Read credentials from CyberArk in the AD After provisioning Rule

Which IIQ version are you inquiring about?

8.4p2

Hi All,

We have enabled credential cycling for the AD application in our environment. Now we have a requirement to fetch the IQService and domain settings credentials from CyberArk in the after provisioning rule to call the PowerShell script.

Please let us know if anyone has managed to retrieve the credentials from CyberArk in Rules.

Good morning Shrivanand, yes, we have achieved this functionality. Look into the sailpoint.pam.credential.CyberArkCredentialManager class. I don’t think there is documentation available in the general JavaDocs, but there are other ways to investigate the functionality of the class. Hoping the example below may set you on the right course.

import sailpoint.pam.credential.CyberArkCredentialManager;
import sailpoint.pam.credential.Response; // assumed to live in the same package as Request

String getCAAttribute(String appId, String folder, String safe, String object, String attribute) {

    // The entries below are exactly what you would have configured in the CredentialConfiguration.
    // We've added an extra step in here to encrypt the returned password; the consumer
    // of the password must then decrypt it.

    sailpoint.pam.credential.Request req = new sailpoint.pam.credential.Request(new sailpoint.pam.credential.Configuration());

    req.put("appId", appId);
    req.put("folder", folder);
    req.put("safe", safe);
    req.put("object", object);
    req.setAttributeName(attribute); // This is the "credentialAttributeName" for a CredentialAssociation.

    CyberArkCredentialManager credMgr = new CyberArkCredentialManager(new sailpoint.pam.credential.Configuration());
    Response response = credMgr.getCredential(req);
    String attributeValue = null;
    // Null-safe, case-insensitive check; "context" is the SailPointContext available to the rule.
    if ("password".equalsIgnoreCase(attribute)) {
        attributeValue = context.encrypt(response.getString(attribute));
    } else {
        attributeValue = response.getString(attribute);
    }
    return attributeValue;
}

Thank you very much Kevin for providing the code snippet, it is really useful for us.
