Configuring your IdP in the HM console Innovation Release

Suggest edits

The IdP configuration workflow in the Hybrid Manager (HM) console automates the integration process. When you use this workflow, you don't need to manually modify the Helm chart or restart the workload. This method makes deployment consistent and reduces downtime.

Configuring a SAML IdP

You can use any identity provider (IdP) that supports SAML 2.0, such as Okta, Microsoft Entra ID, Google Workspace, or Keycloak.

Important

When you begin adding a SAML identity provider in HM, the system generates unique ACS URL and Audience URI values. These values change each time you start a new configuration. You must complete both the IdP configuration and the HM configuration in a single session without navigating away from the page.

Before you begin

  1. Open your IdP admin console in a separate browser tab.
  2. In HM, start the SAML IdP configuration to obtain the ACS URL and Audience URI.
  3. Copy these values to your IdP configuration immediately.
  4. Complete the IdP setup and obtain the SSO URL and certificate.
  5. Return to the HM tab (keep it open) and complete the configuration.

Starting the SAML configuration in HM

  1. In the HM console, go to Settings then Identity Providers.

  2. Select Add Identity Provider.

  3. Select the SAML tab.

  4. Copy the following values (you need these for your IdP):

    • Assertion Consumer Service (ACS) URL
    • Audience URI (SP Entity ID)
Note

Do not close or navigate away from this page until you complete the HM configuration.

Configuring your identity provider

In a separate browser tab, create a new SAML 2.0 application in your IdP with the following settings:

  1. Enter a name for the SAML integration.

  2. Enter the ACS URL from HM in the Single Sign-On URL field.

  3. Enter the Audience URI from HM in the Audience URI (SP Entity ID) field.

  4. Set the Name ID Format based on your requirements. See NameID formats for details.

  5. Configure attribute mappings to include user information in the SAML assertion.

    Where:

    • Username is the user's unique identifier.
    • Email is the user's email address.
    Note

    Attribute names vary by IdP. Refer to your IdP's documentation for configuring SAML attribute statements.

  6. Save the integration.

  7. Copy the Single Sign-On URL (also called SSO URL or Login URL) provided by your IdP.

  8. Download the Signing Certificate provided by your IdP (as a .pem or .cer file).

Completing the SAML configuration in HM

Return to the HM browser tab and enter the following:

  1. In the Name field, enter a unique name for this identity provider.

  2. In Description, enter an optional description for this identity provider.

  3. In Single Sign-On URL, enter the SSO URL from your IdP.

  4. Under Signature Certificate File, upload the signing certificate from your IdP.

  5. Under NameID Format, select the format that matches your IdP configuration.

  6. Enter the values for Username Attribute and Email Attribute.

    Where:

    • Username Attribute is the attribute name containing the username (for example, name).
    • Email Attribute is the attribute name containing the email address (for example, email).

  7. Select Save.

NameID formats

Select the NameID format that matches your IdP configuration:

FormatDescriptionUse case
Email AddressUser's email addressMost common. Use when users are identified by email.
PersistentA persistent, opaque identifier for the userWhen the IdP assigns stable user identifiers that aren't email addresses
TransientA temporary identifier valid only for the current sessionWhen privacy is required and no persistent identifier should be shared
X.509 Subject NameThe subject name from an X.509 certificateWhen using certificate-based authentication
Tip

If you're unsure which format to use, start with Email Address as it's the most commonly used format.

Configuring an LDAP IdP

You can configure HM to authenticate users against an LDAP directory server, such as OpenLDAP, Microsoft Active Directory, or other LDAP-compatible directories.

Requirements

Before configuring LDAP in HM, gather the following information from your LDAP administrator:

  • LDAP server hostname and port
  • Bind DN and password for a service account with read access
  • Base DN for user searches
  • User attribute names (username, email, name)

Configuring an LDAP IdP in HM

  1. In the HM console, go to Settings then Identity Providers.

  2. Select Add Identity Provider.

  3. Select the LDAP tab.

  4. In the Name field, enter a unique name for this identity provider.

  5. In Description, enter an optional description.

  6. Enter the LDAP server connection settings:

    Where:

    • Host is the LDAP server hostname. For example: ldap.example.com.
    • Port is the LDAP server port. Use 389 for LDAP or 636 for LDAPS.
    • Scheme is the connection protocol. Select ldap for unencrypted or ldaps for TLS-encrypted connections.
    • Use Custom Root CA enables uploading a custom CA certificate for LDAPS connections with self-signed certificates.

  7. Enter the bind credentials:

    Where:

    • Bind DN is the distinguished name of the service account used to search the directory. For example: cn=admin,dc=example,dc=com.
    • Bind Password is the password for the bind DN service account.

  8. Enter the user search settings:

    Where:

    • Base DN is the base distinguished name for user searches. For example: ou=People,dc=example,dc=com.
    • Filter is the LDAP filter for finding user entries. For example: (objectClass=inetOrgPerson).
    • Username is the attribute used for username matching. For example: uid or cn.
    • ID Attribute is the attribute to map to the HM user ID. For example: uid or cn.
    • Email Attribute is the attribute to map to the HM user email. For example: mail.
    • Name Attribute is the attribute to map to the HM user display name. For example: cn or displayName.

  9. Select Save.

Configuring an OIDC IdP

You can use any identity provider that supports OpenID Connect (OIDC), such as Okta, Microsoft Entra ID, Google Workspace, or Keycloak.

Starting the OIDC configuration in HM

  1. In the HM console, go to Settings then Identity Providers.

  2. Select Add Identity Provider.

  3. Select the OIDC tab.

  4. Copy the Redirect URI displayed on the page (you need this for your IdP).

Configuring your identity provider

In a separate browser tab, register a new application in your OIDC provider:

  1. Create a new OIDC or OAuth 2.0 application.

  2. Enter a name for the application.

  3. Set the Redirect URI (also called Callback URL) to the value copied from HM.

  4. Ensure the application is configured to include name and email claims in the ID token or UserInfo endpoint.

  5. Save the application.

  6. Note the following values provided by your IdP:

    • Issuer URL (for example, https://accounts.google.com)
    • Client ID
    • Client Secret

  7. Assign the users you want to have access to HM to the registered application.

Completing the OIDC configuration in HM

Return to the HM browser tab and enter the following:

  1. In the Name field, enter a unique name for this identity provider.

  2. In the Description field, enter an optional description.

  3. Enter the values from your OIDC provider:

    Where:

    • Issuer URL is the issuer URL of your OIDC provider.
    • Client ID is the client ID assigned to your registered application.
    • Client Secret is the client secret assigned to your registered application.

  4. Select Save.

Testing the IdP integration

After configuring an identity provider, you can verify if the integration is working correctly using the built-in test feature. The test performs a sign-in attempt through the configured IdP and validates that user attributes such as email and name are returned correctly.

  1. In the HM console, go to Settings then Identity Providers.

  2. Select the IdP you want to test.

  3. Select Test Connection.

  4. Follow the sign-in prompts from your IdP. After authentication is complete, the HM console displays the test result indicating whether the integration is configured correctly.

Managing the IdP

In HM, manage IdP providers by editing or deleting them, and assign users to restrict access to authorized users only.

Assigning users to the IdP

To assign users to the IdP you configured and give them access to HM:

  1. In your IdP's admin console, assign the users you want to give access to HM.

  2. Next to the name of the user you want to assign the IdP to, select Assign. Select Done.

  3. In the HM console, go to Settings then Identity Providers.

  4. Select the IdP you created and copy the value in the Quick Sign-in URL.

Removing the IdP from HM

Warning

Removing the IdP in HM deletes all users assigned to the IdP.

To remove the IdP from HM:

  1. In the HM console, go to Settings then Identity Providers.

  2. Select the IdP you want to remove and select Delete.

  3. Follow the instructions in the pop-up and select Delete Identity Provider.

← Prev

Configuring SAML

↑ Up

Configuring your own identity provider

Next →

Enabling Key Management Systems (KMS) for TDE