Meta-Directory Server migrate to Sailpoint

Which IIQ version are you inquiring about?

IIQ 8.4 P1

Currently, we are using Join Engine, the core service of a Meta-Directory Server, which manages the flow of data in and out of the meta view and synchronizes data across different directories if any changes occur.

Can we migrate this Join Engine to SailPoint, which monitors connectors for changes and flows data into different directories?

Hi @bhavesh11
Very good question.
Short answer, yes you can. Bear in mind, though, that SailPoint is primarily an Identity Governance and Administration (IGA) tool, rather than a data synchronisation tool, so you have to have a different conceptual view of the functionality.

Think of SailPoint as a Governance tool with lifecycle functionality, where your JE is a dedicated lifecycle tool.

In SailPoint you have Identities and Accounts - think of Identities as your MetaView and Accounts as your ConnectorView. Target systems are connected via Sources (Connectors).

Depending on which system you’re thinking of (IIQ vs ISC), you then have the concept of Applications, Entitlements and Roles which are Governance constructs.

Incoming connections involve “Aggregation” of Accounts. Accounts can be linked (correlated) to Identities, but will still get imported if not linked (orphan Accounts).

Outgoing connections involve “Attribute Sync” from Identities to Accounts. Other attribute values are available using SailPoint extensibility.

An IGA tool is best implemented with an Authoritative Source of Identities (such as an HRMS) where aggregation of Accounts provisions the Identities.

@bhavesh11 -

Short answer: Yes, you can replace (or migrate) many meta-directory “join engine” functions with SailPoint IdentityIQ’s connectors and provisioning workflows—but it’s not a simple lift-and-shift. SailPoint IdentityIQ is fundamentally an Identity Governance and Administration (IGA) platform, rather than a drop-in meta-directory engine, so you should plan carefully to ensure you replicate (or improve upon) your existing synchronization, correlation, and data-flow logic.

Below are some of the key considerations and best practices for such a migration:


1. Understand the Architectural Differences

  1. Meta-Directory vs. IGA

    • Meta-Directory Join Engine: Traditionally focuses on aggregating identity attributes from multiple sources, creating a unified “joined” record in a meta-view, then pushing changes back out to various target directories for synchronization.
    • SailPoint IdentityIQ: Primarily manages identity lifecycle (joiner, mover, leaver), governance (access requests, certifications), and compliance. It also provisions changes to target systems, but it typically operates via scheduled aggregation or event-based triggers (instead of the real-time sync model that some meta-directories adopt).
  2. Real-Time vs. Scheduled Provisioning

    • A meta-directory might do near real-time or event-driven updates.
    • IdentityIQ can be configured to do near real-time provisioning if the target systems and connectors support it (via “event triggers,” workflow calls, or custom messages), but often organizations use scheduled tasks.
  3. Data Model Differences

    • Meta-directories often store a superset of attributes from each connected source.
    • IdentityIQ maintains an “Identity Cube” data model where attributes from authoritative sources are aggregated, correlated, and stored for governance and provisioning. Not all extended attributes from every directory need to be stored in IdentityIQ.

2. Map Existing Functionality to IdentityIQ

  1. Aggregation and Correlation

    • Where the Join Engine previously pulled data from multiple directories, you can configure IdentityIQ “Aggregation Tasks” for each source system (LDAP directories, HR systems, databases, etc.).
    • Correlation (Identity Matching) Rules in IdentityIQ replace the “join rules” you might have had in the meta-directory, tying inbound accounts to the correct IdentityIQ identity.
  2. Provisioning Logic

    • Meta-directories typically propagate changes automatically to all subscribers.
    • In IdentityIQ, changes can trigger Provisioning Workflows, which push updates out to target systems using the relevant connector(s).
    • IdentityIQ also supports Identity Lifecycle Events (e.g., new hire, transfer, termination) that can initiate provisioning changes automatically.
  3. Attribute Mapping and Transformation

    • In a meta-directory, attribute transformations or mappings may be done centrally.
    • In IdentityIQ, you can implement transformations and mappings either in the source application’s connector configuration or in IdentityIQ rules/workflows.
  4. Event-Driven or Real-Time Sync

    • If your Join Engine was providing real-time synchronization, replicate that by using SailPoint’s Event/Message Queue approach or by leveraging Web Services calls from your sources or connectors.
    • Alternatively, adjust your processes to use frequent scheduled tasks (e.g., every few minutes), depending on performance and business requirements.

3. Technical and Operational Considerations

  1. Connector Coverage

    • Confirm that IdentityIQ has certified connectors or a reliable integration method (e.g., SCIM, JDBC, LDAP, REST, web services) for all the directories and applications involved.
    • If a custom or unique system is in play, you may need to develop a custom connector using SailPoint’s SDK.
  2. Performance & Scaling

    • Meta-directories are designed for constant synchronization at scale.
    • IdentityIQ scales well but is more governance-focused; be mindful of how frequently you run aggregation and provisioning tasks to avoid performance bottlenecks.
  3. Audit and Governance

    • A major advantage of migrating to IdentityIQ is the governance layer. You get full access certification, compliance policy enforcement, role management, and audit reporting on top of your provisioning flows.
    • Plan how you will leverage these governance features to replace or supplement the meta-directory’s auditing, if any.
  4. Deployment Strategy

    • It’s often safer and smoother to phase in IdentityIQ for new provisioning flows, while gradually retiring the old meta-directory sync points.
    • Maintain both systems temporarily to ensure data consistency until you have fully validated that IdentityIQ is provisioning correctly.

4. Practical Migration Steps

  1. Phase 1: Discovery and Inventory

    • Document each connector in your meta-directory (source systems, target systems).
    • List out all transformations, correlation rules, and sync schedules.
  2. Phase 2: POC and Configuration in IdentityIQ

    • Implement equivalent aggregations (with correlation) for a small set of sources in IdentityIQ.
    • Configure provisioning workflows and check if IdentityIQ can replicate the existing sync logic.
  3. Phase 3: Pilot

    • Move a subset of identities to use IdentityIQ for end-to-end provisioning.
    • Disable sync for those identities in the Join Engine to avoid conflicts or duplication.
  4. Phase 4: Full Production Rollout

    • Migrate remaining connectors and transition all identity lifecycle processes.
    • Retire your meta-directory server or keep it in read-only/standby mode for a time until you confirm stability.
  5. Phase 5: Validation, Governance, and Optimization

    • Ensure the data flows and attribute updates are complete and correct.
    • Use IdentityIQ’s certification and reporting features to provide governance oversight you likely didn’t have in a pure meta-directory approach.
    • Fine-tune schedules, performance settings, and consider near real-time triggers if needed.

Conclusion

Yes, it is entirely possible to replicate (and often improve) a meta-directory’s Join Engine capabilities using SailPoint IdentityIQ’s connectors, rules, and workflows. The key is recognizing that IdentityIQ is not just a meta-directory—it is an IGA solution with more extensive governance features. You will need to re-architect some of the real-time synchronization logic and attribute mappings to fit IdentityIQ’s aggregation + provisioning model.

A systematic, phased migration with thorough testing is strongly recommended to ensure continuity and data integrity. Once in place, you gain the added benefits of compliance controls, certifications, and full identity lifecycle governance—all while consolidating your identity infrastructure under SailPoint.

Hope this helps.
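
The parallel-run check described in the pilot and validation phases above, as an added example that is not part of the original thread and is not SailPoint code: it reconciles a Join Engine meta-view export against an account export from one target directory, reporting accounts that cannot be correlated (orphans), identities with no account, and synced attributes whose values differ. The CSV layout, the column names (`employeeId`, `employeeNumber`, `uid`, `mail`, `department`) and the sample rows are constructed assumptions.

```python
import csv
import io

# Constructed sample data (not from the thread): a Join Engine meta-view
# export and an account export from one target directory.
META_VIEW_CSV = """employeeId,mail,department
1001,alice@example.com,Finance
1002,bob@example.com,Engineering
1003,carol@example.com,Sales
"""
TARGET_ACCOUNTS_CSV = """uid,employeeNumber,mail,department
alice,1001,alice@example.com,Finance
bob,1002,bob@example.com,Eng
svc-backup,,backup@example.com,IT
"""


def parse(text):
    """Read a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(meta_rows, account_rows, meta_key, account_key, synced_attrs):
    """Compare the meta view with target accounts on the join attribute."""
    identities = {r[meta_key].strip(): r for r in meta_rows if r[meta_key].strip()}
    report = {"orphans": [], "missing": [], "drift": []}
    matched = set()
    for acct in account_rows:
        key = (acct.get(account_key) or "").strip()
        ident = identities.get(key) if key else None
        if ident is None:
            # No identity carries this join value: the account would be
            # aggregated uncorrelated and needs an owner or removal.
            report["orphans"].append(acct["uid"])
            continue
        matched.add(key)
        for attr in synced_attrs:
            expected = (ident.get(attr) or "").strip()
            actual = (acct.get(attr) or "").strip()
            if expected != actual:
                report["drift"].append((key, attr, expected, actual))
    # Identities the old engine knew about that have no account in the target.
    report["missing"] = sorted(set(identities) - matched)
    return report


if __name__ == "__main__":
    print(reconcile(parse(META_VIEW_CSV), parse(TARGET_ACCOUNTS_CSV),
                    "employeeId", "employeeNumber", ["mail", "department"]))
```

Running it per target directory before disabling the corresponding Join Engine sync gives a concrete list of orphan accounts and attribute drift to resolve first.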
