> ## Documentation Index
> Fetch the complete documentation index at: https://docs.serval.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Saviynt

> Connect Serval to Saviynt Enterprise Identity Cloud so workflows can query users, applications, roles, and access-request data through the EIC REST API.

## About Saviynt

Saviynt Enterprise Identity Cloud (EIC) is an identity governance and administration platform. The Serval Saviynt integration connects to your EIC tenant with an admin username and password. Serval exchanges those credentials for short-lived bearer tokens via `/ECM/api/login` and attaches them to every proxied request — workflow code never sees the password. The integration is marked **Beta** in Serval's connect UI.

**Authentication:** Username and password → bearer token exchange. Tokens are cached until five minutes before expiry, then refreshed automatically.

**Data sync:** On demand only. There is no background sync of Saviynt users, roles, or entitlements.

## What the Saviynt integration enables

| Capability                  | Description                                                                                                                                                                                                                                               |
| --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Saviynt API request         | Typed access to the Saviynt EIC Chicago REST API — users, accounts, entitlements, roles, SAV roles, endpoints (applications), security systems, access requests, certifications, and other `/ECM/` and `/ECMv6/` operations your admin account can reach. |
| Read-oriented health checks | Connection tests exercise authentication, application (endpoint) listing, user listing, and SAV role listing.                                                                                                                                             |

Most Saviynt list operations are **POST** requests with JSON filter bodies rather than GET queries — prebuilt and custom workflows should follow the typed method for each path.

## Get your credentials

You need your EIC instance hostname and an admin account Serval can use for API login.

<Steps>
  <Step title="Identify your instance URL">
    Your Saviynt EIC host typically looks like `company.saviyntcloud.com`. Copy the hostname without `https://`.
  </Step>

  <Step title="Choose an admin service account">
    Use a Saviynt admin user whose roles cover the data and mutations your workflows will perform. The account's Saviynt roles govern every API call.
  </Step>

  <Step title="Collect the password">
    Serval stores the password encrypted and uses it only inside the proxy to call `/ECM/api/login`.
  </Step>
</Steps>

<Note>
  Saviynt API documentation for the Chicago release is available in Saviynt's [Postman collection](https://documenter.getpostman.com/view/50568759/2sB3dMyrnT).
</Note>

## Connect in Serval

<Steps>
  <Step title="Open the Saviynt connect form">
    In Serval, add the Saviynt integration. It is labeled **Beta**.
  </Step>

  <Step title="Instance URL (required)">
    Enter your EIC tenant host without `https://` (for example `company.saviyntcloud.com`). Serval strips schemes, trailing slashes, and paths if you paste a full browser URL.
  </Step>

  <Step title="Username (required)">
    Enter the Saviynt admin username used for `/ECM/api/login`.
  </Step>

  <Step title="Password (required)">
    Enter the admin password in the password field.
  </Step>

  <Step title="Save and verify">
    Submit the form. Serval runs four health checks (below).
  </Step>
</Steps>

<Note>
  When editing an existing connection, leave the password as its obfuscated placeholder to keep the stored credential, or paste a new password to rotate.
</Note>

## Verifying the connection

Four health checks run after you connect:

1. **Test Connection** — calls `GET /ECM/api/v5/getSecuritySystems` after login. Success: `Successfully connected to Saviynt.` Auth failure: `Authentication failed. Verify your Saviynt instance URL, username, and password.`
2. **List Applications** — POST to `/ECM/api/v5/getEndpoints` (Saviynt models applications as endpoints). Confirms endpoint read access.
3. **List Users** — GET `/ECM/api/v5/user`. Confirms user read access.
4. **List SAV Roles** — GET `/ECM/api/v5/getSavRoles`. Confirms role read access.

<Tip>
  If authentication succeeds but application or user checks fail, the admin account can log in but lacks read permissions for that resource type in Saviynt. Adjust the account's Saviynt admin roles.
</Tip>

## Gotchas and troubleshooting

<AccordionGroup>
  <Accordion title="Most list calls are POST, not GET">
    Endpoints like `getEndpoints`, `getPendingRequests`, and many search operations expect a JSON body with filters and pagination. Check the typed schema for each path before authoring workflows.
  </Accordion>

  <Accordion title="Instance URL must be the bare tenant host">
    Paste `company.saviyntcloud.com`, not a path under `/ECM/`. Serval builds login and API URLs from the normalized host.
  </Accordion>

  <Accordion title="Admin role scope drives every workflow">
    Saviynt enforces authorization on the admin account you configure. A workflow that succeeds in dev against a sandbox admin may fail in prod if the production account lacks write privileges.
  </Accordion>

  <Accordion title="Token cache respects credential rotation">
    When you update the username or password in Serval, cached bearer tokens for the old credentials are discarded automatically.
  </Accordion>
</AccordionGroup>

***

Need help? Contact **[support@serval.com](mailto:support@serval.com)** for assistance with your Saviynt integration.
