
Identity Provider (IDP) Integration with Management Console (Enterprise)

Management Console allows for secure network Single Sign-on (SSO) with Multi-factor Authentication (MFA). It also allows for integration with your Active Directory servers and your Identity Providers (IDP) using the Security Assertion Markup Language 2.0 (SAML). With the benefit of SSO, users will be able to securely sign into Management Console without having to remember a separate Management Console password. These instructions cover configuring single sign-on with a third-party Identity Provider (IDP), which will allow for the authentication of Management Console users.

The Service Provider (SP) referenced in this topic is the Management Console, while the Identity Providers (IDP) used for reference are Okta and PingFederate. When you configure the IDP, you are using SAML 2.0 to allow the IDP to pass the authorization credentials to Management Console or any other service provider.

You can enable IDP configuration via the IDP CONFIGURATION tab on the AUTHENTICATION page.

The basic IDP flow for Management Console is shown in this flow image.

IDP Flow Diagram

Requirements

  • Management Console Enterprise License

  • IPv4 network (IDP, SSO and MFA for IPv6 currently not supported)

  • Account with an IDP Service Provider (Okta and PingFederate IDPs will be used for reference)

    • IDP Metadata XML file
  • Matching time configuration

    The date and time configurations on Management Console and your IDP must match for an IDP user to authenticate successfully to Management Console. This includes the same date, time, and time zone.

  • IDP must be enabled on Management Console. (SETTINGS > AUTHENTICATION > IDP CONFIGURATION > ON)

    IDP TAB ON

SSO Behaviors

Single Sign-on configurations for web-based applications are browser specific, and do not support cross-browser authentication. When you maintain an active browser session to an application that has been authenticated by an IDP, you will auto-login to applications authenticated by that IDP as long as the session is active.

IDP configured with SSO for Management Console and other applications (e.g. Office 365, Atlassian, ServiceNow)

When you are logged into another application and access the Management Console with the same browser, you will auto-login to Management Console without being prompted for IDP login credentials. Similarly, when you are logged into Management Console and access another application with the same browser, you will auto-login to the application without being prompted for IDP login credentials.

  • Browser session time-outs do not affect Management Console user time-out settings. You have to sign out of Management Console to close your Management Console session. This applies to both IDP and direct Management Console sign ins.

  • If your browser times out, re-launching your browser and accessing the Management Console will not prompt you for login credentials.

IDP Behaviors

  • A continuous session for an IDP user is independent of the Management Console session time out.

  • For all IDP users, the session will end by explicitly logging out of Management Console.

  • If an IDP user session expires, the IDP user's session in Management Console will not close until they log out of the existing session from Management Console. This is due to the IDP not sending a closed session notification.

  • If an IDP user session expires and the user then logs out of Management Console, then when the user logs in again with the SIGN IN WITH IDP button, the user will be redirected to the IDP login page.

  • First time sign in to Management Console using an IDP user will automatically create a Management Console user with the default Administrator role.

    Administrator default role

    An IDP created user in Management Console will not have access to the SETTINGS page nor will they be able to change the default Management Console settings.

    Administrators should consider changing the default IDP user role to System Administrator to provide access to SETTINGS and have the session timeout disabled.

Logging Out

  • Logging out of a Management Console session only terminates the local Management Console session and does not affect the IDP session, nor sessions at other SPs where the IDP user may have been logged in using SSO.

  • Logging out of a Management Console session using the dashboard LOGOUT link will close the user session and redirect the user to the Management Console login page.

  • Using the Sign In With IDP button after logging out from the same browser will redirect the user to the Management Console dashboard page without redirecting to the IDP login page, as the IDP session is still active.

  • All Management Console sessions in all browsers will close when a user logs out from any Management Console IDP connected session.

  • Logging out of an IDP session will redirect the user to the IDP login page when using the Sign In With IDP button.

Roles and Permissions

  • The default IDP role is Administrator and can be changed by any user with the System Administrator role.

  • Management Console created/edited user roles do not affect the IDP.

  • IDP created/edited user roles do not affect Management Console.

Management Console IDP Configuration

Prior to configuring the IDP for Management Console, you will need an IDP service that you can manage. Complete the referenced Okta or PingFederate configuration prior to performing the next steps. Okta Reference | PingFederate Install Reference & PingFederate Configuration Reference

  1. Download the IDP metadata XML file from your IDP and upload this to Management Console. (See Okta reference here)

    XML metadata file validation

    To confirm the IDP metadata.xml file is valid, ensure the following:

    • The Metadata XML file, Attributes, and Tags are not empty

    • The file contains starting and ending tags

    • The contained signing certificate is valid

    • The file does not contain a <RoleDescriptor> tag

  2. Enter the Assertion Consumer Service URL.

    The Assertion Consumer Service URL should be the same as the single sign-on URL in the IDP configuration, and it must be entered in the following format: https://<MC_FQDN/MC_IP_ADDRESS>/saml/SSO.

  3. Enter the SP Entity ID.

    This ID will be any unique string specified in the IDP configuration to identify the Management Console application as a service provider connection.

  4. Update the Encryption Certificate on Management Console.

    By default, a self-signed certificate is available in Management Console which you can update at any time. You can use any of the following certificates when updating your Management Console certificate:

    • The default Management Console Certificate: Select the Revert Self-Signed Certificate button to have all the proper configurations using the default Management Console certificate applied. The Management Console will reset and be offline for a short period of time.

    • CA Signed Certificate: Select the Update Certificate button and then individually upload the Encryption Certificate, Encryption Private Key, and the Encryption Chain.

    • Self-Signed Certificate: Select the Update Certificate button and then individually upload the Encryption Certificate, Encryption Private Key, and the Encryption Chain.

    Update Certificate for IDP

  5. Download the Encryption Certificate used in step 4 which will be required in your IDP configuration.

  6. Use the Save Configuration button to save the IDP SAML configuration.
    This will cause the Management Console to restart and present the additional SIGN IN WITH IDP option on the Management Console sign in page.

  7. Download the Service Provider (SP)/Management Console metadata XML file by using the Download SP Metadata button. This button becomes active once the SAML configuration is enabled after performing step 6. See Okta - Obtaining IDP Metadata File

  8. Sign in to the Management Console using the SIGN IN WITH IDP button.
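The following script is an added example, not part of this product documentation or the Management Console itself. It runs the pre-upload checks that steps 1 and 2 describe against an IDP metadata XML file before you hand it to Management Console: the file is not empty, its tags open and close properly, a signing <X509Certificate> is present and decodes as DER, no <RoleDescriptor> element is present, and the Assertion Consumer Service URL has the https://<MC_FQDN/MC_IP_ADDRESS>/saml/SSO shape. The certificate check is structural only (base64 plus the outer ASN.1 SEQUENCE framing) and does not replace a chain or expiry check. The embedded sample metadata, the idp.example.test host names and the dummy certificate bytes are constructed for the example.

```python
"""Pre-upload checks for an IdP metadata XML file and the ACS URL.

Added example, not part of the product documentation. Standard library only;
the certificate test is structural (base64 + outer ASN.1 SEQUENCE framing),
not a chain or expiry validation.
"""
import base64
import binascii
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"  # SAML 2.0 metadata namespace
DS_NS = "http://www.w3.org/2000/09/xmldsig#"    # XML Signature namespace


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def der_sequence_ok(blob):
    """True if blob is exactly one DER SEQUENCE (the outer X.509 framing)."""
    if len(blob) < 4 or blob[0] != 0x30:
        return False
    first = blob[1]
    if first < 0x80:                      # short-form length
        declared, header = first, 2
    else:                                 # long-form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or len(blob) < 2 + n:
            return False
        declared = int.from_bytes(blob[2:2 + n], "big")
        header = 2 + n
    return header + declared == len(blob)


def validate_idp_metadata(xml_text):
    """Return a list of problems; an empty list means the file passed."""
    if not xml_text or not xml_text.strip():
        return ["metadata file is empty"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:          # missing or mismatched tags land here
        return ["XML is not well-formed: %s" % exc]

    problems = []
    if _local(root.tag) != "EntityDescriptor":
        problems.append("root is <%s>, expected <EntityDescriptor>" % _local(root.tag))
    if not root.get("entityID", "").strip():
        problems.append("entityID attribute is missing or empty")
    for elem in root.iter():
        if _local(elem.tag) == "RoleDescriptor":
            problems.append("<RoleDescriptor> present; Management Console rejects it")
        for attr, value in elem.attrib.items():
            if not value.strip():
                problems.append("empty attribute %s on <%s>" % (attr, _local(elem.tag)))

    idp = root.find("{%s}IDPSSODescriptor" % MD_NS)
    if idp is None:
        return problems + ["no <IDPSSODescriptor> element"]
    certs = []
    for kd in idp.findall("{%s}KeyDescriptor" % MD_NS):
        if kd.get("use", "signing") == "signing":   # no 'use' means signing+encryption
            certs += [(c.text or "") for c in kd.iter("{%s}X509Certificate" % DS_NS)]
    if not certs:
        problems.append("no signing <X509Certificate> in IDPSSODescriptor")
    for cert in certs:
        try:                               # metadata usually line-wraps the base64
            der = base64.b64decode("".join(cert.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append("signing certificate is not valid base64")
            continue
        if not der_sequence_ok(der):
            problems.append("signing certificate is not a complete DER SEQUENCE")
    return problems


def acs_url_ok(url):
    """True if url is https://<MC_FQDN or IP>/saml/SSO with nothing extra."""
    parts = urlsplit(url)
    return (parts.scheme == "https" and bool(parts.hostname)
            and parts.path == "/saml/SSO" and not parts.query and not parts.fragment)


# Constructed sample metadata; the certificate is a DER-framed dummy, not a real key.
FAKE_CERT_B64 = base64.b64encode(b"\x30\x82\x01\x00" + bytes(256)).decode()
SAMPLE_METADATA = (
    '<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="https://idp.example.test/metadata">'
    '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
    '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
    '<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"'
    ' Location="https://idp.example.test/sso"/>'
    '</md:IDPSSODescriptor></md:EntityDescriptor>' % (MD_NS, DS_NS, FAKE_CERT_B64)
)

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    for p in validate_idp_metadata(text) or ["metadata OK"]:
        print(p)
```

Run it as `python check_metadata.py idp-metadata.xml`; with no argument it checks the embedded sample. A non-empty list of problems means the file would most likely be rejected at upload, and the messages point at which of the listed conditions failed.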