Pricing

Articles in this section

See more

Create or manage an identity provider

  • Updated:

Introduction

This article documents the settings available when creating or editing an Identity Provider (IdP).

Create or edit an IdP

To create a new IdP, go to Security > Authentication > Identity providers and select the Create Provider button. See more information in the IdP getting started guide and detailed setup guides for specific IdPs.

mceclip0.png

To configure an existing IdP, select the relevant Edit link.

mceclip1.png

Portal Information tab

After creating a new IdP, or editing an existing one, you're taken to the Portal Information tab. This is where you configure the IdP.

mceclip0.png

The settings shown on the Portal Information tab depend on the IdP's type. Below is a list of all possible settings. You will only see the ones which apply to the IdP you're configuring.

  • Enabled
    Enables or disables this IdP. Disabled IdPs are not available for authentication, and do not show on the login page. (The Local IdP can never be disabled, to prevent you from being locked out of your HelloID environment.)
  • Display on login page
    Controls whether or not this IdP is shown as a login option on the login page.
  • Enable JIT
    When this is enabled (recommended), new users logging into HelloID through this IdP will have a user created in HelloID if one does not already exist.
  • Use SSRPM
    Enable if your organization is using SSRPM for Active Directory self-service password resets. When enabled, and a SSRPM URL is specified, users are redirected to your organization's SSRPM portal when they click the 'Forgot your password?' link on the HelloID login page.
  • SSRPM URL
    The URL of your organization's user-facing SSRPM portal. (only shown if Use SSRPM is enabled).
  • Require SAML response signature
    Requires the response from the IdP to be signed with the designated certificate.
  • Verify SAML issue time
    Verifies that the SAML assertion was issued within an acceptable time period.
  • Verify SAML request ID
    Validates that the Auth ID sent from HelloID is correctly sent back in the SAML response.
  • Use response certificate
    Enable if you plan to use a different certificate to sign the IdP response. (optional, advanced use only)
  • Use response decryption certificate
    Enable if you plan to use a different certificate to decrypt the IdP response. (optional, advanced use only)
  • Enable Text on Login Page
    Enable to show a custom message to the user on the login page. Only available for Local and Agent IdP types.
    mceclip1.png
    • Custom Text
      The message to show on the login page. Only available if the Enable Text on Login Page toggle is turned on. Supports Markdown syntax, including links.
  • Directory Configuration
    The directory configuration to use for the IdP (only for Active Directory IdPs).
  • Mapping Set
    The mapping set to use for the IdP.
  • Change Icon
    Upload a new icon for the IdP.
  • Consumer URL
    The URL to which SAML assertions will be sent by the IdP.

Configuration tab

IdPs which don't use the HelloID Agent also have a Configuration tab with additional settings, for managing the trust with HelloID.

mceclip3.png

Available settings include:

  • Issuer
    The base URL of your HelloID instance (e.g., https://company.helloid.com)
  • Login URL
    The URL to which all authentication requests are sent. This is provided by your Identity Provider.
  • Use IDP-Initiated Strategy
    Turn on if the IdP only allows starting the login flow from its own side.
  • Custom IdP-Initiation URL
    Only shown if Use IDP-Initiated Strategy is turned on. Enter the URL of the IdP's login screen. Users will be redirected to it when trying to log into HelloID.
  • Binding
    A "binding" is how a SAML requester and responder communicate. Two kinds of bindings are support: Redirect and POST. Your chosen IdP will most likely define which binding they support.

    The default setting, Redirect, sends SAML protocol messages as URL query parameters. POST, on the other hand, sends SAML protocol messages as base64-encoded content through an HTTP-POST message.
  • Request Certificate
    The certificate that HelloID will use to encrypt the authentication request.
  • Response Certificate
    The certificate that the IdP will use to encrypt the response (optional, advanced use only).
  • Response Decryption Certificate
    The certificate that you wish to use to decrypt the response (optional, advanced use only).
  • Logout URL
    The URL to which users from this IdP will be routed when they log out of HelloID. Leave this blank to route them to the HelloID login page.

Client Restrictions tab

Learn about client restrictions here.

Was this article helpful?
0 out of 0 found this helpful
Please visit our website for more information about HelloID (identity as a service).
Return to top