SSO Integration Between SailPoint NERM and Entra ID
This guide provides a comprehensive walkthrough to configure Single Sign-On (SSO) between SailPoint NERM, acting as the Service Provider (SP), and Entra ID (formerly Azure Active Directory), serving as the Identity Provider (IDP). The demonstration described here was conducted on a developer or demo tenant with full admin access to configure all necessary settings.
Prerequisites
Before proceeding, ensure the following prerequisites are met:
SailPoint NERM Instance:
Access to a properly configured and operational SailPoint NERM instance.
Note: Most users will not have admin access to the customer’s NERM tenant. Coordination with the SP team is required to complete the NERM-side configuration.
Entra ID Tenant:
Administrator access to an active Entra ID tenant.
Note: For production environments, you may need to collaborate with the Entra Admin team to configure settings. This demonstration assumes admin-level access to the Entra tenant.
SSO Configuration Details:
Obtain metadata or endpoint details from the SailPoint NERM SSO Configuration tab.
Step 1: Configure Entra ID as the Identity Provider (IDP)
1.1 Register the Application in Entra ID
- Log in to the Azure Portal.
- Navigate to Azure Active Directory > App Registrations and click on New Registration.
- Provide the following details:
- Name: Enter a recognizable name (e.g., “SailPoint NERM SSO”).
- Supported Account Types: Choose the appropriate option based on your requirements.
- Redirect URI: Use the SSO endpoint provided by SailPoint NERM (e.g., https://<NERM_instance>/sso/acs).
https://demo.portal.mynonemployee.com/saml/consume
Note: The Assertion Consumer Service URL is located under the NERM SSO Configuration tab. If not accessible, contact SailPoint support to retrieve this information.
If you have configured portals for different profile types, add their ACS URLs here as well. For example, if you have created a portal for the VENDOR profile type with the name vendor, add the following:
https://demo.portal.mynonemployee.com/vendor/saml/consume
- Click Register.
1.2 Configure SAML in the Application
- Open the newly created application and navigate to Single Sign-On.
- Select SAML as the SSO method.
- In the Basic SAML Configuration section:
Identifier (Entity ID) : Enter the Entity ID provided by SailPoint NERM.
SecZetta
Note: The name of the application created above can differ from the SP Entity ID (as defined in NERM). For example, the application name can be NERM Entra SSO while the Entity ID in NERM is SecZetta or NERM. Just make sure that the value defined in NERM is the same as the value entered under the SAML Configuration on Entra ID.
Reply URL (Assertion Consumer Service URL) : Enter the ACS URL from SailPoint NERM.
https://demo.portal.mynonemployee.com/saml/consume
Note: Copy the value as defined under the SSO Configuration in NERM.
1.3 Define Attributes & Claims
- Click Attributes & Claims. Click on “Add new Claim”.
For Passing User Attributes in SAML Response
To include identity attributes in the SAML responses, navigate to the Attributes & Claims section and click on Add New Claim. Ensure that the claim names you define match the attribute names specified on the Service Provider (SP) side. This ensures seamless integration and accurate mapping of identity information.
The screenshot below shows the attributes expected in the SAML response by the Service Provider.
NERM SSO Configuration
To send groups, click “Add a group claim” and use a custom name.
For Group Claims
- Use a custom name for group claims and define the name accordingly.
- Note: The custom name here must match the name defined in the NERM SSO Configuration.
In the SAML response, the group object IDs will appear instead of group names. For example, the group “Tester” may display as an object ID like 7524c1c1-2761-4a29-9ec2-443c52922404. This occurs because group claims in Entra ID are mapped by the Group ID as the source attribute.
Users are assigned roles based on their groups or entitlements in your Identity Provider (IDP), such as Entra ID. Every time a user authenticates via the IDP (whether through Identity Security Cloud or directly), the Non-Employee Risk Management system receives a list of the user’s entitlements. If any of these match the groups required for a specific role, the corresponding role is assigned to the user within the system.
Reference:
Managing Lifecycle User Roles - SailPoint Non-Employee Risk Management Admin Help
- Save the configuration.
1.4 Export IDP Metadata
- In the SAML Signing Certificate section, click Download for the Federation Metadata XML file.
- Note down the Login URL, which will be used as the IDP SSO URL in SailPoint NERM.
https://login.microsoftonline.com/8212568f-2356-46dd-bc1f-9f6155beb318/saml2
Step 2: Configure SailPoint NERM as the Service Provider (SP)
2.1 Access SSO Settings in SailPoint NERM
- Log in to your SailPoint NERM instance as an administrator.
- Navigate to System > Authentication > SSO.
https://demo.mynonemployee.com/admin/saml_settings
2.2 Enter IDP Details
- In the Identity Provider Configuration section:
- IDP Metadata: Upload the Federation Metadata XML file downloaded from Entra ID, or manually input the required details:
- IDP Entity ID: Found in the metadata file.
https://sts.windows.net/8212568f-2356-46dd-bc1f-9f6155beb318/
Note: This should match the value shown in the figure above against Microsoft Entra Identifier.
- IDP Login URL: Use the Login URL from Entra ID.
https://login.microsoftonline.com/8212568f-2356-46dd-bc1f-9f6155beb318/saml2
Note: This should match the value shown in the figure above against Login URL.
- Signing Certificate: Upload the certificate from the metadata file.
Note: This is the certificate that was downloaded under the SAML Signing Certificate section.
- Click Save (at Top Right) to save the configuration.
2.3 NERM (Service Provider) Details
SP Entity ID: The unique identifier for SailPoint NERM.
SecZetta
SP Assertion Consumer Service (ACS) URL: The endpoint for handling SAML assertions (e.g., https://<NERM_instance>/sso/acs).
SP Certificate: Download and share the public certificate from SailPoint NERM with Entra ID.
2.4 Define User Role Mapping (mapped with Groups Claims) in NERM
Here is an example of how User Roles in NERM are mapped to Groups in Entra ID.
As shown here, you can map either the group name or the group object ID. You can create custom roles in your IDP tenant to manage user access to parts of your NERM tenant, and to assign users in bulk to manage profiles. They are also used to grant users access to the admin console.
3. Test the SSO Integration
3.1 Assign Users in Entra ID
- In the Azure Portal, navigate to Enterprise Applications > SecZetta > Users and Groups.
- Assign users or groups who need access to SailPoint NERM.
3.2 Test SSO Login
- Open SailPoint NERM and attempt to log in using the SSO option.
- You should be redirected to Entra ID for authentication.
- After successful authentication, you should be redirected back to SailPoint NERM and logged in.
- Alternatively, you can use Test Single sign-on with SecZetta in Entra ID to test the SSO login.
4. Troubleshooting
4.1 Login Fails at Entra ID
- Ensure the user is assigned to the application in Entra ID.
- Verify the login URL and credentials.
4.2 Login Fails at SailPoint NERM
- Check the ACS URL and Entity ID configurations.
- Validate that the certificate matches between the SP and IDP.
4.3 SAML Response Errors
Use debugging tools like browser developer tools or SAML-tracer plugins to analyze the SAML response and identify mismatches.
Here is a working SAMPLE SAML Response for reference:
You can use the online tool below to decode a SAML Response: SAML Decoder - Online SAML Request-Response Decode Tool - Base64 - Inflate
4.4 Decoded SAML Response
Note: The values highlighted in green in the original screenshot are the key pieces of information that should be verified and matched in case of any issue.
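The checks from 4.3 and 4.4 together with the group-to-role rule from 1.3 and 2.4, as an added Python example that is not SailPoint's or Microsoft's code: it decodes a SAMLResponse the way the online decoder does (base64, then inflate for the Redirect binding), extracts the Issuer, Destination, StatusCode, Audience and group claim values, compares them against the NERM-side settings, and grants a role when any of its required group object IDs appears in the claim. The sample response is constructed and unsigned; the tenant ID and second group ID are placeholders, the first group ID is the “Tester” group from the page, and signature verification is not shown.

```python
import base64, zlib
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed, unsigned sample (not the page's response); tenant id and second group id are placeholders.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 Destination="https://demo.mynonemployee.com/saml/consume">
 <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0"><saml:Subject><saml:NameID>tester@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>SecZetta</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="groups">
   <saml:AttributeValue>7524c1c1-2761-4a29-9ec2-443c52922404</saml:AttributeValue>
   <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def encode_saml_response(xml_text: str, deflate: bool = False) -> str:
    """Base64 (POST binding) or raw-deflate+base64 (Redirect binding); used to round-trip the sample."""
    data = xml_text.encode()
    if deflate:
        comp = zlib.compressobj(wbits=-15)  # raw DEFLATE, no zlib header
        data = comp.compress(data) + comp.flush()
    return base64.b64encode(data).decode()

def decode_saml_response(encoded: str) -> str:
    """What the online decoder does: base64-decode, then inflate unless it is already XML."""
    raw = base64.b64decode(encoded)
    return raw.decode() if raw.lstrip().startswith(b"<") else zlib.decompress(raw, -15).decode()

def parse_response(xml_text: str, group_claim: str = "groups") -> dict:
    """Extract the fields the troubleshooting section says to compare with the NERM settings."""
    root = ET.fromstring(xml_text)
    attr = root.find(f".//saml:Attribute[@Name='{group_claim}']", NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),          # IDP Entity ID
        "destination": root.get("Destination"),                          # ACS URL
        "status": root.find("samlp:Status/samlp:StatusCode", NS).get("Value"),
        "audience": root.findtext(".//saml:Audience", namespaces=NS),    # SP Entity ID
        "groups": [] if attr is None else [v.text for v in attr.findall("saml:AttributeValue", NS)],
    }

def find_mismatches(parsed: dict, expected: dict) -> list:
    """Keys whose value in the response differs from the NERM-side configuration."""
    return [k for k, v in expected.items() if parsed.get(k) != v]

def assign_roles(groups, role_map: dict) -> set:
    """NERM-style mapping: grant a role if any of its required group ids is in the claim."""
    return {role for role, needed in role_map.items() if set(needed) & set(groups)}
```

Because the group claim carries object IDs rather than names, the role map must list the object IDs (or the claim must be configured to emit names) for the mapping to match.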