Pass the SailPoint Identity Security Engineer IdentityNow-Engineer Questions and answers with CertsForce

Yes, it is possible to remove the approval requirement for an application in IdentityNow by editing the access profile and unchecking the 'Required Approval' box. This configuration change would eliminate the need for a manager or other approver to review access requests, allowing users to be granted access without requiring approval.

Key Reference from SailPoint Documentation:

Access Profile Configuration: Access profiles can be configured to require or not require approval for access requests, and this option can be modified directly in the profile settings.

The Web Services connector in SailPoint IdentityNow does not support SAML authentication. SAML is primarily used for Single Sign-On (SSO) authentication for web applications, whereas the Web Services connector in IdentityNow typically supports Basic Authentication, OAuth, or custom header-based authentication for API-based integrations. SAML authentication is generally used for federated identity management rather than for API-based interactions.

References:

SailPoint IdentityNow Web Services Connector Configuration Guide.

SailPoint IdentityNow Authentication Methods for Connectors.

Yes, search-based certification campaigns can be used to review access for non-correlated accounts. Non-correlated accounts are accounts that do not have a direct link to any identity in the system, which means they may represent orphaned or unmanaged accounts. Search-based certifications allow administrators to create campaigns based on specific criteria, including targeting these non-correlated accounts to ensure they are properly reviewed and addressed within the organization.

References:

SailPoint IdentityNow Search-Based Certification Campaign Guide.

SailPoint IdentityNow Non-Correlated Account Management Documentation.

The use case describes a user logging into IdentityNow via an external identity provider’s login, where information is exchanged via federation. This correctly aligns with the concept of passthrough authentication.

Passthrough authentication often uses protocols like SAML (Security Assertion Markup Language) or OAuth for federation. In this case, the identity provider (IdP) handles the authentication and then passes the necessary authentication tokens or assertions back to SailPoint IdentityNow, granting the user access without directly requiring their password to be stored or authenticated by IdentityNow. This is a typical use case of federation and passthrough authentication.

References:

SailPoint IdentityNow Documentation on SAML and OAuth Federation.

SailPoint IdentityNow Federation and Passthrough Authentication Configuration Guides.

Yes, the Virtual Appliances (VAs) should reside in C, which represents the on-premise network. In this scenario, the engineer has an Active Directory, a database server, and cloud applications. The VA needs to reside inside the internal on-premises network (C) to securely communicate with the Active Directory and database server. The VA will manage the secure connection to these internal resources and can also interact with cloud applications via SailPoint IdentityNow.

Key Reference from SailPoint Documentation:

VA Deployment in On-Prem Network: SailPoint advises deploying Virtual Appliances within the internal on-premises network where they can securely access identity sources like Active Directory and internal databases.

Clearing the authentication checkbox for a source in SailPoint IdentityNow is not a typical troubleshooting step for a timeout error. This option is related to whether or not authentication is required for the source connection. A timeout error typically points to a network issue (e.g., port, firewall, or network latency), not authentication problems. The engineer should instead focus on network-related configurations such as checking port access or firewall settings.

Key Reference from SailPoint Documentation:

Source Connectivity Troubleshooting: Timeout errors are generally caused by network issues rather than authentication problems, so adjusting authentication settings is not recommended for resolving such errors.

No, reconfiguration within IdentityNow is not required to connect to the disaster recovery (DR) VAs, which makes this scenario not a disadvantage. When properly configured, all VAs (including DR VAs) in a cluster are part of the same logical unit, meaning that failover to the DR VAs should happen seamlessly without manual intervention or significant reconfiguration. IdentityNow handles the failover automatically, directing traffic to the DR VAs when primary VAs become unavailable.

While there might be some overhead in a manual failover scenario for certain configurations, the use of a single VA cluster helps mitigate this by ensuring the system can failover without needing complex reconfigurations for every source.

References:

SailPoint IdentityNow Virtual Appliance Failover and Disaster Recovery Configuration.

SailPoint IdentityNow High Availability Architecture Guide.

SailPoint IdentityNow APIs are not authenticated using client certificates. Instead, they use OAuth 2.0 for secure authentication and authorization. API consumers are required to obtain an access token, which is used to authenticate requests made to the IdentityNow API. The token is typically obtained by sending client credentials (client ID and client secret) to the IdentityNow authorization server, which grants the token for API access.

Key Reference from SailPoint Documentation:

API Authentication: SailPoint IdentityNow uses OAuth 2.0 for API authentication rather than client certificates. Detailed steps on how to implement OAuth-based authentication are available in SailPoint’s API documentation.

Yes, using a query select statement with a clause to match the incoming account to an existing account is a key configuration for the Single Account SQL Query in a JDBC connector. This query is used to fetch specific account details from the database and must be written in such a way that it uniquely identifies each account, ensuring accurate correlation between the data in the source and the identities in IdentityNow. Properly configuring this SQL query ensures the right accounts are matched and managed.

References:

SailPoint IdentityNow JDBC Connector Single Account Query Configuration Guide.

SailPoint IdentityNow SQL Query Best Practices Documentation.

Yes, an access profile can be acknowledged during certifications. During access certification campaigns, reviewers can review access profiles as part of the items that need to be certified. They can either approve or revoke access to the access profiles, just like they would with individual entitlements. This ensures that users' access to these bundled entitlements is regularly reviewed and compliant with organizational policies.

References:

SailPoint IdentityNow Certification Campaigns Guide.

SailPoint IdentityNow Access Profile Certification Documentation.