
Manage IDPs for Organisations

As a Super User you control which external Identity Providers (IDPs) can issue accounts in the Directory and into which groups the users of each IDP are provisioned. Follow these steps each time an Organisation Admin submits a new or updated SSO Configuration Version.

Prerequisites

  • Super User role in Raidiam Connect.

  • DNS tools (for example dig, or an online lookup) to confirm TXT records.

Configure Groups for External IDP

When a Super User receives a request from an Organisation to approve an external IDP configuration, they must first make sure that the appropriate groups exist so that users can be provisioned in the Raidiam IDP. The first time a user from an external IDP authenticates to the Raidiam platform, a Raidiam account is created for them with the permissions assigned to their group.

You can bind multiple IDPs to one group if needed.

  1. Select Reference Data > Groups > Add Group.

  2. Provide a Name for the group and save.

  3. Select the newly created group from the list and Bind IDP.

  4. Fill in the following details:

    • IDP: choose the IDP to bind to the group.

      Binding an IDP to a group means that users who authenticate for the first time with this external IDP, and whose group claim matches the External ID below, are created in this group.

    • External ID: the IDP-specific alias for this group. It must exactly match the value of the claim the bound IDP uses to convey group membership in its ID token.

      For example, if the IDP issues ID tokens whose groups claim has the value admins, set the External ID to admins. Users in the IDP's admins group are then provisioned into this group in Raidiam Connect.

  5. Save.
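The binding rule above, modelled in code as an added example (this is not Raidiam Connect's own code). It assumes, beyond what the page states, that the group claim name is configured per IDP, that the External ID is compared as an exact, case-sensitive string, and that the claim may carry either a single value or a list. The IDP identifiers and group names below are constructed for illustration. Running a sample ID token through it before go-live shows which claim values would match no binding, which is the usual reason a first-time user lands without the expected group.

```python
# Added example: model of the group-binding rule, not Raidiam's implementation.
# Assumptions (not stated on the page): the group claim name is configured per IDP,
# External ID is an exact case-sensitive match, and the claim is a string or a list.
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupBinding:
    idp: str          # identifier of the bound external IDP (hypothetical values below)
    external_id: str  # IDP-specific alias; must equal the token's group claim value
    group: str        # Raidiam Connect group the user is provisioned into


def claim_values(claims, claim_name):
    """Return the group claim as a list of strings (empty if the claim is absent)."""
    value = claims.get(claim_name)
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return [str(v) for v in value]


def resolve_groups(bindings, idp, claims, claim_name="groups"):
    """Return (matched_groups, unmatched_values) for a first-time login from `idp`.

    A claim value matches only when both the IDP and the External ID agree. The same
    group may be bound to several IDPs, and one token may match several groups.
    """
    by_key = {}
    for b in bindings:
        by_key.setdefault((b.idp, b.external_id), []).append(b.group)
    matched, unmatched = [], []
    for v in claim_values(claims, claim_name):
        groups = by_key.get((idp, v))
        if groups:
            matched.extend(g for g in groups if g not in matched)
        else:
            unmatched.append(v)
    return matched, unmatched


# Constructed bindings for illustration: two IDPs feed the same administrators group.
BINDINGS = [
    GroupBinding("acme-okta", "admins", "ACME Administrators"),
    GroupBinding("acme-okta", "developers", "ACME Developers"),
    GroupBinding("acme-azuread", "Admins", "ACME Administrators"),
]

if __name__ == "__main__":
    # Constructed ID-token claims. "Admins" does not match "admins" for acme-okta,
    # so it is reported as unmatched and the External ID should be corrected.
    token_claims = {"sub": "u123", "groups": ["developers", "Admins"]}
    print(resolve_groups(BINDINGS, "acme-okta", token_claims))
```

An empty `matched` list for a realistic token means the user would be created without the group you intended; fix the External ID (or the IDP's claim mapping) before the Organisation Admin activates the configuration.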

Bind Organisations to Groups

  1. Select Reference Data > Groups > Organisations > Bind Organisation.

  2. Choose an Organisation to bind to the group.


Binding an Organisation to the group determines which Organisations the users provisioned into that group can be given permission to access or edit.

For example, if your group is bound to the ACME Organisation, a user provisioned into this group can access and edit ACME's Applications, provided the configured permissions allow it.

Organisation binding also determines which types of Domain Users can be added to the group, because the Organisation's Authorization Domain and Role assignments define which Domain User types are available for that Organisation.

Configure Permissions for Provisioned Users

  1. Select Reference Data > Groups > Permissions > Bind Permission.

  2. Select between the permission types:

    • Organisation Administrator: users created with this permission are provisioned as Organisation Admins and can fully manage the Organisation and its resources.

    • Domain User: users are created as Domain Users with the permissions available for the chosen Domain User System and Type. You need to choose:

      • Authorization Domain: domain assigned to the Organisation bound to this group.

      • Role: role assigned to the Organisation bound to this group.

      • System: domain user system to be used for the provisioned user.

      • User Type: type of the provisioned user within the Domain User System.

  3. Select Done.

Approve External IDP

  1. Navigate to the Organisation that requested approval for an External IDP.

  2. Select Servers > Server > IDP Configuration and open the dropdown for the IDP you need to approve.

  3. Validate:

    • The verification TXT record appears in public DNS for each managed domain.

    • Domain Rules do not overlap or conflict with those of existing providers.

    • Authentication Policies match ecosystem security requirements.

  4. Next to the version that needs your approval, select the three dots and Approve.
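The first two validation checks in step 3, scripted as an added example (this is not Raidiam tooling). It assumes that the expected TXT verification value is the one shown for the IDP in the IDP Configuration view (the `EXPECTED_TXT` constant below is a placeholder, not a real record format), that a Domain Rule is an email domain routed to an IDP, and that two rules conflict when they are equal or one is a subdomain of the other. Live lookups use `dig +short TXT` against a public resolver, which must be installed; the canned dig output is constructed so the checks also run offline.

```python
# Added example: pre-approval checks for the TXT record and Domain Rule validation.
# Not part of Raidiam Connect. Assumptions: EXPECTED_TXT is the value shown in the
# IDP Configuration view (placeholder here); a Domain Rule is an email domain routed
# to an IDP; rules conflict when equal or when one is a subdomain of the other.
import re
import subprocess

TXT_CHUNK = re.compile(r'"([^"]*)"')


def parse_dig_txt(output):
    """Turn `dig +short TXT` output into a list of TXT strings.

    dig prints each record as one or more quoted chunks on a line; chunks of a
    long record are concatenated, as resolvers do. Backslash escapes are not handled.
    """
    records = []
    for line in output.splitlines():
        chunks = TXT_CHUNK.findall(line)
        if chunks:
            records.append("".join(chunks))
    return records


def lookup_txt(domain, resolver="1.1.1.1"):
    """Live lookup against a public resolver (dig must be installed); not used offline."""
    out = subprocess.run(["dig", "+short", "TXT", domain, "@" + resolver],
                         capture_output=True, text=True, check=True).stdout
    return parse_dig_txt(out)


def missing_txt(expected, txt_by_domain):
    """Managed domains whose TXT records do not include the expected value."""
    return sorted(d for d, recs in txt_by_domain.items() if expected not in recs)


def normalise(domain):
    return domain.strip().lower().rstrip(".")


def domain_conflicts(new_rules, existing_rules):
    """Return (new_rule, existing_rule, provider) triples that overlap.

    existing_rules maps a provider name to its list of domain rules.
    """
    conflicts = []
    for new in map(normalise, new_rules):
        for provider, rules in existing_rules.items():
            for old in map(normalise, rules):
                if new == old or new.endswith("." + old) or old.endswith("." + new):
                    conflicts.append((new, old, provider))
    return conflicts


def run_checks(expected, dig_output_by_domain, new_rules, existing_rules):
    parsed = {d: parse_dig_txt(o) for d, o in dig_output_by_domain.items()}
    return {
        "missing_txt": missing_txt(expected, parsed),
        "conflicts": domain_conflicts(new_rules, existing_rules),
    }


# Constructed inputs: a placeholder verification value and canned dig output.
EXPECTED_TXT = "raidiam-verification=EXAMPLE-TOKEN"   # placeholder, not a real format
SAMPLE_DIG = {
    "acme.example": '"v=spf1 -all"\n"raidiam-verification=EXAMPLE-TOKEN"\n',
    "mail.acme.example": '"v=spf1 -all"\n',
}
EXISTING_RULES = {"Globex IDP": ["globex.example"], "Legacy IDP": ["acme.example"]}

if __name__ == "__main__":
    print(run_checks(EXPECTED_TXT, SAMPLE_DIG,
                     ["acme.example", "mail.acme.example"], EXISTING_RULES))
```

Approve only when `missing_txt` is empty and `conflicts` is empty; a domain that is still served by another provider's rule, or a subdomain of one, would route the same users to two IDPs.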


Once you approve an IDP version, an Organisation Administrator can switch it to the Active status, and users can then authenticate with their IDP. When a user authenticates with the external IDP for the first time, their Raidiam account is created. You can verify this under Reference Data > Groups > Users.