Section 1 - Sailpoint Tool Installation

Uploaded by

Saeed Nashar

Fundamentals of IdentityIQ Implementation

Training for SailPoint IdentityIQ Version 7.2

11305 Four Points Drive
Bldg 2, Suite 100
Austin, TX 78726
www.sailpoint.com

Copyright © 2017 SailPoint Technologies – All Rights Reserved – VERSION 7.1b



© Copyright 2017 SailPoint Technologies, Inc., All Rights Reserved.

SailPoint Technologies, Inc. makes no warranty of any kind with regard to this manual, including, but not limited to, the implied
warranties of merchantability and fitness for a particular purpose. SailPoint Technologies shall not be liable for errors contained
herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of
this material.

Restricted Rights Legend. All rights are reserved. No part of this document may be photocopied, reproduced, or
translated to another language without the prior written consent of SailPoint Technologies. The information contained in
this document is subject to change without notice.

Use, duplication or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c) (1) (ii) of
the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 for DOD agencies, and subparagraphs
(c) (1) and (c) (2) of the Commercial Computer Software Restricted Rights clause at FAR 52.227-19 for other agencies.

Regulatory/Export Compliance. The export and reexport of this software is controlled for export purposes by the U.S.
Government. By accepting this software and/or documentation, licensee agrees to comply with all U.S. and foreign export
laws and regulations as they relate to software and related documentation. Licensee will not export or reexport outside
the United States software or documentation, whether directly or indirectly, to any Prohibited Party and will not cause,
approve or otherwise intentionally facilitate others in so doing. A Prohibited Party includes: a party in a U.S. embargoed
country or country the United States has named as a supporter of international terrorism; a party involved in
proliferation; a party identified by the U.S. Government as a Denied Party; a party named on the U.S. Government's
Entities List; a party prohibited from participation in export or reexport transactions by a U.S. Government General Order;
a party listed by the U.S. Government's Office of Foreign Assets Control as ineligible to participate in transactions subject
to U.S. jurisdiction; or any party that licensee knows or has reason to know has violated or plans to violate U.S. or foreign
export laws or regulations. Licensee shall ensure that each of its software users complies with U.S. and foreign export
laws and regulations as they relate to software and related documentation.

Trademark Notices. Copyright © 2017 SailPoint Technologies, Inc. All rights reserved. SailPoint, the SailPoint logo,
SailPoint IdentityIQ, and SailPoint Identity Analyzer are trademarks of SailPoint Technologies, Inc. and may not be used
without the prior express written permission of SailPoint Technologies, Inc. All other trademarks shown herein are
owned by the respective companies or persons indicated.


Section One: Installation, Identity Cubes, and Onboarding Applications


Contents

Course Overview
  Introduction
  The Virtual Machine Environment
  Shortcuts/Applications Provided
Section 1: Installing, Identity Cubes, Onboarding Applications
Exercise #1: Installing IdentityIQ
  Objective
  Overview
  Assess Your Implementation Role
  Prepare Application Server and Install IdentityIQ War File
  Configure Extended Searchable Attributes
  Configure the Database
  Initialize IdentityIQ and Verify your Installation
Exercise #2: Patching IdentityIQ
  Objective
  Overview
  Patch Installation
Exercise #3: Configuring IdentityIQ
  Objective
  Overview
  Configure the Email Redirector
  Configure IdentityIQ Object Expiration
  Configure IdentityIQ Auditing
  Configure IdentityIQ Logging
Exercise #4: Populating Identity Cubes – Loading Authoritative Data
  Objective
  Overview
  Define Employee Application
  Aggregate the Employee Data
  Define Contractor Application and Load Contractor Data
  Confirm that the aggregations were successful
  Understanding What We Just Did
  Configure Identity Mappings
    Configure Standard Attributes
    Define Extended (Custom) Identity Attributes
  Update Manager Status
  Configure the UI to Display New Identity Attributes
  Refresh and Populate the Identity Attributes
  Investigate Your Data
Resetting Identities
Resetting the IdentityIQ Database
Exercise #5: Loading and Correlating the Financials Application
  Objective
  Overview
  Define the Financials Application
  Aggregate from the Financials Application
  Confirm that Accounts and managed entitlements were properly loaded
Exercise #6: Loading and Correlating the PAM Application
  Objective
  Overview
  Create the Base PAM Application
  Configure Account Schema for PAM Application
  Use connectorDebug to Confirm PAM Application Account Data
  Configure the Group Data Source for PAM Application
  Configure Group Schema for PAM Application
  Aggregate PAM Accounts and Groups
Exercise #7: Onboarding JDBC Applications
  Objective
  Overview
  Configure the Application and Connector for the TRAKK Application
  Configure Account Schema for the TRAKK Application
  Configure Correlation Rule for the TRAKK Application
  Aggregate Accounts from TRAKK
  Loading the PRISM Application
Exercise #8: Onboarding an LDAP Application
  Objective
  Overview
  Start the local LDAP Server
  Loading the LDAP Application
  Refresh Identities
Exercise #9: Exploring the Identity Refresh Task
  Investigate the Default Refresh Identity Cube Task
  Constrain the Refresh Identity Task

Course Overview
Introduction
The exercises contained in this document are meant to accompany the Fundamentals of IdentityIQ
Implementation training lecture materials.

These exercises are run within a Virtual Machine environment, which contains the following
software:

• Oracle/Sun JDK (Version 1.7)

• Tomcat Application Server (Version 7.0.59)

• MySQL Database Server (Version 5.5.42)

• OpenLDAP Server (Version 2.4.40)

• Apache Directory Studio (Version 2.0.0)

During these Implementer Training exercises, we will be installing and configuring the following:

• IdentityIQ Version 7.2

The Virtual Machine Environment


Logins
  Linux Username/Password               spadmin/admin
  IdentityIQ Username/Password          spadmin/admin
  MySQL Administrator Login/Password    root/root
  OpenLDAP Login                        User: cn=Manager,dc=training,dc=sailpoint,dc=com
                                        Password: password

Install Directories
  IIQ Install Directory                 /home/spadmin/tomcat/identityiq
  Installer File Location               /home/spadmin/InstallImages
  Implementer Training Files            /home/spadmin/ImplementerTraining
  LDAP Install Location                 /home/spadmin/openldap

MySQL Details
  MySQL Database Name                   identityiq

Shortcuts/Applications Provided
The Virtual Machine environment includes several useful shortcuts.

Application Shortcuts

• File Browser – Linux utility to browse the file system

• gedit – A common Linux text editor

• Firefox - Web browser

• Terminal - Launches a command line terminal

Launcher Shortcuts on the Desktop

• Launchers to Start/Stop Tomcat

• Launcher to start the IdentityIQ Console

• Launchers to observe the IdentityIQ Logs, IdentityIQ Email Logs, Standard Out Logs

• Launcher to start ApacheDirectoryStudio LDAP Browser

Miscellaneous Commands and Keyboard Setup

• Clear Desktop – Use this to minimize windows to see the Desktop

• If you have a non-US English keyboard, follow these steps:

o To change the keyboard input to your native keyboard, navigate to System >
Preferences > Keyboard > Layouts and click Add. Use the dropdowns to select
your keyboard and variant. Once you have selected your keyboard, click Add in the
bottom right corner.


Section 1: Installing, Identity Cubes, Onboarding Applications
In this section, we will be setting up our system, loading Identity data into the system and
onboarding account and group data from different applications.

• Install IdentityIQ

• Patch IdentityIQ

• Configure certain IdentityIQ administrative features

o Redirect Emails to a file

o Enable Logging

o Configure certain audit events

• Onboard Identity information from authoritative (systems of record) application sources

o Employees

o Contractors

• Onboard additional account and group data from additional non-authoritative (systems of
interest) application sources

o Flat File (CSV) data feeds containing user accounts and group data

o JDBC data feeds containing user accounts and group data

o LDAP system containing user accounts and group data

o Logical Application

o Multiplexed Application

The diagram on the following page provides a visual representation of the systems which will be
onboarded in this section and utilized throughout this course. The numbers correspond to the
Application onboarding exercises.


Exercise #1: Installing IdentityIQ


Objective
In this exercise, we will install and configure IdentityIQ.

Overview
Our training scenario represents a typical implementation cycle with a customer. The client has
provided us with the following:

• A running database server with host, port and login information provided

• A pre-configured Tomcat Application Server instance

We need to install IdentityIQ with the following requirements.

• Install IdentityIQ into the /identityiq directory in Tomcat.

• Adjust the IdentityIQ Hibernate files to support our installation. Our installation needs to
support the following:

o 2 named extended identity attributes

o 10 searchable and indexed placeholder extended identity attributes

• Generate the IdentityIQ database schema files and use these to create the IdentityIQ
database within the MySQL database instance

• Initialize IdentityIQ

• Start the application server

• Confirm that everything is running okay

Assess Your Implementation Role


1. Will you be responsible for installing IdentityIQ in a development, test, or production
environment? Yes / No (Circle one)

If No:

• Use the scripts provided in this virtual machine to complete the installation. See
Appendix, Scripted IdentityIQ Installation for instructions.

If Yes:

• Continue to next step: Prepare Application Server and Install IdentityIQ War File.


Prepare Application Server and Install IdentityIQ War File


1. Stop the Tomcat Application Server

a. From the desktop, run the shortcut labeled Stop Tomcat or

b. Alternatively, you can open a Linux terminal window and type the following
command:

StopTomcat

Note: If this is the first time this VM has been used, Tomcat should already be stopped.

2. Unzip and extract the IdentityIQ war file

a. Open a Linux terminal window and navigate to the directory:
/home/spadmin/InstallImages. At the $ command prompt, enter:

cd InstallImages

Note: For help navigating in Linux, see Basic Linux Commands, Appendix-1.

b. Confirm that the IdentityIQ zip file is in the directory. Enter the following command
to view the contents of the directory.

ls

c. Unzip the IdentityIQ-7.2.zip file:

unzip identityiq-7.2.zip

d. Within the InstallImages directory, locate the identityiq.war file and copy it to the
installation directory for IdentityIQ:
/home/spadmin/tomcat/webapps/identityiq

Copy Options:

Option 1: Use the file browser to copy and paste the file.

Option 2: Use the Linux copy command. At the $ command prompt, enter:

cp identityiq.war /home/spadmin/tomcat/webapps/identityiq

e. In a command window, navigate to the
/home/spadmin/tomcat/webapps/identityiq directory and extract the war file.

jar -xvf identityiq.war


Configure Extended Searchable Attributes


1. For our implementation, we have documented requirements for two extended identity
attributes that need to be searchable: empId and status.

In a standard implementation, the implementation team is responsible for adding the extended
attributes to the Hibernate XML file. In our training environment, the Hibernate XML file has
already been configured with these two named extended attributes.

In this exercise, you will replace the default Hibernate XML file with the pre-configured
Hibernate XML file, and you will review the configuration to ensure it meets requirements.

a. Navigate to the directory /home/spadmin/ImplementerTraining/config

b. Copy the file IdentityExtended.hbm.xml to
/home/spadmin/tomcat/webapps/identityiq/WEB-INF/classes/sailpoint/object

Copy Options:

Option 1:
Use the file browser to copy and paste the file. When prompted, click Replace.

Option 2:
Use the Linux copy command. At the $ command prompt, specify the file name
and directory listed above in the following command:

cp <insert file name> <insert directory name>

c. Navigate to the directory:
/home/spadmin/tomcat/webapps/identityiq/WEB-INF/classes/sailpoint/object

d. In the object directory, open the IdentityExtended.hbm.xml file using any editor;
gedit is provided in the VM and is a good editor for viewing and editing XML files.

Note: You will not be making changes to the file.

About gedit: If red highlights are displayed, there is a syntax error in the XML. This
may be a sign that you’ve accidentally changed the file.

e. Find the entries for the named extended attributes, empId and status. Complete the
missing components of the definitions below.

<property name="empId" type="________" length="450"
          access="sailpoint.persistence.ExtendedPropertyAccessor"
          index="spt_identity_empId_ci"/>
<property name="status" type="string" length="________"
          access="sailpoint.persistence.ExtendedPropertyAccessor"
          index="spt_identity_______________"/>


f. This exercise confirms that the empId and status extended attributes will be created in
the database, with indexes. Later in this training course, after IdentityIQ is installed, you
will create these extended attributes within IdentityIQ. Until they are created within
IdentityIQ, you will see errors that they are not defined in the Identity object
configuration.

2. Project requirements also tell us that we will need additional searchable and indexed extended
identity attributes, but we don’t yet know which ones. For these, we will use the 10 default
placeholder attributes, but we want all 10 to be indexed, rather than the default of 5 indexed.

a. Confirm that the Hibernate XML file is configured to support 10 searchable and indexed
placeholder attributes per identity. Complete the missing components of the definitions
below:

<property name="extended1" type="string" length="450"
          index="spt_identity_extended1_ci"/>
<property name="extended2" type="string" length="450"
          index="spt_identity_extended2_ci"/>
<property name="extended3" type="string" length="450"
          index="spt_identity_extended3_ci"/>
<property name="extended4" type="string" length="450"
          index="spt_identity_extended4_ci"/>
<property name="extended5" type="string" length="450"
          index="spt_identity_extended5_ci"/>
<property name="extended6" type="string" length="450"
          ________________________________ />
<property name="extended7" type="string" length="450"
          index="spt_identity_extended7_ci"/>
<property name="extended8" type="string" length="450"
          index="spt_identity_extended8_ci"/>
<property name="extended9" type="string" length="450"
          index="spt_identity_extended9_ci"/>
<property name="extended10" type="string" length="450"
          index="spt_identity______________ci"/>

b. How many identity extended attribute placeholders are configured by default? (Hint:
check the in-line documentation at the top of the file)

_____________________________________________________________________________________________________

c. How many identity extended attributes may be configured in total?

_____________________________________________________________________________________________________


d. How many extended attribute placeholders are configured with a database index by
default?

_____________________________________________________________________________________________________

e. How many extended attribute placeholders in this Hibernate file are configured to have
a database index?

_____________________________________________________________________________________________________

3. Close the file and do not save any changes.
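The review in step 2 can also be scripted. The following is an added example, not part of the course material: a shell function that reports which extendedN placeholders in a Hibernate mapping file are missing or lack an index attribute. The function names and the embedded sample mapping are constructed for illustration.

```shell
#!/bin/sh
# Added example: list extendedN placeholders that are missing or unindexed
# in a Hibernate mapping file such as IdentityExtended.hbm.xml.

# check_extended_indexes FILE [MAX]
# Prints one line per problem placeholder among extended1..extendedMAX
# (MAX defaults to 10). Returns 0 when every placeholder is defined with an
# index attribute, 1 otherwise.
check_extended_indexes() {
    awk -v max="${2:-10}" '
        { buf = buf $0 " " }          # elements wrap, so join all lines first
        END {
            # Drop XML comments: a commented-out placeholder is not mapped.
            while ((s = index(buf, "<!--")) > 0) {
                rest = substr(buf, s + 4)
                e = index(rest, "-->")
                if (e == 0) { buf = substr(buf, 1, s - 1); break }
                buf = substr(buf, 1, s - 1) " " substr(rest, e + 3)
            }
            # Walk each <property ...> element and record its name and index.
            while ((s = index(buf, "<property")) > 0) {
                buf = substr(buf, s)
                e = index(buf, ">")
                if (e == 0) break
                el = substr(buf, 1, e)
                buf = substr(buf, e + 1)
                if (match(el, /name="extended[0-9]+"/)) {
                    name = substr(el, RSTART + 6, RLENGTH - 7)
                    seen[name] = 1
                    if (el ~ /index="[^"]+"/) has_index[name] = 1
                }
            }
            bad = 0
            for (i = 1; i <= max; i++) {
                n = "extended" i
                if (!(n in seen)) { print n ": not defined"; bad = 1 }
                else if (!(n in has_index)) { print n ": no index"; bad = 1 }
            }
            exit bad
        }
    ' "$1"
}

# Constructed sample mapping (not the shipped file): extended2 has no index
# and extended3 is commented out.
write_sample_hbm() {
    cat > "$1" <<'EOF'
<hibernate-mapping>
  <property name="extended1" type="string" length="450"
            index="spt_identity_extended1_ci"/>
  <property name="extended2" type="string" length="450"/>
  <!-- <property name="extended3" type="string" length="450"
            index="spt_identity_extended3_ci"/> -->
  <property name="extended4" type="string" length="450"
            index="spt_identity_extended4_ci"/>
</hibernate-mapping>
EOF
}

sample=$(mktemp)
write_sample_hbm "$sample"
check_extended_indexes "$sample" 4 || echo "mapping does not meet the requirement"
rm -f "$sample"
```

On the training VM, the file to check is /home/spadmin/tomcat/webapps/identityiq/WEB-INF/classes/sailpoint/object/IdentityExtended.hbm.xml.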

Configure the Database


1. Configure permissions on the iiq command so that we may execute it.

a. Using a Linux terminal window, navigate to the
/home/spadmin/tomcat/webapps/identityiq/WEB-INF/bin directory

b. Run the following command to mark the iiq command as executable:

chmod +x iiq

2. Generate IdentityIQ Schema files

a. Run the following command from the Linux terminal to generate the database
schema files:

./iiq schema

3. Load the MySQL Schema file into MySQL to create the IdentityIQ database

a. Using the command prompt, navigate to the
/home/spadmin/tomcat/webapps/identityiq/WEB-INF/database directory
and run the following commands to log in to MySQL:

mysql -u root -p
Enter password: root

b. Within the MySQL command line utility, type the following to load the schema into
MySQL:

mysql> source create_identityiq_tables.mysql

c. When the command finishes running, type the following to confirm that the
identityiq database has been created properly. The other databases are not
important. Make sure that identityiq is in the list of databases.

mysql> show databases;


+--------------------+
| Database |
+--------------------+
| information_schema |
| identityiq |
| identityiqPlugin |
| mysql |
| performance_schema |
| trakk |
| prism |
+--------------------+
7 rows in set (0.00 sec)

d. Type quit to exit the MySQL command line utility.

4. Analyze the Database Settings that IdentityIQ will use to connect to the database. You will
not edit this file for the training environment. The default values will work in our
environment with no modifications.

a. Navigate to and open the configuration file for the IdentityIQ database:
/home/spadmin/tomcat/webapps/identityiq/WEB-INF/classes/iiq.properties

b. The table below lists the most commonly edited values. View the iiq.properties file
and fill in the blanks in the table for the three missing default values.

Database Type
    Determined by which database section is uncommented.
    Default: ____________________________________

dataSource.username
    Username to use when connecting to the database.
    Default: _____________________________________________________

dataSource.password
    Encrypted password to use when connecting to the database.
    (default: identityiq)
    Note: generated using the iiq encrypt <password> command

dataSource.url
    Defines the host name, port and database to connect to.
    (default: use the standard port on localhost, database name = identityiq)

dataSource.driverClassName
    Defines the driver to use when connecting to the database.
    Default: ______________________________________________________

Note: For best performance, it is VERY important to update the default JDBC driver supplied
with IdentityIQ to the most current driver supplied by your database vendor.
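
An added example, not part of the course material: a shell check of the dataSource settings described above, flagging a password left at the documented default, a root database login, a remote database URL without TLS, and a world-readable file. The function names, the iiq_app account, the db01.example.internal host and the sample file are constructed for illustration; useSSL is the MySQL Connector/J 5.1 connection property.

```shell
#!/bin/sh
# Added example: audit the database settings in an iiq.properties file.

# prop FILE KEY: print the value of the last uncommented KEY=value line.
prop() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            gsub(/[ \t]/, "", key)
            if (key == k) v = substr($0, eq + 1)
        }
        END { gsub(/^[ \t]+|[ \t\r]+$/, "", v); print v }
    ' "$1"
}

# audit_iiq_properties FILE: print one finding per line.
# Returns 0 when there are no findings, 1 otherwise.
audit_iiq_properties() {
    f=$1
    findings=0
    user=$(prop "$f" dataSource.username)
    pass=$(prop "$f" dataSource.password)
    url=$(prop "$f" dataSource.url)

    # The course text gives "identityiq" as the default password. This literal
    # comparison cannot recognise a default stored in encrypted form.
    if [ "$pass" = "identityiq" ] || { [ -n "$pass" ] && [ "$pass" = "$user" ]; }; then
        echo "dataSource.password: default or same as username"
        findings=1
    fi

    # root is the MySQL administrator account in the training VM; the
    # application should not connect with it.
    if [ "$user" = "root" ]; then
        echo "dataSource.username: connects as root"
        findings=1
    fi

    # Host part of jdbc:<type>://host[:port]/database
    host=$(printf '%s\n' "$url" | sed -n 's|^jdbc:[a-z]*://\([^:/?]*\).*|\1|p')
    case $host in
        ""|localhost|127.0.0.1) ;;
        *)
            case $url in
                *useSSL=true*) ;;
                *) echo "dataSource.url: remote host $host without useSSL=true"
                   findings=1 ;;
            esac ;;
    esac

    # The file holds the database credential, so other users should not read it.
    if [ -n "$(find "$f" -prune -perm -004)" ]; then
        echo "file: readable by all users"
        findings=1
    fi
    return "$findings"
}

# Constructed sample (not the shipped iiq.properties).
write_sample_props() {
    cat > "$1" <<'EOF'
# constructed sample for the added example
dataSource.username=iiq_app
dataSource.password=identityiq
#dataSource.url=jdbc:mysql://localhost/identityiq
dataSource.url=jdbc:mysql://db01.example.internal:3306/identityiq
EOF
    chmod 644 "$1"
}

sample=$(mktemp)
write_sample_props "$sample"
audit_iiq_properties "$sample" || true
rm -f "$sample"
```

On the training VM, the file to audit is /home/spadmin/tomcat/webapps/identityiq/WEB-INF/classes/iiq.properties.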


Initialize IdentityIQ and Verify your Installation


1. Using the IdentityIQ Console, import the default IdentityIQ objects to initialize the system.
The console starts an instance of IdentityIQ and may take a few moments to start. You will
know that it is running when you see the > prompt.

a. Using a Linux terminal, navigate to:
/home/spadmin/tomcat/webapps/identityiq/WEB-INF/bin

b. Run the following command:

./iiq console

Note: In the training environment, the console can also be run from the desktop
shortcut.

c. Upon console start-up, you will see two error messages. What is causing the error
messages? Hint: See page 1-13, number 1f.

_________________________________________________________________________________________________

d. At the console command prompt, load the default IdentityIQ objects using the
following command:

> import init.xml

e. When the import is complete, quit the console.

2. Start the Tomcat Application Server and wait 30 to 60 seconds while the application server
starts.

Options to start Tomcat:

Option 1: From the desktop, run the “Start Tomcat” shortcut

Option 2: Type the following command in a Linux terminal:

StartTomcat

To monitor the start process in the log file, use the desktop shortcut, Tail Tomcat Standard
Out. The server has started when you see the phrase: INFO: Server startup in xxxxx ms.

3. When Tomcat has started, log in to IdentityIQ using Firefox.

a. Click the Firefox bookmark in the VM and go to:


http://localhost:8080/identityiq/


Note: there are Bookmarks provided within the Firefox Browser for the IdentityIQ
login page and others that we will use throughout this course.

b. Log in to IdentityIQ as spadmin/admin

c. If you can successfully log in and see the IdentityIQ application, then your
installation was successful. If not, let your instructor know.


Exercise #2: Patching IdentityIQ


Objective
In this exercise, we will patch the product code to the latest patch level.

Overview
The patch process involves three major steps. Note that each patch install may not require all three
steps. Always read the release notes for any patch in their entirety before patching a system.

• Deploy new product code (deploy the patch jar file in our install directory)

• Upgrade the database tables to support any changes required by the patch

o New Tables

o Deprecated Tables

• Run the patch script to convert any data as required by the new patch

Patch Installation
1. Stop the Tomcat Application Server.

Options to stop Tomcat:

Option 1: From the desktop, run the shortcut labeled “Stop Tomcat” or

Option 2: Type the following command at a Linux terminal window: StopTomcat

2. Extract the IdentityIQ Patch file.

a. Use the File Browser to locate the identityiq-7.2pX.jar file (where 'X' represents
the patch version) under /home/spadmin/InstallImages and copy it to the
installation directory for IdentityIQ:
/home/spadmin/tomcat/webapps/identityiq

b. Using a Linux terminal window, navigate to the
/home/spadmin/tomcat/webapps/identityiq directory and run the
following command to extract the patch jar file.

jar -xvf identityiq-7.2p2.jar


3. Patch the IdentityIQ Database

a. Using the command prompt, navigate to the
/home/spadmin/tomcat/webapps/identityiq/WEB-INF/database directory
and run the following command to log in to MySQL:

mysql -u root -p
Enter password: root

b. Within the MySQL command line utility, type the following to upgrade the IdentityIQ
schema:

mysql> source upgrade_identityiq_tables-7.2p2.mysql

c. Type quit to exit the MySQL command line utility

4. Apply the Patch

a. Using your Linux terminal, navigate to:


/home/spadmin/tomcat/webapps/identityiq/WEB-INF/bin

b. Run the following command

./iiq patch 7.2p2

c. Wait for the patch command to finish and watch for any errors. You should see two
errors regarding the extended attributes Employee ID and Status; we have not yet
completed defining these attributes to IdentityIQ. If you also see a Pool not open
error, ignore it.

5. Confirm the installation

a. Run the IdentityIQ Console either through the provided desktop shortcut or through
a Linux terminal.

b. Run the following command and confirm that the version and patch are 7.1p1.

> about

c. Quit the console.

6. Start the Tomcat Application Server and wait while the application server starts.

Options to start Tomcat:

Option 1: From the desktop, run the “Start Tomcat” shortcut

Option 2: Type the following command in a Linux terminal: StartTomcat


Exercise #3: Configuring IdentityIQ


Objective
In this exercise, we will configure features of IdentityIQ that will assist us in our implementation
efforts. We will also set defaults on how long certain objects are maintained in the IdentityIQ
database.

Overview
In order to support our client’s needs, we will be turning on some
troubleshooting/debugging/auditing features of IdentityIQ to support our development efforts:

• Configure the Email Redirector to send all system-generated emails to a local file instead of
an SMTP Mail Server. This file is useful for debugging email notifications without sending
real emails to users.

• Set the save duration on various IdentityIQ objects.

• Configure Auditing to log certain audit events into the Audit Table.

• Configure Logging to send IdentityIQ log messages to a local file.


Configure the Email Redirector


1. Click the Firefox icon to start IdentityIQ and log in with credentials spadmin/admin.

2. Within IdentityIQ, from the system setup gear, select Global Settings and select
IdentityIQ Configuration. Configure the following two options under Email Settings.

a. Email Notification Type = Redirect to File

b. Redirection File Name = /home/spadmin/logs/iiq_email.log

Notes:

• This is the location in the UI where you can also configure the default Email
Templates used for many notification types within the IdentityIQ application.

• When you are ready to connect IdentityIQ to an SMTP mail server to send out real
email notifications, change this configuration page to point to an SMTP mail server.

Configure IdentityIQ Object Expiration


There are certain IdentityIQ objects that may not be necessary to store indefinitely. However, the
default for object retention is often “forever”. These objects can then fill up the database and impact
performance. When the values are set to non-zero, IdentityIQ will automatically delete/archive
objects that attain the expiration age.

1. Still on the Configure IdentityIQ Settings page, navigate to Miscellaneous.

2. For Other Object Expirations, configure the following:

a. Days before task result deletion: 90

b. Days before certifications are archived: 720 (2 yrs)

c. Days before certification archive deletion: 1080 (3 yrs)

3. For Syslog Setting, configure the following:

a. Days before syslog event deletion: 30


4. For Provisioning Transaction Log Settings, configure the following:

a. Days before provisioning transaction event deletion: 90

Note: We will discuss a number of these items later in this training.

5. Scroll down to the bottom of the page and Save.


Configure IdentityIQ Auditing


1. Navigate to Global Settings → Audit Configuration

2. In the General Actions tab, configure the following four options by checking the box next to
each:

3. List the 4 General Actions that are audited by default:

_________________________________________________________________________________________________________

_________________________________________________________________________________________________________

_________________________________________________________________________________________________________

_________________________________________________________________________________________________________

4. Observe the other auditing options available.

Note: You can turn on auditing for actions in the system, but can also turn on auditing for
any changes to identity attributes or even the create/update/deletion of system objects.
Also, it is possible to use the SailPoint API to audit additional items of your own choosing
during rules or workflow steps.

5. Scroll to the bottom of the page and Save

6. Test the newly configured audit functions.

a. Log out of IdentityIQ and attempt to log in using an incorrect username and
password: example: foo/foo

b. After this, log back in with the proper credentials: spadmin/admin

c. Navigate to Intelligence → Advanced Analytics and, from the Search Type drop-down,
select Audit


d. Don’t adjust any parameters for the search; just choose Run Search from the
bottom left

e. Confirm that you see entries showing the login failure and the successful login:

7. While here, notice that Advanced Analytics provides detailed searching across IdentityIQ.

a. How many different types of searches are provided? ________

b. Navigate to the Identity search

i. How many Standard Attributes are there for searching identities? ________

ii. How many Searchable Attributes are there? ________

iii. You increased the number of indexed searchable attributes defined in the
IdentityIQ database. However, no searchable attributes have been defined to
IdentityIQ. You will define attributes as searchable in upcoming exercises.
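The login test in step 6 leaves a failed and a successful login in the audit data. The added example below (not part of the course material) shows how exported audit rows can be checked for an account that logs in successfully right after a run of failures. The CSV layout, the action values "login" and "loginFailure", and every row are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed audit export. The column names and the action values "login" and
# "loginFailure" are assumptions about how audit search results are exported.
SAMPLE_CSV = """created,action,source
2017-11-06 09:00:05,loginFailure,foo
2017-11-06 09:00:20,login,spadmin
2017-11-06 09:10:00,loginFailure,jsmith
2017-11-06 09:10:04,loginFailure,jsmith
2017-11-06 09:10:09,loginFailure,jsmith
2017-11-06 09:10:30,login,jsmith
2017-11-06 11:00:00,loginFailure,jsmith
"""

def load_events(text):
    """Parse the export into (time, action, account) tuples in time order."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(row["created"], "%Y-%m-%d %H:%M:%S")
        events.append((when, row["action"], row["source"]))
    return sorted(events)

def failed_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Report successful logins preceded by at least `threshold` failures
    for the same account inside `window`."""
    findings = []
    failures = {}  # account -> failure times since its last successful login
    for when, action, account in events:
        if action == "loginFailure":
            failures.setdefault(account, []).append(when)
        elif action == "login":
            recent = [t for t in failures.get(account, []) if when - t <= window]
            if len(recent) >= threshold:
                findings.append({"account": account, "failures": len(recent),
                                 "first_failure": recent[0], "success": when})
            failures.pop(account, None)  # a success resets the account's history
    return findings

if __name__ == "__main__":
    for finding in failed_then_success(load_events(SAMPLE_CSV)):
        print(finding)
```

The foo/foo failure followed by the spadmin login from the exercise is not reported, because the failure and the success belong to different accounts.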


Configure IdentityIQ Logging


IdentityIQ uses log4j (a popular Java-based logging package) as its logging component. In this
section, we will configure logging by configuring a log4j.properties file:

1. Copy the file: log4j.properties from /home/spadmin/ImplementerTraining/config and
place it into /home/spadmin/tomcat/webapps/identityiq/WEB-INF/classes

Note: This will overwrite the default log4j.properties file with options added for the class
environment.

2. This sample log configuration file will send all IdentityIQ logging output to the file:
/home/spadmin/logs/iiq_training_rolling.log

3. Finish the configuration process by restarting the Tomcat application server to reload the
log4j.properties file. Restart the application server from a terminal window (type the
commands listed below) or use the shortcuts on the desktop.

StopTomcat
StartTomcat

Note: You can view the success of both commands in the Tomcat Standard Out log.

4. Launch the desktop shortcut named: Tail IdentityIQ Log and leave this window running.
This window will show any log messages generated by IdentityIQ as we work through the
lab exercises.

5. You can edit the log4j.properties file to change the logging levels used by IdentityIQ. We
will periodically adjust this file as we work through the exercises.
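Because this file is edited repeatedly during the exercises, it helps to check where it actually sends output and which loggers are left at a verbose level. The following is an added example, not the course's log4j.properties: the sample content is constructed in log4j 1.x properties syntax, and the appender name "file" and the sailpoint.* logger names are assumptions.

```python
# Constructed sample; only the log file path comes from the exercise text.
SAMPLE = """
# training-style configuration (constructed)
log4j.rootLogger=warn,file
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=/home/spadmin/logs/iiq_training_rolling.log
log4j.appender.file.MaxFileSize=10MB
log4j.appender.file.MaxBackupIndex=5
log4j.appender.file.layout=org.apache.log4j.PatternLayout
log4j.appender.file.layout.ConversionPattern=%d{ISO8601} %5p %t %c{4}:%L - %m%n
log4j.logger.sailpoint.api.Aggregator=debug
#log4j.logger.sailpoint.connector=trace
"""

def parse_properties(text):
    """Return key -> value, skipping blank lines and # or ! comments.
    Only the key=value form is handled (no ':' separators or continuations)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit_log4j(text, expected_file):
    """Summarize the root logger, its appenders' target files and verbose loggers."""
    props = parse_properties(text)
    root = [p.strip() for p in props.get("log4j.rootLogger", "").split(",")]
    level, appenders = root[0], root[1:]
    files = {a: props.get("log4j.appender.%s.File" % a) for a in appenders}
    prefix = "log4j.logger."
    verbose = sorted(
        key[len(prefix):] for key, value in props.items()
        if key.startswith(prefix)
        and value.split(",")[0].strip().lower() in ("debug", "trace", "all"))
    return {"root_level": level.lower(),
            "files": files,
            "writes_expected_file": expected_file in files.values(),
            "verbose_loggers": verbose}

if __name__ == "__main__":
    print(audit_log4j(SAMPLE, "/home/spadmin/logs/iiq_training_rolling.log"))
```

Loggers listed under verbose_loggers are the ones to set back to a quieter level once debugging is finished, since debug and trace output can fill the log file quickly.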
