Install the ADB Gatekeeper and Gateway. For more information, see Section 2.0, Installing AD Bridge.
Create the Application for AD Bridge in the identity provider’s console.
If the identity provider requires it, assign or grant users and groups permission to use the application.
Configure the authentication settings in the identity provider application.
If the identity provider allows for importing SAML metadata, import the AD Bridge SAML metadata into the identity provider Application or Integration.
The AD Bridge SAML metadata is available at (https://<gatekeeper>/Portal/SSO/GetSPMetadata) or by clicking the Get SAML Metadata link in the SSO page of the AD Bridge Owner Portal (https://<gatekeeper>/Portal/Account).
If the identity provider does not provide an option to import a metadata XML file, use the following values:
Entity ID: https://<gatekeeper>
Single Signon (SSO) URL: (https://<gatekeeper>/Portal/SSO/SamlACS)
Name ID Format: EmailAddress (recommended)
Single Logout (SLO) URL: (https://<gatekeeper>/Portal/SSO/SLO)
Choose a provider name for the SAML connection. Provider name is used when configuring the SAML connection in AD Bridge. The connection name should consist of only alphanumeric characters. Set the SAML Relay State parameter to the provider name.
Download the federation metadata from the identity provider. You will need this metadata to configure AD Bridge in the next step.
Set the Redirect URI to: (https://<gatekeeper>/Portal/SSO/OIDC)
Set the logout URI to: (https://<gatekeeper>/Portal/SSO/Logout)
Make a note of the Client ID ‘OpenID Connect metadata document URL’
Set claim type to token.
Sign in to the Owner portal (https://<gatekeeper>/Portal/Account) using the Owner account created during the Gatekeeper installation.
Click the SSO button.
Click the Add SAML Provider button.
Specify the provider name (the same name used in the Relay State)
Set the Tenancy ID to 1.
IsDefault:Use this provider as the default identity provider. If IsDefault is checked, the ADB web console will use this provider for logins. If IsDefault is not checked, to log in to the ADB web console using this provider, you will need to use this URL: https://<gatekeeper>/Portal/SSO/SamlLogin?provider=<ProviderName>.
NameIdFormat:The format of the SAML NameID. This value should match the value configured on the identity provider. In most cases, EmailAddress is the recommended value.
SignatureAlgorithm: The encryption algorithm used to sign SAML requests and responses. This setting should match the configuration of the identity provider. The recommended setting is SHA_256.
The provisioning mode determines how users and groups are imported or provisioned into AD Bridge.
Automatic provisioning: The identity provider’s provisioning service makes calls to the AD Bridge SCIM endpoint to provision users or groups.
SCIM connector: AD Bridge queries the identity provider’s SCIM endpoint to retrieve user or group information.
Match to AD account: In scenarios where there is a local Active Directory with user accounts synchronized with the identity provider, the SAML-authenticated user will be matched to an existing Active Directory user. In this scenario, AD Bridge permissions can be delegated to the Active Directory users and groups.
Just In Time provisioning: In this model, the customer adds a custom attribute to the user accounts, specifying the name of the AD Bridge role assignment to which the user should be added. This value is then sent as a claim during login. When the user logs on, the user account is created in AD Bridge and added to the specified role assignment.
Manual provisioning: If the identity provider does not support automatic provisioning, the customer can use a PowerShell script to create the user and group accounts.
Specify the names of the SAML claims that correspond to the user properties:
Require signed requests: This setting causes all SAML requests, including logout requests, to be signed.
Logout URL:If the identity provider provides a URL for single sign-out, specify it here. This setting overrides the Single Sign-out (SSO) endpoint specified in the SAML metadata.
To use OIDC authentication:
Click the “Add OIDC Provider” button
Specify the provider name.
Set the Tenancy ID to 1.
IsDefault: Use this provider as the default identity provider. If IsDefault is checked, the ADB web console will use this provider for logins. If IsDefault is not checked, to log in to the ADB web console using this provider, use the following URL: https://<gatekeeper>/Portal/SSO/OIDCLogin?provider=<ProviderName>.
Config URL:The OpenID Connect metadata URL provided by the Identity Provider.
Identity Claim: The name of the OpenID Connect claim that contains the identity of the user. (Refer to the identity provider’s documentation for details).
If the identity provider requires additional information to be sent with the request (such as a tenancy id, you can add it in the Additional Parameters.
Before external users can log in to the ADB console, they must be provisioned or imported into the ADB database. ADB provides two methods for provisioning users.
Automatic Provisioning requires the identity provider to support SCIM provisioning. In this scenario, the identity provider’s provisioning service makes SCIM calls to the ADB SCIM service to provision users and groups.
To configure automatic provisioning, you will need to configure the following settings in the identity provider’s provisioning settings:
Scim Endpoint: https://<gatekeeper>/api/scim
Authentication or Secret Token:
Navigate to the SSO page in the ADB owner portal.
Click Editfor the identity provider.
Click Configure Provisioning
On the Configure Provisioning page, click Get SCIM Token.
If the identity provider does not provide a SCIM provisioning service but exposes a SCIM endpoint, you can use the ADB SCIM Connector to import users and groups. The ADB SCIM connector queries the identity provider’s SCIM endpoint to provision users and groups.
Configure the ADB SCIM Connector with the following settings:
Server URL:The server name portion of the Identity Provider’s SCIM endpoint (e.g., https://server.domain.com)
Base URL: The relative URL to the SCIM endpoint on the identity provider (e.g., "/scim/v2").
AuthToken: The authentication token (client secret) provided by the identity provider for SCIM access.
Import Users: Indicates whether user information should be imported.
Import Groups: Indicates whether group information should be imported.
Refresh Interval:The interval, in minutes, at which the ADB SCIM Connector should query the identity provider for changes to users and groups.
Allow time for the initial provisioning cycle to complete. (If using automatic provisioning, you can check the provisioning status in the Identity Provider’s portal)
Once the initial provisioning cycle is complete, go to the ADB Owner Portal
Navigate to the SSO page
Select the identity provider, and click List Users
Examine the list of users to verify the imported data
Select a user from the dropdown list and click Set User as Global Admin.
This user will now be able to log in to ADB at https://<gatekeeper>. On the Administration tab of the ADB web portal, this user can delegate ADB permissions to other users and groups as desired.
For cloud/hybrid Windows or Linux agents, this feature enables users to log in to the device using their AD credentials. If SAML/OIDC login is configured, they can also use their SAML/OIDC credentials.
Since SAML/OIDC authentication requires users to authenticate directly with the identity provider, the login interface will display a URL: https://<gatekeeper>/Portal/SSO/OOB?id=<requestId>.
Users must visit this URL, which will redirect them to the identity provider to complete the login process. Afterward, a Passcode will be displayed. Users must then enter this passcode in the login interface on the client machine to complete the login.
To log in using the AD Bridge Agent Login feature, select 'AD Bridge Login' on the login screen. By default, the AD Bridge Agent Login feature will use the default identity provider for the gatekeeper (so if SAML/OIDC is selected as default, SAML/OIDC will be used). To allow login using a non-default provider, set AllowMultipleProviders=1.
The Windows Agent Login feature includes two components: HAPIAUTH, a custom LSA authentication package, which performs the login operations, and HAPICredentialProvider, a custom credential provider, which provides the UI displayed for the AD Bridge Login. The settings for both these components are stored under the registry key HKLM\Software\OpenText\HAPIAUTH.
The following settings can be configured:
GatekeeperUrl (REG_SZ): The URL of the HAPI gatekeeper.
LogPath (REG_SZ): The path for the HAPIAuth log file (C:\ProgramData\OpenText\Logs\HapiAuth.log).
LogLevel (REG_DWORD) (1=Debug, 2=Info, 3=Warning, 4=Error, 5=Critical): Determines the minimum severity of events to write to the log file.
EventLogLevel (REG_DWORD) (1=Debug, 2=Info, 3=Warning, 4=Error, 5=Critical): Determines the minimum severity of events to write to the event log.
AllowMultipleProviders (REG_DWORD) (0=Disabled, 1=Enabled): If enabled, AD Bridge Login will display a dropdown list of identity providers (including SAML/OIDC and AD), and the user can select which provider to use for login.
ShowQRCode (REG_DWORD) (0=Disabled, 1=Enabled): If enabled, AD Bridge will display a link that will open a window containing a QR code. The QR code represents the login URL that the user must visit to complete the login.
NOTE:Only administrators can read the HAPIAuth.log. To view the HAPIAuth.log, use "Run as Administrator.
During installation, the settings are configured to use the default identity provider. To switch to a different identity provider, update the DomainName and DomainSid properties in /etc/nss_hapi.conf.
The following settings can be configured:
GatekeeperUrl:The URL of the gatekeeper.
GenerateUids: (yes/no) Generates UID numbers for external users. If set to no, only user accounts that have a value specified in the uidNumber property are allowed to log in.
UidBase: (default=10000) - The starting number for Generated UIDs.
DomainName: The name of the Active Directory domain or SAML/OIDC provider to use for authentication.
DomainSid: For AD domains, the Domain SID. For SAML/OIDC providers, this should be set to TenancyId_ProviderId (in the HAPI Owner portal, select the identity provider, and click List Users – the DomainSid will be the first half of the unique ID for each user).
The Linux Agent Login feature includes a PAM module and NSS module. The settings for these modules are defined in /etc/nss_hapi.conf and can be configured via Universal Policy using the Linux/AD Logins/Cloud/Custom settings.
Install the ADB Gatekeeper and Gateway.
Create and configure an ENTRA Enterprise Application for ADB:
In the ENTRA console, navigate to Enterprise Applications, and select Create a new Application.
Give the application a name, and select “Integrate any other application you don't find in the gallery (Non-gallery).
Click Create.
In the ENTRA console, assign Users and Groups to the Enterprise Application.
Configure the Enterprise Application to use SAML authentication.
In the ENTRA Enterprise Application Settings, go to Single Sign On, and select SAML.
Download the HAPI SAML metadata:
In the ADB owner portal (https://<gatekeeper>/portal/account) (https://<gatekeeper>/portal/account), select SSO.
Click Get SAML Metadata.
Save the metadata to a file.
In the ENTRA Application SAML settings,
Select Upload metadata file and upload the HAPI SAML metadata.
Under “Relay State” specify a domain name for ADB to use for the ENTRA users and groups (for example “ENTRA” or “MYDOMAIN”).
(Optional) Set Sign on URL to (https://<gatekeeper>/Portal/SSO/SamlLogin?provider=<ProviderName>) where ProviderName is the name of the SAML provider in ADB – the name you specified for RelayState.
Select Download Federation Metadata XML and save the metadata to a file.
Configuring ADB to use SAML authentication:
In the ADB Owner Portal, navigate to SSO settings and click Add SAML Provider.
Set the provider name to the same value used for Relay State.
Check the IsDefault checkbox. This will set the ADB web console to use this SAML provider as the default identity provider for logins. To login with a non-default SAML provider, go to https://<gatekeeper>/Portal/SSO/SamlLogin?provider=<ProviderName>.
Set NameIdFormat to Email Address.
Set SignatureAlgorithm to SHA_256.
Set provisioning mode to AutomaticProvisioning.
Set the following values for SAML claims:
Save the changes.
Setting up SCIM provisioning:
Get a SCIM Authentication Token:
In the ADB Owner Portal, navigate to the SSO page
Select the SAML provider and click Edit
Click Edit Provisioning, then Get SCIM Token.
Configure Provisioning in the Entra Console:
Go to the Enterprise Application’s Provisioning tab.
Select Provisioning Mode: Automatic.
Under Admin Credentials/Tenant URL, specify the SCIM endpoint: https://<gatekeeper>/api/scim.
For Admin Credentials/Secret Token, paste the SCIM Auth Token from the first step.
Click Save Changes.
Click Start Provisioning.
Assigning ADB Global Administrator role:
Wait for the initial provisioning:
Allow time for the initial provisioning cycle to complete. You can check the provisioning status in the Microsoft Entra portal.
Assign Global Admin Role:
Once the provisioning cycle is complete, go to the ADB Owner Portal, SSO page.
Select the List Users button for the SAML provider.
Confirm that the users or groups have been imported correctly.
Select the user to grant Global Administrator permissions to and click Set User as Global Admin.
Install the ADB Gatekeeper/Gateway.
Create an ENTRA Enterprise Application for ADB:
Create an ENTRA Enterprise Application:
In the ENTRA console, navigate to Enterprise Applications
Select Create a new Application
Give the application a name and select Integrate any other application you don't find in the gallery (Non-gallery)
Click Create.
Assign Users and Groups:
In the ENTRA console, assign users and groups to the newly created Enterprise Application.
Configure Application Authentication:
In the ENTRA console, go to Applications/App Registrations
Select the application
Under Authentication, select Add a Platform and add the Web platform
Set Redirect URI to https://<gatekeeper>/Portal/SSO/OIDC
Set Front Channel Logout URL to https://<gatekeeper>/Portal/SSO/Logout
Check the Identity Tokens checkbox.
Configure ADB to use OIDC authentication.
You will need the following information from the ENTRA App Registration:
Application (client) ID
Directory (tenant) ID
OpenID Connect metadata document URL (Click on Endpoints)
In the ADB owner portal, on the SSO page, click Add OIDC Provider, and configure the following settings:
Provider Name: Specify a name for this identity provider.
Tenancy ID: Must be 1.
Is Default: Set to checked.
Provisioning Mode:Automatic Provisioning
Config URL:The OpenID Connect metadata document URL.
Client ID:The Application (client) ID
Claims Mapping: Click Configure Claims Mapping and set the following values:
Match login claims to users using this property: EmailAddress
Unique ID: email
Username: email
Email Address: email
ExtraPropertyName: tenancyId
ExtraPropertyValue1: The Directory (tenant) ID
ExtraPropertyName2: scope
ExtraPropertyValue2: openid email
Click Save Changes.
Set up SCIM provisioning
In the ADB owner portal, get a SCIM authentication token:
On the SSO page, select the SAML provider, and click Edit.
Click Edit Provisioning, then click Get SCIM Token.
In the Entra console: go to the Enterprise Application’s Provisioning tab.
Select Provisioning Mode: Automatic.
Under Admin Credentials/Tenant URL, specify the SCIM endpoint: https://<gatekeeper>/api/scim
For the Admin Credentials or Secret Token:
Paste the Scim Auth Token from the first step
Click Save Changes
Click Start Provisioning.
Assign ADB Global Administrator role
Wait for the initial provisioning cycle to complete.
In the ADB owner portal:
Go to the SSO page, and select the List Users button for the OIDC provider.
Confirm that the users/groups have been imported correctly:
Select the user to grant Global Administrator permissions to
Click Set User as Global Admin.
Install the ADB Gatekeeper and Gateway.
Create and configure an ENTRA Enterprise Application for ADB.
In the OKTA console, go to Applications, and click “Create App Integration”
Select “SAML 2.0” as the authentication type.
Give the application a name and click Next.
Configure the SAML settings:
Single Signon URL: https://<gatekeeper>/Portal/SSO/SamlACS
Use this for Recipient URL and Destination URL: Checked
Audience URI: https://<gatekeeper>
Default Relay State specify a domain name for ADB to use for the ENTRA users and groups (for example “ENTRA” or “MYDOMAIN”)
NameIDFormat: EmailAddress
Application Username: ENTRA Username
Update application username on: Create and Update
Under Advanced Options, upload the HAPI certificate: (On the Gatekeeper machine, the certificate can be found in C:\Program Files\OpenText\AD Bridge\Gatekeeper\nginx\conf\certificate.crt)
Check the “Allow application to initiate single logout” checkbox Single Logout URL: https://<gatekeeper>/Portal/SSO/SLO
In the ENTRA console, Assign Users and Groups to the Application.
Under “Relay State” specify a domain name for ADB to use for the ENTRA users and groups (for example “ENTRA” or “MYDOMAIN”)
Download the ENTRA SAML metadata and save the metadata to a file.
Configure ADB to use SAML authentication.
In the ADB Owner Portal, SSO settings, click “Add SAML Provider”.
Set the provider name to the same value used for Relay State.
Check the IsDefault checkbox. This causes the ADB web console to use this SAML provider as the default identity provider for logins. To login with a non-default SAML provider, go to https://<gatekeeper>/Portal/SSO/SamlLogin?provider=<ProviderName>
Set NameIdFormat to Email Address.
Set SignatureAlgorithm to SHA_256.
Set provisioning mode to AutomaticProvisioning.
Save Changes
Set up SCIM provisioning
In the ADB owner portal, get a SCIM authentication token:
On the SSO page, select the SAML provider, and click Edit.
Click “Edit Provisioning”, then “Get SCIM Token”.
In the OKTA console, go to the ADB Application, and check the “Enable SCIM Provisioning” checkbox.
In the Provisioning/Integration tab, set the following values:
Scim Connector Base URL: https://<gatekeeper>/api/scim
Unique Identifier field for Users: username
Push New Users
Push Profile Updates
Push Groups
Authentication Mode: Http Header Token: <the SCIM token from ADB
Under Provisioning/To App/Attribute Mappings, remove the following mappings:
Manager ValueEmployee Number Cost Center Organization Division Department Manager Display Name
Click “Save Changes.
Click “Force Sync”
Assign ADB Global Administrator role
Wait for the initial provisioning cycle to complete. Once the provisioning cycle has completed, go to the ADB owner portal, SSO page, and select the “List Users” button for the SAML provider.
Confirm that the users/groups have been imported correctly, then select the user to grant Global Administrator permissions to, and click “Set User as Global Admin”.
Install the ADB Gatekeeper/Gateway.
Create and configure an OKTA Application for ADB
In the OKTA console, click “Create App Integration”
Select Sign-in Method: OIDC – Open ID Connect
Select Application Type: Web Application
Specify an application name
Select grant types “Authorization Code”, “Refresh Token” and “Implicit (hybrid)
Set Sign-in redirect URI: https://<gatekeeper>/Portal/SSO/OIDC
Set Sign-out redirect URI: https://<gatekeeper>/Portal/SSO/Logout
Set user/group assignments as desired.
Configure ADB to use OIDC authentication.
You will need the Client ID from the OKTA Application properties.
In the ADB owner portal, SSO page, click “Add OIDC Provider”, and configure the following settings:
Provider Name: Specify a name for this identity provider.
Tenancy ID: Must be 1.
Is Default: Set to checked.
Provisioning Mode: Automatic Provisioning
Config URL: https://${yourOktaDomain}/.well-known/openid-configuration (see https://developer.okta.com/docs/reference/api/oidc/#well-known-openid-configuration)
Client ID: The Application (client) ID
Configure Claims Mapping: Click "Configure Claims Mapping" and set the following values:
Match login claims to users using this property: EmailAddress
Unique ID: email
Username: email
Email Address: email
Click Save Changes.
Automatic Provisioning:
Configure SCIM provisioning
OKTA does not currently support SCIM provisioning for OIDC applications. In order to use OKTA provisioning, you must create a SAML Application in OKTA.
Create an additional Application in OKTA. Choose SAML 2.0.
Specify a name for the application. Specify the gatekeeper URL in the required URL fields (these values will not be used, because this App will only be used for provisioning, not authentication). Check “Enable SCIM Provisioining” and “Do not display application icon to users”.
In the Provisioning/Integration tab, set the following values:
Scim Connector Base URL: https://<gatekeeper>/api/scim
Unique Identifier field for Users: username
Push New Users
Push Profile Updates
Push Groups
Authentication Mode: Http Header
Token: <the SCIM token from ADB>
Under Provisioning/To App/Attribute Mappings, remove the following mappings:
Manager ValueEmployee NumberCost CenterOrganizationDivisionDepartmentManager Display NameClick “Save Changes”. Click “Force Sync”
Alternatively, instead of Automatic Provisioning, you can use JustInTime provisioining to enable JustInTime provisioning:
In the OKTA console, in Directory/Profile Editor, create a custom attribute “ADBRole” (the name of the attribute doesn’t matter).
Add a mapping for the custom property to the Application profile for the application.
Populate the ADBRole for each user with the name of a role assignment in ADB.
NOTE:When the user attempts to log in to the ADB console, a SCIM user will be created for them, if one doesn’t already exist. If the SCIM user has not been assigned to any roles, it will be assigned to the role specified in the ADBRole property.
In the ADB owner portal, set the provider’s ProvisioiningMode to “JustInTime”.
For additional properties enter: scope “openid email profile”
Add the following Attribute Mappings:
DisplayName=”name”Email=”email”UserName=”email”RoleAssignment=”ADBRole”
Assign ADB Global Administrator role
Wait for the initial provisioning cycle to complete. Once the provisioning cycle has completed, go to the ADB owner portal, SSO page, and select the “List Users” button for the OIDC provider.
Confirm that the users/groups have been imported correctly, then select the user to grant Global Administrator permissions to, and click “Set User as Global Admin”.
Install the ADB Gatekeeper and Gateway.
Create and configure a Ping Identity Application for ADB.
In the Ping Identity console, Select Applications, and click the “+” button.
Give the application a name, and select “SAML Application”
Click Configure.
Select “Import from URL”. Enter the following url: https://<gatekeeper>/Portal/SSO/GetSPMetadata and click Import, then Save.
On the attribute mappings tab, specify the following mappings:
saml-subject: User ID email: Email Addressusername: Username
On the configuration tab, click “Download Metadata”
Configure ADB to use SAML authentication.
In the ADB Owner Portal, SSO settings, click “Add SAML Provider”.
Specify a name for the identity provider.
Check the IsDefault checkbox. This causes the ADB web console to use this SAML provider as the default identity provider for logins. To login with a non-default SAML provider, go to https://<gatekeeper>/Portal/SSO/SamlLogin?provider=<ProviderName> .
Set NameIdFormat to Email Address.
Set SignatureAlgorithm to SHA_256
Set provisioning mode to AutomaticProvisioning.
Set the following values for SAML claims:
DisplayName: userNameEmail: emailUnique ID: userName
Save Changes.
Set up SCIM provisioning
In the ADB owner portal, get a SCIM authentication token: On the SSO page, select the SAML provider, and click Edit. Click “Edit Provisioning”, then “Get SCIM Token”.
In the PingIdentity console, go to Integrations/Provisioning/New Connection.
Choose Connection Type: Identity Store, then choose “SCIM Outbound”.
Specify a name for the connection and click Next.
Set the following properties on the Configure Authentication page:
Scim Base URL: https://<gatekeeper>/api/scimUsers Resource: /UsersSCIM Version: 2.0Authentication method: “OAuth 2 Bearer token”Auth type header: BearerOauth Access Token: <the SCIM token from ADB>
Integrations/Provisioning/Rules/New Rule.
Select the SCIM connection you created in the previous step.Configure the user filter and attribute mappings, if desired.Enable the rule.
Assign ADB Global Administrator role:
Wait for the initial provisioning cycle to complete. You can check the provisioning status in provisioning rule on the Ping Identity portal.
Once the provisioning cycle has completed, go to the ADB owner portal, SSO page, and select the “List Users” button for the SAML provider.
Confirm that the users/groups have been imported correctly, then select the user to grant Global Administrator permissions to, and click “Set User as Global Admin”.
Install the ADB Gatekeeper and Gateway.
Create and configure a Ping Identity Application for ADB.
In the Ping Identity console, Select Applications, and click the “+” button.
Give the application a name, and select “OIDC Web App”Click Save.
Edit Configuration:
Response Type: Code, ID TokenGrant Type : Authorization CodeRedirect URIs: https://<gatekeeper>/Portal/SSO/OIDC https://<gatekeeper>Token endpoint authentication method: Client Secret BasicInitiate Login URI: https://<gatekeeper>/Portal/SSO/OIDCLogin?provider=<ADBProviderName>
On the attribute mappings tab, specify the following mappings:
ub, UserID, openid
email, Email Address,openid
userName: Username, openid
Configure ADB to use OIDC authentication.
You will need the following information from the configuration tab of the PingIdentity Application:
Application IDOpenID Connect metadata document URL
In the ADB owner portal, SSO page, click “Add OIDC Provider”, and configure the following settings:
Provider Name: Specify a name for this identity provider.Tenancy ID: Must be 1.Is Default: Set to checked.Provisioning Mode: Automatic ProvisioningConfig URL: The OpenID Connect metadata document URL.Client ID: The Client ID Identity Claim: emailClick Save Changes.
Set up SCIM provisioning
In the ADB owner portal, get a SCIM authentication token: On the SSO page, select the SAML provider, and click Edit. Click “Edit Provisioning”, then “Get SCIM Token”.In the PingIdentity console, go to Integrations/Provisioning/New Connection.Choose Connection Type: Identity Store, then choose “SCIM Outbound”.Specify a name for the connection and click Next. Set the following properties on the Configure Authentication page:Scim Base URL: https://<gatekeeper>/api/scim
Users Resource: /UsersSCIM Version: 2.0Authentication method: “OAuth 2 Bearer token”Auth type header: BearerOauth Access Token: <the SCIM token from ADB>
Integrations/Provisioning/Rules/New Rule.
Select the SCIM connection you created in the previous step.Configure the user filter and attribute mappings, if desired.Enable the rule.
Assign ADB Global Administrator role:
Wait for the initial provisioning cycle to complete. You can check the provisioning status in provisioning rule on the Ping Identity portal. Once the provisioning cycle has completed, go to the ADB owner portal, SSO page, and select the “List Users” button for the OIDC provider.Confirm that the users/groups have been imported correctly, then select the user to grant Global Administrator permissions to, and click “Set User as Global Admin”.
Install the ADB Gatekeeper and Gateway.
Create and configure an Amazon IAM Application for ADB.
In the Amazon IAM console, Select Applications, and click "Add Application”.
Select “I have an application I want to set up”Select Application type “SAML 2.0”, and click “Next”
Specify a name for the Application.
Click the link to download the IAM Identity Center SAML metadata file.
Specify the Application Start URL and Relay State:
Application Start URL: https://<gatekeeper>/Portal/SSO/SamlLogin?provider=<ProviderName>
Relay State: <ProviderName>
Where ProviderName is the name you will give this SAML provider in the ADB owner portal.
Download the ADB SAML metadata from: https://<gatekeeper>/Portal/SSO/GetSPMetadata and save it to a file.
In the IAM Application Metadata section, select “Upload Application SAML Metadata file”, and select the downloaded ADB SAML metadata.
Assign users and groups to the application as desired.
Configure ADB to use SAML authentication.
Specify a name for the identity provider.Check the IsDefault checkbox. This causes the ADB web console to use this SAML provider as the default identity provider for logins. To login with a non-default SAML provider, go to https://<gatekeeper>/Portal/SSO/SamlLogin?provider=<ProviderName> Set NameIdFormat to Email Address.Set SignatureAlgorithm to SHA_256.Set provisioning mode to AutomaticProvisioning.
Set the following values for SAML claims:
DisplayName: nameEmail: emailUnique ID: name
Save Changes.
Set up SCIM provisioning
In the ADB owner portal, get a SCIM authentication token: On the SSO page, select the SAML provider, and click Edit. Click “Edit Provisioning”, then “Get SCIM Token”.In the PingIdentity console, go to Integrations/Provisioning/New Connection.Choose Connection Type: Identity Store, then choose “SCIM Outbound”.Specify a name for the connection and click Next.
Set the following properties on the Configure Authentication page:
Scim Base URL: https://<gatekeeper>/api/scimUsers Resource: /UsersSCIM Version: 2.0Authentication method: “OAuth 2 Bearer token”Auth type header: BearerOauth Access Token: <the SCIM token from ADB>
Integrations/Provisioning/Rules/New Rule.
Select the SCIM connection you created in the previous step.Configure the user filter and attribute mappings, if desired.Enable the rule.
Assign ADB Global Administrator role:
Wait for the initial provisioning cycle to complete. You can check the provisioning status in provisioning rule on the Ping Identity portal.
Once the provisioning cycle has completed, go to the ADB owner portal, SSO page, and select the “List Users” button for the SAML provider.
Confirm that the users/groups have been imported correctly, then select the user to grant Global Administrator permissions to, and click “Set User as Global Admin”.
Install the ADB Gatekeeper and Gateway.
Create and configure a Ping Identity Application for ADB.
In the Ping Identity console, Select Applications, and click the “+” button.
Give the application a name, and select “OIDC Web App”Click Save.
Edit Configuration:
Response Type: Code, ID TokenGrant Type : Authorization CodeRedirect URIs: https://<gatekeeper>/Portal/SSO/OIDChttps://<gatekeeper>Token endpoint authentication method: Client Secret Basic Initiate Login URI: https://<gatekeeper>/Portal/SSO/OIDCLogin?provider=<ADBProviderName>
On the attribute mappings tab, specify the following mappings:
ub, UserID, openidemail, Email Address,openiduserName: Username, openid
Configure ADB to use OIDC authentication.
You will need the following information from the configuration tab of the PingIdentity Application:
Application IDOpenID Connect metadata document URL
In the ADB owner portal, SSO page, click “Add OIDC Provider”, and configure the following settings:
Provider Name: Specify a name for this identity provider.Tenancy ID: Must be 1.Is Default: Set to checked.Provisioning Mode: Automatic ProvisioningConfig URL: The OpenID Connect metadata document URL.Client ID: The Client ID Identity Claim: emailClick Save Changes.
Set up SCIM provisioning
In the ADB owner portal, get a SCIM authentication token:On the SSO page, select the SAML provider, and click Edit. Click “Edit Provisioning”, then “Get SCIM Token”.In the PingIdentity console, go to Integrations/Provisioning/New Connection.Choose Connection Type: Identity Store, then choose “SCIM Outbound”.Specify a name for the connection and click Next.
Set the following properties on the Configure Authentication page:
Scim Base URL: https://<gatekeeper>/api/scimUsers Resource: /UsersSCIM Version: 2.0Authentication method: “OAuth 2 Bearer token”Auth type header: BearerOauth Access Token: <the SCIM token from ADB>
Integrations/Provisioning/Rules/New Rule.
Select the SCIM connection you created in the previous step.Configure the user filter and attribute mappings, if desired.Enable the rule.
Assign ADB Global Administrator role:
Wait for the initial provisioning cycle to complete. You can check the provisioning status in provisioning rule on the Ping Identity portal. Once the provisioning cycle has completed, go to the ADB owner portal, SSO page, and select the “List Users” button for the OIDC provider.Confirm that the users/groups have been imported correctly, then select the user to grant Global Administrator permissions to, and click “Set User as Global Admin”.