Automating ITSM Workflows with SailPoint and IFS Assyst Integration
Are you Bogged Down by Identity Security Workarounds?
Manual processes and workarounds can slow down your Identity Governance and Administration (IGA) efforts. The good news? Integrating your IGA platform with your existing IT Service Management (ITSM) tools can significantly improve efficiency.
We know that users prefer the familiar interfaces of their existing ticketing and approval systems. By integrating SailPoint with your ITSM platform, you can make access requests and approvals a seamless part of their regular workflows. This not only improves user experience but also allows your organization to get the most out of your IGA investment.
That's why many organizations prioritize ITSM integrations as a first step towards a more mature and efficient IGA deployment.
Executive Summary
Our client, a leading insurance company in North America, was using SailPoint Identity IQ to automate their lifecycle processes and had successfully implemented the initial phases of their project. As part of maturing their “access request” process, they looked to us to help them leverage their existing ITSM workflows built on IFS assyst.
Our client's goal was to automate their access request and approval processes by using their existing ITSM application and SailPoint Identity IQ.
To help our client achieve their goals of streamlining access requests, we implemented a two-way integration between SailPoint and their existing IFS assyst ITSM system.
Business Results
We eliminated the need for a separate access request system by seamlessly integrating SailPoint with the client's existing IFS assyst ITSM platform. This successful integration yielded significant benefits, including:
- Simpler user experience: Users could leverage their known, working request process rather than learning and using a new isolated one.
- Lower organizational risk: The new access request process was simpler and used well-known interfaces, so users were more likely to follow it.
- Lower cost: Training and awareness effort for the new process was minimal because it closely followed existing process flows for other IT services.
Implementation Summary
We helped our client mature their access request process by integrating SailPoint with their existing IFS assyst ITSM system. The SailPoint/ITSM integration needed to cover the three main steps involved in the access request process:
Roles & Entitlements
Our client's ITSM solution needed to gather roles and entitlements from SailPoint and make them available as catalogue items for the end users to select. We used application programming interface (API) calls to SailPoint to retrieve the roles and entitlements specific to the target that the user has indicated. Now an end user can raise an access request in the ITSM system by selecting items from the access catalogue and the request can be approved through a workflow defined within the ITSM.
Automated Provisioning
Once all approvals are received, access requests are sent to the IGA platform for automated provisioning to the target application. We used API calls to submit the access request to SailPoint and invoke the provisioning of the entitlement for all approved requests. The routine also had to assess the status of the request, including the success/failure of the provisioning task and any error messages, if applicable.
Status Monitoring
The IGA needed to provide the status of the automated provisioning to the ITSM application so that the ITSM can notify the requesting user and approvers of the result of the provisioning activity. The API requests we used to access SailPoint were implemented with JavaScript snippets embedded as actions within the ITSM workflow automation.
This integrated solution streamlined user interaction with the access request process by optimizing SailPoint's automated provisioning for efficient and secure access management.
Lessons Learned
Work with a subject matter expert. All API calls are initiated from the ITSM application, so it is important to have an SME who understands how to launch the API calls from within the ITSM application. We can guide the ITSM SME in developing such API calls and assist in providing API connectivity, integration troubleshooting, and support.
Allocate sufficient time for collaboration. The integration process is highly collaborative. Extensive testing and configuration are essential, often involving trial and error with various API calls and JSON message formats. To ensure smooth integration, sufficient time must be allocated for working sessions where these specialists can collaborate effectively. Scheduling dedicated sessions allows for focused effort and avoids the need to multitask, ultimately leading to a more efficient and successful integration process.
Use a secure API authentication method to authenticate the API client. In this case, we used different OAuth and OIDC authentication flows. Basic or password-based authentication is not recommended unless it can be coupled with a second layer of authentication, such as client/server certificate-based mutual authentication. Transport-layer security, such as TLS 1.2 or above, should always be used in API communication.
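The authentication and transport rules above can be enforced in the API client itself. The following is an added example, not code from the engagement described here: it builds options for Node's `https.request()`, and the `cfg` field names, URL and credentials are hypothetical. The JavaScript runtime embedded in an ITSM workflow may expose a different HTTP API.

```javascript
// Added example: cfg fields, hostnames and credentials are hypothetical.
const TLS_ORDER = ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'];

// Build options for Node's https.request() that enforce the policy above.
function buildIgaRequestOptions(cfg) {
  const url = new URL(cfg.url);
  if (url.protocol !== 'https:') {
    throw new Error('API calls must use https');
  }
  const minVersion = cfg.minTlsVersion || 'TLSv1.2';
  // Unknown version strings index to -1 and are rejected as well.
  if (TLS_ORDER.indexOf(minVersion) < TLS_ORDER.indexOf('TLSv1.2')) {
    throw new Error('TLS 1.2 or above is required');
  }
  const hasClientCert = Boolean(cfg.clientCert && cfg.clientKey);
  const headers = { Accept: 'application/json' };

  if (cfg.auth.type === 'bearer') {
    // Access token obtained from an OAuth/OIDC flow.
    headers.Authorization = 'Bearer ' + cfg.auth.token;
  } else if (cfg.auth.type === 'basic') {
    // Password-based auth only with certificate-based mutual authentication.
    if (!hasClientCert) {
      throw new Error('basic auth requires a client certificate (mTLS)');
    }
    const pair = cfg.auth.user + ':' + cfg.auth.password;
    headers.Authorization = 'Basic ' + Buffer.from(pair).toString('base64');
  } else {
    throw new Error('unsupported auth type: ' + cfg.auth.type);
  }

  const options = {
    method: cfg.method || 'GET',
    hostname: url.hostname,
    port: url.port || 443,
    path: url.pathname + url.search,
    headers,
    minVersion,               // refuse handshakes below this version
    rejectUnauthorized: true, // always verify the server certificate
  };
  if (hasClientCert) {
    options.cert = cfg.clientCert;
    options.key = cfg.clientKey;
  }
  return options;
}
```

A basic-auth configuration without a client certificate, a plain `http://` URL, or a minimum TLS version below 1.2 is rejected before any request is sent.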
About the Author
Brian Read, Chief Technology Officer
Brian has over 25 years of extensive experience in the IT industry, focused on managing and growing digital security practices. He has led large identity projects in the federal sector, energy sector, and financial services sectors.