How do I configure a remote identity provider?

Purpose

NSP can use OpenID Connect and SAML identity providers for user authentication to NSP. You can configure an OpenID Connect or SAML server in NSP. After you have enabled and submitted an IDP configuration in NSP, a cross-launch link to the IDP appears on the NSP login page. If you configure multiple IDP instances, there will be a list of cross-launch links at login.

Once IDP configuration is complete, users or IDP administrators can configure direct URL access into NSP; see How do I configure a direct URL to NSP for IDP users?.

The parameters you encounter for each IDP protocol are described at the bottom of this topic.

Note: The following URL provides the NSP Keycloak metadata that a SAML or OpenID Connect IDP can use to register NSP as a client:

https://<NSP_IP_Address>/auth/realms/Nokia/broker/<IDP_name_or_alias>/endpoint/descriptor

Steps

1. Open Users and System Security.

2. Click More Actions, Settings.

3. In the Users and System Security Settings form, click Identity Provider.

4. In the Identity Provider form, click + Server.

5. In the Select Protocol form, type a name for the IDP in the Displayed Name field.

   This name appears as a redirect link on the NSP Login page.

6. Specify the authentication protocol for the IDP in the Select Protocol menu.

   Additional authentication parameters appear in the GUI, based on the protocol you selected.

7. Do one of the following:

   • For a SAML IDP, complete Step 8.

   • For an OpenID Connect IDP, complete Step 9.

8. Configure the SAML IDP parameters:

   1. Configure the connection parameters using the values specific to the remote SAML IDP.

   2. Click Test Connection to read the IP address/hostname from the configuration and verify the SAML IDP reachability with a ping test. This ensures that the IDP is online and accessible from your network.

   3. Turn on the Enable SAML Authentication option if you want NSP to connect to the SAML IDP immediately.

9. Configure the OpenID Connect IDP parameters:

   1. Configure the connection parameters using the values specific to the remote OpenID Connect IDP.

      If you configure multiple OpenID Connect IDPs, each one must have a unique IP address or hostname.

   2. Update the NSP TLS certificate for OpenID Connect remote authentication; see How do I update the NSP TLS certificate for remote authentication?.

   3. Click Test Connection to read the IP address/hostname from the configuration and verify the OpenID Connect IDP reachability with a ping test. This ensures that the IDP is online and accessible from your network.

   4. Turn on the Enable OpenID Connect Authentication parameter if you want NSP to connect to the OpenID Connect identity provider immediately.

10. Click Submit to save the identity provider configuration.

End of steps

SAML parameters

GUI Order

In an NSP deployment with multiple IDPs, this integer specifies the position of the SAML IDP redirect link in the link list on the NSP Login page.

Alias

The alias is a unique identifier for the SAML IDP, and is used to build the redirect URI.

Entity ID

The Entity ID is a unique identifier for the SAML service provider.

IDP Entity ID

The IDP Entity ID is used to validate the issuer of received SAML assertions. If empty, no issuer validation is performed.

Single Sign On Service Url

The URL used to send authentication requests (SAML AuthnRequest).

OpenID Connect parameters

GUI Order

In an NSP deployment with multiple IDPs, this integer specifies the position of the OpenID Connect IDP redirect link in the link list on the NSP Login page.

Alias

The alias is a unique identifier for the OpenID Connect IDP, and is used to build the redirect URI.

Client ID

The client identifier registered with the IDP.

Client Secret

The client secret registered with the IDP.

Authorization URL

The URL to which users are redirected to authenticate; it initiates the OIDC authentication flow.

JWKS Url

URL used to retrieve public keys required to verify identity tokens for OIDC authentication.

Token Url

The endpoint in the OIDC flow that issues the tokens after successful authentication.

User Info Url

URL used to retrieve authenticated user profile information after successful authentication via OIDC.
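The four URL parameters above correspond to standard keys in an OpenID Connect discovery document (`/.well-known/openid-configuration`), which is the usual source for these values. The following Python script is an added example, not NSP code: it maps a constructed sample discovery document (the `login.example.test` host is a placeholder) to the form field names, rejects documents with missing or non-HTTPS endpoints, and checks the uniqueness rule from Step 9 across several configured IDPs. Which hostname the form compares for uniqueness is not stated in this topic; the script assumes the issuer's host.

```python
"""Map an OpenID Connect discovery document to the OpenID Connect IDP form fields.

Added example for this topic, not NSP's own code. The discovery document
below is a constructed sample; a real one is served by the IdP at
<issuer>/.well-known/openid-configuration.
"""
import json
from urllib.parse import urlsplit

# Form field name (from this topic) -> discovery-document key.
FIELD_MAP = {
    "Authorization URL": "authorization_endpoint",
    "Token Url": "token_endpoint",
    "JWKS Url": "jwks_uri",
    "User Info Url": "userinfo_endpoint",
}

# Constructed sample discovery document.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://login.example.test",
    "authorization_endpoint": "https://login.example.test/oauth2/authorize",
    "token_endpoint": "https://login.example.test/oauth2/token",
    "jwks_uri": "https://login.example.test/oauth2/keys",
    "userinfo_endpoint": "https://login.example.test/oauth2/userinfo",
    "response_types_supported": ["code"],
})


def oidc_form_values(discovery_json: str) -> dict:
    """Return the form values plus issuer and host, or raise ValueError."""
    doc = json.loads(discovery_json)
    missing = [k for k in ("issuer", *FIELD_MAP.values()) if not doc.get(k)]
    if missing:
        raise ValueError(f"discovery document lacks: {', '.join(missing)}")

    values = {}
    for field, key in FIELD_MAP.items():
        url = doc[key]
        # Tokens and keys must only travel over TLS; reject plain-HTTP endpoints.
        if urlsplit(url).scheme != "https":
            raise ValueError(f"{field} is not HTTPS: {url}")
        values[field] = url
    values["issuer"] = doc["issuer"]
    # Assumption: the hostname NSP compares for uniqueness is the issuer's host.
    values["host"] = urlsplit(doc["issuer"]).hostname
    return values


def duplicate_hosts(configs) -> set:
    """Hosts used by more than one OpenID Connect IDP; Step 9 requires them to be unique."""
    seen, dups = set(), set()
    for cfg in configs:
        if cfg["host"] in seen:
            dups.add(cfg["host"])
        seen.add(cfg["host"])
    return dups


if __name__ == "__main__":
    values = oidc_form_values(SAMPLE_DISCOVERY)
    for field in FIELD_MAP:
        print(f"{field}: {values[field]}")
    print("duplicate hosts:", duplicate_hosts([values]))
```

The JWKS Url is the one NSP fetches on its own to verify identity-token signatures, so it is the endpoint for which the TLS certificate update in Step 9 matters most; the script therefore treats a plain-HTTP value for any of the four URLs as a configuration error rather than a warning.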