Active Directory provisioning
Introduction
This document provides instructions for configuring IBM® Security Verify User Lifecycle Management for an on-premises Microsoft® Active Directory.
There are multiple components are required to be in place in order to manage provisioning with Active Directory, such as:
- IBM Security Identity Adapter for Windows Active Directory
- Onprem components such as Identity Brokerage, Postgres database and Verify agent (to be installed as containers)
- LDAP Adapter profile for Identity Brokerage
- Configure Identity agent in IBM Security Verify
Refer to the on-premise provisioning in order to install various pre-requisite components
Installing IBM Security Identity Adapter for Windows Active Directory
The Active Directory Adapter is designed to create and manage accounts on Microsoft® Active Directory. The adapter communicates using Microsoft® ADSI API and PowerShell to the systems being managed. This adapter will be used to perform all provisioning requests via Verify Govern.
The latest adapter information can be found at:
https://www.ibm.com/support/pages/ibm-security-verify-governance-adapters-v10x
Get the latest version details and part number for “IBM Security Identity Adapter for Windows AD 64-bit with optional Exchange and Lync Support” from above site and then download the installer from the IBM Passport advantage site.
Install the adapter on the on-premise Microsoft®Active Directory server. Once the Active directory adapter is installed successfully it creates the “ISIM Active Directory Adapter” service which listens to 45580 port. Please make sure to note the port number if it has been changed.
Verify that “ISIM Active Directory Adapter” service is started successfully and its shown running status in Windows Services console.
Configure the Active Directory Application for Provisioning
After the required on-premise components are installed, Active Directory application need to be configured in IBM Security Verify.
Create Active Directory application
- Login to IBM® Security Verify as tenant admin (Scott)
- Navigate to Applications page, click the Add application button
- On the Select Application Type dialog, enter active into the search box
- When the Active Directory application is displayed, select it then click the Add application button
- On the Add Application provide some Company name and click on “Add owner” to assign owner for the application
- In the “Select User” pop-up, search for user Jacob (make sure that user is already created by the admin)
- Select the listed user and click on “OK”
Define Account lifecycle
- Click on Account lifecycle tab
- Enable Provisioning and Deprovisioning for accounts. Also provide value for Grace period (days) and Deprovision action
- Scroll below and provide details for API authentication
o Agent URL – Active directory adapter access URL (installed on the AD server)
o Agent user ID – agent (default user, if changed use other)
o Agent password – agent (default user, if changed use other) - Select the Identity agent from the dropdown
- Scroll below and provide optional details for User base DN and Group base DN. If you do not provide the values then the root DN of the Active Directory server will be fetched
- Click on Test connection to validate the configuration is correct for the various components
-
If all the components are able to communicate properly then Success message gets displayed as:
The connection test was successful -
Scroll further below and validate the API attribute mappings as
o sAMAccountName = preferred_username
o givenName = given_name
o sn = family_name
o mail = email
o telephoneNumber = mobile_number -
Optionally select the “Keep value updated” checkbox against each attribute if the value of the attribute is always need to be kept updated with the source data
- Click the Save button to save the changes to application
Define adoption policy for account synchronization
As we have successfully tested the connection with Active Directory server, lets define the adoption policy in order to synchronize the users and groups with IBM® Security Verify. The adoption policy determines how the accounts are matched as part of account sync operations.
In order to define the adoption policy, click on “Account sync” tab from the details of Active Directory application.
- Click on + Attribute pairs to add the attribute rule to be used to match the users from Active Directory with the existing users in IBM® Security Verify. Define the rules as:
o sAMAccountName = preferred_username
o givenName = given_name
Account sync rule
The accounts will be matched on the basis on the attributes mapping defined in Adoption policy of Application. So, admin need to be careful while defining the attribute mapping.
- Click the Save button
Define remediation policy for account synchronization
Also define the remediation policy on the Account sync tab so that action need to be taken for the attributes which differ between IBM® Security Verify and the target application.
Different remediation policies are:
- Do not remediate non-compliant accounts automatically
- Update IBM Security Verify with the target application's values
- Update target application with IBM Security Verify values
- Select the policy as to Update IBM Security Verify with the target application's values
- Click the Save button
Define reverse attribute mapping
Reverse attribute mappings determine how individual attribute values are transformed and stored with IBM® Security Verify after an account is matched successfully. It’s optional configuration and can be defined at attribute level.
Click + Add attribute mapping to define reverse attribute mapping.
- Click the Save button
Set Owner, Attributes and Entitlements for Application
When you saved above, a new tab (Entitlements) was exposed.
Let’s define the entitlement so that user will be able to do a self-provisioning for account.
- Click on the Entitlements tab
- Update the entitlements for the application as Approval required for all users and groups
- Also select the checkbox against the Application owner for approval
- Click the Save button
Active Directory application configuration is complete now.
Account Synchronization with Active Directory
After the Active Directory is successfully configured as mentioned in above section, tenant admin (Scott) can synchronize the Active directory users and groups with IBM® Security Verify.
During the account synchronization, Active Directory accounts will get adopted based on the adoption rule defined while configuring the application. Make sure that tenant admin (Scott) has created a user having username as Jessica and Given name as Jessica in IBM® Security Verify.
Also make sure that Active Directory has the user with sAMAccountName as Jessica and givenName as Jessica
In order to synchronize accounts:
- Login to ISV as tenant admin (Scott)
- From the admin console navigate to Applications
- Select Accounts from the three dot action menu against the Active Directory application
- Click Start account synchronization
- In order to monitor the account synchronization operation, navigate to the Governance menu
- Then click on Account sync tab
- Click the Refresh button until the status of the account sync operation changes to Completed
- Click on the account sync row to view the details of sync operation. Right pane will show the details for accounts fetched from the Active Directory. It will also show the account details such as:
Compliant– Accounts which got adapted and has all matching attributes as defined in application
Non-compliant – Accounts which got adapted but has mismatch in attributes data
Unmatched – Accounts which does not gets adopted with existing Verify users
Failed – Accounts which failed to get synced
Account sync rule
Accounts will be matched on the basis on the attributes mapping defined in “Adoption policy” of Application. So, admin need to be careful while defining the attribute mapping
- Click on Account sync result to view the results sync operation
Account sync result will show details of various accounts retrieved from the Active Directory.
- Click on View accounts page to see details of various accounts
- Click on the compliant account of Jessica which open user details in right pane
- Click on View details to view remediation details (remember the remediation policy defined for Active Directory application in Account sync” tab)
Remediation updates the IBM® Security Verify user record or the target application based on remediation policy
You can validate the details of various users and perform the remediation action based on remediation policy defined at application level.
Once the account sync is successful, all users and groups data from Active directory gets available in IBM® Security Verify which can be further used for role management or adoption etc.
Provisioning with Active Directory
First, let’s create a new user in Security Verify and make sure he / she can log in.
Create New User
- Log to IBM® Security Verify tenant as your administrative user (Scott)
- Go to Users & groups
- Click the Add user button
- Create a user. You can create any user you like (as long as it doesn’t clash with existing ones).
For example:
o Identity Source = Cloud Directory
o User name = podrick
o Given name = Podrick
o Surname = Payne
o Email = a valid real email address
- Click the Save button to create the user
The user should get created and listed in the users table.
Test the New User Can Login
New user will get the initial password via e-mail. Go to your email client of newly created user and look for an email indicating a user has been created
- Open a new browser session, copy the link from the email and log in with the username and password from the email
- When prompted enter a New password and Confirm password and click the Change Password button
- Validate that user is able to access the Verify launchpad
Provisioning Use Case
While creating the Active Directory application we have selected entitlement as Approval required for all users and groups and Approver as “Application owner”.
So it has set the workflow where user can request access which need to be reviewed by the Application owner - Jacob
Request new account
- Log into IBM® Security Verify tenant as end user (Podrick)
- Form the launchpad click on Add app +
- Click Request access for the Active directory application
- Provide the Justification for access and Submit the request
- Once the request is submitted it will be shown as Pending
- Click on View Request to see the details of request
The request is now pending for approval with the application owner (Jacob)
Approve new account
For the new account approval request, application owner / manager will receive the notification email as:
- Log into IBM® Security Verify tenant as Application owner (Jacob)
- Form the launchpad click on Task manager tab which will show the pending application requests
- Click anywhere on the pending approval request for Podrick which opens the Request details in right pane
- Click Approve which opens the Approval popup
- Provide any additional comments and click Approve
- As the account request gets approved, requestor (Podrick) gets the email for approval
Validate new account
As the account request gets approved, a new Active Directory account gets provisioned
- Log into IBM® Security Verify tenant as end user (Podrick)
- Validate the new account tile for Active Directory is shown on launchpad
- Also, user Podrick will get the email having details of password for new Active Directory account
- Validate that new user gets provisioned on Active Directory as Podrick
- Validate various attributes of user gets provisioned as per the attribute mapping defined in Active Directory application
Tenant admin (Scott) or application owner (Jacob) can also validate the account provisioning task details from admin console
- Log into IBM® Security Verify tenant as Tenant admin (Scott) or application owner (Jacob)
- Navigate to Governance > Operation results tab
- Validate details for Provision account operation
Suspend User Account
- Log into IBM® Security Verify tenant as your administrative user (Scott)
- Navigate to Users & groups
- Click on the user Podrick
- Click View full profile link from right page
- From the user details page click Edit user information icon
- Update the status of the user to disabled and save the user changes
- Log into IBM® Security Verify tenant as Tenant admin (Scott) or application owner (Jacob)
- Navigate to Applications from admin console
- Select Accounts from three dot menu against the Active Directory application
- Validate user account for Podrick shows status as Suspended
Deprovisioning use case
- Log into IBM® Security Verify tenant as Tenant admin (Scott)
- Navigate to Users & groups
- Click on the user Podrick
- Click Delete icon from right page
- Confirm the Delete action
- Make sure that user gets removed from Users list
- Now, navigate to Governance > Operation results tab
- Validate user account for Podrick shows status as Scheduled for Deprovision account operation
Nilesh Atal, IBM Security
Updated 8 months ago