Skip to content

Using Email Templates

A number of email templates are used to notify users of certain milestones or other events. The template format provides you with a framework for the purpose and content of each email that is sent out to users. Each template is customizable to your needs and consists of a name, subject, and body, as well as a set of variables that can be used in the subject or body.  When the email is sent, the product will replace those variables with proper values. Additional variables may be available, depending on the template you're editing.

Global Variables

The following variables are available for you to use in the body of most email templates.

Name Type Description Properties
User User The recipient Any attribute of the user object including, but not limited to, name, alias, firstname, lastname, displayName, uid, manager, phone, workPhone
identityNowUrl String URL to the IdentityNow homepage N/A
PRODUCT_NAME String The name of the product N/A


  • To reference additional user properties in an email template, use the syntax: ${user.<property>}. For example, if you want to reference the user's work phone number in an email, you would enter ${user.workPhone}.
  • For more variables that are specific to the context of an individual email template, select the link for the corresponding template in the table below. In addition, if you want to use an object type variable, you might need to speak with your CSM to engage Expert Services.

Available Templates

The following table shows currently available email templates. Each template is fully customizable.

Template Description
Access Profile Owner Approval Notification Sent to access profile owners when their access profile is granted to a user as a result of a role request.
Access Request Cancelled Sent to users when a pending access request is canceled before it has been approved and provisioned.
Access Request Decision Sent to a user to notify them whether their request for an app was approved or denied.
Access Request Decision for Other Sent to a user when access was requested for them by another user, and the reviewer of that request has made a decision.
Access Request for Other Sent to users when access was requested for them by another user.
Access Request for Self Sent to users to confirm that they've successfully submitted an access request for themselves.
Access Request Reassignment Sent to a reviewer when they have had access requests reassigned to them.
Access Request Reviewer Sent to each access reviewer who needs to review an access request.
Access Request Sunset Date Reminder Sent to a user to remind them that their access to an item is coming to an end.
App Password Changed Only used if pass-through authentication is configured. Sent when a user changes their login password, or the password for any app or direct connect source connected to the source used for pass-through authentication.
Application Health Sent when an application changes status. This is a system notification email.
Certification Sent to reviewers whenever a certification campaign is created.
Certification Due Sent to certification reviewers one week after a certification campaign starts and every seven days after that, until they sign off or the campaign ends.
Certification Reassignment Notifies a reviewer when they have been reassigned identities from an existing certification.
Forgot User Name Sent when a user selects Forgot User Name on the Sign In page and then supplies an email address that is valid for their account.
Helpdesk Password Reset Sent when a user requests a password reset via email.
Identity Errors Sent when an identity refresh causes 5% or more of identities to be in an error state. This is a system notification email.
Lifecycle State Change Sent to select users when an identity's lifecycle state changes.
New Account Provisioned Sent to a user when an account is created on a source for them.
Non-Employee Account Request Sent to a non-employee account manager to confirm that their request for a new account for a non-employee was submitted.
Non-Employee Account Request Decision Sent to an account manager when all applicable account reviewers have made a decision about a non-employee account, to confirm that their account request was either approved or denied.
Non-Employee Account Review Sent to the account reviewers to notify them that a request needs their attention, after a new non-employee account request is submitted.
Non-Employee End Date Reminder Sent to the account managers for a non-employee source when one or more of the non-employees on that source has an end date in 7 days.
Preference Update Sent whenever a user’s authentication settings, like phone number or answers to security questions, change.
Password Expiration Sent when a user's password is about to expire or has expired.
Password Reset Code Sent when a user requests a password reset code via email.
Scheduled Certification Campaign Reminder Sent to the person who created a scheduled certification campaign 1 week prior to the scheduled generation date.
Search Subscription Notification Sent to administrators when a scheduled search is run.
SoD Policy Subscription Notification Sent to remediators or notification recipients for SoD Policies.
Source Health Sent when a source changes status. This is a system notification email.
Strong Authentication Sent when a user wants to use strong authentication when using an email.
Task Manager Subscription If enabled, sent to users daily when they have incomplete tasks in their Task Manager. You can enable this email using our API.
Unlock User Code Sent when a user selects Unlock on the Sign In page to provide a code that is used to unlock the account.
User Invitations Sent to invite a user to use IdentityNow.
User Locked Out Notifies a user that their account has been locked out due to too many failed sign in attempts.
User Password Changed Sent when a user from any app or source that does not use pass-through authentication changes their IdentityNow password.
User Unlocked Sent after the Unlock User Code email to confirm that the account was unlocked successfully.
User Verification Token Sent when an administrator or Helpdesk admin resets a user's SailPoint password, or their password for a source.
Virtual Appliance Health Sent when a virtual appliance changes status. This is a system notification email.

Customizing Email Templates

You can configure the emails that IdentityNow sends to your users in the Email Templates interface. To see a list of available templates, see Available Templates.


Org Admins can also configure email templates using our APIs after securely authenticating with the platform.

Editing an Email Template

  1. From the Admin interface, select Global > Email Templates. Choose the email template you wish to edit.

  2. Edit any of the fields displayed here (Reply To, Subject, and Body) to meet the needs of your organization:

  3. Text Editing - From the standard view of the Body text box, you can change the words on the page. You can also apply formatting using the various icons and dropdown menus above the text box.

  4. Source/HTML Editing - To edit the HTML, select the Source Edit icon on the far right side of the text editor.

  5. Adding and Removing Variables - Review the variables available to each template.

  6. Select Save.

The emails are sent automatically when the criteria for the emails is met, which depends on the email you're sending.


  • Regardless of how you edit your email, it is required to have both a subject and a body.
  • The variable {$PRODUCT_NAME} will be replaced with the text you choose as the product name.
  • Many of these templates use Velocity scripting and variables. SailPoint recommends that you have a strong background with the Velocity script engine if you want to edit templates. See Apache Velocity - Velocity User Guide for more information. Otherwise, you should be careful to edit only the text in the email.
  • You are responsible for ensuring that your email renders correctly in your users' email inboxes. Making significant changes to the email templates might disrupt the formatting of the email or prevent it from being sent at all. To anticipate and resolve any problems, you can test email templates before sending them.
  • If the email template includes a table, you'll be unable to use the WYSIWYG editor to modify it and see what the template will look like. You can still edit the HTML source for the template, however. If you are not comfortable editing the HTML source and prefer to use the WYSIWYG editor, you can remove any "table" references from the template and format the information without using a table.
  • Do not use the HTML to return a template to its default settings. Contact your customer support specialist.

Setting the Reply To Address

When you edit the Reply To field of an email template, you are changing the actual address that appears in the To field when a user replies to an email.

For example, the image above shows what an email would look like if you do not change the default Reply To address.

However, even if you do change the Reply To address, "" appears in the From address, shown on the right unless you request a change. For instructions, see Setting the From Address.

Setting the From Address

You can assign a different email address to appear in the 'From' field of emails sent by IdentityNow, based on the brand the recipient is a part of. All emails sent to users in that brand will display that address as their 'From' address.

Best Practices

  • Changing the value of the 'From' address for your org also changes the reply-to address on the backend. However, this change is not reflected in the Reply To field on each email template. You can edit the Reply To field to reflect the 'From' address using the steps in Setting the Reply To Address.
  • You can assign up to 10 'From' addresses for each of your orgs.
  • Using the steps below, you can configure an email address as a 'From' address for exactly one org. If you need to reuse the same email address on a different org, such as a staging org, contact SailPoint Support.
  • 'From' addresses are case sensitive. Enter the email address exactly as it appears in your email settings.

To change the 'From' address, complete the following steps:

  1. From the Admin interface, go to Global > System Settings. The Branding page is displayed.

  2. Scroll to 'From:' Address.

  3. To add a new email address to the list on the right:

    • Select New.

    • Add a new email address to the list and select Create.

    • Check that email address. You will receive an email from AWS to confirm that you own that email address. Select the link in that email within 24 hours.

    This email address will now appear in the dropdown list when you're selecting a 'From' address for emails sent to users in that brand. 

  4. Select the dropdown arrow and choose the email address you want to use as the 'From' address for that brand and select Save.


  • You can remove a 'From' address from your org by selecting the X icon beside it in the list.
  • If the X icon beside an email address is disabled, the 'From' address is in use in one or more of your brands. Choose another email for those brands and try again.

If you change the from address, be sure to use one of the options outlined in Ensuring Successful Delivery of Emails to make sure employees are receiving the emails.

Using Images in Email Templates

To insert an image into an email template, complete the following steps:

  1. Select Global > Email Templates.

  2. Select the template you want to add an image to. For example, this image shows the User Invitation template with the Invitation Type dropdown list set to Custom.

  3. Find the section(s) of the email to which you want to add the image.

    Because the Velocity scripting in the email often includes a variety of conditional content based on system and user behavior, you might need to add the image to anywhere from one to four - or in rare cases five or more - separate sections of the source content.

  4. Identify a hosted image reference.

    Best Practice

    While this can be any external image that is already on a website, SailPoint recommends using the logo you used when customizing your UI.

    To use this logo, right-click the logo in the top left corner of your IdentityNow site and choose Copy image address to copy the URL.

  5. In the email template, use tagging similar to the following:

        <div><p style="text-align:right"><img src="{URL} width="100" height="80"></p></div>

    where {URL} is the URL from step 4 above. This will add the image to the top of the page above the text.


    You can use the HTML for an image directly in the standard text box. This includes the ability to use a custom IdentityNow logo if your site uses one. Right-click the logo and copy the image address. The exact menu label depends on your browser (eg. Copy Image Location or Copy image address).

  6. Select Save and test the email to verify that your changes have been applied. 

Embedding Base 64 Encoded Files

If you have experience with base-64 encoding, you can also embed base-64 encoded file for the src instead of referencing a URL.

Be aware that embedding an image increases the overall size of your email message, depending on the size of your image. Many email servers will block email messages larger than a particular size (ex. 2 MB). To lessen the chance of a bounced email when using embedded images, scale your image down to the same size as your desired height and width settings first then base-64 encode the scaled image.

Testing Email Templates

You can test any email templates you have changed to make sure that the content displays as intended before sending them to the full list of recipients. You can choose to send them to your email or to another email address that you configure by doing the following:

  1. From the Admin interface, select Global > Email Templates.

  2. Choose whether you want to send test emails to your own email or one that you configure.

    • To use your own email, select an email template from the list, then select Test Email.

    • To configure a different email address for testing, scroll to the bottom of the list and select Email Config. In the Send All Emails To: field, enter the email address you want to use, then select Save.

Best Practice

After testing emails, return to this page and select the radio button for Intended Recipients so that these emails are sent to the correct users when generated in the future.


  • Only global variables render within the generated test email because the other variables are generated by the process that triggers the email.
  • Conditional statements, such as within the App Password Changed and the User Locked Out emails, are not included in the test emails.
  • An audit event is created whenever the test address is changed.

Stopping Automated Emails

You have the following options for stopping automated emails:

  1. Make changes to specific system configurations:

  2. Add one of the following keywords to the Subject field of any email template:

    • #stop
    • no_send
    • Stop


    As shown in the example, you can use the HTML for an image directly in the standard text box. This includes the ability to use a custom IdentityNow logo, if your site uses one. Simply right-click the logo and copy the image address. The exact menu label depends on your browser, for example Copy Image Location or Copy image address.

  3. Select Save and test the email to verify that your changes have been applied.