Configure identity provider

Prerequisite: Configure service provider.

This section describes how to configure an IdP by completing the Identity Provider Registration step.

Overview

Consider the following before configuring an IdP:

  • Make sure you first configure the default alm IdP.

  • Before adding other IdPs, make sure that the alm IdP is successfully validated, and that SSO is enabled. For details, see Validate identity provider and enable SSO.

  • After completing the Identity Provider Registration step for an IdP, the configuration file is saved in the following ALM repository:

    {ALM repository}\sa\DomsInfo\osp\<idp name>.properties

Basic properties

In the Identity Provider Registration > Basic Properties tab, complete the following configurations:

Field Description

Federation Protocol

Select the federation protocol (SAML2 or OIDC) that ALM uses to communicate with the IdP.

The OIDC protocol requires that the ALM server be able to establish network connections with the IdP.

Name ID Format

Available only when you select SAML2 as the federation protocol.

Name ID format supported by the IdP.

IDP Metadata Available

Available only when you select SAML2 as the federation protocol.

Whether or not the real IdP metadata is available to be shared with the ALM SP.

  • NO. Select NO if you have not obtained the IdP metadata yet. ALM provides temporary mock IdP metadata to the ALM SP so that ALM can start the service and load the SP metadata.

    After you obtain the real IdP metadata, change the value to YES, provide the metadata with a URL or XML text, and restart the ALM server.

  • YES. Select YES if you have already obtained the IdP metadata. Provide the metadata with a URL or XML text.

IDP Metadata Provision Mode

Available only when you select YES in the IDP Metadata Available field.

  • Input Metadata URL. If you select this option, enter the IdP metadata URL.

    Select this option only when the IdP metadata URL can be accessed by the ALM server.

  • Input/Upload Metadata Content. If you select this option, either manually enter the plain-text XML of the SAML metadata descriptor from the IdP, or click the upload icon to upload the metadata file.

    Select this option if the IdP metadata URL cannot be accessed from the ALM server.
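As an added example (not ALM's own code), the following script inspects IdP metadata XML of the kind pasted into Input/Upload Metadata Content and reports the facts the Basic Properties tab depends on: the entity ID, the SSO endpoints, whether the Name ID Format chosen in ALM is one the IdP advertises, and whether the IdP publishes a single-logout endpoint. The sample metadata is constructed; only the SAML namespace and format URNs are real.

```python
# Added example (not ALM code): sanity-check IdP SAML metadata before registering it.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

# Constructed sample IdP metadata; entityID and endpoint locations are made up.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_idp_metadata(xml_text: str) -> dict:
    """Return the parts of an IdP EntityDescriptor that the registration relies on."""
    # Metadata fetched from an untrusted source should be parsed with defusedxml instead.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no IdP (no IDPSSODescriptor)")
    return {
        "entity_id": root.get("entityID"),
        "name_id_formats": [e.text.strip() for e in idp.findall("md:NameIDFormat", NS)],
        "sso_endpoints": {e.get("Binding"): e.get("Location")
                          for e in idp.findall("md:SingleSignOnService", NS)},
        # Single sign-out (SAML only) needs an SLO endpoint on the IdP side.
        "supports_single_logout": idp.find("md:SingleLogoutService", NS) is not None,
    }


def check_name_id_format(xml_text: str, chosen_format: str) -> bool:
    """True if the Name ID Format selected in ALM is one the IdP advertises."""
    return chosen_format in inspect_idp_metadata(xml_text)["name_id_formats"]
```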

OpenID Issuer

OpenID Client ID

OpenID Client Secret

Available and required only when you select OIDC as the federation protocol.

Provide the issuer, client ID, and client secret. They are specified when you create a client that uses OIDC as the protocol in the IdP.

Limitation: We recommend that you use a simple name for the OpenID client. Otherwise, SSO validation fails.

Enable Single Sign Out

This option controls whether or not ALM supports single sign-out. If you change the value of this option after enabling SSO, restart the ALM server to make your change take effect.

  • YES. The ALM single-sign-out feature is enabled. When it is enabled, the following happens:

    • A link to single sign out is displayed in the bottom-right corner of the Application Lifecycle Management Options window. When an IdP user clicks the link, the user is logged out of the IdP, and the window displays a session-ended message stating that all sessions are closed.
    • When an IdP user clicks Close Project in ALM Desktop Client, a window pops up to confirm whether the user wants to single sign out from the IdP or just wants to close the project. If the user clicks NO or X to close the confirmation window, the user just closes the project and remains active in the IdP session. If the user clicks YES, the session in both IdP and ALM Client is closed, and the other ALM connections for the same user, if any, keep running until their access tokens expire.
    • When an IdP user clicks Logout in Site Administration, the user logs out of the IdP, then Site Administration is closed automatically with all sessions cleared, and the other ALM connections for the same user, if any, keep running until their access tokens expire.
  • NO. The ALM single sign-out feature is disabled. When an IdP user logs out from an ALM page, the user's session is still active in the IdP.

Note: Single sign-out is supported only for SAML; it is not supported for OIDC because of limitations in OIDC.

Attribute mapping

In the Identity Provider Registration > Attribute Mapping tab, map IdP user attributes to ALM user attributes.

Field Description

Identity Key

Enter the IdP user attribute to be mapped to the ALM user attribute IdentityKey.

ALM Username

Enter the IdP user attribute to be mapped to the ALM user attribute ALMUsername.

*ALM User Email

Enter the IdP user attribute to be mapped to the ALM user attribute ALMEmail.

ALM User Phone

Enter the IdP user attribute to be mapped to the ALM user attribute ALMPhone.

ALM User Full Name

Enter the IdP user attribute to be mapped to the ALM user attribute ALMFullName.

ALM User Description

Enter the IdP user attribute mapped to the ALM user attribute ALMDescription.

Identity Key Case-sensitive

Whether or not ALM treats the letters in identity keys as case-sensitive when it authorizes IdP users by identity key.

  • Yes. Case-sensitive.
  • No. Case-insensitive.

Auto user provisioning

In the Identity Provider Registration > Auto User Provisioning tab, configure whether or not to enable auto user provisioning to update or create matching ALM users.

Field Description

User Info Auto Update

This option controls whether or not to automatically update the user attributes of matching ALM users with the mapped user attributes of IdP users.

ALM finds matching ALM users based on the attributes you select in Attributes Used to Match Existing ALM Users.

Attributes Used to Match Existing ALM Users

Available only when User Info Auto Update is enabled.

Select the user attributes that ALM uses to match IdP users with existing ALM users. ALM narrows the match down to a single user as follows:

  • ALM uses the first selected attribute to find matching users. If exactly one matching user is found, the identity key and identity ID information is attached to that user.
  • If more than one matching user is found, ALM continues to filter the matching users using the second selected attribute, and so on until only one matching user is found.
  • If ALM still fails to find exactly one matching user after filtering by all the selected attributes, ALM checks whether User Auto Generation is enabled to create new ALM users for IdP users.

User Auto Generation

This option controls whether or not to automatically create an ALM user based on the user attributes of an IdP user.

Attribute Mapped to ALM Username

Available only when User Auto Generation is enabled.

Select one of the following attributes as the default username of a new ALM user:

  • IdentityKey. When creating a user, ALM uses the IdentityKey value as the username.

  • ALMUsername. When creating a user, ALM uses the ALMUsername value as the username.

  • ALMEmail. When creating a user, ALM uses the ALMEmail value as the username.
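As an added example (not ALM's own code), the following script walks through the matching order described under Attributes Used to Match Existing ALM Users, applies the Identity Key Case-sensitive option, and falls back to User Auto Generation with the Attribute Mapped to ALM Username choice. The ALM user directory and IdP user records are constructed, and the example assumes that a user whose identity key is already attached is authorized by that key directly.

```python
# Added example (not ALM code): matching order, identity-key case sensitivity,
# and the auto-generation fallback from the Auto User Provisioning tab.
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class AlmUser:
    username: str
    email: str
    full_name: str
    identity_key: str | None = None  # attached after the first successful match
@dataclass
class IdpUser:  # IdP attributes after the Attribute Mapping tab has renamed them
    IdentityKey: str
    ALMUsername: str
    ALMEmail: str
    ALMFullName: str
# Constructed ALM user directory; names and addresses are made up.
ALM_USERS = [
    AlmUser("jdoe", "jdoe@example.test", "Jane Doe"),
    AlmUser("jdoe2", "jdoe@example.test", "John Doe"),  # shares Jane's address
]
MATCH_FIELDS = {"ALMEmail": "email", "ALMFullName": "full_name", "ALMUsername": "username"}

def _norm(key: str, case_sensitive: bool) -> str:
    return key if case_sensitive else key.lower()

def match_or_provision(idp: IdpUser, selected: list[str], users: list[AlmUser],
                       auto_generation: bool, case_sensitive: bool = True,
                       username_attr: str = "ALMUsername") -> AlmUser | None:
    key = _norm(idp.IdentityKey, case_sensitive)
    # A user already linked to this identity key is authorized by the key alone.
    for u in users:
        if u.identity_key is not None and _norm(u.identity_key, case_sensitive) == key:
            return u
    candidates = list(users)
    for attr in selected:  # first attribute, then the next, until one user is left
        candidates = [u for u in candidates
                      if getattr(u, MATCH_FIELDS[attr]) == getattr(idp, attr)]
        if len(candidates) == 1:
            candidates[0].identity_key = key  # attach the identity key to the match
            return candidates[0]
        if not candidates:
            break
    if not auto_generation:  # no unique match and no provisioning: not authorized
        return None
    new = AlmUser(getattr(idp, username_attr), idp.ALMEmail, idp.ALMFullName, key)
    users.append(new)
    return new
```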

Default ALM Username Editable

Available only when User Auto Generation is enabled.

This option controls whether or not a new ALM user can change the default username during user creation.

Send Notification

Available only when User Auto Generation is enabled.

This option controls whether or not to send email notifications to the related users in the following circumstances:

  • When new users are created during auto user provisioning, this option controls whether or not to send notifications to the new users and to the specified site admin users.
  • When an IdP user accesses the SSO validation URL to validate the IdP, this option controls whether or not to send notifications to the specified site admin users.
  • When the SSO certificate is about to expire, this option controls whether or not to send notifications to the specified site admin users.

Auto Provision Notification List

Available only when Send Notification is enabled.

Specify the usernames of the site admin users who receive notifications.

Components preparation

In the Identity Provider Registration > Components Preparation tab, follow the on-screen instructions to deploy SP and fetch SP metadata.

Next steps: