Identity providers

Any changes that you make on the identity provider are not reflected in the system until the information is removed from the cache. For example, if you add a user to an LDAP identity provider, that user cannot access the system for up to four hours, or until the cache is cleared. If you delete a user from an LDAP identity provider, that user will be able to access the system for up to four hours, or until the cache is cleared.

To ensure that a change is reflected immediately, use the clearCache command or API.

These sections describe the configuration settings for each type of identity provider that your system supports.

Security Realm Name: The name by which to identify this identity provider in the system. This name appears as an option in the Security Realm list on Admin App login pages.

• Identity Provider Hostname: Hostname or IP address for the identity provider.
• Transport Security: The protocol to use for securing communications between the system and the identity provider. Options are:
  • None
  • TLS Security (Transport Layer Security)
    • Use Suffix For Hostname Verification: When enabled, if the client hostname doesn’t match the certificate hostname, hostname verification will instead check whether the ending of the client hostname matches the provided suffix.
      WARNINGThis option could impact security and should only be enabled if the client hostname is expected to differ from the certificate hostname.
    • Hostname Suffix: The suffix which will be used for hostname checking if the default hostname verification check fails.
  • SSL (Secure Sockets Layer)
  NoteWhen selecting TLS Security, the Use Suffix For Hostname Verification setting appears.
• Identity Provider Host Port: Network port used to communicate with the identity provider. The default value depends on the Transport Security setting:
  • For None or TLS Security (Transport Layer Security), 389
  • For SSL (Secure Sockets Layer), 636
• User Name: A user account on the identity provider. Your system uses this user account to read information from the identity provider.
• Password: The user account password.
• Domain: The AD domain in which the user account is defined.
  NoteUse the short name for the AD domain. For example, use MYACTIVEDIRECTORY instead of MYACTIVEDIRECTORY.local.
• Search Base DN: The distinguished name (DN) of the identity provider location where you want your system to begin its searches for users and groups.

  For example, if you specify a value of OU=Users,DC=corp,DC=example,DC=com, the system searches for users and groups in the organization unit called Users in the corp.example.com domain.

• Default Domain Name: The default domain for users logging into the Admin App and Search App. For example, if you specify a default domain name of east.example.com, the user jdoe@east.example.comneeds to specify only jdoe when logging into either app.

• Identity Provider Hostname: Hostname or IP address for the identity provider.
• Transport Security: The protocol to use for securing communications between the system and the identity provider. Options are:
  • None
  • TLS Security (Transport Layer Security)
    • Use Suffix For Hostname Verification: When enabled, if the client hostname doesn’t match the certificate hostname, hostname verification will instead check whether the ending of the client hostname matches the provided suffix.
      WARNINGThis option could impact security and should only be enabled if the client hostname is expected to differ from the certificate hostname.
    • Hostname Suffix: The suffix which will be used for hostname checking if the default hostname verification check fails.
  • SSL (Secure Sockets Layer)
• Identity Provider Host Port: Network port used to communicate with the identity provider. The default value depends on the Transport Security setting:
  • For None or TLS Security (Transport Layer Security), 389
  • For SSL (Secure Sockets Layer), 636
• User Name: A user account on the identity provider. Your system uses this account to read information from the identity provider.
• Password: The user account password.
• User DN Template: A template on the LDAP server. When a user logs into their system, the provided username is inserted into this template to determine the user's LDAP distinguished name (DN).
• Unique ID: The unique identifier for the specified LDAP server.
• Member Name Attribute: The name of the attribute that each group on the identity provider uses to list its members.
• Search Base DN: The distinguished name (DN) of the identity provider location where you want your system to begin searching for users and groups.

  For example, if you specify a value of OU=Users,DC=corp,DC=example,DC=com, your system searches for users and groups in the organization unit called Users in the corp.example.com domain.

• Group Object Class: The objectClass value for groups on the LDAP server.

• Identity Provider Hostname: Hostname or IP address for the identity provider.
• Transport Security: The protocol to use for securing communications between the system and the identity provider. Options are:
  • None
  • TLS Security (Transport Layer Security)
    • Use Suffix For Hostname Verification: When enabled, if the client hostname doesn’t match the certificate hostname, hostname verification will instead check whether the ending of the client hostname matches the provided suffix.
      WARNINGThis option could impact security and should only be enabled if the client hostname is expected to differ from the certificate hostname.
    • Hostname Suffix: The suffix which will be used for hostname checking if the default hostname verification check fails.
  • SSL (Secure Sockets Layer)
• Identity Provider Host Port: Network port used to communicate with the identity provider. The default value depends on the Transport Security setting:
  • For None or TLS Security (Transport Layer Security), 389
  • For SSL (Secure Sockets Layer), 636
• User Name: A user account on the identity provider. Your system uses this account to read information from the identity provider.
• Password: The user account password.
• User DN Template: A template on the LDAP server. When a user logs into their system, the provided username is inserted into this template to determine the user's LDAP distinguished name (DN).
• Unique ID: The unique identifier for the specified LDAP server.
• Member Name Attribute: The name of the attribute that each group on the identity provider uses to list its members.
• Search Base DN: The distinguished name (DN) of the identity provider location where you want your system to begin searching for users and groups.

  For example, if you specify a value of OU=Users,DC=corp,DC=example,DC=com, your system searches for users and groups in the organization unit called Users in the corp.example.com domain.