Explain How to configure Azure SSO Integration with SailPoint IdentityIQ

IslamElkhouly · November 24, 2025, 2:32pm

I recently completed a working integration of Azure AD SSO with SailPoint IdentityIQ using SAML , and I’m sharing the full configuration + troubleshooting notes so others can benefit and avoid the common issues we faced.

Azure Configuration (Enterprise App or App Registration)

App Settings

Entity ID / Application ID URI:
https://<IIQ host>
Reply URL (ACS URL) / Redirect URI:
https://<IIQ host>/identityiq/home.jsf
Sign-on URL:
https://<IIQ host>/identityiq

IdentityIQ – IdP Settings

Entity ID / Issuer:
https://sts.windows.net/<tenant id>
SSO Login URL:
https://login.microsoftonline.com/<tenant id>/saml2
Public X.509 Certificate:
Provided by the Azure admin (Base64 format).
After installing the certificate, open it using Notepad to copy the Base64 text and paste it into IIQ.

IdentityIQ – SP Settings

Entity ID / Issuer: https://<IIQ host>
ACS URL: https://<IIQ host>/identityiq/home.jsf
Binding: HTTP POST
NameID Format: Must match Azure exactly
Correlation Rule: Map Azure UPN (NameID) to SailPoint email
→ Works because UPN = email in this environment

Fix for AADSTS75011

If you see this error, add the following inside <SAMLConfig> in IIQ:

authnContextClassRef="urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"

This ensures Azure accepts the authentication context from IIQ.

Final Working : SAML Correlation Rule

import sailpoint.object.Identity;
import sailpoint.object.Filter;
import sailpoint.object.QueryOptions;

String nameId = (String) assertionAttributes.get("nameId");
Identity ident = null;

if (nameId != null) {
    Filter f = Filter.eq("email", nameId);
    QueryOptions qo = new QueryOptions();
    qo.addFilter(f);

    List<Identity> results = context.getObjects(Identity.class, qo);
    if (results != null && !results.isEmpty()) {
        ident = results.get(0);
    }
}
return ident;

Issue We Faced (and Solved)

We repeatedly saw the following warnings in identityiq.log:

Unable to correlate SAML Assertion to Identity via SAMLCorrelationRule

This happened because the previous correlation logic didn’t correctly map Azure NameID (UPN) to SailPoint’s email.
Implementing the updated correlation rule above solved the issue completely.

Summary

Azure SSO with SailPoint IIQ works smoothly if:

NameID formats match
The correlation rule maps UPN → email
The authnContextClassRef fix is applied to avoid AADSTS75011

Note: If anyone finds any part of this guide that could be improved or edited, your contributions are really appreciated!

Hope this helps anyone implementing SAML SSO between Azure AD and SailPoint IdentityIQ!

Muhammad_Mustafa · November 24, 2025, 3:31pm

Thanks for sharing @IslamElkhouly !

bilaltahir · December 2, 2025, 4:28pm

Thank you @IslamElkhouly

Topic		Replies	Views
SSO configuration using Azure IIQ Discussion and Questions identityiq	2	97	January 18, 2025
Unable to correlate SAML Assertion to Identity via SAMLCorrelationRule - Azure SSO with IdentityIQ IIQ Discussion and Questions identityiq , authentication	6	1161	June 28, 2023
Configure SSO with AD IIQ Discussion and Questions identityiq	11	197	September 1, 2025
SSO into ISC with Azure AD failure ISC Discussion and Questions identity-security-cloud	16	413	May 6, 2025
SailPoint Integration with Azure using JWT certificate IIQ Discussion and Questions aggregation , identityiq , provisioning , collaboration-integration-docs	2	50	November 23, 2025