Premium IAM Features

The premium IAM features described in this section are only available through a subscription. For more information, contact a HERE account manager.

These features provide organizations with additional capabilities, such as more control of authentication and access, and can provide overrides to their default limits. These are typically used by companies that have specific needs beyond the capabilities provided by the HERE platform.

HERE account executive access

The HERE account executive sign-in feature allows authorized users who are assigned the Org Admin role to sign in to an organization using their Single Sign-On (SSO) credentials, which work in combination with HERE SSO.

Using this feature provides Org Admins with a way to verify that anyone from HERE who is managing a customer organization is an active employee of HERE and can authenticate using HERE SSO. This also allows HERE Support Admins to access customer organization accounts using HERE SSO. For more information, see Manage account executive access.

Single Sign-On (SSO)

The SSO feature allows customers to set their organization's authentication to use their identity provider (IdP) and validate their users against their own managed user list. Any user signing in to an organization set to SSO must authenticate against the customer-supplied IdP and is subject to the customer’s authentication policy. All users in the organization still need to be invited to the organization by an authorized user.

HERE currently supports the SAML 2.0 protocol for authenticating users against any trusted third-party identity provider, such as Okta, Entra, or Keycloak.

Users without the SSO subscription default to password-based login.

Limits for projects and roles

This feature provides an override of the default maximum limits for the number of projects and roles that a user can have. For each organization, the default number of projects a user can have is 50, and the default number of roles a user can have is 100. When calculating the number of roles, each role (for example, Org Admin or projectadmin) counts against the limit for that user.

This feature allows an organization to increase the number of projects a user can have to a maximum of 1000. If the number of projects exceeds 100, the number of roles a user can have must also increase, with a maximum role limit of 1000 (999 project-related roles + the user role).

Limits for number of apps

This feature provides an override of the default maximum limit (100) for the number of apps per user. Consult with a HERE account manager if you require more apps per user for your organization.

Secure mTLS (mutual Transport Layer Security) authentication

HERE supports mTLS for customers utilizing a large number of identities for their org in situations that require granular access control, streamlined onboarding, and enhanced security.

With this feature configured, customers can provide a Certificate Authority to their organization and register identities (vehicles and/or devices) with HERE.

Realms utilizing this feature must use the default Organization setting of “closed”, which requires all identities to have explicit access statements assigned before they can use resources subscribed to that organization. Such requirements are useful for organizations where a very large number of users or devices are enrolled and each identity requires a higher level of authentication with customized, granular access control.

This subscription feature comes with the new Certificate Authority manager (CA Manager) role type, which carries the authorization to upload and manage the CA for the organization.

In order for an mTLS-enabled realm to utilize the functionality, a Certificate Authority (CA) must be registered with HERE. The X.509-compliant CA can be generated from any trusted source and uploaded to HERE by a CA Manager. Due to the sensitivity of CA certificates, the CA can only be managed by a user with the CA Manager role. This role should be carefully controlled and assigned by the Org Admin of the organization.
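
The following Go program is an added example, not HERE code and not HERE's documented acceptance criteria. It applies generic X.509 rules a CA Manager could check before uploading a CA: the certificate is marked as a CA, can sign certificates, is within its validity period, and a device certificate chains to it for TLS client authentication. The function names (CheckCA, VerifyDevice, Issue) and the sample certificates are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CheckCA applies generic X.509 trust-anchor rules (an assumption, not HERE's published checks).
func CheckCA(ca *x509.Certificate, now time.Time) error {
	if !ca.BasicConstraintsValid || !ca.IsCA || ca.KeyUsage&x509.KeyUsageCertSign == 0 {
		return errors.New("not a CA: need basicConstraints CA:TRUE and keyUsage keyCertSign")
	}
	if now.Before(ca.NotBefore) || now.After(ca.NotAfter) {
		return errors.New("CA certificate is outside its validity period")
	}
	return nil
}

// VerifyDevice checks that a device certificate chains to ca and is valid for TLS client auth.
func VerifyDevice(ca, dev *x509.Certificate, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := dev.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// Issue builds a constructed sample certificate (errors ignored: fixed inputs); nil parent = self-signed.
func Issue(cn string, isCA bool, ku x509.KeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true, KeyUsage: ku,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil {
		parent, parentKey = t, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	c, _ := x509.ParseCertificate(der)
	return c, priv
}

func main() {
	ca, caKey := Issue("constructed-fleet-ca", true, x509.KeyUsageCertSign, nil, nil)
	dev, _ := Issue("constructed-vehicle-0001", false, x509.KeyUsageDigitalSignature, ca, caKey)
	fmt.Println("CA check:", CheckCA(ca, time.Now()), "device chain:", VerifyDevice(ca, dev, time.Now()))
}
```

A device certificate passed to CheckCA, or one verified against a different CA, returns an error instead of nil.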