Manage Identity Providers

You (superuser) can configure third-party Identity Providers (IdPs) to enable Single Sign-On (SSO) across your Juniper Cloud application portals. You can use any IdP that supports Security Assertion Markup Language (SAML) 2.0.

In addition to configuring the IdP, you can set a preferred portal for your organization. The preferred portal setting determines which application portal users are redirected to after successful SAML-based authentication. By default, the portal in which the organization was created becomes the preferred portal. For more information, see Set a Preferred Portal for an Organization.

Add an Identity Provider

You must be a superuser to configure IdP in an organization.

You can add multiple IdPs to your organization from the Settings page. If you add multiple IdPs, ensure that each user account is associated with only one IdP.

To add an identity provider for SSO:

  1. Click Organization > Settings in the navigation menu.
    The Organization Settings page appears.
  2. Click the Add IDP icon above the Identity Providers table.
    The Add Identity Provider window appears.
  3. Provide a unique name for the Identity Provider and click Add.
    The Create Identity Provider page appears.
  4. Configure the identity provider by using the guidelines in Table 1.
    Note: Use the information from your IdP’s SAML 2.0 configuration settings to fill the following fields:
    • Issuer

    • Signing Algorithm

    • SSO URL

  5. Click Save and close the window.
    The identity provider is created and listed in the Identity Providers table.
Remember:

To ensure user access, you must:

  • Create custom roles corresponding to the roles created in the IdP portal for the user. The custom roles take precedence over the roles assigned from the Administrators page. For more information, see Manage Roles.

  • Inform first-time users to log in to the organization by using the SSO URL or an IdP-initiated login method. This is necessary to establish a user's account as an SSO account.

    For subsequent logins, users can use either the SSO URL or the portal URL.

  • Avoid using the same e-mail address for both an SSO account and a local account.

  • Delete any previously created local accounts once SSO is set up.

    However, it is advised to retain at least one local user account with superuser privileges. This ensures that if there is an issue with the SSO, such as an expired certificate, at least one administrator will still have access to the organization.

Edit an Identity Provider

To edit an identity provider:
  1. Click Organization > Settings in the navigation menu.
    The Organization Settings page appears.
  2. Click the identity provider you want to edit in the Identity Providers table.
    The Edit Identity Provider page appears.
  3. Edit the identity provider by using the guidelines in Table 1.
    Note: You cannot edit the identity provider type, ACS URL, or Single Logout URL.

  4. Click Save.
    You are returned to the Organization Settings page, where you can view the changes in the Identity Providers table.

Delete an Identity Provider

After you delete an identity provider, a user can log in only by using their local Juniper Routing Assurance account.

To delete an identity provider:
  1. Click Organization > Settings in the navigation menu.
    The Organization Settings page appears.
  2. Click the identity provider that you want to delete.
    The Edit Identity Provider page appears.
  3. Click Delete.
    You are returned to the Organization Settings page, where you can verify that the identity provider has been removed from the Identity Providers table.

Field Descriptions

Table 1 lists the parameters to add identity providers to an organization.

Table 1: Parameters to Add Identity Providers

Name
    Enter a name for the identity provider.

Type
    Displays the type of identity provider. The default identity provider type is SAML and cannot be modified.

Issuer
    Enter the unique URL that identifies your SAML identity provider. You can get this information from your IdP’s SAML 2.0 configuration settings.

Name ID Format
    Select the unique identifier for the user. The options are e-mail and unspecified.
    • E-mail—The identity provider uses your e-mail address to authenticate you.
    • Unspecified—The identity provider generates a unique identifier to authenticate you.

Signing Algorithm
    Select the algorithm used to sign SAML assertions:
    • SHA1
    • SHA256 (default)
    • SHA384
    • SHA512
    You can get this information from your IdP’s SAML 2.0 configuration settings.

Certificate
    Enter the signing certificate issued by the SAML identity provider.
    Note: Download the certificate from the IdP dashboard, copy the entire text of the certificate, including the header and footer, and paste it in the field.

SSO URL
    Enter the URL to which users are redirected to the SAML identity provider for authentication. You can get this information from your IdP’s SAML 2.0 configuration settings.

Custom Logout URL
    Enter the URL to which users are redirected after logging out.

ACS URL
    The Assertion Consumer Service (ACS) URL to which the IdP sends the authentication response after the user signs in. The value is auto-generated and not editable.
    Copy the ACS URL and store it securely. You will need the URL to complete the SAML 2.0 integration in your IdP portal.

Single Logout URL
    The URL to which the identity provider redirects when a user logs out of an authentication session. The value is auto-generated and not editable.
    Copy the Single Logout URL and store it securely. You will need the URL to complete the SAML 2.0 integration in your IdP portal.
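Most IdPs export their SAML 2.0 settings as a metadata XML document; the script below is an added example (not Juniper tooling) that pulls the Issuer, SSO URL, Name ID formats and signing certificate needed for the Add Identity Provider form from such a document, wrapping the certificate in the PEM header and footer the Certificate field expects. The metadata, entityID, URLs and certificate body in it are constructed placeholders.

```python
"""Extract the Table 1 values (Issuer, SSO URL, Name ID formats, signing
certificate) from an IdP's SAML 2.0 metadata document. Added example, not
Juniper's own tooling; the metadata below is constructed for illustration."""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata (entityID, URLs and certificate body are placeholders).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".format(cert=base64.b64encode(b"constructed-not-a-real-cert" * 4).decode())


def to_pem(b64_body: str) -> str:
    """Wrap a bare base64 certificate body in the PEM header/footer that the
    Certificate field expects, re-flowed to standard 64-character lines."""
    body = "".join(b64_body.split())
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64)) + "\n-----END CERTIFICATE-----\n"


def idp_fields(metadata_xml: str) -> dict:
    """Return the values to paste into the Add Identity Provider form."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    # Only the HTTP-Redirect endpoint is usable as the SSO URL here.
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT]
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not sso or cert is None:
        raise ValueError("metadata lacks an HTTP-Redirect SSO URL or a signing certificate")
    return {
        "Issuer": root.get("entityID"),
        "SSO URL": sso[0],
        "Name ID Format": [n.text for n in idp.findall("md:NameIDFormat", NS)],
        "Certificate": to_pem(cert.text),
    }
```

Metadata usually does not state the Signing Algorithm, so take that value from the IdP's settings directly and keep the SHA256 default rather than SHA1.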