Skip to content

Getting Started with AI-Driven Identity Security for IdentityIQ

SailPoint AI-Driven Identity Security can be configured to analyze identity and access data from IdentityIQ. The following sections discuss how to get started using AI-Driven Identity Security with IdentityIQ.

AI-Driven Identity Security for IdentityIQ is accessed in the Identity Security Cloud tenant. IdentityIQ users must work with SailPoint Professional Services to create a tenant and deploy a virtual appliance (VA).

The VA is a Linux-based virtual machine that is deployed inside your corporate network or in a cloud environment where you control and manage its access to your IdentityIQ implementation. The VA allows collection of your IdentityIQ data for analysis. Once the VA is deployed and configured, IdentityIQ users can start using Access History in their tenant.

There are additional configuration and activation steps to complete before IdentityIQ users can start using Access Modeling or Access Recommendations.

Connecting IdentityIQ and AI-Driven Identity Security

Work through the steps in the following sections to connect IdentityIQ to AI-Driven Identity Security:

  1. Verify requirements.

  2. Provide administrator access information.

  3. SailPoint creates the tenant.

  4. Generate IdentityIQ API authentication credentials.

  5. Gather information for virtual appliance deployment.

  6. Deploy one virtual appliance (VA) with the IAI Harvester VA cluster type.


    Only one VA is required to connect IdentityIQ to AI-Driven Identity Security.

  7. Create an IdentityIQ data source in your tenant.

  8. If you have Access Modeling, configure IdentityIQ for Access Modeling.

  9. If you have Access Recommendations, activate Access Recommendations for IdentityIQ.

Verifying Requirements

To begin connecting AI-Driven Identity Security to IdentityIQ, verify the following system, network, and software requirements:

  • Your system and network must meet the requirements for VA deployments with IdentityIQ.

  • Your browser and operating system (OS) must be supported. AI-Driven Identity Security is accessed through an Identity Security Cloud tenant.

  • You must be running IdentityIQ version 8.1 or higher. These versions include support for AI-Driven Identity Security.

  • If you plan to use the HTTP proxy virtual appliance configuration and you have IdentityIQ version 8.3p1 or earlier, a patch upgrade is required. Install the patch upgrade before connecting AI-Driven Identity Security to IdentityIQ. Contact Professional Services for more information.

Providing Administrator Access Information

After purchasing AI-Driven Identity Security, you will receive a welcome email from your Customer Success Manager (CSM) that outlines the onboarding process. You will be asked to provide the following administrator access information:

  • A shared admin email address or group/distribution list.

    This email address or group/distribution list will used to create the initial admin account and typically serves as a unique, generic account for emergency access. This email address should not be a user email address, as it will conflict with user details brought from the source system.

  • Email addresses for any individual users that should have access to the tenant for AI-Driven Identity Security features.

Creating the Identity Security Cloud Tenant

SailPoint sets up your tenant and notifies you when it is accessible. After a tenant is created, you will receive an email invitation from SailPoint.

Unless you have arranged in advance for a different URL, your tenant URL will be [CustomerName]


FedRAMP customers will use the following URL: [CustomerName]

Generating IdentityIQ API Authentication Credentials

IdentityIQ API authentication credentials are required when creating the data source and configuration automatic role creation.

Complete the following steps in IdentityIQ:

  1. From the IdentityIQ gear icon, select Global Settings > API Authentication.
  2. Create a new client or refer to an existing client on this screen. The proxy user for new or existing clients must have Administrator permissions.
  3. Save the following information offline to enter later in your tenant:
    • API Client ID
    • API Client Secret
    • API Base URL for the IdentityIQ App server, including the port and endpoints such as /identityiq.

Save these credentials to use later during configuration and activation.

Gathering Information for Setup

For virtual appliance and data source setup, IdentityIQ administrators should have the following items ready:

  • A local database user on the IdentityIQ database with read-only access to the entire IdentityIQ schemaD
  • The JDBC URL from the file
  • The Hibernate Dialect from the file
  • Your database vendor's JDBC driver (<jdbc-file.jar>)
  • IdentityIQ API authentication credentials:

    • API Client ID
    • API Client Secret
    • API Base URL for the IdentityIQ App server

Deploying the Virtual Appliance with IdentityIQ

Complete the steps in this section to deploy a VA.

For general information about VAs, refer to the Virtual Appliances documentation.

For troubleshooting tools and resources, refer to the Virtual Appliance Troubleshooting Guide.

  1. Deploy the VA image.


    To reduce latency, the VA must be deployed on the same location as the IdentityIQ database. If IdentityIQ is installed on-premises, the VA must be installed in the same datacenter. If IdentityIQ is installed in the cloud, the VA must be installed in the same region.

    Deployment to the following virtualization platforms is described in Deploying Virtual Appliances:

    • Local with vSphere - Deploy the downloaded image on a virtual machine behind your firewall.
    • Local with Hyper-V - Deploy the downloaded image on a virtual machine behind your firewall.
    • On AWS - Work with SailPoint to get access to our AMI so you can deploy it on your AWS infrastructure.
    • On Azure - Deploy the downloaded image on a virtual machine in Azure.
    • On GCP - Import the downloaded VA image to Google Cloud Platform.
  2. Set up a static network for local deployments.

    If you deployed the VA image locally, follow the directions to set up a static network.

  3. Select a VA configuration type.

    Descriptions and instructions for implementing the following configurations can be found in the virtual appliance configuration documentation:

    • Standard - Uses the standard traffic generated by the VA.
    • HTTP Proxy - Routes all HTTP/HTTPS traffic through a proxy.
    • Network Tunnel - Strictly limits the outbound connections generated by the VA.
  4. Complete tasks in your tenant.

    Refer to the directions in the deployment guide for your selected virtualization environment, and complete the following tasks in your tenant Admin interface.

    1. Create the VA cluster with the IAI Harvester VA cluster type.
    2. Create the VA configuration.
    3. Download va-config-<va_id>.yaml.
  5. Make changes to va-config-<va_id>.yaml.

    Open va-config-<va_id>.yaml on your workstation and complete the following steps:

    1. Change the value of keyPassphrase from _ch@ngeMe_ to a unique value for your organization.
    2. Add the following line: product: iai
    3. Copy va-config-<va_id>.yaml from your workstation to the VA using the following scp command:

    scp <local_path>/va-config-<va_id>.yaml sailpoint@<va_ip_address>:/home/sailpoint/config.yaml

  6. After you have copied the .yaml file to the VA, contact SailPoint Services so they can "pin" the IdentityIQ harvester to the virtual appliance. Once this has been completed, you can move on to the next step.

  7. Run the following command to determine if there is a JDBC directory for your IdentityIQ version:

    ls -lR iai

    If the directory is not owned by sailpoint, modify the directory permissions by running the following command from /home/sailpoint/:

    sudo chown -R sailpoint /home/sailpoint/iai

    This command must be entered exactly as shown, and should not ask for a password.

  8. Copy the JDBC JAR file to the VA.

    Copy your database vendor's <jdbc-file.jar> file to the VA using the following scp command and the corresponding IdentityIQ version path.

    scp <local_path>/<jdbc-file.jar> sailpoint@<va_ip_address>:/home/sailpoint/iai/identityiq<xx>/jdbc/<jdbc-file.jar>

    IdentityIQ Version JDBC Path on VA
    8.1, 8.2, 8.3 /home/sailpoint/iai/identityiq81/jdbc/<jdbc-file.jar>
    8.4 /home/sailpoint/iai/identityiq84/jdbc/<jdbc-file.jar>

Creating an IdentityIQ Data Source for Connectivity with AI-Driven Identity Security

Complete the following steps in your tenant:

  1. Go to Admin > Global > Additional Settings.

  2. Select Add Data Source.

  3. Complete the available fields, and select your IdentityIQ version under Data Source Types.

    • If you use IdentityIQ 8.2 or 8.3, select IdentityIQ 8.1 from the dropdown list.
    • If you use IdentityIQ 8.4, select IdentityIQ 8.4 from the dropdown list.

    After data source type selection, additional fields become available.

  4. Complete the following required fields:

    • Clusters - Select the VA you deployed specifically to connect to IdentityIQ.
    • JDBC URL - Enter the JDBC URL found in the file.
    • JDBC Driver - Enter your JDBC driver class name.
    • Username - Enter your local database connection username.
    • Password - Enter your local database connection password.
    • API Baseurl - Enter the base URL for the IdentityIQ API.
    • API Client ID - Enter the client ID for the IdentityIQ API.
    • API Client Secret - Enter the client secret for the IdentityIQ API.
    • Hibernate Dialect - Enter the hibernate dialect from the file.
  5. Optionally, you can complete the fields to exclude identity attributes, exclude account attributes, change the maximum number of database connections, or enter an identity filter. The filter can include only named attributes and not Extended Attributes or namedColumns.

  6. Select Save Config.

You are now ready to start using Access History.

Additional configuration and activation steps are required to use Access Modeling and Access Recommendations with IdentityIQ.

Configuring IdentityIQ for Access Modeling

To configure IdentityIQ for Access Modeling, you will complete the following tasks:

  1. Generate client credentials in your tenant.

  2. Import the init-ai.xml file.

  3. Configure AI-Driven Identity Security in IdentityIQ.

  4. Install the Access Modeling plugin.

  5. Configure automatic role creation.

Generating Client Credentials in Your Tenant

IdentityIQ sends data to Access Modeling through APIs. To create a secure connection between IdentityIQ and Access Modeling, you’ll need to generate client credentials within your tenant and configure IdentityIQ (the client) to use them to communicate with Access Modeling.

Complete the following steps to generate a Client ID and Client Secret in your tenant:

  1. Log in to your tenant as an Administrator.

  2. From the Admin Dashboard, select Admin > Security Settings.

  3. Select API Management in the options on the left.

  4. Select +New to display the New API Client dialog.

  5. Enter a description for how the access token will be used.

  6. Check Client Credentials as the method you want the client to use to access the APIs.

  7. Select Create.

A Client ID and Client Secret are generated for you. Save these offline. You’ll need them later when you configure AI-Driven Identity Security in IdentityIQ.

Importing the init-ai.xml File

After generating client credentials in your tenant, you will next import the init-ai.xml file to initialize IdentityIQ with the object components to support integration. This file includes objects such as the AI Module, some AI-specific IdentityIQ capabilities, system configuration entries, and an AIServices identity, among others.

Complete the following steps to import the init-ai.xml file in IdentityIQ:

  1. Verify that plugins.enabled=true in the WEB-INF/classes/ file of your IdentityIQ installation. Plugins must be enabled to use Access Modeling.

  2. Log on to your browser instance of IdentityIQ as an administrator.

  3. Select Global Settings under the gear icon and select Import from File.

  4. Select Browse and navigate to the following directory:

    Windows: <identityiq_home>\WEB-INF\config

    UNIX: <identityiq_home>/WEB-INF/config

    where: <identityiq_home> is the directory to which you extracted the identityiq.war file during IdentityIQ installation.

  5. Select the init-ai.xml file and select Import.

  6. When the import is complete, select Done.

You may notice that the plugin for Access Recommendations is also installed as part of this process, but access is enabled for licensed users only. Please contact your CSM for Access Recommendations pricing and licensing.

Configuring AI-Driven Identity Security in IdentityIQ

Complete the following steps to configure IdentityIQ to connect to your tenant with the client credentials you previously generated:

  1. From the IdentityIQ gear icon, select Global Settings > AI Services Configuration.

  2. Complete following fields with information from your IdentityIQ installation and the client credentials from your tenant:

    • AI Services Hostname (The API Gateway URL for your tenant) Example: https://<org> or https://<org>
    • Client ID
    • Client Secret
  3. Select Test Connection to ensure that the connection information is correct and operating.

  4. Select Save.

Installing the Access Modeling Plugin

The Access Modeling plugin is required for IdentityIQ 8.1, 8.2, or 8.3. IdentityIQ 8.4 does not require the Access Modeling plugin.

Complete the following steps to install the plugin:

  1. Get the Access Modeling plugin.

  2. From the IdentityIQ gear icon, select Plugins.

  3. Use the Plugins page to install the plugin.

  4. Select the Configure button for the Access Modeling plugin and provide the URL for the tenant.

    Example: https://<tenant> or https://<tenant>

Configuring Automatic Role Creation in IdentityIQ

To be able to automatically create a new role in IdentityIQ, there is some additional configuration required in your tenant.

Complete the following steps in your tenant:

  1. Log in as an administrator, and select Admin > Global > Additional Settings.

  2. Select Edit on the enabled IdentityIQ data source.

  3. Enter the IdentityIQ API authentication information in the following fields:

    • API Client ID
    • API Client Secret
    • API Base URL (Enter the base URL for the IdentityIQ App server, including the port and endpoints such as /identityiq.)

    If these fields are not visible, contact Professional Services for help.

  4. Select Save Config.

You are now ready to auto-create roles for IdentityIQ.

Activating Access Recommendations for IdentityIQ

IdentityIQ users will need to complete steps to integrate or activate Access Recommendations. For integration information, see Integration with IdentityAI for Decision Recommendations.

For implementation/activation information see the following documentation:

After activating Access Recommendations, IdentityIQ users are ready to start using certification and approval recommendations.

Documentation Feedback