You can configure IDaaS as an Identity Provider to be used with other IDaaS accounts. When configured, users log into IDaaS as an IDP and are then redirected to another IDaaS account. You might want to do this in some of the following situations:
● Your IDaaS Consumer bundle does not include access to AD Sync and you want your administrators to use your internal Active Directory to manage AD passwords. In this example, configure an IDaaS account as an IDP to use user account and password information from Active Directory with IDaaS access. You must enable multi-factor authentication on the IDP.
● You have multiple IDaaS accounts (for example, development, test, and production accounts). In this example, you can redirect the development and test accounts to the production account using IDP login credentials.
● You have a B2B scenario (both IDaaS accounts) where one business accesses the other business applications using their own IDP login credentials.
Add a generic OIDC and OAuth Web application for the IDaaS IDP account
1. Log in to an Identity as a Service account with a role assigned that allows you to configure applications on Identity as a Service.
2. Click > Security > Applications. The Applications List page appears.
3. Click Add. The Select an Application Template page appears.
4. Under OpenID Connect and OAuth Cloud Integrations, click Generic Web Application. The Add Generic Web Application page appears.
5. Change the Application Name and Application Description to reflect the custom application you are configuring for SSO through Identity as a Service.
6. Optional. Add a custom application logo, as follows:
a. Click next to Application Logo. The Upload Logo dialog box appears.
b. Click to select an image file to upload.
c. Browse to select your file and click Open. The Upload Logo dialog box displays your selected image.
d. If required, resize your image.
e. Click OK.
7. Click Next. The Settings page appears.
8. Copy the Client ID and the Client Secret to a text file. You need these values for Step 3: Create an Identity Provider for IDaaS.
9. From the Token / Revocation Endpoint Client Authentication Method drop-down list, select Client Secret Post.
10. From the Subject ID Attribute drop-down list, select User ID.
11. Click Add to add a Login Redirect URI and enter the URL of the IDaaS account that is using this Identity Provider, for example: https://<tenant_name>/idp/api/oidc/callback. Copy this URL because you need it in Step 3: Create an Identity Provider for IDaaS.
12. In the Authentication Settings, do the following:
a. Optional. Select Require Consent to prompt users for consent during authentication.
b. Optional. Enter a Consent Message to include a message to users when consent is requested.
c. Optional. Enter the Max Authentication Age (seconds), the maximum amount of time that can elapse before the user is prompted to complete a different authentication challenge. The setting is disabled when no value is entered.
d. Under Grant Types, select Authorization Code.
13. Select the following Supported Scopes:
● Your unique identifier (selected by default). If disabled, the OIDC application strictly uses an access token that can be used to access a resource server API on behalf of a user.
● Email address
● Profile information
14. Optional. If required, modify or add additional Supported Claims to map OIDC claims to Identity as a Service user attributes. For example, to assign an IDaaS role to the client side during IDP Authentication, map the role claim to the User Related Attribute Role.
The supported claims define the claims that the client requests during an authorization request. A claim is mapped to an Identity as a Service user attribute, for example, First Name.
The default claims are:
● family_name
● given_name
● name
● phone_number
You can derive claim values based on multiple user attributes and static text. For example, the default claim, name, includes the user attribute First Name, a text-based value of a space and the user attribute value of Last Name so that the claim returned to the client is First Name <space> Last Name, for example Alice Gray.
15. Ensure that you have already created the required User Attributes in Identity as a Service (see Create and manage user attributes).
16. To add a claim:
a. Click . The Add Claim dialog box appears.
b. From the Open ID Claim list, select the claim you want to associate with an attribute.
Tip: Click the filter icon to filter the list of claims.
c. From the Association Type drop-down list, select one of the following:
– User Attribute Value—An Identity as a Service user attribute (see Create and manage user attributes)
– Text Based Value—A text-based value, for example, to add a space between two claims or to add text information.
– Related Value—Include user group or authenticator attributes. See Configure OIDC claim to include user authenticators or groups.
d. Select or enter the attribute Association Value.
– If you set Association Type to Text-Based Value, enter a text value for the attribute to associate with the OpenID Claim.
– If you set Association Type to User Attribute Value, select an Identity as a Service attribute to associate with the OpenID Claim.
– If you set Association Type to Related Value, select Groups or Authenticators to associate with the OpenID Claim.
17. Click Submit.
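The following is an added example, not code from the IDaaS product or its documentation. It models how the IDP account's generic OIDC application assembles ID token claims from the Subject ID Attribute (step 10), the Supported Scopes (step 13) and the Supported Claims and their Association Types (steps 14 to 16), including the derived name claim. The user record, the scope-to-claim table and the role mapping are constructed assumptions for the example.

```python
# Added example: models how the IDP account's generic OIDC application assembles
# ID token claims from Supported Scopes (step 13), Supported Claims (steps 14-16)
# and the Subject ID Attribute (step 10). Structures and names are constructed.

# Claim mapping: each claim is an ordered list of parts, mirroring Association Type
# in step 16c: ("attr", user attribute), ("text", literal) or ("related", field).
CLAIM_MAPPINGS = {
    "family_name": [("attr", "Last Name")],
    "given_name": [("attr", "First Name")],
    "name": [("attr", "First Name"), ("text", " "), ("attr", "Last Name")],
    "phone_number": [("attr", "Mobile")],
    "email": [("attr", "Email")],
    "role": [("related", "role")],   # role claim mapped to the user's IDaaS role
}
# Which claims each scope releases (constructed assumption for this example).
SCOPE_CLAIMS = {
    "profile": {"family_name", "given_name", "name", "phone_number", "role"},
    "email": {"email"},
}

def derive_claim(parts, user):
    """Concatenate the parts in order, as the Association Value list does."""
    out = []
    for kind, value in parts:
        if kind == "attr":        # User Attribute Value
            out.append(str(user["attributes"].get(value, "")))
        elif kind == "text":      # Text Based Value
            out.append(value)
        else:                     # Related Value (groups, authenticators, role)
            rel = user.get(value, "")
            out.append(",".join(sorted(rel)) if isinstance(rel, (list, set)) else str(rel))
    return "".join(out)

def build_id_token_claims(user, mappings, requested_scopes):
    """Return the claims the IDP would place in the ID token for these scopes."""
    scopes = set(requested_scopes.split())
    if "openid" not in scopes:   # the openid scope is mandatory for authentication
        raise ValueError("openid scope is mandatory")
    claims = {"sub": user["user_id"]}   # Subject ID Attribute = User ID
    released = set().union(*(SCOPE_CLAIMS.get(s, set()) for s in scopes))
    for claim, parts in mappings.items():
        if claim in released:
            claims[claim] = derive_claim(parts, user)
    return claims
```

Requesting only openid yields a token carrying nothing but sub, which is why the consuming account must request email and profile (and the role ID token claim) to populate and match users.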
Create an Identity Provider for IDaaS
1. Click > Security > Identity Providers. The Identity Providers List page appears.
2. Click Add and then select Generic from the drop-down list. The Add Identity Provider page appears.
3. Configure the Identity Provider Settings, as follows:
a. Enter a Name for your Identity Provider.
b. Enter the Client ID you created in Step 1: Create a generic OIDC and OAuth Web application.
c. Enter the Client Secret you created in Step 1: Create a generic OIDC and OAuth Web application.
d. From the Client Authentication Method drop-down list, select Client Secret Post.
e. In the Issuer URL field, enter https://<idp_tenant_name>/api/oidc. This is based on the IDaaS OIDC and OAuth Web application account you created in Step 1: Create a generic OIDC and OAuth Web application.
4. Click Fetch Configuration to obtain the OIDC Endpoints.
5. Enter the Scopes. OIDC sends scopes to the Identity Provider to retrieve information. Separate each scope with a space.
a. Associated with each scope are claims. The Identity Provider returns multiple claims based on the requested scopes. The openid scope is mandatory to do authentication.
b. Enter email and profile if those scopes are used to set user attributes.
c. In the ID Token Claims field, enter role. If there is more than one ID Token Claim, separate each value with a space. Leave this blank to omit this feature.
ID token claim requests from the Identity Provider name specific claims that can also be requested for inclusion in the returned ID token. This can be used in addition to the requested scopes.
d. Enter the User Information Claims. Separate each value with a space. Leave this setting blank to omit the feature.
User information claim requests from the Identity Provider name specific claims that can also be requested for inclusion in the returned userinfo response. This can be used in addition to the requested scopes.
6. Configure Branding as follows:
a. Enter the Login Button Text. This is the text that appears on the IDaaS log in page.
b. If your Identity Provider has a login button image, enter the URL in the Login Button Image field. The login button appears on the IDaaS log in page.
7. Configure User Management.
a. Select Create User to create the user whose information is returned from the Identity Provider if it does not already exist.
Attention: Create user allows anyone with access to your chosen Identity Provider to create a user in your IDaaS account. Depending on your IDaaS configuration, new users created by your IDP will be able to access all the resources controlled by your IDaaS account. This may be a concern if your Identity Provider has no limits on who can create an account or if it has a large userbase. Analyze the risks before enabling this option.
b. Select Update User (Authentication) to update the IDaaS user to match the Identity Provider during authentication.
If you select Update User (Authentication), the IDaaS system user attributes and any existing IDaaS custom user attributes can be set based on claim mappings. After user authentication, if the user exists in IDaaS, IDaaS compares the attributes of the existing user to the claims returned from the Identity Provider. If they are different, the IDaaS user attributes are updated with the claim values.
i) The following system attributes are mandatory in IDaaS by default:
– Email: email
– First name: given_name
– Last name: family_name
ii) If they do not exist in your Identity Provider account, you must add them to your user profiles or make them optional in IDaaS. See your Identity Provider documentation for information on how to add a new user or update an existing user profile.
c. Optional. Select Update User (Verification) to update the IDaaS user to match the Identity Provider during Identity Provider verification (if verification is used by the Identity Provider).
If you select Update User (Verification), the IDaaS system user attributes and any existing IDaaS custom user attributes can be set based on claim mappings. After user verification, the IDaaS user attributes are updated with the claim values.
8. Configure Groups and role mapping.
a. Select applicable groups from the Select Group drop-down list to assign created users to groups.
b. In the Group Mapping field, enter the claim containing the group membership for users.
Only existing groups are mapped. If a group is not found, it is not mapped. The mapping does not remove any existing groups. If group mapping is not configured, existing groups remain.
Attention: Group Mapping allows anyone with access to this Identity Provider to have their IDaaS groups include the groups defined by the Identity Provider. Groups set the policies applied to users. Enabling this setting could result in users having access to unexpected policies, especially if the Identity Provider has different user access policies than IDaaS. Analyze the risks before configuring this option.
c. In the Role Mapping field, enter the claim containing the role membership for users.
Only existing roles are mapped. If the role is not found, it is not mapped. The mapping does not remove an existing role. If a role is mapped and is different from the existing role, the existing role is replaced. If role mapping is not configured and a role already exists, the existing role remains.
Attention: Role Mapping allows anyone with access to this Identity Provider to have their IDaaS account role defined by the Identity Provider, including the super administrator role that has access to all the resources controlled by your IDaaS account. Enabling this setting could result in unexpected access, especially if your Identity Provider has different user access policies than IDaaS. Analyze the risks before configuring this option.
Note: If any system attributes are mandatory, a claim value must be mapped to each of them if users are being created. If a claim value is not mapped, user creation fails. In addition, claim values must be valid (for example, the Email attribute requires a valid email address). Before mapping claims to attributes, ensure that the claim value exists with your Identity Provider; this includes mandatory custom user attributes.
9. Configure User Authentication as follows:
a. Select Enabled for User Authentication.
During authentication, the Identity Provider returns a claim value that is used to find the IDaaS user based on a user attribute. The attribute mappings in the claim must uniquely identify the IDaaS user for mapping to be successful. If mapped successfully, the Identity Provider can be used as an alternative authentication method.
b. In the Domains field, enter the domains returned from the OIDC Identity Provider after authentication. When set, any user ID ending with one of the domains (for example, user@mycompany.com) is linked to the Identity Provider. Separate each domain with a space.
c. From the drop-down list, select the User Attribute used to identify the user, that is, the attribute to which a claim returned from the Identity Provider is mapped to locate the IDaaS user (for example, User ID/Alias).
d. Enter the Claim used to identify the user (for example, email).
Example: If you set User ID/Alias as the user attribute, and you set email as the claim to use, the email address is then used to locate the user in IDaaS using the user's User ID/Alias value.
e. Optional. Configure System User Matching and Custom User Match Mapping.
– Every configured attribute must match: the Identity Provider claim value and the IDaaS user attribute must both exist and be equal.
– User matching is case-insensitive.
10. Do not enable User Verification.
11. Click Save.
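The following is an added example, not code from the IDaaS product or its documentation. It models, on the consuming account's side, the User Management (step 7), Group and Role Mapping (step 8) and User Authentication (step 9) rules as this page describes them: domain linking, case-insensitive unique matching, creation only when the mandatory attributes carry valid claim values, additive group mapping restricted to existing groups, and role replacement restricted to existing roles. The user records, claim names and configuration keys are constructed assumptions.

```python
# Added example: models the User Management (step 7), Group and Role Mapping
# (step 8) and User Authentication (step 9) rules applied to the claims the
# IDaaS Identity Provider returns. Records, claim names and settings are constructed.
import re

MANDATORY = {"email": "Email", "given_name": "First Name", "family_name": "Last Name"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def apply_idp_claims(claims, cfg, users, groups, roles):
    """Create or update the matching IDaaS user in `users` and return it."""
    ident = str(claims.get(cfg["match_claim"], ""))
    # 9b: only user IDs in a configured domain are linked to this Identity Provider.
    if cfg["domains"] and not any(
            ident.lower().endswith("@" + d.lower()) for d in cfg["domains"]):
        raise PermissionError("user is not in a domain linked to this IDP")
    # 9c/9d: match the claim against the chosen attribute, case-insensitively;
    # the match must identify exactly one user.
    found = [u for u in users
             if str(u.get(cfg["match_attr"], "")).lower() == ident.lower()]
    if len(found) > 1:
        raise LookupError("claim does not uniquely identify an IDaaS user")
    user = found[0] if found else None
    if user is None:
        if not cfg["create_user"]:   # 7a disabled: unknown users cannot log in
            raise LookupError("no matching user and Create User is disabled")
        # Mandatory system attributes need a mapped, valid claim or creation fails.
        for claim, attr in MANDATORY.items():
            if not claims.get(claim):
                raise ValueError(f"mandatory attribute {attr} has no claim value")
        if not EMAIL_RE.match(claims["email"]):
            raise ValueError("Email attribute requires a valid email address")
        user = {cfg["match_attr"]: ident, "groups": set(cfg["default_groups"]),
                "role": None}   # 8a: created users join the selected groups
        users.append(user)
        update = True
    else:
        update = cfg["update_user"]   # 7b: Update User (Authentication)
    if update:   # differing claim values overwrite the stored attributes
        for claim, attr in MANDATORY.items():
            if claim in claims:
                user[attr] = claims[claim]
    # 8b: group mapping adds existing groups only and never removes any.
    if cfg["group_claim"]:
        user["groups"].update(g for g in claims.get(cfg["group_claim"], [])
                              if g in groups)
    # 8c: role mapping replaces the role, but only with a role that exists.
    if cfg["role_claim"] and claims.get(cfg["role_claim"]) in roles:
        user["role"] = claims[cfg["role_claim"]]
    return user
```

The last clause is the one the Attention notes warn about: with Role Mapping configured, whatever role claim the Identity Provider emits, including a super administrator role that exists in IDaaS, replaces the user's current role.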