
Configuring IdentityNow as a Service Provider

You might already be using a single sign-on solution when you purchase IdentityNow. If you want to use SAML to authenticate into IdentityNow, you can use one of many SSO solutions as an identity provider and IdentityNow as a service provider.

For example, users can authenticate into their identity provider, then federate into IdentityNow to perform tasks related to certifications or provisioning. IdentityNow is never aware of the user's password, and their information remains secure.

Note

The IdentityNow mobile app doesn't support the use of a third-party SSO solution as an identity provider and IdentityNow as a service provider.

Prerequisites

  • Users from your identity provider who want to use IdentityNow must have identities within IdentityNow with data that matches their identities on your identity provider.

  • To ensure that your users can authenticate into IdentityNow, load their IdentityNow accounts from the same source you used to load accounts into your identity provider.

  • Obtain the following information from your identity provider:

    • Entity ID
    • Login URL for Post
    • Login URL for Redirect
    • Logout URL (optional)
    • Signing Certificate
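Most identity providers publish the values in this list as a SAML metadata document. The following added example (not SailPoint's code) reads a constructed metadata document with Python's standard library and returns the Entity ID, the two login URLs and the signing certificate re-wrapped as PEM, which is the format step 7 of the procedure below expects; the metadata, its URLs and its certificate body are constructed placeholders.

```python
# Added example, not SailPoint code: read an IdP's SAML metadata into the Identity Provider Settings values.
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Constructed sample metadata; the certificate body is placeholder base64, not a real X.509 blob.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      Q09OU1RSVUNURUQtUExBQ0VIT0xERVItTk9ULUEtUkVBTC1DRVJU
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def to_pem(b64_der):
    """Re-wrap the bare base64 DER that metadata carries into a PEM block."""
    body = "".join(b64_der.split())            # metadata often wraps it at odd widths
    base64.b64decode(body, validate=True)      # fail early on corrupted base64
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def idp_settings(metadata_xml):
    """Return the Identity Provider Settings values, keyed by the field names on the page."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    def location(tag, binding):
        hits = [s.get("Location") for s in idp.findall(tag, NS) if s.get("Binding") == binding]
        return hits[0] if hits else None
    cert = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":   # a KeyDescriptor without 'use' covers signing too
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            break
    if cert is None or not cert.text:
        raise ValueError("metadata has no signing certificate")
    return {
        "Entity ID": root.get("entityID"),   # step 4: the value entered must match this exactly
        "Login URL for Post": location("md:SingleSignOnService", POST),
        "Login URL for Redirect": location("md:SingleSignOnService", REDIRECT),
        "Signing Certificate": to_pem(cert.text),
    }
```

Save the returned Signing Certificate text to a .pem file and import it in step 7; if the IdP omits a value, the corresponding entry is None rather than a guess.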

Service Provider Configuration

Complete the following steps to configure IdentityNow as a service provider.

  1. From the Admin interface, go to Global > Security Settings > Service Provider.

  2. Leave the Enable Remote Identity Provider option unchecked until you've provided correct values for the Identity Provider Settings below and imported the signing certificate.

  3. We recommend you leave the Bypass Identity Provider option unchecked so that your users will always be required to sign in from your identity provider before they can authenticate into IdentityNow. (Users will not be prompted for registration or strong authentication information in IdentityNow.)

    No matter what you select here, admins, helpdesk users, and dashboard users can always sign in directly to IdentityNow using your IdentityNow URL and appending ?prompt=true. For example, if an admin visits https://acme.identitynow.com/login/login?prompt=true, they'll see the IdentityNow sign in page. They must sign in with a unique IdentityNow password. This can be useful if, for example, the identity provider is temporarily unavailable.

  4. Under Identity Provider Settings, enter the following:

    • Entity ID - the unique entity ID of your identity provider. The value you enter here must exactly match the SAML metadata EntityID supplied by your identity provider.

    • Login URL for Post - the URL where an authentication request is sent using the HTTP POST binding

    • Login URL for Redirect - the URL where an authentication request is sent using the HTTP Redirect binding

    • (Optional) Logout URL - the URL where IdentityNow redirects users after they sign out of IdentityNow or when their session expires

    Note

    All IdentityNow sessions authenticated using an identity provider automatically expire after 90 days.

  5. Select Save to save your changes.

  6. If needed, make changes to the following options in SAML Request Options:

    • Identity Mapping Attribute - Set to the attribute you want to use to authenticate users

    If you select a custom identity attribute, that attribute must be searchable. See API to Extend Customizable Correlation Attributes for instructions.

    • SAML NameID - Set to the SAML NameID that your identity provider is expecting

    • SAML Binding - Set to Post or Redirect depending on which identity provider endpoint (the Login URL for Post or the Login URL for Redirect) the authentication request is sent to

    • Choose one of the following options:

      • In Authentication Context, specify the authentication context the identity provider is required to use.

      • Select the Exclude Requested Authentication Context check box if you don't need to specify a required authentication context in the authentication request.

  7. Under Signing Certificate, click Import and select the signing certificate from its location on your device. The certificate you upload must be in PEM format. The Certificate Name and Certificate Expires fields are populated automatically.

  8. Check the Enable Remote Identity Provider option at the top of the page.

  9. Under Hosted Service Provider, copy the Entity ID and SAML URL to your identity provider. If your identity provider allows you to upload service provider metadata, you can download the metadata and upload it to your identity provider.

  10. Select Save to ensure all settings are saved.
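To make the effect of the SAML Request Options in step 6 concrete, here is an added example (not SailPoint's code) that builds the kind of AuthnRequest those options shape: the NameID format, the binding that carries the request to the Login URL for Post or for Redirect, and the RequestedAuthnContext element that the Exclude Requested Authentication Context check box leaves out. The service provider and identity provider URLs are constructed placeholders, and the request is shown unsigned.

```python
# Added example, not SailPoint code: the AuthnRequest shaped by step 6. All URLs are constructed placeholders.
import base64
import zlib
from xml.sax.saxutils import quoteattr

POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
IDP_LOGIN_URLS = {POST: "https://idp.example.com/saml/sso/post",         # Login URL for Post
                  REDIRECT: "https://idp.example.com/saml/sso/redirect"}  # Login URL for Redirect
SP_ENTITY_ID = "https://acme.identitynow.com/sp"        # stands in for the Hosted Service Provider Entity ID
SP_ACS_URL = "https://acme.identitynow.com/saml/acs"    # stands in for the Hosted Service Provider SAML URL
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

def build_authn_request(name_id_format, binding, authn_context=None,
                        request_id="_constructed-request-id",
                        issued="2024-01-01T00:00:00Z"):
    """authn_context=None mirrors the Exclude Requested Authentication Context
    check box: the request then carries no RequestedAuthnContext element, so
    the IdP may satisfy it with whatever method it used for the current session."""
    context = ""
    if authn_context:
        context = ('<samlp:RequestedAuthnContext Comparison="exact">'
                   "<saml:AuthnContextClassRef>" + authn_context +
                   "</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>")
    return ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" '
            "ID=" + quoteattr(request_id) + " IssueInstant=" + quoteattr(issued) +
            " Destination=" + quoteattr(IDP_LOGIN_URLS[binding]) +
            " AssertionConsumerServiceURL=" + quoteattr(SP_ACS_URL) + ">"
            "<saml:Issuer>" + SP_ENTITY_ID + "</saml:Issuer>"
            "<samlp:NameIDPolicy Format=" + quoteattr(name_id_format) +
            ' AllowCreate="false"/>' + context + "</samlp:AuthnRequest>")

def encode_request(xml, binding):
    """Package the request as the chosen binding carries it: plain base64 in a form
    field for Post; raw DEFLATE then base64 (URL-encoded into the query) for Redirect."""
    data = xml.encode("utf-8")
    if binding == REDIRECT:
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw DEFLATE, no zlib header
        data = comp.compress(data) + comp.flush()
    return {"SAMLRequest": base64.b64encode(data).decode("ascii")}

def decode_request(params, binding):
    """Inverse of encode_request; useful when inspecting a captured request while testing."""
    data = base64.b64decode(params["SAMLRequest"])
    if binding == REDIRECT:
        data = zlib.decompress(data, -15)
    return data.decode("utf-8")
```

Comparing the output with and without authn_context shows exactly what the check box in step 6 removes, and decode_request lets you read back a SAMLRequest parameter captured in the browser during the test in the next section.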

Testing Service Provider Configuration

Complete the following steps to test the service provider configuration:

  1. Sign out of your IdentityNow account and go to the sign in page for your org. You are redirected to your identity provider.

    Important

    Ensure that you have removed ?prompt=true from the end of your URL.

  2. Sign in to your identity provider. You are automatically redirected to IdentityNow and authenticated.

If any part of this test fails, you might have an error in your configuration. Verify that you have completed all fields described here correctly.

When your users navigate to IdentityNow, they will be automatically authenticated.

If authentication fails for any reason, the user will be redirected to an error page.

Note

IdentityNow does not support SAML Single Logout (SLO).

Updating IdentityNow Passwords with IdentityNow as a Service Provider

The way users update their IdentityNow passwords when their site is configured as a service provider depends on whether the site also has Password Management.

The following statements are true whether a site has Password Management or not:

  • If a user authenticates into IdentityNow using their identity provider, they won't be prompted to enter a password, even if they've never signed in before.

  • If a user signs in to IdentityNow by appending ?prompt=true to the end of the sign-in URL, they'll be prompted to provide a password the first time they sign in using this method. They can also update their password using the drop-down menu under their name.

If a site has Password Management enabled, users can update their IdentityNow password no matter how they access IdentityNow (via their identity provider or ?prompt=true) using the drop-down under their name.

In sites that do not have Password Management, users can only update their password if they sign in with ?prompt=true. If they do this, they can change their passwords using the drop-down under their names.

Use Caution When Bypassing the Identity Provider for SailPoint as a Service Provider

When configuring IdentityNow as a service provider, the default behavior, which is also the best practice configuration, is to force users to only launch IdentityNow after signing in to your identity provider. However, it is possible to go directly to the IdentityNow sign in page in some circumstances.

We have left this option open for the following reasons:

  • Admins can always use this option if the identity provider site goes down for some reason

  • Admins might want to make this option available to their users if those users have already been using the IdentityNow sign in page. However, we strongly encourage you to disable this for your users.

To allow users to go directly to the IdentityNow sign in page, you must select the Bypass Identity Provider check box.

If you select Bypass Identity Provider, users can either:

  • Use the normal sign in process to go to your identity provider and then launch IdentityNow.

  • Use a URL that includes ?prompt=true to navigate directly to the IdentityNow sign in page. For example, if a user types https://sailpoint.identitynow.com/login/login?prompt=true, they'll see the IdentityNow sign in page.

Caution

This setting is not recommended. The following behavior is specific to this configuration:

  • Users might be asked for registration information, including strong authentication preferences, that might not be relevant to IdentityNow as a service provider.
  • If your org has the Password Management service, the first time users sign in this way, they'll be prompted to enter a password for IdentityNow. This password is not necessarily connected to the password used with your identity provider.
  • Users who sign in this way can change their IdentityNow passwords using the drop-down menu under their names. Again, this password is not necessarily related to the identity provider. This could cause confusion for users who would normally be expected to sign in using your identity provider.
  • If users sign out of IdentityNow after authenticating this way, they'll be redirected to the IdentityNow sign in page.