I am trying to create a SailPoint service account using a delimited flat file, but after following the article given by SailPoint I am unable to log in after registration and changing the password.
What can be the issue?
Hello Manish, what is the error that you are seeing during the login?
Make sure you use the right username.
You can create an identity using the CSV file. Go to the identity and trigger a password change. You will get a notification, and then you can set the new password, which you can use to log on with that identity.
It seems your tenant is configured with SSO. These credentials are different from the IdentityNow Credentials.
Use this URL to bypass this, and make sure the Identity has admin-level access.
Should it have any admin access? I mean, it's only a service account.
Can you clarify what the service account in this case means?
@sidharth_tarlapally
It will be used for the CrowdStrike integration process, which will have some limited access in the SailPoint environment.
Please correct me if I’m misunderstanding the scenario:
You are trying to create an Identity (Account) using a delimited file. These accounts are service accounts intended for Source Integrations.
If that’s correct, then the Identity should be created within the tenant. If you want this Identity to log in to the tenant, you can invite and register it (which it seems you have already attempted, but it’s not working).
This issue is likely due to the fact that SailPoint supports three authentication methods for logging into the tenant:
Since your tenant is configured with SSO, the service account you’re trying to log in with must exist in Azure.
If the account does not exist in Azure, you can bypass SSO by promoting the Service Account Identity to Admin Level Access.
If you’re unsure about the Azure Identity Provider setup and SSO configuration, I suggest promoting the Identity you created for the service account to Admin level.
To promote it:
(Reference screenshots)
Now, try logging in using the credentials you created during the invite/registration step.
Be sure to use the specific URL
https://tenantname.identitynow.com?prompt=true
that allows Admin-level identities to bypass SSO and use Native Authentication.
Let me know if you need more info on this
Thanks
Sid
This solution is helpful; I have gone through this already and was reluctant to give admin permission to the service account.
Still, your response is quite helpful for me.
Also you have understood the scenario correctly.
@simplymanish
May I know the purpose of these service account Identities?
You can utilise machine accounts, if these align with your purpose:
Sorry! I overlooked it; it seems there is an update on “Bypassing”:
Any user level apart from Admin can also bypass SSO.
If you want user-level identities to bypass SSO, it is also possible.
Please refer:
Thank you so much and it worked.
Could you please help me with one more query?
I have to add the below permissions, and the user role should be there to add these roles.