Securing the Active Directory Application
Secure the Active Directory application on each of the following communication paths, according to the operations performed over that path:
- IdentityIQ and Active Directory Domain Controller / target system: for read operations *
- IdentityIQ and IQService: for provisioning operations **
- IQService and Active Directory Domain Controller / target system: for provisioning operations **
The asterisks mark the following:
* IQService is also used for read operations on Skype and terminal attributes, if these are defined in the schema.
** Out of the box, IQService uses a fixed, known default encryption key that is set when IQService is installed. This lets IdentityIQ communicate with IQService without any encryption-specific configuration being put in place ahead of time, while still encrypting the data payload. No data encrypted with these keys persists on disk, so an observer would have to capture the data in flight to decrypt any communication. Because the communication stream is so short-lived and transitory, the risk associated with using the default keys here is considered extremely low. The risk can be reduced further with deployment-specific keys, which can be easily configured using the IQService public key exchange task.
From this point forward, IdentityIQ and IQService use TLS for encrypting the XML data payload.
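The following added example (not SailPoint code, and not the IQService wire protocol or cipher) models the two key-management modes described above, so the risk statement can be checked concretely. A payload is encrypted with a toy HMAC-SHA256 keystream cipher under (a) a fixed default key that a passive observer also knows, and (b) a deployment-specific key that both sides derive through a Diffie-Hellman style public-key exchange, which the observer cannot reproduce from the public values it records. The default key value, the DH group (a small Mersenne prime, far too small for real use), the sample ProvisioningPlan payload and all function names are constructed assumptions for this illustration; the TLS path mentioned above is not modelled.

```python
"""Toy model of default-key versus exchanged-key protection for the
IdentityIQ -> IQService payload. Constructed example; not SailPoint's
protocol, cipher, or real default key."""
import hashlib
import hmac
import secrets
from typing import Tuple

# Constructed sample payload (not a real IdentityIQ provisioning plan).
SAMPLE_PAYLOAD = b"<ProvisioningPlan op='Modify' identity='jdoe'/>"

# Mode (a): a fixed, installed-by-default key. Placeholder value; the point is
# that every installation, and therefore any observer, knows it.
DEFAULT_KEY = hashlib.sha256(b"placeholder-default-key").digest()

# Mode (b): toy Diffie-Hellman group. 2**127 - 1 is prime, but this group is
# only for illustration and offers no real security margin.
TOY_P = 2 ** 127 - 1
TOY_G = 3


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a toy stream cipher keystream."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, payload: bytes) -> bytes:
    """Prefix a fresh 16-byte nonce, then XOR the payload with the keystream."""
    nonce = secrets.token_bytes(16)
    ks = keystream(key, nonce, len(payload))
    return nonce + bytes(a ^ b for a, b in zip(payload, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Reverse of encrypt(); a wrong key simply yields garbage bytes."""
    nonce, body = blob[:16], blob[16:]
    ks = keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def dh_keypair() -> Tuple[int, int]:
    """Return (private exponent, public value) in the toy group."""
    priv = secrets.randbelow(TOY_P - 2) + 1
    return priv, pow(TOY_G, priv, TOY_P)


def dh_shared_key(priv: int, peer_pub: int) -> bytes:
    """Derive a 32-byte symmetric key from the shared DH secret."""
    shared = pow(peer_pub, priv, TOY_P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def observer_view(mode: str) -> Tuple[bytes, bytes]:
    """Simulate one encrypted provisioning request under `mode`.

    Returns (bytes IQService recovers, bytes a passive observer recovers).
    The observer records every byte on the wire but holds no private value.
    """
    if mode == "default":
        key_iiq = key_iqs = DEFAULT_KEY
        key_observer = DEFAULT_KEY  # the installed default is public knowledge
    elif mode == "exchanged":
        priv_iiq, pub_iiq = dh_keypair()
        priv_iqs, pub_iqs = dh_keypair()
        key_iiq = dh_shared_key(priv_iiq, pub_iqs)
        key_iqs = dh_shared_key(priv_iqs, pub_iiq)
        # The observer saw only the two public values; any key it derives
        # from those alone does not match the shared secret.
        seen = pub_iiq.to_bytes(16, "big") + pub_iqs.to_bytes(16, "big")
        key_observer = hashlib.sha256(seen).digest()
    else:
        raise ValueError("mode must be 'default' or 'exchanged'")
    blob = encrypt(key_iiq, SAMPLE_PAYLOAD)
    return decrypt(key_iqs, blob), decrypt(key_observer, blob)


if __name__ == "__main__":
    for mode in ("default", "exchanged"):
        recovered, leaked = observer_view(mode)
        print(f"{mode:9s} IQService ok: {recovered == SAMPLE_PAYLOAD}  "
              f"observer reads payload: {leaked == SAMPLE_PAYLOAD}")
```

Running the block shows that in both modes IQService recovers the payload, but only in default-key mode does the observer read it too; this is exactly the exposure that the public key exchange task removes, and it is why the remaining risk with default keys depends entirely on how hard it is to capture the traffic in flight.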
Note
SailPoint recommends securing every communication path for the Active Directory application by following the configurations outlined