Hi all,
we’re integrating Ping Identity (single IdP) with SailPoint Identity Security Cloud and want to use SAML Just-in-Time (JIT) Provisioning for identity creation.
Constraint: 1 Ping Identity IdP + 1 SAML JIT provisioning source (authoritative) for identities
Need: assign two NERM Lifecycle roles automatically, e.g.:
- Lifecycle role 1
- Lifecycle role 2
Goal: when a user logs in via SSO:
- create the identity JIT if it doesn’t exist (or correlate if it does)
- assign Lifecycle role 1 or Lifecycle role 2 based on attributes/groups in the SAML assertion
With a single JIT provisioning source, what is the recommended way to auto-assign one of two Lifecycle roles from the SAML assertion?
Is the expected approach to drive role assignment via SAML groups claim + NERM directory group mapping?
Any gotchas around correlation/unique identifier (NameID) when using one JIT source?
Thanks!
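To make the decision logic in the question concrete, here is an added example (my own illustration, not code from the post, SailPoint or Ping): it parses a constructed SAML assertion, takes NameID as the correlation key, rejects a transient NameID (which changes per session and so cannot correlate), and maps a "groups" claim to exactly one of the two Lifecycle roles. The attribute name "groups", the IdP group names and the mapping table are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed (hypothetical) mapping of IdP group names to the two Lifecycle roles.
GROUP_TO_ROLE = {
    "contractors": "Lifecycle role 1",
    "partners": "Lifecycle role 2",
}

# Constructed sample assertion; a real one is signed and carries more elements.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>contractors</saml:AttributeValue>
      <saml:AttributeValue>all-staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (name_id, name_id_format, groups) from an assertion document."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID; cannot correlate identity")
    fmt = name_id.get("Format", "")
    if fmt.endswith(":transient"):
        raise ValueError("transient NameID is per-session and unusable as a correlation key")
    groups = set()
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "groups":  # assumed claim name
            groups.update((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return name_id.text.strip(), fmt, groups


def pick_lifecycle_role(groups):
    """Map the groups claim to exactly one role; no match or two matches is an error, not a default."""
    matched = sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})
    if len(matched) != 1:
        raise ValueError(f"expected exactly one mapped group, got {matched or 'none'}")
    return matched[0]


def provision_decision(xml_text):
    """What a JIT step would act on: the correlation key plus the single role to assign."""
    name_id, fmt, groups = parse_assertion(xml_text)
    return {"correlation_key": name_id, "name_id_format": fmt, "role": pick_lifecycle_role(groups)}
```

Failing closed on an ambiguous or missing group claim is deliberate: a user placed in both IdP groups should surface as a data problem rather than silently receive whichever role sorts first.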