We are looking to add some custom REST APIs to our IdentityIQ deployment to allow provisioning for the access request on the external application which is raised by end users within the company.
After end users submit the request on the other external application, the approval flow will be in the external application itself.
After approval, request data which is submitted by the end users should come to SailPoint IIQ and do provisioning on the target application which is configured in IIQ.
Can anyone point me to any good resources with examples, best practices, etc. for doing this?
@Venkatesh0510
Yes, you can create your custom API. Once all approvals are completed in your external application, you can invoke those APIs or check the SailPoint SCIM API.
First, go through the SCIM API. If your requirements are not satisfied with it, then you can proceed with customization.
One more aspect you need to consider is the auto-approval process. Once a request is created in SailPoint, it must be auto-approved (since all approvals in the external application have already been completed).
Implementing custom REST APIs in SailPoint IdentityIQ is typically achieved using the Plugin Framework. This approach provides a modular way to expose endpoints while leveraging IIQ’s built-in security, logging, and context management.
So tell me one thing: from your external application, you want to invoke the accessrequest.jsf end to submit the request, correct? Is my understanding correct?
Just want to add, by default IIQ uses the class “sailpoint.rest.SailPointRestApplication” to maintain REST APIs in web.xml.
If you want to maintain a different Java file for custom REST endpoints, you can create a new class which extends SailPointRestApplication, e.g. MyIIQREST.java.
Then, inside the web.xml file, update the javax.ws.rs.Application tag to point to your custom class, e.g. MyIIQREST.java. PFB screenshot for reference.
Hi @Venkatesh0510 The easiest way to achieve this is using SailPoint provided SCIM APIs. You will have your provisioning code in a workflow and the external system will invoke this workflow using the SCIM API endpoints. The workflow input parameters will be passed in JSON format in the API. You can refer to this URL:
The downside of this approach is that you will have to expose workflow name and id to the external system which may be a security concern.
SailPoint recommended approach: SailPoint recommends using Plugins to create REST endpoints. These REST endpoints will be mapped to a workflow. Please refer to the following post for a step-by-step guide.
@Venkatesh0510 I would also recommend using a Plugin to create the REST endpoint, like @r_pragati mentioned. It is the recommended approach, and you can enforce the necessary security guardrails: who can access it, whether any capability needs to be assigned, formatting the request and response as per your need, etc.
@naveenkumar3, I am in a similar boat as Venkatesh. I am looking to build custom APIs to receive access requests from an external application. Can you please share the plugin you created?
Hi @Venkatesh0510, we implemented a similar implementation. Access requests and approvals are done in ServiceNow. Once approvals are completed, we provide ServiceNow’s implementation team with the data to call the SCIM API’s laucherWorkflow endpoint. The user and request information are included in the input JSON. At the SailPoint end, we created the workflow with all the input JSON variables as workflow variables, and the SCIM connector itself sets the values into the workflow variables. Based on the request values, we construct the plan, and the approval schema is none since approvals are done on the ServiceNow side. Then, we pass the plan through the remaining steps for provisioning and return the JSON back in the results for ServiceNow.
The best way is to create a custom plugin by extending BasePluginResource to expose a REST API that receives the request from your external application and processes it in SailPoint.
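As an added illustration of the BasePluginResource approach recommended in this thread (this is example code, not code from any poster, from SailPoint's samples, or from the plugin @naveenkumar3 built): a plugin REST resource that accepts the already-approved request from the external system, requires a plugin-declared SPRight, and launches a workflow with approvalScheme set to none so IIQ does not approve it a second time. The plugin name, right name, workflow name, JSON field names and the BaseResource helpers getContext()/getLoggedInUserName() are assumptions.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import sailpoint.api.Workflower;
import sailpoint.object.WorkflowLaunch;
import sailpoint.rest.plugin.BasePluginResource;
import sailpoint.rest.plugin.RequiredRight;
import sailpoint.tools.GeneralException;

// Served at /identityiq/plugin/rest/ExternalAccessRequestPlugin/requests (plugin name is assumed)
@Path("ExternalAccessRequestPlugin")
@RequiredRight("ExternalAccessRequestPluginSubmit") // SPRight declared by the plugin; callers must hold it
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public class ExternalAccessRequestResource extends BasePluginResource {
    @Override
    public String getPluginName() { return "ExternalAccessRequestPlugin"; }

    // Constructed request body: {"identityName":"jdoe","externalTicketId":"RITM0001",
    //   "items":[{"application":"Active Directory","attribute":"memberOf","value":"App-Users"}]}
    @POST
    @Path("requests")
    public Response submit(Map<String, Object> body) throws GeneralException {
        String identityName = (String) body.get("identityName");
        String ticketId = (String) body.get("externalTicketId");
        if (identityName == null || ticketId == null || !(body.get("items") instanceof List)) {
            return Response.status(Response.Status.BAD_REQUEST)
                    .entity("identityName, externalTicketId and items are required").build();
        }
        Map<String, Object> vars = new HashMap<>();
        vars.put("identityName", identityName);
        vars.put("externalTicketId", ticketId);
        vars.put("requestItems", body.get("items"));
        vars.put("approvalScheme", "none"); // approvals were already completed in the external system
        WorkflowLaunch launch = new WorkflowLaunch();
        launch.setWorkflowRef("External Access Request Provisioning"); // workflow name is assumed
        launch.setCaseName("External request " + ticketId);
        launch.setLauncher(getLoggedInUserName()); // the calling API identity, kept for the audit trail
        launch.setVariables(vars);
        WorkflowLaunch result = new Workflower(getContext()).launch(launch);
        Map<String, Object> out = new HashMap<>();
        out.put("status", result.getStatus());
        out.put("workflowCaseId", result.getWorkflowCase() == null ? null : result.getWorkflowCase().getId());
        return Response.ok(out).build();
    }
}
```

The workflow named in setWorkflowRef is expected to build the ProvisioningPlan from requestItems and hand it to the provisioning steps, as the ServiceNow-based design above describes; the external system only ever sees the plugin endpoint, not the workflow name or id.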