
An organization administrator can configure an Identity Provider (IdP) and manage associated domains from the Organization's Settings tab.

Note: Organizations are permitted access through an AMPLIFY Platform Enterprise subscription with an Identity Provider entitlement.

Pre-requisites

You must have an OpenID Connect (OIDC) or SAML v2.0 compatible Identity Provider.

Before creating a new Identity Provider configuration, you must ensure:

  • At least one user whose email address is on the domain for which the Identity Provider is being configured has been invited to or is an existing member of the organization.
  • All existing AMPLIFY Platform users whose email address is on the domain for which the Identity Provider is being configured are invited to or are existing members of the organization.
  • You have the necessary permissions to access and edit your Identity Provider in order to complete this configuration.

Note: It is recommended to read this document in its entirety before creating a new Identity Provider, as there is a time-sensitive step to verify the configuration.

Create a new Identity Provider

An Identity Provider is created and maintained in the AMPLIFY Platform Dashboard's Organization Settings. An Identity Provider can be configured for the OpenID Connect (OIDC) and SAML v2.0 protocols.

To create a new Identity Provider

  1. Sign in to the AMPLIFY Platform.
  2. Click on the Profile menu and select Organization.
  3. Click the Settings tab from the left navigation.
  4. Click the Identity Provider tab. When you access the Identity Provider page in the Dashboard for the first time, you will see a message that the organization is currently using the AMPLIFY Platform for authentication. 
  5. If you're a member of multiple organizations, select the organization you want to view from the Branding dropdown menu.
  6. From the Identity Provider page, click the Actions (...) menu and select New.
  7. The New Identity Provider form is presented. Complete the following:
    • Email Domain: Select the email domain for which you are configuring the Identity Provider.
    • Verification Recipient: Select the email address of a user on the domain for which you are configuring the Identity Provider. The recipient will receive an email from the Axway AMPLIFY Platform to confirm domain ownership. The email is sent after the Identity Provider configuration is saved. See Verify the Domain for details.

      Note: The email recipient has 30 minutes to accept the invitation. If the recipient does not accept the invitation within 30 minutes, the link expires and the values configured for the Identity Provider are cleared.


  8. Select the supported protocol for your Identity Provider and complete the form.

OpenID Connect (OIDC)

This section includes details on configuring an OpenID Connect (OIDC) Identity Provider.

  1. In the New Identity Provider form, select OpenID Connect. A blank form is presented.
  2. Enter the Issuer URL and then click Fetch to retrieve and populate the OIDC provider configuration values exposed by the issuer. The values can also be manually entered.
  3. Enter the Client ID and Client Secret fields from the values that are configured for your OIDC Identity Provider's AMPLIFY Platform client.
  4. Complete the Advanced configuration settings (Logout URL and Backchannel Logout) if they are applicable to your Identity Provider.
  5. Confirm the provider configuration values for Authorization and Token URL and Attribute Mapping. The following is an example of a completed OIDC form (before clicking Save).

     
  6. Click Save. A confirmation dialog appears with a message that, once the Identity Provider configuration is verified, all users on that domain will be required to log into the AMPLIFY Platform with their Identity Provider credentials.
  7. After you click Submit, an email with a verification link is sent to the configured recipient. See Verify Domain Ownership for details on this verification process.

    Note: The email recipient has 30 minutes to access the verification URL. If the recipient does not access the verification within 30 minutes, the Identity Provider configuration is removed and the organization reverts to using the AMPLIFY Platform for authentication.

     

  8. To complete the configuration, you must add the values shown on the AMPLIFY Platform Identity Provider page to your Identity Provider.
    • Copy the Redirect URI and optionally the Post-Logout Redirect URI into the OIDC configuration, either manually or by clicking the clipboard icon.
    • Click Save in the OIDC page. The Identity Provider configuration is now complete. Proceed to Verify Domain Ownership.
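The Fetch step above retrieves the OIDC discovery document published under the Issuer URL and fills in the Authorization, Token and Logout URLs from it. The following is an added example, not code from the AMPLIFY Platform or its documentation, showing what a careful import of that document looks like: it derives the discovery URL, maps the document's endpoints onto the form fields named on this page, and refuses the document when its declared issuer differs from the Issuer URL you typed or when an endpoint is not an https URL. The discovery document, the issuer https://idp.example.com/realms/acme and the mapping of backchannel_logout_supported onto the Backchannel Logout setting are assumptions of this example.

```python
import json
from urllib.parse import urlparse

# Constructed discovery document for this example. A real provider serves one at
# <Issuer URL>/.well-known/openid-configuration (OpenID Connect Discovery 1.0).
SAMPLE_ISSUER = "https://idp.example.com/realms/acme"
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": SAMPLE_ISSUER + "/protocol/openid-connect/token",
    "end_session_endpoint": SAMPLE_ISSUER + "/protocol/openid-connect/logout",
    "jwks_uri": SAMPLE_ISSUER + "/protocol/openid-connect/certs",
    "backchannel_logout_supported": True,
})


def discovery_url(issuer_url):
    """Location of the discovery document for an Issuer URL (OIDC Discovery 1.0, section 4)."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


def _require_https(name, url):
    """Reject anything that is not an absolute https URL; the form should never hold http endpoints."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError(f"{name} must be an absolute https URL, got {url!r}")
    return url


def _required(doc, key):
    if key not in doc:
        raise ValueError(f"discovery document lacks required field {key!r}")
    return doc[key]


def discovery_to_form_values(issuer_url, document_json):
    """Map a discovery document onto the form fields the Fetch button populates.

    Raises ValueError when the document should not be trusted to fill the form:
    the issuer it declares differs from the one typed (the document belongs to a
    different provider than expected), or a required endpoint is missing or is
    not served over https.
    """
    _require_https("Issuer URL", issuer_url)
    doc = json.loads(document_json)

    # OIDC Discovery requires the document's "issuer" to be identical to the
    # Issuer URL it was fetched for. Ignoring a trailing slash is the only
    # leniency applied here (an assumption of this example, not the platform's rule).
    declared = doc.get("issuer", "")
    if declared.rstrip("/") != issuer_url.rstrip("/"):
        raise ValueError(f"issuer mismatch: typed {issuer_url!r}, document declares {declared!r}")

    form = {
        "Authorization URL": _require_https("authorization_endpoint", _required(doc, "authorization_endpoint")),
        "Token URL": _require_https("token_endpoint", _required(doc, "token_endpoint")),
    }
    # The Advanced settings are optional: a provider without single logout
    # simply leaves Logout URL empty in the form.
    if "end_session_endpoint" in doc:
        form["Logout URL"] = _require_https("end_session_endpoint", doc["end_session_endpoint"])
    # Assumption: the Backchannel Logout setting mirrors the provider's advertised support.
    form["Backchannel Logout"] = bool(doc.get("backchannel_logout_supported", False))
    return form


if __name__ == "__main__":
    print("fetch from:", discovery_url(SAMPLE_ISSUER))
    for field, value in discovery_to_form_values(SAMPLE_ISSUER, SAMPLE_DISCOVERY_JSON).items():
        print(f"{field}: {value}")
```

The issuer comparison is the check worth keeping in mind when entering the values manually instead of using Fetch: every URL on the form should sit under the issuer you expect, and a Token URL on a different host is a configuration error to resolve before saving, since the 30-minute verification window starts once you do.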

When a new Identity Provider is being configured, the organization administrator can edit any field. After an OIDC Identity Provider is pending or verified, the organization administrator is permitted to edit some of the fields.

  • Basic Attributes
    • Authorization URL
    • Token URL
    • Logout URL
    • Client ID
    • Client Secret
  • Advanced Attributes
    • Logout URL
    • Backchannel Logout
  • Attribute Mapping
    • Email Address
    • First Name
    • Last Name
    • Phone Number
    • Country

SAML v2.0

This section includes details on configuring a SAML v2.0 Identity Provider with an example of a Microsoft Azure Active Directory SAML-based Single Sign-On configuration. 

Note: Although the example in this section is for Microsoft Azure Active Directory, any SAML v2.0 Identity Provider is compatible.

Refer to the Microsoft article on configuring SAML-based single sign-on for details.

  1. In the New Identity Provider form, select SAML v2.0. A blank form is presented.
  2. Complete the fields based on the values that are configured for your Identity Provider. The example here is SAML v2.0 for Azure Active Directory, where the SAML v2.0 Identity Provider values are found in the Azure Active Directory admin center under the Single sign-on menu. Refer to the Microsoft article on configuring SAML-based single sign-on and the following example for details.

    Section 1: These URLs (for example, Assertion Consumer Service URL) will be provided after the AMPLIFY Platform Identity Provider configuration is saved, and then can be used on your Identity Provider.

    Section 2: The values to set in the NameID Format and Attribute Mapping fields in the AMPLIFY Platform Identity Provider configuration form.

    Section 3: The values that will be set on the Signature Algorithm and Validating X509 Certificates section of the AMPLIFY Platform Identity Provider configuration form. The certificate file whose contents will be used for that section of the AMPLIFY Platform Identity Provider configuration page will be available from the download button for Certificate (Base64) on this view.

    Section 4: The values that will be used in the Single Sign-On Service URL and Single Logout Service URL fields on the AMPLIFY Platform Identity Provider configuration page.

  3. Copy the mapping values from the Identity Provider configuration to complete Single Sign-On Service URL and Single Logout Service URL. See section 4 of the SAML v2.0 for Azure Active Directory example.
  4. Copy the mapping values from the Identity Provider configuration to complete the NameID Policy Format, Signature Algorithm, and Validating X509 Certificates. See sections 2 and 3 of the SAML v2.0 for Azure Active Directory example.
     
    • NameID Policy Format: Click the field under Required Claim to show the format that will be used for the NameID Policy Format section in the Identity Provider configuration form.
    • Signature Algorithm: Select the value that is configured for your Identity Provider.
    • Validating X509 Certificates: Download the certificate. Then copy and paste the X509 certificate value into the text box, making sure to omit the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

      Note: If multiple certificates are required for your configuration, add the X509 certificate value for each certificate in that field, separated by a comma.

  5. Copy the mapping values from the Identity Provider configuration to complete the Attribute Mapping fields (Email Address, First Name, and Last Name). See the Additional claims area in section 2 from the SAML v2.0 for Azure Active Directory example.

    The following is an example of a completed SAML v2.0 form (before clicking Save).
  6. Click Save. A confirmation dialog appears with a message that, once the Identity Provider is verified, all users on that domain will be required to log into the AMPLIFY Platform with their Identity Provider credentials.
  7. After you click Submit, an email with a verification link is sent to the configured recipient. See Verify Domain Ownership for details on this verification process.

    Note: The email recipient has 30 minutes to access the verification URL. If the recipient does not access the verification within 30 minutes, the Identity Provider configuration is removed and the organization reverts to using the AMPLIFY Platform for authentication.

     

  8. To complete the configuration, you must add the values shown on the AMPLIFY Platform Identity Provider configuration page to your Identity Provider's configuration.
    • Copy the Entity ID, Assertion Consumer Service URL, and optionally the Post-Logout URL values individually from the Platform's page, either manually or by clicking the clipboard icon.
       

      Note: The link to the SAML Descriptor may include additional content that is applicable to your Identity Provider, such as the public key used for signed assertions.


    • Paste the copied values into their respective fields in the SAML v2.0 configuration page.
       
    • Click Save in the Azure Active Directory page. Now the Identity Provider configuration is complete. Proceed to Verify Domain Ownership.
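The Validating X509 Certificates field in step 4 takes the Base64 body of each certificate with the BEGIN/END lines removed, and several certificates separated by commas. Pasting a certificate with its PEM header left in, or losing the last line of a long Base64 block in the clipboard, is the usual reason a saved SAML configuration then fails signature validation. The following is an added example, not code from the AMPLIFY Platform or from Microsoft, that converts one or more downloaded PEM files into that field value and checks a value exactly as it would be pasted: each entry must decode as Base64 and be a single, complete DER structure, and the SHA-1 thumbprint of each is returned so it can be compared against the thumbprint your Identity Provider displays. The placeholder DER bytes are constructed for this example and are not a real certificate; the PEM text built from them stands in for the Certificate (Base64) download.

```python
import base64
import binascii
import hashlib

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed placeholder: a minimal DER SEQUENCE (SEQUENCE { INTEGER 1 }), not a
# real X.509 certificate. In practice the input is the Certificate (Base64) file
# downloaded from your Identity Provider.
_PLACEHOLDER_DER = bytes.fromhex("3003020101")


def pem_from_der(der, line_length=64):
    """Wrap DER bytes in the PEM form a Certificate (Base64) download has."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + line_length] for i in range(0, len(b64), line_length)]
    return "\n".join([PEM_BEGIN, *lines, PEM_END]) + "\n"


SAMPLE_PEM = pem_from_der(_PLACEHOLDER_DER)


def pem_to_field_value(pem_text):
    """Strip the BEGIN/END lines and line breaks, leaving the bare Base64 body."""
    body = []
    for line in pem_text.splitlines():
        line = line.strip()
        if not line or line.startswith("-----"):
            continue
        body.append(line)
    return "".join(body)


def _der_sequence_complete(der):
    """True when der is exactly one DER SEQUENCE (tag 0x30) whose length matches the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                        # short form: a single length byte
        return len(der) == 2 + first
    num = first & 0x7F                      # long form: the next num bytes hold the length
    if num == 0 or len(der) < 2 + num:
        return False
    length = int.from_bytes(der[2:2 + num], "big")
    return len(der) == 2 + num + length


def check_field_value(value):
    """Validate comma-separated certificate text as it would be pasted into the form.

    Returns the SHA-1 thumbprint (upper-case hex) of each certificate. Raises
    ValueError for the mistakes this field commonly receives: a PEM header left
    in, an empty entry between commas, bad Base64, or a truncated paste.
    """
    thumbprints = []
    for index, entry in enumerate(value.split(","), start=1):
        entry = "".join(entry.split())      # tolerate stray line breaks inside an entry
        if not entry:
            raise ValueError(f"certificate {index} is empty")
        if "-----" in entry:
            raise ValueError(f"certificate {index} still contains a BEGIN/END CERTIFICATE line")
        try:
            der = base64.b64decode(entry, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"certificate {index} is not valid Base64: {exc}") from None
        if not _der_sequence_complete(der):
            raise ValueError(f"certificate {index} is not a complete DER structure (truncated paste?)")
        thumbprints.append(hashlib.sha1(der).hexdigest().upper())
    return thumbprints


def build_field_value(pem_texts):
    """Combine one or more PEM certificates into the comma-separated field value."""
    value = ",".join(pem_to_field_value(pem) for pem in pem_texts)
    check_field_value(value)
    return value


if __name__ == "__main__":
    field = build_field_value([SAMPLE_PEM])
    print("field value:", field)
    print("thumbprints:", check_field_value(field))
```

The DER length check catches the truncation case only because a certificate is one outer SEQUENCE whose declared length must equal the decoded size; it does not prove the bytes are a certificate, which is why the thumbprint comparison against the value shown in the Identity Provider's portal is the step to do before clicking Save.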

When a new Identity Provider is being configured, the organization administrator can edit any field. After a SAML v2.0 Identity Provider is verified, the organization administrator is permitted to edit some of the fields.

  • Basic Attributes
    • Single Sign-On Service URL
    • NameID Policy Format
    • Signature Algorithm
    • Validating X509 Certificates
  • Advanced Attributes
    • Single Logout Service URL
    • Backchannel Logout
    • HTTP-POST Binding Response
    • HTTP-POST Binding for AuthnRequest
    • HTTP-POST Binding Logout
    • Want AuthnRequests Signed
    • SAML Signature Key Name
    • Want Assertions Signed
    • Want Assertions Encrypted
    • Force Authentication
  • Attribute Mapping
    • Email Address
    • First Name
    • Last Name
    • Phone Number
    • Country

Verify the Domain

After the Identity Provider is configured, the email recipient must verify the domain.

Confirm Domain Ownership

The verification recipient receives an email from Axway AMPLIFY Platform with a link to confirm the Identity Provider configuration is valid and their organization has ownership of the email domain.

Note: The email recipient has 30 minutes to access the verification URL. If the recipient does not access the verification within 30 minutes, the Identity Provider configuration is removed and the organization reverts to using the AMPLIFY Platform for authentication.

The link in the email takes the recipient to the Platform Sign In page. The user enters their email address and is redirected to their Identity Provider's login page to sign in with their credentials. The user is then returned to the Platform with a message that domain ownership has been successfully confirmed. Clicking Continue to AMPLIFY Platform logs them into that organization. Organization administrators will then see the domain as verified on the Identity Provider configuration page.

Any user with an email address on the verified domain will then be able to log in to AMPLIFY Platform with their Identity Provider credentials and will be added to the organization. The default role assignment if the user is not already a member of the organization is Developer. These users' roles and team membership can be managed on the organization's Members page.

Add Another Domain

An organization administrator can associate additional domains managed by their Identity Provider. If the domain you want to configure is not displayed, invite a user whose email address is on that domain to the organization. There can be only one pending domain at a time.

Once configured, the Identity Provider page shows a list of domains with their status (pending or verified) and the configuration settings for the Identity Provider.

Remove an Associated Domain

The organization administrator can delete verified or pending email domains by selecting Remove from the Actions menu. 

All users on the associated domain(s) will revert to using the AMPLIFY Platform for authentication.

Delete an Identity Provider

The organization administrator can delete the Identity Provider by clicking Delete from the Actions (...) menu in the Identity Provider page. Deleting the Identity Provider is a permanent and irreversible action.

 

When a configured Identity Provider deletion is initiated, a confirmation dialog is presented. The organization administrator must type their email address to confirm they understand that this action will permanently delete the configuration and all users on the associated domain(s) will revert to using the AMPLIFY Platform for authentication.

Troubleshoot an Identity Provider

A Session Invalidated message may appear in two situations. The first is when one of the configured Attribute Mappers contains an invalid value.

The organization administrator must edit the Identity Provider configuration value in the Dashboard from the Action menu. When the changes are saved, the configured email recipient will receive a new verification email since the previous one is no longer valid, and the 30 minute timer for verification is reset.

The second situation is when a user has an active session while the organization administrator configures a new Identity Provider that is then confirmed. After the domain ownership is confirmed, all other users whose accounts are on that domain are logged out and shown this message.

The user must sign in with their Identity Provider credentials.
