Step-by-step deployment guide

Note: This version of the gateway is currently compatible with Elimity Insights server versions matching >=3.43.0.

1. Setting up a dedicated user in SailPoint IIQ

As usual, we recommend creating a dedicated user in SailPoint IIQ for this connector. More specifically, this connector requires the 'SCIM Executor' capability. As described in the official documentation, use the 'User Rights' tab on the 'View Identity' page to assign this capability. Having set up the new dedicated user, we can now create an OAuth client. Navigate to 'Global settings' > 'API authentication'. Click 'Create', provide a descriptive name for the client (e.g. 'Elimity Insights') and set the dedicated user created above as the client's proxy user. Note down the newly generated client's id and secret.

2. Configuring the gateway

To configure your gateway, mount a JSON configuration file at /app/config/config.json with the properties listed below. An example config.json (282 B) is attached to this page as a starting point.

Edit the following properties in this file to configure the gateway to your needs:

| Property | Type | Description |
| --- | --- | --- |
| baseUrl | string | Base URL of your SailPoint IIQ instance, e.g. "https://sailpoint-iiq.example.com/identityiq" |
| clientId | string | OAuth client identifier you noted down in step 1 |
| clientSecret | string | OAuth client secret you noted down in step 1 |
| jwtValidationAudiences | option[list[string]] | Audiences for JWT validation, defaults to ["gateway"] |
| jwtValidationBaseUrl | string | Expected Elimity Insights base URL for JWT validation, e.g. "https://example.elimity.com" |
| jwtValidationGatewayUrl | string | Expected gateway URL for JWT validation, e.g. "https://gateway.example.com" |
| jwtValidationIssuer | option[string] | Issuer for JWT validation, defaults to "https://auth.elimity.com/" |
| jwtValidationExpr | option[string] | Expr program implementing JWT custom claim validation, defaults to "claims.base_url == baseURL && claims.gateway_url == gatewayURL && claims.source_id == sourceID" |
| jwtValidationOptional | option[boolean] | Flag indicating whether JWT validation is optional, defaults to false |
| jwtValidationSourceId | string | Expected source id for JWT validation, e.g. "42" |

JWT validation

We highly recommend requiring JWT validation to secure your gateway. Please read our official documentation about the following topics to understand how Elimity Insights authenticates to gateways via OAuth2:

Our SaaS customers can simply set the jwtValidationBaseUrl, jwtValidationGatewayUrl and jwtValidationSourceId configuration options, which provides the following security guarantees:

  • Only requests coming from the configured Elimity Insights tenant are allowed

  • Only requests targeting the configured gateway URL are allowed

  • Only requests for importing the configured source are allowed

On-premise customers should additionally set the jwtValidationAudiences, jwtValidationIssuer and jwtValidationExpr configuration options. Alternatively, you can set jwtValidationOptional to true and perform authentication in a proxy instead; note that the gateway itself then accepts requests without a token, so the proxy must be the only route to it.
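The following added example (not the gateway's own code, and not part of this page) illustrates both the configuration file from step 2 and the claim checks described in this section. It loads a constructed config.json with the properties from the table, applies the documented defaults for the optional jwtValidation* properties, and then checks a token's claims the way the default jwtValidationExpr does (base_url, gateway_url and source_id must equal the configured values), together with the issuer and audience settings. It assumes the token's signature and expiry have already been verified by a JWT library; the function names load_config and validate_claims, and the sample claim sets, are constructed for this illustration.

```python
"""Illustration of gateway JWT claim validation (added example, not the gateway's code).

Assumes the caller has already verified the token's signature and expiry with a
JWT library and hands over the decoded claims as a dict (None if no token was sent).
"""
import json

# Constructed config.json, built from the property table in step 2.
SAMPLE_CONFIG = """{
  "baseUrl": "https://sailpoint-iiq.example.com/identityiq",
  "clientId": "<client id from step 1>",
  "clientSecret": "<client secret from step 1>",
  "jwtValidationBaseUrl": "https://example.elimity.com",
  "jwtValidationGatewayUrl": "https://gateway.example.com",
  "jwtValidationSourceId": "42"
}"""

# Defaults for the optional properties, as documented in the table.
DEFAULT_AUDIENCES = ["gateway"]
DEFAULT_ISSUER = "https://auth.elimity.com/"

# Token claim name -> configuration property it must equal
# (mirrors the default jwtValidationExpr program).
CLAIM_CHECKS = (
    ("base_url", "jwtValidationBaseUrl"),
    ("gateway_url", "jwtValidationGatewayUrl"),
    ("source_id", "jwtValidationSourceId"),
)


def load_config(text):
    """Parse config.json, require the mandatory properties and apply defaults."""
    cfg = json.loads(text)
    required = ("baseUrl", "clientId", "clientSecret", "jwtValidationBaseUrl",
                "jwtValidationGatewayUrl", "jwtValidationSourceId")
    missing = [key for key in required if key not in cfg]
    if missing:
        raise ValueError("missing required properties: " + ", ".join(missing))
    cfg.setdefault("jwtValidationAudiences", list(DEFAULT_AUDIENCES))
    cfg.setdefault("jwtValidationIssuer", DEFAULT_ISSUER)
    cfg.setdefault("jwtValidationOptional", False)
    return cfg


def validate_claims(claims, cfg):
    """Return (accepted, reason) for a request carrying the given verified claims.

    claims is None when the request carried no token at all.
    """
    if claims is None:
        # Only a gateway with jwtValidationOptional=true lets unauthenticated requests through.
        if cfg["jwtValidationOptional"]:
            return True, "no token; jwtValidationOptional is true"
        return False, "missing token"

    # Standard claims: issuer and audience must match the configured values.
    if claims.get("iss") != cfg["jwtValidationIssuer"]:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if not any(a in cfg["jwtValidationAudiences"] for a in audiences):
        return False, "audience mismatch"

    # Custom claims: each must equal the configured tenant, gateway and source values.
    for claim, prop in CLAIM_CHECKS:
        if claims.get(claim) != cfg[prop]:
            return False, f"{claim} mismatch"
    return True, "ok"


def demo():
    """Run a few constructed claim sets through the checks and return the outcomes."""
    cfg = load_config(SAMPLE_CONFIG)
    good = {"iss": DEFAULT_ISSUER, "aud": "gateway",
            "base_url": "https://example.elimity.com",
            "gateway_url": "https://gateway.example.com", "source_id": "42"}
    other_tenant = dict(good, base_url="https://other.elimity.com")
    other_source = dict(good, source_id="43")
    return {
        "good": validate_claims(good, cfg),
        "other_tenant": validate_claims(other_tenant, cfg),
        "other_source": validate_claims(other_source, cfg),
        "no_token": validate_claims(None, cfg),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The three custom-claim comparisons are what give the guarantees listed above: a token minted for another tenant, another gateway URL or another source fails on exactly that claim. Setting jwtValidationOptional to true only changes the no-token branch, which is why a proxy must then take over authentication.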

3. Deploying the gateway

Having configured the gateway, we can now deploy it so the built-in connector can start importing. Since we distribute the gateway as a Docker image, our recommendation for deployment is to use a CaaS solution like Google Cloud Run or Azure Container Apps. If that's not an option, you can also manually deploy the image on e.g. Windows Server. Refer to our documentation about gateways and import agents for additional details.
