IdentityNow Orphan Accounts Connector


Description: SaaS Connector for IdentityNow Orphan Accounts
Legal Agreement: By using this CoLab item, you are agreeing to SailPoint’s Terms of Service for our developer community and open-source CoLab.
Repository Link: GitHub, sailpoint-oss/colab-saas-conn-identitynow-orphan-accounts (SaaS Connector for IdentityNow orphan accounts)
New to SaaS connectors in the CoLab? Read the getting started guide for SaaS Connectors in the CoLab.
Supported by: Community Developed

Overview

This custom SaaS connector extends IdentityNow's default orphan account management capabilities by leveraging the SaaS connector framework and the IdentityNow API. In particular, this connector allows you to:

  • Manually correlate orphan accounts to identities via an access request
  • Disable original orphan accounts by disabling the virtual identity/account the connector creates
  • Disable original orphan accounts by certifying the access of the virtual identities the connector creates

Our current orphan account certifications only allow you to certify access, not the account itself. This, in my opinion, covers only one of the typical use cases around orphan accounts. It can be useful to certify orphan accounts that are in fact known service accounts or similar entities. However, when an orphan account is found we generally know little about it. We don’t know whether it’s a legitimate account: it may be a correlation failure, a test account, a service account, an old employee’s account, a backdoor account, etc. It is probably best to start by disabling it, do some research and, based on the results, delete it or correlate it to an identity. We can then start certifying access once the right context is in place.

In combination with existing functionality, this connector provides a good foundation for orphan account governance by adding manual correlation and account disabling to the existing access certification capabilities. It also makes reporting easier.

Supported use cases

Manual correlation

The connector creates an account/entitlement pair for each uncorrelated account found in the specified target sources:

You can request those entitlements from the Request Center on behalf of the identity you want to correlate the account to:

Demo

Manual disabling

You can create a new identity profile based on the orphan accounts source:

Once it is in place, you can manually disable the resulting account on the identity, which disables the original orphan account:

Demo

Disabling by certification

With an identity profile in place, you can certify the whole source or a subset of identities:

Revoking the only entitlement those identities have disables the original orphan account:

Demo

Requirements

Guide

Supported Operations

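The three use cases above (manual correlation, manual disabling, disabling by certification) all rest on the same two mechanisms: aggregate only the uncorrelated accounts of the configured sources into a virtual source, then translate a request against that virtual source into an action on the original account. The following is an added example written for this page, not code from the connector repository. It models those two mechanisms in TypeScript; every type, function and field name is hypothetical, the sample accounts are constructed, and the two IdentityNow v3 endpoints it targets (JSON Patch on `/v3/accounts/{id}` to set `identityId`, and `POST /v3/accounts/{id}/disable`) are assumptions to be checked against the API reference.

```typescript
// Added example (not the connector's own code). It models the two mechanisms
// described in the post: (1) aggregating only the uncorrelated accounts of the
// configured target sources into virtual account/entitlement pairs, and
// (2) translating a request against the virtual source into the IdentityNow
// API call that acts on the original account. All type, function and field
// names below are hypothetical, and the sample accounts are constructed.

interface SourceAccount {
  id: string;          // account id in IdentityNow
  name: string;        // native account name on the target source
  sourceName: string;  // compared against "List of sources to include"
  uncorrelated: boolean;
  disabled: boolean;
}

interface VirtualAccount {
  identity: string;    // unique key of the virtual account (original account id)
  attributes: { name: string; source: string; entitlements: string[] };
  disabled: boolean;
}

interface VirtualEntitlement {
  identity: string;    // entitlement value: the original account id
  attributes: { name: string; source: string };
}

interface JsonPatchOp { op: "replace"; path: string; value: string | boolean; }

interface ApiCall { method: "PATCH" | "POST"; path: string; body?: JsonPatchOp[]; }

// Constructed sample: what a read of the target sources might return.
const SAMPLE_ACCOUNTS: SourceAccount[] = [
  { id: "acc-1", name: "svc_backup", sourceName: "Active Directory", uncorrelated: true,  disabled: false },
  { id: "acc-2", name: "jdoe",       sourceName: "Active Directory", uncorrelated: false, disabled: false },
  { id: "acc-3", name: "tmp_test",   sourceName: "Active Directory", uncorrelated: true,  disabled: true  },
  { id: "acc-4", name: "old_admin",  sourceName: "Workday",          uncorrelated: true,  disabled: false },
];

// An account is an orphan for the connector only if it is uncorrelated AND
// its source is in the configured list; correlated accounts and accounts on
// other sources must not be aggregated.
function selectOrphans(accounts: SourceAccount[], includeSources: string[]): SourceAccount[] {
  const wanted = new Set(includeSources.map((s) => s.trim()));
  return accounts.filter((a) => a.uncorrelated && wanted.has(a.sourceName));
}

// One virtual account plus one entitlement per orphan. Both carry the
// original account id so a later request can be traced back to it.
function buildVirtualSource(
  accounts: SourceAccount[],
  includeSources: string[],
): { accounts: VirtualAccount[]; entitlements: VirtualEntitlement[] } {
  const orphans = selectOrphans(accounts, includeSources);
  return {
    accounts: orphans.map((a) => ({
      identity: a.id,
      attributes: { name: `${a.name}@${a.sourceName}`, source: a.sourceName, entitlements: [a.id] },
      disabled: a.disabled,
    })),
    entitlements: orphans.map((a) => ({
      identity: a.id,
      attributes: { name: `${a.name}@${a.sourceName}`, source: a.sourceName },
    })),
  };
}

// Manual correlation: the entitlement was requested on behalf of an identity,
// so the original account gets that identityId. Assumed to map to the v3
// "update account" JSON Patch endpoint; verify against the API reference.
function correlateCall(entitlementValue: string, identityId: string): ApiCall {
  return {
    method: "PATCH",
    path: `/v3/accounts/${encodeURIComponent(entitlementValue)}`,
    body: [
      { op: "replace", path: "/identityId", value: identityId },
      { op: "replace", path: "/manuallyCorrelated", value: true },
    ],
  };
}

// Manual disabling and disabling by certification both end with the virtual
// account being disabled, which maps to disabling the original account.
// Assumed to be the v3 account disable endpoint; verify before relying on it.
function disableCall(virtualAccountKey: string): ApiCall {
  return { method: "POST", path: `/v3/accounts/${encodeURIComponent(virtualAccountKey)}/disable` };
}
```

The filter in `selectOrphans` is the part worth checking in any real implementation: if the `uncorrelated` test is dropped, every account on the configured sources is aggregated, and a revoke or disable on the virtual source would then act on accounts that belong to real identities.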

Thanks for the connector.

Could you please give more detailed information about the connector’s purpose?
On the other hand, the repository link is not working.

What’s the intended purpose of this connector? What would it solve for me?

Thanks!

The repository should be public now. Please try again.

Documentation is up-to-date now. Please let me know if it’s sufficient.

Cheers.


Hello,

Thanks for this connector, it might be very useful for our usecase and I would like to test it.
The connector has been deployed successfully (using the zip downloaded from GitHub), but we get an error when testing the new source:

Creds used are good as they have been used to push the connector with CLI.

Do you have an idea about the issue? Did I miss something during the deployment?

Hi Julien,

I’m glad the connector is helpful for you. Unfortunately I haven’t updated this one for a long time and all the problems you describe are expected, since the libraries have changed a lot. For it to build, you could try removing the ^ character from the module versions in package.json. It might still not work, since the ISC APIs have changed too.

I’ll get to it as soon as I can, but I have quite a backlog at the moment and I cannot commit to any date.

HTH


BTW, you have to build the connector from the source you downloaded. You cannot upload the source files zip directly.


Hello Fernando,
Thanks for your quick answer. I tried removing the ^ character from package.json, but the command “npm run pack-zip” still doesn’t work:

“I’ll get to it as soon as I can, but I have quite a backlog at the moment and I cannot commit to any date.” → acknowledged.

Did you run “npm i” first?

Fernando de los Rios Sanchez
Advisory Solutions Consultant

Indeed, I have executed “npm install” before “npm run pack-zip”.
No error with “npm install”.

Hello Fernando,
Do you have an ETA for the fix?

Hi Julien,

Let me find some time next week and get it done. No chance for a quiet summer yet! :joy:

OK, download again from here and try it using a brand new source. It packs just fine but I haven’t tested it.

log.txt (9.5 KB)
Hello Fernando,
Thanks for the new source, but I still have the same error.

For this test, two different people tested it by:

  • downloading the new source
  • running npm i and npm run pack-zip
  • removing the old connector
  • creating the new connector
  • configuring the new source in IdentityNow and testing it

Do you have any suggestions?

You seem to have a problem with a library called form-data, on which axios depends. Try deleting your package-lock.json, running npm i and restarting the whole process, and see if it disappears.

Does it work when you run npm run dev?
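The two pieces of build advice in this thread (strip the ^ from the module versions in package.json; delete package-lock.json and run npm i again) address different layers of the dependency tree. The following is an added example, not code from the connector repository: a small TypeScript routine that applies the first piece of advice mechanically and reports which ranges it could not turn into exact versions. Function and field names are hypothetical, and the sample manifest is constructed (axios is the only package name taken from the thread; the versions are made up).

```typescript
// Added example, not code from the connector repository. It applies the
// troubleshooting advice in this thread mechanically: rewrite every caret or
// tilde range in package.json as the exact version, and report any range
// that cannot be pinned that way. Function and field names are hypothetical;
// the sample package.json is constructed and is not the repository's file.

type DependencyMap = Record<string, string>;

interface PackageJson {
  name: string;
  dependencies?: DependencyMap;
  devDependencies?: DependencyMap;
}

interface PinResult {
  pinned: PackageJson;   // copy of the manifest with exact versions
  changed: string[];     // "name: old -> new" for each rewritten range
  unpinnable: string[];  // ranges that are still not exact after the rewrite
}

// Exact version, optionally with a prerelease tag: 1.2.0 or 1.2.0-beta.1
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

function pinRanges(pkg: PackageJson): PinResult {
  const changed: string[] = [];
  const unpinnable: string[] = [];

  // Returns a new map; the input manifest is never mutated.
  const pinMap = (deps?: DependencyMap): DependencyMap | undefined => {
    if (!deps) return undefined;
    const out: DependencyMap = {};
    for (const [name, range] of Object.entries(deps)) {
      const exact = range.replace(/^[\^~]/, "");   // "^1.2.0" -> "1.2.0"
      if (exact !== range) changed.push(`${name}: ${range} -> ${exact}`);
      if (!EXACT_VERSION.test(exact)) unpinnable.push(`${name}: ${range}`);
      out[name] = exact;
    }
    return out;
  };

  return {
    pinned: {
      ...pkg,
      dependencies: pinMap(pkg.dependencies),
      devDependencies: pinMap(pkg.devDependencies),
    },
    changed,
    unpinnable,
  };
}

// Constructed sample manifest; only the axios name comes from the thread.
const SAMPLE_PACKAGE_JSON: PackageJson = {
  name: "orphan-accounts-example",
  dependencies: { axios: "^1.2.0", "node-fetch": "~2.6.0" },
  devDependencies: { typescript: "4.9.5", rimraf: "3.x" },
};
```

Pinning the top-level ranges this way only constrains the packages named in package.json. A transitive dependency such as form-data, which axios pulls in, is resolved from package-lock.json, so when the failure is in a transitive package the lockfile has to be regenerated (delete package-lock.json, then npm i, as advised above) for anything to change; the edited manifest alone will reproduce the same tree.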

OK, I removed the file package-lock.json and executed npm i && npm run pack-zip.

Next, I created the connector, uploaded the zip, added a source, configured the source and tested it, and it seems to work!

Thanks a lot Fernando, I will continue the test of this connector.
I have one question regarding the “List of sources to include” : do we need to use the source name or the source ID ?

Great to hear. It’s the source name you need to use, but remember to press Enter when you do, so that the element is stored in the list.


Hello Fernando,
How does account aggregation work? I made a few tests and it aggregates all accounts in the targeted source, not only the uncorrelated ones. Is this expected?

My bad. Fetch again, build, deploy and test. Once you give me the ok I’ll update the official repo.