Configuring an IDP for the Tenant
    26 Mar 2024


    Article Summary

    Setting the Identity Provider (IDP) within the Platform needs to be done at the Tenant level. This topic explains how to configure the Platform for either a PlainID Internal IDP or an External IDP.

    Connecting to an Internal or External IDP at the Tenant Level

    At the Tenant level, you can either use the internal PlainID IDP or you can configure PlainID to access your Identity Provider by selecting to use an External IDP on the Tenant. When you enable an External IDP, you can then enable multiple users from your organization to access the Platform.

    With the PlainID Internal IDP, a single user is designated as the Admin with all rights. With an External IDP configured for the Tenant, individual users can be assigned Permissions, enabling them to be either an Editor (edit/view rights) or a Viewer (view only rights).

    By default, the PlainID Internal IDP source is used.

    To configure the IDP Source:

    1. Click the Tenant Settings icon.

    2. The Tenant IDP Settings screen opens.

    3. The current IDP Source is displayed. To change the IDP Source, click Edit.

    4. Select either PlainID Internal or External IDP.

    If you select External IDP, you'll need to configure some of the parameters as explained below.

    Configuring an External IDP

    Configuring an External IDP for the Tenant involves configuration on the IDP side (in the vendor IDP's interface, for example Okta, ForgeRock, or Auth0) as well as within the Platform. Once you configure an External IDP, you will be able to add users as either editors or viewers based on the permissions you apply at the Tenant level.

    For more information, see About Permissions.

    Requirements to Configure an External IDP

    To configure an External IDP, you must provide the IDP Metadata URI from your IDP configuration. With this, you can either import the remaining IDP general settings required to use your IDP with the Platform, or you can manually enter the following OpenID Connect configuration requirements taken from your IDP source configuration:

    • Authorization URL
    • Token URL
    • Logout URL
    • JWKS URL
    • Issuer
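    The five settings listed above are exactly the fields an OIDC discovery document (the JSON served at the IDP Metadata URI) carries, which is why the Platform can import them. The following is an added example, not PlainID's code: it maps a discovery document onto those five settings and flags the things that should stop a save, namely missing required endpoints, non-https URLs, an issuer that does not match the metadata URI, and an IDP that does not advertise the openid/profile/email scopes. The discovery document and hostnames are constructed placeholders, and the mapping of form labels to discovery keys is an assumption based on the OIDC Discovery specification.

```python
import json
from urllib.parse import urlparse

# Assumed mapping from the Platform's OpenID Connect Configuration fields to
# OIDC Discovery keys; the "required" flags follow the Platform's form.
FIELD_MAP = {
    "Authorization URL": ("authorization_endpoint", False),
    "Token URL": ("token_endpoint", True),
    "Logout URL": ("end_session_endpoint", False),
    "JWKS URL": ("jwks_uri", True),
    "Issuer": ("issuer", True),
}

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed discovery document (placeholder hostnames), shaped like the JSON
# an IDP returns from its metadata URI.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/oauth2/authorize",
    "token_endpoint": "https://idp.example.test/oauth2/token",
    "end_session_endpoint": "https://idp.example.test/oauth2/logout",
    "jwks_uri": "https://idp.example.test/oauth2/keys",
    "id_token_signing_alg_values_supported": ["RS256"],
    "scopes_supported": ["openid", "profile", "email"],
})


def settings_from_discovery(metadata_uri, discovery_json):
    """Derive the Platform's IDP General Settings from a discovery document.

    Returns (settings, problems): settings maps the form labels to URLs,
    problems is a list of findings that should block the save (empty when clean).
    """
    doc = json.loads(discovery_json)
    settings, problems = {}, []

    for label, (key, required) in FIELD_MAP.items():
        value = doc.get(key)
        if not value:
            if required:
                problems.append(f"{label} missing: discovery document has no {key}")
            continue
        # Endpoints and signing keys must be fetched over TLS; a plain-http
        # jwks_uri would let an on-path attacker substitute signing keys.
        if urlparse(value).scheme != "https":
            problems.append(f"{label} is not https: {value}")
        settings[label] = value

    # OIDC Discovery 4.3: the issuer value must equal the URL the metadata was
    # fetched from, minus the well-known suffix. A mismatch means the document
    # describes a different issuer than the one you configured.
    if "Issuer" in settings:
        expected = metadata_uri.rstrip("/")
        if expected.endswith(WELL_KNOWN):
            expected = expected[: -len(WELL_KNOWN)]
        if settings["Issuer"].rstrip("/") != expected.rstrip("/"):
            problems.append(
                f"Issuer mismatch: document says {settings['Issuer']}, "
                f"metadata URI implies {expected}")

    # The Platform expects the openid, profile and email scopes in the ID
    # token; warn if the IDP advertises a scope list that does not cover them.
    advertised = doc.get("scopes_supported")
    if advertised is not None:
        missing = [s for s in ("openid", "profile", "email") if s not in advertised]
        if missing:
            problems.append("IDP does not advertise scopes: " + ", ".join(missing))
    return settings, problems


if __name__ == "__main__":
    settings, problems = settings_from_discovery(
        "https://idp.example.test" + WELL_KNOWN, SAMPLE_DISCOVERY)
    for label, url in settings.items():
        print(f"{label:18} {url}")
    print("problems:", problems or "none")
```

    Run it against the JSON you fetch from your own IDP's metadata URI; a non-empty problems list is the reason to stop and fix the IDP side before filling in the Platform form.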

    Configuring an External IDP at the Tenant Level

    1. Select Tenant Settings > Tenant IDP Settings. The Select IDP Source screen is displayed.

    2. Click Edit. The fields become editable and the External IDP option is displayed.

    3. Select External IDP. Additional sections are displayed.

    4. In the General Details section, the Redirect URI is displayed. Click Copy and save the information for when you configure the Organization's IDP to work with the Platform.

    5. Enter a Display Name for the IDP.

    6. In the IDP Application Settings section, enter the Client ID and Client Secret from your Identity source.

    7. In the Client Authentication field, choose how the Client ID and Client Secret are sent to the IDP. Options include:

    • Client Secret sent as JWT
    • Client Secret sent as basic auth
    • Client Secret sent as POST
    • JWT signed as private key
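    The four Client Authentication options differ in what actually travels to the IDP's token endpoint: with basic auth and POST the Client Secret itself is transmitted (protected only by TLS), whereas with the two JWT options the client sends a short-lived signed assertion and the secret, or private key, never leaves the Platform. The following added example, which is not PlainID's code, builds the token request for each option and includes the IDP-side check of a client-secret JWT. The correspondence between the option labels and the OIDC token_endpoint_auth_method values is an assumption, and the client id, secret, URLs and code are constructed placeholders; the private-key variant is not implemented because it needs an RSA/EC signing library.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from urllib.parse import quote

# Assumed correspondence between the Client Authentication options and the
# OIDC Core 9 token_endpoint_auth_method values.
AUTH_METHODS = {
    "Client Secret sent as JWT": "client_secret_jwt",
    "Client Secret sent as basic auth": "client_secret_basic",
    "Client Secret sent as POST": "client_secret_post",
    "JWT signed as private key": "private_key_jwt",
}
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def client_secret_jwt(client_id, client_secret, token_url, now, lifetime=60):
    """HS256 client assertion: proves possession of the secret without sending
    it. The audience is the token endpoint, the lifetime is short, and the
    jti lets the IDP reject a replayed assertion."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_url,
              "iat": now, "exp": now + lifetime, "jti": str(uuid.uuid4())}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_client_secret_jwt(assertion, client_secret, token_url, now):
    """IDP-side check of the assertion above; raises ValueError on any failure."""
    try:
        h, p, s = assertion.split(".")
    except ValueError:
        raise ValueError("assertion is not a three-part JWT")
    # Pin the algorithm instead of trusting whatever the header claims.
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(client_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), s):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("aud") != token_url:
        raise ValueError("assertion not intended for this token endpoint")
    if claims.get("exp", 0) <= now:
        raise ValueError("assertion expired")
    return claims


def build_token_request(option, client_id, client_secret, token_url, code, redirect_uri, now=None):
    """Return (headers, form) for the authorization-code exchange, presenting
    the client credential the way the selected option requires."""
    now = int(time.time()) if now is None else now
    method = AUTH_METHODS[option]
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    if method == "client_secret_basic":
        # RFC 6749 2.3.1: id and secret are form-urlencoded, then base64-encoded
        # into an Authorization header; the secret is still sent on every request.
        creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode()).decode()
    elif method == "client_secret_post":
        form["client_id"] = client_id
        form["client_secret"] = client_secret  # secret in the body, relies on TLS alone
    elif method == "client_secret_jwt":
        form["client_id"] = client_id
        form["client_assertion_type"] = ASSERTION_TYPE
        form["client_assertion"] = client_secret_jwt(client_id, client_secret, token_url, now)
    else:  # private_key_jwt
        raise NotImplementedError(
            "private_key_jwt uses the same assertion claims signed with the client's "
            "private key (for example RS256); an RSA/EC library is needed for that")
    return headers, form


if __name__ == "__main__":
    for option in list(AUTH_METHODS)[:3]:
        hdrs, body = build_token_request(option, "client-id-placeholder", "secret-placeholder",
                                         "https://idp.example.test/oauth2/token", "code-placeholder",
                                         "https://platform.example.test/callback")
        print(option, "->", sorted(body), "Authorization" in hdrs)
```

    The practical reading of this for the Tenant setting: pick one of the JWT options when your IDP supports it, since a leaked request log or proxy capture then exposes only an expired assertion rather than a reusable secret.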
    8. In the IDP General Settings section, enter the IDP Metadata URI.

    9. Alternatively, you can define the OpenID Connect Configuration settings including the:

    • Authorization URL
    • Token URL (required)
    • Logout URL
    • JWKS URL (required)
    • Issuer (required)

    10. In the Tenant Authorization Settings section, enter the Claim and Claim Value. The Claim and Claim Value enable you to define who has Admin rights in the Tenant. This claim needs to be included in the ID token passed to the Platform.

    11. Click Save.

    You can configure the Platform to work with any IDP that supports OIDC. For this configuration to be successful, the ID token passed to the Platform from the IDP must contain:

    • The claims used for permissions.
    • The default OIDC scopes openid, profile, email.
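    To make the Claim / Claim Value rule and the scope requirement concrete, here is an added example (not PlainID's code) of the decision a relying party makes once an ID token's signature has been verified against the JWKS URL: reject the token unless issuer, audience and expiry are right and the claims that the openid, profile and email scopes supply are present, then grant Admin only when the configured Claim carries the configured Claim Value. It also handles a list-valued claim such as a groups array. The token payload, issuer and client id are constructed placeholders, and the choice of sub, name and email as the representative claims of the three scopes is an assumption.

```python
# Constructed ID-token payload, as the Platform would see it after the IDP's
# signature has been verified (all values are placeholders).
SAMPLE_ID_TOKEN = {
    "iss": "https://idp.example.test",
    "aud": "plainid-platform-client",
    "sub": "u-1001",
    "exp": 1_700_003_600,
    "iat": 1_700_000_000,
    "name": "Dana Admin",          # supplied by the profile scope
    "email": "dana@example.test",  # supplied by the email scope
    "groups": ["platform-admins", "engineering"],
}

# Assumed representative claim for each of the three default scopes.
SCOPE_CLAIMS = {"openid": "sub", "profile": "name", "email": "email"}


def tenant_role(claims, admin_claim, admin_value, expected_iss, expected_aud, now):
    """Decide what an ID token grants in the Tenant.

    Returns "admin" when the configured Claim carries the configured Claim
    Value (direct match for a scalar claim, membership for a list-valued one),
    otherwise "user", meaning Editor or Viewer rights come only from the
    Permissions assigned to that user. Raises ValueError when the token must
    not be accepted at all."""
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if not (aud == expected_aud or (isinstance(aud, list) and expected_aud in aud)):
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    missing = [c for c in SCOPE_CLAIMS.values() if c not in claims]
    if missing:
        raise ValueError("ID token lacks claims from default scopes: " + ", ".join(missing))

    value = claims.get(admin_claim)
    if value is None:
        return "user"  # the admin claim was not released by the IDP at all
    if isinstance(value, list):
        return "admin" if admin_value in value else "user"
    return "admin" if value == admin_value else "user"


if __name__ == "__main__":
    role = tenant_role(SAMPLE_ID_TOKEN, "groups", "platform-admins",
                       "https://idp.example.test", "plainid-platform-client",
                       now=1_700_000_100)
    print("role for sample token:", role)
```

    The "missing claims" branch is the one to watch during rollout: if the IDP application is scoped to openid only, the token verifies fine cryptographically but the Platform has no email or profile data to work with, so users appear unauthorized rather than failing with a signature error.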
