Quick Setup Guide - Connect Governance & Lifecycle to ID Plus
a day ago

Quick Setup Guide - Connect Governance & Lifecycle to ID Plus

This guide provides instructions for connecting the RSA Governance & Lifecycle (G&L) instance to the RSA ID Plus server and establishing a trust relationship between them to enable subsequent bi-directional integrations.

What You Need to Have

You need to have the following details:

  • Registration Code

  • Registration URL

To generate a Registration Code and Registration URL, follow the instructions in the below procedure.

Generate the Registration Code and URL to Connect G&L to ID Plus

You need a registration code and URL to enter into the G&L instance to establish the connection between G&L and ID Plus. To generate this code and URL, perform the following steps.

Procedure 

  1. In the Cloud Administration Console, click Platform > Governance & Lifecycle.

  2. Click Generate Code.
    The Registration Code is generated.

  3. Copy the values from the Registration Code and URL fields and store them securely on your computer.

  4. (Optional) Select a Network Zone from the drop-down list.

Connect G&L to ID Plus

You need to connect a G&L instance to the ID Plus server to establish a bi-directional trust relationship. To connect them, perform the following steps.

Procedure 

  1. Log in to RSA Governance and Lifecycle.

  2. Navigate to Admin > IDPlus Connect, and then click Create IDPlus Application.

  3. On the Remote Application Setup page (1), click Next.

  4. On Page 2 (Register RSA G&L with RSA IDPlus), enter the following details:

  5. Click Next.

  6. Click Connect to the RSA IDPlus.
    A Connection Successful message is displayed.

  7. After successful registration, do the following.

    • Select the Create Collector checkbox to create an ADC collector.

    • Select the User Sync with IDPlus checkbox to onboard the new user to the ID Plus application.

      Note:   The IDPlus Lookup Api field is automatically generated from the API and is not editable.

  8. Click Next.

  9. On the Connection page 2, the details for the following fields are provided by default, and can be customized if needed.

    1. Base URL

    2. Use Base URL for All API(s) is set to true.

    3. SSL Authentication is set to One-Way-SSL.

    4. User Authentication Type is OAuth2 - The field is not editable.

    5. Enter Client ID, Client Secret, Authentication URL, and Access Token URL.

    6. Click Get OAuth 2.0 Access Token.

  10. Click Next.

  11. On the Select types of account data to collect page 3, select Accounts and click Next.

  12. On the Configuration of Account collection page 4, do the following.

    1. Enter the Request Parameters.

    2. Enter the Header Name and Header Value in the given fields.

    3. Enter the Response Path for the Collector Mapping Parameters.

    4. To check the records, click Test Rest API - 1.

  13. Click Next.

  14. On the Map Collector Attributes to Account Attributes page 6, from the User Reference drop-down list, select AccountId.

  15. Click Next.
    A confirmation page appears for the Create IDPlus Application.

  16. On the Edit User Resolution Rules page 7, do the following.

    1. Click Add More, and then click Next.

    2. Review the details and click Finish.
      IDPlus Application has been created and is displayed on the Admin > IDPlus Connect page.

  17. Click the ID Plus Application displayed under the Application Name.

  18. To collect the accounts, do the following.

    1. Navigate to Collectors and click the ADC collector.

    2. Click Test.
      The collected accounts are displayed on the Accounts page.

Test the Lookup API

To test the Lookup API, perform the following steps.

Procedure 

  1. Add a new user.

  2. On the home page, navigate to Collectors > Identity Collection.

  3. To run the Identity Collection, do the following.

    1. Select the Collector.

    2. Click the Collect Identity button.

      You can monitor the collection on the Monitoring page.

Delete the ID Plus Application and Collectors

To remove the ID Plus application and its associated collectors from G&L, perform the following steps.

Before you begin 

Ensure you are logged in to the G&L application with administrative privileges.

Procedure 

  1. Navigate to Admin > IDPlus Connect.

  2. Select the ID Plus application that you want to delete.

  3. On the Collectors tab, select IDPlus_ADC collector and click Deactivate.

  4. After deactivation, click the Delete icon present at the right corner of the application to remove the collector.

  5. Return to the General tab of the ID Plus application.

  6. Click Delete to remove the application.

Configure the Remote Agent with ID Plus

Perform the following steps to configure the remote agent with ID Plus.

Procedure 

  1. Download the certificate from the ID Plus server.

  2. Log in to G&L application and navigate to Admin > User Interface > Files.

  3. Select the SSL certificate files.

  4. Upload the ID Plus certificate file, and click OK.

  5. Download the keystore files from the remote agent.

  6. Replace the existing client.keystore file with the newly downloaded file in the remote agent.

  7. Restart the remote agent.

Troubleshooting

If the ID Plus application is deleted before the collector is removed, then the collector may remain in the database and will need to be removed manually.

Before you begin 

Ensure you have access to the correct database schema depending on your deployment type:

  • Cloud Customers: Navigate to Admin > System > SQL Utility within the application UI and ensure the avuser schema is selected.

  • On-Premise Customers: Access the database directly using a tool such as sqlplus or SQLDeveloper and ensure the avuser schema is selected.

Procedure 

To remove the collector manually, perform the following steps.

  1. Run the following query and locate the associated ADC collector to identify the record.

    SELECT * FROM t_oauth2_record WHERE CLIENT_ID = <Client_ID_Here> And TOKEN_URL = <Insert_URL_Here>;

  2. From the results, identify the specific ID and respective token URL of the orphaned ADC collector to locate the client ID.

  3. Run the following deletion command using the client ID and token URL identified in the previous step to delete the record.

    DELETE FROM t_oauth2_record WHERE CLIENT_ID = <Client_ID_Here> And TOKEN_URL = <Insert_URL_Here>;

  4. Run the following query to commit the changes.

    DELETE FROM t_oauth2_record WHERE CLIENT_ID = 'glAdminClientId' and token_url='https://voyager-karma-gp8-ngx.auth-dev.securid.com/oauth/token';

    Note:  In the preceding query, replace <Client_ID_Here> and <Insert_URL_Here> with the actual client ID and token URL found in Step 2.