Prohibit contractors from logging in to IIQ

Which IIQ version are you inquiring about?

8.4

Share all details related to your problem, including any error messages you may have received.

Customer wants to prohibit contractors from logging in to SailPoint IIQ. Is there any method by which we can prohibit this? They are using pass-through authentication with AD but not SSO.

1 Like

Hi @lweisz

You can create a second AD application that points to the same Active Directory, with just a very limited set of attributes on the schema and an iterate search filter that ignores any contractor accounts. Then only that second AD instance is used for pass-through authentication, but it is ignored for LCM provisioning and excluded from access reviews.

Thanks

1 Like
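As an added illustration (not part of the reply above or of any SailPoint documentation), this is what the `searchDNs` entry of such a second Active Directory Application object could look like in IIQ, with an iterate search filter that skips contractor accounts. The base DN is a placeholder, and the filter assumes the AD attribute `employeeType` carries the value `Contractor`; as the thread later notes, such a marker may not exist in every directory, in which case some other distinguishing attribute or OU has to be used.

```xml
<!-- Added example, not from the thread. Fragment of the attributes map of a
     second AD Application used only for pass-through authentication.
     Assumptions: base DN is a placeholder; contractors are flagged by
     employeeType=Contractor in AD. Accounts that the filter excludes are never
     aggregated into this application, so they cannot authenticate through it. -->
<entry key="searchDNs">
  <value>
    <List>
      <Map>
        <entry key="searchDN" value="OU=Users,DC=example,DC=com"/>
        <entry key="searchScope" value="SUBTREE"/>
        <entry key="iterateSearchFilter"
               value="(&amp;(objectCategory=person)(objectClass=user)(!(employeeType=Contractor)))"/>
      </Map>
    </List>
  </value>
</entry>
```

Note that `&` must be written as `&amp;` inside the XML attribute value; the filter itself is a standard LDAP filter. After importing the application, verify by aggregating it and checking that no contractor links appear before enabling it in the Login Configuration.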

One solution I can think of now is to create a workgroup, add a sample capability, and add all the non-contractors to it, so that they can access all or some features of SailPoint.
When a contractor logs in, they will only get the basic (sandbox-type) features of SailPoint.

2 Likes

You can use the SailPoint IIQ loopback connector to set the accounts of all contractors to inactive. Inactive accounts do not have the ability to log in to IIQ. However, it is worth asking whether this action might impact other aspects related to the identity lifecycle. I have not checked if there is a direct attribute that prevents logging in; it probably exists, but as I mentioned, I have not verified it.

2 Likes

Hi @lweisz

Switch to a SAML SSO configuration with an IdP, then manage the user access with group membership. Assign a role to all identities that require the access, except for contractors.

2 Likes

Thanks for all the help. The second AD connector doesn’t work because we can’t determine the contractor users in AD. We can set up IIQ so that contractors cannot do anything after logging in, but the specific request from the customer was to prevent contractors logging in.

Do you have any experience with the activity policy? I have tried to manage login activity but to no avail. Or is the activity policy for something else?

It may impact other processes for such inactive users, like access certification, the leaver process, etc.

1 Like