Identity Governance and Administration as a Service Quick Start
This quick start provides a brief overview of the NetIQ Identity Governance and Administration hybrid solution and the tasks you need to complete to start using Identity Governance as a Service.
Figure 1 Overview of Identity Governance and Administration
Identity Governance and Administration (IGA) manages and governs digital identities and enforces appropriate access across the enterprise. With a unified governance framework, organizations can determine who has access to which resources and whether that access is appropriate. Scaling to billions of identities, IGA automates and streamlines processes related to access requests, access certification, identity lifecycle management, provisioning, and compliance reporting. IGA detects changes as they happen in the connected systems and adjusts security controls for continuous compliance, thus reducing risk and increasing efficiency for the organization.
IGA, as illustrated in the above diagram, includes following main components and additional services:
-
NetIQ Identity Governance helps organizations run effective access certification campaigns and implement identity governance. Key features include certification reviews, micro-certifications, access request and approval, segregation of duties (SOD), and governance insight. Identity Governance can be deployed on premises or using SaaS.
-
NetIQ Identity Manager powers the entire identity management lifecycle, managing identities and their associated attributes to minimize privileges. Key features include automated provisioning, identity attribute management, password synchronization, and data and event transformation to match organizational business processes.
You can use the IGA hybrid solution to log in to Identity Governance as a Service using Advanced Authentication as a Service for authentication based on methods and repositories configured in Advanced Authentication tenancy. In addition, you can collect data from on-premises Identity Manager using a data transfer bridge (Cloud Bridge), create custom workflows for request approval on fulfillment, and generate reports.
Identity Governance as a Service and Advanced Authentication as a Service will be deployed, configured, and maintained by Micro Focus. Once you receive your tenancy URL (http://tenantid.igasubdomain.hostedsaasdomain.com), you can log in to Identity Governance, assign authorizations, and perform governance tasks.
4.0 Installing and Configuring the Cloud Bridge Agent
In as a Service environment, Cloud Bridge is a data transfer bridge between the application in the cloud and data sources in on-premises environments. The Cloud Bridge Agent(CBA) is the entity that responds to the collection and fulfillment commands and directs them to the proper data source for execution. The following diagram provides a brief overview of the Cloud Bridge setup.
Figure 2 Overview of Cloud Bridge Setup
The Cloud Bridge Data Center in your Identity Governance tenancy is created by the SaaS team based on the information you provide in the technical questionnaire. Data Centers are a conceptual representation of your Cloud Bridge Agent instance and could reside in different on-premises and cloud environments. DataCenter.json contains customer-specific data center information. Defines the connection information between the CBC and a single CBA instance. Install the Cloud Bridge Agents on your local systems, then configure Identity Governance Data Source Connections and Data Sources as needed to connect to your on-premises data sources.
For information about the Cloud Bridge Agent and related Identity Governance procedures, see the following sections.
4.1 Installing and Upgrading the Cloud Bridge Agent
Prior to installing the Cloud Bridge Agent on premises, the SaaS operations team must have granted you the privilege to use Cloud Bridge. You or an authorized user can then add an external repository in the IGA Advanced Authentication tenancy.
NOTE:Use TENANT_ID_AA_ER, where TENANT_ID is in uppercase, as the name of the external repository. For more information about adding Cloud Bridge external repository, refer to the NetIQ Advanced Authentication Administration Guide.
Regarding upgrading your Cloud Bridge Agent, before you upgrade an existing CBA installation, you should review your environment and do some planning for high availability. For more information about installing and upgrading the Cloud Bridge Agent on premises, refer to the NetIQ Cloud Bridge Agent Release Notes and the NetIQ Cloud Bridge Agent Installation and Administration Guide.
IMPORTANT:The connector jar files used for identity and application data collection and fulfillment have been updated to Java 11. The Cloud Bridge Agent 1.10.0 has been updated to JDK 17, which is backward compatible with JDK 11. If you have custom connectors that were compiled with JDK 8, you will need to recompile them with JDK 11. You must also ensure that any new custom connectors are compiled with JDK 11.
The CBA installation script does not automatically remove custom connectors from the bridge-lib folder, so you must manually remove them if you want to replace them with the updated connectors.
Additionally, with JDK 17, the Nashorn JS Engine is no longer a part of the JDK. As a result, Identity Governance 4.2 and Cloud Bridge 1.10.x now utilize the Graal JS Engine. This change could impact your transformation scripts in collectors and fulfillment, as well as your code in a custom collector or fulfillment. Ensure that you review and test all of your transformation scripts and custom code accordingly.
4.2 Configuring Identity Governance Data Source Connection and Adding Credentials
After installing the agent, you must configure a data source connection in Identity Governance, then add credentials using the Cloud Bridge Agent UI. For information about configuring data source connections, and adding credentials, see Collecting Data Using Cloud Bridge
in the Identity Governance as a Service User and Administration Guide and Add Credentials for Data Source Connections
in the Cloud Bridge Installation and Administration Guide.
When adding credentials, in addition to unique ID, user name, and password, you must also specify the appropriate ordinal for the authentication method. When a connector (collector or fulfiller) takes only one credential pair, then the default ordinal value of 0 is used. When a connector supports more than one credential pair (user name and password) combination such as the IDM AE Permission Collector and SCIM collectors and fulfiller, then you need to specify additional ordinals.
NOTE:The user name and password fields are limited to 255 characters.
You can view the existing credentials you have by visiting http://localhost (CBA IP address or DNS name):8080/api/v1/credential. Since the connector can only be configured for one type of authentication, the other credential sets will be unused by the connector.
IMPORTANT:When configuring the Cloud Bridge Agent, it is critical that the proper ordinal value be utilized for the authentication method being utilized. For example, if a SCIM Identity Collector is being configured in Identity Governance and Basic Auth is selected for the Authentication Method, the basic authentication credentials would need to be added to the Cloud Bride Agent using ordinal value 3. Also note that if an authentication method is chosen that requires multiple credential sets, ALL of these credential sets must be added to the CBA using specific ordinal values. For addition information about specific ordinal values and authentication methods, refer to the Identity Governance as a Service User and Administration Guide.