Update Nov 2020: Please checkout the IdentityNow PowerShell Module readme here for the latest details for generating v2 and v3 IdentityNow API Credentials.
This post details how to generate SailPoint IdentityNow v2 and v3 API credentials. This method is valid as of Oct 2019 whereby v3 Credentials are now able to be generated via the SailPoint IdentityNow Portal and v2 Credentials can be generated via the IdentityNow API. v2 credentials are useful for some legacy API’s and API calls that are long running tasks (which thereby use Digest Auth) over using the v3 JWT method. These credentials can then be leveraged by the SailPoint IdentityNow PowerShell Module for IdentityNow orchestration tasks.
Generating v2 IdentityNow API Credentials
To obtain v2 credentials we need to generate them via the API as by default via the IdentityNow Portal you can now only create v3 credentials. This is a complete transposition to what was recently possible (v2 via Portal and v3 from SailPoint Expert Services).
There are two methods to achieve generating v2 credentials. Use the New-IdentityNowAPIClient cmdlet in the SailPoint IdentityNow PowerShell Module (v1.0.3 or later) or using Postman.
Generating v2 Credentials using the SailPointIdentityNow PowerShell Module
With the SailPointIdentityNow PowerShell Module installed and configured with v3 API credentials the New-IdentityNowAPIClient cmdlet will generate a v2 (Legacy API Client) and return the Client ID and Client Secret.
Generating v2 Credentials with Postman
Using Chrome and the Postman and Postman Interceptor extensions we can borrow the IdentityNow Admin Portal session and generate v2 API credentials. Postman is available from the Chrome Store here and Postman Interceptor is available from the Chrome Store here. You will need to have both those extensions installed.
Using the Chrome browser that you just added the Postman and Postman Interceptor extensions to, login to the IdentityNow Admin Portal for the Organisation you want to generate v2 API Credentials for. Select Admin from the menu bar and enter your strong auth method credentials. This elevates your session and from this session we need to obtain the CSRF token.
Enter Developer Tools in Chrome by pressing F12. Select a menu item such as Security Settings => API Management and from Sources find (Ctrl + F) CSRF and copy the CSRF Token.
Open a new tab in Chrome, select Apps from your menu bar and choose Postman. I created a collection for generating these credentials, but that is optional.
With the Postman Interceptor also enabled (left orange icon in the header bar) generate the POST API call to /api/client/create for your IdentityNow Org with;
- Params type=API
- X-CSRF-Token = your CSRF token copied from developer tools and your IdentityNow Admin Page above
- Content-Type = application/json
Press Send and you will be returned new v2 ClientID and Client Secret. Copy these to your password vault.
You will also be able to see that the v2 (now Legacy) API Credentials have been generated via the API Management section of Security Settings.
Generating v3 IdentityNow API Credentials
v3 SailPoint IdentityNow API credentials can now be generated via the IdentityNow Admin Portal. They can also be generated using the New-IdentityNowOAuthAPIClient cmdlet from the SailPointIdentityNow PowerShell Module.
Generating v3 oAuth API Credentials using the SailPointIdentityNow PowerShell Module.
The New-IdentityNowOAuthAPIClient cmdlet can be used to create additional v3 oAuth API Clients if you already have a v3 API Client created and configured with the SailPointIdentityNow PowerShell Module.
New-IdentityNowOAuthAPIClient -description "oAuth Client via API" -grantTypes 'AUTHORIZATION_CODE,CLIENT_CREDENTIALS,REFRESH_TOKEN,PASSWORD' -redirectUris 'https://localhost'
Generating v3 oAuth API Credentials using the IdentityNow Admin Portal
Go to Admin => Global => Security Settings => API Management and select New
Provide a name for the credentials and select all the options and provide the redirect URL (https://localhost). Select Create.
Copy your new v3 API credentials and put them into your password vault.
Using v2 and v3 Credentials with the SailPointIdentityNow PowerShell Module
The SailPoint IdentityNow PowerShell Module leverages both the v2 and v3 API credentials for orchestration of SailPoint IdentityNow.
Using the v2 & v3 API credentials generated above (and an IdentityNow Account which is granted the Admin Role) we can generate the credentials configuration for the SailPoint IdentityNow PowerShell Module.
- your Org name in Line 3
- your Admin Account name in Line 7
- your Admin Account password in Line 8
- your v3 Client ID in Line 12
- your v3 Client Secret in Line 13
- your v2 Client ID in Line 17
- your v2 Client Secret in Line 19
Execute the script with your credentials and your configuration will now be saved and be able to be leveraged by the SailPoint IdentityNow PowerShell Module.
We can generate IdentityNow v3 API credentials using the IdentityNow Portal and v2 API credentials via API. We can supply these to the SailPoint IdentityNow PowerShell Module configuration and leverage the module for our IdentityNow orchestration tasks.