Introduction

Use this guide to connect SailPoint IdentityIQ to SecureAuth IdP in order to enable User Risk Adaptive Authentication analysis.

For more information on configuring Adaptive Authentication, see Adaptive Authentication Configuration (version 9.0.1 - 9.0.2).

SailPoint IdentityIQ is an identity governance solution that analyzes user risk based on the level of access a user has, and can detect when a user's access controls may be violating policy or misconfigured to provide excessive access. IdentityIQ then quantifies this information into a user reputation risk score.

For example, an HR manager's user account would naturally be assigned a high user risk score since that account has access to confidential data and systems, while an intern's user account with limited network access would have a low user risk score. However, if the intern's user account was inadvertently given access to the HR database, IdentityIQ would assign a high user risk score, alerting information managers to a potential misconfiguration and security risk.

Connect to SailPoint in one of the following ways: REST API, SQL Server, Oracle, or MySQL via ODBC. The configuration steps for each method follow the Prerequisites.

Prerequisites

1. Have an existing on-premises installation of SailPoint IdentityIQ.

2. Have a Trusted Certificate installed on the SailPoint server.

REST API is only supported in SailPoint v7.0p2 and beyond.

For pre-7.0p2 versions of SailPoint, use SQL Server, Oracle, or MySQL.

SecureAuth IdP Configuration Steps (REST API)
Data

1. In the Profile Connection Settings section, configure the following settings:

  • Data Server: REST API (read only)
  • Base URL: Enter the root URL of the SailPoint instance
  • Get Profile Relative URL: /identityiq/scim/v2/Users/{username}
  • Authentication Method: Basic
  • Username: Provide the Username of a SailPoint service account that has access to retrieve user profile information
  • Password: Provide the Password associated with the Username
Profile Fields

2. In the Profile Fields section, map the riskScore JSON path to a chosen Property (e.g. Phone 4) as follows:

a. Click the Source link next to the selected Property (usually "Default Provider").
b. In the dropdown that appears, select REST.
c. In the Field text box, enter the riskScore JSON path: {urn:ietf:params:scim:schemas:sailpoint:1.0:User}{riskScore}

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes.

SecureAuth IdP Configuration Steps (SQL Server)
Data

1. In the Profile Connection Settings section, set the Data Server dropdown to SQL Server.

2. Configure the remaining Datastore Type fields with the correct settings to connect to the datastore.

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes.

Adaptive Authentication

3. Check Enable User Risk.

4. In the From field of each risk level (High, Medium, Low), enter the User Risk score that will trigger the Action for that level.

5. In the Action dropdown for each risk level (High, Medium, Low), configure the action to be taken when the User Risk score of an end-user falls within the specified range.

6. In the No Score Returned field, configure the action to take when the Adaptive Authentication engine is unable to retrieve an end-user's risk score.

7. In the Profile Field dropdown, assign the directory profile field (located in the Data tab) where the User Risk score is mapped.

Click Save once the configurations have been completed and before leaving the Adaptive Authentication page to avoid losing changes.
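As an added example (not SecureAuth or SailPoint code), the following Python models the REST API lookup configured on the Data page and the User Risk evaluation from steps 3 to 7: it builds the Get Profile request with Basic authentication, follows the {urn:ietf:params:scim:schemas:sailpoint:1.0:User}{riskScore} path through a constructed SCIM response, and picks the Action by the per-level From values, falling back to the No Score Returned action when no score can be read. The response layout, the threshold values, the action labels, and the rule that a score below every From value matches no level are assumptions for this example, not taken from the page.

```python
"""Added example (not SecureAuth or SailPoint code): models the REST API
profile lookup and the User Risk evaluation described on this page.

Assumptions (labelled here and in the comments):
  * the SCIM user carries the SailPoint extension object under the key
    "urn:ietf:params:scim:schemas:sailpoint:1.0:User" with a "riskScore"
    member, which is what the JSON path on the page implies;
  * the sample response, thresholds and action labels are constructed;
  * a score below the lowest "From" value matches no level.
"""
import base64
import json
from urllib.parse import quote

SAILPOINT_EXT = "urn:ietf:params:scim:schemas:sailpoint:1.0:User"
GET_PROFILE_RELATIVE_URL = "/identityiq/scim/v2/Users/{username}"


def build_profile_request(base_url, username, svc_user, svc_password):
    """Return (url, headers) for the Get Profile call using Basic auth."""
    # Percent-encode the username so a value containing '/' or '?' cannot
    # change the request path the IdP sends to SailPoint.
    path = GET_PROFILE_RELATIVE_URL.format(username=quote(username, safe=""))
    token = base64.b64encode(f"{svc_user}:{svc_password}".encode()).decode()
    return base_url.rstrip("/") + path, {"Authorization": "Basic " + token}


def extract_risk_score(scim_user):
    """Follow {urn:...:sailpoint:1.0:User}{riskScore}; None when absent."""
    ext = scim_user.get(SAILPOINT_EXT)
    if not isinstance(ext, dict) or "riskScore" not in ext:
        return None
    try:
        return int(ext["riskScore"])
    except (TypeError, ValueError):
        # A non-numeric score is treated like "no score returned".
        return None


def evaluate_user_risk(score, from_thresholds, actions, no_score_action):
    """Pick the Action for a score using the per-level From values.

    from_thresholds / actions: dicts keyed "High", "Medium", "Low".
    A level applies when score >= its From value; the highest such level
    wins.  A score below every From value matches no level (assumption).
    """
    if score is None:
        return no_score_action
    for level in ("High", "Medium", "Low"):
        if score >= from_thresholds[level]:
            return actions[level]
    return None


# Constructed sample SCIM user in the shape the JSON path implies.
SAMPLE_USER = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User",
              "urn:ietf:params:scim:schemas:sailpoint:1.0:User"],
  "userName": "jdoe",
  "urn:ietf:params:scim:schemas:sailpoint:1.0:User": {"riskScore": 750}
}
""")

# Constructed From values and action labels (not taken from the page).
FROM_THRESHOLDS = {"High": 700, "Medium": 400, "Low": 100}
ACTIONS = {"High": "deny", "Medium": "step-up", "Low": "allow"}
NO_SCORE_ACTION = "step-up"

if __name__ == "__main__":
    url, headers = build_profile_request(
        "https://sailpoint.example.com", "jdoe", "svc_account", "secret")
    print(url, headers["Authorization"])
    score = extract_risk_score(SAMPLE_USER)
    print(score, evaluate_user_risk(score, FROM_THRESHOLDS, ACTIONS, NO_SCORE_ACTION))
```

The Basic credential is only as safe as the transport, which is why the Prerequisites require a trusted certificate on the SailPoint server; the encoding is Base64, not encryption.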

SQL Server Configuration Steps

8. In SQL Server, ensure that the userRisk score is mapped to the same Profile field chosen in Step 7.

SecureAuth IdP Configuration Steps (Oracle)
Data

1. In the Profile Connection Settings section, set the Data Server dropdown to Oracle.

2. Configure the remaining Datastore Type fields with the correct settings to connect to the datastore.

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes.

Adaptive Authentication

3. Check Enable User Risk.

4. In the From field of each risk level (High, Medium, Low), enter the User Risk score that will trigger the Action for that level.

5. In the Action dropdown for each risk level (High, Medium, Low), configure the action to be taken when the User Risk score of an end-user falls within the specified range (see Definitions for more information on actions).

6. In the No Score Returned field, configure the action to take when the Adaptive Authentication engine is unable to retrieve an end-user's risk score.

7. In the Profile Field dropdown, assign the directory profile field (located in the Data tab) where the User Risk score is mapped.

Click Save once the configurations have been completed and before leaving the Adaptive Authentication page to avoid losing changes.

Oracle Database Configuration Steps

8. In Oracle, ensure that the userRisk score is mapped to the same Profile field chosen in Step 7.

SecureAuth IdP Configuration Steps (MySQL via ODBC)
Data

1. In the Profile Connection Settings section, configure the following settings:

  • Data Store: ODBC
  • Connection String: Data Source=[ServerName];Initial Catalog=[DatabaseName];User ID=[UserName];Password=[Password]
  • (optional) Get Profile SP: if using a non-default stored procedure name enter it here; otherwise leave blank

    Note: Replace <ProfileField> below with the Profile Field being used to contain the Risk Score (e.g. Phone4).

    sp_GetUserProfile

    DELIMITER $$
    -- Returns the SailPoint composite risk score for one identity, aliased to the
    -- SecureAuth Profile Field so the ODBC data store can map it.
    -- The DEFINER shown is the one on this page; a dedicated account with only the
    -- needed privileges can be substituted.
    CREATE DEFINER=`root`@`%` PROCEDURE `sp_GetUserProfile`(username varchar(250))
    BEGIN
    SELECT spt_scorecard.composite_score AS <ProfileField>
    FROM spt_identity
    INNER JOIN spt_scorecard ON spt_identity.scorecard = spt_scorecard.id
    WHERE spt_identity.name = username;
    END$$
    DELIMITER ;

  • (optional) Update Profile SP: if using a non-default stored procedure name enter it here; otherwise leave blank

Click Save once the configurations have been completed and before leaving the Data page to avoid losing changes.

Adaptive Authentication

2. Check Enable User Risk.

3. In the From field of each risk level (High, Medium, Low), enter the User Risk score that will trigger the Action for that level.

4. In the Action dropdown for each risk level (High, Medium, Low), configure the action to be taken when the User Risk score of an end-user falls within the specified range (see Definitions for more information on actions).

5. In the No Score Returned field, configure the action to take when the Adaptive Authentication engine is unable to retrieve an end-user's risk score.

6. In the Profile Field dropdown, assign the directory profile field (located in the Data tab) where the User Risk score is mapped.

Click Save once the configurations have been completed and before leaving the Adaptive Authentication page to avoid losing changes.

ODBC Data Source Administrator Configuration Steps

7. Open the ODBC Data Source Administrator.

a. In Windows, click the Start button or icon.
b. Type ODBC.
c. Select Data Sources (ODBC).

The ODBC Data Source Administrator opens.

8. Select the System DSN tab.

9. Click Add.

The Create New Data Source window opens.
10. Select the MySQL ODBC 5.3 ANSI Driver.

If this driver is not installed, it can be obtained from https://dev.MySQL.com/downloads/connector/odbc/

11. Click Finish.
12. Follow the prompts to finish configuring the ODBC connector on the server.

SailPoint MySQL Database Configuration Steps

13. Create the sp_GetUserProfile stored procedure below on the SailPoint MySQL database.

Replace <ProfileField> below with the Profile Field being used to map the Risk Score (e.g. Phone4).

DELIMITER $$
-- Stored procedure the ODBC data store calls to fetch one identity's composite
-- risk score. The procedure name matches the sp_GetUserProfile name used in
-- Step 13 and in the Get Profile SP setting above.
CREATE DEFINER=`root`@`%` PROCEDURE `sp_GetUserProfile`(username varchar(250))
BEGIN
SELECT spt_scorecard.composite_score AS <ProfileField>
FROM spt_identity
INNER JOIN spt_scorecard ON spt_identity.scorecard = spt_scorecard.id
WHERE spt_identity.name = username;
END$$
DELIMITER ;