Getting Started with AI-Driven Identity Security for IdentityIQ
SailPoint AI-Driven Identity Security can be configured to analyze identity and access data from IdentityIQ. The following sections discuss how to get started using AI-Driven Identity Security with IdentityIQ.
AI-Driven Identity Security for IdentityIQ is accessed in the Identity Security Cloud tenant. IdentityIQ users must work with SailPoint Professional Services to create a tenant and deploy a virtual appliance (VA).
The VA is a Linux-based virtual machine that is deployed inside your corporate network or in a cloud environment where you control and manage its access to your IdentityIQ implementation. The VA allows collection of your IdentityIQ data for analysis. Once the VA is deployed and configured, IdentityIQ users can start using Access History in their tenant.
There are additional configuration and activation steps to complete before IdentityIQ users can start using Access Modeling or Access Recommendations.
Connecting IdentityIQ and AI-Driven Identity Security
Work through the steps in the following sections to connect IdentityIQ to AI-Driven Identity Security:
- Verify requirements.
- Provide administrator access information.
- SailPoint creates the tenant.
- Gather information for virtual appliance deployment.
- Deploy one virtual appliance (VA) with the IAI Harvester VA cluster type.
  Important: Only one VA is required to connect IdentityIQ to AI-Driven Identity Security.
- Create an IdentityIQ data source in your tenant.
- If you have Access Modeling, configure IdentityIQ for Access Modeling.
- If you have Access Recommendations, activate Access Recommendations for IdentityIQ.
Verifying Requirements
To begin connecting AI-Driven Identity Security to IdentityIQ, verify the following system, network, and software requirements:
- Your system and network must meet the requirements for VA deployments with IdentityIQ.
- Your browser and operating system (OS) must be supported. AI-Driven Identity Security is accessed through an Identity Security Cloud tenant.
- You must be running IdentityIQ version 8.1 or higher. These versions include support for AI-Driven Identity Security.
- If you plan to use the HTTP proxy virtual appliance configuration and you have IdentityIQ version 8.3p1 or earlier, a patch upgrade is required. Install the patch upgrade before connecting AI-Driven Identity Security to IdentityIQ. Contact Professional Services for more information.
Providing Administrator Access Information
After purchasing AI-Driven Identity Security, you will receive a welcome email from your Customer Success Manager (CSM) that outlines the onboarding process. You will be asked to provide the following administrator access information:
- A shared admin email address or group/distribution list.
  This email address or group/distribution list will be used to create the initial admin account and typically serves as a unique, generic account for emergency access. This email address should not be a user email address, as it will conflict with user details brought in from the source system.
- Email addresses for any individual users that should have access to the tenant for AI-Driven Identity Security features.
Creating the Identity Security Cloud Tenant
SailPoint sets up your tenant and notifies you when it is accessible. After a tenant is created, you will receive an email invitation from SailPoint.
Unless you have arranged in advance for a different URL, your tenant URL will be [CustomerName].identitynow.com.
Note: FedRAMP customers will use the following URL: [CustomerName].saas.sailpointfedramp.com.
Generating IdentityIQ API Authentication Credentials
IdentityIQ API authentication credentials are required when creating the data source and when configuring automatic role creation.
Complete the following steps in IdentityIQ:
- From the IdentityIQ gear icon, select Global Settings > API Authentication.
- Create a new client or refer to an existing client on this screen. The proxy user for new or existing clients must have Administrator permissions.
- Save the following information offline to enter later in your tenant:
  - API Client ID
  - API Client Secret
  - API Base URL for the IdentityIQ App server, including the port and endpoints such as /identityiq.
Save these credentials to use later during configuration and activation.
Gathering Information for Setup
For virtual appliance and data source setup, IdentityIQ administrators should have the following items ready:
- A local database user on the IdentityIQ database with read-only access to the entire IdentityIQ schema
- The JDBC URL from the iiq.properties file
- The Hibernate Dialect from the iiq.properties file
- Your database vendor's JDBC driver (<jdbc-file.jar>)
- IdentityIQ API authentication credentials:
  - API Client ID
  - API Client Secret
  - API Base URL for the IdentityIQ App server
Deploying the Virtual Appliance with IdentityIQ
Complete the steps in this section to deploy a VA.
For general information about VAs, refer to the Virtual Appliances documentation.
For troubleshooting tools and resources, refer to the Virtual Appliance Troubleshooting Guide.
- Deploy the VA image.
  Important: To reduce latency, the VA must be deployed in the same location as the IdentityIQ database. If IdentityIQ is installed on-premises, the VA must be installed in the same datacenter. If IdentityIQ is installed in the cloud, the VA must be installed in the same region.
  Deployment to the following virtualization platforms is described in Deploying Virtual Appliances:
  - Local with vSphere - Deploy the downloaded image on a virtual machine behind your firewall.
  - Local with Hyper-V - Deploy the downloaded image on a virtual machine behind your firewall.
  - On AWS - Work with SailPoint to get access to our AMI so you can deploy it on your AWS infrastructure.
  - On Azure - Deploy the downloaded image on a virtual machine in Azure.
  - On GCP - Import the downloaded VA image to Google Cloud Platform.
- Set up a static network for local deployments.
  If you deployed the VA image locally, follow the directions to set up a static network.
- Select a VA configuration type.
  Descriptions and instructions for implementing the following configurations can be found in the virtual appliance configuration documentation:
  - Standard - Uses the standard traffic generated by the VA.
  - HTTP Proxy - Routes all HTTP/HTTPS traffic through a proxy.
  - Network Tunnel - Strictly limits the outbound connections generated by the VA.
- Complete tasks in your tenant.
  Refer to the directions in the deployment guide for your selected virtualization environment, and complete the following tasks in your tenant Admin interface. Refer to the linked instructions in each step.
  - Create the VA cluster with the IAI Harvester VA cluster type.
  - Add a VA to the cluster.
- After you have created a cluster and VA, contact SailPoint Services so they can "pin" the IdentityIQ harvester to the virtual appliance. Once this has been completed, you can move on to the next step.
- Run the following command to determine if there is a JDBC directory for your IdentityIQ version:
  ls -lR iai
  If the directory is not owned by sailpoint, modify the directory permissions by running the following command from /home/sailpoint/:
  sudo chown -R sailpoint /home/sailpoint/iai
  This command must be entered exactly as shown, and should not ask for a password.
- Copy the JDBC JAR file to the VA.
  Copy your database vendor's <jdbc-file.jar> file to the VA using the following scp command and the corresponding IdentityIQ version path:
  scp <local_path>/<jdbc-file.jar> sailpoint@<va_ip_address>:/home/sailpoint/iai/identityiq<xx>/jdbc/<jdbc-file.jar>
  IdentityIQ Version    JDBC Path on VA
  8.1, 8.2, 8.3         /home/sailpoint/iai/identityiq81/jdbc/<jdbc-file.jar>
  8.4                   /home/sailpoint/iai/identityiq84/jdbc/<jdbc-file.jar>
Creating an IdentityIQ Data Source for Connectivity with AI-Driven Identity Security
Complete the following steps in your tenant:
- Go to Admin > Global > Additional Settings.
- Select Add Data Source.
- In the Basic Information section:
  - Name your data source and add a meaningful description.
  - Under Data Source Types, select the IdentityIQ version:
    - If you use IdentityIQ 8.2 or 8.3, select IdentityIQ 8.1.
    - If you use IdentityIQ 8.4, select IdentityIQ 8.4.
    After a Data Source Type is selected, additional fields appear.
- Select the VA cluster that you deployed specifically to connect to IdentityIQ.
- Complete the following required fields in the Database Settings section:
  - JDBC URL - Enter the JDBC URL found in the iiq.properties file.
  - JDBC Driver - Enter your JDBC driver class name found in the iiq.properties file. Example: com.microsoft.sqlserver.jdbc.SQLServerDriver
  - Username - Enter your local database connection username.
  - Password - Enter your local database connection password.
  - Hibernate Dialect - Enter the hibernate dialect from the iiq.properties file.
  - Max DB Connections - Maximum number of database connections. Defaults to 12.
- Complete the following required fields in the IIQ API Client Settings section to create roles with Access Modeling:
  - API Baseurl - Enter the base URL for the IdentityIQ API.
  - API Client ID - Enter the client ID for the IdentityIQ API.
  - API Client Secret - Enter the client secret for the IdentityIQ API.
  - Role Provision Timeout - How long the system will wait for a response after attempting to create a role. Defaults to 60 seconds.
- Optionally, you can complete the fields in the Harvester Settings section:
  - Exclude Identity Attributes - Add a comma-separated list of identity attributes (usually privacy related) that you do not want to be visible in AI features.
  - Exclude Account Attributes - Add a comma-separated list of account attributes (usually privacy related) that you do not want to be visible in AI features.
  - Included Identities - Add a filter derived from an Identity Advanced Search in IdentityIQ Advanced Analytics. The filter limits what identities AI features can use. The filter can include only named attributes and not Extended Attributes or namedColumns.
  - Harvest Batch Limit - Maximum number of object IDs to be fetched per harvest cycle for the type being harvested. Default maximum is 500,000.
  - Observed Objects Batch Limit - Maximum number of object IDs to be fetched per harvest cycle for the object type being harvested. Default maximum is 200,000.
  - State Update Batch Size - The number of objects each batch will contain. Default is 10,000.
- Select Save Config.
You are now ready to start using Access History.
Additional configuration and activation steps are required to use Access Modeling and Access Recommendations with IdentityIQ.
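The JDBC URL, driver class name and Hibernate dialect entered in the Database Settings section, and listed earlier under Gathering Information for Setup, all live in iiq.properties. The following Python is an added example, not SailPoint code: it reads a constructed sample of that file, assumes the key names dataSource.url, dataSource.driverClassName, dataSource.username and sessionFactory.hibernateProperties.hibernate.dialect (the page names only the file), and refuses to reuse the IdentityIQ application login as the data source's read-only database user.

```python
import re

# Constructed sample of a WEB-INF/classes/iiq.properties fragment. The key
# names are assumptions; the page itself only names the file.
SAMPLE_IIQ_PROPERTIES = """\
# IdentityIQ database settings
dataSource.url=jdbc:sqlserver://iiqdb.example.internal:1433;\\
    databaseName=identityiq
dataSource.driverClassName=com.microsoft.sqlserver.jdbc.SQLServerDriver
dataSource.username=identityiq
dataSource.password=REDACTED
sessionFactory.hibernateProperties.hibernate.dialect=org.hibernate.dialect.SQLServerDialect
"""

# Data source form label -> assumed iiq.properties key.
REQUIRED = {
    "JDBC URL": "dataSource.url",
    "JDBC Driver": "dataSource.driverClassName",
    "Hibernate Dialect": "sessionFactory.hibernateProperties.hibernate.dialect",
}

def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':'
    separators, and backslash line continuations (common for long JDBC URLs)."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.lstrip() if pending else raw.strip()
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def data_source_settings(props, readonly_user):
    """Assemble the Database Settings values for the IdentityIQ data source.
    The DB user must be a separate read-only account, so reusing the
    IdentityIQ application login from iiq.properties is rejected."""
    missing = [key for key in REQUIRED.values() if key not in props]
    if missing:
        raise ValueError(f"iiq.properties is missing {missing}")
    if readonly_user == props.get("dataSource.username"):
        raise ValueError("use a dedicated read-only DB user, not the IdentityIQ app account")
    settings = {label: props[key] for label, key in REQUIRED.items()}
    settings["Username"] = readonly_user
    return settings
```

The password in iiq.properties is deliberately never copied into the returned settings; the data source gets the read-only user's own password.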
Configuring IdentityIQ for Access Modeling
To configure IdentityIQ for Access Modeling, you will complete the following tasks:
- Generate client credentials in your tenant.
- Import the init-ai.xml file.
- Configure AI-Driven Identity Security in IdentityIQ.
- Install the Access Modeling plugin.
- Configure automatic role creation.
Generating Client Credentials in Your Tenant
IdentityIQ sends data to Access Modeling through APIs. To create a secure connection between IdentityIQ and Access Modeling, you’ll need to generate client credentials within your tenant and configure IdentityIQ (the client) to use them to communicate with Access Modeling.
Complete the following steps to generate a Client ID and Client Secret in your tenant:
- Log in to your tenant as an Administrator.
- From the Admin Dashboard, select Admin > Security Settings.
- Select API Management in the options on the left.
- Select +New to display the New API Client dialog.
- Enter a description for how the access token will be used.
- Check Client Credentials as the method you want the client to use to access the APIs.
- Select Create.
A Client ID and Client Secret are generated for you. Save these offline. You’ll need them later when you configure AI-Driven Identity Security in IdentityIQ.
Importing the init-ai.xml File
After generating client credentials in your tenant, you will next import the init-ai.xml file to initialize IdentityIQ with the object components to support integration. This file includes objects such as the AI Module, some AI-specific IdentityIQ capabilities, system configuration entries, and an AIServices identity, among others.
Complete the following steps to import the init-ai.xml file in IdentityIQ:
- Verify that plugins.enabled=true in the WEB-INF/classes/iiq.properties file of your IdentityIQ installation. Plugins must be enabled to use Access Modeling.
- Log on to your browser instance of IdentityIQ as an administrator.
- Select Global Settings under the gear icon and select Import from File.
- Select Browse and navigate to the following directory:
  Windows: <identityiq_home>\WEB-INF\config
  UNIX: <identityiq_home>/WEB-INF/config
  where <identityiq_home> is the directory to which you extracted the identityiq.war file during IdentityIQ installation.
- Select the init-ai.xml file and select Import.
- When the import is complete, select Done.
You may notice that the plugin for Access Recommendations is also installed as part of this process, but access is enabled for licensed users only. Please contact your CSM for Access Recommendations pricing and licensing.
Configuring AI-Driven Identity Security in IdentityIQ
Complete the following steps to configure IdentityIQ to connect to your tenant with the client credentials you previously generated:
- From the IdentityIQ gear icon, select Global Settings > AI Services Configuration.
- Complete the following fields with information from your IdentityIQ installation and the client credentials from your tenant:
  - AI Services Hostname (The API Gateway URL for your tenant). Example: https://<org>.api.identitynow.com or https://<org>.api.saas.sailpointfedramp.com
  - Client ID
  - Client Secret
- Select Test Connection to ensure that the connection information is correct and operating.
- Select Save.
Installing the Access Modeling Plugin
The Access Modeling plugin is required for IdentityIQ 8.1, 8.2, or 8.3. IdentityIQ 8.4 does not require the Access Modeling plugin.
Complete the following steps to install the plugin:
- Get the Access Modeling plugin.
- From the IdentityIQ gear icon, select Plugins.
- Use the Plugins page to install the plugin.
- Select the Configure button for the Access Modeling plugin and provide the URL for the tenant. Example: https://<tenant>.identitynow.com or https://<tenant>.saas.sailpointfedramp.com
Configuring Automatic Role Creation in IdentityIQ
To be able to automatically create a new role in IdentityIQ, there is some additional configuration required in your tenant.
Complete the following steps in your tenant:
- Log in as an administrator, and select Admin > Global > Additional Settings.
- Select Edit on the enabled IdentityIQ data source.
- Enter the IdentityIQ API authentication information in the following fields:
  - API Client ID
  - API Client Secret
  - API Base URL (Enter the base URL for the IdentityIQ App server, including the port and endpoints such as /identityiq.)
  If these fields are not visible, contact Professional Services for help.
- Select Save Config.
You are now ready to auto-create roles for IdentityIQ.
Activating Access Recommendations for IdentityIQ
IdentityIQ users will need to complete steps to integrate or activate Access Recommendations. For integration information, see Integration with IdentityAI for Decision Recommendations.
For implementation/activation information see the following documentation:
- IdentityIQ 8.1 - IdentityAI Activation Guide
- IdentityIQ 8.2 - IdentityIQ AI Services Guide
- IdentityIQ 8.3 - IdentityIQ AI Services Guide
- IdentityIQ 8.4 - IdentityIQ AI Services Guide
After activating Access Recommendations, IdentityIQ users are ready to start using certification and approval recommendations.