CyberArk account creation from SaiPoint

Which IIQ version are you inquiring about?

Version 8.1

Is this question regarding a custom connector? If so, please share relevant details below.

No, this question is not regarding a custom connector.

Share all details related to your problem, including any error messages you may have received.

I have been able to create a safe and give permission to an existing account in CyberArk. But I have not been able to create an account in CyberArk. I need to be able to add an existing Active Directory account into CyberArk. If anyone has done this before I would really like to see the code.

I do have an example provisioning plan that was given during a Sailpoint meeting.

• Create the external Active Directory account inside CyberArk createExternalAccount: plan.

<ProvisioningPlan nativeIdentity="Bob.Kelso">
  <AccountRequest application="CyberArk PAM Server" nativeIdentity="Bob.Kelso" op="Create">
    <AttributeRequest name="source" op="Set" value="SERI Active Directory"/>
   <AttributeRequest name="nativeIdentifier" op="Set" value="CN=Bob Kelso,OU=Austin,OU=Americas,OU=Demo,DC=seri,DC=sailpointdemo,DC=com"/>

------------------------ No error with my current code, but it does not work. -----------------------------

  Identity identity=context.getObjectByName(Identity.class, "XXX0786");
   ProvisioningPlan plan=new ProvisioningPlan();  
  ProvisioningPlan.AccountRequest ar=new ProvisioningPlan.AccountRequest();
  ar.setApplication("CyberArk PAM Server");
  AttributeRequest aReq = new AttributeRequest("source", ProvisioningPlan.Operation.Set, "Our Active Directory");
  AttributeRequest aReq = new AttributeRequest("nativeIdentifier", ProvisioningPlan.Operation.Set, "CN=XXX0786,OU=People,OU=Usersloc,OU=DC=DomainName,DC=net");
  Provisioner safeProvisioner = new Provisioner(context);
  ProvisioningProject createProj = safeProvisioner.compile(plan);

Sorry for not answering your question, but keep in mind IIQ8.1 is on limited support from SailPoint and the dropped support date s Feb 21, 2024.
(see IdentityIQ end of life dates)

– Remold

@jhuggard your plan seems correct and is how I’ve done it in the past. Is this integration with the newer CyberArk Identity SaaS offering (Provision accounts with SCIM) or with the older standalone Java SCIM server (Marketplace)? The newer SaaS offering had a ton of issues when trying to integrate, I think this issue here with LDAP attributes being one of them. The older Java SCIM server was a lot less of a headache.

This is a standalone SCIM server. And we are schedule to update to 8.4 soon.

Do you have the following in your PAM application’s schemaPropertyMappings?

<SchemaPropertyMapping urn="urn:ietf:params:scim:schemas:pam:1.0:LinkedObject">
  <AttributePropertyMapping getter="openconnector.connector.scim2.SCIM2PropertyGetter" name="source" property="source" setter="openconnector.connector.scim2.SCIM2ExtendedPropertySetter"/>
  <AttributePropertyMapping getter="openconnector.connector.scim2.SCIM2PropertyGetter" name="nativeIdentifier" property="nativeIdentifier" setter="openconnector.connector.scim2.SCIM2ExtendedPropertySetter"/>

Also, the value you are passing for the source attribute is the name of the LDAP config in CyberArk, correct?

Yes we have the exact configurations.
I’m using the application name of our Active Directory in SailPoint as the “source”. Guessing that is incorrect?

Yes, that is incorrect. source needs to be set to the name of the LDAP source defined in CyberArk since the account you are creating in CyberArk needs to be linked against that LDAP source. Get that info from your CyberArk admin (if that isn’t you).

Thanks so much for the help. Our CyberArk guy is out today. But I will follow-up and let you know how it turns out.

1 Like

If those attributes are in your account schema (should be if they are not), you may be able to gather the source value from accounts already existing in that CyberArk environment that you have aggregated into IIQ which have been synced from the LDAP source in CyberArk.

CyberArk didn’t have a clear answer. Looked for source in Scheme. It is listed as Correlation Key. I did find a note in Compass.

<LDAPDirectoryName from LDAP Integration Config>

Which is listed. But it still isn’t creating the account.

Thanks. That was correct. I just forgot to un comment out the adding the AccountRequest to the plan. So the correct source is the LDAPDirectoryName in cyberArk or and existing account in SailPoint.

1 Like

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.