
UniFi Identity Enterprise - SSO Apps Overview

SSO (Single Sign-On) enables users to sign in to multiple applications using a single set of authentication credentials. SSO Apps are configured connections between UniFi Identity Enterprise and third-party applications. Administrators can assign SSO apps to user groups or users in UniFi Identity Enterprise, allowing users to access configured third-party applications with UniFi Identity Enterprise credentials.

Users can view and access the applications assigned to them in their Identity Enterprise Workspace or Identity Enterprise apps.

  • Identity Enterprise Workspace: Go to your Identity Enterprise Workspace > APPLICATIONS.
  • Identity Enterprise desktop app: Open the UniFi Identity Enterprise desktop app and click Apps.
  • Identity Enterprise mobile app: Open the UniFi Identity Enterprise mobile app and tap the App icon.

Requirements

  • Not all user roles can view, configure, and assign/unassign users to SSO Apps on UniFi Identity Enterprise. See Workspace-Level Permissions - SSO Application Management for more details.
  • You can configure context-based security policies for your applications to determine whether users have access to the applications, whether they should re-enter their password, or whether they should be authenticated by MFA based on their login attributes. See SSO Apps Policy and Rule for more details.

Add SSO Apps Assignment Admins

You can create SSO app assignment admins and let them assign added apps to users.

  1. Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
  2. Go to SSO Apps > select an added app > Settings > Assignment Admin and enable Designate the admins for assigning this app.
  3. Click Add Admin and select the users to assign as SSO app assignment admins.
  4. Click Save.

Add Pre-Configured SSO Apps

UniFi Identity Enterprise offers 20+ pre-configured applications that are ready to be added and set up with minimal configuration.

  1. Go to your Identity Enterprise Manager > SSO Apps.
  2. Click the Add New App icon to view the available pre-configured applications.
  3. Select an application and click Add. Refer to the following articles for more details.

Add Custom Apps

If the desired app is not available in the pre-configured list, you can integrate custom apps using SAML 2.0, OpenID Connect, or Shortcut.

Add SAML 2.0 App (Supports SCIM Provisioning)

SAML 2.0 is an XML-based open standard for SSO. Use it if the identity provider for your app only supports SAML.

  1. Go to your Identity Enterprise Manager > SSO Apps.
  2. Click the Add New App icon and then click Add Custom App.
  3. Select SAML 2.0 and click Add.
  4. Enter the app Name.
  5. Click Upload App Icon to upload an image in PNG or JPG format (maximum 400 pixels, 200 KB). Tick Show the app icon to users if needed.
  6. Complete the Sign On Settings.
    • Single Sign-On URL: The location to send the SAML assertion using a POST operation. This URL is required and serves as the default Assertion Consumer Service (ACS) URL value for the Service Provider (SP). This URL is always used for IdP-initiated sign-on requests.

    • Audience URI (SP Entity ID): The intended audience of the SAML assertion.

    • Default RelayState: The page users will be redirected to after a successful sign-on.

    • Name ID Format: The username format that you're sending in the SAML Response. Consult the SP documentation to determine which format to use, but use the default Unspecified if the application doesn't explicitly specify a format.

    • App Username: The default value to use for the username with the application.

  7. Turn on SCIM Connection if the app supports SCIM provisioning and complete the following: 
    • SCIM Version: SCIM 2.0 is currently supported.
    • SCIM Connector Base URL 
    • Unique Identifier Field for Users
    • Supported Provisioning Actions: Choose the provisioning actions supported by your SCIM server.
      • Push new users from Identity Enterprise to the app: This contains the settings for updated first name, last name, and email information that flow from Identity Enterprise into your SCIM app.
      • Push profile updates from Identity Enterprise to the app: This contains the settings for all the profile information that flows from Identity Enterprise into your SCIM app.
      • Authentication Mode: Choose which mode you want Identity Enterprise to use to connect to your SCIM app.
        • Basic Auth: To authenticate using Basic Auth mode, provide the username and password for the account that handles the create, update, and deprovisioning actions on your SCIM server.
        • HTTP Header: To authenticate using the HTTP Header, provide a bearer token that authorizes the user against your SCIM app. 
        • OAuth2: To authenticate using OAuth 2.0, provide the access token and authorization endpoints for your SCIM server, along with a client ID and a client secret.
  8. Click Add.
  9. Please obtain the values according to your app configuration requirements and configure them in your third-party app.
  10. Click Done to complete.
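
The Sign On Settings above only protect the app if the Service Provider compares incoming assertions against the same values. The following is an added example, not code from UniFi Identity Enterprise or any SP; the URLs, the sample response, and the check_targeting helper are constructed for illustration, and it assumes the XML signature has already been verified by a SAML library.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values entered in Sign On Settings (constructed for this example).
ACS_URL = "https://app.example.com/saml/acs"      # Single Sign-On URL
SP_ENTITY_ID = "https://app.example.com/saml/sp"  # Audience URI (SP Entity ID)
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed SAML Response, trimmed to the fields checked below (no signature).
SAMPLE_RESPONSE = f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}"
    Destination="{ACS_URL}">
  <a:Assertion>
    <a:Subject>
      <a:NameID Format="{UNSPECIFIED}">jdoe@example.com</a:NameID>
      <a:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <a:SubjectConfirmationData Recipient="{ACS_URL}"/>
      </a:SubjectConfirmation>
    </a:Subject>
    <a:Conditions>
      <a:AudienceRestriction><a:Audience>{SP_ENTITY_ID}</a:Audience></a:AudienceRestriction>
    </a:Conditions>
  </a:Assertion>
</p:Response>"""


def check_targeting(xml_text, acs_url, entity_id, name_id_format=UNSPECIFIED):
    """Return the fields that do not match the SP's configuration ([] = all match)."""
    root = ET.fromstring(xml_text)  # signature verification must happen before this
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination")
    scd = root.find("a:Assertion/a:Subject/a:SubjectConfirmation/a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient")
    audiences = [e.text.strip() for e in root.iterfind(".//a:AudienceRestriction/a:Audience", NS) if e.text]
    if entity_id not in audiences:
        problems.append("Audience")
    name_id = root.find("a:Assertion/a:Subject/a:NameID", NS)
    # An omitted Format attribute means "unspecified" in SAML 2.0.
    if name_id is None or name_id.get("Format", UNSPECIFIED) != name_id_format:
        problems.append("NameID Format")
    return problems
```

A mismatch in Audience or Recipient usually means the Audience URI or Single Sign-On URL entered in the app settings differs from what the SP expects, or that the assertion was issued for a different application.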

Add OpenID Connect App

An OpenID Connect (OIDC) app integration provides an identity layer on top of the OAuth 2.0 protocol to verify end users' identities and obtain profile information.

  1. Go to your Identity Enterprise Manager > SSO Apps.
  2. Click the Add New App icon and then click Add Custom App.
  3. Select OpenID Connect and click Add.
  4. Enter the app Name.
  5. Click Upload App Icon to upload an image in PNG or JPG format (maximum 400 pixels, 200 KB). Tick Show the app icon to users if needed.
  6. Enter the Initiate Sign-In URI.
  7. Complete the Configure OpenID Connect settings:
    • Sign-In Redirect URL: This is where Identity Enterprise sends the authentication response and ID token for the sign-in request. The URIs must be absolute URIs. You can specify multiple URIs, and sort them in any order. Users see an error message if they try to sign in to a URI that isn't registered with your integration.
    • Sign-Out Redirect URL: After your app contacts Identity Enterprise to close the user session, Identity Enterprise redirects the user to this URI. The URIs must be absolute URIs. You can specify more than one URI. 
  8. Click Add.
  9. Please obtain the values according to your app configuration requirements and configure them in your third-party app.
  10. Click Done to complete.
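
The redirect rules in step 7 (absolute URIs only, error for unregistered URIs) follow the usual OAuth 2.0 pattern from RFC 6749. The following is an added example of that pattern, not Identity Enterprise's own code; the URLs and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit


def registration_error(uri):
    """Return why a URI cannot be registered, or None if it is acceptable."""
    parts = urlsplit(uri)
    if not parts.scheme:
        return "not an absolute URI"
    if parts.scheme in ("http", "https") and not parts.hostname:
        return "missing host"
    if "#" in uri:
        return "fragment not allowed"  # RFC 6749 section 3.1.2
    return None


def register(uris):
    """Keep the URIs that pass registration; their order does not matter."""
    return frozenset(u for u in uris if registration_error(u) is None)


def authorize(params, registered):
    """Decide where the authentication response for one sign-in request goes."""
    uri = params.get("redirect_uri", "")
    if uri not in registered:  # exact string match: no prefix or wildcard logic
        # Never redirect to an unregistered URI; show the error to the user instead.
        return ("error_page", "redirect_uri is not registered")
    return ("redirect", uri)


# Constructed values standing in for the Sign-In Redirect URL list.
REGISTERED = register([
    "https://app.example.com/oidc/callback",
    "https://staging.example.com/oidc/callback",
    "/oidc/callback",                              # relative: rejected
    "https://app.example.com/oidc/callback#done",  # fragment: rejected
])
```

Exact matching means a path suffix, a different host casing, or an extra query string on the requested URI all produce the error page rather than a redirect.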

Add Shortcut App

Access the specified website quickly by entering its URL.

  1. Go to your Identity Enterprise Manager > SSO Apps.
  2. Click the Add New App icon and then click Add Custom App.
  3. Select Shortcut and click Add.
  4. Enter the app Name.
  5. Click Upload App Icon to upload an image in PNG or JPG format (maximum 400 pixels, 200 KB). Tick Show the app icon to users if needed.
  6. Enter the Sign-On URL.
  7. Click Add.

View SSO App Expense Insights

Identity Enterprise simplifies SSO app expense management by automatically generating charts that display each month's estimated or actual expenses. This feature helps you ensure timely subscription cancellations for unused or redundant apps, preventing unnecessary costs.

Note: This feature is only available in the Identity Enterprise Standard Plan. To subscribe to it, please use your Owner account to sign in to your Identity Enterprise Manager and go to Settings > Plan & Billing > Upgrade Plan.

  1. Go to your Identity Enterprise Manager > SSO Apps > select an app > Settings > General Settings > Expense Analysis.
  2. Tick the Show app expense insights option.
  3. Tick the Notify admins when users have been inactive for [1, 3, or 6] months option to receive push and email notifications for users who haven't accessed their assigned applications for a specified duration. The Assignment page will also display the inactive users, helping admins to unassign them and save costs.
  4. Click Save and the Expenses section will be displayed.
  5. Click Show More and fill in the required information.
  6. Click Save. You can view the app usage and performance regularly in the app's Overview tab.