How do I configure a remote identity provider?

Purpose

NSP can use OpenID Connect and SAML identity providers for user authentication to NSP. You can configure an OpenID Connect or SAML server in NSP. After you have enabled and submitted an IDP configuration in NSP, a cross-launch link to the IDP appears on the NSP login page. If you configure multiple IDP instances, there will be a list of cross-launch links at login.

Once IDP configuration is complete, users or IDP administrators can configure direct URL access into NSP; see How do I configure a direct URL to NSP for IDP users?

The parameters you encounter for each IDP protocol are described at the bottom of this topic.

Steps

1

Open Users and system security.

2

Click More actions, Settings.

3

In the Users and System security settings form, click Identity provider.

4

The Identity provider form displays a list of any configured IDP servers. If you click More, Show Metadata on a SAML IDP server item in the list, the complete SAML service provider metadata is displayed in XML format in a popup window. You can copy the metadata to the clipboard and paste it into a new SAML IDP server configuration.

5

Click + Server.

6

In the Select protocol form, type a name for the IDP in the Displayed name field.

This name appears as a redirect link on the NSP login page.

7

Specify the authentication protocol for the IDP in the Select protocol menu.

Additional authentication parameters appear in the GUI, based on the protocol you selected.

8

Do one of the following:

  • For a SAML IDP, complete Step 9.

  • For an OpenID Connect IDP, complete Step 10.

9

Configure the SAML IDP parameters:

  1. Configure the connection parameters using the values specific to the remote SAML IDP.

  2. Click Test Connection to read the IP address/hostname from the configuration and verify that the SAML IDP is reachable. This confirms that the IDP is online and accessible from the NSP network. Because the test reads only the IP address or hostname, a successful result does not confirm that the remaining parameters (entity IDs, bindings, certificates) are correct; those are exercised only by an actual login.

  3. Turn on the Enable SAML authentication option if you want NSP to connect to the SAML IDP immediately.

10

Configure the OpenID Connect IDP parameters:

  1. Configure the connection parameters using the values specific to the remote OpenID Connect IDP.

    If you configure multiple OpenID Connect IDPs, each one must have a unique IP address or hostname.

  2. Update the NSP TLS certificate for OpenID Connect remote authentication; see How do I update the NSP TLS certificate for remote authentication?

  3. Click Test Connection to read the IP address/hostname from the configuration and verify that the OpenID Connect IDP is reachable. This confirms that the IDP is online and accessible from the NSP network. As for SAML, the test confirms reachability only; it does not check the client ID, client secret or endpoint URLs.

  4. Turn on the Enable openID connect authentication option if you want NSP to connect to the OpenID Connect IDP immediately.

11

Click Submit to save the identity provider configuration.

End of steps

SAML parameters

GUI order

In an NSP deployment with multiple IDPs, this integer specifies the position of the SAML IDP redirect link in the link list on the NSP login page.

Alias

The alias is a unique identifier for the SAML IDP within NSP, and is used to build the redirect URI to which the IDP returns SAML responses. Choose it before you exchange metadata with the IDP: changing the alias later changes the URI, and the IDP configuration must then be updated to match.

Entity ID

The entity ID is the unique identifier of NSP as the SAML service provider. The IDP identifies NSP by this value, so it must match the entityID in the service provider metadata that NSP displays (More, Show Metadata).

IDP entity ID

The IDP entity ID is used to validate the issuer of received SAML assertions. If empty, no issuer validation is performed, which removes the check that an assertion actually came from the configured IDP; set it in production deployments.

Single sign on service URL

The URL used to send authentication requests (SAML AuthnRequest).

Enable HTTP-POST binding for AuthnRequest

Option to send the SAML AuthnRequest to the IDP with the HTTP-POST binding, in which the request is carried in the body of an HTTP POST submitted by the browser rather than in the URL query string (HTTP-Redirect binding).

Enable HTTP-POST binding response

Option to receive the SAML Response with the HTTP-POST binding, in which the response is carried in the body of an HTTP POST from the browser to NSP.

Allowed clock skew (seconds)

Allowed time difference between the IDP and NSP system clocks that is tolerated when validating the timestamps in identity provider tokens. Default value is zero, which means any clock drift between the two systems can cause assertions to be rejected as not yet valid or expired. Keep both systems synchronized with NTP rather than compensating with a large skew value, because a large tolerance extends the window in which a captured assertion remains valid.
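The following script is an added example, not NSP code, showing how a practitioner can inspect the service provider metadata that NSP displays under More, Show Metadata and cross-check it against the SAML form values above (Entity ID, Enable HTTP-POST binding response). The metadata string is constructed for illustration: the element names follow the SAML 2.0 metadata schema, but the hostname, paths, the "corp-saml" alias segment and the certificate body are placeholders, and NSP's real metadata may contain elements not shown here.

```python
"""Inspect SAML 2.0 service provider metadata and cross-check it against the
values entered in the NSP SAML IDP form.

Added example for this page, not NSP code.  SAMPLE_SP_METADATA is CONSTRUCTED:
element names follow the SAML 2.0 metadata schema, but hostname, paths, alias
and certificate are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample.  "corp-saml" stands in for the alias that the page says is
# used to build the redirect URI; the exact path layout is an assumption.
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://nsp.example.net/saml/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBplaceholderCertificateBody==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://nsp.example.net/saml/corp-saml/endpoint"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Extract the fields an IDP administrator needs when registering NSP."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor; this is not service provider metadata")
    acs = [
        {"index": int(e.get("index", "0")), "binding": e.get("Binding"),
         "location": e.get("Location"), "default": e.get("isDefault") == "true"}
        for e in sp.findall("md:AssertionConsumerService", NS)
    ]
    certs = [
        c.text.strip()
        for c in sp.findall("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if c.text
    ]
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "acs": acs,
        "signing_certs": certs,
    }


def check_form_values(meta: dict, entity_id: str, post_binding_response: bool) -> list:
    """Return human-readable mismatches between the metadata and the form values.

    An empty list means the metadata agrees with what was typed into the form."""
    issues = []
    if meta["entity_id"] != entity_id:
        issues.append("Entity ID %r does not match metadata entityID %r"
                      % (entity_id, meta["entity_id"]))
    if post_binding_response and not any(a["binding"] == HTTP_POST for a in meta["acs"]):
        issues.append("HTTP-POST binding response is enabled but no "
                      "AssertionConsumerService advertises the HTTP-POST binding")
    if meta["authn_requests_signed"] and not meta["signing_certs"]:
        issues.append("AuthnRequestsSigned is true but no signing certificate is published")
    return issues


if __name__ == "__main__":
    meta = parse_sp_metadata(SAMPLE_SP_METADATA)
    print("entityID:", meta["entity_id"])
    for a in meta["acs"]:
        print("ACS %d %s -> %s" % (a["index"], a["binding"].rsplit(":", 1)[-1], a["location"]))
    # Deliberately wrong Entity ID to show what a mismatch report looks like.
    for issue in check_form_values(meta, "https://nsp.example.net/saml/wrong", True):
        print("MISMATCH:", issue)
```

Run it against the metadata copied from the Show Metadata popup (paste it in place of the constructed sample) before sending the metadata to the IDP administrator; the Entity ID typed into the form and the entityID in the metadata must be identical, and the binding advertised at the assertion consumer service must match the HTTP-POST binding response setting.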

OpenID Connect parameters

GUI order

In an NSP deployment with multiple IDPs, this integer specifies the position of the OpenID Connect IDP redirect link in the link list on the NSP login page.

Alias

The alias is a unique identifier for the OpenID Connect IDP within NSP, and is used to build the redirect URI. The IDP must have exactly this redirect URI registered for the NSP client, so choose the alias before registering the client and do not change it afterwards.

Client ID

The client identifier that NSP presents to the IDP, as assigned when NSP was registered as an OpenID Connect client at the IDP.

Client secret

The client secret issued by the IDP for that client. It authenticates NSP to the IDP, so treat it as a credential: if it is rotated at the IDP, update it here as well.

Authorization URL

The IDP authorization endpoint. NSP redirects the user's browser to this URL to initiate the OIDC authentication flow.

JWKS URL

The IDP JWKS (JSON Web Key Set) endpoint. NSP retrieves the IDP's public signing keys from this URL to verify the signature of the ID tokens it receives; NSP must be able to reach it directly.

Token URL

The IDP token endpoint. After the user authenticates at the Authorization URL, NSP calls this endpoint to obtain the ID and access tokens.

User info URL

The IDP userinfo endpoint. NSP calls it after successful authentication to retrieve the authenticated user's profile information.
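The script below is an added example, not NSP code, covering two things from this page: it maps an IDP's discovery document onto the four endpoint fields of the OpenID Connect form (Authorization URL, Token URL, JWKS URL, User info URL), and it validates an ID token the way the clock-skew parameter described for SAML above is meant to work, showing why a token from an IDP whose clock is 30 seconds behind is rejected with skew 0 and accepted with skew 60. Everything in it is constructed: the issuer, client ID, client secret and discovery document are placeholders, and the sample tokens are signed with HS256 using the client secret (which OIDC permits for confidential clients) so that the example needs no JOSE library; real IDPs normally sign ID tokens with RSA or EC keys published at the JWKS URL, which this stdlib-only code does not verify.

```python
"""Derive the NSP OpenID Connect endpoint parameters from an IDP discovery
document and validate an ID token with an allowed clock skew.

Added example for this page, not NSP code.  DISCOVERY and the tokens are
CONSTRUCTED; tokens are HS256-signed with the client secret to stay
dependency-free (real IDPs usually use RSA/EC keys from the JWKS URL).
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://idp.example.net"            # placeholder IDP
CLIENT_ID = "nsp-oidc-client"                 # assumed client ID registered at the IDP
CLIENT_SECRET = "constructed-secret-do-not-reuse"
SAMPLE_NOW = 1_700_000_000                    # fixed "current time" for reproducible checks

# Constructed discovery document, as an IDP serves at <issuer>/.well-known/openid-configuration.
DISCOVERY = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/oauth2/authorize",
    "token_endpoint": ISSUER + "/oauth2/token",
    "userinfo_endpoint": ISSUER + "/oauth2/userinfo",
    "jwks_uri": ISSUER + "/oauth2/keys",
}


def nsp_oidc_params(discovery: dict) -> dict:
    """Map discovery fields onto the NSP form fields of the same meaning."""
    return {
        "Authorization URL": discovery["authorization_endpoint"],
        "Token URL": discovery["token_endpoint"],
        "JWKS URL": discovery["jwks_uri"],
        "User info URL": discovery["userinfo_endpoint"],
    }


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256_token(claims: dict, secret: str) -> str:
    """Build a JWT signed with HS256; used only to construct sample tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), (header + "." + payload).encode("ascii"), hashlib.sha256).digest()
    return header + "." + payload + "." + _b64url_encode(sig)


def sample_token(seconds_past_expiry: int) -> str:
    """Constructed ID token whose exp lies the given number of seconds before SAMPLE_NOW."""
    return mint_hs256_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "alice",
                             "iat": SAMPLE_NOW - 300 - seconds_past_expiry,
                             "exp": SAMPLE_NOW - seconds_past_expiry}, CLIENT_SECRET)


def validate_id_token(token, secret, issuer, client_id, allowed_skew=0, now=None):
    """Return the claims if the token is acceptable, else raise ValueError.

    allowed_skew plays the role of the NSP "Allowed clock skew" parameter."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; never let the token choose (rejects alg=none and key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret.encode(), (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch: %r" % claims.get("iss"))
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch: %r" % aud)
    if "exp" not in claims or now >= claims["exp"] + allowed_skew:
        raise ValueError("token expired")
    for name in ("iat", "nbf"):            # timestamps that must not lie in the future
        if name in claims and claims[name] - allowed_skew > now:
            raise ValueError("%s is in the future" % name)
    return claims


def check_token(token, secret, issuer, client_id, allowed_skew=0, now=None) -> dict:
    """Non-raising wrapper: {"ok": True, "claims": ...} or {"ok": False, "error": ...}."""
    try:
        return {"ok": True, "claims": validate_id_token(token, secret, issuer, client_id, allowed_skew, now)}
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    for name, url in nsp_oidc_params(DISCOVERY).items():
        print("%-18s %s" % (name, url))
    # IDP clock 30 s behind NSP: the token looks 30 s past expiry to NSP.
    print("skew 0 :", check_token(sample_token(30), CLIENT_SECRET, ISSUER, CLIENT_ID, 0, SAMPLE_NOW))
    print("skew 60:", check_token(sample_token(30), CLIENT_SECRET, ISSUER, CLIENT_ID, 60, SAMPLE_NOW))
```

The validation order matters: the signature is checked with the pinned algorithm before any claim is trusted, then issuer and audience, then the time window widened by the skew in both directions. Widening the window is the only effect of the skew parameter, which is why it should cover clock drift and nothing more.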