Manage Identity Providers

To see the list of Identity Providers and manage them:

Go to your Control Panel > Admin > Settings > Authentication. You will see all SAML IdPs available in your cloud with their key details:
- Name - name of the Identity Provider
- IdP SSO Target Url - the URL to which the authentication request is sent
- Status - either "Active" or "Disabled"
- Action - click the "gear" button to Edit, Delete or access Metadata of this Identity Provider
To see more detailed description of the Identity Provider - click its label.
To enable or disable IdP - go to Edit screen.

See also:

Edit SAML ID Provider

To edit Identity Provider instance, do the following:

Go to your Control Panel > Admin > Settings > Authentication tab.
Click the Actions button next to the Identity Provider you want to edit, then click Edit.
Fill in the fields in the new window:

Idp sso target url and Idp cert are given by the Identity Provider. Idp cert fingerprint will be calculated by the system.
- Enabled - move the slider to the right to enable this identity provider at the login screen
- Name - enter the name of the identity provider
- Icon - select the icon file, which will be displayed on the login page
- Issuer - the name of the service provider; by default - the address of your OnApp Control Panel
- Idp sso target url - the URL to which the login authentication request should be sent
- Idp slo target url - the URL to which the logout request should be sent
- Idp cert - the identity provider's certificate in PEM format
- Nameid format - specify a format of name identifier according to the Oasis SAML specification
  
  It is required that the IdP assertions are encrypted and there is a decrypting private key added to OnApp. The key will be used to sign the Single Logout requests.
Upload the Service Provider certificate and key:
- Private key - private key of the service provider in PEM format
- Certificate - the service provider's certificate in x509 format
Fill in the keys for attributes mapping.

If the SAML Identity Provider does not send the user's email as name_id in response, the user needs to fill in the User email key when configuring an ID provider.

These keys are the names of attributes of the third-party system users that will be synchronized with OnApp. See Attributes Mapping Configuration for more details.

Required Attributes Mapping
- User bucket key - the key to assign the user to a particular bucket under which this user will be billed
- OnApp Key - the key that enables the import and synchronization of user attributes during every login to OnApp; third-party system users who are not yet registered in OnApp will not be created without this key
- User email key - the email of the user
- User name key - login name of the user that cannot be changed or synchronized after creating. If this key is missing, the email address will be utilized as a login name for the user.
Optional Attributes Mapping
- - First name key - the key for the first name of the user
  - Last name key - the key for the last name of the user
  - Locale key - the key for the language in which OnApp Cloud UI will be available to the user
  - System theme key - the key for one of the default system themes in which OnApp Cloud UI will be available to the user
  - Display infoboxes key - the key that enables or disables the display of infoboxes to the user
  - Disable auto suspend key - the key that enables or disables auto-suspending of the user
  - Suspend after key - the key that indicates the period of time in hours after which the user will be suspended
  - Suspend at key - the key that indicates the date and time when the user will be suspended
  - User group key - the group attribute to assign the user to a particular group
  - Roles key - the key of the role attribute that will create/sync the user's role in OnApp
  - Time zone key - the key of the time zone to which the user will be associated
Click Save button.