Configuring your IdP in the HM console Innovation Release

Suggest edits

The IdP configuration workflow in the Hybrid Manager (HM) console automates the integration process. When you use this workflow, you don't need to manually modify the Helm chart or restart the workload. The workflow makes deployment consistent and reduces downtime.

Important

You must be a HM Organization Owner to configure an IdP in HM.

Configuring a SAML IdP

You can use any identity provider (IdP) that supports SAML 2.0, such as Okta, Microsoft Entra ID, Google Workspace, or Keycloak.

Important

When you begin adding a SAML identity provider in HM, the system generates unique ACS URL and Audience URI values. These values change each time you start a new configuration. You must complete both the IdP configuration and the HM configuration in a single session without navigating away from the page.

Before you begin

  1. Open your IdP admin console in a separate browser tab.
  2. In HM, start the SAML IdP configuration to obtain the ACS URL and Audience URI.
  3. Copy these values to your IdP configuration immediately.
  4. Complete the IdP setup and obtain the SSO URL and certificate.
  5. Return to the HM tab (keep it open) and complete the configuration.

Starting the SAML configuration in HM

  1. In the HM console, select Settings > Identity Providers.

  2. Select Add Identity Provider.

  3. Select the SAML tab.

  4. Copy the following values (you need these for your IdP):

    • Assertion Consumer Service (ACS) URL
    • Audience URI (SP Entity ID)
Note

Don't close or navigate away from this page until you complete the HM configuration.

Configuring your identity provider

In a separate browser tab, create a new SAML 2.0 application in your IdP with the following settings:

  1. Enter a name for the SAML integration.

  2. Enter the ACS URL from HM in the Single Sign-On URL field.

  3. Enter the Audience URI from HM in the Audience URI (SP Entity ID) field.

  4. Set the Name ID Format based on your requirements. See NameID formats for details.

  5. Configure attribute mappings to include user information in the SAML assertion.

    Where:

    • Username is the user's unique identifier.
    • Email is the user's email address.
    Note

    Attribute names vary by IdP. Refer to your IdP's documentation for configuring SAML attribute statements.

  6. Save the integration.

  7. Copy the Single Sign-On URL (also called SSO URL or Login URL) provided by your IdP.

  8. Download the Signing Certificate provided by your IdP (as a .pem or .cer file).

Completing the SAML configuration in HM

Return to the HM browser tab and enter the following:

  1. In the Name field, enter a unique name for this identity provider.

  2. In Description, enter an optional description for this identity provider.

  3. In Single Sign-On URL, enter the SSO URL from your IdP.

  4. Under Signature Certificate File, upload the signing certificate from your IdP.

  5. Under NameID Format, select the format that matches your IdP configuration.

  6. Enter the values for Username Attribute and Email Attribute. Where:

    • Username Attribute is the attribute name containing the username (for example, name).
    • Email Attribute is the attribute name containing the email address (for example, email).

  7. (Optional) To enable role mapping, configure group attribute mapping: Where:

    • Groups Attribute is the SAML attribute name containing the user's group memberships (for example, groups or memberOf).
    • Groups Delimiter is the delimiter used to separate multiple groups in the attribute value. Leave empty if groups are sent as separate attribute values.
    Note

    Configure your IdP to include group membership in the SAML assertion. The exact configuration varies by IdP. Refer to your IdP's documentation for configuring group attribute statements.

  8. Select Save.

NameID formats

Select the NameID format that matches your IdP configuration:

FormatDescriptionUse case
Email AddressUser's email addressMost common. Use when users are identified by email.
PersistentA persistent, opaque identifier for the userWhen the IdP assigns stable user identifiers that aren't email addresses
TransientA temporary identifier valid only for the current sessionWhen privacy is required and no persistent identifier can be shared
X.509 Subject NameThe subject name from an X.509 certificateWhen using certificate-based authentication
Tip

If you're unsure which format to use, start with Email Address as it's the most commonly used format.

Configuring an LDAP IdP

You can configure HM to authenticate users against an LDAP directory server, such as OpenLDAP, Microsoft Active Directory, or other LDAP-compatible directories.

Requirements

Before configuring LDAP in HM, gather the following information from your LDAP administrator:

  • LDAP server hostname and port
  • Bind DN and password for a service account with read access
  • Base DN for user searches
  • User attribute names (username, email, name)

Configuring an LDAP IdP in HM

  1. In the HM console, select Settings > Identity Providers.

  2. Select Add Identity Provider.

  3. Select the LDAP tab.

  4. In the Name field, enter a unique name for this identity provider.

  5. In Description, enter an optional description.

  6. Enter the LDAP server connection settings:

    Where:

    • Host is the LDAP server hostname. For example: ldap.example.com.
    • Port is the LDAP server port. Use 389 for LDAP or 636 for LDAPS.
    • Scheme is the connection protocol. Select ldap for unencrypted or ldaps for TLS-encrypted connections.
    • Use Custom Root CA enables uploading a custom CA certificate for LDAPS connections with self-signed certificates.

  7. Enter the bind credentials: Where:

    • Bind DN is the distinguished name of the service account used to search the directory. For example: cn=admin,dc=example,dc=com.
    • Bind Password is the password for the bind DN service account.

  8. Enter the user search settings: Where:

    • Base DN is the base distinguished name for user searches. For example: ou=People,dc=example,dc=com.
    • Filter is the LDAP filter for finding user entries. For example: (objectClass=inetOrgPerson).
    • Username is the attribute used for username matching. For example: uid or cn.
    • ID Attribute is the attribute to map to the HM user ID. For example: uid or cn.
    • Email Attribute is the attribute to map to the HM user email. For example: mail.
    • Name Attribute is the attribute to map to the HM user display name. For example: cn or displayName.

  9. (Optional) To enable role mapping, configure group search settings: Where:

    • Base DN is the base distinguished name for group searches. For example: ou=Groups,dc=example,dc=com.
    • Filter is the LDAP filter for finding group entries. For example: (objectClass=groupOfNames).
    • Name Attribute is the attribute to map to the group name. For example: cn.
    • User Matchers define how to match users to groups. Each matcher specifies:
      • User Attribute is the user attribute to match. For example: DN or uid.
      • Group Attribute is the group attribute that contains user references. For example: member or memberUid.

    Example configuration for OpenLDAP with groupOfNames:

    • Base DN: ou=Groups,dc=example,dc=com
    • Filter: (objectClass=groupOfNames)
    • Name Attribute: cn
    • User Matcher: User Attribute DN, Group Attribute member

    Example configuration for Active Directory:

    • Base DN: CN=Users,DC=example,DC=com
    • Filter: (objectClass=group)
    • Name Attribute: cn
    • User Matcher: User Attribute DN, Group Attribute member

  10. Select Save.

Configuring an OIDC IdP

You can use any identity provider that supports OpenID Connect (OIDC), such as Okta, Microsoft Entra ID, Google Workspace, or Keycloak.

Starting the OIDC configuration in HM

  1. In the HM console, select Settings > Identity Providers.

  2. Select Add Identity Provider.

  3. Select the OIDC tab.

  4. Copy the Redirect URI displayed on the page (you need this for your IdP).

Configuring your identity provider

In a separate browser tab, register a new application in your OIDC provider:

  1. Create a new OIDC or OAuth 2.0 application.

  2. Enter a name for the application.

  3. Set the Redirect URI (also called Callback URL) to the value copied from HM.

  4. Ensure the application is configured to include name and email claims in the ID token or UserInfo endpoint.

  5. Save the application.

  6. Record the following values from your IdP:

    • Issuer URL (for example, https://accounts.google.com)
    • Client ID
    • Client Secret

  7. Assign the users you want to have access to HM to the registered application.

Completing the OIDC configuration in HM

Return to the HM browser tab and enter the following:

  1. In the Name field, enter a unique name for this identity provider.

  2. In the Description field, enter an optional description.

  3. Enter the values from your OIDC provider: Where:

    • Issuer URL is the issuer URL of your OIDC provider.
    • Client ID is the client ID assigned to your registered application.
    • Client Secret is the client secret assigned to your registered application.

  4. (Optional) To enable role mapping, configure group claim settings: Where:

    • Groups Key is the claim name that contains the user's group memberships in the ID token or UserInfo response. For example: groups.
    Note

    Configure your OIDC provider to include group membership claims in the ID token or UserInfo response. The exact configuration varies by provider. Refer to your provider's documentation for configuring group claims.

  5. Select Save.

Testing the IdP integration

After configuring an identity provider, you can verify if the integration is working correctly using the built-in test feature. The test performs a sign-in attempt through the configured IdP and validates that the IdP returns user attributes such as email and name correctly.

  1. In the HM console, select Settings > Identity Providers.

  2. Select the IdP you want to test.

  3. Select Test Connection.

  4. Follow the sign-in prompts from your IdP. After authentication is complete, the HM console displays the test result indicating whether the integration is set up correctly.

Managing the IdP

In HM, manage IdP providers by editing or deleting them, and assign users to restrict access to authorized users only.

Granting users access through the IdP

Users are automatically associated with an IdP when they first log in to HM through it. To grant users access:

  1. In your IdP's admin console, assign the users you want to give access to HM.
  2. Share the Quick Sign-in URL with your users:
    • In the HM console, select Settings > Identity Providers.
    • Select the IdP and copy the Quick Sign-in URL.
  3. When users log in using this URL, they are automatically registered in HM and associated with the IdP.

Removing the IdP from HM

You must first delete all users who logged in through that IdP before you can delete the IdP from HM. The delete option is disabled for an IdP unless all users associated with it have been deleted.

  1. In the HM console, select User Management.

  2. Identify and delete all users associated with the IdP you want to remove.

  3. Select Settings > Identity Providers.

  4. Select the IdP you want to remove and select Delete.

  5. Confirm the deletion.

← Prev

Using the HM API

↑ Up

Using Hybrid Manager