Managing Organization User Permissions and Identity Endpoint Onboarding
UniFi Organizations allow you to centrally manage user permissions for key services like VPN, WiFi, and Door Access—making it easy to deliver a secure, seamless IT experience across all of your sites.
This guide covers what services can be managed at the Organization level, how to enable and configure them, and how Identity Endpoint enhances the end-user experience.
If you have not done so yet, start by Creating an Identity Hub for Your Organization.
Centrally Managed Services
The following services can be enabled and assigned to users or groups at the Organization level:
- One-Click VPN (including Split-Tunnel Routing) using the Identity Endpoint App
- One-Click WiFi using the Identity Endpoint App
- Door Access Permissions and Unlock Methods
These services will become available to users via their Identity Endpoint App.
Additional UniFi services will be added to centralized management over time. Currently, the following must still be configured at the individual site level:
- UniFi Talk (Users and Softphones)
- UniFi Protect (Camera Sharing)
- UniFi Drive (File Access)
- UniFi Connect (EV Charging)
What is Identity Endpoint?
Identity Endpoint is a license-free, zero-trust access solution that enables seamless, secure interaction between end users and your UniFi infrastructure.
Identity Endpoint uses SAML-based authentication, allowing users to log in with their existing SSO credentials and complete any configured multi-factor authentication (MFA) flows. This ensures a familiar and secure experience for end users.
Enabling UniFi Services and Assigning Permissions
- Navigate to your Organization Manager using one of the following methods:
  - Visit unifi.ui.com and select your Organization from the dropdown menu.
  - Or go directly to your domain (e.g., your-org.ui.com).
- Navigate to Settings > Identity Hub.
- Under the Services tab, click a service (e.g., One-Click VPN, One-Click WiFi, or Door Access) and select the sites where you want it enabled.
- (Optional) Add custom configurations for each service:
  - Smart Door Access
    - By default, all unlock methods are enabled, but they can be customized per reader. See configuration steps here.
    - To globally disable specific unlock methods, go to Settings > Identity Hub > Smart Door Access > Global Settings.
  - One-Click WiFi
    - One-Click WiFi Name: A new SSID will be automatically created on each selected UniFi Site.
  - One-Click VPN
    - Hover over a selected site and click the Settings icon to configure service-specific options:
      - DNS Suffix: Appended to unqualified hostnames for DNS resolution. (Windows clients only)
      - Split Tunneling: Routes only the specified IP addresses and subnets through the VPN. All other traffic remains on the user's local internet connection.
- Navigate to Admins > User Groups or Directory.
- Select a User or User Group, then click the Settings icon.
- For each service, click the + and select the sites you'd like to grant access to.
- If you haven't done so already, see Configuring Access Policies to create policies that can be applied to users within a given site.
- If you haven’t already, send the user or group an invite to the Identity Endpoint App:
- Go to the Overview tab in the sidebar and click Invite.
- Once invited, the user will receive an email with instructions to download the app and sign in using their SSO credentials.
- The selected services will automatically appear in the user’s Identity Endpoint App.
Onboarding to the Identity Endpoint App
Once a user has been assigned permissions and invited using the steps above, they will receive an email prompting them to download the Identity Endpoint App and to authenticate using their SSO credentials. See the UniFi Identity Endpoint User Guide for more information.