This article documents the settings available when creating or editing an Identity Provider (IdP).
Create or edit an IdP
To create a new IdP, go to Security > Authentication > Identity providers and select the Create Provider button. See more information in the IdP getting started guide and detailed setup guides for specific IdPs.
To configure an existing IdP, select the relevant Edit link.
Portal Information tab
After creating a new IdP, or editing an existing one, you're taken to the Portal Information tab. This is where you configure the IdP.
The settings shown on the Portal Information tab depend on the IdP's type. Below is a list of all possible settings. You will only see the ones which apply to the IdP you're configuring.
Enables or disables this IdP. Disabled IdPs are not available for authentication, and do not show on the login page. (The Local IdP can never be disabled, to prevent you from being locked out of your HelloID environment.)
- Display on login page
Controls whether or not this IdP is shown as a login option on the login page.
- Enable JIT
When this is enabled (recommended), new users logging into HelloID through this IdP will have a user created in HelloID if one does not already exist.
- Use SSRPM
Enable if your organization is using SSRPM for Active Directory self-service password resets. When enabled, and an SSRPM URL is specified, users are redirected to your organization's SSRPM portal when they click the 'Forgot your password?' link on the HelloID login page.
- SSRPM URL
The URL of your organization's user-facing SSRPM portal (only shown if Use SSRPM is enabled).
- Require SAML response signature
Requires the response from the IdP to be signed with the designated certificate.
- Verify SAML issue time
Verifies that the SAML assertion was issued within an acceptable time period.
- Verify SAML request ID
Validates that the Auth ID sent from HelloID is correctly sent back in the SAML response.
- Use response certificate
Enable if you plan to use a different certificate to sign the IdP response. (optional, advanced use only)
- Use response decryption certificate
Enable if you plan to use a different certificate to decrypt the IdP response. (optional, advanced use only)
- Enable Text on Login Page
Enable to show a custom message to the user on the login page. Only available for Local and Agent IdP types.
- Custom Text
The message to show on the login page. Only available if the Enable Text on Login Page toggle is turned on. Supports Markdown syntax, including links.
- Directory Configuration
The directory configuration to use for the IdP (only for Active Directory IdPs).
- Mapping Set
The mapping set to use for the IdP.
- Change Icon
Upload a new icon for the IdP.
- Consumer URL
The URL to which SAML assertions will be sent by the IdP.
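The three SAML verification toggles above (Require SAML response signature, Verify SAML issue time, Verify SAML request ID) correspond to checks a service provider runs on every incoming response. The following is an added illustration, not HelloID's own code: the response XML, request ID and clock values are constructed, and the signature check only confirms a signature element is present, since cryptographic verification against the configured certificate needs an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample response, not captured from a real IdP.
SIGNATURE = "<ds:Signature><ds:SignatureValue>c2FtcGxl</ds:SignatureValue></ds:Signature>"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_resp1" InResponseTo="_req123"
    IssueInstant="2024-01-01T12:00:00Z">{SIGNATURE}
  <saml:Assertion ID="_a1" IssueInstant="2024-01-01T12:00:00Z"/>
</samlp:Response>"""


def check_saml_response(xml_text, expected_request_id, now, max_skew=timedelta(minutes=5)):
    """Return the list of failed checks; an empty list means the response passes.

    Each check mirrors one Portal Information toggle. The signature check only
    confirms a ds:Signature exists on the Response or Assertion; validating it
    against the configured certificate is left to an XML-DSig library.
    """
    failures = []
    root = ET.fromstring(xml_text)
    # Require SAML response signature
    if root.find("ds:Signature", NS) is None and root.find("saml:Assertion/ds:Signature", NS) is None:
        failures.append("response is not signed")
    # Verify SAML request ID: InResponseTo must echo the ID the SP sent
    if root.get("InResponseTo") != expected_request_id:
        failures.append("InResponseTo does not match the request ID")
    # Verify SAML issue time: reject responses issued outside the skew window
    issued = datetime.fromisoformat(root.get("IssueInstant").replace("Z", "+00:00"))
    if abs(now - issued) > max_skew:
        failures.append("IssueInstant outside acceptable window")
    return failures


def run_checks():
    """Run the validator against the sample response and three tampered variants."""
    now = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
    return {
        "valid": check_saml_response(SAMPLE_RESPONSE, "_req123", now),
        "wrong_request_id": check_saml_response(SAMPLE_RESPONSE, "_req999", now),
        "stale": check_saml_response(SAMPLE_RESPONSE, "_req123", now + timedelta(hours=1)),
        "unsigned": check_saml_response(SAMPLE_RESPONSE.replace(SIGNATURE, ""), "_req123", now),
    }
```

Each variant fails exactly the check whose toggle would have caught it, which is why all three are normally left enabled.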
IdPs which don't use the HelloID Agent also have a Configuration tab with additional settings, for managing the trust with HelloID.
Available settings include:
The base URL of your HelloID instance (e.g., https://company.helloid.com)
- Login URL
The URL to which all authentication requests are sent. This is provided by your Identity Provider.
- Use IDP-Initiated Strategy
Turn on if the IdP only allows starting the login flow from its own side.
- Custom IdP-Initiation URL
Only shown if Use IDP-Initiated Strategy is turned on. Enter the URL of the IdP's login screen. Users will be redirected to it when trying to log into HelloID.
A "binding" is how a SAML requester and responder communicate. Two kinds of bindings are supported: Redirect and POST. Your chosen IdP will most likely define which binding it supports.
The default setting, Redirect, sends SAML protocol messages as URL query parameters. POST, on the other hand, sends SAML protocol messages as base64-encoded content through an HTTP-POST message.
- Request Certificate
The certificate that HelloID will use to encrypt the authentication request.
- Response Certificate
The certificate that the IdP will use to encrypt the response (optional, advanced use only).
- Response Decryption Certificate
The certificate that you wish to use to decrypt the response (optional, advanced use only).
- Logout URL
The URL to which users from this IdP will be routed when they log out of HelloID. Leave this blank to route them to the HelloID login page.