Set up IAM authentication

Use the IAM Authentication page to enable an external identity provider (IdP) to authenticate Calabrio ONE sessions or enable direct login using Calabrio ONE's IAM service. If you are using an external identity provider, see Configure SAML authentication to learn how to configure your organization’s IdP prior to using this page to enable your IdP connection to Calabrio ONE.

The IAM Authentication page is only available for Cloud deployments of Calabrio ONE.


  • Your external IdP must be configured for Calabrio ONE. Follow the procedures detailed in Configure SAML authentication to set up your IdP.

  • Follow the "Configure identity providers" and "Export SAML Metadata" procedures in Configure SAML authentication if your IdP is not on the list below. If you are not able to successfully configure your IdP, please contact Calabrio Support.

    Identity Provider
    AD FS
    Azure AD
    Ping Federate
    Cisco Duo

Page location

Application Management > Global > System Administration > IAM Authentication


Configure IAM settings

  1. Under Enable Authentication, select the Enable IAM External Authentication Entity (Company Login) box to allow authentication using an external identity provider, or select Enable IAM Authentication (Direct Login) to authenticate using Calabrio ONE's IAM service. A form with additional fields expands.
  2. Enter the required information in the available fields. See Field descriptions for more information.
  3. Click Save.

Field descriptions

Field Description

Enable Authentication

At least one of the two check boxes must be selected.

Enable IAM Authentication (Direct Login) — Enables authentication through the Calabrio ONE IAM Service.
Enable IAM External Authentication Entity (Company Login) — Enables authentication using an external IdP.

Entity ID

The entity ID information from the customer’s configured IdP.


IDP X.509 Certificate

Import, export, or view an SP X.509 certificate. Acceptable file formats are CER, CRT, and CERT.

IMPORTANT   The certificate must be Base64 encoded.

Authorization Requests Signed

Select if SAML requests need to be signed.

Name ID Format

The default is as follows.


Single Sign-On Service Endpoint (HTTP-POST/HTTP-Redirect)

The value provided for a Single Sign-On Service Endpoint (HTTP-Redirect). Include http or https in the URL.


SAML Binding

Select if SAML binding is required to post or redirect.

NOTE   Check if your identity provider requires post or redirect. Azure AD, AD FS, and Ping Federate IdPs require post.
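
An added example (not Calabrio code) of a pre-flight check for the IDP X.509 Certificate and Single Sign-On Service Endpoint fields: it confirms a certificate file is Base64 encoded, converting binary DER if needed, and that the endpoint value includes http or https. The function names, the sample bytes and the idp.example.com host are assumptions made for illustration.

```python
import hashlib
import ssl
from urllib.parse import urlparse

PEM_HEADER = "-----BEGIN CERTIFICATE-----"

# Constructed placeholder bytes (not a real certificate): DER starts with 0x30.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(16))


def to_base64_cert(raw):
    """Return (Base64/PEM text, SHA-256 fingerprint of the DER bytes).

    Accepts file contents in Base64 (PEM) or binary DER form. Only the
    encoding is checked; the X.509 structure itself is not parsed.
    """
    text = raw.decode("ascii", errors="ignore").strip()
    if text.startswith(PEM_HEADER):
        der = ssl.PEM_cert_to_DER_cert(text)  # ValueError on bad framing
    elif raw[:1] == b"\x30":  # ASN.1 SEQUENCE tag, so the file is binary DER
        der = raw
    else:
        raise ValueError("file is neither Base64 (PEM) nor DER encoded")
    return ssl.DER_cert_to_PEM_cert(der), hashlib.sha256(der).hexdigest()


def check_endpoint(url):
    """Return (url, uses_tls); reject values without http/https and a host."""
    parts = urlparse(url.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("endpoint must include http or https and a host")
    return parts.geturl(), parts.scheme == "https"


if __name__ == "__main__":
    pem, fingerprint = to_base64_cert(SAMPLE_DER)
    print(pem)
    print("SHA-256 of DER:", fingerprint)
    # idp.example.com is a placeholder host.
    print(check_endpoint("https://idp.example.com/saml2/sso"))
```

Comparing the printed fingerprint with the one your IdP shows for its signing certificate confirms that the file you import is the certificate you intended.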

Related topics

Configure SAML authentication — Learn how to configure your organization’s external IdP for Calabrio ONE before using the IAM Authentication page to connect your organization’s IdP and Calabrio ONE’s IAM service.