IQService Before and After Script Disablement

Hi all,

I recently received a notification from SailPoint customer success regarding upcoming changes to the IQService. Here is a snippet of the email:

I am reaching out to let you know about an upcoming change to IQService, related to a recent vulnerability discovery (identified through our Vulnerability Disclosure Program). If you are not using IQService, you can disregard this notification.

Why we are making this change

It has been our long-standing recommendation to secure communication between IdentityIQ and IQService using Transport Layer Security (TLS) along with client authentication. If TLS is not configured, IQService encrypts messages using a default encryption key. However, this default key – designed to simplify setup and deployment for system administrators – is the same for all installations and can be exploited to allow unauthorized access.

Action required: What to expect in the next release of IdentityIQ

Moving forward, to ensure the security of our customers, the before and after script execution will be disabled in all upcoming releases of IdentityIQ. In the meantime, if you are leveraging IQService before and after scripts, you must configure the TLS along with the client authentication for IQService to continue execution of these scripts and to address this vulnerability.

We are already using TLS along with client authentication for the IQService but I’m concerned about the disablement of the before and after script execution. We rely on this functionality for vital operations such as Home Drive provisioning and Exchange operations.

Is anybody able to clarify if before and after script execution will be disabled in future versions of IIQ, even if TLS is enabled?
