Identity Providers Management

To manage Identity Providers (IdPs), navigate to:

Integration Manager → Secure → Identity Providers

This interface enables administrators to add, edit, enable/disable, or delete identity providers and manage attribute mappers for each provider.


Overview

The Identity Providers page displays a searchable, filterable table of all configured IdPs. Each row contains:

  • Alias: A user-defined name
  • Type: OIDC or SAML
  • Enabled: A toggle switch to activate or deactivate the IdP
  • Actions: Delete icon

Only users with the OWNER role (or the PortX Techops team, via a support ticket) can add or modify IdPs.


PortX Configuration Information

When setting up your identity provider, you'll need to provide these PortX URLs and identifiers to your IdP administrator:

SAML Configuration

  • Entity ID: https://auth.piam.tenants.portx.io/realms/<your-tenant-name>/protocol/saml/descriptor
  • Redirect URL (ACS URL): https://auth.piam.tenants.portx.io/realms/<your-tenant-name>/broker/<IDP-ALIAS>/endpoint
    • Replace <IDP-ALIAS> with the alias you choose when creating the IdP

OIDC Configuration

  • Discovery Endpoint: https://auth.piam.tenants.portx.io/realms/<your-tenant-name>/.well-known/openid-configuration

Tip: Copy these URLs and provide them to your identity provider administrator when configuring PortX as a service provider in your IdP system.


Finding Your Identity Provider Configuration

To configure PortX with your identity provider, you'll need specific URLs and metadata from your IdP. Here's where to find them for common providers:

SAML Providers

Microsoft Azure AD

  • Discovery Endpoint URL: https://login.microsoftonline.com/<TenantDomainNameOrID>/FederationMetadata/2007-06/FederationMetadata.xml
    • Replace <TenantDomainNameOrID> with your Azure tenant domain or ID
    • Example: https://login.microsoftonline.com/contoso.com/FederationMetadata/2007-06/FederationMetadata.xml

Okta

  • Discovery Endpoint URL: https://<yourOktaDomain>/app/<appid>/sso/saml/metadata
    • Replace <yourOktaDomain> with your Okta domain
    • Replace <appid> with your SAML application ID
    • Example: https://dev-12345.okta.com/app/abc123/sso/saml/metadata

OIDC Providers

Okta

  • Discovery Endpoint: https://<your-okta-domain>.okta.com/oauth2/default/.well-known/openid-configuration
    • Replace <your-okta-domain> with your Okta domain
    • Example: https://dev-12345.okta.com/oauth2/default/.well-known/openid-configuration

Microsoft Azure AD

  • Discovery Endpoint: https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration
    • Replace <tenant-id> with your Azure tenant ID

Note: If you're using a different identity provider, look for its SAML metadata XML document or OIDC discovery endpoint (usually at /.well-known/openid-configuration).


Adding a New Identity Provider

Click ADD IdP to open a modal with two tabs: OIDC and SAML. Each tab has a form for configuring a new IdP.

OIDC Tab

The OIDC form includes:

  • Basic Settings:
    • Alias: A unique identifier for this IdP within PortX
    • Display Name: The name shown to users during login
    • Display Order: Controls the order of IdP buttons on the login page
  • PKCE & Signature Options:
    • Enable PKCE: Adds Proof Key for Code Exchange to the authorization-code flow
    • JWKS URL or public key options: For token signature validation
  • OAuth Settings:
    • Authorization URL: Where users are redirected for authentication
    • Token URL: Where PortX exchanges authorization codes for tokens
    • UserInfo URL: Where PortX retrieves user information
  • Client Config:
    • Client ID: Your application's identifier in the IdP
    • Client Secret: Your application's secret (if required)
    • Authentication method: How PortX authenticates with the IdP
  • Scopes: Comma-separated string specifying requested permissions
    • Common scopes: openid,email,profile

Discovery Endpoint: Use this to automatically prefill the OAuth settings above

OIDC Setup
  1. Create an OIDC application in your IdP with the PortX redirect URL
  2. Use the discovery endpoint to automatically populate most fields
  3. Enter your Client ID and Client Secret from your IdP application
  4. Adjust scopes based on what user information you need

SAML Tab

The SAML form includes:

  • Basic Settings:
    • Alias: A unique identifier for this IdP within PortX
    • Display Name: The name shown to users during login
    • Display Order: Controls the order of IdP buttons on the login page
  • SAML Configuration:
    • Entity ID: Your IdP's unique identifier (found in IdP metadata)
    • SSO URL: Where PortX sends authentication requests
    • Logout URL: Where PortX sends logout requests
    • Certificates: Public certificates for signature verification
    • Signature & Encryption settings: Security configuration options
  • Discovery: Automatically populate settings from a metadata descriptor URL
  • Advanced Settings: Attribute handling, authentication settings, principal definitions

SAML Setup
  1. First, provide your IdP administrator with the PortX URLs from the PortX Configuration Information section
  2. Once your IdP is configured, use the Discovery URL to automatically fill most SAML fields
  3. If discovery doesn't work, manually copy the required values from your IdP's metadata

Editing an Identity Provider

Click on any provider row to open the Edit IdP modal. It contains:

  1. Edit IdP tab with a prefilled form (similar to the Add flow)
  2. Manage Mappers tab to manage attribute mappings between IdP claims and user attributes

Managing Mappers

Each IdP can have associated mappers that transform IdP claims or attributes into internal user properties.

Editing a Mapper

From the Manage Mappers tab:

  • Click a mapper name to edit it
  • Change key-value pairs where:
    • OIDC: claim → user.attribute
    • SAML: attribute.name → user.attribute

Enabling/Disabling a Provider

Use the toggle switch under the Enabled column in the table to activate or deactivate a provider. The action updates the server immediately and shows a success or error notification.


Deleting a Provider

Click the trash icon. You will be prompted for confirmation. On success, the provider is removed from the list.


Troubleshooting Common Issues

Can't Find Required URLs

Problem: You can't locate the Entity ID, Redirect URL, or discovery endpoints mentioned in your IdP documentation.

Solutions:

Discovery Endpoint Not Working

Problem: The automatic discovery feature fails to populate fields.

Solutions:

  • Verify the discovery URL is accessible from your network
  • Check if the URL returns valid JSON/XML metadata
  • Manually copy values from your IdP's configuration if discovery fails
  • Ensure you're using the correct discovery endpoint format for your provider
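The checks behind the list above, applied to the OIDC discovery endpoints listed under Finding Your Identity Provider Configuration, as an added example that is not PortX code: it validates a discovery document the way an administrator would before letting it prefill the OIDC form (is it JSON at all, does the issuer match the URL it was fetched from, are the authorization, token, userinfo and JWKS endpoints present and served over HTTPS, does the IdP advertise PKCE, and are the scopes you plan to request actually offered). The sample response is constructed; dev-12345 is the placeholder Okta domain this page already uses, and the field names are those of the OIDC Discovery specification.

```python
"""Sanity-check an OIDC discovery document before using it to prefill the form.

Added example, not PortX code. SAMPLE_DISCOVERY_JSON is constructed in the
shape of an Okta default-authorization-server response; field names follow the
OIDC Discovery specification.
"""
import json
from typing import List
from urllib.parse import urlparse
from urllib.request import urlopen

# Constructed sample; a live one comes from
# https://<your-okta-domain>.okta.com/oauth2/default/.well-known/openid-configuration
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://dev-12345.okta.com/oauth2/default",
    "authorization_endpoint": "https://dev-12345.okta.com/oauth2/default/v1/authorize",
    "token_endpoint": "https://dev-12345.okta.com/oauth2/default/v1/token",
    "userinfo_endpoint": "https://dev-12345.okta.com/oauth2/default/v1/userinfo",
    "jwks_uri": "https://dev-12345.okta.com/oauth2/default/v1/keys",
    "code_challenge_methods_supported": ["S256"],
    "scopes_supported": ["openid", "email", "profile", "groups"],
})

# The OIDC form's OAuth Settings plus the JWKS URL used for signature validation.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint",
                      "userinfo_endpoint", "jwks_uri")
WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"


def discovery_url_for(issuer: str) -> str:
    """Discovery URL that OIDC Discovery derives from an issuer value."""
    return issuer.rstrip("/") + WELL_KNOWN_SUFFIX


def fetch_discovery(url: str, timeout: float = 5.0) -> str:
    """Fetch a live discovery document (not used by the offline demo below)."""
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def validate_discovery(body: str, discovery_url: str,
                       requested_scopes: str = "openid,email,profile") -> List[str]:
    """Return the problems found; an empty list means the document is usable."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        # Typical when the URL is wrong and the IdP returns an HTML page instead.
        return [f"response is not JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["response is JSON but not an object"]

    problems = []
    # OIDC Discovery requires the issuer to equal the discovery URL minus the
    # well-known suffix; a mismatch usually means the wrong tenant or server.
    issuer = doc.get("issuer", "")
    if discovery_url_for(issuer) != discovery_url:
        problems.append(f"issuer {issuer!r} does not match discovery URL {discovery_url!r}")

    for key in REQUIRED_ENDPOINTS:
        value = doc.get(key)
        if not value:
            problems.append(f"missing {key}")
        elif urlparse(value).scheme != "https":
            problems.append(f"{key} is not served over https: {value}")

    if "S256" not in doc.get("code_challenge_methods_supported", []):
        problems.append("IdP does not advertise PKCE method S256; check before enabling PKCE")

    # Scopes is a comma-separated string in the form; compare with what the IdP offers.
    supported = set(doc.get("scopes_supported", []))
    if supported:
        for scope in requested_scopes.split(","):
            scope = scope.strip()
            if scope and scope not in supported:
                problems.append(f"requested scope {scope!r} not in scopes_supported")
    return problems


if __name__ == "__main__":
    url = discovery_url_for("https://dev-12345.okta.com/oauth2/default")
    for line in validate_discovery(SAMPLE_DISCOVERY_JSON, url) or ["discovery document OK"]:
        print(line)
```

To run it against a live IdP, pass the output of fetch_discovery(url) as the body together with the same url; the issuer check is what catches copying a discovery URL from the wrong tenant or authorization server, which otherwise prefills plausible-looking but wrong endpoints.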

SAML Configuration Errors

Problem: SAML authentication fails or returns errors.

Solutions:

  • Verify the Entity ID matches exactly between PortX and your IdP
  • Ensure the Redirect URL (ACS URL) is configured correctly in your IdP
  • Check that certificates are valid and properly formatted
  • Confirm signature and encryption settings match between both systems
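When discovery does not work and you must copy the SAML values by hand (step 3 of SAML Setup), and when you are checking the Entity ID and certificates as the list above suggests, the values come from the IdP's metadata descriptor. The following added example, which is not PortX code, pulls the Entity ID, SSO URL, Logout URL, signing-request requirement and signing certificates out of such a document and explains the usual Entity ID mismatches (trailing slash, letter case). SAMPLE_METADATA is a constructed SAML 2.0 IdP metadata document in the shape served by the Azure AD and Okta metadata URLs above; idp.example.com and the certificate are placeholders, not real values.

```python
"""Extract the SAML tab's values from an IdP metadata descriptor and check them.

Added example, not PortX code. SAMPLE_METADATA is a constructed SAML 2.0 IdP
metadata document; its certificate is a labelled placeholder, not X.509 data.
"""
import base64
import binascii
import xml.etree.ElementTree as ET
from typing import Optional

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Stands in for the base64 DER certificate a real IdP publishes.
PLACEHOLDER_CERT_B64 = base64.b64encode(b"PLACEHOLDER-NOT-A-REAL-CERTIFICATE").decode()

SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        CERT_B64
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".replace("CERT_B64", PLACEHOLDER_CERT_B64)


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the fields the SAML tab asks for; raise ValueError if this is not IdP metadata."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Typical when the metadata URL is wrong and an HTML page comes back.
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError(f"root element is {root.tag}, not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")

    def location(tag: str) -> Optional[str]:
        # Prefer the Redirect binding, fall back to POST.
        for binding in (HTTP_REDIRECT, HTTP_POST):
            for el in idp.findall(tag, NS):
                if el.get("Binding") == binding:
                    return el.get("Location")
        return None

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())  # strip pretty-print whitespace
            try:
                base64.b64decode(b64, validate=True)
            except binascii.Error as exc:
                raise ValueError(f"signing certificate is not valid base64: {exc}") from exc
            certs.append(b64)

    return {
        "entity_id": root.get("entityID"),
        "sso_url": location("md:SingleSignOnService"),
        "logout_url": location("md:SingleLogoutService"),
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned") == "true",
        "signing_certificates": certs,
    }


def check_entity_id(configured: str, metadata: dict) -> Optional[str]:
    """Explain why a configured Entity ID does not match the metadata; None if identical."""
    actual = metadata["entity_id"]
    if configured == actual:
        return None
    if configured.rstrip("/") == actual.rstrip("/"):
        return f"trailing-slash mismatch: configured {configured!r}, metadata {actual!r}"
    if configured.lower() == actual.lower():
        return f"case mismatch: configured {configured!r}, metadata {actual!r}"
    return f"Entity ID differs: configured {configured!r}, metadata {actual!r}"
```

The Entity ID comparison is deliberately exact: SAML entity IDs are opaque strings, so a trailing slash or a capital letter that a browser would treat as equivalent is a different entity to the IdP. WantAuthnRequestsSigned tells you which way the Signature settings on the SAML tab must be set for the IdP to accept PortX's requests.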

OIDC Authentication Issues

Problem: OIDC login fails or returns authorization errors.

Solutions:

  • Verify Client ID and Client Secret are correct
  • Ensure redirect URLs are properly configured in your IdP application
  • Check that requested scopes are available and authorized
  • Confirm your IdP application allows the authentication flow type being used

Access Denied or Missing Information

Problem: You don't have access to your IdP's configuration or can't find required metadata.

Solutions:

  • Contact your identity provider administrator
  • Request access to the IdP administration console
  • Ask for the specific URLs and configuration details listed in this documentation
  • If using a managed service, check your provider's documentation portal

Best Practices

  • Use Discovery Endpoints: When available, auto-fill fields to minimize manual errors.
  • Use Meaningful Aliases: Alias names should clearly identify the purpose or source of the IdP.
  • Validate Certificates & URLs: Ensure that all URLs (auth, token, logout) are valid and reachable.
  • Assign Default Roles Carefully: Enabling default roles can affect user permissions—review this setting thoughtfully.
  • Test Before Enabling: Always validate configurations with test users before making an IdP active.

This documentation provides a comprehensive guide to managing identity providers effectively. Follow the outlined steps and best practices to ensure secure, scalable, and maintainable authentication integrations within your organization.