Update: Oct 2019. Searching Identities can be easily performed using the SailPoint IdentityNow PowerShell Module.
SailPoint recently made available in BETA their new Search functionality. There’s some great documentation around using the Search functions through the IdentityNow Portal on Compass^. Specifically;
^ Compass Access Required
Each of those articles are great, but they are centered around performing the search via the Portal. For some of my needs, I need to do it via the API and that’s what I’ll cover in this post.
*NOTE: Search is currently in BETA. There is a chance some functionality may change. SailPoint advises against using this functionality in Production while it is in Beta.
Under Admin => Global => Security Settings => API Management, select New and give the API Account a Description.
Client ID and Client Secret
In the script to access the API we will take the Client ID and Client Secret and encode them for Basic Authentication to the IdentityNow Search API. To do that in PowerShell use the following example replacing ClientID and ClientSecret with yours.
$clientID = 'abcd1234567'
$clientSecret = 'abcd12345sdkslslfjahd'
# Basic authentication: base64("ClientID:ClientSecret")
$Bytes = [System.Text.Encoding]::utf8.GetBytes("$($clientID):$($clientSecret)")
$encodedAuth = [Convert]::ToBase64String($Bytes)
With API access now enabled we can start building some queries. There are two methods I’ve found: query strings on the URL, and JSON payloads in the body of an HTTP POST. I’ll give examples of both.
Here is the base of all my scripts for using PowerShell to access the IdentityNow Search.
Change;
First we will start with searching by having the query string in the URL.
$query = 'firstname EQ Darren'
$Accounts = Invoke-RestMethod -Method Get -Uri "$($URI)limit=$($searchLimit)&query=$($query)" -Headers @{Authorization = "Basic $($encodedAuth)" }
Multi-criteria queries need to be constructed carefully. The query below looks wrong, yet if you place the quotes where you think they should go, you don’t get the expected results. The following works.
$query = 'attributes.firstname"="Darren" AND attributes.lastname"="Robinson"'
and it works whether or not you URL-encode the query:
# System.Web must be loaded before HttpUtility is available in Windows PowerShell
Add-Type -AssemblyName System.Web
$queryEncoded = [System.Web.HttpUtility]::UrlEncode($query)
$Accounts = Invoke-RestMethod -Method Get -Uri "$($URI)limit=$($searchLimit)&query=$($queryEncoded)" -Headers @{Authorization = "Basic $($encodedAuth)" }
Here is another search, for identities that have an account on a source whose name contains the word ‘Directory’ AND fewer than 5 entitlements (entitlementCount:<5).
$URI = "https://$($org).api.identitynow.com/v2/search/identities?"
$query = '@access(source.name:*Directory*) AND entitlementCount:<5'
$Accounts = Invoke-RestMethod -Method Get -Uri "$($URI)limit=$($searchLimit)&query=$($query)" -Headers @{Authorization = "Basic $($encodedAuth)" }
Now we will perform similar searches, but with the search strings in the body of the HTTP Request.
$body = @{"match"=@{"attributes.firstname"="Darren"}}
$body = $body | ConvertTo-Json
$Accounts = Invoke-RestMethod -Method POST -Uri "$($URI)limit=$($searchLimit)" -Headers @{Authorization = "Basic $($encodedAuth)" } -ContentType 'application/json' -Body $body
If you want multiple criteria submitted via a POST request, this is how I got it working: I construct each part, convert it to JSON, and build up the body from each search element.
$body1 = @{"match"=@{"attributes.firstname"="Darren"}}
$body2 = @{"match"=@{"attributes.lastname"="Robinson"}}
$body = $body1 | ConvertTo-Json
$body += $body2 | ConvertTo-Json
$Accounts = Invoke-RestMethod -Method POST -Uri "$($URI)limit=$($searchLimit)" -Headers @{Authorization = "Basic $($encodedAuth)" } -ContentType 'application/json' -Body $body
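The GET and POST variants above wrapped in one reusable function, as an added example that is not part of the original post: the Client Secret is taken from a PSCredential rather than pasted into the script, the query string is URL-encoded, and a warning is raised when the result count hits the limit. The function name, parameter names and the org name are assumptions; the endpoint and query forms are those shown in the post.

```powershell
function Invoke-IdentityNowSearch {
    [CmdletBinding(DefaultParameterSetName = 'QueryString')]
    param(
        [Parameter(Mandatory)][string]$Org,
        # UserName = API Client ID, Password = Client Secret (Admin => Global => Security Settings => API Management)
        [Parameter(Mandatory)][pscredential]$ApiCredential,
        # GET style: the query string, e.g. 'firstname EQ Darren' or '@access(source.name:*Directory*) AND entitlementCount:<5'
        [Parameter(Mandatory, ParameterSetName = 'QueryString')][string]$Query,
        # POST style: attribute/value pairs placed under "match", e.g. @{ 'attributes.firstname' = 'Darren' }
        [Parameter(Mandatory, ParameterSetName = 'PostBody')][hashtable]$Match,
        [int]$Limit = 250
    )

    # Basic authentication header as in the post, but the secret is read from the
    # PSCredential at call time instead of living in the script file.
    $pair    = "$($ApiCredential.UserName):$($ApiCredential.GetNetworkCredential().Password)"
    $encoded = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($pair))
    $headers = @{ Authorization = "Basic $encoded" }

    $uri = "https://$($Org).api.identitynow.com/v2/search/identities?limit=$Limit"

    try {
        if ($PSCmdlet.ParameterSetName -eq 'QueryString') {
            # URL-encode so quotes, spaces and wildcards in the query survive intact.
            $uri += "&query=$([uri]::EscapeDataString($Query))"
            $results = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers -ErrorAction Stop
        }
        else {
            $body    = @{ match = $Match } | ConvertTo-Json -Depth 5
            $results = Invoke-RestMethod -Method Post -Uri $uri -Headers $headers -ContentType 'application/json' -Body $body -ErrorAction Stop
        }
    }
    catch {
        # Surface the HTTP failure (e.g. 401 for a wrong Client ID/Secret) without echoing the credential.
        throw "IdentityNow search failed: $($_.Exception.Message)"
    }

    if (@($results).Count -ge $Limit) {
        Write-Warning "Returned $(@($results).Count) results, which equals the limit; the result set may be truncated."
    }
    return $results
}

# Usage (constructed): prompt for the Client ID (user) and Client Secret (password) at run time.
$cred = Get-Credential -Message 'IdentityNow API Client ID (user) and Client Secret (password)'
Invoke-IdentityNowSearch -Org 'yourorg' -ApiCredential $cred -Query 'firstname EQ Darren'
Invoke-IdentityNowSearch -Org 'yourorg' -ApiCredential $cred -Match @{ 'attributes.firstname' = 'Darren' }
```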
Lastly, now that we’ve been able to build queries via two different methods and have the results we’re looking for, let’s output some relevant information about them. We will iterate through each of the returned results and output some specifics about their sources and entitlements. Same as above, update for your ClientID, ClientSecret, Orgname and search criteria.
Once you’ve enabled API access and understood the query format it is super easy to get access to the identity data in your IdentityNow tenant.
My recommendation is to use the IdentityNow Search function in the Portal to refine your searches for what you are looking to return programmatically and then use the API to get the data for whatever purpose it is.