Identity Providers
The Identity Providers page allows you to set up and configure external SAML and ADFS authentication providers. Identity Providers that are set up and enabled here are available on the login page.
Creating New Identity Provider
To Create a new Identity Provider, click the Add Identity Provider button. Creating a new Identity Provider is a multistep process that begins with filling out the form with all the required information. Once the form is submitted, the Identity Provider can be configured to support DataShyft using the Callback URL and Audience URL that are provided after creating the Identity Provider.
Editing an Identity Provider
Editing an existing Identity Provider allows you to update some aspects of the configuration. Here are some of the key fields you may want to edit.
Enabled — Toggling the Enabled flag will allow you to control whether this Identity Provider is displayed on the Login page or not.
Metadata — If the Identity Provider's Metadata XML changes, you can either update this field with the new XML, or clear this field and let the system automatically refetch the XML from the Metadata URL on the next authentication attempt.
Metadata Refresh Interval — You can adjust this value to control how frequently DataShyft requests the Metadata XML.
IDP Group Mappings — If the group information sent by the IDP changes, you can update the group mappings to properly map those groups to DataShyft Roles.
Identity Provider Fields
ID
A Unique ID assigned to this Identity Provider. This ID is used when setting up the various URLs used in the SAML/ADFS relationship. It is recommended that you use a readily identifiable value to assist in troubleshooting any authentication issues. This ID only needs to be unique within your tenant.
Enabled
Toggle that indicates if this Identity Provider is enabled or not. If an IDP is enabled, it will appear on the login screen, and users will be able to use it to authenticate using this Identity Provider.
Display Name
The name shown to users for this Identity Provider. It is used on the Login screen if there are multiple active Identity Providers. In that case, the user is given a series of login buttons, each one labeled Login with <Display Name>. This allows users to quickly identify which Identity Provider they should log in with.
Description
An optional description of this Identity Provider. This is for your internal reference and is not displayed to end users.
Metadata
The Metadata XML for the identity provider. If a Metadata URL is specified, the system will automatically fetch the Metadata XML from the Identity Provider and update it. Generally, you only need to specify this if your Identity Provider does not support automatic fetching of the Metadata XML.
Metadata URL
The URL from which the Identity Provider's Metadata XML can be retrieved. If the Identity Provider does not support dynamic fetching of the Metadata XML, leave this field blank.
Metadata Refresh Interval
This setting specifies how long, in minutes, the Metadata XML should be cached before it is refetched from the Identity Provider. The Metadata XML is only fetched when someone logs in. If a user attempts to log in using this Identity Provider and the cached Metadata XML is older than this interval, DataShyft fetches the current Metadata XML before proceeding with the login.
Automatic refetching is disabled if the Metadata URL field is blank.
IDP Group Mappings
Specifies how the Group information received from the Identity Provider during login should be mapped to the internal DataShyft roles. The default entry is used when none of the other Group mapping rules match.
To configure mappings, click the plus button to add a new row to the table. In the IDP Group field, enter the name of the IDP provided group that you wish to map. In the DataShyft Role dropdown, select the DataShyft role that group maps to. You can add as many mappings as you need. Each IDP Group can only map to a single DataShyft Role.
The Update Roles on Login checkbox controls whether the group mapping is applied to users at every login, or just on their first login. If enabled, every time a user logs in the system will apply the mappings based on the group information sent by the Identity Provider and update the roles assigned to the user. This allows you to manage users' access within DataShyft entirely through the Identity Provider.
If the Update Roles on Login option is disabled, the user is assigned DataShyft roles on initial login, and those roles are not automatically updated on later logins. If you wish to change a user's roles in DataShyft, the roles have to be manually changed by editing their user account in DataShyft.
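The following is an added example, not DataShyft's own code, that models the login-time behaviour described under Metadata Refresh Interval and IDP Group Mappings: metadata is refetched only when a Metadata URL is set and the cached copy is missing or older than the interval, each IDP group maps to one role, the default role applies only when no mapping matches, and roles are recomputed on every login only when Update Roles on Login is enabled. The field names, the cache record, the fetch callable and the assumption that a user holding several mapped groups receives the union of the mapped roles are all illustrative assumptions, not documented product behaviour.

```python
"""Added example: login-time metadata refresh and IDP group-to-role mapping.

Not DataShyft code. Field names, the cache record and the `fetch` callable are
assumptions made for illustration; the union-of-roles rule is also an assumption.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterable, Optional, Set


@dataclass
class IdentityProvider:
    metadata_xml: str = ""                      # cached Metadata XML ("" = cleared)
    metadata_url: str = ""                      # blank disables automatic refetching
    refresh_interval_min: int = 60              # Metadata Refresh Interval, in minutes
    last_metadata_fetch: Optional[datetime] = None
    group_mappings: Dict[str, str] = field(default_factory=dict)  # IDP group -> one DataShyft role
    default_role: str = "Viewer"                # the "default entry" in the mappings table
    update_roles_on_login: bool = True          # Update Roles on Login checkbox


def metadata_is_stale(idp: IdentityProvider, now: datetime) -> bool:
    """True when the cached metadata must be refetched before the login proceeds."""
    if not idp.metadata_url:
        return False                 # no Metadata URL: never refetch, use the pasted XML
    if not idp.metadata_xml or idp.last_metadata_fetch is None:
        return True                  # field was cleared or never fetched
    return now - idp.last_metadata_fetch > timedelta(minutes=idp.refresh_interval_min)


def ensure_metadata(idp: IdentityProvider, now: datetime, fetch: Callable[[str], str]) -> bool:
    """Refetch the Metadata XML if stale. Returns True when a fetch happened."""
    if not metadata_is_stale(idp, now):
        return False
    idp.metadata_xml = fetch(idp.metadata_url)
    idp.last_metadata_fetch = now
    return True


def map_groups_to_roles(idp: IdentityProvider, idp_groups: Iterable[str]) -> Set[str]:
    """Apply the mapping table; fall back to the default role only when nothing matches."""
    roles = {idp.group_mappings[g] for g in idp_groups if g in idp.group_mappings}
    return roles or {idp.default_role}


def roles_after_login(idp: IdentityProvider,
                      existing_roles: Optional[Set[str]],
                      idp_groups: Iterable[str]) -> Set[str]:
    """existing_roles is None on a user's first login.

    First login always applies the mappings. Later logins re-apply them only when
    Update Roles on Login is enabled; otherwise the stored roles are kept.
    """
    if existing_roles is None or idp.update_roles_on_login:
        return map_groups_to_roles(idp, idp_groups)
    return set(existing_roles)


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    idp = IdentityProvider(
        metadata_xml="<EntityDescriptor/>",
        metadata_url="https://idp.example.test/metadata",   # constructed sample URL
        refresh_interval_min=60,
        last_metadata_fetch=now - timedelta(minutes=61),
        group_mappings={"ds-admins": "Admin", "ds-analysts": "Analyst"},
    )
    fetched = ensure_metadata(idp, now, lambda url: "<EntityDescriptor version='new'/>")
    print("refetched:", fetched)
    print("roles:", roles_after_login(idp, {"Admin"}, ["ds-analysts", "unrelated-group"]))
```

The staleness check treats a cleared Metadata field the same as an expired one, which is the behaviour the Editing section describes for forcing a refetch; with Update Roles on Login disabled, the stored roles are returned untouched even though the mapped groups changed.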
Domain Restriction
Domain Restriction allows you to specify a list of regular expressions that are used to determine whether a user account is logging in with the correct Identity Provider. For example, if an Identity Provider specifies a domain restriction regex of .+@datashyft\.com, then any user whose email address is at the datashyft.com domain is required to log in with this Identity Provider. Attempting to log in with a different Identity Provider results in an authentication failure, so another Identity Provider cannot be used to assert an address in a domain that is restricted to this one. Write each pattern so that it matches the whole email address: escape the dot in the domain (\.) and do not rely on a bare fragment such as datashyft.com, which also matches longer or unrelated domains.
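The check below is an added example, not DataShyft's own implementation, showing how a list of Domain Restriction regexes decides which Identity Provider a given address must use, and why the pattern has to be anchored to the whole address with its dot escaped. DataShyft's exact matching semantics (whole-match versus substring search, case handling) are not documented on this page, so the use of case-insensitive whole-address matching, the rule that an address no restriction covers may use any Identity Provider, and the error raised when two Identity Providers claim the same address are all assumptions made here.

```python
"""Added example: evaluating Domain Restriction regexes for an Identity Provider.

Not DataShyft code. Whole-address, case-insensitive matching and the handling of
unrestricted or doubly-claimed addresses are assumptions for illustration.
"""
import re
from typing import Dict, List, Optional, Pattern


def validate_pattern(pattern: str) -> Optional[str]:
    """Return None if the regex compiles, otherwise the compiler's error message.

    Catches mistakes such as a leading '+' with nothing to repeat.
    """
    try:
        re.compile(pattern)
        return None
    except re.error as exc:
        return str(exc)


def compile_restrictions(patterns: List[str]) -> List[Pattern[str]]:
    bad = {p: validate_pattern(p) for p in patterns if validate_pattern(p)}
    if bad:
        raise ValueError(f"invalid domain restriction regex(es): {bad}")
    return [re.compile(p, re.IGNORECASE) for p in patterns]


def claims_email(patterns: List[Pattern[str]], email: str, anchored: bool = True) -> bool:
    """True if any restriction pattern matches the address.

    anchored=True uses fullmatch (the whole address must match); anchored=False uses
    search, included only to show why substring matching is unsafe here.
    """
    for p in patterns:
        hit = p.fullmatch(email) if anchored else p.search(email)
        if hit:
            return True
    return False


def required_idp(idps: Dict[str, List[Pattern[str]]], email: str) -> Optional[str]:
    """Name of the Identity Provider whose restriction claims this address, or None."""
    claims = [name for name, pats in idps.items() if claims_email(pats, email)]
    if len(claims) > 1:
        # Assumption: overlapping restrictions are a configuration error, not a choice.
        raise ValueError(f"{email} is claimed by more than one Identity Provider: {claims}")
    return claims[0] if claims else None


def login_allowed(idps: Dict[str, List[Pattern[str]]], chosen_idp: str, email: str) -> bool:
    """Reject the login when the address is restricted to a different Identity Provider."""
    required = required_idp(idps, email)
    return required is None or required == chosen_idp


if __name__ == "__main__":
    # Constructed sample configuration; names and domains are illustrative.
    idps = {
        "Corp SAML": compile_restrictions([r".+@datashyft\.com"]),
        "Partner ADFS": compile_restrictions([r".+@partner\.example"]),
    }
    print(login_allowed(idps, "Corp SAML", "alice@datashyft.com"))        # True
    print(login_allowed(idps, "Partner ADFS", "alice@datashyft.com"))     # False
    print(validate_pattern("+@datashyft.com"))                             # error: nothing to repeat
```

With substring matching, .+@datashyft\.com also matches alice@datashyft.com.attacker.example, and with the dot left unescaped, .+@datashyft.com matches alice@datashyftxcom; whole-address matching with the escaped dot accepts only the intended domain.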
SAML Callback URL
The SAML Callback URL that is provided to the Identity Provider when setting up the trust relationship. Responses from the Identity Provider will be directed to this URL so that DataShyft can complete the user authentication.
SAML Audience URL
The SAML Audience URL is provided to the Identity Provider when setting up the trust relationship. It identifies DataShyft as the intended audience of the assertions the Identity Provider issues for this trust, so the value configured on the Identity Provider side must match this one exactly.
Last Metadata Fetch
The date and time when the metadata was last fetched.