Managing endpoints by identity adapters

IBM® Security Verify provides a way to manage endpoints by uploading an identity adapter profile JAR file for supported Identity Adapters. It automatically creates a custom application template, which can be used to create an application. You can configure account lifecycle and account synchronization for the endpoints that are managed by identity adapters in Verify.

Before you begin

About this task

The adapter profile defines the schema, that is, the attributes, of the target endpoint. Upload it to Verify; Verify deploys it to the on-premises components that were created with the identity agent.

The file that you upload to Verify must be a Java™ archive (JAR) file. The <Adapter>Profile.jar file includes all the files that define the adapter schema. If necessary, extract the files from <Adapter>Profile.jar, modify them, repackage the JAR file with the updated files, and upload it to Verify again.
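The extract, modify, and repackage step, as an added example in Python (not IBM code and not the layout of a real adapter profile): a JAR is a ZIP archive, so the standard zipfile module is enough. The entry names and contents below (schema.dsml, CustomLabels.properties) are constructed for illustration; the real <Adapter>Profile.jar has its own files. The inspect function fails closed on a corrupt archive and on entry names that would escape the extraction directory, and the repackage function copies every untouched entry byte for byte so that a before/after digest comparison shows exactly which files changed before the JAR is uploaded again.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

# Constructed sample profile. Entry names and contents are assumptions made
# for this example; a real <Adapter>Profile.jar comes from the IBM download.
SAMPLE_PROFILE_FILES = {
    "schema.dsml": "<dsml><directory-schema/></dsml>\n",
    "CustomLabels.properties": "erSampleAccount=Sample account\n",
}


def build_sample_profile_jar(path: Path) -> Path:
    """Write the constructed sample profile as a JAR (a JAR is a ZIP file)."""
    with zipfile.ZipFile(path, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, text in SAMPLE_PROFILE_FILES.items():
            zf.writestr(name, text)
    return path


def inspect_profile_jar(path: Path) -> dict:
    """Return {entry_name: sha256} for every file entry in the JAR.

    Fails closed on a corrupt archive and on entry names that would escape
    the extraction directory (an archive with "../" entries should not be
    unpacked, let alone uploaded to a provisioning service).
    """
    with zipfile.ZipFile(path) as zf:
        bad = zf.testzip()
        if bad is not None:
            raise ValueError(f"corrupt entry in {path}: {bad}")
        digests = {}
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = Path(info.filename).parts
            if info.filename.startswith(("/", "\\")) or ".." in parts:
                raise ValueError(f"unsafe entry name: {info.filename}")
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
        return digests


def repackage_profile_jar(src: Path, dst: Path, edits: dict) -> Path:
    """Copy src to dst, replacing only the entries named in `edits`.

    Every other entry is copied unchanged, so comparing
    inspect_profile_jar(src) with inspect_profile_jar(dst) lists exactly the
    files that were modified.
    """
    unknown = set(edits) - set(inspect_profile_jar(src))
    if unknown:
        raise KeyError(f"entries not present in {src}: {sorted(unknown)}")
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for info in zin.infolist():
            if info.filename in edits:
                zout.writestr(info.filename, edits[info.filename])
            else:
                zout.writestr(info, zin.read(info))
    return dst


def changed_entries(before: dict, after: dict) -> set:
    """Names whose digest differs, plus names that were added or removed."""
    return {n for n in before.keys() | after.keys() if before.get(n) != after.get(n)}


def run_demo() -> dict:
    """Round trip: build, inspect, edit one label file, repackage, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        src = build_sample_profile_jar(Path(tmp) / "SampleProfile.jar")
        dst = Path(tmp) / "SampleProfile-updated.jar"
        before = inspect_profile_jar(src)
        repackage_profile_jar(
            src, dst, {"CustomLabels.properties": "erSampleAccount=Sample endpoint account\n"}
        )
        after = inspect_profile_jar(dst)
        return {"entries": sorted(after), "changed": sorted(changed_entries(before, after))}


if __name__ == "__main__":
    print(run_demo())
```

Run inspect_profile_jar on the downloaded JAR before and after editing and keep the digest listing with the change record; the same listing lets you confirm that the JAR you upload in the procedure below is the one you reviewed.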

Procedure

  1. Create an agent configuration for the purpose of provisioning.
  2. Deploy the on-premises components.
  3. Use the Docker Compose YAML file that was generated in Step 1 to deploy the on-premises components.
    Issue the following command.
    docker-compose -f <Docker compose YML file> up -d
  4. Deploy the identity adapter profile to the Identity Brokerage component that was deployed in Step 3.
    1. Download the profile JAR file from https://www.ibm.com/support/pages/ibm-security-verify-governance-adapters-v10x.
    2. Log in as administrator in Verify.
    3. Navigate to Applications > Application profiles.
    4. In the Application profiles page, click Create profile > Identity adapter profile.
    5. Specify the Profile name.
    6. Optional: Provide a description.
    7. Select the Provisioning identity agent.
    8. Upload the identity adapter target profile JAR file.
    9. Click Create Profile.
    10. To make the profile available for use, verify the details, then click Publish draft. Select Yes, Publish in the pop-up window.
      After the profile is published, an endpoint template with the same name as the profile is generated. The template can be used to create applications.
      Note: No templates are generated for LDAP and Oracle applications. Use the existing LDAP and Oracle templates.
  5. Edit the adapter profile.
    To update the adapter profile, to add, modify, or delete schema attributes, or to upload a new JAR file to Verify, perform the following steps.
    1. Log in as administrator in Verify.
    2. Navigate to Applications > Application profiles.
    3. Select the existing application profile that you want to update and click Edit profile.
    4. Optional: Update the profile name and description.
    5. Upload the updated identity adapter profile JAR file and click Save changes.
    6. If the profile is not yet published, verify the details, then click Publish draft and select Yes, Publish in the pop-up window.
      After the profile is published, the endpoint template is updated with the changes.
  6. Onboard the endpoint identity adapter application.
    1. Log in as administrator in Verify.
    2. Navigate to Applications > Add application.
    3. In the pop-up window, search for the name of the profile that you created earlier and click Add application.
    4. In the Add applications page, select the General tab, and specify the required details.
    5. Select the Account lifecycle tab.
    6. Specify the provisioning and deprovisioning policies.
      Parameters and descriptions:

      Provision accounts
        Disabled by default, which means that account creation is performed outside of Verify.
        Select Enabled to provision an account automatically when an entitlement is assigned to a user. Password generation and email notification are available for accounts that Verify creates.

      Deprovision accounts
        Disabled by default, which means that account removal is performed outside of Verify.
        Select Enabled to deprovision an account automatically when the entitlement is removed from a user.

      Account password
        Sync user's Cloud Directory password: Available if password sync is enabled on the Cloud Directory and the identity adapter supports it. The Cloud Directory password is used when a regular user is provisioned to the application. Federated users receive a generated password when they are provisioned to the application.
        Generate password: Generates a random password for the provisioned account. The password follows the Cloud Directory password policy.
        None: Provisions the account without a password.

      Send email notification
        Available when Generate password is selected. When selected, an email notification that contains the generated password is sent to your email address after the account is provisioned successfully.

      Grace period (days)
        Number of days that a deprovisioned account is kept suspended before it is permanently deleted.

      Deprovision action
        When deprovisioning is enabled, choose whether a deprovisioned account is suspended or deleted. When deprovisioning is disabled, this option is unavailable.
  7. Specify the API authentication details.
  8. Click Test connection to test the connection of the endpoint. The connection needs to be successful to provision or reconcile accounts on the endpoint application.
  9. Map the target attribute names to the corresponding Verify Cloud Directory attributes. Select the Keep updated checkbox for the attributes that must be updated on the target when they change.
  10. Select the Account sync tab.
  11. In the Adoption policy section, add one or more attribute pairs that must match for account sync to assign target accounts to their respective account owners in Verify.
  12. In the Remediation policies section, choose a remediation policy that remediates noncompliant accounts automatically.
  13. Click Save.
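The effect of the adoption policy in Step 11, as an added example in Python (an illustrative model, not Verify's implementation): an account is adopted only when every configured attribute pair matches exactly one Verify user, and accounts that match nobody or more than one user are left unassigned for the remediation policy of Step 12. The sample accounts and users are constructed, the attribute names on both sides are assumptions, and the case- and whitespace-insensitive comparison is a choice made here, not a documented Verify behaviour. The comparison of a single-pair policy with a two-pair policy shows why an attribute that is not unique on the target (here, a shared mailbox address) must not be the only pair: adopting an account to the wrong owner hands that owner the account's access.

```python
# Constructed sample data: accounts reconciled from the endpoint, and users in
# the Verify Cloud Directory. Attribute names are assumptions for this example.
TARGET_ACCOUNTS = [
    {"uid": "jdoe", "mail": "jdoe@example.com", "employeeNumber": "1001"},
    {"uid": "jdoe2", "mail": "JDoe@example.com", "employeeNumber": "1002"},
    {"uid": "svc-backup", "mail": "", "employeeNumber": ""},
]
VERIFY_USERS = [
    {"userName": "jane.doe", "email": "jdoe@example.com", "employeeId": "1001"},
    {"userName": "john.doe", "email": "jdoe@example.com", "employeeId": "1002"},
]


def _norm(value):
    """Comparison key: case- and whitespace-insensitive (an assumption of this
    example). Empty values never match anything."""
    return (value or "").strip().lower()


def adopt_accounts(accounts, users, pairs):
    """Apply an adoption policy given as (target_attr, verify_attr) pairs.

    An account is adopted only when every pair matches exactly one user.
    Accounts with no matching user are orphans; accounts that match more than
    one user are ambiguous. Neither is assigned an owner; both are returned
    separately so that a remediation policy can act on them.
    """
    adopted, ambiguous, orphans = {}, [], []
    for acct in accounts:
        matches = []
        for user in users:
            if all(
                _norm(acct.get(t)) and _norm(acct.get(t)) == _norm(user.get(v))
                for t, v in pairs
            ):
                matches.append(user["userName"])
        if len(matches) == 1:
            adopted[acct["uid"]] = matches[0]
        elif matches:
            ambiguous.append(acct["uid"])
        else:
            orphans.append(acct["uid"])
    return {"adopted": adopted, "ambiguous": sorted(ambiguous), "orphans": sorted(orphans)}


def compare_policies():
    """A single non-unique pair versus the same pair plus an employee ID."""
    weak = adopt_accounts(TARGET_ACCOUNTS, VERIFY_USERS, [("mail", "email")])
    strict = adopt_accounts(
        TARGET_ACCOUNTS, VERIFY_USERS, [("mail", "email"), ("employeeNumber", "employeeId")]
    )
    return weak, strict


if __name__ == "__main__":
    weak, strict = compare_policies()
    print("mail only:        ", weak)
    print("mail + employeeId:", strict)
```

With the mail-only policy neither personal account is adopted because the shared address matches two users, and the service account is an orphan either way; with both pairs each account lands on exactly one owner. Whatever pairs you configure, review the orphan and ambiguous sets before enabling a remediation policy that suspends or deletes accounts automatically.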

What to do next

After the application is saved, specify the authorization policy on the Entitlements tab.