Help Center Help Articles Professional Support Community RMA & Warranty Downloads Tech Specs

UniFi Identity Enterprise - Configure Identity Providers in the Legacy User Interface

The UniFi Identity Enterprise SSO engine utilizes SAML for Google, Microsoft, and other custom identity providers (IdPs), which allows users to sign in to UniFi Identity Enterprise using their IdP credentials. Users can choose to sign in with Google, Microsoft, or custom IdPs.

Note: This feature is unavailable in the Basic Plan. To use this feature, do either of the following:

  • Use your owner account to sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud) and go to SETTINGS > Plan to subscribe to the Standard Plan.
  • Use your owner account to sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud) and go to SETTINGS > Plan > Workspace Plan > Apply for Plan Add-Ons to apply for a free trial of this feature.

Google SSO Authentication

Set Up Google SSO Authentication

  1. Sign in to your Google Admin console at https://admin.google.com and navigate to Apps > Web and mobile Apps.
  2. Go to Add App > Add custom SAML app, provide the requested app details, and click Continue.
  3. Download the IdP Metadata file.
  4. On your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud), go to Security > Identity Provider > Google > Click to Enable.
  5. Fill in the information, go to the Metadata File field, and upload the metadata file you downloaded in Step 3.
  6. Click Save and do not close this page.
  7. Copy the values of ACS URL and Identifier (Entity ID) and then go to your Google Admin console and paste them into the Service Provider details page.
  8. Click Continue.
  9. Go to the Attribute mapping section and use the Add Mapping button to add the three values below.
  10. Click Finish to save the settings.
    Google Directory Attribute App Attribute
    Primary email email
    First name first_name
    Last name last_name

Enable SSO for UniFi Identity Enterprise on Google Admin Console

  1. On your Google Admin console, go to the app details page and expand the User access section.

  2. Enable the IdP by selecting ON for everyone. If you wish to only enable it for a specific UniFi Identity Enterprise organization, use the Organizational Units dropdown menu on the left to make your selection.

  3. Click Save to finish. Google indicates that it may take up to 24 hours for the Google option to appear on all users' UniFi Identity Enterprise sign-in pages.

Tips

If the following error is prompted when sign-in with Google:

Error: app_not_configured_for_users
  1. Please make sure the app is ON for everyone or for the user's organization.
  2. Allow up to 24 hours for Google to update the settings to allow users to access the app after the above steps are configured.

Set Up Microsoft 365 SSO

Set Up Microsoft 365 SSO

  1. Sign in to the Microsoft Admin Console.
  2. On the left navigation panel, go to Menu > Azure Active Directory > Enterprise applications.
  3. In the Application Type menu, click All applications > New application.
  4. Click Create your own application, name your application and enter the requested information, and select Integrate any other application you don't find in the gallery (Non-gallery).
  5. Click Create. Note: If no application is displayed after this step, please refresh the web page.
  6. Select Single sign-on > SAML. Do not close this page yet.
  7. Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
  8. Go to SECURITY > Identity Providers and select Microsoft.
  9. Turn on theStatus“ toggle to enable Microsoft integration, and copy the values of Identity (Entity ID) and Reply URL (Assertion Consumer Service URL). Do not close this page yet.
  10. Go to the Microsoft Azure > Set up Single Sign-On with SAML page and edit the Basic SAML Configuration section. Do the following and click Save:
    • Identifier (Entity ID): Paste the value you copied from Identity (Entity ID) in your Identity Enterprise Manager.
    • Reply URL (Assertion Consumer Service URL): Paste the value you copied from Reply URL (Assertion Consumer Service URL) in your Identity Enterprise Manager.
  11. Download the Federation Metadata XML file from the SAML Signing Certificate section.
  12. Return to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud) > SECURITY > Identity Provider > Microsoft page and upload the Federation Metadata XML file you downloaded.
  13. Click Save.
  14. Return to the Microsoft Azure > Set up Single Sign-On with SAML page and Edit the User Attributes & Claims section.
  15. Click Add new claim to add all the claims below. You do not need to fill the Namespace field.
Name Source Source Attribute
Email Attribute user.mail
First_name Attribute user.givenname
Last_name Attribute user.surname

 

Enable Microsoft 365 SSO

  1. Go to Microsoft Azure > Users and groups > Add user.
  2. Select Users and click Select to add the users.
  3. To test whether the configuration is successful, go to Microsoft Azure > Single Sign-on and select Test > Sign in as current user.
    Once the configuration is completed, any user on the assignment list selected in Step 2 can use Microsoft SSO to sign in to their Identity Enterprise Portal

Custom SAML Identity Provider

Was this article helpful?