SailPoint IdentityIQ vs IdentityNow - A Technical Comparison

Having spoken to many people working with both SailPoint IdentityIQ (IIQ) and SailPoint IdentityNow (IDN), I thought that a quick explanation about some of the differences could be a useful resource for those who haven't encountered both products.

Overall, they both provide strong Identity Governance and Administration (IGA) solutions, but they do so by catering to different needs. Here are some key takeaways I've gotten from my conversations:

Target Audience

SailPoint IIQ is the more mature of the pair; it is designed for on-perm or hybrid environments, with a deeper level of customization available. It is ideal for larger organizations that require more complex workflows, policies and integrations with on-prem applications. IIQ is tried and tested across many years in highly regulated industries and thrives in enterprises that prioritize control and flexibility.

On the other end of the spectrum, IdentityNow is SailPoint's cloud-based IGA platform. It's core focus is around simplicity, ease of deployment, and high rates of time-to-value ratios. While it has evolved significantly over the years, it has been and continues to be designed with cloud environments at the forefront of the decision making process. This means the target audience is organizations looking for a managed service that can be maintained and scaled easily. It is more streamlined than IIQ, but can still be utilized in a variety of cases in hybrid or on-cloud environments.

Technical Requirements

SailPoint IdentityIQ

SailPoint IIQ is more technically demanding, owing to its higher levels of customization. Java knowledge is strongly recommended as a large proportion of core work will involve Java. The best SailPoint Engineers in my experience strive towards having great levels of knowledge in:

- Core Java

- JAX-RS

- JDBC

- SQL

-BeanShell (Java Compatible Scripting Language)

This combination of technical skills will allow you to build custom connectors, create provisioning policies, manipulate identity attributes and perform numerous other tasks within IdentityIQ. Of course, this does not mean you need all of this to be effective and the exact requirements vary project to project. Should you be working on integrations with modern cloud services, knowledge of REST APIs (via JAX-RS) is very helpful, whereas alternatively if you're managing identity data or writing more complex rules knowledge of JDBC and SQL will be useful.

Since IIQ is so customizable, having this strong background will allow you to ensure that the product will fit specific business needs.

SailPoint IdentityNow

The reliance on Java for IdentityNow is much lower than in IIQ. Java is still involved, but since IdentityNow is designed to be less code-intensive and more configure driven, the requirements for a strong background in Java is softened. IdentityNow makes a point of its ease of use with a more declarative approach, but that being said you will often need to come in with Java for certain connectors and customizations.

Other technologies are still in play though:

PowerShell is extremely useful for integrating with Microsoft Environments.

Python or Javascript is also useful for specific connectors or executing custom tasks.

Since IdentityNow is a SaaS product, the legwork is somewhat reduced, meaning engineers can focus more on configuration as opposed to coding. However, when extending the platforms capabilities or building custom connectors, you will need to dive back into Java or scripting tools.

Customization and Extensibility

A distinct differentiator between the two products is the level of customization each one provides. IIQ is incredibly flexible, which is a large part of why the technical requirements (particularly in J2EE) is higher than IdentityNow. This allows you to build out custom solutions for almost any IGA scenario you could come across.

This of course, can lead to people getting carried away. I've found that developers with extremely deep knowledge of Java will find themselves constantly tweaking and optimizing custom workflows, policies and connectors.

IdentityNow offers less customization, but as discussed in last weeks episode this makes it much more approachable for teams without the depth of knowledge or resources to utilize the customization of IIQ. It has more "out-the-box" functionality and most tasks can already be handled with the easy to use interface. Customization for IdentityNow typically comes in the form of configurations and scripting as opposed to deeper levels of coding.

Conclusions

By now, it should be clear that it depends on the organizations size, complexity, and specific IGA needs. On prem and highly complex? You're best off with IIQ. Need an On-Cloud, scalable and less developmentally taxing solution? Then IdentityNow is ideal.

In my conversations with people involved in SailPoint's products, many note that IdentityNow is currently receiving more attention from SailPoint and believe that is the main solution they will be supporting in the future. So if you're new to the space, consider learning IdentityNow.

In any case, as an Engineer understanding Java and technologies surrounding identity governance is critical. IIQ makes Java a non-negotiable, but IDN still massively benefits from having Java knowledge.