You can add IdP on Site Configuration level in Identity Providers and Users > Identity Providers menu.
Click New IdP and follow the screens of the IdP wizard.
1. Info
Specify the general parameters of the IdP.
Parameter | Description |
|---|---|
Name ID | Id of the IdP, which is used on the system level, must contain only alphanumeric characters |
Display Name for Login Page | This name will be displayed on the IdP button on Login Page |
Authentication Method | Choose the type of authentication you are going to use:
|
User Policy | Defines how new users will be processed on the attempt to login with current IdP. You cannot change this option as it is connected to certain authorization type.
|
Email Domains | This setting can be used to limit the possibility to authorize to certain domains. Only users with emails that belong to specified domains will be able to log in. You can specify domain names separated by a comma, e.g. encode.dk, microsoft.com Starting from v16.1.0 Email Domains field can be empty. In such cases users from any domain can be added to the IdP. |
2. Login Page Settings
The pair of Login Page + Login URL called Encodify Login URL must be selected on this screen. With this, you connect IdP to the particular Login URL and it will be available for users only from the corresponding Login Page. Each IdP can be associated with only one Encodify Login URL.
Example
Using Encodify Login URL
https://example.domain.com:Encode, users who navigate tohttps://example.domain.comwill see the “Encodify” login page with corresponding IdP configured and associated with it.
You can select from the list of existing Encodify Login URLs or create a new one using the corresponding toolbar buttons:
You can later edit the Encodify Login URL pair (if you want, for example, to select another login page) or delete some unnecessary pairs. Note, delete means only detaching the pair, and does not delete the Login Page itself. It is more convenient to manage your Login URLs in the dedicated menu rather than in IdP settings. See the Configuration of Login URLs for more details.
Note!
Several different IdPs can be present on the associated Login Page. In case only one IdP is present on the login page (of type SAML 2.0 or OAuth 2.0), login page itself will not be even shown to a user. Automatic redirect will take the user to external system login page or, in case user was already authorized there, directly to Encodify site portal page.
Pay attention, a user who was logged in this way will not be able to log out from Encodify until he is logged in his external account — SSO will bring him back automatically.
Another option on this page is Hide Login Button. If checked, the IdP will not be visible on the Login Page. Can be useful if you have several IdPs on the same Login Page and want to hide some of them.
3. Details
This page depends on the authentication method you have chosen on the first configuration wizard’s screen. For Internal method, it will be hidden as there are no specific parameters.
Authentication method SAML 2.0
The screen includes three configuration steps.
Copy the listed endpoints Identifier URI (Metadata) and Reply URL and save them somewhere. They will come in handy for configuring your third-party SAML Identity Provider server. For example, for Azure AD you will need both endpoints (see the Microsoft Azure AD configuration chapter), and Microsoft on-premise AD FS on Windows server can be configured with a metadata endpoint only (see the Microsoft AD FS on premise configuration chapter).
Next parameters to be set on Step 2:
Parameter | Description |
|---|---|
Federation Metadata | Specify the link to Federation Metadata XML provided by external IdP server. That means that this server must be up and running at the moment (see how to get this link for Azure AD and AD FS 2.0 in corresponding chapters) |
External User ID Attribute | Select the User attribute that will be used for mapping users between Encodify and external system. Note, Encodify identifies users by email, but it is not necessarily that IdP server will use email attribute too, so for specific cases you might have to refer to IdP documentation. The main rule is that chosen attribute must uniquely identify a user |
Note!
If the third party SAML provider issues self-signed certificate for accessing the metadata (e.g. for testing purposes), Encodify will not be able to automatically get and parse the metadata link.
To solve this, the certificate should be added to JVM storage manually:
$ sudo keytool -import -v -trustcacerts -alias win_local_adfs -file certificate.crt -keystore /usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts -keypass changeit -storepass changeit
You can also map other user attributes to be automatically set for the new user on login with auto-provisioning. The exact list of attributes depends on the IdP server, which provides the metadata. These may be the first and the last name, nickname, email, phone number etc.
When adding the attribute mapping, in the left selectbox you select the external user parameter that comes from IdP server, and in the right selectbox — the corresponding attribute of Encodify user.
As a result, mapped attributes will be synchronized on each user login to Encodify via SAML IdP, keeping the Encodify user profile always up to date.
4. Access Rights Mapping
On this screen it is possible to set mapping of external access rights to local Encodify access rights respectively. This allows to synchronize user access with external system, so user privileges in Encodify will be respected and updated from Identity Provider each time the user logs in. Access rights mapping is done using an XML file that describes the mapping pairs. See example:
<?xml version="1.0" encoding="UTF-8"?>
<MappingDocument>
<Mapping>
<ExternalSystemAccess>Global Company</ExternalSystemAccess>
<EncodeAccessRight>Admin</EncodeAccessRight>
</Mapping>
<Mapping>
<ExternalSystemAccess>Local Company</ExternalSystemAccess>
<EncodeAccessRight>Sales Manager</EncodeAccessRight>
</Mapping>
</MappingDocument>
Note!
The structure is not determined, it depends on the client needs and might be different.
This XML describes the external system access and corresponding access in Encodify system as a separate XML nodes . For example, this node matches the external access right “Global Company” to Encodify “Admin”:
<Mapping>
<ExternalSystemAccess>Global Company</ExternalSystemAccess>
<EncodeAccessRight>Admin</EncodeAccessRight>
</Mapping>To configure Access Right mapping follow the steps:
Click Import and upload the mapping XML.
In the selectbox on top select the SAML claim attribute which is responsible for carrying the access right from the external system (the exact claim depends on external system configuration).
In AzureAD roles are transferred via RoleTemplate Id Claim.
In the Claim Key selectbox select XML node that represents access in the external system (ExternalSystemAccess).
In the Access Right Mapping selectbox select XML node that represents access in Encodify (EncodeAccessRight).
The read-only mapping table will be generated and shown on the page.
It is possible configure access rights mapping so that several Encodify access rights are assigned to a user matching the specific value of the claim returned. For that, the comma-separated list of Encodify access rights needs to be specified in the corresponding tag in the XML file
Example:
<Mapping>
<ExternalSystemAccess>8460684d-hre889-2574-t28h7-dg8t6h74er</ExternalSystemAccess>
<EncodeAccessRight>Inquisitor, Developer</EncodeAccessRight>
</Mapping>
The next logic is applied to assign Access Rights to the new or existing user on SSO login.
User exists | Mapping is enabled | Encodify user AR found in mapping | Expected result |
|---|---|---|---|
yes | yes | yes | External AR that is found is assigned |
yes | yes | no | Default AR from IdP settings is assigned |
yes | no | n/a | Default AR is ignored. Existing AR is kept |
no | yes | yes | External AR that is found is assigned |
no | yes | no | Default AR from IdP settings is assigned |
no | no | n/a | Default AR from IdP settings is assigned |
5. User Groups Mapping
On this screen, it is possible to set mapping of external user groups to local Encodify user groups exactly respectively. User groups mapping is done the same way as for access rights mapping using the proper XML.
Note, that, unlike access right, the user can be a member of several groups and it is possible to map them separating by a comma:
<Mapping>
<ExternalSystemAccess>Local Company</ExternalSystemAccess>
<EncodeGroup>Argentina, Chile, Bolivia</EncodeGroup>
</Mapping>To configure User Groups mapping follow the steps:
On the User Groups Mapping screen click Import and upload the mapping XML.
In the selectbox on top select the SAML claim attribute which is responsible for carrying the groups from the external system (the exact claim depends on external system configuration).
In the Claim Key selectbox select XML node that represents a group in the external system (ExternalSystemAccess).
In the User Groups Mapping selectbox select XML node that represents a group in Encodify (EncodeGroup).
The read-only mapping table will be generated and shown on the page.
The next logic is applied to assign User Groups to the new or existing user on SSO login.
User exists | Mapping is enabled | Encodify user group found in mapping | Expected result |
|---|---|---|---|
yes | yes | yes | External groups that are found are assigned. Existing groups are overwritten |
yes | yes | no | Default groups from IdP settings are assigned. Existing groups are overwritten |
yes | no | n/a | Default groups are ignored. Existing groups are kept |
no | yes | yes | External groups that are found are assigned. Existing groups are overwritten |
no | yes | no | Default groups from IdP settings are assigned. Existing groups are overwritten |
no | no | n/a | Default groups from IdP settings are assigned |
6. Default User Properties
This screen allows you to set default properties for users who will be added to this IdP or created on auto-provisioning via Single Sign-On. Those are:
Access Right
Portal Page
Skin
Dashboard Theme
Language
New UI (removed in version 13.0.0)
Classic UI (removed in version 13.0.0)
Enable User Profile
Other custom User Attributes can be added only in case User Management module is enabled on site. Click Add user Attribute to add an attribute. The left selectbox contains the list of custom fields in User Management module and the right one — the values you want to set as default.
Enable User Profile checkbox will show the user profile modal window on the first user login, so user can add the valuable information to it.
7. Default User Groups
This screen allows setting default user groups for users, who will be added to this IdP or created on auto-provisioning.
8. Welcome Email and Login Message
This screen allows configuring Welcome Email and “First Login” Message for new users. If those are enabled, a user who logs in to the Encodify system first time will receive the email and will see the modal window with welcome text on entering the site using current IdP authentication.
It is possible to upload predefined email template (a single HTML file) and then modify it or create the layout from scratch via Rich Text Editor.
It is also possible to use placeholders in Welcome mail and message. Following placeholders can be used in a template:
${user.name},${user.login},${user.email}— will be replaced with the value of the corresponding attribute of the new user.${site.name}— will be replaced with the name of a current site.
