Enabling the possibility to log into OnApp through Identity Provider involves two stages:
Add IdP Instance on CP
It is important to access OnApp CP via HTTPS before the following steps, to ensure the links containing in the Metadata file are correct.
To add a new Identity Provider instance, follow these steps:
- Go to your Control Panel > Admin > Settings > Authentication tab.
- Click New SAML Id Provider or a ''+" icon.
Fill in the fields in the new window:
Idp sso target url and Idp cert are given by the Identity Provider. Idp cert fingerprint will be calculated by the system.
- Enabled - move the slider to the right to enable this identity provider at the login screen
- Show on login page – move the slider to the right to show a SAML provider on the login page
- Name - enter the name of the identity provider
- Icon - select the icon file, which will be displayed on the login page
- Issuer - the name of the service provider; by default - the address of your OnApp Control Panel
- Idp sso target url - the URL to which the login authentication request should be sent
- Idp slo target url - the URL to which the logout request should be sent
Idp cert - the identity provider's certificate in PEM format
Nameid format - specify a format of name identifier according to the Oasis SAML specification
It is required that the IdP assertions are encrypted and there is a decrypting private key added to OnApp. The key will be used to sign the Single Logout requests.
Upload the Service Provider certificate and key:
Private key - private key of the service provider in PEM format
Certificate - the service provider's certificate in x509 format
Fill in the keys for attributes mapping.
If the SAML Identity Provider does not send the user's email as name_id in response, the user needs to fill in the User email key when configuring an ID provider.
These keys are the names of attributes of the third-party system users that will be synchronized with OnApp. See Attributes Mapping Configuration for more details.
Required Attributes Mapping
- User bucket key - the key to assign the user to a particular bucket under which this user will be billed
- OnApp Key - the key that enables the import and synchronization of user attributes during every login to OnApp; third-party system users who are not yet registered in OnApp will not be created without this key
- User email key - the email of the user
- User name key - login name of the user that cannot be changed or synchronized after creating. If this key is missing, the email address will be utilized as a login name for the user.
First name key - the key for the first name of the user
Last name key - the key for the last name of the user
- Locale key - the key for the language in which OnApp Cloud UI will be available to the user
- System theme key - the key for one of the default system themes in which OnApp Cloud UI will be available to the user
- Display infoboxes key - the key that enables or disables the display of infoboxes to the user
- Disable auto suspend key - the key that enables or disables auto-suspending of the user
- Suspend after key - the key that indicates the period of time in hours after which the user will be suspended
- Suspend at key - the key that indicates the date and time when the user will be suspended
- User group key - the group attribute to assign the user to a particular group
- Roles key - the key of the role attribute that will create/sync the user's role in OnApp
- Time zone key - the key of the time zone to which the user will be associated
- Click Save button.
Configure Service Provider
Besides adding the IdP instance, the Identity Provider must also configure the SP instance in their system. To simplify this configuration process, the Identity Provider may use the SP metadata as follows:
- Upon creation, you will be redirected to the page with details of the Identity Provider. At the bottom of the page, you will see the Link to Metadata.
- Copy this link and submit it to the Identity Provider in the Select Data Source menu.
- In the Claim Rules menu, create a new rule by clicking Add Rule and select Transform an Incoming Claim as the template.
- Select E-mail Address as the Incoming Claim Type.
- For Outgoing Claim Type, select Name ID.
- For Outgoing Name ID Format, select Email.
Now, this identity provider may be selected on the login page.