Configuration

The configuration steps differ depending on whether you are integrating the Delinea Platform with SailPoint Identity Security Cloud (ISC) or SailPoint IdentityIQ (IIQ).

Before proceeding, you must complete the Delinea SCIM Connector configuration. This includes creating the SCIM service account, assigning the required custom role and permissions, and validating OAuth 2.0 token retrieval.

Complete the following steps in the Delinea Platform:

  • Step 1: Configure SCIM Connector for the Delinea Platform.

  • Step 2: Review the recommended best practices to confirm that your configuration follows recommended guidelines for authentication, synchronization, permissions, filters, and connectivity.

  • Step 3: Review the FAQ for answers to common questions about SCIM Cloud Connector configuration and troubleshooting.

Once these steps are completed, follow the section below that matches your SailPoint deployment.

Delinea supports integrations with SailPoint Identity Security Cloud (ISC) and SailPoint IdentityIQ (IIQ).

Configure SailPoint Identity Security Cloud (ISC)

Follow these steps to create and configure the SCIM 2.0 source in SailPoint ISC:

  1. Log in to your SailPoint Cloud instance.

  2. Navigate to Admin > Connections > Sources > Create New.

  3. In the Search for a source field, type SCIM 2.0 SaaS and then select Configure for the displayed SCIM 2.0 SaaS source.

  4. Enter the connection details:

  5. Once you are done, select Continue. The Connection Settings page opens.

  6. Complete the following fields:

    • Base URL: https://<your-tenant>.delinea.app/scim/v2

    • Authentication Type: OAuth 2.0

    • Grant Type: Client Credentials

    • OAuth 2.0 Token URL: https://<your-tenant>.delinea.app/identity/api/oauth2/token/xpmplatform

    • Client ID: Delinea SCIM service account username

    • Client Secret: Delinea SCIM service account password

  7. Configure OAuth request parameters:

    • Key: scope

    • Value: xpmheadless

  8. Save the source.

Configure SailPoint IdentityIQ (IIQ)

Follow these steps to create and configure the SCIM 2.0 source in SailPoint IdentityIQ:

Step 1: Create and Configure the SCIM 2.0 Source in SailPoint

  1. Once the role and user have been created in the Delinea Platform, go to SailPoint and navigate to Setup > Sources > Add New Source > SCIM 2.0.

  2. Enter the following connection details:

    1. In the Host URL field, add the SCIM URL: https://tenantname.delinea.app/scim/v2.

      This is the base SCIM endpoint for your Delinea tenant. SailPoint uses this URL to retrieve users, groups, and permissions via SCIM.

    2. Select the OAuth 2.0 checkbox in the Authentication Type field.

      This determines how SailPoint authenticates to the Delinea Platform. Delinea requires OAuth 2.0 token-based authentication.

    3. In the Grant Type field select Client Credentials from the dropdown. This grant type is used for service accounts and non-interactive system authentication.

    4. In the OAuth 2.0 Token URL field, enter the Delinea OAuth token endpoint: https://tenantname.delinea.app/identity/api/oauth2/token/xpmplatform

      This is the Delinea endpoint where SailPoint requests an access token using the client ID, secret, and scope.

    5. In the Client ID field, enter the Delinea Platform SCIM service account username.

  3. In the Client Secret field, enter the password for your SCIM service account.

  4. In the Source Setup navigation menu, click Additional Settings.

  5. Scroll to the OAuth Request Parameters section.

  6. Click Add and enter the required Delinea scope:

    • Key: scope

    • Value: xpmheadless

  7. Click Add, then Save the Source.

Step 2: Configure SailPoint IdentityIQ Application

Step 1: Create Application

  1. Log in to your SailPoint instance using administrative credentials.

  2. Navigate to Applications > Application Definition.

  3. Select Add New Application to begin creating a new integration.

  4. In the Details tab, fill in the required fields:

    1. Name: Enter a descriptive name for the application (e.g., scimCloudProd).

    2. Owner: Select the appropriate SailPoint administrator from the dropdown.

    3. Application Type: Select Privileged Account Management from the dropdown.

    4. Select the Authoritative Application checkbox.

  5. After selecting Authoritative Application, additional tabs will appear: Configuration, Correlation, Risk, Activity Data Sources, Unstructured Targets, Rules, Password Policy.

    This SCIM Cloud application will later be referenced when creating the sync tasks (Account Aggregation, Group Aggregation, Target Aggregation).

Step 2: Configure SCIM Settings

  1. Select the Configuration tab and go to the Settings sub-tab.

  2. In the Base URL field, enter your Delinea Platform SCIM URL (https://<your-domain>.delinea.app/scim/v2).

  3. In the Authentication Type field, select the OAuth 2.0 checkbox.

  4. In the Grant Type field, select the Client Credentials from the dropdown list.

  5. In the Token URL field, enter the Delinea OAuth token endpoint: https://<your-platform-tenant-url>/identity/api/oauth2/token/xpmplatform

    This is the static OAuth 2.0 token URL that SailPoint uses to request access tokens.

  6. In the Client ID field, enter the Delinea Platform SCIM service account username.

  7. In the Client Secret field, enter the Delinea Platform SCIM service account password.

  8. Assign these permissions:

    • Owner

    • Edit

    • Add Secret

    • View

  9. No additional permissions should be granted beyond the list above. This configuration ensures that the application maintains the intended access control and aligns with the defined security requirements.

  10. Click Test Connection and ensure the connection is successful.

  11. Click Save to commit your configuration.

Step 3: Add Unstructured Target

  1. Navigate to the Unstructured Targets tab.

  2. Select Add New Unstructured Data Source if a target does not already exist.

  3. Either select an existing target source from the dropdown or click Create Target Source to create a new one.

  4. In the Select Target Source field select a SCIM target from the dropdown.

  5. In the Unstructured Target Configuration page, verify the following SCIM settings are filled:

    • Base URL: same as used above.

    • Authentication Type: OAuth 2.0

    • Grant Type: Client Credentials

    • Token URL: Delinea Token URL.

    • Client ID / Secret: SCIM service credentials.

    • Correlation Rule: Select PAM Account Mapping Correlation Rule.

    • Target Source Type: Privileged Account Management Collector.

  6. Select Save to save the data source.

  7. Select Next, then save again to save the application.

To verify the SCIM target linkage:

  1. Return to the main Application page and open your SCIM Cloud application again.

  2. Go to the Unstructured Targets tab.

  3. Verify that your target (for example, scimCloudProd-TargetSource) appears in the list with Type = Privileged Account Management.

  4. This confirms that the SCIM data source is successfully linked to the application.

Step 3: Configure Refresh Token

  1. Log in to SailPoint Debug Mode using http://<your-instance>.sailpointtechnologies.com:8890/identityiq/debug.

  2. From the Debug page, open the Object Browser Grid and select Application from the dropdown menu.

  3. Select the SCIMCloud application to open the Object Editor.

  4. Scroll to the XML configuration section in the Object Editor and locate the <Map> entries.

  5. Add an <entry key="retryableErrors"> section in the XML to define retryable errors (for example, Unauthorized, 401, 401 Unauthorized), based on the example below:

    <entry key="retryableErrors">
      <value>
        <List>
          <String>Unauthorized</String>
          <String>401</String>
          <String>401 Unauthorized</String>
        </List>
      </value>
    </entry>

  6. Add your refresh token securely in the appropriate XML field to enable token refresh.

  7. Click Save in the Object Editor to apply the changes.

  8. Re-run an aggregation task and observe Task Results.

  9. Confirm that the connector automatically retries and refreshes the token as defined in your XML configuration (added in Debug Mode).

  10. Return to the application configuration and click Test Connection to confirm retry and refresh functionality.

Step 4: Create Sync Tasks

  1. Log in to SailPoint with administrative credentials.

  2. Navigate to Setup > Tasks.

  3. Select New Task to expand it and select the following task types one by one:

    1. Select Account Aggregation to sync users.

    2. Select Account Group Aggregation to sync groups.

    3. Select Target Aggregation to sync permissions.

  4. In the Name field, type a descriptive name for each task (e.g., SCIM-Cloud-UserSync, SCIM-Cloud-GroupSync, SCIM-Cloud-PermissionSync).

  5. In the task details:

    1. Select your SCIM application (e.g., scimCloudProd).

    2. Leave other options as default unless additional rules are required.

  6. Click Save to finalize each task.

  7. Confirm that the tasks automatically pull users, groups, and permissions from Delinea Platform into SailPoint.

  8. You can execute the task in the background if you are confident that the information is correct and there is no need for manual verification.

    • To do so, right-click on the name of a task and select Execute in Background.

    • Alternatively, right-click the task and select Edit. Once you have verified the accuracy of the information, select Save and Execute.

  9. After the task has been successfully executed in the background, you can verify its status in the Task Results tab.

  10. Repeat for all tasks (Account, Group, and Target).

  11. Confirm that each task appears as expected and is ready to run.

After completing the SCIM configuration and saving your application:

  1. Go to Applications > Application Definition.
  2. Select the SCIM application you configured.
  3. Click the Accounts tab.
  4. Confirm that the synchronized user and group accounts from the Delinea Platform appear here.

This view allows you to verify that the application is correctly aggregating data through the SCIM connector.

After completing configuration and creating your sync tasks, verify that each task ran successfully.

  1. In SailPoint, navigate to Setup > Tasks > Task Results.

  2. Locate your SCIM tasks (for example, scimCloudProd-AccountAggregation, scimCloudProd-TargetAgg).

  3. In the Result column, confirm that each task shows Success with a green checkmark.

  4. If any task shows Fail, review the error details and confirm that:

    • The SCIM application configuration is correct.

    • The Client ID, Secret, and Token URL are valid.

    • The Delinea Platform endpoint is reachable.

  5. Once all tasks show Success, the integration is verified and functioning as expected.
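The following Python script is an added example, not part of the Delinea or SailPoint documentation, for checking the pieces the failure list above points at: it builds the client-credentials token request with the xpmheadless scope and the xpmplatform token URL from the connection settings, and it reproduces the retry-on-401 behaviour that the retryableErrors entry configures in IdentityIQ. The tenant name, the SCIM service account values, the assumption that client_id and client_secret are sent as form fields, and the offline fake transport in demo() are all constructed for illustration.

```python
import json
import urllib.parse
import urllib.request

# Placeholders (not from the page): replace with your tenant and SCIM service account.
TENANT = "your-tenant"
SCOPE = "xpmheadless"  # the OAuth request parameter SailPoint must send
# Same strings as the retryableErrors entry added in IIQ Debug Mode.
RETRYABLE_ERRORS = ["Unauthorized", "401", "401 Unauthorized"]

def token_url(tenant):
    return f"https://{tenant}.delinea.app/identity/api/oauth2/token/xpmplatform"
def scim_base_url(tenant):
    return f"https://{tenant}.delinea.app/scim/v2"

def build_token_request(tenant, client_id, client_secret):
    """Client-credentials grant; assumption: id/secret travel as form fields."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": SCOPE,
                                   "client_id": client_id, "client_secret": client_secret})
    return urllib.request.Request(token_url(tenant), data=form.encode(), method="POST",
                                  headers={"Content-Type": "application/x-www-form-urlencoded"})

def is_retryable(status, reason):
    # IIQ retries when the error message contains one of the configured strings.
    return any(s in f"{status} {reason}" for s in RETRYABLE_ERRORS)

def scim_get_with_retry(send, get_token, path, tenant=TENANT):
    """send(Request)->(status, reason, body); get_token()->fresh bearer token. A
    retryable 401 triggers one token refresh and a retry, as retryableErrors asks."""
    for attempt in (1, 2):
        req = urllib.request.Request(scim_base_url(tenant) + path, headers={
            "Authorization": f"Bearer {get_token()}", "Accept": "application/scim+json"})
        status, reason, body = send(req)
        if status == 200:
            return json.loads(body)
        if attempt == 1 and is_retryable(status, reason):
            continue
        raise RuntimeError(f"SCIM request failed: {status} {reason}")

def demo():
    """Constructed offline transport: an expired-token 401, then a SCIM ListResponse.
    Returns (totalResults reported by /Users, number of tokens fetched)."""
    tokens = []
    replies = [(401, "Unauthorized", ""),
               (200, "OK", json.dumps({"totalResults": 3, "Resources": []}))]
    def get_token():
        tokens.append(f"tok{len(tokens) + 1}")
        return tokens[-1]
    result = scim_get_with_retry(lambda req: replies.pop(0), get_token, "/Users?count=1")
    return result["totalResults"], len(tokens)
```

To run it against a real tenant, replace the fake transport with urllib.request.urlopen and obtain the token by sending build_token_request() first; a 401 that is not followed by a successful retry points at the Client ID, Secret or Token URL checks listed above.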