SailPoint Tutorial

Introduction to SailPoint

SailPoint is a leading Identity Governance and Administration (IGA) solution that automates user provisioning, access control, compliance, and lifecycle management. It helps enterprises ensure “the right people have the right access to the right resources at the right time.”

SailPoint offers two major products:

• IdentityNow – SaaS-based identity governance (cloud)

• IdentityIQ (IIQ) – On-premises identity governance solution

Used by organizations globally for SOX compliance, zero trust architecture, and automated access reviews, SailPoint is a critical tool in modern enterprise security.

Why Learn SailPoint?

• High-demand IAM tool in banking, healthcare, telecom

• Supports automated provisioning/de-provisioning

• Integrates with Active Directory, Workday, SAP, Azure, AWS

• Reduces compliance risks

• High-paying roles: IAM Analyst, SailPoint Engineer, Identity Architect

SailPoint Architecture Overview

1. IdentityNow Architecture (Cloud)

• Connector Layer: Connects to external systems (e.g., AD, Azure, Salesforce)

• IdentityNow Core: Manages governance, certifications, approvals

• UI/API Layer: Web interface and REST APIs

• Data Layer: Stores user identity data, entitlements, roles

2. IdentityIQ Architecture (On-prem)

• Java-based platform deployed on Apache Tomcat

• Uses relational databases (Oracle, MySQL, SQL Server)

• Custom workflows and tasks via XML, BeanShell scripting

• SOAP/REST APIs for integration

SailPoint Key Concepts

Getting Started with SailPoint IdentityNow

Step 1: Create Identity Profiles

• Define source of truth (e.g., Workday, AD)

• Configure identity attributes like email, employeeType, location

• Map these to identity schema

Step 2: Configure Identity Sources

• Connect to authoritative sources (LDAP, HRMS)

• Use out-of-the-box connectors or build custom using SailPoint IdentityNow IdentityNow Connector SDK

Step 3: Account Aggregation

• Pull user accounts from connected systems

• Reconcile attributes (email, title, department)

• IdentityNow builds identity cubes

Step 4: Provisioning and Lifecycle Management

• Define rules for account creation, update, disable

• Trigger provisioning events for:

  • New hires (Joiners)

  • Transfers (Movers)

  • Resignations (Leavers)

Step 5: Access Request and Approval

• Users request access via IdentityNow Portal

• Access governed by policies, manager approvals

• Automated or manual provisioning based on role/entitlement

Step 6: Certifications

• Periodic reviews of user access by managers or app owners

• Ensure least privilege and compliance

• Types of certifications:

  • Manager Certification

  • Application Owner Certification

  • Role Certification

SailPoint Lifecycle Management

Workflows are configured to automate these processes and reduce human error.

Policy & Compliance in SailPoint

SailPoint allows you to define and enforce policies:

• Separation of Duties (SoD): Prevent conflicting roles (e.g., create + approve invoice)

• Password Policies: Enforce strength and reset frequency

• Access Reviews: Detect orphan accounts and over-provisioned users

SailPoint IdentityIQ Features

Provisioning Engine

Handles user account creation and deactivation across systems.

Access Review Module

Certifications with electronic sign-off for audit tracking.

Role Mining

Suggests roles based on access patterns (role suggestion engine).

Compliance Manager

Tracks policy violations, audit logs, and remediation steps.

Real-Time SailPoint Use Case

Use Case: Automate provisioning for a new employee

1. HR adds a new hire in Workday

2. SailPoint aggregates identity from Workday

3. Based on job title/location, assigns role

4. Automatically provisions:

   • AD account

   • Office 365 mailbox

   • SAP access

5. Sends welcome email + access summary

6. Starts 30-day certification workflow

SailPoint Connectors (Examples)

Custom Rules in SailPoint

Rules extend platform behavior using BeanShell:

• Pre-provisioning Rule: Modify data before provisioning

• Correlation Rule: Match accounts to identities

• Policy Rule: Define custom SoD logic

• BuildMap Rule: Format attribute mapping for target app

IdentityNow vs IdentityIQ Comparison

SailPoint Best Practices

• Use roles for entitlement bundling

• Implement access request policies with approval workflows

• Automate certifications quarterly

• Regularly review SoD violations

• Integrate with SIEM tools for audit trails

• Configure real-time alerts for risky access assignments

Common Interview Questions on SailPoint

1. What is IdentityNow? How is it different from IdentityIQ?

2. Explain identity cube.

3. What are access certifications and how are they triggered?

4. What is SoD and how is it enforced in SailPoint?

5. How does SailPoint handle lifecycle events?

6. What is a correlation rule?

7. How do you onboard a new application into SailPoint?

8. Explain Joiner-Mover-Leaver automation.

9. What are provisioning policies in IdentityIQ?

10. How do you integrate SailPoint with Active Directory?

Also Read: SailPoint Interview Questions

Who Should Learn SailPoint?

• IAM Analysts

• IT Security Engineers

• Identity Architects

• DevOps & Cloud Engineers

• Compliance Officers

• SailPoint Administrators

Roles and Responsibilities in a SailPoint Project

Tools and Skills Required

• Java/BeanShell scripting

• REST/SOAP API integration

• LDAP/AD knowledge

• SQL for reporting

• IdentityNow CLI or APIs

• Azure/AWS IAM (for hybrid cloud setups)

Conclusion

SailPoint is a critical tool in enterprise IAM ecosystems, enabling governed access, automated provisioning, and compliance reporting. Whether you’re targeting IdentityNow (cloud) or IdentityIQ (on-prem), mastering SailPoint positions you for high-paying roles in cybersecurity, GRC, and cloud access control.