Authentication and Timeouts
In most cases, users will authenticate into Non-Employee Risk Management by authenticating into Identity Security Cloud using an identity provider and navigating to Non-Employee Risk Management.
Collaboration users will still authenticate through a portal. Identity Security Cloud administrators can always access Non-Employee Risk Management.
If you don't have Identity Security Cloud, you can also configure and maintain SAML authentication from your identity provider directly into Non-Employee Risk Management.
Configuring Authentication through Identity Security Cloud
You can configure your identity provider so that when a user authenticates into Identity Security Cloud, they can automatically authenticate into Non-Employee Risk Management as well.
If a user doesn't have an account within Non-Employee the first time they try to authenticate, one will be created for them automatically through Just-In-Time provisioning, and they are granted roles based on their groups within your SSO provider.
-
Within your identity provider, configure your attribute claim to contain the following attributes:
name
email
groups
The
groups
string must contain the groups, or entitlements, used to grant users the roles they have within Non-Employee Risk Management. This includes the groups that grant administrator access.For example, you might be required to provide an attribute claim in XML format. You could use the following format:
<AttributeStatement> <Attribute Name="name"> <AttributeValue>John Smith</AttributeValue> </Attribute> <Attribute Name="groups"> <AttributeValue>SampleValue1</AttributeValue> <AttributeValue>SampleValue2</AttributeValue> </Attribute> <Attribute Name="email"> <AttributeValue>john.smith@sample.com</AttributeValue> </Attribute> </AttributeStatement>
-
Configure Identity Security Cloud as a service provider.
Note
Identity Security Cloud requires fewer attributes to enable SAML than Non-Employee Risk Management does. Your identity provider should still be configured to send the
name
,email
, andgroups
attributes so that they can be used to authenticate into Non-Employee Risk Management.
When users authenticate into Identity Security Cloud using your SSO provider, they can go to the App Switcher to access Non-Employee Risk Management. The roles they are granted are based on the groups assigned to them within the SAML assertion provided to Identity Security Cloud.
If an Identity Security Cloud administrator signs in without using an identity provider, they will be granted Non-Employee Risk Management administrator access based on their administrator user level.
Note
To authenticate directly in to Identity Security Cloud, bypassing your identity provider, go to your Non-Employee Risk Management site and add /?internal_login=true
to the URL. Select Log in with Identity Security Cloud.
Authenticate with a user name and password and navigate to the SailPoint Solution Center.
Select Non-Employee Risk Management.
If your Identity Security Cloud account has administrator privileges, you will be granted admin access in Non-Employee Risk Management.
Configuring an SSO Integration
You can configure an integration between your identity provider and Non-Employee Risk Management directly with a SAML connection.
If a user doesn't have an account within Non-Employee the first time they try to authenticate, one will be created for them automatically through Just-In-Time provisioning, and they are granted roles based on their groups within your SSO provider.
You can also upload a CSV file of users to create accounts for them before they sign in, so they can be used in workflows and other processes.
If you have non-employees who manage other non-employee profiles, they must sign in using the portal.
To configure an SSO integration with Non-Employee Risk Management:
-
Within your identity provider, configure Non-Employee Risk Management as a service provider.
Configure your attribute claim within your identity provider to contain the attributes corresponding to the user's name, email, and groups within Non-Employee Risk Management.
The "groups" string must contain the groups, or entitlements, used to grant users the roles they have within Non-Employee Risk Management.
-
Within Non-Employee Risk Management, go to Admin > System > Authentication.
You can also configure SSO settings for each collaboration portal on the portal's SSO tab.
-
Select the SSO tab.
-
In the BASIC SETTINGS section:
- SAML SSO - Set to ON to enable SAML SSO for your site.
- SSO Name - Enter the name of your SSO provider to display on the login page. For example, if you enter Acme SSO in this field, the login page will display a button that says "Login with Acme SSO".
Caution
Do not enable Encrypt SAML Assertions until after copying your certificate data to your identity provider to avoid being locked out of Non-Employee Risk Management.
The Metadata URL field and the CERTIFICATES section can be used later to configure SAML encryption.
-
SSO Only - Choose whether the username and password fields are hidden from users who are signing in.
Leave the SSO Only switch set to OFF unless all of the users in the system, or in the portal you're editing, will be authenticating through your SSO provider.
-
In the SERVICE PROVIDER section:
- Domain - The tenant domain where users should be redirected after authenticating using the IDP. This field only appears when configuring an SSO integration for portals.
- SP Entity ID - Enter the ID of Non-Employee Risk Management as a service provider. This must match what is configured in your identity provider.
- Name Attribute - Enter the attribute your identity provider uses for name.
- Email Attribute - Enter the attribute your identity provider uses for email address.
- Groups Attribute - Enter the attribute your identity provider uses for groups or entitlements.
- SP SAML Data - Select to download the service provider metadata if your identity provider. This button only appears when configuring an SSO integration for Non-Employee Risk Management as a whole on the System > Authentication page.
-
In the IDENTITY PROVIDER section:
- Import File - If available, upload the metadata XML file containing details about your identity provider. If this file isn't available, the IDP must be configured manually using the fields below.
If a metadata XML file is not available:
- IDP Login URL - Enter the Login URL provided by your identity provider. Users will be redirected to sign in when they select Log in with SSO.
- X.509 Certificate - Enter the digital certificate issued by the provider.
- Fingerprint Algorithm - Enter the type of encryption used to generate the fingerprint. This is either rsa-sha1 or rsa-sha256.
- IDP Logout URL - Enter the URL where users are redirected when they log out of Non-Employee Risk Management.
- Certificate Fingerprint - Enter the unique fingerprint for the identity provider's certificate.
- IDP Entity ID - Enter the ID of the identity provider.
-
Select Save.
Users or portal users can now authenticate into Non-Employee Risk Management using your identity provider.
If you want to encrypt your SAML assertions, you must complete some additional configurations.
-
Optional: To encrypt your SAML assertions, copy the SAML assertion encryption details to your identity provider.
If your identity provider supports certificate details in the form of a link, you can copy the link in the Metadata URL section and add it within the correct field in your identity provider.
You can also download the certificate within the CERTIFICATES section by selecting the download icon , then upload this certificate to your identity provider.
Caution
Verify that these certificate details have been provided correctly to your identity provider before enabling SAML encryption within Non-Employee Risk Management to avoid being locked out of your tenant.
-
In the BASIC SETTINGS section, enable Encrypt SAML Assertions.
-
Select Save.
SAML assertions between your identity provider and this portal or sign-in page are now encrypted.
Configuring Timeout Settings
If you don't have an Identity Security Cloud tenant, you can configure Non-Employee Risk Management to require users to reauthenticate after a period of inactivity within the application.
To configure timeout settings:
-
Go to Admin > System > Authentication.
The SESSIONS tab is displayed.
-
In the SESSION SETTINGS section, choose a value in the Activity Timeout field.
You can choose a time period between 5 minutes and 7 days. The user will be signed out after this length of time with no activity.
-
Select Save.
Documentation Feedback
Feedback is provided as an informational resource only and does not form part of SailPoint’s official product documentation. SailPoint does not warrant or make any guarantees about the feedback (including without limitation as to its accuracy, relevance, or reliability). All feedback is subject to the terms set forth at https://developer.sailpoint.com/discuss/tos.