
SailPoint Identity Security Cloud Architecture — SaaS Tenant, VA Cluster & the Identity Cube

SailPoint Identity Security Cloud (formerly IdentityNow) is a multi-tenant SaaS IGA platform. This lesson maps its four layers — the cloud SaaS tenant, the Virtual Appliance cluster, sources and connectors, and the identity cube — and shows exactly how an account aggregation flows end-to-end.

📅 2026-06-20 · ⏱ 16 min · 4 infographics · live flow demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Master SailPoint Identity Security Cloud architecture in 2026: the SaaS tenant, Virtual Appliance cluster, sources and connectors, the identity cube, and core ISC services — built for interview prep and real deployments.

🎯 By the end you will be able to explain

1. What ISC is: multi-tenant SaaS IGA and its four layers.
2. The VA cluster: how VAs connect on-prem systems to the cloud.
3. Sources & connectors: AD, Workday, SAP and custom connectors.
4. The identity cube & services: unified identity, governance engine, AI insights.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Does SailPoint ISC require you to open an inbound firewall port to the cloud? (Answered in ② VA cluster.)
2. What is the identity cube? (Answered in ④ Identity cube & services.)
3. Which connector type does NOT need a Virtual Appliance? (Answered in ③ Sources & connectors.)

Most engineers think…

Most people picture SailPoint as 'a server you install in your data centre'. That picture is outdated and will hurt you in an interview.

SailPoint Identity Security Cloud is a multi-tenant SaaS platform. Your data centre only needs a pair of lightweight Linux VMs — the Virtual Appliance cluster — that phone out to the ISC cloud. Everything else — the policy engine, identity cube store, certifications, provisioning, AI insights and APIs — lives in SailPoint's managed cloud. Understanding that boundary is the key to sizing, troubleshooting and passing a SailPoint interview.

① What SailPoint Identity Security Cloud is — a four-layer SaaS IGA platform

SailPoint Identity Security Cloud (ISC), formerly IdentityNow, is a multi-tenant SaaS Identity Governance and Administration platform. You do not install a server; you activate a cloud tenant. SailPoint manages the infrastructure, upgrades and availability; you manage policies, sources, roles and certifications inside the tenant.

The architecture has four logical layers. The ISC cloud tenant is the brain: it holds the governance engine, identity cube store, policies, certifications, provisioning workflows, the REST APIs and Transforms. The Virtual Appliance (VA) cluster is the connectivity bridge between your private network and the cloud. Sources are the authoritative and managed systems you connect (Active Directory, Workday, SAP, ServiceNow, etc.). The identity cube is the per-person unified identity object assembled from all source aggregations and used to drive every governance decision.

All four layers work together: sources feed data through the VA cluster into the ISC cloud, where the governance engine processes it and builds the identity cube. That cube then powers access reviews, role analysis, provisioning and AI-driven recommendations.

Figure 1 — ISC architecture — four layers
Sources (AD, Workday, SAP, SaaS) → VA cluster (outbound relay to cloud) → ISC tenant (governance + provisioning) → Identity cube (unified identity record).
Every governance action in ISC flows through the same four-layer stack — sources, VA cluster, cloud tenant, identity cube.
Quick check · Q1 of 10 · Understand

SailPoint Identity Security Cloud is best described as…

Correct: b. ISC is a multi-tenant SaaS platform — you activate a cloud tenant, manage policies and sources, and SailPoint handles infrastructure, upgrades and availability. You do not install a server.
👉 So far: ISC = multi-tenant SaaS IGA — four layers: cloud tenant (brain), VA cluster (connectivity), sources (systems), identity cube (unified identity).

② The Virtual Appliance cluster — outbound-only connectivity, no inbound ports

The Virtual Appliance (VA) is a lightweight Linux VM you deploy on-premises (or in your private cloud). You typically run a VA cluster — two or more VAs grouped together — for high availability. All VAs in a cluster read from the same VA cluster queue in the ISC cloud.

The key security insight

The VA polls the cloud queue over outbound HTTPS (TCP 443). There are no inbound firewall rules to open towards SailPoint. The rules you do need are egress: outbound 443 from the VA to SailPoint's endpoints (directly or through an HTTP proxy), plus internal reachability from the VA to the sources it serves (for example LDAP/LDAPS to the domain controllers). The VA decrypts the queued message using a private key held locally on the VA, calls the appropriate connector to reach the target source (e.g. LDAP to Active Directory on your internal network), gets the response, and sends the result back to ISC over the same outbound channel. This design means your on-premises systems stay behind your firewall and are never directly reachable from the internet. The VA itself is still a privileged host, since it can decrypt source credentials and reach every system it serves, so patch it, restrict SSH to it, and place it on a segmented network as you would a jump host.

For HA, add a second VA to the same cluster. ISC load-balances work items across the cluster queue, so if one VA goes down, the other picks up requests with no manual intervention.

Figure 2 — VA cluster — inside the connectivity bridge
ISC cloud queue (pending work items from the tenant) → VA cluster, HA pair (poll queue, decrypt, relay calls) → connectors (LDAP, JDBC, REST, custom SDK) → target sources (AD, SAP, DB on the internal network).
The VA cluster is two or more Linux VMs that poll a cloud queue outbound — no inbound firewall ports needed.
Key terms

ISC Cloud Tenant: The SailPoint-managed SaaS environment holding the governance engine, identity cube store, certifications, provisioning, AI insights and REST APIs. You manage policy; SailPoint manages infrastructure.

Virtual Appliance (VA): A lightweight Linux VM deployed on-premises. It polls the cloud queue over outbound HTTPS and relays connector calls to internal sources; no inbound firewall ports needed.

Source: Any system ISC manages or reads from, such as AD, Workday, SAP or Salesforce. Each source has an account schema, entitlement schema and provisioning policies, and is assigned to a VA cluster or a SaaS connector.

Identity Cube: A per-person unified identity object assembled from all source aggregations. It holds every account, entitlement and HR attribute and is the input to certifications, policy enforcement and AI recommendations.

Always deploy two VAs per cluster

A single VA is a single point of failure. In an interview, and in production, the answer is a HA VA cluster with a minimum of two VAs, sized so the aggregation load still fits on one of them. During a patch or reboot of one, the other keeps polling the queue. SailPoint's deployment guidance calls for at least two VAs in every production cluster; a one-VA cluster is fine for a sandbox and nothing else.

Quick check · Q2 of 10 · Apply

Your company's firewall team refuses to open any inbound ports. Can you still connect on-premises Active Directory to ISC?

Correct: c. The VA makes only outbound HTTPS calls to the ISC cloud queue. No inbound firewall ports are needed. The VA then calls your internal AD over LDAP from inside your network.
👉 So far: The VA cluster polls the ISC cloud queue outbound over HTTPS — no inbound firewall ports. Always run two VAs per cluster for high availability.

③ Sources & connectors — what ISC manages and how it talks to each one

A source in ISC represents a system that holds accounts, entitlements or authoritative identity data. Common examples: Active Directory (accounts & groups), Workday (authoritative HR data), SAP (ERP roles), ServiceNow (tickets & CMDB), Microsoft Entra ID (formerly Azure AD), and dozens of SaaS apps. Each source is assigned to a VA cluster (for on-premises systems) or configured as a SaaS connector (for cloud-to-cloud integrations that don't need a VA).

ISC ships two categories of connectors. VA-based connectors run on the VA and are used for on-premises or network-restricted systems; the VA relays calls between the cloud queue and the target. SaaS connectors run entirely in the SailPoint cloud and call the target system directly over its public API, with no VA required, which makes them the fit for cloud apps like Salesforce, Google Workspace or ServiceNow. The caveat: the target must be reachable from SailPoint's cloud, so if it restricts callers by IP its allow-list has to admit SailPoint's published cloud addresses. Systems without a bundled connector can be covered by a custom connector built with SailPoint's SaaS Connectivity SDK (TypeScript); these are deployed into the SailPoint cloud and behave like SaaS connectors, so they need no VA but can only reach systems the SailPoint cloud can route to.

Each source defines account schema (which attributes to pull), entitlement schema (groups, roles, permissions), and provisioning policies. ISC runs scheduled or on-demand aggregations to pull account data and entitlement aggregations to pull permission catalogues.

Figure 3 — One ISC tenant — many source types
ISC tenant + identity cube, fed by: Active Directory, Workday (HR), SAP ERP, Salesforce (SaaS), Azure AD, custom SDK source.
ISC manages VA-based and SaaS connectors from one tenant, correlating accounts into a single identity cube.
Figure 4 — VA-based vs SaaS connectors
VA-based connector: runs on the on-prem VA; relays calls via the cloud queue; reaches firewall-protected systems; needs a VA cluster for HA.
SaaS connector: runs in the SailPoint cloud; calls the target API directly; no VA or firewall changes; best for cloud SaaS apps.
Choose VA-based connectors for on-prem systems; SaaS connectors for cloud apps with public APIs.
'Source' and 'connector' are not the same

A connector is the software that knows how to talk to a system type (e.g. the AD connector speaks LDAP). A source is the configured instance of a connector pointing at a specific system (e.g. 'CORP-AD-PROD'). You can have many sources using the same connector type. Mixing these terms in an interview is a red flag.

▶ An AD account aggregation flow end-to-end

How ISC collects accounts from Active Directory through the VA cluster. This is the healthy path; the classic failure, a cluster with no VA available to poll the queue, is worked through in section ④.

1. Schedule: ISC schedules an aggregation for the CORP-AD-PROD source and pushes a work item to the VA cluster queue.
2. VA poll: A healthy VA in the cluster picks up the work item from the cloud queue over outbound HTTPS and decrypts the task.
3. LDAP call: The VA runs the AD connector, calls LDAP on the internal domain controller, and retrieves account and group data.
4. Cube update: Results are returned to ISC over the same outbound channel. The cloud tenant updates the identity cube with new accounts, entitlements and correlation data.
Quick check · Q3 of 10 · Remember

Which connector type does NOT require a Virtual Appliance?

Correct: b. SaaS connectors (including custom connectors built with the SaaS Connectivity SDK) run entirely in the SailPoint cloud and call the target application's public API directly. VA-based connectors, including JDBC and every other connector to an on-premises or network-restricted system, need a VA.
👉 So far: VA-based connectors relay through the cluster for on-prem systems; SaaS connectors call cloud APIs directly with no VA needed. Each source has account schema, entitlement schema and provisioning policies.

④ The identity cube and core ISC cloud services

The identity cube is the central data object in ISC. After each aggregation, ISC merges account data from all sources into a single per-identity record: name, employee type, manager, all accounts, all entitlements, correlated across every source. The authoritative source (typically HR) decides who exists; the cube is the record every downstream service actually reads, so a stale cube means stale governance even when the live source is correct.

Core ISC cloud services that consume the cube

The governance engine evaluates access policies, triggers certifications and enforces separation-of-duty rules. The certifications service creates periodic access reviews for managers and application owners to approve or revoke entitlements. The provisioning engine executes joiner-mover-leaver lifecycle events — creating, updating or disabling accounts via source connectors when identity attributes change. AI-driven identity security layers on top: peer-group analysis flags outlier access, role mining suggests roles from existing entitlement patterns, and recommendations guide reviewers during certifications. The REST API and Transforms layer lets you extend ISC, build custom workflows and integrate with ITSM tools like ServiceNow.

Worked scenario: Priya, at a Mumbai financial services firm, faces this

An ISC aggregation for the HR Workday source keeps failing, and the identity cube records for 200 new joiners are not updating. Lifecycle provisioning is stalled.

Likely cause

The VA cluster has only one VA running; that VM was patched and rebooted overnight, leaving no healthy VA to poll the cluster queue.

Diagnosis

Check ISC Admin ▸ Infrastructure ▸ VA Clusters — the single VA shows 'Offline'. The source aggregation log shows 'No available VA in cluster'. The cluster queue has a backlog of pending work items.

Fix

Bring the rebooted VA back online and — to prevent recurrence — add a second VA to the cluster for HA. With two VAs, one can be patched while the other keeps the queue moving.

Verify

Re-run the Workday aggregation manually. The identity cube records update and lifecycle provisioning events fire for the 200 new joiners.
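The HA rule from section ② and the diagnosis just above, as an added example in Python that is not SailPoint's code and does not call the ISC API. It classifies each VA cluster, lists the sources that depend on a cluster that is down or has a single VA, and simulates one polling round of the cluster queue so you can see the work item for a cluster with no healthy VA stay pending while the SaaS-connector item never touches a VA at all. The cluster and source records are constructed; their field names and status values are assumptions, not the ISC schema.

```python
"""Added example, not SailPoint code: VA cluster health check plus a one-round
simulation of the cluster queue. Field names, status values and the records
themselves are constructed assumptions, not the ISC API schema."""

MIN_VAS_PER_CLUSTER = 2   # SailPoint's guidance for a production cluster

# Constructed snapshot: one cluster whose only VA was rebooted, and one HA pair.
CLUSTERS = {
    "cl-hr":   {"name": "HR-VA-CLUSTER",   "vas": [{"id": "va-01", "status": "Offline"}]},
    "cl-corp": {"name": "CORP-VA-CLUSTER", "vas": [{"id": "va-02", "status": "Normal"},
                                                    {"id": "va-03", "status": "Normal"}]},
}
# VA-based sources point at a cluster; a SaaS-connector source has no cluster.
SOURCES = [
    {"name": "Workday-HR",   "connector": "Workday",           "cluster": "cl-hr"},
    {"name": "CORP-AD-PROD", "connector": "Active Directory",  "cluster": "cl-corp"},
    {"name": "SAP-ERP",      "connector": "SAP",               "cluster": "cl-corp"},
    {"name": "Salesforce",   "connector": "Salesforce (SaaS)", "cluster": None},
]
# Work items as the tenant would queue them for a scheduled account aggregation.
PENDING = [{"source": s["name"], "task": "ACCOUNT_AGGREGATION"} for s in SOURCES]


def healthy_vas(cluster):
    return [va for va in cluster["vas"] if va["status"] == "Normal"]


def cluster_report(clusters):
    """Classify each cluster: DOWN (nothing can poll the queue), NO_HA (works today,
    stalls on the next patch) or OK. Returns {cluster id: (state, healthy, total)}."""
    report = {}
    for cid, cluster in clusters.items():
        healthy, total = len(healthy_vas(cluster)), len(cluster["vas"])
        if healthy == 0:
            state = "DOWN"
        elif total < MIN_VAS_PER_CLUSTER:
            state = "NO_HA"
        else:
            state = "OK"
        report[cid] = (state, healthy, total)
    return report


def at_risk_sources(sources, report):
    """VA-based sources whose cluster is not OK; SaaS sources never appear here."""
    return sorted(s["name"] for s in sources
                  if s["cluster"] is not None and report[s["cluster"]][0] != "OK")


def dispatch_round(pending, sources, clusters):
    """One polling round. Healthy VAs take their cluster's items round-robin; items
    for a cluster with no healthy VA stay queued, which is the backlog the diagnosis
    step finds. SaaS-connector items are executed in the cloud and never touch a VA."""
    by_name = {s["name"]: s for s in sources}
    next_va = {cid: 0 for cid in clusters}
    outcome = {}
    for item in pending:
        cid = by_name[item["source"]]["cluster"]
        if cid is None:
            outcome[item["source"]] = "executed in SailPoint cloud (SaaS connector)"
            continue
        vas = healthy_vas(clusters[cid])
        if not vas:
            outcome[item["source"]] = "pending: No available VA in cluster"
            continue
        va = vas[next_va[cid] % len(vas)]
        next_va[cid] += 1
        outcome[item["source"]] = f"picked up by {va['id']}"
    return outcome


if __name__ == "__main__":
    report = cluster_report(CLUSTERS)
    print(report)
    print("at risk:", at_risk_sources(SOURCES, report))
    print(dispatch_round(PENDING, SOURCES, CLUSTERS))
    # After the fix: va-01 is back and a second VA has been added to the HR cluster.
    CLUSTERS["cl-hr"]["vas"] = [{"id": "va-01", "status": "Normal"},
                                {"id": "va-04", "status": "Normal"}]
    print(cluster_report(CLUSTERS)["cl-hr"], dispatch_round(PENDING, SOURCES, CLUSTERS)["Workday-HR"])
```

The NO_HA state is the one worth alerting on before anything breaks: a cluster with one healthy VA passes every "is it up" check right until the VA is patched, which is exactly the overnight failure in the scenario.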

Check the identity cube, not just the source account

When an entitlement is missing from a certification review, do not just check the source system. Check the identity cube record in ISC — the aggregation may be stale, correlation may have failed, or the entitlement schema may not include that attribute. The cube is what drives governance decisions, not the live source.
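The merge into the identity cube and the SoD evaluation described in this section, together with the stale-cube comparison from the tip just above, as an added example in Python that is not SailPoint's code and not the ISC API. It builds one record per Workday identity from constructed AD and SAP aggregation results, reports accounts that correlate to no identity, evaluates a constructed SoD policy over the merged entitlements, and diffs a cube against what a live source reports. The source names, attribute names, employee ids and the policy are all assumptions.

```python
"""Added example, not SailPoint code: mimics what the ISC tenant does after an
aggregation, merging accounts from several sources into one record per identity
and evaluating a separation-of-duty (SoD) policy over the merged entitlements.
All source names, attribute names, ids and the policy are constructed."""
from dataclasses import dataclass, field

# Constructed aggregation results. Workday is the authoritative source (it creates
# identities); AD and SAP are managed sources whose accounts must be correlated.
WORKDAY = [
    {"employeeId": "E1001", "displayName": "Priya Nair", "managerId": "E0900", "type": "employee"},
    {"employeeId": "E1002", "displayName": "Arjun Mehta", "managerId": "E0900", "type": "contractor"},
]
AD = [
    {"sAMAccountName": "pnair", "employeeID": "E1001",
     "memberOf": ["CN=VPN-Users,OU=Groups,DC=corp,DC=example",
                  "CN=Finance-RO,OU=Groups,DC=corp,DC=example"]},
    {"sAMAccountName": "amehta", "employeeID": "E1002",
     "memberOf": ["CN=VPN-Users,OU=Groups,DC=corp,DC=example"]},
    # Service account with no HR record: must surface as uncorrelated, not vanish.
    {"sAMAccountName": "svc-backup", "employeeID": None,
     "memberOf": ["CN=Domain Admins,CN=Users,DC=corp,DC=example"]},
]
SAP = [
    {"userId": "PNAIR", "personnelNumber": "E1001",
     "roles": ["AP_INVOICE_CREATE", "AP_PAYMENT_RELEASE"]},
    {"userId": "AMEHTA", "personnelNumber": "E1002", "roles": ["AP_INVOICE_CREATE"]},
]

# Per-source correlation config: (accounts, account-name attribute,
# attribute carrying the identity key, attribute carrying entitlements).
SOURCES = {
    "CORP-AD-PROD": (AD, "sAMAccountName", "employeeID", "memberOf"),
    "SAP-ERP": (SAP, "userId", "personnelNumber", "roles"),
}

# Constructed SoD policy: holding both roles lets one person create and release payments.
SOD_POLICY = {"source": "SAP-ERP", "conflict": {"AP_INVOICE_CREATE", "AP_PAYMENT_RELEASE"}}


@dataclass
class IdentityCube:
    employee_id: str
    attributes: dict                                  # HR attributes from the authoritative source
    accounts: dict = field(default_factory=dict)      # source name -> account name
    entitlements: set = field(default_factory=set)    # "source:entitlement"


def build_cubes(hr_records, sources):
    """Correlate every account to an identity by its key attribute.
    Returns (cubes by employee id, list of (source, account) that matched nothing)."""
    cubes = {r["employeeId"]: IdentityCube(r["employeeId"], r) for r in hr_records}
    uncorrelated = []
    for src, (accounts, name_attr, key_attr, ent_attr) in sources.items():
        for acct in accounts:
            cube = cubes.get(acct.get(key_attr))
            if cube is None:
                uncorrelated.append((src, acct[name_attr]))
                continue
            cube.accounts[src] = acct[name_attr]
            cube.entitlements.update(f"{src}:{e}" for e in acct.get(ent_attr, []))
    return cubes, uncorrelated


def sod_violations(cubes, policy):
    """Identities holding every entitlement in the policy's conflict set."""
    conflict = {f"{policy['source']}:{e}" for e in policy["conflict"]}
    return sorted(eid for eid, cube in cubes.items() if conflict <= cube.entitlements)


def stale_cube_check(cube, source, live_entitlements):
    """Compare what the cube holds for a source with what the live source reports.
    A non-empty difference means the aggregation is stale, correlation failed, or the
    entitlement schema does not include that attribute."""
    in_cube = {e.split(":", 1)[1] for e in cube.entitlements if e.startswith(source + ":")}
    return {"missing_from_cube": sorted(set(live_entitlements) - in_cube),
            "missing_from_source": sorted(in_cube - set(live_entitlements))}


if __name__ == "__main__":
    cubes, orphans = build_cubes(WORKDAY, SOURCES)
    for eid, cube in cubes.items():
        print(eid, cube.accounts, sorted(cube.entitlements))
    print("uncorrelated:", orphans)
    print("SoD violations:", sod_violations(cubes, SOD_POLICY))
```

Two details carry the lesson's point. The uncorrelated list is where governance blind spots live: svc-backup holds Domain Admins and belongs to no identity, so no certification would ever show it. And the SoD check runs on the cube, which is why a failed SAP aggregation hides a real conflict until the cube catches up.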

Quick check · Q4 of 10 · Analyze

An access certification reviewer flags that a user has conflicting ERP roles. Which ISC component detected the conflict?

Correct: c. The governance engine evaluates access policies — including SoD rules — against the identity cube, which holds all the user's entitlements aggregated from every source. The VA and connectors only move data; the governance engine is the decision-maker.
👉 So far: The identity cube is the per-person record assembled from all aggregations — it drives certifications, SoD policy, provisioning and AI recommendations.


📝 Wrap-up assessment — six more questions

Questions 1 to 4 appeared inline above; the remaining six follow.

Q5 · Remember

What is the primary role of the ISC cloud tenant in the architecture?

Correct: a. The ISC cloud tenant is the SaaS brain — it hosts the governance engine, identity cube, certifications, provisioning workflows and REST APIs. VAs and connectors are the connectivity layer; the cloud tenant is where governance decisions happen.
Q6 · Understand

Why does the VA cluster not require any inbound firewall rules?

Correct: c. The VA initiates outbound HTTPS connections to the ISC cloud queue. There is no inbound connection from the internet to your VA. The VA then makes calls to internal systems (e.g. LDAP to AD) from inside your network, keeping all sensitive systems behind your firewall.
Q7 · Apply

You are connecting ISC to a Salesforce tenant. Which connector approach is correct?

Correct: b. Salesforce is a cloud SaaS app with a public REST API. The ISC SaaS connector calls it directly from the SailPoint cloud. No VA is needed and no inbound firewall rules are required on the Salesforce side.
Q8 · Analyze

A user's access certification shows entitlements from three months ago despite daily aggregations. Where should you investigate first?

Correct: d. Certifications are driven by the identity cube, not live source data. If the cube is stale, check whether aggregations are succeeding (look at source aggregation history) and whether the entitlement schema includes the attributes in question. The VA or network may also be a factor but the cube and aggregation logs are the first stop.
Q9 · Evaluate

Your CISO asks why SailPoint ISC is safer than a self-hosted IGA server for on-premises connectivity. Best answer?

Correct: b. The outbound-only VA model means your AD, SAP and other systems are never exposed to the internet, and SailPoint manages the cloud tenant's patching, availability and security. That is a stronger posture than exposing a self-hosted IGA server, or the directories behind it, to inbound connections from the internet or from cloud services. The trade-off to name to a CISO: your identity data now lives in a third-party tenant, so tenant hardening (admin MFA, scoped API credentials, audit log export) and VA host hardening become part of your posture.
Q10 · Evaluate

Which governance service in ISC consumes the identity cube to generate access review tasks?

Correct: c. The certifications service reads the identity cube to build the access review — showing managers or application owners the entitlements each identity currently holds. Reviewers certify or revoke based on the cube data. VAs and connectors only move data into the cube; they do not generate certifications.

🧠 In your own words

Type one line: why is SailPoint ISC called a SaaS platform rather than an on-premises product — and what does that mean for your firewall? Then compare with the expert version.

Expert version: SailPoint ISC is SaaS because the governance engine, identity cube store, certifications, provisioning and APIs all run in SailPoint's managed cloud — you only deploy lightweight VA VMs on-premises for connectivity. The VA polls the cloud queue outbound over HTTPS, so your firewall never needs an inbound rule pointing to SailPoint. Your internal systems (AD, SAP, databases) stay behind your firewall and are called locally by the VA, not directly from the internet. That is the core security and operational advantage over a self-hosted IGA server.


📖 Glossary

Identity Security Cloud (ISC)
SailPoint's multi-tenant SaaS IGA platform, formerly IdentityNow. The cloud tenant hosts all governance, provisioning, certifications and APIs.
Virtual Appliance (VA)
A lightweight Linux VM deployed on-premises that polls the ISC cloud queue over outbound HTTPS and relays connector calls to internal sources. Requires no inbound firewall ports.
VA Cluster
Two or more VAs grouped together for HA. All VAs in a cluster read from the same cloud queue; work is distributed across available VAs automatically.
Source
A configured connection to a system ISC manages — e.g. CORP-AD-PROD pointing at Active Directory. Each source has account schema, entitlement schema and provisioning policies.
Connector
The software that knows how to talk to a specific system type (AD connector speaks LDAP; Workday connector uses REST). Many sources can use the same connector type.
Identity Cube
The per-person unified identity object assembled from all source aggregations. Holds every account, entitlement and HR attribute and drives certifications, SoD, provisioning and AI insights.
SaaS Connector
A connector that runs in the SailPoint cloud and calls a cloud app's public API directly — no VA or firewall change needed. Used for Salesforce, Google Workspace, ServiceNow, etc.
Aggregation
The scheduled or on-demand process where ISC pulls account and entitlement data from a source through the VA cluster and updates the identity cube.
Certification
A periodic access review workflow in ISC where managers or app owners review the identity cube entitlements for their users and certify or revoke access.
Governance Engine
The ISC cloud service that evaluates access policies and SoD rules against the identity cube, triggers certifications and enforces provisioning decisions.


What's next?

Got the architecture? Next, go deep on SailPoint lifecycle events, access certifications and role modelling — the governance workflows that sit on top of this platform.