Showing results for 
Show  only  | Search instead for 
Did you mean: 

IdentityNow - General FAQs

IdentityNow - General FAQs

IdentityNow - General FAQs

Below are Frequently Asked Questions for topics related to IdentityNow.  If you don't find your question answered here, please contact your Customer Onboarding Manager (COM) if you are in initial deployment, or your Customer Success Manager (CSM).

Register for Compass

Q: Can I use a personal email address to sign up for Compass?

A:  Access to Compass is restricted to our Customers and Partners.  You should register using your work email address so you will be associated correctly with your company.

Q: What if I have a partner company or contractor(s) working on our behalf who may submit Support or Expert Services tickets?

A:  If your contractor or partner has a work email with your company’s domain, have them use that email to register.  If they are going to use their own company work email, you can submit a Support ticket to provide their email address and the duration they have permission to submit cases on your behalf (e.g., 30-60-90 days).

IdentityNow environments & site names

Q: Can we have more than 2 IdentityNow environments?

A: Yes, additional non-production environments can be purchased.  Contact your CSM for more details.

Q: Does IdentityNow support subdomains in the URLs (e.g.,, )?

A: Subdomains are not supported.  In the example above, we suggest & .  If the naming convention goes beyond the 16-character limit, use abbreviations where possible.

Q: Why is there a 16-character limit for my IdentityNow URLs?

A: This IdentityNow requirement has to do with how IDs are created per customer org.

Q:  If we use the recommended URLs suggested by SailPoint, do we have to provide the SSL/TLS certificates for the domains?

A: No.  If you accept the default naming convention (https://* you do not need to submit any additional information, we’ll take care of the rest.

Vanity URLs

Vanity or custom URLs deviate from the standard * naming convention. They are often considered when customers want to associate their own domain with their IdentityNow instance(s).

Things to consider

Time & Complexity  Setting up vanity URLs require additional time consuming and technical steps. They must be completed correctly and submitted to SailPoint before your IdentityNow instances are created. They are a leading cause for delays in starting deployment projects.

Ongoing Maintenance  The certs behind vanity URLs expire over time (normally every 2-3 years), requiring you to provide updated certs to SailPoint.  If this is not completed before expiration, end users will see 'malicious or unsafe site' browser warnings until new certs are provided & processed. 

We urge your team to review the entire process to ensure you are able to create the necessary artifacts found on Compass here:

Vanity urls after your orgs have been created  Requesting vanity urls after your orgs have been created (and you are able to log into your prod & non-prod environments) requires creating new orgs with the new vanity urls--it's not possible to associate this type of url change with your existing org(s). The will require recreating foundational aspects like creating new VAs, connectors, and other customizations.

Q: I've created the vanity URL certificate and key, what next?

A: Open a Support case to submit the cert & keys for processing (NOTE: Submitting a case requires Support Portal credentials):

Q: How does DNS insertion work within IdentityNow?

A: Below is an overview of this process:

    • SailPoint sets up the DNS zone and cloud infrastructure for a vanity URL and sends you the NS servers of the zone we setup for your IdentityNow instances.
    • The customer inserts the NS record to delegate the specific domains to the provided NS servers.
    • Once delegation is complete, any requests browsers make to the vanity domains would be referred to the SailPoint-provided NS servers to resolve so the traffic proceeds to its destination.

In this process--because DNS is part of the cloud infrastructure setup--we require the SSL/TLS certificate from the customer before we can create the cloud infrastructure that responds to the requests. Our DevOps team can create the DNS zone ahead of time and provide customers with the zone delegation information, but keep in mind that without the infrastructure to respond to the requests, the host names will not resolve to any record.

Another option is to take care of this for you by requesting and hosting the certificate for your vanity URL(s) through Amazon Certificate Authority, provided to you free of charge.  This is the quickest path forward to setup custom URLs.

Initial Access to IdentityNow

Q:  Does the shared email address we request for initial Admin access have to be a working email?

A:  Yes, because the initial access into IdentityNow will be delivered via email to that address.  This step grants initial Admin level access to your personnel who will be admins in the deployment, so they will need access to that mailbox.

Configure Virtual Appliances

Q:  Can we setup just 1 VA for our sandbox or non-prod environment(s)?

A:  Yes, at a minimum, you need 1 VA per non-prod environment.  However, for resiliency and to avoid a single point of failure we recommend 2 VAs per environment.

Q:  Can the VA be setup on Windows?

A:  No. The VA software is designed to run Flatcar Container Linux through an .ovf file running on a Virtual Machine.  Our SailPoint Virtual Appliances documentation has all the common Linux commands to manage your VAs.

Q: Are there any options to host VAs in the cloud, rather than on-premise?

A: Yes, VAs can be hosted in your own Amazon Web Service (AWS) or Microsoft Cloud (Azure) instance. Refer to the documentation below for more details (these links require Compass credentials to access):


Cloud VA Deployment with AWS

For Azure

Cloud VA Deployment with Azure

Be sure to review the System and Network Requirements.

Contact your Customer Success Manager if you have any other questions


Q:  We also use IdentityIQ, can we use the Windows system running IQService for IIQ for IdentityNow as well?

A:  You should install a separate instance of IQService for IdentityIQ and IdentityNow.

Q:  How do I know if I need to install SailPoint’s IQService?

A:  If you intend to setup any of the following Connectors, you should install IQService:  Active Directory, Azure Active Directory, IBM Lotus Domino, or Microsoft SharePoint.

Q:  Where should I install IQService?

A:  Install IQService on a windows system that has connectivity to the Domain Controllers you want to manage with IdentityNow.  Ideally these window systems should be located close to the data centers to minimize network latency. 

Please refer to our IQService Admin guide for more details:

Version history
Revision #:
13 of 13
Last update:
‎May 23, 2023 04:46 PM
Updated by: