HelloID

The name of this IdP. Shown on the login screen.

Disabled IdPs are not available for authentication, and are not shown on the login screen. (The Local IdP cannot be disabled, to prevent you from being locked out of HelloID.)

Whether this IdP is shown on the user login screen.

Users logging into this IdP will have a new user account created in HelloID, if one does not already exist.

Upload a new icon for this IdP. Shown on the login screen.

The external URL to which HelloID sends all authentication requests.

The URL to which users will be routed when they log out of HelloID. Leave this blank to route them back to the HelloID login screen.

Whether to hide or show this IdP on the login screen, based on the configured restriction(s). See Show/hide IdPs (client restrictions).

The IP ranges for which this IdP will either be hidden or shown.

The browser types for which this IdP will either be hidden or shown.

Requires the response from the IdP to be signed with the selected certificate.

Verifies that the SAML assertion was issued within an acceptable time period. If not, authentication fails.

Verifies that the Auth ID sent from HelloID is correctly sent back in the SAML response. If not, authentication fails.

Enable if you plan to use a different certificate to sign the IdP response. (optional, advanced use only)

Enable if you plan to use a different certificate to decrypt the IdP response. (optional, advanced use only)

The IdP mapping set to use for this IdP. See IdP mapping sets.

The HelloID URL to which SAML assertions will be sent.

The base URL of your HelloID instance (e.g., https://company.helloid.com)

Enable if the IdP only allows starting the login flow from its side.

A "binding" is how a SAML requester and responder communicate. Two kinds of bindings are support: Redirect and POST. Your chosen IdP will most likely define which binding they support. The default setting, Redirect, sends SAML protocol messages as URL query parameters. POST sends SAML protocol messages as base64-encoded content through an HTTP-POST message.

The certificate that HelloID will use to encrypt the authentication request.

The certificate that the IdP will use to encrypt the response (optional, advanced use only).

The certificate that HelloID will use to decrypt the response (optional, advanced use only).

The AD configuration to use with this IdP. AD configurations are created when you set up AD sync.

The Application (client) ID value provided by Azure AD.

The Application (client) Secret value provided by Azure AD.

Additional scopes to request when authenticating with Azure AD.

Domain hint directives to send along with authentication requests.

Store the on-behalf-of and on-behalf-of-refresh tokens as Custom user attributes. These tokens can then be passed into Applications, to directly access the Azure Graph API on behalf of the users, without requiring re-authentication.

The URL which the user will be redirected to.

AD Agent IdP only. Enable if your organization is using SSRPM for Active Directory self-service password resets. When enabled, and a SSRPM URL is specified, users are redirected to your organization's SSRPM portal when they click the 'Forgot your password?' link on the HelloID login page.

Display a custom message to users on the login screen. Only available for AD Agent IdP and Local IdP types.