About Saviynt
Saviynt Enterprise Identity Cloud (EIC) is an identity governance and administration platform. The Serval Saviynt integration connects to your EIC tenant with an admin username and password. Serval exchanges those credentials for short-lived bearer tokens via/ECM/api/login and attaches them to every proxied request — workflow code never sees the password. The integration is marked Beta in Serval’s connect UI.
Authentication: Username and password → bearer token exchange. Tokens are cached until five minutes before expiry, then refreshed automatically.
Data sync: On demand only. There is no background sync of Saviynt users, roles, or entitlements.
What the Saviynt integration enables
| Capability | Description |
|---|---|
| Saviynt API request | Typed access to the Saviynt EIC Chicago REST API — users, accounts, entitlements, roles, SAV roles, endpoints (applications), security systems, access requests, certifications, and other /ECM/ and /ECMv6/ operations your admin account can reach. |
| Read-oriented health checks | Connection tests exercise authentication, application (endpoint) listing, user listing, and SAV role listing. |
Get your credentials
You need your EIC instance hostname and an admin account Serval can use for API login.Identify your instance URL
Your Saviynt EIC host typically looks like
company.saviyntcloud.com. Copy the hostname without https://.Choose an admin service account
Use a Saviynt admin user whose roles cover the data and mutations your workflows will perform. The account’s Saviynt roles govern every API call.
Saviynt API documentation for the Chicago release is available in Saviynt’s Postman collection.
Connect in Serval
Instance URL (required)
Enter your EIC tenant host without
https:// (for example company.saviyntcloud.com). Serval strips schemes, trailing slashes, and paths if you paste a full browser URL.When editing an existing connection, leave the password as its obfuscated placeholder to keep the stored credential, or paste a new password to rotate.
Verifying the connection
Four health checks run after you connect:- Test Connection — calls
GET /ECM/api/v5/getSecuritySystemsafter login. Success:Successfully connected to Saviynt.Auth failure:Authentication failed. Verify your Saviynt instance URL, username, and password. - List Applications — POST to
/ECM/api/v5/getEndpoints(Saviynt models applications as endpoints). Confirms endpoint read access. - List Users — GET
/ECM/api/v5/user. Confirms user read access. - List SAV Roles — GET
/ECM/api/v5/getSavRoles. Confirms role read access.
Gotchas and troubleshooting
Most list calls are POST, not GET
Most list calls are POST, not GET
Endpoints like
getEndpoints, getPendingRequests, and many search operations expect a JSON body with filters and pagination. Check the typed schema for each path before authoring workflows.Instance URL must be the bare tenant host
Instance URL must be the bare tenant host
Paste
company.saviyntcloud.com, not a path under /ECM/. Serval builds login and API URLs from the normalized host.Admin role scope drives every workflow
Admin role scope drives every workflow
Saviynt enforces authorization on the admin account you configure. A workflow that succeeds in dev against a sandbox admin may fail in prod if the production account lacks write privileges.
Token cache respects credential rotation
Token cache respects credential rotation
When you update the username or password in Serval, cached bearer tokens for the old credentials are discarded automatically.
Need help? Contact support@serval.com for assistance with your Saviynt integration.

