Authentication and Timeouts
Users will authenticate into Non-Employee Risk Management with SAML from your Single Sign-On (SSO) provider. To establish authentication, you will need an integration with your SSO provider that supports a SAML connection.
SailPoint Professional Services will configure your SSO integration for the first time. SailPoint recommends that you contact Professional Services if you want to make changes later, to ensure you don't make changes that impact your access to your environment.
If a user doesn't have an account within Non-Employee the first time they try to authenticate, one will be created for them automatically through Just-In-Time provisioning, and they are granted roles based on their groups within your SSO provider.
You can also upload a CSV file of users to create accounts for them before they sign in, so they can be used in workflows and other processes.
If you have non-employees that are involved in managing other non-employee profiles, they must sign in using the portal.
Configuring an SSO Integration
Professional Services will complete most parts of your SSO configuration. You must make the relevant configurations within your identity provider.
- Use the metadata file provided by your Professional Services partner to configure your identity provider to support SAML into Non-Employee.
- Obtain a metadata file of your identity provider details to provide to your Professional Services partner so they can complete the configuration within Non-Employee.
- When configurations are finished, test the connection between your Non-Employee instance and your identity provider.
When these configurations are complete, you can review the SSO settings within your environment.
To review your SSO configuration settings:
Go to Admin > System > Authentication.
Select the SSO tab.
In the BASIC SETTINGS section, review the information in the following fields:
- SAML SSO - Whether or not SAML SSO is enabled for your environment.
- SSO Name - The name of your SSO provider, used on the login page to prompt users to sign in using your SSO provider. For example, if Acme SSO is entered in this field, the login page will display a button that says "Login with Acme SSO".
- SSO Only - Whether or not the username and password fields are hidden from Lifecycle users who are signing in.
In the SERVICE PROVIDER section, review the details about Non-Employee as a service provider:
- SP Entity ID - The ID of Non-Employee as a service provider. This must match what is configured in your identity provider.
- Name Attribute - The attribute your identity provider uses for names.
- Email Attribute - The attribute your identity provider uses for email addresses.
- Groups Attribute - The attribute your identity provider uses for groups or entitlements.
In the IDENTITY PROVIDER section, review the details about your identity provider that were uploaded with the metadata file you provided to SailPoint.
- IDP Login URL - The URL provided by your identity provider where users will be redirected to sign in when they choose to log in with SSO.
- X.509 Certificate - The digital certificate issued by the provider.
- Fingerprint Algorithm - The type of encryption used to generate the fingerprint. This is either rsa-sha1 or rsa-sha256.
- IDP Logout URL - The URL where users are redirected when they log out of Non-Employee.
- Certificate Fingerprint - The unique fingerprint for the identity provider's certificate.
- IDP Entity ID - The ID of the identity provider.
Configuring Timeout Settings
You can configure Non-Employee to require users to reauthenticate after a period of inactivity within the application.
To configure timeout settings:
Go to Admin > System > Authentication.
The SESSIONS tab is displayed.
In the SESSION SETTINGS section, choose a value in the Activity Timeout field.
You can choose a time period between 5 minutes and 24 hours, or you can select never. The user will be signed out after this length of time with no activity.