Authentication and Timeouts

In most cases, users will authenticate into Non-Employee Risk Management by authenticating into Identity Security Cloud using an identity provider and navigating to Non-Employee Risk Management. These users are known as lifecycle users.

Users that access Non-Employee Risk Management using the Collaboration service are authenticated through a portal. These users are known as portal users. Identity Security Cloud administrators can always access Non-Employee Risk Management.

Note

All lifecycle users must authenticate into Non-Employee Risk Management by authenticating into Identity Security Cloud.

Non-Employee Risk Management customers integrating with IdentityIQ or Identity Security Cloud will receive an Identity Security Cloud tenant which is used for authentication.

Customers without Identity Security Cloud should contact their account team to receive their Identity Security Cloud tenant.

Configuring Authentication through Identity Security Cloud

You can configure your identity provider so that when a user authenticates into Identity Security Cloud, they can automatically authenticate into Non-Employee Risk Management as well.

If a user doesn't have an account within Non-Employee the first time they try to authenticate, one will be created for them automatically through Just-In-Time provisioning, and they are granted roles based on their groups within your SSO provider.

1. Within your identity provider, configure your attribute claim to contain the following attributes:

   • name
   • email
   • groups

   If your identity provider prepends a namespace to your attribute names, it must be removed before the attributes are sent to Non-Employee Risk Management.

   The groups string must contain the groups, or entitlements, used to grant users the roles they have within Non-Employee Risk Management. This includes the groups that grant administrator access.

   For example, you might be required to provide an attribute claim in XML format. You could use the following format:

       <AttributeStatement>
           <Attribute Name="name">
               <AttributeValue>John Smith</AttributeValue>
           </Attribute>
           <Attribute Name="groups">
               <AttributeValue>SampleValue1</AttributeValue>
               <AttributeValue>SampleValue2</AttributeValue>
           </Attribute>
           <Attribute Name="email">
               <AttributeValue>john.smith@sample.com</AttributeValue>
           </Attribute>
       </AttributeStatement>
   

2. Configure Identity Security Cloud as a service provider.

   Note

   Identity Security Cloud requires fewer attributes to enable SAML than Non-Employee Risk Management does. Your identity provider should still be configured to send the name, email, and groups attributes so that they can be used to authenticate into Non-Employee Risk Management.

When users authenticate into Identity Security Cloud using your SSO provider, they can go to the App Switcher to access Non-Employee Risk Management. The roles they are granted are based on the groups assigned to them within the SAML assertion provided to Identity Security Cloud.

If an Identity Security Cloud administrator signs in without using an identity provider, they will be granted Non-Employee Risk Management administrator access based on their administrator user level.

Note

To authenticate directly in to Identity Security Cloud, bypassing your identity provider, go to your Non-Employee Risk Management site and add /?internal_login=true to the URL. Select Log in with Identity Security Cloud.

Authenticate with a user name and password and navigate to the SailPoint Solution Center.

Select Non-Employee Risk Management.

If your Identity Security Cloud account has administrator privileges, you will be granted admin access in Non-Employee Risk Management.

Configuring an SSO Integration for Portal Users

For collaboration users, you can configure an integration between your identity provider and Non-Employee Risk Management directly with a SAML connection.

Note

Integration directly between your identity provider and Non-Employee Risk Management is only supported for portals. Lifecycle users must authenticate through Identity Security Cloud.

If a user doesn't have an account within Non-Employee the first time they try to authenticate, one will be created for them automatically through Just-In-Time provisioning, and they are granted roles based on their groups within your SSO provider.

You can also upload a CSV file of users to create accounts for them before they sign in, so they can be used in workflows and other processes.

If you have non-employees who manage other non-employee profiles, they must sign in using the portal.

To configure an SSO integration with Non-Employee Risk Management:

1. Within your identity provider, configure Non-Employee Risk Management as a service provider.

   Configure your attribute claim within your identity provider to contain the attributes corresponding to the user's name, email, and groups within Non-Employee Risk Management.

   The "groups" string must contain the groups, or entitlements, used to grant users the roles they have within Non-Employee Risk Management.

2. Within Non-Employee Risk Management, go to Admin > Collaboration > Portals.

3. Create a new portal or select the portal you want to edit.

4. Select the SSO tab.

5. In the BASIC SETTINGS section:

   • SAML SSO - Set to ON to enable SAML SSO for your site.
   • SSO Name - Enter the name of your SSO provider to display on the login page. For example, if you enter Acme SSO in this field, the login page will display a button that says "Login with Acme SSO".

   The Encrypt SAML Assertions field, the Metadata URL field, and the CERTIFICATES section can be used later to configure SAML encryption.

   Caution

   Do not enable Encrypt SAML Assertions until after copying your certificate data to your identity provider to avoid being locked out of Non-Employee Risk Management.

   • SSO Only - Choose whether the username and password fields are hidden from users who are signing in.

     Leave the SSO Only switch set to OFF unless all of the users in the system, or in the portal you're editing, will be authenticating through your SSO provider.

6. In the SERVICE PROVIDER section:

   • Domain - The tenant domain where users should be redirected after authenticating using the IDP.

     Most often, this will be a URL similar to https://[tenant].portal.nonemployee.com, where [tenant] is the name of your Non-Employee tenant.

     The Consumer Service URL and the Logout URL will be updated when you fill in the Domain field.

   • SP Entity ID - Enter the ID of Non-Employee Risk Management as a service provider. This must match what is configured in your identity provider.

   • Name Attribute - Enter the attribute your identity provider uses for name.
   • Email Attribute - Enter the attribute your identity provider uses for email address.
   • Groups Attribute - Enter the attribute your identity provider uses for groups or entitlements.

7. In the IDENTITY PROVIDER section:

   • If you have the identity provider's metadata XML file, upload it using the Import File field.

   • If a metadata XML file is not available, complete the following fields:

   • IDP Login URL - Enter the Login URL provided by your identity provider. Users will be redirected to sign in when they select Log in with SSO.

   • X.509 Certificate - Enter the digital certificate issued by the provider.
   • Fingerprint Algorithm - Enter the type of encryption used to generate the fingerprint. This is either rsa-sha1 or rsa-sha256.
   • IDP Logout URL - Enter the URL where users are redirected when they log out of Non-Employee Risk Management.
   • Certificate Fingerprint - Enter the unique fingerprint for the identity provider's certificate.
   • IDP Entity ID - Enter the ID of the identity provider.

8. Select Save.

   Users or portal users can now authenticate into Non-Employee Risk Management using your identity provider.

   If you want to encrypt your SAML assertions, you must complete some additional configurations.

9. Optional: To encrypt your SAML assertions, copy the SAML assertion encryption details to your identity provider.

   If your identity provider supports certificate details in the form of a link, you can copy the link in the Metadata URL section and add it within the correct field in your identity provider.

   You can also download the certificate within the CERTIFICATES section by selecting the download icon , then upload this certificate to your identity provider.

   Caution

   Verify that these certificate details have been provided correctly to your identity provider before enabling SAML encryption within Non-Employee Risk Management to avoid being locked out of your tenant.

10. In the BASIC SETTINGS section, enable Encrypt SAML Assertions.

11. Select Save.

SAML assertions between your identity provider and this portal or sign-in page are now encrypted.

Configuring Timeout Settings

If you don't have an Identity Security Cloud tenant, you can configure Non-Employee Risk Management to require users to reauthenticate after a period of inactivity within the application.

To configure timeout settings:

1. Go to Admin > System > Authentication.

   The SESSIONS tab is displayed.

2. In the SESSION SETTINGS section, choose a value in the Activity Timeout field.

   You can choose a time period between 5 minutes and 7 days. The user will be signed out after this length of time with no activity.

3. Select Save.

Documentation Feedback

Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.