Getting Started with SailPoint AI Services
SailPoint AI Services, powered by the SailPoint Identity Platform, are powerful solutions that provide immediate value to your identity governance program. There are three AI Services: Access Insights, Access Modeling, and Recommendations.
IdentityNow and IdentityIQ users can start on their journey with SailPoint AI Services by following the process below.
IdentityIQ users have additional steps to deploy the virtual appliance (VA) before using AI Services. Some of these steps are completed in the IdentityNow Admin interface.
Working with SailPoint Services
Each stage of your initial Services engagement includes important milestones and work sessions to prepare your environment and your team. We work with your unique environment and guide you through the steps required for a successful implementation.
To begin, your Customer Success Manager sends a welcome email outlining the onboarding process and requesting information required to grant the initial admin users access.
Setting up your site requires our support team to create your tenant, or unique website, on our servers. Because SailPoint's AI Services are a part of IdentityNow, you will be logging in to IdentityNow to access the AI Services content.
Once you are able to log in, your Engagement Manager schedules a project kick-off session to discuss the configuration process.
The following list describes the general AI Services onboarding process from start to finish.
Make sure your environment meets the supported software requirements for the AI Services you purchased. All AI Services are supported for IdentityNow and IdentityIQ. See the supported software table for the specific browsers, operating systems, and IdentityIQ versions supported.
Your Customer Success Manager sets up your IdentityNow tenant and notifies you when it is accessible. A tenant is created, and you will receive an email invitation from IdentityNow.
Provide a shared admin email address (group/distribution list) to associate as the initial admin account. This shared admin email address is typically used as a unique, generic account in case an individual admin is locked out. This email address should not be a user email address, as it will conflict with user details brought from the source system.
Provide a list of names and email addresses of users who need access to the tenant. Users will receive email invitations when access is granted.
SailPoint's virtual appliance directly connects your source system to AI Services, without requiring you to open your firewall to incoming traffic.
If you are an IdentityNow customer, your organization has already connected to the virtual appliance.
IdentityIQ administrators need to set up a virtual appliance according to the directions in Deploying the Virtual Appliance with IdentityIQ. For data source setup, IdentityIQ administrators should have the following items ready:
- A local database user on the IdentityIQ database with read-only access to the entire IdentityIQ schema
- The JDBC URL from the
- Your database vendor's JDBC driver (
Work with your Engagement Manager to schedule the project kick-off where you will go over delivery and implementation phases together.
Work with your Engagement Manager to schedule any required work sessions. Scheduled work sessions could include:
- Health check of existing environment
- Virtual appliance and collector configuration
- Review of your organization's business requirements
- General product training
The following list displays browser, operating system, and software support for AI Services.
- Chrome - Most recent stable version.
- Firefox - Most recent stable version.
- Safari - Most recent stable version. IdentityNow's SSO service is not supported on Safari.
- Edge - Most recent stable version. IdentityNow's SSO service is not supported on Edge.
- Internet Explorer - Version 11. IdentityNow does not support Internet Explorer's compatibility mode.
For details about the most recent stable version of a browser, see https://updatemybrowser.org/.
If you see an error message even though your browser matches the policy requirements, contact your administrator for assistance.
Desktop Operating Systems: Windows and MacOS
Mobile Browsers: None
Mobile Operating Systems: None
IdentityIQ Versions by AI Service:
- Access Insights - IdentityIQ 7.2, 7.3, 8.0, and 8.1
- Access Modeling - IdentityIQ 7.3p3, 8.0, and 8.1
- Recommendations - IdentityIQ 7.3p3, 8.0, and 8.1
Managing User Access
User management for AI Services occurs in IdentityNow.
After SailPoint Services has uploaded your initial user list during onboarding, you can update the account information when you need to make changes.
Deploying the Virtual Appliance with IdentityIQ
If you are an IdentityIQ customer, you will need to complete steps to deploy the virtual appliance (VA) before using AI Services. You will complete some of these steps in your IdentityNow Admin interface.
See the Virtual Appliance Troubleshooting Guide for information about troubleshooting tools, resources, VA status definitions, and logging.
IdentityNow customers have already deployed the VA and do not need to deploy additional VAs before using AI Services.
Minimum System Requirements for VA Deployments with IdentityIQ
Number of VAs Required: 1
VA Image Size:
- Processors: 4
- Memory: 16 GB
- Storage: 128 GB
- Outbound access for port 53 (DNS) to your internal name servers. You can connect VAs to a local DNS server behind your firewall.
- Outbound access for ports 123 (NTP) and 443 (HTTPS). You can connect VAs to a local NTP server behind your firewall.
- Optional inbound access for port 22 (SSH) for you to access the VA when inside your network
Network Performance Requirements: To reduce latency, the VA must be deployed on the same location as the IdentityIQ database.
VA Deployment Steps
Deploy the VA Image
You can deploy the VA image to the following virtualization platforms:
- Local with vSphere - Deploy the downloaded image on a virtual machine behind your firewall.
- Local with Hyper-V - Deploy the downloaded image on a virtual machine behind your firewall.
- On AWS - Work with SailPoint to get access to our AMI so you can deploy it on your AWS infrastructure.
- On Azure - Deploy the downloaded image on a virtual machine in Azure.
Set Up a Static Network for Local Deployments
If you deployed the VA image locally, follow the directions in the configuration guide for your virtualization platform to set up a static network:
Choose a VA Configuration Type
Configuration options include:
Complete Tasks in IdentityNow
Refer to the directions in the deployment guide for your selected virtualization environment, and complete the following tasks in your IdentityNow Admin interface.
- Create the VA cluster.
- Create the VA configuration.
Make Changes to
va-config-<va_id>.yamlon your workstation and complete the following steps:
- Change the value of keyPassphrase from
_ch@ngeMe_to a unique value for your organization.
- Add the following line:
va-config-<va_id>.yamlfrom your workstation to the VA using the following scp command:
scp <local_path>/va-config-<va_id>.yaml sailpoint@<va_ip_address>:/home/sailpoint/config.yaml
- Change the value of keyPassphrase from
Copy the JDBC JAR File to the VA
Copy your database vendor's
<jdbc-file.jar>file to the VA using the following scp command and the IdentityIQ version paths in the table.
scp <local_path>/<jdbc-file.jar> sailpoint@<va_ip_address>:/home/sailpoint/iai/identityiq<xx>/jdbc/<jdbc-file.jar>
IdentityIQ Version JDBC Path on VA 7.2
Now that you have deployed the VA with IdentityIQ, you are ready to learn more about specific AI Services: