
Configuring UPA to use a Third-Party Identity Provider

Install the UPA Gatekeeper and Gateway

Install the UPA Gatekeeper and Gateway. For more information, see “Installing Universal Policy Administrator”.

Configure the UPA application in the identity provider
  1. Create the Application for UPA in the identity provider’s console.
  2. If the identity provider requires it, assign or grant users and groups permission to use the application.
  3. Configure the authentication settings in the identity provider application.
SAML Authentication Settings
  1. If the identity provider allows for importing SAML metadata, import the UPA SAML metadata into the identity provider Application or Integration.
  2. The UPA SAML metadata is available at (https://<gatekeeper>/Portal/SSO/GetSPMetadata) or by clicking the Get SAML Metadata link in the SSO page of the UPA Owner Portal (https://<gatekeeper>/Portal/Account).
  3. If the identity provider does not provide an option to import a metadata XML file, use the following values:
    • Entity ID: https://<gatekeeper>
    • Single Sign-on (SSO) URL: https://<gatekeeper>/Portal/SSO/SamlACS
    • Name ID Format: EmailAddress (recommended)
    • Single Logout (SLO) URL: https://<gatekeeper>/Portal/SSO/SLO
Configuring Relay State

Choose a provider name for the SAML connection. The provider name is used when configuring the SAML connection in UPA and should consist of only alphanumeric characters. Set the SAML Relay State parameter to the provider name.

Federation Metadata

Download the federation metadata from the identity provider. You will need this metadata to configure UPA in the next step.
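Before importing the downloaded federation metadata into UPA, it is worth checking that it actually carries what the SAML settings above rely on: a signing certificate, SSO and SLO endpoints over HTTPS, and the EmailAddress NameID format. The following checker is an added example written for this article, not part of UPA or its documentation; the identity provider metadata it parses is a constructed sample and the element names are the standard SAML 2.0 metadata ones.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample of identity provider federation metadata (not a real IdP).
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC...constructed-placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/sso"/>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.test/slo"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Extract entityID, SSO/SLO endpoints by binding, NameID formats and signing-cert count."""
    root = ET.fromstring(xml_text)
    ent = root if root.tag.endswith("}EntityDescriptor") else root.find(".//md:EntityDescriptor", NS)
    idp = ent.find("md:IDPSSODescriptor", NS)
    info = {"entity_id": ent.get("entityID"), "sso": {}, "slo": {},
            "name_id_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],
            "signing_certs": 0}
    for tag, key in (("SingleSignOnService", "sso"), ("SingleLogoutService", "slo")):
        for svc in idp.findall(f"md:{tag}", NS):
            info[key][svc.get("Binding").rsplit(":", 1)[-1]] = svc.get("Location")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute means signing and encryption
            info["signing_certs"] += len(kd.findall(".//ds:X509Certificate", NS))
    return info

def check_idp_metadata(info):
    """Return the list of problems to resolve before adding the provider in UPA (empty if fine)."""
    problems = []
    if info["signing_certs"] == 0:
        problems.append("no signing certificate in metadata; assertions cannot be verified")
    if not ({"HTTP-Redirect", "HTTP-POST"} & set(info["sso"])):
        problems.append("no HTTP-Redirect or HTTP-POST SingleSignOnService")
    if not info["slo"]:
        problems.append("no SingleLogoutService; set the Logout URL by hand in UPA")
    if EMAIL_FMT not in info["name_id_formats"]:
        problems.append("IdP does not advertise the emailAddress NameID format")
    for url in list(info["sso"].values()) + list(info["slo"].values()):
        if not url.lower().startswith("https://"):
            problems.append(f"endpoint is not HTTPS: {url}")
    return problems
```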

OIDC Authentication Settings
  1. Set the Redirect URI to: (https://<gatekeeper>/Portal/SSO/OIDC)
  2. Set the logout URI to: (https://<gatekeeper>/Portal/SSO/Logout)
  3. Make a note of the Client ID and the OpenID Connect metadata document URL.
  4. Set claim type to token.
Configure UPA to use SAML or OIDC Authentication
  • Sign in to the Owner portal (https://<gatekeeper>/Portal/Account) using the Owner account created during the Gatekeeper installation.
  • Click the SSO button.
UPA SAML Authentication Settings
  1. Click the Add SAML Provider button.
  2. Specify the provider name (the same name used in the Relay State).
  3. Set the Tenancy ID to 1.

IsDefault: Use this provider as the default identity provider. If IsDefault is checked, the UPA web console will use this provider for logins. If IsDefault is not checked, to log in to the UPA web console using this provider, you will need to use this URL: https://<gatekeeper>/Portal/SSO/SamlLogin?provider=.
NameIdFormat: The format of the SAML NameID. This value should match the value configured on the identity provider. In most cases, EmailAddress is the recommended value.
SignatureAlgorithm: The signature (hash) algorithm used to sign SAML requests and responses. This setting should match the configuration of the identity provider. The recommended setting is SHA_256.

Provisioning Mode

The provisioning mode determines how users and groups are imported or provisioned into UPA.

  • Automatic provisioning: The identity provider’s provisioning service makes calls to the UPA SCIM endpoint to provision users or groups.
  • SCIM connector: UPA queries the identity provider’s SCIM endpoint to retrieve user or group information.
  • Match to AD account: In scenarios where there is a local Active Directory with user accounts synchronized with the identity provider, the SAML-authenticated user will be matched to an existing Active Directory user. In this scenario, UPA permissions can be delegated to the Active Directory users and groups.
  • Just In Time provisioning: In this model, the customer adds a custom attribute to the user accounts, specifying the name of the UPA role assignment to which the user should be added. This value is then sent as a claim during login. When the user logs on, the user account is created in UPA and added to the specified role assignment.
  • Manual provisioning: If the identity provider does not support automatic provisioning, the customer can use a PowerShell script to create the user and group accounts.
SAML Claims Mapping

Specify the names of the SAML claims that correspond to the user properties:

  • Require signed requests: This setting causes all SAML requests, including logout requests, to be signed.
  • Logout URL: If the identity provider provides a URL for single logout, specify it here. This setting overrides the Single Logout (SLO) endpoint specified in the SAML metadata.
UPA OIDC Authentication Settings

To use OIDC authentication:

  1. Click the “Add OIDC Provider” button
  2. Specify the provider name.
  3. Set the Tenancy ID to 1.

IsDefault: Use this provider as the default identity provider. If IsDefault is checked, the UPA web console will use this provider for logins. If IsDefault is not checked, to log in to the UPA web console using this provider, use the following URL: https://<gatekeeper>/Portal/SSO/OIDCLogin?provider=.
Config URL: The OpenID Connect metadata URL provided by the Identity Provider.
Identity Claim: The name of the OpenID Connect claim that contains the identity of the user. (Refer to the identity provider’s documentation for details).

Additional Parameters

If the identity provider requires additional information to be sent with the request (such as a tenancy ID), you can add it in the Additional Parameters.

Configure Provisioning

Before external users can log in to the UPA console, they must be provisioned or imported into the UPA database. UPA provides two methods for provisioning users.

Automatic Provisioning

Automatic Provisioning requires the identity provider to support SCIM provisioning. In this scenario, the identity provider’s provisioning service makes SCIM calls to the UPA SCIM service to provision users and groups.
To configure automatic provisioning, you will need to configure the following settings in the identity provider’s provisioning settings:

  • SCIM Endpoint: https://<gatekeeper>/api/scim
  • Authentication or Secret Token:
    • Navigate to the SSO page in the UPA owner portal.
    • Click Edit for the identity provider.
    • Click Configure Provisioning
    • On the Configure Provisioning page, click Get SCIM Token.
SCIM Connector

If the identity provider does not provide a SCIM provisioning service but exposes a SCIM endpoint, you can use the UPA SCIM Connector to import users and groups. The UPA SCIM connector queries the identity provider’s SCIM endpoint to provision users and groups.
Configure the UPA SCIM Connector with the following settings:

  • Server URL: The server name portion of the Identity Provider’s SCIM endpoint (e.g., https://server.domain.com)
  • Base URL: The relative URL to the SCIM endpoint on the identity provider (e.g., “/scim/v2”).
  • AuthToken: The authentication token (client secret) provided by the identity provider for SCIM access.
  • Import Users: Indicates whether user information should be imported.
  • Import Groups: Indicates whether group information should be imported.
  • Refresh Interval: The interval, in minutes, at which the UPA SCIM Connector should query the identity provider for changes to users and groups.
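To see how the Server URL, Base URL and AuthToken settings fit together, the script below walks an identity provider's SCIM /Users endpoint page by page (SCIM ListResponse, 1-based startIndex) the way a connector must, and summarises each user. It is an added example written for this article, not the UPA SCIM Connector's own code; the sample pages it reads are constructed, and fake_fetch is a stand-in for the HTTP call so the example runs offline.

```python
import json
import urllib.request

def scim_users_url(server_url, base_url, start_index=1, count=100):
    """Join the connector's Server URL and Base URL into a paged /Users query."""
    return (f"{server_url.rstrip('/')}/{base_url.strip('/')}/Users"
            f"?startIndex={start_index}&count={count}")

def http_get_json(url, auth_token):
    """Default fetcher: GET with the AuthToken as a bearer token."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {auth_token}",
                                               "Accept": "application/scim+json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def fetch_all_users(server_url, base_url, auth_token, page_size=100, fetch=http_get_json):
    """Follow ListResponse pages until totalResults is reached; return a compact user list."""
    users, start = [], 1
    while True:
        page = fetch(scim_users_url(server_url, base_url, start, page_size), auth_token)
        if "urn:ietf:params:scim:api:messages:2.0:ListResponse" not in page.get("schemas", []):
            raise ValueError("response is not a SCIM ListResponse")
        resources = page.get("Resources", [])
        users.extend({"userName": r.get("userName"), "active": r.get("active", True),
                      "email": next((e["value"] for e in r.get("emails", []) if e.get("primary")), None)}
                     for r in resources)
        start += len(resources)
        if not resources or start > page.get("totalResults", 0):
            break
    return users

# Constructed sample pages standing in for an identity provider's SCIM endpoint (not real data).
SAMPLE_PAGES = {
    1: {"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"], "totalResults": 3,
        "startIndex": 1, "itemsPerPage": 2, "Resources": [
            {"userName": "alice@example.test", "active": True,
             "emails": [{"value": "alice@example.test", "primary": True}]},
            {"userName": "bob@example.test", "active": False, "emails": []}]},
    3: {"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"], "totalResults": 3,
        "startIndex": 3, "itemsPerPage": 1, "Resources": [
            {"userName": "carol@example.test", "active": True,
             "emails": [{"value": "carol@example.test", "primary": True}]}]},
}

def fake_fetch(url, auth_token):
    """Serve the sample pages keyed by the startIndex in the query string (stand-in for HTTP)."""
    start = int(url.split("startIndex=")[1].split("&")[0])
    return SAMPLE_PAGES[start]
```

Swap fake_fetch for the default http_get_json to query a real endpoint with the connector's Server URL, Base URL and AuthToken.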
Assigning the UPA global Administrator Role to a User
  • Allow time for the initial provisioning cycle to complete. (If using automatic provisioning, you can check the provisioning status in the identity provider’s portal.)
  • Once the initial provisioning cycle is complete, go to the UPA Owner Portal.
  • Navigate to the SSO page.
  • Select the identity provider, and click List Users.
  • Examine the list of users to verify the imported data.
  • Select a user from the dropdown list and click Set User as Global Admin.

This user will now be able to log in to UPA at https://<gatekeeper>. On the Administration tab of the UPA web portal, this user can delegate UPA permissions to other users and groups as desired.
