IdentityNow Workflows: Managing PAT-Based API Calls When Workflow Owners Are Deactivated

Hi All,

We are currently working with SailPoint IdentityNow Workflows and we have a major design concern.

At the moment:

  • Workflows are configured with an owner, which is a human identity.

  • Inside the workflows, there are HTTP Request steps making calls to the IdentityNow tenant APIs.

  • These calls are authenticated using Personal Access Tokens (PATs) associated with that same human identity.

The issue is that when the identity that owns the workflows (and the PATs) is deactivated or removed from the tenant:

  • The PATs stop working

  • The workflow owner is removed

  • Existing workflows become orphaned or stop working

We would like to understand what the officially supported best practice from SailPoint is for handling this scenario.

Specifically:

  • Is using a dedicated service account (non-human identity) with PATs the recommended and supported approach for Workflow ownership and API authentication?

  • Is there any alternative to PAT-based authentication for Workflow HTTP calls that avoids dependency on a human identity?

We have already evaluated API Management, but it is not a viable option for us because not all API calls behave or work the same way as when using PATs.

Any ideas?

Hello @bblanco,

We are following the service account approach. This way the PAT token never expires. Also, you can select the service account (identity) as the workflow owner. One more thing is to make sure you are using the latest API version, as old ones may get deprecated soon.

I don’t think there is any other alternative to using a service account.

I agree with @JackSparrow.

The better option would be to use a service account for the following tasks, as we do the same:

  • Workflows (PATs & owner)
  • Emergency or backdoor access (bypass SSO) in the event of an SSO-related issue
  • Saved search queries and their associated subscriptions

Thanks @JackSparrow and @nhassan.

I am reviewing this, but when I create a service account (as an identity), as soon as I assign roles to it, the platform requires me to configure the authenticator app.

Since this account is intended to be used only as a technical/service identity (for Workflow ownership and PAT-based API calls) and will not perform interactive UI login or SSO access, is it still required to configure an authenticator for this identity?

Hi @bblanco,

Yes, configuring an authenticator is still required. MFA is now mandatory for all admin accounts. See "Deprecation of Strong Authentication on Admin Step-Up" and "MFA set up for IDN Admin account".

While you may not need to log in through the interactive UI often, you would still need to authenticate to create PATs and/or to create or update saved search queries and subscriptions etc. Setting up an authenticator provides an added layer of protection to the service account.
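As an added example (not from this thread or from SailPoint), the ownership check a tenant admin would run to catch the orphaning problem described above before it bites: it flags workflows and PATs whose owner identity is inactive, missing from the tenant, or still a human identity rather than an approved service account. The record shapes (`owner` objects on workflows and PATs, an `inactive` flag on identities) and all sample records are constructed assumptions; replace them with the workflow, personal-access-token and identity lists pulled from your tenant API.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str    # "workflow" or "pat"
    name: str    # workflow or token name
    reason: str


def audit_ownership(workflows, pats, identities, service_account_ids):
    """Flag workflows and PATs whose owner identity is missing from the tenant,
    inactive, or a human identity rather than an approved service account."""
    by_id = {ident["id"]: ident for ident in identities}
    findings = []

    def check(kind, name, owner):
        ident = by_id.get(owner["id"])
        if ident is None:
            findings.append(Finding(kind, name, "owner identity not found in tenant"))
        elif ident.get("inactive", False):
            findings.append(Finding(kind, name, "owner identity is inactive"))
        elif owner["id"] not in service_account_ids:
            findings.append(Finding(kind, name, "owner is a human identity, not a service account"))

    for wf in workflows:
        check("workflow", wf["name"], wf["owner"])
    for pat in pats:
        check("pat", pat["name"], pat["owner"])
    return findings


# Constructed sample records (assumed field names, not real tenant data).
SAMPLE_IDENTITIES = [
    {"id": "id-human-1", "name": "bblanco", "inactive": False},
    {"id": "id-human-2", "name": "former.employee", "inactive": True},
    {"id": "id-svc", "name": "svc-workflows", "inactive": False},
]
SAMPLE_WORKFLOWS = [
    {"name": "Joiner provisioning", "owner": {"id": "id-human-1", "name": "bblanco"}},
    {"name": "Nightly cert reminder", "owner": {"id": "id-svc", "name": "svc-workflows"}},
    {"name": "Legacy cleanup", "owner": {"id": "id-human-2", "name": "former.employee"}},
]
SAMPLE_PATS = [
    {"name": "wf-api-token", "owner": {"id": "id-human-2", "name": "former.employee"}},
    {"name": "svc-token", "owner": {"id": "id-svc", "name": "svc-workflows"}},
    {"name": "removed-user-token", "owner": {"id": "id-gone", "name": "deleted.user"}},
]
SERVICE_ACCOUNT_IDS = {"id-svc"}


def run_sample():
    return audit_ownership(SAMPLE_WORKFLOWS, SAMPLE_PATS, SAMPLE_IDENTITIES, SERVICE_ACCOUNT_IDS)
```

Running it on the sample data yields four findings; only the service-account-owned workflow and token pass, which is the end state the replies above recommend.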