SailPoint deployment
★★★★★ 4.6 CE

SailPoint Deployment Options & Rollout 2026

SailPoint ships as Identity Security Cloud SaaS on AWS or self-managed IdentityIQ. A rollout is a connector onboarding program that scales with your estate.

SailPoint Deployment verdict

Verified today·4 sources checked

SailPoint deploys as an identity-governance platform in two forms.

Identity Security Cloud is the multi-tenant SaaS on AWS microservices, with a Confluent and Kafka layer and a customer-chosen hosting region. IdentityIQ is a separate self-managed product.

How to roll it out

Plan SailPoint as a governance onboarding program, not a quick directory switch. Choose Identity Security Cloud to avoid self-hosting and pick your hosting region at onboarding, or run IdentityIQ self-managed where you need full control. Then map your source systems to the connector taxonomy. Start light with quick-compliance connectors, then move to deep-governance connectors for provisioning, and stand up a virtual-appliance cluster for any on-premise systems. Budget for the connector estate, since each managed system needs credentials you maintain. Automate onboarding through the ISC REST API, using a personal access token and the client-credentials flow, so sources, accounts and aggregations are scriptable. Expect to engage billable Professional Services for a new implementation, and for federal work deploy into the FedRAMP Moderate public-government cloud. SailPoint is strongest for broad, complex and hybrid estates that need deep governance. A small team wanting a lightweight directory will find it heavier than it needs.

Honest limits
  • SailPoint ships in two deployment forms: the Identity Security Cloud SaaS and the self-managed IdentityIQ, which differ in hosting and operations.
  • On-premise sources require a virtual-appliance cluster, so a real deployment is usually hybrid rather than pure SaaS.
  • Customers are responsible for the API keys and credentials the connectors use, and SailPoint does not guarantee their availability.
Forms
SaaS (ISC) + self-managed (IdentityIQ)
Cloud
Multi-tenant on AWS
Bridge
Virtual-appliance cluster
As code
ISC REST API (OAuth)
Federal
FedRAMP Moderate public cloud
View sources

This page covers how SailPoint deploys and is administered. Its compliance posture and pricing live on their own pages.

Deploy SailPoint: commands and config

What you run at each SailPoint layer

LayerWhat you runNotes
Cloud (SaaS)Identity Security Cloud, multi-tenantBuilds on IdentityNow; AWS microservices
Self-managedIdentityIQSeparate product on the trust portal filter
Core hostingAmazon Web ServicesHosting and processing provider for SaaS core infrastructure
MessagingConfluent (Kafka)Async communication between microservices
On-prem bridgeVirtual-appliance clusterRequired for VA-based connectors to on-premise systems
Region / residencyCustomer-selected hosting regionChosen at onboarding from available regions
Federal cloudPublic Cloud (government)FedRAMP Moderate; separate AWS GovCloud environment

SailPoint connectors and integration surface

IntegrationTypeCapabilitiesSetup
Quick ComplianceRead-only sourceLightweight config · Fast source onboardingLow
Deep Governance (SaaS)Provisioning connectorRead accounts · Provision changes · No on-prem applianceConfig
Deep Governance (VA-based)Provisioning connectorOn-premise systems · Requires VA clusterSelf-managed VA
DiscoveryApplication discoveryAuto-identify enterprise apps · Extract app detailsLow
Service Desk IntegrationsITSM integrationRaise, track and close tickets · Service / Incident / ChangeConfig
Credential ProvidersPrivileged credentialCredential rotation · For privileged accountsConfig
Applications (IQ Service)Connector applicationDesktop Password Reset · IQ Service · CollaborationSelf-managed agent
Shared Signals (SSF)Event sharingReal-time security events · Cross-solution alertsConfig

SailPoint rollout plan and risk points

  • Source onboarding can start light: quick-compliance connectors let you quickly begin running source operations with lighter configuration.
  • Deeper integration adds provisioning: deep-governance connectors read accounts and provision changes to managed systems and applications.
  • On-premise systems require standing up and managing a virtual-appliance cluster to run VA-based connectors.
  • Operationally the customer owns the credentials: SailPoint is not responsible for the availability of the API keys the connectors integrate with, and billable Professional Services are common during new implementations.

SailPoint Deployment FAQ

How is SailPoint deployed, cloud or self-managed?

Both. Identity Security Cloud is the multi-tenant SaaS, built on AWS and described on the FedRAMP record as a SaaS multi-tenant suite, and it builds on the earlier IdentityNow. IdentityIQ is a separate self-managed product, listed alongside ISC on SailPoint's trust portal, for teams that need to run governance in their own environment. Because on-premise sources need a virtual-appliance cluster, most real ISC deployments are hybrid.

What is the virtual appliance and when do I need it?

It is the bridge to on-premise systems. SailPoint splits deep-governance connectors into SaaS connectors, which need no on-premise appliance, and VA-based connectors, which are on-premise deployments that require a virtual-appliance cluster to run the connector. If you govern systems that live in your own data center, you stand up and operate that cluster as part of the deployment.

Can I automate SailPoint as code?

Yes, through the ISC REST API. You generate a personal access token, a client ID and secret, in the ISC UI. Then you use the OAuth client-credentials flow against https://[tenant].api.identitynow.com/oauth/token to get a JWT access token, and call the v3 endpoints with an Authorization: Bearer header. From there you can list and create sources, trigger account aggregations and search identities programmatically. Connector onboarding and governance operations are scriptable from CI rather than clicked in the UI.

What kinds of connectors does SailPoint offer?

A taxonomy rather than a flat list. Quick-compliance connectors give fast, lightweight, read-only onboarding. Deep-governance connectors, either SaaS or VA-based, read accounts and provision changes. Discovery connectors auto-identify enterprise applications. Service-desk integrations raise and track tickets, credential-provider integrations rotate privileged accounts, plus connector applications such as IQ Service and Desktop Password Reset extend the reach. Shared Signals, built on the Shared Signal Framework, deliver real-time security events.

How complex is a SailPoint rollout?

It scales with the estate. The SaaS removes self-hosting, but the value comes from connector breadth and governance depth, so the work is connecting and provisioning your sources. You can start light with quick-compliance connectors, then add deep-governance provisioning and a virtual-appliance cluster for on-premise systems. New implementations commonly engage SailPoint's billable Professional or Expert Services, and government deployments add the FedRAMP Moderate public-government cloud. A full enterprise rollout is a project-scale program.

Sources & verification

Verified by ComparEdgeMethod: Vendor docs, official pages, and selected independent sources
SourceWhat was checkedLast checked
Sailpoint OfficialOfficial product pageJuly 10, 2026
FedRAMP MarketplaceFedRAMP authorization statusJuly 10, 2026
Sailpoint Landingpages Isc LandingLandingpages Isc LandingJuly 10, 2026
Sailpoint Trust centerProduct documentationJuly 10, 2026

Every fact on this SailPoint page is tied to a named source and a verification date. Freshness-sensitive figures trace to the sources above; verify against the vendor before relying on them.