Manage Identity Providers

To see the list of Identity Providers and manage them:

  1. Go to your Control PanelAdminSettings > Authentication. You will see all SAML IdPs available in your cloud with their key details:
    • Name - name of the Identity Provider
    • IdP SSO Target Url - the URL to which the authentication request is sent
    • Status - either "Active" or "Disabled"
    • Action - click the "gear" button to Edit, Delete or access Metadata of this Identity Provider
  2. To see more detailed description of the Identity Provider - click its label.
  3. To enable or disable IdP - go to Edit screen. 

Edit SAML ID Provider

To edit Identity Provider instance, do the following:

  1. Go to your Control Panel > AdminSettings > Authentication tab.
  2. Click the Actions button next to the Identity Provider you want to edit, then click Edit.
  3. Fill in the fields in the new window:

    Idp sso target url and Idp cert are given by the Identity Provider. Idp cert fingerprint will be calculated by the system.
    • Enabled - move the slider to the right to enable this identity provider at the login screen
    • Name - enter the name of the identity provider
    • Icon - select the icon file, which will be displayed on the login page 
    • Issuer - the name of the service provider; by default - the address of your OnApp Control Panel
    • Idp sso target url - the URL to which the login authentication request should be sent
    • Idp slo target url - the URL to which the logout request should be sent
    • Idp cert - the identity provider's certificate in PEM format

    • Nameid format - specify a format of name identifier according to the Oasis SAML specification

      It is required that the IdP assertions are encrypted and there is a decrypting private key added to OnApp. The key will be used to sign the Single Logout requests.

  4. Upload the Service Provider certificate and key:

    • Private key - private key of the service provider in PEM format

    • Certificate - the service provider's certificate in x509 format

  5. Fill in the keys for attributes mapping. 

    If the SAML Identity Provider does not send the user's email as name_id in response, the user needs to fill in the User email key when configuring an ID provider.

    These keys are the names of attributes of the third-party system users that will be synchronized with OnApp. See Attributes Mapping Configuration for more details.

    Required Attributes Mapping

    • User bucket key - the key to assign the user to a particular bucket under which this user will be billed
    • OnApp Key - the key that enables the import and synchronization of user attributes during every login to OnApp; third-party system users who are not yet registered in OnApp will not be created without this key
    • User email key - the email of the user
    • User name key - login name of the user that cannot be changed or synchronized after creating. If this key is missing, the email address will be utilized as a login name for the user.

    Optional Attributes Mapping

      • First name key the key for the first name of the user

      • Last name key - the key for the last name of the user

      • Locale key - the key for the language in which OnApp Cloud UI will be available to the user
      • System theme key - the key for one of the default system themes in which OnApp Cloud UI will be available to the user
      • Display infoboxes key - the key that enables or disables the display of infoboxes to the user
      • Disable auto suspend key - the key that enables or disables auto-suspending of the user
      • Suspend after key - the key that indicates the period of time in hours after which the user will be suspended
      • Suspend at key - the key that indicates the date and time when the user will be suspended
      • User group key - the group attribute to assign the user to a particular group
      • Roles key - the key of the role attribute that will create/sync the user's role in OnApp
      • Time zone key - the key of the time zone to which the user will be associated
  6. Click Save button.