UniFi Identity Enterprise - Configure IdP Routing Rules

By default, users can sign in to UniFi Identity Enterprise via all the available identity providers (IdP) in their workspaces. Identity Provider Routing Rule can direct users to specific IdPs based on users' sign-in environments.

Requirements

Before adding routing rules, make sure that at least a Google, Microsoft 365, or custom SAML IdP has been configured.

Add Routing Rules

  1. Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).

  2. Go to Security > Identity Provider > Routing Rule and click New Routing Rule.
  3. Fill in the required fields (See the table below for more information) and click Create.

General

Fields Description
Name Enter a name for this rule.
Description Enter a description for this rule.
Validity Period Specify the effective period of the policy.
  • Always: The rule is always effective unless this rule is disabled or removed.
  • Specified time range: The rule is effective within the specified time period.
  • Recurring schedule: The rule takes effect according to the set schedule.
  • Based on users' time zones: When ticked, the rule takes effect according to the user's local time zone. When unticked, the rule takes effect according to the specified time zone.

Conditions and Actions

Fields Description
If the user's IP is Specify the IP address location.
  • Anywhere: The rule is triggered no matter what the user's IP address is.
  • Inside Zone: The rule is triggered when the user's IP address is within the network zone.
  • Outside Zone: The rule is triggered when the user's IP address is outside of the network zone.
And the user is accessing The rule is triggered when users are accessing any or specified apps.
And the user matches Specify which sign-in attributes users must match.
  • Anything: This rule applies to all users.
  • Validate email addresses using regex: Specify a regular expression. This rule applies to users whose email addresses match the regular expression. For example, ^[a-c]{5}@abc.com$. This means that the rule takes effect when users' email addresses contain 5 characters and lowercase letters a, b, or c, and when the domain is abc.com.
  • Domain list for sign-in email addresses: Specify the email domain in abc.com format. This rule applies to the users whose email matches the domain.
  • User attribute: Specify the user attribute. The rule applies to users whose email, first name, or last name matches the specified value.
  1. Select EmailFirst name, or Last name from the drop-down menu.
  2. Select Starts withEqualsContains, or Matches regex.
  3. Enter a valid value.
Then let them sign in to UniFi Identity Enterprise with Specify which IdP the users will be directed to when the specified conditions are met. The supported IdPs include UniFi Identity Enterprise, Google, Microsoft, and Custom SAML.

Prioritize Routing Rules

Note: The default rule has the lowest priority and its settings cannot be changed.

  1. Go to Security > Identity Provider > Routing Rule.
  2. Drag the Ellipsis icon in front of a rule either up or down to change its priority. Rules with a higher priority take precedence over rules with a lower priority.

Manage Routing Rules

  • Click an existing routing rule to edit it.
  • Click the Manage button to Enable, Disable, or Remove a rule.
Was this article helpful?
0 out of 0 found this helpful