Update: Oct 2019. Searching Identities can be easily performed using the SailPoint IdentityNow PowerShell Module.
Introduction
SailPoint recently made available in BETA their new Search functionality. There’s some great documentation around using the Search functions through the IdentityNow Portal on Compass^. Specifically:
- Take a Tour of Search
- IdentityNow Common Search Queries
- Structuring a Search
- Elements of a Search
- Search Use Cases
^ Compass Access Required
Each of those articles is great, but they are centred around performing the search via the Portal. For some of my needs I need to do it via the API, and that’s what I’ll cover in this post.
*NOTE: Search is currently in BETA. There is a chance some functionality may change. SailPoint advise to not use this functionality in Production whilst it is in Beta.
Enabling API Access
Under Admin => Global => Security Settings => API Management select New and give the API Account a Description.
Client ID and Client Secret
In the script to access the API we will take the Client ID and Client Secret and encode them for Basic Authentication to the IdentityNow Search API. To do that in PowerShell use the following example replacing ClientID and ClientSecret with yours.
```powershell
$clientID     = 'abcd1234567'
$clientSecret = 'abcd12345sdkslslfjahd'
$Bytes        = [System.Text.Encoding]::utf8.GetBytes("$($clientID):$($clientSecret)")
$encodedAuth  = [Convert]::ToBase64String($Bytes)
```
Searching
With API access now enabled we can start building some queries. There are two methods I’ve found: using query strings on the URL, and using JSON payloads in the body of an HTTP POST. I’ll give examples of both.
PowerShell Setup
Here is the base of all my scripts for using PowerShell to access the IdentityNow Search.
Change;
- line 3 for your Client ID
- line 5 for your Client Secret
- line 10 for your IdentityNow Tenant Organisation name (by default the host portion of the URL, e.g. https://orgname.identitynow.com)
Searching via URL Query String
First we will start with searching by having the query string in the URL.
Single attribute search via URL
```powershell
# $URI, $searchLimit and $encodedAuth come from the base script above
$query = 'firstname EQ Darren'
$Accounts = Invoke-RestMethod -Method Get -Uri "$($URI)limit=$($searchLimit)&query=$($query)" -Headers @{Authorization = "Basic $($encodedAuth)" }
```
Multiple attribute search via URL
Multiple criteria queries need to be constructed carefully. The query below just looks wrong, yet if you place the quotes where you think they should go, you don’t get the expected results. The following works.
```powershell
$query = 'attributes.firstname"="Darren" AND attributes.lastname"="Robinson"'
```
and it works whether you URL-encode the query or not:
```powershell
Add-Type -AssemblyName System.Web   # loads [System.Web.HttpUtility] in Windows PowerShell
$queryEncoded = [System.Web.HttpUtility]::UrlEncode($query)
$Accounts = Invoke-RestMethod -Method Get -Uri "$($URI)limit=$($searchLimit)&query=$($queryEncoded)" -Headers @{Authorization = "Basic $($encodedAuth)" }
```
Here is another search, based on identities having a connection to a source containing the word ‘Directory’ AND having fewer than 5 entitlements (the query filters on entitlementCount):
```powershell
$URI = "https://$($org).api.identitynow.com/v2/search/identities?"
$query = '@access(source.name:*Directory*) AND entitlementCount:<5'
$Accounts = Invoke-RestMethod -Method Get -Uri "$($URI)limit=$($searchLimit)&query=$($query)" -Headers @{Authorization = "Basic $($encodedAuth)" }
```
Searching via HTTP Post and JSON Body
Now we will perform similar searches, but with the search strings in the body of the HTTP Request.
Single attribute search via POST and JSON Based Body Query
```powershell
$body = @{"match"=@{"attributes.firstname"="Darren"}}
$body = $body | ConvertTo-Json
$Accounts = Invoke-RestMethod -Method POST -Uri "$($URI)limit=$($searchLimit)" -Headers @{Authorization = "Basic $($encodedAuth)" } -ContentType 'application/json' -Body $body
```
Multiple attribute search via POST and JSON Based Body Query
If you want to have multiple criteria and submit them via a POST request, this is how I got it working. I construct each part, convert it to JSON, and build up the body by appending each search element.
```powershell
$body1 = @{"match"=@{"attributes.firstname"="Darren"}}
$body2 = @{"match"=@{"attributes.lastname"="Robinson"}}
$body  = $body1 | ConvertTo-Json
$body += $body2 | ConvertTo-Json
$Accounts = Invoke-RestMethod -Method POST -Uri "$($URI)limit=$($searchLimit)" -Headers @{Authorization = "Basic $($encodedAuth)" } -ContentType 'application/json' -Body $body
```
Getting Full Identity Objects based off Search
Lastly, now that we’ve been able to build queries via two different methods and we have the results we’re looking for, let’s output some relevant information about them. We will iterate through each of the returned results and output some specifics about their sources and entitlements. Same as above, update for your ClientID, ClientSecret, Orgname and search criteria.
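As an added, self-contained example (my own, not code from the original post or from the SailPoint IdentityNow PowerShell Module), the script below wraps both search methods from this post in one function and then walks the results. The org name is a placeholder, the credentials are prompted for at runtime rather than stored in the script, and the result property names (name, entitlementCount, accounts, source.name) are assumptions to confirm against your tenant with Get-Member.

```powershell
# Added example, not from the original post. Wraps the URL query-string and JSON POST
# search methods in one function, then lists entitlement counts and sources per identity.
# Assumptions: 'orgname' is a placeholder; the result properties name, entitlementCount,
# accounts and source.name are assumed, so confirm them with Get-Member on your tenant.
Add-Type -AssemblyName System.Web      # [System.Web.HttpUtility] on Windows PowerShell

$org = 'orgname'                        # placeholder: your IdentityNow organisation name
$URI = "https://$($org).api.identitynow.com/v2/search/identities?"

# Prompt for the API credentials so the Client Secret is never written into the script
$clientID     = Read-Host -Prompt 'IdentityNow API Client ID'
$secureSecret = Read-Host -Prompt 'IdentityNow API Client Secret' -AsSecureString
$clientSecret = [System.Net.NetworkCredential]::new('', $secureSecret).Password
$Bytes        = [System.Text.Encoding]::UTF8.GetBytes("$($clientID):$($clientSecret)")
$headers      = @{ Authorization = "Basic $([Convert]::ToBase64String($Bytes))" }

function Search-IdentityNowIdentities {
    [CmdletBinding(DefaultParameterSetName = 'Get')]
    param(
        # URL form, e.g. '@access(source.name:*Directory*) AND entitlementCount:<5'
        [Parameter(Mandatory, ParameterSetName = 'Get')][string]$Query,
        # POST form: one hashtable per criterion, e.g. @{'attributes.firstname' = 'Darren'}
        [Parameter(Mandatory, ParameterSetName = 'Post')][hashtable[]]$Match,
        [int]$Limit = 50
    )
    if ($PSCmdlet.ParameterSetName -eq 'Get') {
        $encoded = [System.Web.HttpUtility]::UrlEncode($Query)
        return Invoke-RestMethod -Method Get -Uri "$($URI)limit=$Limit&query=$encoded" -Headers $headers
    }
    # Same body shape as the post's multi-criteria POST: one {"match":{...}} document
    # per criterion, appended in order
    $body = ($Match | ForEach-Object { @{ match = $_ } | ConvertTo-Json -Compress }) -join ''
    return Invoke-RestMethod -Method Post -Uri "$($URI)limit=$Limit" -Headers $headers `
                             -ContentType 'application/json' -Body $body
}

# Identities with an account on a source named *Directory* and fewer than 5 entitlements
$results = Search-IdentityNowIdentities -Query '@access(source.name:*Directory*) AND entitlementCount:<5'
foreach ($identity in $results) {
    '{0}: {1} entitlements' -f $identity.name, $identity.entitlementCount
    foreach ($account in $identity.accounts) {          # assumed property name
        '  source: {0}' -f $account.source.name          # assumed property path
    }
}

# The same first/last name criteria as the post's POST example, sent as a JSON body
$byName = Search-IdentityNowIdentities -Match @{'attributes.firstname' = 'Darren'},
                                              @{'attributes.lastname'  = 'Robinson'}
$byName | Select-Object -First 1 | Get-Member -MemberType NoteProperty
```

The final Get-Member call shows the actual property names the Search API returns for your tenant, so you can adjust the assumed ones in the loop.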
Summary
Once you’ve enabled API access and understood the query format it is super easy to get access to the identity data in your IdentityNow tenant.
My recommendation is to use the IdentityNow Search function in the Portal to refine your searches for what you are looking to return programmatically and then use the API to get the data for whatever purpose it is.