3.4 Configuring UPA to use a Third-Party Identity Provider

3.4.1 Install the UPA Gatekeeper and Gateway

Install the UPA Gatekeeper and Gateway. For more information, see Section 2.0, Installing Universal Policy Administrator.

3.4.2 Configure the UPA application in the identity provider

  1. Create the Application for UPA in the identity provider’s console.

  2. If the identity provider requires it, assign or grant users and groups permission to use the application.

  3. Configure the authentication settings in the identity provider application.

SAML Authentication Settings

  1. If the identity provider allows for importing SAML metadata, import the UPA SAML metadata into the identity provider Application or Integration.

  2. The UPA SAML metadata is available at https://<gatekeeper>/Portal/SSO/GetSPMetadata, or by clicking the Get SAML Metadata link on the SSO page of the UPA Owner Portal (https://<gatekeeper>/Portal/Account).

  3. If the identity provider does not provide an option to import a metadata XML file, use the following values:

    • Entity ID: https://<gatekeeper>

    • Single Sign-on (SSO) URL (Assertion Consumer Service): https://<gatekeeper>/Portal/SSO/SamlACS

    • Name ID Format: EmailAddress (recommended)

    • Single Logout (SLO) URL: https://<gatekeeper>/Portal/SSO/SLO

Configuring Relay State

Choose a provider name for the SAML connection. Provider name is used when configuring the SAML connection in UPA. The connection name should consist of only alphanumeric characters. Set the SAML Relay State parameter to the provider name.

Federation Metadata

Download the federation metadata from the identity provider. You will need this metadata to configure UPA in the next step.
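As an added pre-flight check (example code written for this page, not part of UPA or its documentation), the script below confirms that the SP metadata the Gatekeeper publishes advertises exactly the Entity ID, SSO (ACS) URL, SLO URL and NameID format listed above before you import it into the identity provider. A mismatch usually means the Gatekeeper is being reached through a hostname or proxy it was not installed with, and the identity provider would then post assertions to an ACS URL that does not match. The sample metadata is constructed to resemble a GetSPMetadata response for an assumed Gatekeeper at upa.example.com; the element layout of the real document is an assumption.

```powershell
# Added example for this page, not UPA product code. Checks that the SP metadata
# served at https://<gatekeeper>/Portal/SSO/GetSPMetadata matches the values the
# identity provider must be given (Section 3.4.2, SAML Authentication Settings).

function Test-UpaSpMetadata {
    param(
        [Parameter(Mandatory)][string]$MetadataXml,  # body of GetSPMetadata
        [Parameter(Mandatory)][string]$Gatekeeper    # host name, e.g. upa.example.com
    )
    $base = "https://$Gatekeeper"
    $expected = [ordered]@{
        EntityID     = $base
        ACS          = "$base/Portal/SSO/SamlACS"
        SLO          = "$base/Portal/SSO/SLO"
        NameIDFormat = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'
    }

    # The metadata is fetched over the network, so parse it as untrusted XML:
    # no DTD processing and no external entity resolution.
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit
    $settings.XmlResolver   = $null
    $reader = [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader -ArgumentList $MetadataXml), $settings)
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($reader)
    $reader.Close()

    $ns = New-Object System.Xml.XmlNamespaceManager -ArgumentList $doc.NameTable
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $spPath = '/md:EntityDescriptor/md:SPSSODescriptor'
    $sp  = $doc.SelectSingleNode($spPath, $ns)
    $acs = $doc.SelectSingleNode("$spPath/md:AssertionConsumerService[@Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST']", $ns)
    $slo = $doc.SelectSingleNode("$spPath/md:SingleLogoutService", $ns)
    $fmt = $doc.SelectSingleNode("$spPath/md:NameIDFormat", $ns)

    $actual = @{
        EntityID     = $doc.DocumentElement.GetAttribute('entityID')
        ACS          = if ($acs) { $acs.GetAttribute('Location') } else { $null }
        SLO          = if ($slo) { $slo.GetAttribute('Location') } else { $null }
        NameIDFormat = if ($fmt) { $fmt.InnerText.Trim() } else { $null }
    }

    $results = [System.Collections.Generic.List[object]]::new()
    foreach ($key in $expected.Keys) {
        $results.Add([pscustomobject]@{
            Setting  = $key
            Expected = $expected[$key]
            Actual   = $actual[$key]
            Match    = ($expected[$key] -eq $actual[$key])
        })
    }
    # AuthnRequestsSigned is what the "Require signed requests" setting in 3.4.3 controls;
    # it is reported so it can be compared with the provider configuration in UPA.
    $results.Add([pscustomobject]@{
        Setting  = 'AuthnRequestsSigned'
        Expected = 'true when Require signed requests is enabled'
        Actual   = if ($sp) { $sp.GetAttribute('AuthnRequestsSigned') } else { $null }
        Match    = $null
    })
    return $results
}

# Constructed sample standing in for a real GetSPMetadata response (assumed host
# upa.example.com; the signing certificate element is omitted).
$sampleMetadata = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://upa.example.com">
  <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
                   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://upa.example.com/Portal/SSO/SLO"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://upa.example.com/Portal/SSO/SamlACS" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>
'@

Test-UpaSpMetadata -MetadataXml $sampleMetadata -Gatekeeper 'upa.example.com' | Format-Table -AutoSize

# Against a live Gatekeeper, fetch the document first:
# $live = (Invoke-WebRequest -Uri 'https://upa.example.com/Portal/SSO/GetSPMetadata' -UseBasicParsing).Content
# Test-UpaSpMetadata -MetadataXml $live -Gatekeeper 'upa.example.com' | Format-Table -AutoSize
```

Run the check again whenever the Gatekeeper hostname or certificate changes: the identity provider keeps the values it imported, and a stale ACS URL or Entity ID will fail every login until the application is updated on that side too.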

OIDC Authentication Settings

  1. Set the Redirect URI to: https://<gatekeeper>/Portal/SSO/OIDC

  2. Set the logout URI to: https://<gatekeeper>/Portal/SSO/Logout

  3. Make a note of the Client ID and of the OpenID Connect metadata document URL; both are needed when the provider is configured in UPA.

  4. Enable ID tokens for the application.

3.4.3 Configure UPA to use SAML or OIDC Authentication

  • Sign in to the Owner portal (https://<gatekeeper>/Portal/Account) using the Owner account created during the Gatekeeper installation.

  • Click the SSO button.

UPA SAML Authentication Settings

  1. Click the Add SAML Provider button.

  2. Specify the provider name (the same name used in the Relay State)

  3. Set the Tenancy ID to 1.

IsDefault: Use this provider as the default identity provider. If IsDefault is checked, the UPA web console will use this provider for logins. If IsDefault is not checked, to log in to the UPA web console using this provider, you will need to use this URL: https://<gatekeeper>/Portal/SSO/SamlLogin?provider=<ProviderName>.

NameIdFormat: The format of the SAML NameID. This value should match the value configured on the identity provider. In most cases, EmailAddress is the recommended value.

SignatureAlgorithm: The hash algorithm used in the signatures on SAML requests and responses. This setting should match the configuration of the identity provider. The recommended setting is SHA_256; avoid SHA-1, which is deprecated for signatures.

Provisioning Mode

The provisioning mode determines how users and groups are imported or provisioned into UPA.

  • Automatic provisioning: The identity provider’s provisioning service makes calls to the UPA SCIM endpoint to provision users or groups.

  • SCIM connector: UPA queries the identity provider’s SCIM endpoint to retrieve user or group information.

  • Match to AD account: In scenarios where there is a local Active Directory with user accounts synchronized with the identity provider, the SAML-authenticated user will be matched to an existing Active Directory user. In this scenario, UPA permissions can be delegated to the Active Directory users and groups.

  • Just In Time provisioning: In this model, the customer adds a custom attribute to the user accounts, specifying the name of the UPA role assignment to which the user should be added. This value is then sent as a claim during login. When the user logs on, the user account is created in UPA and added to the specified role assignment.

  • Manual provisioning: If the identity provider does not support automatic provisioning, the customer can use a PowerShell script to create the user and group accounts.

SAML Claims Mapping

Specify the names of the SAML claims that carry the user properties UPA needs: DisplayName, Email and Unique ID. The claim names depend on the identity provider; the provider-specific sections later in this chapter list the values to use.

The SAML provider page also has the following settings:

  • Require signed requests: This setting causes all SAML requests, including logout requests, to be signed.

  • Logout URL: If the identity provider provides a URL for single logout, specify it here. This setting overrides the Single Logout (SLO) endpoint specified in the federation metadata.

UPA OIDC Authentication Settings

To use OIDC authentication:

  1. Click the “Add OIDC Provider” button

  2. Specify the provider name.

  3. Set the Tenancy ID to 1.

IsDefault: Use this provider as the default identity provider. If IsDefault is checked, the UPA web console will use this provider for logins. If IsDefault is not checked, to log in to the UPA web console using this provider, use the following URL: https://<gatekeeper>/Portal/SSO/OIDCLogin?provider=<ProviderName>.

Config URL: The OpenID Connect metadata URL provided by the Identity Provider.

Identity Claim: The name of the OpenID Connect claim that contains the identity of the user. (Refer to the identity provider’s documentation for details).

Additional Parameters

If the identity provider requires additional information to be sent with the request (such as a tenancy ID), you can add it under Additional Parameters as name/value pairs (for example, ExtraPropertyName tenancyId with the Directory (tenant) ID as its value, as in Section 3.4.10).
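As an added pre-flight check for the OIDC settings above (example code written for this page, not part of UPA or its documentation), the script below validates the OpenID Connect metadata document behind the Config URL before the provider is saved: the document must belong to the issuer the URL was fetched from, every endpoint must be https, the Identity Claim and the scopes passed through Additional Parameters must be advertised, and the hybrid response type must be offered. That last requirement is inferred from the provider-side settings in this chapter (ID tokens for Entra, the Implicit (hybrid) grant for OKTA, "Code, ID Token" for Ping); the sample document and the host idp.example.com are constructed.

```powershell
# Added example for this page, not UPA product code. Checks an OpenID Connect
# discovery document against what the UPA OIDC provider settings rely on.

function Test-UpaOidcDiscovery {
    param(
        [Parameter(Mandatory)][string]$DiscoveryJson,     # body fetched from the Config URL
        [Parameter(Mandatory)][string]$ConfigUrl,         # the Config URL itself
        [string]$IdentityClaim = 'email',                  # the Identity Claim set in UPA
        [string[]]$RequiredScopes = @('openid', 'email')   # scope sent via Additional Parameters
    )
    $cfg = $DiscoveryJson | ConvertFrom-Json
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Check, $Ok, $Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = "$Detail" })
    }

    # The document must describe the issuer the Config URL was fetched from; a document
    # naming a different issuer would make UPA accept that issuer's tokens instead.
    Add-Finding 'issuer matches Config URL' ($ConfigUrl.StartsWith([string]$cfg.issuer)) $cfg.issuer

    foreach ($ep in 'authorization_endpoint', 'token_endpoint', 'jwks_uri') {
        $url = [string]$cfg.$ep
        Add-Finding "$ep is https" ($url -like 'https://*') $url
    }

    # ID tokens / hybrid flow must be available (see the provider-side settings in 3.4.10 to 3.4.14).
    $responseTypes = @($cfg.response_types_supported)
    Add-Finding 'response_types_supported includes "code id_token"' ('code id_token' -in $responseTypes) $responseTypes
    $algs = @($cfg.id_token_signing_alg_values_supported)
    Add-Finding 'ID tokens can be signed with RS256' ('RS256' -in $algs) $algs

    # The scopes UPA sends and the claim it matches users on must be advertised.
    $scopes = @($cfg.scopes_supported)
    foreach ($s in $RequiredScopes) {
        Add-Finding "scope '$s' advertised" ($s -in $scopes) $scopes
    }
    if ($cfg.claims_supported) {
        $claims = @($cfg.claims_supported)
        Add-Finding "identity claim '$IdentityClaim' advertised" ($IdentityClaim -in $claims) $claims
    } else {
        Add-Finding "identity claim '$IdentityClaim' advertised" $null 'claims_supported not published; verify the claim in a test ID token'
    }
    return $findings
}

# Constructed sample discovery document for an assumed provider at idp.example.com.
$sampleDiscovery = @'
{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/oauth2/v1/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/v1/token",
  "jwks_uri": "https://idp.example.com/oauth2/v1/keys",
  "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "scopes_supported": ["openid", "email", "profile", "offline_access"],
  "claims_supported": ["iss", "sub", "aud", "exp", "iat", "name", "email", "preferred_username"]
}
'@

Test-UpaOidcDiscovery -DiscoveryJson $sampleDiscovery `
    -ConfigUrl 'https://idp.example.com/.well-known/openid-configuration' | Format-Table -AutoSize

# Against a live provider (for Entra, use the tenant-specific metadata URL from App Registrations / Endpoints):
# $configUrl = 'https://idp.example.com/.well-known/openid-configuration'
# $live = (Invoke-WebRequest -Uri $configUrl -UseBasicParsing).Content
# Test-UpaOidcDiscovery -DiscoveryJson $live -ConfigUrl $configUrl | Format-Table -AutoSize
```

Any row with Ok = False should be resolved in the identity provider before the provider is saved in UPA; a row with Ok empty is a check the document could not answer and needs a manual look at a test ID token.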

3.4.4 Configure Provisioning

Before external users can log in to the UPA console, they must be provisioned or imported into the UPA database. This section describes the two SCIM-based provisioning methods (Automatic Provisioning and the SCIM Connector); the full list of modes is given under Provisioning Mode in Section 3.4.3.

Automatic Provisioning

Automatic Provisioning requires the identity provider to support SCIM provisioning. In this scenario, the identity provider’s provisioning service makes SCIM calls to the UPA SCIM service to provision users and groups.

To configure automatic provisioning, you will need to configure the following settings in the identity provider’s provisioning settings:

  • SCIM Endpoint: https://<gatekeeper>/api/scim

  • Authentication or Secret Token: generate it in UPA as follows.

    • Navigate to the SSO page in the UPA Owner Portal.

    • Click Edit for the identity provider.

    • Click Configure Provisioning.

    • On the Configure Provisioning page, click Get SCIM Token.

  The token is a bearer credential: anyone who holds it can create and modify UPA users and groups through the SCIM endpoint. Paste it only into the identity provider’s secret field, and treat any exposure as a reason to replace it.

Scim Connector

If the identity provider does not provide a SCIM provisioning service but exposes a SCIM endpoint, you can use the UPA SCIM Connector to import users and groups. The UPA SCIM connector queries the identity provider’s SCIM endpoint to provision users and groups.

Configure the UPA SCIM Connector with the following settings:

  • Server URL: The server name portion of the Identity Provider’s SCIM endpoint (e.g., https://server.domain.com)

  • Base URL: The relative URL to the SCIM endpoint on the identity provider (e.g., "/scim/v2").

  • AuthToken: The authentication token (client secret) provided by the identity provider for SCIM access.

  • Import Users: Indicates whether user information should be imported.

  • Import Groups: Indicates whether group information should be imported.

  • Refresh Interval: The interval, in minutes, at which the UPA SCIM Connector should query the identity provider for changes to users and groups.

3.4.5 Assigning the UPA global Administrator Role to a User

  • Allow time for the initial provisioning cycle to complete. (If using automatic provisioning, you can check the provisioning status in the Identity Provider’s portal)

  • Once the initial provisioning cycle is complete, go to the UPA Owner Portal

  • Navigate to the SSO page

  • Select the identity provider, and click List Users

  • Examine the list of users to verify the imported data

  • Select a user from the dropdown list and click Set User as Global Admin.

This user will now be able to log in to UPA at https://<gatekeeper>. On the Administration tab of the UPA web portal, this user can delegate UPA permissions to other users and groups as desired.

3.4.6 Configuring UPA Agent Login to use SAML/OIDC Login

For cloud/hybrid Windows or Linux agents, this feature enables users to log in to the device using their AD credentials. If SAML/OIDC login is configured, they can also use their SAML/OIDC credentials.

Since SAML/OIDC authentication requires users to authenticate directly with the identity provider, the login interface will display a URL: https://<gatekeeper>/Portal/SSO/OOB?id=<requestId>.

Users must visit this URL, which will redirect them to the identity provider to complete the login process. Afterward, a Passcode will be displayed. Users must then enter this passcode in the login interface on the client machine to complete the login.

3.4.7 Windows Agent

To log in using the UPA Agent Login feature, select 'UPA Login' on the login screen. By default, the UPA Agent Login feature will use the default identity provider for the gatekeeper (so if SAML/OIDC is selected as default, SAML/OIDC will be used). To allow login using a non-default provider, set AllowMultipleProviders=1.

The Windows Agent Login feature includes two components: HAPIAUTH, a custom LSA authentication package, which performs the login operations, and HAPICredentialProvider, a custom credential provider, which provides the UI displayed for the UPA Login. The settings for both these components are stored under the registry key HKLM\Software\OpenText\HAPIAUTH.

The following settings can be configured:

  • GatekeeperUrl (REG_SZ): The URL of the HAPI gatekeeper.

  • LogPath (REG_SZ): The path for the HAPIAuth log file (C:\ProgramData\OpenText\Logs\HapiAuth.log).

  • LogLevel (REG_DWORD) (1=Debug, 2=Info, 3=Warning, 4=Error, 5=Critical): Determines the minimum severity of events to write to the log file.

  • EventLogLevel (REG_DWORD) (1=Debug, 2=Info, 3=Warning, 4=Error, 5=Critical): Determines the minimum severity of events to write to the event log.

  • AllowMultipleProviders (REG_DWORD) (0=Disabled, 1=Enabled): If enabled, UPA Login will display a dropdown list of identity providers (including SAML/OIDC and AD), and the user can select which provider to use for login.

  • ShowQRCode (REG_DWORD) (0=Disabled, 1=Enabled): If enabled, UPA will display a link that will open a window containing a QR code. The QR code represents the login URL that the user must visit to complete the login.

NOTE: Only administrators can read HapiAuth.log. To view it, open the viewer using “Run as Administrator”.
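The settings above can be applied with a short script rather than by hand in the registry editor. The following is an added example for this page (not part of the UPA agent); the Gatekeeper URL upa.example.com is assumed. It writes each value with the type the list above specifies, refuses a non-https Gatekeeper URL because the agent sends logins to it, and reads the key back so the result can be verified.

```powershell
#Requires -RunAsAdministrator
# Added example for this page, not part of the UPA agent. Writes the HAPIAUTH settings
# under HKLM\Software\OpenText\HAPIAUTH with the value types listed in Section 3.4.7.
# The key is under HKLM, so by default only administrators can change which Gatekeeper
# the LSA authentication package talks to; do not loosen that ACL.

function Set-HapiAuthConfig {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GatekeeperUrl,               # e.g. https://upa.example.com
        [string]$LogPath = 'C:\ProgramData\OpenText\Logs\HapiAuth.log',
        [ValidateRange(1, 5)][int]$LogLevel = 2,                    # 1=Debug ... 5=Critical
        [ValidateRange(1, 5)][int]$EventLogLevel = 3,
        [switch]$AllowMultipleProviders,                            # show the provider dropdown
        [switch]$ShowQRCode                                         # offer the QR-code link
    )
    $key = 'HKLM:\Software\OpenText\HAPIAUTH'

    # The agent sends the user's login to this URL, so never configure it over plain http.
    if ($GatekeeperUrl -notmatch '^https://') {
        throw "GatekeeperUrl must be an https URL: $GatekeeperUrl"
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    $values = @(
        @{ Name = 'GatekeeperUrl';          Type = 'String'; Value = $GatekeeperUrl }
        @{ Name = 'LogPath';                Type = 'String'; Value = $LogPath }
        @{ Name = 'LogLevel';               Type = 'DWord';  Value = $LogLevel }
        @{ Name = 'EventLogLevel';          Type = 'DWord';  Value = $EventLogLevel }
        @{ Name = 'AllowMultipleProviders'; Type = 'DWord';  Value = [int]($AllowMultipleProviders.IsPresent) }
        @{ Name = 'ShowQRCode';             Type = 'DWord';  Value = [int]($ShowQRCode.IsPresent) }
    )
    foreach ($v in $values) {
        if ($PSCmdlet.ShouldProcess("$key\$($v.Name)", "set $($v.Type) value to '$($v.Value)'")) {
            Set-ItemProperty -Path $key -Name $v.Name -Value $v.Value -Type $v.Type
        }
    }
    # Read the key back so the caller can confirm the types and values that were stored.
    Get-ItemProperty -Path $key |
        Select-Object GatekeeperUrl, LogPath, LogLevel, EventLogLevel, AllowMultipleProviders, ShowQRCode
}

# Example: let users pick a non-default identity provider and offer the QR code.
# Add -WhatIf to see the registry writes without applying them.
Set-HapiAuthConfig -GatekeeperUrl 'https://upa.example.com' -AllowMultipleProviders -ShowQRCode

# Check the agent log afterwards (readable only when elevated, per the note above).
Get-Content -Path 'C:\ProgramData\OpenText\Logs\HapiAuth.log' -Tail 20
```

Because the function supports -WhatIf, the registry writes can be previewed on a pilot machine before the same call is pushed to the fleet.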

3.4.8 Linux Agent

During installation, the settings are configured to use the default identity provider. To switch to a different identity provider, update the DomainName and DomainSid properties in /etc/nss_hapi.conf.

The following settings can be configured:

  1. GatekeeperUrl: The URL of the gatekeeper.

  2. GenerateUids: (yes/no) Generates UID numbers for external users. If set to no, only user accounts that have a value specified in the uidNumber property are allowed to log in.

  3. UidBase: (default=10000) - The starting number for Generated UIDs.

  4. DomainName: The name of the Active Directory domain or SAML/OIDC provider to use for authentication.

  5. DomainSid: For AD domains, the Domain SID. For SAML/OIDC providers, this should be set to TenancyId_ProviderId (in the HAPI Owner portal, select the identity provider, and click List Users – the DomainSid will be the first half of the unique ID for each user).

The Linux Agent Login feature includes a PAM module and NSS module. The settings for these modules are defined in /etc/nss_hapi.conf and can be configured via Universal Policy using the Linux/AD Logins/Cloud/Custom settings.

3.4.9 Configuring SAML Authentication with Microsoft ENTRA

  1. Install the UPA Gatekeeper and Gateway.

  2. Create and configure an ENTRA Enterprise Application for UPA:

    • In the ENTRA console, navigate to Enterprise Applications, and select Create a new Application.

      • Give the application a name, and select “Integrate any other application you don't find in the gallery (Non-gallery)”.

      • Click Create.

    • In the ENTRA console, assign Users and Groups to the Enterprise Application.

    • Configure the Enterprise Application to use SAML authentication.

    • In the ENTRA Enterprise Application Settings, go to Single Sign On, and select SAML.

    • Download the HAPI SAML metadata:

      • In the UPA owner portal (https://<gatekeeper>/portal/account), select SSO.

      • Click Get SAML Metadata.

      • Save the metadata to a file.

    • In the ENTRA Application SAML settings,

      • Select Upload metadata file and upload the HAPI SAML metadata.

      • Under “Relay State” specify a domain name for UPA to use for the ENTRA users and groups (for example “ENTRA” or “MYDOMAIN”).

      • (Optional) Set Sign on URL to (https://<gatekeeper>/Portal/SSO/SamlLogin?provider=<ProviderName>) where ProviderName is the name of the SAML provider in UPA – the name you specified for RelayState.

      • Select Download Federation Metadata XML and save the metadata to a file.

  3. Configuring UPA to use SAML authentication:

    • In the UPA Owner Portal, navigate to SSO settings and click Add SAML Provider.

    • Set the provider name to the same value used for Relay State.

    • Check the IsDefault checkbox. This will set the UPA web console to use this SAML provider as the default identity provider for logins. To login with a non-default SAML provider, go to https://<gatekeeper>/Portal/SSO/SamlLogin?provider=<ProviderName>.

    • Set NameIdFormat to Email Address.

    • Set SignatureAlgorithm to SHA_256.

    • Set provisioning mode to AutomaticProvisioning.

    • Set the following values for SAML claims:

      • DisplayName:
      • Email:
      • Unique ID:
    • Save the changes.

  4. Setting up SCIM provisioning:

    • Get a SCIM Authentication Token:

      • In the UPA Owner Portal, navigate to the SSO page

      • Select the SAML provider and click Edit

      • Click Edit Provisioning, then Get SCIM Token.

    • Configure Provisioning in the Entra Console:

      • Go to the Enterprise Application’s Provisioning tab.

      • Select Provisioning Mode: Automatic.

      • Under Admin Credentials/Tenant URL, specify the SCIM endpoint: https://<gatekeeper>/api/scim.

      • For Admin Credentials/Secret Token, paste the SCIM Auth Token from the first step.

      • Click Save Changes.

      • Click Start Provisioning.

  5. Assigning UPA Global Administrator role:

    • Wait for the initial provisioning:

      • Allow time for the initial provisioning cycle to complete. You can check the provisioning status in the Microsoft Entra portal.

    • Assign Global Admin Role:

      • Once the provisioning cycle is complete, go to the UPA Owner Portal, SSO page.

      • Select the List Users button for the SAML provider.

      • Confirm that the users or groups have been imported correctly.

      • Select the user to grant Global Administrator permissions to and click Set User as Global Admin.

3.4.10 Configuring OIDC Authentication with Microsoft Entra

  1. Install the UPA Gatekeeper/Gateway.

  2. Create an ENTRA Enterprise Application for UPA:

    • Create an ENTRA Enterprise Application:

      • In the ENTRA console, navigate to Enterprise Applications

      • Select Create a new Application

      • Give the application a name and select Integrate any other application you don't find in the gallery (Non-gallery)

      • Click Create.

  3. Assign Users and Groups:

    • In the ENTRA console, assign users and groups to the newly created Enterprise Application.

  4. Configure Application Authentication:

    • In the ENTRA console, go to Applications/App Registrations

    • Select the application

    • Under Authentication, select Add a Platform and add the Web platform

    • Set Redirect URI to https://<gatekeeper>/Portal/SSO/OIDC

    • Set Front Channel Logout URL to https://<gatekeeper>/Portal/SSO/Logout

    • Check the ID tokens checkbox (under Implicit grant and hybrid flows).

  5. Configure UPA to use OIDC authentication.

    • You will need the following information from the ENTRA App Registration:

      • Application (client) ID

      • Directory (tenant) ID

      • OpenID Connect metadata document URL (Click on Endpoints)

    • In the UPA owner portal, on the SSO page, click Add OIDC Provider, and configure the following settings:

      • Provider Name: Specify a name for this identity provider.

      • Tenancy ID: Must be 1.

      • Is Default: Set to checked.

      • Provisioning Mode:Automatic Provisioning

      • Config URL:The OpenID Connect metadata document URL.

      • Client ID:The Application (client) ID

      • Claims Mapping: Click Configure Claims Mapping and set the following values:

        • Match login claims to users using this property: EmailAddress

        • Unique ID: email

        • Username: email

        • Email Address: email

      • ExtraPropertyName: tenancyId

      • ExtraPropertyValue1: The Directory (tenant) ID

      • ExtraPropertyName2: scope

      • ExtraPropertyValue2: openid email

      • Click Save Changes.

  6. Set up SCIM provisioning

    • In the UPA owner portal, get a SCIM authentication token:

      • On the SSO page, select the OIDC provider, and click Edit.

      • Click Edit Provisioning, then click Get SCIM Token.

    • In the Entra console: go to the Enterprise Application’s Provisioning tab.

      • Select Provisioning Mode: Automatic.

      • Under Admin Credentials/Tenant URL, specify the SCIM endpoint: https://<gatekeeper>/api/scim

    • For the Admin Credentials or Secret Token:

      • Paste the Scim Auth Token from the first step

      • Click Save Changes

      • Click Start Provisioning.

  7. Assign UPA Global Administrator role

    • Wait for the initial provisioning cycle to complete.

    • In the UPA owner portal:

      • Go to the SSO page, and select the List Users button for the OIDC provider.

    • Confirm that the users/groups have been imported correctly:

      • Select the user to grant Global Administrator permissions to

      • Click Set User as Global Admin.

3.4.11 Configuring SAML Authentication with OKTA

  1. Install the UPA Gatekeeper and Gateway.

  2. Create and configure an OKTA Application for UPA.

    • In the OKTA console, go to Applications, and click “Create App Integration”

      • Select “SAML 2.0” as the authentication type.

      • Give the application a name and click Next.

      • Configure the SAML settings:

        • Single Signon URL: https://<gatekeeper>/Portal/SSO/SamlACS

        • Use this for Recipient URL and Destination URL: Checked

        • Audience URI: https://<gatekeeper>

        • Default Relay State: specify a domain name for UPA to use for the OKTA users and groups (for example “OKTA” or “MYDOMAIN”). This is also the provider name you will enter in UPA.

        • NameIDFormat: EmailAddress

        • Application Username: Okta username

        • Update application username on: Create and Update

        • Under Advanced Options, upload the HAPI certificate: (On the Gatekeeper machine, the certificate can be found in C:\Program Files\OpenText\UPA\Gatekeeper\nginx\conf\certificate.crt)

        • Check the “Allow application to initiate single logout” checkbox.

        • Single Logout URL: https://<gatekeeper>/Portal/SSO/SLO

      • In the OKTA console, assign Users and Groups to the Application.

      • Download the OKTA identity provider (SAML) metadata and save it to a file.

  3. Configure UPA to use SAML authentication.

    • In the UPA Owner Portal, SSO settings, click “Add SAML Provider”.

      • Set the provider name to the same value used for Relay State.

      • Check the IsDefault checkbox. This causes the UPA web console to use this SAML provider as the default identity provider for logins. To login with a non-default SAML provider, go to https://<gatekeeper>/Portal/SSO/SamlLogin?provider=<ProviderName>

      • Set NameIdFormat to Email Address.

      • Set SignatureAlgorithm to SHA_256.

      • Set provisioning mode to AutomaticProvisioning.

      • Save Changes

  4. Set up SCIM provisioning

    • In the UPA owner portal, get a SCIM authentication token:

      • On the SSO page, select the SAML provider, and click Edit.

      • Click “Edit Provisioning”, then “Get SCIM Token”.

    • In the OKTA console, go to the UPA Application, and check the “Enable SCIM Provisioning” checkbox.

    • In the Provisioning/Integration tab, set the following values:

      • Scim Connector Base URL: https://<gatekeeper>/api/scim

      • Unique Identifier field for Users: username

      • Push New Users

      • Push Profile Updates

      • Push Groups

      • Authentication Mode: HTTP Header

      • Token: <the SCIM token from UPA>

    • Under Provisioning/To App/Attribute Mappings, remove the following mappings:

      • Manager Value, Employee Number, Cost Center, Organization, Division, Department, Manager Display Name

    • Click “Save Changes”.

    • Click “Force Sync”

  5. Assign UPA Global Administrator role

    • Wait for the initial provisioning cycle to complete. Once the provisioning cycle has completed, go to the UPA owner portal, SSO page, and select the “List Users” button for the SAML provider.

    • Confirm that the users/groups have been imported correctly, then select the user to grant Global Administrator permissions to, and click “Set User as Global Admin”.

3.4.12 Configuring OIDC Authentication with OKTA

  1. Install the UPA Gatekeeper/Gateway.

  2. Create and configure an OKTA Application for UPA

    • In the OKTA console, click “Create App Integration”

      • Select Sign-in Method: OIDC – Open ID Connect

      • Select Application Type: Web Application

      • Specify an application name

      • Select grant types “Authorization Code”, “Refresh Token” and “Implicit (hybrid)”

      • Set Sign-in redirect URI: https://<gatekeeper>/Portal/SSO/OIDC

      • Set Sign-out redirect URI: https://<gatekeeper>/Portal/SSO/Logout

    • Set user/group assignments as desired.

  3. Configure UPA to use OIDC authentication.

    • You will need the Client ID from the OKTA Application properties.

    • In the UPA owner portal, SSO page, click “Add OIDC Provider”, and configure the following settings:

      • Provider Name: Specify a name for this identity provider.

      • Tenancy ID: Must be 1.

      • Is Default: Set to checked.

      • Provisioning Mode: Automatic Provisioning

      • Config URL: https://${yourOktaDomain}/.well-known/openid-configuration (see https://developer.okta.com/docs/reference/api/oidc/#well-known-openid-configuration)

      • Client ID: The Client ID of the OKTA application (shown on the application’s General tab)

      • Configure Claims Mapping: Click "Configure Claims Mapping" and set the following values:

        • Match login claims to users using this property: EmailAddress

        • Unique ID: email

        • Username: email

        • Email Address: email

      • Click Save Changes.

  4. Automatic Provisioning:

    • Configure SCIM provisioning

    • OKTA does not currently support SCIM provisioning for OIDC applications. In order to use OKTA provisioning, you must create a SAML Application in OKTA.

      • Create an additional Application in OKTA. Choose SAML 2.0.

      • Specify a name for the application. Specify the gatekeeper URL in the required URL fields (these values will not be used, because this App will only be used for provisioning, not authentication). Check “Enable SCIM Provisioning” and “Do not display application icon to users”.

      • In the Provisioning/Integration tab, set the following values:

        • Scim Connector Base URL: https://<gatekeeper>/api/scim

        • Unique Identifier field for Users: username

        • Push New Users

        • Push Profile Updates

        • Push Groups

        • Authentication Mode: Http Header

        • Token: <the SCIM token from UPA>

      • Under Provisioning/To App/Attribute Mappings, remove the following mappings:

        • Manager Value, Employee Number, Cost Center, Organization, Division, Department, Manager Display Name

      • Click “Save Changes”.

      • Click “Force Sync”.

      • Alternatively, instead of Automatic Provisioning, you can use Just In Time provisioning:

        • In the OKTA console, in Directory/Profile Editor, create a custom attribute “UPARole” (the name of the attribute doesn’t matter).

        • Add a mapping for the custom property to the Application profile for the application.

        • Populate the UPARole for each user with the name of a role assignment in UPA.

          NOTE: When the user attempts to log in to the UPA console, a SCIM user is created for them if one does not already exist. If that SCIM user has not been assigned to any role, it is assigned to the role named in the UPARole property. Because the role comes from an attribute in the identity provider, anyone who can edit that attribute can grant UPA roles; restrict write access to it accordingly.

        • In the UPA owner portal, set the provider’s ProvisioningMode to “JustInTime”.

        • For additional properties enter: scope “openid email profile”

        • Add the following Attribute Mappings:

          • DisplayName = “name”

          • Email = “email”

          • UserName = “email”

          • RoleAssignment = “UPARole”

  5. Assign UPA Global Administrator role

    • Wait for the initial provisioning cycle to complete. Once the provisioning cycle has completed, go to the UPA owner portal, SSO page, and select the “List Users” button for the OIDC provider.

    • Confirm that the users/groups have been imported correctly, then select the user to grant Global Administrator permissions to, and click “Set User as Global Admin”.

3.4.13 Configuring SAML Authentication with Ping Identity

  1. Install the UPA Gatekeeper and Gateway.

  2. Create and configure a Ping Identity Application for UPA.

    • In the Ping Identity console, Select Applications, and click the “+” button.

      • Give the application a name, and select “SAML Application”

      • Click Configure.

    • Select “Import from URL”. Enter the following url: https://<gatekeeper>/Portal/SSO/GetSPMetadata and click Import, then Save.

    • On the attribute mappings tab, specify the following mappings:

      • saml-subject: User ID

      • email: Email Address

      • username: Username

    • On the configuration tab, click “Download Metadata”

  3. Configure UPA to use SAML authentication.

    • In the UPA Owner Portal, SSO settings, click “Add SAML Provider”.

      • Specify a name for the identity provider.

      • Check the IsDefault checkbox. This causes the UPA web console to use this SAML provider as the default identity provider for logins. To login with a non-default SAML provider, go to https://<gatekeeper>/Portal/SSO/SamlLogin?provider=<ProviderName> .

      • Set NameIdFormat to Email Address.

      • Set SignatureAlgorithm to SHA_256

      • Set provisioning mode to AutomaticProvisioning.

      • Set the following values for SAML claims:

        • DisplayName: userName

        • Email: email

        • Unique ID: userName

      • Save Changes.

  4. Set up SCIM provisioning

    • In the UPA owner portal, get a SCIM authentication token: On the SSO page, select the SAML provider, and click Edit. Click “Edit Provisioning”, then “Get SCIM Token”.

    • In the PingIdentity console, go to Integrations/Provisioning/New Connection.

    • Choose Connection Type: Identity Store, then choose “SCIM Outbound”.

    • Specify a name for the connection and click Next.

    • Set the following properties on the Configure Authentication page:

      • SCIM Base URL: https://<gatekeeper>/api/scim

      • Users Resource: /Users

      • SCIM Version: 2.0

      • Authentication method: “OAuth 2 Bearer token”

      • Auth type header: Bearer

      • OAuth Access Token: <the SCIM token from UPA>

    • Integrations/Provisioning/Rules/New Rule.

      • Select the SCIM connection you created in the previous step.

      • Configure the user filter and attribute mappings, if desired.

      • Enable the rule.

  5. Assign UPA Global Administrator role:

    • Wait for the initial provisioning cycle to complete. You can check the provisioning status in provisioning rule on the Ping Identity portal.

    • Once the provisioning cycle has completed, go to the UPA owner portal, SSO page, and select the “List Users” button for the SAML provider.

    • Confirm that the users/groups have been imported correctly, then select the user to grant Global Administrator permissions to, and click “Set User as Global Admin”.

3.4.14 Configuring OIDC Authentication with Ping Identity

  1. Install the UPA Gatekeeper and Gateway.

  2. Create and configure a Ping Identity Application for UPA.

    • In the Ping Identity console, Select Applications, and click the “+” button.

      • Give the application a name, and select “OIDC Web App”.

      • Click Save.

    • Edit Configuration:

      • Response Type: Code, ID Token

      • Grant Type: Authorization Code

      • Redirect URIs: https://<gatekeeper>/Portal/SSO/OIDC and https://<gatekeeper>

      • Token endpoint authentication method: Client Secret Basic

      • Initiate Login URI: https://<gatekeeper>/Portal/SSO/OIDCLogin?provider=<UPAProviderName>

    • On the attribute mappings tab, specify the following mappings:

      • sub: User ID (scope: openid)

      • email: Email Address (scope: openid)

      • userName: Username (scope: openid)

  3. Configure UPA to use OIDC authentication.

    • You will need the following information from the configuration tab of the PingIdentity Application:

      • Application ID

      • OpenID Connect metadata document URL

    • In the UPA owner portal, SSO page, click “Add OIDC Provider”, and configure the following settings:

      • Provider Name: Specify a name for this identity provider.

      • Tenancy ID: Must be 1.

      • Is Default: Set to checked.

      • Provisioning Mode: Automatic Provisioning

      • Config URL: The OpenID Connect metadata document URL.

      • Client ID: The Client ID

      • Identity Claim: email

      • Click Save Changes.

  4. Set up SCIM provisioning

    • In the UPA owner portal, get a SCIM authentication token: On the SSO page, select the OIDC provider, and click Edit. Click “Edit Provisioning”, then “Get SCIM Token”.

    • In the PingIdentity console, go to Integrations/Provisioning/New Connection.

    • Choose Connection Type: Identity Store, then choose “SCIM Outbound”.

    • Specify a name for the connection and click Next.

    • Set the following properties on the Configure Authentication page:

      • SCIM Base URL: https://<gatekeeper>/api/scim

      • Users Resource: /Users

      • SCIM Version: 2.0

      • Authentication method: “OAuth 2 Bearer token”

      • Auth type header: Bearer

      • OAuth Access Token: <the SCIM token from UPA>

    • Integrations/Provisioning/Rules/New Rule.

      • Select the SCIM connection you created in the previous step.

      • Configure the user filter and attribute mappings, if desired.

      • Enable the rule.

  5. Assign UPA Global Administrator role:

    • Wait for the initial provisioning cycle to complete. You can check the provisioning status in the provisioning rule on the Ping Identity portal.

    • Once the provisioning cycle has completed, go to the UPA owner portal, SSO page, and select the “List Users” button for the OIDC provider.

    • Confirm that the users/groups have been imported correctly, then select the user to grant Global Administrator permissions to, and click “Set User as Global Admin”.

3.4.15 Configuring SAML Authentication with Amazon IAM

  1. Install the UPA Gatekeeper and Gateway.

  2. Create and configure an Amazon IAM Application for UPA.

    • In the Amazon IAM console, Select Applications, and click "Add Application”.

      • Select “I have an application I want to set up”

      • Select Application type “SAML 2.0”, and click “Next”

    • Specify a name for the Application.

    • Click the link to download the IAM Identity Center SAML metadata file.

    • Specify the Application Start URL and Relay State:

      • Application Start URL: https://<gatekeeper>/Portal/SSO/SamlLogin?provider=<ProviderName>

      • Relay State: <ProviderName>

        Where ProviderName is the name you will give this SAML provider in the UPA owner portal.

    • Download the UPA SAML metadata from: https://<gatekeeper>/Portal/SSO/GetSPMetadata and save it to a file.

    • In the IAM Application Metadata section, select “Upload Application SAML Metadata file”, and select the downloaded UPA SAML metadata.

    • Assign users and groups to the application as desired.

  3. Configure UPA to use SAML authentication.

    • Specify a name for the identity provider.

    • Check the IsDefault checkbox. This causes the UPA web console to use this SAML provider as the default identity provider for logins. To log in with a non-default SAML provider, go to https://<gatekeeper>/Portal/SSO/SamlLogin?provider=<ProviderName>

    • Set NameIdFormat to Email Address.

    • Set SignatureAlgorithm to SHA_256.

    • Set provisioning mode to AutomaticProvisioning.

    • Set the following values for SAML claims:

      • DisplayName: name

      • Email: email

      • Unique ID: name

    • Save Changes.

  4. Set up SCIM provisioning

    • In the UPA owner portal, get a SCIM authentication token: On the SSO page, select the SAML provider, and click Edit. Click “Edit Provisioning”, then “Get SCIM Token”.

    • In the PingIdentity console, go to Integrations/Provisioning/New Connection.

    • Choose Connection Type: Identity Store, then choose “SCIM Outbound”.

    • Specify a name for the connection and click Next.

    • Set the following properties on the Configure Authentication page:

      • Scim Base URL: https://<gatekeeper>/api/scim

      • Users Resource: /Users

      • SCIM Version: 2.0

      • Authentication method: “OAuth 2 Bearer token”

      • Auth type header: Bearer

      • Oauth Access Token: <the SCIM token from UPA>

    • Go to Integrations/Provisioning/Rules/New Rule.

      • Select the SCIM connection you created in the previous step.

      • Configure the user filter and attribute mappings, if desired.

      • Enable the rule.

  5. Assign UPA Global Administrator role:

    • Wait for the initial provisioning cycle to complete. You can check the provisioning status in the provisioning rule on the Ping Identity portal.

    • Once the provisioning cycle has completed, go to the UPA owner portal, SSO page, and select the “List Users” button for the SAML provider.

    • Confirm that the users/groups have been imported correctly, then select the user to grant Global Administrator permissions to, and click “Set User as Global Admin”.

3.4.16 Configuring OIDC Authentication with Ping Identity

  1. Install the UPA Gatekeeper and Gateway.

  2. Create and configure a Ping Identity Application for UPA.

    • In the Ping Identity console, select Applications, and click the “+” button.

      • Give the application a name, and select “OIDC Web App”.

      • Click Save.

    • Edit Configuration:

      • Response Type: Code, ID Token

      • Grant Type: Authorization Code

      • Redirect URIs: https://<gatekeeper>/Portal/SSO/OIDC and https://<gatekeeper>

      • Token endpoint authentication method: Client Secret Basic

      • Initiate Login URI: https://<gatekeeper>/Portal/SSO/OIDCLogin?provider=<UPAProviderName>

    • On the attribute mappings tab, specify the following mappings:

      • sub: UserID, openid

      • email: Email Address, openid

      • userName: Username, openid

  3. Configure UPA to use OIDC authentication.

    • You will need the following information from the configuration tab of the PingIdentity Application:

      • Application ID

      • OpenID Connect metadata document URL

    • In the UPA owner portal, SSO page, click “Add OIDC Provider”, and configure the following settings:

      • Provider Name: Specify a name for this identity provider.

      • Tenancy ID: Must be 1.

      • Is Default: Set to checked.

      • Provisioning Mode: Automatic Provisioning

      • Config URL: The OpenID Connect metadata document URL.

      • Client ID: The Client ID

      • Identity Claim: email

    • Click Save Changes.

  4. Set up SCIM provisioning

    • In the UPA owner portal, get a SCIM authentication token: On the SSO page, select the SAML provider, and click Edit. Click “Edit Provisioning”, then “Get SCIM Token”.

    • In the PingIdentity console, go to Integrations/Provisioning/New Connection.

    • Choose Connection Type: Identity Store, then choose “SCIM Outbound”.

    • Specify a name for the connection and click Next.

    • Set the following properties on the Configure Authentication page:

      • Scim Base URL: https://<gatekeeper>/api/scim

      • Users Resource: /Users

      • SCIM Version: 2.0

      • Authentication method: “OAuth 2 Bearer token”

      • Auth type header: Bearer

      • Oauth Access Token: <the SCIM token from UPA>

    • Go to Integrations/Provisioning/Rules/New Rule.

      • Select the SCIM connection you created in the previous step.

      • Configure the user filter and attribute mappings, if desired.

      • Enable the rule.

  5. Assign UPA Global Administrator role:

    • Wait for the initial provisioning cycle to complete. You can check the provisioning status in the provisioning rule on the Ping Identity portal.

    • Once the provisioning cycle has completed, go to the UPA owner portal, SSO page, and select the “List Users” button for the OIDC provider.

    • Confirm that the users/groups have been imported correctly, then select the user to grant Global Administrator permissions to, and click “Set User as Global Admin”.
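As an added example (not part of the UPA documentation), the following Python check supports step 5 of the SCIM procedures above: it builds the /Users request from the Scim Base URL and bearer token configured in step 4, and validates a SCIM 2.0 ListResponse the way an administrator would before choosing the user to set as Global Admin. The host name, the token string and the response body are constructed placeholders.

```python
"""Sanity-check SCIM provisioning into the UPA Gatekeeper (added example).
Assumes the step 4 settings: Scim Base URL https://<gatekeeper>/api/scim,
Users Resource /Users, SCIM Version 2.0, OAuth 2 Bearer token."""
import json

SCIM_BASE_URL = "https://gatekeeper.example.invalid/api/scim"  # placeholder host
USERS_RESOURCE = "/Users"
LIST_RESPONSE_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"


def scim_users_request(base_url: str, token: str) -> tuple[str, dict]:
    """Return (URL, headers) for listing the users the provider pushed."""
    url = base_url.rstrip("/") + USERS_RESOURCE
    headers = {
        "Authorization": f"Bearer {token}",   # Auth type header: Bearer
        "Accept": "application/scim+json",    # SCIM 2.0 media type (RFC 7644)
    }
    return url, headers


def provisioned_users(list_response: str) -> list[dict]:
    """Parse a SCIM 2.0 ListResponse and report, per user, whether it has
    what step 5 expects before granting Global Admin: an active account,
    a userName and a primary email (the identity claim used for login).
    Incomplete users carry the reason so the attribute mapping can be fixed."""
    body = json.loads(list_response)
    if LIST_RESPONSE_SCHEMA not in body.get("schemas", []):
        raise ValueError("not a SCIM 2.0 ListResponse")
    report = []
    for res in body.get("Resources", []):
        primary = [e["value"] for e in res.get("emails", []) if e.get("primary")]
        problems = []
        if not res.get("active", False):
            problems.append("inactive")
        if not res.get("userName"):
            problems.append("missing userName")
        if not primary:
            problems.append("no primary email")
        report.append({"id": res.get("id"), "userName": res.get("userName"),
                       "email": primary[0] if primary else None,
                       "ok": not problems, "problems": problems})
    return report


# Constructed sample ListResponse: two users, the second without an email.
SAMPLE_LIST_RESPONSE = json.dumps({
    "schemas": [LIST_RESPONSE_SCHEMA], "totalResults": 2,
    "Resources": [
        {"id": "u1", "userName": "alice@example.com", "active": True,
         "emails": [{"value": "alice@example.com", "primary": True}]},
        {"id": "u2", "userName": "bob@example.com", "active": True, "emails": []},
    ]})

if __name__ == "__main__":
    print(scim_users_request(SCIM_BASE_URL, "<the SCIM token from UPA>")[0])
    for row in provisioned_users(SAMPLE_LIST_RESPONSE):
        print(row)
```

Only users reported with `ok` set should be considered for “Set User as Global Admin”; a user flagged “no primary email” usually means the Email attribute mapping in the provisioning rule needs correcting.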