Adding an Identity Provider
Important:
Perform the following general tasks in sequential order to add an external identity provider:
| • | Step 1: Creating a SAML 2.0 Application in Your Identity Provider |
| • | Step 2: Setting Up an Identity Provider in Flexera One |
| • | Step 3: Setting Up Your Identity Provider SSO |
| • | Step 4: Testing Your Identity Provider SSO |
Step 1: Creating a SAML 2.0 Application in Your Identity Provider
To create a SAML 2.0 application in your identity provider, perform the following steps.
To create a SAML 2.0 application in your identity provider:
| 1. | Use your administrative privileges in your organization’s identity provider to create a new application using SAML 2.0. |
| 2. | In your identity provider’s general settings, enter and save the following: |
| • | Application name |
| • | Application logo (optional) |
| 3. | In your identity provider’s SAML settings, complete the following fields (the field names may vary, depending on your provider) with temporary values in an http:// format. You will later populate these fields with actual values. |
| • | Single Sign-On (SSO) URL—Also known as Assertion Consumer Service (ACS) URL, ACS (Consumer) URL Validator, and Sign-On URL. |
| • | Audience URI (Service Provider Entity ID)—Also known as Issuer ID, Identifier (Entity ID), Issuer ID. |
| 4. | In your identity provider’s SAML settings, download the x.509 certificate. Flexera One accepts the following certification file extensions: |
.cer
.cert
.crt
.pem
.txt
| 5. | Save all SAML settings. |
Step 2: Setting Up an Identity Provider in Flexera One
Perform the following steps to set up an identity provider in Flexera One.
To set up an identity provider in Flexera One:
| 1. | Sign in to Flexera One (for details, see Log In to Flexera One or Reset Your Password). |
| 2. | Go to Administration and click Identity Providers. |
| 3. | On the Identity Providers screen: |
| • | If adding a new identity provider, click New Identity Provider. |
| • | If editing an existing identity provider, select your identity provider’s listing on the left and click Edit. |
| 4. | In the new identity provider record, click the General tab and complete the following fields. |
|
Field |
Description |
||||||||||||
|
Name* |
Enter the display name of your identity provider. Example: ABC Identity Provider |
||||||||||||
|
IDP SSO URL* |
From your identity provider, copy and paste into this field the endpoint responsible for receiving SAML AuthnRequest messages. This is the URL Flexera One’s sign in process uses to verify your users and log them in. Depending on your identity provider, this URL may also be called:
Example: https://mysamlprovider.com/exjo2H0GTZ357 |
||||||||||||
|
Issuer URI* |
Enter this global unique identifier for SAML entities to your identity provider SAML application setup. Depending on your identity provider, this value may also be called:
Example: https://mysamlprovider.com/exjo2H0GTZ357 |
||||||||||||
|
Discovery Hint |
Enter unique values to help users navigate more quickly to your organization’s federated identity provider sign-in page. Note:If you include special characters in the Discovery Hint, be aware that following characters (including spaces) are the only permissible special characters: |
||||||||||||
|
Signature Certificate* |
Drag and drop to upload, or browse for your identity provider’s Privacy Enhanced Mail (PEM) encoded public key certificate (x.509 certificate) that is used to verify SAML message and assertion signatures. |
||||||||||||
|
Logout Redirect URL |
When you sign in to Flexera One through your organization's identity provider, you will be directed to a logout redirect URL when your session ends. A Flexera One session may end when you log out or when your session expires due to inactivity. If no logout redirect URL is set, you will be directed to the Flexera One sign in page when your session ends. One suggested use for this feature is to set the logout redirect URL to the homepage of your organization's identity provider. An https:// URL is strongly recommended. However, an http:// URL is also valid). Note:When the logout redirect URL is changed, it only affects newly created sessions after the update. Any session already active during the update will not be affected by the update. To observe the changed behavior, log out of Flexera One, then sign in to Flexera One again through the identity provider and when that session ends, the new logout redirect value will be active. |
Note:All fields marked with an asterisk (*) are required.
| 5. | If you click the Show Advanced Settings link, the following additional fields are displayed. The default options are noted below for your reference. Changes to these settings are rarely required. You only need to reveal these settings if changes are needed. |
|
Field |
Description |
|||||||||
|
Request Binding |
Select the SAML Authentication Request Protocol binding used by your identity provider to send SAML AuthnRequest messages to the IDP.Enum.
|
|||||||||
|
Request Signature Algorithm |
Select the signature algorithm used to sign SAML AuthnRequest messages sent to the IDP.Enum.
|
|||||||||
|
Response Signature Algorithm |
Select the minimum signature algorithm when validating SAML assertions issued by the IDP.Enum.
|
|||||||||
|
Response Signature Verification |
Select the protocol to use when authenticating users from this IDP.Enum.
|
|||||||||
|
Sign Authorization Request (optional) |
Select this option if you wish to have Flexera One enable signing AuthnRequest (authentication request) messages to your identity provider. Signing these AuthnRequest messages increases the security of your transactions between your identity provider and Flexera One.
|
| 6. | Click Save. |
| 7. | Continue with the steps in Step 3: Setting Up Your Identity Provider SSO. |
Step 3: Setting Up Your Identity Provider SSO
Perform the following steps to set up your identity provider single sign-on.
To set up your identity provider single sign-on:
| 1. | In your identity provider’s SAML settings, complete the following fields: |
|
Field |
Description |
|
Single Sign-On URL This field is also known as Assertion Consumer Service (ACS) URL, ACS (Consumer) URL Validator, or Sign‑On URL. |
Copy the Assertion Consumer Service (ACS) URL from Flexera One into this field. The information to be copied is generated in step 4 of Step 2: Setting Up an Identity Provider in Flexera One. |
|
Audience URI (Service Provider Entity ID) This field is also known as Issuer ID, Identifier (Entity ID), or Issuer ID. |
Copy the Service Provider Entity ID from Flexera One into this field. The information to be copied is generated in step 4 of Step 2: Setting Up an Identity Provider in Flexera One. |
Note:The field names may vary, depending on your provider.
| 2. | Save all your settings. |
Step 4: Testing Your Identity Provider SSO
To test your identify provider single sign-on, perform the following steps.
To test your identify provider SSO:
| 1. | Complete all the steps for Adding a Domain and Verifying a Domain With a TXT Record. |
| 2. | Follow your external identity provider vendor’s instructions for assigning a user or group to test their access to the single sign-on application. |