
Creating Identity Profiles

Many organizations have one or two sources that have a complete list of their users, such as an HR source or Active Directory. After setting up and aggregating those sources in IdentityNow, create identity profiles in IdentityNow to determine:

  • Security settings specific to the identities managed in the source
  • The source of the attributes for those identities
  • How IdentityNow's identity attributes map to source attributes
  • When Provisioning is enabled, how access is granted for those identities when their lifecycle states change or new accounts are added from other sources

Note

For a list of sources you can integrate with IdentityNow, refer to Supported Connectors for IdentityNow.

Setting up and aggregating sources in IdentityNow makes those sources the primary, or authoritative, sources for identities associated with a specific identity profile.

Prioritizing Authoritative Sources

Multiple authoritative sources can cause authentication conflicts, because a user can authenticate against only a single target authentication system. To resolve this potential issue, you can prioritize authoritative sources. Prioritization keeps data conflicts from affecting a user's ability to access the system and gives administrators control over how IdentityNow processes data.

If you want to use this functionality, please open a support ticket for assistance.

Prerequisites:

  • An authoritative source has been created and then aggregated in IdentityNow
  • A valid email address exists for each user in the source
  • If you need to block users' access to IdentityNow based on their IP address or location, those settings have been configured as described in Restricting IdentityNow Access

Setting Up Identity Profiles

By default, IdentityNow prioritizes identity profiles based on the order in which they were created. The earlier an identity profile was created, the higher its priority. If you need to change this order, you can use the API described in How do I Adjust the Identity Profile Priority?

To create an identity profile:

  1. In the Admin interface, go to Identities > Identity Profiles.

  2. Select + New.

  3. Enter a Name for your identity profile. As a best practice, the name should describe the source for this identity profile.

  4. Choose an Account Source and select OK. The account source you choose here will become an authoritative source and the users on this source will be granted identities in IdentityNow.

  5. Enter a Description for your new identity profile.

  6. Configure the following options:

    Invitation Options

    • You can choose to invite users manually or automatically. If you have the provisioning service enabled for your org, you can configure the identity profile to automatically invite users to join IdentityNow when they enter a specific lifecycle state.
    • Read Inviting Users to Register with IdentityNow for details.

    Sign-in Method

    • < Site > User Name & Password - Users in this identity profile sign in to IdentityNow with the user name and password created during their IdentityNow registration process.
    • Directory Connection - Users loaded from the identity profile sign in using the password associated with the source selected from the Authentication Source dropdown list. This type of authentication is also referred to as passthrough authentication.

    Block Access From

    • Off Network - If you select this option, users with IP addresses outside of your specified network block won't be able to sign in to IdentityNow. Configure a network block in Restricting IdentityNow Access.
    • Untrusted Geography - You might have configured a list of untrusted countries. If you select this option, users in those countries won't be able to access IdentityNow. Alternatively, you might have created a list of trusted countries. If this is the case, and you select this option, users outside of those trusted countries won't be able to access IdentityNow.

    Password Reset and User Unlock Settings

    • Enable Two-Factor Authentication - Select this option to require users to complete two (rather than the standard one) of the enabled Password Reset and User Unlock Methods before resetting their passwords or unlocking their IdentityNow accounts. Refer to Enabling Two-Factor Authorization for more information.
    • Mask Phone Numbers - Select this option to enable phone number masking when users are resetting their passwords.

    Password Reset and User Unlock Methods

    Strong Authentication Methods

    Select the checkbox beside the options you want users to have for using strong authentication. You can learn about the available methods in Configuring Strong Authentication Methods and Password Integrations.

    Error Message

    Create an error message that users will see when issues with strong authorization and password reset configuration occur. The error message should provide users a course of action, such as "Please contact your administrator."

  7. Select Save to apply and save your changes.

Now that you've set up an identity profile in IdentityNow, you are ready to map the identity profile attributes to the appropriate source attributes.

Mapping Identity Profiles

If your organization uses information from multiple sources to manage employee identities, you need to be able to configure how IdentityNow pulls that data into the collection of information in each identity's page. For example, an employee's account ID might come from Active Directory, but their phone number and address might come from an HR system and their email might come from Salesforce. However, a contractor's information might come exclusively from Active Directory.

In IdentityNow, you can map an identity profile's attributes (also known as identity attributes) to the account attributes on any source. This capability allows you to precisely define identity details to match your organization's needs.

Tip

To make changes to a source value before applying it to your identities, you’ll need to configure a transform. For detailed information on using transforms, read Building Transforms in IdentityNow and Operations in IdentityNow Transforms.

Important

Make sure the special characters * ( ) & ! are not used in the source attribute mapped to a user name or alternative sign-in attribute. If the user name or other sign-in attribute includes any of these special characters, the user associated with the identity may not be able to log in to or otherwise access IdentityNow.

To map identity attributes to account attributes from the source:

  1. Open the identity profile you want to edit and select the Mappings tab. The Mappings panel contains a table with IdentityNow default identity attributes that are matched to attributes from the source.

    Notes

    • You can make changes to these mappings, but the IdentityNow attributes Work Email, Last Name, and First Name must always be mapped to source attributes.
    • If you have Provisioning and you want to use lifecycles to perform provisioning tasks, the Lifecycle State attribute must also be mapped to a source attribute.
  2. To map IdentityNow attributes to different source attributes:

    • Select the new source from the Source dropdown menu, if needed.
    • Select the new source attribute from the Attribute dropdown menu.
    • Select identity sources and source attributes for each IdentityNow attribute as needed. To unmap an attribute, select None from the Source dropdown menu.
    • If you plan on using any functionality that requires users to have a manager, make sure the manager attribute is mapped correctly. Download an audit report so you can see which identities do not have managers.
  3. To make changes to a source value before applying it to your identities, select Complex Data Source from the Source dropdown menu and select one of the following rules from the Transforms dropdown menu:

    • Cloud Calculate Identity Status - This rule calculates identity cloudStatus for the identity.
    • Cloud Calculate Internal Identity Status Rule - This rule also calculates identity cloudStatus for the identity.
    • Cloud Calculate Authentication Alias - This rule calculates any authentication aliases for the identity.

    For information about working with rules, refer to the IdentityNow Rules Guide.
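
The character restriction in the Important note, the required Work Email, First Name, and Last Name mappings, and the manager check can all be verified against a source export before aggregation. The following Python is an added example, not SailPoint code; the CSV layout, column names, and sample rows are constructed assumptions.

```python
import csv
import io
import re

# Characters the page says must not appear in a user name or sign-in attribute.
FORBIDDEN = set("*()&!")
# Hypothetical column names for a source export; adjust to your source schema.
SIGN_IN_COL = "username"
REQUIRED_COLS = ("email", "first_name", "last_name")  # Work Email, First Name, Last Name
MANAGER_COL = "manager"
# Deliberately loose syntactic check, not full RFC 5322 validation.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample data, not from any real source.
SAMPLE_CSV = """username,email,first_name,last_name,manager
alice.ng,alice.ng@example.com,Alice,Ng,bob.ray
bob.ray,bob.ray@example.com,Bob,Ray,
carol(temp),carol@example.com,Carol,Diaz,bob.ray
dave&co,dave-at-example.com,Dave,,bob.ray
"""

def check_accounts(csv_text):
    """Return {username: [findings]} for accounts that need fixing in the source."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = (row.get(SIGN_IN_COL) or "").strip()
        issues = []
        bad = sorted(FORBIDDEN & set(name))
        if bad:
            issues.append("forbidden sign-in characters: " + " ".join(bad))
        for col in REQUIRED_COLS:
            if not (row.get(col) or "").strip():
                issues.append("missing required attribute: " + col)
        email = (row.get("email") or "").strip()
        if email and not EMAIL_RE.match(email):
            issues.append("invalid email: " + email)
        if not (row.get(MANAGER_COL) or "").strip():
            issues.append("no manager")
        if issues:
            findings[name or "<blank user name>"] = issues
    return findings

if __name__ == "__main__":
    for user, issues in check_accounts(SAMPLE_CSV).items():
        print(user, "->", "; ".join(issues))
```

Accounts flagged here are the ones likely to surface later as sign-in failures or identity exceptions, so correct them in the source before the next aggregation.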

To add a new attribute:

  1. Select Add New Attribute from the bottom of the Mappings tab.

  2. In the Add New Attribute dialog box, enter the name for the new attribute. The Name field only accepts letters, numbers, and spaces. The Technical Name field populates automatically with a camel case version of the name you typed in the Name field.

  3. Click OK to save and add the new attribute.

  4. Map the attribute to a source and source attribute as described in the mapping instructions in step 2 above.

To preview your new mappings:

  1. Select Preview from the upper right corner of the Mapping panel and an identity profile. The preview results show the new mappings in the selected identity profile. To return to the Mappings tab to make changes to the mappings, select the tab's back button.

  2. When you've finished mapping and reviewing your sources and attributes, select Save and then select Update in the bar at the top of the tab to apply all your changes.

Resolving Identity Exceptions

IdentityNow generates identity exceptions when you create a new source and then create an identity profile from that source. If an account on that source is missing values for one or more attributes that an identity requires, IdentityNow generates an identity exception.

Prerequisites:

  • A source that has been aggregated successfully at least once
  • An associated identity profile that has been created successfully
  • Ability to edit the accounts in the source used to create the identity profile

Complete the following steps:

  1. In the Admin interface, go to Identities > Identity Profiles.

  2. In the Identity Exceptions column, select either CSV or PDF to download the report. The CSV button downloads the report as a zip file.

  3. Review the report and determine which attributes are missing for the associated accounts.

  4. Edit the account in the source.

  5. Either manually aggregate the source again or wait for a regularly scheduled aggregation.

  6. Run an identity refresh, as described in Updating Identity Data, so you can be sure you're seeing and working with the latest identity data.

The Identity Exceptions reports become disabled once you successfully resolve the errors.

Deleting Identity Profiles

When you attempt to delete an identity profile, a warning message indicating the number of identities that came from that source is displayed, to help you understand the implications of deleting it. Deleting an identity profile will delete those identities and the accounts on the related source will become uncorrelated, unless another identity profile in your system also owns those accounts.

Before deleting an identity profile, verify that any associated identities are not source or app owners. If they are, you won't be able to delete the identity profile until those connections are removed.

To delete an identity profile:

  1. In the Admin interface, go to Identities > Identity Profiles.

  2. Select the check box next to the identity profile you want to delete.

  3. Under Actions, select Delete.