UID - Enable Single Sign-On (SSO)

The UID Workspace is equipped with Single Sign-On with SAML for Google and Microsoft when using the Standard Plan. This feature allows users to log into UID using their credentials from either of these Identity Providers. If enabled, users will see the option to sign in with Google or Microsoft under the UID credential sign-in fields. 

Set up Google SSO for UID

To set up Google SSO for UID:

1. Log in to the Google Admin console at https://admin.google.com and navigate to Apps > SAML Apps.

2. Go to Add App > Add custom SAML app, provide the requested app details, and click Continue.

3. Download the IdP metadata. You will need this file in step 5.

4. Log into UID and go to UID Cloud > Security > Identity Provider, then click Google integration.

5. Enable Google integration by changing its Status and upload the Metadata File you downloaded in step 3. Click Save. Do not close this page yet.

6. Go back to the Google Admin console and fill in the ACS URL and Entity ID in the Service Provider details page with the information seen in the UID Identity Providers section from step 5. Click Continue.

7. Go to the Attribute mapping section and use the Add Mapping button to add these three values as follows:

| Google Directory attributes | App attributes |
|---|---|
| Primary email | email |
| First name | first_name |
| Last name | last_name |

Click Finish to save your settings.

To enable Google SSO:

1. On the Google Admin site, go to the app details page and expand the User access section.

2. Enable the IdP by selecting ON for everyone. If you wish to only enable it for a specific UID organization, use the Organizational Units dropdown on the left-hand menu to make your selection.

3. Click Save to finish. 

Note: Google warns it may take up to 24 hours for all users to see the Google login option.

Set up Microsoft SSO for UID

To set up Microsoft SSO for UID:

1. Log in to the Microsoft Admin console at https://portal.azure.com/.

2. On the left navigation panel, go to Menu > Azure Active Directory > Enterprise applications.

3. In the Application Type menu, select All applications, and click New application.

4. Click Create your own application, and enter the requested information. Click Create when you’re done.

  • Provide a name for the application
  • Select the Non-gallery option

Note: If there’s no application displayed after this process, please refresh the web page.

5. Select Single sign-on > SAML. Do not close this page yet.

6. Log into UID and go to UID Cloud > Security > Identity Providers and select Microsoft.

7. Generate an Identity (Entity ID) and switch on the Status toggle to enable the Microsoft integration. Do not close this page yet.

8. Go to the Microsoft Azure > Set up Single Sign-On with SAML page and Edit the Basic SAML Configuration data, substituting the default with the following:

  • Reply URL (Assertion Consumer Service URL) as seen in the previous UID page
  • Entity ID as seen in the previous UID page
  • Relay State with https://login.uid.alpha.ui.com
  • Click Save.

9. Download the Federation Metadata XML file from the SAML Signing Certificate section.

10. Go back to the UID Cloud > Microsoft integration page and upload the Federation Metadata XML. Click Save. 

11. Back on the Microsoft Azure > Set up Single Sign-On with SAML page, edit the User Attributes & Claims section.

12. Click Add new claim to add each of these claims:

| Name | Source | Source Attribute |
|---|---|---|
| Email | Attribute | user.mail |
| First_name | Attribute | user.givenname |
| Last_name | Attribute | user.surname |

Note: You do not need to fill the Namespace field.

To enable Microsoft SSO:

1. Go to Microsoft Azure > Users and groups > Add user.

2. Select the Users and click Select to add them all.

Note: You may test if the configuration was successful by going to Microsoft Azure > Single Sign-on and selecting Test > Sign in as current user.

Once the configuration is complete, any user on the Assignment list selected in step 2 will be able to use Microsoft SSO when logging into UID.
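
The attribute mapping (Google) and claims (Microsoft) steps above are the easiest to get wrong, so the following added example, which is not part of the UID documentation, lists which expected attributes a captured SAMLResponse actually carries. It assumes the response was copied base64-encoded from a test sign-in and that names must match exactly; the function and constant names are hypothetical, and it does not verify the signature.

```python
import base64
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GOOGLE_APP_ATTRIBUTES = ("email", "first_name", "last_name")   # Google mapping table
MICROSOFT_CLAIM_NAMES = ("Email", "First_name", "Last_name")   # Microsoft claims table

# Constructed, unsigned sample response: one claim carries a namespace prefix
# and one has no value, two mistakes the check below should report.
_SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="Email">
      <saml:AttributeValue>alex@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="https://claims.example.test/First_name">
      <saml:AttributeValue>Alex</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Last_name">
      <saml:AttributeValue></saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(_SAMPLE_XML.encode()).decode()


def attribute_problems(saml_response_b64: str, expected) -> dict:
    """Map each expected attribute name to its problem; empty dict means all present."""
    raw = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("response contains a DTD; refusing to parse")
    sent = {}
    path = ".//saml:AttributeStatement/saml:Attribute"
    for attr in ET.fromstring(raw).iterfind(path, SAML):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML)]
        sent[attr.get("Name", "")] = [v for v in values if v]
    problems = {}
    for name in expected:
        if name in sent:
            if not sent[name]:
                problems[name] = "empty value"
            continue
        want = name.lower()
        # Look for the same name in a different case or behind a namespace prefix.
        near = [n for n in sent if n.lower() == want or n.lower().endswith("/" + want)]
        problems[name] = f"sent as {near[0]}" if near else "missing"
    return problems


if __name__ == "__main__":
    print(attribute_problems(SAMPLE_RESPONSE_B64, MICROSOFT_CLAIM_NAMES))
```
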

Set up a custom SAML identity provider

To set up a custom SAML identity provider:

1. Log into the UID Manager Portal and navigate to Security > Identity Providers, then select the Identity Provider tab to expand it.

2. Click Add Identity Provider.

3. On the Add Identity Provider page, select SAML IdP as Type and fill in the rest of the fields. Click Save.

Need help filling in the SAML IdP fields?
  • Name: Enter a name for the identity provider.
  • Status: Switch on the toggle to enable the identity provider.
  • Protocol: SAML 2.0 is the protocol that is currently supported.
  • Identity (Entity ID) and Reply URL (Assertion Consumer Service URL): These are generated by default. Copy and paste these into the identity provider to get the data for the following fields of this page: IdP Issuer URI (Entity ID), IdP Single Sign-On URL, and IdP Signature Certificate.
  • IdP Issuer URI (Entity ID): The issuer value (Entity ID) provided by the identity provider.
  • IdP Single Sign-On URL: The sign-on URL from the Identity Provider.
  • IdP Signature Certificate: Click to upload the certificate from the Identity Provider used to sign the assertion.

4. After saving this configuration, the added identity provider will appear in the Identity Providers tab.
