Connect external identity providers
When you set up 10Duke Enterprise to trust user authentication done by an external identity provider, you must define a connection for each identity provider in 10Duke SysAdmin. If your client application authenticates directly with the identity provider, some of the connection settings are not needed.
For 10Duke Enterprise, the key requirements are that wherever the data on an authenticated user comes from, 10Duke Enterprise must know which identity provider authenticated the user, whether the identity provider is a trusted party, and how to interpret the user data received and map it to the user account details in 10Duke Enterprise. When communicating directly with the identity provider, 10Duke Enterprise must also know how to connect to it.
We recommend using OIDC as it’s easier to implement.
In addition to user authentication, you can provision the authenticated users from the identity provider to 10Duke Enterprise and keep the user data in sync. You enable or disable user provisioning in each identity provider’s connection settings in SysAdmin.
By default, the minimum data that the external identity provider must provide on a user is the user’s first name, last name, and email address. If needed, contact the 10Duke Integration Support team.
You can also automatically add the users to an organization’s user groups and grant an organization’s roles to the user. You can choose if groups and roles are only added for the user when they first log in, or if their groups and roles are updated at every login.
If you don’t enable user provisioning, users must be created in 10Duke Enterprise in advance for authentication to work.
View connections to identity providers
To view currently defined connections and set up new ones, go to IDENTITY > Federation in the left sidebar.