Cloud Gateways Switching WiFi Physical Security Integrations
What's New Support
User
Sign Up UniFi Site Manager
Help Center Help Articles Professional Support Professional Integrators Community RMA & Warranty Downloads Tech Specs
User
Sign Up UniFi Site Manager
Help Center Help Articles Professional Phone Support Professional Integrators Community RMA & Warranty Downloads Tech Specs
Cloud Gateways Switching WiFi Physical Security Integrations

Social

Facebook Twitter Youtube Instagram

Company

Careers Contact Us Investors

Training

Courses Calendar Trainers Become a Trainer

Tools

WiFiman UISP Design Center
  1. Ubiquiti Help Center
  2. UniFi
  3. Organization Manager

Creating an Identity Hub In Your Organization

Identity Hub allows you to centralize user and permission management for your Organization, offering real-time syncing of users from your Identity Provider (IdP) or directory service, along with SAML-based single sign-on (SSO) and multi-factor authentication (MFA). 

Central management of the following services are available at the Organization level:

  • One-Click VPN (including Split-Tunnel Routing) using the Identity Endpoint App
  • One-Click WiFi using the Identity Endpoint App
  • Door Access Permissions and Unlock Methods

If you haven’t done so, start by Creating a UniFi Organization.

Before You Begin

Warning This feature is in Early Access.

    • Requires UniFi OS 4.2.5+
    • Use dedicated account and have caution when using in production environments.

Data Migration

When Identity Hub is enabled, your connected Identity Provider (IdP) or Directory Service becomes the source of truth for all users in the Organization. Please note the following behaviors:

  • Admin retention depends on if they were added using a UI Account, or locally.
    • Admins added using their UI Account will be retained, regardless of their presence in the IdP.
    • Local (offline) admins will not be retained.
  • User retention is based on email address:
    • Only users with matching emails in your IdP will be retained.
    • If the same email exists on multiple sites, those records will be merged into a single Organization-level user.
  • If using Door Access:
    • You’ll select one site whose local user-to-unlock method mappings (e.g., PINs, NFC cards) will be retained and migrated.
    • Unlock methods from all other sites must be manually reassigned or re-provisioned to users at the Organization level.
    • License plates, face photos, and Touch Pass credentials will be retained across all sites
  • If a user has multiple license plates, touch passes, or face photos, only one of each will be preserved.
  • Access policies will be retained.
  • If any site is using Identity or Identity Enterprise:
    • Identity Enterprise must be deactivated before proceeding.
    • Users managed via non-Enterprise Identity (local Identity) will be migrated automatically after setup.
    • One-Click VPN and WiFi assignments from non-Enterprise Identity will also be retained during this process.

Selecting an Identity Hub

As part of your Organization, one UniFi Host will act as the Identity Hub—orchestrating users, group permissions, and access policies across all other connected sites.

UniFi OS Host and Door Access Requirements

Any of the hosts listed below, running a minimum UniFi OS version of 4.2.8 or later:

  • Enterprise Fortress Gateway (EFG)
  • Dream Machine Pro / SE / Max
  • CloudKey Enterprise
  • UniFi Network Video Recorders (UNVR Pro and ENVR)

Note: For Organizations using Door Access, Access must also run version 3.2.50 or later

Getting Started

  1. Navigate to your Organization Manager using one of the following methods:
    • Navigate to unifi.ui.com > select your Organization from the dropdown menu next to the search bar.
    • Navigate directly to your organization’s domain(i.e., <your-org-domain>.ui.com).
  2. Navigate to Admins>Identity Hub>Get Started.
  3. Select a Host that will be your Organization’s Identity Hub. 
    • This device stores identity configurations and syncs with your Identity Provider.
    • For best results, choose a high-availability host like an Enterprise Fortress Gateway configured with Shadow Mode.
  4. (Optional) Manually configure the Server Address and Port used for communication between Identity Hub and your IdP.
    • If your Identity Hub has multiple public IPs, select which one to use.
    • You can also choose Use Alternative Address to manually enter an IP or FQDN.
    • If your UniFi Host does not have a public IP, create a port forwarding rule on the upstream gateway.
      • <Upstream-Gateway-Public-IP>:9543 → <Identity-Hub-IP>:9543
  5. Integrate with your respective Identity Provider (IdP) or Directory Service.
  6. (Door Access Deployments Only) Select the one site whose existing NFC Card and PIN assignments you want to retain.
    • Unlock methods from all other sites will need to be reassigned or re-provisioned after setup

    • For full behavior details and recommendations, see Before You Begin .

  7. Assign permissions to users and onboard them to the Identity Endpoint App following the instructions here.

Troubleshooting if Unable to Set Up Identity Hub After Zone-Based Firewall Upgrade

If you're setting up Identity Hub on a UniFi Console behind a Gateway Console after upgrading to the Zone-Based Firewall (ZBF) feature, the setup may fail. This issue typically occurs because once a zone-based policy is applied, access to the UniFi Console via its gateway WAN IP and port (e.g., 9543) is blocked by default — including self-access.

To resolve this, you can choose one of the following workarounds:

Option 1: Manually Add a Self-to-Self Allow Policy

  1. Open the Gateway Console and go to Network Application > Settings > Policy Engine.
  2. Scroll down and click Create Policy.
  3. In Source Zone, select the affected zone.
  4. Set the Action to Allow.
  5. In Destination Zone, select the same zone.
  6. Under Port settings for the Destination Zone:
    • Choose Specific.
    • Enter your port forwarding port (e.g., 9543) as the allowed port.

Once this policy is added, the UniFi Console should be able to reach itself via your port forwarding port without any further issues.

Option 2: Move the Hub Console to a Different LAN

If you prefer not to modify firewall rules, another option is to relocate the UniFi Console to a LAN that is not assigned to the restricted zone. This allows communication to proceed without being blocked by zone-based restrictions.

Troubleshooting Identity Hub Setup Issues

  1. Verify Hosting Console Requirements
    1. Ensure your hosting console firmware is v4.2.5 or later.
    2. Confirm the console model meets the requirements here.
    3. Make sure the console is powered on and connected to the internet.
  2. Check Network Connectivity
    1. Test server address reachability ping <server_address>
      1. Success: Returns latency (ms) with 0% packet loss
      2. Failure: Shows timeout or unreachable
    2. Run the following command to test network communication between the hosted console and the server address nc -zv <hosted_console_ip> <port>
    3. Expected Output (Normal): Connection to {hosted_console_ip} port {port} [tcp/*] succeeded
    4. If both (a) and (b) fail:
      1. Check Step 3 below for port or gateway forwarding issues.
      2. Verify local firewall settings or ISP restrictions aren’t blocking outbound connections. Contact your ISP if necessary.
  1. Check Public IP and Port Forwarding

If your hosting console does not have a public IP, set up port forwarding.

  1. If your upstream console is a UniFi Gateway
    1. Go to your Gateway’s Network Application > Settings > Policy Engine > Port Forwarding.
    2. Click Create Entry.
    3. Set a Rule Name.
    4. Under WAN Port and Forward Port, enter an unused port between 9450–9550.
    5. In Forward IP Address, enter your hosting console’s IP.
    6. Click Add.
    7. Return to the Identity Hub setup page, select the hosting console, enter your WAN IP and port, and try again.
  2. If your UniFi Gateway has Zone-Based Firewall enabled, follow the steps here to troubleshoot.
  3. If your upstream console is a third-party gateway, follow the manufacturer’s manual or website for port forwarding instructions, and configure:
    1. External (WAN) Port: Any unused port between 9450–9550.
    2. Internal Port: Same as the selected WAN port.
    3. Internal IP Address: LAN IP of your hosting console.
  1. Check your Identity Hub status:
    1. Run the following command to check Identity Hub status: SSH root@{hosting_console_ip} then ucs test status
    2. If the status shows stopped, restart it: ucs restart
    3. Return to the Identity Hub setup page and try again.
  2. If the issue persists, contact Support with your hosting console’s support file.

Organization and Identity Hub Management

For more information, see Managing Your UniFi Organization.

Was this article helpful?