
Creating an Identity Hub In Your Organization

Identity Hub allows you to centralize user and permission management for your Organization, offering real-time syncing of users from your Identity Provider (IdP) or directory service, along with SAML-based single sign-on (SSO) and multi-factor authentication (MFA). 

Central management of the following services is available at the Organization level:

  • One-Click VPN (including Split-Tunnel Routing) using the Identity Endpoint App
  • One-Click WiFi using the Identity Endpoint App
  • Door Access Permissions and Unlock Methods

If you haven’t done so, start by Creating a UniFi Organization.

Before You Begin

Warning: This feature is in Early Access.

  • Requires UniFi OS 4.2.5+
  • Use a dedicated account and exercise caution when using this feature in production environments.

Data Migration

When Identity Hub is enabled, your connected Identity Provider (IdP) or Directory Service becomes the source of truth for all users in the Organization. Please note the following behaviors:

  • Admin retention depends on whether the admin was added using a UI Account or locally.
    • Admins added using their UI Account will be retained, regardless of their presence in the IdP.
    • Local (offline) admins will not be retained.
  • User retention is based on email address:
    • Only users with matching emails in your IdP will be retained.
    • If the same email exists on multiple sites, those records will be merged into a single Organization-level user.
  • If using Door Access:
    • You’ll select one site whose local user-to-unlock method mappings (e.g., PINs, NFC cards) will be retained and migrated.
    • Unlock methods from all other sites must be manually reassigned or re-provisioned to users at the Organization level.
    • License plates, face photos, and Touch Pass credentials will be retained across all sites.
  • If a user has multiple license plates, touch passes, or face photos, only one of each will be preserved.
  • Access policies will be retained.
  • If any site is using Identity or Identity Enterprise:
    • Identity Enterprise must be deactivated before proceeding.
    • Users managed via non-Enterprise Identity (local Identity) will be migrated automatically after setup.
    • One-Click VPN and WiFi assignments from non-Enterprise Identity will also be retained during this process.

Selecting an Identity Hub

As part of your Organization, one UniFi Host will act as the Identity Hub, orchestrating users, group permissions, and access policies across all other connected sites.

UniFi OS Host and Door Access Requirements

Any of the hosts listed below, running UniFi OS 4.2.8 or later:

  • Enterprise Fortress Gateway (EFG)
  • Dream Machine Pro / SE / Max
  • CloudKey Enterprise

Coming Soon:

  • UniFi Network Video Recorders (UNVR Pro / Enterprise UNVR)
  • Self-hosted UniFi Network

For Organizations using Door Access, the Identity Hub must also run:

  • Access version 3.1.30 or later for standard unlock methods
  • Access version 3.2.0 or later for Face Unlock and Touch Pass

Getting Started

  1. Navigate to your Organization Manager using one of the following methods:
    • Navigate to unifi.ui.com > select your Organization from the dropdown menu next to the search bar.
    • Navigate directly to your organization’s domain (e.g., <your-org-domain>.ui.com).
  2. Navigate to Admins > Identity Hub > Get Started.
  3. Select a Host that will be your Organization’s Identity Hub.
    • This device stores identity configurations and syncs with your Identity Provider.
    • For best results, choose a high-availability host like an Enterprise Fortress Gateway configured with Shadow Mode.
  4. (Optional) Manually configure the Server Address and Port used for communication between Identity Hub and your IdP.
    • If your Identity Hub has multiple public IPs, select which one to use.
    • You can also choose Use Alternative Address to manually enter an IP or FQDN.
    • If your UniFi Host does not have a public IP, create a port forwarding rule on the upstream gateway.
      • <Upstream-Gateway-Public-IP>:9543 → <Identity-Hub-IP>:9543
  5. Integrate with your respective Identity Provider (IdP) or Directory Service.
  6. (Door Access Deployments Only) Select the one site whose existing NFC Card and PIN assignments you want to retain.
    • Unlock methods from all other sites will need to be reassigned or re-provisioned after setup.
    • For full behavior details and recommendations, see Before You Begin.
  7. Assign permissions to users and onboard them to the Identity Endpoint App following the instructions here.

Organization and Identity Hub Management

For more information, see Managing Your UniFi Organization.
