Protocol-based connectors enable broad integration

Connectivity is at the heart of SailPoint Identity and Access Governance. IGA program managers see significant increases in business value as they bring more of their highly critical applications under governance.

Our integrations fall into two categories:

  1. Named application connectors – out-of-the-box integrations with a specific governed system, such as Workday, Microsoft Active Directory, Azure Active Directory, Okta, LDAP, Unix, and SAP HR.
  2. Protocol-based connectors – integrations for governed systems that follow a standard protocol, such as System for Cross-domain Identity Management (SCIM), HTTP REST Web Services, JDBC, and flat files.

Because these connectors follow standard protocols, most systems can be integrated with minimal effort, saving time and reducing errors.

Protocol-based connectors are quick to configure and easy to use. The configuration offers a choice of authentication methods, selected according to what the governed system supports. Governed systems most often expect basic authentication (username and password), an API token, or OAuth 2.0 with one of several grant types, as shown in the image below:

Image 1: Configuration settings for Web Services with the OAuth 2.0 authentication method and its “Grant Type” option

We use schema-driven attribute management to map every attribute of each entity in the governed system's schema to our schema. Only attributes present in the schema are fetched from the governed system. The connector configuration lets the administrator declare any input field as sensitive, so that its values are never written to plaintext logs. Additional custom attributes can be added to the schema. The “Discover Schema” feature is a simple way of visualizing the schema mapping, as shown in the image below:

Image 2: The “Discover” and “New” buttons, for automatic discovery of attributes and for adding new attributes to the schema respectively

A governed system may have entities and attributes that are not (yet) to be governed, for example only some Organizational Units in an Active Directory forest. An admin can configure filter conditions to support such needs, which also speeds up the integration because only the entities to be governed are synchronized.

Mistakes sometimes happen when configuring these integrations. To help debug them, we provide smart logging, human-readable exceptions, and suggestions for addressing common problems, so that you can understand and resolve issues as they occur.

Whenever the governed system provides a SCIM server, we encourage admins to use our SCIM connector. This gives the highest fidelity and the simplest setup, because the SCIM protocol itself handles many of the object mappings. SCIM can be used with WSO2, Slack, Salesforce, and more.
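As an added illustration, not SailPoint's connector code, of what the schema mapping, sensitive-attribute handling and filter conditions described above amount to for a SCIM source: a constructed SCIM 2.0 ListResponse is mapped onto a hypothetical connector schema (`SCHEMA`, `get_path`, `aggregate` are all invented names), a filter keeps only active users, and attributes marked sensitive are masked before anything reaches the log.

```python
import json
import logging

ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# Constructed sample: a SCIM 2.0 ListResponse as a governed system's SCIM server would return it.
SCIM_LIST_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "Resources": [
        {"id": "u1", "userName": "alice@example.com", "active": True,
         "name": {"givenName": "Alice"}, "groups": [{"value": "g-admins", "display": "Admins"}],
         ENTERPRISE: {"employeeNumber": "1001"}},
        {"id": "u2", "userName": "bob@example.com", "active": False,
         "name": {"givenName": "Bob"}, "groups": [], ENTERPRISE: {"employeeNumber": "1002"}},
    ],
})

# Hypothetical schema mapping: connector attribute -> (SCIM attribute path, sensitive?).
# A path is a tuple of keys; "*" fans out over every element of a multi-valued attribute.
SCHEMA = {
    "userName": (("userName",), False),
    "firstName": (("name", "givenName"), False),
    "active": (("active",), False),
    "groups": (("groups", "*", "value"), False),
    "employeeNumber": ((ENTERPRISE, "employeeNumber"), True),
}

def get_path(obj, path):
    """Walk a SCIM attribute path; missing attributes resolve to None, not an exception."""
    if not path or obj is None:
        return obj
    key, rest = path[0], path[1:]
    if key == "*":
        return [get_path(item, rest) for item in obj]
    return get_path(obj.get(key) if isinstance(obj, dict) else None, rest)

def map_account(resource, schema=SCHEMA):
    return {attr: get_path(resource, path) for attr, (path, _) in schema.items()}

def redact(account, schema=SCHEMA):
    """Copy of an account with sensitive attributes masked, safe to write to logs."""
    return {k: ("***" if schema[k][1] else v) for k, v in account.items()}

def aggregate(list_response_json, include=lambda acct: True, schema=SCHEMA):
    """Parse a ListResponse, map each resource, and keep only those the filter admits."""
    accounts = []
    for resource in json.loads(list_response_json)["Resources"]:
        acct = map_account(resource, schema)
        if include(acct):
            accounts.append(acct)
            logging.info("aggregated %s", redact(acct, schema))  # employeeNumber is masked here
    return accounts
```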

Other governed systems expose REST or SOAP endpoints, which are handled well by our Web Services connector. Zoom, Box, Dropbox, and ServiceNow are just a few of the applications that routinely use it.

Our JDBC connector reads and writes the data of JDBC-enabled database engines. It integrates our governance platform with many database types, including MySQL, Oracle, IBM DB2, Sybase, and Microsoft SQL Server. We commonly see it used when the governed application does not provide a higher-level integration API of its own.

For applications that fit none of the above categories, there is the option of our Delimited File connector. Most systems allow some form of data export, which can be loaded with the Delimited File connector after being transferred with a file upload protocol such as FTP, SFTP, or SCP (of these, only SFTP and SCP encrypt the transfer; plain FTP sends credentials and data in cleartext).

To conclude, if a named application connector is available for a specific governed system, it is always the recommended choice: it provides the most straightforward and deepest integration with little administrative overhead. Otherwise, a protocol-based connector is the best option.
