Creating and modifying identity providers

An Identity Provider (IdP) is typically set up shortly after installing the Access Management software. You can modify this IdP, as needed, such as to complete or adjust the access settings for the various applications. You can also configure additional IdPs. Access Management supports as many IdPs as needed for each implementation of Tridion Sites.

Before you begin

If you will be configuring an IdP to use OpenID Connect or SAML, you must first have registered Access Management as an application in the provider's configuration website.

Work in Access Management requires that you be an authorized user. If you do not have access and require it, contact your System Administrator.

About this task

The following procedure summarizes the process of configuring an IdP for the various Tridion Sites applications. Refer to the related topics for details on performing the different steps.

Procedure

  1. From the slide-out navigation, select Access Management.

    The Identity providers tab shows a list of existing IdPs. You can select an existing IdP for editing, or use the Add identity provider button to create a new one using the wizard.

  2. Define General settings. This information tells Access Management how to connect to an external IdP. The required settings vary by authentication type and by the specific IdP. Refer to the related topics to review the information that will be required, and obtain the necessary values from the IdP administrator.
  3. Define Forwarded claims. These are claims that you want forwarded from the external identity provider (IdP). Whether you need to add claims to this section depends on the design of the integration between the IdP and your applications. Access Management.
  4. Define Access settings. These settings define end user and API access for one or more applications. In simplest terms, the claims defined on the left represent what must be present in a token in order to grant access to the applications and roles selected on the right side.
    1. First, define a claim, which you can do in two basic ways:
      • Define a specific claim that gives access only to users (or to an API) who have a specific value present in their token. With this method, use the Type and Value fields to define type:value pairs, where the type is the name of the claim in the external IdP and the value is the value that the claim must have in order for Access Management to give the user access. Note that the format of the value depends on the IdP.
      • Define a general, or "global" claim, that gives the same access to all valid, authenticated users. Select the option to Make selected settings global. Any user who successfully logs in through the IdP will be able to access the selected applications.
    2. Next, select one or more applications from the Applications list. When the token contains the claims you defined in the previous step, the user or API will have general access to these applications.
    3. Lastly, select one or more roles that will be granted when the claims are present in the token. When the token contains the claims you defined in step a, the user or API will be assigned this role (or roles) in the application. Note that the available roles, and how they are used, vary across the different applications.

    Repeat steps a to c as needed to define the access you require. Note that you can combine the two methods (specific and global) and can define as many type:value pairs as needed, but you can have only one global setting.

  5. Select Save.
    Access Management returns you to the list of identity providers.
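To make the Access settings model in step 4 concrete, here is an added illustration (not Access Management's own code) of how type:value pairs, a single global setting, applications and roles combine to decide what a token grants. The application names, claim types and claim values are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Union

@dataclass(frozen=True)
class AccessSetting:
    """One Access settings row. claim_type=None models 'Make selected settings global'.
    Hypothetical model of the behaviour the procedure describes, not product code."""
    applications: frozenset
    roles: frozenset
    claim_type: Optional[str] = None   # name of the claim in the external IdP
    claim_value: Optional[str] = None  # exact value the claim must carry (IdP-specific format)

    @property
    def is_global(self) -> bool:
        return self.claim_type is None

def settings_are_valid(settings: Iterable[AccessSetting]) -> bool:
    # Page rule: any number of type:value pairs, but at most one global setting.
    return sum(1 for s in settings if s.is_global) <= 1

def evaluate_access(token_claims: Dict[str, Union[str, list]],
                    settings: Iterable[AccessSetting]) -> Dict[str, Set[str]]:
    """Return {application: roles} granted to an already validated, authenticated token.
    Signature/issuer checks are assumed to have happened before this point."""
    settings = tuple(settings)
    if not settings_are_valid(settings):
        raise ValueError("only one global access setting is allowed")
    granted: Dict[str, Set[str]] = {}
    for s in settings:
        if s.is_global:
            matched = True  # every user who logged in through this IdP
        else:
            present = token_claims.get(s.claim_type, ())
            values = (present,) if isinstance(present, str) else tuple(present)
            matched = s.claim_value in values  # exact match, no substring or case folding
        if matched:
            for app in s.applications:
                granted.setdefault(app, set()).update(s.roles)
    return granted

# Constructed sample: two specific rules on a 'groups' claim, one global rule.
SAMPLE_SETTINGS = (
    AccessSetting(frozenset({"app-content"}), frozenset({"Editor"}), "groups", "cm-editors"),
    AccessSetting(frozenset({"app-content"}), frozenset({"Administrator"}), "groups", "cm-admins"),
    AccessSetting(frozenset({"app-portal"}), frozenset({"User"})),  # global setting
)
```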