Connecting SailPoint IdentityIQ to SecureAuth IdP 9.2
Introduction
Use this guide to connect SailPoint IdentityIQ to SecureAuth IdP in order to enable User Risk Adaptive Authentication analysis.
For more information on configuring Adaptive Authentication, see Adaptive Authentication Tab Configuration.
SailPoint IdentityIQ is an identity governance solution that analyzes user risk based on the level of access a user has, and can detect when a user's access controls may be violating policy or misconfigured to provide excessive access. IdentityIQ then quantifies this information into a user reputation risk score.
For example, an HR manager's user account would naturally be assigned a high user risk score since that account has access to confidential data and systems, while an intern's user account with limited network access would have a low user risk score. However, if the intern's user account was inadvertantly given access to the HR database, IdentityIQ would assign a high user risk score, alerting information managers to a potential misconfiguration and security risk.
Connect to SailPoint via REST API v2.
In SecureAuth IdP version 9.2, a new offering is availablefrom SecureAuth's Prevent Threat Service package. Advancedadaptive capability powered by machine learning tracks and analyzes the login behavior patterns of authorized users for a period of time to identify their normal patterns, and then assigns each user a personal risk score. Bad actors' attempts to impersonate authorized users in order to gain access to the targeted site fail, since a login behavior pattern and risk score are unique to each user. See Machine learning User Risk Score calculations in Adaptive Authentication (version 9.2) and SecureAuth IdP 9.2.0-19 hotfix for machine learning deployment for more information.
Prerequisites
1. Ensure SecureAuth IdP v9.1+ is running
2. Have an existing on-premises installation of SailPoint IdentityIQ
3. Have a Trusted Certificate installed on the SailPoint server
Configuration Steps
Note
REST API v2 is supported in SailPoint v7.0p2+
SecureAuth IdP Configuration Steps
Adaptive Authentication
User Risk
 |
1. In the User Risk section, toggle the switch to Enabled to enable this analysis feature
2. Click Add User Risk Score Provider
Add New Risk Provider
 |
3. Configure the Risk Ranges for Minimum, Medium, High, and Maximum risk scores
4. Under Connection Settings, enter the Risk Score Provider Name
5. Enter the Base URL of the SailPoint instance in the format https://services.company.com:59
6. Enter /identityiq/scim/v2/Users/{username} in the Get Profile Relative URL field
7. Select Basic from the Authentication Method dropdown
8. Enter a Username from the SailPoint service account that has access to retrieve user profile information
9. Provide the Password associated with the Username
10. From the Risk Score User Identifier dropdown, select the field to store the user risk score – which is the directory Profile Field mapped to the Property configured on the Data page
NOTE: The default setting is User Authenticated ID which is usually used by SecureAuth User Risk
11. Enter {urn:ietf:params:scim:schemas:sailpoint:1.0:User}{riskScore} as the Risk Score JSON Path of the Risk Score User Identifier
12. Click Save to save the SailPoint user risk configuration
 |
13. Under User Risk Score Actions, specify the action SecureAuth IdP will take if the user risk score falls within the specified range by making a selection from the dropdown
a. High Risk - SecureAuth IdP will execute this action if the user risk score falls within the upper range
b. Medium Risk - SecureAuth IdP will execute this action if the user risk score falls within the middle range
c. Low Risk - SecureAuth IdP will execute this action if the user risk score falls within the lower range
d. Score Unavailable - SecureAuth IdP will execute this action if the user risk score cannot be retrieved
This action can occur if the user is not found in the data source or does not have a score assigned in the data source
See the KB article Unable to Communicate with the User Risk Adaptive Authentication Data Provider for more information if SecureAuth IdP is unable to communicate with the data source
Data
Profile Fields
 |
1. In the Profile Fields section, map the riskScore JSON path to a chosen Property (e.g. Phone 4) as follows:
a. Click the Source link to the right of the selected Property (usually labeled "Default Provider")
b. Select REST from the dropdown
c. In the Field text box, enter {urn:ietf:params:scim:schemas:sailpoint:1.0:User}{riskScore} as the riskScore JSON path
Warning
Click Save once the configuration has been completed and before leaving the Data page to avoid losing changes
Adaptive Authentication
User Risk
 |
2. In the User Risk section, toggle the switch to Enabled to enable this analysis feature
3. Click Add User Risk Score Provider
Add New Risk Provider
|
4. Configure the Risk Ranges for Minimum, Medium, High, and Maximum risk scores
5. Under Connection Settings, enter the Risk Score Provider Name
6. Enter the Base URL of the SailPoint instance in the format https://services.company.com:59
7. Enter /identityiq/scim/v2/Users/{username} in the Get Profile Relative URL field
8. Select Basic from the Authentication Method dropdown
9. Enter a Username from the SailPoint service account that has access to retrieve user profile information
10. Provide the Password associated with the Username
11. From the Risk Score User Identifier dropdown, select the field to store the user risk score – which is the directory Profile Field mapped to the Property configured on the Data page
NOTE: The default setting is User Authenticated ID which is usually used by SecureAuth User Risk
12. Enter {urn:ietf:params:scim:schemas:sailpoint:1.0:User}{riskScore} as the Risk Score JSON Path of the Risk Score User Identifier
13. Click Save to save the SailPoint user risk configuration
 |
14. Under User Risk Score Actions, specify the action SecureAuth IdP will take if the user risk score falls within the specified range by making a selection from the dropdown
a. High Risk - SecureAuth IdP will execute this action if the user risk score falls within the upper range
b. Medium Risk - SecureAuth IdP will execute this action if the user risk score falls within the middle range
c. Low Risk - SecureAuth IdP will execute this action if the user risk score falls within the lower range
d. Score Unavailable - SecureAuth IdP will execute this action if the user risk score cannot be retrieved
This action can occur if the user is not found in the data source or does not have a score assigned in the data source
See the KB article Unable to Communicate with the User Risk Adaptive Authentication Data Provider for more information if SecureAuth IdP is unable to communicate with the data source
Warning
Click Save once the configuration has been completed and before leaving the Adaptive Authentication page to avoid losing changes