
Creating Identity Profiles

Many organizations have one or two sources that have a complete list of their users, such as an HR source or Active Directory. After setting up and aggregating those sources in IdentityNow, create identity profiles in IdentityNow to determine:

  • Security settings specific to the identities managed in the source
  • The source of the attributes for those identities
  • How IdentityNow's identity attributes map to source attributes
  • When Provisioning is enabled, how access is granted for those identities when their lifecycle states change or new accounts are added from other sources

Note

For a list of sources you can integrate with IdentityNow, refer to Supported Connectors for IdentityNow.

Setting up and aggregating sources in IdentityNow makes those sources the primary, or authoritative, sources for identities associated with a specific identity profile.

Prioritizing Authoritative Sources

Multiple authoritative sources can cause authentication conflicts, because a user can authenticate against only a single target authentication system. To resolve this potential issue, you can prioritize authoritative sources. Prioritization keeps data conflicts from affecting a user's ability to access the system and gives administrators control over how IdentityNow processes data.

If you want to use this functionality, please open a support ticket for assistance.

Prerequisites:

  • An authoritative source has been created and then aggregated in IdentityNow
  • A valid email address exists for each user in the source
  • If you need to block users' access to IdentityNow based on their IP address or location, those settings have been configured as described in Restricting IdentityNow Access

Setting Up Identity Profiles

By default, IdentityNow prioritizes identity profiles based on the order in which they were created. The earlier an identity profile is created, the higher its priority. If an identity has an account on more than one authoritative source, the higher-priority profile is used to calculate their identity attribute values.

If you need to change this order, you can use the Update the Identity Profile API.

To create an identity profile:

  1. In the Admin interface, go to Identities > Identity Profiles.

  2. Select + New.

  3. Enter a Name for your identity profile. As a best practice, the name should describe the source for this identity profile.

  4. Choose an Account Source and select OK. The account source you choose here will become an authoritative source and the users on this source will be granted identities in IdentityNow.

  5. Enter a Description for your new identity profile.

  6. Configure the following options:

    Invitation Options

    • You can choose to invite users manually or automatically. If you have the provisioning service enabled for your org, you can configure the identity profile to automatically invite users to join IdentityNow when they enter a specific lifecycle state.
    • Read Inviting Users to Register with IdentityNow for details.

    Sign-in Method

    • < Site > User Name & Password - Users in this identity profile sign in to IdentityNow with the username and password created during their IdentityNow registration process.
    • Directory Connection - Users loaded from the identity profile sign in using the password associated with the source selected from the Authentication Source dropdown list. This type of authentication is also referred to as pass-through authentication.
    • Multifactor Authentication - Users in this identity profile sign in using a mobile authenticator application such as Google Authenticator or Duo Mobile. Multifactor authentication replaces the built-in strong authentication methods.

    Block Access From

    • Off Network - If you select this option, users with IP addresses outside of your specified network block won't be able to sign in to IdentityNow. Configure a network block in Restricting IdentityNow Access.
    • Untrusted Geography - You might have configured a list of untrusted countries. If you select this option, users in those countries won't be able to access IdentityNow. Alternatively, you might have created a list of trusted countries. If this is the case, and you select this option, users outside of those trusted countries won't be able to access IdentityNow.

    Password Reset and User Unlock Settings

    • Enable Two-Factor Authentication - Select this option to require users to complete two (rather than the standard one) of the enabled Password Reset and User Unlock Methods before resetting their passwords or unlocking their IdentityNow accounts. Refer to Enabling Two-Factor Authorization for more information.
    • Mask Phone Numbers - Select this option to enable phone number masking when users are resetting their passwords.

    Password Reset and User Unlock Methods

    Strong Authentication Methods

    Select the checkbox beside the options you want users to have for using strong authentication. You can learn about the available methods in Configuring Strong Authentication Methods and Password Integrations.

    Error Message

    Create an error message that users will see when issues with strong authorization and password reset configuration occur. The error message should provide users a course of action, such as "Please contact your administrator."

  7. Select Save to apply and save your changes.

Now that you've set up an identity profile in IdentityNow, you are ready to map the identity profile attributes to the appropriate source attributes.

Defining Identity Profile Attributes

If your organization uses information from multiple sources to manage employee identities, you need to be able to configure how IdentityNow pulls that data into the collection of information in each identity's page. For example, an employee's account ID might come from Active Directory, but their phone number and address might come from an HR system and their email might come from Salesforce. However, a contractor's information might come exclusively from Active Directory.

In IdentityNow, you can map an identity profile's attributes (also known as identity attributes) to the account attributes on any source. This capability allows you to precisely define identity details to match your organization's needs.

Tip

To make changes to a source value before applying it to your identities, you’ll need to configure a transform. For detailed information on using transforms, read Building Transforms in IdentityNow and Operations in IdentityNow Transforms.

Important

Make sure the special characters * ( ) & ! are not used in the source attribute mapped to a username or alternative sign-in attribute. If the username or other sign-in attribute includes any of these special characters, the user associated with the identity may not be able to sign in to or otherwise access IdentityNow.

Mapping Identity Attribute Values

To map identity attributes to account attributes from the source:

  1. Open the identity profile you want to edit and select the Mappings tab. The Mappings panel contains a table with IdentityNow default identity attributes that are matched to attributes from the source. Match IdentityNow attributes to source attributes.

    Notes

    • You can make changes to these mappings, but the IdentityNow attributes Work Email, Last Name, and First Name must always be mapped to source attributes.
    • If you have Provisioning and you want to use lifecycle states to perform provisioning tasks, the Lifecycle State attribute must also be mapped to a source attribute.

  2. To map IdentityNow attributes to different source attributes:

    • Select the new source from the Source dropdown list, if needed.
    • Select the new source attribute from the Attribute dropdown list.
    • Select identity sources and source attributes for each IdentityNow attribute as needed. To unmap an attribute, select None from the Source dropdown list.
    • If you plan on using any functionality that requires users to have a manager, make sure the manager attribute is mapped correctly. Download an audit report so you can see which identities do not have managers.

  3. To make changes to a source value before applying it to your identities, select a transform or a rule.

    To select a transform, choose a source and an attribute, then open the Transform drop-down list and select the transform you want to use.

    To select a rule, choose Complex Data Source from the Source dropdown list and select a rule from the Transform drop-down menu. The following rules are available by default:

    • Cloud Calculate Identity Status - This rule calculates identity cloudStatus for the identity.
    • Cloud Calculate Internal Identity Status Rule - This rule also calculates identity cloudStatus for the identity.
    • Cloud Calculate Authentication Alias - This rule calculates any authentication aliases for the identity.

    For information about working with rules and transforms, refer to the IdentityNow Rules Guide and the transforms documentation.

Adding Identity Attributes

To add a new attribute for your site:

  1. Select Add New Attribute from the bottom of the Mappings tab.

  2. In the Add New Attribute dialog box, enter the name for the new attribute. The Name field only accepts letters, numbers, and spaces. The Technical Name field populates automatically with a camel case version of the name you typed in the Name field.

    The Name and Technical Name fields when adding a new attribute.

  3. Click OK to save and add the new attribute.

  4. Map the attribute to a source and source attribute as described in the mapping instructions in step 2 above.

Caution

You can delete custom attributes, but be mindful of where an attribute may be in use in your implementation and the implications of deleting it.

Verifying Mappings with Preview

Use preview to verify your mappings using your data:

  1. Select Preview from the upper right corner of the Mapping panel of an identity profile. The preview results show the new mappings in the selected identity profile. To return to the Mappings tab to make changes to the mappings, select the tab's back button.

  2. When you've finished mapping and reviewing your sources and attributes, select Save and then select Update in the bar at the top of the tab to apply all your changes.


Resolving Identity Exceptions

IdentityNow generates identity exceptions when you create a new source and then create an identity profile from that source. If an account on that source is missing values for one or more attributes that an identity requires, IdentityNow generates an identity exception.

To resolve these, complete the following steps:

  1. In the Admin interface, go to Identities > Identity Profiles.

  2. In the Identity Exceptions column, select either CSV or PDF to download the report. The CSV button downloads the report as a zip file.

  3. Review the report and determine which attributes are missing for the associated accounts.

  4. Edit the account in the source.

  5. Either manually aggregate the source again or wait for a regularly scheduled aggregation.

    IdentityNow automatically refreshes identities changed in aggregation, as described in Updating Identity Data, so you can be sure you're seeing and working with the latest identity data.

The Identity Exceptions reports become disabled once you successfully resolve the errors.
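A check you can run on a source export before aggregation, covering the data problems this page describes: the special characters * ( ) & ! in a sign-in attribute, empty values for the always-mapped attributes Work Email, Last Name and First Name, and missing or malformed email addresses. This is an added example, not part of the SailPoint documentation or product; the CSV column names, the sample rows and the `preflight` function are constructed for illustration, and the email test is only a loose shape check.

```python
import csv
import io
import re

# Characters the page says must not appear in a username or sign-in attribute.
FORBIDDEN_SIGNIN_CHARS = set("*()&!")
# Identity attributes the page says must always be mapped. The source column
# names on the right are assumptions made for this example.
REQUIRED_MAPPINGS = {"Work Email": "mail", "Last Name": "sn", "First Name": "givenName"}
SIGNIN_COLUMN = "sAMAccountName"  # assumed column mapped to the username
# Loose shape check (something@something.tld), not full address validation.
EMAIL_SHAPE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample export; not real account data.
SAMPLE_EXPORT = """sAMAccountName,givenName,sn,mail
jdoe,Jane,Doe,jane.doe@example.com
r&d.svc,Research,Service,rnd@example.com
mlee,Min,,min.lee@example.com
tkhan!,Tariq,Khan,tariq.khan
"""

def preflight(export_text):
    """Return {account: [problems]} for rows likely to cause sign-in
    failures or identity exceptions after aggregation."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        problems = []
        login = (row.get(SIGNIN_COLUMN) or "").strip()
        bad = sorted(FORBIDDEN_SIGNIN_CHARS & set(login))
        if bad:
            problems.append("sign-in attribute contains " + " ".join(bad))
        for identity_attr, column in REQUIRED_MAPPINGS.items():
            if not (row.get(column) or "").strip():
                problems.append(f"{identity_attr} ({column}) is empty")
        email = (row.get(REQUIRED_MAPPINGS["Work Email"]) or "").strip()
        if email and not EMAIL_SHAPE.match(email):
            problems.append("Work Email is not a valid-looking address")
        if problems:
            findings[login or "<blank>"] = problems
    return findings

if __name__ == "__main__":
    for account, problems in preflight(SAMPLE_EXPORT).items():
        print(account, "->", "; ".join(problems))
```

Fix the flagged accounts in the source itself, then aggregate again, as in steps 4 and 5 above.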

Deleting Identity Profiles

When you attempt to delete an identity profile, a warning message indicating the number of identities that came from that source is displayed, to help you understand the implications of deleting it. Deleting an identity profile will delete those identities and the accounts on the related source will become uncorrelated, unless another identity profile in your system also owns those accounts.

Before deleting an identity profile, verify that any associated identities are not source or app owners. If they are, you won't be able to delete the identity profile until those connections are removed.

To delete an identity profile:

  1. In the Admin interface, go to Identities > Identity Profiles.

  2. Select the check box next to the identity profile you want to delete.

  3. Under Actions, select Delete.