Add Cloud Identity Provider

You can add a SAML 2 identity provider as a Cloud identity provider to automatically provide authentication for users who access cloud applications, such as My Page.

Before you begin

  • You must be a Super Admin in the Cloud Administration Console.
  • At least one identity router must be deployed and configured.
  • At least one identity source must be connected to the identity router.
  • A SAML 2-capable IdP must be available in your environment .
  • Obtain the certificate.pem file from the IdP administrator. The identity router uses this certificate to validate signed assertions from the IdP.

Procedure

  1. In the Cloud Administration Console, click Users > Identity Providers.

  2. Under Cloud Identity Providers, click Add.

  3. In the Name field, enter a name for the new IdP or leave the default name.

  4. (Optional) In the Description field, enter a description for the identity provider.

  5. In the Issuer ID field, enter the idp_id (IdP identifier) string. The Issuer ID string, sometimes called the IdP Entity ID, will be provided to you by the IdP administrator. An example string is 7k3hslw5u8pw2.

  6. In the Issuer URL field, enter the URL to which SecurID sends requests.

  7. In the Audience ID field, enter the value that the identity provider inserts into SAML assertions to indicate who the assertions are intended for.

    The Audience ID must be an alphanumeric string with no special characters.
    This value must match the Audience ID you specify on the SAML 2 identity provider.

  8. In the Assertion Consumer Service (ACS) URL field, enter an ACS URL for the SAML 2 identity provider.

    This value must match the ACS URL you specify on the SAML 2 identity provider.
    Use the following format: https://ServiceProvider.example.com/ ecp_assertion_consumer.

  9. (Optional) In the Requested Authentication Context field, enter the context (a set of rules that authentication must follow).

  10. Select Sign Request if the service provider (SecurID) signs the SAML request.

    Selecting this option ensures that the IdP only accepts signed requests from the SP and rejects non-signed requests from the SP.

  11. If you selected Sign Request, click Download Certificate to download the SAML request signing certificate for this IdP and securely send it to the IdP administrator.

  12. Upload the certificate file you received from the IdP administrator (for example certificate.pem) to validate signed identity assertions from the IdP. Click Choose File. Select the certificate file you received from the IdP administrator, and click OK.

  13. Click Save and Finish to exit the wizard.

  14. (Optional) Click Publish Changes to activate the settings immediately.