Using PowerShell to leverage the SailPoint IdentityNow APIs. Associated Blog Post can be found here https://blog.darrenjrobinson.com/leveraging-v1-v2-and-non-published-sailpoint-identitynow-apis-with-powershell/
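# Authenticate to the SailPoint IdentityNow admin portal with a browser-captured
# login request, harvest the CSRF token, JWT access token and CCSESSIONID
# cookie from the admin pages, then call a few v1 / cc / v2 APIs with the
# resulting session.
#
# Requirements (fill in before running):
#   * $orgName, $clientID, $clientSecret, $adminUSR below
#   * the captured login Invoke-WebRequest command at the marked spot
#   * the admin strong-auth request body (see the strongAuthn call)
# Secrets (client secret, password hash, tokens) should come from a secure
# store rather than being committed with this file; token values are masked
# in console output so transcripts/CI logs do not capture them.
#
# * ----- Variables
# IdentityNow org name (tenant prefix of https://<org>.identitynow.com)
$orgName = "yourIdentityNowOrgName"
# URIs derived from the org name
$logoutURI          = "https://$($orgName).identitynow.com/logout"
$adminDashboardURI  = "https://$($orgName).identitynow.com/ui/admin#admin:dashboard:overview"
$adminStrongAuthURI = "https://$($orgName).identitynow.com/api/user/strongAuthn"
# IdentityNow API Client ID / Client Secret (placeholders)
$clientID     = 'yourIdentityNowAPIClientID'
$clientSecret = 'yourIdentityNowAPISecret'
# Basic Auth value: base64("clientID:clientSecret")
$Bytes       = [System.Text.Encoding]::UTF8.GetBytes("$($clientID):$($clientSecret)")
$encodedAuth = [Convert]::ToBase64String($Bytes)
# IDN admin username, lower-cased
$adminUSR = [string]"YourIdentityNowAdminName".ToLower()
# * -----

# Returns a display-safe rendering of a secret: the first four characters and
# the total length. The full value stays in the variable; only the console
# output is masked.
function Get-MaskedSecret {
    param([string]$Value)
    if ([string]::IsNullOrEmpty($Value)) { return '<empty>' }
    if ($Value.Length -le 4) { return '**** (' + $Value.Length + ' chars)' }
    return "$($Value.Substring(0, 4))... ($($Value.Length) chars)"
}

# Reset per-run state so a stale value left over from an earlier run in the
# same interactive session can never satisfy the success check further down.
$csrf        = $null
$accessToken = $null
$ccsessionID = $null
$idnPortal   = $null
$IDN         = $null

# Call logout in case there is an existing session
Invoke-RestMethod -Method Get -Uri $logoutURI | Out-Null

# Login to IDN portal.
# Paste the login command captured with Chrome Developer Tools here, with
# "-SessionVariable IDN" appended so the cookies land in $IDN. It should then
# look like the commented example below (which still carries a hashed
# credential in IDToken2 - scrub it before sharing the script).
# TODO: replace the stub below with the captured command, e.g.
#$idnPortal = Invoke-WebRequest -Uri "https://stg01-uswest2-sso.identitynow.com/sso/login" -Method "POST" -Headers @{"Cache-Control" = "max-age=0"; "Origin" = "https://$($orgName).identitynow.com"; "Upgrade-Insecure-Requests" = "1"; "User-Agent" = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"; "Accept" = "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8"; "Referer" = "https://$($orgName).identitynow.com/login/login?prompt=true"; "Accept-Encoding" = "gzip, deflate, br"; "Accept-Language" = "en-US,en;q=0.9"; "Cookie" = "_ga=GA1.2.125452778.1536379726; _gid=GA1.2.136027524.1538440258"} -ContentType "application/x-www-form-urlencoded" -Body "service=profile-1066&encryption=hash&IDToken1=$($adminUSR)&IDToken2=f2dbeb5a897abeeecafc9deee1234567823456789&realm=$($orgName)&goto=https%3A%2F%2F$($orgName).identitynow.com%2Fui&gotoOnFail=https%3A%2F%2F$($orgName).identitynow.com%2Flogin%2Ffail%2Fdefault%2F&openam.session.persist_am_cookie=true" -SessionVariable IDN
if (-not $idnPortal) {
    throw "Paste the captured IdentityNow login Invoke-WebRequest command (with -SessionVariable IDN) at the marked spot before running."
}

# Check whether login succeeded and redirected to the dashboard.
# NOTE(review): BaseResponse.ResponseUri is the Windows PowerShell
# (HttpWebResponse) shape; on PowerShell Core BaseResponse is an
# HttpResponseMessage and this property path differs - confirm on the target
# PowerShell version.
if ($idnPortal.BaseResponse.ResponseUri.LocalPath.Equals("/ui/d/dashboard")) {
    # Successful login to the base portal. Load the admin portal login screen.
    $admPortal = Invoke-WebRequest -Uri $adminDashboardURI -Method Get -WebSession $IDN
    if ($admPortal.BaseResponse.ResponseUri.AbsolutePath.Equals("/ui/admin")) {
        # Get the CSRF token from the inline "SLPT.globalContext.csrf = '...';" fragment.
        # IndexOf returns -1 when the marker is absent, and Substring(-1) would throw
        # an unhelpful error, so fail explicitly instead.
        $csrfMarker = "SLPT.globalContext.csrf ="
        $csrfStart  = $admPortal.Content.IndexOf($csrfMarker)
        if ($csrfStart -lt 0) {
            throw "CSRF token marker not found in the admin portal response; the page layout may have changed."
        }
        $csrfraw = $admPortal.Content.Substring($csrfStart)
        $csrf    = $csrfraw.Substring(0, $csrfraw.IndexOf(";"))
        $csrf    = $csrf.Replace("SLPT.globalContext.csrf = '", "").Replace("'", "")
        Write-Host -ForegroundColor Green "CSRFToken = $(Get-MaskedSecret $csrf)"

        # Login to the admin IDN portal (strong authentication).
        # BELOW is the WebRequest that authenticates to the admin section of the
        # IdentityNow portal. Replace it with your captured WebRequest, then update
        # it to send the CSRF token retrieved above ("X-CSRF-Token" = $csrf).
        # $orgName references are optional. The Body carries the admin password
        # hash - source it from a secure store rather than leaving it in the file.
        $admPortalAuthN = Invoke-WebRequest -Uri $adminStrongAuthURI -Method "POST" -Headers @{"Origin" = "https://$($orgName).identitynow.com"; "Accept-Encoding" = "gzip, deflate, br"; "X-CSRF-Token" = $csrf; "Accept-Language" = "en-US,en;q=0.9"; "User-Agent" = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"; "Accept" = "*/*"; "Referer" = "https://$($orgName).identitynow.com/ui/admin"; "X-Requested-With" = "XMLHttpRequest"} -ContentType "application/x-www-form-urlencoded; charset=UTF-8" -Body "password=f2dbeb5a897abeeecafc9deee1234567892345678942" -WebSession $IDN
        if ($admPortalAuthN.BaseResponse.StatusCode -eq 'OK') {
            # Load the admin dashboard
            $admPortal2 = Invoke-WebRequest -Method Get -Uri $adminDashboardURI -WebSession $IDN

            # The page embeds "SLPT.globalContext.api = {...};" whose accessToken
            # member is the JWT used by the cc APIs.
            $apiMarker = "SLPT.globalContext.api"
            $apiStart  = $admPortal2.RawContent.IndexOf($apiMarker)
            if ($apiStart -ge 0) {
                # +26 presumably = marker length (22) plus " = {" to land on the
                # object body - TODO confirm against a live page
                $TokensRaw = $admPortal2.RawContent.Substring($apiStart + 26)
                $tokensEnd = $TokensRaw.IndexOf("};")
                if ($tokensEnd -ge 0) {
                    $TokensRaw = $TokensRaw.Substring(0, $tokensEnd)
                    foreach ($token in $TokensRaw.Split(",")) {
                        if ($token.Contains("accessToken")) {
                            $accessToken = $token.Replace("`"", "").Replace("accessToken:", "")
                            Write-Host -ForegroundColor Green "accessToken = $(Get-MaskedSecret $accessToken)"
                        }
                    }
                }
            }

            # Check that the admin page loaded, then capture the CCSESSIONID cookie
            if ($admPortal2.BaseResponse.ResponseUri.AbsolutePath.Equals("/ui/admin")) {
                $cookies = $IDN.Cookies.GetCookies($adminDashboardURI)
                foreach ($cookie in $cookies) {
                    if ($cookie.Name.Equals("CCSESSIONID")) {
                        $ccsessionID = $cookie.Value
                        Write-Host -ForegroundColor Green "$($cookie.Name) = $(Get-MaskedSecret $ccsessionID)"
                    }
                }
            }
        }

        if ($ccsessionID -and $csrf -and $accessToken -and $encodedAuth) {
            Write-Host -ForegroundColor Green "Successfully Authenticated to IdentityNow Admin Portal"
            Write-Host -ForegroundColor Yellow "Adding JWT Bearer Token for API Access"
            # Basic Auth header (alternative):
            #$IDN.Headers['Authorization'] = "Basic $($encodedAuth)"
            # JWT oAuth Bearer token. The indexer assignment replaces an existing
            # header instead of throwing as Dictionary.Add would.
            $IDN.Headers['Authorization'] = "Bearer $($accessToken)"
        }
    }
}
else {
    Write-Host -ForegroundColor Red "Login was unsuccessful. Check Username/Password and/or Internet connectivity"
}

# Test a few different APIs.
# Guard: after a failed login $IDN may be null or carry no Authorization
# header, and calling .Contains() on $null throws.
if ($IDN -and $IDN.Headers.ContainsKey('Authorization') -and $IDN.Headers['Authorization'].StartsWith('Bearer ')) {
    # Old API
    $transforms = Invoke-RestMethod -Uri "https://$($orgName).identitynow.com/api/transform/list" -WebSession $IDN
    $transforms.items
    # cc APIs require the JWT Bearer token
    # Roles
    $roles = Invoke-RestMethod -Uri "https://$($orgName).api.identitynow.com/cc/api/role/list" -WebSession $IDN
    $roles.items
    # BASIC Auth APIs: swap the Bearer token for the client-credential Basic header.
    # Remove() returns a bool; discard it so a stray "True" is not emitted.
    $IDN.Headers.Remove('Authorization') | Out-Null
    $IDN.Headers['Authorization'] = "Basic $($encodedAuth)"
    $groups = Invoke-RestMethod -Uri "https://$($orgName).api.identitynow.com/v2/workgroups" -WebSession $IDN
    $groups
}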