Set up IAM authentication

Use the IAM (identity and access management) Authentication page to enable an external identity provider (IdP) to authenticate Calabrio ONE sessions, enable direct login using Calabrio ONE's IAM service, or enable multi-factor authentication.

The IAM Authentication page is only available for Cloud deployments of Calabrio ONE.

If you are using an external identity provider, see Configure SAML authentication to learn how to configure your organization’s IdP prior to using this page to enable your IdP connection to Calabrio ONE.

Multi-factor authentication is a method in which a user is granted access to a website after successfully proving their identity using at least two means of verification. Calabrio ONE multi-factor authentication uses a login password and an email of a one-time password to verify a user's identity and grant them access to Calabrio ONE. The following workflow details what happens when a user attempts to login once multi-factor authentication is configured.

  1. The user successfully enters their email and password on the login page.

  2. The user receives an email from Calabrio ONE that contains their one-time password.

  3. The user enters their one-time password on the login page and is successfully authenticated.

Prerequisites

  • You need the Administer Tenant permission to access this page. See Manage roles and permissions for QM and Analytics for more information.

  • Your external IdP must be configured for Calabrio ONE. Follow the procedures detailed in Configure SAML authentication to set up your IdP.

  • Follow the "Configure identity providers" and "Export SAML Metadata" procedures in Configure SAML authentication if your IdP is not on the list below. If you are not able to successfully configure your IdP, please contact Calabrio Support.

    Identity Provider
    AD FS
    Azure AD
    Ping Federate
    OKTA
    Cisco Duo
    OneLogin

Page location

Application Management > Global > System Administration > IAM Authentication

Procedure

Configure an external IDP

  1. Under Enable Authentication, select the Enable IAM External Authentication Entity (Company Login) box to allow authentication using an external identity provider.
  2. Enter the required information in the available fields. See Field descriptions for more information.
  3. Click Save.

Configure direct login

  1. Under Enable Authentication select Enable IAM Authentication (Direct Login) to authenticate using Calabrio ONE's IAM service.
  2. Click Save.

Configure multi-factor authentication

  1. Under Enable Authentication, select Enable IAM Authentication (Direct Login) to authenticate using Calabrio ONE's IAM service.
  2. Under IAM Authentication Settings, select Enable One-Time Password via Email.
  3. Click Save.

NOTE   If users do not receive their one-time password emails within one minute, instruct them to check their spam folders or work with their IT administrator to ensure the one-time password email from "[email protected]" is not blocked.

Field descriptions

Field Description

Enable Authentication

At least one of the two check boxes must be selected.

Enable IAM Authentication (Direct Login) — Enables authentication through the Calabrio ONE IAM Service or multi-factor authentication.
Enable IAM External Authentication Entity (Company Login) — Enables authentication using an external IdP.

IAM Authentication Settings

Multi-factor Authentication -

Enable One-Time Password via Email

When configured, all tenant users receive an email from Calabrio that contains a one-time password whenever they attempt to log into Calabrio ONE. The one-time password email is delivered to the email address linked to an individual's Calabrio ONE user account.

The password expires after five minutes.

IAM External Authentication Settings

Entity ID

The entity ID information from the customer’s configured IdP.

EXAMPLE   http://www.okta.com/mxkgk2l57kJrrPAeo0h7TEST

IDP X.509 Certificate

Import, export, or view an SP X.509 certificate. Acceptable file formats are CER, CRT, and CERT.

IMPORTANT   The certificate must be Base64 encoded.

Authorization Requests Signed -

Require signed SAML request

Select if SAML requests need to be signed.
Name ID Format

The default is as follows.

urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Single Sign-On Service Endpoint (HTTP-POST/HTTP-Redirect)

The value provided for a Single Sign On Service Endpoint (HTTP-Redirect). Include http or https in the url.

EXAMPLE   https://dev-111111.oktapreview.com/app/dev-111111_exampletest20220608_1/mpkznqqbkzvTHE3Nc0h7/sso/saml

SAML Binding

Select if SAML bonding is required to post or redirect.

NOTE   Check if your identity provider requires post or redirect. Azure AD, AD FS, and Ping Federate IdPS require post.

Related topics

  • Configure SAML authentication — Learn how to configure your organization’s external IdP for Calabrio ONE before using the IAM Authentication page to connect your organization’s IdP and Calabrio ONE‘s IAM service.

  • Log in to Calabrio ONE — Learn how to log into Calabrio ONE after configuring an authentication method.