Skip to content

Getting Started

Getting Started with SailPoint AI Services

SailPoint AI Services, powered by the SailPoint Identity Platform, are powerful solutions that provide immediate value to your identity governance program. There are three AI Services: Access Insights, Access Modeling, and Recommendations.

IdentityNow and IdentityIQ users can start on their journey with SailPoint AI Services by following the process below.


IdentityIQ users have additional steps to deploy the virtual appliance (VA) before using AI Services. Some of these steps are completed in the IdentityNow Admin interface.

Working with SailPoint Services

Each stage of your initial Services engagement includes important milestones and work sessions to prepare your environment and your team. We work with your unique environment and guide you through the steps required for a successful implementation.

To begin, your Customer Success Manager sends a welcome email outlining the onboarding process and requesting information required to grant the initial admin users access.

Setting up your site requires our support team to create your tenant, or unique website, on our servers. Because SailPoint's AI Services are a part of IdentityNow, you will be logging in to IdentityNow to access the AI Services content.

Once you are able to log in, your Engagement Manager schedules a project kick-off session to discuss the configuration process.

Onboarding Process

The following list describes the general AI Services onboarding process from start to finish.

  1. Prerequisites

    Make sure your environment meets the supported software requirements for the AI Services you purchased. All AI Services are supported for IdentityNow and IdentityIQ. See the supported software table for the specific browsers, operating systems, and IdentityIQ versions supported.

  2. Environment Details

    Your Customer Success Manager sets up your IdentityNow tenant and notifies you when it is accessible. A tenant is created, and you will receive an email invitation from IdentityNow.

    URL Example: [CustomerName]

  3. Administrator Details

    Provide a shared admin email address (group/distribution list) to associate as the initial admin account. This shared admin email address is typically used as a unique, generic account in case an individual admin is locked out. This email address should not be a user email address, as it will conflict with user details brought from the source system.

  4. User Details

    Provide a list of names and email addresses of users who need access to the tenant. Users will receive email invitations when access is granted.

  5. Database Connectivity

    SailPoint's virtual appliance directly connects your source system to AI Services, without requiring you to open your firewall to incoming traffic.

    If you are an IdentityNow customer, your organization has already connected to the virtual appliance.

    IdentityIQ administrators need to set up a virtual appliance according to the directions in Deploying the Virtual Appliance with IdentityIQ. For data source setup, IdentityIQ administrators should have the following items ready:

    • A local database user on the IdentityIQ database with read-only access to the entire IdentityIQ schema
    • The JDBC URL from the file
    • Your database vendor's JDBC driver (<local_path>/<jdbc-file.jar>)
  6. Project Kick-Off

    Work with your Engagement Manager to schedule the project kick-off where you will go over delivery and implementation phases together.

  7. Work Sessions

    Work with your Engagement Manager to schedule any required work sessions. Scheduled work sessions could include:

    • Health check of existing environment
    • Virtual appliance and collector configuration
    • Review of your organization's business requirements
    • General product training

Supported Software

The following list displays browser, operating system, and software support for AI Services.

Desktop Browsers:

  • Chrome - Most recent stable version.
  • Firefox - Most recent stable version.
  • Safari - Most recent stable version.
  • Edge - Most recent stable version.
  • Internet Explorer - Version 11. IdentityNow does not support Internet Explorer's compatibility mode.

For details about the most recent stable version of a browser, see

If you see an error message even though your browser matches the policy requirements, contact your administrator for assistance.

Desktop Operating Systems: Windows and MacOS

Mobile Browsers: None

Mobile Operating Systems: None

IdentityIQ Versions by AI Service:

  • Access Insights - IdentityIQ 7.2, 7.3, 8.0, 8.1, and 8.2
  • Access Modeling - IdentityIQ 7.3p3, 8.0, 8.1, and 8.2
  • Recommendations - IdentityIQ 7.3p3, 8.0, 8.1, and 8.2

Managing User Access

User management for AI Services occurs in IdentityNow.

After SailPoint Services has uploaded your initial user list during onboarding, you can update the account information​ when you need to make changes.

Deploying the Virtual Appliance with IdentityIQ

If you are an IdentityIQ customer, you will need to complete steps to deploy the virtual appliance (VA) before using AI Services. You will complete some of these steps in your IdentityNow Admin interface.

For general information about VAs, see the Virtual Appliance Reference Guide and Virtual Appliance Planning and Best Practices.

See the Virtual Appliance Troubleshooting Guide for information about troubleshooting tools, resources, VA status definitions, and logging.

IdentityNow customers have already deployed the VA and do not need to deploy additional VAs before using AI Services.

Minimum System Requirements for VA Deployments with IdentityIQ

Number of VAs Required: 1

VA Image Size:

  • Processors: 4
  • Memory: 16 GB
  • Storage: 128 GB

Network Requirements:

  • Outbound access for port 53 (DNS) to your internal name servers. You can connect VAs to a local DNS server behind your firewall.
  • Outbound access for ports 123 (NTP) and 443 (HTTPS). You can connect VAs to a local NTP server behind your firewall.
  • Optional inbound access for port 22 (SSH) for you to access the VA when inside your network

Network Performance Requirements: To reduce latency, the VA must be deployed on the same location as the IdentityIQ database.

VA Deployment Steps

  1. Deploy the VA Image

    You can deploy the VA image to the following virtualization platforms:

    • Local with vSphere - ​​Deploy the downloaded image on a virtual machine behind your firewall.
    • Local with Hyper-V - ​​​​Deploy the downloaded image on a virtual machine behind your firewall.
    • On AWS - ​Work with SailPoint to get access to our AMI so you can deploy it on your AWS infrastructure.
    • On Azure - ​​Deploy the downloaded image on a virtual machine in Azure.
  2. Set Up a Static Network for Local Deployments

    If you deployed the VA image locally, follow the directions in the configuration guide for your virtualization platform to set up a static network:

  3. Choose a VA Configuration Type

    Configuration options include:

    • Standard ​- Uses the standard traffic generated by the VA.
    • HTTP Proxy​ - Routes all HTTP/HTTPS traffic through a proxy.
    • Secure Tunnel​ - Strictly limits the outbound connections generated by the VA.
  4. Complete Tasks in IdentityNow

    Refer to the directions in the deployment guide for your selected virtualization environment, and complete the following tasks in your IdentityNow Admin interface.

    1. Create the VA cluster.
    2. Create the VA configuration.
    3. Download va-config-<va_id>.yaml.
  5. Make Changes to va-config-<va_id>.yaml

    Open va-config-<va_id>.yaml on your workstation and complete the following steps:

    1. Change the value of keyPassphrase from _ch@ngeMe_ to a unique value for your organization.
    2. Add the following line: product: iai
    3. Copy va-config-<va_id>.yaml from your workstation to the VA using the following scp command:

    scp <local_path>/va-config-<va_id>.yaml sailpoint@<va_ip_address>:/home/sailpoint/config.yaml

  6. Copy the JDBC JAR File to the VA

    Copy your database vendor's <jdbc-file.jar> file to the VA using the following scp command and the IdentityIQ version paths in the table.

    scp <local_path>/<jdbc-file.jar> sailpoint@<va_ip_address>:/home/sailpoint/iai/identityiq<xx>/jdbc/<jdbc-file.jar>

    IdentityIQ Version JDBC Path on VA
    7.2 /home/sailpoint/iai/identityiq71/jdbc/<jdbc-file.jar>
    7.3 /home/sailpoint/iai/identityiq73/jdbc/<jdbc-file.jar>
    8.0 /home/sailpoint/iai/identityiq80/jdbc/<jdbc-file.jar>
    8.1 /home/sailpoint/iai/identityiq81/jdbc/<jdbc-file.jar>
    8.2 /home/sailpoint/iai/identityiq82/jdbc/<jdbc-file.jar>

Now that you have deployed the VA with IdentityIQ, you are ready to learn more about specific AI Services: