
Authentication and Timeouts

In most cases, users will authenticate into Non-Employee Risk Management by authenticating into Identity Security Cloud using an identity provider and navigating to Non-Employee Risk Management.

Collaboration users will still authenticate through a portal. Identity Security Cloud administrators can always access Non-Employee Risk Management.

If you don't have Identity Security Cloud, you can also configure and maintain SAML authentication from your identity provider directly into Non-Employee Risk Management.

Configuring Authentication through Identity Security Cloud

You can configure your identity provider so that when a user authenticates into Identity Security Cloud, they can automatically authenticate into Non-Employee Risk Management as well.

If a user doesn't have an account within Non-Employee Risk Management the first time they try to authenticate, one will be created for them automatically through Just-In-Time provisioning, and they are granted roles based on their groups within your SSO provider.

  1. Within your identity provider, configure your attribute claim to contain the following attributes:

    • name
    • email
    • groups

    The groups string must contain the groups, or entitlements, used to grant users the roles they have within Non-Employee Risk Management.

    For example, you might be required to provide an attribute claim in XML format. You could use the following format:

        <AttributeStatement>
            <Attribute Name="name">
                <AttributeValue>John Smith</AttributeValue>
            </Attribute>
            <Attribute Name="groups">
                <AttributeValue>SampleValue1</AttributeValue>
                <AttributeValue>SampleValue2</AttributeValue>
            </Attribute>
            <Attribute Name="email">
                <AttributeValue>john.smith@sample.com</AttributeValue>
            </Attribute>
        </AttributeStatement>
    
  2. Configure Identity Security Cloud as a service provider.

    Note

    Identity Security Cloud requires fewer attributes to enable SAML than Non-Employee Risk Management does. Your identity provider should still be configured to send the name, email, and groups attributes so that they can be used to authenticate into Non-Employee Risk Management.

When users authenticate into Identity Security Cloud using your SSO provider, they can go to the App Switcher to access Non-Employee Risk Management. The roles they are granted are based on the groups assigned to them within the SAML assertion.

Administrators within Identity Security Cloud will be able to access Non-Employee Risk Management regardless of how they reach the site. They will be granted the NERM Administrator role based on their administrator user level.

Identity Security Cloud's timeout settings will also apply to Non-Employee Risk Management.

Configuring an SSO Integration

If you don't have Identity Security Cloud, you can also configure an integration between your identity provider and Non-Employee Risk Management directly with a SAML connection.

If a user doesn't have an account within Non-Employee Risk Management the first time they try to authenticate, one will be created for them automatically through Just-In-Time provisioning, and they are granted roles based on their groups within your SSO provider.

You can also upload a CSV file of users to create accounts for them before they sign in, so they can be used in workflows and other processes.

If you have non-employees who manage other non-employee profiles, they must sign in using the portal.

To configure an SSO integration with Non-Employee Risk Management:

  1. Within your identity provider, configure Non-Employee Risk Management as a service provider.

    Configure your attribute claim within your identity provider to contain the following attributes:

    • name
    • email
    • groups

    The groups string must contain the groups, or entitlements, used to grant users the roles they have within Non-Employee Risk Management.

  2. Within Non-Employee Risk Management, go to Admin > System > Authentication.

    You can also configure SSO settings for each collaboration portal on the portal's SSO tab.

  3. Select the SSO tab.

  4. In the BASIC SETTINGS section:

    • SAML SSO - Set to ON to enable SAML SSO for your site.
    • SSO Name - Enter the name of your SSO provider to display on the login page. For example, if you enter Acme SSO in this field, the login page will display a button that says "Login with Acme SSO".
    • SSO Only - Choose whether the username and password fields are hidden from users who are signing in.

      Leave the SSO Only switch set to OFF unless all of the users in the system, or in the portal you're editing, will be authenticating through your SSO provider.

  5. In the SERVICE PROVIDER section:

    • SP Entity ID - Enter the ID of Non-Employee Risk Management as a service provider. This must match what is configured in your identity provider.
    • Name Attribute - Enter the attribute your identity provider uses for name.
    • Email Attribute - Enter the attribute your identity provider uses for email address.
    • Groups Attribute - Enter the attribute your identity provider uses for groups or entitlements.

  6. In the IDENTITY PROVIDER section:

    • IDP Login URL - Enter the Login URL provided by your identity provider. Users will be redirected to sign in when they select Log in with SSO.
    • X.509 Certificate - Enter the identity provider's X.509 signing certificate.
    • Fingerprint Algorithm - Enter the signature algorithm used to generate the fingerprint. This is either rsa-sha1 or rsa-sha256.
    • IDP Logout URL - Enter the URL where users are redirected when they log out of Non-Employee Risk Management.
    • Certificate Fingerprint - Enter the unique fingerprint for the identity provider's certificate.
    • IDP Entity ID - Enter the ID of the identity provider.
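The following is an added example, not part of this page or of the product, that reads the name, email and groups attributes from an attribute statement (the one shown in the first procedure above) using the attribute names entered in the Name Attribute, Email Attribute and Groups Attribute fields of step 5. It reports what Just-In-Time provisioning would see, including a missing attribute or a group that grants no role; the group-to-role mapping is a hypothetical stand-in for whatever an administrator configures.

```python
import xml.etree.ElementTree as ET

# Constructed input: the attribute statement shown on this page, exactly as the
# identity provider would have to send it for JIT provisioning to work.
SAMPLE_ASSERTION = """<AttributeStatement>
    <Attribute Name="name">
        <AttributeValue>John Smith</AttributeValue>
    </Attribute>
    <Attribute Name="groups">
        <AttributeValue>SampleValue1</AttributeValue>
        <AttributeValue>SampleValue2</AttributeValue>
    </Attribute>
    <Attribute Name="email">
        <AttributeValue>john.smith@sample.com</AttributeValue>
    </Attribute>
</AttributeStatement>"""

# Hypothetical group-to-role mapping; the real mapping is whatever the
# administrator configures for the tenant.
GROUP_ROLES = {"SampleValue1": "NERM Administrator", "SampleValue2": "Collaborator"}


def _local(tag):
    """Strip a namespace prefix ({urn:...}Attribute -> Attribute)."""
    return tag.rsplit("}", 1)[-1]


def read_attributes(assertion_xml):
    """Return {attribute name: [values]} for every Attribute in the statement.
    Works on the page's bare sample and on namespaced saml:Attribute elements."""
    attrs = {}
    for el in ET.fromstring(assertion_xml).iter():
        if _local(el.tag) != "Attribute":
            continue
        values = [v.text or "" for v in el if _local(v.tag) == "AttributeValue"]
        attrs.setdefault(el.get("Name"), []).extend(values)
    return attrs


def check_jit_claims(assertion_xml, name_attr="name", email_attr="email", groups_attr="groups"):
    """Apply the Name/Email/Groups Attribute settings and report what JIT
    provisioning would see, including anything that would make it fail."""
    attrs = read_attributes(assertion_xml)
    groups = attrs.get(groups_attr, [])
    return {
        "name": (attrs.get(name_attr) or [None])[0],
        "email": (attrs.get(email_attr) or [None])[0],
        "groups": groups,
        "roles": sorted({GROUP_ROLES[g] for g in groups if g in GROUP_ROLES}),
        # Any configured attribute absent from the claim: account creation cannot complete.
        "missing": [a for a in (name_attr, email_attr, groups_attr) if not attrs.get(a)],
        # Groups that grant no role: the user signs in but receives nothing.
        "unmapped_groups": [g for g in groups if g not in GROUP_ROLES],
    }
```

Run it only against an assertion whose signature your SAML library has already validated; the script reads attributes, it does not verify them.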

Configuring Timeout Settings

If you don't have an Identity Security Cloud tenant, you can configure Non-Employee Risk Management to require users to reauthenticate after a period of inactivity within the application.

To configure timeout settings:

  1. Go to Admin > System > Authentication.

    The SESSIONS tab is displayed.

  2. In the SESSION SETTINGS section, choose a value in the Activity Timeout field.

    You can choose a time period between 5 minutes and 7 days. The user will be signed out after this length of time with no activity.

  3. Select Save.