Update Nov 2020: Please check out the IdentityNow PowerShell Module readme here for the latest details on generating v2 and v3 IdentityNow API Credentials.
This post details how to generate SailPoint IdentityNow v2 and v3 API credentials. The method is valid as of Oct 2019: v3 Credentials can now be generated via the SailPoint IdentityNow Portal, and v2 Credentials can be generated via the IdentityNow API. v2 credentials are useful for some legacy APIs and for API calls that are long-running tasks (which thereby use Digest Auth) rather than the v3 JWT method. These credentials can then be leveraged by the SailPoint IdentityNow PowerShell Module for IdentityNow orchestration tasks.
NOTE: This post supersedes my previous posts here and here.
To obtain v2 credentials we need to generate them via the API, because by default the IdentityNow Portal now only lets you create v3 credentials. This is a complete reversal of what was recently possible (v2 via the Portal and v3 from SailPoint Expert Services).
There are two methods for generating v2 credentials: use the New-IdentityNowAPIClient cmdlet in the SailPoint IdentityNow PowerShell Module (v1.0.3 or later), or use Postman.
With the SailPointIdentityNow PowerShell Module installed and configured with v3 API credentials, the New-IdentityNowAPIClient cmdlet will generate a v2 (Legacy) API Client and return the Client ID and Client Secret.
Using Chrome and the Postman and Postman Interceptor extensions we can borrow the IdentityNow Admin Portal session and generate v2 API credentials. Postman is available from the Chrome Store here and Postman Interceptor is available from the Chrome Store here. You will need to have both those extensions installed.
Using the Chrome browser that you just added the Postman and Postman Interceptor extensions to, log in to the IdentityNow Admin Portal for the Organisation you want to generate v2 API Credentials for. Select Admin from the menu bar and enter your strong auth method credentials. This elevates your session, and it is from this session that we need to obtain the CSRF token.
Enter Developer Tools in Chrome by pressing F12. Select a menu item such as Security Settings => API Management and from Sources find (Ctrl + F) CSRF and copy the CSRF Token.
Open a new tab in Chrome, select Apps from your menu bar and choose Postman. I created a collection for generating these credentials, but that is optional.
With the Postman Interceptor also enabled (left orange icon in the header bar) generate the POST API call to /api/client/create for your IdentityNow Org with;
Press Send and a new v2 Client ID and Client Secret will be returned. Copy these to your password vault.
You will also be able to see that the v2 (now Legacy) API Credentials have been generated via the API Management section of Security Settings.
v3 SailPoint IdentityNow API credentials can now be generated via the IdentityNow Admin Portal. They can also be generated using the New-IdentityNowOAuthAPIClient cmdlet from the SailPointIdentityNow PowerShell Module.
The New-IdentityNowOAuthAPIClient cmdlet can be used to create additional v3 OAuth API Clients if you already have a v3 API Client created and configured with the SailPointIdentityNow PowerShell Module.
New-IdentityNowOAuthAPIClient -description "oAuth Client via API" -grantTypes 'AUTHORIZATION_CODE,CLIENT_CREDENTIALS,REFRESH_TOKEN,PASSWORD' -redirectUris 'https://localhost'
Go to Admin => Global => Security Settings => API Management and select New
Provide a name for the credentials and select all the options and provide the redirect URL (https://localhost). Select Create.
Copy your new v3 API credentials and put them into your password vault.
The SailPoint IdentityNow PowerShell Module leverages both the v2 and v3 API credentials for orchestration of SailPoint IdentityNow.
Using the v2 & v3 API credentials generated above (and an IdentityNow Account which is granted the Admin Role) we can generate the credentials configuration for the SailPoint IdentityNow PowerShell Module.
Update;
Execute the script with your credentials. Your configuration will then be saved and can be leveraged by the SailPoint IdentityNow PowerShell Module.
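The configuration step described above, as an added example rather than the author's own script: it prompts for each secret instead of hard-coding it in the script. The cmdlet and parameter names (Set-IdentityNowOrg, Set-IdentityNowCredential, Save-IdentityNowConfiguration) are assumptions about the module to confirm with Get-Help, and the org name is a placeholder.

```powershell
# Added example, not the module author's script.
# Assumption: the SailPointIdentityNow module exposes Set-IdentityNowOrg,
# Set-IdentityNowCredential and Save-IdentityNowConfiguration with the
# parameter names used below. Check with: Get-Help Set-IdentityNowCredential -Full
Import-Module SailPointIdentityNow -ErrorAction Stop

# Placeholder tenant name: replace with your own IdentityNow Org.
$orgName = 'yourorgname'
Set-IdentityNowOrg -orgName $orgName

# Prompt for every secret so none of them is written into the script,
# the console history or source control. For the API credentials the
# Client ID goes in the user name field and the Client Secret in the password field.
$adminCreds = Get-Credential -Message 'IdentityNow account granted the Admin role'
$v2Creds    = Get-Credential -Message 'v2 (Legacy) API: Client ID / Client Secret'
$v3Creds    = Get-Credential -Message 'v3 API: Client ID / Client Secret'

# Stop before saving anything if a prompt was cancelled or left empty.
$named = [ordered]@{ Admin = $adminCreds; v2 = $v2Creds; v3 = $v3Creds }
foreach ($name in $named.Keys) {
    $cred = $named[$name]
    if ($null -eq $cred -or
        [string]::IsNullOrWhiteSpace($cred.UserName) -or
        $cred.Password.Length -eq 0) {
        throw "Missing or empty $name credential; configuration not saved."
    }
}

# Hand the three PSCredential objects to the module and persist the configuration.
Set-IdentityNowCredential -AdminCredential $adminCreds -v2APIKey $v2Creds -v3APIKey $v3Creds
Save-IdentityNowConfiguration
```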
We can generate IdentityNow v3 API credentials using the IdentityNow Portal and v2 API credentials via API. We can supply these to the SailPoint IdentityNow PowerShell Module configuration and leverage the module for our IdentityNow orchestration tasks.