Configuring HP Service Manager (MicroFocus) for IdentityIQ Integration

This section provides the required information for configuring IdentityIQ to integrate with HP Service Manager. This integration enables IdentityIQ to create tickets for requested revocations, track ticket numbers in association with revocation tasks, and update IdentityIQ with the status of current tickets.

SailPoint provides a default HP Service Manager Service Integration configuration. This configuration implements the integration between IdentityIQ and the HP Service Manager (MicroFocus) to fulfill creation of tickets based on IdentityIQ access certification remediation events.

Configuration

  • The default configuration is located in the iiqHome/WEB-INF/config/ directory, where iiqHome is the location where IdentityIQ was installed.

  • When integrating with the following requests, modify the respective configuration files and import them into IdentityIQ:

    | Request          | XML file                                         |
    |------------------|--------------------------------------------------|
    | Service Request  | HPServiceManagerIntegrationConfigForRequest.xml  |
    | Incident Request | HPServiceManagerIntegrationConfigForIncident.xml |
    | Change Request   | HPServiceManagerIntegrationConfigForChange.xml   |

  • The integration configuration must include the following entries:

    • endpoint: URL to the web service

    • namespace: namespace of the XML returned by the web service

    • prefix: prefix associated with the namespace

    Note
    For more information on the entries in the IntegrationConfig file, refer to Creating the IntegrationConfig Object.

  • The integration configuration includes the following entries if the web service side of the integration is configured for authentication using the SOAP authentication specifications:

    • username

    • password

    • statusMap

    • statusMapClosureCode

    The web services and authentication entries are consumed by configuration entries for each web service. They can be positioned either within the configuration entries themselves or as children of the Attributes element. Entries that are children of the Attributes element can be thought of as global values, while entries within the configuration entities can be thought of as local.

    For example, if both entries share the same authentication credentials, those credentials might be placed in the Attributes element as peers of the configuration entries and the integration code searches the parent entry for the credentials if they are not found in the configuration entries. Conversely, if the configuration entries have different endpoints (are handled by separate web services), each configuration entry specifies the endpoint of the web service to call and any value outside of the configuration entry is ignored.

  • Following are the supported configuration entries for integration with HP Service Manager. These entries are children of the integration Attributes element:

    • provision

    • getRequestStatus

    The values of each are Map elements containing key/value pairings of the configuration data. They contain the specific data needed by the provision() and getRequestStatus() methods of the IdentityIQ integration executor and correspond to HP Service Manager Web Service methods.

    The provision and getRequestStatus entries contain the following entries:

    Note
    Items marked with an asterisk (*) are required entries.

    | Entries          | Description |
    |------------------|-------------|
    | soapMessage*     | Full XML template of the entire SOAP envelope that is sent to the web service. The integration code first runs this template through Apache's Velocity template engine to provide the data needed by the web service. |
    | responseElement* | Name of the element containing the results of the web service call (for example, the element containing the ticket number opened by the web service in response to the call from IdentityIQ). |
    | SOAPAction*      | Action of the SOAP request |
    | endpoint*        | HP Service Manager endpoint to which the create-ticket and get-ticket-status requests are sent |
    | namespace*       | Namespace of the XML returned by the web service |
    | prefix*          | Prefix associated with the namespace |

    Before a template is sent to the web service, it is processed by the Velocity template engine. The integration code provides different data objects to Velocity for evaluation based on the integration method.

    The following calls pass the respective objects to Velocity:

    | Call             | Objects          | Description |
    |------------------|------------------|-------------|
    | provision        | config           | The integration configuration for provision, represented as a Map |
    |                  | provisioningPlan | The data model of the provision request |
    | getRequestStatus | config           | The integration configuration for getRequestStatus, represented as a Map |
    |                  | requestID        | The string ID of the request whose status is being queried |

    Both calls have access to a timestamp variable containing a current Date object and a dateFormatter object. The dateFormatter is built using an optional dateFormat attribute from the config object. If the dateFormat attribute does not exist, the formatter defaults to the pattern EEE, d MMM yyyy HH:mm:ss z.
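
The local-before-global lookup and the required (*) entries described above can be checked before a modified file is imported. The following Python is an added example, not SailPoint code: the sample XML, its element layout (Attributes/Map/entry with a nested value/Map) and every value in it are constructed assumptions, so compare the layout with the shipped configuration files. It also reports a call whose effective configuration has a username but a non-HTTPS endpoint, because the credentials would then travel unencrypted.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REQUIRED = ("soapMessage", "responseElement", "SOAPAction", "endpoint", "namespace", "prefix")

# Constructed sample: every value and the element layout are assumptions.
SAMPLE = """<IntegrationConfig name="HPSM-sample"><Attributes><Map>
  <entry key="username" value="svc_iiq"/>
  <entry key="password" value="PLACEHOLDER"/>
  <entry key="namespace" value="http://example.invalid/SM/7"/>
  <entry key="prefix" value="ns"/>
  <entry key="provision"><value><Map>
    <entry key="endpoint" value="http://hpsm.example.invalid/SM/7/ws?a=1&amp;b=2"/>
    <entry key="SOAPAction" value="Create"/>
    <entry key="responseElement" value="TicketID"/>
    <entry key="soapMessage"><value><String>(envelope)</String></value></entry>
  </Map></value></entry>
  <entry key="getRequestStatus"><value><Map>
    <entry key="endpoint" value="https://hpsm.example.invalid/SM/7/ws"/>
    <entry key="SOAPAction" value="Retrieve"/>
    <entry key="soapMessage"><value><String>(envelope)</String></value></entry>
  </Map></value></entry>
</Map></Attributes></IntegrationConfig>"""

def read_map(map_el):
    """Turn a <Map> of <entry> elements into a dict, recursing into nested maps."""
    out = {}
    for e in map_el.findall("entry"):
        child = e.find("value/*")
        if child is None:
            out[e.get("key")] = e.get("value")
        else:
            out[e.get("key")] = read_map(child) if child.tag == "Map" else (child.text or "").strip()
    return out

def check(xml_text):
    """List problems; a call's own entries win, Attributes-level ones are fallback."""
    try:
        top = ET.fromstring(xml_text).find("Attributes/Map")
    except ET.ParseError as err:
        return [f"not well-formed (unescaped & in a value?): {err}"]
    glob = read_map(top) if top is not None else {}
    findings = []
    for call in ("provision", "getRequestStatus"):
        local = glob.get(call) if isinstance(glob.get(call), dict) else {}
        eff = {k: local.get(k) or glob.get(k) for k in REQUIRED + ("username",)}
        findings += [f"{call}: missing {k}" for k in REQUIRED if not eff[k]]
        if eff["endpoint"] and eff["username"] and urlparse(eff["endpoint"]).scheme != "https":
            findings.append(f"{call}: credentials sent to non-HTTPS endpoint")
    return findings
```

On the constructed sample, check(SAMPLE) reports the cleartext endpoint for provision and the missing responseElement for getRequestStatus, while namespace and prefix resolve from the Attributes-level entries for both calls.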

Mappings for Service, Incident and Change Request

If any changes are required in the mapping, change the key/value entries in "statusMap" and "statusMapClosureCode" as listed in the following tables for Service, Incident and Change Request:

Service Request

statusMap

| Entry Key                      | Values    |
|--------------------------------|-----------|
| Categorize                     | inProcess |
| Assign                         | inProcess |
| Dispatched                     | inProcess |
| In Progress                    | inProcess |
| Resolved                       | committed |
| Suspended                      | inProcess |
| Closed                         | committed |
| Pending Other                  | inProcess |
| Referred                       | inProcess |
| Replaced Problem               | inProcess |
| Open                           | inProcess |
| Open - Linked                  | inProcess |
| Open - Idle                    | inProcess |
| Accepted                       | inProcess |
| Rejected                       | failure   |
| Work In Progress               | inProcess |
| Pending Customer               | inProcess |
| Pending Vendor                 | inProcess |
| Pending Change                 | inProcess |
| Pending Evidence               | inProcess |
| Pending Vendor/Supplier        | inProcess |
| Withdrawal Requested           | failure   |
| initial                        | inProcess |
| waiting                        | inProcess |
| reopened                       | inProcess |
| closed                         | committed |
| Denied Service Catalog Request | failure   |

Status Map Closure Codes

Incident Closure Codes

| Entry Key                        | Values    |
|----------------------------------|-----------|
| Automatically Closed             | committed |
| Cancelled                        | failure   |
| Fulfilled                        | committed |
| Not Reproducible                 | committed |
| Out of Scope                     | committed |
| Request Rejected                 | failure   |
| Solved by Change/Service Request | committed |
| Solved by User Instruction       | committed |
| Solved by Workaround             | committed |
| Unable to solve                  | failure   |
| Withdrawn by User                | failure   |
| Invalid                          | failure   |

Request Fulfilment Closure Codes

| Entry Key                            | Values    |
|--------------------------------------|-----------|
| 1 - Successful                       | committed |
| 2 - Successful (with problems)       | committed |
| 3 - Failed                           | failure   |
| 4 - Rejected (financial)             | failure   |
| 5 - Rejected (technical)             | failure   |
| 6 - Rejected (security)              | failure   |
| 7 - Withdrawn                        | failure   |
| 8 - Withdrawal requested by customer | failure   |
| 9 - Cancelled                        | failure   |
| 10 - Denied request fulfillment      | failure   |
| 11 - Automatically Closed            | committed |

Change Request Closure Codes

| Entry Key | Values    |
|-----------|-----------|
| 1         | committed |
| 2         | committed |
| 3         | failure   |
| 4         | failure   |
| 5         | failure   |
| 6         | failure   |

Incident Request

statusMap

| Entry Key        | Values    |
|------------------|-----------|
| Closed           | committed |
| Pending Other    | inProcess |
| Referred         | inProcess |
| Replaced Problem | inProcess |
| Resolved         | committed |
| Open             | inProcess |
| Accepted         | inProcess |
| Rejected         | failure   |
| Work In Progress | inProcess |
| Pending Customer | inProcess |
| Pending Vendor   | inProcess |
| Pending Change   | inProcess |

 
Status Map Closure Codes

| Entry Key                        | Values    |
|----------------------------------|-----------|
| Automatically Closed             | committed |
| Not Reproducible                 | committed |
| Out of Scope                     | committed |
| Request Rejected                 | committed |
| Solved by Change/Service Request | committed |
| Solved by User Instruction       | committed |
| Solved by Workaround             | committed |
| Unable to solve                  | failure   |
| Withdrawn by User                | failure   |
| Diagnosed Successfully           | committed |
| No Fault Found                   | committed |
| No User Response                 | failure   |
| Resolved Successfully            | committed |

Change Request

statusMap

| Entry Key | Values    |
|-----------|-----------|
| initial   | inProcess |
| waiting   | inProcess |
| reopened  | inProcess |
| closed    | committed |

Status Map Closure Codes

| Entry Key                      | Values    |
|--------------------------------|-----------|
| 1 - Successful                 | committed |
| 2 - Successful (with problems) | committed |
| 3 - Failed                     | failure   |
| 4 - Rejected                   | failure   |
| 5 - Withdrawn                  | failure   |
| 6 - Cancelled                  | failure   |

Configuration Procedure

The following steps should be performed to modify the default HP Service Manager Service Integration configuration for a specific HP Service Manager Server.

  1. Obtain the environment-specific Web Service "endpoint", for example:

    http://<host>:<port>/SM/7/ws.

  2. (For HP Service Manager 9.5 or later)

    • HPServiceManagerIntegrationConfigForIncident: Set Service as a Configuration Item Identifier. For example:

      <ns:Service type="String" mandatory="" readonly="">CI1001030</ns:Service>

    • HPServiceManagerIntegrationConfigForChange:

      • Set Category as a Standard Change. For example:

        <ns:Category type="String" mandatory="" readonly="">Standard Change</ns:Category>

      • Set Service as a Configuration Item Identifier. For example:

        <ns:Service type="String" mandatory="" readonly="">CI1001030</ns:Service>

  3. Once you are familiar with the WSDL, modify the default IdentityIQ HP Service Manager configuration using the information collected about the web service.

    • In the <IntegrationConfig> element of the integration configuration, modify the username and password entries in the attributes map to contain the credentials required for authentication to the web service.

    • In the <IntegrationConfig> element of the integration configuration, modify the provision entry of the Attributes map by setting the endpoint, and, if necessary, the namespace, the prefix, the responseElement, and the soapMessage attributes (the default values: IdentityIQ HP Service Manager IntegrationConfig):

      1. Set the value for endpoint to the value located in the WSDL earlier.

        Note
        The value in the IdentityIQ integration configuration must be a valid HTTP URL and have any special characters escaped. The most common change that must be made is to replace all & symbols with &amp;.

      2. The value for namespace comes from the targetNamespace attribute of the xsd:schema element in the WSDL.

      3. The value for prefix is the prefix of the XML elements that will be contained in the SOAP response.

      4. The value for responseElement should be the HP Service Manager form field that corresponds to the id of the form that the web service creates.

      5. The value for soapMessage should be the SOAP message body that IdentityIQ will send to HP Service Manager. The exact format of this message is a function of the form that is published as described by the form's WSDL. The XML elements in the soapenv:Body element should be changed to match the HP Service Manager form fields for the published web service. Each required HP Service Manager form field must have an element in the SOAP message. The value can be fixed or can be a variable that will be substituted using IdentityIQ's Velocity templating.

        Note
        For more information on <ManagedResources> in the IntegrationConfig file, refer to Identity Management Integration Configuration.

  4. (Only for Service Request and MicroFocus version 9.7) In the <IntegrationConfig> element of the integration configuration, modify the catalogItem entry of the attributes map. Provide the Managed Application name as the key and the Request Item Name as the value. This request item must be present on HP Service Manager's Service Request.
    For example:

    <entry key="Demo App1" value="Identity Access Request Item"/>

  5. (Only for Service Request) Modify the Rule for applicationName and set its value to the name of the application created while importing HP Users in IdentityIQ.

    Note
    In the Rule, attributeName represents the Application's link attribute and is used to populate the requestedFor field in the Service Request.

  6. (For MicroFocus version 9.7 only) Replace all occurrences of incident.id in the HPServiceManagerIntegrationConfigForRequest.xml file with InteractionID.

The information in the reference section above shows the variables that are provided, and the example integration configuration provides examples of how they are used.