IdentityIQ Connector for BeyondTrust Password Safe

CoLab Connector Configurations
, ,
1

Marketplace-Gradient
Marketplace-Gradient2401×1351 226 KB
:spiral_notepad: Description IdentityIQ Connector for BeyondTrust Password Safe
:balance_scale: Legal Agreement By using this CoLab item, you are agreeing to SailPoint’s Terms of Service for our developer community and open-source CoLab.
:hammer_and_wrench: Repository Link N/A
:open_book: New to Connector Configurations in the CoLab? Read the getting started guide for Connector Configurations in the CoLab.
:hospital: Supported by Community Developed

:bangbang: Note: The content in this topic is also available in a video format:

Overview

BeyondTrust Password Safe is a Privileged Access Management solution. It manages privileged passwords, accounts, keys, secrets, and sessions for people and machines and secures non-privileged employee passwords for business applications.

This guide includes instructions on how to leverage a SailPoint IdentityIQ PAM Application template as a quick start strategy that leverages the PAM Module for visibility, and a Provisioning Policy form to allow provisioning requests for both Password Safe and directory accounts.

When it comes to Provisioning, a few strategies are available, depending on the specific Use Cases, or combination of Accounts and Groups. The table below illustrates the different strategies, which can be used in parallel if needed.
image

One strategy, in highlighted in orange, is to use Password Safe Accounts and Groups: This is done via the Password Safe SCIM API.

It is possible to leverage Active Directory(green), Entra ID aka Azure AD(blue), or LDAP(yellow) for Accounts and Groups. For these 3 strategies, the Accounts and Groups are managed by IdentityIQ directly with the directory: Password Safe includes out-of-the-box Synchronization for Accounts and imported Groups.

It is also possible to use hybrid strategies, e.g. AD Accounts and local Password Safe Groups. For the hybrid strategies, provisioning is via the Password Safe SCIM API, but 2 Account attributes are included in requests: source and nativeIdentifier. These 2 attributes are used to inform Password Safe that, for example, a POST /Users request should not result in the creation of a Password Safe local Account, but instead trigger the importation of the directory Account within Password Safe and Synchronization.

Lastly, the blank boxes in the table are about invalid strategies, for example, a local Password Safe Account and an Active Directory Group: Active Directory knows only about Active Directory Accounts.

Capabilities:

  • Accounts Aggregation with Pagination support;
  • Groups Aggregation for Local and Directory Groups;
  • Create Account;
  • Import Active Directory or LDAP Account;
  • Add/Remove Local Group for both Local and Directory Accounts;
  • Enable/Disable Account;
  • Change Password;
  • Update Account;
  • Delete Account.

Requirements

IdentityIQ 8.1 and above patched, and Password Safe 24.1.0.0 and above.

Guide

Creating the SailPoint IdentityIQ service account in Password Safe.

Creating a SailPoint IdentityIQ service account in BeyondInsight requires the following:

  • Create a user group
  • Enable features and Smart Groups for the user group
  • Create a user account and add it to the user group
  • Log in to BeyondInsight as the new service account user to generate OAuth credentials.

The below sections detail the steps to take to accomplish the above.

Create a new Group in Password Safe for the IdentityIQ service account, and assign the 6 Features as shown in screenshot below:

image
image1304×933 104 KB

Password Safe Group with Features.

image
image1304×933 76.8 KB

Add each Managed Account Smart Groups with Read only permission.

image
image1304×933 61.7 KB

Create a new Account and add it to the Group.

Now we need to login as the new service account, and navigate to Configuration, Connectors, and access the SCIM Connector. If the SCIM Connector does not exist yet, it needs to be created.

image
image1304×933 77 KB

SCIM Connector with Client ID for logged in service account.

We can access the Client Secret by clicking the Recycle Client Secret button. It is also possible to use a Refresh Token for production, but for testing, Client Credentials are recommended.

Now that we have a service account with Client ID and Secret, we can move to IdentityIQ.

The Connector template is available from the Password Safe resource kit:
SCIM-PasswordSafe-IdentityIQ.xml (28.3 KB)

Before we import SCIM-PasswordSafe-IdentityIQ.xml, let’s edit the file and change the Application name. This can be used to create one or multiple Applications with desired name(s).

image
Search for the name=”BT PBPS SCIM” and replace the value with Password Safe or any desired value for the name.

image
Access Global Settings in IdentityIQ as an Administrator.

image
Select Import from File.

image
Import the modified xml file for Password Safe Application.

image
Now under Applications, select Application Definition. You should be able to see the new Application and edit it.

image
Enter the Base and Token URLs, select Client Credentials for Grant Type, and provide Client Id and Secret. You should be able to successfully test the Connection.

Note: Client Credentials is recommended for testing, Refresh Token is more for Production when security requirements are higher.

image
Configure Account Correlation, for example by using email address and username.

image
Navigate to the Unstructured Targets tab. Click Add New Unstructured Data Source.

You need to click Create TargetSource.

image
Select Privileged Account Management Collector for Target Source Types. Enter URLs and credentials. Select Correlation Rule for PAM Access Mapping.

image
Don’t forget to click the Save button a second time on the Application.

Now we should be ready to aggregate Accounts, Groups and Entitlements from Password Safe.

Navigate to Setup/Tasks.

image
Tasks.

Click the New Task button, and select Account Aggregation.

image
Task for Account Aggregation.

Repeat the steps for Groups, use Account Group Aggregation.

Now let’s create a Task for Target Aggregation.

image
Select the Target Source.

Now you can execute the 3 Tasks, Accounts, Groups, then Target.

After running the 3 Tasks, let’s go back to the Application.

image
Expand an Account, and click on one of the Groups to expose Target Permission via the Access Tab.

image
You should also be able to see the Entitlements for an Identity.

Now let’s navigate to the Privileged Account Management view.

image
Privileged Account Management menu item.

image
image1670×1063 97.3 KB

Privileged Account Management view.

Let’s go back to the Application and take a look at the Provisioning Policy example included with the Connector template.

image
Provisioning Policy.

image
image1306×1161 51.2 KB

A script example is included to set the value for the source attribute, when provisioning if for a directory account. The script needs to be modified to the proper value(s).

During a provisioning request that requires either a new Password Safe Account, or the importation of directory account, a form will be assigned to the requester to select the Account Type.

image
Example request form configured in Provisioning Policy.

Note: If the target Identity has multiple accounts for the selected directory, a radio-button selector will allow the requester to pick the desired account.

At this point, it is assumed that some customization is required for the Provisioning Policy, depending on the number and types of directories. It is also possible to make the provisioning dynamic instead of using a requester form.

2 Likes