How to Create a Person via API in ISC

Hello,
we have an external portal (which does not expose an API) where users are created manually. The requirement is that every user created on this portal is also created in Sailpoint ISC in real time.
Sailpoint has no Create Identity API, only Create Account, so I think the integration must be done this way:

  1. Create a dummy Authoritative Source in Sailpoint of type “Flat File”
  2. The Portal must call the API of Create Account for this Source
  3. For a modify, suspend or restore, it must call the corresponding Update Account API

Do you think this is the correct way to do this integration?

I tried this scenario in my lab and the behaviour is very strange.
I created the first user by calling the /v3/accounts API with this JSON:

{
  "attributes": {
    "sourceId": "7070eb4b124c4db88b2cf1efeb7ecf26",
    "id": "F74637A",
    "name": "g.carini",
    "givenName": "Giorno",
    "familyName": "Carini",
    "location": "Torino"
  }
}

The identity is then present in Sailpoint and under the source.
I tried to create a second person:

{
  "attributes": {
    "sourceId": "7070eb4b124c4db88b2cf1efeb7ecf26",
    "id": "F23445A",
    "name": "g.verds",
    "givenName": "Mark",
    "familyName": "Bisini",
    "location": "Torino",
    "e-mail": "[email protected]"
  }
}

The API response is successful, but the account does not exist in the Source or in Sailpoint.
The response is the id of a task; if I check it with /beta/task-status/18414f5df97e422e8cf76850e5969891
I read:
"completionStatus": "SUCCESS",
"progress": null,
"percentComplete": 0

Could you help me?

Thanks

I have an update.
After an hour the second user popped up in Sailpoint.

The question remains: is this the correct way to integrate an external portal like this?

Hello Francesco, one way to do it is to connect with a Non-Employee source; you will then be able to call the API to create the external employees in real time. Here is the API documentation: Non-Employee Lifecycle Management | SailPoint Developer Community

Regards,
Pablo

I built a Python Dash app that retrieves the connectors, retrieves the schema, retrieves the accounts and then updates the accounts.

I used the endpoints below:

tenant = "<tenant>"        # placeholder: your tenant name
source_id = "<source-id>"  # placeholder: id of the source to work on

api_url = f"https://{tenant}.api.identitynow-demo.com/v3/sources"

schema_url = f"https://{tenant}.api.identitynow-demo.com/v3/sources/{source_id}/schemas/accounts"

base_url = f"https://{tenant}.api.identitynow-demo.com/beta"

# separate name so the beta base URL above is not overwritten
load_accounts_url = f"https://{tenant}.api.identitynow-demo.com/beta/sources/{source_id}/load-accounts"


I see some strange limitations for these Non-Employee users.

For example, the source has these properties:

Who should manage these accounts?
These identities can request accounts on this source. Choose a maximum of 10.

But in my requirement these people must request the accounts for themselves. Is this possible?

Thanks

Why should I use Non-Employee and not a "Flat-File" Source?
Non-Employee has a lot of limitations, like a MAXIMUM of 10 Custom Attributes or a MAX of 20,000 users per source.
The "Flat-File" Source does not have these limitations.
Why should I use Non-Employee? Is it a licensing matter?

Thanks

@ffalcitelli The Non-Employee source has the advantage of being able to manipulate attributes in the UI as an Admin, but for your use case, I would recommend using the APIs around the Delimited File connector like you have done.

That is the correct and best way to integrate; I have done it similarly. Try to avoid using the non-employee module, as most likely Sailpoint will decommission it now that there is NERM, and it is also a severely restrictive module.

Yes, on the UI there is sometimes a delay, but you could use the Get Account Details API to query the backend; you should be able to see the account.

It's a good approach that you have taken. As others have mentioned, NELM is currently a bit of a gray area as to how SailPoint will treat it down the line with their NERM acquisition.

Can I check whether you have a requirement to delete these users, or just to disable them down the line?
If there is no delete requirement, I would suggest parsing the user details into a CSV and leveraging the file upload utility to aggregate the file into ISC. This would resolve the delay issue you are currently facing. But it would mean you need a host system on which you can generate the CSV file and run the file upload utility.
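The CSV route suggested above, as an added example that is not code from this thread or from SailPoint: it renders portal users as a delimited file whose header follows the account schema shown earlier in the thread, refuses rows that would key the wrong account (missing id/name, unknown column, duplicate id), and builds the load-accounts URL the Dash app post lists. The sample users are constructed; the multipart field name is an assumption.

```python
import csv
import io

# Column order follows the account schema of the thread's flat-file source.
CSV_COLUMNS = ["id", "name", "givenName", "familyName", "location", "e-mail"]


def users_to_csv(users):
    """Render portal users as the delimited file the source aggregates.
    'id' is the account key and 'name' the account name, so a row missing
    either, a column the schema lacks, or a duplicate id is rejected rather
    than written: a bad row would create or overwrite the wrong account."""
    seen = set()
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_COLUMNS, lineterminator="\n")
    writer.writeheader()
    for user in users:
        unknown = sorted(set(user) - set(CSV_COLUMNS))
        if unknown:
            raise ValueError(f"column(s) not in schema: {unknown}")
        if not user.get("id") or not user.get("name"):
            raise ValueError(f"row without id/name: {user}")
        if user["id"] in seen:
            raise ValueError(f"duplicate account id: {user['id']}")
        seen.add(user["id"])
        # csv quotes any value containing the delimiter, so commas in data are safe
        writer.writerow({c: user.get(c, "") for c in CSV_COLUMNS})
    return buf.getvalue()


def load_accounts_url(base_url, source_id):
    """Endpoint the thread's Dash app used to aggregate a file. The CSV is sent
    as multipart form data; the field name 'file' is an assumption here."""
    return f"{base_url}/beta/sources/{source_id}/load-accounts"


# Constructed sample: the thread's two users, with one location containing the
# delimiter so that quoting is exercised (the address is made up).
SAMPLE_USERS = [
    {"id": "F74637A", "name": "g.carini", "givenName": "Giorno",
     "familyName": "Carini", "location": "Torino"},
    {"id": "F23445A", "name": "g.verds", "givenName": "Mark",
     "familyName": "Bisini", "location": "Torino, IT",
     "e-mail": "m.bisini@example.com"},
]

if __name__ == "__main__":
    print(users_to_csv(SAMPLE_USERS))
    print(load_accounts_url("https://TENANT.api.identitynow-demo.com", "SOURCE_ID"))
```

Write the returned string to disk and hand it to the file upload utility (or post it to the load-accounts endpoint); the validation means a portal export with a repeated id fails loudly before anything reaches the source.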

For now we don't have a requirement to delete users.
As for the delay: if I poll the taskID returned by the Create Account API, I see at most 2 minutes of processing time. This is because every action in Sailpoint is asynchronous. I think this delay can be acceptable for the client, but they need to implement polling code to check whether the creation succeeded.

Thanks
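The flow discussed in the opening post and in the last reply (create the account on the flat-file source, poll the returned task id with a bound on waiting time, then confirm the account exists via the accounts API), as an added example that is not code from this thread or from SailPoint. The source id and attribute names come from the thread; the tenant URL is a placeholder, the `http` callable and `FakeIsc` are constructed stand-ins so the code runs offline, and the meaning of a null `completionStatus` and the `nativeIdentity` filter on GET /v3/accounts are assumptions.

```python
import time
from urllib.parse import quote

BASE_URL = "https://TENANT.api.identitynow.com"  # placeholder tenant URL
SOURCE_ID = "7070eb4b124c4db88b2cf1efeb7ecf26"   # source id from the thread
# Attributes of the flat-file account schema used in the thread.
SCHEMA_ATTRIBUTES = ("id", "name", "givenName", "familyName", "location", "e-mail")


def build_create_account_payload(source_id, user):
    """Body for POST /v3/accounts. The delimited-file schema keys an account on
    'id' and names it with 'name', so both are required; anything else must be
    an attribute the source schema actually declares."""
    missing = [k for k in ("id", "name") if not user.get(k)]
    if missing:
        raise ValueError(f"missing required attribute(s): {missing}")
    unknown = sorted(set(user) - set(SCHEMA_ATTRIBUTES))
    if unknown:
        raise ValueError(f"attribute(s) not in source schema: {unknown}")
    return {"attributes": {"sourceId": source_id, **user}}


def create_account(http, base_url, payload):
    """Submit the create. ISC only accepts it and returns a task id."""
    status, body = http("POST", f"{base_url}/v3/accounts", payload)
    if status not in (200, 202):
        raise RuntimeError(f"create account rejected: HTTP {status} {body}")
    return body["id"]


def wait_for_task(http, base_url, task_id, timeout_s=120, interval_s=5,
                  sleep=time.sleep, clock=time.monotonic):
    """Poll /beta/task-status/{id} until completionStatus is SUCCESS.
    Assumption: a null completionStatus means still running, any other value
    is a terminal failure. Returns (body, number_of_polls)."""
    deadline = clock() + timeout_s
    polls = 0
    while True:
        status, body = http("GET", f"{base_url}/beta/task-status/{task_id}", None)
        polls += 1
        if status != 200:
            raise RuntimeError(f"task-status failed: HTTP {status} {body}")
        outcome = body.get("completionStatus")
        if outcome == "SUCCESS":
            return body, polls
        if outcome is not None:
            raise RuntimeError(f"task {task_id} ended with {outcome}: {body}")
        if clock() >= deadline:
            raise TimeoutError(f"task {task_id} still running after {timeout_s}s")
        sleep(interval_s)


def find_account(http, base_url, source_id, native_id):
    """Look the account up by source and native id (assumed filterable fields
    of GET /v3/accounts); returns the account or None."""
    filters = quote(f'sourceId eq "{source_id}" and nativeIdentity eq "{native_id}"')
    status, body = http("GET", f"{base_url}/v3/accounts?filters={filters}", None)
    if status != 200:
        raise RuntimeError(f"list accounts failed: HTTP {status} {body}")
    return next((a for a in body if a.get("nativeIdentity") == native_id), None)


class FakeIsc:
    """Constructed stand-in for the tenant: accepts the create, reports the
    task as running for two polls, then SUCCESS, and only then lists the account."""
    def __init__(self):
        self.polls, self.pending, self.accounts = 0, None, []

    def __call__(self, method, url, body):
        if method == "POST" and url.endswith("/v3/accounts"):
            self.pending = body["attributes"]
            return 202, {"type": "TASK_RESULT", "id": "constructed-task-id"}
        if method == "GET" and "/beta/task-status/" in url:
            self.polls += 1
            if self.polls < 3:
                return 200, {"completionStatus": None, "progress": None, "percentComplete": 0}
            self.accounts.append(self.pending)
            return 200, {"completionStatus": "SUCCESS", "percentComplete": 100}
        if method == "GET" and "/v3/accounts?" in url:
            return 200, [{"nativeIdentity": a["id"], "name": a["name"]} for a in self.accounts]
        return 404, {}


def demo(http=None):
    """Create the thread's second user end to end and report what happened."""
    http = http or FakeIsc()
    ticks = iter(range(0, 10_000, 5))  # fake clock: 5 s per call, so no real waiting
    user = {"id": "F23445A", "name": "g.verds", "givenName": "Mark",
            "familyName": "Bisini", "location": "Torino",
            "e-mail": "m.bisini@example.com"}  # constructed address
    task_id = create_account(http, BASE_URL, build_create_account_payload(SOURCE_ID, user))
    _, polls = wait_for_task(http, BASE_URL, task_id, sleep=lambda _s: None, clock=lambda: next(ticks))
    found = find_account(http, BASE_URL, SOURCE_ID, user["id"])
    return {"task_id": task_id, "polls": polls, "found": found["nativeIdentity"] if found else None}


if __name__ == "__main__":
    print(demo())
```

Against a real tenant, pass an `http` callable that adds the bearer token and returns `(response.status_code, response.json())`; the 120-second default matches the processing time reported in the last reply, and a task that is still running past it raises instead of spinning forever.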