Documentation

Table of Contents


Other Resources


This topic describes how to connect SailPoint IdentityIQ to SecureAuth IdP using REST API v2 to enable adaptive authentication user risk checks

SailPoint IdentityIQ is an identity governance solution that analyzes user risk based on the user's access level, and detects when a user's access control is violating policy or is misconfigured because it is providing excessive access. IdentityIQ then quantifies this information into a user reputation risk score.

For example, an HR manager's user account would naturally be assigned a high user risk score since that account has access to confidential data and systems, while an intern's user account with limited network access would have a low user risk score. However, if the intern's user account was inadvertently given access to the HR database, IdentityIQ would assign a high user risk score, alerting information managers to a potential misconfiguration and security risk.

For each level of user risk (High, Medium, and Low) you can define which action SecureAuth IdP is to take as described in risk check actions.  



Prerequisites

  • SecureAuth IdP realm configured with an application integration
  • Optional: Prevent package license to use the machine learning user risk score analysis feature – contact SecureAuth Support
  • Existing, on-premises installation of SailPoint IdentityIQ v7.0p2+
  • Trusted certificate installed on the SailPoint server



SecureAuth IdP configuration

  1. Select the Adaptive Authentication tab. 
  2. In the User Risk section, move the slider to Enabled for the User Risk analysis feature. 
  3. Click Add User Risk Score Provider or edit an existing SailPoint configuration. 
  4. On the risk ranges configuration page, set the following:  

    Risk Ranges

    Configure the risk ranges for Minimum, Medium, High, and Maximum risk scores. 

    By default, a low score indicates a good user, and a high score indicates a risky user. 

    Alternatively, you can set the risk ranges in reverse order by moving the slider to enable Use Inverted Risk Ranges

    With inverted risk ranges, a low score indicates a risky user, and a high score indicates a good user. 

    Risk Score Provider NameSet the descriptive name for the risk provider.

    Base URL

    Set the base URL of the SailPoint instance in this format:  http://services.company.com:59. 

    Get Profile Relative URL

    Set the endpoint in this format: /identityiq/scim/v2/Users/{username}.

    Insert the {username} variable in the position the endpoint expects the userID to be in the string. 

    Authentication Method

    Set the authentication method to Basic.

    UsernameSet the username of the SailPoint service account to which it has access to retrieve user profile information. 

    PasswordProvide the password associated with the Username. 

    Risk Score User Identifier

    Set the target user ID in the format to which the user risk provider expects to identify end users. It most cases, it is the same value as the default  User Authenticated ID. In other cases, the user risk provider might use a different user ID; for example, the end user logs in with a sAMAccount name, but the user risk provider uses an email address as the user identifier. 

    To use another user identifier, you must map that field to a property in the Data tab. Then, from the  Risk Score User Identifier  list, select the mapped Property.

    For example, on the  Data  tab, in the Profile fields section, Email 1 field is mapped as a Default Provider source with a field entry of mail. So, for the  Risk Score User Identifier  field, you would select  Email 1

    Risk Score JSON Path

    Set the risk score JSON path values used to parse the JSON string returned to SecureAuth IdP and to extract the numeric score value from it. 

    The JSON path string should be in this format: {urn:ietf:params:scim:schemas:sailpoint:1.0:User}{riskScore}.

  5. Save the SailPoint user risk configuration. 
  6. Under User Risk Score Actions, for each risk range (High, Medium, Low, and Score Unavailable), specify the adaptive authentication action SecureAuth IdP takes when the user risk score falls within the specified range. 
    For more information about the actions to take, see the risk check action definitions.
    The Score Unavailable risk score can occur when the user is not found in the data source or does not have an assigned risk score in the data source. 
    If the SecureAuth IdP is unable to communicate with the data source, see the Knowledge base article Unable to Communicate with the User Risk Adaptive Authentication Data Provider for more information. 
  7. Save the configuration. 
    To update the risk provider configuration, click edit in the far right column. 
    To delete the risk provider, click edit in the far right column, and on the edit page, click Delete Risk Provider