
SailPoint Deployment Options & Rollout 2026
SailPoint ships as Identity Security Cloud SaaS on AWS or self-managed IdentityIQ. A rollout is a connector onboarding program that scales with your estate.
SailPoint Deployment verdict
SailPoint deploys as an identity-governance platform in two forms.
Identity Security Cloud is the multi-tenant SaaS on AWS microservices, with a Confluent and Kafka layer and a customer-chosen hosting region. IdentityIQ is a separate self-managed product.
Plan SailPoint as a governance onboarding program, not a quick directory switch. Choose Identity Security Cloud to avoid self-hosting and pick your hosting region at onboarding, or run IdentityIQ self-managed where you need full control. Then map your source systems to the connector taxonomy. Start light with quick-compliance connectors, then move to deep-governance connectors for provisioning, and stand up a virtual-appliance cluster for any on-premise systems. Budget for the connector estate, since each managed system needs credentials you maintain. Automate onboarding through the ISC REST API, using a personal access token and the client-credentials flow, so sources, accounts and aggregations are scriptable. Expect to engage billable Professional Services for a new implementation, and for federal work deploy into the FedRAMP Moderate public-government cloud. SailPoint is strongest for broad, complex and hybrid estates that need deep governance. A small team wanting a lightweight directory will find it heavier than it needs.
- SailPoint ships in two deployment forms: the Identity Security Cloud SaaS and the self-managed IdentityIQ, which differ in hosting and operations.
- On-premise sources require a virtual-appliance cluster, so a real deployment is usually hybrid rather than pure SaaS.
- Customers are responsible for the API keys and credentials the connectors use, and SailPoint does not guarantee their availability.
- Forms
- SaaS (ISC) + self-managed (IdentityIQ)
- Cloud
- Multi-tenant on AWS
- Bridge
- Virtual-appliance cluster
- As code
- ISC REST API (OAuth)
- Federal
- FedRAMP Moderate public cloud
This page covers how SailPoint deploys and is administered. Its compliance posture and pricing live on their own pages.
Deploy SailPoint: commands and config
Exchange a personal access token (client id and secret from the ISC UI) for a short-lived JWT via the client-credentials flow.
curl --location \
"https://$TENANT.api.identitynow.com/oauth/token" \
--header 'scope: sp:scopes:all' \
--form 'grant_type="client_credentials"' \
--form 'client_id="'$CLIENT_ID'"' \
--form 'client_secret="'$CLIENT_SECRET'"'
# -> { "access_token": "...", "token_type": "bearer", "expires_in": 749 }- A personal access token is generated under Preferences in the ISC UI (max 10 per user)
- Call versions through the gateway: /v3, /beta and /v2 on [tenant].api.identitynow.com
- Client-credentials tokens have no user context, so some admin endpoints need a PAT-backed identity
Real SailPoint commands from the official docs. Pick a task to see what it does, then copy the command.
What you run at each SailPoint layer
| Layer | What you run | Notes |
|---|---|---|
| Cloud (SaaS) | Identity Security Cloud, multi-tenant | Builds on IdentityNow; AWS microservices |
| Self-managed | IdentityIQ | Separate product on the trust portal filter |
| Core hosting | Amazon Web Services | Hosting and processing provider for SaaS core infrastructure |
| Messaging | Confluent (Kafka) | Async communication between microservices |
| On-prem bridge | Virtual-appliance cluster | Required for VA-based connectors to on-premise systems |
| Region / residency | Customer-selected hosting region | Chosen at onboarding from available regions |
| Federal cloud | Public Cloud (government) | FedRAMP Moderate; separate AWS GovCloud environment |
SailPoint connectors and integration surface
| Integration | Type | Capabilities | Setup |
|---|---|---|---|
| Quick Compliance | Read-only source | Lightweight config · Fast source onboarding | Low |
| Deep Governance (SaaS) | Provisioning connector | Read accounts · Provision changes · No on-prem appliance | Config |
| Deep Governance (VA-based) | Provisioning connector | On-premise systems · Requires VA cluster | Self-managed VA |
| Discovery | Application discovery | Auto-identify enterprise apps · Extract app details | Low |
| Service Desk Integrations | ITSM integration | Raise, track and close tickets · Service / Incident / Change | Config |
| Credential Providers | Privileged credential | Credential rotation · For privileged accounts | Config |
| Applications (IQ Service) | Connector application | Desktop Password Reset · IQ Service · Collaboration | Self-managed agent |
| Shared Signals (SSF) | Event sharing | Real-time security events · Cross-solution alerts | Config |
SailPoint rollout plan and risk points
- Source onboarding can start light: quick-compliance connectors let you quickly begin running source operations with lighter configuration.
- Deeper integration adds provisioning: deep-governance connectors read accounts and provision changes to managed systems and applications.
- On-premise systems require standing up and managing a virtual-appliance cluster to run VA-based connectors.
- Operationally the customer owns the credentials: SailPoint is not responsible for the availability of the API keys the connectors integrate with, and billable Professional Services are common during new implementations.
SailPoint Deployment FAQ
How is SailPoint deployed, cloud or self-managed?
Both. Identity Security Cloud is the multi-tenant SaaS, built on AWS and described on the FedRAMP record as a SaaS multi-tenant suite, and it builds on the earlier IdentityNow. IdentityIQ is a separate self-managed product, listed alongside ISC on SailPoint's trust portal, for teams that need to run governance in their own environment. Because on-premise sources need a virtual-appliance cluster, most real ISC deployments are hybrid.
What is the virtual appliance and when do I need it?
It is the bridge to on-premise systems. SailPoint splits deep-governance connectors into SaaS connectors, which need no on-premise appliance, and VA-based connectors, which are on-premise deployments that require a virtual-appliance cluster to run the connector. If you govern systems that live in your own data center, you stand up and operate that cluster as part of the deployment.
Can I automate SailPoint as code?
Yes, through the ISC REST API. You generate a personal access token, a client ID and secret, in the ISC UI. Then you use the OAuth client-credentials flow against https://[tenant].api.identitynow.com/oauth/token to get a JWT access token, and call the v3 endpoints with an Authorization: Bearer header. From there you can list and create sources, trigger account aggregations and search identities programmatically. Connector onboarding and governance operations are scriptable from CI rather than clicked in the UI.
What kinds of connectors does SailPoint offer?
A taxonomy rather than a flat list. Quick-compliance connectors give fast, lightweight, read-only onboarding. Deep-governance connectors, either SaaS or VA-based, read accounts and provision changes. Discovery connectors auto-identify enterprise applications. Service-desk integrations raise and track tickets, credential-provider integrations rotate privileged accounts, plus connector applications such as IQ Service and Desktop Password Reset extend the reach. Shared Signals, built on the Shared Signal Framework, deliver real-time security events.
How complex is a SailPoint rollout?
It scales with the estate. The SaaS removes self-hosting, but the value comes from connector breadth and governance depth, so the work is connecting and provisioning your sources. You can start light with quick-compliance connectors, then add deep-governance provisioning and a virtual-appliance cluster for on-premise systems. New implementations commonly engage SailPoint's billable Professional or Expert Services, and government deployments add the FedRAMP Moderate public-government cloud. A full enterprise rollout is a project-scale program.
Sources & verification
| Source | What was checked | Last checked |
|---|---|---|
| Sailpoint Official | Official product page | July 10, 2026 |
| FedRAMP Marketplace | FedRAMP authorization status | July 10, 2026 |
| Sailpoint Landingpages Isc Landing | Landingpages Isc Landing | July 10, 2026 |
| Sailpoint Trust center | Product documentation | July 10, 2026 |
Every fact on this SailPoint page is tied to a named source and a verification date. Freshness-sensitive figures trace to the sources above; verify against the vendor before relying on them.
Explore SailPoint
Every page on SailPoint in one place, you are on deployment.
Snapshot, score and verdict
Frameworks covered and what a security review will ask
You are here
Every tier and the entry price
Compared and ranked vs peers
Price and feature change history
Browse the full Identity & Access Management category
