Skip to main content

HelloID

Add, edit, or remove an identity provider (IdP)

For more information, see Identity providers (IdPs).

Add an identity provider (IdP)

To continue, select a tutorial below.

Important

An Active Directory Agent IdP is automatically created when you set up AD sync. Typically, it's not necessary to create one manually.

  1. Go to Security > Authentication > Identity Providers.

  2. Click Create Provider.

  3. For Active Directory - Agent, click Add.

    2022-10-12_13-44-15.jpg
  4. Select the AD Directory Configuration to use with this IdP.

  5. Enable JIT.

  6. Enable SSRPM integration.

  7. Enable login page welcome text.

  8. Click Next.

    2022-10-12_13-45-44.jpg
  9. Configure Show/hide IdPs (client restrictions).

    2022-10-12_14-47-10.jpg
  10. Click Save.

The IdP has been added.

2022-10-12_14-48-03.jpg

It is now available to users on the login screen:

2022-10-12_14-49-01.jpg

Configure Portal access rules for this IdP.

Requirements

See Active Directory (SAML) IdP requirements.

Introduction

If your organization doesn't use Active Directory Federation Services, HelloID offers a simple, free alternative IdP that runs on an IIS web server in your local domain. It provides automatic, pass-through SAML authentication to all workstations logged in to the domain via Windows Authentication.

mceclip3.png

While using the HelloID Active Directory IdP, the HelloID Agent provides an alternative login method for users and devices outside the domain, while continuing to perform its normal synchronization tasks.

Install and Configure IIS

The HelloID Active Directory IdP requires an IIS web server to be configured and available to all client machines that will use it for authentication.

In this guide, the complete process for the installation of the Web Server Role is described. If you already have an IIS server set up, you may verify its installed features against those described in this section, and then move on to the installation of the IdP.

  1. Open Server Manager.

  2. Under the Manage menu, select Add Roles and Features.

    Active_Directory__SAML__IdP.png
  3. The Add Roles and Features Wizard will open. At Before You Begin, click Next.

    Active_Directory__SAML__IdP.png
  4. At Installation Type, select Role-based or feature-based installation and click Next.

    Active_Directory__SAML__IdP.png
  5. At Server Selection,click Select a server from the server pool, then select the server pool containing the server on which you want to install IIS, and click Next.

    Active_Directory__SAML__IdP.png
  6. At Server Roles, select Web Server (IIS) and click Next.

    Active_Directory__SAML__IdP.png
  7. The Add features that are required for Web Server (IIS)? screen will open, verify that Include management tools (if applicable) is selected and click Add Features.

    Active_Directory__SAML__IdP.png
  8. The previous windows will close. Verify that Web Server (IIS) is checked and click Next.

  9. At Features, click Next.

    Active_Directory__SAML__IdP.png
  10. At Web Server Role (IIS), click Next.

    Active_Directory__SAML__IdP.png
  11. At Role Services, verify that the following Role services are selected, and then click Next. The Role Services below in bold are not selected by default, and must be selected manually.

    • Common HTTP Features

      • Default Document

      • Directory Browsing

      • HTTP Errors

      • Static Content

    • Health and Diagnostics

      • HTTP Logging

    • Performance

      • Static Content Compression

    • Security

      • Request Filtering

      • Windows Authentication (not selected by default)

    • Application Development

      • .NET Extensibility 4.5 (not selected by default)

      • ASP.NET 4.5 (not selected by default)

      • ISAPI Extensions (not selected by default)

      • ISAPI Filters (not selected by default)

    • Management Tools

      • IIS Management Console

    Active_Directory__SAML__IdP.png
  12. At Confirmation, click Install to begin the installation of IIS.

    Active_Directory__SAML__IdP.png
Install the Active Directory Identity Provider
Download and Extract the Identity Provider Files
  1. On the HelloID Administrator Dashboard, navigate to Security > Authentication > Identity Providers.

  2. In the Identity Provider Downloads section, download the Active Directory Identity Provider. This will begin a download of a ZIP file.

    Active_Directory__SAML__IdP.png
  3. Open the ADIDP.zip file and extract its contents to a folder on the IIS server. We recommend creating a new folder for this purpose, such as C:\Identity Providers\adidp\.

    Active_Directory__SAML__IdP.png
Create an IIS Application
  1. Launch the IIS Manager console.

  2. Right click on a website (e.g., Default Web Site) and select Add Application...

    Active_Directory__SAML__IdP.png
  3. Enter the following settings and click OK.

    • Alias: Use a recognizable alias for application. For example, "adidp".

    • Physical Path: Enter the path of the folder containing the contents of the ADIDP zip file.

    Active_Directory__SAML__IdP.png
Configure IIS Authentication and SSL
  1. Select the IIS website that is hosting the AD IdP application (Default Web Site in this example).

  2. Double click on Authentication.

    Active_Directory__SAML__IdP.png
  3. Disable Anonymous Authentication and Enable Windows Authentication.

    115002875193_mceclip5.png
  4. Right click on the website and select Edit Bindings...

    115002875193_mceclip6.png
  5. Click Add.

    Active_Directory__SAML__IdP.png
  6. Configure the Add Site Binding dialog and click OK.

    • Type: https

    • Port: 443

    • Host name: Enter the host name by which the IIS website will be accessed. Make note of this for later use.

    • SSL Certificate: Select the SSL certificate you wish to use to encrypt this website's traffic.

    Active_Directory__SAML__IdP.png
  7. Close the Site Bindings dialog.

    Active_Directory__SAML__IdP.png

Note: Ensure that the certificate has a Subject Alternative Name. Without one, you may get certificate errors.

mceclip0.png
Create or Import a Certificate in HelloID

Communication between the Identity Provider and HelloID must be encrypted. To do this, we can either import a certificate into HelloID, or create a self-signed certificate. For this example, we will create a self-signed certificate.

  1. On the HelloID Administrator Dashboard, navigate to Settings > Certificates.

  2. Click Create Self-Signed Certificate.

    create_cert.png
  3. Enter the fields for the new certificate and press Save to continue. Learn more about creating and using certificates here.

    Active_Directory__SAML__IdP.png
  4. Click the Details link of the new certificate.

    Active_Directory__SAML__IdP.png
  5. In the Download Certificate section, configure the following items:

    • Download As: Personal Information Exchange (.PFX)

    • Secure it with a Password: Enter a password that will be used to secure this certificate. Make note of this password for later use.

    Active_Directory__SAML__IdP.png
  6. Click the Download button.

  7. Copy the downloaded certificate to the IIS server in a new folder (e.g., C:\HelloID Certificates).

    Active_Directory__SAML__IdP.png
Add the Identity Provider to HelloID
  1. On the HelloID Administrator Dashboard, navigate to Security > Authentication > Identity Providers.

  2. Click Create Provider.

    Active_Directory__SAML__IdP.png
  3. Find the Active Directory - SAML Identity Provider, and click the Add button next to it.

    Active_Directory__SAML__IdP.png
  4. On the Portal Information tab, you have a handful of configuration options. View a complete configuration reference here.

    Active_Directory__SAML__IdP.png
  5. Make note of the Consumer URL value, as you will need it later. You may also enable Just-In-Time Provisioning (recommended).

  6. Set the other options as desired.

  7. Click Next to go to the Configuration tab.

  8. The Configuration tab lets you specify the details of your IIS IdP. Configure the following required settings and click Next. You may configure other optional settings as desired.

    • Issuer: This will be set in by the template.

      • IMPORTANT: Verify that the URL ends with a forward slash.

    • Login URL: Enter the URL of the IIS website's AD IdP application.

    • Request Certificate: Select the certificate that you created or imported in HelloID.

    Active_Directory__SAML__IdP.png
  9. The Client Restrictions tab will allow you to show or hide this IdP from the login screen based on IP or source restrictions. For example, because the IIS web server must be accessible to client machines, you may only want to show this IdP if the clients are coming from your organization's own IP address. Configure this tab as you see fit and click Save. View more information about client restrictions here.

    Active_Directory__SAML__IdP.png
Configure the IIS Application
  1. Open the IIS Manager console.

  2. Select the AD IdP application, and then double click Application Settings.

    Active_Directory__SAML__IdP.png
  3. Fill in the following fields:

    • CertificatePath: The file path of the certificate on the IIS server.

    • CertificatePwd: The password that you create for the certificate.

    • ConsumerURL: The Consumer URL value from the IdP Portal Information page in HelloID.

    • TargetURL: The URL of your HelloID Portal.

    Active_Directory__SAML__IdP.png
Test the Configuration

The configuration is now finished and may be tested on a computer that has access to both the IIS server hosting the Active Directory IdP, as well as HelloID.

Launch a browser that supports integrated authentication (e.g., Internet Explorer or Chrome) and navigate to your HelloID portal's login page. You should now see a new login option for the Active Directory IdP, as shown below.

115002875193_mceclip12.png

Click on the Active Directory - SAML login option. There will be a brief redirect, and you will be routed to the HelloID user dashboard, logged in as the Windows user. The name of the user will be displayed in the upper-right corner of the HelloID Dashboard.

115002875193_mceclip13.png
Introduction

Active Directory Federation Services (AD FS) allows your organization's users to authenticate seamlessly with HelloID and their other applications. This guide will walk you through the steps of configuring AD FS as an Identity Provider (IdP) for HelloID.

Install Active Directory Federation Services

You must first install and configure Active Directory Federation Services before using it as an Identity Provider for HelloID. Please refer to this Microsoft AD FS Deployment Guide for instructions and best practices. If you have already done this, you may move on to the next section.

Configure HelloID
Create or Import a Certificate in HelloID

Communication between the Identity Provider and HelloID must be encrypted. To do this, we can either import a certificate into HelloID, or create a self-signed certificate. For this example, we will create a self-signed certificate.

  1. On the HelloID Administrator Dashboard, navigate to Settings > Certificates.

  2. Click Create Self-Signed Certificate.

    create_cert.png
  3. Enter the fields for the new certificate and press Save to continue. Learn more about creating and using certificates here.

    Active_Directory_Federation_Services__ADFS___SAML__IdP.png
  4. Click the Details link of the new certificate.

    Active_Directory_Federation_Services__ADFS___SAML__IdP.png
  5. Click the Download button to download a copy of the certificate.

    Active_Directory_Federation_Services__ADFS___SAML__IdP.png
  6. Copy the downloaded certificate to the AD FS server in a new folder (e.g., C:\HelloID Certificates).

    Active_Directory_Federation_Services__ADFS___SAML__IdP.png
Add the Identity Provider to HelloID
  1. On the HelloID Administrator Dashboard, navigate to Security > Authentication > Identity Providers.

  2. Click Create Provider.

    Active_Directory_Federation_Services__ADFS___SAML__IdP.png
  3. Find the Active Directory Federation Services Identity Provider, and click the Add button next to it.

    Active_Directory_Federation_Services__ADFS___SAML__IdP.png
  4. On the Portal Information tab, you have a handful of configuration options. View a complete configuration reference here.

    Active_Directory_Federation_Services__ADFS___SAML__IdP.png
  5. Make note of the Consumer URL value, as you will need it later.

  6. Disable Require SAML response signature.

  7. Enable JIT if you wish (recommended).

  8. Set the other options as desired.

  9. Click Next.

  10. The Configuration tab lets you specify the details of your AD FS IdP. Configure the following required settings and click Next. You may configure other optional settings as desired.

    • Login URL: Enter the URL of the AD FS site's /adfs/ls/ endpoint.

      • IMPORTANT: Verify that the URL ends with a forward slash.

    • Request Certificate: Select the certificate that you created or imported in HelloID.

    Active_Directory_Federation_Services__ADFS___SAML__IdP.png
  11. The Client Restrictions tab will allow you to show or hide this IdP from the login screen based on IP or source restrictions. For example, because the IIS web server must be accessible to client machines, you may only want to show this IdP if the clients are coming from your organization's own IP address. Configure this tab as you see fit and click Save. View more information about client restrictions here.

    Active_Directory_Federation_Services__ADFS___SAML__IdP.png
Configure Active Directory Federation Services
  1. On the AD FS server, open the AD FS Management console.

  2. Click Add Relying Party Trust...

    Active_Directory_Federation_Services__ADFS___SAML__IdP.png
  3. The Add Relying Party Trust Wizard will open. At Welcome page, click Start.

    Active_Directory_Federation_Services__ADFS___SAML__IdP.png
  4. On the Select Data Source page, select Enter data about the relying party manually. Click Next to continue.

    Active_Directory_Federation_Services__ADFS___SAML__IdP.png
  5. Specify Display Name page, enter a recognizable Display name and click Next.

    Active_Directory_Federation_Services__ADFS___SAML__IdP.png
  6. On the Configure Certificate page, click Browse.

    Active_Directory_Federation_Services__ADFS___SAML__IdP.png
  7. In the file explorer that appears, find the certificate that you exported from HelloID. Select the certificate file and click Open.

    Active_Directory_Federation_Services__ADFS___SAML__IdP.png
  8. Verify the certificate's details that appear and click Next.

  9. On the Configure URL page, select Enable support for the SAML 2.0 WebSSO Protocol. Then, paste the Consumer URL value from the IdP Portal Information page in HelloID. Click Next to continue.

    Active_Directory_Federation_Services__ADFS___SAML__IdP.png
  10. On the Configure Identifiers page, enter your HelloID portal URL into the Relying party trust identifier text box and click Add.

    Active_Directory_Federation_Services__ADFS___SAML__IdP.png
  11. Once the relying party trust identifier has been added, click Next.

    Active_Directory_Federation_Services__ADFS___SAML__IdP.png
  12. On the Choose Access Control Policy page, select Permit Everyone and click Next.

    Active_Directory_Federation_Services__ADFS___SAML__IdP.png
  13. On the Ready to Add Trust page, verify that all settings are correct and click Next.

    Active_Directory_Federation_Services__ADFS___SAML__IdP.png
  14. On the Finish page, ensure that Configure claims issuance policy for this application is selected, and click Close.

    Active_Directory_Federation_Services__ADFS___SAML__IdP.png
  15. The Edit Claim Issuance Policy window will appear. Click Add Rule ... This will bring up the Add Transform Claim Rule Wizard.

    115002886654_mceclip27.png
  16. On the Select Rule Template page, select Transform an Incoming Claim from the Claim rule template dropdown. Click Next to continue.

    Active_Directory_Federation_Services__ADFS___SAML__IdP.png
  17. On the Configure Rule page, enter the following settings.

    • Claim rule name: Name ID

    • Incoming claim type: UPN

    • Outgoing claim type: Name ID

    • Outgoing name ID format: Unspecified

    115002886654_mceclip31.png

    Note : In HelloID, the Windows account name is stored in "Name ID" attribute. In order to make a claim work from AD FS, a transformation must be applied to the claim.

  18. Click Finish to add the rule.

  19. Click Add Rule... to add another rule.

  20. On the Select Rule Template page, select Send LDAP Attributes as Claims from the Claim rule template dropdown. Click Next to continue.

    Active_Directory_Federation_Services__ADFS___SAML__IdP.png
  21. On the Configure Rule page, enter the following settings:

    • Claim rule name: Additional Attributes

    • Attribute store: Active Directory

  22. Underneath Mapping of LDAP attributes to outgoing claim types, enter the following settings. Not all of these listed values are selectable, so you will need to enter them manually.

    LDAP Attribute

    Outgoing Claim Type

    Given-Name

    givenName

    Surname

    sn

    E-Mail-Addresses

    email

    objectSid

    objectSID

    User-Principal-Name

    userPrincipalName

    manager

    manager

    SAM-Account-Name

    sAMAccountName

  23. Click Finish to add the claim rule.

  24. Click OK to close the Edit Claim Issuance Policy window.

    Active_Directory_Federation_Services__ADFS___SAML__IdP.png
  25. Right click on the newly created Relying Party Trust and select Properties.

    Active_Directory_Federation_Services__ADFS___SAML__IdP.png
  26. Go to the Signature tab and click Add.

    Active_Directory_Federation_Services__ADFS___SAML__IdP.png
  27. In the file explorer that appears, find the certificate that you exported from HelloID. Select the certificate file and click Open.

    Active_Directory_Federation_Services__ADFS___SAML__IdP.png
  28. Click OK to close the window.

Test the Configuration

The configuration is now finished and may be tested on a computer that has access to both the AD FS as well as HelloID.

Launch a browser and navigate to your HelloID portal's login page. You should now see a new login option for the Active Directory Federation Services IdP, as shown below.

115002886654_mceclip12.png

Click on the Active Directory Federation Services login, and you will be redirected to the AD FS login page. Enter your domain credentials. There will be a brief redirect, and you will be routed to the HelloID user dashboard, logged in as the Windows user. The name of the user will be displayed in the upper-right corner of the HelloID Dashboard.

115002886654_mceclip13.png
Introduction

This article will walk you through configuring Azure AD as an OIDC identity provider (IdP) for HelloID.

Register HelloID with Azure AD
  1. Log in to your Azure portal at https://portal.azure.com/.

  2. Select the Azure Active Directory button.

  3. Select the App registrations link under the Manage menu.

  4. Select the New registration button.

  5. Enter HelloID for the Name.

  6. Select your desired option for Who can use this application or access this API.

  7. Enter the following URL into the Redirect URI field: https://customer.helloid.com/azureadoidcauthentication/consumeoidc. Replace customer.helloid.com with your HelloID portal base URL.

  8. Select the Register button to save and open the new app.

  9. Select the Authentication link under the Manage menu.

  10. Enter the following URL into the Logout URL field: https://customer.helloid.com/authentication/signoff. Replace customer.helloid.com with your HelloID portal base URL.

  11. Select the ID tokens option under the Implicit grant section.

  12. Select the Save button.

  13. Select the Certificates & secrets link under the Manage menu.

  14. Select the New client secret button. Enter an optional description and select your preferred expiration period.

  15. Select the Add button.

  16. The client secret appears under the Client secrets section. Copy its Value into a separate notepad app for later use. (Important, because you won't be able to view it again.)

  17. Select the API permissions link.

  18. Go to Add a permission > Microsoft Graph > Delegated permissions. Select the following permissions:

    1. AccessReview.Read.All

    2. Directory.AccessAsUser.All

    3. email

    4. openid

    5. profile

    6. User.Read

  19. Select the Add permissions button to confirm your changes.

  20. Select the Grant admin consent for Default Directory button to grant admin consent for all users.

  21. Select the Yes button to confirm.

Configure the Azure AD OIDC IdP in HelloID
  1. Go to Security > Authentication > Identity providers in your HelloID admin dashboard. Select the Create Provider button.

    mceclip4.png
  2. Select the Add button for Azure AD OpenID Connect.

    mceclip5.png
  3. Select the Configuration tab.

    mceclip6.png
  4. Enter the following information:

    1. Login URLIn your Azure portal, go to Azure Active Directory > App registrations > HelloID and select the Endpoints button. Copy the OAuth 2.0 authorization endpoint (v2) value and paste it into this field. Remove the trailing authorize on this URL.

    2. Logout URLEnter https://login.microsoftonline.com/common/oauth2/logout.

    3. Client IdentifierIn your Azure portal, go to Azure Active Directory > App registrations > HelloID . Copy the Application (client) ID value and paste it into this field.

    4. Client SecretPaste the client secret value you copied into a separate notepad application in step 15 of the previous section.

  5. The required scopes are already added as defaults under Additional Scopes. Add additional scopes if needed.

  6. Configure additional options as needed. View a complete reference of IdP options here.

  7. Select the Save button to confirm.

    mceclip0.png
  8. If integration with Azure Graph API is required, please follow these instructions in the section below, Retrieve the "on-behalf" token.

Modify default attribute mappings (if using Azure AD Connect)

You must modify the default Azure AD mapping set if:

  • You are already syncing an on-premises AD environment to HelloID, and;

  • You plan to use the Azure AD OIDC IdP as an alternate login method for these users, and;

  • Your Azure AD users are created from your on-premises AD environment via Azure AD Connect.

By default, Agent retrieves an on-premises AD user's objectSid value and writes it to the user.immutableId field in the synced HelloID user. It then uses this field its unique identifier. The Azure AD mapping set works similarly, using the Azure AD oid value (which was previously set by Azure AD Connect to a base64 transformation of the AD objectGUID).

This causes a conflict because the two systems each overwrite the HelloID user.immutableId field with different values, while also attempting to use user.immutableId as their unique identifier. This results in failure to correlate to the correct user accounts, and/or creation of duplicate accounts.

Resolve this by adjusting the mapping set as shown below. This solves the problem by using Azure AD's preferred_username (mapped to the HelloID user.userName field) as the Azure AD OIDC IdP's unique identifier. Your on-premises AD environment can then safely continue to use AD's objectSid mapped to the HelloID user.immutableId field as its unique identifier.

Both on-premises AD and Azure AD will now correlate to the correct HelloID user without any conflicts.

  1. In the Azure portal, click App Registrations.

  2. Go to the HelloID application.

  3. Click Token Configuration.

  4. Click Add Optional Claim.

  5. Select ID for the Token Type.

  6. Select the onprem_sid claim.

  7. Click Add.

  8. In HelloID, go to Directory > Mapping sets.

  9. Select the Edit link for the IdP Mapping for Azure AD OpenID Connect.

  10. Select the Change mappings link.

  11. Select the X button to remove the following mapping:

    User

    HelloID User

    {{user.oid}}

    user.immutableId

    mceclip0.png
  12. Select the Close button.

  13. Select the Set Identifier link.

  14. Set the unique identifier as follows:This configuration uses the UserPrincipalName from the Azure user to match to the Username of the HelloID user.

    OIDC Provided User

    HelloID User

    {{user.preferred_username}}

    Username

    Azure_AD_OIDC_mapping_set_for_Azure_AD_only_accounts.png
  15. Select the Close button.

  16. Select the Save button to confirm.

Retrieve the "on-behalf" token (optional)

You can store the on-behalf-of and on-behalf-of-refresh tokens from Azure AD inside HelloID user attributes. In this way, the tokens can be passed through to any SSO applications that users log into from HelloID. The applications can then use these tokens to directly access the Azure Graph API on behalf of the users, without requiring re-authentication.

As prerequisites, you must have already done the following:

  • Set up Azure AD as an OIDC IdP in HelloID, as per the above instructions

  • Added the target application(s) to which you want to pass the on-behalf-of tokens, to both HelloID (as SSO application(s)) and Azure AD (as registered apps)

It is recommended to use multiple browser tabs while following these instructions. You will be copying and pasting several values between Azure AD and HelloID.

  1. In HelloID, go to Security > Authentication > Identity providers.

  2. Select the Edit link for the Azure AD OIDC IdP.

    mceclip1.png
  3. Select the Configuration tab.

  4. Turn on the Retrieve 'On-behalf-of' token and store to user attributes toggle. This automatically adds and maps onbehalfoftoken and onbehalfofrefreshtoken attributes to all users who log in via the Azure AD IdP, without requiring you to manually add these attributes to the Azure OIDC IdP's mapping set. Leave this browser tab open, without selecting the Save button yet.

    mceclip1.png
  5. In a new browser tab, go to Azure Active Directory > App registrations in your Azure portal.

  6. Select the HelloID app that you registered earlier, in the section Register HelloID with Azure AD.

  7. Copy its Application (client) ID to a separate notepad app. You will need it shortly.

  8. In Azure AD, go back to App registrations.

  9. Select the target app which users will SSO into from HelloID (the app to which the on-behalf-of tokens will be passed).

  10. Select the Expose an API link.

  11. Select the Add a scope link.

  12. Accept the default Application ID URI. Select the Save & continue button.

  13. Enter your desired scopes.

  14. Select the Add scope button to confirm.

  15. Copy the api:// value which appears under the Scopes column in the Azure AD Expose an API screen. (For example: api://37c086f5-bdc7-4f88-955c-49cb7c3d711d/Files.Read)

  16. In HelloID, paste it into the On Behalf of Scopes field of the Configuration tab.

    mceclip2.png
  17. Select the Save button.

  18. In Azure AD, return to the Expose an API page for the target application.

  19. Select the Add a client application button.

  20. Paste the HelloID app's Application (client) ID value you copied in step 7 into the Client ID field.

  21. Under Authorized scopes, select the check box for the scope you created in step 13.

  22. Select the Add application button to confirm.

  23. Select the Certificates & secrets link.

  24. Select the New client secret link.

  25. Enter a Description and an expiration period.

  26. Select the Add button to confirm.

  27. Copy the client secret that appears under the Value column.

  28. In HelloID, paste it into the On Behalf of Client Secret field of the Configuration tab.

    mceclip3.png
  29. Select the Save button to confirm.

  30. Go to Directory > Mapping sets and select the Edit link for the target application which will require these tokens. For example:

    mceclip7.png
  31. Select the Change attributes link to add On behalf of and On behalf of Refresh attributes with onBehalfOf and onBehalfOfRefresh for the External Field values, respectively. Learn more about mapping sets here.

    mceclip8.png
    mceclip13.png
  32. Select the Close button when done.

  33. Select the Change mappings link to map the newly-created user attributes as follows:

    User Attribute

    HelloID Claim Set Variable

    {{user.attributes.onbehalfoftoken}}

    On behalf of

    {{user.attributes.onbehalfofrefreshtoken}}

    On behalf of Refresh

    mceclip14.png
  34. Select the Close button when done.

  35. Select the Save button to confirm.

The on-behalf-of and on-behalf-of-refresh tokens will now be passed through to the configured application when an end user selects it in the Applications tab of the HelloID end user dashboard. The application will have access to the Azure Graph API without any additional authentication by the user.

Authentication Method Reference (AMR) Claims

If you have MFA enabled on the Azure side, you can additionally enable AMR claims to override Application Access Rule two-factor MFA challenges for users' HelloID applications. In other words, when AMR claims are enabled, users will only have to pass a single MFA challenge when initially logging into Azure. They will not receive additional MFA challenges for each application they launch. This configuration takes place entirely in Azure. Once enabled, the flow is handled transparently in HelloID.

Note: SAML is not recommended

We strongly suggest using the Azure AD (OIDC) IdP when possible. With OAuth, users who authenticate using multi-factor authentication (MFA) in Azure AD will have their MFA session information sent back to HelloID. This eliminates additional, unnecessary MFA challenges. SAML does not support this functionality.

Introduction

This article will walk you through configuring Azure Active Directory (AD) to be your SAML Identity Provider within HelloID. This is useful if your organization uses Azure AD as a primary source of authentication to access online services. This will allow your organization's users to log into HelloID and other cloud applications with their Azure AD username and password.

Configure the Azure IdP
  1. On the HelloID Administrator Dashboard, navigate to Security > Authentication > Identity Providers and click Create Provider. This will bring up the Identity Provider Catalog.

    add_provider.png
  2. Find the SAML - Generic IDP and click the Add button next to it.

    115002873353_mceclip0.png
  3. Enter the name and select an Icon (optional). Make note of the Consumer URL so that you can provide it to Azure in later steps. Enable JIT (just-in-time provisioning) if you so desire. Click Save to add the IdP to HelloID. We will come back to it later. View a complete configuration reference here.

    115002873353_mceclip3.png
  4. Log on to https://manage.windowsazure.com. On the left-side menu bar, select Azure Active Directory.

    115002873353_mceclip2.png
  5. Select your desired domain and then click App registrations.

    115002873353_mceclip3.png
  6. Click New application registration.

    Azure_AD__SAML__IdP.png
  7. Specify the Name (HelloID), select Web app / API as Application type and specify the HelloID portal URL as Sign-on URL. Click Create when finished.

    115002873353_mceclip5.png
  8. Once the application registration has been created, click Settings.

    Azure_AD__SAML__IdP.png
  9. Select the Reply URLs section.

    Azure_AD__SAML__IdP.png
  10. Delete the default reply URL.

    Azure_AD__SAML__IdP.png
  11. Add a new reply URL by pasting in the Consumer URL that you previously noted from HelloID. Click Save when you are finished.

    Azure_AD__SAML__IdP.png
  12. Select the Properties section.

    Azure_AD__SAML__IdP.png
  13. Change the App ID URI to the URL of your HelloID portal. Click Save when finished.

    Azure_AD__SAML__IdP.png
  14. Select the Required permissions section.

    Azure_AD__SAML__IdP.png
  15. Click on Windows Azure Active Directory. Enable the following permissions, then click Save. Note that these permissions require you to grant end users permission to use this new application--we will take care of that later.

    • Sign in and read user profile

    • Read all users’ basic profiles

    • Read all users’ full profiles

    • Read all groups

      Azure_AD__SAML__IdP.png
  16. Go back to Azure Active Directory in the main portal screen, then go to App registrations and click on Endpoints.

    Azure_AD__SAML__IdP.png
  17. Copy the Federation Metadata Document URL into a new browser window. A page of XML will appear.

    Azure_AD__SAML__IdP.png
  18. Highlight and copy the data within the X509Certificate tag.

    Azure_AD__SAML__IdP.png
  19. Go to the HelloID Administrator Dashboard and navigate to Settings > Certificates. Once there, click Import Certificate.

    Azure_AD__SAML__IdP.png
  20. Paste the X509 into the Certificate area. Add -----BEGIN CERTIFICATE----- to the beginning of the key and -----END CERTIFICATE----- to the end of the key. Click Save to continue.

    Azure_AD__SAML__IdP.png
  21. Navigate to Security > Authentication > Identity providers and edit the Azure Identity Provider that you created earlier. Click on its Configuration tab and fill out the following fields. You may configure other optional settings as desired.

    • Login URL: Paste the SAML-P sign-on endpoint from Azure.

    • Binding: Change this to HTTP-POST

    • Request Certificate: Select the certificate that you imported earlier.

    • Logout URL: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0

      115002873353_mceclip0.png
  22. Click Save to finish the configuration.

Add attribute mappings

By default, the attribute mapping for HelloID is set to only map the nameID attribute. However, since we are connecting to Azure AD, we want to map more attributes, such as first name, last name and user principal name (this is also the user's email address).

  1. Navigate to Security > Authentication > Identity Providers. Edit the the Azure AD IDP and click on Configure Mapping Set. When prompted, click Proceed.

    Azure_AD__SAML__IdP.png
  2. Click Change attributes.

    Azure_AD__SAML__IdP.png
  3. Add the following attributes and click Close when you are finished.

    Display name

    Variable name

    Source field

    Object Identifier

    objectIdentifier

    Attributes.http://schemas.microsoft.com/identity/claims/objectidentifier

    UserPrincipalName

    userPrincipalName

    Attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

    First name

    firstName

    Attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

    Last name

    lastName

    Attributes.http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

    Display name

    displayName

    Attributes.http://schemas.microsoft.com/identity/claims/displayname

    Azure_AD__SAML__IdP.png
  4. Click Change mappings.

    Azure_AD__SAML__IdP.png
How are your Azure AD users created?

The mappings and identifier that are set from this point forward depend on how users accounts are created in your Azure AD environment. Please choose from the following selections:

  • Users are created by Azure AD Connect

  • Users are created manually or by HelloID

Users are created by Azure AD Connect
  1. Add the following mappings and click Close when you are finished.

    User

    HelloID user

    {{user.userPrincipalName}}

    user.userName

    {{user.firstName}}

    user.firstName

    {{user.lastName}}

    user.lastName

    {{user.userPrincipalName}}

    user.contactEmail

    Azure_AD__SAML__IdP.png
  2. Click Set Identifier.

    Azure_AD__SAML__IdP.png
  3. Modify the identifier as necessary to match the configuration shown below, and click Close.

    SAML Provided Data

    HelloID User

    {{user.userPrincipalName}}

    Username

    115002873353_mceclip1.png
  4. Click the Save button to finish. The setup is complete.

Users are created manually or by HelloID
  1. Add the following mappings and click Close when you are finished.

    User

    HelloID user

    {{user.userPrincipalName}}

    user.userName

    {{user.firstName}}

    user.firstName

    {{user.lastName}}

    user.lastName

    {{user.userPrincipalName}}

    user.contactEmail

    {{user.objectIdentifier}}

    user.immutableId

    Azure_AD__SAML__IdP.png
  2. Click Set Identifier.

    Azure_AD__SAML__IdP.png
  3. Modify the identifier as necessary to match the configuration shown below, and click Close.

    SAML Provided Data

    HelloID User

    {{user.objectIdentifier}}

    Immutable ID

    Azure_AD__SAML__IdP.png
  4. Click the Save button to finish.

This article will walk you through configuring Google Workspace to be your SAML Identity Provider within HelloID. This is useful if your organization uses Google Workspace as a primary source of authentication to access online services. This will allow your organization's users to log into HelloID and other cloud applications with their Google username and password.

Configure the Google IdP
  1. Log in to your Google Workspace admin console and select Apps.

    2022-09-09_10-03-46.jpg
  2. Select Web and mobile apps

    2022-09-09_10-04-28.jpg
  3. Go to Add app > Add custom SAML app

    2022-09-09_10-05-25.jpg
  4. Enter an App Name (e.g., HelloID) and click Continue.

    2022-09-09_10-06-37.jpg
  5. A screen will appear with the Google IdP information which is needed to set up the provider in HelloID. Minimize this browser tab.

    2022-09-09_10-47-02.jpg
  6. In the HelloID Administrator Dashboard, create a new certificate for the connection with Google Workspace.

    2022-09-09_10-15-50.jpg
  7. Go to Security > Authentication > Identity Providers and click Create Provider. This will bring up the Identity Provider Catalog.

  8. Find the SAML - Generic IdP and click the Add button next to it.

    2022-09-09_10-18-19.jpg
  9. Enter a Name. Turn on the Enable JIT toggle (just-in-time provisioning) if you would like new HelloID accounts to be automatically created the first time users log in via Google Workspace. When JIT is on, you do not need to manually create HelloID accounts in advance. Click on the Configuration tab.

    2022-09-09_10-20-18.jpg
  10. Enter the following values. All other fields may remain at their default value. View a complete configuration reference here.

    • Login URL: Copy SSO URL from the Google IdP configuration, which you minimized in step 5.

    • Request Certificate: Select the certificate that you created in step 6.

    • Logout URL: https://accounts.google.com/logout

      2022-09-09_10-44-41.jpg
  11. Click Save to save the IdP configuration in HelloID. You may configure other optional settings on the Configuration tab as desired.

  12. Back in the browser tab with the Google SAML App, click Continue.

  13. Enter the following values in the Service Provider Details screen.

    • ACS URL: the Consumer URL value from your newly-configured IdP object in HelloID

    • Entity ID: the Issuer value from your newly-configured IdP object in HelloID

    • Signed Response: Enable

    • Name ID Format: Email

    • Name ID: Basic Information > Primary email

      2022-09-09_10-26-41.jpg
  14. Click Continue.

  15. Click Add Mapping.

  16. Add the following mappings and click Finish.

    1. Basic Information > Primary email -> Email

    2. Basic Information > First name -> Firstname

    3. Basic information > Last name -> Lastname

      2022-09-09_10-33-13.jpg
  17. The SAML application for HelloID has been configured. Click Finish to continue.

  18. Expand the User Access pane.

    Google_Workspace_SAML_IdP.png
  19. Select On for everyone and click Save.

    2022-09-09_10-37-57.jpg
  20. The configuration is finished. It can now be tested. Go to your HelloID portal and log in with the Google Workspace IdP. The login will be routed to Google.

    2022-09-09_10-53-21.jpg
    2022-09-09_10-53-59.jpg
  21. Once authenticated through Google, the user will be logged into HelloID with their Google account.

    mceclip0.png
  22. As a final step, you may want to edit HelloID's user attribute mapping configuration. See Mapping - Overview and Edit a mapping set.

This guide describes the whole process of configuring Salesforce and HelloID. If the domain has already been added to Salesforce you can skip ahead to step 13.

1. Go to Salesforce as the system admin and press Setup in the top right corner

115002885674_1.png

2. Enter Identity in the search window and select the Identity Provider in the results

115002885674_2.png

3. Press Configure a Domain Name

115002885674_3.png

4. Enter the domain name and press Register domain

115002885674_4.png

5. The registration will take some time, wait until this has finished

115002885674_5.png

6. Press Login

115002885674_6.png

7. Deploy the new domain to the users

115002885674_7.png

8. Press OK to proceed deployment of the new domain

115002885674_8.png

If you have already enabled Salesforce as an identity provider, the steps 9 until 11 can be skipped

9. Go to Identity > Identity Provider and enable Salesforce as an identity provider

115002885674_9.png

10. Choose the default certificate and press Save

115002885674_1.png

11. Press OK to proceed enabling Salesforce as an identity provider

115002885674_1.png

12. Go to Identity > Identity Provider and download the Metadata

115002885674_1.png

13. Go to the HelloID portal, log on as an Administrator and go to the management portal. Go to Settings> Certificates and press Create Self-Signed Certificate to create or Import Certificate to import a Certificate. In this guide we will create a Certificate

115002885674_1.png

14. Enter the fields for the new certificate and press Save to continue. See document “How to use certificates” for more information about creating and using certificates.

115002885674_1.png

15. Go to Security > Authentication > Identity Providers and press Create Provider

115002885674_1.png

16. The Identity Provider Catalog will open, Add the Salesforce SAML Identity Provider

115002885674_1.png

17. Enable JIT . View a complete configuration reference here.

18. Press Configuration

115002885674_1.png

18. Open the Metadata file (downloaded at step 12)

115002885674_1.png

Enter the following required settings and press Save. You may configure other optional settings as desired.

  • Issuer: This will be set in by the template, check if it has a / at the end (<Portal URL>/)

  • Login URL: HTTP-Redirect URL from the Metadata

  • Binding: This will be set in by the template to Redirect

  • Request Certificate: select the created Salesforce certificate (see step 14 )

  • Logout URL: <Salesforce URL>/secur/logout.jsp

115002885674_1.png

19. Now switch back to Salesforce and press Service Providers are now created via Connected Apps. Click here

115002885674_1.png

20. Enter the following fields and press Save

  • Connected App Name: Use a recognizable name for the App

  • Api Name: Same as “Connected App Name”

  • Contact Email: Enter a contact Email for the App

  • Enable SAML: Enable this option

  • Entity URL: URL of the HelloID portal (There needs to be a / at the end of the URL)

  • ACS URL: Enter the Consumer ID, from Identity Provider - Portal Information (see step 17 )

115002885674_2.png

21. Press Manage

115002885674_2.png

22. Scroll down a bit and press Manage Profiles under Profiles to add profiles to the HelloID app

115002885674_2.png

23. Select the profile which you want to grant access to be able to login to HelloID and press Save

115002885674_2.png

24. The configuration has finished and can be tested by entering the portal URL. Instead of the showing the HelloID login you will be redirected to the Salesforce login page.

115002885674_2.png

25. All users in the application profiles (configured at step 23) will be able to login.

This article will help you configure VMWare Workspace ONE as your HelloID SAML Identity Provider. This is useful if your organization uses VMWare Workspace ONE as a primary method of authenticating access to online services.

Get the VMWare Workspace ONE Metadata
  1. Log in to your VMWare Workspace ONE admin console and select Catalog > Web Apps.

    mceclip2.png
  2. Select Settings and go to SaaS Apps > SAML Metadata.

  3. Select the Copy URL link for the Identity Provider (IdP) metadata. The URL resembles https://{customer}.vmwareidentity.co.uk/SAAS/API/1.0/GET/metadata/idp.xml.

    mceclip3.png
  4. Open the URL in your browser, and copy the certificate string inside the <ds:X509Certificate> element. Leave this tab open in your browser, as you will return to it later.

    mceclip4.png
Configure the HelloID Identity Provider
  1. Sign in into the HelloID Administrator Dashboard.

  2. Import a new certificate for the connection with VMWare Workspace ONE. Use the previously copied string. Learn how to import a certificate.

  3. Go to Security > Authentication > Identity Providers and select the Create Provider button.

    mceclip15.png
  4. Find the SAML - Generic IdP and select the Add button.

    mceclip16.png
  5. Enter a Name and turn on the Use Response Certificate toggle. Copy the Consumer URL to a notepad app on your computer, as you will need it shortly. View a complete configuration reference here.

    mceclip17.png
  6. Select the Configuration tab. Enter the following required information. You may configure other optional settings as desired.

    • Login URL: Enter the SingleSignOnService URL from the metadata file you left open in your browser. This URL is found in the line with the HTTP-POST binding. For example: <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://{customer}.vmwareidentity.co.uk/SAAS/auth/federation/sso"/>

    • Binding: Set to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

    • Request Certificate: Select the certificate you previously created.

    • Response Certificate: Select the certificate you previously created.

      mceclip18.png
  7. Select the Save button to confirm the IdP configuration.

Configure the VMWare Workspace ONE SaaS App
  1. In the VMWare Workspace ONE console, select the New button to create a new SaaS application.

  2. Enter a name for the new SaaS app and select the Next button.

    mceclip8.png
  3. Enter the following information:

    • Authentication TypeSAML 2.0

    • ConfigurationManual

    • Single Sign-On URLThe Consumer URL you previously copied.

    • Recipient URLThe Consumer URL you previously copied.

    • Application IDThe last part of the Consumer URL, after the final /.

    • Signed ResponseEnable

    • Name ID FormatEmail

      mceclip9.png
  4. Scroll down and select the Advanced Properties link.

    mceclip7.png
  5. Enter the following information:

    • Signature AlgorithmSHA256 with RSA

    • Digest AlgorithmSHA256

    • Assertion Time200

    • Request SignaturePaste the same certificate string you previously used to create the certificate.

      mceclip11.png
  6. Select the Next button.

  7. Select your preferred Access Policy. Select the Next button.

    mceclip12.png
  8. In the configuration overview, select the Save (or Save & Assign) button.

    mceclip13.png
  9. Users can now log in to HelloID via the new SAML connection, after being authenticated in VMWare Workspace ONE.

    mceclip14.png

To get started:

  1. Add your own unlisted proprietary/generic SAML IdP by going to Security > Identity Providers > Create Provider > SAML - Generic.

    2022-12-09_15-33-53.jpg
  2. Refer to the IdP settings reference to help you configure a generic SAML IdP.

The QR code IdP is deprecated. Instead, see Enable QR code login.

To be written.

  1. Go to Security > Authentication > Identity Providers.

  2. For the relevant IdP, click Edit.

  3. Continue by following the relevant tutorial in Add an IdP.

  1. Go to Security > Authentication > Identity Providers.

  2. For the relevant IdP, click Delete.

  3. To confirm, click Delete.