To see the list of Identity Providers and manage them:
- Go to your Control Panel > Admin > Settings > Authentication. You will see all SAML IdPs available in your cloud with their key details:
  - Name - name of the Identity Provider
  - IdP SSO Target Url - the URL to which the authentication request is sent
  - Status - either "Active" or "Disabled"
  - Action - click the "gear" button to Edit, Delete or access Metadata of this Identity Provider
- To see a more detailed description of the Identity Provider, click its label.
- To enable or disable an IdP, go to its Edit screen.
Edit SAML ID Provider
To edit an Identity Provider instance, do the following:
- Go to your Control Panel > Admin > Settings > Authentication tab.
- Click the Actions button next to the Identity Provider you want to edit, then click Edit.
- Fill in the fields in the new window. The Idp sso target url and Idp cert values are provided by the Identity Provider; the Idp cert fingerprint is calculated by the system from the uploaded certificate.
- Enabled - move the slider to the right to enable this identity provider at the login screen
- Name - enter the name of the identity provider
- Icon - select the icon file, which will be displayed on the login page
- Issuer - the name of the service provider; by default - the address of your OnApp Control Panel
- Idp sso target url - the URL to which the login authentication request should be sent
- Idp slo target url - the URL to which the logout request should be sent
- Idp cert - the identity provider's certificate in PEM format
- Nameid format - specify the format of the name identifier according to the OASIS SAML specification
IdP assertions must be encrypted, and a decrypting private key must be added to OnApp. The same key is used to sign Single Logout requests.
Upload the Service Provider certificate and key:
- Private key - the service provider's private key in PEM format
- Certificate - the service provider's certificate in X.509 format
Fill in the keys for attributes mapping.
If the SAML Identity Provider does not send the user's email as the name_id in its response, the User email key must be filled in when configuring the ID provider.
These keys are the names of attributes of the third-party system users that will be synchronized with OnApp. See Attributes Mapping Configuration for more details.
Required Attributes Mapping
- User bucket key - the key to assign the user to a particular bucket under which this user will be billed
- OnApp Key - the key that enables the import and synchronization of user attributes during every login to OnApp; third-party system users who are not yet registered in OnApp will not be created without this key
- User email key - the email of the user
- User name key - the login name of the user, which cannot be changed or synchronized after creation. If this key is missing, the email address is used as the user's login name.
Optional Attributes Mapping
- First name key - the key for the first name of the user
- Last name key - the key for the last name of the user
- Locale key - the key for the language in which OnApp Cloud UI will be available to the user
- System theme key - the key for one of the default system themes in which OnApp Cloud UI will be available to the user
- Display infoboxes key - the key that enables or disables the display of infoboxes to the user
- Disable auto suspend key - the key that enables or disables auto-suspending of the user
- Suspend after key - the key that indicates the period of time in hours after which the user will be suspended
- Suspend at key - the key that indicates the date and time when the user will be suspended
- User group key - the group attribute to assign the user to a particular group
- Roles key - the key of the role attribute that will create/sync the user's role in OnApp
- Time zone key - the key of the time zone to which the user will be associated
- Click Save button.
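The following is an added example, not OnApp code, showing two of the service-provider-side steps described above: computing the IdP certificate fingerprint from a PEM certificate (the value the system calculates for the Idp cert fingerprint field) and applying the attribute-mapping keys to the attributes an IdP sends in a SAML assertion, including the documented fallbacks (NameID used as the email, email used as the login when no User name key is set, no account created for an unknown user without the OnApp key). The mapping setting names (`user_email_key`, `onapp_key`, and so on), the attribute names in the sample assertion, and the PEM body are constructed for the example; signatures and encryption are omitted so that only the mapping is visible.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace from the OASIS specification.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def cert_fingerprint(pem: str, algo: str = "sha1") -> str:
    """Fingerprint of the DER bytes inside a PEM certificate, as
    colon-separated uppercase hex (the usual display form in SP consoles)."""
    body = "".join(
        line.strip()
        for line in pem.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    der = base64.b64decode(body, validate=True)
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def map_user(assertion_xml: str, mapping: dict, existing_user: bool = False) -> dict:
    """Apply attribute-mapping keys to one SAML assertion.

    `mapping` maps setting names (assumed lower-case versions of the fields
    above) to the attribute names the IdP actually sends; only settings that
    are configured are looked up. Returns the user record that would be synced."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]

    def first(setting):
        key = mapping.get(setting)
        values = attrs.get(key, []) if key else []
        return values[0] if values else None

    # Email comes from NameID unless a User email key is configured.
    email = first("user_email_key") or name_id
    # Login name falls back to the email address when no User name key is set.
    login = first("user_name_key") or email
    # Without the OnApp key, a user not yet registered is not created on login.
    provision = existing_user or first("onapp_key") is not None

    roles_key = mapping.get("roles_key")
    return {
        "provision": provision,
        "email": email,
        "login": login,
        "bucket": first("user_bucket_key"),
        "first_name": first("first_name_key"),
        "last_name": first("last_name_key"),
        "roles": attrs.get(roles_key, []) if roles_key else [],
        "locale": first("locale_key"),
        "time_zone": first("time_zone_key"),
    }


# Constructed sample assertion (not a real IdP response).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="bucket"><saml:AttributeValue>bucket-standard</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="onapp"><saml:AttributeValue>1</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>user</saml:AttributeValue>
      <saml:AttributeValue>auditor</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed mapping: no User name key, so the email becomes the login.
SAMPLE_MAPPING = {
    "user_bucket_key": "bucket",
    "onapp_key": "onapp",
    "first_name_key": "givenName",
    "last_name_key": "sn",
    "roles_key": "memberOf",
}

# Constructed PEM body (placeholder bytes, not a real X.509 certificate);
# the fingerprint routine only needs the base64-decoded DER bytes.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"constructed placeholder, not a real X.509 DER").decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(cert_fingerprint(SAMPLE_PEM))
    print(map_user(SAMPLE_ASSERTION, SAMPLE_MAPPING))
```

When checking a live configuration, compare the fingerprint this produces for the certificate pasted into Idp cert against the fingerprint the IdP's own metadata shows; a mismatch means the wrong certificate (for example an expired one after IdP key rollover) was uploaded.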