Adding a MaaS360 Cloud Extender identity provider

MaaS360® Cloud Extender user authentication is a form of authentication in which users' identities are verified against information stored in an enterprise repository or local user registry, such as Microsoft Active Directory (AD) or Microsoft Azure, but the authentication request is delegated to, or passed through, a different server or agent. Add a MaaS360 Cloud Extender authentication identity provider as an alternative if your organization does not want to use SAML-based identity federation but is already using the MaaS360 Cloud Extender to connect to a MaaS360 Cloud or on-premises instance.

Before you begin

You must configure the following Cloud Extender modules:

User Authentication

This module interacts with the Active Directory and LDAP directories to provide a user authentication service for various MaaS360 functions, such as self-service device enrollment with corporate credentials, MaaS360 Portal login, and the user management portal.

The Cloud Extender supports integration with LDAP implementations, including Active Directory, Domino® LDAP, Oracle LDAP, Novell eDirectory LDAP, and OpenLDAP.

See https://www.ibm.com/support/knowledgecenter/SS8H2S/com.ibm.mc.doc/ce_source/references/ce_ua_config_settings.htm.

User Visibility

This module uses the corporate directory groups to allow for the assignment and distribution of policies, apps, and content to mobile devices. These groups are imported by the MaaS360 Administrator to control administrator access to manage a subset of devices. LDAP filters are used to limit the groups and organizations imported. Devices are managed based on corporate directory structure.

See https://www.ibm.com/support/knowledgecenter/SS8H2S/com.ibm.mc.doc/ce_source/references/ce_uv_config_settings.htm.

Procedure

  1. Select Authentication > Identity Providers. Select Add Identity Provider. The Add Identity Provider dialog box is displayed.
  2. Select MaaS360 Cloud Extender and select Next.
  3. Specify the basic information.
    Table 1. Basic information (Information / Description)

    Name
      The name that you assign to represent the user registry that is used by identity providers such as Microsoft™ Active Directory, Microsoft Azure Active Directory, or others.
      If there is more than one identity provider that is configured and enabled, the identity provider name is displayed in the Verify Sign In page.
      This information is also displayed in the Directory > Users & Groups > Users tab, Add User dialog box, when you select an Identity Provider.

    Realm
      An identity provider attribute that helps distinguish users from multiple identity providers that have the same username.
      It must be a unique name across all other configured identity sources in your subscription. The name can contain any alphanumeric characters. Special characters are not allowed except for dot (.) and hyphen (-).
      The maximum allowed string length is 253, similar to the maximum length of a domain name.
      Note: You cannot edit the name once you have created it.

    Enabled
      Indicates whether the identity provider is active and available.
      When the identity provider is configured and enabled, users can single sign-on to Verify and into their entitled applications with the selected identity provider. If the identity provider is not enabled, it is not displayed as an option in the Sign In page.
      Note:
      • There must be at least one identity provider that is enabled to sign in to Verify.
      • If only one identity provider is enabled, it becomes the default sign-in option for the user.
  4. Optional: If you enabled public preview CI-108233, select whether to enable user invitations.
    Invitations are created and sent by using POST /v1.0/usc/user/invitation APIs. See Inviting users. Select the Enable user invitations check box to invite others to register as new users. You can also select a user profile for the user to enter more data as part of accepting the invitation. See Managing user profiles.
  5. Select Done.
    The identity provider configuration opens in edit mode.
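The realm and enabled-state rules from Table 1 are easy to get wrong when identity providers are created by script rather than through the dialog. The following is an added example, not IBM's code and not part of the Verify product, that pre-checks a candidate configuration against exactly those rules; the `IdentityProvider` record, the list of existing realms, exact-match realm comparison and the sample values are all assumptions.

```python
import re
from dataclasses import dataclass

# Realm rules stated in Table 1: alphanumeric plus dot and hyphen, at most 253
# characters, unique across all configured identity sources in the subscription.
REALM_RE = re.compile(r"^[A-Za-z0-9.-]+$")
REALM_MAX_LEN = 253


@dataclass(frozen=True)
class IdentityProvider:
    """Minimal model of one identity provider entry (assumed shape, not the product's API)."""
    name: str
    realm: str
    enabled: bool


def realm_errors(realm: str, existing_realms: list[str]) -> list[str]:
    """Return every rule the candidate realm violates (empty list when it is valid)."""
    errors = []
    if not realm:
        errors.append("realm must not be empty")
    elif not REALM_RE.fullmatch(realm):
        errors.append("realm may contain only letters, digits, dot (.) and hyphen (-)")
    if len(realm) > REALM_MAX_LEN:
        errors.append(f"realm exceeds {REALM_MAX_LEN} characters")
    # Exact-match uniqueness is an assumption; the page only says the realm must be unique.
    if realm in existing_realms:
        errors.append("realm already used by another configured identity source")
    return errors


def sign_in_options(providers: list[IdentityProvider]) -> dict:
    """Derive the Sign In page behaviour from the Enabled flags: disabled providers are
    hidden, at least one must be enabled, names are shown only when more than one is
    enabled, and a single enabled provider becomes the default sign-in option."""
    enabled = [p for p in providers if p.enabled]
    if not enabled:
        raise ValueError("at least one identity provider must be enabled to sign in to Verify")
    return {
        "shown": [p.name for p in enabled],
        "names_displayed": len(enabled) > 1,
        "default": enabled[0].name if len(enabled) == 1 else None,
    }


if __name__ == "__main__":
    # Constructed sample: one Cloud Extender provider beside an already-configured realm.
    print(realm_errors("corp.example-ad", ["legacy-ldap"]))  # []
    print(sign_in_options([IdentityProvider("Corp AD", "corp.example-ad", True)]))
```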

What to do next

To improve performance and to avoid any impact on user login during a MaaS360 release downtime, enable and configure the caching of user credentials. See User authentication caching.