AI-Driven Identity Security Configuration - Failed

:bangbang: Please be sure you’ve read the docs and API specs before asking for help. Also, please be sure you’ve searched the forum for your answer before you create a new topic.

Please consider addressing the following when creating your topic:

  • Tried to configure AI-Driven Identity Security in IIQ to integrate the ISC tenant for recommendation and GenAI, however I am getting an error. GenAI failed to connect: Failed to connect with OAuth token provider at host ``https://xxxxxx.api.identitynow-demo.com`` : javax.net.ssl.SSLHandshakeException: (certificate_unknown) PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  • Configurations are correct, client id and secret is working fine via postman.

Regards,

Kannan

Hi @kannan_sb85 - It can’t find the cert for some reason. Are you going through a proxy? One thing you may try is exporting the cert from your tenant url. Click the lock in your browser bar next to https and export that certificate. Then import it into your keystore.

Hi Ryan, I have not using the proxy, the tenant is demo only from the Ambassador and when I checked the certificate it is still valid till july 2026. I have imported the certificate in the keystore, still it is not working, is there any solution or does it related with the tenant issue? The GenAI testconnection is working, but not the AI-Driven Configuration

Regards,

Kannan

Hi @kannan_sb85 ,

Where is IIQ server hosted from where you are trying to connect to ISC functionality?

If it is in organization environment, probably it needs additional configuration for certification and blocking connection.

You can try same thing first from your personal IIQ server and see outcome.

Unfortunately, there is still no success I am getting the same connection failed error 401. what is confusing is that the GenAI test connection works using the same client ID, secret, and endpoint. Despite that, the main connection continues to fail, which makes the issue quite challenging.

Regards,

Kannan

Hi @kannan_sb85,

I had seen a very similar issue a few months back
In that case, configuring only the API Management Client ID/Secret in ISC was not enough for the complete AI-Driven Identity Security setup.

Since your GenAI Test Connection is already working, it looks like the credentials and endpoint are probably correct :+1:

You may want to verify whether the remaining ISC-side onboarding steps are also completed, especially things like:

  • Creating an IdentityIQ Data Source for Connectivity with AI-Driven Identity Security
  • Configuring IdentityIQ for Access Modeling
  • Generating Client Credentials in Your Tenant
  • Importing the init-ai.xml File
  • Configuring AI-Driven Identity Security in IdentityIQ
  • Installing the Access Modeling Plugin
  • Configuring Automatic Role Creation in IdentityIQ
  • Integrating Access Recommendations for IdentityIQ

Of course, you may already have some of these configured, but based on the behavior and the 401 during the main integration flow, it might be worth double-checking those sections once.

The official guide explains the remaining setup steps very well:

AI-Driven Identity Security for IIQ Setup Guide

Especially:

  • Deploying the Virtual Appliance
  • Creating an IdentityIQ Data Source

Hopefully this helps point things in the right direction.

Thanks
Raju :expert_ambassador:

@santhirajumunganda - Thanks Raju. I was tried and followed this guide and in my demo tenant I could not see that data source to add that up. Is there something issue with my tenant or I missed any configuration in specific?

Regards,

Kannan

You need to connect with Sailpoint to create the Data Sources here. Please connect with your CSM for more details on the same.

Yes, you can check once with the Developer Relations team.