3.4.2 Identity provider

The identity provider area configures the following settings related to single sign-on, as described in “Setting up external IdP linkage”.

  • Adding, confirming, editing, and deleting OIDC
  • Adding, confirming, editing, and deleting SAML
  • Adding, confirming, editing, and deleting attribute/group/role mappings
  • Setting, confirming, and changing the user data reuse policy
  • Setting, confirming, and changing the default identity provider

For the OIDC and SAML connection setting procedures for linking an external IdP, see “Setting up OIDC connection” or “Setting up SAML connection”. For an outline of attribute/group/role mappings and the description required to set them, see “Mapping attributes/groups/roles”.


(1) Identity provider outline

Select [Connection Settings] or [Common Settings] in the navigation area to configure various settings in the identity provider. Identity provider tree information is shown below.

(Table) Identity provider tree information

Item Description
Connection Settings Opening the [Connection Settings] window displays a list of OIDC and SAML connection settings. Clicking a connection setting displays its [Details] window. The list columns are as follows.
  • ID: [ID] of the connection setting
  • Display name: [Display Name] of the connection setting
  • Enabled: Enables/disables the connection setting
  • Type: Type of connection setting (OIDC/SAML)
Common Settings - User Data Reuse Policy If a user who logs in through the external IdP is the same as an existing OTOBO user who was deleted in the past, you can set whether the user information is inherited. For details, see "User data reuse policy".
Common Settings - Default Identity Provider Specifies the external IdP to be used by default at login. For details, see "Default identity provider".

The types of operation buttons in the [Connection Settings] window are as follows.

(Table) Operation buttons in the [Connection Settings] window

Item Description
Add OIDC Adds OIDC connection settings. Becomes inactive when the checkbox is checked in the connection setting list.
For details, see "Adding OIDC".
Add SAML Adds SAML connection settings. Becomes inactive when the checkbox is checked in the connection setting list.
For details, see "Adding SAML".
Delete Deletes connection settings. Becomes inactive when the checkbox is not checked in the connection setting list.


(2) Adding OIDC

To add an OIDC connection setting, click the “Add OIDC” button in the [Connection Settings] window. You will be taken to the [Add OIDC] window. Enter the required information and click the “Save” button to add the OIDC connection setting. Click the “Cancel” button to return to the [Connection Settings] window.

After adding the OIDC, the added OIDC can be edited from the [Connection setting detail] window. For details on the [Connection setting detail] window, see “Connection setting detail window”.

The items displayed and the items that can be edited differ between adding and editing OIDC. Details of the items displayed in the [Add OIDC] and [Edit OIDC] windows are shown below. Items with checkboxes are enabled by checking the checkbox; the one exception is [Disable Nonce], where checking the checkbox disables the nonce.

(Table) Items displayed in the [Add OIDC] window

Item Required Description Add window Edit window
General Settings
Enabled No Enables/disables this connection setting. Disabled OIDC connection settings are not displayed on the Ops I login window and cannot be used.
Redirect URI No Redirect URI used in the identity provider settings.
ID Yes The ID uniquely identifies the identity provider and is also used for building the redirect URI.
The number of characters allowed is from 1 to 20. The characters that can be input are as follows.
  • Single-byte alphanumeric character:
    a-z 0-9
  • Single-byte symbol:
    -
Display Name No Specifies the friendly name for the identity provider. [Display Name] is displayed on the Ops I login window.
Display Order No Specifies the display order of [Display Name] on the login window. Entries are displayed in ascending order of this value; to fix the display order, assign the values in ascending order.
Values from 1 to 1000 can be specified.
OpenID Connect Settings
Use Discovery Endpoint No Checks whether to use a discovery endpoint to obtain the identity provider configuration.
Discovery Endpoint Yes Specify the [Discovery Endpoint] to obtain the identity provider configuration.
Displayed if [Use Discovery Endpoint] is enabled.
Authorization URL* Yes Specifies the URL for the authorization endpoint.
Activated if [Use Discovery Endpoint] is disabled.
Token URL* Yes Specifies the URL for the token endpoint.
Activated if [Use Discovery Endpoint] is disabled.
UserInfo URL* No Specifies the URL for the UserInfo endpoint.
Activated if [Use Discovery Endpoint] is disabled.
Issuer* No Specifies the issuer identifier expected in the response. If not set, issuer verification is not executed.
Activated if [Use Discovery Endpoint] is disabled.
Validate Signatures* No Specifies whether to verify the identity provider signature.
Activated if [Use Discovery Endpoint] is disabled.
Use JWKS URL* No Specifies whether to obtain the identity provider's public key from the JWKS (JSON Web Key Set) endpoint. If not used, specify [Validating Public Key].
Displayed when [Validate Signatures] is enabled.
JWKS URL* No Specifies the URL for the JWKS endpoint.
Displayed when [Validate Signatures] and [Use JWKS URL] are enabled.
Validating Public Key No Specifies the public key to be used for the identity provider signature verification.
Displayed when [Validate Signatures] is enabled and [Use JWKS URL] is disabled.
Validating Public Key ID No Specifies the ID of the public key used for verification. Leave blank to always use [Validating Public Key]. Set it to use [Validating Public Key] only when it matches the key ID presented by the identity provider.
Displayed when [Validate Signatures] is enabled and [Use JWKS URL] is disabled.
Use PKCE No Checks whether to use PKCE (Proof Key for Code Exchange).
PKCE Method No Specifies the method for generating the PKCE code_challenge.
Displayed when [Use PKCE] is enabled.
Client Authentication No Specifies the client authentication method.
Client ID Yes Specifies the client identifier registered with the identity provider.
Client Secret Yes Specifies the client secret registered with the identity provider.
Client Assertion Signature Algorithm No Specifies the signature algorithm for when creating a JWT assertion in [Client Authentication]. Set if [JWT signed with client secret] is selected for [Client Authentication]. If "Algorithm not specified" is selected, [HS256] is used.
Disable Nonce No When checked, the nonce parameter is not sent in the authentication request.
Scopes No Specifies the requested scope. Specify a list of scopes separated by spaces. If omitted, "openid" is assumed.
Prompt No Specifies the required interaction that the authorization server requests from the user.
Sync Mode No Specifies the default synchronization mode for all mappings. [Sync Mode] uses mapping to determine the timing for synchronizing user data.
If [At creating user] is selected, user data will be set only once when the user is created by logging in for the first time using this identity provider.
If [Every logging in] is selected, the user data is updated at every login on this identity provider.

(Legend) ◯: Editable, △: Reference only, -: Not displayed

*This is an item in which the external IdP information is automatically entered when a discovery endpoint is specified in the [Discovery Endpoint] item. Depending on the information obtained, some fields may not be automatically entered.
When automatic entry is performed by [Discovery Endpoint], the automatically entered items and [Use PKCE] and [PKCE Method] become reference only.
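As an added illustration, not the product's own code, the following Python shows three of the mechanics behind the items above: deriving the PKCE code_challenge for [PKCE Method], building the HS256 client_assertion used when [Client Authentication] is JWT signed with client secret, and the key-selection rule for [Validating Public Key ID]. Function names and the 60-second assertion lifetime are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

def b64url(data):
    """Base64url encoding without padding, as used by JOSE and PKCE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def pkce_challenge(verifier, method="S256"):
    """Derive code_challenge from code_verifier for the chosen [PKCE Method]."""
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    if method == "plain":  # allowed by RFC 7636, but gives no protection if the verifier leaks
        return verifier
    raise ValueError("unsupported PKCE method: " + method)

def pkce_pair(method="S256"):
    """Fresh (code_verifier, code_challenge); 32 random bytes give a 43-character verifier."""
    verifier = b64url(secrets.token_bytes(32))
    return verifier, pkce_challenge(verifier, method)

def client_secret_jwt(client_id, client_secret, token_url, now=None):
    """client_assertion for [Client Authentication] = JWT signed with client secret (HS256)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_url,
              "jti": secrets.token_hex(16), "iat": now, "exp": now + 60}  # short lifetime (assumed)
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(client_secret.encode(), signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_hs256(token, client_secret):
    """Check an HS256 JWT the way the token endpoint would, with a constant-time compare."""
    head, body, sig = token.split(".")
    expected = hmac.new(client_secret.encode(), (head + "." + body).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def pick_validating_key(token_kid, configured_key, configured_kid):
    """[Validating Public Key ID] rule: blank -> always use [Validating Public Key];
    set -> use it only when the token's kid matches, otherwise no key is trusted."""
    if not configured_kid:
        return configured_key
    return configured_key if token_kid == configured_kid else None
```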


(3) Adding SAML

To add a SAML connection setting, click the “Add SAML” button in the [Connection Settings] window. You will be taken to the [Add SAML] window. Enter the required information and click the “Save” button to save the SAML connection setting. Click the “Cancel” button to return to the [Connection Settings] window.

After adding the SAML, the added SAML can be edited from the [Connection setting detail] window. For details on the [Connection setting detail] window, see “Connection setting detail window”.

The items displayed and the items that can be edited differ for adding and editing SAML. Details of the items displayed in the [Add SAML] and [Edit SAML] windows are shown below. The items with checkboxes are enabled by checking the checkbox. Also, depending on the item, further selections or input items will be displayed for the item contents, so please select and specify them according to the window.

(Table) Items displayed in the [Add SAML] window

Item Required Description Add window Edit window
General Settings
Enabled No Enables/disables this connection setting. Disabled SAML connection settings are not displayed on the Ops I login window and cannot be used.
Redirect URI No Redirect URI used in the identity provider settings.
ID Yes The ID uniquely identifies the identity provider and is also used for building the redirect URI.
The number of characters allowed is from 1 to 20. The characters that can be input are as follows.
  • Single-byte alphanumeric character:
    a-z 0-9
  • Single-byte symbol:
    -
Display Name No Specifies the friendly name for the identity provider. [Display Name] is displayed on the Ops I login window.
Display Order No Specifies the display order of [Display Name] on the login window. Entries are displayed in ascending order of this value; to fix the display order, assign the values in ascending order.
Values from 1 to 1000 can be specified.
SAML Settings
Import Config From File No Import identity provider metadata.
Click the "Browse" button to select the IdP metadata (XML file), or drop it into the input field.
Service Provider Entity ID Yes Specify an entity ID to identify Ops I as a SAML service provider.
The number of characters allowed is from 1 to 200. The characters that can be input are as follows.
  • Single-byte alphanumeric character:
    a-z 0-9
  • Single-byte symbol:
    . / : -
Identity Provider Entity ID*1 No Specifies an entity ID to identify the identity provider. If specified, the issuer of the SAML assertion will be verified. If blank, verification of the issuer will not be executed.
Single Sign-On Service URL*1 Yes Specifies the URL used for sending authentication requests (SAML AuthnRequest).
NameID Policy Format*1*2 No Specifies the format of the NameID that identifies the user.
Principal Type*1*2 No Specifies the method for identifying and tracking external users from SAML assertions. [Subject NameID] is used by default, but attributes can also be used.
Principal Attribute No Specifies the name or friendly name of the attribute to use to identify an external user.
Displayed when [Principal Type] is [Attribute [Name]] or [Attribute [Friendly Name]].
Allow Create No Allows the identity provider to create a new identifier to represent the principal.
Require HTTP-POST Binding In AuthnRequest*1 No Checks whether to request HTTP-POST binding when sending AuthnRequest. If off, HTTP-REDIRECT binding is requested.
Require HTTP-POST Binding In AssertionConsumerService*1 No Checks whether to request HTTP-POST binding with the metadata AssertionConsumerService. If off, HTTP-REDIRECT binding is requested.
Want AuthnRequests Signed*1 No Checks whether the identity provider requests a signed AuthnRequest.
Signature Algorithm No Specifies the algorithm to be used for signing SAML documents.
Displayed when [Want AuthnRequests Signed] is enabled.
SAML Signature Key Name No Specifies the key name of the signature to be specified in the KeyName element.
Displayed when [Want AuthnRequests Signed] is enabled.
Want Assertions Signed No Checks whether this service provider requests a signed assertion.
Want Assertions Encrypted No Checks whether this service provider requests an encrypted assertion.
Encryption Algorithm No Specifies the algorithm to be used for encrypting assertions.
Displayed when [Want Assertions Encrypted] is enabled.
Force Authentication No Checks whether to force re-authentication even if the user is already logged in to the identity provider.
Validate Signatures*1 No Specifies whether to verify the identity provider signature.
Validating X509 Certificates*1 No Specifies the X.509 certificate used in [Validate Signatures]. Specify in a character string format (PEM format with header, footer, and no line breaks). If specifying multiple certificates, separate them with a comma (,).
Displayed when [Validate Signatures] is enabled.
Sign Service Provider Metadata No Checks whether to sign this service provider's metadata.
Sync Mode No Specifies the default synchronization mode for all mappings. [Sync Mode] uses mapping to determine the timing for synchronizing user data.
If [At creating user] is selected, user data will be set only once when the user is created by logging in for the first time using this identity provider.
If [Every logging in] is selected, the user data is updated at every login on this identity provider.

(Legend) ◯: Editable, △: Reference only, -: Not displayed

*1: This is an item in which the external IdP information is automatically entered when IdP metadata is imported via the [Import Config From File] item. Depending on the information obtained, some fields may not be automatically entered.
When automatic entry is performed by IdP metadata, the automatically entered items become reference only.
*2: It is not possible to specify both [Transient] for [NameID Policy Format] and [Subject NameID] for [Principal Type].
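An added example, not part of the product: a Python check for the [Validating X509 Certificates] string format (PEM with header and footer, no line breaks, comma-separated) that rejects malformed entries and re-wraps valid ones into standard PEM, plus the *2 rule on [Transient] and [Subject NameID]. The certificate body is a constructed DER stub rather than a real certificate, and the selection labels passed to the check are assumed to match the window.

```python
import base64
import re
import textwrap

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
BASE64_BODY = re.compile(r"[A-Za-z0-9+/]+={0,2}")

# Constructed stand-in for a certificate body: a tiny DER SEQUENCE, not a real X.509 certificate.
FAKE_DER_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode("ascii")
SAMPLE_VALUE = PEM_HEADER + FAKE_DER_B64 + PEM_FOOTER + "," + PEM_HEADER + FAKE_DER_B64 + PEM_FOOTER

def parse_validating_certificates(value):
    """Split the comma-separated single-line PEM string into standard PEM blocks.
    Malformed entries raise ValueError instead of being skipped, so a typo cannot
    silently leave signature validation with fewer trusted certificates than intended."""
    pems = []
    for index, entry in enumerate(value.split(",")):
        entry = entry.strip()
        if not entry:
            continue  # tolerate a trailing comma
        if not (entry.startswith(PEM_HEADER) and entry.endswith(PEM_FOOTER)):
            raise ValueError("entry %d: missing PEM header or footer" % index)
        body = entry[len(PEM_HEADER):-len(PEM_FOOTER)]
        if BASE64_BODY.fullmatch(body) is None:
            raise ValueError("entry %d: body must be base64 with no line breaks" % index)
        der = base64.b64decode(body, validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("entry %d: decoded data is not a DER SEQUENCE" % index)
        # Re-wrap to 64-column lines so the result can be fed to ordinary PEM tooling.
        pems.append("\n".join([PEM_HEADER] + textwrap.wrap(body, 64) + [PEM_FOOTER]))
    return pems

def check_principal_config(nameid_policy_format, principal_type):
    """Rule *2 above: a [Transient] NameID changes per session, so it cannot identify
    the principal as [Subject NameID]. Returns True when the combination is allowed."""
    return not (nameid_policy_format == "Transient" and principal_type == "Subject NameID")
```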


(4) Connection setting detail window

Clicking on a connection setting in the “Connection settings list” in the [Connection Settings] window opens the [Connection setting detail] window where connection settings can be confirmed.
When the [Connection setting detail] window for SAML is displayed, the “SAML Service Provider Metadata” button is shown in the [General Settings] area. The SP metadata (XML file) can be output by clicking this button.

There is a mapping tab on the [Connection setting detail] window - [Related Resources], where the settings for mapping attributes/groups/roles are configured. For details, see “Mapping tab” and “Mapping attributes/groups/roles”.

A description of the operation buttons on the [Connection setting detail] window is shown below.

(Table) Operation buttons on the [Connection setting detail] window

Item Description
Edit The [Edit connection settings] window opens, where the connection settings can be edited.
For the items displayed on the [Edit connection settings] window, see "(Table) Items displayed in the [Add OIDC] window" for OIDC, and "(Table) Items displayed in the [Add SAML] window" for SAML. In both, the items displayed and the items that can be edited differ for adding and editing.
Delete Deletes connection settings. Connection settings can also be deleted using the "Delete" button in the [Connection settings] window. For details, see "(Table) Operation buttons in the [Connection settings] window".


(5) Mapping tab

A list of attribute/group/role mapping information is displayed in the “Mappers” tab on the [Connection setting detail] window - [Related Resources]. Here, attribute/group/role mappings can be added, edited, confirmed, and deleted.
For details on attribute/group/role mappings, see “Mapping attributes/groups/roles”.

The items on the mapping tab are as follows.

(Table) Mapping tab items

Item Description
Mappers list A list of mappings is displayed. The columns are as follows.
  • Name: Mapping name
  • Type: Type of mapping
Add button Adds a mapping. Clicking the "Add" button opens the [Identity Provider Mapper] window. For the items displayed, see "(Table) Items displayed in the identity provider mapping window". The button becomes inactive when the mapping checkbox is checked in the mapping list.
Delete button Deletes a mapping. This button becomes active when any mapping checkbox is checked in the mapping list. Clicking this button deletes the mapping.

[Identity Provider Mapper] window items are as follows.
The items displayed differ depending on the type of mapping. Items with the numbers ① to ⑨ in the item field indicate the type of mapping that will be displayed for that item. For information about the numbers, see the description field for the [Mapper Type] item. Items without numbers are displayed for all mapping types.

(Table) Items displayed in the identity provider mapping window

Item Required Description
Name Yes Sets the mapping name. This is an item that can only be set when adding a mapping.
The number of characters allowed is from 1 to 255.
Sync Mode Yes Specifies the synchronization mode for this mapping. Synchronization mode uses mapping to determine the timing for synchronizing user data. Select from the following.
  • Inherit: Use the default synchronization mode for the connection setting
  • At creating user: Set user data only once when the user is created by logging in for the first time using this identity provider
  • Every logging in: Update the user data at every login on this identity provider
Mapper Type Yes Select a type of mapping from the following.
① Hardcoded Attribute:
Sets a fixed attribute.
② Hardcoded Group:
Assigns user to a specific group.
③ Hardcoded Role:
Assigns user to a specific role.
④ Claim to Group:
Assigns the user to a specified group when the Claim meets the specified criteria.
⑤ Claim to Role:
Assigns the user to a specified role when the Claim meets the specified criteria.
⑥ Claim to Attribute:
Sets the specified Claim value to the user's attribute.
⑦ Attribute to Group:
Assigns user to a specified group when the Assertion attributes meet the specified criteria.
⑧ Attribute to Role:
Assigns user to a specified role when the Assertion attributes meet the specified criteria.
⑨ Attribute to Attribute:
Sets the user attribute with the Assertion attribute value.
*④, ⑤ and ⑥ are items shown when the connection setting type is OIDC. ⑦, ⑧ and ⑨ are items shown when the connection setting type is SAML.
User Attribute (①⑥⑨) Yes The following values can be specified as destination attributes.
  • E-mail
  • First Name
  • Last Name
  • Company
  • Department
  • Address
  • PhoneNumber1
  • PhoneNumber2
  • Memo
  • Customer
User Attribute Value Yes Specifies the value to be set for the attribute. If [Customer] is selected for the user attribute, specify the customer ID.
Group (②④⑦) Yes Specifies the group to be assigned.
Role (③⑤⑧) Yes Specifies the role to be assigned.
Condition (④⑤⑦⑧) Yes Specify the criteria for group and role mapping as follows. Multiple criteria can be specified by clicking the "Add condition" button. If multiple criteria are specified, all of them must be met.
  • For ④ and ⑤
    Specify a Claim name and Claim value pair using the following items. You can browse nested Claims by using periods (.) in the Claim name. If a period (.) is part of the Claim name itself, escape it with a backslash (\).
    • Key: Claim name
    • Value: Claim value
  • For ⑦ and ⑧
    Specify an attribute name and attribute value pair using the following items. The specified attribute name is matched against both the SAML attribute names and friendly names. If the SAML attribute value is an array, it must contain the attribute value. If the name matches multiple SAML attributes, at least one of them must contain the value.
    • Key: Attribute name
    • Value: Attribute value
Claim Yes Specifies the Claim name to search for. You can browse nested Claims by using periods (.). If a period (.) is part of the Claim name itself, escape it with a backslash (\).
Attribute Name Either the attribute name or the friendly name, or both, is required Sets the attribute name to search for. Both the SAML attribute name and friendly name are searched with this value. This value is also set as the attribute name in the RequestedAttribute of the metadata, so always specify it when outputting metadata.
Friendly Name Either (see [Attribute Name]) Specifies the friendly name to search for. Both the SAML attribute name and friendly name are searched with this value. This value is also set as the friendly name in the RequestedAttribute of the metadata.
Name Format Yes Select the Name Format for the attribute set in the RequestedAttribute of the metadata from the following.
  • Basic: urn:oasis:names:tc:SAML:2.0:attrname-format:basic
  • URI: urn:oasis:names:tc:SAML:2.0:attrname-format:uri
  • Unspecified: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
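An added example, not the product's code, of the condition semantics described in the table above: nested Claim lookup with period navigation and backslash escaping for ④/⑤, SAML attribute matching by name or friendly name with array containment for ⑦/⑧, and the rule that every added condition must hold. The sample claims and attributes are constructed, and Claim matching by string equality is an assumption.

```python
def split_claim_path(path):
    """Split 'a.b.c' on periods; a backslash-escaped period ('\\.') stays in the key name."""
    parts, current, i = [], [], 0
    while i < len(path):
        if path[i] == "\\" and i + 1 < len(path) and path[i + 1] == ".":
            current.append(".")
            i += 2
        elif path[i] == ".":
            parts.append("".join(current))
            current = []
            i += 1
        else:
            current.append(path[i])
            i += 1
    parts.append("".join(current))
    return parts

def lookup_claim(claims, path):
    """Walk nested claim objects; returns None when any step of the path is missing."""
    node = claims
    for key in split_claim_path(path):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def claim_condition_met(claims, key, value):
    """④/⑤: the Claim at 'key' must equal 'value' (string comparison, assumed here)."""
    found = lookup_claim(claims, key)
    return found is not None and str(found) == str(value)

def saml_condition_met(attributes, key, value):
    """⑦/⑧: 'key' is matched against both Name and FriendlyName; an attribute whose value
    array contains 'value' satisfies the condition, so when several attributes share the
    name, at least one must contain it. Attribute values are modelled as lists."""
    for attr in attributes:
        if key in (attr.get("name"), attr.get("friendly_name")) and value in attr.get("values", []):
            return True
    return False

def all_conditions_met(check, data, conditions):
    """Multiple criteria added with the "Add condition" button: every (Key, Value) must hold."""
    return all(check(data, key, value) for key, value in conditions)

# Constructed sample data, shaped like an OIDC ID token payload and SAML assertion attributes.
SAMPLE_CLAIMS = {"org": {"unit": "ops"}, "dept.code": "ops-1"}
SAMPLE_ATTRS = [
    {"name": "urn:oid:2.5.4.11", "friendly_name": "ou", "values": ["ops", "sec"]},
    {"name": "urn:oid:2.5.4.11", "friendly_name": "ou", "values": ["hr"]},
]
```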



Section structure

3.4.2.1 Common settings