Event Triggers in SailPoint's Cloud Services


IdentityNow has a set of event triggers that you can configure to connect to webhooks in third-party systems. This feature is currently in Early Access.

Some triggers are available by default. You can request other triggers from a list.



  • A familiarity with event triggers and webhooks
  • Access to a third-party system with the ability to configure webhooks

Available Event Triggers

You can subscribe to the following triggers in SailPoint's cloud services by default, in both the API and UI:

  • Identity Attribute Changed - One or more identity attributes were changed.
  • Identity Created - An identity was created.
  • Identity Deleted - An identity was deleted from IdentityNow, sometimes because their account on the authoritative source was removed or because their required attributes are no longer correctly filled.
  • Scheduled Search - A scheduled search completed, and the results are available.
  • Identity Aggregation Completed - An account aggregation completed, was terminated, or failed.

The following triggers can be enabled for your org in both the API and UI upon request:

  • Access Request Decision - An access request was approved or denied.
  • Access Request Submitted - An access request to add or remove access from a user was submitted.
  • Provisioning Completed - A provisioning action completed on a source.
  • Access Request Dynamic Approval - An access request to add or remove access from a user was submitted. This trigger adds an identity or governance group to the review process based on criteria you add.

Event Trigger Details

By clicking each event trigger, you can see details about the trigger that you'll need to configure the webhook.

  • Trigger Name - The name of the trigger in SailPoint's cloud services.
  • Trigger ID - The unique ID of the trigger.
  • Description - A description of what causes the trigger to fire, sometimes with additional information.
  • Type - Whether the trigger is a Fire and Forget trigger or a Response Required trigger.
  • Input Schema - The schema of the JSON blob IdentityNow sends to the webhook. You can also see an Example Input.
  • Output Schema - The schema of the JSON blob IdentityNow expects to be returned from a webhook for Response Required triggers. You can also see an Example Output.


Configuring Subscriptions to Event Triggers in SailPoint's Cloud Services

All event triggers can be configured using the API.

IMPORTANT: Before configuring a subscription in IdentityNow, make sure you've configured the information the webhook needs to receive event triggers.

Complete the following steps:

1. Sign in to SailPoint's cloud services and go to the Admin interface.

2. Click Event Triggers.

A list of available triggers is displayed.

3. Click the Subscribe button beside a trigger to subscribe to it.

A Fire and Forget trigger can have up to 50 subscriptions. A Response Required trigger can have only one.

4. Enter the following information for your subscription:

  • Subscription Name - Enter a unique name for your subscription.
  • Description - Optionally enter a description for your subscription.
  • Subscription Type - Choose whether your subscription will be an HTTP subscription or an Amazon EventBridge subscription.
    If you choose HTTP, you will be required to complete the following field:
    • Integration URL - The URL of the webhook.

    If you choose Amazon EventBridge, you will be required to complete the following fields:

    • AWS Region - Your AWS region
    • AWS Account ID - Your AWS Account ID
  • Filter - Optionally, enter a JSON XPath filter expression to specify the conditions under which this trigger should fire.
  • Response Type - For Response Required triggers, specify whether you want the response to be synchronous or asynchronous. You can also choose to allow the integration to provide this information. This is sometimes known as dynamic.
  • Response Deadline - For Response Required triggers using an asynchronous response type, specify how long SailPoint's cloud service should wait for a 200 response before timing out. Use ISO 8601 Duration format. The default Response Deadline is 1 hour.
    The Response Deadline for synchronous triggers is 10 seconds. This can't be modified.
  • Authentication Type - Choose the type of authentication to use. You may be asked to complete additional fields.
    If you choose Bearer Token, you will be required to complete the following field:
    • Bearer Token - The bearer token used for authentication into the integration

    If you choose Basic Auth, you will be required to complete the following fields:

    • User Name - A user name to the integration service
    • Password - The password for the integration service account
  • Enabled/Disabled - Determine whether this subscription is enabled or disabled.

5. Click Save.
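On the receiving side, the webhook should reject any request that does not carry the credentials entered under Authentication Type. The following is an added example, not SailPoint code: it checks the header in constant time and accepts only the one scheme the subscription was configured with. It assumes the credentials arrive in the standard HTTP Authorization header; the function names, the `auth_type` values and the sample secrets are constructed for illustration.

```python
import base64
import hmac

# Constructed sample values; load real ones from a secret store.
BEARER_TOKEN = "constructed-sample-token"
BASIC_USER = "constructed-user"
BASIC_PASSWORD = "constructed-password"


def _same(a: str, b: str) -> bool:
    # Constant-time comparison so response timing does not leak the secret.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def basic_header(user: str, password: str) -> str:
    # Builds the header value a Basic Auth subscription would present.
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def is_authorized(header, auth_type: str) -> bool:
    """Accept only the one scheme this subscription was configured with.

    auth_type is "bearer" or "basic" (hypothetical names for this example).
    """
    if not header:
        return False
    scheme, _, value = header.partition(" ")
    value = value.strip()
    if scheme.lower() != auth_type or not value:
        return False
    if auth_type == "bearer":
        return _same(value, BEARER_TOKEN)
    if auth_type == "basic":
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except ValueError:  # covers bad base64 and bad UTF-8
            return False
        user, sep, password = decoded.partition(":")
        # Compare both fields before combining, so a wrong user name
        # does not skip the password comparison.
        user_ok = _same(user, BASIC_USER)
        password_ok = _same(password, BASIC_PASSWORD)
        return bool(sep) and user_ok and password_ok
    return False
```

Return a 401 without processing the body when `is_authorized` is false, and serve the Integration URL over HTTPS so the token or password is not exposed in transit.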



You can take several actions on the Subscriptions page.

Click the slider in the Enabled/Disabled column to change the status of the subscription.

Click the menu icon beside a subscription to do the following:

  • Edit an existing subscription
  • Delete that subscription
  • View the Activity Log for that specific trigger
  • Select Test Subscription to send a test of this trigger using mock data.

Click Activity Log in the left menu to see a complete list of activity for all subscriptions in your org.

Last update: Apr 15, 2021 12:40 PM (revision 22 of 22)