When installing against an Identity Panel SaaS environment, much of the installation effort is prep-work and gathering of prerequisites.
NOTE: Items marked with * have dependencies on licensing and support purchasing decisions.
Prerequisites
- * Choose deployment Instance
Based on data homing requirements, version availability, etc. choose which instance of Identity Panel you will deploy on. Instances are defined based on geographical location (e.g. EU, UK, USA...) and version (identified by name, e.g. Concord, Dragon, Eagle, Falcon).
- * Choose Production URLs
Most SaaS deployments use custom URLs for production and standard URLs for non-prod. Production URLs will be chosen for each purchased product: Identity Panel, Service Panel, Access Panel. There are two options when choosing URLs:
- Names controlled by SoftwareIDM, e.g. mycompany.identitypanel.com, mycompany.servicepanel.app, mycompany.accesspanel.app
- Names controlled by you e.g. identity.mycompany.com
If you choose a name you control, you will need to create CNAME records pointing at the designated Azure Front Door service URL corresponding to your instance.
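The following check, added here and not part of the SoftwareIDM documentation, verifies before the coordinated install that each custom production hostname resolves to the Front Door endpoint you were given. The hostnames and the Front Door target are placeholders to be replaced with your own values.

```powershell
# Added example (not from the Identity Panel documentation): confirm that each
# custom production hostname is a CNAME that ends at the Azure Front Door
# endpoint SoftwareIDM designated for your instance. Hostnames and the Front
# Door target below are placeholders; substitute the values you were given.
$expectedTarget = 'PLACEHOLDER-frontdoor-host.azurefd.net'   # supplied by SoftwareIDM for your instance
$customHosts = @(
    'identity.mycompany.com',
    'service.mycompany.com',
    'access.mycompany.com'
)

function Test-PanelCname {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$ExpectedTarget
    )
    try {
        # Query a public resolver directly so a stale local cache does not hide a missing record
        $records = Resolve-DnsName -Name $HostName -Type CNAME -Server 8.8.8.8 -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Host = $HostName; Target = $null; Ok = $false; Note = 'No CNAME record found' }
    }
    $target = ($records | Where-Object Type -eq 'CNAME' | Select-Object -First 1).NameHost
    $ok = $target -and ($target.TrimEnd('.') -ieq $ExpectedTarget.TrimEnd('.'))
    [pscustomobject]@{
        Host   = $HostName
        Target = $target
        Ok     = [bool]$ok
        Note   = if ($ok) { 'Points at designated Front Door endpoint' } else { 'Target differs from designated endpoint' }
    }
}

$customHosts | ForEach-Object { Test-PanelCname -HostName $_ -ExpectedTarget $expectedTarget } | Format-Table -AutoSize
```

Run it from any Windows machine with the DnsClient module (present by default); a row with Ok = False means the record is missing or points somewhere other than the endpoint SoftwareIDM gave you, and the URL binding will fail until that is corrected.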
- * Design Panel Services
The number and scale of Panel Service instances required depends on the number and type of providers and on requirements for high availability. A common deployment scenario is to install Panel Service on each MIM server and on two additional dedicated Panel Service servers.
- All Panel Service instances must have outbound access to the selected Identity Panel instance
- Create service accounts for Panel Service. Decide whether a shared service account will be used, or separate accounts per server (recommended)
- Grant permissions to Panel Service account to perform planned data collection and provider operations (e.g. database and MIMSyncAdmins rights for MIM scanning, AD rights for directory provider, etc.)
Performing the installations will require local admin privileges on the servers, as well as admin privileges in Identity Panel.
See the Panel Service section of Identity Panel Prerequisites for server sizing information.
- Create Security Roles
To prepare for installing Identity Panel, create three security groups in Azure Active Directory corresponding to the Admin, Writer, and User roles in Identity Panel. Populate the Admin group with the intended identity admin team members.
Additional groups may be created if other roles are planned based on deployment requirements (e.g. Report Readers, Schedule Managers, Service Desk...).
- Plan Email Settings
Email and Notification workflows are executed on-premises via Panel Service. Choose whether a local SMTP server or the Azure Graph API will be used for email. If SMS messages are planned, obtain a Twilio subscription and API key.
- If using SMTP determine server and port names, planned FROM address, authentication credentials if needed, and whether security updates are required from the messaging team (e.g. to send messages with attachments)
- If using Azure Graph API create an Azure App Registration (with an arbitrary name, e.g. "Identity Panel Graph Access"), grant access and admin consent to the Microsoft Graph Mail.Send permission, and create a client secret. Make note of the Tenant Id, Application Id, and Client Secret for populating Identity Panel settings.
Create a mailbox for Identity Panel notifications. If using Graph API for Service Panel and/or Access Panel notifications it may be desirable to configure multiple mailboxes to reduce contention for a rate-limited resource (Graph API allows 30 messages per minute per mailbox).
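The app registration steps above, carried out as an added example that is not SoftwareIDM's own script. It uses the Microsoft Graph PowerShell and ExchangeOnlineManagement modules; the application name, mailbox address and secret lifetime are assumptions. It also adds the check a defender wants after granting Mail.Send as an application permission: that permission allows sending from every mailbox in the tenant, so the final section restricts the app to the notification mailbox with an Exchange application access policy.

```powershell
# Added example (not from the Identity Panel documentation): register the Graph
# mail-sending app, grant Mail.Send as an application permission, consent to it,
# and then restrict the app to the notification mailbox only. Names and
# addresses are assumptions; replace them with your own.
# Requires: Microsoft.Graph.Applications and ExchangeOnlineManagement modules,
# run by an account with Global Admin (app consent) and Exchange admin rights.
Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All', 'Directory.Read.All'

$graphAppId = '00000003-0000-0000-c000-000000000000'   # well-known Microsoft Graph resource app id
$graphSp    = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

# Look the role id up rather than hard-coding it, and take the Application (not delegated) variant
$mailSend = $graphSp.AppRoles | Where-Object { $_.Value -eq 'Mail.Send' -and $_.AllowedMemberTypes -contains 'Application' }

$app = New-MgApplication -DisplayName 'Identity Panel Graph Access' -SignInAudience 'AzureADMyOrg' -RequiredResourceAccess @(
    @{ ResourceAppId  = $graphAppId
       ResourceAccess = @( @{ Id = $mailSend.Id; Type = 'Role' } ) }
)
$sp = New-MgServicePrincipal -AppId $app.AppId

# Admin consent for an application permission is an app role assignment on the Graph service principal
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id -ResourceId $graphSp.Id -AppRoleId $mailSend.Id | Out-Null

# Client secret: SecretText is shown only once; store it in a vault, then paste it into Identity Panel settings
$secret = Add-MgApplicationPassword -ApplicationId $app.Id -PasswordCredential @{ DisplayName = 'Identity Panel'; EndDateTime = (Get-Date).AddMonths(12) }

# The three values Identity Panel settings ask for
[pscustomobject]@{
    TenantId      = (Get-MgContext).TenantId
    ApplicationId = $app.AppId
    ClientSecret  = $secret.SecretText
}

# Mail.Send as an application permission can send from ANY mailbox in the tenant.
# Scope it to the notification mailbox(es) with an Exchange application access policy.
Connect-ExchangeOnline
$notificationMailbox = 'identitypanel-notify@mycompany.com'   # assumed mailbox created for notifications
New-ApplicationAccessPolicy -AppId $app.AppId -PolicyScopeGroupId $notificationMailbox -AccessRight RestrictAccess -Description 'Identity Panel may only send from its notification mailbox'

# Verify: the notification mailbox reports Granted, any other mailbox reports Denied
Test-ApplicationAccessPolicy -Identity $notificationMailbox -AppId $app.AppId
Test-ApplicationAccessPolicy -Identity 'someone.else@mycompany.com' -AppId $app.AppId
```

If you later add separate mailboxes for Service Panel or Access Panel notifications, put them in a mail-enabled security group and use that group as the PolicyScopeGroupId instead of a single mailbox, so one policy covers all of them. Access policies can take a while to propagate, so run the Test-ApplicationAccessPolicy check again before relying on it.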
- * Plan Provider Settings
Depending on the providers configured, additional service accounts and permissions may be required. For example:
- MIM Provider: MIMSyncAdmins, db_datareader on MIM databases
- Directory Provider (read only): regular user account in each AD forest to be scanned
- Directory Provider (read/write, e.g. for Service Panel): elevated account in each AD forest to receive writeback
- Graph/Azure Provider (read only): App registration with Directory.Read.All and Reports.Read permissions
- Graph/Azure Provider (read/write): App registration with desired write permissions, Service Principal with permissions for desired PowerShell cmdlets
- SQL Provider (read only): db_datareader for desired databases
- SQL Provider (write): db_datawriter and/or db_owner for desired databases
- ServiceNow: Service account with permissions and listing of desired TableAPI scans and writeback operations
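As an added example (not SoftwareIDM's script) of granting the least privilege listed above for the MIM Provider, the block below gives a per-server Panel Service account membership in the local MIMSyncAdmins group and db_datareader only on the MIM databases, then reads back the account's database roles to confirm nothing broader was granted. The account, SQL instance and database names are assumptions; the database names are the MIM installer defaults and may differ in your environment.

```powershell
# Added example (not from the Identity Panel documentation): grant a per-server
# Panel Service account the rights the MIM provider needs for read-only scanning:
# local MIMSyncAdmins membership on the Sync server and db_datareader (only) on
# the MIM databases. Account, server and database names are assumptions; the
# database names are the MIM defaults and may differ in your install.
# Requires the SqlServer module for Invoke-Sqlcmd.
$serviceAccount = 'CORP\svc-panel-mimsync01'      # one account per Panel Service server, as recommended
$sqlInstance    = 'MIMSQL01'
$mimDatabases   = @('FIMSynchronizationService', 'FIMService')

# Run on the MIM Synchronization Service server (MIMSyncAdmins is a local group there)
Add-LocalGroupMember -Group 'MIMSyncAdmins' -Member $serviceAccount

# Read-only database access: db_datareader, not db_owner
foreach ($db in $mimDatabases) {
    $tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$serviceAccount')
    CREATE LOGIN [$serviceAccount] FROM WINDOWS;
USE [$db];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$serviceAccount')
    CREATE USER [$serviceAccount] FOR LOGIN [$serviceAccount];
ALTER ROLE db_datareader ADD MEMBER [$serviceAccount];
"@
    Invoke-Sqlcmd -ServerInstance $sqlInstance -Query $tsql
}

# Verify: the only role listed for the account should be db_datareader
foreach ($db in $mimDatabases) {
    Invoke-Sqlcmd -ServerInstance $sqlInstance -Database $db -Query @"
SELECT DB_NAME() AS database_name, r.name AS role_name
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'$serviceAccount';
"@
}
```

The same pattern (CREATE USER plus ALTER ROLE) covers the read-only SQL Provider; for the write variant substitute db_datawriter, and reserve db_owner for databases where the provider genuinely needs schema-level rights.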
- * Plan Branding Settings
If deploying Service Panel and/or Access Panel, obtain the corporate branding guide and file assets, including hex values for corporate colors and logo files in .gif, .jpg, or .png format.
Installation
The installation should be coordinated in advance with SoftwareIDM as support is required to bind custom URLs.
Initial app registration of the installation must be performed by an Azure Global Admin.