Hello, everyone. In this post, we'll be discussing how to set an IIQ user's password expiration via REST, or to be more precise, how to work around the fact that setting a user's password via REST doesn't set their password expiration date as well.
Now, we're going to make a few assumptions about your environment.
First, let's assume you have days until expiry set in your password policy:
(If you don't, log into your admin account and go to Global Settings -> IdentityIQ Configuration -> Passwords to set it)
We'll assume assume that you're familiar with SailPoint's REST API, and can both GET a user object and update the user with PUT.
We'll also assume that you're familiar with basic IIQ functionality, including creating custom attributes, workflows, rules, etc.
So, how did we get around our dilemma (i.e., setting a password expiration)? Well, we added a new Identity attribute called "Last Password Reset", created a Lifecycle Event to detect changes in the field, which then triggers a workflow that calls a rule to calculate and set the password expiration. Sound like a lot? Don't worry, we'll tackle it step by step. Feel free to skip ahead using the following links:
#1: Create a new Identity Attribute
Here, we're going to create a new attribute that we'll set via REST, in addition to the new password itself.
Navigate to Global Settings -> Identity Mappings and click on "Add New Attribute". Give your new attribute an attribute name and a display name, and make sure to mark it "searchable":
We want the new attribute to show in the Identity Warehouse as well, so let's go alter the UI Configuration in the Debug page:
http://<hostname>:<port>/identityiq/debug
Click on "Configuration Objects" and select "UI Configuration".
Search for the entry key "identityViewAttributes" and add your new attribute name to the list. Don't forget to save the configuration!
#2: Create the Workflow and Rule to set Password Expiration
Go to Setup -> Business Processes
Create a new workflow of type "Identity Lifecycle" (you can copy an existing one as a base if you like)
In the Process Designer tab, create/ensure there is one step between Start and End, right click, and "Edit Step". In the Details tab, set the action to "Rule", and click the ellipses next to the rule name to write our rule:
If you'd like to copy and paste, here is the beanshell code itself (there may be some unnecessary things like unused imports and print statements):
import sailpoint.api.*;
import sailpoint.object.*;
import sailpoint.tools.*;
import java.util.*;
import java.lang.*;
import java.text.*;
import java.time.temporal.ChronoUnit;
import java.time.LocalDateTime;
import java.util.concurrent.TimeUnit;
import java.time.ZoneId;
System.out.println("%%%%%%%%%%%%%%");
System.out.println("Setting password expiration");
System.out.println("%%%%%%%%%%%%%%");
Configuration con = context.getConfiguration();
String expiryDaysString = con.getString("passwordExpirationDays");
if (expiryDaysString != null)
{
int expirysDays = Integer.parseInt(expiryDaysString);
LocalDateTime todayLocalDateTime = LocalDateTime.now();
long daysAhead = todayLocalDateTime.plusDays(expirysDays).atZone(ZoneId.systemDefault()).toInstant().toEpochMilli();
Identity identity = context.getObjectByName(Identity.class, identityName);
identity.setPasswordExpiration(new Date(daysAhead));
context.saveObject(identity);
context.commitTransaction();
}In short, what the code does is as follows:
Get the password expiration days from the system.
If there is a value there, calculate the new date for expiration based off he current time.
Set the newly calculate date as the user's password expiration.
Save and commit
Save this new rule, and remember to select it in the "Edit Step" dialogue. We also need to pass an argument into the rule, which can be done in the "Arguments" tab. Add your new argument as follows, and remember to save both the step and the workflow itself!:
#3: Create a Lifecycle Event
Navigate to Setup -> Lifecycle Events and add a new event. Ensure that the event type is "Attribute Change", Attribute is the new one we created in step 1, and the Business Process is the workflow we created in step 2. Save.
#4: Test by sending a REST call and running an Identity Refresh Task
Now you can make a REST PUT call. In addition to adding a password, make you you include a new value for our passwordReset field:
Now simply navigate to Setup -> Tasks and run an Refresh Identity Cube task. Make sure that the "Process Events" option is checked. Now the task (which in a production environment should be running regularly) should pick up the change on the user and trigger our workflow, setting our password expiration.
Navigate to the user in the Identity Warehouse and click on the Events tab. You should see an entry like these:
You can also go to the debug page, find the Identity object itself, and see the new password expiration directly:
And that's all there is to it! We hope that this guide proves useful to you!
- Gil