Tech Tip - SailPoint IIQ - Configure Active Directory source connection


Pre-requisites:

  1. A managed service account that is a member of the “Account Operators” group is available in Active Directory. IdentityIQ uses this account to connect to Active Directory and perform user provisioning and search operations.
  2. IQService is installed and running.
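As an added example (not part of the original tech tip), the following PowerShell check verifies the two pre-requisites before the application is created in IdentityIQ. It assumes the RSAT ActiveDirectory module is available, that it runs on the host where IQService is installed, that `svc-iiq-ad` is a placeholder for the connector account, and that IQService registers a Windows service named `IQService`; it also reports the account's object class, since an MSA/gMSA has no password that could be entered on the application definition.

```powershell
# Added example, not part of the original tech tip. Assumes the RSAT ActiveDirectory
# module is available, that 'svc-iiq-ad' is a placeholder for the connector account,
# and that IQService registers a Windows service named 'IQService' (assumption).
# Run on the host where IQService is installed.
Import-Module ActiveDirectory

function Test-IIQAdPrerequisites {
    param(
        [Parameter(Mandatory)] [string] $ServiceAccount,  # sAMAccountName of the connector account
        [string] $IQServiceName = 'IQService',            # assumed Windows service name
        [string] $RequiredGroup = 'Account Operators'
    )
    $result = [ordered]@{
        AccountExists    = $false
        ObjectClass      = $null
        InRequiredGroup  = $false
        IQServiceRunning = $false
    }

    # 1. Look the account up by sAMAccountName. A user object is expected here: the
    #    application definition stores a username and password, whereas an MSA/gMSA
    #    (objectClass msDS-ManagedServiceAccount / msDS-GroupManagedServiceAccount)
    #    has its password managed by Active Directory.
    $acct = Get-ADObject -LDAPFilter "(sAMAccountName=$ServiceAccount)" -Properties sAMAccountName, objectClass
    if ($null -ne $acct) {
        $result.AccountExists = $true
        $result.ObjectClass   = $acct.objectClass

        # 2. Membership in Account Operators, including membership through nested groups.
        $members = Get-ADGroupMember -Identity $RequiredGroup -Recursive |
                   Select-Object -ExpandProperty SamAccountName
        $result.InRequiredGroup = $members -contains $acct.sAMAccountName
    }

    # 3. IQService installed and running (Get-Service returns nothing if the service is absent).
    $svc = Get-Service -Name $IQServiceName -ErrorAction SilentlyContinue
    $result.IQServiceRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    [pscustomobject]$result
}

# Run the check and flag any pre-requisite that is not met before creating the application.
$check = Test-IIQAdPrerequisites -ServiceAccount 'svc-iiq-ad'
$check | Format-List
if (-not ($check.AccountExists -and $check.InRequiredGroup -and $check.IQServiceRunning)) {
    Write-Warning 'At least one pre-requisite is not met; fix it before running Test Connection in IIQ.'
}
```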

Create Active Directory source Application

  • Click Application –> Add New Application
  • Choose Application Type = Active Directory – Direct
  • Click Test Connection to test connectivity.
  • Click the Schema tab and, under Account, set:
    • Identity Attribute = sAMAccountName
    • Display Attribute = displayName
  • Click Preview to check that user accounts and groups are being fetched correctly.

The next step is to scan the accounts and groups in the newly created Active Directory application and create the corresponding identities in IdentityIQ.

This is done by creating Account Aggregation and Group Aggregation tasks, as described below.

Create task to aggregate Active Directory accounts

  • Click Setup –> Task
  • Click New Task –> Account Aggregation
  • Under the Account Aggregation option, select the newly created Active Directory application
  • Click Save and Execute

Once the account aggregation is complete, you can see the result under Task Result.

You can also now see the imported accounts under the Active Directory application –> Accounts tab.

Create task to aggregate Active Directory Groups

  • Click Setup –> Task
  • Click New Task –> Account Group Aggregation
  • Under the Group Aggregation option, select the newly created Active Directory application
  • Click Save and Execute
  • Once the group aggregation is complete, you can see the result under Task Result.


One Response

  1. What you’re showing above is not a managed service account. It is a standard user account that has been added to the Account Operators group. An MSA or gMSA has a password automatically defined and managed by the KDS. Since IIQ requires the username and password to be added on the application definition, I don’t believe they can be used for this configuration. At most, they can be used on the IIQService service.
