Configuring UAA as Service Provider for External Identity Provider

If you provision your user accounts remotely on an Identity Provider (IdP) such as a company SSO, you can configure UAA as a Service Provider (SP) that redirects logins to the external IdP.

Before you begin

  • Obtain your Identity Provider (IdP) metadata from your IdP administrator.
  • Log In to Predix.io and go to Console view.

About this task

Complete the following procedure to configure UAA as SP for external IdP:

Procedure

  1. In the Services Instances page on Predix.io, select the UAA instance that you need to configure.
  2. Select the Configure Service Instance option.
  3. In the UAA Dashboard login page, specify your admin client secret and click Login.
  4. In UAA Dashboard, click on the Identity Providers tab.
  5. In the External Identity Provider section, select New Identity Provider.
  6. In the New Identity Provider form, specify the following information and press Submit:
    • Name: Specify the name of your IdP.
    • Description: Specify a short description for your IdP.
    • Type: Select the type of IdP, SAML or OIDC.
    • Email Domain: Specify the email domain that UAA uses to identify this identity provider when more than one identity provider is configured. To support this feature, UAA provides an IdP discovery configuration. By default, this configuration is set to False.

    UAA can be configured to set IdP Discovery to true if you have configured more than one identity provider. For more information, see t_identifying_idp_using_email_domain.html#task_64ea2282-0cac-4bbc-a838-542690b157a3.

    • Active: Select this option to set the IdP as active. If you have multiple IdPs defined for a single UAA instance, UAA interacts only with the active IdPs. If you have multiple active IdPs for a single UAA instance, you must ensure that the clients related to those IdPs are updated with the corresponding information. Although a single client can be updated to interact with multiple IdPs, as a best practice, define a new client for each of your applications that interacts with UAA.

    If you are setting up an OpenID Connect (OIDC) IdP, the following fields are available:

    • Username Mapping: Specify the username attribute defined in your IdP.
    • Authorization Endpoint Url: Specify the authorization endpoint of your OIDC provider.
    • Token Endpoint Url: Specify the token endpoint at which the OIDC authorization code is exchanged for tokens.
    • Token Key Endpoint Url: Specify the token key endpoint used to obtain the keys for token verification.
    • Token Issuer: Specify the issuer URL of your OIDC provider.
    • Relying Party Client ID: Specify the OIDC provider client ID.
    • Relying Party Client Secret: Specify the OIDC provider client secret.
    • Automatically create a shadow user on login: Select this option to create a local user in UAA corresponding to each user defined in the identity provider that you are configuring. The local user is created when the user logs in for the first time. This feature lets a user authenticate through UAA without you also having to create the user in UAA.

    By default, this option is turned off: you must create each user in UAA, even if the user already exists in the IdP, before that user can authenticate through UAA.

    This option is useful if you need to allowlist users so that only a subset of the users set up in your identity provider can authenticate. To allowlist users, leave this option off when configuring the new IdP and individually create in UAA the users defined in your IdP that you want to be able to authenticate.

    If you are setting up a SAML IdP, the following fields are available:

    • Name ID Format: Specify the Name ID format that the UAA SP must use. This is useful if the IdP metadata contains multiple Name ID formats and you need to specify which one the SP must use. You can copy the format string from the metadata that you specify.
    • Metadata: Specify the IdP metadata and download the UAA SP metadata in this field. You must obtain the IdP metadata from your IdP administrator, and you must supply the UAA SP metadata to your IdP administrator.
    • Email: (Optional) Specify the attribute defined in your IdP that corresponds to the email attribute in UAA.
    • Given Name: (Optional) Specify the attribute defined in your IdP that corresponds to the Given Name attribute in UAA.
    • Family Name: (Optional) Specify the attribute defined in your IdP that corresponds to the Family Name attribute in UAA.
    • Automatically create a shadow user on login: Creates a local user in UAA corresponding to each user defined in the identity provider that you are configuring. The local user is created when the user logs in for the first time. This feature lets a user authenticate through UAA without you also having to create the user in UAA.

    If this option is turned off, you must create each user in UAA, even if the user already exists in the IdP, before that user can authenticate through UAA.

    This option is useful if you need to allowlist users so that only a subset of the users set up in your identity provider can authenticate. To allowlist users, leave this option off when configuring the new IdP and individually create in UAA the users defined in your IdP that you want to be able to authenticate.

    The IdP is displayed in the list of Identity Providers.
  7. To set up the client through which the IdP's users access UAA, click the View/Edit option next to the name of your IdP.
  8. Specify a client for your IdP.

    You can either choose an existing client or create a new client. As a best practice for development, you can add a new client for each application.

    To create a new client, click the Create new client for this IDP option. By default, the Create Client form is populated with the Authorization Code grant type. You can also update it to use the implicit or password grant types. For the client credentials grant type, you must first create a user.

    For more information on creating a client, see t_creating_an_oauth_client.html#task_79a81b74-552e-4f74-abfc-bd37e6adac87.
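The two login rules that the Email Domain and shadow-user fields in step 6 control are easy to get wrong when several IdPs are active. The following is an added illustration, not Predix or UAA code: it models IdP discovery by email domain and the shadow-user versus allowlist decision as the procedure describes them; the assumption that, with discovery off, logins go to the single active IdP is the author's reading of the text above.

```python
# Added example (not Predix/UAA code): models the login decisions described
# in step 6, IdP discovery by email domain and the shadow-user/allowlist rule.
from dataclasses import dataclass, field


@dataclass
class IdP:
    name: str
    idp_type: str                        # "SAML" or "OIDC"
    email_domains: list = field(default_factory=list)
    active: bool = True
    shadow_user_on_login: bool = False   # dashboard default is off


def select_idp(email, idps, idp_discovery=False):
    """Pick the IdP that should handle a login for `email`.

    Assumption: with IdP discovery off (the default), the single active IdP
    is used; once more than one IdP is active, discovery must be turned on
    and each active IdP must claim a distinct email domain.
    """
    active = [i for i in idps if i.active]
    if not idp_discovery:
        if len(active) == 1:
            return active[0]
        raise ValueError(f"{len(active)} active IdPs: enable IdP discovery")
    domain = email.rsplit("@", 1)[-1].lower()
    matches = [i for i in active
               if domain in (d.lower() for d in i.email_domains)]
    if len(matches) != 1:
        raise ValueError(f"{len(matches)} active IdPs claim domain {domain!r}")
    return matches[0]


def resolve_login(idp, username, local_users):
    """Decide the outcome after the IdP has authenticated `username`.

    Returns (outcome, local_users) where outcome is "existing",
    "shadow_created" or "rejected". With the shadow-user option off, the
    users you created in UAA act as the allowlist.
    """
    if username in local_users:
        return "existing", local_users
    if idp.shadow_user_on_login:
        return "shadow_created", local_users | {username}
    return "rejected", local_users
```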