We've compiled a list of the most common questions we've heard in our thousands of hours of customer interactions.
Want to find out how to track access request activities in IdentityNow? Need to migrate your IdentityIQ implementation to the cloud? We've got answers for you.
Are there any known product limits in Identity Security Cloud and IdentityNow?
There are some limits noted within various sections of the SailPoint Identity Services product documentation. There may be other recommended and enforced limits to be aware of, so please communicate any concerns through your Customer Success Manager, and we will do our best to address them. For example, we may recommend alternative implementation strategies to avoid potential performance issues.
Can we configure certification reminders and escalations in IdentityIQ?
IdentityIQ supports configuring both reminder and escalation settings for certifications. Configuration is done for each certification campaign and is available for all certification types. IdentityIQ provides a great deal of flexibility for specifying the frequency, timing, and email template used for reminder notifications. Additionally, IdentityIQ provides the ability to configure escalatio...
Can we configure certification reminders and escalations in IdentityNow?
IdentityNow does not currently support configuring reminder and escalation settings for certifications. The system will send an email notification to reviewers when a certification campaign is started, then a reminder email notification is sent every seven (7) days after that until they sign off, the certification expires, or an administrator completes the campaign for them by choosing to maintai...
Can we deploy File Access Manager in the cloud?
File Access Manager (FAM) can be deployed in a cloud environment with on-premises collectors that harvest information from target applications. For more information, refer to the FAM product documentation (specifically, the Architecture section of the Administration Guide), as well as any applicable guidance and resources available via the SailPoint Community.
Does Identity Security Cloud support single sign-on (SSO)?
Identity Security Cloud (i.e., IdentityNow, etc.) supports integration with single sign-on (SSO) solutions via the SAML protocol. For more information, including details on configuration and testing, refer to the official product documentation.
Does IdentityIQ support requesting temporary access?
IdentityIQ supports the temporary assignment of roles and entitlements by allowing users submitting an access request to set a beginning (sunrise) and/or an end (sunset) date for access. Access will be provisioned on the sunrise date, and automatically deprovisioned on the sunset date. These dates can be set either per item or for all items in an access request. Users responsible for approving ...
Does IdentityNow support external password reset integrations?
IdentityNow supports integration with Duo Web as an external password reset method. For more information, refer to the official product documentation.
Does SailPoint publish any performance metrics or baselines we can evaluate?
SailPoint does not currently publish any performance metrics or baselines for our products and solutions. There are typically many factors that may affect performance, including customer-specific environmental factors. As such, it may be misleading to publish performance metrics or baselines that were derived from potentially non-representative environments. Additionally, given the seemingly endl...
How can we accelerate application onboarding in IdentityIQ?
The Rapid Setup feature of IdentityIQ (introduced in version 8.1p1) is a business-user-friendly interface that offers a streamlined way to onboard applications and handle common identity management scenarios such as joiner, mover, leaver, and terminating identities. It provides pre-configured processes that follow best practices for managing identities. Rapid Setup lets you separate the technic...
How can we automate application onboarding in IdentityIQ?
IdentityIQ customers have a couple of options for (partially or fully) automating application onboarding: (1) Using a task: the Application Builder task (introduced in version 7.3) lets you create multiple IdentityIQ applications and update existing applications in bulk via inputs specified in a CSV file. (2) Using the Java API: similar to how the task above works, the internal IdentityIQ Java A...
How can we leverage SoD and governance policies in IdentityIQ?
Separation of Duties, or SoD, and governance policies in IdentityIQ may be leveraged to both detect unwanted access conditions and prevent violations during certain requests. To leverage SoD and governance policies in a detective manner, both aggregation and refresh tasks may be configured to evaluate active policies in IdentityIQ, and any resulting violations will be sent to the configured use...
How can we leverage SoD and governance policies in IdentityNow?
Separation of Duties, or SoD, and governance policies may be leveraged to detect unwanted access conditions in Identity Security Cloud and IdentityNow. Additionally, SoD policies may also be leveraged to prevent violations during requests for access. To leverage SoD and governance policies in a detective manner, reports of policy violations may be generated per policy on an ad-hoc basis. Violat...
How can we manage identity lifecycle provisioning with Identity Security Cloud?
With respect to provisioning, managing identity lifecycle in Identity Security Cloud typically involves facilitating the changes to accounts, access, and attributes. Focusing on accounts and access, there are two primary ways to configure lifecycle provisioning: (1) lifecycle states and (2) roles. The recommended approach is to use lifecycle states for account management (i.e., enabling and disabling ...
How can we manage identity lifecycle provisioning with IdentityIQ?
With respect to provisioning, managing identity lifecycle in IdentityIQ typically involves facilitating the changes to accounts, access, and attributes. Focusing on accounts and access, there are two primary ways to configure lifecycle provisioning: (1) lifecycle events and (2) roles. The recommended approach is to use Rapid Setup, which was introduced in the 8.1p1 release of IdentityIQ, for both acco...
How can we monitor provisioning activity in Identity Security Cloud?
There are two primary ways to monitor provisioning activity in Identity Security Cloud: (1) reporting and (2) the admin interface. The Provisioning Activity report provides information about individual provisioning events, and can be viewed online or downloaded. Within the administrative interface of Identity Security Cloud, the Provisioning Activities table shows the last 7 days of provisioning activit...
How can we track access request activity in IdentityNow?
Identity Security Cloud and IdentityNow customers can track access requests by navigating to Search > Reports > Access Request Activity. Customers can also enter the search query type:"ACCESS_REQUEST" to retrieve this information. However, note that only users with sufficient access levels will be able to perform the operations above.
How do we ensure optimal performance of File Access Manager?
In order to ensure optimal performance of File Access Manager (FAM), be sure to reference both the official product documentation and the resources available via the SailPoint Compass Community. With respect to the latter, in particular, the File Access Manager Hardware Sizing Guide and the FAM Database Sizing Tool are resources that will inform adequate sizing and performance scaling of deployme...
How do we ensure optimal performance of IdentityIQ?
In order to ensure optimal performance of IdentityIQ, be sure to reference the IdentityIQ Performance Resources via the SailPoint Compass Community. In particular, the Performance Management Guide for IdentityIQ and the Partitioning Best Practices resources contain useful information and guidance regarding configuration and considerations affecting the performance of IdentityIQ. Additionally, t...
How do we integrate our SIEM and SOAR solutions with IdentityIQ?
There are two primary approaches for integrating security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solutions with IdentityIQ: (1) have the SIEM and SOAR solutions consume IdentityIQ event and log data; (2) automate event response from the SIEM and SOAR solution via IdentityIQ. Both of these approaches may be handled using the SailPoint SIEM...
How do we integrate our SIEM and SOAR solutions with IdentityNow?
There are two primary approaches for integrating security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solutions with Identity Security Cloud and IdentityNow: (1) have the SIEM and SOAR solutions consume IdentityNow event and log data; (2) automate event response from the SIEM and SOAR solution via IdentityNow. For the first integration approac...
Should we upgrade IdentityIQ, then upgrade its underlying infrastructure components, or vice versa?
Often new releases of IdentityIQ drop support for older versions of required infrastructure components, such as older versions of Java application servers (i.e., Tomcat, WebLogic, WebSphere, etc.) or databases (i.e., Oracle, MS SQL Server, MySQL, etc.). Thus, upgrading IdentityIQ would require upgrading these underlying platforms to the supported versions for the target IdentityIQ release. Howeve...
We are migrating our IT systems to the cloud; how should we adjust connectivity with IdentityNow?
When migrating IT systems integrated with Identity Security Cloud and IdentityNow to cloud infrastructure, if connectivity is facilitated by a Virtual Appliance (VA), then the VA can also be migrated to the cloud in order to remain in close network proximity to the source it is connecting to. Refer to the documentation on deploying Virtual Appliances for more information (specifically the deplo...
We have a mandate to migrate our IdentityIQ solution to the cloud; what are our options?
To migrate an IdentityIQ solution to the cloud, there are two primary options: (1) migrate the current implementation to SailPoint’s Identity Security Cloud (i.e., IdentityNow, etc.); (2) migrate the existing IdentityIQ deployment to cloud infrastructure (i.e., AWS, Azure, private cloud, etc.). For the first option, SailPoint has a cloud migration program led by a dedicated team. As part of this ...
We need to upgrade across multiple versions of IdentityIQ; what is the best way to do this?
Customers must perform an upgrade to every General Availability (GA) release of IdentityIQ between the currently installed version and the final target version, but none of the patches on those interim versions are required. For more information, please reference the Upgrade Path through IdentityIQ Versions document via the SailPoint Community.
We would like to use container virtualization for our IdentityIQ deployment; is this feasible?
We have IdentityIQ customers that have successfully deployed using containerization technologies, and the application server requirements for the platform are light enough that they are generally suitable to this deployment model. A set of best practices and considerations regarding containerized IdentityIQ deployments is available via the SailPoint Community. However, one should consider the b...
What are our options for integrating our PAM solution with IdentityIQ?
There are two categories of options for integrating IdentityIQ with Privileged Access Management (PAM) solutions: (1) utilize the PAM Module (licensed separately), which is available for any PAM solution that supports the SCIM protocol and includes dedicated in-product interfaces and exclusive features (see below); (2) utilize the SCIM connector to connect to PAM solutions that support the protocol. The b...
What are our options for integrating our PAM solution with IdentityNow?
There are two categories of options for integrating Identity Security Cloud and IdentityNow with Privileged Access Management (PAM) solutions: (1) utilize the direct connectors (licensed separately) currently available for CyberArk, BeyondTrust, and Delinea (formerly known as Thycotic); (2) utilize the SCIM connector to connect to other PAM solutions that support the protocol. For the vendors and...
What authentication options and methods are available in IdentityNow for password resets?
There are two main options for authenticating users for password reset (and account unlock) requests: (1) have IdentityNow perform the authentication; (2) have an external Identity Provider (IDP) perform the authentication. For the first option, there are multiple authentication methods available. These include both internal (SailPoint) and external methods. For more information, refer to Setting...
What is certification fatigue and what are some best practices for avoiding it?
Certification fatigue happens when your reviewers, faced with hundreds or thousands of individual access line-items to review, become overwhelmed. Delays and mistakes can result - or worse, your reviewers may start rubber-stamping approvals on access items they don’t fully understand, or don’t have the time to examine carefully. Some best practices for avoiding certification fatigue include usi...
What is the best way to manage the updates to Identity Security Cloud?
Managing updates to Identity Security Cloud (i.e., IdentityNow, etc.) is covered under the “SailPoint SaaS Updates” section (and associated sub-sections) of the SailPoint SaaS Change Management and Deployment Best Practices resource available via the SailPoint Community.
What is the difference between privileged access versus account management?
Generally speaking, Privileged Access Management (PAM) is an umbrella term that would include Privileged Account Management (also abbreviated PAM, and often used interchangeably, despite some key differences). Privileged access may specifically refer to a point of access (such as an entitlement or enterprise role) that grants elevated permissions. Typically, an account dedicated to facilitating p...
What is the difference between SoD and governance policies?
Governance policies are the codification of unwanted access conditions, such that these conditions may be detected or prevented. Separation of Duties, or SoD, is a type of governance policy that specifically codifies conflicting sets of access. Typically, SoD policies are used to detect or prevent access conditions that may allow potentially fraudulent activity, by ensuring that a single indivi...
What types of multi-factor authentication (MFA) integrations does IdentityNow support?
IdentityNow supports the following multi-factor authentication (MFA) integration use cases. Strong Authentication for Login, Password Resets, and Account Unlocks: integrations with PingFederate (as an external identity provider), RSA SecurID, Symantec VIP, and SafeNet are available. Refer to the official product documentation for more information regarding configuring strong authentication ...
Where can we find a list of all connectors and integrations available in IdentityIQ?
A list of all the connectors and integrations available in IdentityIQ can be found via the official product documentation. However, please note that some connectors and integrations may require separate licensing. In addition, the Connector Directory available via the SailPoint Compass Community also lists systems that have been integrated using a generic connector (such as Web Services, JDBC, ...
Where can we find a list of all connectors and integrations available in IdentityNow?
A list of all the connectors and integrations available in IdentityNow can be found via the official product documentation. However, please note that some connectors and integrations may require separate licensing. In addition, the Connector Directory available via the SailPoint Compass Community also lists systems that have been integrated using a generic connector (such as Web Services, JDBC,...
Where can we find guidance on File Access Manager upgrade best practices?
The SailPoint Product Documentation includes an Upgrade section with instructions and guidance for upgrading to the latest version of File Access Manager (FAM), and links to similar “Upgrade Guide” content can be found for previous versions under the File Access Manager product documentation pages via the SailPoint Community.
Where can we find guidance on IdentityIQ upgrade best practices?
The Upgrade Best Practices guide is the definitive resource for guidance and advice regarding upgrading IdentityIQ. The guide is incredibly thorough and it is recommended that customers take their time to read and comprehend the material, as it answers most common questions, and can help to avoid common pitfalls. As noted in the guide linked above, customers should also reference the IdentityIQ...
Where can we find information on what’s new or upcoming in File Access Manager?
File Access Manager (FAM) customers can be informed of upcoming changes by subscribing to the File Access Manager Blog (open the “Options” menu on the page and select “Subscribe”). Additionally, the SailPoint Product Documentation includes a Release Notes section with an overview of new features in the latest version of FAM, and links to similar “What’s New” content can be found for previous vers...
Where can we find information on what’s new or upcoming in Identity Security Cloud?
Identity Security Cloud (i.e., IdentityNow, etc.) customers can be informed of upcoming changes by subscribing to the SaaS Updates Blog (open the “Options” menu on the page and select “Subscribe”). Additionally, a SaaS Release Notes page is available with more information on both production and preview (non-production) updates. Finally, the “Product Talks” series of on-demand Community Eve...
Where can we find information on what’s new or upcoming in IdentityIQ?
IdentityIQ customers can be informed of upcoming changes by subscribing to the IdentityIQ Blog (open the “Options” menu on the page and select “Subscribe”). Additionally, the “What’s New” links under the IdentityIQ Product Guides page offer a summary of new features in each release. Finally, the “Product Talks” series of on-demand Community Events periodically features IdentityIQ product roadma...
Why are there known product limits in IdentityNow and what is being done to address them?
It is important for SailPoint to understand what our infrastructure can support so that customers do not plan and implement an environment that results in poor performance. By understanding our limitations, we can adjust as we hear from market demands and do so intentionally and with confidence. We are continually working to improve our performance, including addressing known limits, and will c...