Admins can set up SAML for Google, Microsoft, and other custom identity providers (IdPs) to let users sign in to UniFi Identity Enterprise using their IdP credentials.
- This feature is unavailable in the Identity Enterprise Basic Plan.
- To subscribe to the Standard Plan, please use your owner account to sign in to your Identity Enterprise Manager and go to Settings > Plan & Billing > Upgrade Plan.
- To apply for a free trial, please use your owner account to sign in to your Identity Enterprise Manager and go to Settings > Plan & Billing > Feature Usage > Apply for Plan Add-Ons.
Google SSO Authentication
Set Up Google SSO Authentication
- Sign in to your Google Admin console at https://admin.google.com and navigate to Apps > Web and Mobile Apps.
- Go to Add App > Add custom SAML app, provide the requested app details, and click Continue.
- Download the IdP Metadata file.
- On your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud), go to Security > Identity Provider > Google > Click to Enable.
- Fill in the information, go to the Metadata File field, and upload the metadata file you downloaded in Step 3.
- Click Save and do not close this page.
- Copy the values of ACS URL and Identifier (Entity ID) and then go to your Google Admin console and paste them into the Service Provider details page.
- Click Continue.
- Go to the Attribute mapping section and use the Add Mapping button to add the three mappings below:

  Google Directory Attribute   App Attribute
  Primary email
  First name                   first_name
  Last name                    last_name

- Click Finish to save the settings.
Enable SSO for UniFi Identity Enterprise on Google Admin Console
On your Google Admin console, go to the app details page and expand the User access section.
Enable the IdP by selecting ON for everyone. If you wish to only enable it for a specific UniFi Identity Enterprise organization, use the Organizational Units dropdown menu on the left to make your selection.
Click Save to finish. Google indicates that it may take up to 24 hours for the Google option to appear on all users' UniFi Identity Enterprise sign-in pages.
Microsoft 365 SSO Authentication
Set Up Microsoft 365 SSO Authentication on Identity Enterprise Manager
Sign in to your Microsoft Azure Admin Portal at https://portal.azure.com.
On the left navigation panel, go to Menu > Azure Active Directory > Enterprise applications.
In the Application Type menu, click All applications > New application.
Click Create your own application, name your application, enter the requested information, and select Integrate any other application you don't find in the gallery (Non-gallery).
Click Create. Note: If no application is displayed after this step, please refresh the web page.
Select Single sign-on > SAML. Do not close this page yet.
On your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud), go to Security > Identity Provider > Microsoft > Click to Enable.
Copy the values of Identifier (Entity ID) and ACS URL. Do not close this page yet.
Go to Microsoft Azure > Set up Single Sign-On with SAML page and edit the Basic SAML Configuration section. Do the following and click Save:
- Identifier (Entity ID): Paste the value you copied from Identifier (Entity ID) in your Identity Enterprise Manager.
- Reply URL (Assertion Consumer Service URL): Paste the value you copied from ACS URL in your Identity Enterprise Manager.
Download the Federation Metadata XML file from the SAML Signing Certificate section.
Return to your Identity Enterprise Manager and upload the Federation Metadata XML file you just downloaded.
Return to the Microsoft Azure Admin Portal > Set up Single Sign-On with SAML page and Edit the User Attributes & Claims section.
Click Add new claim to add all the claims below. You do not need to fill in the Namespace field.
Enable SSO for UniFi Identity Enterprise on the Microsoft Azure Admin Portal
- Go to Microsoft Azure Admin Portal > Users and groups > Add user.
- Select Users and click Select to add users.
- To test whether the configuration is successful, go to Microsoft Azure Admin Portal > Single Sign-on and select Test > Sign in as current user.
Once the configuration is complete, any user on the assignment list selected in Step 2 can use their Microsoft credentials to sign in to UniFi Identity Enterprise.
Custom SAML SSO Authentication
- Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
- Go to Security > Identity Provider and click New Identity Provider.
- Fill in the required fields:
- Name: Enter a name for the identity provider (IdP).
- Type: Select SAML IdP.
- Protocol: SAML 2.0 is the protocol that is currently supported.
- Identifier (Entity ID) and ACS URL: These are generated automatically. Copy both values into the application you create on your IdP; the IdP then provides the values for the three fields that follow.
- IdP Issuer URL (Entity ID): The entity ID of the IdP that issues the assertions.
- IdP Single Sign-On URL: The sign-on URL from the IdP.
- IdP Signature Certificate: Upload the certificate from the IdP that signed the assertion.
- Click Create. The added IdP will appear in the Identity Provider tab.
Workspace ONE SSO Authentication
- Sign in to your Workspace ONE Access Console.
- Select Resources on the top navigation menu.
- Select Web Apps and click New.
- Enter the Web App name and fill in the information.
- Refer to the Workspace ONE and Identity Enterprise Manager tables below and fill in the required properties.
- To get the Metadata XML file from Workspace ONE, go to Resources > Web Apps > Settings > SAML Metadata > Identity Provider (IdP) metadata and click Copy URL.
- To get the launch URL from Workspace ONE, go to Resources > Web Apps and select the application you created for your Identity Enterprise Portal. Click Definition > Launch URL and click Copy URL.
Workspace ONE
  Single Sign-On URL           Your Identity Enterprise Portal login URL, in the form https://example.ui.com/login (see the note below).

Identity Enterprise Manager
  Identifier (Entity ID)       Generated by Identity Enterprise Manager; the last part is the Application ID.
  IdP Issuer URL (Entity ID)   Taken from the Workspace ONE IdP metadata (see Step 6 above).
  IdP Single Sign-On URL       The launch URL from the Workspace ONE application configuration (see Step 7 above).
When signing in to your Identity Enterprise Portal via Workspace ONE from a URL that is not https://example.ui.com/login, you might encounter the error shown in the screenshot below. To prevent this, do either of the following:
- Make sure the Single Sign-On URL uses the format https://example.ui.com/login.
- Before logging in to your Identity Enterprise Portal, log in to Workspace ONE first and make sure the account status is logged in.
OneLogin SSO Authentication
Sign in to your OneLogin account (https://[your_domain].onelogin.com/login).
Select Applications in the top menu.
Click Add App.
Search and select "SAML Custom Connector (Advanced)".
Fill in the information, and click Save.
In Configuration, fill in the following fields with the values shown in UniFi Identity Enterprise:

  OneLogin field                  Value from UniFi Identity Enterprise
  Audience (EntityID)             Identifier (Entity ID)
  Recipient                       ACS URL
  ACS (Consumer) URL              ACS URL
  ACS (Consumer) URL Validator    ACS URL

OneLogin evaluates the ACS (Consumer) URL Validator as a regular expression. Pasting the literal ACS URL is accepted, but escape its dots (\.) and anchor it (^...$) if you want only that exact URL to match.
In SSO, copy the following fields and paste them into the corresponding fields in UniFi Identity Enterprise:

  OneLogin field                                   Field in UniFi Identity Enterprise
  Issuer URL                                       IdP Issuer URL (Entity ID)
  SAML 2.0 Endpoint (HTTP)                         IdP Single Sign-On URL
  X.509 Certificate > View Details > Download      Upload the downloaded file to IdP Signature Certificate
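The reason the OneLogin fields above (and the Workspace ONE and custom SAML fields before them) must carry exactly the SP's Identifier (Entity ID) and ACS URL is that a correctly built service provider rejects any assertion whose Audience, Recipient and Destination do not match them, and whose Issuer is not the configured IdP Issuer URL. The script below is an added example, not Ubiquiti's code, of those SP-side checks, plus the mapped-attribute check from the Google section (first_name, last_name): `SP_ENTITY_ID`, `ACS_URL`, `IDP_ENTITY_ID`, `SAMPLE_RESPONSE` and `EXAMPLE_NOW` are constructed placeholders, and signature verification is deliberately left out (see the docstring). The `demo()` function shows the good Response being accepted and tampered or expired variants being refused.

```python
"""SP-side checks on a SAML Response against the configured SP values
(Audience = Identifier/Entity ID, Recipient/Destination = ACS URL,
Issuer = IdP Issuer URL) and the attributes the IdP was told to map.

Added example, not Ubiquiti's code. SP_ENTITY_ID, ACS_URL, IDP_ENTITY_ID,
SAMPLE_RESPONSE and EXAMPLE_NOW are constructed placeholders. XML signature
verification with the IdP signing certificate is out of scope and MUST run
before these checks; without it anyone can craft a Response that passes them.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Assumed SP settings (placeholders for what Identity Enterprise Manager generates).
SP_ENTITY_ID = "https://example.ui.com/saml/sp/0123456789abcdef"
ACS_URL = "https://example.ui.com/saml/acs/0123456789abcdef"
IDP_ENTITY_ID = "https://idp.example.com/saml/metadata"
REQUIRED_ATTRS = ("first_name", "last_name")  # attributes mapped in the Google section


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, now, sp_entity_id=SP_ENTITY_ID, acs_url=ACS_URL,
                   idp_entity_id=IDP_ENTITY_ID, required=REQUIRED_ATTRS):
    """Return NameID and attributes if every check passes, else raise ValueError."""
    resp = ET.fromstring(xml_text)
    if resp.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    # Destination must be our ACS URL, or a Response issued for another service could be replayed here.
    if resp.get("Destination") != acs_url:
        raise ValueError("Destination does not match ACS URL")
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")  # extra assertions are a wrapping red flag
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != idp_entity_id:
        raise ValueError("Issuer does not match IdP Issuer URL (Entity ID)")
    cond = a.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion has no Conditions/NotOnOrAfter")
    not_before = cond.get("NotBefore")
    if now >= _ts(cond.get("NotOnOrAfter")) or (not_before and now < _ts(not_before)):
        raise ValueError("assertion outside its validity window")
    audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("Audience does not match Identifier (Entity ID)")
    scd = None
    for sc in a.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") == BEARER:
            scd = sc.find("saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or now >= _ts(scd.get("NotOnOrAfter")):
        raise ValueError("bearer SubjectConfirmationData missing, wrong Recipient, or expired")
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    missing = [n for n in required if n not in attrs]
    if missing:
        raise ValueError(f"assertion lacks mapped attributes: {missing}")
    return {"name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}


# Constructed, unsigned sample Response (placeholder values only).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="first_name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="last_name"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""
EXAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)  # constructed clock


def demo():
    """Accept the good Response; refuse tampered or expired variants."""
    accepted = check_response(SAMPLE_RESPONSE, EXAMPLE_NOW)
    cases = {
        "wrong_audience": (SAMPLE_RESPONSE.replace(SP_ENTITY_ID, "https://other.example.com/sp"), EXAMPLE_NOW),
        "wrong_recipient": (SAMPLE_RESPONSE.replace(f'Recipient="{ACS_URL}"',
                                                    'Recipient="https://other.example.com/acs"'), EXAMPLE_NOW),
        "wrong_issuer": (SAMPLE_RESPONSE.replace(IDP_ENTITY_ID, "https://evil.example.net/idp"), EXAMPLE_NOW),
        "expired": (SAMPLE_RESPONSE, EXAMPLE_NOW.replace(hour=13)),
    }
    rejected = {}
    for name, (doc, now) in cases.items():
        try:
            check_response(doc, now)
            rejected[name] = False
        except ValueError:
            rejected[name] = True
    return accepted, rejected


if __name__ == "__main__":
    print(demo())
```

Every one of the rejected cases corresponds to a mis-pasted field in the tables above: wrong Audience is a wrong Identifier (Entity ID), wrong Recipient is a wrong ACS URL, wrong Issuer is a wrong IdP Issuer URL. A sign-in that fails right after you configure SSO is usually one of these three before it is anything else.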