SailPoint Identity Security Cloud Transforms


SailPoint Identity Security Cloud Transforms are configurable objects that allow us to manipulate attribute data while aggregating from or provisioning to a source. Sometimes transforms are referred to as Seaspray, the codename for transforms. Identity Security Cloud Transforms and Seaspray are essentially the same.

As we can see from the below diagram, we will be providing input to transform, transformation occurs and output will be returned. So, the way transformation occurs depends on the type of operation used. Some of the transform operations are Concatenation, Conditional, Date Format etc.

Transform REST APIs

In order to create the transform, get transform details, update transform or delete any tranform, we can make use of REST APIs available for transforms.

There are 5 REST APIs are available for transforms in V3 and Beta APIs.

Rest APIsDescription
List TransformsList Transform API is used to get list of all available transforms from the tenant
Create TransformCreate Transform API is used to create a new transform and upload it into the tenant.
Transform by IDTransform by ID is used to get the details of a particular transform.
Update TransformUpdate a transform API is used to update any existing transform.
Delete TransformDelete transform API is used to delete any transform using transform ID.

Transform Operations:

In order to make use of transform according to the use case, we should understand various transform operations that are available.

Below are the various types of operations that are available in transform. Each of these operations performs specific task, we can use them according to our needs.

Transform OperationDescription
Account Attribute TransformAccount attribute transform used to look up an account for a particular source on an identity and return a specific attribute value from that account. 
Base64 Decode TransformThe base64 decode transform allows you to take incoming data that has been encoded using a Base64-based text encoding scheme and render the data in its original binary format.
Base64 Encode TransformBase64 transform will take an input, this input is given to base64 encode transform and the encodes string is returned as output.
Decompose Diacritical Marks TransformDecompose diacritical marks transform to clean or standardize symbols used within language to inform the reader how to say or pronounce a letter.
E.164 Phone TransformUse the E.164 phone transform to convert an incoming phone number string into an E.164-compatible number.
Identity Attribute TransformTransform is used to get the users identity attribute value.
Lower TransformThis transform is used to convert input string into lowercase character.
Upper TransformThis transform is used to convert input string into uppercase characters.

In below series of 4 videos, we comprehensively cover all the details around the transforms including basic syntax of transforms, APIs around transforms and all the types of transforms.

Transforms Series – Video 1 of 4:
Below video is the first video in a series of 4 videos about transforms. This part contains an introduction to transforms, syntax of transform, types of Inputs, REST APIs and API Responses.


Transforms Series – Video 2 of 4: Below video is the second video in a series of 4 videos about transforms. This part contains use cases, transform operations like account attribute transform, base64 decode transform, base64 encode transform, concatenation, conditional, date format, date math, date compare, decompose diacritical marks, first valid, generate random string


Transforms Series Video 3 of 4:
Below video is the third video in a series of 4 videos about transforms. This part contains about transform operations like  get end of string, get reference identity attribute, identity attribute, index of , ISO3166, last index of, left pad, look up lower, name normalizer, random alphanumeric, random numeric


Transforms SeriesVideo 4 of 4:
Below video is the fourth video in a series of 4 videos about transforms. This part contains about transform operations like reference, replace all, replace, right pad, rule, split, static, substring, trim, upper, username generator, UUID generator


SailPoint IdentityNow Rules


  • Generally we write Rules when the required goal cannot be achieved by using transforms.
  • It is a Code based Configuration option.
  • A flexible framework that allows for very advanced or complex configurations.
  • You can just think of it as basically just writing Java code.
  • Technically it is Bean Shell however, it is much similar to Java, such that if you are familiar with Java, you will be familiar with Bean Shell.
  • Just like with transforms, the use cases drive the need for a rule and thus we have many different rule types.
  • Rules are very powerful but due to the IdentityNow architecture there are some special considerations regarding rules.
  • Essentially, rules must be very high-quality code because they are being deployed into a multi-tenant service.

Rule Execution :

There are two primary places where you can execute rules one is CLOUD EXECUTION RULE & other one is CONNECTER EXECUTION RULE .

Let us have an overview on the difference between the cloud rules & connector rules

Cloud Executed rules are running in the cloud within the Identity Now tenant. Connector rules run on the virtual appliance which is on-premise inside the customer’s data center

Cloud Execution Rule :

  • Cloud executed rules, as the name implies, are executed within the Identity Now multi-tenant environment.
  • They typically have independent functions for a specific purpose.  For example, calculating an Identity attribute value.
  • Cloud executed rules typically need to query the Identity Now data model in order to complete their work.
  • The rule might need to guarantee uniqueness of a value and it would generate a value and query Identity Now to determine if that value already exists.
  • Access to any Identity Now data is read-only and you can’t make any calls outside of Identity Now such as a REST API from another vendor service.
  • Because they run in a multi-tenant environment,  the are put in a very restricted context and there is a great deal of scrutiny taken during the required review process for rules.
  • We will cover the review process that is required when a cloud-executed rules is submitted later in the presentation.
  • Of course, this all makes sense as you cannot allow rules to effect other tenants if they are poorly written.
  • You also have to restrict the rules context so they can’t access any data from another tenant and things along those lines.

Connecter Execution Rule :

  • Connector executed rules do not run in the cloud which is fairly obvious based on the name.
  • These rules instead run on the VA itself. So they are running in the customers data center and therefore they are not running side by side  with services from another tenant.
  • They are usually extending the connector capabilities. The functions that they perform are quite complex.
  • They do NOT have access to the Identity Now Data Model because they are executing on a virtual appliance.
  • The huge difference here is that they are not subject to a review process by SailPoint. These rules can be uploaded via the REST API and are significantly easier to work with. With that said you still want these rules to be well written.
  • The simple fact is that the possible negative effect of a poorly written connector rule is limited because it is not running within the Identity Now tenant.

SailPoint Provides us with six APIs to perform connector rule operations mentioned below :

  • GET, LIST, CREATE, UPDATE, DELETE, VALIDATE are the APIs that are currently used for connector rule operations.
  • A token with ORG_ADMIN authority is required to perform any operation.

Rule Examples

Example usage:

  • Calculate complex identity attributes. 
  • Calculate complex account attributes. 
  • Provide connector logic

Connector rule Example – If there is a requirement to disable the account based on the number of entitlements or the account should be disabled automatically based on role revocation, this can be achieved by writing a connector rule

Cloud rule Example– This can be used for generating a unique email id which can scan the existing email id’s and generate a unique id for every joiner.

Please subscribe to our social media and stay updated with latest technology content. Thanks you.

SailPoint IdentityIQ Custom Connector


Connectivity is critical to successful IAM deployments. SailPoint is committed to providing design, configuration, troubleshooting and best practice information to deploy and maintain connectivity to target systems. SailPoint IdentityIQ enables you to manage and govern access for digital identities across various applications in your environment. Connectors are the bridges that IdentityIQ uses to communicate with and aggregate data from applications. SailPoint IdentityIQ provides a wide range of OOTB connectors that facilitate integration with variety of systems, applications and data sources. These connectors are designed to simplify the process of managing Identity information and access across different platforms.  

In SailPoint IdentityIQ, a Custom Connector is a specialized integration component that allows the IdentityIQ platform to connect and interact with external systems, applications, or data sources that are not supported by the standard OOTB connectors. Custom connectors extend the capabilities of IdentityIQ by enabling it to manage identity-related information in a wider range of systems. 

High level architecture of Custom connector 

Custom Connector Development

Developing Custom connector in SailPoint IdentityIQ involves creating a Java-based implementation that adheres to the connector framework and API provided by SailPoint.  

This allows you to define the interaction between IdentityIQ and the specific external system you want to integrate with. A typical development of custom connector includes 4 steps – 

  1. Creating a new implementation of functionality and packaging it into JAR file. 
  • The custom connector uses the openconnector framework provided by SailPoint in the openconnector package where there are lot of methods provided for different type of operations.  
  • The custom logic which you want to implement using this custom connector shall be developed in the specified methods.  
  • Once code development is completed, Custom connector code with all the classes must be compiled and packaged to a JAR file.  
  • And the JAR file must be placed in WEB-INF/lib folder of IIQ Installation directory 
  1. Defining Connector type in Connector Registry 
  • Connector Registry is an XML file present in IdentityIQ as Configuration object. This file contains the information about all the different connectors and their related details.  
  • Now that we have created a new connector in our IdentityIQ, we have to declare its information and details in Connector Registry.  
  • Here we will create an xml file consisting of the details pertaining to our custom connector. Once we Import this xml file into IdentityIQ, it will be merged with the existing Connector Registry file in IdentityIQ database allowing IdentityIQ to create a new entry in the list of connectors.  
  • Alternatively, the Connector Registry could be manually edited through the Debug page
  1. Defining .xhtml page which specifies required and optional connection parameters. 
  • Usually, some parameters are required to define the connection to the target resource (e.g. host, port, username, password, etc.).  
  • To allow these parameters to be specified through the UI for each application that uses this connector, an .xhtml page must be written to define how the Application Configuration user interface will request and record those parameters.  
  • This file must be placed in the [IdentityIQ Installation Directory]/define/applications/ directory and must be referenced in the application definition’s XML as the “formPath” entry.  
  1. Testing the connector by Creating an application which uses this connector. 
  • Finally, after completing all the development related activities, one must start the application server which is hosting IdentityIQ.   
  • An Application object must be created for using the IdentityIQ’s UI. Select the configured custom connector as application type to tie it to the connector registry configuration and specifying any connection parameters through the configuration. 
  •  Once the application is onboarded, we can perform all the configured functionalities in it and verify back the results within the targeted external application.  
  • Alternatively, Application connector can be tested from the integration console (run iiq integration from the [IdentityIQ Installation Directory]/WEB-INF/bin directory).  
  • This console can be used to test the various features of your connector including Aggregation and Provisioning

The following presentation gives you clear understanding of custom connector development in detail.

Now let’s have a demo on building custom connector, deploying it into SailPoint IdentityIQ and using it. 

Please subscribe to our social media and stay updated with latest technology content. Thanks!

SailPoint IdentityNow Workflows

About SailPoint IdentityNow Workflows:

IdentityNow workflows are a way to automate processes related to Identity Security Cloud. These processes when carried individually are manual, error prone and laborious in nature.

Here are a few examples of the power of workflows.

  1. Design workflows that can handle a growing number of users onboarding requests, ensuring scalability as the organization hires new employees.
  2. Design workflow to raise tickets in ticketing system to automate the resolution of access-related issues reported by users, ensuring a streamlined process.
  3. Modify an existing workflow to include new steps for managing temporary access during a special project, adapting to changing business needs.
  4. Implement a workflow for access reviews that automatically identifies and revokes unnecessary access rights, ensuring that users only retain permissions relevant to their current roles.
  5. Streamline access request procedures including approval steps for access approval or modification.
  6. Send email alert when an identity changes group in end application.
  7. No human involvement while configuring and activating certification campaign when identity changes department and also send email alert to reviewer.

In this video blog, we will be discussing about the IdentityNow workflows in detail. The following are the key topics that are discussed as part of the blog.

  1. Why SailPoint introduced Workflow in IdentityNow
  2. Available platforms in IdentityNow to build a workflow.
  3. General terminology and use of Inline variables
  4. Simulating and testing a workflow
  5. Migrate workflows between sandbox and production.

The detailed discussion of Workflows, it’s terminology and configuration process are present in the following video.

Detailed demo on developing & testing workflows in all 3 possible ways is present in the following video.

Please subscribe to our socials and stay updated with latest technology content.

SailPoint IdentityNow Automation Testing

Automation testing refers to the testing of the software in which tester write the test script once with the help of testing tools and framework and run it on the software.
The test script automatically tests the software without human intervention and shows the result.

Prerequisites for Automation:
To begin automation testing using Selenium, there are few prerequisites should have in place:

  1. Programming Language: Choose a programming language in which you will write your test scripts. Java, Python, C#, and Ruby are common choices for Selenium automation. You should have a good grasp of the chosen we have chosen java.
  2. Integrated Development Environment (IDE): Install an integrated development environment (IDE) such as Eclipse, IntelliJ IDEA, or Visual Studio Code to write and manage your Selenium scripts. We have chosen Eclipse as IDE platform.
  3. Java Development Kit (JDK): If u opt for Java, you’ll need to install the Java Development Kit (JDK) on your system.
  4. Selenium WebDriver: Download the Selenium WebDriver for your preferred programming language. You can add the WebDriver libraries to your project using build tools like Maven.
  5. Web Browsers: Make sure you have the web browsers you intend to automate (e.g., Chrome, Firefox) installed on your system.
  6. Web Drivers: Selenium interacts with browsers through web drivers. You should have the appropriate web drivers for the browsers you plan to test with (e.g., Chrome Driver, Gecko Driver). These should be downloaded and configured. Ensure that your chosen IDE is integrated with the Selenium WebDriver, making it easier to write, run, and debug test scripts.
  7. Test Framework: Select a test framework such as TestNG or Hybrid. Test frameworks help structure your tests and provide reporting capabilities.

By meeting these prerequisites, you’ll be well. prepared to start automation testing using Selenium and create efficient, maintainable, and effective test scripts.

The following below video showcases a small presentation on automation testing:

Tools used for Automation testing.

  1. Eclipse:
    Eclipse is a digital workspace for automation testing. It’s a special software that makes creating and running automated tests easier. It is used by testers because it’s super flexible and works with different programming languages. It helps in writing, organizing, and running tests for finding problems or bugs in software, making sure everything works smoothly.
  2. Selenium:
    Selenium is an Open source, It Supports multiple languages like java, python, Ruby. Scripts can be run on Multiple browsers like Chrome, Firefox, IE, Microsoft Edge. It supports Multiple operating systems like Linux, Windows, MacOS. It can be integrated with third party applications like TestNG, Cucumber.
  3. TestNG:
    TestNG is a testing framework used with Selenium for automating tests. It allows for organizing test cases, running tests in a specific sequence. It offers annotations to manage test execution flow, such as @Test for defining test cases, @BeforeMethod and @AfterMethod as you can see the highlighted point in the picture for pre and post-test setups, and @DataProvider for parameterization. This combination of Selenium and TestNG helps in efficient and structured automation testing, enabling testers to create, manage, and execute test cases reliably. Generates HTML reports showing test execution details.
  4. Maven:
    Maven is an open-source tool. Maven allows to download all the JARs and Dependencies and manage lifecycle for a Selenium Java project. This makes it easier for the QA to configure dependencies for Selenium Java by automatically downloading the JARs from the Maven repository.

Advantages of Automation testing

Efficiency: Automation testing can execute repetitive and complex tasks faster than manual testing.
Accuracy: Automated tests perform the same steps precisely every time, reducing the chance of human errors.
Reusability: Test scripts can be reused across different phases of development and in various testing scenarios.
Faster Feedback: Automated tests provide rapid feedback on the software’s stability and functionality.

Let us see how we can execute the test cases in the below video:

SailPoint IdentityNow Transforms


Transform allows you to manipulate attributes values while provisioning to a source. It will help in manipulating any incoming data from the source as per the requirement.

Transforms are configurable objects that define easy ways to manipulate attribute data without requiring you to write code. Transforms are configurable building blocks with sets of inputs and outputs.

As we can see in diagram there is Input-Transform-Output. In input the value or data is coming from identity attributes or Account attribute and according to requirement we will write the transforms and in output we can see our result.

Transform syntax

The Transform syntax has the following properties:

  • The basic requirement for a transform is name, type, attributes.
  • For name, we can take any objects and that will reflect to your identity profile.
  • For Type, we can put the transforms according to your requirement.
  • For inputs, the developer can decide whether we want to take the value from identity attribute or Account attribute.

Basic String Operations

These are basic string operation there are 18 transform. These transform are commonly used in any operation.

I will discuss each and every transform.

1)Base64 Decode– This transform is used for converting String to Base64. Basically it used for decoding purpose.

2)Base64 Encode-This transform is used for converting Base64 to String. Basically it used for encoding purpose.

3)Concatenation-Concatenation transform is used for Combining two string. This transform basically used to combined first name and last name.

4)Index Of– The index of transform is used to get the location of a specific substring. Suppose that if we give the string to find the index of a string if its found it will return the index number, if doesn’t find it will return -1.

5)Substring– Substring transform is used to take the specific part of the string with provided begin index and end index.

6)Split– Split Transform basically used to split the string based on the provided delimiter. This transform is often useful when you want to split combined names into their constituent parts or when you want to simplify an ordered list of values into a single attribute.

7)Leftpad – Left pad transform to pad the string left side with a user-supplied character out to a specific number of characters. This transform is often useful for data normalization situations.  such as user IDs are not uniform in length.

8)Right pad– Right pad transform to pad the string right side with a user-supplied character out to a specific number of characters. This transform is often useful for data normalization situations.  such as user IDs are not uniform in length.

9)Replace– Replace transform is used for replace the specific string based on the provided regex.

10)Replace All– Replace All transform used to replace the string based on the provided table attribute of key-value pairs as an argument.

11)Upper– Upper transform use to convert an string into uppercase letters.

12)Lower– Lower transform use to convert an string into lowercase letters.

13)Static– Static transform is use to return a fixed string value, or more commonly, to evaluate Velocity. Static transform can also take other dynamically provided variables as inputs into the value attribute.

14)Last Index of – The  last index of transform is used to get the last location of a specific substring.

15)Trim– Trim transform used to trim whitespaces from both the beginning and ending of input strings.

16)Get End of String– Get end of string transform as an out-of-the-box rule transform provided through SailPoint’s Cloud Services Deployment Utility rule. The transform allows you to get the rightmost N characters of a string.

17) Decompose Diacritial Marks– Decompose Diacritial marks transform is used to remove the diacritical marks.

18)E.164 phone transform:- The E.164 phone transform is used to convert an incoming phone number string into an E.164-compatible number.

Date Operation

Under the date operation there are three transform.

 1)Date compare , 2)Date format , 3)Date Math.

1)Date compare:-The date compare transform is used to compare two dates and, depending on the comparison it will return the one value accordingly.

For comparing the date we can use some of the operation like:- Less than , Less than or equal to , greater than and Greater than or equal to.

 We can use the date compare for calculating the Life cycle state.

2)Date Format:- The date format transform is used to convert datetime strings from one format to another. It is useful when you are syncing data from one system to another, because each application uses a different format for date and time data.

3)Date Math:- Date Math transform can be used for performing mathematical operation like addition, subtractions and rounding of a timestamp.

 It also allows you to work with a referential value of “now” to run operations against the current date and time instead of a fixed value.


Under generators Transform there are six different transforms are present.

Under generators Transform there are six different transforms are present.

1)Generate Random String- Generate Random String Transform provided through SailPoint’s Cloud Services Utility rule. This transform allow us to generate a random string of any length.

2) Random Alphanumeric:- The random alphanumeric transform is used to generate a random string of any provided length, if we do not provide the length it will give the default output that is 32 char. comprising both numbers and letters (both lowercase and uppercase). The maximum allowable value is 450 characters.

3)Username Generator:- To set the logic to use when it determines a unique value for an attribute in an account create profile, utilize the username generator transform. The logic of the generator can be as basic as combining elements of an HR record or the user’s name.

4)Name normalizer:- The name normalizer transform is used to clean or standardize the spelling of strings coming in from source systems. The most common use for this transform is for names.

5)Random Numeric:- The random numeric transform is used to generate a random number of any length. The transform defaults value is 10 char. and maximum allowable value is 450 characters.

6)UUID Generator:-The UUID generator transform is use to create a universal unique ID (UUID) in the form of a 36-character string.

Extending Transforms

Under extending transforms there are two transforms.

1)Reference transform:- The reference transform is used to reuse a transform that has already been written within another transform. We can use this transform when you want to repeat the same logic multiple times within other transforms.

2)Rule Transform:- Rule transform allows you to reuse logic that has already been written for a previous use case. you can use the rule transform to reuse code contained within a Generic rule.

Rules Vs Transforms


  • Transforms are JSON-based configurations, editable with IdentityNow’s transform REST APIs.
  • It supports complex logic to modify aggregation and provisioning process.
  • We can view, create, edit, and delete transforms directly via REST API without any involvement of SailPoint.


  • Rules are implemented with code (typically BeanShell, a Java-like syntax).
  • It support more complex logic.
  • By creating Rules there is involvement of Sailpoint for cloud rules.

Identity Deletion in SailPoint IdentityNow

Identity management (IDM), also known as identity and access management (IAM), ensures that authorized people and only authorized people have access to the technology resources they need to perform their job functions.

And access is managed by the user lifecycle state in IdentityNow. Identity Lifecycle State aims to automate and manage the entire digital identity lifecycle process and access throughout the organization.

Identity lifecycle is a set of stages of the identity from the creation to its deactivation or deletion. It contains a creation of an account, assignment of correct groups and permissions, setting and resetting passwords and in the end deactivation or deletion of the account.

Figure 1: Identity Lifecycle Management

Handling the unwanted identities in SailPoint increases the processing time and reduces the usability of the SailPoint tenant. To reduce the process and speed up the work, in tenant only limited and require identities we can handle, handling is easy and processing the limited identities is a less time-consuming process, so we can delete unwanted and terminated users’ identities from SailPoint.

Now, let us have a look at the SailPoint REST API’s used in the Identity deletion process. Below is the list of APIs used for Identity deletion in SailPoint IdentityNow:

Figure 2:  REST APIs in PowerShell Script connecting with SailPoint IdentityNow

And here, we will be using A personal access token (PAT) is a method of authenticating to an API as a user without providing a username and password.

Prerequisites for Identity deletion:

  1. SailPoint REST API’s.
  2. Client ID and Client Secret.
  3. IQservice Server.

Now, let us discuss the use case of Identity deletion.

Use Case:

All the identities in the “30daysPostTermination” lifecycle state will be deleted from IdentityNow. 

The deleted identities would be re-aggregated in the next aggregation cycle as “Uncorrelated accounts” in target application, and hence would not affect the new hire creation logic and the SAMAccount name would remain unique as per the requirement and the logic defined.

A PowerShell script will be developed to call the APIs to identify all the Identities in the required lifecycle state i.e. “30daysPostTermination” and will delete the accounts from the HRMS Source for all the Identities.

Figure 3: Use Case diagram.

Steps Overview as per the script:

Step1: As part of the PowerShell script first it will read the require details from property file. In property file we can maintain the ClientID, client Secret, base URL, search query, deletion limit, log file path and debug values.

Step2: Authentication API will execute to generate the access token.

Step3: Next Search API will execute and the fetch “30daysPostTermination” lifecycle state identities from SailPoint Tenant.

Step4: One by one Identities will pass to Delete API to delete from SailPoint Tenant.

Let us understand Identity Deletion by using SailPoint REST APIs, use cases and automation of the script via windows task scheduler in the following below presentation:

Advantages of Identities Deletion in SailPoint IdentityNow.

  1. It will increase the usability of the tenant.
  2. It decreases the aggregation and identity refresh process time.
  3. It will fasten the backend processes and reduce the unwanted identity handling.
  4. Reduce the burden on the tenant.

When a user got terminated or left the organization, all access will be removed, and accounts will be disabled.
Now, let us go through a demo on how we can achieve identity deletion in SailPoint IdentityNow.

Triggering Email from PowerShell for NELM users


This blog is intended to demonstrate on automating email notifications for newly on-boarded contractors from IdentityNow. This will help in sending auto email notifications to users & their managers (if required) to reset their first password. This is enabled by running a PowerShell script in a shared folder in the IQ Service Server. In the current process, the IT help desk team needs to reach out to the user for his first login. With the help of PowerShell script, this process can be automated by sharing the password reset link automatically.

Use Case Diagram

The above diagram depicts the overall process flow of the use case with the point of initiation being the IQ Service Server following with the SMTP server.

  • Current IdentityNow templates don’t have email notification which will send Email ID ,password reset link and user manual to end user on his first day to instantly. To achieve this requirement, we have written PowerShell script and rule to achieve desired requirement above diagram gives the overview of how we have achieved this requirement.
  • From UI Request center, HR or Manager will request for an AD account depending on the license to be assigned for the user to be on-boarded.
  • Once request is completed Active Directory account will be created and the After create rule will be triggered.  By using this rule, we are triggering PowerShell script which is placed in IQ service server for sending Email by using SMTP server containing Email Id, Password reset link & user manual. We can also edit the contents to be shared in the email based on the organization requirements.

Detailed discussion on the overall Use case, communication flow and the advantages:

Introduction to IQ Service Server

  • The IQ Service, also known as the Integration Service, is a native Windows service that allows Identity Now to participate in a Windows environment and access information that is only accessible via Windows APIs.
  • It is a lightweight service that must be installed on any supported Windows Server that has connectivity to the target systems you want to manage in Identity Now.
  • It also secures all incoming & outgoing communications of the server. Overall security of the solution and data integrity will be ensured even in crucial stage.
  • We can create several instances on the same machine as per the system requirements.
  • This server is primarily responsible for provisioning in AD from IdentityNow.

IQ Service Communication Flow

  • IdentityNow always push task to a VA cluster queue and from cluster queue, VA will pull the request based on the priority of task.
  • Once request is fetched by VA, VA will communicate to IQService for tasks such as aggregation, create and modify the accounts.
  • IQService server communicates with domain controller using LDAP/LDAPS.
  • IQService receives the data from domain controller and gives it back to VA (Outbound traffic).
  •  Finally VA will give the updated results to the tenant and requests for the new task.

Rule Execution process in IdentityNow

Rule execution can be executed in 2 primary places:

  • Cloud Execution – These rules are executed in the IDN multi-tenant cloud.
  • Connector Execution – These rules are executed on the on-premise IDN virtual appliance.
  • Connector Rules are rules that are executed in the IdentityNow virtual appliance, and they are usually extensions of the connector itself. The rules are particular to only certain connectors since they are frequently applied to carry out complex connector-related tasks. Because these rules function within the virtual appliance, they are unable to access IdentityNow’s data model or collect data from it.
  • The basic logic required to initiate a PowerShell script is derived from the after-creation rule, which then transfers the majority of the subsequent events and/or modifications to the PowerShell script itself. Since this script would be stored on the client’s servers, the customer could easily modify it as needed. Since the code runs outside of the IdentityNow platform, it allows the client to add updates to the PowerShell scripted functionality without requiring SailPoint to review the code.

Demonstration of the use case in IdentityNow

Use of Powershell script in IdentityNow

  • The popularity of scripting languages with Object Oriented capabilities—like PowerShell is because of their simplicity and use.
  • These languages’ native scripts can access request and result objects more quickly and effectively.
  • The Utils.dll class library that is bundled with the IQ Service contains all the necessary classes to access the request and result objects. Process environment variables would be presented as inputs to the script.
  • The environment variables contain XML-based data. Using Utils.dll, the script creates the appropriate objects.
  • Once the object is modified, the script should execute the object’s xml() function to convert it to XML and then send the XML to the path mentioned in the script’s single argument.
  • In the event of an error, the script generates a non-zero value and logs the message in the appropriate file at the specified directory.

Before/ After Scripts for IQ Service

  • The IQ Service allows function customization by allowing the integration of before/after scripts developed using scripting languages such as PowerShell.
  • Any required tasks that cannot be automated with the current source functionalities can be automated with scripts.
  • Native before scripts are scripts that are called before the request is processed; native after scripts are scripts that are called after the request is processed.

The following sources support Before/After Scripts for IQ Service:


  • It will helps end user to get his organization email ID, password Reset Link & User manual for SailPoint as IdentityNow Default email templates don’t have this type of functionality.
  • We can set a customized template and add an initial login guide or any policy documents as an attachments while triggering this email.
  • The dependency on IT help desk team for sharing login details for the newly on-boarded contractors is reduced to a huge extent.
  • Contractors can login to their system almost immediately post completion of the on-boarding without having any downtime.

Genie Integration with SailPoint IdentityIQ

Before going through the Integration of Genie with SailPoint IdentityIQ, let us understand what a ticket and a ticketing system is.

What is a ticket?

A Ticket is a special record that represents an incident, request or event that requires action from the IT department. It contains the necessary details of the incident, request or event.

A ticketing system is a software platform designed to manage and track customer support requests. It streamlines the process of resolving customer issues, making it easier for businesses to provide fast and effective support.

Benefits of embracing a ticketing system in your organization:

  • Control High Volume of Requests from a Centralized Place – Organizations can track and manage inbound support requests with the help of a good ticketing system. The solution can be used by executives to manage support cases more efficiently while still attending to all client issues.
  • Combine interactions into one thread – Your team can use ticketing system to combine customer-related conversations into a single thread when offering customer care to clients via a variety of channels.
  • Process automation and workload management – Ticketing systems provide several potentials for automation. As an illustration, the software gathers assistance requests from several sources before automating the creation of tickets. Regardless of the help channel clients select, tickets are automatically created whenever they submit requests.
  • Adequate team collaboration – Ticketing systems provide a platform to the customer service representatives to collaborate among themselves in assigning tickets to senior associates in terms of P0 escalations.

About Genie:

Genie is a ticketing tool, in which there are different types of tickets such as Work Order tickets, Incident tickets, etc. SailPoint handles creation of below tickets in Genie from SailPoint.

  1. Onboarding ticket
  2. Exit or Off-boarding ticket
    • Provision failure ticket

    Among the above tickets, Onboarding and Off-boarding tickets are Work Order tickets and Provision failure ticket is an Incident ticket.

    Integration with SailPoint IdentityIQ:

    Genie is integrated with SailPoint using REST APIs.

    Below is the high-level architecture of Genie – SailPoint Integration

    High level architecture

    Now, let us have a look at the APIs used in the Integration process. Below is the list of APIs used for creating tickets and getting specific ticket details:

    1. Generate Authentication key: We are using this API to generate an Authentication key. Here, the generated Authentication key expires for every few minutes.
    2. Creating Work Order ticket: We are using this API to create a Work Order ticket in Genie.
    3. Get specific Work Order ticket: We are using this API to Get a specific Work Order ticket details. In other words, it is used to Retrieve the Work Order ID of the submitted request.
    4. Creating Incident ticket: We are using this API to create a Work Order ticket in Genie.
    5. Get specific Incident ticket: We are using this API to Get a specific Incident ticket details. In other words, it is used to Retrieve the Incident number of the submitted request.

    Prerequisites for integrating Genie with SailPoint:

    Following are the prerequisites that are essential for integration of Genie with SailPoint IdentityIQ

    1. Genie API details for creating tickets
    2. Base URL and Authentication details of the APIs
    3. Access to Genie Test Instance
    4. Database table to store the ticket details
    5. Connection details of the Database

    Now, let us discuss the use cases involved in the integration process.

    Use Cases

    1. Onboarding Ticket Creation:

    An Onboarding Work order ticket will be created in Genie from SailPoint when a new joiner joins the organization and his/her account is created in Truth Source and Active Directory applications.

    The ticket contains details of the New Joiner such as Start Date, First Name, Last Name, Employee ID, Employment Type, AD ID, Domain ID, Contact Information, etc.

    Onboarding ticket creation process

    Success case:

    Once the ticket gets created in Genie successfully, the details of the created ticket such as    Work Order ID, Creation Date, Request ID and ticket summary will be added to the database table.

    Failure case:

    If the ticket creation fails for some reason, then an Email notification containing the New Joiner’s details, will be triggered to the respective stakeholders.

    1. Exit or Off-boarding Ticket Creation

    An Exit or Off-boarding Work order ticket will be created in Genie when HR assigns the Last working date of the user in Truth source and that Last working date is 7 days away from today’s date.

    The ticket contains details of the End dated user such as Last Working Date, First Name, Last Name, Employee ID, Employment Type, AD ID, Domain ID, Contact Information, etc.

    Exit ticket creation process

    Success case:
    Once the ticket gets created in Genie successfully, the details of the created ticket such as Work Order ID, Creation Date, Request ID and ticket summary will be added to the database table.
    Failure case:
    If the ticket creation fails for some reason, then an Email notification with the End Dated user’s details, will be triggered to the respective stakeholders specifying.

    1. Provisioning Failure (Incident Ticket)

    A Provisioning Failure (Incident) ticket per application will be created if the provisioning operations failed in SailPoint in last 24 hours. In this use case, applications under consideration are Active Directory, G-Suite and OpenLDAP and operations under consideration are Create, Enable, Disable and Delete.

    For example, if the Disable operation failed in Active Directory for an account, then a ticket (which will be of Incident type) will be created in Genie containing the details such as Type of operation failed and Display Name, Employee ID, email, sAMAccountName, userPrincipalName, distinguishedName, etc details of the account.

    Provisioning Failure ticket creation process

    Success case:

    Once the ticket gets created in Genie successfully, the details of the created ticket such as Incident Number, Creation Date, Request ID and ticket summary will be added to the database table.

    Failure case:

    If the ticket creation fails for some reason, then an Email notification will be triggered to the respective stakeholders specifying Type of operation failed, Application name in which Provisioning failed and Display Name, Employee ID, email, etc. details of the account.

    Now, let us understand the advantages of integrating a ticketing system with SailPoint IdentityIQ when compared with a traditional ITSM.

    Advantages of Integrating Genie with SailPoint IdentityIQ:

    1. In this integration, we have automated the creation of onboarding tickets for New Joiners. Whereas in traditional ITSM’s, the ticket should be created manually by the end user.
    2. While creating tickets in Genie, SailPoint uses the data coming from Truth Source which will be updated by the HR team. Whereas in traditional ITSM’s, there is every chance that end user does not give the mandatory details required by IT team to perform necessary action on that ticket or the end user mistakenly may also enter incorrect details. So, IT team might need to contact the HR team or the end user, which is a time-consuming process.
    3. In this integration, we will be using the details of the user as per the Truth Source application while creating the ticket. So, the IT team may not wait for the communication from the concerned team.
    4. Whereas in traditional ITSM’s, when the ticket is created, the IT team should get certain required details from the concerned team manually. The Exit ticket will be created automatically when the end-dated user is one week away from the Last Working date, which gives the IT team ample amount of time to take necessary actions such as collection of assets and disabling of access.
    5. In this integration, we are storing the ticket details such as Work Order ID, Incident Number, Creation Date, Request ID and Summary in the database table for all the tickets created from SailPoint. So, we can use this table’s data for auditing purposes which ensures centralized governance.
    6. The Incident tickets are created every day (one ticket per application) from SailPoint in Genie for applications such as Active Directory, G-Suite and OpenLDAP and for operations such as Create, Enable, Disable and Delete, if the provisioning fails in these applications. The point to be noted here is, if in an application, no provisioning operations failed for that day, then no ticket will be created for that application for the particular day. But, there is every chance that, one ticket per application will be created where each ticket contains the information of all the accounts for which Provisioning failed. Using SailPoint, this is one of the critical advantages of integrating genie with SailPoint IIQ. Whereas in traditional ITSM’s, this needs to be done manually, which will be a tedious task to do.

    The detailed discussion of APIs, use cases and integration approach is discussed in the following video:

    Now, let us a have a demo on integration of Genie with SailPoint IdentityIQ in the following video:

    SAP SuccessFactors Integration with SailPoint IdentityNow

    SAP SuccessFactors integration with  SailPoint IdentityNow.

    SuccessFactors is an SAP product suite to provide cloud-based solution to manage business alignment, people performance, recruitment, and employee central and learning activities for all sizes of organizations.

    SAP SuccessFactors is cloud based HCM solution and is designed on Software as a Service (SaaS) cloud model. Software as a Service is also known as On-demand software solution where software is licensed on a subscription basis and is centrally hosted.

    SaaS has become a common delivery model for many business applications, including office and messaging software, payroll processing software, DBMS software, management software, CAD software, development software, gamification, virtualization, accounting, collaboration, customer relationship management (CRM), management information systems (MIS), enterprise resource planning (ERP), invoicing, human resource management (HRM), talent acquisition management and other software and infrastructure services.

    • In SaaS, software and application data is hosted on a remote cloud and can be accessed on demand from any location using secured login credentials.
    • SaaS software is multitenant that allows many instances of the software to be accessed and are on the same application version.
    • Users have an option to select features and functionality to use in the standard solution and in the regular releases that are introduced by the vendor.
    • SaaS Solution is based on multitenant architecture where a single configuration is applied for all the tenants or customers. To provide scalability, you install application on multiple machines.

    IdentityNow SAP SuccessFactors connector supports Account Management for loading accounts, delta aggregation and Provisioning.

    SAP SuccessFactors integration with SailPoint IdentityNow Blog


    At-least Virtual Appliance need to be configured in order to have communication between IdentityNow cloud and SAP source however SailPoint recommends to have 2 virtual appliances in cluster.

    Permissions required :

    •Test connection : To test the connectivity from IDN cloud to SAP SuccessFactors source.

    •Account Aggregation : To aggregate account details to IDN cloud.

    •To perform connection tasks, must have the following permissions:

    a. SFAPI User Login

    b. Employee Central HRIS SOAP API

    •For example, The Success Factor source aggregates the employee data from the SuccessFactors managed system based on the Picklist configuration which is a configurable set of options or selection lists used to populate a data input field with one of a number of predefined values in the Success Factors that can be obtained.

    Next for aggregation we required the following permission:

    • Manage User : Employee Export
    • Metadata Framework : Admin access to MDF OData API
    • Manage System Properties : Picklist Management and Picklists Mappings Setup
    • Employee Central API : Employee Central Foundation OData API (read-only), Employee Central HRIS OData API (read-only), Manage Role-Based Permission Access

    Let us see prerequisites for SAP SF integration.

    •For configuring the base URL for IdentityNow tenant we need to configure data center wise.

    •The base url will vary from datacentre to datacentre.

    •In the blog we have provided the link for SuccessFactors API URLs for different Datacenters.

    SAP SuccessFactors integration with SailPoint IdentityNow Demo