Description | Identity Security Cloud Credential Cycling with BeyondTrust Password Safe
Legal Agreement | By using this CoLab item, you are agreeing to SailPoint’s Terms of Service for our developer community and open-source CoLab.
Repository Link | GitHub - sailpoint-oss/colab-isc-credential-cycling
Supported by | Community Developed
Overview
This guide covers a new Custom Plugin, created with the BeyondTrust Password Safe SDK (Software Development Kit), that allows Password Safe to rotate credentials for ISC Sources via the ISC REST API (v3). Password rotation is based on a Push strategy from Password Safe, as opposed to the Pull strategy implemented in IdentityIQ for Credentials Cycling.
Note: This Custom Plugin is functional, but its configuration involves some technical steps that require familiarity with JSON Path and the ISC REST API. This allows for more flexibility in terms of Source Type support. The configuration may change to abstract the technical details in the future, based on usage feedback.
Requirements
Password Safe 24.1.0.0 or 24.1.1.1
Identity Security Cloud
Custom Plugin version 24.1.0.0 or 24.1.1.1:
SailPoint_Plugin-24.1.1.1_61BA5B4B-CB27-4896-A7B9-1714971A275B.psplugin (572.8 KB)
SailPoint_Plugin-24.1.0.0_083FBE27-0C4F-41F9-B5ED-9FCE1AE84B06.psplugin (563.7 KB)
Guide
Context
This Custom Plugin supports rotating secrets for privileged credentials used by SailPoint Identity Security Cloud for Sources (Connectors).
Capabilities
• Change Managed Account Credentials using Functional Account
• Verify Functional Account Credentials
The Plugin has been developed with the Password Safe 24.1.0.0 and 24.1.1.1 Resource Kit and SDK.
How to use the example Plugin
Create a Personal Access Token in ISC and grant it permissions for managing Sources.
Scope permission is also needed.
Save the Client ID and Secret for the next steps.
Navigate to Configuration, Privileged Access Management, Platform Plugins, then Create New Platform Plugin.
Browse for the Plugin file and Upload the Plugin.
Create a Functional Account for the Plugin. The username is cosmetic and not used. The password format is {client_id}:{client_secret}.
Create a Managed System for the Plugin. DNS Name is the API URL for ISC.
Note: the API URL has an extra .api part.
Create a Managed Account with the format {Source Name:password-JSONPATH}.
Note: the JSONPATH can be identified using a tool like Postman and is specific to the Source type in ISC. You can refer to the SailPoint API V3 documentation: update-source | SailPoint Developer Community
For example, for Active Directory, if we want to update the Domain service account password, the JSONPATH is /ConnectorAttributes/ForestSettings/0/Password
You can also refer to https://jsonpatch.com/ for the path syntax.
Using Postman to identify the location of password values within the Source.
At this point, you should be able to successfully Test Functional Account and Change Password for Managed Account.
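To make the configured values concrete, here is an added Python sketch of what a push rotation does with them; it is not the plugin's own code (which is not shown on this page). It parses the client_id:client_secret functional password and the managed account name (assumed here to be written as Source Name:/json-patch-path), requests a client-credentials token, looks the source up by name, checks that the configured path really exists in the source JSON before sending anything, and issues the JSON Patch replace. The ISC endpoints /oauth/token and /v3/sources are the standard ones; the sample source document and the in-memory fake_isc are constructed so the whole thing runs offline.

```python
import json
from urllib.parse import quote
# Constructed sample source; casing mirrors the page's example pointer (check a real GET of your source).
SAMPLE_SOURCE = {"id": "src-0001", "name": "Active Directory", "ConnectorAttributes":
                 {"ForestSettings": [{"ForestName": "corp.example", "Password": "old-secret"}]}}
PATCHES_SEEN = []  # every JSON Patch body the fake ISC below receives, for inspection

def parse_plugin_config(functional_password, managed_account):
    """Split {client_id}:{client_secret} on the first ':' only, and {Source Name:/pointer} on the first ':/'."""
    client_id, sep1, client_secret = functional_password.partition(":")
    source_name, sep2, rest = managed_account.partition(":/")
    if not (sep1 and client_id and client_secret and sep2):
        raise ValueError("expected 'client_id:client_secret' and 'Source Name:/pointer'")
    return client_id, client_secret, source_name, "/" + rest

def resolve_pointer(doc, pointer):
    """RFC 6901 lookup; raises KeyError/IndexError so a wrong pointer is caught before the PATCH."""
    for token in pointer.split("/")[1:]:
        doc = doc[int(token)] if isinstance(doc, list) else doc[token.replace("~1", "/").replace("~0", "~")]
    return doc

def rotate_source_password(http, api_url, functional_password, managed_account, new_password):
    """Push rotation: client-credentials token, look up the source by name, JSON Patch replace."""
    client_id, client_secret, source_name, pointer = parse_plugin_config(functional_password, managed_account)
    status, tok = http("POST", f"{api_url}/oauth/token?grant_type=client_credentials"
                       f"&client_id={quote(client_id)}&client_secret={quote(client_secret)}", {}, None)
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status}")
    auth = {"Authorization": f"Bearer {tok['access_token']}"}
    status, found = http("GET", f"{api_url}/v3/sources?filters=" + quote(f'name eq "{source_name}"'), auth, None)
    if status != 200 or len(found) != 1:
        raise RuntimeError(f"expected exactly one source named {source_name!r}")
    resolve_pointer(found[0], pointer)  # fail fast if the configured pointer does not exist
    patch = [{"op": "replace", "path": pointer, "value": new_password}]
    status, _ = http("PATCH", f"{api_url}/v3/sources/{found[0]['id']}",
                     {**auth, "Content-Type": "application/json-patch+json"}, json.dumps(patch))
    if status != 200:
        raise RuntimeError(f"PATCH failed: HTTP {status}")
    return patch

def fake_isc(method, url, headers, body):
    """Offline stand-in for the three ISC endpoints used above, serving SAMPLE_SOURCE only."""
    if method == "POST" and "/oauth/token?" in url:
        return 200, {"access_token": "constructed-token"}
    if method == "GET" and "/v3/sources?filters=" in url and headers.get("Authorization"):
        return 200, ([SAMPLE_SOURCE] if quote(f'name eq "{SAMPLE_SOURCE["name"]}"') in url else [])
    if method == "PATCH" and url.endswith(f"/v3/sources/{SAMPLE_SOURCE['id']}"):
        PATCHES_SEEN.append((headers["Content-Type"], json.loads(body)))
        return 200, SAMPLE_SOURCE
    return 404, {}
```

Against a real tenant, pass an http callable that performs the request and returns (status, parsed JSON) in place of fake_isc.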
However, the typical configuration would be to Synchronize the AD Managed Account with either the Domain or Forest Managed Account, or both:
We are synchronizing the AD Managed Account used by SailPoint ISC for both the Domain and Forest service accounts with both credentials of the AD Source.
For the SailPoint Managed Account, we should see Sync to Primary whenever a Password Change is triggered for the AD Managed Account.
We can confirm that SailPoint has up-to-date password values by using Test Connection via the Source.
How to get the SDK and source files
If you would like access to the source files for the Custom Plugin, you can submit a request to [email protected]
Follow the steps in the Readme PDF to create a new project using the SamplePlugin.
Note: Multiple versions of .NET can coexist on the same Visual Studio workstation.