
External identity provider

Lenovo XClarity One uses an internal identity-management system to authenticate local users. You can choose to set up federation using your company’s existing identity provider (IDP) to provide seamless access to the XClarity One portal using corporate credentials without the need for additional user-account creation or management, while maintaining strong identity and access management practices.

To configure an external IDP for your organization, click User Authentication in the context menu of the Settings view, click Set up, and follow the steps in the wizard.

After XClarity One is set up to use your external IDP, sign-in requests from the XClarity One portal are redirected to your external IDP for authentication, based on the email domain for the user. After the user is authenticated, the web browser is redirected back to the XClarity One portal.

Attention
A DNS server must be configured before configuring an external IDP. If you set up the XClarity One portal to use DHCP for IP addresses, but the DHCP server does not provide a DNS server (this is uncommon), then configuring the external IDP might fail. In this case, manually configure the DNS server on the Network settings page before configuring the external IDP (see Portal network). Note that changing the network configuration requires you to restart the virtual machine, which can take several minutes.

Protocols

You can configure the XClarity One portal to use a federation IDP that supports the OIDC/OAuth, SAML, or LDAP protocol. If your identity provider is not currently supported, open a service ticket using the Submit an eTicket webpage.

Tip
After you set up an external IDP, you cannot edit the protocol. If you need to change the protocol, remove the configuration by clicking Remove from the User Authentication card, and then click Set up to reconfigure the external IDP.
OIDC/OAuth and SAML

The following IDPs are supported.

  • Amazon Cognito IAM

  • Auth0 (by OKTA)

  • Google Cloud IAM

  • Microsoft Entra ID

  • OKTA

  • OneLogin

  • Ping One (by Ping Identity)

LDAP
LDAP is supported only when running XClarity One as a local VM. The following IDP is supported.
  • Microsoft Active Directory

Provide the following information.

  • Host/FQDN. LDAP server host name or FQDN.

  • Port. Port used by the LDAP server.

    If you choose to use secure LDAP (SSL), port 636 is used by default.

    If you choose to use insecure LDAP (non SSL), port 389 is used by default.

    You can also specify a global catalog server port: 3269 (SSL), or 3268 (non SSL).

  • Enable SSL. When enabled, the connection uses SSL (Secure LDAP) for secure, encrypted communication. You must provide the full certificate chain for the LDAP server. The certificate chain does not need to be signed by a well-known certificate authority.

    Attention
    When disabled, the connection uses non-SSL (Insecure LDAP) without encryption, which might expose sensitive data during transmission. Use insecure LDAP only in trusted, secure network environments.
  • Bind DN/Username. User account to use for LDAP authentication to bind XClarity One to the LDAP server. Specify the fully-qualified LDAP distinguished name (for example, cn=somebody,dc=company,dc=com) or email address (for example, somebody@company.com).

    The distinguished name must be a user account within the domain that has at least read-only privileges.

    If the LDAP server does not have sub-domains, you can specify the username without the domain (for example, user1). However, if the LDAP server does have sub-domains (for example, sub-domain new.company.com in domain company.com), then you must specify the username and domain (for example, user1@company.com).

    If the bind fails, the authentication process also fails.

  • Bind password. Password for secure LDAP authentication.

  • Base user DN. Fully-qualified LDAP distinguished name from which the LDAP client initiates the search for users (for example, dc=company,dc=com).

    This value must comply with the distinguished-name guidelines defined by RFC2253.
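As an added example (not Lenovo's code), the following Python pre-flight check applies the rules listed above to a proposed LDAP configuration before it is entered in the wizard: the documented default ports, the certificate chain required when SSL is enabled, the accepted forms of the bind identity, and RFC 2253 syntax for the distinguished names. The function names `preflight` and `is_valid_dn` and the sample values are my own.

```python
import re

SSL_PORTS, PLAIN_PORTS = {636, 3269}, {389, 3268}  # documented defaults: 636/389 LDAP, 3269/3268 global catalog
_ATTR_TYPE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*)$")  # RFC 2253 attribute type: descriptor or OID
_USERNAME = re.compile(r"^[^=,+\s]+$")  # email address or bare username (bare form only works without sub-domains)

def _split(s: str, sep: str) -> list[str]:
    """Split on sep, ignoring separators that are backslash-escaped or inside double quotes (RFC 2253 §3)."""
    parts, cur, quoted, i = [], [], False, 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):  # keep the escape pair verbatim, e.g. "\," inside a value
            cur.append(s[i:i + 2]); i += 2; continue
        if ch == '"':
            quoted = not quoted
        elif ch == sep and not quoted:
            parts.append("".join(cur).strip()); cur = []; i += 1; continue
        cur.append(ch); i += 1
    parts.append("".join(cur).strip())
    return parts

def is_valid_dn(dn: str) -> bool:
    """True if every RDN (and every '+'-joined value within it) is <attribute-type>=<non-empty value>."""
    for rdn in _split(dn, ","):
        for ava in _split(rdn, "+"):
            if "=" not in ava:
                return False
            attr, value = ava.split("=", 1)
            if not _ATTR_TYPE.match(attr.strip()) or not value.strip():
                return False
    return True

def preflight(port, enable_ssl, bind_dn, bind_password, base_user_dn, cert_chain_pem=""):
    """Return the problems found; an empty list means the settings follow the documented rules."""
    issues = []
    if port not in SSL_PORTS | PLAIN_PORTS:
        issues.append(f"port {port} is not one of the documented ports 389/636 or 3268/3269")
    elif (port in SSL_PORTS) != enable_ssl:
        issues.append(f"port {port} does not match Enable SSL={enable_ssl}")
    if enable_ssl and "-----BEGIN CERTIFICATE-----" not in cert_chain_pem:
        issues.append("Enable SSL is on but no certificate chain for the LDAP server was supplied")
    if not enable_ssl:
        issues.append("insecure LDAP: the bind password and directory data are sent unencrypted")
    if not (is_valid_dn(bind_dn) or _USERNAME.match(bind_dn)):
        issues.append("Bind DN/Username is not a DN, an email address, or a plain username")
    if not is_valid_dn(base_user_dn):
        issues.append("Base user DN is not a valid RFC 2253 distinguished name")
    if not bind_password:
        issues.append("Bind password is empty")
    return issues
```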

Email domain

The external IDP is set up based on your company’s email domain. If your company has multiple organizations that use the same email domain, the external IDP is available to all organizations with the same domain.

Multi factor authentication

XClarity One requires multi-factor authentication to prevent malicious attacks in the XClarity One portal within your organization and across organizations. If multi-factor authentication is not already set up in your federation identity provider, XClarity One will handle it for you.

Local vs corporate users

When users are added to XClarity One, including the initial organization owner, a local user account is created in the internal identity-management system. After your company’s external IDP is set up for your organization, those users might also have a corporate user account in the external IDP. The first time a user with both local and corporate (federated) user accounts attempts to sign in, the user is prompted to link the two accounts. Those users can then choose whether to authenticate using their local or corporate user account. If you choose to use your corporate user account, and later you want to use your local account, click the link to sign in locally from the sign-in page.

Note
  • When using the XClarity One cloud portal, an email is sent to you to link your corporate and local user accounts.

  • When using an XClarity One local portal, the web interface prompts you to sign in again using your credentials and one-time passcode to link your corporate and local user accounts.

After logging in to the corporate IDP, corporate users can access the XClarity One portal without providing additional credentials. In addition, XClarity One requires multi-factor authentication by providing a one-time passcode (OTP) from an authenticator application that is connected to XClarity One.

If the corporate IDP is disabled or removed, all corporate users are disabled. Users with local user accounts can still sign in using local XClarity One credentials.