Creating Identity Profiles

Most organizations have one or two authoritative sources: sources that provide a complete list of their users, such as an HR source or Active Directory. When you define a source as authoritative in IdentityNow, an identity is created for each of its accounts.

You make a source authoritative by configuring an identity profile for it. The identity profile determines:

  • Security settings for the identities associated to the identity profile, such as authentication settings.
  • Mappings for populating identity attributes for those identities.
  • The access granted to or removed from those identities when Provisioning is enabled and their lifecycle states change.

Prioritizing Authoritative Sources

Each identity can be associated to only one identity profile. If a user can exist in multiple authoritative sources for your organization, it is important to set the priority order of those sources' identity profiles correctly. Identities will be associated with the highest priority identity profile where they have an account on its authoritative source.

By default, IdentityNow prioritizes identity profiles based on the order they were created. The earlier an identity profile is created, the higher priority it is assigned.

If you need to change this order, you can use the Update Identity Profile API to change the identity profiles' priority attribute values.
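The resolution rule above (one profile per identity, chosen by priority among the authoritative sources on which the person has an account) is easy to get wrong when several sources overlap. The following Python model is an added example, not SailPoint's code; it assumes that a lower priority number means higher precedence (consistent with earlier-created profiles ranking higher) and uses constructed profile, source, and account names. It also flags profiles that share a priority value, since the page's rule cannot choose between them.

```python
"""Constructed model of identity-profile priority resolution (not IdentityNow code)."""

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class IdentityProfile:
    name: str
    source: str     # authoritative source this profile is configured for
    priority: int   # assumption: lower number = higher precedence


@dataclass(frozen=True)
class Account:
    source: str
    uid: str        # user name on the source; joins accounts to one person here


def resolve_profiles(profiles, accounts):
    """Return {uid: profile name}, picking for each person the highest-priority
    profile whose authoritative source holds an account for that uid.
    Accounts on non-authoritative sources create no identity."""
    by_source = {p.source: p for p in profiles}
    chosen = {}
    for acct in accounts:
        profile = by_source.get(acct.source)
        if profile is None:
            continue  # not authoritative: contributes no identity
        current = chosen.get(acct.uid)
        if current is None or profile.priority < current.priority:
            chosen[acct.uid] = profile
    return {uid: p.name for uid, p in chosen.items()}


def ambiguous_priorities(profiles):
    """Return the priority values shared by more than one profile: with equal
    priorities the 'highest priority profile' rule has no single answer."""
    counts = Counter(p.priority for p in profiles)
    return sorted(value for value, n in counts.items() if n > 1)


# Constructed sample configuration (hypothetical source and profile names)
PROFILES = [
    IdentityProfile("Employees", "Workday", priority=10),
    IdentityProfile("Contractors", "Active Directory", priority=20),
]
ACCOUNTS = [
    Account("Workday", "alice"),
    Account("Active Directory", "alice"),   # on both sources -> Employees wins
    Account("Active Directory", "bob"),     # only on AD -> Contractors
    Account("ServiceNow", "carol"),         # non-authoritative -> no identity
]

if __name__ == "__main__":
    print(resolve_profiles(PROFILES, ACCOUNTS))
    print("ambiguous priorities:", ambiguous_priorities(PROFILES))
```

Run the resolution after any priority change (whether made through the Update Identity Profile API or by creating profiles in a different order) and compare the result against the intended source of truth for each population before aggregating.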

Setting Up Identity Profiles

To create an identity profile:

  1. Go to Admin > Identities > Identity Profiles.

  2. Select + New.

  3. Enter a Name for your identity profile. As a best practice, the name should describe the source for this identity profile.

  4. Choose an Account Source and select OK. The account source you choose here will become an authoritative source and the users on this source will be created as identities in IdentityNow.

  5. Enter a Description for this identity profile.

  6. Configure the identity profile's sign-in and security settings:

    Invitation Options

    • Unless you configure external authentication options (such as pass-through authentication or single sign-on), only invited users can sign in to IdentityNow. You can choose to invite users manually or automatically. If you have the provisioning service enabled for your org, you can configure the identity profile to automatically invite users to join IdentityNow when they enter a specific lifecycle state.
    • Refer to Inviting Users to Register with IdentityNow for details.

    Sign-in Method

    • < Site > User Name & Password - Users in this identity profile sign in to IdentityNow with the username and password created during their IdentityNow registration process.
    • Directory Connection - Users loaded from the identity profile sign in using the password associated with the source selected from the Authentication Source dropdown list. This type of authentication is also referred to as pass-through authentication.
    • Multifactor Authentication - Users in this identity profile sign in using a mobile authenticator application such as Google Authenticator or Duo Mobile. Multifactor authentication replaces the built-in strong authentication methods.

    Block Access From

    • Off Network - If you select this option, users with IP addresses outside of your specified network block won't be able to sign in to IdentityNow. Configure a network block in Restricting IdentityNow Access.
    • Untrusted Geography - You might have configured a list of untrusted countries. If you select this option, users in those countries won't be able to access IdentityNow.
    • Alternatively, you might have created a list of trusted countries. If this is the case, and you select this option, users outside of those trusted countries won't be able to access IdentityNow.

    Password Reset and User Unlock Settings

    • Enable Two-Factor Authentication - Select this option to require users to complete two (rather than the standard one) of the enabled Password Reset and User Unlock Methods before resetting their passwords or unlocking their IdentityNow accounts. Refer to Enabling Two-Factor Authorization for more information.
    • Mask Phone Numbers - Select this option to enable phone number masking when users are resetting their passwords.

    Password Reset and User Unlock Methods

    Strong Authentication Methods

    Error Message

    • Define the error message to present when issues occur with strong authentication or password reset. The error message should provide users a course of action, such as "Please contact your administrator."
  7. Select Save.

Now that you've set up an identity profile in IdentityNow, you are ready to map the identity profile attributes to the appropriate source attributes.

Defining Identity Profile Attributes

Mappings define how each identity profile's attributes, also known as identity attributes, should be populated for its identities. Identity attributes can be mapped from account attributes on any source and can differ for each identity profile.

For example, your Employees identity profile could map most attributes from your HR system while the email attribute is sourced from Active Directory. At the same time, contractors' information might come exclusively from Active Directory.

You can also configure and apply a transform or rule if you need to make changes to a source value in setting your identity attributes.

Important

The special characters * ( ) & ! cannot be used in the source attribute mapped to a username or alternative sign-in attribute. If the username or other sign-in attribute includes any of these special characters, the user associated with the identity may not be able to sign in to or otherwise access IdentityNow.

Mapping Identity Attribute Values

The Mappings page contains the list of identity attributes. This includes both the default attributes included with IdentityNow and any identity attributes you have added for your site.

To map identity attributes for identities in an identity profile:

  1. Open the identity profile you want to edit and select the Mappings tab.

    In some cases, IdentityNow sets a default mapping from attributes on the account source. Match IdentityNow attributes to source attributes.

    Required Attributes

    • The identity attributes User Name (uid), Work Email (email), and Last Name (lastname) are required. They must be set with a mapping for each identity profile and cannot be null for any identity.
    • User Name must be unique across all identities from any identity profile.
    • Work Email cannot be null but is not validated as an email address.
  2. To change or set the source attribute mapping for an identity attribute:

    • Select the desired source from the Source dropdown list.
    • Select a source attribute from the Attribute dropdown list.
  3. If an identity attribute cannot be set directly from a source attribute, you can use a transform or rule to calculate the attribute value.

    • To apply a transform, choose a source and an attribute, then choose a transform from the Transform drop-down list.

    • To use a rule, choose Complex Data Source from the Source dropdown list and select a rule from the Transform drop-down list. Choose from one of the default rules or any rule written and added for your site.

      Default Rules

      The following rules are available in every IdentityNow site:

      • Cloud Calculate Identity Status - This rule calculates identity cloudStatus for the identity.
      • Cloud Calculate Internal Identity Status Rule - This rule also calculates identity cloudStatus for the identity.
      • Cloud Calculate Authentication Alias - This rule calculates any authentication aliases for the identity.

    For more information about working with rules and transforms, refer to the IdentityNow Rules Guide and the transforms documentation.

  4. To unmap an attribute, select None from the Source dropdown list.

Special Attributes

  • If you have Provisioning and want to use lifecycle states to perform provisioning tasks, the Lifecycle State attribute must be mapped.
  • If you plan to use functionality that requires users to have a manager, make sure the Manager Name attribute is mapped, and then define manager correlation logic for the source. Download an audit report for a list of identities without managers.

Adding Identity Attributes

You can define custom identity attributes for your site. Any attribute you add under any identity profile will appear in all of your identity profiles, but you do not have to map and use all attributes in all identity profiles.

To add a new attribute for your site:

  1. Select Add New Attribute at the bottom of the Mappings tab.

  2. In the Add New Attribute dialog box, enter the name for the new attribute. The Name field only accepts letters, numbers, and spaces. The Technical Name field populates automatically with a camel case version of the name you typed in the Name field.

    The Name and Technical Name fields when adding a new attribute.

  3. Select OK to save and add the new attribute.

  4. Map the attribute to a source and source attribute as described in the mapping instructions above.

  5. Repeat these steps for any additional attributes, and then select Save.

  6. Use the Preview feature to verify your mappings. Make any needed adjustments and save your changes.

  7. Select Apply Changes in the bar at the top of the page to apply your changes to the identity profile's identities.

Verifying Mappings with Preview

Use preview to verify your mappings using your data.

  1. Select Preview at the upper-right corner of the Mapping tab of an identity profile.

  2. Select an Identity to Preview and verify that your mappings populate their identity attributes as expected.

  3. To return to the Mappings tab, to make adjustments or apply your changes, select the Back button on the preview tab.

Deleting Identity Attributes

You can delete custom attributes you no longer need. This deletes them from all identity profiles. Be mindful of where the attribute may be in use in your implementation and the implications of deleting them.

To delete a custom attribute:

  1. Select the X on the attribute you want to delete. This immediately removes the attribute from the mappings list, though it is not yet deleted.
  2. Select Save.
  3. Review the warning message about deleting custom attributes. Select OK to proceed with the deletion, or select Cancel to abort the deletion and restore the attribute to the mappings list.

    Note

    If you select Cancel, all other unsaved changes will also be reverted.

Resolving Identity Exceptions

When you aggregate data from an authoritative source, if an account on that source is missing values for one or more of the required attributes, IdentityNow generates an identity exception. A duplicate User Name (uid) also generates an exception.

Note

Identities missing required attributes also appear as Incomplete Identities in the identity list.
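The rules that produce identity exceptions are spread across this page: the required attributes User Name (uid), Work Email (email) and Last Name (lastname) must be non-null, User Name must be unique, Work Email is not validated as an email address, and the characters * ( ) & ! in the attribute mapped to the user name break sign-in. The following Python check is an added example, not IdentityNow's code; it runs those rules over constructed sample account records (hypothetical ids and values) so you can catch the problems in source data before aggregation rather than reading them from the downloaded report afterwards.

```python
"""Constructed pre-aggregation check modelled on this page's identity-exception
rules (not IdentityNow code)."""

from collections import Counter

REQUIRED = ("uid", "email", "lastname")   # required identity attributes
FORBIDDEN_IN_USERNAME = set("*()&!")      # characters that prevent sign-in


def find_identity_exceptions(accounts, username_attr="uid"):
    """accounts: list of dicts whose keys are identity attribute names after
    mapping.  Returns (account_id, problem) tuples in input order.
    Work Email is only checked for presence, never for email syntax."""
    problems = []
    uid_counts = Counter(a.get("uid") for a in accounts if a.get("uid"))
    for acct in accounts:
        acct_id = acct.get("id", "<no id>")   # hypothetical record identifier
        for attr in REQUIRED:
            value = acct.get(attr)
            if value is None or str(value).strip() == "":
                problems.append((acct_id, f"missing required attribute {attr}"))
        uid = acct.get("uid")
        if uid and uid_counts[uid] > 1:
            problems.append((acct_id, f"duplicate uid {uid!r}"))
        username = acct.get(username_attr)
        if username:
            bad = sorted(set(username) & FORBIDDEN_IN_USERNAME)
            if bad:
                problems.append((acct_id, f"username contains {''.join(bad)!r}"))
    return problems


# Constructed sample accounts (not real data)
SAMPLE_ACCOUNTS = [
    {"id": "A1", "uid": "jdoe", "email": "jdoe@example.com", "lastname": "Doe"},
    {"id": "A2", "uid": "asmith", "email": "", "lastname": "Smith"},             # missing email
    {"id": "A3", "uid": "jdoe", "email": "jdoe2@example.com", "lastname": "Doe"}, # duplicate uid
    {"id": "A4", "uid": "r(ivera)", "email": "r@example.com", "lastname": None}, # bad chars, no lastname
]

if __name__ == "__main__":
    for acct_id, problem in find_identity_exceptions(SAMPLE_ACCOUNTS):
        print(acct_id, problem)
```

Both halves of a duplicate pair are reported, matching the fact that IdentityNow cannot tell which account is the legitimate owner of the uid; the fix belongs in the source data, as step 4 of the procedure below describes.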

To resolve these, complete the following steps:

  1. Go to Admin > Identities > Identity Profiles.

  2. In the Identity Exceptions column, select either CSV or PDF to download the report. The CSV button downloads the report as a zip file.

    If these buttons are disabled, there are currently no identity exceptions for the identity profile.

  3. Review the report and determine which attributes are missing for the associated accounts.

  4. Edit the account in the source to resolve the data problem.

  5. Manually aggregate the source again or wait for a regularly scheduled aggregation to confirm that the exceptions were resolved.

    IdentityNow automatically processes identity data changed in aggregation, so you can be sure you're working with the latest identity data.

Deleting Identity Profiles

When you attempt to delete an identity profile, a warning message indicating the number of identities that came from that source is displayed to help you understand the implications of deleting it. Deleting an identity profile:

  • Does not delete its account source, but it does make the source non-authoritative.
  • Does not delete the source's accounts in IdentityNow or deprovision them from the source system.
  • Deletes its identities unless they can be reassigned to other identity profiles in your system. When identities get deleted, all of their source accounts become uncorrelated.

Before deleting an identity profile, verify that any associated identities are not source or app owners. If they are, you won't be able to delete the identity profile until those connections are removed.

To delete an identity profile:

  1. Go to Admin > Identities > Identity Profiles.

  2. Select the checkbox next to the identity profile you want to delete.

  3. Under Actions, select Delete.