We are looking to add some custom REST APIs to our IdentityIQ deployment to allow provisioning for access requests that end users within the company raise on an external application.
After an end user submits the request on the external application, the approval flow will run in the external application itself.
After approval, the request data submitted by the end user should come to SailPoint IIQ, which should then do the provisioning on the target application configured in IIQ.
Can anyone point me to any good resources with examples, best practices, etc. for doing this?
@Venkatesh0510
Yes, you can create your custom API. Once all approvals are completed in your external application, you can invoke those APIs or check the SailPoint SCIM API.
First, go through the SCIM API. If your requirements are not satisfied with it, then you can proceed with customization.
One more aspect you need to consider is the auto-approval process. Once a request is created in SailPoint, it must be auto-approved (since all approvals in the external application have already been completed).
Implementing custom REST APIs in SailPoint IdentityIQ is typically achieved using the Plugin Framework. This approach provides a modular way to expose endpoints while leveraging IIQ’s built-in security, logging, and context management.
So tell me one thing: from your external application, you want to invoke the accessrequest.jsf end to submit the request, correct? Is my understanding correct?
Just want to add: by default, IIQ uses the class "sailpoint.rest.SailPointRestApplication" to maintain the REST API in web.xml.
If you want to maintain a different Java file for custom REST endpoints, you can create a new class which extends SailPointRestApplication, e.g. MyIIQREST.java.
Then, inside the web.xml file, update the javax.ws.rs.Application tag to point to your custom class, e.g. MyIIQREST.java. PFB screenshot for reference.
Hi @Venkatesh0510, the easiest way to achieve this is using the SailPoint-provided SCIM APIs. You will have your provisioning code in a workflow, and the external system will invoke this workflow using the SCIM API endpoints. The workflow input parameters will be passed in JSON format in the API. You can refer to this URL:
The downside of this approach is that you will have to expose the workflow name and ID to the external system, which may be a security concern.
SailPoint recommended approach: SailPoint recommends using Plugins to create REST endpoints. These REST endpoints will be mapped to a workflow. Please refer to the following post for a step-by-step guide.
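To make the SCIM option above concrete, here is an added example of what the external application's side looks like; it is not code from the reply or from SailPoint. It posts to the IIQ SCIM LaunchedWorkflows endpoint with the LaunchedWorkflow schema (confirm the exact payload against the SCIM documentation for your IIQ version). The IIQ host, the service account, the workflow name and the sample request fields are assumptions. Note that, as the reply says, the external system has to know the workflow name, and it also needs an IIQ credential: use a dedicated service identity for it rather than a personal or administrator login.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * External-application side: once the request is approved there, launch the IIQ
 * workflow that does the provisioning via SCIM. Host, service credentials and the
 * workflow name are assumptions for this example.
 */
public class IiqWorkflowClient {
    private static final String SCHEMA = "urn:ietf:params:scim:schemas:sailpoint:1.0:LaunchedWorkflow";

    private final String baseUrl;     // e.g. https://iiq.example.com/identityiq (assumed)
    private final String authHeader;  // Basic auth for a dedicated IIQ service identity
    private final HttpClient http = HttpClient.newHttpClient();

    public IiqWorkflowClient(String baseUrl, String serviceUser, String servicePassword) {
        this.baseUrl = baseUrl;
        String creds = serviceUser + ":" + servicePassword;
        this.authHeader = "Basic " + Base64.getEncoder()
                .encodeToString(creds.getBytes(StandardCharsets.UTF_8));
    }

    /** Builds the LaunchedWorkflow body. Every value is escaped so request data cannot change the JSON structure. */
    static String launchPayload(String workflowName, Map<String, String> inputs) {
        StringBuilder sb = new StringBuilder();
        sb.append("{\"schemas\":[\"").append(SCHEMA).append("\"],\"")
          .append(SCHEMA).append("\":{\"workflowName\":").append(json(workflowName))
          .append(",\"input\":[");
        boolean first = true;
        for (Map.Entry<String, String> e : inputs.entrySet()) {
            if (!first) sb.append(',');
            first = false;
            sb.append("{\"key\":").append(json(e.getKey()))
              .append(",\"value\":").append(json(e.getValue()))
              .append(",\"type\":\"string\"}");
        }
        return sb.append("]}}").toString();
    }

    /** Returns the HTTP status code; expect 201 when IIQ has created the launched workflow. */
    public int launch(String workflowName, Map<String, String> inputs) throws Exception {
        HttpRequest req = HttpRequest.newBuilder(URI.create(baseUrl + "/scim/v2/LaunchedWorkflows"))
                .header("Authorization", authHeader)
                .header("Content-Type", "application/json")
                .header("Accept", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString(launchPayload(workflowName, inputs)))
                .build();
        HttpResponse<String> resp = http.send(req, HttpResponse.BodyHandlers.ofString());
        return resp.statusCode();
    }

    /** Minimal JSON string encoder so the example needs no JSON library. */
    static String json(String s) {
        StringBuilder sb = new StringBuilder("\"");
        for (char c : s.toCharArray()) {
            switch (c) {
                case '"':  sb.append("\\\""); break;
                case '\\': sb.append("\\\\"); break;
                case '\n': sb.append("\\n");  break;
                case '\r': sb.append("\\r");  break;
                case '\t': sb.append("\\t");  break;
                default:
                    if (c < 0x20) sb.append(String.format("\\u%04x", (int) c));
                    else sb.append(c);
            }
        }
        return sb.append('"').toString();
    }

    public static void main(String[] args) throws Exception {
        IiqWorkflowClient client = new IiqWorkflowClient(
                "https://iiq.example.com/identityiq", "ext-app-svc", System.getenv("IIQ_SVC_PASSWORD"));
        Map<String, String> inputs = new LinkedHashMap<>();   // constructed sample request, not real data
        inputs.put("identityName", "jdoe");
        inputs.put("application", "Active Directory");
        inputs.put("entitlement", "CN=Finance-RW,OU=Groups,DC=example,DC=com");
        inputs.put("externalRequestId", "REQ-10042");
        System.out.println("IIQ responded " + client.launch("External Access Provisioning", inputs));
    }
}
```

The workflow named here is assumed to read the `identityName`, `application`, `entitlement` and `externalRequestId` variables, build the provisioning plan, and run with approvals switched off, since the approval already happened externally. Keep the password out of source (the example reads it from an environment variable) and only call the endpoint over TLS.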
@Venkatesh0510 Would also recommend using a Plugin to create the REST endpoint, like @r_pragati mentioned. It is the recommended approach, and you can enforce the necessary security guardrails: who can access it, whether any capability needs to be assigned, formatting the request and response as per your need, etc.
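The following is an added example of the plugin-based endpoint the last two replies recommend; it is not code from any of the posts or from SailPoint. It also stands in for the earlier reply about registering resources through a SailPointRestApplication subclass in web.xml: the same resource logic can be registered that way, but as a plugin resource it gets the `@RequiredRight` guardrail and needs no edit to web.xml. The plugin name, the SPRight name, the accepted JSON fields and the extra `externalRequestId` workflow variable are assumptions; `LCM Provisioning`, its `plan`, `flow` and `approvalScheme` variables, and the `sailpoint.*` classes used are standard IIQ.

```java
import java.util.HashMap;
import java.util.Map;

import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import sailpoint.api.SailPointContext;
import sailpoint.api.Workflower;
import sailpoint.object.Application;
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;
import sailpoint.object.WorkflowLaunch;
import sailpoint.rest.plugin.BasePluginResource;
import sailpoint.rest.plugin.RequiredRight;
import sailpoint.tools.GeneralException;

/**
 * Plugin REST resource that turns an already-approved request from the external
 * application into an IIQ provisioning workflow launch. List this class in the
 * plugin's manifest.xml under the "restResources" attribute so the framework
 * registers it. Plugin name and right name below are assumptions for this example.
 */
@Path("externalRequests")
// Guardrail: the caller must authenticate as an IIQ identity whose capability
// grants this SPRight; anyone else is rejected before the method body runs.
@RequiredRight("ExternalRequestPlugin.LaunchProvisioning")
public class ExternalRequestResource extends BasePluginResource {

    @Override
    public String getPluginName() {
        return "ExternalRequestPlugin";   // must match the name in manifest.xml
    }

    @POST
    @Path("provision")
    @Consumes(MediaType.APPLICATION_JSON)
    @Produces(MediaType.APPLICATION_JSON)
    public Response provision(Map<String, Object> body) throws GeneralException {
        // Whitelist the fields we accept; anything else in the body is ignored,
        // so the external system cannot inject arbitrary workflow variables.
        String identityName = str(body.get("identityName"));
        String appName      = str(body.get("application"));
        String attribute    = str(body.get("attribute"));
        String value        = str(body.get("value"));
        String externalId   = str(body.get("externalRequestId"));
        if (identityName == null || appName == null || attribute == null || value == null || externalId == null) {
            return error(Response.Status.BAD_REQUEST,
                    "identityName, application, attribute, value and externalRequestId are required");
        }

        SailPointContext ctx = getContext();
        Identity identity = ctx.getObjectByName(Identity.class, identityName);
        Application app   = ctx.getObjectByName(Application.class, appName);
        if (identity == null || app == null) {
            // One message for both cases so the caller cannot enumerate identities or applications.
            return error(Response.Status.NOT_FOUND, "identity or application not found");
        }

        // One Modify on the identity's account on the target application, adding the requested value.
        ProvisioningPlan plan = new ProvisioningPlan();
        plan.setIdentity(identity);
        AccountRequest acct = new AccountRequest();
        acct.setApplication(app.getName());
        acct.setOperation(AccountRequest.Operation.Modify);
        acct.add(new AttributeRequest(attribute, ProvisioningPlan.Operation.Add, value));
        plan.add(acct);

        // Launch the standard LCM Provisioning workflow. approvalScheme "none" is the
        // auto-approval the thread asks for: the external application already approved.
        Map<String, Object> vars = new HashMap<>();
        vars.put("identityName", identityName);
        vars.put("plan", plan);
        vars.put("flow", "AccessRequest");
        vars.put("approvalScheme", "none");
        vars.put("externalRequestId", externalId);   // custom variable for traceability (assumed)

        WorkflowLaunch launch = new WorkflowLaunch();
        launch.setWorkflowRef("LCM Provisioning");
        launch.setCaseName("External request " + externalId + " for " + identityName);
        launch.setLauncher(getLoggedInUserName());   // the authenticated service identity, never a body value
        launch.setVariables(vars);
        WorkflowLaunch result = new Workflower(ctx).launch(launch);

        Map<String, Object> out = new HashMap<>();
        out.put("externalRequestId", externalId);
        out.put("status", result.getStatus());
        out.put("workflowCaseId", result.getWorkflowCase() != null ? result.getWorkflowCase().getId() : null);
        return Response.ok(out).build();
    }

    private static String str(Object o) {
        if (!(o instanceof String)) return null;
        String s = ((String) o).trim();
        return s.isEmpty() ? null : s;
    }

    private static Response error(Response.Status status, String message) {
        Map<String, String> out = new HashMap<>();
        out.put("error", message);
        return Response.status(status).entity(out).build();
    }
}
```

Create the SPRight named in `@RequiredRight`, add it to a capability, and assign that capability only to the service identity the external application authenticates with; that is the "who can access it" guardrail from the reply. The response returns only the workflow case ID and status, so the external system learns nothing about IIQ internals beyond what it needs to track the request.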