sailpoint-iiq-mcp-server
v1.0.0
Model Context Protocol (MCP) server for SailPoint IdentityIQ — 63 tools covering SCIM and REST APIs for identity lifecycle, access requests, certifications, provisioning, and custom IIQ automation.
SailPoint IdentityIQ MCP Server
An enterprise-grade Model Context Protocol (MCP) server for SailPoint IdentityIQ (IIQ). Exposes 63 tools covering the full IIQ surface area — SCIM API reads/writes, REST API lifecycle operations, and a custom XML import layer for creating Workflows, Rules, Tasks, Reports, and LCM event configurations entirely through natural language.
Table of Contents
- Getting Started
- Tool Reference
- SCIM API — User Management
- SCIM API — Account Management
- SCIM API — Roles & Entitlements
- SCIM API — Applications
- SCIM API — Workflows & Tasks
- SCIM API — Policy & Alerts
- SCIM API — Metadata & Schema
- REST API — Account Management
- REST API — Role Lifecycle
- REST API — Identity Lifecycle & Provisioning
- REST API — Access Requests
- REST API — Password Management
- REST API — Certifications
- REST API — Workflows & Tasks (Execute)
- REST API — Policy Violation Remediation
- REST API — Custom Object Import (XML)
- Adding New Tools
- Deployment
- Support
🚦 Getting Started
Prerequisites
- Node.js v18+ (v20+ recommended)
- A running SailPoint IdentityIQ instance (v8.x)
Note: Tools use the native `fetch` API. Node.js < 18 does not include it. If you must use an older version, install `node-fetch` and import it in each tool file.
Installation
```bash
npm install
```
Configuration
Create a .env file in the project root:
```ini
# IdentityIQ Connection
SAILPOINT_BASE_URL=http://your-iiq-server:8080/identityiq
SAILPOINT_SCIM_BASE_URL=http://your-iiq-server:8080/identityiq/scim/v2
SAILPOINT_USERNAME=your_username
SAILPOINT_PASSWORD=your_password
SAILPOINT_API_KEY=
# Server
PORT=3001
NODE_ENV=development
```
Connect to Claude Desktop
Open Claude Desktop → Settings → Developers → Edit Config and add:
```json
{
  "mcpServers": {
    "sailpoint-iiq-mcp-server": {
      "command": "node",
      "args": ["C:\\sailpoint-iiq-mcp-server\\mcpServer.js"],
      "env": {
        "NODE_ENV": "development"
      }
    }
  }
}
```
Restart Claude Desktop. The 63 IIQ tools will be available immediately.
SSE Mode (optional)
```bash
node mcpServer.js --sse
```
Docker (Production)
```bash
docker build -t sailpoint-iiq-mcp-server .
```
```json
{
  "mcpServers": {
    "sailpoint-iiq-mcp-server": {
      "command": "docker",
      "args": ["run", "-i", "--rm", "--env-file=.env", "sailpoint-iiq-mcp-server"]
    }
  }
}
```
🛠 Tool Reference
API Layers
- SCIM API — http://{host}/identityiq/scim/v2 — Standard SCIM 2.0, used for structured reads and writes on core objects.
- REST API — http://{host}/identityiq/rest — SailPoint proprietary REST, used for lifecycle operations, provisioning, and automation.
- XML Import — POST /rest/sailpoint/importObject — Imports any SailPoint XML object (Workflow, Rule, Task, Report, Config).
1. SCIM API — User Management
Read and manage IIQ identities (Users) via SCIM.
| Tool | Method | Endpoint | Description |
|---|---|---|---|
| get_all_users | GET | /Users | List all identities. Supports filter, sortBy, count, startIndex. |
| get_user_by_id | GET | /Users/{userId} | Get a single identity by ID or by userName (set lookupByName:true). |
| create_user | POST | /Users | Create a new identity using a SCIM User object. |
| update_user | PUT | /Users/{userId} | Update identity attributes. Set active:false to deactivate. |
| delete_user | DELETE | /Users/{userId} | Permanently delete an identity. |
2. SCIM API — Account Management
Read and create accounts on source applications via SCIM.
| Tool | Method | Endpoint | Description |
|---|---|---|---|
| get_all_accounts | GET | /Accounts | List all accounts across all applications. Supports filter, sortBy, count. |
| create_account | POST | /Accounts | Provision a new account on a source application. |
3. SCIM API — Roles & Entitlements
Read roles (bundles) and entitlements via SCIM.
| Tool | Method | Endpoint | Description |
|---|---|---|---|
| get_roles | GET | /Roles | List all roles (bundles). Supports filter, sortBy. |
| get_role | GET | /Roles/{roleId} | Get a single role by ID or name (lookupByName:true). |
| get_entitlements | GET | /Entitlements | List all entitlements across all applications. |
| get_entitlement | GET | /Entitlements/{entitlementId} | Get a single entitlement by ID. |
4. SCIM API — Applications
Read application (source) resources via SCIM.
| Tool | Method | Endpoint | Description |
|---|---|---|---|
| get_applications | GET | /Applications | List all configured applications/connectors. |
| get_application | GET | /Applications/{applicationId} | Get a single application by ID or name. |
5. SCIM API — Workflows & Tasks (Read)
Read workflow definitions and execution records via SCIM.
| Tool | Method | Endpoint | Description |
|---|---|---|---|
| get_workflows | GET | /Workflows | List all workflow definitions. |
| get_workflow | GET | /Workflows/{workflowId} | Get a workflow definition by ID. |
| get_launched_workflows | GET | /LaunchedWorkflows | List all running or completed workflow instances. |
| get_launched_workflow | GET | /LaunchedWorkflows/{id} | Get a specific workflow instance by ID. |
| get_task_results | GET | /TaskResults | List all task execution results. |
| get_task_result | GET | /TaskResults/{taskResultId} | Get a specific task result by ID. |
6. SCIM API — Policy & Alerts
Read and check policy violations; manage alerts.
| Tool | Method | Endpoint | Description |
|---|---|---|---|
| get_policy_violations | GET | /PolicyViolations | List all current policy violations. |
| get_policy_violation | GET | /PolicyViolations/{id} | Get a specific policy violation by ID. |
| check_policy_violations | POST | /CheckedPolicyViolations | Simulate provisioning and check if it would cause new violations. |
| create_alert | POST | /Alerts | Create a new IIQ alert. |
| get_alert | GET | /Alerts/{alertId} | Get an alert by ID. |
7. SCIM API — Metadata & Schema
Inspect IIQ's SCIM schema, resource types, and configuration.
| Tool | Method | Endpoint | Description |
|---|---|---|---|
| get_all_schemas | GET | /Schemas | List all SCIM schemas supported by this IIQ instance. |
| get_schema | GET | /Schemas/{schemaId} | Get a specific SCIM schema. |
| get_resource_types | GET | /ResourceTypes | List all SCIM resource types. |
| get_resource_type | GET | /ResourceTypes/{id} | Get a specific resource type. |
| get_service_provider_config | GET | /ServiceProviderConfig | Get SCIM service provider configuration and supported features. |
| get_object_configs | GET | /ObjectConfigs | List all IIQ object configuration records. |
| get_object_config | GET | /ObjectConfigs/{id} | Get an object configuration by ID or name. |
8. REST API — Account Management
Full CRUD and enable/disable control over accounts on source applications.
| Tool | Method | Endpoint | Description |
|---|---|---|---|
| update_account | PUT | /rest/accounts/{accountId} | Update account attributes. Pass disabled:true to disable or disabled:false to enable. |
| disable_account | PUT | /rest/accounts/{accountId} | Convenience wrapper — disables the account (disabled:true). |
| enable_account | PUT | /rest/accounts/{accountId} | Convenience wrapper — enables the account (disabled:false). |
| delete_account | DELETE | /rest/accounts/{accountId} | Permanently delete an account from a source application. |
9. REST API — Role Lifecycle
Full lifecycle management for IIQ roles (bundles) and role assignments.
| Tool | Method | Endpoint | Description |
|---|---|---|---|
| create_role | POST | /rest/bundles | Create a new role. type: "business" or "it". |
| update_role | PUT | /rest/bundles/{bundleId} | Update role name, description, or enabled/disabled state. |
| delete_role | DELETE | /rest/bundles/{bundleId} | Permanently delete a role. |
| assign_role_to_identity | POST | /rest/identities/{name}/assignedRoles | Assign a role to an identity. |
| remove_role_from_identity | DELETE | /rest/identities/{name}/assignedRoles/{roleName} | Remove a role from an identity. |
10. REST API — Identity Lifecycle & Provisioning
Trigger lifecycle events, refresh identity cubes, and execute provisioning plans.
| Tool | Method | Endpoint | Description |
|---|---|---|---|
| trigger_lifecycle_event | POST | /rest/identities/{name}/lifecycle | Fire a lifecycle event: Joiner, Mover, Leaver, or Terminated. |
| refresh_identity | POST | /rest/identities/{name}/refresh | Refresh an identity cube — re-reads source accounts and recalculates roles/entitlements. |
| launch_provisioning_plan | POST | /rest/provisioningPlans | Execute a provisioning plan with account requests (Create / Modify / Delete / Disable / Enable) and attribute changes. |
11. REST API — Access Requests
Submit and manage access requests (role and entitlement grants/revocations).
| Tool | Method | Endpoint | Description |
|---|---|---|---|
| submit_access_request | POST | /rest/accessRequests | Submit a request to add or remove roles/entitlements for an identity. |
| get_access_request | GET | /rest/accessRequests/{requestId} | Check the current status of an access request. |
| approve_access_request | POST | /rest/accessRequests/{requestId}/approve | Approve a pending access request. |
| reject_access_request | POST | /rest/accessRequests/{requestId}/reject | Reject a pending access request with optional comments. |
12. REST API — Password Management
Reset passwords for identities and their linked application accounts.
| Tool | Method | Endpoint | Description |
|---|---|---|---|
| reset_identity_password | PUT | /rest/identities/{name}/password | Set a new password for an IIQ identity. Optionally force change on next login. |
| reset_account_password | PUT | /rest/accounts/{accountId}/password | Reset the password on a specific application account. |
13. REST API — Certifications
Create and retrieve access certification (access review) campaigns.
| Tool | Method | Endpoint | Description |
|---|---|---|---|
| create_certification | POST | /rest/certifications | Create a new certification campaign. Types: Identity, BusinessRoleComposition, Group. |
| get_all_certifications | GET | /rest/certifications | List all certification campaigns. Supports filter, count, startIndex. |
| get_certification | GET | /rest/certifications/{certificationId} | Get a specific certification by ID. |
14. REST API — Workflows & Tasks (Execute)
Launch and monitor workflows and tasks via the REST API.
| Tool | Method | Endpoint | Description |
|---|---|---|---|
| launch_workflow | POST | /rest/workflows/{name}/launch | Launch a workflow by name, passing optional workflowVariables. |
| launch_task | POST | /rest/tasks/launch?name={taskName} | Launch a task by name (e.g. "Account Aggregation", "Identity Refresh"). Returns a task result ID. |
| get_task_status | GET | /rest/tasks/{taskResultId} | Poll the status of a running or completed task. |
15. REST API — Policy Violation Remediation
Take action on existing policy violations.
| Tool | Method | Endpoint | Description |
|---|---|---|---|
| remediate_policy_violation | POST | /rest/policyViolations/{id}/remediate | Initiate remediation workflow for a policy violation. |
| revoke_policy_violation_access | POST | /rest/policyViolations/{id}/revoke | Revoke the access that is causing the policy violation. |
16. REST API — Custom Object Import (XML)
Create any SailPoint IIQ object — Workflows, Rules, TaskDefinitions, LiveReports, and Configurations — without touching the UI. All tools generate valid SailPoint XML and import it via POST /rest/sailpoint/importObject.
| Tool | Description |
|---|---|
| import_sailpoint_object | Foundation tool. Import any raw SailPoint XML string directly into IIQ. Use when you have hand-crafted XML or are migrating existing objects. |
| create_workflow | Create a Workflow from structured parameters. Define name, type, variables, and steps (each with optional BeanShell source and transitions). Start and Stop steps are auto-injected. |
| create_rule | Create a BeanShell Rule. Specify the type (e.g. BeforeProvisioning, AfterProvisioning, IdentitySelector, Correlation, FieldValue) and provide the sourceCode. |
| create_task_definition | Create a TaskDefinition. Use executor shortcuts: LiveReport, IdentityRefresh, AccountAggregation, PolicyScan, or provide a full Java class name. |
| create_report_definition | Create a LiveReport definition. Provide title, columns (field + header + property), optional filters, and a dataSourceType (Identity, Account, Role, Entitlement, PolicyViolation, Bundle). |
| configure_lcm_event | Map a lifecycle event (Joiner, Mover, Leaver, Terminated) to a workflow. Imports a Configuration and BusinessProcess object into IIQ so the workflow fires automatically on the event. |
Tool Interaction Pattern
These tools are composable — the output of one feeds naturally into the next:
```text
create_report_definition → create_task_definition → create_workflow
                                                          ↓
                                                  configure_lcm_event
                                                          ↓
                                                 trigger_lifecycle_event
                                                          ↓
                                                     get_task_status
```
Rule Types Reference
| Type | When It Fires |
|---|---|
| BeforeProvisioning | Before a provisioning request is sent to a connector |
| AfterProvisioning | After a provisioning request completes |
| IdentitySelector | Determines if an identity matches a criteria |
| Correlation | Matches accounts to identities during aggregation |
| BuildMap | Transforms raw connector data into IIQ attributes |
| FieldValue | Calculates a dynamic value for an identity attribute |
| ManagedAttributePromotion | Promotes entitlement attributes during aggregation |
| CertificationExclusion | Excludes items from certification campaigns |
| PolicyViolation | Custom logic for policy violation evaluation |
| Generic | General-purpose utility rule |
➕ Adding New Tools
- Create a new `.js` file under `tools/identityiq/scim-api/` or `tools/identityiq/rest-api/`.
- Export an `apiTool` object with a `function` (async executor) and a `definition` (MCP tool schema).
- Add the relative path to `tools/paths.js`.
- Restart the MCP server — the tool is immediately available.
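A complete tool file following these four steps, added here as an example and not one of the project's own tools. It assumes the `.env` variables from Getting Started, a hypothetical tool name `get_user_by_username`, and keeps request construction separate from the network call so the filter escaping and credential handling can be tested offline.

```javascript
// Added example, not one of the project's tools: a complete file in the apiTool shape
// described above. It looks up one identity by userName via SCIM /Users, reads the
// connection settings from the .env variables above, and escapes the value before it
// enters the SCIM filter so a name like  x" or userName pr  cannot alter the query.
// (A real tool file ends with `export { apiTool };`, left out so this runs as a plain script.)

// Quote a value as a SCIM filter string literal (RFC 7644: backslash-escape \ and ").
const scimQuote = (value) =>
  `"${String(value).replace(/\\/g, '\\\\').replace(/"/g, '\\"')}"`;

// Build URL and headers without network access so the logic is unit-testable.
// Credentials come only from the environment, never from tool arguments.
const buildUserLookup = (userName, env = process.env) => {
  if (typeof userName !== 'string' || userName.length === 0 || userName.length > 256) {
    throw new Error('userName must be a non-empty string of at most 256 characters');
  }
  const base = (env.SAILPOINT_SCIM_BASE_URL || '').replace(/\/+$/, '');
  if (!base) throw new Error('SAILPOINT_SCIM_BASE_URL is not set');
  const url = new URL(`${base}/Users`);
  url.searchParams.set('filter', `userName eq ${scimQuote(userName)}`);
  url.searchParams.set('count', '1');
  const creds = Buffer.from(`${env.SAILPOINT_USERNAME}:${env.SAILPOINT_PASSWORD}`).toString('base64');
  return { url: url.toString(), headers: { Authorization: `Basic ${creds}`, Accept: 'application/scim+json' } };
};

// Executor: native fetch (Node 18+); returns the matching SCIM User or null.
const executeFunction = async ({ userName }) => {
  const { url, headers } = buildUserLookup(userName);
  const res = await fetch(url, { headers });
  if (!res.ok) throw new Error(`SCIM lookup failed: HTTP ${res.status}`);
  const body = await res.json();
  return Array.isArray(body.Resources) && body.Resources.length > 0 ? body.Resources[0] : null;
};

const apiTool = {
  function: executeFunction,
  definition: {
    type: 'function',
    function: {
      name: 'get_user_by_username', // hypothetical name, not in the README's tool list
      description: 'Look up a single IIQ identity by exact userName via the SCIM /Users endpoint.',
      parameters: {
        type: 'object',
        properties: { userName: { type: 'string', description: 'Exact IIQ userName.' } },
        required: ['userName'],
      },
    },
  },
};
```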
```javascript
// tools/identityiq/rest-api/my-new-tool.js
import { /* helpers */ } from '../../../lib/iiq-import.js';

// Async executor: receives the tool's arguments as one object and returns the result.
const executeFunction = async ({ param1 }) => { /* ... */ };

const apiTool = {
  function: executeFunction,
  // MCP tool schema: name, description, and a JSON Schema describing the parameters.
  definition: {
    type: 'function',
    function: {
      name: 'my_tool_name',
      description: 'What this tool does.',
      parameters: {
        type: 'object',
        properties: {
          param1: { type: 'string', description: 'Description.' }
        },
        required: ['param1']
      }
    }
  }
};

export { apiTool };
```
🚀 Deployment
CLI — List All Tools
```bash
node index.js tools
```
Running in SSE mode
```bash
node mcpServer.js --sse
# Server listens on http://localhost:3001
```
Docker
```bash
docker build -t sailpoint-iiq-mcp-server .
docker run -i --rm --env-file=.env sailpoint-iiq-mcp-server
```
💬 Support
- SailPoint IIQ REST API: developer.sailpoint.com/docs/api/iiq
- SailPoint IIQ SCIM API: developer.sailpoint.com/docs/api/iiq/identityiq-scim-rest-api
- MCP Protocol: modelcontextprotocol.io
- SailPoint Community: community.sailpoint.com
