(General Settings) Basic Configuration Parameters
The SailPoint IdentityIQ Web Services Connector uses the following list for basic configuration parameters.
Important
Each parameter and its description are listed in the following format:
Description of the parameter.
This enables a button that displays a window in which users can add the name of the object type.
For example, Group Aggregation - Role
The base URL used to connect to the web service managed system.
The authentication method supported by the managed system:
- OAuth2
- API Token
- Basic Authentication
- No / Custom Authentication
Note
- If No / Custom Authentication is selected, refer to Configuration for No / Custom Authentication for the configuration of specific use cases.
- SOAP Web Services support only the ‘Basic Authentication’ method.
Enter the attribute name and value used to set the account status while loading accounts. Accounts whose specified attribute has the specified value are marked Enabled; all other accounts are marked Disabled.
For example, if you enter status=Active, all accounts whose status attribute is set to Active will be enabled.
Note
This attribute has the following limitations:
- The feature supports only single-valued status attributes.
- Conditional operators are not supported. Examples of unsupported expressions:
  status=Active || status=Pending
  status=Active && status=Pending
- The connector cannot select the n-th element (including the first element) from a list. The supported value types for this feature are string, integer, and Boolean.
For example, the expression
values[?(@.name=="accountDisabled")].values[0]
evaluates to a list and is therefore not supported. Implement a Web Services After Operation Rule to configure enable/disable of accounts for such scenarios. For more information, refer to Web Services After Operation Rule.
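The following is an added example, not SailPoint connector code: a small re-implementation of the status attribute setting that models its documented limits (single-valued attributes, no || or && operators, a list value handed off to a rule instead) over constructed sample accounts.

```python
# Added example, not SailPoint connector code. Accounts whose attribute
# equals the configured value are Enabled; every other account is Disabled.
# The connector's real parsing is not published; this models only the
# limits the documentation states.

def parse_status_setting(setting):
    """Parse 'attr=value' into (attr, value), rejecting what the connector
    documents as unsupported."""
    if "||" in setting or "&&" in setting:
        raise ValueError("conditional operators are not supported: %r" % setting)
    if setting.count("=") != 1:
        raise ValueError("expected exactly one attr=value pair: %r" % setting)
    attr, value = (part.strip() for part in setting.split("="))
    if not attr or not value:
        raise ValueError("attribute name and value are both required: %r" % setting)
    return attr, value

def account_status(account, attr, expected):
    """Return 'Enabled' or 'Disabled' for one account, given as a dict of
    attribute -> value as returned by the web service."""
    value = account.get(attr)
    if isinstance(value, (list, tuple, dict)):
        # A list (e.g. the values[0] JSONPath case) is outside the setting's
        # scope; the page points to a Web Services After Operation Rule.
        raise TypeError("status attribute %r is multi-valued on account %r"
                        % (attr, account.get("id")))
    if isinstance(value, bool):          # Boolean: compare case-insensitively
        return "Enabled" if str(value).lower() == expected.lower() else "Disabled"
    if value is None:                    # attribute absent -> Disabled
        return "Disabled"
    return "Enabled" if str(value) == expected else "Disabled"   # string / integer

def apply_status(accounts, setting):
    """Map account id -> status for every account in one aggregation batch."""
    attr, expected = parse_status_setting(setting)
    return {acct["id"]: account_status(acct, attr, expected) for acct in accounts}

# Constructed sample accounts (not real data)
SAMPLE_ACCOUNTS = [
    {"id": "u1", "status": "Active"},
    {"id": "u2", "status": "Pending"},
    {"id": "u3", "status": 1},
    {"id": "u4"},
]

if __name__ == "__main__":
    print(apply_status(SAMPLE_ACCOUNTS, "status=Active"))
```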
Duration of time allowed, in seconds, for the application to respond to a request. If the duration expires with no response, the request fails.
Configure the client certificate and its authentication.
- Client Certificate* – Client certificate for authentication.
- Certificate Key* – Client certificate’s private key.
The SailPoint Web Services connector supports only the PEM format for the client certificate and the certificate’s private key.
Additionally, the Web Services connector expects the PEM private key to be an RSA PEM private key. The following procedure converts the private key to an RSA private key on a Windows computer:
- Download openssl-1.0.2q-x64_86-win64.zip and extract it.
- Open a command prompt (cmd) in the OpenSSL path.
- Copy the Private_ADP_Key.key file to the extracted OpenSSL path.
- Run the following command:
  openssl rsa -in Private_ADP_Key.key -out rsa_private_key.pem
- Use the resulting rsa_private_key.pem in the connector.
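As an added pre-flight check (example code, not part of the connector or this page), the script below inspects the PEM files before they are entered as Client Certificate and Certificate Key and reports whether the key already carries the RSA PRIVATE KEY header, still needs the openssl rsa conversion above, or cannot be used as-is. The sample PEM bodies are constructed (a minimal DER SEQUENCE), not real key material.

```python
import base64
import re

# Added example, not connector code: pre-flight check of PEM input for the
# Client Certificate / Certificate Key parameters.
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der)] for each PEM block; der is None when the body is
    not valid base64 or does not start with a DER SEQUENCE (0x30)."""
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        body = re.sub(r"\s+", "", m.group(2))
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            der = None
        if der is not None and (not der or der[0] != 0x30):
            der = None
        blocks.append((m.group(1), der))
    return blocks

def classify_private_key(text):
    """'ok': PKCS#1 header the connector expects; 'convert': unencrypted
    PKCS#8, run `openssl rsa -in key -out rsa_private_key.pem` (openssl will
    refuse a PKCS#8 key that does not wrap RSA); 'encrypted': decrypt first;
    'unsupported': no usable private key block found."""
    labels = {label for label, der in pem_blocks(text) if der is not None}
    if "RSA PRIVATE KEY" in labels:
        return "ok"
    if "ENCRYPTED PRIVATE KEY" in labels:
        return "encrypted"
    if "PRIVATE KEY" in labels:
        return "convert"
    return "unsupported"

def has_certificate(text):
    """True when text holds at least one well-formed CERTIFICATE block."""
    return any(label == "CERTIFICATE" and der is not None
               for label, der in pem_blocks(text))

# Constructed samples: "MAMCAQA=" is the DER SEQUENCE { INTEGER 0 }
PKCS8_KEY = "-----BEGIN PRIVATE KEY-----\nMAMCAQA=\n-----END PRIVATE KEY-----\n"
PKCS1_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQA=\n-----END RSA PRIVATE KEY-----\n"
BAD_KEY = "-----BEGIN RSA PRIVATE KEY-----\nnot base64!\n-----END RSA PRIVATE KEY-----\n"
CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQA=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, pem in [("pkcs8", PKCS8_KEY), ("pkcs1", PKCS1_KEY), ("bad", BAD_KEY)]:
        print(name, classify_private_key(pem))
```

The openssl-1.0.2q build named above writes the RSA PRIVATE KEY header directly but is an end-of-life release; a current OpenSSL 3.x writes PKCS#8 by default, so add -traditional to `openssl rsa` there to produce the header this check expects.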
Attributes for Authentication Method: OAuth2
Note
For more information on configuration attributes for OAuth 2.0 authentication, refer to Additional Configuration Attributes for OAuth2.
Select the type of grant used for OAuth 2.0 authentication:
- Refresh Token
- JWT
- Client Credentials
- Password
- SAML Bearer Assertion
(Optional for JWT and SAML Bearer Assertion) Client Id for OAuth2 authentication.
(Optional for JWT and SAML Bearer Assertion) Client Secret for OAuth2 authentication.
URL from which the connector can retrieve application-generated access tokens.
Token URL supports placeholders for the dynamic replacement of application attributes.
For example, if the token URL requires sensitive preset information such as the client_secret, you can configure $application.client_secret$ as the attribute value. This ensures that the corresponding value is supplied by the application in the token URL.
(Applicable if Grant Type is selected as SAML Bearer Assertion) URL for generating the SAML Assertion.
If the SAML Assertion URL requires sensitive preset information such as a password, you can configure $application.saml_password$ as the attribute value. Setting this value ensures that the corresponding value is supplied by the application in the SAML Assertion URL.
(Applicable if Grant Type is selected as SAML Bearer Assertion) Request Body for generating the SAML Assertion.
SailPoint recommends using $application.saml_username$ and $application.saml_password$ as placeholders in the request body to hide sensitive data.
(Applicable if Grant Type is selected as Password and optional for SAML Bearer Assertion) Username of the resource owner.
(Applicable if Grant Type is selected as Password and optional for SAML Bearer Assertion) Password of the resource owner.
(Applicable if Grant Type is selected as Refresh Token) A valid refresh token for grant type authentication.
(Applicable if Grant Type is selected as JWT) The private key to be used to sign the JWT.
(Applicable if Grant Type is selected as JWT) Password for the provided private key.
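The placeholder mechanism described for the Token URL, the SAML Assertion URL and the SAML request body, as an added example that is not connector code: it resolves $application.<name>$ from an application configuration dict and flags secrets that were pasted in literally instead of referenced by placeholder. Percent-encoding of values inserted into a URL is an assumption of this example; the page does not state how the connector encodes them.

```python
import re
from urllib.parse import quote

# Added example, not SailPoint connector code.
PLACEHOLDER = re.compile(r"\$application\.([A-Za-z_]\w*)\$")

def resolve_placeholders(template, app_config, url_context=False):
    """Replace every $application.NAME$ with app_config[NAME].
    An unknown NAME raises KeyError so a misspelt placeholder fails loudly
    instead of being sent to the identity provider as a literal string."""
    def repl(match):
        name = match.group(1)
        if name not in app_config:
            raise KeyError("no application attribute %r for %s" % (name, match.group(0)))
        value = str(app_config[name])
        # Assumption: values placed in a URL are percent-encoded.
        return quote(value, safe="") if url_context else value
    return PLACEHOLDER.sub(repl, template)

def inline_secrets(template, app_config,
                   secret_names=("client_secret", "saml_password", "password")):
    """Names of secret attributes whose literal value appears in the template,
    i.e. a secret was pasted in rather than referenced by placeholder."""
    return [n for n in secret_names
            if n in app_config and str(app_config[n]) in template]

# Constructed sample configuration and templates (not real credentials)
APP_CONFIG = {
    "client_id": "iiq-client",
    "client_secret": "example-secret/with slash",
    "saml_username": "svc-iiq",
    "saml_password": "example p@ss",
}
TOKEN_URL = ("https://idp.example.com/oauth/token"
             "?client_id=$application.client_id$&client_secret=$application.client_secret$")
SAML_BODY = '{"username": "$application.saml_username$", "password": "$application.saml_password$"}'

if __name__ == "__main__":
    print(resolve_placeholders(TOKEN_URL, APP_CONFIG, url_context=True))
    print(resolve_placeholders(SAML_BODY, APP_CONFIG))
    print(inline_secrets(SAML_BODY, APP_CONFIG))
```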
Attribute for Authentication Method: API Token
Enter the API token specific to the Managed System.
Attributes for Authentication Method: Basic
Username for the service account with permission to execute the Web Service.
Password to authenticate the service account.