Get a Quote

Articles in this section

See more

How to create and manage Identity Providers

  • Updated:

Introduction

This article documents the settings available when creating or editing an Identity Provider (IdP).

Create a new IdP

To create a new IdP, view the IdP getting started guide and detailed setup guides for specific IdPs. The Edit an existing IdP section, below, provides a detailed reference of the settings available during this process.

Edit an existing IdP

To configure an existing IdP, go to Security > Authentication > Identity providers. Select the relevant Edit link.

mceclip1.png

Portal Information tab

You're taken to the Portal Information tab. This is where you configure the IdP.

mceclip0.png

If you're creating a new IdP, you're taken to this page immediately after selecting the type of IdP that you want to add.

The settings shown on the Portal Information tab depend on the type of IdP. Below is a list of all possible settings. You will only see the ones which are relevant to the type of IdP you're configuring.

  • Enabled
    Enables or disables this IdP. Disabled IdPs are not available for authentication, and do not show on the login page.
  • Display on login page
    Controls whether or not this IdP is shown as a login option on the login page.
  • Enable JIT
    When this is enabled (recommended), new users logging into HelloID through this IdP will have a user created in HelloID if one does not already exist.
  • Use SSRPM
    Enable if your organization is using SSRPM for Active Directory self-service password resets. When enabled, and a SSRPM URL is specified, users are redirected to your organization's SSRPM portal when they click the 'Forgot your password?' link on the HelloID login page.
  • SSRPM URL
    The URL of your organization's user-facing SSRPM portal. (only shown if Use SSRPM is enabled).
  • Require SAML response signature
    Requires the response from the IdP to be signed with the designated certificate.
  • Verify SAML issue time
    Verifies that the SAML assertion was issued within an acceptable time period.
  • Verify SAML request ID
    Validates that the Auth ID sent from HelloID is correctly sent back in the SAML response.
  • Use response certificate
    Enable if you plan to use a different certificate to sign the IdP response. (optional, advanced use only)
  • Use response decryption certificate
    Enable if you plan to use a different certificate to decrypt the IdP response. (optional, advanced use only)
  • Enable Text on Login Page
    Enable to show a custom message to the user on the login page. This option is only available for Local and Agent IdP types.
    mceclip2.png
    • Custom Text
      The message to show on the login page. Only visible if the Enable Text on Login Page toggle is turned on.
  • Directory Configuration
    The directory configuration to use for the IdP (only for Active Directory IdPs).
  • Mapping Set
    The mapping set to use for the IdP.
  • Change Icon
    Upload a new icon for the IdP.
  • Consumer URL
    The URL to which SAML assertions will be sent by the IdP.

Configuration tab

IdPs which don't use the HelloID Agent also have a Configuration tab with additional settings, for managing the trust with HelloID.

mceclip3.png

Available settings include:

  • Issuer
    The base URL of your HelloID instance (e.g., https://company.helloid.com)
  • Login URL
    The URL to which all authentication requests are sent. This is provided by your Identity Provider.
  • Use IDP-Initiated Strategy
    Turn on if the IdP only allows starting the login flow from its own side.
  • Custom IdP-Initiation URL
    Only shown if Use IDP-Initiated Strategy is turned on. Enter the URL of the IdP's login screen. Users will be redirected to it when trying to log into HelloID.
  • Binding
    A "binding" is how a SAML requester and responder communicate. Two kinds of bindings are support: Redirect and POST. Your chosen IdP will most likely define which binding they support.

    The default setting, Redirect, sends SAML protocol messages as URL query parameters. POST, on the other hand, sends SAML protocol messages as base64-encoded content through an HTTP-POST message.
  • Request Certificate
    The certificate that HelloID will use to encrypt the authentication request.
  • Response Certificate
    The certificate that the IdP will use to encrypt the response (optional, advanced use only).
  • Response Decryption Certificate
    The certificate that you wish to use to decrypt the response (optional, advanced use only).
  • Logout URL
    The URL to which users from this IdP will be routed when they log out of HelloID. Leave this blank to route them to the HelloID login page.

Client Restrictions tab

Learn about client restrictions here.