UniFi Identity Enterprise - Configure Identity Providers in the Legacy User Interface
The UniFi Identity Enterprise SSO engine utilizes SAML for Google, Microsoft, and other custom identity providers (IdPs), which allows users to sign in to UniFi Identity Enterprise using their IdP credentials. Users can choose to sign in with Google, Microsoft, or custom IdPs.
Note: This feature is unavailable in the Basic Plan. To use this feature, do either of the following:
- Use your owner account to sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud) and go to SETTINGS > Plan to subscribe to the Standard Plan.
- Use your owner account to sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud) and go to SETTINGS > Plan > Workspace Plan > Apply for Plan Add-Ons to apply for a free trial of this feature.
Google SSO Authentication
Set Up Google SSO Authentication
- Sign in to your Google Admin console at https://admin.google.com and navigate to Apps > Web and mobile Apps.
- Go to Add App > Add custom SAML app, provide the requested app details, and click Continue.
- Download the IdP Metadata file.
- On your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud), go to Security > Identity Provider > Google > Click to Enable.
- Fill in the information, go to the Metadata File field, and upload the metadata file you downloaded in Step 3.
- Click Save and do not close this page.
- Copy the values of ACS URL and Identifier (Entity ID) and then go to your Google Admin console and paste them into the Service Provider details page.
- Click Continue.
- Go to the Attribute mapping section and use the Add Mapping button to add the three values below.
- Click Finish to save the settings.
Google Directory Attribute | App Attribute |
Primary email | email |
First name | first_name |
Last name | last_name |
Enable SSO for UniFi Identity Enterprise on Google Admin Console
- On your Google Admin console, go to the app details page and expand the User access section.
- Enable the IdP by selecting ON for everyone. If you wish to only enable it for a specific UniFi Identity Enterprise organization, use the Organizational Units dropdown menu on the left to make your selection.
- Click Save to finish. Google indicates that it may take up to 24 hours for the Google option to appear on all users' UniFi Identity Enterprise sign-in pages.
Tips
If the following error is displayed when signing in with Google:
Error: app_not_configured_for_users
- Please make sure the app is ON for everyone or for the user's organization.
- Allow up to 24 hours for Google to update the settings to allow users to access the app after the above steps are configured.
Set Up Microsoft 365 SSO
- Sign in to the Microsoft Admin Console.
- On the left navigation panel, go to Menu > Azure Active Directory > Enterprise applications.
- In the Application Type menu, click All applications > New application.
- Click Create your own application, name your application and enter the requested information, and select Integrate any other application you don't find in the gallery (Non-gallery).
- Click Create. Note: If no application is displayed after this step, please refresh the web page.
- Select Single sign-on > SAML. Do not close this page yet.
- Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
- Go to SECURITY > Identity Providers and select Microsoft.
- Turn on the “Status” toggle to enable Microsoft integration, and copy the values of Identity (Entity ID) and Reply URL (Assertion Consumer Service URL). Do not close this page yet.
- Go to the Microsoft Azure > Set up Single Sign-On with SAML page and edit the Basic SAML Configuration section. Do the following and click Save:
- Identifier (Entity ID): Paste the value you copied from Identity (Entity ID) in your Identity Enterprise Manager.
- Reply URL (Assertion Consumer Service URL): Paste the value you copied from Reply URL (Assertion Consumer Service URL) in your Identity Enterprise Manager.
- Download the Federation Metadata XML file from the SAML Signing Certificate section.
- Return to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud) > SECURITY > Identity Provider > Microsoft page and upload the Federation Metadata XML file you downloaded.
- Click Save.
- Return to the Microsoft Azure > Set up Single Sign-On with SAML page and Edit the User Attributes & Claims section.
- Click Add new claim to add all the claims below. You do not need to fill the Namespace field.
Name | Source | Source Attribute |
 | Attribute | user.mail |
First_name | Attribute | user.givenname |
Last_name | Attribute | user.surname |
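The attribute mappings above (Google's email/first_name/last_name and the Microsoft claims) only work if the names in the assertion match what the service provider expects, character for character. The following script is an added example, not code from Ubiquiti or this page: it inspects a constructed SAML response the way a service provider does after signature verification, checking the Audience against the SP Entity ID, the validity window, and the presence of the required attribute names. The SP Entity ID, the IdP issuer (idp.example.test) and the "PLACEHOLDER-APP-ID" segment are placeholders, and the sample deliberately misspells one attribute so the check has something to report. XML signature verification is out of scope here; this is a troubleshooting aid, not an authentication layer.

```python
"""Check a SAML assertion's issuer, audience, validity window and attribute
names the way the SP does once the XML signature has been verified
(signature verification is deliberately NOT done here)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical values for this workspace (placeholders, not real identifiers).
SP_ENTITY_ID = "https://example.ui.com/cloud/saml2/service-provider/PLACEHOLDER-APP-ID"
IDP_ISSUER = "https://idp.example.test/saml2/idp"
REQUIRED_ATTRS = ("email", "first_name", "last_name")  # the Google mapping

# Constructed sample response, not a capture. The third attribute is named
# "LastName" instead of "last_name" on purpose to show a mapping typo.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>https://idp.example.test/saml2/idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://example.ui.com/cloud/saml2/service-provider/PLACEHOLDER-APP-ID</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="first_name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text, expected_audience, expected_issuer, required_attrs, now=None):
    """Return the NameID, the attribute map and a list of human-readable problems.
    `now` is an ISO-8601 timestamp string (defaults to the current UTC time)."""
    now_dt = _ts(now) if now else datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS) if root.tag.endswith("}Response") else root
    if assertion is None or not assertion.tag.endswith("}Assertion"):
        raise ValueError("no plaintext Assertion found (encrypted assertion or wrong document?)")

    problems = []
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append(f"Issuer '{issuer}' does not match IdP Issuer URI '{expected_issuer}'")

    audiences = [(a.text or "").strip() for a in
                 assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences} does not include SP Entity ID '{expected_audience}'")

    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now_dt < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid (NotBefore is in the future; check clock skew)")
        if cond.get("NotOnOrAfter") and now_dt >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (NotOnOrAfter reached; check clock skew)")

    # Attribute names are compared exactly: "LastName" is not "last_name".
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    for name in required_attrs:
        if name not in attrs:
            problems.append(f"missing attribute '{name}'; names are case-sensitive, present: {sorted(attrs)}")

    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    return {"name_id": name_id, "attributes": attrs, "problems": problems}


if __name__ == "__main__":
    result = check_assertion(SAMPLE_RESPONSE, SP_ENTITY_ID, IDP_ISSUER, REQUIRED_ATTRS, "2024-05-01T12:01:00Z")
    print("NameID:", result["name_id"])
    for name, values in result["attributes"].items():
        print(f"  {name} = {values}")
    for p in result["problems"]:
        print("PROBLEM:", p)
```

Run against a decoded SAMLResponse (the base64 value posted to the ACS URL) the output tells you which of the three usual causes of a failed SSO sign-in applies: wrong Entity ID pasted into the IdP, clock skew between IdP and SP, or an attribute name that does not match the mapping.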
Enable Microsoft 365 SSO
- Go to Microsoft Azure > Users and groups > Add user.
- Select Users and click Select to add the users.
- To test whether the configuration is successful, go to Microsoft Azure > Single Sign-on and select Test > Sign in as current user.
Once the configuration is completed, any user on the assignment list selected in Step 2 can use Microsoft SSO to sign in to their Identity Enterprise Portal.
Custom SAML Identity Provider
- Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
- Navigate to SECURITY > Identity Providers and select the Identity Provider tab to expand.
- Click Add Identity Provider.
- On the Add Identity Provider page, select SAML IdP as Type and fill in the rest of the fields.
- Click Save.
- Name: Enter a name for the identity provider.
- Status: Switch on the toggle to enable the identity provider.
- Protocol: SAML 2.0 is the protocol that is currently supported.
- Identity (Entity ID) and Reply URL (Assertion Consumer Service URL): These are generated automatically. Copy and paste them into the identity provider's configuration; the identity provider will then supply the values for the following fields on this page: IdP Issuer URI (Entity ID), IdP Single Sign-On URL, and IdP Signature Certificate.
- IdP Issuer URI (Entity ID): The Entity ID (issuer) value supplied by the identity provider.
- IdP Single Sign-On URL: The sign-on URL from the Identity Provider.
- IdP Signature Certificate: Click to upload the certificate from the Identity Provider used to sign the assertion.
- After saving this configuration, the added identity provider will appear in the Identity Providers tab.
Workspace ONE
- Sign in to your Workspace ONE Access Console.
- Select Resources on the top navigation menu.
- Select Web Apps and click New.
- Enter the Web App name and fill in the information.
- Refer to the Workspace ONE and Identity Enterprise Manager tables below and fill in the required properties.
- To get the Metadata XML file from Workspace ONE, go to Resources > Web Apps > Settings > SAML Metadata > Identity Provider (IdP) metadata and click Copy URL.
- To get the launch URL from Workspace ONE, go to Resources > Web Apps and select the application you created for your Identity Enterprise Portal. Click Definition > Launch URL > Copy URL.
Workspace ONE
Property | Value |
Single Sign-On URL | https://example.ui.com/gw/eot/api/sso/saml |
Recipient URL | https://example.ui.com/gw/eot/api/sso/saml |
Application ID | xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx |
Username Format | Email Address |
Username Value | ${user.email} |
Identity Enterprise Manager
Property | Value |
Identifier (Entity ID) | https://example.ui.com/cloud/saml2/service-provider/xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (The last part is the Application ID.) |
ACS URL | https://example.ui.com/gw/eot/api/sso/saml |
IdP Issuer URL (Entity ID) | https://example.workspaceair.com/SAAS/API/1.0/GET/metadata/idp.xml (See Step 6 above.) |
IdP Single Sign-On URL | https://example.workspaceair.com:443/SAAS/API/1.0/GET/apps/launch/app/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (This is the launch URL from the Workspace ONE application configuration. See Step 7 above.) |
Known Issue
When signing in to your Identity Enterprise Portal via Workspace ONE from a URL that is not https://example.ui.com/login, you might encounter the error shown in the screenshot below. To prevent this, do either of the following:
- Make sure the format https://example.ui.com/login is used for the Single Sign-On URL.
- Before logging in to your Identity Enterprise Workspace, log in to Workspace ONE first and make sure the account status is logged in.
OneLogin
- Sign in to your OneLogin (https://[your_domain].onelogin.com/login).
- Select Applications in the top menu.
- Click Add App.
- Search for and select SAML Custom Connector (Advanced).
- Fill in the information, and click Save.
- In Configuration, fill in the following attributes:
Attributes | Content in UniFi Identity Enterprise |
Audience (EntityID) | Identity (Entity ID) |
Recipient | ACS URL |
ACS (Consumer) URL | ACS URL |
ACS (Consumer) URL Validator | ACS URL |
- In SSO, copy the required fields and paste them into the corresponding sections in UniFi Identity Enterprise:
Attributes | Content in UniFi Identity Enterprise |
Issuer URL | IdP Issuer URL (Entity ID) |
SAML 2.0 Endpoint (HTTP) | IdP Single Sign-On URL |
X.509 Certificate > View Details > Download | Upload it to IdP Signature Certificate |