Adding an IdP connection

Before you begin

Download your IdP's metadata file to your computer.

Note: If you plan to use LDAP groups for authorization, set up the LDAP connection first.

About this task

IdP connections can be used for SOTI MobiControl console authentication and (if backed by LDAP) to enroll devices.

To add an IdP connection to SOTI MobiControl:

Procedure

  1. Select Global Settings from the main menu.
  2. Do one of the following:
    • From the Settings tree on the left, select Services > Identity Provider to display the Identity Provider dialog box (see Authentication Options).
    • From the Settings tree on the left, select Console Settings > Authentication Options to display the Authentication Options page (see Authentication Options). Under Authentication Type, select Identity Providers.
  3. Use the links in the Identity Provider Downloads section to download to your computer the SOTI MobiControl metadata file and SOTI MobiControl IdP certificate file.
  4. Click the + icon.
  5. Fill out the IdP connection details as required:
    Name Enter a name for this IdP connection in SOTI MobiControl.
    IdP Metadata File Browse for, or drag and drop into the field, your IdP's metadata file. This file contains the information needed to establish the link between your IdP and SOTI MobiControl.

    You can fill in the rest of the settings manually if you do not have an IdP metadata file or an IdP metadata URL.

    IdP Metadata URL Enter a URL from which SOTI MobiControl can retrieve your IdP's metadata, then click Refresh.

    You can fill in the rest of the settings manually if you do not have an IdP metadata URL or an IdP metadata file.

    IdP Entity ID Enter the globally unique identifier for the SAML IdP. The IdP Entity ID should be obtained from your IdP administrator.
    IdP URL Enter the IdP SSO login URL. SOTI MobiControl uses this URL to initiate the SSO login sequence. The IdP URL should be obtained from your IdP administrator.
    Note: SOTI MobiControl supports only HTTP-POST binding.
    Logout URL [Optional] Enter a URL that users are redirected to when they log out of the SOTI MobiControl console and Self Service Portal. If a Logout URL is not provided, users are redirected to a default logoff page.
    Note: SOTI MobiControl does not support single logout (SLO).
    Certificates This section lists the certificates used to authenticate with your IdP. Click the Download icon to open the Add Certificate dialog box, in which you can add a certificate to the list. Click the Delete icon to delete the selected certificate from the list.

    The certificates in the list are evaluated in order, starting from the top, until one of them successfully authenticates with the IdP.

    Certificates must be in either DER-encoded binary X.509 or Base64-encoded X.509 format.

  6. Enter Group Settings for Directory:
    Directory Name Select a directory from the drop-down list. If you do not have any directories configured, see Managing Directory Service Connections for information on setting one up.
  7. Alternatively, enter Group Settings for IdP:
    Group Attributes Click the chevron to expand this section. The expanded section contains the following controls:
    • List Attribute - enter the name of the assertion attribute in the incoming SAML authentication response that carries the user's groups.
    • List Delimiter - enter a delimiter used to split a single attribute value into multiple group names. If no delimiter is set, the attribute is assumed to contain multiple XML nodes (one AttributeValue per group name).

    SOTI MobiControl uses these Group Attributes to authorize users. Make sure that you have created these attribute values in your IdP and assigned them to users. You also need to provide the values in the Attribute Statement section of the assertion response so they can be matched against the defined IdP User groups to determine access rights for the user.

    User Attributes Click the chevron to expand this section. This section maps attributes in the IdP SAML response to specific SOTI MobiControl labels. For example, if you associate the name attribute in the IdP SAML response with the First Name user attribute in SOTI MobiControl, the value of the name attribute from the IdP SAML response appears as the value of the First Name field in the User Details card in the device's Device Information panel of SOTI MobiControl.

    You can configure the following user attributes:

    • First Name
    • Middle Name
    • Last Name
    • User Principal Name
    • Phone Number
    • Custom Attribute 1
    • Custom Attribute 2
    • Custom Attribute 3

    Only configured attributes will appear in User Details.

  8. Click Save.
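The Group Attributes and User Attributes behaviour described in step 7, as an added Python example (not SOTI MobiControl code): it reads an AttributeStatement in both List Delimiter modes (delimited single value versus one AttributeValue node per group), maps IdP attribute names to SOTI MobiControl user labels, and intersects the extracted groups with a configured set of IdP User groups. The assertion fragments, attribute names, group names and the USER_ATTRIBUTE_MAP are constructed here; real names must match what your IdP administrator configured.

```python
"""Extract groups and user attributes from a SAML AttributeStatement.

Illustrative stand-in for the two List Delimiter modes in step 7.
Assumes the assertion has already passed signature and audience
validation; attribute parsing is never a substitute for that step.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: one AttributeValue node per group (no delimiter set).
ASSERTION_MULTI_NODE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>MDM-Admins</saml:AttributeValue>
      <saml:AttributeValue>Helpdesk</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="upn"><saml:AttributeValue>ada@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: all groups in one value, separated by ";".
ASSERTION_DELIMITED = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>MDM-Admins;Helpdesk</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mapping of IdP attribute names to SOTI MobiControl labels.
USER_ATTRIBUTE_MAP = {
    "givenName": "First Name",
    "sn": "Last Name",
    "upn": "User Principal Name",
}


def attribute_values(assertion_xml, name):
    """Return every AttributeValue text for the attribute called `name`."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != name:
            continue
        for node in attr.findall("saml:AttributeValue", NS):
            values.append((node.text or "").strip())
    return values


def extract_groups(assertion_xml, list_attribute, list_delimiter=None):
    """Apply the List Attribute / List Delimiter settings to an assertion.

    With a delimiter, each value is split on it; without one, each
    AttributeValue node is taken as a separate group name.
    """
    raw = attribute_values(assertion_xml, list_attribute)
    if list_delimiter:
        groups = [g.strip() for value in raw for g in value.split(list_delimiter)]
    else:
        groups = raw
    return [g for g in groups if g]


def map_user_attributes(assertion_xml, mapping):
    """Build the User Details fields; only mapped, present attributes appear."""
    details = {}
    for idp_name, label in mapping.items():
        values = attribute_values(assertion_xml, idp_name)
        if values:
            details[label] = values[0]
    return details


def authorize(groups, allowed_groups):
    """Groups the user holds that match the defined IdP User groups."""
    return sorted(set(groups) & set(allowed_groups))


if __name__ == "__main__":
    print(extract_groups(ASSERTION_MULTI_NODE, "groups"))
    print(extract_groups(ASSERTION_DELIMITED, "groups", ";"))
    # Mismatched settings: no delimiter configured for a delimited value
    # yields one bogus group name that matches nothing.
    print(extract_groups(ASSERTION_DELIMITED, "groups"))
    print(map_user_attributes(ASSERTION_MULTI_NODE, USER_ATTRIBUTE_MAP))
```

The third call shows the failure mode to check for when a user unexpectedly gets no access rights: a delimited value with no List Delimiter configured is treated as a single group name and never matches a defined IdP User group.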

What to do next

To use this IdP connection for SOTI MobiControl console authentication, you must first enable it.

Note: On cloud deployments, IdP connections may experience issues due to an incorrect FQDN. To avoid this issue, you can use a macro scheme that allows you to override the management service address for all MS instances of SOTI MobiControl.
  • In the SOTI MobiControl Administration Utility, enable the Override Management Service Address option and enter the macro scheme.