Integrating IdentityIQ with Secret Server
The integration of Secret Server with SailPoint IdentityIQ (IIQ) enables organizations to effectively manage and secure privileged accounts using the SCIMConnector. This integration streamlines communication between Secret Server and SailPoint IIQ, enhancing identity and access management processes.
Use Cases in SailPoint IIQ
- User Onboarding and Provisioning
  When a new user is onboarded in SailPoint, SailPoint automatically creates the user’s account in both SailPoint and Secret Server.
  - Steps:
    - Trigger the onboarding of a new user in SailPoint.
    - SailPoint provisions the user in Secret Server through SCIMConnector.
    - Assign default permissions and add the user to relevant groups.
  - Outcome: The user is fully provisioned with appropriate access to both SailPoint and Secret Server Vault.
- User Access Management
  SailPoint manages access permissions for users in Secret Server. When a user’s role or department changes, SailPoint updates their access to privileged data or groups accordingly.
  - Steps:
    - Update the user’s access profile in SailPoint (e.g., for a role change or department transfer).
    - SailPoint updates the user’s group memberships and permissions in Secret Server.
    - Adjust the user’s access to privileged data or containers based on the new role.
  - Outcome: The user’s access aligns with their current responsibilities, maintaining security and compliance.
- Privileged Account Management - Adding Users to Containers
  SailPoint grants users access to a privileged account or secret in a secure container in Secret Server Vault.
  - Steps:
    - Identify users needing access to privileged data.
    - SailPoint sends a request to SCIMConnector to add the user to a specific container in Secret Server Vault.
    - Grant the user access to the privileged data within that container.
  - Outcome: The user gains secure access to the necessary privileged information while maintaining strict access control.
- Group Management and Privileged Data Access
  SailPoint manages group memberships in Secret Server, allowing group members to access shared privileged data in containers.
  - Steps:
    - Create or update a group in SailPoint, ensuring it corresponds with the group in Secret Server Vault.
    - Link the group to specific containers holding privileged data.
    - Automatically grant or revoke access to the container’s privileged data for users in the group.
  - Outcome: Group members can access privileged information based on their group membership.
- User De-provisioning and Access Revocation
  When a user leaves the organization or no longer needs access to privileged data, SailPoint triggers de-provisioning and revokes their access to both SailPoint and Secret Server Vault.
  - Steps:
    - SailPoint detects the need for de-provisioning (e.g., user termination or role change).
    - Send a de-provisioning request to SCIMConnector to remove the user’s account and access from Secret Server Vault.
    - Revoke all user access to privileged data and containers.
  - Outcome: The user is securely de-provisioned, ensuring they no longer have access to any privileged data or accounts.
- Privileged Data Management within Containers
  SailPoint manages privileged data stored in containers within Secret Server Vault, ensuring only authorized users can access it.
  - Steps:
    - Add privileged data to a container within Secret Server via SailPoint.
    - Assign user or group access to the privileged data based on their role or permission level.
    - Allow users or groups to retrieve or update the privileged data as needed.
  - Outcome: Sensitive data is securely managed and accessed only by authorized users.
SailPoint Integration Concepts and Limitations
This section reviews any SailPoint-specific limitations. For a list of the SCIM Connector application limitations, please see the SCIM Connector Limitations section.
- In SailPoint IdentityIQ, there are "containers" and "privileged data." Containers map to Secret Server folders, and privileged data maps to secrets.
- SailPoint allows adding permissions to containers, but not directly to privileged data; that is, permissions cannot be added directly to a secret. So when a user is given access to a container, the user is really being given access to a Secret Server folder.
- While there is no direct way to give users access to a specific secret, access can still be granted indirectly by adding the user to a group that already has access to both the folder/container and the secret/privileged data.
- When users are given access to a container/folder, either directly or by adding them to a group, they only have "view" access to the container. More granular permission levels can only be defined in Secret Server.
- If the "view" permission setting seen in the Configuring a "SailPoint IdentityIQ Endpoint" section is not configured correctly, the SCIM Connector application receives an incorrectly formatted POST call and returns an HTTP 400 error.
- Any sensitive information associated with a secret/privileged data, such as a password, is not shared over the SCIM Connector and must be viewed in Secret Server.
- Personal folders in Secret Server can be viewed in SailPoint, but users cannot be given direct access to them. However, users can be given access by adding them to an existing group. The owner of a personal folder cannot have their access to the folder removed.
- Using custom attributes or extensions with SailPoint IdentityIQ and the SCIM Connector is not currently supported.
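The use cases above and the limitations in this section describe a single access model: containers are folders, grants through SailPoint land on folders as "view", a secret is reachable only through a group that already holds both the folder and the secret, and personal-folder owners cannot be removed. The following Python is an added example, not code from this page or from the Secret Server SCIM Connector; it models that mapping in memory so that requests can be pre-flighted against the stated limitations before anything is sent to the connector, and so that de-provisioning can be verified to leave no reachable access. The VaultModel fields, the request kinds and every user, group, folder and secret name are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class VaultModel:
    # Constructed model of what the page says the integration can express, not the product's data model.
    folder_of_secret: dict = field(default_factory=dict)  # secret -> folder (container) holding it
    group_folders: dict = field(default_factory=dict)     # group -> folders the group can view
    group_secrets: dict = field(default_factory=dict)     # group -> secrets it already holds in Secret Server
    user_groups: dict = field(default_factory=dict)       # user -> groups assigned by SailPoint
    user_folders: dict = field(default_factory=dict)      # user -> folders granted directly ("view" only)
    personal_owner: dict = field(default_factory=dict)    # personal folder -> owning user

def check_request(m, kind, user, target, level="view"):
    """Pre-flight a SailPoint request against the page's stated limitations; returns (ok, reason)."""
    if kind == "grant_secret":
        return False, "permissions cannot be placed on privileged data; use a group that already holds the secret"
    if kind == "grant_container" and level != "view":
        return False, "only 'view' can be assigned through SailPoint; finer levels are set in Secret Server"
    if kind == "grant_container" and target in m.personal_owner:
        return False, "personal folders cannot be granted directly; add the user to an existing group"
    if kind == "revoke_container" and m.personal_owner.get(target) == user:
        return False, "the owner of a personal folder cannot have folder access removed"
    known = kind in ("grant_container", "revoke_container", "add_to_group", "remove_from_group")
    return known, "ok" if known else "unknown request kind"

def apply(m, kind, user, target):
    ok, reason = check_request(m, kind, user, target)   # nothing that fails pre-flight reaches the model
    if not ok:
        raise ValueError(reason)
    book = m.user_folders if kind.endswith("_container") else m.user_groups
    if kind in ("grant_container", "add_to_group"):
        book.setdefault(user, set()).add(target)
    else:
        book.setdefault(user, set()).discard(target)

def effective_access(m, user):
    """(folders, secrets) reachable; secrets only via the indirect group path the page describes. Folder inheritance configured inside Secret Server is not modelled."""
    folders = set(m.user_folders.get(user, set()))
    secrets = set()
    for g in m.user_groups.get(user, set()):
        folders |= m.group_folders.get(g, set())
        for s in m.group_secrets.get(g, set()):
            if m.folder_of_secret.get(s) in m.group_folders.get(g, set()):
                secrets.add(s)
    return folders, secrets

def deprovision(m, user):
    """Use case 5: drop every group membership and direct folder grant; returns what is still reachable."""
    m.user_groups.pop(user, None); m.user_folders.pop(user, None)   # both lists are owned by SailPoint
    return effective_access(m, user)
```

A rejected request corresponds to a call the connector would not honour (or, for a malformed permission level, the HTTP 400 the page warns about), so catching it in the identity platform's workflow is cheaper than debugging it from the connector's response.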