Configuring Security Integrations

You can use third-party security integrations for password reset and account unlock options.

Okta Verify

You can configure Okta Verify to integrate with IdentityNow to use it as a password reset method for your identity profiles.

You must first create an API token. Refer to the Okta API token management documentation for more information.

Notes

• Okta recommends generating API tokens from a service account with permissions that do not change.
• Tokens are only valid if the user who created the token is also active.

To integrate Okta Verify with IdentityNow:

1. Go to Admin > Connections > Integrations > Okta Verify.

2. Select the checkbox to Enable Okta Verify Integration.

   

3. Enter the API token you generated in Okta.

4. Enter the domain.
5. Under Okta Username, use the dropdown menu to select the Identity Attribute. The default is Work Email, or you can select other options that match the username in Okta.
6. Select Save.
7. Select Test Connection to verify that the connection between Okta Verify and IdentityNow is working.
8. Configure Okta Verify as an available password reset method.

Duo Web

You can use Duo Web to IdentityNow to embed iFrames and provide an improved user experience for password resets and account unlocks. Refer to Duo’s recommended best practices for IdentityNow Password Resets.

Note

The IdentityNow mobile app does not support password reset or unlocks for end users authenticating via Duo Web. You can use the mobile browser instead.

You must first configure and then integrate Duo Web with IdentityNow.

Configuring Duo Web

1. Follow the Duo 2FA for SailPoint IdentityNow configuration directions.
2. In the Duo Admin Panel, go to Applications > Protect an Application and select SailPoint Web. Refer to Duo - Protecting Applications for more information.

3. For strong, two-factor authentication:

   • (Optional) Change the integration name to a custom name configured for your organization. The integration name is important because it shows up in the Duo Push request sent when a user authenticates with Duo.

   • Do not apply a Remembered Devices policy to the SailPoint Web application.

   • Do not apply a New Users policy, Authentication policy, Authorized Networks, or User Location policy that allows access without two-factor authentication to the SailPoint Web application.

   • Never set the Authentication policy to Bypass 2FA.

   • Set username normalization to None.

   Important

   Failure to follow these best practices can result in users bypassing Duo security. To ensure proper configuration, test Password Reset with a test user account, then immediately repeat the reset action by the same user. Duo should prompt the user to authenticate their identity every time.

   For information about Duo's policy and user administration settings, refer to Duo Policy & Control and Duo Admin - Managing Users.

4. Select Protect this Application, and save the following information in the Duo Web application:

   • Integration key

   • Secret key

   • API hostname

   You will need these keys and API hostname when integrating Duo Web with IdentityNow. The akey is autogenerated.

Notes

• Disabling a user in Duo causes the Duo authentication options to be disabled in IdentityNow for the user.

• Your users must register at least one device in Duo to use these features.

• If a user has not enrolled in Duo or has not registered a device, the Duo password reset methods will not be displayed. For security purposes, the user does not have the opportunity to enroll in Duo during password resets.

You are now ready to integrate Duo Web in IdentityNow.

Integrating Duo Web

1. Go to Admin > Connections > Integrations > Duo Web.

   

2. Select Enable Duo Web Integration.

3. Complete all the available fields based on the information provided by Duo when you created the required integration. IdentityNow masks your Secret Key and autogenerates and masks the akey.

4. Under Duo Username, select the identity attribute that corresponds with users' Duo Security user names. By default, this is set to User Alias.

   Note

   If you choose an identity attribute that isn't populated for all of your identities, identities that don't have a value for that attribute cannot use Duo Web as an authentication method.

5. Select Save.

6. Select Test Connection to verify that the integration is working.

7. Configure Duo Web as an available password reset method for your identity profiles.

Note

To align with Duo’s best practices, ensure that Enable Two-Factor Authentication is selected. Then select additional methods. These additional methods will be presented first. Once end users satisfy these methods, Duo Web will be presented.

RSA SecurID

You can configure RSA SecurID to integrate with IdentityNow and give your users additional authentication options. IdentityNow users of RSA SecurID must be correlated to an existing identity.

Configuring RSA SecurID

1. Set up an on-premise RSA 8.1 server and roll out RSA SecurID to your users.

   Note

   To use RSA strong authentication in IdentityNow, your users must complete their RSA accounts. This includes setting up a PIN and being able to receive an RSA token.

2. Configure RSA to accept a SecurID from your users in a format IdentityNow supports.

3. Create and aggregate an RSA source.

Refer to the RSA SecurID documentation for configuration guidance.

You are now ready to integrate RSA SecurID in IdentityNow.

Integrating RSA SecurID Integration

1. Go to Admin > Connections > Integrations > RSA SecurID.

   

2. Select Enable RSA SecurID Integration.

3. For Source, select the RSA Authentication Manager source.

   Because only one RSA source can be configured for the integration, only users from this RSA source will be able to use RSA strong authentication methods.

4. Select Save.

5. If you have not already aggregated accounts from your RSA source, aggregate those accounts.

6. Configure RSA SecurID as an available password reset method for your identity profiles.

Symantec VIP

You can configure Symantec VIP to integrate with IdentityNow for additional account unlock and password reset methods for your identity profiles.

Notes

• If a user's account is disabled within Symantec VIP, they will not see options to use Symantec VIP within IdentityNow.

• If a user has not enrolled in Symantec VIP or has not registered an Access Credential, the Symantec VIP password reset options do not appear within IdentityNow.

Configuring Symantec VIP

1. Roll out Symantec VIP to your users.

2. In Symantec VIP, request a new VIP Certificate in PKCS#12 format.

3. Complete the other required fields in the Symantec interface and note the certificate password. You will need this later in IdentityNow.

4. Download the certificate to a known location. You will need this later in IdentityNow.

5. To allow your users to use Symantec VIP Push notifications for strong authentication, the Enable Mobile Push option must be globally enabled on the VIP Policy Configuration page within Symantec VIP.

Integrating Symantec VIP

1. Go to Admin > Connections > Integrations > Symantec VIP.

   

2. Under Integration Settings, select Enable Symantec VIP Integration.

3. Select Import to upload the Client Certificate you created within Symantec VIP.

4. Enter the Certificate Password you configured when you generated the certificate.

5. Under Endpoint, choose the type of endpoint you are pointing to. In most cases, you will select Production.

6. Under Symantec VIP User ID, select the identity attribute that represents the users' User ID in Symantec VIP. By default, this is set to User Alias.

   Important

   If you choose an identity attribute that isn't populated for all of your identities, identities that don't have a value for that attribute will not be able to use Duo Web as an authentication method.

7. Select Save. The Certificate Name and Certificate Expires fields are populated automatically.

8. Select Test Connection to verify that the integration is working.

9. Configure Symantec VIP as an available password reset method for your identity profiles.