Skip to content

SailPoint Identity Security Cloud (ISC) Onboarding Guide

Follow this step-by-step procedure to link your SailPoint Identity Security Cloud tenant with the SailPoint Entro platform.

Prerequisites

  • Administrative access to your target SailPoint Identity Security Cloud tenant.

  • Explicit permissions to create new API Clients (Admin → Global → Security Settings → API Management).

  • A valid SailPoint Tenant URL (e.g. https://acme.api.identitysecuritycloud.com).

  • Network reachability enabling outbound HTTPS access over port 443 from your Worker Group host to the SailPoint Entro API and SailPoint tenant API endpoints.

Caution

If Data Segmentation is turned on inside your SailPoint tenant, API Clients using Client Credentials are blocked from parsing roles or entitlements. You must disable Data Segmentation before beginning onboarding.


Step-by-Step Configuration

  1. Log in to SailPoint ISC

    Log in to your SailPoint enterprise tenant admin console as an infrastructure administrator (possessing the ORG_ADMIN user level or equivalent rules allowing API Client setup).

  2. Navigate to API Management

    From the admin panel interface, open the navigation menu and go to AdminGlobalSecurity SettingsAPI Management. Click the + New button to initiate the client configuration window.

  3. Populate the New API Client Form

    Provide the following precise details inside the configuration wizard:

    • Description: Input a distinct identifier to track this specific token connection (e.g. Entro Integration).

    • Grant Types: Check the box for Client Credentials only. Leave Refresh Token and Authorization Code unchecked.

      Note: Selecting alternative grant options breaks the background automated service task sync, resulting in validation errors.

    • Scopes: Use the scope search tool to find and explicitly toggle ON the following five items. Ensure all other unlisted scopes remain toggled OFF:

      • sp:scopes:default (Baseline token authorization requirement; essential for Search API use)

      • idn:role-unchecked:read (Enables reading SailPoint Roles and structural identity-to-role assignments)

      • idn:accounts:read (Enables reading linked source target accounts to support identity correlation engines)

      • idn:sources:read (Enables reading source engine metadata references)

      • idn:identity-profile:read (Enables scanning identity profile structural properties)

    Caution

    Do not enable sp:scopes:all. This grants broad access levels tied directly to the API Client owner's global user rights, violating the Principle of Least Privilege engineering practices. The five specific scopes listed above are sufficient.

  4. Provision Client and Copy Token Secrets

    Click the Create button at the base of the settings page. The interface will display a one-time generated Client ID and Client Secret.

    • Copy the Client Secret string immediately. It is concealed permanently once the window closes. If lost, you must delete the client item and start over.

    • Retain the Client ID, Client Secret, and Tenant URL inside a secure vault for insertion during the next section.

  5. Activate Integration in SailPoint Entro Console

    1. Log in to your SailPoint Entro environment.

    2. Navigate precisely to: ManagementAccounts & IntegrationsAdd New Account (top right)SailPoint ISC.

    3. Fill out the displayed configuration fields:

      • Environment Nickname: Enter a tracking name for this specific connection target (e.g. Acme-Prod-ISC).

      • Tenant URL: Provide the base endpoint path collected in Step 4 (e.g. https://acme.api.identitysecuritycloud.com).

      • Client ID: Paste the alphanumeric ID string from Step 4.

      • Client Secret: Paste the secret string token from Step 4.

      • Worker Group (Connector): Pick the designated active worker configuration group assigned to handle these platform discovery scans.

    4. Click the Connect button to save the configuration profile.

  6. Monitor Automated Verification Status

    SailPoint Entro automatically initiates background validation tests by requesting an access token and executing a read verify query. This task usually completes in under one minute:

    • Valid (Verified): The platform connection is established; automated inventory mapping tasks will initiate on the next scheduled run interval.

    • Invalid: The authentication process failed. Review the provided verification failure message details to target structural configuration mistakes.