darrenjrobinson / powershell_module_identitynow

SailPoint IdentityNow PowerShell Module
https://blog.darrenjrobinson.com/sailpoint-identitynow/
MIT License
47 stars 15 forks

Authentication Issues using PowerShell Core and Linux OS #64

Closed jmilczek closed 6 months ago

jmilczek commented 1 year ago

Even though I have set AdminCredential, v2APIKEY and v3APIKEY credentials using the Set-IdentityNowCredential cmdlet, I receive an error when attempting to run any of the SailpointIdentityNow module's cmdlets that require authentication. This is not an issue if I run the same commands using the same credentials on PowerShell 5.1 Desktop, PowerShell 6 Core or PowerShell 7 Core on a Windows system.


Get-Host

Name             : Visual Studio Code Host
Version          : 2023.6.0
InstanceId       : 697f6a26-215d-4bee-86bf-fc40899a3c10
UI               : System.Management.Automation.Internal.Host.InternalHostUserInterface
CurrentCulture   : en-US
CurrentUICulture : en-US
PrivateData      : Microsoft.PowerShell.ConsoleHost+ConsoleColorProxy
DebuggerEnabled  : True
IsRunspacePushed : False
Runspace         : System.Management.Automation.Runspaces.LocalRunspace

$PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.3.4
PSEdition                      Core
GitCommitId                    7.3.4
OS                             Linux 5.19.0-43-generic #44~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon May 22 13:39:36 UTC 2
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Get-Module SailPointIdentityNow          

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     1.1.6                 SailPointIdentityNow                {Complete-IdentityNowTask, Convert-UnixTime, Export-IdentityNowConfig, Get-HashString…}

$adminCreds.GetType()          

IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     True     PSCredential                             System.Object

$v2Creds.GetType()   

IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     True     PSCredential                             System.Object

$v3Creds.GetType()

IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     True     PSCredential                             System.Object

#region Populate Sailpoint Configuration
Set-IdentityNowOrg -orgName $idnorgname

# IdentityNow Admin User
$adminCreds = [pscredential]::new((Get-AzKeyVaultSecret -VaultName $azkvname -Name $kvidnadminusername -AsPlainText), (Get-AzKeyVaultSecret -VaultName $azkvname -Name $kvidnadminpassword).SecretValue)

# IdentityNow v2 API Creds
$v2Creds = [pscredential]::new((Get-AzKeyVaultSecret -VaultName $azkvname -Name $kvidnv2username -AsPlainText), (Get-AzKeyVaultSecret -VaultName $azkvname -Name $kvidnv2password).SecretValue)

# IdentityNow v3 API Creds
$v3Creds = [pscredential]::new((Get-AzKeyVaultSecret -VaultName $azkvname -Name $kvidnv3username -AsPlainText), (Get-AzKeyVaultSecret -VaultName $azkvname -Name $kvidnv3password).SecretValue)

Set-IdentityNowCredential -AdminCredential $adminCreds -v2APIKey $v2Creds -v3APIKey $v3Creds -Verbose

Get-SCWXIdentityNowAccessProfile -Verbose
Unable to auth password grant type for ########## v2:True v3:True cred:True pat:False {"error":"unauthorized","error_description":"Full authentication is required to access this resource"}

Test-IdentityNowCredentials -Verbose
VERBOSE: AuthType: Admin Creds
VERBOSE: {
  "grant_type": "password",
  "username": "############",
  "password": "##################################################"
}
VERBOSE: HTTP/1.1 POST with 115-byte payload
VERBOSE: received 102-byte response of content type application/json
WARNING: Testing APIv3 credentials failed for ######### Unable to continue.
WARNING: Unable to auth password grant type for ######### v2:True v3:True cred:True pat:False {"error":"unauthorized","error_description":"Full authentication is required to access this resource"}

darrenjrobinson commented 1 year ago

This may be associated with SailPoint AuthN API changes. Create a Personal Access Token in the Admin Portal for your account and set that in your module creds config. The module will use that as priority.

DR

jmilczek commented 1 year ago

But why does it work on a Windows OS?

darrenjrobinson commented 1 year ago

I’ve definitely used the module on Linux in cloud automation scenarios. However the local saving of the configuration and autoload is a Windows only feature. In cloud automation I pull the creds and keys from a PaaS KeyVault and set them and the org before using module cmdlets.

Is this your scenario? Persistence between sessions?

jmilczek commented 1 year ago

I have it working in the same scenario. Works in Azure Automation pulling creds from Azure Keyvault; doesn’t work in Azure Functions.

I’m not sure if you realize that Azure Automation with the PowerShell Core runtime is still running on Windows.

Azure Functions with PowerShell Core is running on Linux.

Try running your module on an actual Linux operating system and you’ll see what I’m talking about.

jmilczek commented 1 year ago

Darren,

This is the problem. This line from Get-IdentityNowAuth does not convert the secure string to plain text like it does on a Windows host:

-Jason

jmilczek commented 1 year ago

This seems to work:

([System.Runtime.InteropServices.marshal]::SecureStringToBSTR($IdentityNowConfiguration.AdminCredential.Password))

Source: https://github.com/PowerShell/PowerShell/issues/13494

I'm happy to check out a branch and fix it, but I'm not sure what to do about signing. Like, do I sign with my cert or take the signing block out altogether? Let me know how you want to handle it.

-Jason

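The SecureString-to-plain-text conversion this thread turns on, as an added example that is not part of the issue or of the module's code: it compares three ways of reading a `PSCredential` password and reports only length and round-trip status, never the secret. `ConvertTo-PlainTextSecret` and `ConvertTo-PlainTextSecretAuto` are hypothetical helper names, the credential is constructed, and treating `PtrToStringAuto` as the fragile call is an assumption, since the module's own line is not shown on the page.

```powershell
# Added example: not code from the SailPointIdentityNow module.
# Helper names and the sample credential are constructed for illustration.

function ConvertTo-PlainTextSecret {
    [CmdletBinding()]
    [OutputType([string])]
    param(
        [Parameter(Mandatory)]
        [System.Security.SecureString] $SecureString
    )

    # SecureStringToBSTR copies the secret into an unmanaged UTF-16 BSTR.
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString)
    try {
        # PtrToStringBSTR decodes UTF-16 using the BSTR length prefix,
        # independent of the host operating system.
        [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    }
    finally {
        # Zero and free the unmanaged copy so the plaintext does not linger.
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

function ConvertTo-PlainTextSecretAuto {
    # Comparison case (assumed to be the failing pattern): PtrToStringAuto
    # picks the platform's default encoding. On non-Windows .NET that is
    # UTF-8, so a UTF-16 BSTR is cut short at the first zero byte.
    [CmdletBinding()]
    [OutputType([string])]
    param(
        [Parameter(Mandatory)]
        [System.Security.SecureString] $SecureString
    )

    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($SecureString)
    try {
        [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    }
    finally {
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

# Constructed sample credential (stands in for the Key Vault values in the thread).
$sample = 'Constructed-Sample-Pa55!'
$secure = [System.Security.SecureString]::new()
foreach ($ch in $sample.ToCharArray()) { $secure.AppendChar($ch) }
$secure.MakeReadOnly()
$cred = [pscredential]::new('constructed.user', $secure)

$results = [ordered]@{
    PtrToStringBSTR   = ConvertTo-PlainTextSecret     -SecureString $cred.Password
    PtrToStringAuto   = ConvertTo-PlainTextSecretAuto -SecureString $cred.Password
    # Managed alternative that needs no manual BSTR handling.
    NetworkCredential = $cred.GetNetworkCredential().Password
}

# Report length and round-trip status only; do not echo the secret itself.
foreach ($name in $results.Keys) {
    $value = [string]$results[$name]
    [pscustomobject]@{
        Platform   = [System.Environment]::OSVersion.Platform
        Method     = $name
        Length     = $value.Length
        RoundTrips = ($value -ceq $sample)
    }
}
```

Run it under `pwsh` on both a Windows and a Linux host and compare the `RoundTrips` column; a method that truncates the password produces the same `unauthorized` response from the token endpoint as a wrong password would.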