Configuring Identity Security Cloud as a Service Provider
You might already be using a single sign-on solution when you purchase Identity Security Cloud. If you want to use SAML to authenticate into Identity Security Cloud, you can use one of many SSO solutions as an identity provider and Identity Security Cloud as a service provider.
For example, users can authenticate into their identity provider, then federate into Identity Security Cloud to perform tasks related to certifications or provisioning. Identity Security Cloud never receives the user's password; it only receives the signed SAML assertion issued by the identity provider.
Prerequisites
- Users from your identity provider must have identities within Identity Security Cloud with matching data.
  - To ensure that your users can authenticate, load their Identity Security Cloud accounts from the same source you used to load accounts into your identity provider.
  - The only exception is if you configure just-in-time account creation in Identity Security Cloud.
- Obtain the following information from your identity provider (all of it is normally present in the identity provider's SAML metadata):
  - Entity ID
  - Login URL for Post
  - Login URL for Redirect
  - Logout URL (optional)
  - Signing Certificate
Service Provider Configuration
Complete the following steps to configure Identity Security Cloud as a service provider.
- Go to Admin > Global > Security Settings > Service Provider.
- Leave the Enable Remote Identity Provider option unchecked until you've provided correct values for the Identity Provider Settings below and imported the signing certificate. Enabling it before the settings are complete sends every sign-in to an identity provider that cannot yet complete the exchange.
- We recommend you leave the Bypass Identity Provider option unchecked so that your users will always be required to sign in from your identity provider before they can authenticate.
Note
No matter what you select here, admins, helpdesk users, and dashboard users can sign in directly by appending ?prompt=true to your Identity Security Cloud URL. Refer to Bypassing the Identity Provider for more details.
- Under Identity Provider Settings, enter the following:
  - Entity ID - the unique entity ID of your identity provider. The value you enter here must exactly match the entityID in the SAML metadata supplied by your identity provider; it is compared as a string, so scheme, case, and any trailing slash all matter.
  - Login URL for Post - the URL where the authentication request is sent using the HTTP POST binding
  - Login URL for Redirect - the URL where the authentication request is sent using the HTTP Redirect binding
  - (Optional) Logout URL - the URL where Identity Security Cloud redirects users after they sign out or when their session expires
Note
All Identity Security Cloud sessions authenticated using an identity provider automatically expire after 90 days.
- Select Save to save your changes.
- If needed, make changes to the following options in SAML Request Options:
  - Identity Mapping Attribute - the identity attribute whose value must match the subject identifier (NameID) that your identity provider sends in the assertion. If you select a custom identity attribute, that attribute must be configured as searchable.
  - SAML NameID - the NameID format that your identity provider is expecting
  - SAML Binding - Post or Redirect, depending on which endpoint (Login URL for Post or Login URL for Redirect) the authentication request is sent to
  - Choose one of the following options:
    - In Authentication Context, specify the authentication context the identity provider is required to use. If the identity provider cannot satisfy the requested context, it rejects the request and users cannot sign in, so specify a context only after confirming that the identity provider supports it.
    - Select the Exclude Requested Authentication Context check box if you don't need to specify a required authentication context in the authentication request.
- Under Signing Certificate, select Import and select the signing certificate from its location on your device. The certificate you upload must be in PEM format (Base64 text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines); if your identity provider exported a binary DER file, convert it to PEM first. The Certificate Name and Certificate Expires fields are populated automatically. Note the expiry date: sign-in fails as soon as the identity provider signs with a certificate you have not imported.
- Check the Enable Remote Identity Provider option at the top of the page.
- Under Hosted Service Provider, copy the Entity ID and SAML URL to your identity provider.
- If your identity provider allows you to upload service provider metadata, select Metadata to download the metadata. Upload it to your identity provider following their process.
- Select Save.
If your organization is required to use FedRAMP-authorized services, you must encrypt communications between Identity Security Cloud and your identity provider.
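The options under SAML Request Options are easier to reason about when you can see the AuthnRequest they shape. The following is an added example, not SailPoint's code and not taken from this page: it builds a SAML 2.0 AuthnRequest with the NameID format and optional RequestedAuthnContext (omitting it is what the Exclude Requested Authentication Context check box does), then encodes it for the HTTP-Redirect binding (DEFLATE + Base64 + URL-encoding) and for the HTTP-POST binding (plain Base64 form field). The entity IDs and URLs are constructed placeholders, and fixing ProtocolBinding to HTTP-POST for the response is an assumption of the example, not a documented Identity Security Cloud behavior.

```python
"""Build and encode a SAML 2.0 AuthnRequest to show what the SAML Request Options
change on the wire. Added example; placeholder identifiers throughout."""
import base64
import datetime
import urllib.parse
import uuid
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
CTX_PASSWORD_PROTECTED = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_entity_id, acs_url, idp_login_url,
                        nameid_format=NAMEID_UNSPECIFIED, authn_context=None):
    """Return (request_id, xml). authn_context=None omits RequestedAuthnContext
    (the 'Exclude Requested Authentication Context' case); a class URI adds it
    with Comparison="exact", so the IdP must authenticate with exactly that class."""
    request_id = "_" + uuid.uuid4().hex
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": now,
        "Destination": idp_login_url,        # must equal the Login URL the request goes to
        "ProtocolBinding": BINDING_POST,     # assumption: IdP returns the Response by POST
        "AssertionConsumerServiceURL": acs_url,
    })
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = sp_entity_id  # SP Entity ID the IdP checks
    ET.SubElement(root, f"{{{SAMLP}}}NameIDPolicy",
                  {"Format": nameid_format, "AllowCreate": "false"})
    if authn_context is not None:
        rac = ET.SubElement(root, f"{{{SAMLP}}}RequestedAuthnContext", {"Comparison": "exact"})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = authn_context
    return request_id, ET.tostring(root, encoding="unicode")


def redirect_binding_url(idp_login_url, xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, Base64, then URL-encode into the query string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state
    sep = "&" if "?" in idp_login_url else "?"
    return idp_login_url + sep + urllib.parse.urlencode(params)


def post_binding_fields(xml, relay_state=None):
    """HTTP-POST binding: plain Base64 (no compression) in a hidden form field."""
    fields = {"SAMLRequest": base64.b64encode(xml.encode("utf-8")).decode("ascii")}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return fields


def decode_redirect_request(url):
    """Undo the Redirect encoding, e.g. to inspect what an SP actually sent."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15).decode("utf-8")


def decode_post_request(fields):
    return base64.b64decode(fields["SAMLRequest"]).decode("utf-8")


def describe_request(xml):
    """The fields an IdP administrator compares against the SP's configuration."""
    root = ET.fromstring(xml)
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    ctx = root.find(f"{{{SAMLP}}}RequestedAuthnContext/{{{SAML}}}AuthnContextClassRef")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "destination": root.get("Destination"),
        "nameid_format": policy.get("Format") if policy is not None else None,
        "authn_context": ctx.text if ctx is not None else None,
    }


if __name__ == "__main__":
    rid, xml = build_authn_request("https://sp.example.com/saml/metadata",
                                   "https://sp.example.com/saml/acs",
                                   "https://idp.example.com/sso/redirect",
                                   NAMEID_EMAIL, CTX_PASSWORD_PROTECTED)
    url = redirect_binding_url("https://idp.example.com/sso/redirect", xml)
    print(describe_request(decode_redirect_request(url)))
```

When a sign-in fails at the identity provider, decoding the SAMLRequest from the browser's address bar (Redirect binding) or from the form post (POST binding) with the two decode helpers shows exactly which Issuer, NameID format and authentication context the service provider asked for, which is usually the quickest way to find a mismatch with the identity provider's configuration.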
Testing Service Provider Configuration
Complete the following steps to test the service provider configuration:
- Sign out of your account and go to the sign-in page for your org. You are redirected to your identity provider.
Important
Ensure that you have removed ?prompt=true from the end of your URL; with that parameter present, you are shown the direct sign-in page instead of being redirected.
- Sign in to your identity provider. You are automatically redirected to Identity Security Cloud and authenticated.
If any part of this test fails, you might have an error in your configuration. Verify that you have completed all fields described here correctly. Keep a separate browser session signed in as an admin (or a tab open with ?prompt=true) while you test, so that a misconfiguration does not lock you out while you correct it.
When your users navigate to Identity Security Cloud, they are redirected to your identity provider and, once signed in there, automatically authenticated. If authentication fails, the user is redirected to an error page.
Note
Identity Security Cloud does not support SAML Single Logout (SLO). Signing out of Identity Security Cloud ends only its own session (and sends the browser to the Logout URL, if you configured one); the identity provider session is left as it is, so a user who returns to Identity Security Cloud while that session is still valid is typically signed in again without entering credentials. To fully sign a user out, they must also sign out of the identity provider.
Bypassing the Identity Provider
When configuring Identity Security Cloud as a service provider, the default behavior is to only allow end users to launch Identity Security Cloud after signing in to your identity provider.
However, to ensure continuity of access if your identity provider is unavailable, users with an access level beyond "user" can bypass the identity provider. This means they can either:
- Use your normal federated single sign-on process to authenticate to Identity Security Cloud.
- Use a URL that includes ?prompt=true to navigate directly to the sign-in page and provide authentication credentials there. For example, if the user enters https://[customer].identitynow.com/login/login?prompt=true, they'll see the Identity Security Cloud sign-in page.
You can also allow end users to go directly to the sign-in page by selecting the Bypass Identity Provider checkbox in the Service Provider configuration.
Caution
This setting is not recommended because it can result in user confusion for these reasons:
- The username and password used for this direct sign-in may differ from the user's credentials with your identity provider. Depending on the user's identity profile configuration, they will sign in either with their identity name and an Identity Security Cloud-specific password or with a username and password for a pass-through authentication source.
- Users who sign in this way can change their password using the dropdown menu under their names. They may not understand that this is not the same as resetting their identity provider password.
- To use this sign-in option, the user must specify the URL with the ?prompt=true parameter. Users who do not realize this may be frustrated if they attempt to bypass the identity provider without that argument.
Encrypting SAML Assertions for FedRAMP
If your organization needs to comply with FedRAMP requirements, you must configure your SSO integration to encrypt the SAML assertions that your identity provider sends to Identity Security Cloud. The identity provider encrypts each assertion with the public key from the Identity Security Cloud service provider metadata, so only Identity Security Cloud can read the assertion's contents.
Note
This feature is only available in FedRAMP authorized tenants.
To encrypt communications between Identity Security Cloud and your identity provider:
- Download the Identity Security Cloud service provider metadata file, which contains the public key that will be used to encrypt the SAML assertion. It is available at:
  https://<tenantName>.login.saas.sailpointfedramp.com/saml/metadata/alias/<tenantName>-sp
  where <tenantName> is the name of your tenant.
- Within the downloaded metadata file, copy the text value within the ds:X509Certificate node, excluding the tags. If the file contains more than one ds:X509Certificate, use the one inside the KeyDescriptor whose use attribute is encryption, not the signing one.
- In a separate text file, add two lines:
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
  Paste the copied certificate value between these two lines.
- Save this file with a .cer filetype.
- Go to your identity provider and enable encryption. Upload the .cer file you created.
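Both the Prerequisites list at the top of this page and the FedRAMP steps above amount to pulling values out of SAML metadata and, for the certificates, rewrapping a ds:X509Certificate value as PEM. The following added example (not SailPoint's code and not from this page) does both: it reads an identity provider's metadata for the Entity ID, Login URL for Post, Login URL for Redirect, Logout URL and signing certificate in the PEM form the Signing Certificate import expects, and it reads service provider metadata for the encryption certificate the FedRAMP procedure saves as a .cer file. The two metadata documents at the bottom are constructed samples with placeholder hostnames and placeholder bytes where a real DER certificate would be; the choice of the SingleLogoutService location as the Logout URL is an assumption of the example.

```python
"""Extract the SAML SP configuration values from IdP metadata, and the encryption
certificate from SP metadata, as PEM. Added example with constructed inputs."""
import base64
import textwrap
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def to_pem(x509_text):
    """Wrap the text of a ds:X509Certificate node (Base64 DER, possibly with the
    line breaks and indentation of the XML) as a PEM certificate."""
    body = "".join(x509_text.split())
    base64.b64decode(body, validate=True)   # reject a truncated or mangled copy early
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def pem_to_der(pem):
    """Inverse of to_pem; use it to check a .cer file before uploading it."""
    lines = [l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-----")]
    return base64.b64decode("".join(lines), validate=True)


def certificates(role, use):
    """ds:X509Certificate texts from KeyDescriptors usable for `use` ('signing' or
    'encryption'); a KeyDescriptor with no use attribute serves both purposes."""
    found = []
    for kd in role.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") in (None, use):
            found.extend(c.text for c in kd.iter(f"{{{DS}}}X509Certificate") if c.text)
    return found


def endpoint(role, tag, binding):
    for e in role.findall(f"{{{MD}}}{tag}"):
        if e.get("Binding") == binding:
            return e.get("Location")
    return None


def idp_settings(idp_metadata_xml):
    """The values entered under Identity Provider Settings and Signing Certificate."""
    root = ET.fromstring(idp_metadata_xml)
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not identity provider metadata")
    certs = certificates(idp, "signing")
    if not certs:
        raise ValueError("identity provider metadata carries no signing certificate")
    return {
        "entity_id": root.get("entityID"),          # matched as an exact string
        "login_url_post": endpoint(idp, "SingleSignOnService", POST),
        "login_url_redirect": endpoint(idp, "SingleSignOnService", REDIRECT),
        # ISC only redirects the browser here (no SLO), so this is a plain logout page URL.
        "logout_url": endpoint(idp, "SingleLogoutService", REDIRECT)
                      or endpoint(idp, "SingleLogoutService", POST),
        "signing_certificate_pem": to_pem(certs[0]),
        "signing_certificate_count": len(certs),  # >1 during an IdP key rollover
    }


def sp_encryption_cer(sp_metadata_xml):
    """Contents of the .cer file the FedRAMP steps build by hand."""
    root = ET.fromstring(sp_metadata_xml)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor: not service provider metadata")
    certs = certificates(sp, "encryption")
    if not certs:
        raise ValueError("service provider metadata carries no encryption certificate")
    return to_pem(certs[0])


# --- constructed sample input: placeholder hosts, placeholder bytes, not real certificates ---
PLACEHOLDER_DER = b"constructed placeholder; not a real X.509 certificate " * 2
_B64 = base64.b64encode(PLACEHOLDER_DER).decode("ascii")
_B64_WRAPPED = "\n        ".join(textwrap.wrap(_B64, 40))   # pretty-printed, as IdPs often emit it
_SIGNING_B64 = base64.b64encode(b"separate signing placeholder").decode("ascii")

SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_B64_WRAPPED}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.com/slo"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://tenant.example.com/saml/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_SIGNING_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(idp_settings(SAMPLE_IDP_METADATA))
    print(sp_encryption_cer(SAMPLE_SP_METADATA))
```

Feed idp_settings the metadata file from your identity provider and sp_encryption_cer the file downloaded from the metadata URL above; the PEM strings can be written to disk directly. The count of signing certificates is worth checking: during an identity provider key rollover the metadata lists two, and the one imported into Identity Security Cloud must be the one currently used to sign.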