SailPoint IdentityNow SSO integration with Okta

Okta is the leading solution for user authentication and single sign-on (SSO) for workforce as well as customer identities. Okta is capable of managing SSO to wide range of applications along with multi-factor authentication, directory integrations and lifecycle management from the cloud.

SailPoint IdentityNow is a cloud based identity and access management solution which aims to provide identity-as-a-service. IdentityNow enables a complete set of IAM capabilities delivered from the cloud to manage hybrid IT environments that include on-premises and cloud resources. IdentityNow supports SAML based Single Sign On. SAML is an open standard which allows an identity provider (like Okta) to pass on authentication information to a service provider (like IdentityNow).

In the following demonstration, we take a look at the SAML integration of IdentityNow with Okta for Single Sign-on. We will also go over the Active Directory integration in Okta and how this can be backed by IdentityNow’s lifecycle management.

SailPoint IdentityIQ QuickBooks ERP Integration using Dell Boomi as Middleware

In recent years, we’ve witnessed a rapid shift from on-premise applications to a hybrid mix of SaaS (software-as-a-service), iPaaS (Integration Platform as a service) and on-premise applications, as well as integration between various cloud providers and platforms. Very Soon Everything is going to be connected to Cloud and data . All this is going to be mediated by a software(Middleware).

Amidst such scenarios , It is essential for the need of a software to bridge the gap between applications and other tools or databases. It is effectively a method of communication and data management between applications that would otherwise not have any way to exchange data — such as with software tools and databases. 

Dell Boomi AtomSphere is an on-demand multi-tenant cloud integration platform for connecting cloud and on-premises applications and data. The platform enables customers to design cloud-based integration processes called Atoms and transfer data between cloud and on-premises applications. Dell Boomi specializes in cloud-based integrationAPI management and Master Data Management

QuickBooks is an accounting software package developed and marketed by Intuit and are geared mainly toward small and medium-sized businesses and offer on-premises accounting applications as well as cloud-based versions that accept business payments, manage and pay bills, and payroll functions.

The following is the demonstration of steps for Integrating  SailPoint IdentityIQ QuickBooks ERP using Dell Boomi as Middleware.

SailPoint IdentityIQ SSO Integration with Okta

You have to admit that there are many people who change their password to ‘incorrect’ .That way it always reminds them whenever they enter a wrong password – “your password is incorrect” . Also a survey stated more than 78% of people tend to forget their latest passwords within 21 days of inactivity .

Amidst such scenarios , securing and monitoring the access for any external users like partners, contractors and customers who have access to organizational resources have always been a challenge for many organizations thereby increasing the demand for a centralized login system. Single sign-on (SSO) is an authentication process that allows a user to access multiple applications with one set of login credentials. 

Okta is the one of the leading provider for user authentication and standards-based single sign-on (SSO) for employee, partner and customer identity types. Okta supports and manages SSO for the enterprises with wide range of applications thereby providing a single secured centralized login system.

SailPoint IdentityIQ  supports Single sign-on as one of its supported login configurations . The SSO is based on the SAML protocol which is a standard protocol for the SSO and other security assertions.

In this blog we are going to take a look at the integration of SailPoint IdentityIQ with Okta for Single Sign on.

The following presentation discusses in detail about the integration between SailPoint IdentityIQ and Okta.

The following is the demonstration of steps for configuring Okta as an Identity Provider for SailPoint IdentityIQ

Comprehensive Overview of Sailpoint’s IdentityNow

SailPoint has the solution to meet the needs of identity governance that exist in today’s business environments. The solution is available for businesses to easily consume because it’s in the cloud this solution which is IdentityNow. With many features such as User Password Management, Access Certification, Access Requests, Provisioning, Multi-factor authentication, Strong Authentication and Analytics. IdentityNow is a leader in the market for a perfect IAM solution for organizations taking the next step into cloud computing.

The product is simpler to tack together than several other IAM solutions in the market, thus additional configuration can be completed without the need for specialist resources. The User interface (UI) is a lot of easier to interface for end-users and needs less coaching.

Continue reading

Governing G Suite using SailPoint Identity IQ

Identity IQ – G Suite Integration

Office productivity suites comprise the essential set of tools required for an employee’s day to day work. They offer core services to users like email, calendars, shared storage and other tools to create and consume the information. New generation productivity suites understand today’s business needs and are designed to be omnipresent and highly collaborative.

G Suite is Google’s cloud based productivity suite. Being a cloud based solution, it is omnipresent and can be accessed all possible devices. Also, it is highly collaborative in nature. Google’s most popular services like Google mail, calendar, drive, docs, sheets, hangouts are bundled into G Suite. G Suite has been received greatly by organizations of all the sizes and has recorded 5 million organizations by end of 2018. G Suite has quickly climbed up the ladder to become a leader in Gartner’s magic quadrant for 2 years consecutively.

Governing such core cloud based services containing sensitive information is of great importance.

In the following presentation, we provide a detailed overview of G Suite integration with Identity IQ.

G Suite – Identity IQ Integration

In the following video, we provide a detailed demo of this integration.

A detailed demo of G Suite governance with IDENTITY NOW is coming shortly.

SailPoint IIQ Pass Through Authentication using Active Directory – Global Catalog

Purpose : Here, we will be discussing about the SailPoint IIQ Pass-Through Authentication with respect to custom Active Directory attribute using Global Catalog Server.

Quick Description :

What is Pass-Through Authentication ?

Pass-Through Authentication, the user logs in to the IdentityIQ application through the normal IdentityIQ login page but the system validates the user’s credentials against an external source, “passing” the ID and password “through” to the authorizing system instead of consulting IdentityIQ’s internal records.

What is Global-Catalog server ?

The global catalog contains a partial replica of every naming context in the directory like, the schema and configuration naming contexts But, with only a small number of their attributes.

Requirements Context :

In a multi domain environment, it would be efficient to use global catalog because IIQ does not need to traverse through all the LDAP referrals returned for different domains during user login authentication. When using a Custom Active Directory attribute for correlation, where that attribute is not promoted to global catalog repository, then the SailPoint IIQ will be driven to a tangled state which results in Pass-Through Authentication Failure.

In order to overcome such scenarios, we can

Continue Reading

SailPoint IdentityIQ Plugins

Introduced with IdentityIQ 7.1, the plugin framework provides the infrastructure and tools to enable developers to extend the Open Identity Platform to meet a variety of specialized use cases that one might encounter in a non-standard deployment.

SailPoint IdentityIQ 7.1 Plugin Framework provides a dynamic, plugin-specific class loader. It also introduces a simple, supportable, and upgrade-able user experience. The dynamic class loader provides protection for the base classes from modification, and allows for additional security and upgrade-ability.

continue reading

SailPoint IdentityIQ SSO Integration with PingFederate

Nowadays, almost every website requires some form of authentication to access its features and content. With the number of websites and services rising, a centralized login system has become a necessity. Single sign-on (SSO) is an authentication process that allows a user to access multiple applications with one set of login credentials. PingIdentity’s PingFederate allows the SSO for the enterprises which have the multiple applications and API’s to protect.

PingFederate is the leading enterprise federation server for user authentication and standards-based single sign-on (SSO) for employee, partner and customer identity types.

Continue reading

Sailpoint Identity IQ: Refresh logging through IIQ console

Sailpoint IdentityIQ uses log4j framework for logging. “” is the file where all the logging related properties are configured. IdentityIQ Servers would a need a refresh of the log4j configurations after anything changes to are made.

Usually this kind of refresh is performed through UI from the debug pages in IdentityIQ. Following are the steps to follow for refreshing log4j configurations through UI.

This image has an empty alt attribute; its file name is image-3-1024x279.png
  • Click on the “Logging” option in the menu.
  • Click on “Reload Logging Configuration”

Problem context:

log4j configurations whenever there are any changes have to refreshed across all the servers present in the environment. However, when a load balancer is configured, we might not have control to access individual servers through UI, thus making the refresh of log4j configurations through UI on each server.

Possible solutions:

There are 3 possible solutions for this problem.

  1. Temporarily re-directing load-balancer traffic to only one server and refresh the configurations on the same through debug pages. This process has to be repeated across all the servers.
  2. Accessing IdentityIQ through individual server host-names or IP addresses rather than load balancer URL. This may not be quite helpful as servers are usually configured in a way that individual servers redirect us towards load balancer URL.
  3. Best way in which this could be performed is through IIQ console.
    Following are the steps to follow for the same.
    • Launch IIQ console on one of the servers
    • Modify the as required.
    • Refresh the log4j configurations using the command “logconfig” as shown in the below screenshot.
  • Repeat the above steps for all servers in the environments.

SailPoint Identity Attribute – Configuration Challenges

Identity attributes in SailPoint IdentityIQ are central to any implementation. They usually comprise a lot of information useful for a user’s functioning in the enterprise.

Purpose: The blog speaks about a rare way of configuring the identity attributes in SailPoint which would lead to a few challenges.

Requirements Context: By nature, a few identity attributes need to point to another identity. 2 such use-cases would be:

  1. manager” is an identity attribute which refers to the manager of the employee/contractor.
  2. assistant” can be a custom attribute which refers to the assistant of the employee/contractor. Action items of an employee/contractor can be delegated to this assistant when employee/contractor is on a vacation.

Any identity attribute in IdentityIQ can be configured as either searchable or non-searchable attribute. A searchable attribute has a dedicated database column for itself. In case of attributes like manager, we would ideally need a lot of filtering capability on the attributes and this makes a perfect case for being searchable attribute. A few use-cases where having manager as searchable attributes would help are.

  1. Finding list of identities without managers.
  2. Finding a list of identities with inactive managers.

However, usage of assistant attribute is not quite similar. Not a lot of searching/filtering would happen in a typical IAM implementation based on assistant attribute. It would be preferable to have this attribute as a non-searchable attribute.


As part of the implementation, an extended attribute is configured in the Identity Configuration for assistant attribute as follows.

Assistant identity attribute configuration

The following configuration details are to be observed.

  1. Type of attribute is “Identity“.
  2. Identity attribute is not configured to be searchable as there is no extended number that is configured on this attribute.

Attribute population logic: The attribute is configured to fetch the assistant attribute from Active Directory application and populate the assistant attribute based on the assistant attribute from Active Directory.

Challenge faced: A specific challenge is faced when this type of configuration is used with identity attributes.

Scenario: There will be certain situations where the assistant attribute in Active Directory points to itself. For example, John.Doe’s assistant would be John.Doe himself. This configuration has lead to failure of a lot of operations/tasks due to a SailPoint behavior described below.

Root Cause: SailPoint uses a hibernate for object relational model. Tables in IdentityIQ database are represented by java classes in Identity IQ. In this case, spt_Identity table is represented by the class “sailpoint.object.Identity”. Objects of “sailpoint.object.Identity” class shall correspond to rows in the “spt_Identity” table.

SailPoint has to serialize this Identity objects in the process of storing them in the tables. Non searchable attributes are all stored in an XML CLOB in spt_Identity table. As per the SailPoint’s default behavior, non-searchable attributes are going to be serialized in a recursive fashion. Following the same, serialization shall be attempted on the identity pointed by the assistant attribute.

In the scenario mentioned above where an identity is his/her own assistant, a sub-serialization of same identity as part of assistant attribute serialization is attempted as shown in below diagram.

Recursive Serialization of assistant attribute

Possible Solutions: Above problem can be solved in 2 ways.

  1. Adding checks to avoid self-references.
    Logic to populate such type of identity attribute shall include a check to avoid self-referencing of non-searchable identity attributes.
  2. Using Searchable attributes.
    Avoiding the use of non-searchable attributes for identity attributes of type identity.