Integrating ServiceNow In SailPoint IdentityIQ


We recently had the opportunity to integrate ServiceNow’s ticketing system with SailPoint’s IdentityIQ platform for a client. The client was deploying IdentityIQ to aid in their quarterly access certification process. SailPoint IdentityIQ has provided an industry-leading access review and certification platform that would streamline their manual processes and increase the efficiency of their access reviews. The client used ServiceNow for all of their access requests, change management, and help desk incidents. Rather than using the standard SailPoint work items for revocation requests, they chose to use the out-of-the-box integration with ServiceNow to create ServiceNow tickets for provisioning.

The integration itself is relatively simple: it consists of an IntegrationConfig object and a plan initializer rule. Tickets can be initiated through any SailPoint provisioning action, such as an access review revocation, access request, or role assignment. The integration converts a standard SailPoint provisioning plan into a SOAP message that is sent to an endpoint within ServiceNow, which generates a ticket. When the ticket is generated, ServiceNow returns the ticket number, which SailPoint stores. SailPoint then periodically polls ServiceNow for the status of the open ticket and records the returned status.

Configuring the integration between ServiceNow and SailPoint consisted of the following steps:

1. Add the following Java options to the application server hosting SailPoint IdentityIQ:

2. Verify the ServiceNow instance is operating and available to the SailPoint server. From the SailPoint server, navigate to the address below. The WSDL of the ServiceNow endpoint should be returned.

3. Create the IntegrationConfig object within SailPoint. The default configuration for the IntegrationConfig object can be found in %IIQ_HOME%/WEB-INF/config/sampleServiceNowIntegration.xml. This file must be customized to work for the specific ServiceNow environment; it specifies how SailPoint is to communicate with ServiceNow. Some of the fields that must be modified are below.

4. For any SailPoint applications that should be provisioned using the ServiceNow integration, create a ManagedResource reference in the ServiceNowIntegrationConfig.

5. Create a plan initializer rule. The OOB integration does not handle XML reserved characters in application or entitlement names and will throw errors if they are not accounted for. We included the plan initializer rule to convert these characters into a character string that would be acceptable to SailPoint. For instance, an application name such as “Payroll & Accounting” would throw errors because of the ampersand (&). The plan initializer rule changed the application name to “Payroll &amp; Accounting”. The rule is referenced in the ServiceNowIntegrationConfig with the following tag:

6. Test the integration with either an access request, role assignment, or access review revocation.
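As an added illustration of the plan initializer rule in step 5 (example code written for this post, not IDMWORKS's or SailPoint's own rule), the BeanShell rule body below walks the provisioning plan and escapes all five XML reserved characters, not only the ampersand, in application names and attribute values before the plan is turned into the SOAP message. It assumes the rule receives the standard `plan` (a `sailpoint.object.ProvisioningPlan`) and `log` variables; the helper names `escapeXml` and `escapeValue` are ours.

```java
// Added example: BeanShell plan-initializer rule body for the ServiceNow
// integration. Assumes the rule is given `plan` (ProvisioningPlan) and `log`.
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// Escape the XML reserved characters. '&' is handled first so the ampersands
// introduced by the later replacements are not escaped twice; the negative
// lookahead leaves text that is already an entity alone, which matters if the
// same plan is initialized again (for example on a retry).
String escapeXml(String s) {
    if (s == null) return null;
    return s.replaceAll("&(?!(?:amp|lt|gt|quot|apos|#[0-9]+|#x[0-9a-fA-F]+);)", "&amp;")
            .replace("<", "&lt;")
            .replace(">", "&gt;")
            .replace("\"", "&quot;")
            .replace("'", "&apos;");
}

// Attribute values may be a single String or a List (multi-valued
// entitlements); anything else carries no reserved characters.
Object escapeValue(Object v) {
    if (v instanceof String) return escapeXml((String) v);
    if (v instanceof List) {
        List out = new ArrayList();
        for (Object item : (List) v) out.add(escapeValue(item));
        return out;
    }
    return v;
}

if (plan != null && plan.getAccountRequests() != null) {
    for (AccountRequest acct : plan.getAccountRequests()) {
        // Application name, e.g. "Payroll & Accounting" -> "Payroll &amp; Accounting"
        String app = acct.getApplication();
        if (app != null && !app.equals(escapeXml(app))) {
            log.debug("Escaping application name for ServiceNow: " + app);
            acct.setApplication(escapeXml(app));
        }
        // Entitlement names/values travel in the attribute requests
        if (acct.getAttributeRequests() != null) {
            for (AttributeRequest attr : acct.getAttributeRequests()) {
                attr.setValue(escapeValue(attr.getValue()));
            }
        }
    }
}
```

The rule mutates the plan in place, which is what the integration expects of a plan initializer. Escaping only the ampersand, as in the original fix, would still leave `<`, `>` and quotes in an entitlement display name to break the SOAP request, so the helper covers all of them.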

Once the integration is working and creating tickets in ServiceNow, the SOAP message for provisioning can be modified. The out-of-the-box integration relies mostly on static values for assignment group and priority levels. These can be customized as needed within the IntegrationConfig.

Overall, the integration was relatively easy to set up, though it required a little customization to get it to function the way the customer wanted. The integration is not without its faults. While it returns a ticket number, it lacks the true bidirectional communication the SailPoint direct connectors support. Also, comments and notes added to the created ServiceNow ticket do not flow back into SailPoint; SailPoint only tracks the status of the ticket.


Questions, comments or concerns? Feel free to reach out to us below or at IDMWORKS


Comments on: “Integrating ServiceNow In SailPoint IdentityIQ”

    1. You could try encrypting the password using the IIQ encryption method (iiq.exe encrypt ) and putting that value in the IntegrationConfig object. While I haven’t tested this myself, most of the password fields in IIQ will take the encrypted value. Let me know if this works for you or if you need anything else.
