Learn IAM
Learn IAM

Okta + SailPoint Integration Blueprint

Okta + SailPoint Integration Blueprint

Overview

Okta and SailPoint together form a common enterprise IAM stack: Okta handles authentication, SSO, and session policy; SailPoint handles access governance, certification, and audit evidence. The challenge is that both platforms can provision users and manage entitlements—if you don't establish clear boundaries, you get "dueling provisioning engines" that create drift, audit confusion, and operational chaos.

The fundamental question: Who owns what? Both platforms have lifecycle management capabilities. Both can provision to downstream apps. Both can manage groups. Without explicit boundaries, you'll spend more time debugging conflicts than delivering value.

The recommended model:

  • Okta owns authentication: SSO, MFA, session policy, sign-in risk
  • SailPoint owns governance: Access requests, approvals, certifications, audit evidence
  • SailPoint provisions: Tier-0/Tier-1 systems, group memberships that drive Okta assignments
  • Okta may provision: Tier-2 SaaS with simple entitlements (bounded, documented exception)

This blueprint documents how to integrate these platforms without stepping on each other.

Key Decisions

DecisionOptionsRecommendationNotes / Gotchas
Provisioning owner for OktaSailPoint / Okta self-managedSailPoint provisions Okta accounts and group membershipsOkta as a target, not a provisioning engine
Provisioning to SaaS appsOkta / SailPoint / Both (tiered)SailPoint for Tier-0/Tier-1; bounded Okta for Tier-2Document boundary explicitly; avoid overlap
Group governanceOkta / SailPointSailPoint governs group membership; Okta consumes for app assignmentGroups are the integration point
Approval workflowsOkta Workflows / SailPointSailPoint for all approval workflowsSingle approval source for audit
User creation sourceHR → Okta / HR → SailPointHR → SailPoint → OktaSailPoint is IGA; Okta is IdP
DeprovisioningOkta-triggered / SailPoint-triggeredSailPoint triggers; Okta revokes sessionsBoth must act; SailPoint is authoritative
Password managementOkta / SailPoint / DirectoryOkta (via directory or Okta-managed)Okta is the authn layer

Architecture & Reference Patterns

Diagram

Pattern 2: Group-Based Integration

Diagram

Integration Boundary Matrix

FunctionOwnerNotes
Identity creationSailPoint (from HR)SailPoint creates identity; provisions to Okta
Okta account provisioningSailPointVia SCIM or Okta API
Okta group membershipSailPointGroups are the control point
App assignment rulesOkta (consuming SailPoint groups)Okta rules reference SailPoint-managed groups
Direct SaaS provisioning (Tier-2)Okta (bounded exception)Only for simple SaaS; documented
SSO federationOktaOkta is the IdP
MFA policyOktaOkta enforces authn policy
Access requestsSailPointAll requests through SailPoint
ApprovalsSailPointSingle approval workflow system
CertificationsSailPointSailPoint certifies all access
Session revocationOkta (triggered by SailPoint)SailPoint disables; Okta revokes session
Audit evidenceBoth → SIEMCorrelated in SIEM

Provisioning Flow

Diagram

Implementation Approach

Phase 0: Discovery (2-3 weeks)

Inputs: Current Okta config, current SailPoint config, app inventory Activities:

  • Inventory current provisioning flows (who provisions what today)
  • Document current group governance (who manages Okta groups)
  • Identify overlapping provisioning (apps provisioned by both)
  • Assess Okta Lifecycle Management usage
  • Map approval workflows in both systems

Outputs: Current-state integration map, overlap analysis, gap assessment

Phase 1: Boundary Design (2-3 weeks)

Inputs: Discovery outputs, business requirements Activities:

  • Define provisioning ownership per app tier
  • Define group governance model (SailPoint manages, Okta consumes)
  • Define approval workflow consolidation (move to SailPoint)
  • Design deprovisioning flow (SailPoint triggers, Okta revokes)
  • Document exceptions and rationale

Outputs: Integration boundary document, responsibility matrix

Phase 2: Integration Build (4-6 weeks)

Inputs: Boundary design, API access Activities:

  • Configure SailPoint → Okta SCIM connector
  • Configure group synchronization
  • Migrate Okta-native provisioning to SailPoint (for Tier-0/Tier-1)
  • Configure Okta app assignment rules to use SailPoint-managed groups
  • Build deprovisioning workflow (disable + session revoke)
  • Configure audit forwarding to SIEM

Outputs: Integrated platforms, migrated provisioning

Phase 3: Validation & Rollout (3-4 weeks)

Inputs: Integrated platforms, test users Activities:

  • Test end-to-end lifecycle (hire, role change, termination)
  • Test access request and approval flow
  • Test deprovisioning and session revocation timing
  • Validate audit evidence trail
  • Pilot with limited population

Outputs: Validated integration, pilot results

Phase 4: Operate (Ongoing)

Activities:

  • Monitor provisioning success rates
  • Review boundary exceptions quarterly
  • Update integration as apps are added/removed
  • Maintain documentation as platforms evolve

Deliverables

  • Integration boundary matrix — who owns what, with rationale
  • Provisioning runbooks — per-app provisioning procedures
  • Group governance model — how groups are managed and consumed
  • Deprovisioning workflow — disable, revoke, verify sequence
  • Exception process — how to request and document exceptions
  • Audit correlation guide — how to trace access across systems

Risks & Failure Modes

RiskLikelihoodImpactEarly SignalsMitigation
Dueling provisioningHHSame app provisioned by both; driftClear boundary; technical enforcement
Group sync failuresMHAccess not granted/removedMonitoring; retry logic; alerting
Session not revoked on terminationMHTerminated users still authenticatedExplicit session revoke in deprovisioning flow
Approval workflow confusionMMUsers don't know where to requestSingle request portal; user training
Boundary creepMMExceptions become the normQuarterly boundary review; executive sponsorship
Audit correlation gapsMMCan't trace request to access to usageConsistent identifiers; SIEM correlation rules

KPIs / Outcomes

  • Provisioning success rate: % of SailPoint → Okta provisioning successful (target: greater than 99%)
  • Deprovisioning latency: Time from SailPoint disable to Okta session revoke (target: fewer than 15 minutes)
  • Boundary compliance: % of apps following defined provisioning ownership (target: 100%)
  • Access request cycle time: Time from request to provisioned in Okta (target: fewer than 4 hours for auto-approved)
  • Audit completeness: % of access grants traceable from request to provisioning (target: 100%)

Workshop Questions

Security / IAM

  • What's the current provisioning overlap between Okta and SailPoint?
  • What's the appetite for Okta doing any provisioning vs. SailPoint-only?
  • What's the required time-to-revoke when someone is terminated?

IT / Okta Team

  • What Okta Lifecycle Management features are currently used?
  • What app assignment rules exist and how are groups managed?
  • How is session revocation triggered today?

Governance / Compliance

  • Where do access requests live today? Is there confusion?
  • What audit evidence is required (who requested, who approved, when provisioned)?
  • How are certifications handled—Okta or SailPoint?

Requirements Gathering Checklist

  • What applications are currently provisioned by Okta vs. SailPoint?
  • What's the app tiering (Tier-0, Tier-1, Tier-2) and provisioning ownership per tier?
  • How are Okta groups managed today (manually, rules, external)?
  • What approval workflows exist in Okta vs. SailPoint?
  • What's the deprovisioning flow—does SailPoint trigger Okta session revocation?
  • What's the required time-to-provision and time-to-revoke SLAs?
  • What audit evidence is required for compliance?
  • What exceptions to the boundary exist and why?
  • How will the integration be monitored for failures?
  • What's the escalation path when provisioning fails?
  • How will users request access—single portal or multiple?
  • What training is needed for users and admins?

References