Hi everyone,
I’m working on the authentication setup for the NERM platform (e.g., acme-sb.nonemployee.com and acme.nonemployee.com) and I’d like to clarify a couple of architectural points before proceeding.
Specifically, I’m trying to understand:
NERM vs. ISC IdentityNow dependency: For users to log in to acme-sb.nonemployee.com and acme.nonemployee.com, do they necessarily need an identity in the corresponding ISC IdentityNow tenants (acme-sb.identitynow.com and acme.identitynow.com), or can NERM support local-only accounts (i.e., users managed exclusively within NERM without an upstream IdentityNow identity)?
SAML 2.0 with PingOne as Identity Provider: Does NERM support using PingOne as a SAML 2.0 IdP? If yes, is it possible to include in the SAML assertion attributes/claims representing the user’s group memberships (e.g., AD groups exposed via PingOne) and leverage them for an automatic mapping to NERM roles (group-to-role mapping), so that when the user logs in they are automatically assigned the corresponding NERM roles based on their groups?
Quick context: we have separate sandbox and PROD environments and we’d like to keep authorization consistent via group-based access control, minimizing manual provisioning/role assignment activities.
If anyone has implemented a similar setup (or can point me to official docs/best practices), I’d really appreciate your guidance.
@psalat8887100 NERM supports SSO for collaborators: you can create an SSO configuration and pass the specific group attribute so that the collaborator can log in using the collaborator portal.
However, to access NERM as an admin you need to have an identity in ISC with admin roles, and as you access NERM it creates your user using JIT inside NERM, allowing you to access NERM.
In order to bypass ISC and log in directly, I think only local login is possible; for SSO login, it is tied to the ISC SSO config only.
However, the original query appears to be about Lifecycle (non-collaboration) users. NERM is fully connected to ISC for authentication. Each NERM User is required to be linked to an ISC Identity.
When a user logs into ISC with a local account and navigates to NERM, we pull the Display Name, Work Email, Username, and User Level data from their ISC Identity. These are passed into NERM and map to the Name, Email, Login, and Groups values (respectively) on the Lifecycle User account in NERM.
So, if the ISC account has the Admin User Level, they are granted the ORG_ADMIN Group in NERM, which can be mapped to a User Role. Custom User Levels assigned to an Identity will have the ID value of the User Level sent as a group.
When a user logs into ISC with SSO and navigates to NERM, we pull the Display Name, Work Email, Username, and User Level data from their ISC Identity. The groups claim from the SSO SAML POST is merged with the User Levels, and they are all sent as Groups to NERM, along with the mapped Name, Email, and Login (respectively) for the Lifecycle User account.
There is now also the option to use Identity Security Cloud Entitlements for Roles in NERM. There is a toggle in NERM under Admin > System > Authentication > ISC Authentication. Enabling that will ignore the SSO SAML Groups claim and only take the User Levels and Entitlements from the ISC Identity as Groups to map to User Roles. This requires a Non-Employee Risk Management Users source to be configured to ensure Entitlements are assigned correctly.
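The ISC-to-NERM attribute flow described in the reply above, modelled as an added Python example (this is illustrative code written for this thread, not SailPoint's implementation). The `"ADMIN"` user-level name, the `isc_entitlements_mode` flag, and all sample identity values are assumptions; only the mapping rules (Admin level to ORG_ADMIN, custom levels sent by ID, SAML groups merged unless the ISC Authentication toggle is on) come from the reply.

```python
from dataclasses import dataclass, field

ORG_ADMIN = "ORG_ADMIN"  # group NERM grants to an Admin User Level (per the reply)


@dataclass
class IscIdentity:
    display_name: str
    work_email: str
    username: str
    user_levels: list            # assumed: "ADMIN" or a custom User Level ID
    entitlements: list = field(default_factory=list)


def user_level_groups(levels):
    """Admin User Level becomes ORG_ADMIN; custom levels are sent by their ID."""
    return [ORG_ADMIN if lvl.upper() == "ADMIN" else lvl for lvl in levels]


def lifecycle_user_attributes(identity, saml_groups=None, isc_entitlements_mode=False):
    """Build the NERM Lifecycle User attributes from the ISC identity.

    saml_groups is the groups claim from the SSO SAML POST (None for local login).
    isc_entitlements_mode models the Admin > System > Authentication toggle: when
    on, the SAML groups claim is ignored and ISC Entitlements are added instead.
    """
    groups = user_level_groups(identity.user_levels)
    if isc_entitlements_mode:
        groups += identity.entitlements
    elif saml_groups:
        groups += saml_groups
    deduped = []
    for g in groups:                       # keep order, drop repeats
        if g not in deduped:
            deduped.append(g)
    return {
        "name": identity.display_name,
        "email": identity.work_email,
        "login": identity.username,
        "groups": deduped,
    }


def map_roles(groups, group_to_role):
    """Resolve NERM User Roles from Groups; unmapped groups grant nothing."""
    return sorted({group_to_role[g] for g in groups if g in group_to_role})
```

Comparing the `groups` output for the same identity with and without `isc_entitlements_mode` shows which SAML groups stop contributing roles once the toggle is enabled.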