
Configuring IdentityNow as a Service Provider

You might already be using a single sign-on solution when you purchase IdentityNow. If you want to use SAML to authenticate into IdentityNow, you can use one of many SSO solutions as an identity provider and IdentityNow as a service provider.

For example, users can authenticate into their identity provider, then federate into IdentityNow to perform tasks related to certifications or provisioning. IdentityNow never sees the user's identity provider password; it only receives the signed SAML assertion that the identity provider issues after a successful sign-in.

Prerequisites

  • Users from your identity provider must have identities within IdentityNow with matching data: the value your identity provider sends as the SAML NameID must match the identity mapping attribute (chosen under SAML Request Options) of an existing IdentityNow identity.

  • Obtain the following information from your identity provider:

    • Entity ID
    • Login URL for Post
    • Login URL for Redirect
    • Logout URL (optional)
    • Signing Certificate (the identity provider's public X.509 signing certificate, in PEM format)
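Most identity providers publish these values in a SAML 2.0 metadata document. The following is an added example script, not SailPoint code, that pulls them out of that document and writes the signing certificate in the PEM form the Import step expects. The metadata, entity ID, URLs and certificate bodies in it are constructed placeholders.

```python
"""Pull the Identity Provider Settings that IdentityNow's Service Provider page
asks for (Entity ID, Login URL for Post, Login URL for Redirect, Logout URL,
Signing Certificate) out of an identity provider's SAML 2.0 metadata XML."""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: entity ID, URLs and certificate bodies are placeholders.
# The "certificates" are base64 of a label so the encoding check passes;
# they are not real X.509 certificates.
FAKE_SIGNING_CERT = base64.b64encode(b"constructed signing certificate placeholder").decode()
FAKE_ENC_CERT = base64.b64encode(b"constructed encryption certificate placeholder").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {FAKE_SIGNING_CERT}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_ENC_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(x509_b64: str) -> str:
    """Turn the base64 body of a ds:X509Certificate element into the PEM form
    the Import button expects (64-character lines between BEGIN/END markers)."""
    body = "".join(x509_b64.split())          # metadata usually wraps and indents the body
    base64.b64decode(body, validate=True)     # raises binascii.Error on a corrupt body
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def extract_idp_settings(metadata_xml: str) -> dict:
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")

    def sso_location(binding: str):
        for svc in idp.findall("md:SingleSignOnService", NS):
            if svc.get("Binding") == binding:
                return svc.get("Location")
        return None

    # Only signing keys matter: an encryption-only KeyDescriptor cannot be used
    # to verify the signature on the identity provider's responses.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):   # no "use" attribute means signing and encryption
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                certs.append(to_pem(cert.text))
    if not certs:
        raise ValueError("metadata carries no signing certificate")

    # IdentityNow only redirects the browser to the Logout URL (it does not send
    # SAML SLO messages), so the SingleLogoutService location is a sensible default.
    slo = idp.find("md:SingleLogoutService", NS)
    settings = {
        "entity_id": root.get("entityID"),
        "login_url_post": sso_location(BINDING_POST),
        "login_url_redirect": sso_location(BINDING_REDIRECT),
        "logout_url": slo.get("Location") if slo is not None else None,
        "signing_certificates": certs,
    }
    missing = [k for k in ("entity_id", "login_url_post", "login_url_redirect") if not settings[k]]
    if missing:
        raise ValueError("metadata is missing required values: " + ", ".join(missing))
    return settings


if __name__ == "__main__":
    for key, value in extract_idp_settings(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

The script does not verify the metadata document's own XML signature, so obtain it over HTTPS from the identity provider's admin console rather than trusting a copy forwarded by email. If it returns more than one signing certificate, the provider is mid-rotation; import the one whose validity period covers the coming months.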

Service Provider Configuration

Complete the following steps to configure IdentityNow as a service provider.

  1. Go to Admin > Global > Security Settings > Service Provider.

  2. Leave the Enable Remote Identity Provider option unchecked until you've provided correct values for the Identity Provider Settings below and imported the signing certificate.

  3. We recommend you leave the Bypass Identity Provider option unchecked so that your users will always be required to sign in from your identity provider before they can authenticate into IdentityNow. (Users will not be prompted for registration or strong authentication information in IdentityNow.)

    Note

    No matter what you select here, admins, helpdesk users, and dashboard users can sign in directly to IdentityNow using your IdentityNow URL and appending ?prompt=true. Refer to Bypassing the Identity Provider for more details.

  4. Under Identity Provider Settings, enter the following:

    • Entity ID - the unique entity ID of your identity provider. The value you enter here must exactly match the entityID attribute in the SAML metadata supplied by your identity provider, including the scheme and any trailing slash.

    • Login URL for Post - the URL where an authentication request is sent using HTTP Post binding

    • Login URL for Redirect - the URL where an authentication request is sent using HTTP Redirect binding

    • (Optional) Logout URL - the URL where IdentityNow redirects users after they sign out of IdentityNow or when their session expires

    Note

    All IdentityNow sessions authenticated using an identity provider automatically expire after 90 days.

  5. Select Save to save your changes.

  6. If needed, make changes to the following options in SAML Request Options:

    • Identity Mapping Attribute - Set to the attribute you want to use to authenticate users

      If you select a custom identity attribute, that attribute must be configured as searchable.

    • SAML NameID - Set to the SAML NameID that your identity provider is expecting

    • SAML Binding - Set to Post or Redirect to choose which of the two login URLs above IdentityNow sends the authentication request to. Post sends the request base64-encoded in an HTML form; Redirect sends it compressed and base64-encoded in the query string.

    • Choose one of the following options:

      • In Authentication Context, specify the authentication context the identity provider is required to use.

      • Select the Exclude Requested Authentication Context check box if you don't need to specify a required authentication context in the authentication request.

  7. Under Signing Certificate, select Import and select the signing certificate from its location on your device. The certificate you upload must be in PEM format and must be the identity provider's public signing certificate, not a private key. The Certificate Name and Certificate Expires fields are populated automatically. Track the Certificate Expires date: once the identity provider starts signing with a new certificate, its responses will fail validation until you import that certificate here.

  8. Check the Enable Remote Identity Provider option at the top of the page.

  9. Under Hosted Service Provider, copy the Entity ID and SAML URL to your identity provider.

  10. If your identity provider allows you to upload service provider metadata, select Metadata to download the metadata. Upload it to your identity provider following their process.

  11. Select Save.
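To make the SAML Request Options concrete, here is an added example in Python that builds a generic SAML 2.0 AuthnRequest and encodes it for each binding. It is not SailPoint's code and the exact shape of the request IdentityNow sends is not documented on this page; the entity IDs and URLs are assumed placeholders. It shows where each option lands on the wire: SAML NameID becomes NameIDPolicy/@Format, Authentication Context becomes RequestedAuthnContext (omitted entirely when Exclude Requested Authentication Context is selected), and SAML Binding decides whether the request is deflated into the query string (Redirect) or base64-encoded into a form field (Post).

```python
"""Build a SAML 2.0 AuthnRequest reflecting the SAML Request Options and
encode it for the HTTP-Redirect or HTTP-POST binding."""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
AUTHN_CTX_PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Assumed placeholder values; in a real tenant use the Entity ID and SAML URL
# shown under Hosted Service Provider and the IdP's login URL.
SP_ENTITY_ID = "https://sp.example.com/saml"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_LOGIN_URL = "https://idp.example.com/saml/sso/redirect"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_entity_id, acs_url, idp_login_url, name_id_format,
                        authn_context=None, request_id=None, issue_instant=None) -> str:
    """authn_context=None is the 'Exclude Requested Authentication Context' case:
    no RequestedAuthnContext element is emitted, so the IdP is free to use any
    method rather than being required to use the named class."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id or "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_login_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": BINDING_POST,   # the Response comes back by POST to the ACS
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {"Format": name_id_format, "AllowCreate": "false"})
    if authn_context:
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = authn_context
    return ET.tostring(req, encoding="unicode")


def encode_for_redirect(authn_request_xml: str, relay_state=None) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode as query parameters."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15 selects raw DEFLATE (no zlib header)
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return urlencode(params)


def decode_from_redirect(query_string: str) -> str:
    """Inverse of encode_for_redirect: what the IdP does with the query string."""
    raw = base64.b64decode(parse_qs(query_string)["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()


def encode_for_post(authn_request_xml: str) -> str:
    """HTTP-POST binding: plain base64 in a hidden SAMLRequest form field, no compression."""
    return base64.b64encode(authn_request_xml.encode()).decode()


def decode_from_post(form_field: str) -> str:
    return base64.b64decode(form_field).decode()


def parse_request(authn_request_xml: str) -> dict:
    """Read back the fields that the SAML Request Options control."""
    root = ET.fromstring(authn_request_xml)
    ctx = root.find(f"{{{SAMLP}}}RequestedAuthnContext/{{{SAML}}}AuthnContextClassRef")
    return {
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "name_id_format": root.find(f"{{{SAMLP}}}NameIDPolicy").get("Format"),
        "authn_context": ctx.text if ctx is not None else None,
    }


if __name__ == "__main__":
    xml = build_authn_request(SP_ENTITY_ID, SP_ACS_URL, IDP_LOGIN_URL, NAMEID_EMAIL, AUTHN_CTX_PPT)
    print(IDP_LOGIN_URL + "?" + encode_for_redirect(xml, relay_state="/home"))
```

Request signing (the SigAlg and Signature query parameters for Redirect, or an enveloped XML signature for Post) is not shown; whether your identity provider insists on signed requests is a setting on its side, and a mismatch there is a common reason the test in the next section fails with an error page at the identity provider.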

Testing Service Provider Configuration

Complete the following steps to test the service provider configuration:

  1. Sign out of your IdentityNow account and go to the sign in page for your org. You are redirected to your identity provider.

    Important

    Ensure that you have removed ?prompt=true from the end of your URL.

  2. Sign in to your identity provider. You are automatically redirected to IdentityNow and authenticated.

If any part of this test fails, you might have an error in your configuration. Verify that you have completed all fields described here correctly.

When your users navigate to IdentityNow, they will be automatically authenticated. If authentication fails, the user will be redirected to an error page.

Note

IdentityNow does not support SAML Single Logout (SLO). Signing out of IdentityNow therefore does not end the identity provider session: a user who returns to IdentityNow is signed in again without a prompt until they also sign out of the identity provider.

Bypassing the Identity Provider

When configuring IdentityNow as a service provider, the default behavior is to only allow end users to launch IdentityNow after signing in to your identity provider.

However, to ensure continuity of access if your identity provider is unavailable, users with an access level beyond "user" can bypass the identity provider. This means they can either:

  • Use your normal federated single-sign on process to authenticate to IdentityNow.
  • Use a URL that includes ?prompt=true to navigate directly to the IdentityNow sign-in page to provide authentication credentials there. For example, if the user enters https://[customer].identitynow.com/login/login?prompt=true, they'll view the IdentityNow sign-in page.

You can also allow end users to go directly to the IdentityNow sign-in page by selecting the Bypass Identity Provider checkbox in the Service Provider configuration.

Caution

This setting is not recommended because it can result in user confusion for these reasons:

  • All users will be prompted to provide registration information, including strong authentication preferences that are irrelevant to their normal identity provider authentication process.
  • The username and password used for this direct sign-in may differ from the user's credentials with your identity provider. Depending on the user's identity profile configuration, they will sign in either with their identity name and an IdentityNow-specific password or with a username and password for a pass-through authentication source.
  • Users who sign in this way can change their IdentityNow password using the dropdown menu under their names. They may not understand that this is not the same as resetting their identity provider password.
  • To use this sign-in option, the user must specify the URL with the ?prompt=true parameter. Users who do not realize this may be frustrated if they attempt to bypass the identity provider without that argument.