| Item | Details |
|---|---|
| Description | IdentityIQ Connector for BeyondTrust Privileged Remote Access & Remote Support |
| Legal Agreement | By using this CoLab item, you are agreeing to SailPoint's Terms of Service for our developer community and open-source CoLab. |
| Repository Link | N/A |
| New to Connector Configurations in the CoLab? | Read the getting started guide for Connector Configurations in the CoLab. |
| Supported by | Community Developed |
Overview
BeyondTrust Secure Remote Access (SRA) includes two products:
- Privileged Remote Access (PRA): provides identity-secure, just-in-time access to enterprise environments, including cloud, on-premises and OT.
- Remote Support: provides secure remote access and support for any device or system from anywhere, including Windows, macOS, Linux, Android and iOS.
Many organizations need an integration between SailPoint IdentityIQ and BeyondTrust PRA and Remote Support. This guide describes a Connector for both PRA and Remote Support, built on the IdentityIQ Web Services Connector, and gives step-by-step instructions for importing the Connector and its associated Rules and for configuring it.
Capabilities:
- Accounts Aggregation with Pagination support;
- Groups Aggregation for Group Policies;
- Create Account;
- Add/Remove Group Policy for Accounts;
- Enable/Disable Account;
- Change Password;
- Update Account;
- Delete Account.
Requirements
IdentityIQ 8.1 or later with current patches applied, and PRA/Remote Support 24.1.2 or later.
Guide
Importing the Rules and the BTSRA Connector
The zip archive includes two Rules and the Application (Connector) definition.
SailPoint_IdentityIQ_BTSRA.zip (7.7 KB)
IMPORTANT: Before importing the Application xml file, edit it and replace the name with the name you want to use for your Application.
Go to Global Settings, then select Import from File. Import the two Rules first (the Application references them by name), then the Application.
In PRA or Remote Support, go to Management, then API Configuration, and create an API account. Under Configuration API, check Allow Access. Copy the Client ID and Secret values; they are required in the next step, and the secret should be handled as a credential rather than pasted into notes or tickets.
Go to Applications, Application Definition, and replace the example Base URL and Token URL with the correct values for your SRA instance. Provide the client id and client secret for the SRA API account.
Under Correlation, you need to assign a Correlation rule, so Accounts can be correlated to Identities within IdentityIQ.
Before you can save your changes, an Owner must be assigned on the Details page.
Now you should be able to successfully test the connection for the Application.
IMPORTANT: For Remote Support, an extra step is required to configure the Application. Remote Support includes an additional Account attribute, private_display_name, which is mandatory. It must be added to the Provisioning Policy for Account.
Access Provisioning Policies under Configuration. Click Create Account under Name.
Click the + sign for Section 1, and select Add Field. Set the Name to private_display_name, check the Required box under Type Settings, and set the Value type to Script with the following BeanShell script:
```java
// identity is the Identity being provisioned; firstname and lastname are its standard attributes
return identity.getAttribute("firstname") + " " + identity.getAttribute("lastname");
```
If either attribute is not populated for an identity, the concatenation produces the literal text "null", so make sure both attributes are populated (or add a null check) before relying on this script in production.
Now we are ready to Aggregate Accounts and Groups for either PRA or Remote Support.
Navigate to Setup, then Tasks, and create an Aggregation Task for Accounts, and one for Groups.
After executing both Tasks for Aggregating Groups and Accounts, you should be able to see the Accounts with one or multiple Group Policies.
Under Applications, Entitlement Catalog, you should be able to see the Group Policies.
For each Group Policy, you should be able to see the members.
Advanced Configuration included within the Application
The Application Configuration includes pairs of HTTP Operations for Account Aggregation and for Add/Remove Entitlements.
Account Aggregation - 1 supports paging, aligned with the SRA default of 100 records per page.
Account Aggregation - 2 resolves the multi-valued groups Account attribute: an Account can have multiple Group Policies assigned in SRA, and one of the previously imported BeanShell Rules merges the membership results into the multi-valued groups attribute.
Remove Entitlement - 1 uses the other BeanShell Rule to resolve the unique membership id for each Account-to-Group Policy assignment; that membership id is what the Remove Entitlement - 2 endpoint requires.
Remove Entitlement - 1 also sets a nativeIdentity request header. The SRA API ignores this header, but the BeanShell After Rule reads it to obtain the Account id it needs for the membership lookup.
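The Python script below is an added illustration, not the connector's own code and not a BeyondTrust SDK, of the logic the two Account Aggregation operations, the two Remove Entitlement operations and the two BeanShell Rules implement together: paging through accounts 100 at a time, resolving each account's multi-valued groups attribute from Group Policy memberships, reading the Account id back out of the nativeIdentity header, and looking up the membership id that the remove call needs. The client methods, the field names (page/per_page, group_policy_id, user_id, membership id) and the sample data are constructed assumptions, so it runs offline against a fake client rather than against SRA.

```python
from typing import Dict, List, Optional, Tuple

PAGE_SIZE = 100  # SRA default number of records per page, as stated in the guide

# Constructed sample data standing in for SRA Configuration API responses.
USERS = [{"id": i, "username": f"user{i}"} for i in range(1, 252)]  # 251 users => 3 pages
GROUP_POLICIES = [{"id": 10, "name": "Admins"}, {"id": 11, "name": "Helpdesk"}]
MEMBERSHIPS = [  # assumed shape: one row per (user, group policy), each with its own id
    {"id": 900, "group_policy_id": 10, "user_id": 1},
    {"id": 901, "group_policy_id": 11, "user_id": 1},
    {"id": 902, "group_policy_id": 11, "user_id": 2},
    {"id": 903, "group_policy_id": 10, "user_id": 251},
]


class FakeSraClient:
    """Offline stand-in for the REST client; 1-based page numbers are an assumption."""

    def __init__(self) -> None:
        self.user_page_requests = 0  # counts calls so paging can be verified

    def list_users(self, page: int, per_page: int = PAGE_SIZE) -> List[dict]:
        self.user_page_requests += 1
        start = (page - 1) * per_page
        return USERS[start:start + per_page]

    def list_group_policies(self) -> List[dict]:
        return list(GROUP_POLICIES)

    def list_members(self, policy_id: int) -> List[dict]:
        return [m for m in MEMBERSHIPS if m["group_policy_id"] == policy_id]


def aggregate_accounts(client: FakeSraClient) -> List[dict]:
    """Account Aggregation - 1: fetch pages until a short (or empty) page ends the loop.
    An exact multiple of PAGE_SIZE costs one extra empty request but still terminates."""
    accounts, page = [], 1
    while True:
        batch = client.list_users(page)
        accounts.extend(batch)
        if len(batch) < PAGE_SIZE:
            return accounts
        page += 1


def resolve_memberships(client: FakeSraClient) -> Dict[int, List[Tuple[int, int]]]:
    """Account Aggregation - 2: map user id -> [(group_policy_id, membership_id), ...]."""
    by_user: Dict[int, List[Tuple[int, int]]] = {}
    for policy in client.list_group_policies():
        for m in client.list_members(policy["id"]):
            by_user.setdefault(m["user_id"], []).append((policy["id"], m["id"]))
    return by_user


def build_account_objects(client: FakeSraClient) -> List[dict]:
    """Combine both aggregations: each account gets a multi-valued 'groups' attribute
    holding the ids of the Group Policies it is assigned to (empty list if none)."""
    memberships = resolve_memberships(client)
    result = []
    for user in aggregate_accounts(client):
        groups = sorted(pid for pid, _ in memberships.get(user["id"], []))
        result.append({**user, "groups": groups})
    return result


def account_id_from_headers(headers: Dict[str, str]) -> int:
    """Remove Entitlement - 1: the account id travels in a nativeIdentity header that the
    SRA API ignores; the After Rule reads it back. Header names are matched case-insensitively."""
    for name, value in headers.items():
        if name.lower() == "nativeidentity":
            return int(value)
    raise KeyError("nativeIdentity header missing from request")


def find_membership_id(client: FakeSraClient, user_id: int, policy_id: int) -> Optional[int]:
    """Remove Entitlement - 1 -> 2: resolve the unique membership id for (account, group policy);
    None means the account is not in that policy and there is nothing to remove."""
    for pid, mid in resolve_memberships(client).get(user_id, []):
        if pid == policy_id:
            return mid
    return None


if __name__ == "__main__":
    client = FakeSraClient()
    for account in build_account_objects(client)[:3]:
        print(account)
    print("user page requests:", client.user_page_requests)
    acct = account_id_from_headers({"Content-Type": "application/json", "NativeIdentity": "1"})
    print("membership id to delete:", find_membership_id(client, acct, 11))
```

The short-page termination condition is the one thing worth checking against a real tenant: if SRA returns a total count or a next-page link instead, use that, since a page size changed on the SRA side that no longer matches PAGE_SIZE would otherwise stop aggregation after the first page.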