connectivity method is selected, the next question is around the structure of the file format provided. If a standardized SailPoint-provided file format is needed, then select a Generic File Connector. Otherwise, a Delimited File Connector would be able to read delimited files.

Is this a known connector?

If you select a direct connectivity method, the next question is around if there is a known connector in our connector list.

SailPoint offers many source-specific connectors - such as Active Directory, Workday, Salesforce, SAP, etc. If the connector you are looking for is not in the connector list, then we'll have to see if we can leverage a general implementation of a source connector - something like a Web-Service, SCIM, JDBC, etc.

Does this have any APIs?

This is seeing if there are specific APIs to talk to the system in general, to help figure out which of the general connectors might be best poised to leverage those APIs. If the source has a SCIM 1.1 API, then leverage the SCIM 1.1 Connector. If the source has a SCIM 2.0 API, then leverage the SCIM 2.0 Connector. If the source has a REST API, then you might be able to use a Web Services Connector; otherwise a Custom Connector will be able to work, but would require a good amount of effort. If there are no APIs, then look at data sources next.

Does this have any data sources?

This is seeing what the underlying data store of the data of the source is. If the source stores information into a structured database, then a JDBC Connector is a popular option to pull in account and entitlement information. If the source is a directory, then a LDAP connector might be best poised connect to the data store. If there is a file data source available, then the implementation would move away from a direct connector method to a file-based connectivity method.

No Connector Available

If all data sources, APIs, and connectivity options are exhausted, then there isn't much SailPoint can do. SailPoint would suggest working with the source company to get some interface available. SailPoint is very partial to the SCIM standard (we helped define it), but can accomodate other interfaces through a mix of general or custom connector implementations.


Close