Create an AnyIdentity PAM provider in Devolutions Server

AnyIdentity providers are built and managed using templates. Templates leverage the efforts of Devolutions and the community to build providers, reducing the need for users to create them from scratch.

A template is an object within Devolutions PAM that serves as a framework for constructing an AnyIdentity provider.

Templates guide Devolutions Server in mapping the action script parameters and outputs to Devolutions PAM internal properties, facilitating the input and exchange of information. Templates enable users to populate the properties of an identity provider to create a provider.

Create an AnyIdentity template or import one of the templates that already exist.

WinRM needs to be enabled on the target hosts for the action scripts to work.

Create an AnyIdentity template

Once the action scripts have been created, the next step is to develop the AnyIdentity template within Devolutions Server.

  1. In Devolutions Server, go to Administration – Privileged access – Providers.
  2. Click on AnyIdentity templates.
  3. Click Add to create a new template.
  4. In General, provide a Name (mandatory) and a Description (optional) for your new template. It is also possible to change the displayed icon.
  5. Three actions can be enabled, each with its own script. Check the boxes next to the ones that you wish this provider to implement.
    • Password rotation, to reset account passwords.
    • Heartbeat, to synchronize accounts.
    • Account discovery, for scanning.


While it is not mandatory to enable each action, it is recommended to do so to fully leverage the benefits of an AnyIdentity provider.

  6. In Provider properties and Account properties, set the fields that the providers and accounts will implement.

    • Provider properties define the attributes AnyIdentity uses to authenticate and connect to an identity provider. These properties may include username, password, hostname, or any other unique attribute of an identity provider.
    • Account properties are attributes related to a specific account on an identity provider. Common account properties include ID, username, and secret. Account properties uniquely identify provider accounts and provide a value to store an account's password or other secure credentials.

    Add properties by clicking on Add property. For each property, provide a Name and a Type. Below is a list of the available types:

    • Boolean
    • Description (string)
    • Int
    • Password (SecureString)
    • Sensitive Data (SecureString)
    • String
    • Unique Identifier (string)
    • Username (string)


Make sure to define a property of the Unique Identifier type if you plan on using account discovery. This field is used to track which accounts have been added since the last scan.

  7. Check the Mandatory box next to a property if the field is required when creating or editing a provider or account.

  8. For each action that was enabled in the General section, go to the corresponding section in the left menu.

  9. Map the properties of the provider/account that the script needs to work by providing the following:

    • Name: Name of the parameter in the script.
    • Source: Whether the value is provided by the provider or by the account.
    • Property: The source property whose value will be injected into the script parameter.

    Each action has an associated action script with at least two or three parameters. To define the relationship between the AnyIdentity object (provider or account) and each action script, AnyIdentity must know how to map a property to a script parameter. Script parameters let you declare which parameters each of your action scripts possesses and which AnyIdentity property each script parameter should be mapped to. If need be, you can add other script parameters.


  10. Insert the script of the action by either browsing on your computer to find it or manually editing the Script field. You can also generate a base script to build upon.


  11. Test your script once it is complete, then Save your new template. Your new AnyIdentity template has been created and can be found in the templates list. You can skip to Create an AnyIdentity provider.

Template example

Below are example values for a completed AnyIdentity template, based on the following three action scripts (account discovery, password rotation and heartbeat):

Account discovery script (provider parameters only):

[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [string]$IdentityProviderEndpoint,

    [Parameter(Mandatory)]
    [string]$IdentityProviderEndpointUserName,

    [Parameter(Mandatory)]
    [securestring]$IdentityProviderEndpointPassword
)

Password rotation script (provider parameters, the new password generated by the system, and the account to rotate):

[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [string]$IdentityProviderEndpoint,

    [Parameter(Mandatory)]
    [string]$IdentityProviderEndpointUserName,

    [Parameter(Mandatory)]
    [securestring]$IdentityProviderEndpointPassword,

    [Parameter(Mandatory)]
    [securestring]$NewPassword,

    [Parameter(Mandatory)]
    [string]$AccountUserName
)

Heartbeat script (provider parameters plus the account and its stored secret):

[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [string]$IdentityProviderEndpoint,

    [Parameter(Mandatory)]
    [string]$IdentityProviderEndpointUserName,

    [Parameter(Mandatory)]
    [securestring]$IdentityProviderEndpointPassword,

    [Parameter(Mandatory)]
    [securestring]$AccountSecret,

    [Parameter(Mandatory)]
    [string]$AccountUserName
)

Provider properties

Property name                    | Property type | Mandatory
---------------------------------|---------------|----------
IdentityProviderEndpoint         | String        | Yes
IdentityProviderEndpointUserName | UserName      | Yes
IdentityProviderEndpointPassword | Password      | Yes

Account properties

Property name   | Property type    | Mandatory
----------------|------------------|----------
AccountUserName | UniqueIdentifier | Yes
AccountSecret   | Password         | Yes

Script parameter types

Parameter name                   | Action(s)                                           | Property                         | Source   | Mandatory
---------------------------------|-----------------------------------------------------|----------------------------------|----------|----------
IdentityProviderEndpoint         | Password rotation, Heartbeat, Account discovery     | IdentityProviderEndpoint         | Provider | Yes
IdentityProviderEndpointUserName | Password rotation, Heartbeat, Account discovery     | IdentityProviderEndpointUserName | Provider | Yes
IdentityProviderEndpointPassword | Password rotation, Heartbeat, Account discovery     | IdentityProviderEndpointPassword | Provider | Yes
NewPassword                      | Password rotation                                   | N/A                              | System   | Yes
AccountUserName                  | Password rotation, Heartbeat                        | AccountUserName                  | Account  | Yes
AccountSecret                    | Heartbeat                                           | AccountSecret                    | Account  | Yes
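
The following is an added example of a complete password rotation action script that fits the parameter block and mapping table above; it is not Devolutions' own code. It assumes the identity provider is a Windows host that accepts WinRM connections from Devolutions Server, that the provider account is a local administrator there, and that the managed account is a local user on that host.

```powershell
# Added example (not Devolutions' code): rotate the password of a local account on a
# Windows endpoint over WinRM. The parameter block matches the password rotation
# script of the template example, so the script parameter mapping applies unchanged.
# Assumptions: the endpoint accepts WinRM from Devolutions Server and the provider
# account is a local administrator on that endpoint.
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [string]$IdentityProviderEndpoint,

    [Parameter(Mandatory)]
    [string]$IdentityProviderEndpointUserName,

    [Parameter(Mandatory)]
    [securestring]$IdentityProviderEndpointPassword,

    [Parameter(Mandatory)]
    [securestring]$NewPassword,

    [Parameter(Mandatory)]
    [string]$AccountUserName
)

$ErrorActionPreference = 'Stop'

# Provider credential: injected by AnyIdentity from the provider properties.
$providerCred = [pscredential]::new($IdentityProviderEndpointUserName,
                                    $IdentityProviderEndpointPassword)

$session = New-PSSession -ComputerName $IdentityProviderEndpoint -Credential $providerCred
try {
    Invoke-Command -Session $session -ScriptBlock {
        # Values arrive through $using:; the SecureString is carried by the remoting
        # layer and is never converted to plain text in this script.
        $name   = $using:AccountUserName
        $secret = $using:NewPassword

        $before = (Get-LocalUser -Name $name).PasswordLastSet   # throws if the account is missing
        Set-LocalUser -Name $name -Password $secret
        $after  = (Get-LocalUser -Name $name).PasswordLastSet

        # Confirm the change took effect; throwing makes the rotation fail instead
        # of letting AnyIdentity store a secret that was never applied.
        if (-not $after -or ($before -and $after -le $before)) {
            throw "Password for '$name' was not updated on $env:COMPUTERNAME"
        }
    }
}
finally {
    Remove-PSSession -Session $session
}
```

Run it with Test in the template editor before saving, using a non-production account, so a mapping mistake surfaces there rather than during a scheduled rotation.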

Import an AnyIdentity template

You can access our public GitHub repository to find AnyIdentity PAM providers made by the Devolutions team and instructions on how to use them.

  1. In Devolutions Server, go to Administration – Privileged access – Providers.
  2. Click on AnyIdentity templates.
  3. Click on Import.
  4. Upload your .json file, then click on Import.
  5. Adapt the template settings if need be, then click on Save.

Your template has now been imported and can be found in the AnyIdentity templates list.

Create an AnyIdentity PAM provider

Once your template has been created or imported, you are ready to create an AnyIdentity provider.

  1. Go to Administration – Privileged access – Providers, then click Add.
  2. Go to AnyIdentity in the left menu, then select your new template in the list. Click Continue.
  3. In the Provider configuration page, provide a Name and a Username, as this information is mandatory. Then, if necessary, set the other options according to your needs.
  4. Click Save.

Your new AnyIdentity provider has been created and can be found in the providers list.
