This article documents the settings available when creating or editing an Identity Provider (IdP).
Create a new IdP
To create a new IdP, view the IdP getting started guide and detailed setup guides for specific IdPs. The Edit an existing IdP section, below, provides a detailed reference of the settings available during this process.
Edit an existing IdP
To configure an existing IdP, go to Security > Authentication > Identity providers. Select the relevant Edit link.
Portal Information tab
You're taken to the Portal Information tab. This is where you configure the IdP.
If you're creating a new IdP, you're taken to this page immediately after selecting the type of IdP that you want to add.
The settings shown on the Portal Information tab depend on the type of IdP. Below is a list of all possible settings. You will only see the ones which are relevant to the type of IdP you're configuring.
Enables or disables this IdP. Disabled IdPs are not available for authentication, and do not show on the login page.
- Display on login page
Controls whether or not this IdP is shown as a login option on the login page.
- Enable JIT
When this is enabled (recommended), new users logging into HelloID through this IdP will have a user created in HelloID if one does not already exist.
- Use SSRPM
Enable if your organization is using SSRPM for Active Directory self-service password resets. When enabled, and an SSRPM URL is specified, users are redirected to your organization's SSRPM portal when they click the 'Forgot your password?' link on the HelloID login page.
- SSRPM URL
The URL of your organization's user-facing SSRPM portal (only shown if Use SSRPM is enabled).
- Require SAML response signature
Requires the response from the IdP to be signed with the designated certificate.
- Verify SAML issue time
Verifies that the SAML assertion was issued within an acceptable time period.
- Verify SAML request ID
Validates that the Auth ID sent from HelloID is correctly sent back in the SAML response.
- Use response certificate
Enable if you plan to use a different certificate to sign the IdP response. (optional, advanced use only)
- Use response decryption certificate
Enable if you plan to use a different certificate to decrypt the IdP response. (optional, advanced use only)
- Enable Text on Login Page
Enable to show a custom message to the user on the login page. This option is only available for Local and Agent IdP types.
- Custom Text
The message to show on the login page. Only visible if the Enable Text on Login Page toggle is turned on.
- Directory Configuration
The directory configuration to use for the IdP (only for Active Directory IdPs).
- Mapping Set
The mapping set to use for the IdP.
- Change Icon
Upload a new icon for the IdP.
- Consumer URL
The URL to which SAML assertions will be sent by the IdP.
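The following is an added example, not HelloID code: a sketch of what the Verify SAML request ID and Verify SAML issue time checks amount to when a base64-encoded SAML response arrives at a consumer URL. The five-minute window, the 60-second clock tolerance, the function names and the sample response are assumptions made for illustration, and signature verification is not shown.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
MAX_AGE = timedelta(minutes=5)      # assumed acceptance window
CLOCK_SKEW = timedelta(seconds=60)  # assumed tolerance for clock drift


def parse_instant(value):
    """Parse an xs:dateTime such as 2024-05-01T12:00:00Z; None if absent or malformed."""
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (AttributeError, ValueError):
        return None
    return parsed if parsed.tzinfo else None


def check_response(saml_response_b64, expected_request_id, now):
    """Return the sorted names of failed checks; an empty list means both passed."""
    # Constructed sample input only: use a hardened SAML library for untrusted XML.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    failures = set()
    # Request ID: the response must answer the request this login session sent.
    if root.get("InResponseTo") != expected_request_id:
        failures.add("request_id_mismatch")
    # Issue time: reject a response or assertion that is stale or future-dated.
    for elem in [root] + root.findall(f"{{{SAML}}}Assertion"):
        issued = parse_instant(elem.get("IssueInstant"))
        if issued is None:
            failures.add("bad_issue_instant")
        elif issued > now + CLOCK_SKEW:
            failures.add("issued_in_future")
        elif now - issued > MAX_AGE + CLOCK_SKEW:
            failures.add("issued_too_long_ago")
    return sorted(failures)


def build_sample(request_id, issue_instant):
    """Build a constructed, unsigned SAML response for the demonstration."""
    xml = (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_r1" Version="2.0" IssueInstant="{issue_instant}" '
        f'InResponseTo="{request_id}">'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{issue_instant}"/>'
        f'</samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()
```

With both checks turned off, a captured response replayed later or into a different login session would pass this stage unchanged.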
IdPs which don't use the HelloID Agent also have a Configuration tab with additional settings, for managing the trust with HelloID.
Available settings include:
The base URL of your HelloID instance (e.g., https://company.helloid.com)
- Login URL
The URL to which all authentication requests are sent. This is provided by your Identity Provider.
- Use IDP-Initiated Strategy
Turn on if the IdP only allows starting the login flow from its own side.
- Custom IdP-Initiation URL
Only shown if Use IDP-Initiated Strategy is turned on. Enter the URL of the IdP's login screen. Users will be redirected to it when trying to log into HelloID.
A "binding" is how a SAML requester and responder communicate. Two kinds of bindings are supported: Redirect and POST. Your chosen IdP will most likely define which binding it supports.
The default setting, Redirect, sends SAML protocol messages as URL query parameters. POST, on the other hand, sends SAML protocol messages as base64-encoded content through an HTTP-POST message.
- Request Certificate
The certificate that HelloID will use to encrypt the authentication request.
- Response Certificate
The certificate that the IdP will use to encrypt the response (optional, advanced use only).
- Response Decryption Certificate
The certificate that you wish to use to decrypt the response (optional, advanced use only).
- Logout URL
The URL to which users from this IdP will be routed when they log out of HelloID. Leave this blank to route them to the HelloID login page.