Add an identity provider for Conditional Access

In this topic, you will find general instructions on how to add an identity provider that will be used by Portnox™ Conditional Access for Applications.

Note: Check the menu on the left-hand side for examples of the most common identity providers. Use this general guide only if your specific identity provider is not included in the list.

Create a new identity provider configuration in Portnox Cloud

In this section, you will create a new identity provider configuration in Portnox Cloud.

  1. In a new tab of your browser, open your Portnox Cloud account by accessing the following URL: https://clear.portnox.com/

    From now on, we will call this tab the Portnox tab.

  2. In the Cloud portal top menu, click on the Settings option.

  3. In the Cloud portal left-hand side menu, click on the INTEGRATION SERVICES tile.

  4. In the right-hand side pane, find and click on the IDENTITY PROVIDER heading.

    More options appear under the IDENTITY PROVIDER heading and description.

  5. Click on the Add a SAML identity provider link.

  6. In the Identity provider details section, enter an Identity provider name and optionally a Description.

  7. Keep this browser tab open. You will need it later.

Create a new identity provider application

In this section, you will access the administrative interface of your identity provider, and use it to create a new application that will handle integration with Portnox Cloud.

  1. In another tab of your browser, open your web identity provider’s administrative interface.

    From now on, we will call this tab the provider tab.

  2. In your web identity provider’s administrative interface, find the configuration options for creating a new single sign-on application or a new single sign-on integration.
  3. Configure initial settings for the new application or integration. Your administrative screen should show a set of configuration fields that need to be filled, and a set of fields with pre-filled values and optionally a copy button.

Copy configuration values from the Portnox tab to the provider tab

In this section, you will copy the values displayed by Portnox Cloud and paste them in the relevant fields in the identity provider application setup section.

  1. In the Portnox tab, in the Integration settings section, click on the ⧉ icon next to the Identifier (Entity ID) / Issuer URI field to copy the value.

  2. In the provider tab, paste the value copied from Portnox Cloud in a field used to uniquely identify the identity provider in SSO transactions. For example:

    Identifier, Issuer, Audience, Entity ID, SP Entity ID, Provider ID, Issuer’s Entity ID, Issuer Identifier, Issuer URL, or Audience URI.

  3. In the Portnox tab, in the Integration settings section, click on the ⧉ icon next to the Assertion Consumer Service URL / Single Sign-on URL field to copy the value.

  4. In the provider tab, paste the value copied from Portnox Cloud in a field that specifies the URL to which the identity provider sends its response after authenticating a user. For example:

    Reply URL, Callback URL, Sign-in URL, Recipient URL, Single Sign-On URL, Application Callback URL, Consumer Service URL, Assertion Consumer URL, Assertion Consumer Service URL, ACS URL, Assertion Consumer Service Endpoint, ACS Endpoint, or SSO Endpoint.

Copy configuration values from the provider tab to the Portnox tab

In this section, you will copy the values displayed by the identity provider application setup section and paste them in the relevant fields in Portnox Cloud.

  1. In the provider tab, copy the value of a field that specifies the URL to which users are redirected for authentication. For example:

    Login URL, Sign-On URL, Single Sign-On URL, SSO URL, Sign-In URL, Sign-In Page URL, Login Redirect URL, Login Endpoint URL, SSO Service URL, SSO Initialization URL, SAML Consumer URL, or SAML Recipient URL.

  2. In the Portnox tab, in the Identity provider properties section, click on the empty field under the Login / Sign on URL heading and paste the copied value.

  3. In the provider tab, copy the value of a field used to identify the issuing entity of the SSO tokens. For example:

    Issuer, Issuer ID, Issuer URL, Directory ID, Entity ID, Provider URL, Identity Provider Issuer, Identity Provider Entity ID, or Microsoft Entra Identifier.

  4. In the Portnox tab, in the Identity provider properties section, click on the empty field under the Microsoft Entra Identifier / Issuer heading and paste the copied value.

  5. In the provider tab, search for a section containing a certificate.

    You may have an option to download a certificate file or copy the certificate in Base64 format. You can use either of those options.

  6. In the Portnox tab, in the Integration settings section, select the Insert certificate option if you copied the Base64 certificate, or the Upload certificate file option if you downloaded a certificate file, and then paste the certificate content or upload the certificate file accordingly.

  7. When finished, in the Portnox tab, scroll all the way down to the end of the page, and then click on the Save button.

Set up SAML attribute mapping

Set up the mapping between user attributes in the identity provider repository and attributes in the SAML assertion.

  1. In your identity provider application configuration, find the section for configuring SAML attribute mapping.
  2. Map the primary email of the user in the identity provider repository to the email SAML attribute.
  3. Optional: Map the primary email of the user in the identity provider repository to the eduPersonPrincipalName attribute.
    Note: This mapping is required by some applications such as Datadog.
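To confirm the mapping took effect, inspect the AttributeStatement of an assertion the provider issues after you save. The following Python is an added example, not part of the Portnox documentation; it checks a constructed assertion for the email attribute and the optional eduPersonPrincipalName attribute (matched either by that friendly name or by its standard OID-based SAML name) and verifies both carry the same primary email, as the steps above prescribe.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names as the procedure names them, plus the eduPerson OID form that
# some identity providers emit in the Name attribute instead of the friendly name.
EMAIL_ATTR = "email"
EPPN_ATTRS = {"eduPersonPrincipalName", "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"}

# Constructed sample assertion (as decoded from a SAML response); illustration only.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/saml/issuer</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
        FriendlyName="eduPersonPrincipalName">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def attribute_values(assertion_xml: str) -> dict:
    """Map each attribute, by Name and by FriendlyName, to its list of values."""
    root = ET.fromstring(assertion_xml)
    out = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        for key in (attr.get("Name"), attr.get("FriendlyName")):
            if key:
                out[key] = values
    return out


def check_mapping(assertion_xml: str) -> list:
    """Return a list of findings; an empty list means the mapping matches the procedure."""
    attrs = attribute_values(assertion_xml)
    findings = []
    emails = attrs.get(EMAIL_ATTR, [])
    if len(emails) != 1:
        findings.append("email attribute missing or not single-valued")
    eppn = next((attrs[n] for n in EPPN_ATTRS if n in attrs), None)
    if eppn is None:
        findings.append("optional eduPersonPrincipalName attribute not present")
    elif emails and eppn != emails:
        findings.append("eduPersonPrincipalName does not match the primary email")
    return findings
```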

Result: You have added an identity provider for Portnox Conditional Access for Applications.