SailPoint IdentityIQ provides comprehensive identity governance and administration (IGA) capabilities that bring critical compliance, risk management, and identity lifecycle context into SGNL for sophisticated access control decisions. By integrating IdentityIQ with SGNL, you gain deep visibility into user identities, role assignments, entitlement management, policy violations, approval workflows, and the complete governance lifecycle that governs identity and access management within your organization.
The IdentityIQ integration captures the complete identity governance ecosystem. It includes users with their enterprise attributes, roles and entitlements, applications and their schemas, and accounts across multiple systems. Additionally, it encompasses policy violations, compliance status, workflow processes, task results, and the complex relationships that define how identity governance decisions flow throughout your organization. This integration uses the SCIM 2.0 protocol, providing standardized access to IdentityIQ’s comprehensive identity data.
To successfully configure the SailPoint IdentityIQ integration, you need administrative access within IdentityIQ to create API credentials and read identity governance data across the entities and scopes you want to include in SGNL.
IdentityIQ Administrative Permissions: You need administrative privileges within IdentityIQ to create and manage API access credentials, configure SCIM endpoints, and read comprehensive identity data including users, roles, entitlements, accounts, applications, policy violations, and workflow information.
SCIM API Configuration: The integration requires the ability to configure and enable SCIM 2.0 API endpoints within IdentityIQ. This includes setting up authentication mechanisms, configuring endpoint access, and ensuring that the SCIM service is properly enabled and accessible.
Cross-Application Data Access: IdentityIQ manages identities and access across multiple applications and systems. The integration needs read access to account information, entitlements, and role assignments across all applications that are relevant to your access control policies.
Governance and Compliance Data Access: To provide comprehensive governance context, the integration needs access to policy violation data, workflow information, task results, and compliance-related metadata that IdentityIQ maintains as part of its governance processes.
SailPoint IdentityIQ integration uses the SCIM 2.0 protocol with HTTP Basic Authentication, providing standardized access to identity governance data.
Before configuring SGNL, review your IdentityIQ deployment to understand how identities, roles, entitlements, and applications are organized. Consider which applications contain critical access data, how role hierarchies are structured, which policy violations are most relevant for access decisions, and how workflow processes align with your broader access control requirements.
IdentityIQ’s comprehensive data model includes not just basic identity information, but also governance context such as risk scores, compliance status, approval histories, and policy enforcement results that can significantly enhance access control decisions in other systems.
SailPoint IdentityIQ uses HTTP Basic Authentication with your IdentityIQ API credentials:
This authentication approach follows the SCIM 2.0 standard where the username and API token/password are used for HTTP Basic Authentication to access SCIM endpoints.
Complete the required configuration parameters for your SailPoint IdentityIQ integration:
IdentityIQ URL: Replace the {{Input Required: Sailpoint URL}} placeholder with your IdentityIQ deployment URL. This should be the base URL for your IdentityIQ instance, typically in the format https://your-identityiq-server.com or https://your-org.identityiq.com.
The SailPoint IdentityIQ integration uses the SCIM 2.0 adapter with comprehensive configuration options that allow you to filter and customize which identity governance data is synchronized. The adapter configuration is provided as a base64-encoded JSON object with powerful filtering capabilities.
The adapter configuration supports entity-specific settings that allow you to customize how each type of identity data is retrieved from IdentityIQ:
Empty Configuration: For basic synchronization without filtering, you can use an empty configuration: {}
Entity-Specific Configuration: Each SCIM resource type (Users, Groups, Accounts, Roles, etc.) can have individual configuration settings that control data retrieval and filtering.
The integration supports sophisticated SCIM 2.0 filtering that allows you to precisely control which identity data is synchronized based on attributes, compliance status, and governance context.
SCIM Filter Syntax: SCIM 2.0 filters use attribute-based expressions with standard operators:
// Equality filters
displayName eq "SGNL"
active eq true
userType eq "Employee"
// Comparison filters
riskScore gt 50
lastModified ge "2024-01-01T00:00:00Z"
// String operations
displayName sw "admin"
department co "Engineering"
// Logical operations
active eq true and userType eq "Employee"
riskScore gt 75 or department eq "Security"
Query Parameters: Each entity can be configured with query parameters including:
Filter Active Users Only:
{
  "Users": {
    "queryParams": {
      "filter": "active eq true"
    }
  }
}
Filter High-Risk Users:
{
  "Users": {
    "queryParams": {
      "filter": "urn:ietf:params:scim:schemas:sailpoint:1.0:User:riskScore gt 75"
    }
  }
}
Filter Users by Department with Sorting:
{
  "Users": {
    "queryParams": {
      "filter": "urn:ietf:params:scim:schemas:sailpoint:1.0:User:department eq \"Engineering\"",
      "sortBy": "userName",
      "ascending": true
    }
  }
}
Filter Active Policy Violations:
{
  "PolicyViolations": {
    "queryParams": {
      "filter": "status eq \"Open\""
    }
  }
}
Filter Roles by Type:
{
  "Roles": {
    "queryParams": {
      "filter": "active eq true and type.autoAssignment eq true"
    }
  }
}
Complex Multi-Entity Configuration:
{
  "Users": {
    "queryParams": {
      "filter": "active eq true and urn:ietf:params:scim:schemas:sailpoint:1.0:User:isManager eq true",
      "sortBy": "displayName",
      "ascending": true
    }
  },
  "Roles": {
    "queryParams": {
      "filter": "active eq true and type.manualAssignment eq true"
    }
  },
  "PolicyViolations": {
    "queryParams": {
      "filter": "status ne \"Closed\""
    }
  }
}
Governance-Focused Filtering: Focus on users and entities with specific governance characteristics:
{
  "Users": {
    "queryParams": {
      "filter": "urn:ietf:params:scim:schemas:sailpoint:1.0:User:riskScore gt 0"
    }
  },
  "PolicyViolations": {
    "queryParams": {
      "filter": "status eq \"Open\" or status eq \"Pending\""
    }
  }
}
Application-Specific Filtering: Focus on specific applications or system types:
{
  "Accounts": {
    "queryParams": {
      "filter": "active eq true and application.displayName sw \"Production\""
    }
  },
  "Entitlements": {
    "queryParams": {
      "filter": "requestable eq true and active eq true"
    }
  }
}
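Because the adapter configuration is stored base64-encoded, a typo in a filter is easy to miss until synchronization silently returns nothing. The following Python is an added example, not SGNL's or SailPoint's own tooling: it checks that each entity's filter has the syntactic shape of a SCIM 2.0 filter (the eq/ne/co/sw/ew/gt/ge/lt/le/pr operators, and/or, parentheses; it does not check operator precedence or attribute names against your IdentityIQ schema) and then produces the encoded JSON. The JSON layout is the one shown above; the function names are assumptions of this example.

```python
import base64
import json
import re

# SCIM 2.0 filter tokens (RFC 7644 section 3.4.2.2): parentheses, quoted strings, and bare
# words such as eq, true, 75 or a URN-qualified path like urn:...:sailpoint:1.0:User:riskScore
_TOKEN = r'\(|\)|"(?:[^"\\]|\\.)*"|[^\s()"]+'
_COMPARE = {"eq", "ne", "co", "sw", "ew", "gt", "ge", "lt", "le"}


def validate_filter(text):
    """Return True if text is a syntactically valid SCIM filter, else raise ValueError."""
    toks, i = re.findall(_TOKEN, text), 0
    # Anything the tokenizer had to skip (an unterminated quote) shows up as a length mismatch
    if re.sub(r"\s", "", "".join(toks)) != re.sub(r"\s", "", text):
        raise ValueError(f"unterminated quoted string in {text!r}")

    def expr():  # expr := factor (("and" | "or") factor)*
        nonlocal i
        factor()
        while i < len(toks) and toks[i].lower() in ("and", "or"):
            i += 1
            factor()

    def factor():  # factor := "(" expr ")" | attr "pr" | attr compareOp value
        nonlocal i
        if i < len(toks) and toks[i] == "(":
            i += 1
            expr()
            if i >= len(toks) or toks[i] != ")":
                raise ValueError("unbalanced parentheses")
            i += 1
        elif i + 1 < len(toks) and toks[i] != ")" and toks[i + 1].lower() == "pr":
            i += 2
        elif (i + 2 < len(toks) and toks[i] != ")" and toks[i + 1].lower() in _COMPARE
              and toks[i + 2] not in ("(", ")")):
            i += 3
        else:
            raise ValueError(f"expected '<attribute> <operator> <value>' at token {i}")

    expr()
    if i != len(toks):
        raise ValueError(f"unexpected token {toks[i]!r}")
    return True


def build_adapter_config(entities):
    """Validate every entity's filter, then return the base64-encoded JSON SGNL expects."""
    for settings in entities.values():
        flt = settings.get("queryParams", {}).get("filter")
        if flt is not None:
            validate_filter(flt)
    return base64.b64encode(json.dumps(entities).encode()).decode()


def decode_adapter_config(encoded):  # inverse of build_adapter_config, for reviewing a stored config
    return json.loads(base64.b64decode(encoded))
```

Paste the string returned by build_adapter_config into the adapter configuration field; decode_adapter_config lets you read back what is currently stored before changing it.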
When setting up your IdentityIQ integration in SGNL:
The SailPoint IdentityIQ template defines an extensive set of interconnected entities that represent the complete identity governance and administration ecosystem within your organization.
User Entity: Represents individuals within your organization with comprehensive identity information including basic SCIM attributes (name, email, status), enterprise extensions (manager relationships, employee data), and SailPoint-specific extensions (risk scores, capabilities, administrative relationships, departmental information, cost centers, and regional assignments). This rich user context enables policies that consider not just identity, but governance posture and organizational structure.
Account Entity: Represents user accounts across various applications and systems managed by IdentityIQ, including account status, correlation information, identity relationships, application associations, and governance metadata. Accounts provide the link between users and their access across multiple systems.
Role Entity: Represents IdentityIQ roles with comprehensive governance information including role types (business, IT, risk-based), activation and deactivation dates, ownership information, inheritance relationships, requirements, permits, and classification data. Roles are central to IdentityIQ’s governance model and provide structured access management.
Entitlement Entity: Represents fine-grained permissions and access rights within applications, including entitlement metadata, requestability status, aggregation information, classification details, ownership, and review information. Entitlements provide the detailed access context that roles and policies govern.
Application Entity: Represents systems and applications that IdentityIQ manages, including application metadata, feature capabilities, ownership information, and schema definitions. Applications provide the context for where access is being granted and managed.
Policy Violation Entity: Represents governance policy violations detected by IdentityIQ, including policy details, constraint information, affected identities, violation status, and ownership for remediation. Policy violations provide critical compliance and risk context.
Workflow and Task Entities: Represent the governance processes and workflows that IdentityIQ executes, including launched workflows, workflow inputs and outputs, task results, and process status. These entities provide visibility into governance operations and approval processes.
Alert Entities: Represent security and governance alerts generated by IdentityIQ, including alert metadata, associated applications, target information, and alert actions. Alerts provide real-time governance and security context.
After configuring the SailPoint IdentityIQ integration, systematic testing ensures that your identity governance data is being correctly imported and that the complex relationships between users, roles, entitlements, and governance processes are properly established.
Once synchronization is complete, use DataLens to explore your IdentityIQ governance data:
Basic Authentication Failures: If SGNL cannot authenticate with IdentityIQ, verify that your username and API token/password are correctly entered and that the user account exists with proper permissions. Test the credentials by accessing SCIM endpoints directly using tools like curl or Postman.
SCIM Endpoint Availability: If authentication succeeds but SCIM endpoints are not accessible, verify that SCIM 2.0 services are properly enabled in IdentityIQ and that the endpoints are configured correctly. Check firewall and network connectivity between SGNL and your IdentityIQ deployment.
Permission and Authorization Errors: If authentication works but entity synchronization fails, verify that your integration user has appropriate permissions to read all the entity types you’re trying to synchronize. IdentityIQ’s permission model may require specific rights for different types of governance data.
SCIM Schema Compatibility: Different versions of IdentityIQ may have variations in SCIM schema implementation. If certain attributes aren’t synchronizing correctly, verify that the attribute paths in the template match your IdentityIQ SCIM schema implementation.
Custom Attribute Handling: IdentityIQ often includes custom attributes and extensions specific to your organization. If custom attributes aren’t being captured, you may need to modify the template to include organization-specific attribute paths.
Multi-Application Context: IdentityIQ manages access across multiple applications, and some data may be application-specific. If certain accounts or entitlements aren’t appearing, verify that the relevant applications are properly configured and accessible through the SCIM API.
Workflow and Task State Synchronization: IdentityIQ workflows and tasks have complex state models that may change frequently. If workflow data isn’t synchronizing correctly, consider the timing of synchronization and whether workflow states are stable enough for your access control needs.
Entity Volume Management: IdentityIQ can contain large volumes of governance data including historical workflows, closed policy violations, and inactive entitlements. Use SCIM filtering to focus on active and relevant data to improve synchronization performance.
Relationship Complexity: The extensive relationship structure between IdentityIQ entities can result in complex data processing. Monitor SGNL’s resource usage during synchronization and consider whether all relationship types are necessary for your access control policies.
Governance Data Freshness: Some IdentityIQ data like risk scores and policy violations may change frequently, while other data like role definitions may be more stable. Consider different synchronization frequencies for different entity types based on their volatility and importance.
Once your SailPoint IdentityIQ integration is successfully configured and synchronized, you can leverage the comprehensive identity governance data in sophisticated SGNL policies that align access control with governance principles and compliance requirements.
Risk-Based Access Control: Use IdentityIQ risk scores and governance assessments to create dynamic access policies that adjust based on user risk profiles. Users with high risk scores might be subject to additional authentication requirements or restricted from accessing sensitive resources until risk factors are addressed.
Role-Based Governance Policies: Leverage IdentityIQ’s comprehensive role model to create access policies that consider not just current role assignments, but role types, inheritance patterns, and governance metadata. Users with specific governance roles might automatically receive corresponding access in related systems.
Compliance-Driven Access Decisions: Use policy violation data and compliance status to inform access decisions across your environment. Users with open policy violations might be restricted from accessing certain resources, or might trigger additional approval requirements for access requests.
Organizational Hierarchy Policies: Leverage IdentityIQ’s detailed organizational structure including management hierarchies, regional assignments, and departmental information to create access policies that reflect your organizational governance model. Managers might receive access to resources related to their direct reports, or regional owners might have access to location-specific systems.
Entitlement-Based Access Mapping: Use IdentityIQ’s detailed entitlement management to inform access decisions in other systems. Users with specific entitlements in governance-managed applications might automatically receive related access in connected systems, ensuring consistency across your access landscape.
Workflow and Approval Integration: Leverage IdentityIQ’s workflow and approval history to create policies that consider governance process participation. Users who have completed specific approval workflows might receive corresponding access, or access might be conditional on pending workflow completion.
Application-Centric Governance: Use IdentityIQ’s application management data to create policies that consider how access is governed across different application types. Users with privileged access in critical applications might be subject to enhanced monitoring or additional verification requirements.
Lifecycle-Based Access Control: Leverage IdentityIQ’s comprehensive identity lifecycle management to create policies that automatically adjust access based on identity status, account correlation, and lifecycle events. This ensures that access control stays aligned with identity governance throughout the user lifecycle.
For comprehensive guidance on creating policies with identity governance data, refer to the SGNL Policy Management documentation. For understanding how IdentityIQ entities relate to other systems in your environment, review the Entities and Relationships guide.