Set up IAM authentication

Use the IAM (identity and access management) Authentication page to enable an external identity provider (IdP) to authenticate Calabrio ONE sessions, enable direct login using Calabrio ONE's IAM service, or enable multi-factor authentication.

The IAM Authentication page is only available for Cloud deployments of Calabrio ONE.

If you are using an external identity provider, see to learn how to configure your organization’s IdP prior to using this page to enable your IdP connection to Calabrio ONE.

Multi-factor authentication is a method in which a user is granted access to a website after successfully proving their identity using at least two means of verification. Calabrio ONE multi-factor authentication uses a login password and a one-time password sent by email to verify a user's identity and grant them access to Calabrio ONE. The following workflow details what happens when a user attempts to log in once multi-factor authentication is configured.

  1. The user successfully enters their email and password on the login page.

  2. The user receives an email from Calabrio ONE that contains their one-time password.

  3. The user enters their one-time password on the login page and is successfully authenticated.

Prerequisites

  • You need the Administer Tenant permission to access this page. See Manage roles and permissions for QM, Analytics, and Insights for more information.

  • Your external IdP must be configured for Calabrio ONE. Follow the procedures detailed in to set up your IdP.

  • Follow the "Configure identity providers" and "Export SAML Metadata" procedures in if your IdP is not on the list below. If you are not able to successfully configure your IdP, please contact Calabrio Support.

    Identity Provider
    AD FS
    Azure AD
    Ping Federate
    OKTA
    Cisco Duo
    OneLogin

Page location

Application Management > Administration > IAM Authentication

Procedure

Configure an external IDP

  1. Under Enable Authentication, select the Enable IAM External Authentication Entity (Company Login) box to allow authentication using an external identity provider.
  2. Enter the required information in the available fields. See Field descriptions for more information.
  3. Click Save.

Configure direct login

  1. Under Enable Authentication, select Enable IAM Authentication (Direct Login) to authenticate using Calabrio ONE's IAM service.
  2. Click Save.

Configure multi-factor authentication

  1. Under Enable Authentication, select Enable IAM Authentication (Direct Login) to authenticate using Calabrio ONE's IAM service.
  2. Under IAM Authentication Settings, select Enable One-Time Password via Email.
  3. Click Save.

NOTE   If users do not receive their one-time password emails within one minute, instruct them to check their spam folders or work with their IT administrator to ensure the one-time password email from "[email protected]" is not blocked.

Field descriptions

Field Description

Enable Authentication

At least one of the two check boxes must be selected.

Enable IAM Authentication (Direct Login)

Enables authentication through the Calabrio ONE IAM Service or multi-factor authentication.

Enable IAM External Authentication Entity (Company Login)

Enables authentication using an external IdP.

IAM Authentication Settings

Multi-factor Authentication -

Enable One-Time Password via Email

When configured, all tenant users receive an email from Calabrio that contains a one-time password whenever they attempt to log into Calabrio ONE. The one-time password email is delivered to the email address linked to an individual's Calabrio ONE user account.

The password expires after five minutes.

Identity Provider Settings

Entity ID

The entity ID information from the customer’s configured IdP.

EXAMPLE   http://www.okta.com/mxkgk1l57kJrrPAeo0h7TDST

IDP X.509 Certificate

Import, export, or view an SP X.509 certificate. Acceptable file formats are CER, CRT, and CERT.

IMPORTANT   The certificate must be Base64 encoded.

Authorization Requests Signed -

Require signed SAML request

Select if SAML requests need to be signed.

Name ID Format

The default is as follows.

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Single Sign-On Service Endpoint (HTTP-POST/HTTP-Redirect)

The value provided for a Single Sign On Service Endpoint (HTTP-Redirect). Include http or https in the URL.

EXAMPLE   https://dev-101111.oktapreview.com/app/dev-111111_exampletest202206/8_1/mpkznqqbkzvTHD3Nc0h7/sso/saml

SAML Binding

Select if SAML binding is required to post or redirect.

NOTE   Check if your identity provider requires post or redirect. Azure AD, AD FS, and Ping Federate IdPs require post.
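
The checks below are an added example, not part of Calabrio's documentation or product code: a pre-flight script that tests values against the Identity Provider Settings rules above before they are entered (Base64 certificate, accepted file type, http or https in the endpoint, post binding for Azure AD, AD FS, and Ping Federate). The function names and the sample certificate bytes are assumptions made for illustration.

```python
import base64
import binascii
import os
from urllib.parse import urlparse

# Accepted extensions and POST-only IdPs, as listed on this page.
ACCEPTED_EXTENSIONS = {".cer", ".crt", ".cert"}
POST_ONLY_IDPS = {"Azure AD", "AD FS", "Ping Federate"}

def sample_pem() -> bytes:
    """Constructed placeholder (a tiny ASN.1 SEQUENCE), not a real certificate."""
    body = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n".encode()

def is_base64_certificate(data: bytes) -> bool:
    """True if data is Base64 text wrapping DER, False for raw binary DER."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False  # binary DER export
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines and lines[0] == "-----BEGIN CERTIFICATE-----":
        if lines[-1] != "-----END CERTIFICATE-----":
            return False  # truncated file
        lines = lines[1:-1]
    try:
        der = base64.b64decode("".join(lines), validate=True)
    except (binascii.Error, ValueError):
        return False
    # DER certificates are an ASN.1 SEQUENCE, so the first byte is 0x30.
    return der[:1] == b"\x30"

def check_idp_settings(idp, entity_id, cert_name, cert_bytes, sso_url, binding):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if not entity_id.strip():
        problems.append("Entity ID is empty")
    if os.path.splitext(cert_name)[1].lower() not in ACCEPTED_EXTENSIONS:
        problems.append("certificate file must be CER, CRT, or CERT")
    if not is_base64_certificate(cert_bytes):
        problems.append("certificate is not Base64 encoded")
    parsed = urlparse(sso_url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        problems.append("SSO endpoint must include http or https")
    if idp in POST_ONLY_IDPS and binding.lower() != "post":
        problems.append(f"{idp} requires the post binding")
    return problems
```

A binary (DER) export of the IdP certificate is the case this catches most often: the file carries an accepted extension but fails the Base64 check.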

Service Provider Settings (read-only fields)

Entity ID

The unique identifier for your IdP.

Assertion Consumer Service URL

The service provider endpoint where the SAML assertion authentication response is sent by your IdP.

Metadata URL

The web address that points to the file with details on your Entity ID, certificates, and more.

Service Provider Initiated Sign-On URL

The web address users visit to start the SSO process.

Related topics

  • — Learn how to configure your organization’s external IdP for Calabrio ONE before using the IAM Authentication page to connect your organization’s IdP and Calabrio ONE's IAM service.

  • Log in to Calabrio ONE — Learn how to log into Calabrio ONE after configuring an authentication method.