Add an identity provider for Conditional Access
In this topic, you will find general instructions on how to add an identity provider that will be used by Portnox™ Conditional Access for Applications.
Create a new identity provider configuration in Portnox Cloud
In this section, you will create a new identity provider configuration in Portnox Cloud.
- In a new tab of your browser, open your Portnox Cloud account by accessing the following URL: https://clear.portnox.com/
  From now on, we will call this tab the Portnox tab.
- In the Cloud portal top menu, click on the Settings option.
- In the Cloud portal left-hand side menu, click on the menu option.
- Click on the Add a new identity provider link and select the Add a SAML identity provider option.
- In the Identity provider details section, enter an Identity provider name and optionally a Description.
- Keep this browser tab open. You will need it later.
Create a new identity provider application
In this section, you will access the administrative interface of your identity provider, and use it to create a new application that will handle integration with Portnox Cloud.
- In another tab of your browser, open your web identity provider’s administrative interface.
  From now on, we will call this tab the provider tab.
- In your web identity provider’s administrative interface, find the configuration options for creating a new single sign-on application or a new single sign-on integration.
- Configure initial settings for the new application or integration. Your administrative screen should show a set of configuration fields that need to be filled, and a set of fields with pre-filled values and optionally a copy button.
Copy configuration values from the Portnox tab to the provider tab
In this section, you will copy the values displayed by Portnox Cloud and paste them in the relevant fields in the identity provider application setup section.
- In the Portnox tab, in the Integration settings section, click on the ⧉ icon next to the Identifier (Entity ID) / Issuer URI field to copy the value.
- In the provider tab, paste the value copied from Portnox Cloud in a field used to uniquely identify the identity provider in SSO transactions. For example: Identifier, Issuer, Audience, Entity ID, SP Entity ID, Provider ID, Issuer’s Entity ID, Issuer Identifier, Issuer URL, or Audience URI.
- In the Portnox tab, in the Integration settings section, click on the ⧉ icon next to the Assertion Consumer Service URL / Single Sign-on URL field to copy the value.
- In the provider tab, paste the value copied from Portnox Cloud in a field that specifies the URL to which the identity provider sends its response after authenticating a user. For example: Reply URL, Callback URL, Sign-in URL, Recipient URL, Single Sign-On URL, Application Callback URL, Consumer Service URL, Assertion Consumer URL, Assertion Consumer Service URL, ACS URL, Assertion Consumer Service Endpoint, ACS Endpoint, or SSO Endpoint.
Copy configuration values from the provider tab to the Portnox tab
In this section, you will copy the values displayed by the identity provider application setup section and paste them in the relevant fields in Portnox Cloud.
- In the provider tab, copy the value of a field that specifies the URL to which users are redirected for authentication. For example: Login URL, Sign-On URL, Single Sign-On URL, SSO URL, Sign-In URL, Sign-In Page URL, Login Redirect URL, Login Endpoint URL, SSO Service URL, SSO Initialization URL, SAML Consumer URL, or SAML Recipient URL.
- In the Portnox tab, in the Identity provider properties section, click on the empty field under the Login / Sign on URL heading and paste the copied value.
- In the provider tab, copy the value of a field used to identify the issuing entity of the SSO tokens. For example: Issuer, Issuer ID, Issuer URL, Directory ID, Entity ID, Provider URL, Identity Provider Issuer, Identity Provider Entity ID, or Microsoft Entra Identifier.
- In the Portnox tab, in the Identity provider properties section, click on the empty field under the Microsoft Entra Identifier / Issuer heading and paste the copied value.
- In the provider tab, search for a section containing a certificate.
  You may have an option to download a certificate file or copy the certificate in Base64 format. You can use either of those options.
- In the Portnox tab, find the certificate section and click on the Add certificate link. Select the Insert certificate option if you copied the Base64 certificate, or the Upload certificate file option if you downloaded a certificate file, and then follow up accordingly to paste the certificate content or upload the certificate file.
- When finished, in the Portnox tab, scroll all the way down to the end of the page, and then click on the Save button.
Set up SAML attribute mapping
Set up the mapping between user attributes in the identity provider repository and attributes in the SAML assertion.
- In your identity provider application configuration, find the section for configuring SAML attribute mapping.
- Map the primary email of the user in the identity provider repository to the email SAML attribute.
- Optional: Map the primary email of the user in the identity provider repository to the eduPersonPrincipalName attribute.
  Note: This mapping is required by some applications such as Datadog.
Result: You have added an identity provider for Portnox Conditional Access for Applications.
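As an added example that is not part of this Portnox topic, the following Python reads the three values the procedure copies from the provider tab (Issuer, Login URL and signing certificate) out of a constructed sample of SAML identity provider metadata, and checks a constructed assertion for the email and eduPersonPrincipalName attribute mapping from the last section. The idp.example.test URLs and the stub certificate blob are made-up values, not anything from Portnox or a real identity provider.

```python
import base64
import xml.etree.ElementTree as ET
# XML namespaces used by SAML 2.0 metadata and assertions.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample IdP metadata: hypothetical issuer, login URL and a stub certificate blob.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBCg==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.test/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample assertion carrying the two attributes the mapping section asks for.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
 <saml:AttributeStatement>
  <saml:Attribute Name="email"><saml:AttributeValue>user@example.test</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="eduPersonPrincipalName"><saml:AttributeValue>user@example.test</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def extract_idp_settings(metadata_xml):
    """Return the Issuer, the Login URL and a DER sanity check of the signing certificate."""
    root = ET.fromstring(metadata_xml)
    sso = root.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
    cert_b64 = root.findtext(
        "md:IDPSSODescriptor/md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    cert_der = base64.b64decode("".join(cert_b64.split()))  # tolerate line-wrapped Base64
    return {
        "issuer": root.get("entityID"),            # goes under Microsoft Entra Identifier / Issuer
        "login_url": sso.get("Location"),          # goes under Login / Sign on URL
        "certificate_is_der": cert_der[:1] == b"\x30",  # DER certificates start with a SEQUENCE tag
    }

def check_attribute_mapping(assertion_xml, expected_issuer):
    """Report whether the assertion issuer matches and which expected attributes are missing."""
    root = ET.fromstring(assertion_xml)
    names = {a.get("Name") for a in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    return {
        "issuer_matches": root.findtext("saml:Issuer", namespaces=NS) == expected_issuer,
        "missing": sorted({"email", "eduPersonPrincipalName"} - names),
    }
```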