> ## Documentation Index
> Fetch the complete documentation index at: https://docs.livingsecurity.com/llms.txt
> Use this file to discover all available pages before exploring further.

# SailPoint IdentityNow

> Connect SailPoint IdentityNow to import identity and account data.

export const ConnectInPlatform = ({tile, children}) => <Step title="Enter the credentials in the Living Security Platform">
    <p>
      Completed by whoever holds Living Security access — the program owner, or the system
      admin if they've been invited (delegated setup).
    </p>
    <ol>
      <li>
        Go to <strong>Settings → Integrations → Catalog</strong>, find the{' '}
        <strong>{tile}</strong> tile, click <strong>Connect</strong>.
      </li>
      <li>
        Fill in the fields below, then click <strong>Connect</strong>.
      </li>
    </ol>
    {children}
  </Step>;

export const SystemAdminBanner = ({system, recommendDelegated}) => <Note>
    <p>
      <strong>This guide is for your {system} administrator.</strong> It covers creating API
      credentials inside {system}, which requires admin access to {system} — not to the
      Living Security Platform.
    </p>
    <p>
      If you're the Living Security <strong>program owner</strong> and don't administer {system},
      send this page to whoever does. They complete Part A and hand the credentials back to you
      (or enter them directly if you've invited them into the platform).
      {recommendDelegated && <>
          {' '}Because setup produces sensitive key material, we recommend the{' '}
          <strong>delegated setup</strong> path so the secret is never sent back to you.
        </>}
    </p>
  </Note>;

<SystemAdminBanner system="SailPoint IdentityNow" recommendDelegated={true} />

## What Living Security needs

| Credential           | Description                                                                         |
| -------------------- | ----------------------------------------------------------------------------------- |
| **Client ID**        | The identifier for the OAuth 2.0 API client                                         |
| **Client Secret**    | The credential generated with the API client (displayed once at creation)           |
| **Tenant subdomain** | The subdomain of your IdentityNow tenant (e.g., `acme` from `acme.identitynow.com`) |

**Scopes:** Client Credentials grant type with access to `/v3/accounts` and `/v3/search` endpoints

**Required role:** **Admin** or **System Administrator** in SailPoint IdentityNow

### Prerequisites

* You must have **Admin** or **System Administrator** access in SailPoint IdentityNow to create and manage API clients.

***

## Part A — In SailPoint IdentityNow

*Your SailPoint IdentityNow administrator completes these steps.*

<Steps>
  <Step title="Locate your tenant subdomain">
    Your tenant subdomain appears before `.identitynow.com` in all IdentityNow URLs.

    **From your IdentityNow URL:**
    When signed in, your browser shows `https://TENANT.identitynow.com`. The part before `.identitynow.com` is your tenant subdomain.

    **From the admin dashboard:**
    Navigate to **Admin** → **Dashboard** → **Overview** and look for the **Org Name** in the Org Details section.

    Record this value for Part B.
  </Step>

  <Step title="Create an OAuth 2.0 API client">
    1. Sign in to your IdentityNow admin console.

    2. Navigate to the API Management panel:
       `https://TENANT.identitynow.com/ui/admin/#admin:global:security:apimanagementpanel`

       Replace `TENANT` with your actual tenant subdomain.

    3. Click **New** (or **Create API Client**).

    4. Enter a descriptive **Name** (e.g., `Living Security Platform`).

    5. Under **Grant Types**, enable **Client Credentials**.

    6. Leave other grant types disabled unless you have a separate use case.

    7. Click **Save**.

    <Note>
      The **Client Credentials** grant type authorizes the integration to request access tokens using only the client ID and secret, with no user interaction. This is appropriate for server-side data sync integrations.
    </Note>
  </Step>

  <Step title="Copy the Client ID and Client Secret">
    After saving, IdentityNow displays the **Client ID** and **Client Secret**.

    **Copy both values immediately** and store them securely (e.g., in a password vault).

    <Warning>
      The **Client Secret** is displayed only once immediately after creation. If you navigate away before copying it, you must delete the client and create a new one. The Client ID remains visible in the API Management panel, but the secret does not.
    </Warning>
  </Step>
</Steps>

***

## Part B — In the Living Security Platform

*The program owner completes this step, or the system admin if using delegated setup.*

<Steps>
  <ConnectInPlatform tile="SailPoint IdentityNow">
    | Field                | Value                                                                        |
    | -------------------- | ---------------------------------------------------------------------------- |
    | **Client ID**        | The Client ID from Part A, Step 3                                            |
    | **API Key**          | The Client Secret from Part A, Step 3                                        |
    | **Tenant subdomain** | The subdomain from Part A, Step 1 (e.g., `acme`, not `acme.identitynow.com`) |

    <Note>
      Enter the subdomain only — for example, `acme`, not `acme.identitynow.com` or `https://acme.api.identitynow.com`.
    </Note>

    <img src="https://mintcdn.com/livingsecurity/oVkrOMkYmNevekTI/integrations/images/sailpoint-identitynow/connect-dialog.png?fit=max&auto=format&n=oVkrOMkYmNevekTI&q=85&s=6d9fff0e4cc72d3c9d1a8c5bcff1588a" alt="Living Security connect dialog for SailPoint IdentityNow" style={{maxWidth: "450px"}} width="576" height="416" data-path="integrations/images/sailpoint-identitynow/connect-dialog.png" />
  </ConnectInPlatform>
</Steps>

You are now connected to SailPoint IdentityNow.

***

## Troubleshooting

<AccordionGroup>
  <Accordion title="401 Unauthorized">
    The credentials are invalid. Check:

    1. Client ID and Client Secret are correct
    2. Client Secret has not been rotated or deleted
    3. Tenant subdomain matches your IdentityNow environment exactly
  </Accordion>

  <Accordion title="403 Forbidden">
    The API client may not have sufficient authorization scopes, or your IdentityNow admin account lacks the necessary rights.

    Verify:

    1. The API client is configured with the **Client Credentials** grant type
    2. Your admin account has roles required to access `/v3/accounts` and `/v3/search` endpoints
  </Accordion>

  <Accordion title="Connection fails with invalid tenant">
    The tenant subdomain may be incorrect. Verify:

    1. You entered only the subdomain (e.g., `acme`), not the full domain
    2. The subdomain matches your IdentityNow URL exactly (case-sensitive)
  </Accordion>

  <Accordion title="Empty results">
    The API client may lack permissions to read identity data. Verify your IdentityNow admin account has the roles required to access the identities and accounts APIs.
  </Accordion>
</AccordionGroup>
