Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Thales Authenticator Lifecycle Manager

Identity Provider Settings

search

Identity Provider Settings

Identity Provider (IDP) Settings enables integration between the Thales Authenticator Lifecycle Manager and enterprise identity systems allowing seamless user authentication and access management. This integration involves configuring endpoints and parameters required for secure communication with IDPs. After the integration is complete, administrators can search for IDP users and enroll or revoke FIDO devices for those users.

The following identity providers are supported:

  • Microsoft Entra ID (Azure AD)

  • SafeNet Trusted Access (STA)

  • PingOne

Identity Provider Settings Table

The Identity Provider Settings table displays all configured identity providers along with their current status and available quick actions.

The following table explains each column given in the Identity Provider Settings table.

Column Description
Provider Name of the identity provider.
Type Identity provider type (for example, Microsoft Entra ID or STA Identity Provider).
Status Indicates the following status of identity provider:
- Active: Configured, connection successfully tested, and available for communication with IDPs for user search and enrollment related operations.
- Inactive: Configured but connection not yet tested.
Actions Available actions, such as Edit and Delete identity provider configurations.

Manage IDP Integrations

Administrators can perform the following operations to manage IDP integrations:

Search Identity Providers

The Search feature allows administrators to quickly locate identity providers. Use the search bar to filter identity providers and view their details based on either the identity provider name or type.

Add Identity Providers

Use the Add Identity Provider button located at the top-right of the Identity Provider Settings window to initiate the identity provider type selection and configuration.

Caution

  • IDP credentials are case sensitive (for example, Client Secret for Entra ID, API Key for STA).
  • Ensure that Console access is restricted to authorized administrators and credentials are stored securely in accordance with your organization’s security policies.

  1. On the Identity Provider Settings window, click Add Identity Provider.

  2. On the Add Identity Provider window, select the IDP you want to configure.

  3. Perform the IDP configuration steps:

    Configure Microsoft Entra ID

    1. Under Microsoft Entra ID, complete the following fields:

      Field Description
      Name A unique name for the IDP.
      Active Turn on the Active toggle to activate the IDP.
      Authentication URL The endpoint URL is provided by the IDP support to handle authentication requests. This URL allows Thales Authenticator Lifecycle Manager to securely communicate with the IDP to validate user credentials and issue authentication tokens.
      Application/Client ID The client ID of the registered application or service that will use FIDO devices for user authentication.
      Client Secret A valid client secret generated for the registered application or service. Thales Authenticator Lifecycle Manager uses the client secret along with the Application/client ID to authenticate securely with the IDP.
      MS Graph API URL The URL (https://graph.microsoft.com/beta) used by Thales Authenticator Lifecycle Manager to connect with the Microsoft Graph API for operations such as user search, device assignment, and device revocation.

    2. Click Test Connection.

    3. After the connection is successful, click Create.

      Tip

      Ensure that your Entra ID application registration is correctly configured, and that the client secret is valid and has not expired. Also, verify that both the authentication URL and the Microsoft Graph API URL are correct and aligned with your tenant and environment requirements.

    Configure STA Identity Provider

    1. Under STA Identity Provider, complete the following fields:

      Field Description
      Name A unique name for the IDP.
      Active Turn on the Active toggle to activate the IDP.
      API URL The endpoint URL required to handle authentication requests. This URL allows Thales Authenticator Lifecycle Manager to securely communicate with the IDP to validate user credentials and issue authentication tokens.
      API Key A valid STA API key provided by the identity provider (IDP) used to authenticate and authorize access to the SafeNet Trusted Access (STA) API.

    2. Click Test Connection.

    3. After the connection is successful, click Create.

    Configure PingOne

    1. Under PingOne, complete the following fields:

      Field Description
      Name A unique name for the IDP.
      Active Turn on the Active toggle to activate the IDP.
      Application/Client ID The client ID of the registered application or service that will use FIDO devices for user authentication.
      Client Secret A valid client secret generated for the registered application or service. Thales Authenticator Lifecycle Manager uses the client secret along with the Application/client ID to authenticate securely with the IDP.
      Auth Server Base URL The endpoint URL (https://auth.pingone.sg) handles the authentication requests. This URL allows Thales Authenticator Lifecycle Manager to securely communicate with the IDP to validate user credentials and issue authentication tokens.
      API Server Base URL The URL (https://api.pingone.sg/v1), used by Thales Authenticator Lifecycle Manager to connect with the Microsoft Graph API for operations such as user search, device assignment, and device revocation.
      Environment ID The unique identifier of a PingOne environment, used by Thales Authenticator Lifecycle Manager to connect to the correct PingOne tenant for operations such as authentication, user management, and API communication.

    2. Click Test Connection.

    3. After the connection is successful, click Create.

      Tip

      Ensure that your PingOne application registration is correctly configured, and that the client secret is valid and has not expired. Also, verify that both the Client ID (Application ID) and the Environment ID are correct and aligned with your tenant and environment requirements.

Edit Identity Providers

  1. On the Identity Provider Settings window, search for and locate the target identity provider name from the list, and click Edit.

  2. On the Edit Identity Provider window, update the IDP configuration as needed.

    Note

    For field descriptions, refer to step 3 of the Add Identity Providers section.

  3. Click Test Connection to revalidate the configuration.

  4. After a successful connection, click Update to update the configuration.

Caution

When updating Client Secret for Entra ID or API Key for STA, coordinate with your identity provider support team to avoid authentication disruptions. Whenever possible, schedule these changes during a planned maintenance window.

Delete Identity Providers

  1. On the Identity Provider Settings window, search for and locate the target identity provider name from the list, and click Delete.

  2. The Delete Identity Provider window is displayed. Click Delete to confirm the operation. The IDP configuration will be successfully removed.

    Warning

    Deleting an identity provider immediately disables user authentication via the IDP. Before proceeding, ensure that no critical workflows or dependencies rely on the IDP. After deletion, console users will no longer be able to revoke existing device assignments, search for users, or assign new devices.

On this page