SailPoint Connectors List and Setup Guide 2026
SailPoint connectors are integration middleware enabling automated identity lifecycle management across enterprise applications. They facilitate bidirectional data flow—reading (aggregation) user data from systems like Active Directory, Workday, and SAP, and writing (provisioning) account changes. Connectors are critical infrastructure for compliance automation, security, and operational efficiency in modern identity governance.
★★★★★
4.9/5 rated by 1329+ students · Google Verified
Table of Contents
Introduction
SailPoint connectors form the backbone of enterprise identity governance. SailPoint Certification Training in Hyderabad professionals understand that mastering connectors is essential for successful identity management implementations. This guide covers connector types, architecture, setup procedures, best practices, and real-world enterprise integrations.
Whether preparing for certification or implementing enterprise SailPoint certification and training programs concepts in production, this comprehensive resource provides everything needed to configure, manage, and optimize SailPoint connectors for organizational success.
SailPoint Connectors List and Setup Guide
What Are SailPoint Connectors?
SailPoint connectors are specialized software components that establish communication bridges between SailPoint and external systems. To understand what SailPoint is and how it operates, recognize that connectors serve as translators converting SailPoint commands into application-specific protocols.
Each connector targets a specific system—Active Directory, cloud applications, databases, or REST APIs. Connectors read user data from source systems, transform it into SailPoint’s identity model, and manage provisioning operations (account creation, modification, deprovisioning).
A connector consists of three components: connector configuration (connection parameters and credentials), connector schema (attribute mappings), and connector operations (read/write actions).
Why SailPoint Connectors Are Essential
Automation: Eliminates manual account provisioning across applications. New employee onboarding triggers automatic account creation across dozens of systems through connectors.
Compliance: Regulatory requirements (SOX, HIPAA, GDPR) demand documented access controls and audit trails—connectors capture all provisioning actions automatically.
Security: Centralizes identity management reducing orphaned accounts, forgotten deprovisioning, and inconsistent access policies.
Operational Efficiency: Organizations report 40-60% reduction in manual identity management tasks, freeing security teams for strategic work.
SailPoint Connectors List and Primary Types
SailPoint maintains extensive pre-built connector libraries. Most deployments use these foundational connectors
Directory Services
- Active Directory: Windows environment user/group management; most widely deployed
- Azure AD/Entra ID: Cloud-native directory for Microsoft 365, Teams, Intune
- LDAP: Generic directory protocol supporting OpenLDAP, eDirectory systems
- Unix/Linux: User account management via SSH protocols
Enterprise Applications
- Workday: HCM platform; authoritative employee data source
- SAP: Enterprise resource planning user/role management
- ServiceNow: IT service management platform integration
- Salesforce: CRM platform user provisioning and access
- SuccessFactors: SAP cloud HCM employee master data
Cloud & Custom Connectors
- REST API Connector: Generic connector for REST-based APIs
- JDBC Connector: Java-based connector for databases
- SCIM Connector: System for Cross-domain Identity Management protocol
- Delimited File: CSV/flat-file data source integration
Connector Types and Deployment Models
|
Connector Type |
Architecture |
Examples |
Best Use Case |
|
Pre-Built |
Vendor-specific |
Active Directory, Workday, SAP |
Standard implementations with minimal customization |
|
REST API |
HTTP/JSON |
Custom APIs, modern SaaS |
Cloud applications without pre-built connectors |
|
JDBC |
Database connectivity |
Oracle, SQL Server, custom databases |
Direct database integration, legacy systems |
|
SCIM |
Standardized protocol |
Cloud identity providers, modern SaaS |
Applications supporting SCIM protocol standard |
How SailPoint Connectors Work: Core Operations
Aggregation (Read): Connectors read account data from target systems and import into SailPoint. Query executes against the target system, data normalizes according to schema mappings, and identity data transforms into SailPoint’s canonical model.
Provisioning (Write): Workflows trigger account actions (create, modify, disable, delete). Connector maps SailPoint attributes to target system parameters, executes target system operations, and returns success/error status to SailPoint for audit logging.
Understanding SailPoint certification curriculum connector workflows is essential for certification exam success and practical implementation.
SailPoint Connector Architecture Overview
Modern SailPoint architecture leverages Identity Security Cloud connector capabilities offering enhanced management and real-time synchronization versus legacy on-premises deployments.
Connector Framework: Core engine providing lifecycle management, error handling, retry logic, and connection pooling.
Schema Definition: Maps target system attributes to SailPoint objects (identity, application, account, group, role). Account schema defines account-level attributes; entitlement schema maps application groups/roles to SailPoint entitlements.
Deployment Options: Cloud connectors run in SailPoint infrastructure (automatic updates, scaling). On-premises connectors run on dedicated servers (full control, low latency).
Prerequisites Before Connector Setup
|
Requirement Category |
Specification |
Purpose |
|
Network Connectivity |
FQDNs resolved, ports open (389 LDAP, 443 HTTPS, etc.) |
Communication between SailPoint and target system |
|
Service Account |
Non-expiring account with read and write permissions |
Connector authentication to target system |
|
Credentials |
Secure credential storage, encrypted configuration |
Protect authentication details from unauthorized access |
|
Schema Documentation |
Target system attributes, mapping rules, provisioning workflows |
Configure connector schema and transformation rules |
|
Approval & Testing |
Stakeholder approval, change management tickets, test plan |
Governance and risk mitigation |
Step-by-Step Connector Configuration Guide
Step 1: Access Connector Management (Admin > Connectors).
Step 2: Select connector type (Active Directory, REST API, etc.).
Step 3: Enter connection parameters (host, port, credentials, base DN).
Step 4: Configure schema mappings (sAMAccountName → identity.name, etc.). Step 5: Test connection.
Step 6: Set aggregation schedule.
Step 7: Enable provisioning operations.
Step 8: Run initial aggregation.
Step 9: Validate imported data.
Step 10: Deploy to production.
If new to SailPoint, beginner-friendly SailPoint connector training covers these steps with hands-on labs.
Common Connector Configuration Parameters
|
Parameter |
Description |
Example |
|
Target System Host |
Hostname or IP of target system |
dc1.contoso.com |
|
Port |
Communication port |
389 (LDAP), 636 (LDAPS), 443 (HTTPS) |
|
Authentication Type |
Credential method |
Basic, OAuth, API Key, Certificate |
|
Service Account |
Connector identity |
svc_sailpoint or CONTOSO\svc_sailpoint |
|
SSL/TLS Enabled |
Encrypt connections |
True (recommended) |
|
Timeouts |
Connection/read operation limits |
30-60 seconds |
|
Base DN |
Search starting point (LDAP) |
DC=contoso,DC=com |
|
Provisioning Enabled |
Allow writes to target |
True/False |
Many configurations use UI-driven approaches; SailPoint connector configuration doesn’t require deep Java expertise, though advanced customization may need scripting.
Testing and Validation Strategies
Aggregation Testing: Compare imported account count to source system count (should match exactly). Spot-check random accounts for attribute accuracy. Verify entitlement correlation and aggregation performance metrics.
Provisioning Testing: Test account creation (new user in SailPoint, verify in target system), attribute updates, account disable/enable, and entitlement provisioning. Test failure scenarios (invalid credentials, network outage).
Security Testing: Verify encrypted credentials, SSL/TLS usage, audit log capture, and least-privilege service account access.
Troubleshooting Connector Issues
Connection Failures: Verify hostname/IP/port, test network connectivity, check firewall rules, validate credentials, and review target system logs.
Aggregation Failures: Check query filters aren’t too restrictive, verify service account read permissions, review schema mappings, and check aggregation logs for transformation errors.
Provisioning Failures: Verify provisioning permissions, check password policies, validate attribute value constraints, and test manual operations in target system.
Performance Issues: Optimize aggregation filters, implement delta aggregation, increase thread pools, batch provisioning requests, and check system resource consumption.
Real-world connector solutions are shared in SailPoint Community connector forums where practitioners discuss configuration challenges and advanced scenarios.
SailPoint Connector Best Practices
Credential Management: Use service accounts (non-human accounts that don’t expire). Apply the principle of least privilege. Rotate passwords quarterly. Use encrypted credential storage. Restrict configuration access.
Schema Mapping: Document mappings clearly. Maintain consistent naming across connectors. Validate mappings periodically. Use transformation rules for complex mappings. Test mappings with real data.
Aggregation: Align frequency with business needs (daily for HR, weekly for legacy systems). Schedule off-peak hours. Set up monitoring and alerts. Perform post-aggregation validation. Maintain audit logs.
Provisioning: Test in non-production first. Require approval for sensitive operations. Implement notifications and escalations. Document rollback procedures. Use batch provisioning.
Connector best practices align with SailPoint certification exam topics on connector configuration; mastering these is essential for exam success and production quality.
Security and Compliance in Connector Configuration
Network Security: Always use SSL/TLS. Restrict firewall access to specific IPs and ports. Route sensitive traffic through VPN/private networks. Monitor for anomalies.
Credential Security: Require strong service account passwords (20+ characters). Enable MFA where possible. Rotate credentials quarterly. Log all access and modifications.
Audit and Compliance: Enable detailed audit logging for all operations. Retain logs per compliance requirements (7 years for SOX/HIPAA/PCI). Ensure immutable audit trails. Perform quarterly audits.
Connector security aligns with NIST Role-Based Access Control standards governing provisioning and access validation across integrated systems.
Performance Tuning for Connectors
Aggregation Tuning: Increase connection pooling (test incrementally). Optimize batch sizes. Enable parallel processing. Switch to delta aggregation after initial import (10-20x faster).
Provisioning Tuning: Configure provisioning queues for batching. Use asynchronous provisioning. Implement exponential backoff retry logic. Tune connection timeouts (30-60 seconds).
System Resources: Allocate sufficient heap memory (4-8GB for medium deployments). Configure thread pools based on capacity. Maintain database indexes. Use SSD storage for disk I/O.
Cloud vs On-Premises Connectors
Cloud Connectors (Identity Security Cloud): Run in SailPoint infrastructure with automatic patching and scaling. No infrastructure management. Lower operational complexity. Higher cost transparency. Limited control over updates.
On-Premises Connectors: Run on dedicated servers with full control. No internet connectivity required. Better performance for low-latency needs. Higher infrastructure costs. Greater operational complexity.
Many enterprises use hybrid deployments: cloud connectors for SaaS applications, on-premises for legacy systems requiring low-latency or data residency.
Most Frequently Used Connectors
Active Directory: Windows environments; most widely deployed. Scales 100-500,000+ users. Supports dynamic groups and bidirectional provisioning.
Workday: HR systems using Workday. Medium to large enterprises. Real-time webhooks for near-instant notifications.
Azure AD/Entra ID: Cloud-native directory. Hybrid environments. Modern REST API.
ServiceNow: ITSM platform integration. Provisioning to user and group tables.
SAP: Enterprise resource planning. Large enterprises with complex deployments. RFC and SUMF support.
For enterprise systems like SAP, detailed guidance covers enterprise application integration best practices and complex configuration paths.
Real-World Connector Use Cases
Joiner-Mover-Leaver Automation: New employee in Workday triggers automatic account creation across 15+ applications within minutes. Reduces provisioning time from 1-2 days to minutes.
Access Certification: Connectors aggregate entitlements from 30+ systems. Managers certify access quarterly instead of annual reviews. Improves accuracy and reduces review duration.
Automatic Termination Disable: Workday termination event triggers automatic disable across all systems. Eliminates security risk from delayed deprovisioning.
SOD Compliance: Connectors monitor segregation of duties conflicts. Policies identify incompatible role combinations. Enables continuous compliance versus annual audits.
Future Connector Trends
Review SailPoint’s product roadmap for emerging connector enhancements. Upcoming directions include AI-driven connector intelligence, zero-trust architecture, event-driven webhooks replacing scheduled aggregation, expanded SCIM support, and low-code/no-code connector builders democratizing configuration.
Key Takeaways
- Connectors enable automated identity lifecycle management across enterprise portfolios
- Aggregation (read) and provisioning (write) are dual core operations requiring careful configuration
- Prerequisites, testing, and validation are non-negotiable before production deployment
- Ongoing credential rotation, performance monitoring, and audit logging are continuous operational requirements
- Security, compliance, and best practices ensure production stability and regulatory alignment
FAQ
1. What’s the difference between aggregation and provisioning?
Aggregation is read: SailPoint pulls user data from target systems. Provisioning is write: SailPoint pushes account changes to target systems. Both are necessary for complete lifecycle management.
2. How often should connectors run?
Depends on change rate. HR systems may need daily aggregation (frequent changes); legacy systems weekly/monthly. Start daily for critical systems; adjust based on actual change volume.
3. What’s the difference between pre-built and custom connectors?
Pre-built connectors (Active Directory, Workday, SAP) are SailPoint-configured for specific applications. Custom connectors (REST, JDBC) require configuration for applications without pre-built support.
4. Can I use personal accounts for connector credentials?
No. Always use service accounts (non-human accounts). Personal accounts expire when employees leave, causing connector failures. Service accounts are stable and auditable.
5. What happens if a connector fails?
SailPoint logs the failure and alerts administrators. Existing data remains unchanged. The connector retries per configured policies. Manual investigation fixes the underlying issue before retrying.
6. How do I test provisioning safely?
Use test accounts in non-production environments first. Create test identity, trigger provisioning, verify results before enabling in production.
7. Can one connector connect to multiple system instances?
Yes, but each instance needs a separate connector configuration with its own credentials and mappings. For example, separate connectors for Dev, Test, Production SAP systems.
8. What’s the maximum account volume a connector handles?
No hard limit. Performance degrades at very large scale (1M+ accounts). Optimize through delta aggregation, parallel processing, batch provisioning, and proper resource allocation.
9. Must I restart SailPoint after configuration changes?
No. Most configuration changes auto-reload. Only Java code changes require restart (rare in typical deployments).
10. How do I connect to systems without pre-built connectors?
Use generic connectors: REST API (REST systems), JDBC (databases), Web Services (SOAP APIs). These require more configuration but work with virtually any system.
SailPoint Trainer
SailPoint Masters Editorial Team | 15+ Articles Published
We specialize in SailPoint Certification Training in Hyderabad, helping aspiring professionals and IT experts develop in-demand Identity and Access Management (IAM) skills. Our training covers SailPoint IdentityIQ, Identity Security Cloud, certification preparation, real-world projects, and career guidance to support success in cybersecurity and identity governance careers.
Share