Property | Description |
|---|---|
Use Identity Provider File | The identity provider XML file that populates many of the properties on the SAML Setup page. To use an identity provider XML file to define identity provider properties, click Browse, and navigate to the identity provider XML file. |
Disable auto provisioning of users | Disables auto-provisioning of SAML users. When you enable this option, users are not automatically added to the organization when they attempt to sign on to Informatica Intelligent Cloud Services for the first time. If you disable auto-provisioning and you don't use SCIM 2.0 to push user and group information from the identity provider, you must create the users manually in Administrator. If you use SCIM 2.0, this option is disabled because users are provisioned by the SCIM client. Default is disabled. |
Map SAML Groups and Roles | Maps groups and roles from the SAML token each time a user signs on to Informatica Intelligent Cloud Services. Enable this option to use SAML SSO for both authentication and authorization. Disable this option to use SAML SSO for authentication only. Default is disabled. |
Enable IdP to push users/groups using SCIM 2.0 | Allows your identity provider to push user and group information to Informatica Intelligent Cloud Services using SCIM 2.0 in addition to passing these attributes in the SAML token. When you enable this option, you must generate a bearer token for the identity provider (SCIM client). To generate a token, click Manage Token. For more information about generating and managing bearer tokens, see Managing SCIM tokens. Warning: If you provide the identity provider with a token and then generate a new token, the previous token is overwritten, and you must provide the identity provider with the new token. When you enable this option, auto-provisioning of users is disabled because users are provisioned through the SCIM client. Default is disabled. |
Property | Description |
|---|---|
Issuer | The entity ID of the identity provider, which is the unique identifier of the identity provider. The Issuer value in all messages from the identity provider to Informatica Intelligent Cloud Services must match this value. For example: <saml:Issuer>http://idp.example.com</saml:Issuer> |
Single Sign-On Service URL | The identity provider's HTTP-POST SAML binding URL for the SingleSignOnService, which is the SingleSignOnService element's location attribute. Informatica Intelligent Cloud Services sends login requests to this URL. |
Single Logout Service URL | The identity provider's HTTP-POST SAML binding URL for the SingleLogoutService, which is the SingleLogoutService element's location attribute. Informatica Intelligent Cloud Services sends logout requests to this URL. |
Signing Certificate | Base64-encoded PEM format identity provider certificate that Informatica Intelligent Cloud Services uses to validate signed SAML messages from the identity provider. Note: The identity provider signing algorithm must be either DSA-SHA1 or RSA-SHA1. |
Use signing certificate for encryption | Uses the public key in your signing certificate to encrypt logout requests sent to your identity provider when a user logs out from Informatica Intelligent Cloud Services. |
Encryption Certificate | Base64-encoded PEM format identity provider certificate that Informatica Intelligent Cloud Services uses to encrypt SAML messages sent to the identity provider. Applicable if you do not enable use of the signing certificate for encryption. |
Name Identifier Format | The format of the name identifier in the authentication request that the identity provider returns to Informatica Intelligent Cloud Services. Informatica Intelligent Cloud Services uses the name identifier value as the Informatica Intelligent Cloud Services user name. The name identifier cannot be a transient value that can be different for each login. For a particular user, each single sign-on login to Informatica Intelligent Cloud Services must contain the same name identifier value. To specify that the name identifier is an email address, the Name Identifier Format is as follows: urn:oasis:names:tc:SAML:1.1:nameidformat:emailAddress |
Logout Service URL (SOAP Binding) | The identity provider's SAML SOAP binding URL for the single logout service. Informatica Intelligent Cloud Services sends logout requests to this URL. |
Logout Page URL | The landing page to which a user is redirected after the user logs out of Informatica Intelligent Cloud Services. Informatica Intelligent Cloud Services redirects the logged out user to the landing page in the following ways:
|
Property | Description |
|---|---|
Informatica Cloud Platform SSO | Displays the single sign-on URL for your organization. This URL is automatically generated by Informatica Intelligent Cloud Services. |
Clock Skew | Specifies the maximum permitted time, in seconds, between the time stamps in the SAML response from the identity provider and the Informatica Intelligent Cloud Services clock. Default is 180 seconds (3 minutes). |
Name Identifier value represents user's email address | If enabled, Informatica Intelligent Cloud Services uses the name identifier as the email address. Default is enabled. |
Sign authentication requests | If enabled, Informatica Intelligent Cloud Services signs authentication requests to the identity provider. Default is enabled. |
Sign logout requests sent using SOAP binding | If enabled, Informatica Intelligent Cloud Services signs logout requests sent to the identity provider. Default is enabled. |
Encrypt name identifier in logout requests | If enabled, Informatica Intelligent Cloud Services encrypts the name identifier in logout requests. Note: Verify that the identity provider supports decryption of name identifiers before you enable this option. Default is disabled. |
Property | Description |
|---|---|
Use friendly SAML attribute names | If selected, uses the human-readable form of the SAML attribute name which might be useful in cases in which the attribute name is complex or opaque, such as an OID or a UUID. |
First Name | SAML attribute used to pass the user first name. |
Last Name | SAML attribute used to pass the user last name. |
Job Title | SAML attribute used to pass the user job title. |
Email Addresses | SAML attribute used to pass the user email addresses. This property must be mapped. |
Emails Delimiter | Delimiter to separate the email addresses if multiple email addresses are passed. |
Phone Number | SAML attribute used to pass the user phone number. |
Time Zone | SAML attribute used to pass the user time zone. |
User Roles | SAML attribute used to pass the assigned user roles. This field is enabled when the Map SAML Groups and Roles option is enabled. |
Roles Delimiter | Delimiter to separate the roles if multiple roles are passed. This field is enabled when the Map SAML Groups and Roles option is enabled. |
User Groups | SAML attribute used to pass the assigned user groups. This field is enabled when the Map SAML Groups and Roles option is enabled. |
Groups Delimiter | Delimiter to separate the groups if multiple groups are passed. This field is enabled when the Map SAML Groups and Roles option is enabled. |
Property | Description |
|---|---|
Display Name | SCIM attribute used to pass the user displayName. |
Employee Number | SCIM attribute used to pass the enterprise user employeeNumber. |
Organization | SCIM attribute used to pass the enterprise user organization. |
Department | SCIM attribute used to pass the enterprise user department. |
Street Address | SCIM attribute used to pass the user streetAddress. |
Locality | SCIM attribute used to pass the user locality. |
Region | SCIM attribute used to pass the user region. |
Post Code | SCIM attribute used to pass the user postalCode. |
Country | SCIM attribute used to pass the user country. |
Locale | SCIM attribute used to pass the user locale. |
Preferred Language | SCIM attribute used to pass the user preferredLanguage. |
ID | SCIM attribute used to pass the user id. |
External ID | SCIM attribute used to pass the user externalId. For Azure Active Directory, this is the objectID. For Okta, it is the id. |
Property | Description |
|---|---|
Informatica Intelligent Cloud Services role | The SAML role equivalent for the Informatica Intelligent Cloud Services role. If you need to enter more than one role, use a comma to separate the roles. The role mapping fields are enabled when the Map SAML Groups and Roles option is enabled. |
Default Role | Default user role for single sign-on users. When auto-provisioning is enabled, new users are assigned this role the first time they sign on to Informatica Intelligent Cloud Services. This field is visible when the Map SAML Groups and Roles option is disabled. |
Default User Group | Optional, default user group for single sign-on users. When auto-provisioning is enabled, new users are assigned to this user group the first time they sign on to Informatica Intelligent Cloud Services. This field is visible when the Map SAML Groups and Roles option is disabled. |
Property | Description |
|---|---|
Informatica Intelligent Cloud Services role | The SAML group equivalent for the Informatica Intelligent Cloud Services role. If you need to enter more than one group, use a comma to separate the groups. You can enter up to 4000 characters. The role mapping fields are enabled when the Map SAML Groups and Roles option is enabled. |
Default Role | Default user role for single sign-on users. When auto-provisioning is enabled, new users are assigned this role the first time they sign on to Informatica Intelligent Cloud Services. This field is visible when the Map SAML Groups and Roles option is disabled. |
Default User Group | Optional, default user group for single sign-on users. When auto-provisioning is enabled, new users are assigned to this user group the first time they sign on to Informatica Intelligent Cloud Services. This field is visible when the Map SAML Groups and Roles option is disabled. |