
SailPoint (Identity Security Cloud)


Category
IAM
Status
active
Platform
SailPoint Identity Security Cloud (versionless / continuously updated SaaS)
Transports
rest
Direction
inbound
Authentication
SailPoint Public API OAuth 2.0 client credentials
Last updated
2026-04-09

Overview

The SailPoint connector integrates AlertEnterprise Guardian with SailPoint Identity Security Cloud (formerly SailPoint IdentityNow) — the dominant Identity Governance & Administration (IGA) platform in the Fortune 500 financial services and federal verticals. SailPoint sits "above" the IAM directory layer (Okta, Entra) and governs the full identity-lifecycle workflow — birthright provisioning, access reviews, certifications, and SOD policy enforcement.

The integration is read-only — reconciliation only, no provisioning. AE consumes SailPoint as a source of identity events and lifecycle state but does not provision into it. Capabilities: Test Connection, Full User Recon, Incremental User Recon. The intended pattern is: SailPoint owns the identity lifecycle (new hire, transfer, termination); AE polls SailPoint at a configurable interval (typically every 15 minutes), detects qualifying events (new hire, change of department, termination), and triggers AE Guardian workflows downstream — most commonly to provision the new hire's access into one or more PACS or to remove access at termination.

The connector is actively iterated — 6 revisions between September 2025 and April 2026 with active updates to system parameters and query payloads. Customers deploying this connector should verify against the latest revision.

Architecture

Composed from this connector's actors + edges. Trust zones are color-coded; trust crossings render as thicker lines.

5 actors · 4 edges

Authentication

1 method supported

SailPoint Public API OAuth 2.0 client credentials
oauth2-client-credentials

The connector authenticates to SailPoint via the OAuth 2.0 client credentials grant. The tenant admin generates a Personal Access Token (or an app-registration-style client_id + client_secret pair) in the SailPoint admin console. The connector posts to /oauth/token?grant_type=client_credentials with the client_id + client_secret and presents the returned bearer token on all subsequent API calls.

Credential storage
Encrypted in AE connector configuration.

Endpoints

2 endpoints exercised by the connector

Method | Path | Description | Category
POST | {instance}/oauth/token?grant_type=client_credentials | OAuth 2.0 token exchange. | auth
POST | {instance}/v3/search | Search SailPoint identity events / identities — used for new-hire detection and incremental reconciliation. Indices include `events`, `identities`. | query
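The two calls above, together with the polling pattern from the Overview (fetch a token, search the `events` index since the last watermark, classify qualifying events, hand them to a downstream workflow), as an added example. This is not the AE connector's code or SailPoint's SDK; the `/v3/search` body shape (`indices`, `query`, `sort`) follows SailPoint's public v3 search API, while the event type names, attribute names, AE workflow names, the tenant URL and the `constructed_tenant` transport are assumptions built for the example so it runs offline.

```python
"""Added example (not the AE connector's or SailPoint's code): OAuth 2.0
client credentials at {instance}/oauth/token?grant_type=client_credentials,
then POST {instance}/v3/search on the `events` index inside a minimal
incremental-reconciliation tick. Event types, attributes and workflow
names below are ASSUMED; a real tenant maps its own."""
import json
import re
import time
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, List, Optional, Set, Tuple

Poster = Callable[[str, Dict[str, str], bytes], Any]  # (url, headers, body) -> decoded JSON


def urllib_post(url: str, headers: Dict[str, str], body: bytes) -> Any:
    """Real transport (not used offline): POST and decode the JSON reply."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class SailPointClient:
    def __init__(self, instance: str, client_id: str, client_secret: str,
                 post: Poster = urllib_post, now: Callable[[], float] = time.time):
        self.instance = instance.rstrip("/")
        self._client_id, self._client_secret = client_id, client_secret
        self._post, self._now = post, now
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.token_exchanges = 0  # how often /oauth/token was hit (worth alerting on if it spikes)

    def token(self) -> str:
        """Client-credentials exchange, cached until 60 s before expiry. grant_type
        stays in the query string as the guide shows; the secret goes in the form
        body so it never lands in proxy or access logs."""
        if self._token and self._now() < self._expires_at - 60:
            return self._token
        url = f"{self.instance}/oauth/token?grant_type=client_credentials"
        form = urllib.parse.urlencode(
            {"client_id": self._client_id, "client_secret": self._client_secret}).encode()
        resp = self._post(url, {"Content-Type": "application/x-www-form-urlencoded"}, form)
        self._token, self.token_exchanges = resp["access_token"], self.token_exchanges + 1
        self._expires_at = self._now() + float(resp.get("expires_in", 0))
        return self._token

    def search(self, body: Dict[str, Any]) -> List[Dict[str, Any]]:
        headers = {"Authorization": f"Bearer {self.token()}", "Content-Type": "application/json"}
        return self._post(f"{self.instance}/v3/search", headers, json.dumps(body).encode())


def event_search_body(since_iso: str) -> Dict[str, Any]:
    """Incremental query: events created at or after the watermark, oldest first so
    the watermark only moves forward. Lower bound is inclusive => caller de-dupes."""
    return {"indices": ["events"], "query": {"query": f"created:[{since_iso} TO *]"},
            "sort": ["created"]}


def classify(event: Dict[str, Any]) -> Optional[str]:
    """ASSUMED mapping from event shape to the AE Guardian workflow it should trigger."""
    etype, attrs = event.get("type"), event.get("attributes", {})
    if etype == "IDENTITY_CREATED":
        return "AE_NEW_HIRE_PACS_PROVISION"
    if etype == "IDENTITY_ATTRIBUTE_CHANGED" and attrs.get("attribute") == "department":
        return "AE_DEPARTMENT_TRANSFER"
    if etype == "IDENTITY_LIFECYCLE_STATE_CHANGED" and attrs.get("newState") == "terminated":
        return "AE_TERMINATION_PACS_REVOKE"
    return None  # unmapped events are ignored, matching the prerequisite note on the page


def poll_once(client: SailPointClient, since_iso: str, seen: Set[str]
              ) -> Tuple[List[Tuple[str, str]], str]:
    """One polling tick: returns [(identity id, workflow)] and the advanced watermark."""
    actions, watermark = [], since_iso
    for ev in client.search(event_search_body(since_iso)):
        if ev["id"] in seen:
            continue  # inclusive range re-returns the boundary event; skip it
        seen.add(ev["id"])
        watermark = max(watermark, ev["created"])
        wf = classify(ev)
        if wf:
            actions.append((ev["target"]["id"], wf))
    return actions, watermark


def constructed_tenant(events: List[Dict[str, Any]]) -> Poster:
    """Constructed offline stand-in for a tenant; not a real SailPoint reply."""
    def post(url: str, headers: Dict[str, str], body: bytes) -> Any:
        if url.endswith("/oauth/token?grant_type=client_credentials"):
            if urllib.parse.parse_qs(body.decode()).get("client_secret") != ["constructed-secret"]:
                raise PermissionError("bad client credentials")
            return {"access_token": "constructed-token", "expires_in": 3600}
        if headers.get("Authorization") != "Bearer constructed-token":
            raise PermissionError("missing bearer token")
        since = re.search(r"created:\[(\S+) TO \*\]", json.loads(body)["query"]["query"]).group(1)
        return sorted((e for e in events if e["created"] >= since), key=lambda e: e["created"])
    return post


SAMPLE_EVENTS = [  # constructed sample data
    {"id": "ev1", "type": "IDENTITY_CREATED", "created": "2026-04-09T08:00:00Z",
     "target": {"id": "2c91-alice"}, "attributes": {}},
    {"id": "ev2", "type": "IDENTITY_ATTRIBUTE_CHANGED", "created": "2026-04-09T08:05:00Z",
     "target": {"id": "2c91-bob"}, "attributes": {"attribute": "department", "newValue": "Ops"}},
    {"id": "ev3", "type": "IDENTITY_ATTRIBUTE_CHANGED", "created": "2026-04-09T08:06:00Z",
     "target": {"id": "2c91-bob"}, "attributes": {"attribute": "phone"}},
    {"id": "ev4", "type": "IDENTITY_LIFECYCLE_STATE_CHANGED", "created": "2026-04-09T08:20:00Z",
     "target": {"id": "2c91-carol"}, "attributes": {"newState": "terminated"}},
]


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]], int]:
    """Two ticks 15 minutes apart; ev4 arrives in the tenant between them."""
    tenant_events, clock = list(SAMPLE_EVENTS[:3]), [1_700_000_000.0]
    client = SailPointClient("https://tenant.api.identitynow.com", "constructed-id",
                             "constructed-secret", post=constructed_tenant(tenant_events),
                             now=lambda: clock[0])
    seen: Set[str] = set()
    first, wm = poll_once(client, "2026-04-09T00:00:00Z", seen)
    tenant_events.append(SAMPLE_EVENTS[3])
    clock[0] += 15 * 60  # next tick; the cached token is still valid
    second, _ = poll_once(client, wm, seen)
    return first, second, client.token_exchanges


if __name__ == "__main__":
    print(demo())
```

The token is cached and reused across ticks, so a 15-minute poll produces one token exchange per hour rather than one per tick; a sudden rise in `token_exchanges` is a cheap signal that the cached credential is being rejected. The watermark is taken from the event's own `created` timestamp rather than the poller's clock, so a delayed or retried tick cannot skip events.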

Prerequisites

Everything that must be in place for this connector to work, with the owner who's responsible.

SailPoint Identity Security Cloud tenant with Public API access

customer

An operational SailPoint Identity Security Cloud tenant. Tenant admin must enable Public API access and generate OAuth client credentials.

AE Guardian workflows mapped to SailPoint event types

ae

AE Guardian-side workflow mappings must be configured for the events of interest — new hire, identity-attribute change, termination. Without these mappings, polling SailPoint produces events that AE doesn't act on.

Known limitations

Documented constraints to set customer expectations before deployment.

Reconciliation only (no provisioning back to SailPoint)

important

The connector reads from SailPoint but does not write into it. SailPoint remains the authority for the identity lifecycle; AE consumes events and acts on them downstream. If a deployment requires AE to push into SailPoint, that requires custom connector development.

Active iteration — track guide revisions

informational

6 revisions in 8 months (Sept 2025 - April 2026), with active updates to system parameters and query payloads. Verify against the latest connector guide revision before each deployment and after each SailPoint platform update.

IAM specifics

Protocol support
OIDC
yes
SAML
yes
SCIM
yes · SCIM 2.0
JIT provisioning
configurable
Group sync mode
not-supported
Source of record
Yes
MFA model

SailPoint defers MFA to the upstream IdP (Okta, Entra ID). The connector reads identity state from SailPoint but does not configure or enforce MFA itself.

Default attribute mapping

SailPoint identity attributes — id, name, email, employeeNumber, department, manager, lifecycleState, status. AE-side mapping is configurable.

Source materials
  • src/connectors/sail-point-rest/source.pdf Full connector guide — 32 pages, revision 6.0 dated 2026-04-06
  • src/connectors/sail-point-rest/source.pdf p7 — Connector Architecture
  • src/connectors/sail-point-rest/source.pdf p7 — Integration Mechanism / Polling Schedule
Verifying access