Configuring Access Governance on SSO Providers

IdentityNow's governance capabilities can integrate with external SSO providers and access management providers in order to govern these systems.

This way, IdentityNow can:

  • Give your employees accounts on your provider based on their role or lifecycle state.

  • Assign applications and entitlements to users in your provider.

  • Allow you to review access to the apps and entitlements your users have.

You can also configure IdentityNow as a service provider in an SSO relationship with your identity provider.

Process Overview:

  1. Configure apps in your external SSO provider service that you'd like to govern in IdentityNow.

  2. Configure IdentityNow to manage those apps.

Configuring Apps in Your SSO Identity Provider

The basic process below creates apps and entitlements in your SSO provider that you'll govern in IdentityNow. You might already have some apps and entitlements configured in your provider. In this case, only step 3 is necessary.

To start this process from scratch, you'll assign entitlements to apps and then make configurations within IdentityNow.

IdentityNow can manage the apps on any SSO provider with a supported source that uses entitlements and apps. It's been tested as a governance solution with the following providers:

  • Azure AD

  • Okta

  • VMWare

Note

You must have an IdentityNow for Okta license to use the Okta integration. Contact your Customer Success Manager for more information.

Prerequisite: Be familiar with creating and managing apps and entitlements on your SSO provider service.

Complete the following steps:

  1. Navigate to your SSO provider's admin interface.

  2. Create a new app or edit an existing app.

  3. Assign that app to an entitlement or group. If necessary, you can create a new entitlement specifically for that app. For more specific instructions, refer to your provider's documentation.

Best Practices

  • Configure the entitlement to be assigned to users manually without a rule or other automatic assignment policy. This way, configurations you make in IdentityNow can control which users are granted the app and your governance policy can be maintained.

  • Prepend the entitlements' names with a unique identifier, such as SLPT_, to make the entitlement easier to recognize in IdentityNow.

Configuring IdentityNow to Govern Your Apps

Next, you'll configure IdentityNow so that the apps from above appear in your IdentityNow interface. This allows you to govern your apps.

Follow the steps below to pull the appropriate entitlements into IdentityNow to begin making governance decisions.

Prerequisites:

  • The Provisioning service has been enabled for your org.

  • Entitlements or groups have been created on your SSO provider source.

Complete the following steps:

  1. Create a source in IdentityNow for your SSO provider service.

  2. Aggregate accounts for that source at least once.

  3. Ensure that these accounts correlate to identities by resolving uncorrelated accounts for that source. Accounts that appear in that report are uncorrelated and can't be governed. You can manually correlate those accounts to resolve this.

  4. From IdentityNow's configuration page for your source, go to Import Data and select Import Entitlements.

  5. Run a full entitlement aggregation by selecting Start next to Manual Aggregation.

    Note

    If you do not see the Import Entitlements page, the source is configured to only recognize entitlements that have been assigned to an aggregated account. Assign entitlements to users in your source before aggregating them.

    The entitlements that are loaded in this aggregation are the entitlements that you associated with apps when configuring apps in your SSO provider.

  6. Create access profiles in your org. Make sure each entitlement you associated with an app on your SSO provider source is assigned to one or more access profiles.

    The governance configurations you apply to these access profiles will be applied to the entitlements in them, and by proxy, to the apps on your SSO provider.

  7. Make any other necessary configurations to your access profile. This might include:

    • Granting the access profile based on an identity's lifecycle state

    • Granting the access profile based on an identity's role

    • Configuring the access profile for access requests

    Refer to the Provisioning section for a description of how IdentityNow uses lifecycle states and roles to provision your app to users once you've completed these steps.

    Important

    Do not enable any lifecycle states or roles at this stage.

  8. Select Applications.

  9. Select the app that you'd like to manage that corresponds to the entitlement and app from your SSO identity provider. If there isn't an app in IdentityNow that corresponds with the one you want to manage, create a new app.

  10. Enter a name and description for your app. SailPoint recommends that you give this app the exact same name as you gave to the app you created within your SSO provider source.

  11. Under App Accounts Created By, select Admin (IT).

  12. Under Account Source, select Specific Users From Source.

  13. Beside Select Source, select your SSO provider source.

  14. Select Save. You'll be prompted to configure access.

  15. Select the Edit icon next to Specific Users From Source to be directed to the Access tab for that app.

  16. Under Add Existing Access Profiles, select the access profile that is configured for this app's entitlement.

  17. Select Save.

  18. Make any other necessary configurations to your app. This might include configuring the app for access requests.

  19. Select the toggle to enable the app for users and select Save.

  20. Enable any provisioning configurations you have made, such as lifecycle states or roles.

Governance configurations that you make within IdentityNow are also enforced on your SSO provider.
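The steps above depend on a few conditions that are easy to miss: accounts must be correlated, each governed entitlement must sit in at least one access profile, and (per the Best Practices section) entitlements should carry a recognizable prefix and not be auto-assigned by the provider. The following pre-flight check is an added example, not SailPoint code; it runs over constructed sample data in simple dataclasses whose field names are assumptions, not IdentityNow or provider API fields.

```python
"""Pre-flight check before governing SSO-provider apps from IdentityNow.

Added example on constructed data; it does not call the IdentityNow or
provider APIs, and the field names below are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

PREFIX = "SLPT_"  # naming convention recommended in Best Practices


@dataclass
class Entitlement:
    name: str
    app: str
    auto_assigned: bool  # True if the provider assigns it by rule/policy


@dataclass
class Account:
    native_id: str
    identity_id: Optional[str]  # None means the account is uncorrelated


@dataclass
class AccessProfile:
    name: str
    entitlements: List[str]


def check_readiness(entitlements, accounts, profiles) -> List[str]:
    """Return findings; an empty list means the source is ready to govern."""
    findings = []
    covered = {e for p in profiles for e in p.entitlements}  # step 6
    for ent in entitlements:
        if not ent.name.startswith(PREFIX):
            findings.append(f"{ent.name}: missing {PREFIX} prefix")
        if ent.auto_assigned:  # provider rule overrides IdentityNow decisions
            findings.append(f"{ent.name}: auto-assigned by provider")
        if ent.name not in covered:
            findings.append(f"{ent.name}: not in any access profile ({ent.app})")
    for acct in accounts:  # step 3: uncorrelated accounts can't be governed
        if acct.identity_id is None:
            findings.append(f"account {acct.native_id}: uncorrelated")
    return findings


# Constructed sample data, not exported from a real tenant.
SAMPLE_ENTITLEMENTS = [
    Entitlement("SLPT_Salesforce", "Salesforce", auto_assigned=False),
    Entitlement("SLPT_Jira", "Jira", auto_assigned=True),
    Entitlement("Slack_Users", "Slack", auto_assigned=False),
]
SAMPLE_ACCOUNTS = [Account("alice", "id-001"), Account("contractor-7", None)]
SAMPLE_PROFILES = [
    AccessProfile("Salesforce Access", ["SLPT_Salesforce"]),
    AccessProfile("Jira Access", ["SLPT_Jira"]),
]

if __name__ == "__main__":
    for finding in check_readiness(SAMPLE_ENTITLEMENTS, SAMPLE_ACCOUNTS, SAMPLE_PROFILES):
        print(finding)
```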

Using IdentityNow Services with a Third-Party SSO Identity Vendor

Most of IdentityNow's services extend governance to your SSO service. These features allow you to use a complete set of identity governance capabilities. Details of how each service works with your provider are listed below.

Access Request

Once you've completed the process of creating apps within your SSO provider and configuring corresponding apps in IdentityNow, the Access Request service can be configured as usual for your site. Users can sign in to IdentityNow and request the access profiles for the corresponding apps in the Request Center. If their request is approved, they're granted the access within the access profile, which adds the app to their app list within your provider.

In order to use this app, the user must have an account on it. If your SSO provider source is not the source that grants users accounts on this app, you'll need to allow users to request accounts.

To do this, create a second access profile and requestable app that grants accounts on the source of accounts for the app. This way, users can request the app and the account separately.

Certifications

If your site has the Certifications service in IdentityNow, you can create a certification campaign to review users' access to data and apps. The apps assigned within your SSO service will be represented as access profiles or entitlements in the certification campaign. Any revocation of access in the certification campaign will result in the removal of the app from the SSO provider for that user.

Password Management

With IdentityNow's Password Management service, you can configure IdentityNow to automatically change your passwords within your sources and apps by creating password sync groups.

Caution

When creating password policies within IdentityNow, make sure that IdentityNow does not require a more complex password than your SSO provider. If this password policy is too complex, when users change their passwords on your SSO provider, the password change will succeed for your SSO provider but fail for IdentityNow and any other associated apps or sources.

Provisioning

You must have the Provisioning service enabled for your org for IdentityNow to govern your SSO provider's apps, and you can use IdentityNow's various provisioning features to simplify governing your apps.

If a user is provisioned in an app within IdentityNow, that app will be added to their app list within your SSO provider. The user will also be granted the entitlement that's associated with the app on your provider.

With IdentityNow's Provisioning service, you can use lifecycle states and roles:

  • Lifecycle States:

    Using lifecycle states, you can configure policies within IdentityNow to determine what access profiles are granted to a user and when. Using this feature, you can determine what access a user needs when they start at your company and grant it to them automatically. When they go on leave or change jobs, you can adjust their access accordingly. The access profiles will be granted to and removed from users automatically, and the applicable apps will be added to and removed from their app lists on your SSO provider.

  • Roles:

    Roles allow you to configure specific access for users based on their job within your company. You can configure specific access profiles to grant to users with a particular job title, and if a user's job title changes, you can change the role assigned to them. If a role grants your users an access profile associated with an app, that app will be added to users' app lists in your provider.