Getting Started with SailPoint AI Services

AI Services analyze identity and access data from either IdentityNow or IdentityIQ. The following sections discuss how to get started using AI Services with both products.

Connecting to IdentityNow

If your organization has already set up IdentityNow, the only step required is for SailPoint to enable the licensed AI services in your tenant. No further action or configuration is required for AI Services to start gathering and analyzing IdentityNow data. Refer to the documentation for each service to start using it and learn more.

Connecting to IdentityIQ

AI Services for IdentityIQ are accessed in an IdentityNow interface. IdentityIQ users must work with SailPoint Services to create an IdentityNow tenant and deploy a virtual appliance (VA).

The VA is a Linux-based virtual machine that is deployed inside your corporate network or in a cloud environment where you control and manage its access to your IdentityIQ implementation. The VA allows AI Services to collect your IdentityIQ data for analysis. Once the VA is deployed and configured, IdentityIQ users can start using Access History and Identity Outliers in their IdentityNow tenant.

There are additional configuration and activation steps to complete before IdentityIQ users can start using Access Modeling or Recommendations.

Work through the steps in the following sections to connect IdentityIQ to AI Services:

  1. Verify requirements

  2. Provide administrator access information

  3. SailPoint creates the IdentityNow tenant

  4. Gather information for virtual appliance deployment

  5. Deploy the virtual appliance

  6. Create an IdentityIQ data source in your IdentityNow tenant

  7. If you have the Access Modeling service, configure IdentityIQ for Access Modeling.

  8. If you have the Recommendations service, activate Recommendations for IdentityIQ.

Verifying Requirements

To begin connecting AI Services to IdentityIQ, verify the following system, network, and software requirements:

  • Your system and network must meet the requirements for VA deployments with IdentityIQ.

  • Your browser and operating system (OS) must be supported by IdentityNow. AI Services and data insights are accessed through the IdentityNow web interface.

  • You must be running IdentityIQ version 8.0 or higher. These versions include support for AI Services.

Providing Administrator Access Information

After purchasing AI Services, you will receive a welcome email from your Customer Success Manager (CSM) that outlines the onboarding process. You will be asked to provide the following administrator access information:

  • A shared admin email address or group/distribution list.

    This email address or group/distribution list will be used to create the initial admin account and typically serves as a unique, generic account for emergency access. This email address should not be a user email address, as it will conflict with user details brought from the source system.

  • Email addresses for any individual users that should have access to the IdentityNow tenant.

Creating the IdentityNow Tenant

SailPoint sets up your IdentityNow tenant and notifies you when it is accessible. After a tenant is created, you will receive an email invitation from IdentityNow.

Unless you have arranged in advance for a different URL, your IdentityNow tenant URL will be [CustomerName]

Gathering Information for Setup

For virtual appliance and data source setup, IdentityIQ administrators should have the following items ready:

  • A local database user on the IdentityIQ database with read-only access to the entire IdentityIQ schema
  • The JDBC URL from the file
  • The Hibernate Dialect from the file
  • Your database vendor's JDBC driver (<jdbc-file.jar>)

Deploying the Virtual Appliance with IdentityIQ

Complete the steps in this section to deploy a VA.

For general information about VAs, view the Virtual Appliance Reference Guide and Virtual Appliance Planning and Best Practices.

View the Virtual Appliance Troubleshooting Guide for information about troubleshooting tools, resources, VA status definitions, and logging.

VA Deployment Steps

  1. Deploy the VA Image

    To reduce latency, the VA must be deployed in the same location as the IdentityIQ database. If IdentityIQ is installed on-premises, the VA must be installed in the same datacenter. If IdentityIQ is installed in the cloud, the VA must be installed in the same region.

    Deploy the VA image to one of the following virtualization platforms:

    • Local with vSphere - Deploy the downloaded image on a virtual machine behind your firewall.
    • Local with Hyper-V - Deploy the downloaded image on a virtual machine behind your firewall.
    • On AWS - Work with SailPoint to get access to our AMI so you can deploy it on your AWS infrastructure.
    • On Azure - Deploy the downloaded image on a virtual machine in Azure.

  2. Set Up a Static Network for Local Deployments

    If you deployed the VA image locally, follow the directions in the configuration guide for your virtualization platform to set up a static network.

  3. Choose a VA Configuration Type

    Configuration options include:

    • Standard - Uses the standard traffic generated by the VA.
    • HTTP Proxy - Routes all HTTP/HTTPS traffic through a proxy.
    • Secure Tunnel - Strictly limits the outbound connections generated by the VA.

  4. Complete Tasks in IdentityNow

    Refer to the directions in the deployment guide for your selected virtualization environment, and complete the following tasks in your IdentityNow Admin interface.

    1. Create the VA cluster.
    2. Create the VA configuration.
    3. Download va-config-<va_id>.yaml.

  5. Make changes to va-config-<va_id>.yaml

    Open va-config-<va_id>.yaml on your workstation and complete the following steps:

    1. Change the value of keyPassphrase from _ch@ngeMe_ to a unique value for your organization.
    2. Add the following line: product: iai
    3. Copy va-config-<va_id>.yaml from your workstation to the VA using the following scp command:

    scp <local_path>/va-config-<va_id>.yaml sailpoint@<va_ip_address>:/home/sailpoint/config.yaml

  6. Copy the JDBC JAR File to the VA

    Copy your database vendor's <jdbc-file.jar> file to the VA using the following scp command and the IdentityIQ version paths in the table.

    scp <local_path>/<jdbc-file.jar> sailpoint@<va_ip_address>:/home/sailpoint/iai/identityiq<xx>/jdbc/<jdbc-file.jar>

    IdentityIQ Version    JDBC Path on VA
    8.0                   /home/sailpoint/iai/identityiq80/jdbc/<jdbc-file.jar>
    8.1                   /home/sailpoint/iai/identityiq81/jdbc/<jdbc-file.jar>
    8.2                   /home/sailpoint/iai/identityiq82/jdbc/<jdbc-file.jar>
    8.3                   /home/sailpoint/iai/identityiq83/jdbc/<jdbc-file.jar>
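The following pre-flight script is an added example, not SailPoint tooling: before copying the files from steps 5 and 6 to the VA, it refuses a va-config-<va_id>.yaml that still carries the shipped _ch@ngeMe_ passphrase or lacks the product: iai line, and it derives the JDBC directory on the VA from the IdentityIQ version per the table above. The function names and the sample config are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not SailPoint's tooling): pre-flight checks for the two
# files edited in VA deployment steps 5 and 6.

# Return 0 only if the va-config yaml has a non-default, non-empty
# keyPassphrase and the 'product: iai' line that IdentityIQ collection needs.
check_va_config() {
    file="$1"
    # Still the shipped placeholder? Refuse to proceed.
    if grep -Eq '^keyPassphrase:[[:space:]]*_ch@ngeMe_[[:space:]]*$' "$file"; then
        echo "ERROR: keyPassphrase is still the default _ch@ngeMe_" >&2
        return 1
    fi
    if ! grep -Eq '^keyPassphrase:[[:space:]]*[^[:space:]]' "$file"; then
        echo "ERROR: keyPassphrase is missing or empty" >&2
        return 1
    fi
    if ! grep -Eq '^product:[[:space:]]*iai[[:space:]]*$' "$file"; then
        echo "ERROR: missing 'product: iai' line" >&2
        return 1
    fi
    return 0
}

# Map a supported IdentityIQ version (8.0 .. 8.3) to the JDBC directory on
# the VA, as listed in the table above; fails for anything else.
jdbc_path_for_version() {
    case "$1" in
        8.0|8.1|8.2|8.3)
            echo "/home/sailpoint/iai/identityiq$(printf '%s' "$1" | tr -d .)/jdbc" ;;
        *) return 1 ;;
    esac
}

# Constructed sample configs for demonstration; real files come from IdentityNow.
demo() {
    tmp=$(mktemp)
    printf 'keyPassphrase: _ch@ngeMe_\nproduct: iai\n' > "$tmp"
    check_va_config "$tmp" && echo "unexpected: default passphrase accepted"
    printf 'keyPassphrase: %s\nproduct: iai\n' 'Example-Unique-Passphrase-1' > "$tmp"
    check_va_config "$tmp" && echo "config ok; JDBC dir: $(jdbc_path_for_version 8.2)"
    rm -f "$tmp"
}

demo
```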

Creating an IdentityIQ Data Source for Connectivity with AI Services

Complete the following steps in your IdentityNow tenant:

  1. Go to Admin > Global > Additional Settings.

  2. Select Create New.

  3. Complete the available fields, and select your IdentityIQ version under Data Source Types. If you use IdentityIQ 8.2 or 8.3, select IdentityIQ 8.1 from the dropdown list. After selection, additional fields become available.

  4. Complete the following required fields:

    • Clusters - Select the VA you deployed specifically to connect to IdentityIQ.
    • JDBC URL - Enter the JDBC URL found in the file.
    • JDBC Driver - Enter your JDBC driver class name. Example:
    • Username - Enter your local database connection username.
    • Password - Enter your local database connection password.
    • API Baseurl - Enter the base URL for the IdentityIQ API.
    • API Client ID - Enter the client ID for the IdentityIQ API.
    • API Client Secret - Enter the client secret for the IdentityIQ API.
    • Hibernate Dialect - Enter the hibernate dialect from the file.
  5. Optionally, you can complete the fields to exclude identity attributes, exclude account attributes, or change the maximum number of database connections.

  6. Select Save Config.

You are now ready to start using Access Insights and Identity Outliers.

Additional configuration and activation steps are required to use Access Modeling and Recommendations with IdentityIQ.

Configuring IdentityIQ for Access Modeling

To configure IdentityIQ for Access Modeling, you will complete the following tasks:

  1. Generate client credentials in your IdentityNow tenant

  2. Import the init-ai.xml file

  3. Configure AI Services in IdentityIQ

  4. Install the Access Modeling plugin

  5. Configure automatic role creation

Generating Client Credentials in Your IdentityNow Tenant

For Access Modeling, IdentityIQ sends data to the Access Modeling service through IdentityNow’s APIs. To create a secure connection between IdentityIQ and the Access Modeling service, you’ll need to generate client credentials within IdentityNow and configure IdentityIQ (the client) to use them to communicate with the service.

Complete the following steps to generate a Client ID and Client Secret in your IdentityNow tenant:

  1. Log in to IdentityNow as an Administrator.

  2. From the IdentityNow Admin Dashboard, select Admin > Security Settings.

  3. Select API Management in the options on the left.

  4. Select +New to display the New API Client dialog.

  5. Enter a description for how the access token will be used.

  6. Check Client Credentials as the method you want the client to use to access the APIs.

  7. Select Create.

A Client ID and Client Secret are generated for you to use when you configure Access Modeling. Save these offline. You’ll need them later when you configure AI Services in IdentityIQ.

Importing the init-ai.xml File

After generating client credentials in IdentityNow, you will next import the init-ai.xml file to initialize IdentityIQ with the object components to support the AI Services integration. This file includes objects such as the AI Module, some AI-specific IdentityIQ capabilities, system configuration entries, and an AIServices identity, among others.

Complete the following steps to import the init-ai.xml file in IdentityIQ:

  1. Verify that plugins.enabled=true in the WEB-INF/classes/ file of your IdentityIQ installation. Plugins must be enabled to use Access Modeling.

  2. Log on to your browser instance of IdentityIQ as an administrator.

  3. Select Global Settings under the gear icon and select Import from File.

  4. Select Browse and navigate to the following directory:

    Windows: <identityiq_home>\WEB-INF\config

    UNIX: <identityiq_home>/WEB-INF/config

    where: <identityiq_home> is the directory to which you extracted the identityiq.war file during IdentityIQ installation.

  5. Select the init-ai.xml file and select Import.

  6. When the import is complete, select Done.

You may notice that the plugin for SailPoint's Recommendations service is also installed as part of this process, but access is enabled for licensed users only. Please contact your CSM for Recommendations service pricing and licensing.

Configuring AI Services in IdentityIQ

Complete the following steps to configure IdentityIQ to connect to your IdentityNow tenant with the client credentials you previously generated:

  1. From the IdentityIQ gear icon, select Global Settings > AI Services Configuration.

  2. Complete the following fields with information from your IdentityIQ installation and the client credentials from your IdentityNow tenant:

    • AI Services Hostname (The API Gateway URL for your IdentityNow tenant) Example: https://<org>
    • Client ID
    • Client Secret
  3. Select Test Connection to ensure that the connection information is correct and operating.

  4. Select Save.

Installing the Access Modeling Plugin

The Access Modeling plugin can be used with IdentityIQ 8.0 and later.

Complete the following steps to install the plugin:

  1. Get the Access Modeling plugin .zip file available here.

  2. From the IdentityIQ gear icon, select Plugins.

  3. Use the Plugins page to install the plugin.

  4. Select the Configure button for the Access Modeling plugin and provide the URL for the IdentityNow tenant.

    Example: https://<tenant>

Configuring Automatic Role Creation in IdentityIQ

To automatically create new roles in IdentityIQ, additional configuration is required in both IdentityIQ and your IdentityNow tenant.

Complete the following steps in IdentityIQ:

  1. From the IdentityIQ gear icon, select Global Settings > API Authentication.
  2. Create a new client or refer to an existing client on this screen. The proxy user for new or existing clients must have Administrator permissions.
  3. Save the following information offline to enter later in IdentityNow:
    • Client ID
    • Client Secret
    • Base URL for the IdentityIQ App server, including the port and endpoints such as /identityiq.

Complete the following steps in your IdentityNow tenant:

  1. Log in to IdentityNow as an administrator, and select Admin > Global > Additional Settings.

  2. Select Edit on the enabled IdentityIQ data source.

  3. Enter the saved IdentityIQ information in the following fields:

    • API Baseurl (Enter the base URL for the IdentityIQ App server, including the port and endpoints such as /identityiq.)
    • API Client ID
    • API Client Secret

    If these fields are not visible, contact Professional Services for help.

  4. Select Save Config. You are now ready to auto-create roles for IdentityIQ.

After successfully configuring IdentityIQ for Access Modeling, you are now ready to discover roles and explore role insights.

Activating Recommendations for IdentityIQ

IdentityIQ users will need to complete steps to integrate or activate the Recommendations service. For integration information, see Integration with IdentityAI for Decision Recommendations.

For implementation/activation information see the following documentation:

After activating Recommendations, IdentityIQ users are ready to start using certification and approval recommendations.