
Configuring the Privileged Account Management Module

Configuring the PAM module in IdentityIQ involves several steps:

  • Configuring applications to connect to your PAM vendor to aggregate data about PAM accounts and groups. The PAM application should include a collector to aggregate data about PAM vaults and permissions. See Configuring a PAM Application.

  • Setting global options for PAM, which determine things like how PAM containers can be modified within IdentityIQ, and which business process to use for provisioning PAM identities. See PAM Global Configuration Settings.

  • Configuring the tasks that will aggregate and index PAM data, and refresh identities. See Privileged Account Management Tasks: Aggregation, Indexing, and Refresh.

Configuring a PAM Application

The PAM module includes a PAM-specific application (connector) type: Privileged Account Management. To use the PAM feature, configure a PAM application to connect to each of your PAM vendor systems.

Applications should be configured to include both a connector and a target collector.

  • The connector aggregates users, groups, and containers into IdentityIQ.

  • The target collector reads in permissions users have on containers, and can write permissions back to the target system.

    Important

    The PAM connector type is based on IdentityIQ's SCIM 2.0 connector, with special schemas, object types, and policies. The SCIM 2.0 Connector documentation, which is available in the SailPoint documentation portal, gives detailed information about all the configuration parameters in this application definition. The information below provides some essential and PAM-specific information about configuring PAM applications.

To configure a PAM application:

  1. Click Applications > Application Definition > Add New Application.

  2. Enter a Name and Owner for the PAM application.

  3. For Application Type, choose Privileged Account Management.

  4. On the Configuration tab, click Settings to enter connection information. Note the following:

    • The Base URL is the URL to the PAM vendor's SCIM server.

    • The PAM connector type supports several methods for authentication. These are discussed in detail in Configuring Authentication for the PAM Application.

    Note

    For Thycotic implementations, it is not recommended that you select the Explicit Attribute Request setting, as this may cause issues when aggregating.

  5. Also on the Settings tab, add Permissions; these are the container permissions that will display for the PAM container in the PAM UI. The permissions you enter here should correspond to the permissions used by the vendor's PAM application, and will vary depending on vendor. To add a permission, type the permission name in the Permissions field and click the plus icon to add it.

  6. On the Provisioning Policies tab, edit the out-of-the-box policies for creating accounts and creating containers as needed. These policies determine which fields are presented to users when adding accounts or containers, and can also determine how container information is displayed in the Entitlement Catalog.

  7. Set up an Unstructured Target Collector for the application. This will aggregate permissions users and groups have on containers.

    1. Click the Unstructured Targets tab.

    2. Click Add New Unstructured Data Source.

    3. An Add or Create dialog appears. Click Create TargetSource.

    4. Enter a Name (required) and Description (optional).

    5. Choose or create a Correlation Rule for correlating the data. You can use the PAM Access Mapping Correlation Rule which is provided out of the box, or create your own rule.

    6. For Target Source Type, choose Privileged Account Management Collector.

    7. A new set of SCIM Settings fields is displayed. For the Base URL, enter the URL to the PAM vendor's SCIM server. For details on authentication settings, see Configuring Authentication for the PAM Application. For other fields, refer to the SCIM 2.0 Connector documentation.

    8. Save the data source.

  8. Optional: On the Rules tab, choose rules for managing your PAM application:

    • You can create a Customization Rule on the application to map external application names to internal IdentityIQ application names, and/or external users to IdentityIQ identities.

    • You can use the PAM Group Refresh rule (included with the PAM module) to make external groups non-requestable. You might want to make external groups non-requestable if, for example, your organization's process is for group membership to be requestable through an external application such as Active Directory; this is a common use case.

  9. Save the Application definition.

Configuring Authentication for the PAM Application

The PAM application supports three types of authentication:

Important

Details of how to obtain the necessary credentials will vary by solution provider, so you should consult your PAM solution provider's documentation for details.

OAuth 2.0

OAuth 2.0 is an industry-standard protocol for authorization. It provides a variety of authorization flows for web applications, desktop applications, mobile phones, and devices.

The PAM application supports several grant types for OAuth 2.0:

Refresh Token

This grant type is used by clients in order to exchange a refresh token for a new access token when the existing access token has expired. This allows the PAM application to get a new session when the current session expires, without having to re-authenticate as frequently. This grant type is commonly used together with Authorization Code to prevent a user from having to log in several times per day.

Note

Before any OAuth 2.0 token requests can be initiated, a Client ID and secret are necessary. Details of how to obtain the necessary credentials will vary by solution provider, so you should consult your PAM solution provider's documentation for details.

For more information see OAuth 2.0 Refresh Token.

To configure Refresh Token authentication:

  1. Enter the OAuth 2.0 Token URL for generating an access token. This URL is on the PAM solution provider side. Refer to your PAM solution provider system administrator or documentation for information about this URL.

  2. Enter the Client ID for OAuth 2.0 authentication. This is obtained from your PAM solution provider.

  3. Enter the Client Secret for OAuth 2.0 authentication. This is obtained from your PAM solution provider.

  4. Enter the Refresh Token used to generate an access token. This is obtained from your PAM solution provider.

Client Credentials

The Client Credentials grant is used when applications request an access token to access their own resources, not on behalf of a user.

Note

Before any OAuth 2.0 token requests can be initiated, a Client ID and secret are necessary. Details of how to obtain the necessary credentials will vary by solution provider, so you should consult your PAM solution provider's documentation for details.

For more information see OAuth 2.0 Client Credentials Grant.

To configure Client Credentials authentication:

  1. Enter the OAuth 2.0 Token URL for generating an access token. This URL is on the PAM solution provider side. Refer to your PAM solution provider system administrator or documentation for information about this URL.

  2. Enter the Client ID for OAuth 2.0 authentication. This is obtained from your PAM solution provider.

  3. Enter the Client Secret for OAuth 2.0 authentication. This is obtained from your PAM solution provider.

JWT

A JWT (JSON Web Token) securely authenticates the connection to an external application to perform operations as required. A JWT contains encoded JSON objects, and is signed using a signing algorithm to ensure that the claims cannot be altered after the token is issued. These tokens have a specific structure consisting of a header, payload, and signature.

JWTs can be used as OAuth 2.0 Bearer Tokens to encode all relevant parts of an access token into the access token itself instead of having to store them in a database.

You can use the Additional Payload field for systems where authentication may require additional parameters along with mandatory fields.

For example, if the PAM system expects the client_id and client_secret in the payload, then it must be provided in the Additional Payload field. The Additional Payload field accepts additional body parameters in JSON format.

For more information, see JWT Profile for OAuth 2.0 Access Tokens.

To configure JWT authentication:

  1. Enter the OAuth 2.0 Token URL for generating an access token. This URL is on the PAM solution provider side. Refer to your PAM solution provider system administrator or documentation for information about this URL.

  2. In the JWT Header field, you can add additional headers in JSON format if required. The header consists of the type of the token (JWT) and the signing algorithm being used. For example:

    {
        "typ" : "JWT",
        "alg" : "RS256"
    }
    
  3. Enter the JWT Issuer for authorization. The Issuer is the party that issued the JWT. For example: https://issuer.example.com/

  4. Enter the JWT Subject for authorization. The Subject is the user for which the access token is being requested. For example: 145234573

  5. Enter the JWT Audience. This is the recipient for which the JWT is intended, and takes the form of an array of case-sensitive strings, each containing a StringOrURI value.

  6. You can add Additional Payload details as needed. See above for details about Additional Payload values.

  7. Enter the Private Key and the corresponding Private Key Password to be used to sign the JWT.

Password

The Password grant type is a way to exchange a user's credentials for an access token. Although this type is supported, it is considered less secure than other grant types.

You can use the Additional Payload field for systems where authentication may require additional parameters along with mandatory fields.

For example, if the PAM system expects the client_id and client_secret in the payload, then it must be provided in the Additional Payload field. The Additional Payload field accepts additional body parameters in JSON format.

For more information see OAuth 2.0 Password Grant.

To configure Password authentication:

  1. Enter the OAuth 2.0 Token URL for generating an access token. This URL is on the PAM solution provider side. Refer to your PAM solution provider system administrator or documentation for information about this URL.

  2. Enter the OAuth 2.0 Username and the corresponding Password.

You can add Additional Payload details as needed. See above for details about Additional Payload values.

API Token

API tokens allow a user to bypass two-step verification and SSO in order to authenticate and retrieve data; this method requires only an API Token. The token is self-contained and contains all the information it needs for authentication. The token type must be included with the value. For example:

Bearer <AUTH TOKEN>

For more information see OAuth Access Tokens.

Basic Authentication

Basic Authentication is a simple method for authenticating, requiring only a Username and Password.

For Basic Authentication, it is a best practice to set up an identity within IdentityIQ specifically for performing this authentication.

PAM Global Configuration Settings

Part of configuring the PAM module is configuring global settings for the module. Global settings include things like how PAM containers can be modified within IdentityIQ, and which business process to use for provisioning PAM identities.

To configure PAM's global settings, click the gear icon > Global Settings > IdentityIQ Configuration and select the Privileged Account Management tab.

Define the following:

Enable adding and removing identities in PAM containers
Allow PAM users to manually add or remove identities on the container details page.

Enable adding and removing privileged items in PAM containers
Allow PAM users to manually add or remove privileged items on the container details page.

Enable owners to modify PAM containers
Allow owners of PAM containers to change or edit their containers.

Enable the creation of PAM containers
Allow PAM users to manually add PAM containers on the Privileged Account Management page.

The maximum number of selectable users in Privileged Account Management
The maximum number of identities you can take action on at one time in the PAM module.

The workflow used to provision identities
The workflow, or business process, that defines the provisioning process for the PAM Module. Business processes are defined and maintained on the Business Process Editor page. See Business Processes for more information.

A rule to filter privileged items that can be added to containers
You can use a rule to add business logic to limit which privileged items can be added to PAM containers. Rules must be of rule type PrivilegedItemSelector to be included in the dropdown list. You can also click the [...] icon to open the rule editor to create or edit a rule.

Allowing View-Only Access to PAM Containers

To give users view-only access to PAM containers and their data, you can grant the PAM Viewer capability to those users.

For details on how to grant capabilities to users, see the User Rights Tab.

Privileged Account Management Tasks: Aggregation, Indexing, and Refresh

Once your PAM applications have been configured to connect to your PAM vendors, and your PAM global settings have been configured, you can aggregate data from your PAM vendor systems. Data is aggregated using tasks. In addition to data aggregation tasks, tasks for indexing effective access and for updating identities should be configured for PAM.

The following tasks are required for the PAM feature, and should be run in this sequence:

  • Account Aggregation – this task aggregates PAM accounts from your PAM vendor. Other than setting the PAM application as the application to scan, there are no options specific to PAM; you can choose Account Aggregation Options that suit your business needs.

  • Account Group Aggregation – this task aggregates group information from your PAM vendor. Other than setting the PAM application as the application to scan, there are no options specific to PAM; you can choose Account Group Aggregation Options that suit your business needs.

  • Target Aggregation – this task aggregates data about PAM vaults and the rights that users have to those vaults. Configure the task to select your PAM Target Source (that is, the Unstructured Target Collector you configured when setting up your PAM application) as the target source to aggregate.

  • Effective Access Indexing – this task refreshes the effective access privileges on the PAM containers; that is, container access that is granted by virtue of membership in a group. Check the Index Entitlement Targets and Index unstructured targets options when running this task for PAM.

  • Identity Refresh – this task refreshes identities with relevant PAM group and permissions data. For PAM, run this task with the Refresh Identity Entitlements for all links option selected.

Refer to Tasks for detailed information on defining tasks.

The Privileged Account Quicklink is added to your Quicklink menu during the installation process, under the Manage Access sub-menu.

You can manually add a Quicklink card to your Home page as well.

  1. Go to your Home page.

  2. Click Edit.

  3. Click Add Card.

  4. Select Privileged Account Management and Save.

  5. Save again on the Home Edit page to load the card.

For more information about Quicklinks and Quicklink cards, see QuickLinks and QuickLink Cards.