SailPoint MCP Server

MCP server for SailPoint IdentityNow/Identity Security Cloud API. Provides comprehensive tools for identity governance, access management, and compliance operations.

Features

Identity Management: List, search, and get identity details
Account Operations: List accounts, enable/disable, unlock, view entitlements
Access Profiles: Create, list, and manage access profile bundles
Roles: Create, list, and manage role definitions
Certifications: View certification campaigns and access reviews
Workflows: List, test, and monitor automation workflows
Search: Full-text search across identities, accounts, roles, and more
SOD Policies: View Separation of Duties policies and violations
Sources: List and inspect connected identity sources

Configuration

Set the following environment variables:

SAILPOINT_BASE_URL=https://your-tenant.api.identitynow.com
SAILPOINT_CLIENT_ID=your-client-id
SAILPOINT_CLIENT_SECRET=your-client-secret
SAILPOINT_API_VERSION=v3  # Optional: v3 (default) or v2025

API Version Support

The server supports both SailPoint API versions:

v3 (default): Stable, widely-supported API version
v2025: Latest API version with new features like Configuration Hub, enhanced identity management, and experimental endpoints

To use v2025 APIs, set SAILPOINT_API_VERSION=v2025. The v2025 API includes:

Configuration Hub for automated configuration deployment
Enhanced identity deletion capabilities
Machine account management
Data segmentation and access security
Advanced IAI features (outliers, role mining, common access)
Non-employee lifecycle management

For more information, see SailPoint API v2025 Documentation

Getting Credentials

Log into your SailPoint Identity Security Cloud tenant
Go to Preferences (under your username dropdown)
Select Personal Access Tokens on the left
Click New Token to generate a new PAT
Copy the Client ID and Client Secret

Your base URL follows the format: https://{tenant}.api.identitynow.com

Available Tools

Identities

list_identities - List identities with filtering
get_identity - Get detailed identity information

Accounts

list_accounts - List accounts across sources
get_account - Get account details
get_account_entitlements - List account entitlements
enable_account - Enable a disabled account
disable_account - Disable an account
unlock_account - Unlock a locked account

Access Profiles

list_access_profiles - List access profiles
get_access_profile - Get access profile details
create_access_profile - Create a new access profile

Roles

list_roles - List roles
get_role - Get role details
get_role_assigned_identities - List identities assigned to a role
create_role - Create a new role

Certifications

list_certifications - List active certifications
get_certification - Get certification details
list_certification_campaigns - List certification campaigns
get_certification_campaign - Get campaign details

Workflows

list_workflows - List automation workflows
get_workflow - Get workflow details
get_workflow_executions - View workflow execution history
test_workflow - Test a workflow

Sources

list_sources - List connected sources
get_source - Get source details

Search

search - Search across indices (identities, accounts, roles, etc.)
search_aggregate - Aggregate analytics queries

Entitlements

list_entitlements - List entitlements
get_entitlement - Get entitlement details

Access Requests

list_access_requests - List access requests
create_access_request - Create a new access request

Identity Profiles

list_identity_profiles - List identity profiles
get_identity_profile - Get identity profile details

SOD Policies

list_sod_policies - List SOD policies
get_sod_policy - Get SOD policy details
list_sod_violations - List SOD violations

Usage Examples

Search for identities

{
  "indices": ["identities"],
  "query": "name:John AND department:Engineering"
}

List active access requests

{
  "filters": "status eq \"PENDING\""
}

Create an access request

{
  "requestedFor": ["identity-id-1"],
  "requestedItems": [
    {
      "type": "ROLE",
      "id": "role-id",
      "comment": "Need access for project X"
    }
  ]
}

Building

npm install
npm run build

Performance Features

HTTP Connection Pooling

The server uses a singleton axios instance with HTTP Keep-Alive for optimal performance:

Reuses TCP connections across multiple requests
Connection pool: 50 max sockets, 10 max free sockets
30-second keep-alive timeout
Automatic token refresh without creating new connections

This provides significant performance improvements for sequential API calls, especially when making multiple requests in a short time period.

Token Caching

OAuth2 tokens are cached with a 60-second buffer before expiry, minimizing unnecessary token refresh requests.

License

MIT

SailPoint MCP Server