To see the list of Identity Providers and manage them:

  1. Go to your Control Panel > AdminSettings > Authentication icon. You will see all SAML IdPs available in your cloud with their key details:
    • Name - the name of the Identity Provider
    • IdP SSO Target Url - the URL to which the authentication request is sent
    • Status - either active or disabled
    • Actions - click the button to edit, delete or access metadata of this Identity Provider
  2. To see more detailed description of the Identity Provider, click its label.
  3. To enable or disable IdP, go to the Edit screen. 

Edit SAML ID Provider

To edit Identity Provider instance, do the following:

  1. Go to your Control Panel > AdminSettings > Authentication icon.
  2. Click the Actions button next to the Identity Provider you want to edit, then click Edit.
  3. Fill in the fields in the new window:

    Idp sso target url and Idp cert are given by the Identity Provider. Idp cert fingerprint will be calculated by the system.
    • Enabled - move the slider to the right to enable this identity provider at the login screen
    • Show on login page – move the slider to the right to show a SAML provider on the login page
    • Name - enter the name of the identity provider
    • Icon - select the icon file, which will be displayed on the login page 
    • Issuer - the name of the service provider; by default - the address of your OnApp Control Panel
    • Idp sso target url - the URL to which the login authentication request should be sent
    • Idp slo target url - the URL to which the logout request should be sent
    • Idp cert - the identity provider's certificate in PEM format

    • Nameid format - specify a format of name identifier according to the Oasis SAML specification

      It is required that the IdP assertions are encrypted and there is a decrypting private key added to OnApp. The key will be used to sign the Single Logout requests.

  4. Upload the Service Provider certificate and key:

    • Private key - private key of the service provider in PEM format

    • Certificate - the service provider's certificate in x509 format

  5. Fill in the keys for attributes mapping. 

    If the SAML Identity Provider does not send the user's email as name_id in response, the user needs to fill in the User email key when configuring an ID provider.

    These keys are the names of attributes of the third-party system users that will be synchronized with OnApp. See Attributes Mapping Configuration for more details.

    Required Attributes Mapping

    • User bucket key - the key to assign the user to a particular bucket under which this user will be billed
    • OnApp Key - the key that enables the import and synchronization of user attributes during every login to OnApp; third-party system users who are not yet registered in OnApp will not be created without this key
    • User email key - the email of the user
    • User name key - login name of the user that cannot be changed or synchronized after creating. If this key is missing, the email address will be utilized as a login name for the user.

    Optional Attributes Mapping
      • First name key the key for the first name of the user

      • Last name key - the key for the last name of the user

      • Locale key - the key for the language in which OnApp Cloud UI will be available to the user
      • System theme key - the key for one of the default system themes in which OnApp Cloud UI will be available to the user
      • Display infoboxes key - the key that enables or disables the display of infoboxes to the user
      • Disable auto suspend key - the key that enables or disables auto-suspending of the user
      • Suspend after key - the key that indicates the period of time in hours after which the user will be suspended
      • Suspend at key - the key that indicates the date and time when the user will be suspended
      • User group key - the group attribute to assign the user to a particular group
      • Roles key - the key of the role attribute that will create/sync the user's role in OnApp
      • Time zone key - the key of the time zone to which the user will be associated
  6. Click Save button.

See also:

Leave feedback