Adding an Identity Provider Connection

Link Identity Provider (IdP) connections with SOTI MobiControl.

Before you begin

  • Log in as a SOTI MobiControl user with the Manage Directory Services permission enabled.
  • Download the metadata file from your IdP to the computer you will use for setup. For details on how to retrieve this metadata file, refer to your IdP's documentation.
Note: If you plan to use a directory or LDAP groups for authentication, see Managing Directory Service Connections for more information on setting up a directory connection.

About this task

SOTI MobiControl integrates with external Identity Providers to authenticate users and enforce access permissions. When you configure an IdP, SOTI MobiControl uses the attributes from the IdP’s Security Assertion Markup Language (SAML) response to verify user credentials and enable web console authentication or device enrollment.

Procedure

  1. In the SOTI MobiControl web console, select Global Settings from the main menu.
  2. Select Services > Identity Provider to display the Identity Provider window.
  3. Select MobiControl Metadata File and MobiControl IdP Certificate in the Identity Provider Downloads section to download the SOTI MobiControl metadata file and the SOTI MobiControl IdP certificate file. These files provide the information your IdP needs when you set up its side of the connection to SOTI MobiControl.
  4. Select (add) to create a new connection.
  5. Under IdP Settings, enter the details of your IdP connection to link the IdP and SOTI MobiControl.
    1. Enter a Name for this IdP connection in SOTI MobiControl.
    2. Browse for, or drag and drop, your IdP Metadata File. Alternatively, enter an IdP Metadata URL from which SOTI MobiControl can retrieve the metadata, then select Refresh. The file or URL auto-populates the information required to link your IdP and SOTI MobiControl.
      Note: You can fill in the rest of the settings manually if you do not have an IdP metadata file or an IdP Metadata URL.
    3. Enter the IdP Entity ID to provide the globally unique identifier for the IdP.
    4. Enter the IdP's Single Sign-On (SSO) login URL as the IdP URL. SOTI MobiControl redirects users to this URL to start the SSO login sequence.
    5. Enter a Logout URL that users are redirected to when they log out of the SOTI MobiControl web console. If a URL is not provided, users are redirected to a default logout page.
      Note: SOTI MobiControl does not support single logout (SLO).
    6. Add the Certificates that SOTI MobiControl uses to validate responses from your IdP. Select the (download) icon to open the Add Certificate dialog box, in which you can add a certificate to the list. Select the (delete) icon to delete the selected certificate from the list. SOTI MobiControl tries the certificates in the order listed until one successfully validates the IdP's response, so include the IdP's current signing certificate and add its successor before a certificate rotation.
      Note: Certificates must be in either DER-encoded binary X.509 or Base64-encoded X.509 format.
  6. Under Group Settings, choose whether to take user group information from a Directory or from the IdP for authentication.
  7. Select Directory to use user information from a Directory (LDAP) connection.
    1. Select a directory from the drop-down list. If you do not have any directories configured, see Managing Directory Service Connections for more details on adding a new directory connection.
  8. Alternatively, select IdP to use user group information from an IdP.
    1. Add Group Attributes to authenticate users with SOTI MobiControl. Make sure that you have created these attribute values in your IdP and assigned them to users. Your IdP must also include these values in the AttributeStatement of the SAML assertion so that SOTI MobiControl can match them against the defined IdP user groups and grant the corresponding access rights.

      In List Attributes, enter the names of the assertion attributes in the incoming SAML response that carry the user's groups. Optionally, enter a List Delimiter to split a single attribute value into separate group entries.

      Note: If you do not set a delimiter, SOTI MobiControl expects the attribute to carry each group name in its own XML value node (one AttributeValue element per group) rather than several names packed into one value.
    2. Optional: Enter User Attributes to map IdP SAML response attributes to SOTI MobiControl attributes. For example, if you map the name attribute in the IdP SAML response to the First Name attribute in SOTI MobiControl, the value of the name attribute appears in the First Name field of the User Details card in the device’s Device Information panel.

      SOTI MobiControl pre-populates the user attribute mappings to match a typical IdP configuration; you can change them to suit your requirements:

      • First Name: Enter the attribute to map to the user's first name.
      • Middle Name: Enter the attribute to map to the user's middle name.
      • Last Name: Enter the attribute to map to the user's last name.
      • User Principal Name: Enter the attribute to map to the user's User Principal Name (UPN) identifier.
      • Phone Number: Enter the attribute to map to the user's phone number.
      • Custom Attributes: Enter up to three custom attributes based on your IdP and user requirements.
    3. Optional: In the Map Additional User Attributes panel, select the icon to add extra user attributes. Select a mapped attribute and enter a value under the Name field. See Additional User Attributes for more information on the available attributes.
      Tip: Once the mapped attributes are indexed in the search filter, you can use them to search for devices and to assign profiles and policies to those devices. For more information, see Indexing Properties.
  9. Select Save.

Results

An IdP connection has been successfully created for SOTI MobiControl.

What to do next

To use this IdP connection for SOTI MobiControl console authentication, refer to Enabling an Identity Provider Connection.
Note: On SOTI MobiControl cloud environments, IdP connections may fail because of an incorrect FQDN. To avoid this issue, you can use a macro scheme that overrides the management service address for all instances of SOTI MobiControl.
  • In the SOTI MobiControl Administration Utility, enable the Override Management Service Address option and enter the macro scheme.