
External identity provider

Lenovo XClarity One uses an internal identity-management system to authenticate local users. You can choose to set up federation using your company’s existing identity provider (IDP) to provide seamless access to the XClarity One portal using corporate credentials without the need for additional user-account creation or management, while maintaining strong identity and access management practices.

You can configure the XClarity One portal to use a federation IDP that supports the OIDC or SAML protocol. The following IDPs are supported. If your identity provider is not listed, open a service ticket using the Submit an eTicket webpage.
  • Amazon Cognito IAM

  • Auth0 (by OKTA)

  • Google Cloud IAM

  • Microsoft Entra ID

  • OKTA

  • OneLogin

  • Ping One (by Ping Identity)

To configure an external IDP for your organization, click User Authentication in the context menu of the Settings view, click Set up in the Federated signin information section, and follow the steps in the wizard.

After XClarity One is set up to use your external IDP, sign-in requests from the XClarity One portal are redirected to your external IDP for authentication, based on the email domain for the user. After the user is authenticated, the web browser is redirected back to the XClarity One portal.
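The redirect described above is the usual home-realm-discovery pattern: the portal looks up the IDP registered for the user's e-mail domain, sends the browser to that IDP's authorize endpoint, and then validates the return trip. The following is an added illustration of that pattern for the OIDC case, not XClarity One's own code; the provider records, domains, `REDIRECT_URI` and the in-memory pending-request table are all hypothetical. It shows the two checks a practitioner cares about at this step: the domain match must be exact (a look-alike domain must not inherit the federation), and the `state` value must be single-use so a replayed or forged callback is rejected.

```python
"""Home-realm discovery by e-mail domain for an OIDC authorization-code flow.

Added example; not XClarity One's code. The portal behaviour described on this
page (route sign-in to the IDP registered for the user's e-mail domain, then
accept the browser when it returns) is modelled with hypothetical IDP records
and an in-memory table of pending requests.
"""
import base64
import hashlib
import secrets
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlparse


@dataclass(frozen=True)
class OidcProvider:
    name: str
    issuer: str
    authorize_endpoint: str
    client_id: str


# Hypothetical federation registrations keyed by e-mail domain (constructed sample data).
PROVIDERS = {
    "example.com": OidcProvider(
        "Corp IDP", "https://login.example-idp.test/tenant",
        "https://login.example-idp.test/tenant/oauth2/v2.0/authorize", "client-abc"),
    "partner.example": OidcProvider(
        "Partner IDP", "https://sso.partner.example",
        "https://sso.partner.example/authorize", "client-xyz"),
}
REDIRECT_URI = "https://portal.example.test/auth/callback"  # hypothetical portal callback

# state -> (issuer, nonce, PKCE verifier); a real portal would keep this server-side with a TTL.
_pending = {}


def email_domain(email):
    """Return the lower-cased domain of an e-mail address, or None if it is malformed."""
    parts = email.strip().split("@")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return None
    return parts[1].lower()


def provider_for(email):
    """Exact-match lookup only: 'evil-example.com' must never resolve to example.com's IDP."""
    domain = email_domain(email)
    return PROVIDERS.get(domain) if domain else None


def _pkce_pair():
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def start_login(email):
    """Return the IDP redirect URL, or None when the domain is not federated (local sign-in)."""
    idp = provider_for(email)
    if idp is None:
        return None
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    verifier, challenge = _pkce_pair()
    _pending[state] = (idp.issuer, nonce, verifier)
    params = {
        "response_type": "code", "client_id": idp.client_id, "redirect_uri": REDIRECT_URI,
        "scope": "openid email profile", "state": state, "nonce": nonce,
        "code_challenge": challenge, "code_challenge_method": "S256", "login_hint": email,
    }
    return f"{idp.authorize_endpoint}?{urlencode(params)}"


def query_param(url, name):
    """Single query-string value from a URL, or None."""
    return parse_qs(urlparse(url).query).get(name, [None])[0]


def handle_callback(url):
    """Validate the browser's return trip; returns (issuer, code, nonce, verifier) or raises ValueError."""
    state = query_param(url, "state")
    pending = _pending.pop(state, None) if state else None  # single use: a replay finds nothing
    if pending is None:
        raise ValueError("unknown, missing or already-used state")
    if query_param(url, "error"):
        raise ValueError(f"IDP returned error: {query_param(url, 'error')}")
    code = query_param(url, "code")
    if not code:
        raise ValueError("no authorization code in callback")
    issuer, nonce, verifier = pending
    return issuer, code, nonce, verifier


def callback_is_accepted(url):
    """Boolean convenience wrapper around handle_callback for callers that only need accept/reject."""
    try:
        handle_callback(url)
        return True
    except ValueError:
        return False
```

The returned `code`, `nonce` and PKCE `verifier` would next be used to redeem the code at the IDP's token endpoint and to check the `nonce` claim in the ID token; that network step is omitted here so the block runs offline.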

Tip
After you set up an external IDP, you can edit the mappers and secrets but not the protocol. If you need to change the protocol, remove the configuration by clicking Remove from the User Authentication card, and then click Set up to configure the external IDP.
Attention
Due to a limitation of the external IDP setup, other customers and organizations might see your organization name and the federation types that are currently set up in the portal.

Email domain

The external IDP is set up based on your company’s email domain. If your company has multiple organizations that use the same email domain, the external IDP is available to all organizations with that domain.

Multi factor authentication

XClarity One requires multi-factor authentication to reduce the risk of account compromise in the XClarity One portal, both within your organization and across organizations. If multi-factor authentication is not already set up in your federation identity provider, XClarity One enforces it for you at sign-in.

Local vs corporate users

When users are added to XClarity One, including the initial organization owner, a local user account is created in the internal identity-management system. After your company’s external IDP is set up for your organization, those users might also have a corporate user account in the external IDP. The first time a user with both local and corporate (federated) user accounts attempts to sign in, the user is prompted to link the two accounts. Those users can then choose whether to authenticate using their local or corporate user account. If you choose to use your corporate user account and later want to use your local account, press Alt + . from the corporate-account sign-in page to be redirected to the local-account sign-in page.

After logging in to the corporate IDP, corporate users can access the XClarity One portal without providing additional credentials. In addition, XClarity One requires multi-factor authentication by providing a one-time passcode (OTP) from an authenticator application that is connected to XClarity One.
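The authenticator-application passcode mentioned above (and the portal-enforced second factor described under Multi factor authentication) is, for the common authenticator apps, a time-based one-time password as defined in RFC 6238. The page does not document how XClarity One generates or verifies the code, so the following is an added illustration of a TOTP verifier, not XClarity One's own code. The per-user secret store, the `STEP`, `DIGITS` and `WINDOW` values, and the user names are hypothetical; the test vectors are the published RFC 6238 ones. It shows the two behaviours a practitioner should expect from any OTP second factor: a small tolerance for clock drift, and rejection of a code that has already been accepted, so a shoulder-surfed or intercepted passcode cannot be reused within its validity window.

```python
"""TOTP (RFC 6238) verification as an authenticator-app second factor.

Added example, not XClarity One's code: the portal's OTP mechanism is not
documented on this page beyond "a one-time passcode from an authenticator
application", so this models the standard TOTP case with a hypothetical
per-user record of the last accepted time step.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per time step (the common authenticator-app default)
DIGITS = 6     # passcode length
WINDOW = 1     # accept one time step of clock drift on either side


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret, at=None, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def secret_from_base32(encoded):
    """Decode the base32 seed that authenticator apps are provisioned with (padding optional)."""
    encoded = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(encoded + "=" * (-len(encoded) % 8))


class TotpVerifier:
    """Verifies passcodes with drift tolerance and rejects reuse of an accepted code."""

    def __init__(self):
        self._last_counter = {}  # user -> highest time step already accepted (hypothetical store)

    def verify(self, user, secret, code, at=None):
        at = time.time() if at is None else at
        counter = int(at // STEP)
        last = self._last_counter.get(user, -1)
        for c in range(counter - WINDOW, counter + WINDOW + 1):
            if c <= last:
                continue  # this step (or an earlier one) already produced an accepted code: replay
            # constant-time comparison so the check does not leak which digits matched
            if hmac.compare_digest(hotp(secret, c), str(code)):
                self._last_counter[user] = c
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B seed (ASCII "12345678901234567890"), shown in base32 as an app would store it
    seed = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("current code for the RFC test seed:", totp(seed))
```

Because the verifier records the highest accepted time step per user, a second submission of the same passcode inside the drift window is refused even though the code itself is still mathematically valid; that is the property that makes an OTP "one-time" in practice rather than merely short-lived.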

Attention
If you set up your XClarity One organization to use your corporate IDP and then disable or remove a user from that IDP, you must also disable or remove the same user from your organization in XClarity One to ensure that the user is no longer able to sign in to access your organization in the portal.

If the corporate IDP is disabled or removed, all corporate users are disabled. Users with local user accounts can still sign in using local XClarity One credentials.