Creating and Configuring a SailPoint IdentityIQ System of Record

SailPoint IdentityIQ provides comprehensive identity governance and administration (IGA) capabilities that bring critical compliance, risk management, and identity lifecycle context into SGNL for sophisticated access control decisions. By integrating IdentityIQ with SGNL, you gain deep visibility into user identities, role assignments, entitlement management, policy violations, approval workflows, and the complete governance lifecycle that governs identity and access management within your organization.

The IdentityIQ integration captures the complete identity governance ecosystem. It includes users with their enterprise attributes, roles and entitlements, applications and their schemas, and accounts across multiple systems. Additionally, it encompasses policy violations, compliance status, workflow processes, task results, and the complex relationships that define how identity governance decisions flow throughout your organization. This integration uses the SCIM 2.0 protocol, providing standardized access to IdentityIQ’s comprehensive identity data.

Prerequisites

  • A SailPoint IdentityIQ deployment with SCIM 2.0 API capabilities enabled
  • Administrative access to IdentityIQ with permissions to configure API access and manage users
  • Understanding of your IdentityIQ organizational structure including roles, entitlements, and policy frameworks
  • Knowledge of which identity governance data is most relevant for your access control policies

Permissions Required

To successfully configure the SailPoint IdentityIQ integration, you need administrative access within IdentityIQ to create API credentials and read identity governance data across the entities and scopes you want to include in SGNL.

IdentityIQ Administrative Permissions: You need administrative privileges within IdentityIQ to create and manage API access credentials, configure SCIM endpoints, and read comprehensive identity data including users, roles, entitlements, accounts, applications, policy violations, and workflow information.

SCIM API Configuration: The integration requires the ability to configure and enable SCIM 2.0 API endpoints within IdentityIQ. This includes setting up authentication mechanisms, configuring endpoint access, and ensuring that the SCIM service is properly enabled and accessible.

Cross-Application Data Access: IdentityIQ manages identities and access across multiple applications and systems. The integration needs read access to account information, entitlements, and role assignments across all applications that are relevant to your access control policies.

Governance and Compliance Data Access: To provide comprehensive governance context, the integration needs access to policy violation data, workflow information, task results, and compliance-related metadata that IdentityIQ maintains as part of its governance processes.

Configuring SailPoint IdentityIQ

Setting Up SCIM 2.0 API Access

SailPoint IdentityIQ integration uses the SCIM 2.0 protocol with HTTP Basic Authentication, providing standardized access to identity governance data.

Enabling SCIM 2.0 in IdentityIQ

  1. Access IdentityIQ Administration: Log into your IdentityIQ console with administrative privileges
  2. Navigate to API Configuration: Access the Global Settings or API Configuration section within IdentityIQ administration
  3. Enable SCIM Services: Ensure that SCIM 2.0 services are enabled and properly configured for external API access
  4. Configure SCIM Endpoints: Verify that the necessary SCIM endpoints (Users, Groups, custom resources) are enabled and accessible
  5. Set API Permissions: Configure the SCIM service with appropriate permissions to read the identity data you want to synchronize with SGNL

Creating API Credentials

  1. Create Integration User: Create a dedicated user account in IdentityIQ specifically for SGNL integration with a descriptive name like “sgnl-integration-user”
  2. Assign Administrative Rights: Grant the integration user appropriate administrative capabilities to read identity governance data across all relevant scopes and applications
  3. Generate API Token: Create an API token or configure password-based authentication for the integration user, following your organization’s security policies for API access
  4. Document Credentials: Securely store the username and API token/password, as these will be required for SGNL configuration
  5. Test API Access: Verify that the integration credentials can successfully access SCIM endpoints and retrieve identity data

Understanding Your IdentityIQ Structure

Before configuring SGNL, review your IdentityIQ deployment to understand how identities, roles, entitlements, and applications are organized. Consider which applications contain critical access data, how role hierarchies are structured, which policy violations are most relevant for access decisions, and how workflow processes align with your broader access control requirements.

IdentityIQ’s comprehensive data model includes not just basic identity information, but also governance context such as risk scores, compliance status, approval histories, and policy enforcement results that can significantly enhance access control decisions in other systems.

Configuring SGNL

Setting Up the SailPoint IdentityIQ System of Record

  1. Access SGNL Console: Log in to the SGNL Console with appropriate administrative privileges
  2. Navigate to Identity Data Fabric: From the left menu, select “Identity Data Fabric”
  3. Add New System of Record: Click “Add System of Record” or “Add” to open the SoR catalog
  4. Select SailPoint IdentityIQ Template: Locate and click on “Sailpoint (IdentityIQ)” in the SGNL SoR Catalog to open the configuration screen with pre-populated settings

Authentication Configuration

SailPoint IdentityIQ uses HTTP Basic Authentication with your IdentityIQ API credentials:

  1. Select Authentication Method: Choose “Basic” as the authentication method
  2. Configure Username: Enter the username of your IdentityIQ integration user
  3. Configure API Token: Enter the API token or password for your IdentityIQ integration user in the password field

This authentication approach follows the SCIM 2.0 standard where the username and API token/password are used for HTTP Basic Authentication to access SCIM endpoints.

System Configuration

Complete the required configuration parameters for your SailPoint IdentityIQ integration:

IdentityIQ URL: Replace the {{Input Required: Sailpoint URL}} placeholder with your IdentityIQ deployment URL. This should be the base URL for your IdentityIQ instance, typically in the format https://your-identityiq-server.com or https://your-org.identityiq.com.

Adapter Configuration Details

The SailPoint IdentityIQ integration uses the SCIM 2.0 adapter with comprehensive configuration options that allow you to filter and customize which identity governance data is synchronized. The adapter configuration is provided as a base64-encoded JSON object with powerful filtering capabilities.

Basic Configuration Structure

The adapter configuration supports entity-specific settings that allow you to customize how each type of identity data is retrieved from IdentityIQ:

Empty Configuration: For basic synchronization without filtering, you can use an empty configuration: {}

Entity-Specific Configuration: Each SCIM resource type (Users, Groups, Accounts, Roles, etc.) can have individual configuration settings that control data retrieval and filtering.

SCIM 2.0 Filtering Capabilities

The integration supports sophisticated SCIM 2.0 filtering that allows you to precisely control which identity data is synchronized based on attributes, compliance status, and governance context.

SCIM Filter Syntax: SCIM 2.0 filters use attribute-based expressions with standard operators:

// Equality filters
displayName eq "SGNL"
active eq true
userType eq "Employee"

// Comparison filters
riskScore gt 50
lastModified ge "2024-01-01T00:00:00Z"

// String operations
displayName sw "admin"
department co "Engineering"

// Logical operations
active eq true and userType eq "Employee"
riskScore gt 75 or department eq "Security"

Query Parameters: Each entity can be configured with query parameters including:

  • filter: SCIM 2.0 filter expression to limit which entities are synchronized
  • sortBy: Attribute name to sort results by
  • ascending: Boolean indicating sort order (true for ascending, false for descending)

Practical Configuration Examples

Filter Active Users Only:

{
  "Users": {
    "queryParams": {
      "filter": "active eq true"
    }
  }
}

Filter High-Risk Users:

{
  "Users": {
    "queryParams": {
      "filter": "urn:ietf:params:scim:schemas:sailpoint:1.0:User:riskScore gt 75"
    }
  }
}

Filter Users by Department with Sorting:

{
  "Users": {
    "queryParams": {
      "filter": "urn:ietf:params:scim:schemas:sailpoint:1.0:User:department eq \"Engineering\"",
      "sortBy": "userName",
      "ascending": true
    }
  }
}

Filter Active Policy Violations:

{
  "PolicyViolations": {
    "queryParams": {
      "filter": "status eq \"Open\""
    }
  }
}

Filter Roles by Type:

{
  "Roles": {
    "queryParams": {
      "filter": "active eq true and type.autoAssignment eq true"
    }
  }
}

Complex Multi-Entity Configuration:

{
  "Users": {
    "queryParams": {
      "filter": "active eq true and urn:ietf:params:scim:schemas:sailpoint:1.0:User:isManager eq true",
      "sortBy": "displayName",
      "ascending": true
    }
  },
  "Roles": {
    "queryParams": {
      "filter": "active eq true and type.manualAssignment eq true"
    }
  },
  "PolicyViolations": {
    "queryParams": {
      "filter": "status ne \"Closed\""
    }
  }
}
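The following script is an added example for the adapter configuration and SCIM filter sections above; it is not SGNL's adapter code or SailPoint's. It takes a configuration in the shape shown above (entity name, then queryParams with filter, sortBy and ascending), base64-encodes and decodes it as the adapter configuration field expects, and applies each entity's filter and sort order to a small set of constructed sample records, so a filter can be checked offline before it is pasted into the console. It implements the operators from the syntax section (eq, ne, gt, ge, lt, le, co, sw, ew; and binds tighter than or; extension attributes are addressed by their schema URN as in the examples above) and generalizes the page's examples to any chain of comparisons, but it does not handle parentheses or not. SAMPLE, SP_USER and the helper names are this example's own assumptions.

```python
import base64
import json
import operator
import re

# Extension schema URN used on this page; SCIM 2.0 nests extension attributes under it.
SP_USER = "urn:ietf:params:scim:schemas:sailpoint:1.0:User"

# Constructed sample data for this example, not real IdentityIQ output.
SAMPLE = {
    "Users": [
        {"userName": "alice", "displayName": "Alice Adams", "active": True,
         SP_USER: {"riskScore": 80, "department": "Engineering", "isManager": True}},
        {"userName": "bob", "displayName": "Bob Brown", "active": True,
         SP_USER: {"riskScore": 10, "department": "Engineering", "isManager": False}},
        {"userName": "carol", "displayName": "Carol Cole", "active": False,
         SP_USER: {"riskScore": 90, "department": "Security", "isManager": True}},
    ],
    "PolicyViolations": [{"id": "pv1", "status": "Open"},
                         {"id": "pv2", "status": "Closed"},
                         {"id": "pv3", "status": "Pending"}],
}

_TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|\S+')  # quoted string or bare word
_OPS = {"eq": operator.eq, "ne": operator.ne, "gt": operator.gt,
        "ge": operator.ge, "lt": operator.lt, "le": operator.le}

def encode_config(config: dict) -> str:
    """Serialize the adapter configuration to the base64 JSON form SGNL expects."""
    return base64.b64encode(json.dumps(config).encode()).decode()

def decode_config(blob: str) -> dict:
    """Inverse of encode_config; handy for inspecting a stored configuration."""
    return json.loads(base64.b64decode(blob))

def resolve(record: dict, path: str):
    """Look up 'attr', 'attr.sub' or 'urn:...:Schema:attr' in a SCIM record."""
    if path.startswith("urn:"):
        schema, _, path = path.rpartition(":")
        record = record.get(schema, {})
    cur = record
    for part in path.split("."):
        cur = cur.get(part) if isinstance(cur, dict) else None
    return cur

def compare(op: str, actual, value) -> bool:
    """SCIM 2.0 attribute operators; string matching is case-insensitive."""
    if actual is None:
        return False  # a missing attribute never matches
    if isinstance(actual, str) and isinstance(value, str):
        actual, value = actual.lower(), value.lower()
        if op == "co": return value in actual
        if op == "sw": return actual.startswith(value)
        if op == "ew": return actual.endswith(value)
    try:
        return _OPS[op](actual, value)
    except (TypeError, KeyError):
        return False  # incomparable types or unsupported operator

def parse_filter(expr: str) -> list:
    """Parse 'attr op value [and|or ...]' into a list of and-groups (DNF):
    'and' binds tighter than 'or'. Parentheses and 'not' are not handled."""
    toks = _TOKEN.findall(expr)
    groups, i = [[]], 0
    while i < len(toks):
        attr, op, raw = toks[i:i + 3]  # ValueError on a truncated filter
        groups[-1].append((attr, op.lower(), json.loads(raw)))
        i += 3
        if i < len(toks):
            if toks[i].lower() == "or":
                groups.append([])
            elif toks[i].lower() != "and":
                raise ValueError(f"unexpected token {toks[i]!r}")
            i += 1
    return groups

def matches(groups: list, record: dict) -> bool:
    return any(all(compare(op, resolve(record, a), v) for a, op, v in g) for g in groups)

def apply_config(config: dict, data: dict) -> dict:
    """Apply each entity's queryParams (filter, sortBy, ascending) to its collection."""
    out = {}
    for entity, records in data.items():
        params = config.get(entity, {}).get("queryParams", {})
        if "filter" in params:
            groups = parse_filter(params["filter"])
            records = [r for r in records if matches(groups, r)]
        if "sortBy" in params:
            records = sorted(records, key=lambda r: str(resolve(r, params["sortBy"]) or ""),
                             reverse=not params.get("ascending", True))
        out[entity] = records
    return out

def ids(rows: list) -> list:
    """userName (Users) or id (other entities) of each row, for quick inspection."""
    return [r.get("userName") or r.get("id") for r in rows]

if __name__ == "__main__":
    blob = encode_config({"Users": {"queryParams": {"filter": f"active eq true and {SP_USER}:riskScore gt 75"}}})
    print(ids(apply_config(decode_config(blob), SAMPLE)["Users"]))  # ['alice']
```

Paste any of the configurations above into `encode_config` to obtain the base64 value for the adapter configuration field, and run `apply_config` against your own sample records to confirm that the filter selects what you expect; a mistyped extension URN or attribute path resolves to None and silently matches nothing, which is also how such a mistake shows up as an empty synchronization in SGNL.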

Advanced Filtering Scenarios

Governance-Focused Filtering: Focus on users and entities with specific governance characteristics:

{
  "Users": {
    "queryParams": {
      "filter": "urn:ietf:params:scim:schemas:sailpoint:1.0:User:riskScore gt 0"
    }
  },
  "PolicyViolations": {
    "queryParams": {
      "filter": "status eq \"Open\" or status eq \"Pending\""
    }
  }
}

Application-Specific Filtering: Focus on specific applications or system types:

{
  "Accounts": {
    "queryParams": {
      "filter": "active eq true and application.displayName sw \"Production\""
    }
  },
  "Entitlements": {
    "queryParams": {
      "filter": "requestable eq true and active eq true"
    }
  }
}

Configuring Your Adapter Settings

When setting up your IdentityIQ integration in SGNL:

  1. Replace URL Placeholder: Update the address field with your actual IdentityIQ deployment URL
  2. Configure Entity Filtering: Customize the adapter configuration JSON to include filters for the entities most relevant to your access control policies
  3. Set Governance Filters: Use SCIM filters to focus on users with specific risk scores, compliance status, or governance attributes
  4. Optimize Performance: Apply filters to reduce data volume and focus on the most relevant identity governance information

Understanding SailPoint IdentityIQ Entity Structure

The SailPoint IdentityIQ template defines an extensive set of interconnected entities that represent the complete identity governance and administration ecosystem within your organization.

User Entity: Represents individuals within your organization with comprehensive identity information including basic SCIM attributes (name, email, status), enterprise extensions (manager relationships, employee data), and SailPoint-specific extensions (risk scores, capabilities, administrative relationships, departmental information, cost centers, and regional assignments). This rich user context enables policies that consider not just identity, but governance posture and organizational structure.

Account Entity: Represents user accounts across various applications and systems managed by IdentityIQ, including account status, correlation information, identity relationships, application associations, and governance metadata. Accounts provide the link between users and their access across multiple systems.

Role Entity: Represents IdentityIQ roles with comprehensive governance information including role types (business, IT, risk-based), activation and deactivation dates, ownership information, inheritance relationships, requirements, permits, and classification data. Roles are central to IdentityIQ’s governance model and provide structured access management.

Entitlement Entity: Represents fine-grained permissions and access rights within applications, including entitlement metadata, requestability status, aggregation information, classification details, ownership, and review information. Entitlements provide the detailed access context that roles and policies govern.

Application Entity: Represents systems and applications that IdentityIQ manages, including application metadata, feature capabilities, ownership information, and schema definitions. Applications provide the context for where access is being granted and managed.

Policy Violation Entity: Represents governance policy violations detected by IdentityIQ, including policy details, constraint information, affected identities, violation status, and ownership for remediation. Policy violations provide critical compliance and risk context.

Workflow and Task Entities: Represent the governance processes and workflows that IdentityIQ executes, including launched workflows, workflow inputs and outputs, task results, and process status. These entities provide visibility into governance operations and approval processes.

Alert Entities: Represent security and governance alerts generated by IdentityIQ, including alert metadata, associated applications, target information, and alert actions. Alerts provide real-time governance and security context.

Testing and Verification

After configuring the SailPoint IdentityIQ integration, systematic testing ensures that your identity governance data is being correctly imported and that the complex relationships between users, roles, entitlements, and governance processes are properly established.

Test with DataLens

Once synchronization is complete, use DataLens to explore your IdentityIQ governance data:

  1. Explore User Governance Context: Query user information including risk scores, role assignments, policy violations, and organizational placement
  2. Test Role and Entitlement Relationships: Verify that you can trace from users through their roles to specific entitlements and understand the complete access picture
  3. Check Compliance Data: Confirm that policy violations, workflow approvals, and governance metadata are correctly established and queryable
  4. Validate Cross-System Context: Test queries that show how IdentityIQ governance data relates to accounts and access across multiple applications

Troubleshooting

Authentication and SCIM Access Issues

Basic Authentication Failures: If SGNL cannot authenticate with IdentityIQ, verify that your username and API token/password are correctly entered and that the user account exists with proper permissions. Test the credentials by accessing SCIM endpoints directly using tools like curl or Postman.

SCIM Endpoint Availability: If authentication succeeds but SCIM endpoints are not accessible, verify that SCIM 2.0 services are properly enabled in IdentityIQ and that the endpoints are configured correctly. Check firewall and network connectivity between SGNL and your IdentityIQ deployment.

Permission and Authorization Errors: If authentication works but entity synchronization fails, verify that your integration user has appropriate permissions to read all the entity types you’re trying to synchronize. IdentityIQ’s permission model may require specific rights for different types of governance data.
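As an added example for the "Test API Access" step in the credential setup and for the three failure classes just described (not SGNL's or SailPoint's code), the script below sends one authenticated SCIM request with the integration user's credentials and maps the HTTP outcome onto those classes: 401 for rejected credentials, 403 for an authenticated user without rights to the resource type, 404 or a non-SCIM body for a SCIM service that is not enabled at that URL. The `/scim/v2` path prefix, the `count=1` page size and the `diagnose` labels are this example's assumptions; adjust SCIM_PATH to your deployment. It refuses to send Basic credentials over plain HTTP, since HTTP Basic Authentication transmits the API token on every request.

```python
import base64
import json
import urllib.error
import urllib.request

# Assumed SCIM path prefix; change it to match your IdentityIQ deployment.
SCIM_PATH = "/scim/v2"

def basic_auth_header(username: str, secret: str) -> str:
    """RFC 7617 Basic credential: 'Basic ' + base64('username:secret')."""
    token = base64.b64encode(f"{username}:{secret}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def diagnose(status: int, body: str = "") -> str:
    """Map an HTTP result onto the failure classes in the troubleshooting section."""
    if status == 401:
        return "auth: username or API token/password rejected; re-check the integration user"
    if status == 403:
        return "permission: authenticated, but not allowed to read this resource type"
    if status == 404:
        return "endpoint: SCIM service or resource path not enabled at this URL"
    if status >= 500:
        return f"server: IdentityIQ returned HTTP {status}; check its logs"
    if 200 <= status < 300:
        try:
            doc = json.loads(body)
        except ValueError:
            return "endpoint: 2xx but no JSON body; the URL probably serves a web page, not SCIM"
        if "Resources" in doc or "schemas" in doc:
            return f"ok: SCIM endpoint reachable, totalResults={doc.get('totalResults', '?')}"
        return "endpoint: 2xx JSON without SCIM list-response fields; verify the SCIM path"
    return f"other: HTTP {status}"

def probe(base_url: str, username: str, secret: str, resource: str = "Users", timeout: float = 15.0):
    """GET <base_url><SCIM_PATH>/<resource>?count=1 with Basic auth; return (status, body)."""
    if not base_url.lower().startswith("https://"):
        raise ValueError("refusing to send Basic credentials over a non-HTTPS URL")
    url = f"{base_url.rstrip('/')}{SCIM_PATH}/{resource}?count=1"
    req = urllib.request.Request(url, headers={
        "Authorization": basic_auth_header(username, secret),
        "Accept": "application/scim+json",
    })
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a useful body
        return err.code, err.read().decode("utf-8", "replace")

if __name__ == "__main__":
    import getpass, sys
    base, user = sys.argv[1], sys.argv[2]  # e.g. https://your-identityiq-server.com sgnl-integration-user
    status, body = probe(base, user, getpass.getpass("API token/password: "))
    print(status, diagnose(status, body))
```

Run it once per resource type you intend to synchronize (Users, then the entity types your adapter configuration names), because a 403 on one resource type with a 200 on Users is exactly the permission case above: the credentials are fine, but the integration user lacks rights to that kind of governance data.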

IdentityIQ-Specific Configuration Issues

SCIM Schema Compatibility: Different versions of IdentityIQ may have variations in SCIM schema implementation. If certain attributes aren’t synchronizing correctly, verify that the attribute paths in the template match your IdentityIQ SCIM schema implementation.

Custom Attribute Handling: IdentityIQ often includes custom attributes and extensions specific to your organization. If custom attributes aren’t being captured, you may need to modify the template to include organization-specific attribute paths.

Multi-Application Context: IdentityIQ manages access across multiple applications, and some data may be application-specific. If certain accounts or entitlements aren’t appearing, verify that the relevant applications are properly configured and accessible through the SCIM API.

Workflow and Task State Synchronization: IdentityIQ workflows and tasks have complex state models that may change frequently. If workflow data isn’t synchronizing correctly, consider the timing of synchronization and whether workflow states are stable enough for your access control needs.

Performance and Scale Considerations

Entity Volume Management: IdentityIQ can contain large volumes of governance data including historical workflows, closed policy violations, and inactive entitlements. Use SCIM filtering to focus on active and relevant data to improve synchronization performance.

Relationship Complexity: The extensive relationship structure between IdentityIQ entities can result in complex data processing. Monitor SGNL’s resource usage during synchronization and consider whether all relationship types are necessary for your access control policies.

Governance Data Freshness: Some IdentityIQ data like risk scores and policy violations may change frequently, while other data like role definitions may be more stable. Consider different synchronization frequencies for different entity types based on their volatility and importance.

Integration with SGNL Policies

Once your SailPoint IdentityIQ integration is successfully configured and synchronized, you can leverage the comprehensive identity governance data in sophisticated SGNL policies that align access control with governance principles and compliance requirements.

Risk-Based Access Control: Use IdentityIQ risk scores and governance assessments to create dynamic access policies that adjust based on user risk profiles. Users with high risk scores might be subject to additional authentication requirements or restricted from accessing sensitive resources until risk factors are addressed.

Role-Based Governance Policies: Leverage IdentityIQ’s comprehensive role model to create access policies that consider not just current role assignments, but role types, inheritance patterns, and governance metadata. Users with specific governance roles might automatically receive corresponding access in related systems.

Compliance-Driven Access Decisions: Use policy violation data and compliance status to inform access decisions across your environment. Users with open policy violations might be restricted from accessing certain resources, or might trigger additional approval requirements for access requests.

Organizational Hierarchy Policies: Leverage IdentityIQ’s detailed organizational structure including management hierarchies, regional assignments, and departmental information to create access policies that reflect your organizational governance model. Managers might receive access to resources related to their direct reports, or regional owners might have access to location-specific systems.

Entitlement-Based Access Mapping: Use IdentityIQ’s detailed entitlement management to inform access decisions in other systems. Users with specific entitlements in governance-managed applications might automatically receive related access in connected systems, ensuring consistency across your access landscape.

Workflow and Approval Integration: Leverage IdentityIQ’s workflow and approval history to create policies that consider governance process participation. Users who have completed specific approval workflows might receive corresponding access, or access might be conditional on pending workflow completion.

Application-Centric Governance: Use IdentityIQ’s application management data to create policies that consider how access is governed across different application types. Users with privileged access in critical applications might be subject to enhanced monitoring or additional verification requirements.

Lifecycle-Based Access Control: Leverage IdentityIQ’s comprehensive identity lifecycle management to create policies that automatically adjust access based on identity status, account correlation, and lifecycle events. This ensures that access control stays aligned with identity governance throughout the user lifecycle.

For comprehensive guidance on creating policies with identity governance data, refer to the SGNL Policy Management documentation. For understanding how IdentityIQ entities relate to other systems in your environment, review the Entities and Relationships guide.