UniFi Identity Enterprise - Configure Identity Providers

Admins can set up SAML for Google, Microsoft, and other custom identity providers (IdPs) to let users sign in to UniFi Identity Enterprise using their IdP credentials.

Note: This feature is unavailable in the Identity Enterprise Basic Plan.

  • To subscribe to the Standard Plan, please use your owner account to sign in to your Identity Enterprise Manager and go to Settings > Plan & Billing > Upgrade Plan.
  • To apply for a free trial, please use your owner account to sign in to your Identity Enterprise Manager and go to Settings > Plan & Billing > Feature Usage > Apply for Plan Add-Ons.

Google SSO Authentication

Set Up Google SSO Authentication

  1. Sign in to your Google Admin console at https://admin.google.com and navigate to Apps > Web and Mobile Apps.
  2. Go to Add App > Add custom SAML app, provide the requested app details, and click Continue.
  3. Download the IdP Metadata file.
  4. On your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud), go to Security > Identity Provider > Google > Click to Enable.
  5. Fill in the information, go to the Metadata File field, and upload the metadata file you downloaded in Step 3.
  6. Click Save and do not close this page.
  7. Copy the values of ACS URL and Identifier (Entity ID) and then go to your Google Admin console and paste them into the Service Provider details page.
  8. Click Continue.
  9. Go to the Attribute mapping section and use the Add Mapping button to add the three values below.
    Google Directory Attribute | App Attribute
    Primary email | email
    First name | first_name
    Last name | last_name
  10. Click Finish to save the settings.

Enable SSO for UniFi Identity Enterprise on Google Admin Console

  1. On your Google Admin console, go to the app details page and expand the User access section.

  2. Enable the IdP by selecting ON for everyone. If you wish to only enable it for a specific UniFi Identity Enterprise organization, use the Organizational Units dropdown menu on the left to make your selection.

  3. Click Save to finish. Google indicates that it may take up to 24 hours for the Google option to appear on all users' UniFi Identity Enterprise sign-in pages.

Microsoft 365 SSO Authentication

Set Up Microsoft 365 SSO Authentication on Identity Enterprise Manager

  1. Sign in to your Microsoft Azure Admin Portal at https://portal.azure.com.

  2. On the left navigation panel, go to Menu > Azure Active Directory > Enterprise applications.

  3. In the Application Type menu, click All applications > New application.

  4. Click Create your own application, name your application, enter the requested information, and select Integrate any other application you don't find in the gallery (Non-gallery).

  5. Click Create. Note: If no application is displayed after this step, please refresh the web page.

  6. Select Single sign-on > SAML. Do not close this page yet.

  7. On your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud), go to Security > Identity Provider > Microsoft > Click to Enable.

  8. Copy the values of Identifier (Entity ID) and ACS URL. Do not close this page yet.

  9. Go to Microsoft Azure > Set up Single Sign-On with SAML page and edit the Basic SAML Configuration section. Do the following and click Save:

    • Identifier (Entity ID): Paste the value you copied from Identifier (Entity ID) in your Identity Enterprise Manager.
    • Reply URL (Assertion Consumer Service URL): Paste the value you copied from ACS URL in your Identity Enterprise Manager.
  10. Download the Federation Metadata XML file from the SAML Signing Certificate section.

  11. Return to your Identity Enterprise Manager and upload the Federation Metadata XML file you just downloaded.

  12. Click Save.

  13. Return to the Microsoft Azure Admin Portal > Set up Single Sign-On with SAML page and Edit the User Attributes & Claims section.

  14. Click Add new claim to add all the claims below. You do not need to fill in the Namespace field.

    Name | Source | Source Attribute
    Email | Attribute | user.mail
    First_name | Attribute | user.givenname
    Last_name | Attribute | user.surname

Enable SSO for UniFi Identity Enterprise on the Microsoft Azure Admin Portal

  1. Go to Microsoft Azure Admin Portal > Users and groups > Add user.
  2. Select Users and click Select to add users.
  3. To test whether the configuration is successful, go to Microsoft Azure Admin Portal > Single Sign-on and select Test > Sign in as current user.

Once the configuration is complete, any user on the assignment list selected in Step 2 can use their Microsoft credentials to sign in to UniFi Identity Enterprise.

Custom SAML SSO Authentication

  1. Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
  2. Go to Security > Identity Provider and click New Identity Provider.
  3. Fill in the required fields:
    • Name: Enter a name for the identity provider (IdP).
    • Type: Select SAML IdP.
    • Protocol: SAML 2.0 is the only protocol currently supported.
    • Identifier (Entity ID) and ACS URL: These are generated by default. Copy them into your IdP's configuration; the IdP then provides the values for the following fields.
    • IdP Issuer URL (Entity ID): The issuer value (entity ID) provided by the IdP.
    • IdP Single Sign-On URL: The sign-on URL from the IdP.
    • IdP Signature Certificate: Upload the IdP's signing certificate; it is used to verify the signature on the assertions the IdP sends.
  4. Click Create. The added IdP will appear in the Identity Provider tab.
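As an added example that is not Ubiquiti's code, the following Python shows what a SAML service provider checks with the fields configured above when a response arrives: Destination and Recipient against the ACS URL, both Issuer elements against the IdP Issuer URL, Audience against the Identifier (Entity ID), and the validity window, before reading the mapped email, first_name and last_name attributes. The SP values, the IdP issuer and the unsigned sample response are constructed; verifying the XML signature with the uploaded IdP Signature Certificate needs an XML-signature library and is not shown here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
# Constructed values for the SP fields above (Identifier/Entity ID, ACS URL) and a constructed IdP Issuer URL.
SP_ENTITY_ID = "https://example.ui.com/cloud/saml2/service-provider/00000000-0000-0000-0000-000000000000"
ACS_URL = "https://example.ui.com/gw/eot/api/sso/saml"
IDP_ISSUER = "https://idp.example.test/saml/metadata"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample response. Checking the XML signature against the uploaded
# IdP Signature Certificate is a separate step that needs an XML-signature library.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" Destination="{ACS_URL}">
<saml:Issuer>{IDP_ISSUER}</saml:Issuer>
<saml:Assertion><saml:Issuer>{IDP_ISSUER}</saml:Issuer>
<saml:Subject><saml:NameID>alice@example.com</saml:NameID><saml:SubjectConfirmation>
<saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2099-01-01T00:00:00Z"/>
</saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2000-01-01T00:00:00Z" NotOnOrAfter="2099-01-01T00:00:00Z">
<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AttributeStatement>
<saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="first_name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="last_name"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""
def _ts(value):  # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def validate_response(xml_text, now=None):
    """Return (True, attribute dict) or (False, name of the first failed check)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS) if a is not None else None
    cond = a.find("saml:Conditions", NS) if a is not None else None
    if scd is None or cond is None:
        return False, "incomplete_assertion"
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    checks = [
        ("destination", root.get("Destination") == ACS_URL),   # response was addressed to our ACS URL
        ("recipient", scd.get("Recipient") == ACS_URL),        # assertion was meant for our ACS URL
        ("issuer", root.findtext("saml:Issuer", None, NS) == IDP_ISSUER == a.findtext("saml:Issuer", None, NS)),
        ("audience", SP_ENTITY_ID in audiences),               # assertion is for our Identifier (Entity ID)
        ("not_before", _ts(cond.get("NotBefore", "1970-01-01T00:00:00Z")) <= now),  # NotBefore is optional
        ("not_on_or_after", now < _ts(cond.get("NotOnOrAfter", "1970-01-01T00:00:00Z")) and now < _ts(scd.get("NotOnOrAfter", "1970-01-01T00:00:00Z"))),
    ]
    failed = [name for name, ok in checks if not ok]
    if failed:
        return False, failed[0]
    # Attribute names are the ones mapped at the IdP (email, first_name, last_name)
    attrs = {att.get("Name"): att.findtext("saml:AttributeValue", None, NS) for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return True, attrs
```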

Workspace ONE

  1. Sign in to your Workspace ONE Access Console.
  2. Select Resources on the top navigation menu.
  3. Select Web Apps and click New.
  4. Enter the Web App name and fill in the information.
  5. Refer to the Workspace ONE and Identity Enterprise Manager tables below and fill in the required properties.
  6. To get the Metadata XML file from Workspace ONE, go to Resources > Web Apps > Settings > SAML Metadata > Identity Provider (IdP) metadata and click Copy URL.
  7. To get the launch URL from Workspace ONE, go to Resources > Web Apps and select the application you created for your Identity Enterprise Portal. Click Definition > Launch URL and click Copy URL.

Workspace ONE

Property | Value
Single Sign-On URL | https://example.ui.com/gw/eot/api/sso/saml
Recipient URL | https://example.ui.com/gw/eot/api/sso/saml
Application ID | xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Username Format | Email Address
Username Value | ${user.email}

Identity Enterprise Manager

Property | Value
Identifier (Entity ID) | https://example.ui.com/cloud/saml2/service-provider/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (the last part is the Application ID)
ACS URL | https://example.ui.com/gw/eot/api/sso/saml
IdP Issuer URL (Entity ID) | https://example.workspaceair.com/SAAS/API/1.0/GET/metadata/idp.xml (see Step 6 above)
IdP Single Sign-On URL | https://example.workspaceair.com:443/SAAS/API/1.0/GET/apps/launch/app/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (the launch URL from the Workspace ONE application configuration; see Step 7 above)

Known Issue

When signing in to your Identity Enterprise Portal via Workspace ONE from a URL other than https://example.ui.com/login, you might encounter the error shown in the screenshot below. To prevent this, do either of the following:

  • Make sure the format https://example.ui.com/login is used for the Single Sign-On URL.
  • Before logging in to your Identity Enterprise Portal, log in to Workspace ONE first and make sure the account status is logged in.
    [Screenshot: Workspace ONE error]

OneLogin

  1. Sign in to your OneLogin account (https://[your_domain].onelogin.com/login).

  2. Select Applications in the top menu.

  3. Click Add App.

  4. Search and select "SAML Custom Connector (Advanced)".

  5. Fill in the information, and click Save.

  6. In Configuration, fill in the following attributes:

    Attribute | Content in UniFi Identity Enterprise
    Audience (EntityID) | Identifier (Entity ID)
    Recipient | ACS URL
    ACS (Consumer) URL | ACS URL
    ACS (Consumer) URL Validator | ACS URL
  7. In SSO, copy the required fields and paste them into the corresponding fields in UniFi Identity Enterprise:

    Attribute | Content in UniFi Identity Enterprise
    Issuer URL | IdP Issuer URL (Entity ID)
    SAML 2.0 Endpoint (HTTP) | IdP Single Sign-On URL
    X.509 Certificate > View Details > Download | Upload it to IdP Signature Certificate

Custom SCIM SSO Authentication

SCIM provisioning enables automatic provisioning and de-provisioning of users and groups from your identity provider. Please copy the Base URL and API Token as you will need them when configuring SCIM provisioning in your third-party app.

Notes: 

  • This is an early access (EA) feature. Contact uid.support@ui.com to apply for a free trial.
  • Users added via Identity Enterprise Manager cannot be assigned or unassigned from third-party platforms; deactivated users are the exception.

Obtain Base URL and API Token from Identity Enterprise Manager

  1. Go to your Identity Enterprise Manager > Security > Identity Provider > SCIM Provisioning.
  2. Copy the Base URL and API token displayed. Ensure the token is stored safely for future use, as it is displayed only once for security reasons.

Configure in Okta

Here we use Okta as an example:

  1. Sign in to your Okta org with your admin account.
  2. Go to Applications > Applications.
  3. Click Browse App Catalog and search for SCIM.
  4. Select SCIM 2.0 Test App (Header Auth).
  5. Click Add Integration.
  6. Configure General Settings and click Next.
  7. Choose the sign-in method for your integration on the Sign-On Options page.
  8. Go to Provisioning > Integration and click Configure API Integration.
  9. Tick the Enable API integration checkbox and paste the Base URL and API token you previously copied from Identity Enterprise Manager.
  10. Test the credentials by clicking Test API Credentials, which makes Okta attempt a connection to the Base URL with the token. If there's an error, check the token you pasted.
  11. Click Save to complete the API integration. See Okta’s help article for details.
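The following Python is added here and is not part of the Identity Enterprise product or Okta; it sketches the server side of the SCIM integration above: the API Token is checked in constant time from the Authorization header (assumed to be sent as Bearer, as Okta's Header Auth test app does), and GET /Users is answered with a SCIM 2.0 ListResponse, including the userName filter Okta uses to look up an existing user. The Base URL path, the token and the user directory are constructed.

```python
import hmac
import re
from urllib.parse import parse_qs

# Constructed values: the real Base URL and API Token come from Identity Enterprise
# Manager > Security > Identity Provider > SCIM Provisioning and are shown only once.
BASE_PATH = "/scim/v2"
API_TOKEN = "constructed-example-token-do-not-use"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed directory; a real service would persist this.
USERS = [
    {"schemas": [USER_SCHEMA], "id": "u-1", "userName": "alice@example.com", "active": True},
    {"schemas": [USER_SCHEMA], "id": "u-2", "userName": "bob@example.com", "active": True},
]
FILTER_RE = re.compile(r'^userName eq "([^"]*)"$')  # the only filter shape accepted here (assumed)

def authorized(headers):
    """Header auth: expects Authorization: Bearer <API token>; compare in constant time."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(token, API_TOKEN)

def handle(method, path, query, headers):
    """Minimal SCIM 2.0 /Users handler returning (HTTP status, body dict)."""
    if not authorized(headers):
        return 401, {"schemas": [ERROR_SCHEMA], "status": "401", "detail": "invalid or missing API token"}
    if path != f"{BASE_PATH}/Users" or method != "GET":
        return 404, {"schemas": [ERROR_SCHEMA], "status": "404", "detail": "not found"}
    params = parse_qs(query)
    matched = USERS
    if "filter" in params:
        m = FILTER_RE.match(params["filter"][0])
        if not m:
            return 400, {"schemas": [ERROR_SCHEMA], "status": "400", "scimType": "invalidFilter", "detail": "unsupported filter"}
        matched = [u for u in USERS if u["userName"].lower() == m.group(1).lower()]  # userName matching is case-insensitive
    start = int(params.get("startIndex", ["1"])[0])  # SCIM pagination is 1-based
    count = int(params.get("count", [str(len(matched))])[0])
    page = matched[start - 1:start - 1 + count]
    return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(matched), "startIndex": start,
                 "itemsPerPage": len(page), "Resources": page}
```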