Provisioning accounts from Entra ID to IdentityIQ, test connection gives 401

One of my clients would want to know if it is possible to provision identities to IdentityIQ from Entra ID (formerly Azure AD).

IdentityIQ provides a SCIM API and Entra ID can provision users using SCIM, so it looks like this will be a piece of cake :wink:

To configure provisioning in Entra ID the following steps need to be performed:

  1. Sign in to the Microsoft Entra admin center.
  2. Go to Identity > Applications > Enterprise applications.
  3. Select the application you want to configure for SCIM provisioning.
  4. Under Provisioning, set the Provisioning Mode to Automatic.
  5. Enter the SCIM endpoint URL and authentication credentials obtained from SailPoint IdentityIQ.
  6. Map the user attributes between Microsoft Entra ID and SailPoint IdentityIQ.

But I am stuck at point 5 :frowning:

I created an OAuth client in IIQ and the proxied user has the System Administrator capability (plus SCIM Executor and WebServices Executor). The IIQ server is almost Vanilla (did not use an OAuth Client before on this install).

Now I have a Client ID and a Secret, however Entra ID wants to have a Secret Token:

Whatever I test as Secret Token, I still get a 401 :frowning:

WWW-Authenticate: Basic Realm="IdentityIQ"
   Response Content: {"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"detail":"User does not have access.","status":"401"}

Does anyone have a clue on what to provide as Secret Token for the SCIM API of IdentityIQ?

Thanks for any idea!

– Remold

Just a thought here, why not use the Microsoft Entra ID (Formerly Azure Active Directory because we love Microsoft’s re-branding skills) connector to aggregate users into IIQ as an Authoritative Application?

Regardless, as far as I know SCIM APIs within IIQ can support basic authentication or OAuth2.0. Based on the following MS documentation (https://learn.microsoft.com/en-us/entra/identity/app-provisioning/user-provisioning) it looks like it requires a single bearer token. So you can try base64 encoding a username:password and try basic authorization OR try retrieving an OAuth token from IIQ to establish a Test Connection - but would have to figure out if Entra supports OAuth for API requests.

Found what you’re looking for - probably needs to be asked on MS forum though!

Handling endpoint authentication

Requests from Microsoft Entra provisioning service include an OAuth 2.0 bearer token. An authorization server issues the bearer token. Microsoft Entra ID is an example of a trusted authorization server. Configure the Microsoft Entra provisioning service to use one of the following tokens:

  • A long-lived bearer token. If the SCIM endpoint requires an OAuth bearer token from an issuer other than Microsoft Entra ID, then copy the required OAuth bearer token into the optional Secret Token field. In a development environment, you can use the testing token from the /scim/token endpoint. Test tokens shouldn’t be used in production environments.
  • Microsoft Entra bearer token. If Secret Token field is left blank, Microsoft Entra ID includes an OAuth bearer token issued from Microsoft Entra ID with each request. Apps that use Microsoft Entra ID as an identity provider can validate this Microsoft Entra ID-issued token.
    • The application that receives requests should validate the token issuer as being Microsoft Entra ID for an expected Microsoft Entra tenant.
    • An iss claim identifies the issuer of the token. For example, "iss":"https://sts.windows.net/aaaabbbb-0000-cccc-1111-dddd2222eeee/". In this example, the base address of the claim value, https://sts.windows.net identifies Microsoft Entra ID as the issuer, while the relative address segment, aaaabbbb-0000-cccc-1111-dddd2222eeee, is a unique identifier of the Microsoft Entra tenant for which the token was issued.
    • The audience for a token is the Application ID for the application in the gallery. Applications registered in a single tenant receive the same iss claim with SCIM requests. The application ID for all custom apps is 8adf8e6e-67b2-4cf2-a259-e3dc5476c621. The token generated by the Microsoft Entra ID should only be used for testing. It shouldn’t be used in production environments.
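The issuer and audience checks described in the quoted Microsoft text, as an added example (not code from the thread, SailPoint or Microsoft). It assumes the token's signature has already been verified against the tenant's signing keys by a JWT library; the sample token is constructed for offline use and carries no real signature.

```python
import base64
import json
import time

ENTRA_ISSUER_BASE = "https://sts.windows.net/"
# Fixed audience for all custom (non-gallery) apps, as quoted from the Microsoft docs above.
CUSTOM_APP_AUDIENCE = "8adf8e6e-67b2-4cf2-a259-e3dc5476c621"


def decode_jwt_payload(token: str) -> dict:
    """Return the claims segment of a compact JWT (signature is NOT checked here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def check_entra_claims(claims: dict, expected_tenant: str, now=None) -> list:
    """Return a list of problems; an empty list means issuer, tenant, audience and expiry pass."""
    problems = []
    iss = claims.get("iss", "")
    if not iss.startswith(ENTRA_ISSUER_BASE):
        problems.append(f"issuer {iss!r} is not Microsoft Entra ID")
    elif iss.rstrip("/").rsplit("/", 1)[-1] != expected_tenant:
        # Issuer is Entra, but the tenant segment is not the tenant we provisioned for.
        problems.append("token issued for a different tenant")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if CUSTOM_APP_AUDIENCE not in auds:
        problems.append(f"audience {aud!r} does not match the provisioning app id")
    exp = claims.get("exp")
    current = time.time() if now is None else now
    if exp is None or current >= exp:
        problems.append("token missing exp or expired")
    return problems


def make_unsigned_test_token(claims: dict) -> str:
    """Constructed sample token for offline demonstration only (placeholder signature)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder"
```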

We are testing both the options Entra ID push to (prov) IIQ and IIQ pull from (aggr) Entra ID.

The choice is based on ownership, security etc.
With Entra ID provisioning to IIQ, the accounts to be synced are defined within Entra ID (assign users to the application).
With IIQ aggregating from Entra ID the account selection is done within IIQ. It also allows IIQ to read all accounts (which might contain sensitive data, like which accounts have privileged roles).

– Remold

Thanks @nbhansali, using your information and MS Copilot I found:

To convert a Client ID and Secret from OAuth using IdentityIQ to a Secret Token for use with Microsoft Entra ID, follow these steps:

  1. Create an OAuth Client in IdentityIQ:

    • Navigate to Global Settings > API Authentication in IdentityIQ.
    • On the OAuth Client Management tab, click Create.
    • Enter a unique name for the Client and select a Proxy User.
    • Save the new OAuth client to generate the Client ID and Secret.
  2. Base64 Encode the Client ID and Secret:

    • Concatenate the Client ID and Client Secret with a colon (:) in between. For example, client_id:client_secret.
    • Encode this string using Base64. In Java, you can use the following code:
    import java.nio.charset.StandardCharsets;
    import java.util.Base64;

    public class Base64Example {
        public static void main(String[] args) {
            String clientId = "your_client_id";
            String clientSecret = "your_client_secret";
            // Basic-auth credential form: client_id:client_secret
            String toEncode = clientId + ":" + clientSecret;
            // Encode explicitly as UTF-8 instead of relying on the platform default charset
            String encodedString = Base64.getEncoder().encodeToString(toEncode.getBytes(StandardCharsets.UTF_8));
            System.out.println("Encoded string: " + encodedString);
        }
    }
    
  3. Request an Access Token from IdentityIQ:

    • Use the Base64 encoded string to request an access token. Here’s an example using curl:
    curl -X POST \
      -H "Authorization: Basic <Base64EncodedClientID:ClientSecret>" \
      -d "grant_type=client_credentials" \
      https://<identityiq_url>/identityiq/oauth2/token
    

    Replace <Base64EncodedClientID:ClientSecret> with your actual Base64 encoded string and <identityiq_url> with your IdentityIQ URL.

  4. Use the Access Token with Microsoft Entra ID:

    • The response from IdentityIQ will include an access token. Use this token to authenticate API requests to Microsoft Entra ID.

This process ensures that your OAuth credentials from IdentityIQ are securely converted into a token that can be used with Microsoft Entra ID¹(OAuth 2.0 (client credentials) as a token-based protocol for API authentication - Compass)²(API Authentication)³(Client Credentials Flow).


I have tested the above and it seems to work. Test connection is working and I can provision a new account :slight_smile:

– Remold

2 Likes
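The token exchange from the steps above, carried through end to end as an added example (not code from the thread or from SailPoint). It assumes the /identityiq/oauth2/token endpoint and client_credentials grant shown in the curl call, and it flags a token whose lifetime exceeds the 5-minute IIQ default, since that is the global setting the thread raises to satisfy Entra's long-lived Secret Token.

```python
import base64
import json
import urllib.parse
import urllib.request

# Default IIQ access-token lifetime mentioned in the thread: 5 minutes.
DEFAULT_IIQ_TOKEN_SECONDS = 300


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the 'Basic <base64(client_id:client_secret)>' header value."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(base_url: str, client_id: str, client_secret: str) -> urllib.request.Request:
    """Prepare the POST that exchanges client credentials for an IIQ access token."""
    url = base_url.rstrip("/") + "/identityiq/oauth2/token"
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode("ascii")
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def parse_token_response(body: str) -> dict:
    """Extract the access token and lifetime; mark tokens living longer than the IIQ default."""
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError(f"no access_token in response: {data}")
    expires_in = int(data.get("expires_in", 0))
    return {
        "token": data["access_token"],
        "expires_in": expires_in,
        # True when the global expiry was raised; this token is now a long-lived credential
        # with the proxy user's capabilities and should be stored and rotated accordingly.
        "long_lived": expires_in > DEFAULT_IIQ_TOKEN_SECONDS,
    }


def fetch_access_token(base_url: str, client_id: str, client_secret: str) -> dict:
    """Perform the exchange; the returned token is what goes into Entra's Secret Token field."""
    req = build_token_request(base_url, client_id, client_secret)
    with urllib.request.urlopen(req) as resp:
        return parse_token_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Placeholder values: use the OAuth client created under Global Settings > API Authentication.
    result = fetch_access_token("https://iiq.example.com", "your_client_id", "your_client_secret")
    print(json.dumps({**result, "token": result["token"][:12] + "..."}, indent=2))
```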

Got it - looks like Entra would require some sort of long-lived bearer token. So just for testing I would configure a token for a very long time & see if it works. Wouldn’t recommend doing that as a long-term solution OR in production but you asked for feasibility. Would dig into MS documentation or create a support ticket to figure out if the SCIM app you are using supports OAuth.

To get a token you can go into postman and invoke the following after you configure an OAuth client in IIQ to get the clientid & secret.

1 Like

:stuck_out_tongue: we’ll all be replaced by AI very soon! Didn’t even need me!

And using the Rule Runner Plugin the conversion is even simpler:

import java.nio.charset.StandardCharsets;
import java.util.Base64;

// Client ID and Secret of the IIQ OAuth client, separated by a colon
String originalInput = "clientId:Secret";

// Encode the string (explicit UTF-8 instead of the platform default charset)
String encodedString = Base64.getEncoder().encodeToString(originalInput.getBytes(StandardCharsets.UTF_8));
return "Encoded string: " + encodedString;

:slight_smile:

1 Like

That’s indeed an issue. Long lived Access Tokens are not a good idea :frowning:

1 Like

Just speaking from experience, anything with Microsoft is not built with modern security in mind. We’ve had nightmares trying to get them to do the right thing. Go SailPoint! :stuck_out_tongue:

Again Copilot (yes I love this little friend next to me):

To configure OAuth 2.0 for SCIM in Microsoft Entra ID, follow these steps:

  1. Register the Application in Microsoft Entra ID:

    • Sign in to the Microsoft Entra admin center.
    • Go to App registrations and select New registration.
    • Enter a name for the application and set the Redirect URI to the appropriate value for your SCIM server.
    • Click Register.
  2. Configure API Permissions:

    • After registering the application, go to API permissions.
    • Click Add a permission and select Microsoft Graph.
    • Choose the necessary permissions, such as User.Read and Group.Read.All.
    • Click Add permissions and then Grant admin consent.
  3. Generate Client Secret:

    • Go to Certificates & secrets.
    • Click New client secret and enter a description.
    • Set the expiration period and click Add.
    • Copy the client secret value and store it securely.
  4. Configure the SCIM Endpoint:

    • In the Microsoft Entra admin center, go to Identity > Applications > Enterprise applications.
    • Select the application you registered.
    • Under Provisioning, set the Provisioning Mode to Automatic.
    • Enter the SCIM endpoint URL and the client secret generated earlier.
    • Click Test Connection to ensure the configuration is correct.
  5. Set Up OAuth 2.0 Authentication:

    • In the SCIM connector settings of your application, configure OAuth 2.0 by entering the client ID, client secret, and token endpoint URL.
    • Ensure that the SCIM server is set up to accept OAuth 2.0 tokens for authentication.
  6. Test and Monitor:

    • Create a test user in Microsoft Entra ID and verify that it is provisioned to the SCIM endpoint.
    • Monitor the provisioning logs for any errors and ensure that the OAuth 2.0 tokens are being used correctly.

For detailed instructions and specific configuration parameters, refer to the Microsoft documentation on OAuth 2.0 authorization¹(OAuth 2.0 authorization with Microsoft Entra ID - Microsoft Entra | Microsoft Learn) and SCIM provisioning²(Microsoft Entra on-premises app provisioning to SCIM-enabled apps - Microsoft Entra ID | Microsoft Learn).


Now to find time to test this out :frowning:

– Remold

Unless I’m mistaken that seems like a SCIM connector back to the MS Graph APIs?

It looks ok. To provision, the app registration needs to read the user objects from Entra ID.

The issue with this is: The long lived clientid/secret is generated at Entra ID side and must be configured into IIQ.

– Remold

I performed a PoC and it is possible to create users from Entra ID using an Enterprise Application provisioning to IdentityIQ using SCIM, but …

Entra ID only supports a ‘Long-lived bearer token’ OAuth2.0 authentication to non-gallery applications (IdentityIQ is not a gallery app in Entra ID).
(Tutorial - Develop a SCIM endpoint for user provisioning to apps from Microsoft Entra ID - Microsoft Entra ID )

IdentityIQ only provides the ‘Client Credentials’ OAuth2.0 grant type (Client ID and a Secret). With the Client ID and the Secret an access-token can be created which can be used as the bearer token for the provisioning credentials. It is possible to change the access token expiration time in IdentityIQ from 5 minutes (default) to years, but this is a global setting for all OAuth2.0 access tokens within IdentityIQ.

Considerations:

  • Long Lived Bearer Tokens (Access Tokens) increase the security risk if they are compromised
  • Changing token expiration time to create long Lived Access Tokens applies to all IdentityIQ Access Tokens
  • To have Entra ID create identities in IdentityIQ it is also possible to change any identity in IdentityIQ
  • It is possible to send a request to Microsoft to publish an application to the Microsoft Entra application Gallery to get Client Credential Support for SCIM in Entra ID. However Microsoft is not accepting new requests for provisioning applications. (We are currently not accepting new SSO or provisioning requests while we focus on the Secure Future Initiative. Update requests will be processed on a case-by-case basis.) See: Submit a request to publish your application - Microsoft Entra ID

– Remold

2 Likes

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.