Using PowerShell to leverage the SailPoint IdentityNow APIs. The associated blog post can be found here: https://blog.darrenjrobinson.com/leveraging-v1-v2-and-non-published-sailpoint-identitynow-apis-with-powershell/
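# Authenticates a browser-style session to the SailPoint IdentityNow user and admin
# portals, harvests the CSRF token, JWT access token and CCSESSIONID cookie from the
# admin dashboard page, and then exercises a few v1 / cc / v2 API endpoints with the
# resulting session. This is a template: the login request on the line marked
# "PASTE IN THE LOGIN PS COMMAND HERE" must be replaced before the script will run.

# * ----- Variables
# IdentityNow Orgname
$orgname = "yourIdentityNowOrgName"
# URI's
$logoutURI = "https://$($orgname).identitynow.com/logout"
$adminDashboardURI = "https://$($orgname).identitynow.com/ui/admin#admin:dashboard:overview"
$adminStrongAuthURI = "https://$($orgname).identitynow.com/api/user/strongAuthn"
# IdentityNow API Client ID
$clientID = 'yourIdentityNowAPIClientID'
# IdentityNow API Client Secret
# Placeholder for the published sample. In real use load the secret from a credential
# store or environment variable instead of leaving it in the script file, and keep the
# script out of source control once populated.
$clientSecret = 'yourIdentityNowAPISecret'
# Basic Auth header value: base64("clientID:clientSecret")
$Bytes = [System.Text.Encoding]::utf8.GetBytes("$($clientID):$($clientSecret)")
$encodedAuth = [Convert]::ToBase64String($Bytes)
# IDN Admin Username
$adminUSR = [string]"YourIdentityNowAdminName".ToLower()
# * -----

# Reset the values the final success check depends on, so a token or session id left
# over from an earlier run in the same PowerShell session cannot make a failed login
# look successful.
$csrf = $null
$accessToken = $null
$ccsessionID = $null

# Call Logout in case there is an existing session (response body is not needed)
$null = Invoke-RestMethod -Method Get $logoutURI
$IDN = $null

# Login to IDN Portal
# Get the Login URI and Request using Chrome Developer Tools
$idnPortal = "PASTE IN THE LOGIN PS COMMAND HERE" -SessionVariable IDN
# it should then look like below
#$idnPortal = Invoke-WebRequest -Uri "https://stg01-uswest2-sso.identitynow.com/sso/login" -Method "POST" -Headers @{"Cache-Control" = "max-age=0"; "Origin" = "https://$($orgName).identitynow.com"; "Upgrade-Insecure-Requests" = "1"; "User-Agent" = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"; "Accept" = "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8"; "Referer" = "https://$($orgName).identitynow.com/login/login?prompt=true"; "Accept-Encoding" = "gzip, deflate, br"; "Accept-Language" = "en-US,en;q=0.9"; "Cookie" = "_ga=GA1.2.125452778.1536379726; _gid=GA1.2.136027524.1538440258"} -ContentType "application/x-www-form-urlencoded" -Body "service=profile-1066&encryption=hash&IDToken1=$($adminUSR)&IDToken2=f2dbeb5a897abeeecafc9deee1234567823456789&realm=$($orgName)&goto=https%3A%2F%2F$($orgName).identitynow.com%2Fui&gotoOnFail=https%3A%2F%2F$($orgName).identitynow.com%2Flogin%2Ffail%2Fdefault%2F&openam.session.persist_am_cookie=true" -SessionVariable IDN

# Check to see if login successful and redirect to Dashboard
if ($idnPortal.BaseResponse.ResponseUri.LocalPath.Equals("/ui/d/dashboard")) {
    # Successful Login to base Portal. Load Admin Portal Login Screen
    $admPortal = Invoke-WebRequest -Uri $adminDashboardURI -Method Get -WebSession $IDN
    if ($admPortal.BaseResponse.ResponseUri.AbsolutePath.Equals("/ui/admin")) {
        # Get CSRF Token: the page embeds it as  SLPT.globalContext.csrf = '<token>';
        # Locate the marker first so a changed page layout fails cleanly instead of
        # throwing from Substring(-1).
        $csrfIndex = $admPortal.Content.IndexOf("SLPT.globalContext.csrf =")
        if ($csrfIndex -ge 0) {
            $csrfraw = $admPortal.Content.Substring($csrfIndex)
            $csrf = $csrfraw.Substring(0, $csrfraw.IndexOf(";"))
            $csrf = $csrf.Replace("SLPT.globalContext.csrf = '", "")
            $csrf = $csrf.Replace("'", "")
            # The token is a per-session secret; report that it was found, not its value.
            Write-Host -ForegroundColor Green "CSRF token retrieved ($($csrf.Length) chars)"
        }
        else {
            Write-Host -ForegroundColor Red "CSRF token marker not found in the admin portal page"
        }

        if ($csrf) {
            # Login to Admin IDN Portal
            # BELOW is the WebRequest to Authenticate to the Admin section of the IdentityNow Portal
            # Replace with your WebRequest with your credentials then update to use the CSRF token
            # retrieved above: "X-CSRF-Token" = $($csrf). $orgname references are optional
            $admPortalAuthN = Invoke-WebRequest -Uri $adminStrongAuthURI -Method "POST" -Headers @{"Origin" = "https://$($orgName).identitynow.com"; "Accept-Encoding" = "gzip, deflate, br"; "X-CSRF-Token" = $($csrf); "Accept-Language" = "en-US,en;q=0.9"; "User-Agent" = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36"; "Accept" = "*/*"; "Referer" = "https://$($orgname).identitynow.com/ui/admin"; "X-Requested-With" = "XMLHttpRequest"} -ContentType "application/x-www-form-urlencoded; charset=UTF-8" -Body "password=f2dbeb5a897abeeecafc9deee1234567892345678942" -WebSession $IDN
            if ($admPortalAuthN.BaseResponse.StatusCode -eq 'OK') {
                # Load ADMIN Dashboard
                $admPortal2 = Invoke-WebRequest -Method Get -Uri $adminDashboardURI -WebSession $IDN
                if ($admPortal2.RawContent.Contains("SLPT.globalContext.api")) {
                    # +26 skips the 22-char marker plus (presumably) " = {" to reach the object body,
                    # which is then cut at the closing "};" and split on commas.
                    $TokensRaw = $admPortal2.RawContent.Substring($admPortal2.RawContent.IndexOf("SLPT.globalContext.api") + 26)
                    $TokensRaw = $TokensRaw.Substring(0, $TokensRaw.IndexOf("};"))
                    foreach ($token in $TokensRaw.Split(",")) {
                        if ($token.Contains("accessToken")) {
                            $accessToken = $token.Replace("`"", "").Replace("accessToken:", "")
                            # Bearer token grants API access; do not write it to the console/transcript.
                            Write-Host -ForegroundColor Green "accessToken retrieved ($($accessToken.Length) chars)"
                        }
                    }
                }
                # Check that it loaded
                if ($admPortal2.BaseResponse.ResponseUri.AbsolutePath.Equals("/ui/admin")) {
                    $cookies = $IDN.Cookies.GetCookies($adminDashboardURI)
                    foreach ($cookie in $cookies) {
                        if ($cookie.Name.Equals("CCSESSIONID")) {
                            $ccsessionID = $cookie.Value
                            # Session cookie value is equivalent to a credential; log only its presence.
                            Write-Host -ForegroundColor Green "$($cookie.Name) cookie captured"
                        }
                    }
                }
            }
            if ($ccsessionID -and $csrf -and $accessToken -and $encodedAuth) {
                Write-Host -ForegroundColor Green "Successfully Authenticated to IdentityNow Admin Portal"
                Write-Host -ForegroundColor Yellow "Adding JWT Bearer Token for API Access"
                # Basic Auth Header
                #$IDN.Headers.Add('Authorization', "Basic $($encodedAuth)")
                # JWT oAuth Bearer Token
                $IDN.Headers.Add('Authorization', "Bearer $($accessToken)")
            }
        }
    }
}
else {
    Write-Host -ForegroundColor Red "Login was unsuccessful. Check Username/Password and/or Internet connectivity"
}

# Test a few different API's
# $IDN is $null, or carries no Authorization header, whenever a step above failed;
# check both before dereferencing so the script reports rather than throws.
if ($IDN -and $IDN.Headers.ContainsKey('Authorization') -and $IDN.Headers['Authorization'].Contains("Bearer")) {
    # Old API
    $transforms = Invoke-RestMethod -Uri "https://$($orgName).identitynow.com/api/transform/list" -WebSession $IDN
    $transforms.items
    # cc API's require the JWT Bearer Token
    # Roles
    $roles = Invoke-RestMethod -Uri "https://$($orgName).api.identitynow.com/cc/api/role/list" -WebSession $IDN
    $roles.items
    # BASIC Auth APIs
    # Remove JWT Bearer Auth (Remove returns a bool; discard it so it is not emitted to the pipeline)
    $null = $IDN.Headers.Remove('Authorization')
    # Add Basic Auth
    $IDN.Headers.Add('Authorization', "Basic $($encodedAuth)")
    $groups = Invoke-RestMethod -Uri "https://$($orgName).api.identitynow.com/v2/workgroups" -WebSession $IDN
    $groups
}
else {
    Write-Host -ForegroundColor Red "No Bearer token on the session; skipping API tests"
}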