
Managing Identities

In IdentityNow, users are represented by identities. The identity list serves as a repository for data about users, and can calculate the data that’s authoritative based on admin-configured rules. An identity can also serve as an authoritative account for a user that includes attributes such as a user's first name, last name, and email as well as roles and entitlements used to grant access. Since most users won't ever sign in to IdentityNow, however, they will not be using their identities like accounts.

To access the list of all the identities in your org, go to the Admin interface and select Identities > Identity List.

Identity list with the name, email, account ID, and status of each identity in IdentityNow.


The list is designed to display a maximum of 250 identities per page. Use the controls at the bottom of the page to display additional identities.

Working with Identities

You can do the following from the identity list:

  • Send a user an email by selecting the email icon.

  • Invite users to register with IdentityNow

  • Enable and disable identities

  • Remove identities from IdentityNow

  • Generate a list of identities in the system to view offline. Select Generate to create a current version of the report. Refer to the note below.

  • Export and filter a zipped CSV file with a report of the identities in IdentityNow. Select CSV to download the identity list. Open the file and sort the data as needed.

  • Search for and select a specific identity to view and update it. You can search for identities based on the following:

    • Account ID
    • Display Name
    • First Name
    • Last Name

    IdentityNow searches these identity attributes for values that begin with the search term you entered. If you sort the Status column, the Search field can only search for matches in Account ID and Display Name. To reset this limitation, sort on a different column.

Generating a Report

Depending on the number of accounts in your system, generating a report can take a substantial amount of time. You can close the window and the system will continue to generate the report.

The report always reflects the identity list as it was when Generate was selected. If identity data is being processed at the time, the report reflects the list of identities that were available when you selected the button.

The Generated field shows when the report was last generated.

Viewing Identity Statuses

You can view a status badge beside each identity in the identity list. This status refers to the identity's IdentityNow account. You can find a list of these statuses and what they mean below.

In most cases, you can search for these identity statuses within Search. A sample query to find identities in that status is included where applicable.

Status | Description | Search Query
Active | The user has registered for IdentityNow and can sign in. | status:active
Disabled | The user's IdentityNow account was disabled. | inactive:TRUE
Error | The identity is in an error state due to email configuration errors, correlation problems, or other issues. Refer to Resolving an ERROR Status for details. | status:ERROR
Locked | The user's account has been manually locked, usually due to security concerns. | status:LOCKED
Not Invited | The user hasn't been invited to IdentityNow. | status:UNREGISTERED
Pending | The user has been invited to join IdentityNow, but they haven't registered yet. | Not applicable
Warning | The identity's invitation email failed to send. Verify that their email address is correct and reinvite the identity to resolve this status. | Not applicable

Viewing Identity Details

Select the name (or >) from the list to view additional details such as the following:

Resolving an ERROR Status

On the Identity List, a user may have an ERROR status. You can select the Information icon to display more details.

Identities with an ERROR status may not be able to log in to IdentityNow, so you'll need to address the error for them to regain access.

An ERROR status may occur because of email configuration errors, authentication source mismatching, or provisioning issues.

Email Configuration Errors

An ERROR status can occur if your identity profile is configured to send an invitation only to a user's alternate email but the user does not have an alternate email configured. Contact your SailPoint customer support specialist if you suspect that this is the issue.

Authentication Source Mismatch

You might have a mismatch between the identity data in the authoritative source of the profile and the source selected in Directory Connection within the Sign In Method panel.

Specifically, users with the ERROR status might have an account in the authoritative source used to create the profile, but they do not have an account in the authentication source you selected in Directory Connection. You must resolve this issue before you'll be able to send these users invitations to register for SailPoint.

Temporarily removing a user from IdentityNow may resolve this and other problems related to user status.

Provisioning Issues

If an identity has more than one account on a source system and a provisioning event is triggered, this generates an error on the identity and no provisioning occurs. This occurs when IdentityNow cannot determine which account should be changed by the provisioning event.
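
The three ERROR causes described above can be checked in advance against identity and account data you have exported. The Python below is an added example, not SailPoint code; the field names, the source names "HR" and "AD", the sample rows, and the function likely_error_causes are all assumptions made for illustration.

```python
from collections import Counter

# Constructed sample data; the field names are assumptions for this example,
# not an IdentityNow export format.
IDENTITIES = [
    {"id": "amy.lee", "alt_email": "amy@example.org"},
    {"id": "bo.chan", "alt_email": ""},
    {"id": "cy.diaz", "alt_email": "cy@example.org"},
    {"id": "di.omar", "alt_email": "di@example.org"},
]
# One row per account: (identity id, source name, account id on that source)
ACCOUNTS = [
    ("amy.lee", "HR", "1001"), ("amy.lee", "AD", "alee"),
    ("bo.chan", "HR", "1002"), ("bo.chan", "AD", "bchan"),
    ("cy.diaz", "HR", "1003"),
    ("di.omar", "HR", "1004"), ("di.omar", "AD", "domar"),
    ("di.omar", "AD", "domar-adm"),
]

def likely_error_causes(identities, accounts, authoritative_source,
                        auth_source, invite_alt_email_only):
    """Map identity id -> list of conditions this page links to ERROR status."""
    per_source = Counter((ident, src) for ident, src, _ in accounts)
    findings = {}
    for person in identities:
        ident, causes = person["id"], []
        # Email configuration: invitations go only to an alternate email
        # that this identity does not have.
        if invite_alt_email_only and not person["alt_email"].strip():
            causes.append("no alternate email")
        # Authentication source mismatch: present in the authoritative source
        # but absent from the source used as the directory connection.
        if per_source[(ident, authoritative_source)] and not per_source[(ident, auth_source)]:
            causes.append(f"no account in {auth_source}")
        # Provisioning: more than one account on a single source, so a
        # provisioning event has no unambiguous target.
        for (owner, src), n in sorted(per_source.items()):
            if owner == ident and n > 1:
                causes.append(f"{n} accounts on {src}")
        if causes:
            findings[ident] = causes
    return findings

if __name__ == "__main__":
    for ident, causes in likely_error_causes(
            IDENTITIES, ACCOUNTS, "HR", "AD", True).items():
        print(ident, "->", "; ".join(causes))
```

Identities flagged for multiple accounts on one source are the ones to correlate or clean up before a provisioning event is triggered.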

Resetting a User Identity

You may need to reset a user's identity if they have forgotten their authentication information, such as their answers to knowledge-based questions. Resetting an identity deregisters the user, and they will not be able to access IdentityNow until they are reinvited.

To reset the identity and reinvite the user to IdentityNow:

  1. From the Admin interface, select Identities > Identity List.

  2. Select the name of the user you want to reset.

  3. Select Actions > Reset Identity.

  4. The user's status changes from Active to Not Invited.

  5. Return to the Identity List and select the checkbox next to the name of the user you just reset.

  6. Select Invite Users to send an email invitation to the user, who can then re-register and change their password.


If your organization has configured pass-through authentication, the user does not have to select the link in the email and can begin by signing in to IdentityNow with their existing username and password.

If your organization does not use pass-through authentication, resetting an identity will also reset their password. If you do have pass-through authentication, these steps will not change your users' passwords.