Configuring IdentityNow as a Service Provider

You might already be using a single sign-on solution when you purchase IdentityNow. If you want to use SAML to authenticate into IdentityNow, you can use one of many SSO solutions as an identity provider and IdentityNow as a service provider.

For example, users authenticate to their identity provider and then federate into IdentityNow to perform tasks such as certifications or provisioning. IdentityNow never sees the user's password: the password check happens at the identity provider, and IdentityNow receives only a signed SAML assertion, which it verifies with the signing certificate you import below.

NOTES: 

  • The IdentityNow mobile app doesn't support the use of a third-party SSO solution as an identity provider and IdentityNow as a service provider.

  • This feature is not compatible with IdentityNow's Single Sign-On feature. If your site uses SSO, you won't see this menu.

 

PREREQUISITES:

  • Every user who will sign in through your identity provider must already have an identity in IdentityNow, and that identity must carry the same identifying data (for example, the e-mail address or username the identity provider sends as the SAML subject) as the user's record at the identity provider.

    To ensure that your users can authenticate into IdentityNow, load their IdentityNow accounts from the same source you used to load accounts into your identity provider, so that the attribute you later choose as the Identity Mapping Attribute holds identical values on both sides.
  • Obtain the following information from your identity provider:

    • The Entity ID
    • The Login URL for Post
    • The Login URL for Redirect
    • The Logout URL (optional)
    • The Signing Certificate
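All five values above are published in the identity provider's SAML 2.0 metadata document. The following script, added here as an example and not part of the IdentityNow documentation or product, reads such a document and maps it onto the five fields, converting the certificate into the PEM form the Signing Certificate import requires. The metadata embedded in the script is constructed for illustration: its entity ID, URLs and certificate body are placeholders, not a real identity provider.

```python
"""Pull the Identity Provider Settings that IdentityNow asks for (Entity ID,
Login URL for Post, Login URL for Redirect, Logout URL, Signing Certificate)
out of an identity provider's SAML metadata document, and write the
certificate in the PEM form the Signing Certificate import expects.

Added example; not part of the IdentityNow documentation or product. The
metadata below is constructed for illustration: the entity ID and URLs are
placeholders and the certificate body is a fake DER blob, not a real key.
"""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholder: a DER SEQUENCE header followed by zero bytes, wrapped
# across lines the way real metadata wraps the base64 body. Not a certificate.
_FAKE_CERT_B64 = "\n        ".join(
    textwrap.wrap(base64.b64encode(b"\x30\x82\x01\x00" + bytes(256)).decode(), 76)
)

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_FAKE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.com/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/saml/sso/post"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/saml/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def certificate_to_pem(b64_body: str) -> str:
    """Turn the base64 DER body of an X509Certificate element into PEM (64-char lines)."""
    der = base64.b64decode("".join(b64_body.split()), validate=True)  # drop the wrapping whitespace
    if not der.startswith(b"\x30"):  # a DER certificate is always an ASN.1 SEQUENCE
        raise ValueError("X509Certificate body is not DER-encoded")
    lines = textwrap.wrap(base64.b64encode(der).decode("ascii"), 64)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def extract_idp_settings(metadata_xml: str) -> dict:
    """Map an IdP metadata document onto the IdentityNow Identity Provider Settings fields."""
    root = ET.fromstring(metadata_xml)
    # Some IdPs publish an EntitiesDescriptor wrapper; take the first entity inside it.
    entity = root if root.tag == f"{{{NS['md']}}}EntityDescriptor" else root.find(".//md:EntityDescriptor", NS)
    idp = entity.find("md:IDPSSODescriptor", NS) if entity is not None else None
    if idp is None:
        raise ValueError("metadata does not describe a SAML 2.0 identity provider")

    def location(service: str, binding: str):
        for svc in idp.findall(f"md:{service}", NS):
            if svc.get("Binding") == binding:
                return svc.get("Location")
        return None

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no use attribute is valid for signing and encryption alike.
        if kd.get("use") in (None, "signing"):
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                certs.append(certificate_to_pem(cert.text))

    settings = {
        "entity_id": entity.get("entityID"),
        "login_url_post": location("SingleSignOnService", POST),
        "login_url_redirect": location("SingleSignOnService", REDIRECT),
        # IdentityNow only redirects the browser here; it sends no LogoutRequest (no SLO support).
        "logout_url": location("SingleLogoutService", REDIRECT) or location("SingleLogoutService", POST),
        "signing_certificates_pem": certs,
        "name_id_formats": [e.text.strip() for e in idp.findall("md:NameIDFormat", NS) if e.text],
    }
    # Fields the Service Provider page cannot do without; the Logout URL is optional.
    settings["missing"] = [k for k in ("entity_id", "login_url_post", "login_url_redirect") if not settings[k]]
    if not certs:
        settings["missing"].append("signing_certificate")
    return settings


if __name__ == "__main__":
    for key, value in extract_idp_settings(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Export the metadata from your identity provider's console (or fetch it from the metadata URL over HTTPS) and pass the text to extract_idp_settings. If the output lists more than one signing certificate, the identity provider is in the middle of a key rotation: import the certificate it is signing with today, and plan to import the other one before it switches.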

 

Complete the following steps:

1. From the Admin interface, go to Global > Security Settings > Service Provider.

2. Leave the Enable Remote Identity Provider option unchecked until you have entered correct values for the Identity Provider Settings below and imported the signing certificate. Once the option is enabled, every ordinary user sign-in is redirected to the identity provider, so an incorrect value locks those users out until it is fixed.

3. We recommend you leave the Bypass Identity Provider option unchecked so that your users will always be required to sign in from your identity provider before they can authenticate into IdentityNow. (Users will not be prompted for registration or strong authentication information in IdentityNow.)

No matter what you select here, admins, helpdesk users, and dashboard users can always sign in directly to IdentityNow by appending ?prompt=true to your IdentityNow sign-in URL. For example, if an admin visits https://acme.identitynow.com/login/login?prompt=true , they'll see the IdentityNow sign-in page and must sign in with their own IdentityNow password. This is useful if, for example, the identity provider is temporarily unavailable. Because this path never touches your identity provider, those IdentityNow passwords are a standing way into the tenant that your identity provider's controls do not cover; treat them as privileged credentials.

CAUTION: If you select Bypass Identity Provider, users can either:

4. Under Identity Provider Settings, enter the following:

  • Entity ID - the unique entity ID of your identity provider. The value you enter here must exactly match the entityID in the SAML metadata supplied by your identity provider. It is usually a URI, and scheme, case, and any trailing slash all count, because IdentityNow uses it to recognize the issuer of the assertions it receives.

  • Login URL for Post - the identity provider endpoint to which IdentityNow sends the authentication request when the HTTP-POST binding is selected

  • Login URL for Redirect - the identity provider endpoint to which IdentityNow sends the authentication request when the HTTP-Redirect binding is selected

  • (Optional) Logout URL - the URL to which IdentityNow redirects the browser after a user signs out of IdentityNow or their session expires. This is a plain redirect, not a SAML LogoutRequest: it does not end the user's session at the identity provider (IdentityNow does not support Single Logout; see the note at the end of this article).

NOTE: All IdentityNow sessions authenticated using an identity provider automatically expire after 90 days.

5. Click Save to save your changes.

6. If needed, make changes to the following options in SAML Request Options.

  • Identity Mapping Attribute - the IdentityNow identity attribute that is compared with the subject (NameID) of the incoming SAML assertion to find the user. Its value must match the data your identity provider sends exactly (see Prerequisites).

    NOTE: If you select a custom identity attribute, that attribute must be searchable. See API to Extend Customizable Correlation Attributes for instructions.
  • SAML NameID - the NameID format your identity provider expects to return in its assertions (for example, email address). The value returned in that format is what is matched against the Identity Mapping Attribute.

  • SAML Binding - Post or Redirect. This selects which of the two login URLs above the authentication request is sent to, and with which binding.

  • Choose one of the following options:

    • In Authentication Context, specify the authentication context class (for example, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport) that the identity provider is required to use. If the identity provider cannot satisfy it, it typically returns an error status instead of an assertion, and authentication fails.

    • Select the Exclude Requested Authentication Context check box if you don't need to require a particular authentication context. The authentication request is then sent without a RequestedAuthnContext element, and the identity provider chooses how to authenticate the user.

7. Under Signing Certificate, click Import and select the signing certificate from its location on your device.

IMPORTANT: The certificate you upload must be in PEM format.

The Certificate Name and Certificate Expires fields are populated automatically. IdentityNow uses this certificate to verify the signature on the assertions your identity provider sends, so import the certificate your identity provider signs with, not one of your own. Watch the Certificate Expires date: when the identity provider rotates its signing key, you must import the new certificate here before the identity provider starts signing with it, or sign-ins will fail.

8. Check the Enable Remote Identity Provider option at the top of the page.

9. Under Hosted Service Provider, copy the Entity ID and SAML URL into your identity provider's configuration for this service provider. The Entity ID is what IdentityNow sends as the issuer of its requests, and the SAML URL is the endpoint to which the identity provider must send its SAML responses.

If your identity provider allows you to upload service provider metadata, you can download the metadata here and upload it to your identity provider instead of entering the values by hand.

10. Click Save to ensure all settings are saved.


Test this feature by completing the following steps:

1. Sign out of your IdentityNow account and go to the sign in page for your org.

IMPORTANT: Ensure that you have removed ?prompt=true from the end of your URL.

You are redirected to your identity provider.

2. Sign in to your identity provider.

You are automatically redirected to IdentityNow and authenticated.


If any part of this test fails, you might have an error in your configuration. Verify that you have completed all fields described here correctly.

Once the feature is enabled, users who navigate to IdentityNow are redirected to your identity provider and, after signing in there, are automatically authenticated into IdentityNow.

If authentication fails for any reason (for example, the assertion's signature does not verify against the imported certificate, or its NameID matches no identity), the user is redirected to an error page.
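When the test fails, the quickest way to see what IdentityNow actually sent is to decode the SAMLRequest parameter from the redirect (from the address bar for the Redirect binding, or from the hidden form field for the Post binding) and compare it with the options chosen in step 6. The script below, an added example that is not part of the IdentityNow documentation or product, does that round trip on a constructed AuthnRequest; the issuer, ACS path and identity provider URLs in it are placeholders, not real IdentityNow or identity-provider endpoints.

```python
"""Decode the SAMLRequest that IdentityNow sends the identity provider during
the sign-in test and compare it with the SAML Request Options chosen in step 6
(SAML Binding, SAML NameID, Authentication Context).

Added example; not part of the IdentityNow documentation or product. The
AuthnRequest below is constructed for illustration, and every URL in it (the
acme.identitynow.com issuer and ACS path, the idp.example.com login URLs) is a
placeholder, not a real IdentityNow or identity-provider endpoint.
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example-1" Version="2.0" IssueInstant="2021-01-15T11:23:00Z"
    Destination="https://idp.example.com/saml/sso/redirect"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://acme.identitynow.com/saml/acs">
  <saml:Issuer>https://acme.identitynow.com/saml/sp</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="false"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def encode_redirect(xml_text: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode (the ?SAMLRequest= value)."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = compressor.compress(xml_text.encode("utf-8")) + compressor.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def encode_post(xml_text: str) -> str:
    """HTTP-POST binding: base64 only (the value of the hidden SAMLRequest form field)."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def decode_saml_request(value: str, binding: str) -> str:
    """Reverse the encoding of a SAMLRequest copied from the address bar (Redirect) or form field (Post)."""
    if binding == REDIRECT:
        raw = zlib.decompress(base64.b64decode(urllib.parse.unquote(value)), -15)
    elif binding == POST:
        raw = base64.b64decode(value)
    else:
        raise ValueError(f"unknown binding {binding!r}")
    return raw.decode("utf-8")


def describe_authn_request(xml_text: str) -> dict:
    """Pull out the fields a troubleshooter compares with the Service Provider page."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer = root.find("saml:Issuer", NS)
    policy = root.find("samlp:NameIDPolicy", NS)
    context = root.find("samlp:RequestedAuthnContext/saml:AuthnContextClassRef", NS)
    return {
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,  # SP Entity ID
        "destination": root.get("Destination"),  # the Login URL selected by SAML Binding
        "acs_url": root.get("AssertionConsumerServiceURL"),  # where the IdP must post its response
        "nameid_format": policy.get("Format") if policy is not None else None,  # SAML NameID option
        # None when Exclude Requested Authentication Context is selected
        "authn_context": context.text.strip() if context is not None and context.text else None,
    }


def check_against_settings(described: dict, expected: dict) -> list:
    """Return one line per field where the live request disagrees with the configured value."""
    return [
        f"{key}: request has {described.get(key)!r}, expected {want!r}"
        for key, want in expected.items()
        if described.get(key) != want
    ]


def demo() -> list:
    """Round-trip the constructed request through the Redirect binding and check it."""
    param = encode_redirect(SAMPLE_AUTHN_REQUEST)
    described = describe_authn_request(decode_saml_request(param, REDIRECT))
    expected = {  # what the step 6 options were set to for this example
        "destination": "https://idp.example.com/saml/sso/redirect",  # SAML Binding = Redirect
        "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "authn_context": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    }
    return check_against_settings(described, expected)


if __name__ == "__main__":
    for line in demo() or ["request matches the configured SAML Request Options"]:
        print(line)
```

To use this on a real failure, copy the SAMLRequest value from the browser's developer tools before the identity provider responds, pass it to decode_saml_request with the binding you configured, and feed the result to describe_authn_request; then fill expected with the values you saved on the Service Provider page. A Destination that is not the identity provider's endpoint for the selected binding, a NameID format the identity provider does not issue, or an authentication context it cannot satisfy are the usual reasons the identity provider rejects the request before the user ever sees a sign-in page.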


NOTE:
IdentityNow does not support SAML Single Logout (SLO). Signing out of IdentityNow does not end the user's session at the identity provider (the optional Logout URL is only a browser redirect), and signing out at the identity provider does not end an active IdentityNow session. Where that matters, end the identity provider session separately, or rely on the IdentityNow session lifetime.


Last update: Jan 15, 2021 11:23 AM