IDHUB Identity Providers

Identity Providers are the authentication mechanisms within IDHUB: every User is linked to an Identity Provider, and that Identity Provider is what authenticates the User.

The in-built Identity Provider (the one configured during the first-time installation of the Application) cannot be deleted or modified.

Definitions of fields of Identity Provider SAML2

  • Is Default IDP: When checked, this IDP is automatically assigned to every new User that is created.
  • Display Name: The descriptive name of the Identity Provider. This is a mandatory field and must always be filled in.
  • URL: The URL where the Identity Provider can be located. This is not a mandatory field.
  • Description: Free text written by the Administrator describing what the Identity Provider does.
  • Type: Lists all current Identity Provider types; the list is populated from the database. This is a mandatory field: an item must always be selected from the drop-down list.
  • Authentication Request Signed: A mandatory field specifying whether the Identity Provider wants the authentication request (AuthnRequest) signed. The answer is in the XML metadata provided by the Identity Provider, in the WantAuthnRequestsSigned attribute of the IDPSSODescriptor tag:

    <md:IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

    If WantAuthnRequestsSigned is "true", the Identity Provider wants the request signed; if it is "false" (or the attribute is absent, which the SAML metadata specification treats as false), it does not.
  • SLO Signed: Specifies whether the Identity Provider wants the Single Logout (SLO) request signed. This is not part of the XML metadata; it is agreed between the Identity Provider and the Organisation.
  • Signing Subject: The subject of the certificate in IDHUB's keystore whose key is used to decrypt the SAML responses from the Identity Provider. This is an additional security feature.
  • SSO Post Location: The location to which SAML authentication requests are sent. It is taken from the Location attribute of the SingleSignOnService tag in the SAML2 XML provided by the partner; use the SingleSignOnService whose Binding attribute is urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST.
  • SLO Post Location: The location to which SAML Single Logout (SLO) requests are sent. It is taken from the Location attribute of the SingleLogoutService tag in the SAML2 XML provided by the Identity Provider; use the SingleLogoutService whose Binding attribute is urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST.
  • Entity ID: Uniquely identifies the SAML2 partner. It is provided by the partner when the Organisation wants to use SAML2.
  • Signing Certificate: The Base64-encoded signing certificate of the Identity Provider (the X509Certificate in the signing KeyDescriptor of its metadata), used to verify the Identity Provider's signatures.

Definitions of fields of Identity Provider OAuth 2.0

  • Is Default IDP: When checked, this IDP is automatically assigned to every new User that is created.
  • Display Name: The descriptive name of the Identity Provider. This is a mandatory field and must always be filled in.
  • URL: The URL where the Identity Provider can be located. This is not a mandatory field.
  • Description: Free text written by the Administrator describing what the Identity Provider does.
  • Type: Lists all current Identity Provider types; the list is populated from the database. This is a mandatory field: an item must always be selected from the drop-down list.
  • App Client ID: The client identifier issued by the OAuth 2.0 Identity Provider; it identifies IDHUB's registration at that Identity Provider. This is a mandatory field.
  • App Client Secret: The secret shared between the Identity Provider and IDHUB. It is generated and provided by the Identity Provider and is a mandatory field. Treat it as a credential: it is only ever sent on the back channel to the Token Endpoint, never to the User's browser.
  • Authorisation Endpoint: The authorization endpoint of the Identity Provider, to which the User's browser is redirected to log in. This is a mandatory field.
  • Token Endpoint: The back-channel URL where IDHUB exchanges the authorization code for an access token.
  • User Info URL: The URL from which the user data stored at the IDP is retrieved once the access token has been obtained. This is a mandatory field.
  • Provisioning URI: A workflow or additional steps that complete the full registration of the User.
  • Attribute Name for Subject: The IDP attribute used to uniquely identify a User (mainly for the Subject area). This is a mandatory field.
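To see how these fields fit together in one login, here is an added example (not IDHUB's own code) of the authorization-code exchange: the Authorisation Endpoint and App Client ID go into the browser redirect, the App Client Secret is used only in the back-channel call to the Token Endpoint, and the Attribute Name for Subject selects the identifier from the User Info response. The configuration, redirect URI, scope string, function names and the stand-in Identity Provider are all constructed for this example; how IDHUB itself performs these steps is not described on this page.

```python
# Added example (not IDHUB's own code): the OAuth 2.0 authorization-code login
# driven by the Identity Provider fields above.
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed configuration mirroring the form fields; values are examples only.
IDP = {
    "app_client_id": "idhub-client",
    "app_client_secret": "s3cr3t-issued-by-the-idp",   # a credential: keep it server-side
    "authorisation_endpoint": "https://idp.example.org/oauth2/authorize",
    "token_endpoint": "https://idp.example.org/oauth2/token",
    "user_info_url": "https://idp.example.org/oauth2/userinfo",
    "attribute_name_for_subject": "sub",
}
REDIRECT_URI = "https://idhub.example.com/oauth2/callback"   # assumed callback URL


def begin_login(cfg, redirect_uri):
    """Front channel: build the redirect to the Authorisation Endpoint.

    Returns (url, state). `state` must be kept in the server-side session and
    compared when the browser comes back; it ties the callback to the session
    that started the login. The client secret never appears in this URL.
    """
    state = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": cfg["app_client_id"],
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",   # assumed scope
        "state": state,
    }
    return cfg["authorisation_endpoint"] + "?" + urlencode(params), state


def finish_login(cfg, redirect_uri, callback_url, expected_state, http_post, http_get):
    """Validate the callback, exchange the code at the Token Endpoint (back channel),
    fetch the User Info record and return the configured subject attribute.

    `http_post(url, form) -> dict` and `http_get(url, headers) -> dict` are injected
    so the whole flow can be exercised without network access.
    """
    query = parse_qs(urlsplit(callback_url).query)
    if "error" in query:
        raise PermissionError("Identity Provider returned error: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise PermissionError("state mismatch: callback is not tied to this session")
    code = query.get("code", [None])[0]
    if not code:
        raise PermissionError("callback carries no authorization code")
    # Back channel: the only place the App Client Secret is used.
    token_resp = http_post(cfg["token_endpoint"], {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": cfg["app_client_id"],
        "client_secret": cfg["app_client_secret"],
    })
    access_token = token_resp.get("access_token")
    if not access_token or token_resp.get("token_type", "").lower() != "bearer":
        raise PermissionError("Token Endpoint did not issue a bearer token")
    userinfo = http_get(cfg["user_info_url"], {"Authorization": "Bearer " + access_token})
    subject = userinfo.get(cfg["attribute_name_for_subject"])
    if not subject:
        raise PermissionError("User Info lacks the subject attribute " + cfg["attribute_name_for_subject"])
    return subject


def fake_idp():
    """Constructed stand-in for the Identity Provider's back-channel endpoints.
    Authorization codes are single-use, as they are at a real provider."""
    codes = {"code-123": "tok-abc"}                     # code -> access token it unlocks
    users = {"tok-abc": {"sub": "user-42", "email": "alice@example.org"}}

    def http_post(url, form):
        if url != IDP["token_endpoint"] or form.get("client_secret") != IDP["app_client_secret"]:
            return {"error": "invalid_client"}
        token = codes.pop(form.get("code"), None)       # a replayed code gets nothing
        return {"access_token": token, "token_type": "Bearer"} if token else {"error": "invalid_grant"}

    def http_get(url, headers):
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
        return users.get(token, {}) if url == IDP["user_info_url"] else {}

    return http_post, http_get
```

The state comparison and the single-use code are the two checks that stop a captured callback URL from being replayed into another session. A production client should additionally send a PKCE code_challenge with the redirect and the matching code_verifier to the Token Endpoint; that is omitted here because the page does not mention it.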

Creating New Identity Provider

This operation creates a new Identity Provider.

  • Click Identity Providers under Administration
  • Click Add New IDP button at the top right corner of the page
  • Enter all mandatory data, and click button Save & Close

Possible Alerts that can be encountered during this operation

Clicking Save & Close without filling in some or all of the mandatory fields triggers an alert message underneath those fields, indicating that they are required and must be filled in.

Editing Identity Provider

This operation edits the details of an existing Identity Provider, except the in-built Identity Provider (the one configured during the first-time installation of the Application).

  • Click Identity Providers under Administration
  • Click on the Edit icon of the Identity Provider that you want to Edit
  • Make the necessary changes and click Save & Close

Possible Alerts that can be encountered during this operation

If the User edits the in-built Identity Provider (the one configured during the first-time installation of the Application) and clicks Save & Close, an alert message at the bottom of the page states that this operation is not allowed.

Clicking Save & Close without filling in some or all of the mandatory fields triggers an alert message underneath those fields, indicating that they are required and must be filled in.

Definitions of fields of the Identity Provider Settings

  • Current Logo: The logo currently set for the Identity Provider.
  • Image File: Next to Image File is a File Uploader link which opens the File Uploader window, where the User selects an image or logo to upload.
  • Preview of Uploaded File: A preview of the uploaded image/logo.
  • Expiration Policy: All properties underneath the Expiration Policy pane relate to the password expiration policy.
  • Grace Time: The number of days before expiry during which the User must change his password. It is shown to the User as a pop-up alert message as the remaining days elapse.
  • Initial Lifetime: The number of days until a password expires when it is first created.
  • Lifetime: The number of days for which a password remains active and can be used.
  • Reset Lifetime: The amount of time before a password can be reset again, that is, the number of days after which the User can change the current password to another of his choice.
  • Max Login Attempts: The number of failed login attempts before the account is locked.
  • Password Policy: All properties underneath the Password Policy pane relate to the core password policy.
  • Minimum Password Length: The minimum total number of characters a password must have.
  • Maximum Password Length: The maximum total number of characters a password may have.
  • Minimum Lowercase Characters: The minimum number of lowercase characters a password must have.
  • Minimum Uppercase Characters: The minimum number of uppercase characters a password must have.
  • Minimum Digits: The minimum number of digits a password must have.
  • Minimum Special Characters: The minimum number of special characters a password must have.
  • Special Characters: The characters that count as special characters for the policy, that is, the set from which the Minimum Special Characters must be drawn.
  • Forbidden Words (one per line): Words that cannot be used as a password.
  • Trim Password: Whether spaces at the beginning or end of the password are ignored. If Trim Password is checked in the settings of the Identity Provider in use, any spaces before or after the password are not regarded as part of the password; if it is unchecked they count as part of the password combination.
  • Algorithm: The hash algorithm used to store the Users' passwords. The Administrator can choose between SHA-256 and SHA-512 (the longer digest). If a User's password was set under one algorithm, say SHA-256, and the Administrator changes the setting to SHA-512, passwords set under the previous algorithm continue to be verified with it until the User changes his password; any User provisioned after the change uses the new algorithm from the start.
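The Algorithm behaviour (old passwords keep their old algorithm until the User changes them) only works if each stored password records which algorithm produced it. The following is an added example, not IDHUB's own code, of that record-keeping: a per-password algorithm tag, verification that honours the tag rather than the current setting, and a password change that moves the User onto the algorithm now in force. The page names only the digest (SHA-256 or SHA-512); the per-user salt and the PBKDF2 iteration of that digest are this example's own additions, as are all names below.

```python
# Added example (not IDHUB's own code): per-password algorithm tagging so that a
# change of the Algorithm setting affects new and changed passwords only.
import hashlib
import hmac
import secrets

ITERATIONS = 200_000   # assumed work factor; the page does not specify one


def hash_password(password, algorithm):
    """Return a self-describing record: the algorithm, a fresh salt and the derived key.

    Assumption beyond the page: the SHA digest is used inside PBKDF2 with a random
    per-user salt rather than applied directly to the password.
    """
    if algorithm not in ("sha256", "sha512"):
        raise ValueError("unsupported algorithm: " + algorithm)
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac(algorithm, password.encode(), salt, ITERATIONS)
    return {"algorithm": algorithm, "salt": salt.hex(), "hash": dk.hex()}


def verify_password(record, password):
    """Verify with the algorithm stored in the record, not the current policy setting."""
    dk = hashlib.pbkdf2_hmac(record["algorithm"], password.encode(),
                             bytes.fromhex(record["salt"]), ITERATIONS)
    return hmac.compare_digest(dk.hex(), record["hash"])


class PasswordStore:
    """In-memory user store whose `algorithm` mirrors the IDP's Algorithm setting."""

    def __init__(self, algorithm):
        self.algorithm = algorithm     # the setting currently in force
        self.records = {}

    def provision(self, username, password):
        # A newly provisioned User gets the algorithm configured right now.
        self.records[username] = hash_password(password, self.algorithm)

    def login(self, username, password):
        rec = self.records.get(username)
        return rec is not None and verify_password(rec, password)

    def change_password(self, username, old, new):
        # Only a successful change re-hashes; an existing password is never
        # silently re-encoded, because the plaintext is not available to do so.
        if not self.login(username, old):
            return False
        self.records[username] = hash_password(new, self.algorithm)
        return True
```

Because the plaintext is only available while the User is typing it, the store cannot migrate everyone the moment the setting changes; that is exactly the "until the User changes his password" rule from the field definition, and the algorithm tag is what makes logins keep working in the meantime.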

Editing Identity Provider Settings

This operation edits the current settings of an Identity Provider.

  • Click Identity Providers under Administration
  • Click on the Edit Settings icon adjacent to the Identity Provider whose settings you want to edit
  • Click Browse to choose an image to upload
  • Double-click the image, or select it and click Open
  • Click Upload Image File
  • Click button Save & Close

Minimum lowercase characters

This operation sets the minimum number of lowercase characters a password must contain when a User is provisioned to the in-built Identity Provider.

  • Click Identity Providers under Administration
  • Click on the Edit Settings icon adjacent to the in-built IDP
  • Change Min lowercase characters to, say, 3 and click button Save & Close
  • Go back and provision a user with the in-built IDP, using a password that combines lowercase and uppercase characters (with at least 3 lowercase characters), and click button Save & Close

Possible Alerts that can be encountered during this operation

The User is informed via the alert message Password Invalid at the bottom of the page if the minimum lowercase character policy setting is not met.

Minimum upper case characters

This operation sets the minimum number of uppercase characters a password must contain when a User is provisioned to the in-built Identity Provider, or to any other Identity Provider.

  • Click Identity Providers under Administration
  • Click on the Edit Settings icon adjacent to the in-built IDP
  • Change Min uppercase characters to, say, 3 and click button Save & Close
  • Go back and provision a user with the in-built IDP, using a password that combines lowercase and uppercase characters (with at least 3 uppercase characters), and click button Save & Close

Possible Alerts that can be encountered during this operation

The User is informed via the alert message Password Invalid at the bottom of the page if the minimum uppercase character policy setting is not met.

Minimum Digits

This operation sets the minimum number of digits a password must contain when a User is provisioned to the in-built Identity Provider, or to any other Identity Provider.

  • Click Identity Providers under Administration
  • Click on the Edit Settings icon adjacent to the in-built IDP
  • Change Min Digits to, say, 3 and click button Save & Close
  • Go back and provision a user with the in-built IDP, using a password that combines lowercase characters and digits (with at least 3 digits), and click button Save & Close

Possible Alerts that can be encountered during this operation

The User is informed via the alert message Password Invalid at the bottom of the page if the minimum digits policy setting is not met.

Minimum Special Characters

This operation sets the minimum number of special characters a password must contain when a User is provisioned to the in-built Identity Provider, or to any other Identity Provider.

  • Click Identity Providers under Administration
  • Click on the Edit Settings icon adjacent to the in-built IDP
  • Change Min Special Characters to, say, 1 and click button Save & Close
  • Go back and provision a user with the in-built IDP, using a password that combines lowercase characters and one special character (say an ampersand), and click on Save & Close

Possible Alerts that can be encountered during this operation

The User is informed via the alert message Password Invalid at the bottom of the page if the minimum special character policy setting is not met.

Special Characters

This operation defines the list of special characters that may be used in a password when a User is provisioned to the in-built Identity Provider, or to any other Identity Provider.

  • Click Identity Providers under Administration
  • Click on the Edit Settings icon adjacent to the in-built IDP
  • Add a couple of special characters to the Special Characters field and click button Save & Close
  • Go back and provision a user with the in-built IDP, using a password of, say, only lowercase characters plus one special character that is in the current Special Characters list, and click on Save & Close

Possible Alerts that can be encountered during this operation

The User is informed via the alert message Password Invalid at the bottom of the page if the special character policy setting is not met.

Forbidden Word(s)

This operation defines the list of forbidden words that cannot be used as a password when a User is provisioned to the in-built Identity Provider.

  • Click Identity Providers under Administration
  • Click on the Edit Settings icon adjacent to the in-built IDP
  • Add a couple of words that you do not want to be used as a password to the Forbidden Words field (one per line) and click button Save & Close
  • Go back and provision a user with the in-built IDP, do not use any of the forbidden words as the password, and click Save & Close

Possible Alerts that can be encountered during this operation

The User is informed via the alert message Password Invalid at the bottom of the page if the forbidden words policy setting is not met.
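The walk-throughs above each exercise one rule of the Password Policy fields defined under Identity Provider Settings. The following validator is an added example, not IDHUB's own code, that applies all of those rules at once (minimum and maximum length, the four minimum-count rules, the Special Characters set, Forbidden Words and Trim Password) and reports every rule a candidate password fails, which is more useful than the single Password Invalid alert when working out why a provisioning attempt was rejected. The policy values are constructed to match the walk-throughs (3 lowercase, 3 uppercase, 3 digits, 1 special character), the key and function names are this example's own, and two points the page leaves open are marked as assumptions in the comments.

```python
# Added example (not IDHUB's own code): apply the Password Policy settings to a
# candidate password and report every rule it violates.

# Constructed policy matching the walk-throughs; key names are this example's own.
POLICY = {
    "min_length": 8,
    "max_length": 64,
    "min_lowercase": 3,
    "min_uppercase": 3,
    "min_digits": 3,
    "min_special": 1,
    "special_characters": "&!@#$%",
    "forbidden_words": ["pwd", "password"],
    "trim_password": True,
}


def normalise(password, policy):
    """Trim Password: when checked, spaces before or after the password are not
    part of it; when unchecked they are ordinary characters. Inner spaces stay."""
    return password.strip(" ") if policy["trim_password"] else password


def validate_password(password, policy):
    """Return the names of the policy rules the password violates (empty list: valid)."""
    pwd = normalise(password, policy)
    special = set(policy["special_characters"])
    failures = []
    if len(pwd) < policy["min_length"]:
        failures.append("Minimum Password Length")
    if len(pwd) > policy["max_length"]:
        failures.append("Maximum Password Length")
    if sum(c.islower() for c in pwd) < policy["min_lowercase"]:
        failures.append("Minimum Lowercase Characters")
    if sum(c.isupper() for c in pwd) < policy["min_uppercase"]:
        failures.append("Minimum Uppercase Characters")
    if sum(c.isdigit() for c in pwd) < policy["min_digits"]:
        failures.append("Minimum Digits")
    if sum(c in special for c in pwd) < policy["min_special"]:
        failures.append("Minimum Special Characters")
    # Assumption: the Special Characters field is the complete set of permitted
    # non-alphanumeric characters, so any other symbol (or an inner space) fails.
    if any(not c.isalnum() and c not in special for c in pwd):
        failures.append("Special Characters")
    # Forbidden Words are compared case-insensitively against the whole password,
    # which is what "cannot be used as a password" says. Assumption: a substring
    # match (rejecting "Password1" too) would be stricter and is a reasonable choice.
    if pwd.lower() in (w.lower() for w in policy["forbidden_words"]):
        failures.append("Forbidden Words")
    return failures


def check_provisioning_password(password, policy=POLICY):
    """What the Save & Close check amounts to: None when the password is accepted,
    otherwise the Password Invalid alert text followed by the rules that failed."""
    failures = validate_password(password, policy)
    return None if not failures else "Password Invalid: " + ", ".join(failures)
```

Note the interaction between Trim Password and the Special Characters set: with trimming off, a password pasted with a trailing space fails the Special Characters rule rather than the length rule, which is the kind of rejection Users report as "the password was right".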

Deleting Identity Provider

This operation deletes an existing Identity Provider, except the in-built Identity Provider (the one configured during the first-time installation of the Application).

  • Click Identity Providers under Administration
  • Click on the Delete icon adjacent to the Identity Provider you want to delete
  • Click on the Delete button in the pop-up window that is displayed

Possible Alerts that can be encountered during this operation

Notice that the Delete icon is inactive (greyed out) for the in-built Identity Provider (the one configured during the first-time installation of the Application), so the delete operation is not possible for it.

The User is informed via an alert message at the bottom of the page that IDP cannot be deleted as it is currently assigned to Users if the User attempts to delete an Identity Provider that still has Users linked to it.

The User is informed via an alert message at the bottom of the page that IDP cannot be deleted as it has User Attributes related to it if the User attempts to delete an Identity Provider that still has User Attributes linked to it.

Identity Provider Attributes

These attributes are attached to an Identity Provider and are only stored in the repository; how they are used is left to the customer. For example:

  • valid Until: 2015-12-31
    • This attribute could be used by a customer to limit the period during which an Identity Provider may be used
  • TOD: 9to5
    • This attribute could be used by a customer to limit the usage of an Identity Provider to certain hours
  • The interpretation of these attributes is deliberately left to the customer, so that they can be used for authorization decisions.
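Since IDHUB only stores these attributes, enforcing them is the customer's job. The following is an added example, not IDHUB's own code, of a customer-side check that reads the two sample attributes above and decides whether the Identity Provider may be used at a given moment. The "9to5" syntax, the UTC evaluation and all names are this example's assumptions; the one design point worth copying is that a malformed value denies access rather than quietly allowing it.

```python
# Added example (not IDHUB's own code): customer-side authorization check over
# the "valid Until" and "TOD" Identity Provider attributes.
from datetime import date, datetime, timezone


def parse_tod(value):
    """Parse an "StoE" time-of-day window into (start_hour, end_hour) on a 24-hour clock.

    Assumed syntax: "8to18" is 08:00-18:00. When the end is not after the start,
    "9to5"-style 12-hour shorthand is assumed and 12 is added, giving 09:00-17:00.
    Windows that cross midnight are not supported and raise ValueError.
    """
    start_s, sep, end_s = value.partition("to")
    if not sep:
        raise ValueError("TOD must look like 9to5 or 8to18, got " + value)
    start, end = int(start_s), int(end_s)
    if end <= start:
        end += 12
    if not (0 <= start < end <= 24):
        raise ValueError("TOD window out of range: " + value)
    return start, end


def at_utc(year, month, day, hour, minute=0):
    """Build an aware UTC timestamp (the example evaluates everything in UTC)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def idp_usable(attributes, now):
    """Decide whether an Identity Provider may be used at `now` (an aware datetime).

    Returns (allowed, reason). Attributes this check does not know are ignored;
    a malformed value denies access rather than silently allowing it (fail closed).
    """
    try:
        if "valid Until" in attributes:
            last_day = date.fromisoformat(attributes["valid Until"])
            if now.date() > last_day:
                return False, "Identity Provider expired on " + last_day.isoformat()
        if "TOD" in attributes:
            start, end = parse_tod(attributes["TOD"])
            if not (start <= now.hour < end):
                return False, "outside permitted hours %02d:00-%02d:00" % (start, end)
    except ValueError as exc:
        return False, "invalid Identity Provider attribute: " + str(exc)
    return True, "ok"


if __name__ == "__main__":
    # Constructed attributes taken from the two examples on the page.
    print(idp_usable({"valid Until": "2015-12-31", "TOD": "9to5"}, datetime.now(timezone.utc)))
```

The end of the window is exclusive, so with TOD 9to5 a login at exactly 17:00 is refused; whichever convention you choose, state it next to the attribute so that the person who sets "valid Until" or "TOD" on an Identity Provider knows what the check will do with it.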

Mapping Attributes to Identity Provider

This operation maps an attribute required by the Identity Provider to an attribute of the user in the IDHUB database.

  • Click Identity Providers under Administration
  • Click on the Identity icon adjacent to the Identity Provider you want to map the attribute to
  • Click on Add New IDP User Attribute
  • Enter data under the field Identity Provider User Attribute
  • Select an item under the field User Attribute
  • Click button Save & Close

Possible Alerts that can be encountered during this operation

The User is informed via an alert message underneath the respective field that the User Attribute is a required field if the User clicks Save & Close without entering any data in the text field under Identity Provider User Attribute.

Remove Attribute from Mapping

This operation removes the mapping between an attribute required by the Identity Provider and an attribute of the user in the IDHUB database.

  • Click Identity Providers under Administration
  • Click on the Identity icon adjacent to the Identity Provider you want to remove the attribute from
  • Click on the Delete (basket) icon adjacent to the mapped attribute, and click button Save & Close

Linking Identity Provider to a User

This operation links an Identity Provider to a User.

  • From the Users list window, click on the Link Identity Provider icon adjacent to the User you want to link the Identity Provider to
  • Click on the Link icon adjacent to the Identity Provider you want to provision the User to
  • Fill in all mandatory fields (ideally use an email address for the User field), and click button Save & Close

Possible Alerts that can be encountered during this operation

The User is informed via an alert message at the bottom of the page that a Duplicate User was found if the email address used has already been used to link another User.

The User is informed via an error message underneath the Confirm Password text field that the passwords do not match if there is a password mismatch while typing the password.

The User is informed via an alert message at the bottom of the page that the Password is Invalid if the User uses any of the forbidden words (for example pwd or password) as the password.

Dissociate Identity Provider from a User

This operation unlinks (dissociates) an Identity Provider from a User.

  • Click Users under Administration
  • Go to a User that already has an Identity Provider linked, and click on the Link Identity Provider icon
  • Click on the Link icon under Subject to dissociate the Identity Provider from the User

Consequences of Dissociating (Unlinking)

Once his or her Identity Provider is unlinked, a User can no longer log in to the Service: the User has no remaining means of being authenticated.
