On November 3, 2025, SailPoint published e-Fix patch IIQSR-940 for IIQ security vulnerability CVE-2025-10280. This patch takes the form of an updated Java class, SailPointResponseFilter.class (a servlet filter), along with an updated web.xml. Unfortunately, this e-Fix also unintentionally breaks plugins relying on jQuery plugins for their UI functions. This includes at least two supported Instrumental…
Introduction When a client asked me to connect GitLab on-premise with SailPoint Identity Security Cloud (ISC), I struggled to find online references addressing how to perform the integration. Now that I have completed the application onboarding, I am blogging about my process to guide other developers taking on this task. After reviewing the requirements provided…
IIQ 8.5 was released on July 15, 2025! Instrumental Identity architects have already downloaded the new IIQ 8.5 software package, installed it on our sandbox and demo servers, poked it, prodded it, and analyzed the compatibility of our software. Here’s what we’ve found. ✅ UI Enhancer: Completely compatible with IIQ 8.5! I will be adding…
Commercial Password Management solutions are often relatively expensive and not the most flexible when it comes to various configuration elements such as what text to display, what workflows to follow and how to integrate with other applications and directories that require password synchronization. Additionally, we often encounter many of our customers that have built their…
With the increase in social engineering attacks on the rise and the need for heightened security protocol and business processes around providing password and account support especially with the large amount of workforce being hybrid or remote, many organizations are finding it challenging to validate a persons identity. At Instrumental Identity we have worked with…
IID’s History Plugin, particularly in combination with our other plugins, remains the state-of-the-art for IIQ Identity History. It does not compete with IIQ’s new Access History, but rather the two complement one another.
This quick post will be about various wrappers in the Utilities and Metered classes. These classes provides lambda-based API for fluently decorating your SailPoint IIQ code.
IIQCommon’s table class provides a fluent, type-safe API for generating HTML tables in IIQ scripts.
ThingAccessUtils implements the Common Security behavior behind most of Instrumental ID’s plugins, utilities, and other IIQ enhancements
This will be part of a blog series providing an overview of the many SailPoint IIQ utilities and tools available in Instrumental ID’s open-source iiq-common-public library. (For an overview of the entire library, see this earlier post.) This post will be about the “Hybrid Object Matcher” utility. This utility expands on the matching tools available…
This will be part of a blog series providing an overview of the many SailPoint IIQ utilities and tools available in Instrumental ID’s open-source iiq-common-public library. (For an overview of the entire library, see this earlier post.) This post will be about the BaseCommonPluginResource, the superclass to nearly all of Instrumental Identity’s web services. This…
Rewriting URLs The problem Let’s say you’ve written a custom SailPoint IdentityIQ (IIQ) plugin that exposes a plugin page. By default, plugins in IIQ have a technical-looking URL, like this: https://iiqdemo.example.com/identityiq/plugins/pluginPage.jsf?pn=PluginName. That’s both too much and too little information for an end user. If your page consumes Angular state, it might have an even uglier…
Continuing the discussion from In Sync & Secure: CI/CD Design Challenges and Considerations: Phase 1 of the DevOps solution standup process focuses on the many pre-deployment tests you can run to prevent issues from reaching your IdentityIQ environment and can leverage both SailPoint and custom tooling to meet your testing needs. Phase 1 also acts…
The minimum viable product of every DevOps solution is to reliably deploy an application in an automated fashion without any developer interaction (outside of optionally clicking a start button). Regardless of what pipeline platform you have available, your first consideration will be to follow a “push” or “pull” methodology for your pipeline. In the scenario…
With Navigate around the corner, we felt now would be an opportune time to share our journey and experiences in implementing robust DevOps processes within our clients’ diverse environments. The world of Information Security is constantly evolving, and as a result, so are the tools and methodologies used to manage and automate security processes. As…
Identity Works LLC is excited to announce we are now doing business as Instrumental Identity. Our brand and image are important to us and as such we decided it was time for a change.
Identity Works had the privilege of presenting at the first annual SailPoint Developer Days conference. Our team of expert consultants provided valuable insights into what we have done with SailPoint IdentityIQ and presented on 4 different topics. Check out our recorded presentations below: Matching & Merging Identities from Multiple Authoritative Sources (presented by Mark Earnest)…
Identity Works LLC has been in the field for decades working across all verticals, but we often find ourselves working with colleges and universities. Over the years, we have solved many of the complex challenges with multi-personas and access policies that exist in higher education. We frequently hear “our setup is unique, we have this homegrown…
Have you ever needed to query data directly from your IIQ database for reporting? Have you ever wanted to test a SailPoint filter or HQL query before you used it in a role membership rule? Have you ever wondered why your IIQ Filters behave the way they do? Have you ever needed a Filter String…
The Instrumental Identity IIQ History Plugin painlessly enhances auditing and event tracking within existing IIQ systems, offering greater visibility to administrators, auditors, and business analysts. SailPoint IdentityIQ ships with a variety of historical and audit logging. Aggregation jobs can save a snapshot of an Identity containing all of its attributes and accounts so an admin…
IdentityWorks is pleased to announce the availability of the “public subset” of our feature-rich IIQCommon library, which you can find at: https://git.identityworksllc.com/pub/iiqcommon IIQCommon is a utility library used in virtually all of our SailPoint IdentityID installations and plugins. Some of the utilities included in this library are documented below. Utilities A whole slew of convenience…
The SailPoint IIQ user interface is far more user-friendly and reliable than the interface of competing identity managers. However, from time to time, it still encounters limitations. Instrumental Identity has created an IIQ plugin, the UI Enhancer, to insert many useful features and security enhancements to the existing user interface, filling in the gaps. Contact Instrumental…
There is a strange behavior of OIM 11.1.2.3, which appears to still be present in 12c, that causes unexpected password changes on accounts. Specifically, all encrypted fields on a parent UD table are set to NULL on access policy evaluation, which triggers any Password Updated-type provisioning actions. These will typically fail, resulting in an open task, because…
When creating business logic for a connector in SailPoint IdentityIQ, it is sometimes necessary to run a Powershell script “out of band” (i.e. from a Workflow or Run Rule task). This is not well-suited to the Before/After model used by IQService connectors. In this article, I will go through how the IQService invokes Powershell and how…
At Navigate 2019, several people expressed interest in IDW’s containerized version of SailPoint IIQ, so here it is in publicly accessible form! I’ve been using this containerized version to do virtually all of my local development since I created it. It takes about two minutes to have a brand new IdentityIQ system up and running…
A majority of organizations implementing Oracle Identity Manager (OIM) struggle with migration and deployment procedures. Migrating a newly developed connector often involves many manual steps, and can result in problems such as a missed deployment steps, importing wrong versions, etc. One solution to those problems is automation, where everything is stored and controlled in a…
Weblogic and OIM are vulnerable to Java deserialization attacks over the network. This vulnerability was reported to Oracle in 2015 and assigned CVE-2015-4852. Oracle has released a series of patches to address the issue, but many systems continue to be vulnerable. The attack is easy and the steps are publicly available. An attack does not…
Organizations in verticals such as Higher Education have requirements around multi-affiliation and multi-valued identity data. In this blog post we will look at how you can configure identity data in Oracle Identity Manager to meet the needs of Higher Education (or any organization with multi-affiliation and multi-valued identity data) without the need to make data…
