SailPoint HLD - razmipatel/Random GitHub Wiki

High-Level Design (HLD): SailPoint and Entra ID Integration via iRequest


1. Solution Design Summary

This High-Level Design outlines the integration of SailPoint and Entra ID using iRequest (built on BMC Remedy) as the interface for request initiation and approval workflow. The goal is to automate the provisioning and lifecycle management of B2B identities and, separately, to enable the management of cloud-only Azure RBAC groups (used for both B2B and standard users) through custom SailPoint API integrations.

As part of the overall solution, a quarterly attestation process will also be implemented to periodically review, validate, and remove outdated access to Azure RBAC groups, ensuring alignment with governance and compliance policies.

This project excludes CyberArk and privileged AZZ account creation. The scope is limited to Entra ID identity management and PIM-enabled group access for standard and B2B users.


2. Components and Capabilities

Entra ID Service Principal

  • A new Service Principal will be created to support delegated permissions for API-based operations in Entra ID.

SailPoint Custom Connector

The connector will support the following:

  1. B2B User Management:

    • Guest user invitations (via Entra B2B APIs)
    • Group membership management (add/remove)
    • Account status checks
    • Removal of B2B users
  2. PIM-Enabled Cloud-Only Group Management:

    • Management of Azure RBAC groups used in the Enterprise Landing Zone (ELZ)
    • Group additions/removals enforced via PIM (Privileged Identity Management)
  3. Quarterly Attestation Process:

    • Automated lifecycle management and access attestation to ensure Azure access via Entra ID security groups is reviewed, extended, or removed in line with governance policies.

Custom API integrations will be developed in collaboration with SailPoint Professional Services. These APIs will perform the B2B user management and cloud-only group management tasks described above, and will be consumed by iRequest once the form-based approval workflows have completed.

iRequest Integration

  • iRequest acts as the request engine, using form-driven request processes that incorporate approval workflows. As part of this design, it will be integrated with SailPoint APIs to automate provisioning and access fulfilment.
  • Two new request forms and one updated form will support the end-to-end request and fulfilment process.

3. Forms in Scope

Note: The names for the External Partner Azure Access (EPAA) Form and Azure Enterprise Landing Zone Request (AELZ) Form are provisional and may change as final naming has not yet been confirmed.

1. External Partner Azure Access (EPAA) Form

  • Enables request and approval for guest user (B2B) invites from pre-approved partner domains.
  • Allows bulk addition (up to 10 users per request).
  • Supports removal of existing B2B users in Entra ID.
  • Triggered via iRequest; fulfilled via SailPoint custom APIs.
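The form rules above (pre-approved partner domains only, at most 10 users per request, invite or removal) can be checked before anything reaches SailPoint. The following is an added illustration, not code from this wiki, SailPoint or iRequest; the allowlist, request shape and redirect URL are assumptions, and the invitation body follows the public Microsoft Graph `invitation` resource.

```python
"""EPAA request validation (added example; not wiki, SailPoint or iRequest code).
Applies the HLD rules: invites only from pre-approved partner domains, at most
10 users per request. Allowlist, request shape and redirect URL are assumed."""

MAX_USERS_PER_REQUEST = 10
# Constructed allowlist; in practice it comes from the EPAA form configuration.
APPROVED_PARTNER_DOMAINS = {"partner-a.example", "partner-b.example"}
INVITE_REDIRECT_URL = "https://myapps.microsoft.com"  # assumed guest landing page


def _domain_of(email):
    # Lower-cased domain part, or None for a malformed address.
    local, sep, domain = email.strip().lower().rpartition("@")
    return domain if sep and local and domain else None


def validate_epaa_request(request):
    """Validate one EPAA submission. Any rule violation rejects the whole request,
    so SailPoint never receives a partially approved batch. Returns a dict with
    'accepted', 'errors' and, for accepted invites, Microsoft Graph
    POST /invitations bodies under 'invitations'."""
    errors, seen = [], set()
    action = request.get("action")
    if action not in ("invite", "remove"):
        return {"accepted": False, "errors": [f"unknown action: {action!r}"], "invitations": []}
    emails = request.get("users") or []
    if not emails:
        errors.append("no users supplied")
    if len(emails) > MAX_USERS_PER_REQUEST:
        errors.append(f"{len(emails)} users exceeds limit of {MAX_USERS_PER_REQUEST}")
    for email in emails:
        domain = _domain_of(email)
        if domain is None:
            errors.append(f"malformed address: {email!r}")
        elif email.strip().lower() in seen:
            errors.append(f"duplicate address: {email!r}")
        elif action == "invite" and domain not in APPROVED_PARTNER_DOMAINS:
            errors.append(f"domain not pre-approved: {domain}")  # removals target existing guests
        else:
            seen.add(email.strip().lower())
    if errors:
        return {"accepted": False, "errors": errors, "invitations": []}
    invitations = []
    if action == "invite":  # one Entra B2B invitation body per guest
        invitations = [{"invitedUserEmailAddress": e, "inviteRedirectUrl": INVITE_REDIRECT_URL,
                        "sendInvitationMessage": True} for e in sorted(seen)]
    return {"accepted": True, "errors": [], "invitations": invitations}
```

The returned bodies are what a fulfilment step would send to Graph with the Service Principal's delegated permissions; the function itself never calls out, so it can run in the form logic or in a unit test.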

2. Azure Enterprise Landing Zone Request (AELZ) Form

  • Enables request for RBAC access to Azure subscriptions and workloads.
  • Applies only to non-privileged, PIM-enabled groups.
  • Requestor selects:
    • User (Staff ID or B2B user)
    • Value Stream
    • Group name (via dropdown mapped to Entra groups)
  • Requires approval based on group and access scope.
  • Post-approval, the request is fulfilled using SailPoint APIs.

3. Privileged User Request (PUR) Form (Updated)

  • Enhanced to support requests for privileged AZZ groups.
  • Will use dynamic group drop-downs and updated request logic to comply with RBAC and PIM policies.

4. Architecture Diagram

A diagram showing the flow between iRequest, SailPoint, Entra ID, and target Azure RBAC groups should be inserted here.


5. Key Requirements

Business Requirements

  • Streamlined and auditable guest user onboarding
  • Policy-based access assignment to cloud-only groups
  • Centralised control of request/approval workflows
  • Governance-driven access attestation for cloud resources

Technical Requirements

  • Secure API-based integration between SailPoint and Entra ID
  • Custom connector development with support for invite, group management, attestation, and account deletion
  • iRequest-to-SailPoint integration via REST APIs

Functional Requirements

  • Form-level logic for B2B and RBAC access
  • Support for conditional access group policies
  • PIM group enforcement for all ELZ access
  • Scheduled attestation reviews for security groups

6. Scope

In Scope

  • B2B guest management in Entra ID
  • PIM-based cloud group access for standard and B2B users
  • iRequest integration with SailPoint
  • Form development for EPAA and AELZ
  • Updating PUR form
  • Quarterly attestation automation

Out of Scope

  • CyberArk
  • Privileged AZZ Account provisioning
  • Tier 2 privileged access
  • DR deployment

7. Dependencies & Risks

  • DEP01: Availability of new Service Principal with required Entra ID API permissions
  • DEP02: Development of SailPoint custom connector by SailPoint Professional Services
  • DEP03: iRequest platform readiness and form logic testing

8. Assumptions

  • SailPoint will be the system of fulfilment
  • All access management will follow PIM-based enforcement for groups
  • Guest invites will be restricted to whitelisted domains
  • Group lists for RBAC access are curated and mapped within Entra ID
  • Quarterly attestations are mapped to governance and identity lifecycle policies

Next Steps

  • Complete connector API specification with SailPoint
  • Build and test EPAA and AELZ iRequest forms
  • Conduct integration testing between iRequest and SailPoint
  • Define approval workflows and access policy logic
  • Finalise documentation for LLD and support procedures