Hybrid implementation of IdentityIQ

Which IIQ version are you inquiring about?

8.5

Share all details about your problem, including any error messages you may have received.

We have a requirement for some of IdentityIQ's services to be available publicly (external network) and the rest to be exclusively on the internal network. For example, services like change password, forgot password/password reset and some workflow forms (which are used for some NDA agreements etc.) should be available on the external network. All others should be restricted to the internal network.

Has anyone done such a hybrid implementation? If yes, I would love to know how different organizations have implemented it. Any ideas/suggestions would be much appreciated.

Your IIQ environment shouldn't be public at all, even for SSPR-type functionality. I have done quite a few projects implementing IIQ with an open-source password management and profile update tool called PWM. This is a zero-code solution and can make API calls as part of events, so you can do things like call IIQ and the password intercept workflow to sync passwords. The alternative is to use SailPoint's cloud password management solution.

@rohitpant Agree with @phodgdon. IIQ should remain within your organization's network. We also had a similar requirement where we created a proxy application and made API calls to IIQ.

Hi @rohitpant ,

Welcome to the SailPoint Developer forum.

If some IIQ sections need to be hidden from external users, custom QuickLinks with the correct DynamicScopes can be used.

The second option is to call the IIQ REST API from a different application.

Hi Paul,

I agree with your assessment in general, which is why I posted the question regarding how people handle different use cases in their environments. The problem is we have a use case of a custom single self-service UI where users can accomplish/set up all their security-related requests (which could be more than just a password change). Currently we have this as a custom plugin developed to handle all these use cases in a single page. In such a case, do you have a recommendation, or is developing a custom front end with IIQ REST APIs in the backend the only remaining option?

@neel193 Asking this for more clarification: did you end up developing your own front end with IIQ backend API calls? I agree with both your assessments and want to bring the entire application behind the org network, and was exploring options for the self-service piece for external users.

@rohitpant Yes. We created a separate web app making only the required IIQ API calls. We only exposed the endpoints we needed for our use case.

In your case also, you can try to expose a simple web app and create IIQ plugin-based REST APIs to expose only limited APIs to the application.

Note: Found a fix? Help the community by marking the comment as solution. Feel free to react (:heart:, :+1:, etc.) with an emoji to show your appreciation or message me directly if your problem requires a deeper dive.
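The pattern the replies converge on (IIQ stays internal; an external web app forwards only a handful of calls to it) comes down to a small allow-list proxy. The block below is an added example illustrating that front door; it is not code from this thread, from SailPoint or from the posters. Everything named in it is an assumption: the internal URL in IIQ_BASE, the /plugin/rest/selfservice/... paths (a hypothetical IIQ plugin; real endpoint names depend on the plugin you deploy) and the IIQ_SERVICE_USER / IIQ_SERVICE_PASSWORD environment variables. The two points it demonstrates are that the default is deny (anything not on the list never reaches IIQ, including path-normalisation tricks) and that the proxy, not the client, decides which identity a request acts on.

```python
"""Allow-list front door for IdentityIQ self-service.

Added example, not code from the thread or from SailPoint. Assumed names:
IIQ_BASE (internal IIQ URL), the /plugin/rest/selfservice/... paths
(hypothetical plugin endpoints) and the IIQ_SERVICE_USER /
IIQ_SERVICE_PASSWORD environment variables.
"""
import base64
import json
import os
import re
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed internal address of IIQ; the proxy is the only thing that talks to it.
IIQ_BASE = "https://iiq.internal.example:8443/identityiq"

# (HTTP method, external path pattern, internal IIQ path template).
# Only these three shapes of request can ever be forwarded.
ALLOWED_ROUTES = [
    ("POST", re.compile(r"^/self-service/password$"),
     "/plugin/rest/selfservice/password"),
    ("POST", re.compile(r"^/self-service/forgot-password$"),
     "/plugin/rest/selfservice/forgot-password"),
    ("GET", re.compile(r"^/self-service/forms/(?P<form>[A-Za-z0-9-]{1,64})$"),
     "/plugin/rest/selfservice/forms/{form}"),
]


@dataclass
class Decision:
    allowed: bool
    upstream_url: Optional[str] = None
    reason: str = ""


@dataclass
class UpstreamRequest:
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: Dict[str, object] = field(default_factory=dict)


def route(method: str, raw_path: str) -> Decision:
    """Map an external request onto the allow-list; anything else is denied."""
    path = raw_path.split("?", 1)[0]
    # The allowed routes never need percent-encoding, dot segments or empty
    # segments, so any of those is an attempt to confuse the upstream servlet
    # rather than a legitimate request. Reject before pattern matching.
    if "%" in path or ".." in path or "//" in path or "\\" in path:
        return Decision(False, reason="rejected path syntax")
    for allowed_method, pattern, template in ALLOWED_ROUTES:
        match = pattern.match(path)
        if match and allowed_method == method.upper():
            return Decision(True, IIQ_BASE + template.format(**match.groupdict()))
    return Decision(False, reason="not on allow-list")


def build_upstream_request(decision: Decision, session_user: str,
                           client_body: Dict[str, object]) -> UpstreamRequest:
    """Rebuild the call with the proxy's own service credentials.

    The client never chooses the target identity: whatever "identity" it sent is
    overwritten with the user the external app authenticated, and only the
    fields the endpoint needs are copied across. Client-supplied Authorization
    and Cookie headers are not forwarded at all.
    """
    if not decision.allowed or decision.upstream_url is None:
        raise PermissionError(decision.reason)
    user = os.environ.get("IIQ_SERVICE_USER", "svc-selfservice")   # assumed
    password = os.environ.get("IIQ_SERVICE_PASSWORD", "")          # assumed
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    allowed_fields = ("currentPassword", "newPassword", "answers")
    body = {k: v for k, v in client_body.items() if k in allowed_fields}
    body["identity"] = session_user
    headers = {
        "Authorization": "Basic " + token,
        "Content-Type": "application/json",
        "X-Forwarded-User": session_user,
    }
    return UpstreamRequest(decision.upstream_url, headers, body)


def send(req: UpstreamRequest, method: str = "POST") -> bytes:
    """Perform the upstream call. Needs network reachability to IIQ_BASE."""
    data = json.dumps(req.body).encode() if method == "POST" else None
    http_req = urllib.request.Request(req.url, data=data, headers=req.headers,
                                      method=method)
    with urllib.request.urlopen(http_req, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    # Constructed sample: user "jdoe" tries to reset "admin" via the body.
    decision = route("POST", "/self-service/password")
    upstream = build_upstream_request(decision, "jdoe",
                                      {"identity": "admin", "newPassword": "x"})
    print(upstream.url, upstream.body)
    print(route("GET", "/rest/identities").reason)
```

The session user passed to build_upstream_request must come from the external app's own authenticated session (SSO assertion, signed cookie), never from a request header or body field, since that binding is what stops one external user from acting on another's account. The service account IIQ_SERVICE_USER should hold only the capabilities the plugin endpoints require, so that even a bug in the proxy cannot turn into an administrative call against the rest of the IIQ REST surface.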