SailPoint Direct Connectors - NIAP-CCEVS


SailPoint Direct Connectors Version 8.0 Administration and Configuration Guide

Copyright 2019 SailPoint Technologies, Inc., All Rights Reserved.

SailPoint Technologies, Inc. makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. SailPoint Technologies shall not be liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.

Restricted Rights Legend. All rights are reserved. No part of this document may be published, distributed, reproduced, publicly displayed, used to create derivative works, or translated to another language, without the prior written consent of SailPoint Technologies. The information contained in this document is subject to change without notice.

Use, duplication or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 for DOD agencies, and subparagraphs (c) (1) and (c) (2) of the Commercial Computer Software Restricted Rights clause at FAR 52.227-19 for other agencies.

Regulatory/Export Compliance. The export and re-export of this software is controlled for export purposes by the U.S. Government. By accepting this software and/or documentation, licensee agrees to comply with all U.S. and foreign export laws and regulations as they relate to software and related documentation. Licensee will not export or re-export outside the United States software or documentation, whether directly or indirectly, to any Prohibited Party and will not cause, approve or otherwise intentionally facilitate others in so doing. A Prohibited Party includes: a party in a U.S. embargoed country or country the United States has named as a supporter of international terrorism; a party involved in proliferation; a party identified by the U.S. Government as a Denied Party; a party named on the U.S. Government's Specially Designated Nationals (SDN) List; a party prohibited from participation in export or re-export transactions by a U.S. Government General Order; a party listed by the U.S. Government's Office of Foreign Assets Control as ineligible to participate in transactions subject to U.S. jurisdiction; or any party that licensee knows or has reason to know has violated or plans to violate U.S. or foreign export laws or regulations. Licensee shall ensure that each of its software users complies with U.S. and foreign export laws and regulations as they relate to software and related documentation.

Copyright and Trademark Notices. Copyright 2019 SailPoint Technologies, Inc. All Rights Reserved. All logos, text, content, including underlying HTML code, designs, and graphics used and/or depicted on these written materials or in this Internet web site are protected under United States and international copyright and trademark laws and treaties, and may not be used or reproduced without the prior express written permission of SailPoint Technologies, Inc.

“SailPoint Technologies & Design,” “SailPoint,” “IdentityIQ,” “IdentityNow,” “SecurityIQ,” “IdentityAI,” “AccessIQ,” “Identity Cube,” and “Managing the Business of Identity” are registered trademarks of SailPoint Technologies, Inc. “Identity is Everything” and “The Power of Identity” are trademarks of SailPoint Technologies, Inc. None of the foregoing marks may be used without the prior express written permission of SailPoint Technologies, Inc. All other trademarks shown herein are owned by the respective companies or persons indicated.

Revision History

The following table describes the revision history of the SailPoint Direct Connectors Administration and Configuration Guide for version 8.0:

Version 7.1
Included the following important changes:
- Deprecating support for Tenrox, Rally and ALES Connector
- IQService: Support for Windows FIPS compliant mode
- New Connectors: SCIM 2, SAP HANA, Web Services and RACF via LDAP
- Workday Connector Enhancements:
  - It is a Standard Deployment Connector now
  - Future data
  - Delta Aggregation
  - Extensible account schema including schema attributes
- Administrator Permissions changes for SAP HANA Connector
- Deleted the Password Interceptor appendix from the guide. For more information about Password Interceptor for Active Directory and IBM i,
- Multiple group support in Tivoli, SunOne, and OpenLDAP LDAP Connectors
- RSA Connector: Support for Extended Attributes such as mobile number
- SAP HR/HCM Connector Enhancements:
  - Support for future hire and future data
  - Enhancement for supporting different models to detect an employee's manager
  - Administrator permissions changes

Version 7.1 Patch 1
Includes the following important changes:
- Changes in Workday Connector
- Moved the following Connectors to the Integration Guide:
  - Mainframe Integration Module: Agent Connectors, RACF LDAP
  - Enterprise Resource Planning Integration Modules: PeopleSoft, SAP Portal-User Management Web Service, Siebel, SAP, Oracle E-Business Suite and NetSuite Connector. The ‘Component Interface’ appendix related to the PeopleSoft Connector also moved to the Integration Guide.
  - Healthcare Integration Module: Epic Connector
- RSA Connector: Support for RSA Authentication Manager 8.2
- Azure Active Directory Connector: Support for Pass Through Authentication

Version 7.2
Includes the following important changes:
- Deprecating support for CyberArk Connector
- Multiforest support for Active Directory
- Administrator permissions update in SAP HR/HCM
- Azure Active Directory: Support for Pass Through Authentication
- Sybase Performance Optimization
- Changes in Workday Connector

Version 7.3
Includes the following important changes:
- Deprecated Connectors: AWS IAM and Microsoft Project Server. A new Integration Module for Amazon Web Services is available now; it is documented in the SailPoint Integration Guide.
- Deprecated support for SharePoint Target and Lieberman Target Collector
- New Connectors: SharePoint Online, Okta, SuccessFactors, and the PeopleSoft Campus Solution module supported by the PeopleSoft Direct Connector
- ServiceNow Connector:
  - Kingston support
  - Support for Helsinki is dropped.
- Active Directory Connector: Support for Simple Authentication and Security Layer (SASL)
- Azure Active Directory Connector: Support for Delta Aggregation (Accounts and Groups) and Partitioning Delta Aggregation (Accounts)
- Google Apps (G Suite) Connector:
  - Support for Role assignments, aggregation and provisioning of custom schema attributes, delta aggregation
  - G Suite is the new name for what was formerly called Google Apps.
- Web Services Connector: Support for paging, OAuth2 authentication type, XML based request
- New platform support for various connectors
- SailPoint Oracle Connector now supports managing Oracle Database hosted on Amazon Web Services Relational Database Service (AWS RDS)
- SailPoint Microsoft SQL Server Connector now supports managing SQL Server hosted on Amazon Web Services Relational Database Service (AWS RDS)
- PeopleSoft Connector: Support for Databases (MSSQL, Oracle, MySQL and so on)

Version 8.0
Includes the following important changes:
- Okta Connector moved to the Integration Guide under the “Access Management Infrastructure Modules” section
- Deprecated Connector: Jive Connector
- New Connectors:
  - Workday Accounts
  - Oracle Fusion HCM
- IQService: Support for Client Authentication and TLS support
- ServiceNow Connector:
  - Supports ServiceNow London and Madrid releases
  - Drops support for Jakarta and Istanbul releases
- SCIM 2.0: Supports delta aggregation for accounts, groups, roles, entitlements
- Workday: Supports Workday API version 30.1
- LDAP: Support for Microsoft ADAM version 2019 and Novell eDirectory (NetIQ) version 9.1
- SAP HANA: Supports SAP HANA 2.0 SPS3
- DB2: Supports DB2 database installed on Linux
- Sybase: Supports HADR (High Availability Disaster Recovery) SAP ASE 16.0 SP03
- Microsoft SharePoint Server: Supports Microsoft SharePoint Server version 2019 and an “Exclude Site Collections” filter to define application scope
- Salesforce: Support for Public Groups
- Solaris: Support for Solaris 11.4 Sparc x86
- Linux: Support for RHEL 7.6
- Duo: Support for pagination parameters as per Duo guidelines, aggregation and provisioning of administrator users in the Duo management system, and minimum permission for the Test Connection operation
- Web Services: Supports Pass-Through Authentication, Client certificate authentication, and possible HTTP error codes and messages for identifying failed operations
- Workday: Support for Parallel Aggregation, Include Additional Jobs response group, Organizational level filters, minimum permission in Workday version 31.0, and an option to set 'auto complete' as true while updating contact information
- Success Factors: Supports aggregation of termination date
- Active Directory Connector: Support for Microsoft Exchange Server 2019 and Microsoft Windows Server 2019
- Sybase: Supports aggregating Password Expiration Interval, password expired and Expire Login attributes

SailPoint Direct Connectors Administration and Configuration Guide


Table of Contents

Revision History .... 3
Overview .... 1
  Connector basics .... 1
    Connector Licensing .... 1
    Working of Connectors .... 1
  Retryable mechanism .... 2
    Mainframe Connectors .... 2
  What are Direct Connectors .... 3
  Application Types for Connectors .... 3
  Viewing the available connectors .... 6
    Connector selection .... 6
Chapter 1: SailPoint IdentityIQ Active Directory Connector .... 7
  Overview .... 7
    Supported features .... 8
    Supported Managed System .... 9
    Pre-requisites .... 10
    Administrator permissions .... 10
  Configuration parameters .... 12
    IQService Configuration .... 12
    Forest Configuration .... 12
    Domain Configuration .... 13
    Exchange Configuration .... 14
    Additional configuration parameters .... 15
    Configuring searchDNs .... 19
  Schema attributes .... 19
    Account attributes .... 20
    Group attributes .... 26
  Provisioning Policy attributes .... 27
  Active Directory Recycle Bin .... 31
    Pre-requisites .... 31
    Configuring Recycle Bin .... 32
  Additional information .... 32
    Unstructured Target Collector .... 32
    Creating TLS communication .... 34
    Using Strong Authentication (SASL) .... 35
Chapter 2: SailPoint IdentityIQ AIX Connector .... 37
  Overview .... 37
    Supported features .... 37
    Supported Managed Systems .... 38
    Pre-requisites .... 38
    Administrator permissions .... 39
  Configuration parameters .... 40
    Additional configuration parameters for SSH configuration .... 40
    Public key authentication configuration .... 41
  Schema attributes .... 41
    Account attributes .... 41
    Group attributes .... 47
  Provisioning policy attributes .... 47
    Account attributes .... 47
    Group attributes .... 48
  Additional information .... 49
    Upgrade considerations .... 49
    Unstructured Target Collector .... 49
  Troubleshooting .... 50
Chapter 3: SailPoint IdentityIQ Azure Active Directory Connector .... 55
  Overview .... 55
    Supported features .... 55
    Pre-requisites .... 56
    Administrator permissions .... 57
  Configuration parameters .... 58
    Additional configuration parameters .... 59
  Schema attributes .... 60
    Account attributes .... 60
    Group attributes .... 61
  Provisioning Policy attributes .... 62
    Create Account Policy .... 62
    Create Group Policy ....
