Service Principal Account Management

Which IIQ version are you inquiring about?

8.4 p1

Hello Team,

We want to aggregate the Service Principals from Azure to SailPoint IIQ.

We have the following concerns and require your guidance:

Object Type Configuration:

  1. In the Azure application configuration in IIQ, we are unable to find any specific object type that corresponds to Service Principals. Could you confirm whether Service Principals are supported, and if so, which object type we need to configure to include them?

  2. I could see in the document that we can enable the features. Could you please explain how we can get the object type Service Principal?

Account Schema Update:

  1. As per the documentation, we have added the recommended attributes to the account schema. Despite this, we are still only fetching user accounts and not Service Principals during aggregation. Could you help us identify any additional configurations required?
    Service Principal as Accounts Attributes

Additional Configuration Steps:

If applicable, could you provide detailed documentation or guidance on how to enable this functionality?

Hi @deepakn ,

In SailPoint IIQ version 8.4p1, Service Principals are natively supported as an object type. You should be able to see the Service Principal object type by default in your configuration. If this object type is not visible, you may need to add it manually.

If you want to add the service principals as an object type, you can add it from the configuration.

Otherwise, add the schema below directly to the application XML using debug.

<Schema aggregationType="group" created="" descriptionAttribute="displayName" displayAttribute="displayName" id="" identityAttribute="objectId" nativeObjectType="servicePrincipal" objectType="servicePrincipal">
  <AttributeDefinition name="displayName" type="string">
    <Description>ServicePrincipal name</Description>
  </AttributeDefinition>
  <AttributeDefinition name="servicePrincipalType" type="string">
    <Description>ServicePrincipal type</Description>
  </AttributeDefinition>
  <AttributeDefinition name="objectId" type="string">
    <Description>ServicePrincipal ID</Description>
  </AttributeDefinition>
  <AttributeDefinition multi="true" name="owners" type="string">
    <Description>ServicePrincipal Owners</Description>
  </AttributeDefinition>
  <AttributeDefinition multi="true" name="appRoles" type="string">
    <Description>ServicePrincipal Roles</Description>
  </AttributeDefinition>
</Schema>

When you run the group aggregation, service principals are also fetched into SailPoint. When setting up the group aggregation, make sure that the filter for object types includes Service Principals. If the filter is incorrectly configured to exclude Service Principals, they will not be fetched during aggregation.

Hi @Arun-Kumar,

Thanks for helping with the details. I can now see the service principal object. However, when running the group aggregation, we are receiving an error. We have a customization rule in place for groups to fetch only the cloud-only group. I’m not sure if this is causing the error.

Exception during aggregation of Object Type Group on Application Azure_Test_APP. Reason: java.lang.RuntimeException: sailpoint.connector.ConnectorException: failed to lazily initialize a collection of role: sailpoint.object.Rule.referencedRules, could not initialize proxy - no Session

Could you please let me know how I can approach this situation?

Hi @deepakn ,

The error is being caused by the customization rule in place.

Hi @Arun-Kumar, can you please let me know how we can overcome this error? I want to filter out cloud only groups and get the service principals also.

Hi @deepakn ,

Please provide the customization rules that you are using in the group aggregation. Additionally, are you utilizing any group refresh rule?

@Arun-Kumar

if (null == object.getAttribute("dirSyncEnabled")) → Customization rule to fetch Cloud Only Groups.

Yes, we are using Group refresh rule also.

Hi @deepakn ,

Share the Group refresh rule as well.

Hi @Arun-Kumar,

Thanks for the support! I’ve resolved the issue. Could you please confirm if, in SailPoint IIQ version 8.1p3, Service Principals are natively supported as an object type?

@deepakn ,

Yes, Service Principals are supported in SailPoint IIQ version 8.1p3.

Hi @Arun-Kumar,

Can we run all the group-type aggregations in a single group aggregation? When I tried running the group aggregation without a filter, I received the following error:

Exception during aggregation of Object Type Group on Application Azure_Test_APP. Reason: java.lang.RuntimeException: sailpoint.connector.ConnectorException: failed to lazily initialize a collection of role: sailpoint.object.Rule.referencedRules, could not initialize proxy - no Session

I believe this issue is due to the Customization Rule we used for the Azure Cloud Only group aggregation. Here is the rule in question:

if (null == object.getAttribute("dirSyncEnabled")) → Customization rule to fetch Cloud Only Groups.

Could you provide some suggestions on how to overcome this issue? We are looking to run all group types in a single aggregation instead of having separate tasks for each group type, such as Service Principal, Group, and Role.

@deepakn ,

Yes, you can run the group aggregation without enabling the “Filter object types to scan” option, as this will include all object types. I assume you are also using the Group Refresh rule. This error could be originating from the Group Refresh rule. Could you please share the details of the rule for further analysis?

Adding the Group refresh rule.

I have created a separate task for the Service Principal aggregation. Even though that task also has the group refresh rule, it works fine and I receive no error.

When I run each group aggregation separately with a filter for the object type, it works fine using the same group refresh rule.

@deepakn ,

Try using the IncrementalObjectIterator in your Group refresh rule instead of the standard Iterator.

IncrementalObjectIterator iterator = new IncrementalObjectIterator(context, SailPointObject.class, queryOptions);

@Arun-Kumar Can you explain what the issue would be here, and also let me know where to use the IncrementalObjectIterator?

@deepakn ,

It is a recommended best practice when iterating over objects. Let's try this.

// context, options (a QueryOptions) and accountGroup (the ManagedAttribute being refreshed)
// come from the Group Refresh Rule's arguments and the code above this point.
IncrementalObjectIterator iterator = new IncrementalObjectIterator(context, Identity.class, options);
if (iterator != null) {
    // Page through the matching identities instead of loading the whole result set at once.
    while (iterator.hasNext()) {
        Identity ownerIdentity = (Identity) iterator.next();
        if (ownerIdentity != null) {
            accountGroup.setOwner(ownerIdentity);
        }
    }
}
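As an added example that is not code from this thread, here is a Group Refresh Rule in Java/BeanShell that uses IncrementalObjectIterator as suggested above (with the import the later reply points out) to resolve the owner of a service principal from the owners attribute in the schema posted earlier, while leaving group and role objects untouched so one aggregation task can cover every object type. It assumes the standard Group Refresh Rule arguments obj, accountGroup, groupApplication and context, and that the owner values are Azure object IDs matching the nativeIdentity of the owner's Link on this application.

```java
// Group Refresh Rule (BeanShell, Java syntax). Assumed rule arguments:
// obj (ResourceObject), accountGroup (ManagedAttribute),
// groupApplication (Application), context (SailPointContext).
import java.util.List;
import sailpoint.api.IncrementalObjectIterator;
import sailpoint.object.Filter;
import sailpoint.object.Identity;
import sailpoint.object.Link;
import sailpoint.object.QueryOptions;
import sailpoint.tools.Util;

// Only service principals carry the multi-valued "owners" attribute from the schema;
// groups and roles fall straight through to the return, so one task can aggregate all types.
if ("servicePrincipal".equals(obj.getObjectType())) {
    List owners = (List) obj.getAttribute("owners");
    if (owners != null && !owners.isEmpty()) {
        // Assumption: each owner value is the Azure object ID of a user, which is the
        // nativeIdentity of that user's Link on this application. First owner wins.
        String ownerId = (String) owners.get(0);
        QueryOptions ops = new QueryOptions();
        ops.addFilter(Filter.and(
            Filter.eq("application", groupApplication),
            Filter.eq("nativeIdentity", ownerId)));

        // IncrementalObjectIterator pages through results rather than loading them all;
        // flushIterator releases the cursor even when we stop after the first match.
        IncrementalObjectIterator it = new IncrementalObjectIterator(context, Link.class, ops);
        try {
            if (it.hasNext()) {
                Link link = (Link) it.next();
                Identity owner = link.getIdentity();
                if (owner != null) {
                    accountGroup.setOwner(owner);
                }
            }
        } finally {
            Util.flushIterator(it);
        }
    }
}
return accountGroup;
```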

@Arun-Kumar ,

As you mentioned, I have added the code, but I'm receiving the below error.

Exception during aggregation of 0ddaf3d2-k3n3-847a-l2k3-bda3bf9dea77. Reason: BeanShell script error: bsh.EvalError: Sourced file: inline evaluation of: import java.util.Map; import sailpoint.api.SailPointContext; import sailpoint.ob . . . '' : Typed variable declaration : Class: IncrementalObjectIterator not found in namespace : at Line: 44 : in file: inline evaluation of: import java.util.Map; import sailpoint.api.SailPointContext; import sailpoint.ob . . . ‘’ : IncrementalObjectIterator BSF info: GroupAggregation Azure at line: 0 column: columnNo

@deepakn ,

Add the below import statement to the Group Refresh Rule.

import sailpoint.api.IncrementalObjectIterator;

@Arun-Kumar, still receiving the following error:

Exception during aggregation of Object Type Group on Application Azure_Role_Test. Reason: java.lang.RuntimeException: sailpoint.connector.ConnectorException: failed to lazily initialize a collection of role: sailpoint.object.Rule.referencedRules, could not initialize proxy - no Session