Global Identity Providers
This article explains the concept of Global Identity Providers (Global IDPs), which enable users from different organizations to share a common (i.e. global) Identity Provider for authentication.
Global IDP is an extension of the Cloud Identity Plane (CIP) federation functionality. Global IDP also includes the ability to link a federated authentication request to existing user accounts in CIP , known as account linking.
Elements
This section defines the services, objects, APIs, and configurations that are used when configuring Global Identity Providers.
Services
The following CIP microservices are used in the federation process:
- IAM Services (iam-services): Manages creation and retrieval of CIP objects, including users, organizations, and IDPs. Also manages single sign-on (SSO) sessions.
- Federation Service (federation-service): Converts external federation assertions into internal CIP requests.
- AuthN UI (authn-ui): CIP’s login page and related pages for managing authentication flows. The typical non-federation login flow is presented by the AuthN UI as username and password authentication. Public IDPs are presented as icons on the AuthN UI main page.
- Admin UI (admin-ui): CIP’s UI for creating and managing objects, like users, organizations, and IDPs. Only privileged users, called admins, are permitted to access the Admin UI.
Objects and Attributes
The following objects are stored in the CIP database and are reflections of real-life elements:
- User: User may refer to an end user who is interacting with CIP and related systems, or to the actual user record stored in CIP or an external database.
- IDP: Identity providers are the source of a user’s identity. In the federation flows described in this document, IDPs are sources of user records that are external to CIP, like Google, SalesForce, or Active Directory. In CIP, a representation of an IDP is stored as an IDP configuration and managed through APIs; throughout this document, “IDP” may be used as a shorthand to refer to the IDP configuration object in CIP, rather than just the actual external IDP.
- Organization / Customer: Organizations are groupings of users in CIP. All users must belong to exactly one organization in CIP. The legacy name for organization in CIP is “customer” and may be used interchangeably.
The relevant attributes for these objects are described in Configuring attributes for global IDP federation flows (Operations docs)
APIs
The following APIs are related to federation flows. Several have updates in the Global IDPs epic. All of these APIs are found in the IAM Services service and are accessible through the API Gateway:
API Name | HTTP Method | HTTP Path | AuthN Types | Description |
---|---|---|---|---|
Create IDP | POST | /federation/idps |
SSO | Create an IDP in the CIP datastore |
Get IDP | GET | /federation/idps/{uuid} |
SSO | Retrieve an IDP from the CIP datastore |
Update IDP | PUT | /federation/idps/{uuid} |
SSO | Update an IDP in the CIP datastore |
Delete IDP | DELETE | /federation/idps/{uuid} |
SSO | Remove an IDP from the CIP datastore |
List IDPs | GET | /federation/idps |
SSO, System | Retrieve a set of IDPs based on a search filter |
Get IDPs For User | GET | /federation/authentication/idps |
SSO | Retrieve a set of IDPs with which a user can federate |
Get IDPs For User Identifier (IDP Discovery) | GET | /idpdiscovery/idps/useridentifier/{userIdentifier} |
SSO, System | Retrieve a set of IDPs with which a user can federate |
Admin Subscribe Organization to IDP | PUT | /federation/customers/{customerIdentifier}/idps/{idpIdentifier} |
SSO | Add an IDP to a specified organization’s subscription list |
Admin Unubscribe Organization from IDP | DELETE | /federation/customers/{customerIdentifier}/idps/{idpIdentifier} |
SSO | Remove an IDP from a specified organization’s subscription list |
Self Subscribe Organization to IDP | PUT | /federation/customer/idps/{idpIdentifier} |
SSO | Add an IDP to the subscription list of the organization to which this user belongs |
Self Unubscribe Organization from IDP | DELETE | /federation/customer/idps/{idpIdentifier} |
SSO | Remove an IDP from the subscription list of the organization to which this user belongs |
SAML Authentication Complete | POST | /federation/authentication/complete |
System | Federate a user, producing an SSO token. This is the most important and complex API. |
Service Configuration
See Configuring iam-services for global IDPs (Operations docs)
High Level Federation Flow
See Global IDP Federation Flows
Capabilities
Global IDP
Global IDP offers the following new capabilities:
- A user can come from more than one IDP and map to the same CIP record;
- Federated users are permitted to authenticate using ordinary authentication flows; and,
- Although each IDP is still based on one organization, IDPs may be marked as global (organization-independent) and organizations may subscribe to them if they want to enable their users to authenticate from them.
The format of remoteIdentifiers
is improved to pair the IDP hash with each user identifier,
separated by a delimiter ("#"). For example, if a user with identifier “testuser1” comes from IDP
with hash “1234”, then the remote identifier “1234#testuser1” will be stored in that user’s
remoteIdentifiers
.
The federatedIdpHash
field is deprecated. This feature includes “data healing”, which is meant to
clean up user records and update their data format. Specifically, when a user with an old remote
identifier format and federatedIdpHash
completes federated authentication, their
federatedIdpHash
is automatically removed and their old remote identifier is updated to the new
format (with IDP hash included).
A single instance of a global IDP configuration may be used by many organizations. New APIs have been added to enable admins to subscribe, or unsubscribe, organizations to/from global IDPs. Since global IDPs are shared between different organizations, they are protected with higher security measures than organization-specific IDPs. A new entitlement, “ADMIN_MANAGE_GLOBAL_IDPS”, must be owned by an admin before they can create, modify, or delete any attributes of a global IDP, and before they can set an IDP as global.
Account Linking
Also solved in this feature is the ability to link a federated authentication request to existing
user accounts in CIP through values in the user account. This is referred to as account linking.
For a given IDP, the accountLinkingAttributes
can be set with a priority-ordered list of attribute
names. If a user record is not found by its remoteIdentifiers
(which is derived from the primary
identifier mapped from the correlationIdentifierFieldName
and the IDP hash), then a secondary
search will look for CIP users whose attributes match the incoming claims from the external IDP. For
example, if account linking is set up for CIP attribute uid
and during federated authentication a
claim “testuser1” is mapped to uid
, and if no other user is found with the corresponding remote
identifier, then a user in CIP with uid
= “testuser1” will be used for this authentication.
On the AuthN UI front page, any public IDPs which are global will be displayed for unidentified users. If the user begins entering their identifier, IDPs with which they previously federated are displayed as well.
For admins listing IDPs in the Admin UI, global IDPs are visible to the admin, in addition to IDPs belonging to the admin’s organization.
Features In Detail
Topics are arranged by category.
Retrieving IDPs - Get, List, Discovery
There are four (4) APIs for retrieving IDPs: Get IDP, List IDPs, Get IDPs for User, and IDP Discovery (see API table above).
Previously, Get and List IDPs would only permit retrieval of IDPs in the same organization as the current session context’s organization. However, global IDPs are now able to be retrieved, even if they belong to a different organization.
Get IDPs for User and IDP Discovery are APIs that accept an optional user identifier and, in the
case of the former, an optional customer
(organization) parameter. Previously, if the user was
found, only the user’s single IDP from their federatedIdpHash
would be returned. Otherwise, the
specified organization’s public IDPs would be returned. Now, if the user is found, the public IDPs
of their organization are returned alongside the user’s other IDPs. Furthermore, global IDPs that
are public are returned, even if they belong to a different organization than the user.
Modifying IDPs - Create, Update, Delete
For functionalities that modify IDPs, there are no changes for non-global IDPs. Global IDPs, on the other hand, are only allowed to be modified by users who have the entitlement “ADMIN_MANAGE_GLOBAL_IDPS” (the name is configurable). The reason for this is, global IDPs are shared between many organizations, so changes must be handled by only certain high-ranking admins.
-
For Create IDP, the “ADMIN_MANAGE_GLOBAL_IDPS” entitlement is needed if creating an IDP with the
isGlobal
attribute set totrue
. -
For Update IDP, the “ADMIN_MANAGE_GLOBAL_IDPS” entitlement is needed if changing the
isGlobal
attribute totrue
, or if modifying any attribute of an IDP that is already marked as global. -
For Delete IDP, the “ADMIN_MANAGE_GLOBAL_IDPS” entitlement is needed if deleting an IDP with
isGlobal
set totrue
.
Organization subscription to global IDP
In order for users within an organization to be able to federate with a global IDP, the organization must subscribe to that IDP.
The functionality for subscribing or unsubscribing an organization to a global IDP comes in two flavors:
- Admin (subscribe/unsubscribe specified organization): These APIs allow the user to choose an
organization’s subscription to an IDP to manage. Admins must be permitted to modify the specified
organization; i.e. it must exist in their
customers
attribute, or they must have the special entitlement “ADMIN_ALL_CUSTOMERS”. - Self (subscribe/unsubscribe my organization): These APIs allow the user to manage the subscription of their own organization to an IDP. The organization is based on the current authentication context of the user.
When subscribing an organization to an IDP, the IDP must exist and be global (isGlobal
= true).
When unsubscribing an organization from an IDP, the IDP need not exist or be global; this allows
cleanup of stale data to be performed, in case an IDP was deleted or its global status changed after
an initial subscription.
SAML Authentication Complete API
The logic within the SAML Authentication Complete API has increased in complexity to support identifying users belonging to multiple IDPs and organizations. This section describes this API’s logic in detail.
Elements of the API
In a federation flow, the Federation Service calls the SAML Authentication Complete API. This API accepts a request body with the following parameters:
idpConfigurationIdentifier
(string): The unique hash of the IDP from which the user authenticated.userIdentifier
(string): The value of the unique identifier for the user, which had been mapped from the federation assertion’s claims by the Federation Service based on the IDP’scorrelationIdentifierFieldName
.user
(object): The set of attribute name-value pairs which were mapped from the federation assertion’s claims by the Federation Service based on the IDP’scustomMapping
. In this section, these attributes will be referred to as “external user attributes”.
If a user who matches the request is identified in the CIP datastore, their existing attributes are also considered when resolving the final attribute set of the user. These are referred to as “internal user attributes.” Note that if there is no matching user record in CIP, there will be no internal user attributes.
For certain user attributes that must exist in a CIP record, there is a set of default values that are applied if not found through the above sources. These are referred to as “default user attributes.”
Identifying the User
One of the goals of the SAML Authentication Complete API is to identify a user account in CIP which corresponds to the federated authentication in-progress. There are two means by which it accomplishes this: remote identifiers and account linking.
Identifying through Remote Identifiers
Remote identifiers are the primary mechanism for finding users in CIP who have previously federated, since this attribute exists solely for federated authentication purposes. Before account linking was introduced in this feature to identify native (non-federated) CIP users, this was the only means to find users in CIP during federated authentication. The algorithm is as follows:
Using the userIdentifier
and idpConfigurationIddentifier
(IDP hash), the API searches for users
who have remoteIdentifiers
containing either "<idpHash>#<userIdentifier>"
(the updated,
hash-delimited format for remoteIdentifiers
) or "<userIdentifier>"
(the legacy format).
- If a single user is found with the updated format, it is selected.
- If multiple users are found with the updated format, an error is returned.
- If no users are found with the updated format, but a single user is found with the legacy format
and
federatedIdpHash
matching the IDP hash, it is selected. - If no users are found with the updated format, but multiple users are found with the legacy format
and
federatedIdpHash
matching the IDP hash, an error is returned. - Otherwise, no user is selected.
Note that if users are found with the legacy format but federatedIdpHash
matching a different IDP
than the one in the request, these users are not selected.
If no users are selected, the API falls back to account linking.
Identifying through Account Linking
If no users are found using the remote identifiers algorithm above, account linking may be used to find a CIP record. Account linking attempts to find a CIP record using external user attributes (mapped from the federation claims).
Account linking depends on the accountLinkingAttributes
field of the IDP configuration and the
external user attributes that are mapped from federation claims into the user
part of the API
request body. accountLinkingAttributes
is a prioritized list of CIP attribute names, for which a
user record will be searched in order. An example configuration is as follows:
[
{
"attributeName": "uid",
"priority": 0
},
{
"attributeName": "identifierEmails",
"priority": 1
},
{
"attributeName": "defaultEmail",
"priority": 1
},
{
"attributeName": "identifierMobiles",
"priority": 2
},
{
"attributeName": "defaultMobile",
"priority": 2
}
]
An example set of external user attributes is the following:
{
"uid": "testuser1",
"firstName": "Test",
"lastName": "User",
"defaultEmail": "testuser1@test.cloudentity.com",
"identifierEmails": ["testuser1@test.cloudentity.com"],
"identifierMobiles": ["5555555555"]
}
This is the account linking algorithm, using the above configuration as an example:
-
For all attributes in the
accountLinkingAttributes
configuration, any corresponding values among the external user attributes are found and all users matching any of these attributes are retrieved from the datastore. -
If no users are found, or no
accountLinkingAttributes
are configured, the algorithm terminates with no user found. -
The attribute names corresponding external values are grouped by priority, from lowest priority integer to highest. In the above example, this would result in the following data structure:
[ { "uid": "testuser1" }, { "defaultEmail": "testuser1@test.cloudentity.com", "identifierEmails": ["testuser1@test.cloudentity.com"] }, { "identifierMobiles": ["5555555555"] } ]
-
Starting with the highest priority attribute group, matching users are identified.
-
If one matching user is found for the highest priority, that user is selected and the algorithm terminates.
-
If multiple users are found, the one whose organization (
customer
attribute) matches the IDP’s organization is selected. -
If multiple users are found with the organization matching the IDP’s organization, an error is returned.
-
-
If no users are found for the highest priority, the next priority is evaluated until a single matching user record is selected.
It is important to note that account linking will not be used if a user was found by remote
identifiers, or if no accountLinkingAttributes
are configured for the IDP.
User Attribute Resolution and Data Healing
User Attribute Resolution and Data Healing includes default user attributes. If a new user is JIT provisioned, or if an existing user is updated, the external, internal, and default user attributes must be merged by the API.
In order to unify basic data for CIP user records, the following values will always be set if they do not exist for a user upon federated authentication (any existing values in the user record will be retained):
status
: “active”customer
: IDP’scustomer
customers
: IDP’scustomer
entitlements
: Set of entitlements configured in IAM Service configuration (see configurations above). Default configured value is empty array.entitlementGroups
: Set of entitlements configured in IAM Service configuration (see configurations above). Default configured value is["FEDERATED_USER_ENTITLEMENT_GROUP"]
.authSecret
: System-generated TOTP secretauthSecretAccepted
: false
In addition, the IDP hash and user identifier will be added in the format
"<idpHash>#<userIdentifier>"
to the user’s remoteIdentifiers
array, any existing
remoteIdentifiers
will be updated to the new format, and the user’s legacy federatedIdpHash
will
be removed if it exists.
Values from external attributes override any default or internal attributes if the user does not
exist, or if the IDP’s updateProvisionedUser
flag is set to true.
If the IAM Service configuration areVerifiedAddressesIdentifiers
is set to true, and
verifiedEmails
or verifiedMobiles
is being set from external attributes, then
identifierEmails
and identifierMobiles
, respectively, will be updated to match.
Organization Resolution
The final organization of a user, which will be stored in the user’s customer
attribute, must be
resolved and validated by the API logic. The logic for resolving the customer is:
- If
customer
is provided in the external attributes from the request body, and the user is either not found or the IDP’supdateProvisionedUser
is true, thiscustomer
value will be used. - If the user is found and already has a
customer
, this will be retained. - Otherwise, the IDP’s
customer
will be used.
In some cases, the resolved customer
from the above algorithm does not match the IDP’s own
customer
setting. In this case, the IDP must be global, and the resolved organization must exist
and be subscribed to the IDP. Otherwise, an error is returned.