This page is only accessible in the Identity Management Portal, while logged in at host level with a user that has the System Administrator role.
Important!
Restart the IIS server after performing any configuration changes within Identity Server.
The Google Tab
Note:
Google OpenID Connect authentication only works if Orchestrator is set up on a top-level domain.
Field | Descriptions |
---|---|
Enabled | When selected, it enables Google OpenID Connect authentication. By default, this check box is not selected. |
Display Name | The name displayed in the Login page for the Google OpenID Connect authentication. |
Client ID | The OAuth 2.0 client ID that Google issues when you create credentials for Orchestrator in Google's developer console. Google OpenID Connect authentication cannot work without the matching Client Secret. |
Client Secret | The OAuth 2.0 client secret issued together with the Client ID. It is a credential: store it only here, never in tickets or chat. Google OpenID Connect authentication cannot work without the matching Client ID. |
Save | Saves the changes you made to the Google OpenID Connect authentication. |
Read this page for more information about Google OpenID Connect authentication settings.
The Windows Tab
Field | Descriptions |
---|---|
Enabled | When selected, it enables Windows authentication. By default, this check box is not selected. |
Force automatic login using this provider | When selected, users are signed in with their Windows credentials automatically instead of choosing a provider on the Login page. The value of this parameter is set during the installation or upgrade process. |
Display Name | The name displayed in the Login page for the Windows authentication. |
Save | Saves the changes you made to the Windows authentication. |
Read this page for more information about Windows authentication settings.
The AzureAD Tab
Note:
It is not recommended to use Microsoft Azure AD and Windows AD on the same Orchestrator instance.
Field | Descriptions |
---|---|
Enabled | When selected, it enables Azure Active Directory authentication. By default, this check box is not selected. |
Display Name | The name displayed in the Login page for the Azure Active Directory authentication. |
Client ID | The Application Id associated with the registered Orchestrator in an Azure Active Directory. |
Client Secret | The Client Secret obtained by registering Orchestrator in an Azure Active Directory. This cannot work without the Client ID. |
Authority | A URL that identifies the directory from which Identity Server requests tokens. It is composed of the identity provider instance and the sign-in audience for the app, and possibly the Azure AD tenant ID. Common authorities: https://login.microsoftonline.com/<tenant>, where <tenant> is the tenant ID of the Azure AD tenant or a domain associated with that tenant, which signs in only users of that organization; https://login.microsoftonline.com/common, which signs in users with work and school accounts from any Azure AD tenant, as well as personal Microsoft accounts. Use the tenant-specific authority unless you intentionally want accounts from outside your tenant to be able to authenticate. |
Logout URL | The Logout URL obtained by registering Orchestrator in an Azure Active Directory. This is the URL where the external identity provider listens for incoming logout requests and responses. |
Save | Saves the changes you made to the Azure Active Directory authentication. |
Read this page for more information about Azure Active Directory authentication settings.
The SAML Tab
Field | Descriptions |
---|---|
Enabled | When selected, it enables you to authenticate using SAML 2.0. By default, this check box is not selected. |
Display Name | The name displayed in the Login page for the SAML 2.0 authentication. |
Service Provider Entity ID | The globally unique identifier of Identity Server as a SAML Service Provider. The same value must be registered for Orchestrator on the identity provider side. |
Identity Provider Entity ID | The Entity ID of the external identity provider, as shown in its portal (or metadata) after you register Orchestrator there. It must match the Issuer of the SAML responses Identity Server receives. |
Single Sign-On Service URL | The single sign-on URL (the identity provider's SSO endpoint) obtained by configuring Orchestrator in the External Identity Provider's portal. Identity Server sends its authentication requests to this URL. |
Allow unsolicited authentication response | When selected, Identity Server (the service provider) accepts SAML responses that it did not request, which is what identity-provider-initiated sign-in needs. Such responses cannot be matched to an outstanding authentication request, so leave this cleared unless your identity provider initiates sign-in. |
Return URL | The URL to be used by the service provider to redirect you to Orchestrator after successfully authenticating in the Login page. |
External user mapping strategy | The SAML attribute used to map the authenticated subject to an Orchestrator user. The following options are available: By user email (default), where the user's email address is the mapping attribute; By username, where the username is the mapping attribute; By external provider key, where an external provider key is the mapping attribute. ADFS, Google, and OKTA all send your email address as the SAML attribute. Read here more about custom mapping attributes. |
SAML binding type | The transport mechanism for the messages exchanged with the configured SAML identity provider. The following options are available: HTTP redirect (default), where SAML protocol messages are carried deflated and base64-encoded in URL query parameters, so they also end up in browser history and in any proxy or web server log that records full URLs; HTTP POST, where SAML protocol messages are carried base64-encoded in an HTML form body; Artifact, where a SAML request or response (or both) is transmitted by reference as a unique identifier that the receiving party resolves with the sender over a back channel. |
Signing Certificate > Store name | The Signing Certificate is the certificate with which the external identity provider signs its SAML messages; Identity Server uses it to validate those signatures, so only the identity provider's public certificate needs to be present in the store. Store name is the Windows certificate store in which Identity Server looks for it. The following options are available: My (the Personal store; default), TrustedPublisher (Trusted Publishers), TrustedPeople (Trusted People), Root (Trusted Root Certification Authorities), Disallowed (Untrusted Certificates), CertificateAuthority (Intermediate Certification Authorities), AuthRoot (Third-Party Root Certification Authorities), AddressBook (Other People). |
Signing Certificate > Store location | The store location in which Identity Server looks for the certificate. The following options are available: LocalMachine (the local machine's certificate store; default) or CurrentUser (the certificate store of the account the Identity Server process runs under, not of the administrator who imported the certificate). |
Signing Certificate > Thumbprint | The SHA-1 thumbprint shown for the certificate in the Windows certificate store, with all the spaces between the characters removed. Details here. |
Service Certificate > Store name | The Service Certificate is the certificate the service provider (Identity Server) uses for encrypted assertions; decrypting them requires the private key, so this certificate must be imported together with its private key. Store name is the Windows certificate store in which Identity Server looks for it. The following options are available: My (the Personal store; default), TrustedPublisher (Trusted Publishers), TrustedPeople (Trusted People), Root (Trusted Root Certification Authorities), Disallowed (Untrusted Certificates), CertificateAuthority (Intermediate Certification Authorities), AuthRoot (Third-Party Root Certification Authorities), AddressBook (Other People). |
Service Certificate > Store location | The store location in which Identity Server looks for the certificate. The following options are available: LocalMachine (the local machine's certificate store; default) or CurrentUser (the certificate store of the account the Identity Server process runs under, not of the administrator who imported the certificate). |
Service Certificate > Thumbprint | The SHA-1 thumbprint of the certificate, with all the spaces between the characters removed. Details here. |
Save | Saves the changes you made to the SAML 2.0 authentication. |
Read this page for more information about single sign-on authentication settings using SAML 2.0. Check out the specific configuration needed for ADFS, Google and OKTA authentication settings.
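The Store location, Store name and Thumbprint fields above only tell Identity Server where to look; nothing on the tab confirms that a usable certificate is actually there. The PowerShell below is an added example for this page, not code from UiPath or the Orchestrator product. It assumes you run it on the Orchestrator host with an account that can read the chosen certificate store, and every thumbprint in it is a placeholder. It normalizes a thumbprint the way the Thumbprint field expects (spaces removed, plus the invisible left-to-right mark that the Windows certificate dialog often includes when you copy the value), looks the certificate up at the same store path Identity Server will use, and flags expiry and, for the Service Certificate, a missing private key. The last helper lets you confirm that the Signing Certificate in the store is the one published in the identity provider's metadata.

```powershell
# Added example (not UiPath code): validate the certificates referenced on the SAML tab.
# All thumbprints below are placeholders; replace them with your own values.

function Get-NormalizedThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Remove whitespace and the invisible left-to-right mark (U+200E) / BOM that
    # certlm.msc and certmgr.msc prepend when the thumbprint is copied from the
    # certificate dialog. Identity Server expects the bare hex string.
    return ($Thumbprint -replace '[\s\u200E\u200F\uFEFF]', '').ToUpperInvariant()
}

function Test-IdentityServerCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [ValidateSet('LocalMachine', 'CurrentUser')][string]$StoreLocation = 'LocalMachine',
        [string]$StoreName = 'My',
        # Set for the Service Certificate: decrypting assertions needs the private key.
        # Leave unset for the Signing Certificate: the IdP's public certificate is enough.
        [switch]$RequirePrivateKey
    )
    $tp   = Get-NormalizedThumbprint $Thumbprint
    $path = "Cert:\$StoreLocation\$StoreName\$tp"   # same lookup Identity Server performs
    $result = [ordered]@{
        Path          = $path
        Found         = $false
        Subject       = $null
        NotAfter      = $null
        HasPrivateKey = $false
        Problems      = @()
    }
    if (-not (Test-Path -Path $path)) {
        $result.Problems += "no certificate with thumbprint $tp in $StoreLocation\$StoreName"
        return [pscustomobject]$result
    }
    $cert = Get-Item -Path $path
    $result.Found         = $true
    $result.Subject       = $cert.Subject
    $result.NotAfter      = $cert.NotAfter
    $result.HasPrivateKey = $cert.HasPrivateKey
    $now = Get-Date
    if ($cert.NotAfter -lt $now)  { $result.Problems += "expired on $($cert.NotAfter)" }
    if ($cert.NotBefore -gt $now) { $result.Problems += "not valid before $($cert.NotBefore)" }
    if ($RequirePrivateKey -and -not $cert.HasPrivateKey) {
        $result.Problems += 'no private key: Identity Server cannot decrypt assertions with it'
    }
    return [pscustomobject]$result
}

function Get-ThumbprintFromMetadataCert {
    # Takes the base64 content of the <ds:X509Certificate> element from the IdP's
    # SAML metadata and returns that certificate's thumbprint.
    param([Parameter(Mandatory)][string]$Base64Der)
    $bytes = [Convert]::FromBase64String(($Base64Der -replace '\s', ''))
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    return $cert.Thumbprint
}

# --- usage with placeholder thumbprints (not real certificates) ---
$signingTp = '00 11 22 33 44 55 66 77 88 99 00 aa bb cc dd ee ff 00 11 22'   # as copied from the dialog
$serviceTp = '0011223344556677889900AABBCCDDEEFF001122'

$signing = Test-IdentityServerCertificate -Thumbprint $signingTp -StoreLocation LocalMachine -StoreName My
$service = Test-IdentityServerCertificate -Thumbprint $serviceTp -StoreLocation LocalMachine -StoreName My -RequirePrivateKey
$signing, $service | Format-List

# Value to paste into the Thumbprint field:
Get-NormalizedThumbprint $signingTp

# Paste the <ds:X509Certificate> value from the IdP metadata here to cross-check
# the Signing Certificate (left empty as a placeholder).
$idpCertBase64 = ''
if ($idpCertBase64) {
    $fromMetadata = Get-ThumbprintFromMetadataCert $idpCertBase64
    if ($fromMetadata -ne (Get-NormalizedThumbprint $signingTp)) {
        Write-Warning "Store certificate $signingTp does not match the IdP metadata certificate $fromMetadata"
    }
}
```

HasPrivateKey being true only means a private key is associated with the certificate; the IIS application pool identity that runs Identity Server must also be granted read access to that key (Manage Private Keys in certlm.msc), or decryption of assertions still fails. As the note at the top of this page says, restart IIS after saving the settings.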
See Also
External Identity Providers