ISC custom / openconnector

https://documentation.sailpoint.com/connectors/custom_source_config/help/idn_custom_connector_configuration/file_downloads/openconnector.zip

Implementing Identity Security Cloud Custom Connectors

This article is referencing 2025 but the download is referencing IDN and it seems that some of the calls are older. Is there a newer build for ISC?

The customer is not wanting to use SaaS as they prefer a connector that works through the VA for security reasons.

ISC is IDN. It was mainly a rebranding by SailPoint.

I am not aware of any changes for implementing Custom Connectors via OpenConnector. I think most of the work by SailPoint has been to the SaaS custom connector process.

I have not tested this yet, looking for a use case that applies to a customer. My customer went a different direction. I’m sharing this in hopes someone else finds it of use or can validate it before I’m able to.

Below is a reference to implementing Cherwell’s Service Desk. These steps should be a good overview of steps to take when creating a custom connector for ISC.

Cherwell Service Desk Integration

Overview

This document provides an overview of the Cherwell Service Desk Integration, a SIM (Service Desk Integration Module) connector. Its purpose is to open tickets in response to provisioning events from various sources. This integration follows a similar design pattern to the ServiceNow Service Desk integration.

Implementation & Features

The core of this use case is implemented by a special Cherwell Service Desk Integration connector provided by SailPoint Professional Services.

  • Functionality: Unlike typical connectors that read accounts, this one focuses on asynchronous provisioning by opening tickets on Cherwell Service Desk. It also has the ability to check the status of these tickets.

  • Connector Features:

    • Ticket Creation

    • Check Ticket Status

Note: The connector must be installed via IdentityNow REST APIs before configuration can be carried out.

Architecture

This section details the overall architecture, components, interfaces, and networking requirements.

Components

The following components are provided by SailPoint Services:

  • Cherwell Service Desk Integration JAR: Contains the packaged and compiled code that runs in the SailPoint-managed Virtual Appliances (VAs).

  • Cherwell Service Desk Integration ZIP: Contains template artifacts.

  • Cherwell Service Desk Integration JSON: An example configuration for installation into IdentityNow.

  • README: This document.

The integration runs entirely from the IdentityNow Virtual Appliance and does not require any additional components to be installed.

Network Requirements

The VA must have outbound access to the specified Cherwell Service Desk URL.

  • Protocol: HTTPS

  • Port: 443

Security

This section covers the security architecture, including data security, encryption, and authentication.

Encryption

All traffic between the connector and Cherwell is sent over HTTPS / TLS.

Authentication

The integration uses Cherwell’s Service Desk REST APIs. Authentication is handled by an API token using Cherwell’s OAuth 2.0 authorization flow. The API uses the Password grant type with an API client ID, username, and password. These artifacts must be generated and provided in the config JSON file.

Design

This section details the connector’s design, including its functions and the endpoints it calls. The integration identifies the name of the business object for a ticket, queries its schema to find the field IDs, and then uses these IDs to create a ticket.

Endpoints

The integration leverages REST web services to communicate with the following Cherwell endpoints:

  • POST /api/V1/getbusinessobjectsummary/busobname/<name>

  • POST /api/V1/getbusinessobjectschema/busobid/<id>

  • POST /api/V1/getsearchresults

  • POST /api/V1/savebusinessobject

  • POST /api/V1/getsearchresults (This endpoint is listed twice in the original content)

Client credentials are required to access Cherwell’s swagger page for API specifics.

Functions

The integration implements the following methods:

  • testConnection: Enabled but does not perform any action.

  • provision: Handles ticket creation in Cherwell by calling the POST /api/V1/savebusinessobject endpoint.

  • checkStatus: Checks the ticket status from Cherwell by calling the POST /api/V1/getsearchresults endpoint. Tickets with a “Queued” status will be polled based on the global IdentityNow check status duration.

Prerequisites & Installation

Managed Systems / Versions

The connector is compatible with Cherwell Service Desk (Cherwell On Demand).

Custom Connector Creation

To create the custom connector, follow these installation steps using the IdentityNow REST API:

  1. Create a New Connector: Use a POST request to /v2024/connectors.

    • Header Key Values:

      • Content-Type: application/json

      • Accept: application/json

      • Authorization: Bearer <token>

    • JSON Body:

      {
        "name": "Cherwell Service Desk Integration",
        "description": "Cherwell Service Desk Integration",
        "type": "custom connector type",
        "className": "sailpoint.connector.OpenConnectorAdapter",
        "directConnect": true,
        "status": "RELEASED"
      }
      
      
    • Note the value of the scriptName attribute from the result JSON.

  2. Update Connector Source Configuration: Use a POST request to /v2024/connectors/:scriptName/source-config to import the source-config.xml artifacts.

  3. Update Connector Source Template: Use a POST request to /v2024/connectors/:scriptName/source-template to import the source-template.xml artifacts.

  4. Update Connector Correlation Configuration: Use a POST request to /v2024/connectors/:scriptName/correlation-config to import the account-correlation-config.xml artifacts.

Note: All three XML files can be found in the config/cherwell-service-desk-integration folder.

Source Creation in ISC

  1. Open your ISC tenant and navigate to Admin > Connections > Sources > Create New.

  2. Select the Cherwell Service Desk Integration source type and fill in the following details:

    • Source Type: Cherwell Service Desk Integration

    • Source Name: Cherwell Service Desk

    • Description: Cherwell Service Desk

    • Connection Type: Direct Connection

  3. Click Continue.

  4. Configure the Owner and Virtual Appliance Cluster. Upload the source icon and click Save.

  5. Upload Jars:

    • Upload the Cherwell Integration JAR artifact.

    • Upload the velocity-engine-core-2.0.jar artifact. This JAR can be found in the Maven repository.

  6. Click Save.

Note: Test Connection and account aggregations are not enabled and will not work. This source is only for uploading the required JAR files.

Connector Integration Configuration

All configuration for this SIM integration is performed via the IdentityNow REST API. This is done by invoking a POST request to /beta/sim-integrations with a JSON body.

Example JSON Body

{
  "attributes": {
    "authType": "OAuth2",
    "catalogItem": {
      "2c91808466c584590166c6928f3d2d2c": "f90580b4dbb30300e30c76efbf96199a"
    },
    "clientId": "*****",
    "clientSecret": "*****",
    "refreshToken": "*****",
    "url": "https://sample-org.cherwellondemand.com/CherwellApi/",
    "splitAccountsOfSameID": true,
    "useSameBearerToken": true,
    "idnBaseUrl": "https://example.api.identitynow.com",
    "idnClientId": "1191e3647df74916a336a2f978cc662f",
    "idnClientSecret": "42d0037b6ba28451abc3d40e97019a70e82d8fcc8b552702612564196d8e196",
    "serviceSourceId": "2c912345680f6cbc501812173845b28c8"
  },
  "cluster": "2c9180886e389dc3016e4b5d485114bd",
  "description": "Cherwell Ticket Integration",
  "name": "Cherwell Ticket Integration",
  "request": {
    "BusinessObjectName": "Incident",
    "CreatedBy": "IDNAdmin",
    "CustomerRecId": "6dd53665c0c24cab86870a21cf6434ae",
    "Description": "#foreach($request in $plan.requests )\n#if ( $request.items )\nFor $request.id in $request.resource: #foreach ( $item in $request.items )$item.Operation $item.value to $item.name\n #end\n#end\n#end",
    "Fields": "CustomerRecId,Description,Priority,ShortDescription,Source,Status,IncidentID",
    "Priority": "4",
    "ShortDescription": "Testing incident creation using IdentityNow custom integration",
    "Source": "IdentityNow"
  },
  "sources": [
    "2c91808466c584590166c6928f3d2d2c"
  ],
  "statusMap": {
    "": "Queued",
    "Assigned": "Queued",
    "Closed": "Failed",
    "Default": "Committed",
    "In Progress": "Queued",
    "New": "Queued",
    "Pending": "Queued",
    "Reopened": "Queued",
    "Resolved": "Committed"
  },
  "type": "ServiceNow"
}

Configuration Details

  • catalogItem: The left entry is the delimited file source ID, and the right entry is a dummy value for API validation.

  • clientId / clientSecret: Username and password to connect to Cherwell.

  • refreshToken: The API token/Client ID for Cherwell.

  • url: The URL of your Cherwell tenant.

    • Example: https://{tenant}.cherwellondemand.com/CherwellApi/

  • splitAccountsOfSameID: (Optional) Set to true to split provisioning plans for requests from multiple sources.

  • useSameBearerToken: (Optional) Set to true to reuse a bearer token until it expires. Requires serviceSourceId, idnBaseUrl, idnClientId, and idnClientSecret.

  • request: The payload defining the request parameters.

    • The Fields entry is a comma-delimited list of fields required for ticket creation. IncidentID and status are required fields.

  • sources: The array of source IDs to link to this integration.

  • statusMap: A map of Cherwell statuses (left) to IdentityNow statuses (right).

    • Any status mapped to “Queued” will be continuously polled.

    • The connector will throw an exception if an invalid status is detected.

    • Available IdentityNow Statuses: Committed, Failed, Queued, Retry.

    Cherwell Service Desk Status    IdentityNow Status
    Assigned                        Queued
    Closed                          Failed
    In Progress                     Queued
    New                             Queued
    Pending                         Queued
    Reopened                        Queued
    Resolved                        Committed
    Default                         Committed

  • type: Currently set to "ServiceNow" due to known limitations.

Known Limitations

  • Single Static Service Desk: The integration only allows for a ticket to be created under a single, static service desk.

  • type Must be “ServiceNow”: The type attribute must be set to “ServiceNow” to work with the IdentityNow REST APIs.

  • Propagation Delays: Changes to the JAR and configurations may take time to propagate to the VA and CCG due to JVM-level caching.

  • Manual Class Alteration: After creating the API integration, a SailPoint staff member will need to manually alter the integration configuration to use the correct connector class from the uploaded JAR file, as the system defaults to the incorrect ServiceNow class.
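
Added example, not part of the post above and not SailPoint's or the README's own code: a pre-flight check that applies the rules stated in the Configuration Details, Security and Known Limitations sections to a SIM integration JSON body before it is sent to /beta/sim-integrations. The function name, message wording, the case-insensitive field comparison and the sample config are assumptions made for this example.

```python
from urllib.parse import urlparse

# Rules are taken from the README text in the post above; function and
# variable names are hypothetical, chosen for this example only.
ALLOWED_STATUSES = {"Committed", "Failed", "Queued", "Retry"}
REQUIRED_FIELDS = {"incidentid", "status"}  # compared case-insensitively (assumption)
TOKEN_REUSE_ATTRS = ("serviceSourceId", "idnBaseUrl", "idnClientId", "idnClientSecret")


def lint_sim_integration(cfg):
    """Return a list of problems in a SIM integration JSON body (as a dict)."""
    problems = []
    attrs = cfg.get("attributes", {})
    # Encryption section: all connector-to-Cherwell traffic is HTTPS.
    if urlparse(attrs.get("url") or "").scheme.lower() != "https":
        problems.append("attributes.url must be an https URL")
    # useSameBearerToken requires four companion attributes.
    if attrs.get("useSameBearerToken") is True:
        for key in TOKEN_REUSE_ATTRS:
            if not attrs.get(key):
                problems.append(f"useSameBearerToken needs attributes.{key}")
    # statusMap targets must be one of the four IdentityNow statuses.
    for cherwell, isc in cfg.get("statusMap", {}).items():
        if isc not in ALLOWED_STATUSES:
            problems.append(f"statusMap[{cherwell!r}] maps to invalid status {isc!r}")
    # request.Fields must list IncidentID and Status.
    raw = cfg.get("request", {}).get("Fields", "")
    fields = {f.strip().lower() for f in raw.split(",")}
    for missing in sorted(REQUIRED_FIELDS - fields):
        problems.append(f"request.Fields is missing {missing}")
    # Known limitation: type has to be "ServiceNow".
    if cfg.get("type") != "ServiceNow":
        problems.append('type must be "ServiceNow"')
    return problems


# Constructed sample with deliberate mistakes (not a real tenant or config).
SAMPLE_BAD = {
    "attributes": {"url": "http://sample-org.cherwellondemand.com/CherwellApi/",
                   "useSameBearerToken": True,
                   "idnBaseUrl": "https://example.api.identitynow.com"},
    "request": {"Fields": "CustomerRecId,Description,Priority,IncidentID"},
    "statusMap": {"New": "Queued", "Resolved": "Done"},
    "type": "Cherwell",
}

if __name__ == "__main__":
    for p in lint_sim_integration(SAMPLE_BAD):
        print("-", p)
```

Load the real body with `json.load` and pass the resulting dict; an empty list means none of the stated rules were violated.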
